**Revantha Ramanayake · Josef Urban (Eds.)**

# LNAI 14278

# **Automated Reasoning with Analytic Tableaux and Related Methods**

**32nd International Conference, TABLEAUX 2023 Prague, Czech Republic, September 18–21, 2023 Proceedings**

# Lecture Notes in Computer Science

# **Lecture Notes in Artificial Intelligence 14278**

Founding Editor Jörg Siekmann

Series Editors

Randy Goebel, *University of Alberta, Edmonton, Canada*
Wolfgang Wahlster, *DFKI, Berlin, Germany*
Zhi-Hua Zhou, *Nanjing University, Nanjing, China*

The series Lecture Notes in Artificial Intelligence (LNAI) was established in 1988 as a topical subseries of LNCS devoted to artificial intelligence.

The series publishes state-of-the-art research results at a high level. As with the LNCS mother series, the mission of the series is to serve the international R & D community by providing an invaluable service, mainly focused on the publication of conference and workshop proceedings and postproceedings.

Revantha Ramanayake · Josef Urban Editors

# Automated Reasoning with Analytic Tableaux and Related Methods

32nd International Conference, TABLEAUX 2023 Prague, Czech Republic, September 18–21, 2023 Proceedings

*Editors*

Revantha Ramanayake
University of Groningen
Groningen, The Netherlands

Josef Urban
Czech Technical University in Prague
Prague, Czech Republic

ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Artificial Intelligence
ISBN 978-3-031-43512-6 ISBN 978-3-031-43513-3 (eBook)
https://doi.org/10.1007/978-3-031-43513-3

LNCS Sublibrary: SL7 – Artificial Intelligence

© The Editor(s) (if applicable) and The Author(s) 2023. This book is an open access publication.

**Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Paper in this product is recyclable.

# **Preface**

TABLEAUX, the *International Conference on Automated Reasoning with Analytic Tableaux and Related Methods*, is a conference series that started in 1992 and has been held every year since then. The series brings together researchers interested in all aspects of the mechanization of reasoning with tableaux and related methods: theoretical foundations, implementation techniques, systems development, and applications. Since 1995, the proceedings of TABLEAUX have been published in Springer's LNCS/LNAI series.

TABLEAUX 2023 was the 32nd edition of the conference series and it was an in-person conference hosted by the Czech Technical University in Prague, Czech Republic, September 18–21, 2023. It was co-located with the 14th International Symposium on Frontiers of Combining Systems (FroCoS 2023).

The Program Committee received a total of 43 submissions, comprising 33 research papers and 10 short papers. Each submission received on average three reviews in a single-blind process and was evaluated during Program Committee discussions. Eventually, 20 research papers and 5 short papers were accepted for presentation at the conference.

This volume includes all the accepted research papers and short papers of TABLEAUX 2023. These include papers on proof theory, with deductive mechanisms ranging from tableaux and sequent calculi and their extensions to non-wellfounded proofs. Their objects of inquiry encompass a range of modal logics, including in the non-normal, intuitionistic, constructive and temporal settings, linear logic, MV-algebras, separation logic, first-order logics and results on cut-elimination, termination and complexity of proof search, term-forming operators and proof-theoretic semantics. Investigations also delve into formalised proofs, automated theorem proving for classical and non-classical logics, and their integration with machine learning and SMT solvers. In addition to the main track, this year's edition hosted a special track on Artificial Intelligence and Theorem Proving (AITP), inviting papers combining machine learning and related AI methods with standard TABLEAUX topics.

This volume also includes abstracts of invited talks presented at TABLEAUX 2023. The five invited speakers, chosen by the Program Committee, were:

– Marta Bílková, Czech Academy of Sciences, Czechia
– Chad E. Brown, Czech Technical University in Prague, Czechia
– Valentin Goranko, Stockholm University, Sweden
– Rosalie Iemhoff, Utrecht University, The Netherlands
– Roman Kuznets, Technische Universität Wien, Austria


The following papers were selected by the Program Committee for awards:

– **Best Paper.** Ian Shillito, Iris van der Giessen, Rajeev Goré and Rosalie Iemhoff. *A new calculus for intuitionistic Strong Löb logic: strong termination and cut-elimination, formalised*.

– **Best Junior Researcher Paper.** Bahareh Afshari, Lide Grotenhuis, Graham Leigh and Lukas Zenger. *Ill-founded Proof Systems For Intuitionistic Linear-time Temporal Logic*.

The two awards were presented at the conference.

We thank all the people who contributed to making TABLEAUX 2023 a success. We thank the Program Committee and all additional reviewers for the time, professional effort and expertise they invested to deliver the high scientific standards of the conference and these proceedings. We thank the local organizers for making this event happen. We thank the invited speakers for their inspiring talks, and the Steering Committee for their helpful advice. We thank all the authors for their excellent contributions. Special thanks to Jens Otten who supported us with advice through all phases of the conference.

We would also like to thank Springer for sponsoring the conference and publishing these proceedings, the University of Innsbruck for providing the registration system, and the Czech Institute of Informatics, Robotics, and Cybernetics (CIIRC-CTU) for hosting and supporting the conference and its organization.

July 2023

Revantha Ramanayake
Josef Urban

# **Organization**

# **Program Committee Chairs**

Revantha Ramanayake, University of Groningen, The Netherlands
Josef Urban, Czech Technical University in Prague, Czech Republic


# **Steering Committee**


### **Program Committee**

Bahareh Afshari, University of Gothenburg, Sweden, and University of Amsterdam, The Netherlands
Carlos Areces, Universidad Nacional de Córdoba, Argentina
Peter Baumgartner, Data61/CSIRO, Australia
Serenella Cerrito, Université Paris-Saclay, Université d'Evry, France
Kaustuv Chaudhuri, Inria, France
Anupam Das, University of Birmingham, UK
Stéphane Demri, CNRS, France
Clare Dixon, University of Manchester, UK
Christian Fermüller, Technische Universität Wien, Austria
Camillo Fiorentini, Università degli Studi di Milano, Italy
Ulrich Furbach, University of Koblenz, Germany
Didier Galmiche, Université de Lorraine, France
Silvio Ghilardi, Università degli Studi di Milano, Italy
Marianna Girlando, University of Amsterdam, The Netherlands
Stéphane Graham-Lengrand, SRI International, USA
Charles Grellois, Université de Bordeaux, France
Andrzej Indrzejczak, University of Łódź, Poland
Neil Murray, University at Albany, USA
Sara Negri, University of Genoa, Italy
Nicolas Peltier, CNRS, France
Gian Luca Pozzato, University of Turin, Italy
Lutz Straßburger, Inria, France
Yoni Zohar, Bar-Ilan University, Israel

Cezary Kaliszyk, University of Innsbruck, Austria
Hidenori Kurokawa, Kanazawa University, Japan
Stepan Kuznetsov, Russian Academy of Sciences, Russia
Timo Lang, University College London, UK
Sonia Marin, University of Birmingham, UK
Cláudia Nalon, University of Brasília, Brazil
Hans de Nivelle, Nazarbayev University, Kazakhstan
Eugenio Orlandelli, University of Bologna, Italy
Jens Otten, University of Oslo, Norway
Alessandra Palmigiano, Vrije Universiteit Amsterdam, The Netherlands
Dirk Pattinson, Australian National University, Australia
Frank Pfenning, Carnegie Mellon University, USA
Elaine Pimentel, University College London, UK
Michael Rawson, Technische Universität Wien, Austria
Reuben Rowe, Royal Holloway, University of London, UK
Katsuhiko Sano, Hokkaido University, Japan
José Espírito Santo, University of Minho, Portugal
Thomas Studer, University of Bern, Switzerland
Zsolt Zombori, Alfréd Rényi Institute of Mathematics, Hungary

# **Local Organizers**

Karel Chvalovský, Czech Technical University in Prague, Czechia
Jan Jakubův, Czech Technical University in Prague, Czechia
Cezary Kaliszyk, University of Innsbruck, Austria
Martin Suda, Czech Technical University in Prague, Czechia
Josef Urban, Czech Technical University in Prague, Czechia

# **Additional Reviewers**

Stefano Aguzzoli
Martín Diéguez
Andrea De Domenico
Mauro Ferrari
Guido Fiorino
Pietro Galliani
Anton Gnatenko
Giuseppe Greco
Sean Holden
Etienne Lozes
Tim Lyon
Sergei Odintsov
Edi Pavlovic
Florian Rabe
Atefeh Rohani
Tor Sandqvist
Apostolos Tzimoulis
Dominik Wehr
Junhua Yu
Lukas Zenger

# **Abstracts of Invited Talks**

# **Epistemic Logics of Structured Intensional Groups: Agents - Groups - Names - Types**

Marta Bílková

Czech Academy of Sciences, Czechia

In the overwhelming majority of contributions to multi-agent epistemic, doxastic, and coalition logic, a group is reduced to its extension, i.e., the set of its members. This has the counter-intuitive consequence that groups change identity when their membership changes, and it rules out uncertainty regarding who is a member of a given group. Additionally, this idealization does not reflect the structure of groups, or the structured way in which collective epistemic attitudes emerge, in the intended application of logical models. We will outline an abstract framework in which we can lift this idealization, namely by replacing agent or group labels of epistemic modalities with names, or by providing them with an algebraic structure relevant to the types of collective epistemic attitudes in question. The resulting formalisms are essentially two-sorted, combining the language of labels of modalities and the language of epistemic statements. A fully abstract account of such epistemic logics can be given, linking two-sorted algebras (involving propositions and group labels/types of knowledge) with monotone neighborhood frame semantics, in terms of an algebraic duality. This can further be applied to obtain, e.g., a definability theorem or to design a multi-type proof theory for the basic logic. We further discuss several particular examples of algebraic signatures giving rise to interesting and useful variants of group knowledge.

# **First-Order Instantiation-Based Tableau**

Chad E. Brown

Czech Technical University in Prague, Czechia

We present a tableau calculus for first-order logic with equality. The calculus is a fragment of the higher-order calculus that is the theoretical basis for the award-winning higher-order automated theorem prover Satallax and its successor Lash. A key aspect of the calculus is that universal quantifiers only need to be instantiated with terms that occur on one side of a disequation on the current open branch. This makes the search instantiation-based (as no metavariables are introduced and no unification is used). We will give an overview of the completeness proof and how the completeness proof can be modified to justify various modifications to the calculus. Both Satallax and Lash make use of the SAT solver MiniSat to determine when the search is complete (i.e., when every branch of the tableau is closed). Superposition provers like Vampire and E and SMT solvers like CVC5 and Z3 outperform Lash on typical first-order TPTP problems (used in the CASC competition). However, we will present a set of first-order clausal problems on which Lash significantly outperforms other provers.

# **Combining Semantic Tableaux**

Valentin Goranko

Stockholm University, Sweden

Semantic tableaux for combined logical systems are usually constructed ad hoc and the question of developing more general methodologies for combining tableaux is yet to be systematically explored.

In this talk I will address that question and will outline a methodological approach for combining tableaux. I will discuss the questions of transfer of soundness, completeness, and termination from the components to the combined tableaux, both in general and in the context of some important special cases, including multi-agent epistemic and temporal epistemic logics.

# **Proof Systems and Termination**

Rosalie Iemhoff

Utrecht University, The Netherlands

In the study of logics, proof systems are a useful tool, and proof systems that are terminating even more so. Termination comes in degrees, where the strongest form of termination arguably requires that any backwards proof search in the proof system terminates. Not every application in which a proof system is involved needs this strong form of termination, but some applications seem to do so. In this talk I discuss the role of termination in proof theory, and connect it in particular to counter model constructions and interpolation.

# **Always Look on Both Sides of Proof: Syntax and Semantics as the Yin and Yang of Structural Proof Theory**

Roman Kuznets

Technische Universität Wien, Austria

Proof theory provides a purely syntactic way of reasoning, without the need to resort to semantics. This is especially true of internal proof calculi where proof objects are interpreted as formulas, as opposed to external calculi that also exploit semantic elements. On the other hand, tableau formalisms suggest that the distinction between pure and "impure" syntax, between internal and external calculi is, perhaps, more superficial than commonly believed. Indeed, tableaus are typically isomorphic to some internal sequent-like calculus, despite themselves being described in largely semantic terms.

I argue that the choice between embracing and avoiding semantic elements is a false one, that the two sides of proof formalisms mutually enrich rather than oppose each other. As an illustration of such successful interplay, I will discuss how semantic intuitions have been instrumental in developing several proof formalisms, including those used for solving two open problems: (1) the Lyndon interpolation property for Gödel-Dummett Logic and (2) decidability for the intuitionistic modal logic S4.

Supported by the Austrian Science Fund (FWF) project ByzDEL (P33600).

# **Contents**

#### **Tableau Calculi**


#### **Sequent Calculi**




#### **Modal Logics**




#### **Separation Logic**


# **Tableau Calculi**

# **Range-Restricted and Horn Interpolation through Clausal Tableaux**

Christoph Wernhard

University of Potsdam, Potsdam, Germany info@christophwernhard.com

**Abstract.** We show how variations of range-restriction and also the Horn property can be passed from inputs to outputs of Craig interpolation in first-order logic. The proof system is clausal tableaux, which stems from first-order ATP. Our results are induced by a restriction of the clausal tableau structure, which can be achieved in general by a proof transformation, also if the source proof is by resolution/paramodulation. Primarily addressed applications are query synthesis and reformulation with interpolation. Our methodical approach combines operations on proof structures with the immediate perspective of feasible implementation through incorporating highly optimized first-order provers.

# **1 Introduction**

We show how variations of range-restriction and also the Horn property can be passed from inputs to outputs of Craig interpolation in first-order logic. The primarily envisaged application field is synthesis and reformulation of queries with interpolation [5,39,56]. Basically, the sought target query *R* is understood there as the right side of a definition of a given query *Q* within a given background knowledge base *K*, i.e., it holds that *K* |= (*Q* ↔ *R*), where the vocabulary of *R* is in a given set of permitted target symbols. In first-order logic, the formulas *R* can be characterized as the Craig interpolants of *K* ∧ *Q* and ¬*K*′ ∨ *Q*′, where *K*′, *Q*′ are copies of *K*, *Q* with the symbols not allowed in *R* replaced by fresh symbols [14]. Formulas *R* exist if and only if the entailment *K* ∧ *Q* |= ¬*K*′ ∨ *Q*′ holds. They can be constructed as Craig interpolants from given proofs of the entailment in a suitable calculus.

In databases and knowledge representation, syntactic fragments of first-order logic ensure desirable properties, for example domain independence. Typically, for given *K* and *Q* in some such fragment, also *R* must be in some specific fragment to be usable as a query or as a knowledge base component. Our work addresses this by showing for certain such fragments how membership is passed on to interpolants and thus to the constructed right sides of definitions. The

Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – Project-ID 457292495. The work was supported by the North-German Supercomputing Alliance (HLRN).

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 3–23, 2023. https://doi.org/10.1007/978-3-031-43513-3\_1

fragment in focus here is a variant of range-restriction from [59], known as a rather general syntactic condition to ensure domain independence [1, p. 97]. It permits conversion into a shape suitable for "evaluation" by binding free and quantified variables successively to the members of given predicate extensions. Correspondingly, if the vocabulary is relational, a range-restricted formula can be translated into a relational algebra expression. First-order representations of widely-used classes of integrity constraints, such as tuple-generating dependencies, are sentences that are range-restricted in the considered sense.

As proof system we use *clausal tableaux* [26,29–31,33], devised in the 1990s to take account of automated first-order provers that may be viewed as enumerating tree-shaped proof structures, labeled with instances of input clauses.<sup>1</sup> Such systems include the Prolog Technology Theorem Prover [53], SETHEO [32], leanCoP [42,43] and CMProver [16,45,60,61]. As shown in [62], a *given* closed clausal tableau is quite well-suited as a proof structure to extract a Craig interpolant. Via the translation of a resolution deduction tree [12] to a clausal tableau in cut normal form [31,62] this transfers also to interpolation from a given resolution/paramodulation proof.

Since the considered notion of range-restriction is based on prenexing and properties of both a CNF and a DNF representation of the formula, it fits well with the common first-order ATP setting involving Skolemization and clausification and the ATP-oriented interpolation on the basis of clausal tableaux, where in a first stage the propositional structure of the interpolant is constructed and in a second stage the quantifier prefix.

Our strengthenings of Craig interpolation are induced by a specific restriction of the clausal tableau structure, which we call *hyper*, since it relates to the proof structure restrictions of hyperresolution [46] and hypertableaux [2]. However, it is considered here for tree structures with rigid variables. A proof transformation that converts an arbitrary closed clausal tableau to one with the hyper property shows that the restriction is w.l.o.g. and, moreover, allows the prover unhampered search for the closed clausal tableaux or resolution/paramodulation proof underlying interpolation.

*Structure of the Paper.* Section 2 summarizes preliminaries, in particular interpolation with clausal tableaux [62]. Our main result on strengthenings of Craig interpolation for range-restricted formulas is developed in Sect. 3. Section 4 discusses Craig interpolation from a Horn formula, also combined with range-restriction. The proof transformation underlying these results is introduced in Sect. 5. We conclude in Sect. 6 with discussing related work, open issues and perspectives.

<sup>1</sup> Alternate accounts and views are provided by model elimination [34] and the connection method [7,8].

Proofs of nontrivial claims that are not proven in the body of the paper are supplemented in the preprint version [63]. An implementation with the PIE environment [60,61]<sup>2</sup> is in progress.

# **2 Notation and Preliminaries**

#### **2.1 Notation**

We consider *formulas* of first-order logic. An *NNF formula* is a quantifier-free formula built up from *literals* (atoms or negated atoms), truth-value constants ⊤, ⊥, conjunction and disjunction. A *CNF formula*, also called *clausal formula*, is an NNF formula that is a conjunction of disjunctions (*clauses*) of literals. A *DNF formula* is an NNF formula that is a disjunction of conjunctions (*conjunctive clauses*) of literals. The complement of a literal *L* is denoted by L̄. An occurrence of a subformula in a formula has positive (negative) *polarity*, depending on whether it is in the scope of an even (odd) number of possibly implicit occurrences of negation. Let *F* be a formula. Var(*F*) is the set of its free variables. Var⁺(*F*) (Var⁻(*F*)) is the set of its free variables with an occurrence in an atom with positive (negative) polarity. Fun(*F*) is the set of functions occurring in it, including constants, regarded here throughout as 0-ary functions. Pred±(*F*) is the set of pairs ⟨*p*, *pol*⟩, where *p* is a predicate and *pol* ∈ {+, −}, such that an atom with predicate *p* occurs in *F* with the polarity indicated by *pol*. Voc±(*F*) is Fun(*F*) ∪ Pred±(*F*). A *sentence* is a formula without free variables. An NNF is *ground* if it has no variables. If *S* is a set of terms, we call its members *S*-terms. The |= symbol expresses semantic entailment.
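This notation can be made concrete in a small sketch. The encoding below (literals as `(sign, predicate, args)` triples, NNF formulas as nested `('and', ...)`/`('or', ...)` tuples, and an explicitly supplied variable set) is an assumption of this illustration, not the paper's:

```python
def complement(lit):
    """The complement of a literal: flip its sign."""
    sign, pred, args = lit
    return (not sign, pred, args)

def literals(formula):
    """Yield all literal occurrences of an NNF formula."""
    if formula[0] in ('and', 'or'):
        for sub in formula[1:]:
            yield from literals(sub)
    else:
        yield formula

def var_pol(formula, variables, positive):
    """Var+(F) (positive=True) or Var-(F) (positive=False): the free
    variables with an occurrence in an atom of that polarity."""
    return {t for (sign, _p, args) in literals(formula)
            if sign == positive for t in args if t in variables}

def pred_pol(formula):
    """Pred±(F): pairs of a predicate and an occurring polarity."""
    return {(p, '+' if sign else '-') for (sign, p, _a) in literals(formula)}
```

For instance, for F = p(x) ∧ (¬p(x) ∨ q(y)) with variables {x, y}, `var_pol` yields Var⁺(F) = {x, y} and Var⁻(F) = {x}.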

#### **2.2 Clausal First-Order Tableaux**

A *clausal tableau* (briefly *tableau*) *for* a clausal formula *F* is a finite ordered tree whose nodes *N*, with the exception of the root, are labeled with a literal lit(*N*), such that for each node *N* the disjunction of the literals of all its children in their left-to-right order, clause(*N*), is an instance of a clause in *F*. A branch of a tableau is *closed* iff it contains nodes with complementary literals. A node is *closed* iff all branches through it are closed. A tableau is *closed* iff its root is closed. A node is *closing* iff it has an ancestor with a complementary literal. With a closing node *N*, a particular such ancestor is associated as the *target of N*, written tgt(*N*). A tableau is *regular* iff no node has an ancestor with the same literal, and is *leaf-closing* iff all closing nodes are leaves. A closed tableau that is leaf-closing is called *leaf-closed*. Tableau simplification can convert any tableau to a regular and leaf-closing tableau for the same clausal formula, closed iff the original tableau is so. Regularity is achieved by repeating the following operation [31, Sect. 2.1.3]: Select a node *N* with an ancestor that has the same literal, remove the edges originating in the parent of *N* and replace them with the edges originating in *N*. The leaf-closing property is achieved by repeatedly selecting an inner node

<sup>2</sup> http://cs.christophwernhard.com/pie.

*N* that is closing and removing the edges originating in *N*. All occurrences of variables in (the literal labels of) a tableau are free and their scope spans the whole tableau. That is, we consider *free-variable tableaux* [30, p. 158ff] with *rigid* variables [26, p. 114]. A tableau without variables is called *ground*. The universal closure of a clausal formula *F* is unsatisfiable iff there exists a closed clausal tableau for *F*. This holds also if *clausal tableau* is restricted by the properties *ground*, *regular* and *leaf-closing* in arbitrary combinations.
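The closedness test and the regularity operation can be sketched as follows. The tree encoding (dicts with a literal label, `None` at the root, and ordered children) and the `(sign, atom)` literal pairs are assumptions of this sketch:

```python
def node(lit, children=()):
    """A tableau node: a literal label (None at the root), ordered children."""
    return {'lit': lit, 'children': list(children)}

def comp(lit):
    """Complement of a (sign, atom) literal."""
    sign, atom = lit
    return (not sign, atom)

def closed(n, ancestors=frozenset()):
    """A branch is closed iff it contains complementary literals; a node is
    closed iff all branches through it are, a tableau iff its root is."""
    if n['lit'] is not None and comp(n['lit']) in ancestors:
        return True
    if not n['children']:
        return False                       # an open branch ends here
    lits = ancestors | ({n['lit']} if n['lit'] is not None else frozenset())
    return all(closed(c, lits) for c in n['children'])

def regularize(n, ancestors=frozenset()):
    """Repeat the operation of [31, Sect. 2.1.3]: if a child repeats an
    ancestor literal, replace the parent's edges with that child's edges."""
    while True:
        for c in n['children']:
            if c['lit'] in ancestors:
                n['children'] = list(c['children'])
                break
        else:
            break
    for c in n['children']:
        regularize(c, ancestors | {c['lit']})
    return n
```

On the irregular closed tableau with branch p, p, ¬p, `regularize` splices out the repeated p, leaving the branch p, ¬p, and closedness is preserved.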

#### **2.3 Interpolation with Clausal Tableaux**

Craig's interpolation theorem [13,15] along with Lyndon's observation on the preservation of predicate polarities [35] ensures for first-order logic the existence of *Craig-Lyndon interpolants*, defined as follows. Let *F, G* be formulas such that *F* |= *G*. A *Craig-Lyndon interpolant* of *F* and *G* is a formula *H* such that (1) *F* |= *H* and *H* |= *G*. (2) V*oc*±(*H*) ⊆ V*oc*±(*F*) ∩ V*oc*±(*G*). (3) V*ar* (*H*) ⊆ V*ar* (*F*)∩V*ar* (*G*). The perspective of validating an entailment *F* |= *G* by showing unsatisfiability of *F* ∧ ¬*G* is reflected in the notion of *reverse Craig-Lyndon interpolant* of *F* and *G*, defined as Craig-Lyndon interpolant of *F* and ¬*G*.
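Condition (2) is a purely syntactic check that can be mechanized. In this sketch (the abstraction of a formula to its set of `(sign, predicate, args)` literal occurrences is an assumption of the illustration), the second argument pair plays the role of *F* and the *implied* formula *G*:

```python
def voc(lits):
    """Voc±: functions/constants together with the signed predicate
    occurrences of a formula given as a set of (sign, pred, args) literals."""
    preds = {(p, s) for (s, p, _a) in lits}
    funs = {t for (_s, _p, args) in lits for t in args}
    return preds | funs

def lyndon_vocabulary_ok(H, F, G):
    """Condition (2) of Craig-Lyndon interpolants:
    Voc±(H) ⊆ Voc±(F) ∩ Voc±(G)."""
    return voc(H) <= voc(F) & voc(G)
```

For instance, with F = p(a) ∧ (¬p(a) ∨ q(a)) and the implied formula (q(a) ∧ ¬r(a)) ∨ r(a), the candidate H = q(a) passes the check, while H = p(a) does not, since p occurs only on the F side.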

Following [62], our interpolant construction is based on a generalization of clausal tableaux where nodes have an additional *side* label that is shared by siblings and indicates whether the tableau clause is an instance of an input clause derived from the formula *F* or from the formula *G* of the statement *F* ∧ *G* |= ⊥ underlying the reverse interpolant. Thus, a *two-sided clausal tableau for* clausal formulas *F and G* is a tableau for *F* ∧ *G* whose nodes *N*, with the exception of the root, are labeled additionally with a *side* side(*N*) ∈ {F, G}, such that (1) if *N* and *N*′ are siblings, then side(*N*) = side(*N*′); (2) if *N* has a child *N*′ with side(*N*′) = F, then clause(*N*) is an instance of a clause in *F*, and if *N* has a child *N*′ with side(*N*′) = G, then clause(*N*) is an instance of a clause in *G*. We also refer to the side of the children of a node *N* as the *side of* clause(*N*). For *side* ∈ {F, G} define path*side*(*N*) as the conjunction of lit(*N*′) for all nodes *N*′ ∈ *Path* with side(*N*′) = *side*, where *Path* is the union of the set of the ancestors of *N* and {*N*}.

**Fig. 1.** A two-sided clausal tableau.

Let *N* be a node of a leaf-closed two-sided clausal tableau. The value of ipol(*N*) is an NNF formula, defined inductively as follows. If *N* is a leaf, then ipol(*N*) is determined by the sides of *N* and of its target tgt(*N*): it is ⊥ if side(*N*) = F and side(tgt(*N*)) = F; it is ⊤ if side(*N*) = G and side(tgt(*N*)) = G; it is lit(*N*) if side(*N*) = F and side(tgt(*N*)) = G; and it is the complement of lit(*N*) if side(*N*) = G and side(tgt(*N*)) = F. If *N* is an inner node with children *N*1*, ..., N*n, then ipol(*N*) is the disjunction ipol(*N*1) ∨ ... ∨ ipol(*N*n) if the side of clause(*N*) is F, and the conjunction ipol(*N*1) ∧ ... ∧ ipol(*N*n) if it is G.

**Example 1.** Figure 1 shows a two-sided tableau for *F* = p(a) ∧ (¬p(a) ∨ q(a)) and *G* = (¬q(a)∨r(a))∧¬r(a). Side G is indicated by gray background. For each node the value of ipol, after truth-value simplification, is annotated in brackets. The clauses of the tableau are ¬r(a) and ¬q(a) ∨ r(a), which have side G, and ¬p(a) ∨ q(a) and p(a), which have side F. If *N* is the node shown bottom left, labeled with p(a), then pathF(*N*) = ¬p(a) ∧ p(a) and pathG(*N*) = ¬r(a) ∧ ¬q(a).
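The computation of Example 1 can be replayed in a runnable sketch. The string encoding of literals (`~` for negation), the tuple encoding of nodes, and the eager truth-value simplification are assumptions of this illustration:

```python
def ipol(n, path=()):
    """n = (lit, side, children), with lit = '' at the root; path collects
    the ancestor (lit, side) pairs.  Leaves: F against an F target gives
    'false', G against G gives 'true', F against G the literal, G against F
    its complement.  Inner nodes: disjunction over F-clauses, conjunction
    over G-clauses, simplified with respect to truth-value constants."""
    lit, side, children = n
    if not children:                       # closing leaf: locate its target
        neg = lit[1:] if lit.startswith('~') else '~' + lit
        tgt_side = next(s for (l, s) in reversed(path) if l == neg)
        if side == 'F':
            return 'false' if tgt_side == 'F' else lit
        return 'true' if tgt_side == 'G' else neg
    op = 'or' if children[0][1] == 'F' else 'and'
    absorbing = 'true' if op == 'or' else 'false'
    neutral = 'false' if op == 'or' else 'true'
    sub = path + ((lit, side),) if lit else path
    vals = [ipol(c, sub) for c in children]
    if absorbing in vals:
        return absorbing
    vals = [v for v in vals if v != neutral]
    if not vals:
        return neutral
    return vals[0] if len(vals) == 1 else (op, *vals)

# The two-sided tableau of Fig. 1 for F = p(a) ∧ (¬p(a) ∨ q(a)) and
# G = (¬q(a) ∨ r(a)) ∧ ¬r(a), with sides 'F'/'G' as in the example:
fig1 = ('', None, [
    ('~r(a)', 'G', [
        ('~q(a)', 'G', [
            ('~p(a)', 'F', [('p(a)', 'F', [])]),
            ('q(a)', 'F', [])]),
        ('r(a)', 'G', [])])])
```

Here `ipol(fig1)` evaluates to `'q(a)'`, the interpolant value of Example 1 after truth-value simplification.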

If *N*0 is the root of a two-sided tableau for clausal *ground* formulas *F* and *G*, then ipol(*N*0) is a Craig-Lyndon interpolant of *F* and ¬*G*.<sup>3</sup> The CTIF (*Clausal Tableau Interpolation for First-Order Formulas*) procedure (Fig. 2) [62] extends this to a two-stage [9,24] (inductive construction and lifting) interpolation method for full first-order logic. It is complete (yields a Craig-Lyndon interpolant for all first-order formulas *F* and *G* such that *F* |= *G*) under the assumption that the method for tableau computation in Step 3 is complete (yields a closed tableau for all unsatisfiable clausal formulas). Some steps leave room for interpolation-specific heuristics: in Step 4 the choice of the terms used for grounding; in Step 5 the choice of the side assigned to clauses that are an instance of both a clause in *F*′ and a clause in *G*′; and in Step 7 the quantifier prefix, which is constrained just by a partial order.

**Example 2.** Let *F* def= ∀*x* p(*x*) ∧ ∀*x* (¬p(*x*) ∨ q(*x*)) and let *G* def= ∀*x* (¬q(*x*) ∨ r(*x*)) → r(a). Clausifying *F* and ¬*G* then yields *F*′ = p(*x*) ∧ (¬p(*x*) ∨ q(*x*)) and *G*′ = (¬q(*x*) ∨ r(*x*)) ∧ ¬r(a). The tableau from Fig. 1 is a leaf-closed ground tableau for *F*′ and *G*′ and we obtain q(a) as *H*grd. Lifting for F = {} and G = {a} yields the interpolant *H* = ∀*v*1 q(*v*1).

**Example 3.** Let *F* def= ∀*x*∀*y* p(*x*, f(*x*), *y*) and let *G* def= ∃*x* p(a, *x*, g(*x*)). Clausifying yields *F*′ = p(*x*, f(*x*), *y*) and *G*′ = ¬p(a, *z*, g(*z*)). We obtain p(a, f(a), g(f(a))) as *H*grd. Lifting is for F = {f} and G = {a, g} with *t*1 = a, *t*2 = f(a) and *t*3 = g(f(a)). It yields *H* = ∀*v*1∃*v*2∀*v*3 p(*v*1, *v*2, *v*3).

#### **3 Interpolation and Range-Restriction**

We now develop our main result on strengthenings of Craig interpolation for range-restricted formulas.

<sup>3</sup> So far, the interpolation method is a variation of well-known methods for sequent systems [52,55] and analytic tableaux [20] when restricted to propositional formulas.

#### **3.1 CNF and DNF with Some Assumed Syntactic Properties**

Following [59] we will consider a notion of range-restriction defined in terms of properties of two prenex formulas that are equivalent to the original formula, have both the same quantifier prefix but matrices in CNF and DNF, respectively.

**Fig. 2.** The CTIF Procedure for Craig-Lyndon Interpolation [62].

Although not syntactically unique, we refer to them functionally as cnf(*F*) and dnf(*F*), since we only rely on specific – easy to achieve – syntactic properties that are stated in the following Propositions 4–6.

**Proposition 4.** *For all formulas F it holds that* V*ar* (cnf(*F*)) ⊆ V*ar* (*F*)*;* V*oc*±(cnf(*F*)) ⊆ V*oc*±(*F*)*;* V*ar* (dnf(*F*)) ⊆ V*ar* (*F*)*;* V*oc*±(dnf(*F*)) ⊆ V*oc*±(*F*)*.*

For prenex formulas *F* with an NNF matrix let dual(*F*) be the formula obtained from *F* by switching quantifiers ∀ and ∃, connectives ∧ and ∨, truth-value constants ⊤ and ⊥, and literals with their complement.
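The dual operation is directly computable. In this sketch (the tuple encoding of a prenex formula as a quantifier prefix plus an NNF matrix is an assumption), literals are strings with `~` marking negation:

```python
def dual_matrix(f):
    """Dualize an NNF matrix: swap and/or and the truth-value constants,
    and replace each literal with its complement."""
    if isinstance(f, tuple):
        op = {'and': 'or', 'or': 'and'}[f[0]]
        return (op,) + tuple(dual_matrix(g) for g in f[1:])
    if f in ('true', 'false'):
        return 'false' if f == 'true' else 'true'
    return f[1:] if f.startswith('~') else '~' + f

def dual(formula):
    """dual(F) for a prenex formula (prefix, matrix): additionally swap
    the quantifiers forall and exists in the prefix."""
    prefix, matrix = formula
    swapped = tuple(('exists' if q == 'forall' else 'forall', v)
                    for (q, v) in prefix)
    return (swapped, dual_matrix(matrix))
```

As expected from Proposition 5, `dual` is an involution: applying it twice returns the original formula.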

**Proposition 5.** *For all formulas F it holds that* cnf(*F*) = dual(dnf(¬*F*))*;* dnf(*F*) = dual(cnf(¬*F*))*;* cnf(¬*F*) = dual(dnf(*F*))*;* dnf(¬*F*) = dual(cnf(*F*))*.*

**Proposition 6.** *Let F*1*, F*2*, ..., F*n *be NNF formulas. Then* (i) *Each clause in* cnf(*F*1 ∧ ... ∧ *F*n) *is in some* cnf(*F*j)*.* (ii) *Each conjunctive clause in* dnf(*F*1 ∨ ... ∨ *F*n) *is in some* dnf(*F*j)*.* (iii) *Formulas F*j *that are literals are in each clause in* cnf(*F*1 ∨ ... ∨ *F*n)*.* (iv) *Formulas F*j *that are literals are in each conjunctive clause in* dnf(*F*1 ∧ ... ∧ *F*n)*.* (v) *If S is a set of variables such that for all i* ∈ {1, ..., *n*} *and clauses C in* cnf(*F*i) *it holds that* Var(*C*) ∩ *S* ⊆ Var⁻(*C*)*, then for all clauses C in* cnf(*F*1 ∨ ... ∨ *F*n) *it holds that* Var(*C*) ∩ *S* ⊆ Var⁻(*C*)*.* (vi) *If S is a set of variables such that for all i* ∈ {1, ..., *n*} *and conjunctive clauses D in* dnf(*F*i) *it holds that* Var(*D*) ∩ *S* ⊆ Var⁺(*D*)*, then for all conjunctive clauses D in* dnf(*F*1 ∧ ... ∧ *F*n) *it holds that* Var(*D*) ∩ *S* ⊆ Var⁺(*D*)*.*

#### **3.2 Used Notions of Range-Restriction**

The following definition renders the characteristics of the range-restricted formulas as considered by Van Gelder and Topor in [59, Theorem 7.2] (except for the special consideration of equality in [59]).

**Definition 7.** A formula *F* with free variables X is called *VGT-range-restricted* if cnf(*F*) = *Q M*<sub>C</sub> and dnf(*F*) = *Q M*<sub>D</sub>, where *Q* is a quantifier prefix (the same in both formulas) upon universally quantified variables U and existentially quantified variables E (in arbitrary order), and *M*<sub>C</sub>, *M*<sub>D</sub> are quantifier-free formulas in CNF and DNF, respectively, such that


For VGT-range-restricted formulas it is shown in [59] that they can be translated, via two intermediate formula classes, to relational algebra expressions. Related earlier results include [17,18,40,41]. The constraint on universal variables is also useful on its own, as a weaker variant of range-restriction, defined as follows.

**Definition 8.** A formula *F* is called *U-range-restricted* if cnf(*F*) = *Q M*<sub>C</sub>, where *Q* is a quantifier prefix upon the universally quantified variables U (there may also be existentially quantified variables in *Q*) and *M*<sub>C</sub> is a quantifier-free formula in CNF such that for all clauses *C* in *M*<sub>C</sub> it holds that Var(*C*) ∩ U ⊆ Var<sup>−</sup>(*C*).

For formulas without free variables, U-range-restriction and VGT-range-restriction are related as follows.

**Proposition 9.** *Let F be a sentence. Then* (i) *F is VGT-range-restricted iff F and* ¬*F are both U-range-restricted.* (ii) *If F is universal (i.e., in prenex form with only universal quantifiers), then F is VGT-range-restricted iff F is U-range-restricted.* (iii) *If F is existential (i.e., in prenex form with only existential quantifiers), then F is VGT-range-restricted iff* ¬*F is U-range-restricted.*

U-range-restriction covers well-known restrictions on knowledge bases and on inputs of bottom-up calculi for first-order logic and fragments of it that are naturally represented by clausal formulas [3]. First-order representations of tuple-generating dependencies (TGDs) are VGT-range-restricted sentences: conjunctions of sentences of the form ∀X Y (*A*(X Y) → ∃Z *B*(Y Z)), where *A* is a possibly empty conjunction of relational atoms, *B* is a nonempty conjunction of relational atoms, and the free variables of *A* and *B* are exactly those in the sequences X Y and Y Z, respectively. Certain generalizations, e.g., to disjunctive TGDs, where *B* is built up from atoms, ∧ and ∨, are also VGT-range-restricted.
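The clause condition of Definition 8 can be checked mechanically. The sketch below uses a deliberately simplified clause representation of ours (literals as polarity/variable-set pairs) and ignores the quantifier prefix:

```python
def u_range_restricted(clauses, U):
    """Matrix condition of Definition 8: in every clause, each
    variable from U that occurs at all must occur in a negative
    literal.  A clause is a list of (is_positive, variable_set)
    pairs standing in for literals with their variables."""
    for clause in clauses:
        all_vars, neg_vars = set(), set()
        for positive, vs in clause:
            all_vars |= set(vs)
            if not positive:
                neg_vars |= set(vs)
        if not (all_vars & set(U)) <= neg_vars:
            return False
    return True

# ∀x (¬person(x) ∨ mortal(x)) satisfies the condition for U = {x}:
assert u_range_restricted([[(False, {'x'}), (True, {'x'})]], {'x'})
# ∀x mortal(x) does not: x occurs only in a positive literal.
assert not u_range_restricted([[(True, {'x'})]], {'x'})
```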

#### **3.3 Results on Range-Restricted Interpolation**

The following theorem shows three variations for obtaining range-restricted interpolants from range-restricted inputs.

**Theorem 10 (Interpolation and Range-Restriction).** *Let F and G be formulas such that F* |= *G.*


Observe that Theorem 10.i requires range-restriction only for *F*, the first of the two interpolation arguments. Theorem 10.iii aims at applications in query reformulation that in a basic form are expressed as an interpolation task for input formulas *F* = *K* ∧ *Q*(X) and *G* = ¬*K*′ ∨ *Q*′(X). Here *K* expresses background knowledge and constraints as a U-range-restricted sentence and *Q*(X) represents a query to be reformulated, with free variables X. Formulas *K*′ and *Q*′ are copies of *K* and *Q*, respectively, where predicates not allowed in the interpolant are replaced by primed versions. If the query *Q* is Boolean, i.e., X is empty, and *Q* is VGT-range-restricted, then Theorem 10.ii already suffices to justify the construction of a VGT-range-restricted interpolant. If X is not empty, the fine-print preconditions of Theorem 10.iii come into play. Precondition (1) requires that cnf(*K*) has no clause with only negative literals, which is satisfied if *K* represents TGDs. Also cnf(*Q*) may not have a clause with only negative literals. By precondition (2), all the free variables X must occur in all those clauses of cnf(¬*Q*) that have only negative literals, which follows if *Q* meets condition (3) of VGT-range-restriction (Definition 7). By precondition (3), for all clauses *C* in cnf(¬*Q*) it must hold that Var(*C*) ∩ X ⊆ Var<sup>−</sup>(*C*). A sufficient condition for *Q* to meet all these preconditions is that dnf(*Q*) has a purely existential quantifier prefix and a matrix with only positive literals in which each query variable, i.e., each member of X, occurs in each conjunctive clause.

#### **3.4 Proving Range-Restricted Interpolation – The Hyper Property**

We will prove Theorem 10 by showing how the claimed interpolants can be obtained with CTIF. As a preparatory step we match items from the specification of CTIF (Fig. 2) with the constraints of range-restriction. The following notion gathers intermediate formulas and sets of symbols of CTIF.

**Definition 11.** An *interpolation context* is a tuple ⟨*F*, *G*, *F*′, *G*′, 𝔽, 𝔾, 𝔼, 𝕌, C, *V*⟩, where *F*, *G* are formulas, *F*′, *G*′ are clausal formulas, C is a set of constants, 𝔽, 𝔾 are sets of functions, and 𝔼, 𝕌, *V* are sets of terms such that the following holds. (i) *F* |= *G*. (ii) Let *F<sub>c</sub>* and *G<sub>c</sub>* be *F* and *G* after replacing each free variable with a dedicated fresh constant. Let C be those constants that were used there to replace a variable that occurs in both *F* and *G*. *F*′ and *G*′ are the matrices of cnf(*F<sub>c</sub>*) and of cnf(¬*G<sub>c</sub>*), after replacing existentially quantified variables with Skolem terms. (iii) 𝔽 is the union of the set of the Skolem functions introduced for existential quantifiers of cnf(*F<sub>c</sub>*), the set of functions occurring in *F<sub>c</sub>* but not in *G<sub>c</sub>* and, possibly, further functions freshly introduced in the grounding step of CTIF. Analogously, 𝔾 is the union of the set of the Skolem functions introduced for cnf(¬*G<sub>c</sub>*), the set of functions occurring in *G<sub>c</sub>* but not in *F<sub>c</sub>*, and, possibly, further functions introduced in grounding. (iv) 𝔼 and 𝕌 are the sets of all terms with outermost function symbol in 𝔽 and 𝔾, respectively. (v) *V* is 𝔼 ∪ 𝕌 ∪ C.

The following statements about an interpolation context are easy to infer.

**Lemma 12.** *Let* ⟨*F*, *G*, *F*′, *G*′, 𝔽, 𝔾, 𝔼, 𝕌, C, *V*⟩ *be an interpolation context. Then* (i) *No member of* 𝔾 *occurs in F*′*.* (ii) *No member of* 𝔽 *occurs in G*′*.* (iii) *If F is U-range-restricted, then for all clauses C in F*′ *it holds that if a variable occurs in C in a position that is not within an* 𝔼*-term, it occurs in C in a negative literal, in a position that is not within an* 𝔼*-term.* (iv) *If* ¬*G is U-range-restricted, then for all clauses C in G*′ *it holds that if a variable occurs in C in a position that is not within a* 𝕌*-term, it occurs in C in a negative literal, in a position that is not within a* 𝕌*-term.* (v) *If G satisfies condition (3) of Theorem 10.iii, then for all clauses C in G*′ *it holds that any member of the constant set* C *that occurs in C in a position that is not within a* 𝕌*-term occurs in C in a negative literal, in a position that is not within a* 𝕌*-term.*

CTIF involves conversion of terms to variables at lifting (step 7) and at replacing placeholder constants (step 8). We introduce a notation to identify those terms that will be converted there to variables. It mimics the notation for the set of free variables of a formula but applies to a set of terms, those with occurrences that are "maximal" with respect to a given set *S* of terms, i.e., are not within another term from *S*. For NNF formulas *F* define *S*-Max(*F*) as the set of *S*-terms that occur in *F* in a position other than as subterm of another *S*-term. Define *S*-Max<sup>+</sup>(*F*) (*S*-Max<sup>−</sup>(*F*), respectively) as the set of *S*-terms that occur in *F* in a positive (negative, respectively) literal in a position other than as subterm of another *S*-term. We can now conclude from Lemma 12 the following properties of instances of clauses used for interpolant construction.

**Lemma 13.** *Let* ⟨*F*, *G*, *F*′, *G*′, 𝔽, 𝔾, 𝔼, 𝕌, C, *V*⟩ *be an interpolation context. Then*


The following proposition adapts Props. 6.v and 6.vi to *S*-Max.

**Proposition 14.** *Let F*<sub>1</sub>*, F*<sub>2</sub>*, ..., F<sub>n</sub> be NNF formulas and let T be a set of terms. Then* (i) *If S is a set of terms such that for all i* ∈ {1*,...,n*} *and clauses C in* cnf(*F<sub>i</sub>*) *it holds that T-*Max(*C*) ∩ *S* ⊆ *T-*Max<sup>−</sup>(*C*)*, then for all clauses C in* cnf(*F*<sub>1</sub> ∨ ⋯ ∨ *F<sub>n</sub>*) *it holds that T-*Max(*C*) ∩ *S* ⊆ *T-*Max<sup>−</sup>(*C*)*.* (ii) *If S is a set of terms such that for all i* ∈ {1*,...,n*} *and conjunctive clauses D in* dnf(*F<sub>i</sub>*) *it holds that T-*Max(*D*) ∩ *S* ⊆ *T-*Max<sup>+</sup>(*D*)*, then for all conjunctive clauses D in* dnf(*F*<sub>1</sub> ∧ ⋯ ∧ *F<sub>n</sub>*) *it holds that T-*Max(*D*) ∩ *S* ⊆ *T-*Max<sup>+</sup>(*D*)*.*
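The notion *S*-Max can be illustrated on a toy term representation of ours (nested tuples for compound terms, strings for variables and constants); the polarity-restricted variants *S*-Max<sup>+</sup>/*S*-Max<sup>−</sup> simply filter literals by sign:

```python
def s_max(literals, S, polarity=None):
    """Occurrences of S-terms that are maximal w.r.t. S, i.e. not
    inside another S-term.  Literals are (positive, [terms]) pairs;
    terms are nested tuples ('f', arg, ...) or plain names.
    polarity=True/False restricts to positive/negative literals,
    giving the S-Max+/S-Max- variants."""
    found = set()

    def walk(t, inside_s):
        if t in S:
            if not inside_s:
                found.add(t)
            inside_s = True          # deeper S-terms are not maximal
        if isinstance(t, tuple):
            for arg in t[1:]:
                walk(arg, inside_s)

    for positive, terms in literals:
        if polarity is None or positive == polarity:
            for t in terms:
                walk(t, False)
    return found

fx, gfx = ('f', 'x'), ('g', ('f', 'x'))
S = {fx, gfx}
# In g(f(x)) only g(f(x)) is maximal; f(x) occurs inside it.
assert s_max([(True, [gfx])], S) == {gfx}
assert s_max([(True, [gfx])], S, polarity=False) == set()
```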

The key to obtaining range-restricted interpolants from CTIF is that the tableau must have a specific form, which we call *hyper*, as it resembles proofs by hyperresolution [46] and hypertableaux [2].

**Definition 15.** A clausal tableau is called *hyper* if the nodes labeled with a negative literal are exactly the leaf nodes.
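A checker for the hyper property of Definition 15 is immediate. The node class below is a minimal stand-in of ours, keeping only the sign of the literal label:

```python
class Node:
    """Tableau node reduced to what the hyper check needs:
    the sign of the literal label and the children."""
    def __init__(self, positive, children=()):
        self.positive = positive
        self.children = list(children)

def is_hyper(node):
    """Definition 15, checked below one literal-labeled node:
    negative literals label exactly the leaves."""
    if not node.children:
        return not node.positive
    return node.positive and all(is_hyper(c) for c in node.children)

# Positive inner node with a closing negative leaf: hyper.
assert is_hyper(Node(True, [Node(False)]))
# A negative literal on an inner node violates the property.
assert not is_hyper(Node(False, [Node(False)]))
```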

While hyperresolution and related approaches, e.g., [2,3,11,36,46], consider DAG-shaped proofs with non-rigid variables, we, aiming at interpolant extraction, consider the hyper property for tree-shaped proofs with rigid variables. The *hyper* requirement is w.l.o.g., because arbitrary closed clausal tableaux can be converted to tableaux with the hyper property, as we will see in Sect. 5.

The proof of Theorem 10 is based on three properties that invariantly hold for all nodes, or for all inner nodes, respectively, stated in the following lemma.

**Lemma 16.** *Let* ⟨*F*, *G*, *F*′, *G*′, 𝔽, 𝔾, 𝔼, 𝕌, C, *V*⟩ *be an interpolation context and assume a leaf-closed and hyper two-sided clausal ground tableau for F*′ *and G*′*.*


Each of Lemma 16.i, 16.ii and 16.iii can be proven independently by an induction on the tableau structure, but for the same tableau, such that the properties claimed by them can be combined. In proving these three sub-lemmas it is sufficient to use their respective preconditions only to justify the application of matching sub-lemmas of Lemma 13. That lemma might thus be seen as an abstract interface that delivers everything that depends on these preconditions and is relevant for Theorem 10.

We show here the proof of Lemma 16.i. Lemma 16.ii can be proven in full analogy. The proof of Lemma 16.iii is deferred to [63, App. A]. In general, recall that the tableau in Lemma 16 is a two-sided tableau for *F*′ and *G*′ that is leaf-closed and hyper. Hence literal labels of leaves are negative, while those of inner nodes are positive. All tableau clauses are ground and have an associated *side* in {F, G} such that a tableau clause with side F is an instance of a clause in *F*′ and one with side G is an instance of a clause in *G*′.

*Proof (Lemma 16.i).* By induction on the tableau structure.

*Base case where N is a leaf.* If *N* and tgt(*N*) have the same side, then ipol(*N*) is a truth-value constant, hence *V*-Max(ipol(*N*)) = ∅, implying INVC(*N*). If *N* has side F and tgt(*N*) has side G, then ipol(*N*) = lit(*N*), which, because *N* is a leaf, is a negative literal. Thus *V*-Max(ipol(*N*)) = *V*-Max<sup>−</sup>(ipol(*N*)), which implies INVC(*N*). If *N* has side G and tgt(*N*) has side F, then ipol(*N*) = lit(tgt(*N*)), which, because *N* is a leaf, is a positive literal. Thus *V*-Max(ipol(*N*)) ⊆ *V*-Max<sup>+</sup>(pathF(*N*)), implying INVC(*N*).

*Induction Step.* Let *N*1*,...,Nn*, where 1 ≤ *n*, be the children of *N*. Assume as induction hypothesis that for *i* ∈ {1*,...,n*} it holds that INVC(*Ni*). Consider the case where the side of the children is F. Then

$$(1)\text{ ipol}(N) = \bigvee\_{i=1}^{n} \text{ipol}(N\_i).$$

Assume that INVC(*N*) does not hold. Then there exists a clause *K* in cnf(ipol(*N*)) and a term *t* such that (2) *t* ∈ 𝕌; (3) *t* ∈ *V*-Max(*K*); (4) *t* ∉ *V*-Max<sup>−</sup>(*K*); (5) *t* ∉ *V*-Max<sup>+</sup>(pathF(*N*)). To derive a contradiction, we first show that given (2), (4) and (5) it holds that

(6) For all children *N*′ of *N*: *t* ∉ *V*-Max<sup>+</sup>(pathF(*N*′)).

Statement (6) can be proven as follows. Assume to the contrary that there is a child *N*′ of *N* such that *t* ∈ *V*-Max<sup>+</sup>(pathF(*N*′)). By (5) it follows that *t* ∈ *V*-Max(lit(*N*′)) and lit(*N*′) is positive. By Lemma 13.i and (2) there is another child *N*′′ of *N* such that lit(*N*′′) is negative and *t* ∈ *V*-Max(lit(*N*′′)). Since the tableau is closed, it follows from (5) that tgt(*N*′′) has side G, which implies that ipol(*N*′′) = lit(*N*′′). Hence *t* ∈ *V*-Max(ipol(*N*′′)). Since ipol(*N*′′) is a negative literal and a disjunct of ipol(*N*), it follows from (1) and Prop. 6.iii that for all clauses *C* in cnf(ipol(*N*)) it holds that *t* ∈ *V*-Max<sup>−</sup>(*C*), contradicting assumption (4). Hence (6) must hold.

From (6), (2) and the induction hypothesis it follows that for all children *N*′ of *N* and clauses *C*′ in cnf(ipol(*N*′)) it holds that *V*-Max(*C*′) ∩ {*t*} ⊆ *V*-Max<sup>−</sup>(*C*′). Hence, by (1) and Prop. 14.i it follows that for all clauses *C* in cnf(ipol(*N*)) it holds that *V*-Max(*C*) ∩ {*t*} ⊆ *V*-Max<sup>−</sup>(*C*). This, however, contradicts our assumption of the existence of a clause *K* in cnf(ipol(*N*)) that satisfies (3) and (4). Hence INVC(*N*) must hold.

We conclude the proof of the induction step for INVC(*N*) by considering the case where the side of the children of *N* is G. Then

$$(7)\text{ ipol}(N) = \bigwedge\_{i=1}^{n} \text{ipol}(N\_i).$$

(8) For all children *N*′ of *N*: pathF(*N*) = pathF(*N*′).

INVC(*N*) follows from the induction hypothesis, (8), (7) and Prop. 6.i.

The invariant properties of tableau nodes shown in Lemmas 16.i–16.iii apply in particular to the tableau root. We now apply this to prove Theorem 10.

*Proof (Theorem 10).* Interpolants with the stated properties are obtained with CTIF, assuming w.l.o.g. that the CNF computed in step 2 meets the requirement of Sect. 3.1 and that the closed clausal tableau computed in step 3 is leaf-closed and has the hyper property. That CTIF constructs a Craig-Lyndon interpolant has been shown in [62]. It remains to show the further claimed properties of the interpolant. Let ⟨*F*, *G*, *F*′, *G*′, 𝔽, 𝔾, 𝔼, 𝕌, C, *V*⟩ be the interpolation context for the input formulas *F* and *G* and let *N*<sub>0</sub> be the root of the tableau computed in step 3. Since *N*<sub>0</sub> is the root, pathF(*N*<sub>0</sub>) and pathG(*N*<sub>0</sub>) are empty, and thus the expressions *V*-Max<sup>+</sup>(pathF(*N*<sub>0</sub>)) and *V*-Max<sup>+</sup>(pathG(*N*<sub>0</sub>)) in the specifications of INVC(*N*<sub>0</sub>), INVD(*N*<sub>0</sub>) and INVX(*N*<sub>0</sub>) all denote the empty set. The claims made in the particular sub-theorems can then be shown as follows.

(10.i) By Lemma 16.i it follows that INVC(*N*<sub>0</sub>). Hence, for all clauses *C* in cnf(ipol(*N*<sub>0</sub>)) it holds that *V*-Max(*C*) ∩ 𝕌 ⊆ *V*-Max<sup>−</sup>(*C*). It follows that the result of the interpolant lifting (step 7) of CTIF applied to ipol(*N*<sub>0</sub>) is U-range-restricted. Placeholder constant replacement (step 8) does not alter this.

(10.ii) As for Theorem 10.i it follows that for all clauses *C* in cnf(ipol(*N*<sub>0</sub>)) it holds that *V*-Max(*C*) ∩ 𝕌 ⊆ *V*-Max<sup>−</sup>(*C*). By Lemma 16.ii it follows that INVD(*N*<sub>0</sub>). Hence, for all conjunctive clauses *D* in dnf(ipol(*N*<sub>0</sub>)) it holds that *V*-Max(*D*) ∩ 𝔼 ⊆ *V*-Max<sup>+</sup>(*D*). It follows that the result of the interpolant lifting of CTIF applied to ipol(*N*<sub>0</sub>) is VGT-range-restricted. Since *F* and *G* have no free variables, placeholder constant replacement has no effect.

(10.iii) As for Theorem 10.ii it follows that for all clauses *C* in cnf(ipol(*N*<sub>0</sub>)) it holds that *V*-Max(*C*) ∩ 𝕌 ⊆ *V*-Max<sup>−</sup>(*C*) and for all conjunctive clauses *D* in dnf(ipol(*N*<sub>0</sub>)) it holds that *V*-Max(*D*) ∩ 𝔼 ⊆ *V*-Max<sup>+</sup>(*D*). By Lemma 16.iii it follows that INVX(*N*<sub>0</sub>). Hence, for all conjunctive clauses *D* in dnf(ipol(*N*<sub>0</sub>)) it holds that C ⊆ *V*-Max<sup>+</sup>(*D*). It follows that the result of the interpolant lifting of CTIF applied to ipol(*N*<sub>0</sub>), followed by placeholder constant replacement, now applied to C, is VGT-range-restricted.

#### **4 Horn Interpolation**

A *Horn clause* is a clause with at most one positive literal. A *Horn formula* is built up from Horn clauses with the connectives ∧, ∃ and ∀. Horn formulas are important in countless theoretical and practical respects. Our interpolation method on the basis of clausal tableaux with the hyper property can be applied to obtain a Horn interpolant under the precondition that the first argument formula *F* of the interpolation problem is Horn. The following theorem makes this precise. It can be proven by an induction on the structure of a clausal tableau with the hyper property (see [63, App. B]).

**Theorem 17 (Interpolation from a Horn Formula).** *Let F be a Horn formula and let G be a formula such that F* |= *G. Then there exists a Craig-Lyndon interpolant H of F and G that is a Horn formula. Moreover, H can be effectively constructed from a clausal tableau proof of F* |= *G.*
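The defining condition on Horn clauses is easy to operationalize; the clause encoding below (literals as polarity/atom pairs) is ours, for illustration only:

```python
def is_horn_clause(clause):
    """At most one positive literal; literals are (positive, atom)."""
    return sum(1 for positive, _ in clause if positive) <= 1

# ¬p ∨ ¬q ∨ r is Horn; p ∨ q is not.
assert is_horn_clause([(False, 'p'), (False, 'q'), (True, 'r')])
assert not is_horn_clause([(True, 'p'), (True, 'q')])
```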

An apparently weaker property than Theorem 17 has been shown in [38, § 4] with techniques from model theory: for *two* universal Horn formulas *F* and *G* there exists a universal Horn formula that is like a Craig interpolant, except that function symbols are not constrained. A *universal* Horn formula is there a prenex formula with only universal quantifiers and a Horn matrix. For CTIF, the corresponding strengthening of the interpolant to a universal formula can be read off from the specification of interpolant lifting (step 7 in Fig. 2).

The following corollary shows that Theorem 17 can be combined with Theorem 10 to obtain interpolants that are both Horn and range-restricted.

**Corollary 18 (Range-Restricted Horn Interpolants).** *Theorems 10.i, 10.ii and 10.iii can be strengthened: If F is a Horn formula, then there exists a Craig-Lyndon interpolant H with the properties shown in the respective theorem and the additional property that it is Horn. Moreover, H can be effectively constructed from a clausal tableau proof of F* |= *G.*

*Proof.* Can be shown by combining the proofs of Theorems 10.i, 10.ii and 10.iii, respectively, with the proof of interpolation from a Horn sentence, Theorem 17. The combined proofs are based on inductions on the same closed tableau with the hyper property.

# **5 Obtaining Proofs with the Hyper Property**

Our new interpolation theorems, Theorems 10 and 17, depend on the hyper property of the underlying closed clausal tableaux from which interpolants are extracted. We present a proof transformation that converts any closed clausal tableau to one with the hyper property. The transformation can be applied to a clausal tableau as obtained directly from a clausal tableaux prover. Moreover, it can also be applied indirectly to a resolution proof. To this end, the resolution *deduction tree* [12] of the binary resolution proof is first translated to a closed clausal ground tableau in *cut normal form* [31, Sect. 7.22]. There the inner clauses are atomic cuts, tautologies of the form ¬*p*(*t*<sub>1</sub>*,...,t<sub>n</sub>*) ∨ *p*(*t*<sub>1</sub>*,...,t<sub>n</sub>*) or *p*(*t*<sub>1</sub>*,...,t<sub>n</sub>*) ∨ ¬*p*(*t*<sub>1</sub>*,...,t<sub>n</sub>*), corresponding to literals upon which a (tree) resolution step has been performed. Clauses of nodes whose children are leaves are instances of input clauses. Our hyper conversion can then be applied to the tableau in cut normal form. It is easy to see that a regular leaf-closed tableau with the hyper property cannot have atomic cuts. Hence the conversion might be viewed as an elimination method for these cuts.
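For intuition, an atomic cut in the sense above is just a two-literal tautology on a single atom. With clauses as lists of polarity/atom pairs (a toy encoding of ours):

```python
def is_atomic_cut(clause):
    """An atomic cut is a two-literal tautology ¬p(t,...) ∨ p(t,...)
    on the same atom; literals are (positive, atom_string) pairs."""
    if len(clause) != 2:
        return False
    (p1, a1), (p2, a2) = clause
    return a1 == a2 and p1 != p2

assert is_atomic_cut([(False, 'p(a,b)'), (True, 'p(a,b)')])
assert not is_atomic_cut([(True, 'p(a)'), (True, 'q(a)')])
```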

We specify the hyper conversion in Fig. 3 as a procedure that destructively manipulates a tableau. A *fresh copy* of an ordered tree *T* is there an ordered tree *T*′ with fresh nodes and edges, related to *T* through a bijection *c* such that any node *N* of *T* has the same labels (literal label and side label) as node *c*(*N*) of *T*′ and such that the *i*-th edge originating in node *N* of *T* ends in node *M* if and only if the *i*-th edge originating in node *c*(*N*) of *T*′ ends in node *c*(*M*). The procedure is performed as an iteration that in each round chooses an inner node with negative literal label and then modifies the tableau. Hence, at termination there is no inner node with a negative literal, which means that the tableau is hyper. Termination of the procedure can be shown with a measure that strictly decreases in each round (Prop. 20 in [63, App. C]). Figures 4 and 5 show example applications of the procedure.
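The fresh-copy operation can be sketched directly from its definition; the node class and field names below are illustrative choices of ours, not those of the actual implementation:

```python
import itertools

class TNode:
    """Ordered-tree node with literal and side labels."""
    _ids = itertools.count()

    def __init__(self, literal, side, children=()):
        self.id = next(TNode._ids)        # fresh node identity
        self.literal, self.side = literal, side
        self.children = list(children)

def fresh_copy(node, bijection):
    """Fresh copy: new nodes and edges, same labels, same child
    order; `bijection` records the correspondence c."""
    copy = TNode(node.literal, node.side,
                 [fresh_copy(child, bijection) for child in node.children])
    bijection[node] = copy
    return copy

orig = TNode('p', 'F', [TNode('¬q', 'G')])
c = {}
cp = fresh_copy(orig, c)
assert cp is not orig and cp.literal == 'p' and cp.side == 'F'
assert c[orig.children[0]].literal == '¬q'
```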

Since the hyper conversion procedure copies parts of subtrees it is not a polynomial operation.<sup>4</sup> To get an idea of its practical feasibility, we experimented with an unbiased set of proofs of miscellaneous problems. For this we took those 112 *CASC-J11* [54] problems that could be proven with Prover9 [37] in 400 s per

<sup>4</sup> A thorough complexity analysis should take calculus- or strategy-dependent properties of the input proofs into account. And possibly also the blow-up from resolution to tree resolution underlying the cut normal form tableaux.


**Fig. 3.** The *hyper conversion* proof transformation procedure.

**Fig. 4.** Hyper conversion of a closed clausal tableau in two rounds.

**Fig. 5.** Hyper conversion of a closed clausal tableau in cut normal form in two rounds. For each round the result after procedure steps 1–4 is shown and then the result after step 5, simplification, applied here to achieve regularity.

problem, including a basic proof conversion with Prover9's tool Prooftrans.<sup>5</sup> The hyper conversion succeeded on 107 (or 96%) of these, given a 400 s timeout per proof, where the median of the actually used time was only 0.01 s. It was applied to a tableau in cut normal form that represents the proof tree of Prover9's proof. The two intermediate steps, translation of paramodulation to binary resolution and expansion to cut normal form, succeeded in fractions of a second, except for one case where the expansion took 121 s and two cases where it failed due to memory exhaustion. The hyper conversion then failed in three further cases. For all except two proofs the hyper conversion reduced the proof size, with an overall median size ratio of hyper-to-input of 0.39. See [63, App. D] for details.

# **6 Conclusion**

We conclude by discussing related work, open issues and perspectives. Our interpolation method CTIF [62] is complete for first-order logic with function symbols. Vampire's native interpolation [22,23], targeted at verification, is, like all local methods, incomplete [28]. Princess [10,47] implements interpolation with a sequent calculus that supports theories for verification and permits uninterpreted predicates and functions. Suitable proofs for our approach can currently be obtained from CMProver (clausal tableaux) and Prover9 (resolution/paramodulation). With optimized settings, Vampire [27] and E [49] as of today only output proofs with gaps. This seems to be improving [48], or might be overcome by re-proving with Prover9 using lemmas from the more powerful systems.

So far we have not addressed special handling of equality in the context of range-restriction, a topic of its own, e.g., [3,59]. We treat equality as a predicate, with axioms for reflexivity, symmetry, transitivity and substitutivity. CTIF works smoothly with these, respecting polarity constraints on equality in interpolants [62, Sect. 10.4]. With the exception of reflexivity, these axioms are U-range-restricted. We do not interfere with the provers' equality handling and just translate, in finished proofs, paramodulation into binary resolution with substitutivity axioms.
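As a quick sanity check of the claim that all equality axioms except reflexivity are U-range-restricted, one can test Definition 8's clause condition on toy encodings of the axiom clauses (polarity, atom string, variable set; the representation is ours):

```python
def clause_ok(clause, U):
    """Definition 8's clause condition; literals are
    (positive, atom_string, variable_set) triples."""
    all_vars, neg_vars = set(), set()
    for positive, _, vs in clause:
        all_vars |= vs
        if not positive:
            neg_vars |= vs
    return (all_vars & U) <= neg_vars

U = {'x', 'y', 'z'}
reflexivity  = [(True, 'eq(x,x)', {'x'})]
symmetry     = [(False, 'eq(x,y)', {'x', 'y'}), (True, 'eq(y,x)', {'x', 'y'})]
transitivity = [(False, 'eq(x,y)', {'x', 'y'}),
                (False, 'eq(y,z)', {'y', 'z'}), (True, 'eq(x,z)', {'x', 'z'})]
subst_p      = [(False, 'eq(x,y)', {'x', 'y'}),
                (False, 'p(x)', {'x'}), (True, 'p(y)', {'y'})]

assert not clause_ok(reflexivity, U)      # x occurs only positively
assert all(clause_ok(c, U) for c in (symmetry, transitivity, subst_p))
```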

The potential bottleneck of conversion to clausal form in CTIF may be remedied with structure-preserving (aka *definitional*) normal forms [19,44,50,58].

Our *hyper* property might be of interest for proof presentation and exchange, since it gives the proof tree a constrained shape and in experiments often shortens it. Like hyperresolution and hypertableaux it can be generalized to take a "semantics" into account [51] [12, Chap. 6] [26, Sect. 4.5]. To shorten interpolants, it might be combined with proof reductions (e.g., [64]).

For query reformulation, interpolation on the basis of general first-order ATP systems has so far hardly been considered. Most methods use sequent calculi [6,56] or analytic tableau systems [5,21,25,57]. Experiments with ATP systems and propositional inputs indicate that requirements are quite different from those

<sup>5</sup> On a Linux notebook with 12th Gen Intel-<sup>R</sup> CoreTM i7-1260P CPU and 32 GB RAM.

in verification [4]. An implemented system [25,57] uses analytic tableaux with dedicated refinements for enumerating alternate proofs/interpolants corresponding to query plans for heuristic choice. In [5] the focus is on interpolants that are sentences respecting binding patterns, which, like range-restriction, ensures database evaluability. Our interpolation theorems show fine-grained conditions for passing variations of range-restriction and the Horn property on to interpolants. Matching these with the many formula classes considered in knowledge representation and databases is an issue for future work. A further open topic is adapting recent synthesis techniques for nested relations [6] to the clausal tableaux proof system.

Methodically, we exemplified a way to approach operations on proof structures while taking efficient automated first-order provers into account. Feasible implementations are brought within reach, for practical application and also for validating abstract claims and conjectures with scrutiny. The prover is a black box, given freedom on optimizations, strategy and even calculus. For interfacing, the overall setting incorporates clausification and Skolemization. Requirements on the proof structure do not hamper proof search, but are ensured by transformations applied to proofs returned by the efficient systems.

**Acknowledgments.** The author thanks Michael Benedikt for bringing the subtleties of range-restriction in databases to attention, Cécilia Pradic for insights into subtleties of proof theory, and anonymous reviewers for helpful suggestions to improve the presentation.

# **References**


64. Wernhard, C., Bibel, W.: Learning from Łukasiewicz and Meredith: investigations into proof structures. In: Platzer, A., Sutcliffe, G. (eds.) CADE 2021. LNCS (LNAI), vol. 12699, pp. 58–75. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-79876-5_4


# **Non-Classical Logics in Satisfiability Modulo Theories**

Clemens Eisenhofer<sup>1(B)</sup>, Ruba Alassaf<sup>2</sup>, Michael Rawson<sup>1</sup>, and Laura Kovács<sup>1</sup>

<sup>1</sup> TU Wien, Vienna, Austria
{clemens.eisenhofer,michael.rawson,laura.kovacs}@tuwien.ac.at
<sup>2</sup> University of Manchester, Manchester, UK
ruba.alassaf@manchester.ac.uk

**Abstract.** We show that tableau methods for satisfiability in non-classical logics can be supported naturally in SMT solving via the framework of user-propagators. By way of demonstration, we implement the description logic ALC in the Z3 SMT solver and show that working with user-propagators allows us to significantly outperform encodings to first-order logic with relatively little effort. We promote user-propagators for creating solvers for non-classical logics based on tableau calculi.

**Keywords:** SMT · Non-Classical Logics · User-Propagators · Tableaux

### **1 Introduction**

Satisfiability modulo theories (SMT) solvers, e.g. [4,14,29], mostly implement CDCL(T) [6,27] to combine propositional satisfiability (SAT) solving with theory-specific decision procedures. Due to the modular nature of the underlying CDCL(T) algorithm, not only can SMT solvers reason in combinations of theories, but it is even possible to add and control custom first-order theories by attaching new decision procedures, as recently introduced in the user-propagator framework [8]. The underlying logic in the SMT solving community is classical first-order logic. When moving towards non-classical logics, such as modal or description logics [2,9,21], tableau calculi provide common ground [13]. The resulting proof procedures behave very differently from SMT solvers [16,22].
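The CDCL(T)-style interplay can be caricatured in a few lines: a Boolean core proposes models and a theory part vetoes them with blocking clauses, which is roughly the role a user-propagator plays. The code below is a naive, brute-force sketch of ours, not Z3's API:

```python
from itertools import product

def sat_models(atoms, clauses):
    """All models of a clause set by brute force; clauses are
    lists of (atom, required_truth_value) pairs."""
    for bits in product([False, True], repeat=len(atoms)):
        model = dict(zip(atoms, bits))
        if all(any(model[a] == val for a, val in c) for c in clauses):
            yield model

def solve_modulo_theory(atoms, clauses, theory_check):
    """Lazy loop: take a propositional model, let the theory part
    veto it with a blocking clause, repeat until sat or unsat."""
    clauses = list(clauses)
    while True:
        model = next(iter(sat_models(atoms, clauses)), None)
        if model is None:
            return None                  # propositionally unsat
        blocking = theory_check(model)
        if blocking is None:
            return model                 # theory-consistent model
        clauses.append(blocking)

def arith(model):
    # Theory knowledge: x>1 and x<0 cannot both hold.
    if model['x>1'] and model['x<0']:
        return [('x>1', False), ('x<0', False)]
    return None

# Propositionally satisfiable, but theory-unsatisfiable:
assert solve_modulo_theory(['x>1', 'x<0'],
                           [[('x>1', True)], [('x<0', True)]], arith) is None
```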

In this paper, we argue that *it is time to join forces*. We show that tableau methods can be integrated naturally into SMT solving (Sect. 3). In so doing, we promote user-propagators [8] for guiding non-classical reasoning within SMT solving. We demonstrate our work within the Z3 SMT solver [29] and show that this approach outperforms two standard Z3 implementations based on quantification (Sect. 4). Finally, we discuss an alternative encoding for non-Boolean-based logics capable of dealing with explicit non-containment (Sect. 5).

We thank Nikolaj Bjørner for discussions on this topic. We acknowledge funding from the ERC Consolidator Grant ARTIST 101002685, the TU Wien SecInt Doctoral College, and the FWF SFB project SpyCoDe F8504.

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 24–36, 2023. https://doi.org/10.1007/978-3-031-43513-3_2

*Related Work.* SAT/SMT solving driven by instantiation rules from modal and description logic tableaux has been investigated [1,20,33], as has porting classical tableau rules to SMT [10], as has intuitionistic logic [12,15]. Our work applies user propagation as a *framework for implementing non-classical logics*, but also for *theories* that have tableau rules, such as strings [26] or finite sets [3]. MetTeL2 [37,38] can automatically synthesize solvers from tableau rules expressed in a domain-specific input language: complex features that cannot be expressed in the input language can be implemented by manually changing the output program generated by the tool.

Another approach to non-classical logics translates non-classical input to SAT/SMT [11,23], or to first-order or higher-order logic [18,19,31,32,35,36], via a shallow embedding. After translation, a SAT/SMT solver or automatic theorem prover (ATP) can be used for reasoning. ATPs typically work poorly, especially on satisfiable instances from such translations [25,39,40]. Solvers do not usually take into account meta-logical properties of the considered non-classical logic. If at all, such properties are communicated to a solver via further lemmas or by fine-tuning the solver's configuration. Our approach allows us to directly encode expert knowledge of the considered logic. Additionally, it allows reasoning in multiple non-classical logics simultaneously and supports theory reasoning.

#### **2 Background and Challenges**

*Background.* We assume familiarity with the basics of classical first-order logic [34], SMT solving [7], and the description logic ALC [2]. To avoid confusion with first-order quantifiers, we use modal syntax to write ALC formulas $\varphi$ as

$$\varphi ::= \top \mid A \mid \neg \varphi \mid \varphi_1 \land \varphi_2 \mid \Box_r \varphi$$

where $A$ is a (theory¹) atom and $r$ a modality/role. The logical connectives ⇒, ∨, and ⊥ are defined as usual. The modal operator $\Diamond_r$ is defined as the dual of $\Box_r$. We assume a problem in ALC is given by a *knowledge base* $\langle TBox, ABox\rangle$. Elements in $TBox$ are of the form $global(\varphi)$² and are intended to be true in all worlds. Elements in $ABox$ are of the form $w_i : \varphi$, asserting "$\varphi$ holds in world $w_i$"; or $r_k : (w_i, w_j)$, asserting "$r_k$ relates worlds $w_i$ and $w_j$". In case no ABox is given, we assume the existence of an implicit world $w_0$. The truth value of a formula $\varphi$ under such a Kripke interpretation is given as in [2].

*SMT Challenges for First-Order Translation of Description Logics.* We motivate our work by considering the ALC knowledge base

$$TBox = \{global(\Diamond_r (A \land \Diamond_r \neg A))\}.\tag{1}$$

¹ This is an addition to the classical definition of ALC.

² We write the more usual form $\varphi_1 \sqsubseteq \varphi_2$ as $global(\varphi_1 \Rightarrow \varphi_2)$.

$$\frac{\text{Some conditions } P_1, \ldots, P_n}{\begin{array}{c|c|c} sign_{1,1} : \varphi_{1,1} \in \mathcal{L}(w_{1,1}) & & sign_{n,1} : \varphi_{n,1} \in \mathcal{L}(w_{n,1}) \\ \ldots & \cdots & \ldots \\ sign_{1,m_1} : \varphi_{1,m_1} \in \mathcal{L}(w_{1,m_1}) & & sign_{n,m_n} : \varphi_{n,m_n} \in \mathcal{L}(w_{n,m_n}) \end{array}}$$

**Fig. 1.** Abstract tableau calculus rule.

One may reason about this formula by (i) translating it into classical first-order logic via the *standard translation* [9]; and (ii) using a decision procedure handling uninterpreted functions and quantifiers to establish satisfiability of the translated formula. In particular, step (i) translates (1) into the first-order formula

$$\forall x (\exists y (reach^r(x, y) \land A(y) \land \exists z (reach^r(y, z) \land \neg A(z))))\tag{2}$$

where $reach^r$ is an uninterpreted function symbol. Then, in step (ii), SMT solving over (2) instantiates the universally-quantified variable $x$ with $w_0$, using for example model-based quantifier instantiation (MBQI) [17]. Skolemization introduces two new constants $w_1$ and $w_2$, which results in the quantifier-free instance:

$$reach^r(w_0, w_1) \land reach^r(w_1, w_2) \land A(w_1) \land \neg A(w_2), \tag{3}$$

from which the partial interpretation

$$reach^r(x, y) \colon \text{if } (x = w_0 \land y = w_1) \lor (x = w_1 \land y = w_2) \text{ then } \top \text{ else } *. \tag{4}$$

can be deduced. The symbol ∗ is undetermined and represents an arbitrary Boolean value. Assume that the SMT solver sets ∗ to ⊥ in order to complete the partial model (4) for checking (2): as the solver cannot derive equalities among the world constants $w_0, w_1, w_2$, the solver has to check all three constants with respect to the universal quantifier of (2). As $w_1$ and $w_2$ violate the universal quantifier, further constants are generated by Skolemization, but (2) remains violated and the sequence of MBQI steps repeats indefinitely. Choosing ⊤ for ∗ avoids such failure, but increases the burden of SMT solving, as the solver must consider all potential relations among all constants (here, $w_0$, $w_1$ and $w_2$) and eliminate such relations stepwise again as they lead to conflicts. Randomly choosing ⊤ or ⊥ for completing the partial model (4) of (2) is not a solution either, as it combines the disadvantages of both approaches.
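To make step (i) concrete, the standard translation can be sketched as a recursive function over modal syntax trees. The tuple-based formula representation, the function name `st`, and rendering `reach_r` as a string predicate are illustrative assumptions for this sketch, not the paper's implementation:

```python
# Sketch of the standard translation: each modal operator becomes a quantifier
# over worlds guarded by an uninterpreted reachability predicate reach_r.
import itertools

_fresh = itertools.count(1)   # supply of fresh world-variable names

def st(phi, x):
    """Standard translation of a modal formula at world variable x.
    Formulas: ('atom', name) | ('not', p) | ('and', p, q)
            | ('box', r, p) | ('dia', r, p)."""
    tag = phi[0]
    if tag == 'atom':
        return f"{phi[1]}({x})"
    if tag == 'not':
        return f"~({st(phi[1], x)})"
    if tag == 'and':
        return f"({st(phi[1], x)} & {st(phi[2], x)})"
    y = f"y{next(_fresh)}"                 # fresh world variable
    r, p = phi[1], phi[2]
    if tag == 'box':    # box_r p  ~~>  forall y. reach_r(x,y) -> ST(p, y)
        return f"(forall {y}. reach_{r}({x},{y}) -> {st(p, y)})"
    if tag == 'dia':    # dia_r p  ~~>  exists y. reach_r(x,y) & ST(p, y)
        return f"(exists {y}. reach_{r}({x},{y}) & {st(p, y)})"
    raise ValueError(tag)

# TBox (1): global(dia_r (A & dia_r ~A)); globality adds the outer forall.
body = ('dia', 'r', ('and', ('atom', 'A'), ('dia', 'r', ('not', ('atom', 'A')))))
fo = f"forall x. {st(body, 'x')}"          # a rendering of formula (2)
```

Running the sketch on the TBox of (1) yields a nesting of existentials under one universal, matching formula (2) up to variable naming.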

# **3 Tableau as a Decision Procedure in CDCL(***T* **)**

Addressing the above challenges, we advocate user-propagators for tailored SMT solving, providing efficient implementations of custom tableau reasoners. We propose using the lemma generation process of CDCL(T ), explained below, to simulate rule application of tableau calculi.

In a nutshell, the CDCL(T ) infrastructure [6] introduces fresh Boolean variables to name theory atoms of an input formula; the resulting propositional


**Fig. 2.** Rules for the ALC Description Logic.

skeleton is then solved by an ordinary SAT solver. If a propositional model is found, theory solvers are asked if the model is correct with respect to theory atoms. These specialized procedures may introduce further "lemma" formulas to the Boolean abstraction or report conflicts directly, forcing the SAT solver to "correct" the Boolean interpretation. This is repeated until all theory solvers agree on the Boolean assignment or the Boolean abstraction becomes unsatisfiable.
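The interplay just described can be sketched in a few lines. The naive model enumeration standing in for the SAT core, and the names `cdcl_t` and `theory_check`, are illustrative assumptions, far removed from a real CDCL implementation:

```python
# Minimal sketch of the CDCL(T) loop: a SAT core proposes Boolean models of
# the skeleton; a theory solver answers with blocking lemmas until agreement
# or propositional unsatisfiability.
from itertools import product

def sat_models(atoms, clauses):
    """Naive SAT core: enumerate assignments satisfying all clauses.
    A clause is a list of (atom, polarity) literals."""
    for bits in product([False, True], repeat=len(atoms)):
        m = dict(zip(atoms, bits))
        if all(any(m[a] == pol for a, pol in cl) for cl in clauses):
            yield m

def cdcl_t(atoms, clauses, theory_check):
    """theory_check(model) returns None if the model is theory-consistent,
    otherwise a blocking clause (lemma) to add to the Boolean abstraction."""
    while True:
        model = next(sat_models(atoms, clauses), None)
        if model is None:
            return None                     # propositionally unsat
        lemma = theory_check(model)
        if lemma is None:
            return model                    # all theory solvers agree
        clauses = clauses + [lemma]         # "correct" the SAT core

# Toy theory: the atoms 'x<1' and 'x>2' cannot hold together.
def check(m):
    if m['x<1'] and m['x>2']:
        return [('x<1', False), ('x>2', False)]   # lemma: ~(x<1) \/ ~(x>2)
    return None

model = cdcl_t(['x<1', 'x>2'], [[('x<1', True)]], check)
assert model['x<1'] and not model['x>2']
```

The toy theory solver plays the role the tableau reasoner takes in the rest of this section: it inspects a candidate Boolean model and, if needed, returns a lemma that forces the SAT core to revise it.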

**User-Propagators in CDCL(**T**) with Tableau Methods.** Our solution builds a custom reasoner using the user-propagator framework [8]. Algorithm 1 shows a simple CDCL(T) loop; the parts relevant for the following discussion are underlined. The custom reasoner is implemented by providing the methods push, pop, fixed and final in some programming language. The method abstr(f) is applied prior to solving. All other methods are those of the SMT solver.

We can simulate a tableau calculus whose rules are of the abstract form shown in Fig. 1. We use *signed formulas* of the form $sign : \circ(\bar\varphi)$, where $sign$ is a member of a fixed set, usually truth values, and $\circ$ is a logical operator applied to operands/subformulas $\bar\varphi$. Each $P_i$ asserts that a signed formula is (not) contained in a *label* $\mathcal{L}(w)$. Labels are sets of signed formulas with known sign at some node $w$ on the current branch. Rules may only add signed formulas to labels and create new branches. If no more rules are applicable, we conclude that the input is satisfiable.

This means we consider *sound, confluent, and non-destructive tableaux with signed formulas* [34] and *explicit labelled nodes* [24], which are straightforward in our framework.

**Algorithm 1:** Simple CDCL(T) Algorithm. Methods that can be provided by a user-propagator are underlined.

Many calculi [13], including those for propositional logics, first-order logics, various modal/description logics, and several many-valued logics, can naturally be expressed within Fig. 1. The main steps of our work towards integrating tableau reasoning in SMT solving can be illustrated using a running example in ALC. The tableaux rules for ALC in our notation are detailed in Fig. 2.

*Example 1 (Running Example).* Consider the ALC knowledge base:

$$\begin{aligned} TBox &= \{global(Hum \Rightarrow (\Box_p (Alive \Rightarrow age \le recordLifespan) \land \Diamond_p Hum))\} \\ ABox &= \{eva : Hum \lor \Diamond_f \neg Hum, \quad p : (eva, paul)\} \end{aligned}$$

where $Alive$, $Hum$ (human), and $age$ depend on the current world, but $recordLifespan$ does not; $age$ and $recordLifespan$ are of integer sort; $p$ (parent) and $f$ (friend) denote roles; and $eva$ and $paul$ are named worlds.

#### **3.1 SMT-LIB Encoding and Custom SMT Theory**

To enable SMT-based tableau reasoning, we encode non-classical logic features directly in an extension of the SMT-LIB input standard [5]. In particular, we encode non-classical logic symbols with the help of uninterpreted function symbols and sorts, yielding an SMT theory of non-classical logic.

*Example 2 (*ALC *Knowledge Base in SMT-LIB).* For ALC, we introduce the uninterpreted $Relation$ and $World$ sorts and the following functions:

$$box : Relation \times B \to B \qquad dia : Relation \times B \to B \qquad global : B \to B$$
$$world : () \to World \qquad reachable : Relation \times World \times World \to B$$

where $B$ is the sort of Booleans and $world$ represents the current world³. Functions may have an extra $World$ argument to denote their dependency on some world. With these syntactic features on top of SMT-LIB, Example 1 is encoded as

```
(declare-fun Hum (World) Bool) (declare-fun Alive (World) Bool)
(declare-fun age (World) Int) (declare-const recordLifespan Int)
(declare-const eva World) (declare-const paul World)
(declare-const p Relation) (declare-const f Relation)
(assert (global
   (=> (Hum world) (and
       (box p (=> (Alive world) (<= (age world) recordLifespan)))
       (dia p (Hum world))))))
(assert (global (=> (= world eva) (or (Hum world) (dia f (not (Hum world)))))))
(assert (reachable p eva paul))
```
#### **3.2 Preprocessing (**Abstr**)**

Next, we traverse the syntax tree of the parsed problem and introduce fresh user-function symbols to abstract away subformulas we want to observe. All instances of introduced user-functions are automatically *associated* with our user-propagator and thus Boolean assignments to those instances might be reported by the SMT core by calling the fixed method. We might add a node parameter of an uninterpreted sort to user-functions to store additional information, such as the current world in Kripke semantics. As we go, we build a tree-shaped *abstraction* data structure for keeping track of abstracted subformulas and efficiently applying tableau rules. Only the root of the abstraction is passed to the SMT solver. Furthermore, we apply (logic-specific) simplifications.
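The traversal just described can be sketched as a recursive pass over formula trees. The class and method names (`Abstraction`, `abstr`), the tuple encoding, and treating only `box`/`global` as observed operators are assumptions of this sketch, not the tool's actual data structures:

```python
# Sketch of preprocessing: observed operators are replaced by fresh
# user-function symbols V_i(x); a map records what each V_i abstracts,
# forming the tree-shaped abstraction.
import itertools

class Abstraction:
    def __init__(self):
        self.counter = itertools.count(1)
        self.defs = {}               # fresh symbol -> (operator, operands...)

    def abstr(self, f):
        """Replace every 'box'/'global' node by a fresh user-function V_i(x)."""
        op = f[0]
        if op in ('box', 'global'):
            inner = self.abstr(f[-1])            # abstract the body first
            name = f"V{next(self.counter)}"
            self.defs[name] = (op,) + f[1:-1] + (inner,)
            return (name, 'x')                   # fresh symbol with node argument
        if op in ('not', 'and', 'imp'):
            return (op,) + tuple(self.abstr(g) for g in f[1:])
        return f                                 # atoms stay as-is in this sketch

a = Abstraction()
root = a.abstr(('global', ('imp', ('atom', 'Hum'),
                           ('box', 'p', ('atom', 'Alive')))))
# Only the root of the abstraction is handed to the SMT solver:
assert root == ('V2', 'x')
```

Mirroring Fig. 3, the definitions map then tells the propagator that, e.g., `V1` stands for a box over `p` whenever the solver reports an assignment to an instance of `V1`.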

*Example 3 (Preprocessing and Abstraction).* Recall Example 1. We replace all operators handled by tableau rules by fresh user-functions: here, for the occurrences of $\Box_r \varphi$, $global(\varphi)$, and for theory atoms. World-dependent terms and some operators, such as $\Box_r$, require a node argument denoting the world in which they are evaluated. To ease instantiating multiple instances of the formulas, we use an unbound variable $x$ as the node argument. We obtain the SMT abstraction of Example 1 given in Fig. 3. $G$ denotes applications of the global-rule, $M_r$ applications of $\Box_r$, and $T$ arbitrary theory atoms. ABox elements are encoded directly by instantiating the node arguments accordingly (e.g., $\neg M_1^f(eva)$).

³ which will be eliminated during preprocessing.

$$G_1 \land (Hum(eva) \lor \neg M_1^f(eva)) \land reach^p(eva, paul)$$

$$G_1: Hum(x) \Rightarrow (M_2^p(x) \land \neg M_3^p(x)) \qquad M_1^f(x): Hum(x)$$

$$M_2^p(x): Alive(x) \Rightarrow T_1(x) \qquad M_3^p(x): \neg Hum(x)$$

$$T_1(x): age(x) \leq recordLifespan$$

**Fig. 3.** Abstraction tree for Example 1. For simplicity, we rewrote $\Diamond_r A$ as $\neg\Box_r \neg A$.

#### **3.3 Populating Languages (**Fixed**)**

Whenever the SAT core assigns a variable $V_i(w) \to value$, we look up the operator $\circ$ and its operands abstracted by $V_i$ during preprocessing. We add $\circ$, together with the auxiliary symbol and its operands $\bar\varphi_i$, to the respective label set⁴ such that $\hat{\mathcal{L}}(w) := \hat{\mathcal{L}}(w) \cup \{(value : \circ, V_i, \bar\varphi_i)\}$. As the user-propagator reports only assignments to formulas that were previously abstracted away by user-functions, we might also need to abstract away other formulas for which we are not interested in adding additional rules, in order to be notified when these elements are added to some labels. For example, if we must observe $0: (\varphi_1 \land \varphi_2) \in \mathcal{L}(w)$, we can replace $\land$ by a user-function. Usually, the tableau is closed (i.e., a conflict is raised) automatically if a label contains the same formula with different signs. If the calculus has more complicated closing conditions, they can be reported explicitly by propagating a conflict.
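A minimal sketch of this callback is below; the `Propagator` class, its `fixed` signature, and the label-entry layout are illustrative assumptions, not Z3's user-propagator API:

```python
# Sketch of the fixed callback: each reported assignment V_i(w) -> value is
# recorded as an entry of the label set L^(w) of the affected node.
from collections import defaultdict

class Propagator:
    def __init__(self, defs):
        self.defs = defs                   # V_i -> (operator, operands...)
        self.labels = defaultdict(set)     # w -> set of label entries

    def fixed(self, var, world, value):
        """Called by the SAT core when var(world) is assigned value."""
        op, *operands = self.defs[var]
        # store (value : operator, auxiliary symbol, operands) in L^(world)
        self.labels[world].add((value, op, var, tuple(operands)))

p = Propagator({'V1': ('box', 'p', 'Alive')})
p.fixed('V1', 'w0', True)
assert (True, 'box', 'V1', ('p', 'Alive')) in p.labels['w0']
```

A closure check (same operator and operands, different signs in one label) or any logic-specific conflict condition would then be tested right after each addition.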

*Example 4 (Tracking Assignments to Arbitrary Subformulas).* To keep track of all relevant Boolean assignments to atoms, we replace all atoms by user-functions, including complex theory atoms such as $age(w) \le recordLifespan$ as shown in Fig. 3. To preserve semantics, we add the definitions of the abstracted atoms by propagation. For example, within Example 1 we might eagerly propagate

$$T_1(w) = value \vdash ((age(w) \le recordLifespan) = value),$$

as soon as $T_1(w)$ is assigned the Boolean value $value$.

#### **3.4 Rule Application (**Final**)**

Whenever the solver finds a Boolean assignment such that the propositional abstraction of its extended SMT problem (Sect. 3.1) is satisfied, we apply logic-specific tableau rules by iterating over the set $\hat{\mathcal{L}}(w)$ for every node $w$ until no more tableau rules are applicable. A *propagation claim* is of the form $J_1,\ldots,J_m \vdash C$. An arbitrary number of them can be added by the user-propagator within *fixed* and *final*, indicating that the SAT core needs to assign $C \to 1$ justified by the expressions $J_1,\ldots,J_m$; here, $C$ may be an arbitrary Boolean expression.

⁴ $\hat{\mathcal{L}}(w)$ are sets maintained by the user-propagator code to simulate $\mathcal{L}(w)$.

Consider a tableau rule $R$ as in Fig. 1 and assume that $R$ is applied because $\{P'_1,\ldots,P'_m\} \subseteq \{P_1,\ldots,P_n\}$ are satisfied, obtaining

$$Just(P'_1), \ldots, Just(P'_m) \vdash C,\tag{5}$$

where $Just(P'_i)$ is $J_i$. We give $C$ as a formula in disjunctive normal form (DNF)

$$\bigvee_{1 \le i \le n} \bigwedge_{1 \le j \le m_i} (\varphi_{i,j}(w_{i,j}) = sign_{i,j}) \tag{6}$$

simulating application of the rule $R$. We note that by using relevancy propagation [28] SMT solving may enjoy tableau-style branching, such that only one disjunct of the above DNF is chosen and reported assigned; unnecessary Boolean assignments are not reported to the user-propagator. We distinguish between two types of $P'_i$ in (5): (i) those asserting that elements are in the label, where $P'_i$ is $sign : \circ(\bar\varphi) \in \mathcal{L}(w)$; and (ii) those that assert the opposite, where $P'_i$ is $sign : \circ(\bar\varphi) \notin \mathcal{L}(w)$.
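Assembling the consequent of a propagation claim from a rule's branches can be sketched as follows; the function name `dnf_consequent` and the string rendering of equalities are assumptions of this illustration:

```python
# Sketch of building the consequent C of claim (5) as the DNF (6):
# one disjunct per branch of the rule, one equality per signed formula.
def dnf_consequent(branches):
    """branches: list of branches; each branch is a list of
    (formula, world, sign) triples, mirroring Fig. 1."""
    disjuncts = []
    for branch in branches:
        conj = " & ".join(f"({phi}({w}) = {sign})" for phi, w, sign in branch)
        disjuncts.append(f"({conj})")
    return " | ".join(disjuncts)

# A branching rule with two branches:
c = dnf_consequent([[('A', 'w1', 1)], [('B', 'w1', 0), ('C', 'w2', 1)]])
assert c == "((A(w1) = 1)) | ((B(w1) = 0) & (C(w2) = 1))"
```

With relevancy propagation, the solver would then commit to a single disjunct of this formula, mirroring the choice of one tableau branch.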

Justifying (i) is straightforward, as there must be an auxiliary user-function denoting that the respective element is contained in the label. We therefore have $(sign : \circ(\bar\varphi), V, \bar\varphi) \in \hat{\mathcal{L}}(w)$ and define $Just(P'_i)$ to be the equality $V = sign$. Case (ii) cannot be justified in general in our encoding because some assignments might not have been reported due to relevancy propagation. However, justifications for non-containment constraints may be omitted in the following scenarios:


In either scenario, we do not justify that the respective conditions $P'_i$ are satisfied, but only check $P'_i$ before application of $R$ (e.g. checking if a world is blocked). We hence set $Just(P'_i)$ to $\top$.

*Example 5 (Applying Rules).* Recall Example 1. Consider $1: M_2^p \in \hat{\mathcal{L}}(eva)$, $0: M_3^p \in \hat{\mathcal{L}}(eva)$ and $1: G_1 \in \hat{\mathcal{L}}$. SMT solving may propagate in final

$$M_3^p(eva) = \bot \vdash (\neg Hum(mary)) = \bot \land reach^p(eva, mary) = \top$$

by a $0: \Box$-rule instance of Fig. 1, where $mary$ is a fresh world. The next final callback might then propagate (because of the $1: \Box$ and $1: global$ rules)

$$\begin{aligned} M_2^p(eva) = \top \land reach^p(eva, mary) = \top &\vdash (Alive(mary) \Rightarrow T_1(mary)) = \top \\ G_1 = \top \land reach^p(eva, mary) = \top &\vdash (Hum(mary) \Rightarrow (M_2^p(mary) \land \neg M_3^p(mary))) = \top. \end{aligned}$$

#### **3.5 Backtracking (**Push+Pop**)**

Backtracking in the CDCL core of SMT solving uses justifications provided for propagation claims. Our SMT-based tableau reasoner has to reset (*pop*) its state to a previously-saved state (*push*), by restoring the value of $\hat{\mathcal{L}}(w)$ to the one it had in the previous state. However, unlike in tableau calculi, subformulas introduced by rule application may persist after backtracking because of conflict learning and similar techniques, which can result in the solver assigning these atoms unnecessarily. These spurious assignments correspond to adding elements to some label $\mathcal{L}(w)$ without a respective rule being applicable and hence, it might happen that $\hat{\mathcal{L}}(w) \neq \mathcal{L}(w)$. We can nonetheless apply rules resulting from spurious assignments as if they were not spurious: mostly, the solver will either justify the spurious elements anyway later or, in the case of a conflict, backtrack and undo these assignments.
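Restoring the label sets on pop is typically done with a trail of undo actions; the sketch below, with its illustrative `Labels` class, shows one such scheme under that assumption:

```python
# Sketch of push/pop: label sets L^(w) are restored to an earlier state via
# a trail of additions, mirroring the scoped backtracking of the CDCL core.
class Labels:
    def __init__(self):
        self.labels = {}       # w -> set of label entries
        self.trail = []        # additions, newest last
        self.scopes = []       # trail length at each push

    def add(self, w, entry):
        s = self.labels.setdefault(w, set())
        if entry not in s:                 # record only genuine additions
            s.add(entry)
            self.trail.append((w, entry))

    def push(self):
        self.scopes.append(len(self.trail))

    def pop(self):
        mark = self.scopes.pop()
        while len(self.trail) > mark:      # undo additions of the popped scope
            w, entry = self.trail.pop()
            self.labels[w].discard(entry)

L = Labels()
L.add('w0', (1, 'G'))
L.push()
L.add('w0', (1, 'M2'))
L.pop()
assert L.labels['w0'] == {(1, 'G')}
```

Spurious assignments after backtracking, as discussed above, would simply re-enter the trail in a later scope and be undone again if needed.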

*Example 6 (Spurious Assignments).* Recall Example 1. Suppose $paul$ has a parent $mary$, generated by $M_3^p(paul) \to 0$ using the $0: \Box$-rule. Further, assume $mary$ has a parent $sam$, generated by $M_3^p(mary) \to 0$. On conflict, the SMT solver might backtrack to a state before assigning $M_3^p(paul) \to 0$. The tableau-based theory solver removes $reach^p(mary, sam)$ from $\hat{\mathcal{L}}(mary)$, as well as $reach^p(paul, mary)$ from $\hat{\mathcal{L}}(paul)$. However, the solver may not "forget" the existence of the atoms $M_3^p(mary)$ and $M_3^p(paul)$. It may therefore happen that $M_3^p(mary)$ is assigned later without first generating $mary$ via $M_3^p(paul) \to 0$. We ignore this spurious assignment, as the solver may later again assign $M_3^p(paul) \to 0$, *ex post facto* justifying the existence of $mary$. If this justification is not given later and we encounter a conflict, the solver backtracks and removes the spurious assignment. If it leads to a model, we ignore everything in the model resulting from the spurious assignment.

# **4 Implementation and Experiments**

We implemented⁵ our tableau reasoning approach from Sect. 3 in the Z3 SMT solver [29]. We compare our implementation, which applies user propagation over the custom SMT theory of Sect. 3.1, against two implementations using translations of modal logic to first-order logic, *viz.* the standard translation [9] and iterative deepening using cardinality assumptions. We considered altogether 400

<sup>5</sup> https://github.com/CEisenhofer/ModalZ3.


**Table 1.** Experimental results for benchmarks in the modal logic K.

satisfiable and 185 unsatisfiable benchmarks in the modal logic K [30]. Our initial experiments using a 60-second timeout are summarized in Table 1, showing that our user-propagator framework performs best. This is partly because quantifier reasoning in Z3 comes with MBQI overhead (Sect. 2). Finite model building performs poorly for large minimal models.

# **5 Conclusion and Discussion**

We introduce an SMT-based reasoning framework for tableau methods, encoding tableau rules directly in SMT and applying user-propagators for custom reasoning. When implemented and evaluated using the Z3 SMT solver, our approach outperforms alternative encodings of the modal logic K. However, implementing logics via user-propagators *requires further knowledge about the considered non-classical logics* for tailored support towards, e.g., conflict learning and theory reasoning.

*Beyond the Boolean Basis and Alternative Encodings.* We so far considered an assignment $V \to value$ to denote that $value : V \in \mathcal{L}(w)$, and only capture $value : V \notin \mathcal{L}(w)$ implicitly. This can be generalized to $n$ mutually-exclusive truth values by using $\lceil\log_2(n)\rceil$ Boolean variables. If, on the other hand, we need to justify that some element is *not* in our label, we can use a different encoding with each potential value encoded by a single Boolean. In this case, we use $bit_{sign}(V) = true$ to represent $V \in \mathcal{L}(w)$ instead of $V = sign$.

*Example 7 (Ternary Logic).* Consider a three-valued logic with values true, false, and undefined. The first encoding represents each truth value as a list of two bits, where 00 represents false, 01 true, and 10 undefined. The case 11 is invalid. The second uses a list of three bits, one for each potential value. For each introduced subformula, we additionally propagate the cardinality constraint that exactly one bit has to be set to 1. This encoding incorporates the usual assumption that $value_1 : \circ \in \mathcal{L}(w)$ and $value_2 : \circ \in \mathcal{L}(w)$ with $value_1 \neq value_2$ represents a conflict, but could be dropped in cases where this is not desired.
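Both encodings of Example 7 can be sketched concretely; the value ordering and function names below are illustrative choices:

```python
# Sketch of the two ternary encodings: a binary encoding with
# ceil(log2(3)) = 2 bits, and a one-hot encoding with one bit per value
# plus an exactly-one cardinality constraint.
import math

VALUES = ['false', 'true', 'undef']

def binary_bits(value):
    n = math.ceil(math.log2(len(VALUES)))      # 2 bits suffice for 3 values
    i = VALUES.index(value)                    # 00 false, 01 true, 10 undef
    return [(i >> k) & 1 for k in reversed(range(n))]

def onehot_bits(value):
    bits = [int(v == value) for v in VALUES]   # one dedicated bit per value
    assert sum(bits) == 1                      # the cardinality constraint
    return bits

assert binary_bits('false') == [0, 0]
assert binary_bits('true') == [0, 1]
assert binary_bits('undef') == [1, 0]
```

In the binary encoding the pattern 11 remains unused (invalid), whereas the one-hot encoding makes non-containment of a value directly justifiable via its dedicated bit being 0.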

*Theories and Non-Classical Logics.* A challenging question arises when considering theories in combination with non-Boolean based logics. As we abstract away theory atoms (Example 3) and add them again on demand (Example 4), we can customize what and how theory atoms are passed to the SMT solver. For ternary logic, we might propagate the theory atom positively when assigned true, its negation for false, and nothing when the value is undefined.

# **References**



The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **DefTab: A Tableaux System for Sceptical Consequence in Default Modal Logics**

Carlos Areces¹, Valentin Cassano¹,², Raul Fervari¹,³(B), and Guillaume Hoffmann¹,³

¹ CONICET and Universidad Nacional de Córdoba, Córdoba, Argentina
² Universidad Nacional de Río Cuarto, Río Cuarto, Argentina
³ Guangdong Technion - Israel Institute of Technology, Shantou, China
rfervari@gmail.com

**Abstract.** We report on an implementation of a tableaux calculus for sceptical consequence in Default Logic built on Hybrid Modal Logic. In turn, our tool offers support for checking default consequence over formulas from Propositional Logic, Basic Modal Logic and Hybrid Logic. We develop a test suite for assessing the correctness, scalability, and efficiency of our system, and inform on the results. Interestingly, our method can be adapted to generate examples for other default provers.

# **1 Introduction**

A tableau method [11] is a standard proof procedure based on 'refutations'. To prove that a certain fact is valid, the procedure begins with a syntactical expression intended to assert the negation of the given fact. Then, successive steps syntactically break down this assertion into cases. Finally, impossibility conditions dictate closing cases. A proof is obtained if all cases are closed. Tableaux are one of the most popular proof calculi for Modal Logics, as they are known to lead to efficient and modular implementations [9].

The tableaux method presented here, called *default tableaux*, operates in the way just described. The novelty is that this tableaux method captures sceptical consequence in Default Logic [17], one of the most prominent approaches for non-monotonic reasoning [1]. Two distinguishing characteristics of a default logic are *defaults* and *alternative extensions*. Briefly, defaults can be understood as defeasible rules of inference, whereas extensions can be understood as sets closed under the application of defaults. Alternative extensions originate from 'consistency checks' on the application of defaults. A formula is called a 'sceptical consequence' if it is a consequence from every alternative extension. Our tableaux method handles sceptical consequence for DHL, a default logic built over Hybrid Logic (HL) [3,4], via *default tableaux*. Default tableaux are introduced as an extension of tableaux for HL. These tableaux build on results presented in [5,7].

Moreover, we report on DefTab, an implementation of the default tableaux mentioned above. DefTab was originally conceived for checking sceptical consequence in Default Intuitionistic Logic [7]. Here, we advance towards a modular implementation of a default prover acting over different modal logics. The general implementation of the tool is based on the architecture of HTab [13], a tableaux system for HL (see also [12]). Since it handles formulas from HL, our prover also supports formulas from fragments of HL such as Classical Propositional Logic and Basic Modal Logic. Each fragment is interesting in itself.

We discuss the overall architecture of DefTab, the implementation of default tableaux algorithm, and optimization details. In addition, we present an empirical evaluation of the tool to assess its correctness and efficiency. To this end, we build a test suite for sceptical consequence in DHL by using hGen [2], a random formula generator for HL and the mentioned fragments. We provide a systematic method to convert formulas generated by hGen into interesting test cases for DHL. We posit other provers could benefit from our method in the future.

# **2 Basic Definitions**

**Hybrid Logic.** The language of HL is defined on an enumerable set *P* = { p*<sup>i</sup>* | 0 ≤ i } of *proposition symbols* and an enumerable set N = { n*<sup>i</sup>* | 0 ≤ i } of *nominals*, and is determined by the following BNF:

$$\varphi ::= p_i \mid n_i \mid \neg \varphi \mid \varphi \land \varphi \mid \Box \varphi \mid @_{n_i} \varphi \mid \mathsf{A} \varphi.$$

Other Boolean connectives are defined as usual. The modal formula $\Diamond\varphi$ is an abbreviation for $\neg\Box\neg\varphi$, whereas $\mathsf{E}\varphi$ abbreviates $\neg\mathsf{A}\neg\varphi$. We will also refer to some fragments of HL: the Basic Hybrid Logic (HL⁻) is obtained by removing the constructor $\mathsf{A}\varphi$ from the BNF above. The Basic Modal Logic (BML) is obtained by additionally removing $n_i$ and $@_{n_i}\varphi$ from the BNF. Finally, the Classical Propositional Logic (CPL) is obtained by additionally removing $\Box\varphi$.

A hybrid Kripke model $\mathcal{M}$ is a tuple $\langle W, R, V\rangle$ where: $W$ is a non-empty set of elements called worlds; $R \subseteq W^2$ is the accessibility relation; and the valuation $V : P \cup N \to 2^W$ is a function s.t. for all $n \in N$, $|V(n)| = 1$.

The notion of satisfiability, written M, w |= ϕ, is defined inductively as follows, with the Boolean cases defined as usual:

> $\mathcal{M}, w \models p_i$ iff $w \in V(p_i)$
> $\mathcal{M}, w \models n_i$ iff $\{w\} = V(n_i)$
> $\mathcal{M}, w \models \Box\varphi$ iff for all $w' \in W$, $Rww'$ implies $\mathcal{M}, w' \models \varphi$
> $\mathcal{M}, w \models \mathsf{A}\varphi$ iff for all $w' \in W$, $\mathcal{M}, w' \models \varphi$
> $\mathcal{M}, w \models @_{n_i}\varphi$ iff $\mathcal{M}, w' \models \varphi$, where $\{w'\} = V(n_i)$.

We write $\mathcal{M}, w \models \Phi$ to abbreviate: for all $\varphi \in \Phi$, $\mathcal{M}, w \models \varphi$. We call $\varphi$ a *(local) semantic consequence* ([3]) of $\Phi$, notation $\Phi \models \varphi$, iff for every hybrid Kripke model $\mathcal{M}$ and world $w$ of $\mathcal{M}$, if $\mathcal{M}, w \models \Phi$, then $\mathcal{M}, w \models \varphi$.
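The satisfaction clauses above can be sketched as a recursive model checker over finite hybrid Kripke models; the tuple encoding of formulas and the function name `sat` are assumptions of this illustration, not DefTab's code:

```python
# Sketch of M, w |= phi for HL over a finite model M = (W, R, V).
def sat(M, w, phi):
    W, R, V = M                              # worlds, accessibility, valuation
    op = phi[0]
    if op == 'prop':  return w in V[phi[1]]
    if op == 'nom':   return V[phi[1]] == {w}
    if op == 'not':   return not sat(M, w, phi[1])
    if op == 'and':   return sat(M, w, phi[1]) and sat(M, w, phi[2])
    if op == 'box':   return all(sat(M, v, phi[1]) for v in W if (w, v) in R)
    if op == 'A':     return all(sat(M, v, phi[1]) for v in W)
    if op == 'at':                           # @_{n} phi: jump to n's world
        (v,) = V[phi[1]]                     # nominals denote singletons
        return sat(M, v, phi[2])
    raise ValueError(op)

# Two worlds; world 1 carries proposition p and nominal n; 0 sees 1.
M = ({0, 1}, {(0, 1)}, {'p': {1}, 'n': {1}})
assert sat(M, 0, ('box', ('prop', 'p')))     # every successor of 0 satisfies p
assert sat(M, 0, ('at', 'n', ('prop', 'p'))) # @_n p holds regardless of w
```

Note how `@` discards the evaluation world, matching the last clause of the satisfaction definition.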

**Normal Default Logic.** The work on *Default Logic*, initiated in [17], comprises nowadays a wide range of non-monotonic formalisms built on an underlying (typically monotonic) logic. In what follows, we describe a default logic built on HL, and call this default logic Default Hybrid Logic (DHL).

DHL is characterized by *normal defaults* and *extensions*. A normal default is a pair $(\pi, \chi)$ of formulas of HL written as $\pi/\chi$, where $\pi$ is called the prerequisite of the default, and $\chi$ its consequent. A normal default can be understood as a non-admissible rule of inference of HL which is only applied if its application does not yield a contradiction. Normal defaults are common in the literature since, interestingly, most existing variants of Default Logic converge in the case of normal defaults (see, e.g., [1]). Extensions are defined with respect to default theories. A default theory is a pair $\Theta = \langle\Phi, \Delta\rangle$ where: $\Phi$ is a set of formulas of HL, also indicated by $\Phi_\Theta$; and $\Delta$ is a set of *normal defaults*, also indicated by $\Delta_\Theta$. An extension can be understood as a saturation of a set of facts via the application of defaults. The precise definition of an extension is given in Def. 4.

**Definition 1.** *Let* $\delta = \pi/\chi$ *be a default and* $\Delta$ *be a set of defaults; then:* $\delta^\Pi = \pi$, $\delta^X = \chi$; $\Delta^\Pi = \{\,\delta^\Pi \mid \delta \in \Delta\,\}$, $\Delta^X = \{\,\delta^X \mid \delta \in \Delta\,\}$ *and* $\Delta \cup \delta = \Delta \cup \{\delta\}$*.*

**Definition 2 (Detachment).** *Let* $\Theta$ *be a default theory, and* $\Delta \cup \delta \subseteq \Delta_\Theta$*; we say that* $\delta$ *is* triggered *by* $\Delta$ *(in* $\Theta$*) iff* $(\Phi_\Theta \cup \Delta^X) \models \delta^\Pi$*. We say that* $\delta$ *is* blocked *by* $\Delta$ *iff* $(\Phi_\Theta \cup (\Delta \cup \delta)^X) \models \bot$*. We say that* $\delta$ *is* detached *by* $\Delta$ *if* $\delta$ *is triggered, and not blocked, by* $\Delta$*.*

If we think of a default π/χ as a rule which enables us to pass from π to χ, the notion of detachment in Def. 2 tells us under which conditions on π we can obtain χ. The definition of detachment is an intermediate step towards the definition of an extension via generating sets.

**Definition 3 (Generating Set).** *Let* $\Theta$ *be a default theory; we call* $\Delta \subseteq \Delta_\Theta$ *a* generating set *if there is a total ordering* $\prec$ *on* $\Delta_\Theta$ *s.t.* $\Delta = D^\prec_\Theta(n)$*, where* $n = |\Delta_\Theta|$*,* $D^\prec_\Theta(0) = \emptyset$*, and for all* $0 \le i < n$*:*

$$D^\prec_\Theta(i+1) = \begin{cases} D^\prec_\Theta(i) \cup \delta & \text{if } \delta \in \Delta_\Theta \setminus D^\prec_\Theta(i) \text{ is detached by } D^\prec_\Theta(i), \text{ and for all } \eta \neq \delta \in \Delta_\Theta \setminus D^\prec_\Theta(i), \\ & \text{if } \eta \text{ is detached by } D^\prec_\Theta(i), \text{ then } \delta \prec \eta \\ D^\prec_\Theta(i) & \text{otherwise.} \end{cases}$$

**Definition 4 (Extension).** *Let* $\Theta$ *be a default theory and* $E = \Phi_\Theta \cup \Delta^X$*; the set* $E$ *is an extension of* $\Theta$ *iff* $\Delta$ *is a generating subset of* $\Delta_\Theta$*. We use* $\mathcal{E}(\Theta)$ *to indicate the set of all extensions of* $\Theta$*.*
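Defs. 2–4 admit a compact operational sketch: saturate the facts along one total ordering of the defaults; ranging over all orderings yields all extensions. The consequence relation is supplied as an oracle here, and all names (`detached`, `extension`, the toy literal-set oracle) are illustrative assumptions, not DefTab's implementation:

```python
# Sketch of detachment (Def. 2) and the generating sequence (Def. 3/4)
# for normal defaults, parameterized by a consequence oracle.
def detached(facts, applied, delta, entails, inconsistent):
    pre, cons = delta
    known = facts | {d[1] for d in applied}
    triggered = entails(known, pre)                 # Def. 2: triggered
    blocked = inconsistent(known | {cons})          # Def. 2: blocked
    return triggered and not blocked

def extension(facts, defaults, entails, inconsistent):
    """Saturate `facts` along the given ordering of `defaults`."""
    applied, changed = [], True
    while changed:
        changed = False
        for d in defaults:                          # list order = the ordering
            if d not in applied and detached(facts, applied, d,
                                             entails, inconsistent):
                applied.append(d)
                changed = True
                break                               # restart with least default
    return facts | {d[1] for d in applied}

# Toy oracle over literal sets: S |= x iff x in S (with 'T' for top);
# S is inconsistent iff it contains both a and ~a.
entails = lambda S, x: x == 'T' or x in S
inconsistent = lambda S: any(('~' + a) in S for a in S)
E = extension({'a'}, [('a', 'b'), ('b', '~a')], entails, inconsistent)
assert E == {'a', 'b'}                 # ('b', '~a') is triggered but blocked
```

In the toy run, the second default is triggered by the first but blocked, since adding `~a` to `{a, b}` is inconsistent, so it never enters the generating set.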

As mentioned, intuitively, an extension is a set of formulas that is closed under detachment. We present the definition of default consequence in Def. 5.

**Definition 5 (Default Consequence).** *We say a formula* $\varphi$ *is a* sceptical consequence *of a default theory* $\Theta$*, notation* $\Theta$ |≈ $\varphi$*, iff for all* $E \in \mathcal{E}(\Theta)$*,* $E \models \varphi$*.*

The notion of default consequence in Def. 5 is referred to as sceptical in the literature on Default Logic. In Sec. 3 we present a syntactic characterization of sceptical consequence via a default tableaux proof calculus. This proof calculus is the focus of our system description. We illustrate our definitions in Ex. 1.

*Example 1.* We start by assuming that every world in the model has a successor, and that every world is either a *sink* world (nominal $s$) or 'sees' the sink world. These assumptions are expressed in a default theory as facts, i.e., by $\Phi = \{\mathsf{A}\Diamond\top, \mathsf{A}(s \lor \Diamond s)\}$. Moreover, we have three defaults: $\delta_1 = \top/@_{n_2}\Diamond n_3$, $\delta_2 = \top/@_{n_3}\neg s$, and $\delta_3 = \top/@_{n_3}\Box n_3$. Thus, we have $\Delta = \{\delta_1, \delta_2, \delta_3\}$, and $\Theta = \langle\Phi, \Delta\rangle$. The default $\delta_1$ expresses that $n_2$ must 'see' $n_3$. This default is detached by $\Phi$. Then, we have the defaults $\delta_2$, expressing that $n_3$ must not be the sink world, and $\delta_3$, expressing that $n_3$ must only 'see' itself. Both of these defaults are individually detached by $\delta_1$, but they block each other: $\delta_2$ forces $n_3$ to have a successor different from itself to comply with the facts, while $\delta_3$ forces $n_3$ to see only itself, i.e., it forces $n_3$ to be the sink. This means that we have two generating sets, $\{\delta_1, \delta_2\}$ and $\{\delta_1, \delta_3\}$, thus there are two extensions: $E_1 = \Phi \cup \{@_{n_2}\Diamond n_3, @_{n_3}\neg s\}$ and $E_2 = \Phi \cup \{@_{n_2}\Diamond n_3, @_{n_3}\Box n_3\}$. In both cases, $n_2$ sees the sink in two steps, i.e., $\Theta$ |≈ $@_{n_2}\Diamond\Diamond s$.

# **3 Default Tableaux Proof Calculus**

We present the default tableaux calculus for sceptical consequence in DHL which is the focus of our system description. In what follows, we consider all the formulas from HL in *negation normal form*. The default tableaux calculus for sceptical consequence in DHL constructs so-called *default tableaux*. A default tableau is a tree whose nodes are of three different kinds. We write nodes of the first kind as @<sub>i</sub>ϕ, meaning that ϕ holds at world i. The second kind of nodes (which is a special case of the first kind) is written as @<sub>i</sub>j, meaning that world j is accessible from world i. Nodes of the third kind are indicated by defaults. This last kind of nodes marks the use of a default in a proof attempt. A default tableau for a formula ϕ from a default theory Θ is a default tableau whose root is @<sub>0</sub>¬ϕ, and whose construction is carried out using the rules from Fig. 1.

**Fig. 1.** Tableau expansion rules for DHL.

The rule (F) enables us to incorporate formulas from Φ<sub>Θ</sub> into a default tableau, while the rule (D) enables us to incorporate defaults from Δ<sub>Θ</sub>. This last rule corresponds to the concept of detachment in Def. 2. The notion of deducibility using default tableaux is made precise in Def. 7.

**Definition 6 (Closure).** *A branch of a default tableau is* closed *if* @<sub>i</sub>ϕ *and* @<sub>i</sub>¬ϕ *occur in the branch. A branch is* open *if it is not closed. A default tableau is* closed *if all of its branches are closed; otherwise it is* open*.*

**Definition 7 (Default Deducibility).** *We call any closed default tableau for* ϕ *from* Θ *a* sceptical proof *of* ϕ *from* Θ*, notation* Θ |∼ ϕ*.*

The expansion rules in Fig. 1 together with Def. 7 yield a sceptical proof calculus which is *sound* and *complete* (see [7] for details of this claim).

#### **Theorem 1 (Soundness and Completeness).** Θ |∼ ϕ *iff* Θ |≈ ϕ*.*

In addition, notice that if we forbid the application of the rule (D), we obtain a notion of deducibility Φ<sub>Θ</sub> ⊢ ϕ which yields a sound and complete proof calculus for HL, i.e., Φ<sub>Θ</sub> ⊢ ϕ iff Φ<sub>Θ</sub> |= ϕ (see [16]). We use ⊢ to syntactically check the side condition of the rule (D), and to decide whether it can be applied or not.

**Definition 8 (Saturation).** *A branch of a default tableau is* saturated *if the application of any of the expansion rules in Fig. 1 is redundant.*

It can be proven that every branch of a default tableau can be extended to a saturated one in a finite number of steps. Also, if a default tableau for ϕ from Θ has a branch that is open and saturated, then Θ ̸|≈ ϕ. From these two facts, it follows that default tableaux decide sceptical consequence.

#### **4 Implementation**

DefTab is an implementation of the tableaux proof calculus for sceptical default consequence presented in Sec. 3. The architecture of DefTab is based on the hybrid logic prover HTab [13], and incorporates the specific features needed for default reasoning. HTab implements a terminating tableaux algorithm for HL and comes with optimizations such as semantic branching and backjumping. These and other features are reported in detail in [13]. Given Θ and ϕ as input, DefTab builds proof attempts of Θ |∼ ϕ by searching for Kripke models for ϕ, and subsequently restricting these models with the use of sentences from Φ<sub>Θ</sub> and defaults from Δ<sub>Θ</sub>. DefTab reports whether a default proof has been found or not. In the latter case, it exhibits an extension of Θ from which ϕ does not follow, thus establishing that ϕ is not a default consequence of Θ. In what follows we discuss some implementation details, including some comments on optimizations. DefTab is available at http://tinyurl.com/deftab0.

**Tableaux and Subtableaux.** The tableaux algorithm of DefTab follows a standard strategy for proof search; the novel part is the treatment of the rule (D). To apply it, the algorithm selects a default δ from the set Δ<sub>Θ</sub> and checks whether δ is detached, according to Def. 2. This relies on subtableaux, that is, tableau executions that are independent of the main default tableau. These subtableaux check whether δ is detached in the branch, i.e., whether it is triggered (δ<sup>Π</sup> is a consequence of the premises and the consequents already obtained in the branch) and not blocked (δ<sup>X</sup> does not add an inconsistency to the branch). If δ is detached, then @<sub>0</sub>δ<sup>X</sup> is added to the branch, δ is marked as treated, and the algorithm continues with the expansion of the updated branch. Once no rule can be applied, the algorithm returns TRUE if and only if ϕ is a default consequence of Θ.

**Subtableaux Caching.** One of the main optimizations provided in DefTab is *caching*, operating under the following premise. Subtableaux are executed to check which default rules are triggered or blocked in the context of a branch. Many of these checks are redundant, since the results of such subtableaux do not change unless a default rule is applied to the branch. DefTab implements a simple caching system that stores subtableau results in a dictionary. Each time a subtableau is about to be executed, the set of initial formulas is checked against the cache. If there is a cache hit, the result is taken from the cache and a tableau run is saved. Note that subtableaux do not involve the rule (D); that is, they are purely tableaux of the underlying logic.
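A minimal sketch of this caching scheme (the names are ours, not DefTab's internals): the cache key is the frozen set of the subtableau's initial formulas, and the wrapped solver stands in for a full tableau run of the underlying logic.

```python
def make_cached_solver(solve):
    """Wrap a (sub)tableau solver with a dictionary cache keyed by the
    set of initial formulas; count hits and misses for illustration."""
    cache, stats = {}, {"hits": 0, "misses": 0}
    def solve_cached(formulas):
        key = frozenset(formulas)
        if key in cache:
            stats["hits"] += 1
        else:
            stats["misses"] += 1
            cache[key] = solve(key)        # the actual run happens only once
        return cache[key]
    return solve_cached, stats

# Toy stand-in for the underlying-logic tableau: a set of literals is
# satisfiable iff it contains no complementary pair p / ~p.
def toy_solve(literals):
    return all("~" + l not in literals for l in literals if not l.startswith("~"))
```

For instance, `solve({"p", "q"})` followed by `solve({"q", "p"})` performs a single `toy_solve` run; the second call is a cache hit because both argument sets freeze to the same key.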

**Default Rules Data Structures.** At any given moment, DefTab maintains defaults in two lists: *available* and *triggered*. The available list contains the defaults of the input default theory. When the (D) rule is about to be applied, several steps are performed to handle default rules systematically. First, the *available* list is scanned, and each rule is checked for being triggered. Triggered rules are moved into the *triggered* list, and the rest remain in the *available* list. Note that non-triggered rules may become triggered later, after some default is added to the branch. The *triggered* list is also scanned, and each rule is checked for being blocked in the current branch. When a rule is blocked, it is deleted from the *triggered* list and never returns to the branch. Once this is done, DefTab uses that list to apply the rule (D). The tableau branches as many times as there are rules in the (non-blocked) *triggered* list. For each new branch, the procedure removes the corresponding rule from the *triggered* list, and adds it and its consequent formula to the branch.
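One round of this bookkeeping can be sketched as follows. The data type and the two oracles are our own simplifications: in DefTab, `entails` and `consistent` are subtableau runs of the underlying logic, whereas here they operate on sets of literal strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Default:
    prereq: str          # prerequisite
    cons: str            # consequent

# Toy oracles over sets of literal strings ("T" is the trivial prerequisite):
def entails(branch, phi):
    return phi == "T" or phi in branch

def consistent(fmls):
    return all("~" + f not in fmls for f in fmls if not f.startswith("~"))

def step_defaults(available, triggered, branch):
    """Scan 'available' for newly triggered rules, drop blocked rules from
    'triggered', and return one successor branch per applicable default."""
    still_available = [d for d in available if not entails(branch, d.prereq)]
    triggered = triggered + [d for d in available if entails(branch, d.prereq)]
    not_blocked = [d for d in triggered if consistent(branch | {d.cons})]
    branches = [(branch | {d.cons}, d) for d in not_blocked]
    return still_available, not_blocked, branches
```

Note how a rule blocked in the current branch (e.g. one whose consequent contradicts a formula already on the branch) silently disappears from the returned *triggered* list, matching the "never returns" behaviour described above.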

**Backjumping.** Backjumping [14] is a standard optimization for the HL calculus that greatly improves performance (see [13]). The overall idea is that, instead of performing simple backtracking when a branch is found to be closed, backjumping calculates the lowest level to which the execution of the tableau may directly come back when a clash is found. This requires all formulas in the tableau to be annotated with a set of *dependencies*. A dependency is the level of a branching rule application. For the specific case of default tableaux, we take special care in tracking the dependencies of the formulas introduced by the application of rule (D). To do so, once a default π/χ is triggered, we record it in the *triggered* list along with the dependencies of the formulas that triggered it, according to Def. 2. Concretely, this is the union of the dependencies of the defaults in a set Δ such that Φ<sub>Θ</sub> ∪ Δ<sup>X</sup> |= π. When the (D) rule is applied, the consequent of a default is added to the current branch with these dependencies, plus the dependency of the current tableau level.
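The dependency computation just described can be sketched in a few lines (the function names are ours; the jump-target rule is the generic backjumping idea, not DefTab's exact code):

```python
def detachment_deps(trigger_deps, current_level):
    """Dependencies for a consequent added by (D): the union of the
    dependency sets of the defaults that triggered the rule, plus the
    level of the current branching point."""
    deps = set()
    for d in trigger_deps:
        deps |= d
    deps.add(current_level)
    return deps

def backjump_target(clash_deps):
    """On a clash, jump back to the highest branching level the clash
    actually depends on, instead of plain chronological backtracking."""
    return max(clash_deps) if clash_deps else 0
```

Branching levels skipped between the clash and the target level cannot affect the clash, which is what saves the re-exploration work.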

**Usage.** DefTab takes as input a file following the structure of the following simple example file hybrid01.dt.


DefTab is executed from the command line as:

```
$ ./deftab -f hybrid01.dt
Indeed a sceptical consequence.
Elapsed time: 0.00 seconds
```
The output indicates that @<sub>n0</sub>✸✸n0 (written N0:<><>N0 in the input syntax) is a sceptical consequence of the default theory.

# **5 Testing Generation and Methodology**

**Hybrid and Default Formulas Generation.** Another contribution of our work is to provide a systematic way of constructing test cases for DHL provers. To our knowledge, there is no standard test set for automated reasoning in default logic, let alone for default reasoning based on HL.

We build test cases for DHL using the random formula generator hGen [2]. hGen enables us to generate formulas in conjunctive normal form (CNF) from several fragments of HL, such as CPL, BML and HL−. Moreover, hGen also allows us to specify the different parameters of a formula: the number of clauses, the size of clauses and the modal depth of each subformula of a clause, the probability that an operator appears in the clause (e.g., modal, hybrid, universal), and the total number of propositional symbols and nominals.

We adapted hGen to generate normal default theories from random HL formulas. The transformation depends on the satisfiability status of the original HL formulas. The first case applies to satisfiable formulas of HL in CNF. Given the clauses c<sub>1</sub>,...,c<sub>n</sub> of an HL formula, we put each one of them as the consequent of a default ⊤/c<sub>i</sub>, and put ⊥ as the consequence to be proved. As the original set of clauses is satisfiable, and the consequence is never provable, all the defaults will be applied (as putting ⊤ as the prerequisite triggers every rule) in all possible permutations. This is an easy way to stress our tool.

The second case works with unsatisfiable formulas of HL in CNF. Here, we use an intentionally harder transformation. Given the clauses c<sub>1</sub>,...,c<sub>n</sub> of the HL formula, for all i &lt; n we generate two rules: ⊤/c<sub>i</sub> ∨ c<sub>i+1</sub> and c<sub>i</sub> ∨ c<sub>i+1</sub>/c<sub>i</sub> ∧ c<sub>i+1</sub>. Finally, we add c<sub>n</sub> as the consequence. In this case, not all defaults will be applied to the same branch, but a great number of them will. Moreover, the formula c<sub>n</sub> may or may not be a sceptical consequence of the default theory; this is another difference with the case of satisfiable formulas. This case serves to test not only the scalability of our tool, but also its correctness.
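Both translations are easy to sketch. In the snippet below (our encoding, not the hGen code), clauses are opaque strings, a default is a (prerequisite, consequent) pair, and `"T"` and `"F"` stand for ⊤ and ⊥.

```python
def defaults_from_sat(clauses):
    """Satisfiable case: one always-triggered default T/c_i per clause,
    with the never-provable goal F (falsum) as the query."""
    return [("T", c) for c in clauses], "F"

def defaults_from_unsat(clauses):
    """Unsatisfiable case: for each pair of consecutive clauses, the rules
    T / c_i v c_{i+1}   and   c_i v c_{i+1} / c_i & c_{i+1},
    with the last clause as the query."""
    defaults = []
    for ci, cj in zip(clauses, clauses[1:]):
        disj = f"({ci}) | ({cj})"
        defaults.append(("T", disj))
        defaults.append((disj, f"({ci}) & ({cj})"))
    return defaults, clauses[-1]
```

A theory built from n clauses thus has n defaults in the satisfiable case and 2(n−1) defaults in the unsatisfiable case.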

**Test Suite Structure.** The Bash script testsuite.sh executes four steps: formula generation, renaming, benchmark, and consistency check.

The *formula generation* step uses hGen to generate random sets of formulas from CPL, BML, HL<sup>−</sup> and HL, respectively. Initially, each set contains 1000 formulas. Then, the hybrid logic prover HTab [13] is run to classify each set of formulas into satisfiable (SAT) and unsatisfiable (UNSAT). From these, hGen generates the corresponding default theories, as described in the previous section. The *renaming* step is then performed to organize file names in each folder.

The *benchmark* step enables us to specify a list of provers to be run. Currently, it runs DefTab with cache disabled (NC) and DefTab with cache enabled (C), but the script can easily be modified to run any new default prover. The provers are executed on all input files of each combination of 4 languages and 2 satisfiability values, and the results (execution time and answer) are stored in log files. The script reports how many formulas could be solved within 10 s, 30 s, and 60 s. This is done by running the provers with the highest timeout value; the counts for the other values are deduced from the provers' running times.
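Deriving the lower-timeout counts from the single 60 s run amounts to filtering the recorded times (a sketch; the representation of timed-out instances as `None` is our assumption):

```python
def solved_within(times, limits=(10, 30, 60)):
    """times: one entry per instance, the prover's running time in
    seconds, or None if it hit the 60 s timeout.
    Returns, for each limit, how many instances finished within it."""
    return {lim: sum(1 for t in times if t is not None and t <= lim)
            for lim in limits}
```

This is why only one prover run per instance is needed, regardless of how many timeout values are reported.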

Finally, the *consistency check* step looks for inconsistent outputs between provers by comparing the log files generated in the previous step.

Although the preselected option is to run all these steps together, they can also be run separately. This makes it possible to run the benchmark step on a known set of formulas, to reproduce results. Instructions on how to run the tests, the test script and the set of formulas used to generate the following results can be found at http://tinyurl.com/deftab0.

hGen **parameters.** For each language, we tuned hGen's parameters to get a good SAT/UNSAT balance of its output (ideally a 50/50 ratio). We also aimed at a balanced difficulty of the translated default theories. That is, the sets of default theories should be hard enough that many of them make DefTab time out, so we can measure improvements in the future, but not so hard that we cannot already observe different results for different timeout values. The parameters for each language are: for CPL, 33 clauses and 10 proposition symbols; for BML, 34 clauses, 10 proposition symbols, one relation and at most 2 nested modal operators; for HL−, 15 clauses, 3 proposition symbols, 3 nominals, one relation and at most 6 nested modal and hybrid operators; and for HL, 13 clauses, 2 proposition symbols, 2 nominals, one relation and at most 6 nested modal, hybrid and universal operators. Moreover, each language has fine-tuned probabilities for the different logic connectives in order to meet the SAT/UNSAT and timeout balances that the following results show. All parameters can be found in the released test script.

**Results.** We report below a run of the benchmark script with 1000 formulas per language, performed with DefTab with cache disabled (NC) and DefTab with cache enabled (C). DefTab was compiled with GHC 8.10.7, and the tests were run on the following platform: Ubuntu 22.04 operating system, Linux 5.19 kernel, 12th Gen Intel i7-1260P CPU with 16 cores, 16GB of RAM and SSD storage.


Finally, the following table describes the outcome of checking sceptical consequence for those formulas that were originally unsatisfiable. We consider all the test cases that finished within the 60 s timeout, solved using caching. The column labelled 'Consequence' indicates the number of formulas for which DefTab reports that the formula is indeed a sceptical consequence of the corresponding default theory, while 'Not Consequence' indicates the number of formulas for which DefTab reports that they are not a sceptical consequence.


These results are useful for checking consistency across the execution of different provers, or provers executed with different parameters, as we are currently doing with DefTab's cache option. Moreover, we would like to compare the obtained data with the results of running other provers for the different fragments that are supported by DefTab, to assess both soundness and the performance of our tool. This is part of our future work agenda.

### **6 Final Remarks**

We reported on DefTab, a tableaux-based system to decide sceptical consequence in Default Logic over Hybrid Modal Logic. To the best of our knowledge, DefTab is the first prover combining Modal and Default Logic. This said, other provers do exist for Default Logic. For instance, DeReS is a default logic reasoner with an underlying propositional tableaux calculus [8]. This prover is designed to check default consequence treating reasoning in the underlying logic as a "black box". This contrasts with DefTab which extends tableaux reasoning in the underlying logic with the use of defaults. At present, DefTab only supports sceptical consequence checking, while DeReS also supports credulous consequence checking. We have not been able to find a working implementation of DeReS. However, many of the ideas presented in [8] can be explored in our setting, in particular, the kind of (graph-based) problems that are used to generate test cases.

Although it is not a default logic reasoner, a nonmonotonic reasoning plugin for OWL ontologies is presented in [15]. DefTab could approach this tool by adding multiple relations (roles) and role inclusions to its underlying modal language. In [10], a tool supporting default reasoning over knowledge bases is reported, this time not via a calculus implementation but via a translation into conjunctive query programs in a Description Logic reasoner. After adapting our calculus to handle Description Logic features, it would be interesting to use the above-mentioned tools to perform a comparison with DefTab, both for correctness and performance.

We provided a systematic way of testing our tool, by introducing a test suite generation method based on hGen [2] and HTab [12,13]. This idea can be easily adapted to any kind of default prover working over CPL, BML, HL<sup>−</sup> and HL. We tested the performance of our tool using this test suite, and empirically showed that DefTab's *subtableaux caching* optimization positively impacts performance.

For future work, there are several other interesting lines of research. The treatment of defaults in the calculus can be seen as parametric in the underlying logic (modulo some basic properties, e.g., the possibility of using premises, see [6]). DefTab was originally designed to handle Default Logic over Intuitionistic Logic [7]. Here, the tableaux-based procedure not only handles classical reasoning instead of intuitionistic reasoning, but is also extended to support a family of Modal Logics (i.e., the fragments we described throughout the paper). Moreover, our approach allowed us to design test suites that can be used to test DefTab and other nonmonotonic provers. These ideas can be extended to better assess the behaviour of the tools. We believe that our implementation is a first step towards a modular prover that can be generalized to a wider family of Default Logics.

**Acknowledgments.** We thank the reviewers for their valuable comments. Our work is partially supported by the projects ANPCyT-PICT-2020-3780, ANPCyT-PICT-2021-00400, CONICET PIP 11220200100812CO, the EU Grant Agreement 101008233 (MISSION), and by the Laboratoire International Associé SINFIN.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Non-distributive Description Logic**

Ineke van der Berg1,2 , Andrea De Domenico1(B) , Giuseppe Greco<sup>1</sup> , Krishna B. Manoorkar<sup>1</sup> , Alessandra Palmigiano1,3 , and Mattia Panettiere<sup>1</sup>

<sup>1</sup> Vrije Universiteit Amsterdam, Amsterdam, The Netherlands a.de.domenico@vu.nl

<sup>2</sup> Department of Mathematical Sciences, Stellenbosch University, Stellenbosch, South Africa

<sup>3</sup> Department of Mathematics and Applied Mathematics, University of Johannesburg, Johannesburg, South Africa

**Abstract.** We define LE-ALC, a generalization of the description logic ALC based on the propositional logic of general (i.e. not necessarily distributive) lattices, and semantically interpreted on relational structures based on formal contexts from Formal Concept Analysis (FCA). The description logic LE-ALC allows us to formally describe databases with objects, features, and formal concepts, represented according to FCA as Galois-stable sets of objects and features. We describe ABoxes and TBoxes in LE-ALC, provide a tableaux algorithm for checking the consistency of LE-ALC knowledge bases with acyclic TBoxes, and show its termination, soundness and completeness. Interestingly, consistency checking for LE-ALC with acyclic TBoxes is in PTIME, while the complexity of the consistency checking of classical ALC with acyclic TBoxes is PSPACE-complete.

**Keywords:** Description logic · Tableaux algorithm · Formal Concept Analysis · LE-logics

# **1 Introduction**

Description Logic (DL) [2] is a class of logical formalisms, typically based on classical first-order logic, and widely used in Knowledge Representation and Reasoning to describe and reason about relevant concepts in a given application domain and their relationships. Since certain laws of classical logic fail in certain application domains, in recent years, there has been a growing interest in developing versions of description logics on weaker (non-classical) propositional bases. For instance, in [20], an intuitionistic version of the DL ALC has been introduced for resolving some inconsistencies arising from the classical law of excluded middle when applying ALC to legal domains. In [6,19], many-valued

This paper is partially funded by the EU MSCA (grant No. 101007627). The first author is funded by the National Research Foundation of South Africa (grant No. 140841). The third and fourth authors are partially funded by the NWO grant KIVI.2019.001.

(fuzzy) description logics have been introduced to account for uncertainty and imprecision in processing information in the Semantic Web, and recently, frameworks of non-monotonic description logics have been introduced [14,15,18].

One domain of application in which there is no consensus as to how classical logic should be applied is Formal Concept Analysis (FCA). In this setting, formal concepts arise from formal contexts P = (A, X, I), where A and X are sets (of objects and features respectively), and I ⊆ A × X. Specifically, formal concepts are represented as Galois-stable tuples (B, Y) such that B ⊆ A and Y ⊆ X, and B = {a ∈ A | ∀y(y ∈ Y ⇒ aIy)} and Y = {x ∈ X | ∀b(b ∈ B ⇒ bIx)}. The formal concepts arising from a formal context are naturally endowed with a partial order (the sub-concept/super-concept relation) as follows: (B<sub>1</sub>, Y<sub>1</sub>) ≤ (B<sub>2</sub>, Y<sub>2</sub>) iff B<sub>1</sub> ⊆ B<sub>2</sub> iff Y<sub>2</sub> ⊆ Y<sub>1</sub>. This partial order forms a complete lattice, which is in general non-distributive. The failure of distributivity in the lattice of formal concepts introduces a tension between classical logic and the natural logic of formal concepts in FCA. This failure motivated the introduction of lattice-based propositional (modal) logics as the (epistemic) logics of formal concepts [9,10]. Complete relational semantics of these logics is given by *enriched formal contexts* (cf. Sect. 2.2), relational structures F = (P, R<sub>✷</sub>, R<sub>✸</sub>) based on formal contexts.

In this paper, we introduce LE-ALC, a lattice-based version of ALC which stands in the same relation to the lattice-based modal logic of formal concepts [12] as classical ALC stands in relation to classical modal logic: the language and semantics of LE-ALC is based on enriched formal contexts and their associated modal algebras. Thus, just like the language of ALC can be seen as a hybrid modal logic language interpreted on Kripke frames, the language of LE-ALC can be regarded as a hybrid modal logic language interpreted on enriched formal contexts.

FCA and DL are different and well-known approaches to the formal representation of concepts (or categories). They have been used together for several purposes [1,4,17]. Thus, providing a DL framework which allows us to describe formal contexts (possibly enriched, e.g., with additional relations on them) would be useful for relating these frameworks both at a theoretical and at a practical level. Proposals to connect FCA and DL have been made, in which concept lattices serve as models for DL concepts. Shilov and Han [21] interpret the positive fragment of ALC concept names over concept lattices and show that this interpretation is compatible with standard Kripke models for ALC. A similar approach is used by Wurm [22], in which complete semantics for the (full) Lambek calculus is defined on concept lattices. The approach of the present paper for defining and interpreting non-distributive description logic and modal logic in relation with concept lattices with operators differs from the approaches mentioned above in that it is based on duality-theoretic insights (cf. [10]). This allows us not only to show that the DL framework introduced in the present paper is consistent with the standard DL setting and its interpretation on Kripke models, but also to show that several properties of these logics and the meaning of their formulas can be "lifted" from the classical (distributive) to non-distributive settings (cf. [7,8,12] for extended discussions).

The main technical contribution of this paper is a tableaux algorithm for checking the consistency of LE-ALC ABoxes. We show that the algorithm is terminating, sound and complete. Interestingly, this algorithm runs in polynomial time, while consistency checking for classical ALC ABoxes is PSPACE-complete. The algorithm also constructs a model for the given ABox which is polynomial in size; this also implies that the corresponding hybrid modal logic has the finite model property.

*Structure of the Paper.* In Sect. 2, we give the necessary preliminaries on the DL ALC, lattice-based modal logics and their relational semantics. In Sect. 3, we introduce the syntax and the semantics of LE-ALC. In Sect. 4, we introduce a tableaux algorithm for checking the consistency of LE-ALC ABoxes and show that it is terminating, sound and complete. In Sect. 5, we conclude and discuss some future research directions.

#### **2 Preliminaries**

# **2.1 Description Logic** *ALC*

Let C and R be disjoint sets of primitive or atomic *concept names* and *role names*. The set of *concept descriptions*, or compound concept names, over C and R is defined recursively as follows.

$$C := A \mid \top \mid \bot \mid C \land C \mid C \lor C \mid \neg C \mid \exists r. C \mid \forall r. C$$

where A ∈ C and r ∈ R. An *interpretation* is a tuple I = (Δ<sup>I</sup>, ·<sup>I</sup>) s.t. Δ<sup>I</sup> is a non-empty set and ·<sup>I</sup> maps every concept name A ∈ C to a set A<sup>I</sup> ⊆ Δ<sup>I</sup>, and every role name r ∈ R to a relation r<sup>I</sup> ⊆ Δ<sup>I</sup> × Δ<sup>I</sup>. This mapping extends to all concept descriptions as follows:

$$\begin{array}{ll}
\top^{\mathrm{I}} = \Delta^{\mathrm{I}} & \bot^{\mathrm{I}} = \emptyset \\
(C \wedge D)^{\mathrm{I}} = C^{\mathrm{I}} \cap D^{\mathrm{I}} & (C \vee D)^{\mathrm{I}} = C^{\mathrm{I}} \cup D^{\mathrm{I}} \\
(\neg C)^{\mathrm{I}} = \Delta^{\mathrm{I}} \setminus C^{\mathrm{I}} & \\
(\exists r.C)^{\mathrm{I}} = \{d \in \Delta^{\mathrm{I}} \mid \exists e\,((d,e) \in r^{\mathrm{I}} \ \& \ e \in C^{\mathrm{I}})\} & \\
(\forall r.C)^{\mathrm{I}} = \{d \in \Delta^{\mathrm{I}} \mid \forall e\,((d,e) \in r^{\mathrm{I}} \Rightarrow e \in C^{\mathrm{I}})\} &
\end{array}$$

Let S be a set of individual names disjoint from C and R, such that for every a in S, a<sup>I</sup> ∈ Δ<sup>I</sup>. For any a, b ∈ S, any C ∈ C and r ∈ R, an expression of the form a : C (resp. (a, b) : r) is an ALC *concept assertion* (resp. *role assertion*). A finite set of ALC concept and role assertions is an ALC *ABox*. An assertion a : C (resp. (a, b) : r) is *satisfied* in an interpretation I if a<sup>I</sup> ∈ C<sup>I</sup> (resp. if (a<sup>I</sup>, b<sup>I</sup>) ∈ r<sup>I</sup>). An ALC *TBox* is a finite set of expressions of the form C<sub>1</sub> ≡ C<sub>2</sub>. An interpretation I *satisfies* C<sub>1</sub> ≡ C<sub>2</sub> iff C<sub>1</sub><sup>I</sup> = C<sub>2</sub><sup>I</sup>. An ALC *knowledge base* is a tuple (A, T), where A is an ALC ABox, and T is an ALC TBox. An interpretation I is a *model* for a knowledge base (A, T) iff it satisfies all members of A and T. A knowledge base (A, T) is *consistent* if there is a model for it. An ABox A (resp. TBox T) is *consistent* if the knowledge base (A, ∅) (resp. (∅, T)) is consistent.
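The semantic clauses above translate directly into a small evaluator over a finite interpretation. This is a sketch: the tuple-based encoding of concept descriptions is ours, not part of any standard DL toolkit.

```python
def interp(C, dom, conc, role):
    """Compute C^I for a concept description C over a finite interpretation:
    C is 'top', 'bot', an atomic concept name, or a tuple
    ('and',C,D), ('or',C,D), ('not',C), ('ex',r,C), ('all',r,C)."""
    if C == "top":
        return set(dom)
    if C == "bot":
        return set()
    if isinstance(C, str):                  # atomic concept name
        return set(conc[C])
    op = C[0]
    if op == "and":
        return interp(C[1], dom, conc, role) & interp(C[2], dom, conc, role)
    if op == "or":
        return interp(C[1], dom, conc, role) | interp(C[2], dom, conc, role)
    if op == "not":
        return set(dom) - interp(C[1], dom, conc, role)
    r, D = C[1], C[2]
    DI = interp(D, dom, conc, role)
    if op == "ex":                          # exists r.D
        return {d for d in dom
                if any((d, e) in role[r] and e in DI for e in dom)}
    return {d for d in dom                  # forall r.D
            if all(e in DI for e in dom if (d, e) in role[r])}
```

Checking whether an assertion a : C is satisfied then amounts to testing membership of a<sup>I</sup> in `interp(C, ...)`.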

An ALC *concept definition* in T is an expression of the form A ≡ C where A is an atomic concept. We say that A *directly uses* B if there is a concept definition A ≡ C in T such that B occurs in C. We say that A *uses* B if A directly uses B, or if there is a concept name B′ such that A uses B′ and B′ directly uses B. A finite set T of concept definitions is an *acyclic* TBox if no concept name occurs more than once on the left-hand side of a definition, and no concept name uses itself.


Checking the consistency of a knowledge base is a key problem in description logics, usually solved via tableaux algorithms. In the ALC case, checking the consistency of any knowledge base is EXPTIME-complete while checking the consistency of a knowledge base with acyclic TBoxes is PSPACE-complete [2].

#### **2.2 Basic Normal Non-distributive Modal Logic and Its Semantics**

The logic introduced in this section is part of a family of lattice-based logics, sometimes referred to as *LE-logics* (cf. [11]), which have been studied in the context of a research program on the logical foundations of categorization theory [8–10,12]. Let Prop be a (countable) set of atomic propositions. The language L is defined as follows:

$$
\varphi := \bot \mid \top \mid p \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \Box \varphi \mid \Diamond \varphi,
$$

where p ∈ Prop, and ✷ ∈ G and ✸ ∈ F, for finite sets G and F of unary ✷-type (resp. ✸-type) modal operators. The *basic*, or *minimal normal* L-*logic* is a set **L** of sequents ϕ ⊢ ψ, with ϕ, ψ ∈ L, containing the following axioms for every ✷ ∈ G and ✸ ∈ F:

$$\begin{array}{cccccc}
p \vdash p & \bot \vdash p & p \vdash p \lor q & p \land q \vdash p & \top \vdash \Box\top & \Box p \land \Box q \vdash \Box(p \land q) \\
p \vdash \top & q \vdash p \lor q & p \land q \vdash q & \Diamond\bot \vdash \bot & \Diamond(p \lor q) \vdash \Diamond p \lor \Diamond q &
\end{array}$$

and closed under the following inference rules:

$$\frac{\varphi \vdash \chi \quad \chi \vdash \psi}{\varphi \vdash \psi} \quad \frac{\varphi \vdash \psi}{\varphi \left(\chi/p\right) \vdash \psi \left(\chi/p\right)} \quad \frac{\chi \vdash \varphi \quad \chi \vdash \psi}{\chi \vdash \varphi \land \psi} \quad \frac{\varphi \vdash \chi \quad \psi \vdash \chi}{\varphi \lor \psi \vdash \chi} \quad \frac{\varphi \vdash \psi}{\Box \varphi \vdash \Box \psi} \quad \frac{\varphi \vdash \psi}{\Diamond \varphi \vdash \Diamond \psi}$$

Note that unlike in classical modal logic, we cannot assume that ✷ and ✸ are inter-definable in LE-logics, hence we take all connectives as primitive.

*Relational Semantics.* The following notation, notions and facts are from [8,12]. For any binary relation T ⊆ U × V, and any U′ ⊆ U and V′ ⊆ V, we let T<sup>c</sup> denote the set-theoretic complement of T in U × V, and

$$T^{(1)}[U'] := \{ v \mid \forall u (u \in U' \Rightarrow uTv) \} \qquad T^{(0)}[V'] := \{ u \mid \forall v (v \in V' \Rightarrow uTv) \}. \tag{1}$$
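
The two operators in (1) translate directly into code. The following is a minimal sketch; the sets and the toy relation are invented for illustration and are not from the paper:

```python
# T^(1)[U'] and T^(0)[V'] from equation (1), for a relation T ⊆ U × V
# encoded as a set of pairs. All data below is purely illustrative.

def T1(T, U_prime, V):
    """T^(1)[U']: all v related by T to every u in U'."""
    return {v for v in V if all((u, v) in T for u in U_prime)}

def T0(T, V_prime, U):
    """T^(0)[V']: all u related by T to every v in V'."""
    return {u for u in U if all((u, v) in T for v in V_prime)}

U, V = {1, 2}, {'x', 'y'}
T = {(1, 'x'), (1, 'y'), (2, 'x')}
print(T1(T, {1, 2}, V))   # {'x'}: the only element T-related to both 1 and 2
print(T0(T, {'x'}, U))    # {1, 2}: everything T-related to 'x'
```

Note that both operators are antitone in their set argument: enlarging U′ can only shrink T^(1)[U′].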

In what follows, we fix two sets A and X, and use a, b (resp. x, y) to denote elements of A (resp. X), and B, C, A_j (resp. Y, W, X_j) to denote subsets of A (resp. of X).

A *polarity* or *formal context* (cf. [13]) is a tuple P = (A, X, I), where A and X are sets, and I ⊆ A × X is a binary relation. Intuitively, formal contexts can be understood as abstract representations of databases [13]: A and X represent collections of *objects* and *features*, and for any object a and feature x, the tuple (a, x) belongs to I exactly when object a has feature x.

As is well known, for every formal context P = (A, X, I), the pair of maps

$$(\cdot)^\uparrow: \mathcal{P}(A) \to \mathcal{P}(X) \quad \text{and} \quad (\cdot)^\downarrow: \mathcal{P}(X) \to \mathcal{P}(A),$$

defined by the assignments B↑ := I^(1)[B] and Y↓ := I^(0)[Y], form a Galois connection, and hence induce the closure operators (·)↑↓ on P(A) and (·)↓↑ on P(X). The fixed points of (·)↑↓ and (·)↓↑ are the *Galois-stable* sets. A *formal concept* of a polarity P = (A, X, I) is a tuple c = (B, Y) such that B ⊆ A, Y ⊆ X, B = Y↓ and Y = B↑. The subset B (resp. Y) is the *extension* (resp. the *intension*) of c and is denoted by [[c]] (resp. ([c])). It is well known (cf. [13]) that the sets B and Y are Galois-stable, and that the set of formal concepts of a polarity P, with the order defined by

$$
c_1 \le c_2 \quad \text{iff} \quad [\![c_1]\!] \subseteq [\![c_2]\!] \quad \text{iff} \quad (\![c_2]\!) \subseteq (\![c_1]\!),
$$

forms a complete lattice P<sup>+</sup>, namely the *concept lattice* of P.
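
As a concrete illustration of the maps (·)↑ and (·)↓ and of concept lattices, the following sketch enumerates all formal concepts of a small context via the closure B↑↓; the objects, features and incidence relation are made up for the example:

```python
from itertools import combinations

# A toy polarity P = (A, X, I); all data here is illustrative.
A = {'duck', 'swan'}
X = {'swims', 'flies', 'white'}
I = {('duck', 'swims'), ('duck', 'flies'),
     ('swan', 'swims'), ('swan', 'white')}

def up(B):    # B↑ = I^(1)[B]: features shared by all objects in B
    return {x for x in X if all((a, x) in I for a in B)}

def down(Y):  # Y↓ = I^(0)[Y]: objects having all features in Y
    return {a for a in A if all((a, x) in I for x in Y)}

def concepts():
    """All pairs (B, Y) with B = Y↓ and Y = B↑, found via the closure B↑↓."""
    found = set()
    for r in range(len(A) + 1):
        for B in combinations(sorted(A), r):
            ext = down(up(set(B)))                 # Galois-stable closure
            found.add((frozenset(ext), frozenset(up(ext))))
    return found

for ext, intent in sorted(concepts(), key=lambda c: (len(c[0]), sorted(c[0]))):
    print(sorted(ext), '|', sorted(intent))
```

The four concepts printed here are ordered exactly as in the display above: larger extension corresponds to smaller intension.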

For the language L defined above, an *enriched formal* L*-context* is a tuple F = (P, R✷, R✸), where R✷ = {R✷ ⊆ A × X | ✷ ∈ G} and R✸ = {R✸ ⊆ X × A | ✸ ∈ F} are sets of *I-compatible* relations, that is, for all ✷ ∈ G, ✸ ∈ F, a ∈ A, and x ∈ X, the sets R✷^(0)[x], R✷^(1)[a], R✸^(0)[a], R✸^(1)[x] are Galois-stable in P. For each ✷ ∈ G and ✸ ∈ F, the associated relations R✷ and R✸ provide the corresponding semantic interpretations as operations [R✷] and ⟨R✸⟩ on the concept lattice P+, defined as follows: for any c ∈ P+,

$$
[R_\Box]c = (R_\Box^{(0)}[(\![c]\!)],\ I^{(1)}[R_\Box^{(0)}[(\![c]\!)]]) \quad \text{and} \quad \langle R_\Diamond\rangle c = (I^{(0)}[R_\Diamond^{(0)}[[\![c]\!]]],\ R_\Diamond^{(0)}[[\![c]\!]]).
$$

We refer to the algebra F+ = (P+, {[R✷]}✷∈G, {⟨R✸⟩}✸∈F) as the *complex algebra* of F.
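
The displayed definitions of [R✷] and ⟨R✸⟩ can be computed mechanically; below is a small sketch for [R✷], where the context, the concept c, and the relation R✷ are invented for the example:

```python
# [R_box]c = (R_box^(0)[int(c)], I^(1)[R_box^(0)[int(c)]]), following the
# displayed definition. All data is a made-up toy example.

def r0(R, Vp, U):   # R^(0)[V'] = {u | uRv for every v in V'}
    return {u for u in U if all((u, v) in R for v in Vp)}

def r1(R, Up, V):   # R^(1)[U'] = {v | uRv for every u in U'}
    return {v for v in V if all((u, v) in R for u in Up)}

A, X = {'a1', 'a2'}, {'x1', 'x2'}
I = {('a1', 'x1'), ('a2', 'x1'), ('a2', 'x2')}
R_box = {('a1', 'x1'), ('a2', 'x1'), ('a2', 'x2')}

c = ({'a2'}, {'x1', 'x2'})          # a formal concept of (A, X, I)
ext = r0(R_box, c[1], A)            # new extension: R_box^(0) of the intension
box_c = (ext, r1(I, ext, X))        # close under I^(1) to get the intension
print(box_c)                        # ({'a2'}, {'x1', 'x2'})
```

The second component applies I^(1) so that the result is again a formal concept of the underlying polarity.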

A *valuation* on such an F is a map V : Prop → P+. For each p ∈ Prop, we let [[p]] := [[V(p)]] (resp. ([p]) := ([V(p)])) denote the extension (resp. intension) of the interpretation of p under V.

A *model* is a tuple M = (F, V) where F = (P, R✷, R✸) is an enriched formal context and V is a valuation on F. For every ϕ ∈ L, we let [[ϕ]]_M := [[V(ϕ)]] (resp. ([ϕ])_M := ([V(ϕ)])) denote the extension (resp. intension) of the interpretation of ϕ under the homomorphic extension of V. The 'forcing' relations ⊩ and ≻ can be defined recursively; on the propositional fragment:

$$
\begin{array}{ll}
\mathsf{M}, a \Vdash p \text{ iff } a \in [\![V(p)]\!] & \mathsf{M}, x \succ p \text{ iff } x \in (\![V(p)]\!)\\
\mathsf{M}, a \Vdash \top \text{ always} & \mathsf{M}, x \succ \top \text{ iff } (\forall a \in A)\, aIx\\
\mathsf{M}, x \succ \bot \text{ always} & \mathsf{M}, a \Vdash \bot \text{ iff } (\forall x \in X)\, aIx\\
\mathsf{M}, a \Vdash \varphi \wedge \psi \text{ iff } \mathsf{M}, a \Vdash \varphi \text{ and } \mathsf{M}, a \Vdash \psi & \mathsf{M}, x \succ \varphi \wedge \psi \text{ iff } (\forall a \in A)(\mathsf{M}, a \Vdash \varphi \wedge \psi \Rightarrow aIx)\\
\mathsf{M}, x \succ \varphi \vee \psi \text{ iff } \mathsf{M}, x \succ \varphi \text{ and } \mathsf{M}, x \succ \psi & \mathsf{M}, a \Vdash \varphi \vee \psi \text{ iff } (\forall x \in X)(\mathsf{M}, x \succ \varphi \vee \psi \Rightarrow aIx)
\end{array}
$$
As to the interpretation of modal formulas, for every ✷ ∈ G and ✸ ∈ F:

$$
\begin{array}{ll}
\mathsf{M}, a \Vdash \Box\varphi \text{ iff } (\forall x \in X)(\mathsf{M}, x \succ \varphi \Rightarrow aR_\Box x) & \mathsf{M}, x \succ \Box\varphi \text{ iff } (\forall a \in A)(\mathsf{M}, a \Vdash \Box\varphi \Rightarrow aIx)\\
\mathsf{M}, x \succ \Diamond\varphi \text{ iff } (\forall a \in A)(\mathsf{M}, a \Vdash \varphi \Rightarrow xR_\Diamond a) & \mathsf{M}, a \Vdash \Diamond\varphi \text{ iff } (\forall x \in X)(\mathsf{M}, x \succ \Diamond\varphi \Rightarrow aIx)
\end{array}
$$

The definition above ensures that, for any L-formula ϕ,

$$
\mathsf{M}, a \Vdash \varphi \ \text{ iff } \ a \in [\![\varphi]\!]_{\mathsf{M}}, \qquad \mathsf{M}, x \succ \varphi \ \text{ iff } \ x \in (\![\varphi]\!)_{\mathsf{M}},
$$

$$
\mathsf{M} \models \varphi \vdash \psi \ \text{ iff } \ [\![\varphi]\!]_{\mathsf{M}} \subseteq [\![\psi]\!]_{\mathsf{M}} \ \text{ iff } \ (\![\psi]\!)_{\mathsf{M}} \subseteq (\![\varphi]\!)_{\mathsf{M}}.
$$

The interpretation of the propositional connectives ∨ and ∧ in the framework described above reproduces the standard notions of join and meet of formal concepts used in FCA. The interpretation of the operators ✷ and ✸ is motivated by algebraic properties and duality theory for modal operators on lattices (cf. [12, Sect. 3] for an expanded discussion). In [8, Proposition 3.7], it is shown that the semantics of LE-logics is compatible with Kripke semantics for classical modal logic, and thus LE-logics are indeed generalizations of classical modal logic. This interpretation is further justified in [8, Sect. 4] by noticing that, under the interpretations of the relation I as aIx iff "object a has feature x", and of R := R✷ = R✸^{-1} as aRx iff "there is evidence that object a has feature x", for any concept c the extents of the concepts ✷c and ✸c can be interpreted as "the set of objects which *certainly* belong to c" (upper approximation) and "the set of objects which *possibly* belong to c" (lower approximation), respectively. Thus, the interpretations of ✷ and ✸ have a meaning in LE-logics similar to the one they have in classical modal logic. A similar justification of the epistemic interpretation of ✷ in classical and lattice-based modal logics is discussed in [9]. This transfer of meaning of modal axioms from classical modal logic to LE-logics has been investigated as a general phenomenon in [7, Sect. 4.3] and [12].

# **3 LE Description Logic**

In this section, we introduce the non-classical DL LE-ALC, which stands in the same relation to LE-logic as ALC does to classical modal logic. This analogy extends to the models we introduce for LE-ALC: just as Kripke models of classical modal logic serve as models of ALC, enriched formal contexts, which provide a complete semantics for LE-logic, serve as models of LE-ALC. In this specific respect, LE-ALC can be seen as a generalization of the positive fragment (i.e. the fragment with no negations on concept names) of ALC in which the distributivity laws for concepts are not assumed. Accordingly, the language of LE-ALC contains individuals of two types, interpreted as the *objects* and *features* of the given database or categorization. Let OBJ and FEAT be disjoint sets of individual names for objects and features, respectively.

The set R of role names of LE-ALC is the union of three disjoint sets of relations: (1) the singleton set {I}, with I ⊆ OBJ × FEAT; (2) a set R✷ = {R✷ ⊆ OBJ × FEAT | ✷ ∈ G}; (3) a set R✸ = {R✸ ⊆ FEAT × OBJ | ✸ ∈ F}. While I is intended to be interpreted as the incidence relation of a formal context, and encodes which objects have which features, the relations in R✷ and R✸ encode additional relationships between objects and features (cf. [8] for an extended discussion).

For any set C of atomic concept names, the language of LE-ALC concepts is:

$$C := D \mid C\_1 \land C\_2 \mid C\_1 \lor C\_2 \mid \top \mid \bot \mid \langle R\_{\lozenge} \rangle C \mid [R\_{\square}] C$$

where D ∈ C, R✷ ∈ R✷ and R✸ ∈ R✸. This language matches the language of LE-logic, and has an analogous intended interpretation on the complex algebras of enriched formal contexts (cf. Sect. 2.2). As usual, ∨ and ∧ are interpreted as the smallest common superconcept and the greatest common subconcept, as in FCA. The constants ⊤ and ⊥ are interpreted as the largest and the smallest concept, respectively. We do not include ¬C as a valid concept in our language, since there is no canonical and natural way to interpret negation in non-distributive settings.

The concepts ⟨R✸⟩C and [R✷]C in LE-ALC are intended to be interpreted via the operations ⟨R✸⟩ and [R✷] defined by the interpretations of the corresponding role names in enriched formal contexts, analogously to the way in which ∃r and ∀r in ALC are interpreted on Kripke frames. We do not use the symbols ∀r and ∃r in the context of LE-ALC because, as discussed in Sect. 2.2, the semantic clauses of both modal operators in LE-logic use universal quantifiers, and hence reusing this notation verbatim would be ambiguous or misleading.

TBox assertions in LE-ALC are of the shape C1 ≡ C2, where C1 and C2 are concepts defined as above.¹ The ABox assertions are of the form:

$$a R\_{\square} x, \quad x R\_{\diamond} a, \quad a I x, \quad a:C, \quad x :: C, \quad \neg \alpha,$$

where α is any of the first five ABox terms. We refer to terms of the first three types as *relational terms*. The intended readings of a : C and x::C are "object a is a member of concept C" and "feature x is in the description of concept C", respectively.
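
For the sketches that follow, it helps to fix one concrete encoding of ABox terms as data; the tuple scheme below is a hypothetical choice of ours, not the paper's notation:

```python
# A hypothetical tuple encoding of LE-ALC ABox terms (not from the paper):
#   a : C      -> ('obj', a, C)     "object a is a member of concept C"
#   x :: C     -> ('feat', x, C)    "feature x describes concept C"
#   aIx        -> ('I', a, x)
#   a R_box x  -> ('Rbox', a, x)
#   x R_dia a  -> ('Rdia', x, a)
#   ¬α         -> ('not', α)

abox = {
    ('obj', 'b', 'C1'),
    ('feat', 'y', 'C1'),
    ('I', 'b', 'y'),
    ('not', ('Rbox', 'b', 'y')),
}

# The relational terms are exactly those of the first three relational kinds.
relational = {t for t in abox if t[0] in ('I', 'Rbox', 'Rdia')}
print(relational)
```

Using plain hashable tuples keeps ABoxes as Python sets, which matches the set-theoretic style of the definitions above.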

An *interpretation* for LE-ALC is a tuple I = (F, ·^I), where F = (P, R✷, R✸) is an enriched formal context, and ·^I maps every individual name a ∈ OBJ (resp. x ∈ FEAT) to an element a^I ∈ A (resp. x^I ∈ X), every role name to the corresponding relation of F, every atomic concept D to a formal concept D^I of P, and every composite concept to an element of the concept lattice P+ as follows:

$$
\begin{array}{ll}
\bot^{\mathrm{I}} = (X^{\downarrow}, X) & \top^{\mathrm{I}} = (A, A^{\uparrow})\\
(C_1 \wedge C_2)^{\mathrm{I}} = C_1^{\mathrm{I}} \wedge C_2^{\mathrm{I}} & (C_1 \vee C_2)^{\mathrm{I}} = C_1^{\mathrm{I}} \vee C_2^{\mathrm{I}}\\
([R_\Box]C)^{\mathrm{I}} = [R_\Box^{\mathrm{I}}]C^{\mathrm{I}} & (\langle R_\Diamond\rangle C)^{\mathrm{I}} = \langle R_\Diamond^{\mathrm{I}}\rangle C^{\mathrm{I}}
\end{array}
$$

where the operators [R✷^I] and ⟨R✸^I⟩ are defined as in Sect. 2.2.

The satisfiability relation for an interpretation I is defined as follows:

1. I ⊨ C1 ≡ C2 iff [[C1^I]] = [[C2^I]] iff ([C1^I]) = ([C2^I]).

¹ As is standard in DL (cf. [2] for more details), a general concept inclusion of the form C1 ⊑ C2 can be rewritten as the concept definition C1 ≡ C2 ∧ C3, where C3 is a new concept name.

2. I ⊨ a : C iff a^I ∈ [[C^I]], and I ⊨ x::C iff x^I ∈ ([C^I]).

3. I ⊨ aIx (resp. aR✷x, xR✸a) iff a^I I^I x^I (resp. a^I R✷^I x^I, x^I R✸^I a^I).

4. I ⊨ ¬α, where α is any ABox term, iff I ⊭ α.

An interpretation I is a *model* for an LE-ALC knowledge base (A, T) if I ⊨ A and I ⊨ T.

The framework of LE-ALC formally brings FCA and DL together in two important ways: (1) the concepts of LE-ALC are naturally interpreted as formal concepts in FCA; (2) the language of LE-ALC is designed to represent knowledge and reasoning in the setting of enriched formal contexts.

# **4 Tableaux Algorithm for ABox of LE-***ALC*

In this section, we define a tableaux algorithm for checking the consistency of LE-ALC ABoxes. An LE-ALC ABox A contains a *clash* iff it contains both β and ¬β for some relational term β. The expansion rules below are designed so that the expansion of A contains a clash iff A is inconsistent. The set sub(C) of subformulas of any LE-ALC concept C is defined as usual.
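
The clash condition is a one-line check once terms are encoded as data; in the sketch below, relational terms are hypothetical ('I', a, x)-style tuples and negations are ('not', t):

```python
# An ABox contains a clash iff it has both β and ¬β for a relational term β.
# Terms are encoded as tuples, e.g. ('I', 'b', 'y'); ¬β is ('not', β).

def has_clash(abox):
    return any(t[0] == 'not' and t[1] in abox for t in abox)

print(has_clash({('I', 'b', 'y'), ('not', ('I', 'b', 'y'))}))    # True
print(has_clash({('I', 'b', 'y'), ('not', ('Rbox', 'b', 'y'))}))  # False
```

Since ABoxes are sets, the membership test `t[1] in abox` finds the complementary pair directly.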

A concept name C *occurs* in A (in symbols: C ∈ A) if C ∈ sub(C′) for some C′ such that one of the terms a : C′, x::C′, ¬(a : C′), or ¬(x::C′) is in A. A constant b (resp. y) *occurs* in A (in symbols: b ∈ A, resp. y ∈ A) iff some term containing b (resp. y) occurs in it.

The tableaux algorithm below constructs a model (F, ·^I) for every consistent A, where F = (P, R✷, R✸) is such that, for any C ∈ A, there exist a_C ∈ A and x_C ∈ X such that, for any a ∈ A (resp. any x ∈ X), a ∈ [[C^I]] (resp. x ∈ ([C^I])) iff aIx_C (resp. a_C Ix). We call a_C and x_C the *classifying object* and the *classifying feature* of C, respectively. To make the notation more easily readable, we write a_{✷C}, x_{✷C} (resp. a_{✸C}, x_{✸C}) instead of a_{[R✷]C}, x_{[R✷]C} (resp. a_{⟨R✸⟩C}, x_{⟨R✸⟩C}). Moreover, for every R✷ ∈ R✷ and R✸ ∈ R✸, we also impose the condition that a ∈ [[[R✷]C]] (resp. x ∈ ([⟨R✸⟩C])) iff aR✷x_C (resp. xR✸a_C), where a_C and x_C are the classifying object and feature of C. Note that we can always assume w.l.o.g. that any consistent ABox A is satisfiable in a model with classifying objects and features (cf. Theorem 3).

**Algorithm 1.** Tableaux algorithm for checking LE-ALC ABox consistency

**Input**: An LE-ALC ABox A. **Output**: whether A is inconsistent.


Below, we list the expansion rules. The commas in each rule are metalinguistic conjunctions, hence every tableau is non-branching.

**Creation rule.** For any C ∈ A, add a_C : C and x_C :: C.

**Basic rule.** From b : C and y :: C, add bIy.

**Rules for ⊤ and ⊥.** Add b : ⊤ for any object b, and y :: ⊥ for any feature y.

**Rules for the logical connectives.**
- ∧_A: from b : C1 ∧ C2, add b : C1 and b : C2;
- ∨_X: from y :: C1 ∨ C2, add y :: C1 and y :: C2;
- ∨_A: from b : C1 ∨ C2, y :: C1 and y :: C2, add bIy;
- ∧_X: from y :: C1 ∧ C2, b : C1 and b : C2, add bIy;
- ✷: from b : [R✷]C and y :: C, add bR✷y;
- ✸: from y :: ⟨R✸⟩C and b : C, add yR✸b.

**Adjunction rules.**
- adj_R✷: from bR✷y, add bIy and bI✷y;
- adj_R✸: from yR✸b, add bIy and ✸bIy.

**Rules for negative assertions.**
- ¬_A: from ¬(b : C), add ¬(bIx_C);
- ¬_X: from ¬(y :: C), add ¬(a_C Iy).

**Appending rules.**
- from bIx_C, add b : C;
- from a_C Iy, add y :: C.

In the rules for ⊤ and ⊥, b and y are arbitrary objects and features occurring in the tableau. In the adjunction rules, the individuals ✸b and ✷y are new and unique for each relation R✸ and R✷ respectively, except that ✸a_C = a_{✸C} and ✷x_C = x_{✷C}.

The basic rule and the logical rules for the connectives encode the semantics of the logical connectives in LE-ALC. The creation rule ensures that, whenever the algorithm succeeds, it outputs a model with a classifying object a_C and a classifying feature x_C for every concept name C ∈ A. The adjunction rules ensure that every R✷ ∈ R✷ and every R✸ ∈ R✸ is I-compatible. The appending and negative assertion rules encode the defining property of the classifying objects and features of concepts.

*Remark 1 (Branching).* Note that no expansion rule above involves branching; thus, unlike tableaux algorithms for ALC, Algorithm 1 is branching-free. New elements are added to A only via the adjunction and creation rules.
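
Because no rule branches, the whole procedure is a single saturation loop: apply every applicable rule until nothing new is produced. A schematic sketch, with only the ∧-rule for objects implemented as a stand-in for the full rule table, and a made-up term encoding:

```python
# Saturation skeleton for a non-branching tableau: each rule maps the current
# set of terms to new terms; we loop to a fixpoint. Only the rule
# "from b : C1 ∧ C2 add b : C1 and b : C2" is implemented here; concepts are
# nested tuples like ('and', C1, C2). This is an illustration, not the paper's
# full algorithm.

def and_rule(terms):
    new = set()
    for t in terms:
        if t[0] == 'obj' and isinstance(t[2], tuple) and t[2][0] == 'and':
            _, b, (_, c1, c2) = t
            new |= {('obj', b, c1), ('obj', b, c2)}
    return new

def saturate(terms, rules):
    terms = set(terms)
    while True:
        new = set().union(*(r(terms) for r in rules)) - terms
        if not new:                 # fixpoint reached: no rule fires
            return terms
        terms |= new

out = saturate({('obj', 'b', ('and', 'C1', ('and', 'C2', 'C3')))}, [and_rule])
print(sorted(map(str, out)))
```

Termination of this loop for the full rule set is exactly what Sect. 4.1 establishes.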

*Example 1.* Let A = {b : [R✷][R✷]C1, b : [R✷][R✷]C2, y::[R✷](C1 ∧ C2), ¬(bR✷y)}. It is easy to check that A has no LE-ALC model. The algorithm applies to A as follows (we only show a partial expansion exhibiting the clash):


By applying the same process to b : [R✷]C1, b : [R✷]C2 and x_{✷C1}::[R✷]C1, x_{✷C2}::[R✷]C2, we add the terms b : C1 and b : C2 to the tableau. The tableau expansion then continues as follows:


Thus, there is a clash between <sup>¬</sup>(bR✷y) and bR✷<sup>y</sup> in the expansion.

*Example 2.* Let A = {¬(bIy), y::C1, ¬(b : C2), b : C1 ∨ C2, bR✷y}. The following table shows the tableau expansion for A. Let W := {C1, C2, C1 ∨ C2}.


Note that no expansion rule is applicable anymore, and the tableau does not contain any clash; thus, this ABox has a model. By the procedure described in Sect. 4.2, this model is given by R✷ = {R✷}, R✸ = {R✸}, A = {a_{C1}, a_{C2}, a_{C1∨C2}, b}, X = {x_{C1}, x_{C2}, x_{C1∨C2}, y, ✷y}, I = {(a_C, x_C) | C ∈ W} ∪ {(a_{C1}, x_{C1∨C2}), (a_{C2}, x_{C1∨C2}), (b, y), (b, ✷y)}, R✷ = {(b, y)}, and R✸ = ∅.

## **4.1 Termination of the Tableaux Algorithm**

In this section, we show that Algorithm 1 always terminates for any finite LE-ALC ABox A. Since no rule branches, we only need to check that the number of new individuals added by the expansion rules is finite. Note that the only rules adding new individuals are the creation and adjunction rules. The creation rule adds one new object and one new feature for every concept C occurring in the expansion of A. Thus, it is enough to show that the number of individuals and new concept names added by the adjunction rules is finite. To do so, we show that any individual constant introduced by an adjunction rule consists of finitely many modal operators applied to a constant occurring in A or added by the creation rule, and that any new concept name added consists of finitely many ✷ and ✸ operators applied to a concept occurring in A.

**Definition 1.** *The* ✸*-depth* ✸D(C) *and* ✷*-depth* ✷D(C) *of a concept* C *are defined as follows:*

✸D(p) = ✸D(⊤) = ✸D(⊥) = 0, ✸D(C1 ∧ C2) = ✸D(C1 ∨ C2) = max(✸D(C1), ✸D(C2)), ✸D(⟨R✸⟩C) = ✸D(C) + 1, ✸D([R✷]C) = ✸D(C); and dually, ✷D(p) = ✷D(⊤) = ✷D(⊥) = 0, ✷D(C1 ∧ C2) = ✷D(C1 ∨ C2) = max(✷D(C1), ✷D(C2)), ✷D([R✷]C) = ✷D(C) + 1, ✷D(⟨R✸⟩C) = ✷D(C).
**Definition 2.** *The* ✷*-depth and* ✸*-depth of individual constants are defined as follows: for any constant* b *(resp.* y*) occurring in* A*,* ✷D(b) = ✸D(b) = 0 *(resp.* ✷D(y) = ✸D(y) = 0*); for the classifying constants,* ✷D(a_C) = 0 *and* ✸D(a_C) = −✸D(C)*, while* ✸D(x_C) = 0 *and* ✷D(x_C) = −✷D(C)*; for the constants introduced by the adjunction rules,* ✸D(✸b) = ✸D(b) + 1*,* ✷D(✸b) = ✷D(b)*,* ✷D(✷y) = ✷D(y) + 1*, and* ✸D(✷y) = ✸D(y)*.*
The following lemma is key to giving bounds on the ✷-depth and ✸-depth of the new concept names added in a tableau expansion.

**Lemma 1.** *For any individual names* b, y *and any* R✷ ∈ R✷, R✸ ∈ R✸*:*

*1. If* bR✷y *is added to the tableau by some expansion rule, then the terms* b : [R✷]C *and* y::C *occur in some previous expansion of* A *for some* C*.*

*2. If* yR✸b *is added to the tableau by some expansion rule, then the terms* y::⟨R✸⟩C *and* b : C *occur in some previous expansion of* A *for some* C*.*

*3. If* bIy *is added to the tableau by some expansion rule, then the terms* b : C *and* y::C *occur in some expansion of* A *for some* C*.*

*4. If* bIy *is added to the tableau by some expansion rule, then either:*
	- *(i) the terms* b : C *and* y::C′ *occur in some previous expansion of* A *for some* C, C′ *such that* ✸D(C) = ✸D(C′) *and* ✷D(C) = ✷D(C′)*;*
	- *(ii)* b = d *(resp.* b = ✸d*) for some* d*, and the terms* d : [R✷]C *and* y::C *(resp.* y::⟨R✸⟩C *and* d : C*) occur in some previous expansion of* A *for some* C*;*
	- *(iii)* y = w *(resp.* y = ✷w*) for some* w*, and the terms* w::⟨R✸⟩C *and* b : C *(resp.* b : [R✷]C *and* w::C*) occur in some previous expansion of* A *for some* C*.*

*5. If* b : C *is added to the tableau by some expansion rule, then there is a term* d : C′ *s.t.*
	- *(i)* d : C′ ∈ A *or is added by applying the creation rule;*
	- *(ii)* b *is obtained by applying some finite combination of modal operators to* d*;*
	- *(iii)* ✸D(C′) + ✸D(d) ≤ ✸D(C) + ✸D(b)*, and* ✷D(C) + ✷D(b) ≤ ✷D(C′) + ✷D(d)*.*

*6. If* y::C *is added to the tableau by some expansion rule, then there is a term* w::C′ *s.t.*
	- *(i)* w::C′ ∈ A *or is added by applying the creation rule;*
	- *(ii)* y *is obtained by applying some finite combination of modal operators to* w*;*
	- *(iii)* ✸D(C) + ✸D(y) ≤ ✸D(C′) + ✸D(w)*, and* ✷D(C′) + ✷D(w) ≤ ✷D(C) + ✷D(y)*.*

*Proof.* Items 1 and 2 follow from the observation that new terms of the form bR✷y and yR✸b are only added through the expansion rules for terms of the forms b : [R✷]C and y::⟨R✸⟩C, respectively.

For item 3, the cases where bIy is introduced by the expansion rules for b : C or y::C are straightforward. If the expansion rule for y::C1 ∧ C2 is applied, then from the term x_{C1∧C2}::C1 ∧ C2 we can get bIx_{C1∧C2} (since both b : C1 and b : C2 must be present), finally obtaining b : C1 ∧ C2 from the appending rule. The b : C1 ∨ C2 case is analogous. The only other rule that can add bIy is the adjunction rule. However, this can only happen if yR✸b or bR✷y is present. By item 1, if the term bR✷y is added, then b : [R✷]C and y::C are in the tableau, and the adjunction rule also adds the terms bIy and bI✷y. Note that since b : [R✷]C and y::C are in the tableau, b : C and ✷y::[R✷]C must also be in it: the first term can be obtained from b : [R✷]C by adding bR✷x_C to the tableau and applying the adjunction rule and then the appending rule; using the fact that a_{✷C} : [R✷]C is in the tableau after applying the creation rule, ✷y::[R✷]C can be obtained similarly. Therefore, the required condition is satisfied for both bIy and bI✷y. The terms of the form yR✸b are dealt with analogously.

For item 4, the only non-trivial case is when bIy and bI✷y, or ✸bIy and bIy, are added via an adjunction rule. In the first case, bR✷y must be present, meaning that item 1 is applicable, and hence for some C both b : [R✷]C and y::C appear in the tableau, satisfying the thesis. The other case is treated analogously.

We prove items 5 and 6 by simultaneous induction on the number of expansion rules applied. The rules which can add new terms of the form b : C and <sup>y</sup>::<sup>C</sup> are the expansion rules for terms of the form <sup>b</sup> : <sup>C</sup><sup>1</sup> <sup>∧</sup> <sup>C</sup>2, <sup>y</sup>::C<sup>1</sup> <sup>∨</sup> <sup>C</sup>2, the appending rules, and the adjunction rules.

If b : C is obtained from b : C ∧ C′, then either the latter is present in the original tableau and the thesis follows trivially, or the induction hypothesis applies and the thesis follows by transitivity. The case where y::C comes from y::C ∨ C′ is analogous.

If b : [R✷]C is obtained from b : C via an adjunction rule, then it suffices to apply the induction hypothesis to b : C, noticing that no black operators can appear in the starting tableau. The adjunction case for y::⟨R✸⟩C is similar.

Without loss of generality, we only treat the case where the appending rule is used to add a term of the form b : C. Notice that for the appending rule to be applicable, we must have bIx_C in the tableau. Then by item 4, either:


In case (i), if C ≡ C2, the thesis follows easily; otherwise, we apply the induction hypothesis to x_C::C2 to find a term w::C′2 in the original tableau such that

$$
\Diamond\_{\mathcal{D}}(C\_1) = \Diamond\_{\mathcal{D}}(C\_2) + \Diamond\_{\mathcal{D}}(x\_C) \le \Diamond\_{\mathcal{D}}(C\_2') + \Diamond\_{\mathcal{D}}(w), \tag{2}
$$

$$
\Box\_{\mathcal{D}}(C\_2') + \Box\_{\mathcal{D}}(w) \le \Box\_{\mathcal{D}}(C\_2) + \Box\_{\mathcal{D}}(x\_C) = \Box\_{\mathcal{D}}(C\_1) - \Box\_{\mathcal{D}}(C), \tag{3}
$$

where x_C is obtained by applying n ✷-operators to w for some n (note that x_C cannot be obtained by application of ✸-operators). Thus, we have w = x_{C3} such that C = [R✷]_1 ⋯ [R✷]_n C3. Since x_{C3}::C′2 is in the original tableau, it must have been added by a creation rule, meaning that C′2 ≡ C3. Thus, we have ✷D(w) = −✷D(C′2), ✸D(w) = 0, ✸D(C′2) = ✸D(C), and ✷D(C′2) = ✷D(C) − n. Using these equalities in (3) and (2), we obtain

$$
\Diamond\_{\mathcal{D}}(C\_1) + \Diamond\_{\mathcal{D}}(b) \le \Diamond\_{\mathcal{D}}(C) + \Diamond\_{\mathcal{D}}(b) \quad \text{and} \quad \Box\_{\mathcal{D}}(C) + \Box\_{\mathcal{D}}(b) \le \Box\_{\mathcal{D}}(C\_1) + \Box\_{\mathcal{D}}(b).
$$

Thus, if b : C1 ∈ A, then it is the witness we needed; otherwise, it suffices to apply the induction hypothesis to b : C1, and the result follows by transitivity.

In case (ii), suppose d : [R✷]C2 and x_C::C2 are both in the tableau. If C ≡ C2, then the proof follows easily, applying the induction hypothesis once to b : C2 if it is not in the original tableau. Otherwise, we can apply the induction hypothesis to x_C::C2, obtaining, by the same argument as in case (i), ✸D(C2) ≤ ✸D(C) and ✷D(C) ≤ ✷D(C2). Therefore,

$$
\begin{array}{l}
\Diamond_{\mathcal{D}}([R_\Box]C_2) + \Diamond_{\mathcal{D}}(d) = \Diamond_{\mathcal{D}}(C_2) + \Diamond_{\mathcal{D}}(d) \le \Diamond_{\mathcal{D}}(C) + \Diamond_{\mathcal{D}}(b),\\
\Box_{\mathcal{D}}(C) + \Box_{\mathcal{D}}(b) \le \Box_{\mathcal{D}}(C_2) + \Box_{\mathcal{D}}(d) < \Box_{\mathcal{D}}(C_2) + \Box_{\mathcal{D}}(d) + 1 = \Box_{\mathcal{D}}([R_\Box]C_2) + \Box_{\mathcal{D}}(d).
\end{array}
$$

Thus, if d : [R✷]C2 ∈ A, then it is the witness we need; otherwise, it suffices to apply the induction hypothesis a second time to d : [R✷]C2, and the result then follows by transitivity. The proof for the remaining subcase, where b : C and x_C::⟨R✸⟩C are both present in the tableau, is similar.

The proof for case (iii) is analogous to (ii) and therefore omitted.

**Definition 3.** *The* ✷-depth *(resp.* ✸-depth*) of an ABox* A *is* ✷D(A) := max{✷D(C) | C ∈ A} *(resp.* ✸D(A) := max{✸D(C) | C ∈ A}*).*

**Corollary 1.** *Let* C *be any concept name added to the tableau expansion at some step. Then* ✷D(C) <sup>≤</sup> ✷D(A)*, and* ✸D(C) <sup>≤</sup> ✸D(A)*.*

*Proof.* By item 5 of Lemma 1, for any b : C added to the tableau there must be a term d : C′, in A or added by a creation rule, such that ✷D(C) ≤ ✷D(C) + ✷D(b) ≤ ✷D(C′) + ✷D(d) = ✷D(C′). The first inequality holds because ✷D(b) is always non-negative, and the final equality follows from the fact that, as d occurs in the original tableau or is added by a creation rule, its ✷-depth is zero. The claim for the ✸-depth is shown similarly using item 6 of Lemma 1.

**Definition 4.** *For any concept ABox term of the form* t ≡ a : C *or* t ≡ x::C*,* size(t) = 1 + |sub(C)|*. For any relational term* β*,* size(β) = 2*. For any LE-*ALC *ABox* A*,* size(A) = Σ_{t∈A} size(t)*.*
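
Definition 4 is straightforward to compute; a sketch, with concepts encoded as nested tuples (our encoding, not the paper's):

```python
# size(t) = 1 + |sub(C)| for concept terms, 2 for relational terms; size(A)
# is the sum over all terms. Concepts are nested tuples such as
# ('and', 'C1', ('box', 'C1')); atomic concepts are strings.

def sub(C):
    """Subconcepts of C, including C itself."""
    if isinstance(C, str):
        return {C}
    return {C} | set().union(*(sub(p) for p in C[1:]))

def size_term(t):
    # ('obj', a, C) and ('feat', x, C) are concept terms; others relational.
    return 1 + len(sub(t[2])) if t[0] in ('obj', 'feat') else 2

abox = {('obj', 'b', ('and', 'C1', ('box', 'C1'))),   # b : C1 ∧ [R]C1
        ('I', 'b', 'y')}                              # bIy
print(sum(size_term(t) for t in abox))                # 4 + 2 = 6
```

Because `sub` returns a set, repeated subconcepts (here 'C1') are counted once, as in the definition.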

**Theorem 1 (Termination).** *For any ABox* A*, Algorithm 1 terminates in a finite number of steps which is polynomial in* size(A)*.*

*Proof.* New individuals are added to the tableau in only two ways: (1) the creation rule adds the classifying object a_C and the classifying feature x_C for each concept name C occurring in the expansion of A; (2) the adjunction rules add individuals of the form ✸b and ✷y.
As to (1), by Corollary 1, the ✷-depth (resp. ✸-depth) of any C appearing in an expansion of A is bounded by ✷D(A) (resp. ✸D(A)). Moreover, no expansion rule creates a new concept name by adding propositional connectives. Therefore, the total number of concept names occurring in an expansion of A is bounded by size(A) ∗ (✷D(A) + ✸D(A)). Thus, only finitely many constants of type (1) can be added.

For (2), any individual name b added by some expansion rule occurs in b : C for some C. By Lemma 1(5), there is a term d : C′ ∈ A s.t.

$$
\Box\_{\mathcal{D}}(b) + \Box\_{\mathcal{D}}(C) \le \Box\_{\mathcal{D}}(d) + \Box\_{\mathcal{D}}(C') = \Box\_{\mathcal{D}}(C').
$$

Therefore, ✷D(b) is bounded by ✷D(A). On the other hand, by item 5(iii) of the same lemma we also have 0 ≤ ✸D(C′) + ✸D(d) ≤ ✸D(C) + ✸D(b).

The first inequality follows from the fact that either d ∈ A, and thus ✸D(d) = 0, or d = a_{C′}, and thus ✸D(d) = −✸D(C′). Therefore, we must have −✸D(C) ≤ ✸D(b), meaning that ✸D(b) is bounded below by −✸D(A). Thus, the number of modal operators in b is bounded by ✷D(A) + ✸D(A). Repeating the same argument for the individual names of type y, the total number of new constant names occurring in an expansion of A is bounded by size(A) ∗ (✷D(A) + ✸D(A)). Thus, only finitely many constants of type (2) are added. Overall, the size of the tableau expansion (and hence of the model) is O((size(A) ∗ (✷D(A) + ✸D(A)))² ∗ (|R✷| + |R✸|)).

Since the tableaux algorithm for LE-ALC does not involve any branching, the theorem above implies that the time complexity of checking the consistency of an LE-ALC ABox A using the tableaux algorithm is polynomial in size(A).

#### **4.2 Soundness of the Tableau Algorithm**

For any consistent ABox A, we let its *completion* A be its maximal expansion (which exists due to termination). If there is no clash in A, we construct a model (F, ·^I) where A and X are the sets of names of objects and features occurring in the expansion, and for any a ∈ A, x ∈ X, and any role names R✷ ∈ R✷, R✸ ∈ R✸, we have aIx, aR✷x, or xR✸a iff such relational terms explicitly occur in A. Let F = (A, X, I, R✷, R✸) be the relational structure obtained in this manner. We define an interpretation I on it as follows. For any object name a and feature name x, we let a^I := a and x^I := x. For any atomic concept D, we define D^I = (x_D^↓, a_D^↑). Next, we show that I is a valid interpretation for LE-ALC. To this end, we need to show that F is an enriched formal context, i.e. that all R✷ and R✸ are I-compatible, and that D^I is a concept in the concept lattice P⁺ of P = (A, X, I). The latter condition is shown in the next lemma, and the former in the subsequent one.

$$\textbf{Lemma 2.}\quad x\_D^{\downarrow\uparrow} = a\_D^{\uparrow} \text{ and } a\_D^{\uparrow\downarrow} = x\_D^{\downarrow} \text{ for any } D \in \mathcal{C}.$$

*Proof.* By the creation rules, we always have a_D : D and x_D :: D in A, meaning that the tableau can be expanded with a_D I x_D. Therefore, we always have x_D^↓↑ ⊆ a_D^↑. Suppose a_D I y and b I x_D for some y ∈ X, b ∈ A. Then by the appending rules we have y :: D ∈ A. This along with b I x_D ∈ A immediately implies b I y ∈ A. Thus, we also have a_D^↑ ⊆ x_D^↓↑. We can prove the other equality analogously.

**Lemma 3.** *All the relations* R✷ ∈ R✷ *and* R✸ ∈ R✸ *in* F = (P, R✷, R✸) *are* I*-compatible.*

*Proof.* We need to show that for any b ∈ A and y ∈ X, and any ✷ ∈ G and ✸ ∈ F, (1) R✷^(0)[y] = (✷y)^↓, (2) R✷^(1)[b] = (■b)^↑, (3) R✸^(0)[b] = (✸b)^↑, and (4) R✸^(1)[y] = (◆y)^↓. We prove only (1) and (2); the proofs for (3) and (4) are analogous.


From the lemmas above, it immediately follows that the tuple M = (F, ·^I), with F and ·^I defined at the beginning of the present section, is a model for LE-ALC. The following lemma states that the interpretation of any concept C in the model M is completely determined by the terms of the form bIx_C and a_C Iy occurring in the tableau expansion.

**Lemma 4.** *Let* M = (F, ·^I) *be the model defined by the construction above. Then for any concept* C *and any individuals* b *and* x *occurring in* A*,*

$$(1)\ b \in [\![C]\!]\_{\mathcal{M}} \text{ iff } bIx\_C \in \overline{\mathcal{A}} \qquad (2)\ x \in (\![C]\!)\_{\mathcal{M}} \text{ iff } a\_C Ix \in \overline{\mathcal{A}}.$$

*Proof.* By induction on the complexity of C. The base case (when C is atomic) is immediate by the construction of the model. For C = ⊤, by the rule for ⊤ and the term x_⊤ :: ⊤ added by the creation rule, bIx_⊤ ∈ A for any b ∈ A. Therefore, x_⊤^↓ = A = [[⊤]]. For item 2, for any y, if a_⊤Iy ∈ A, then by the appending rule y :: ⊤ ∈ A. Then by the rule for ⊤ and the basic rule, bIy ∈ A for all b. Thus, a_⊤^↑ ⊆ A^↑ = ([⊤]). Moreover, if y ∈ ([⊤]), then bIy ∈ A for any b; in particular a_⊤Iy ∈ A. Thus, ([⊤]) = a_⊤^↑. The proof for ⊥ is analogous. For the induction step, we have four cases.

1. Suppose C = C₁ ∨ C₂. For the first claim, notice that b ∈ [[C₁ ∨ C₂]] iff ∀y(y ∈ ([C₁]) ∩ ([C₂]) ⇒ bIy). By the induction hypothesis, this is equivalent to

$$\forall y (y :: C\_1 \in \overline{\mathcal{A}} \;\&\; y :: C\_2 \in \overline{\mathcal{A}} \implies bIy \in \overline{\mathcal{A}}).$$

By the creation rule for C₁ ∨ C₂, we have x_{C₁∨C₂} :: C₁ ∨ C₂, and consequently both x_{C₁∨C₂} :: C₁ and x_{C₁∨C₂} :: C₂ are added to the tableau. Thus, if the condition y :: C₁ & y :: C₂ ⇒ bIy is satisfied for any y in A, then bIx_{C₁∨C₂} ∈ A. So b ∈ [[C₁ ∨ C₂]] implies that bIx_{C₁∨C₂} ∈ A. Conversely, if bIx_{C₁∨C₂} ∈ A, then by the appending rule b : C₁ ∨ C₂ ∈ A. Thus, for any y :: C₁ and y :: C₂ ∈ A, bIy ∈ A due to rule ∨_A. Hence, bIx_{C₁∨C₂} ∈ A implies

$$\forall y (y :: C\_1 \in \overline{\mathcal{A}} \;\&\; y :: C\_2 \in \overline{\mathcal{A}} \implies bIy \in \overline{\mathcal{A}}).$$

As observed before, this is equivalent to b ∈ [[C₁ ∨ C₂]], as desired.

For the second claim, notice that x ∈ ([C₁ ∨ C₂]) iff x ∈ ([C₁]) and x ∈ ([C₂]). By the induction hypothesis, this is equivalent to x :: C₁ and x :: C₂ occurring in A. By the creation rule for C₁ ∨ C₂, a_{C₁∨C₂} : C₁ ∨ C₂ ∈ A. Since x :: C₁, x :: C₂ ∈ A, we have a_{C₁∨C₂}Ix ∈ A by the rule ∨_X. Conversely, if a_{C₁∨C₂}Ix ∈ A, then x :: C₁ ∨ C₂ ∈ A by the appending rules, which implies x :: C₁, x :: C₂ ∈ A, or equivalently, x ∈ ([C₁ ∨ C₂]).


For the second claim, notice that y ∈ ([[R✷]C₁]) iff ∀b(b ∈ [[[R✷]C₁]] ⇒ bIy). Equivalently (as proved previously), for all b, b : [R✷]C₁ ∈ A implies bIy ∈ A. Combining this with the fact that the creation rule for [R✷]C₁ gives a_{✷C₁} : [R✷]C₁ ∈ A, this implies that a_{✷C₁}Iy ∈ A as well. Conversely, suppose a_{✷C₁}Iy ∈ A. Then for any b, if b : [R✷]C₁ ∈ A, then bIy ∈ A. This is equivalent to y ∈ ([[R✷]C₁]).

4. The proof for C = ⟨R✸⟩C₁ is similar to the previous one.

**Theorem 2 (Soundness).** *The model* M = (F, ·^I) *defined above satisfies the ABox* A*.*

*Proof.* We proceed by cases.


3. For the terms of the form b : C, y :: C, ¬(b : C), or ¬(y :: C), we have b ∈ [[C]] iff bIx_C ∈ A, and y ∈ ([C]) iff a_C Iy ∈ A (Lemma 4). For any b : C, y :: C, ¬(b : C), or ¬(y :: C) occurring in A, we respectively add bIx_C, a_C Iy, ¬(bIx_C), or ¬(a_C Iy) to A via the expansion rules, and thus M satisfies the constraints.

The following corollary is an immediate consequence of the termination and soundness of the tableau procedure.

**Corollary 2 (Finite Model Property).** *For any consistent LE-*ALC *ABox* A*, there exists a model of* A *whose size is polynomial in* size(A)*.*

*Proof.* The model M of Theorem 2 is the required witness. The polynomial bound on the size of M follows from the proof of Theorem 1.

#### **4.3 Completeness of the Tableau Algorithm**

In this section, we prove the completeness of the tableau algorithm. The following lemma is key to this end, since it shows that every model of an LE-ALC ABox can be extended to a model with classifying objects and features.

**Lemma 5.** *For any ABox* A*, any model* M = (F, ·^I) *of* A *can be extended to a model* M′ = (F′, ·^{I′}) *such that* F′ = (A′, X′, I′, {R′✷}✷∈G, {R′✸}✸∈F)*,* A ⊆ A′ *and* X ⊆ X′*, and moreover for every* ✷ ∈ G *and* ✸ ∈ F*:*

*1. There exist* a_C ∈ A′ *and* x_C ∈ X′ *such that:*

$$C^{\mathbf{I}'} = (I^{\prime(0)}[x\_C^{\mathbf{I}'}], I^{\prime(1)}[a\_C^{\mathbf{I}'}]), \quad a\_C^{\mathbf{I}'} \in [\![C^{\mathbf{I}'}]\!], \quad x\_C^{\mathbf{I}'} \in (\![C^{\mathbf{I}'}]\!), \tag{4}$$

*2. For every individual* b *in* A *there exist* ✸b *and* ■b *in* A′ *such that:*

$$I^{\prime(1)}[\blacksquare b] = R^{\prime(1)}\_{\square}[b^{\mathbf{I}'}] \quad \text{and} \quad I^{\prime(1)}[\Diamond b] = R^{\prime(0)}\_{\diamondsuit}[b^{\mathbf{I}'}],\tag{5}$$

*3. For every individual* y *in* X *there exist* ✷y *and* ◆y *in* X′ *such that:*

$$I^{\prime(0)}[\blacklozenge y] = R^{\prime(1)}\_{\diamondsuit}[y^{\mathbf{I}'}] \quad \text{and} \quad I^{\prime(0)}[\square y] = R^{\prime(0)}\_{\square}[y^{\mathbf{I}'}].\tag{6}$$

*4. For any* C*,* [[C^I]] = [[C^{I′}]] ∩ A *and* ([C^I]) = ([C^{I′}]) ∩ X*.*

*Proof.* Fix ✷ ∈ G and ✸ ∈ F. Let M′ be defined as follows. For every concept C, we add new elements a_C and x_C to A and X (respectively) to obtain the sets A′ and X′. For any J ∈ {I, R✷}, any a ∈ A′ and x ∈ X′, we set aJ′x iff one of the following holds:


We set xR′✸a iff one of the following holds:

1. a ∈ A, x ∈ X, and xR✸a;


For any b ∈ A, y ∈ X, let ■b = a_{✷(cl(b))}, ✸b = a_{✸(cl(b))}, ◆y = x_{✸(cl(y))}, and ✷y = x_{✷(cl(y))}, where cl(b) (resp. cl(y)) is the smallest concept generated by b (resp. y). For any C, let C^{I′} = (I′^{(0)}[x_C], I′^{(1)}[a_C]). Then M′ is as required.

**Theorem 3 (Completeness).** *Let* A *be a consistent ABox and let* A′ *be obtained from* A *by the application of any expansion rule. Then* A′ *is also consistent.*

*Proof.* If A is consistent, then by Lemma 5 a model M′ of A exists which satisfies (4), (5) and (6). The statement follows from the fact that any term added by any expansion rule is satisfied by M′ when we interpret a_C, x_C, ■b, ✸b, ✷y, ◆y as in Lemma 5.

*Remark 2.* The algorithm can easily be extended to acyclic TBoxes, via the unravelling technique (cf. [3] for details).

# **5 Conclusion and Future Work**

In this paper, we define a two-sorted non-distributive description logic LE-ALC to describe and reason about formal concepts arising from (enriched) formal contexts from FCA. We describe ABox and TBox terms for the logic and define a tableaux algorithm for it. This tableaux algorithm decides the consistency of ABoxes and acyclic TBoxes, and provides a procedure to construct a model when the input is consistent. We show that this algorithm is computationally more efficient than the tableaux algorithm for ALC.

This work can be extended in several interesting directions.

*Dealing with Cyclic TBoxes and RBox Axioms.* In this paper, we introduced a tableaux algorithm only for knowledge bases with acyclic TBoxes. We conjecture that the following statement holds for general (i.e. possibly cyclic) TBoxes.

*Conjecture.* The tableaux algorithm introduced in this paper can be extended to check the consistency of any knowledge base (A, T) (with possibly cyclic TBox axioms) in time polynomial in size(A ∪ T).

Developing such an algorithm is a research direction we are currently pursuing. Another aspect we intend to develop in future work concerns giving a complete axiomatization for LE-ALC. RBox axioms are used in description logics to describe the relationship between different relations in knowledge bases and the properties of these relations, such as reflexivity, symmetry, and transitivity. It would be interesting to see if it is possible to obtain necessary and/or sufficient conditions on the shape of RBox axioms for which a tableaux algorithm can be obtained. This has an interesting relationship with the problem in LE-logic of providing computationally efficient proof systems for various extensions of LE-logic in a modular manner [5,16].

*Generalizing to Other Semantic Frameworks.* The non-distributive DL introduced in this paper is semantically motivated by a relational semantics for LE-logics which establishes a link with FCA. A different semantics for the same logic, referred to as graph-based semantics [12], provides another interpretation of the same logic as a logic suitable for evidential and hyper-constructivist reasoning. In the future, we intend to develop description logics for reasoning in the framework of graph-based semantics, to appropriately model evidential and hyper-constructivist settings.

*Generalizing to More Expressive Description Logics.* The DL LE-ALC is the non-distributive counterpart of ALC. A natural direction for further research is to explore the non-distributive counterparts of extensions of ALC such as ALCI and ALCIN .

*Description Logic and Formal Concept Analysis.* The relationship between FCA and DL has been studied and used in several applications [1,4,17]. The framework of LE-ALC formally brings FCA and DL together, both because its concepts are naturally interpreted as formal concepts in FCA, and because its language is designed to represent knowledge and reasoning in enriched formal contexts. Thus, these results pave the way to the possibility of establishing a closer and more formally explicit connection between FCA and DL, and of using this connection in theory and applications.

### **References**



# **Sequent Calculi**

# A New Calculus for Intuitionistic Strong Löb Logic: Strong Termination and Cut-Elimination, Formalised

Ian Shillito¹(B), Iris van der Giessen², Rajeev Goré³,⁴, and Rosalie Iemhoff⁵

¹ Australian National University, Canberra, Australia
ian.shillito@anu.edu.au
² University of Birmingham, Birmingham, UK
³ Technical University of Vienna, Vienna, Austria
⁴ Polish Academy of Sciences, Warsaw, Poland
⁵ Utrecht University, Utrecht, The Netherlands

Abstract. We provide a new sequent calculus that enjoys syntactic cut-elimination and strongly terminating backward proof search for the intuitionistic Strong Löb logic iSL, an intuitionistic modal logic with a provability interpretation. A novel measure on sequents is used to prove both the termination of the naive backward proof search strategy, and the admissibility of cut in a syntactic and direct way, leading to a straightforward cut-elimination procedure. All proofs have been formalised in the interactive theorem prover Coq.

Keywords: Intuitionistic provability logic · Cut-elimination · Backward proof search · Interactive theorem proving · Proof theory

# 1 Introduction

Gödel-Löb logic GL extends classical modal logic K with the Gödel-Löb axiom □(□ϕ → ϕ) → □ϕ. GL is the provability logic of Peano Arithmetic PA, i.e. it consists of all modal formulas that are true under any arithmetical interpretation where □ϕ means "ϕ is provable in PA" (expressed in the language of PA).

An intuitionistic version of GL is iGL and the intuitionistic counterpart of PA is Heyting Arithmetic HA. For a long time, the provability logic of HA was an open problem and was only known to be an extension of iGL. However, Mojtahedi claims to have found a solution in a preprint [34] currently under review.

Several other logics also have provability interpretations, such as modalised Heyting calculus mHC, Kuznetsov-Muravitsky logic KM, and intuitionistic Strong Löb logic iSL [14,30,32,35]. All these intuitionistic modal logics except mHC include the Gödel-Löb axiom, and all except iGL contain the so-called completeness axiom ϕ → □ϕ.

Important to note is that these logics are defined over the language with only the □-modality and without ◇. In classical modal logic, ◇ is dual to □ and reads as consistency in the provability interpretation. However, for intuitionistic modal logics in general, □ and ◇ are not interdefinable and several choices can be made. Interestingly, intuitionistic modal logics defined over the language with only □ already reveal intrinsic intuitionistic characters. Important for us is the aforementioned completeness principle, also known as the coreflection principle. It trivializes in a classical setting, but has interesting intuitionistic readings. Indeed, in our setting of provability, ϕ → □ϕ reads as completeness: "if ϕ is true then ϕ is provable" (see [45] for a discussion on the completeness principle in extensions of Heyting Arithmetic). The coreflection principle also appears in intuitionistic epistemic logic and lax logic (for overviews see, e.g., [18,32]).

Here, we consider iSL, the minimal intuitionistic modal logic with both the Gödel-Löb axiom and the completeness axiom, which can also be axiomatised over intuitionistic modal logic iK by the Strong Löb axiom (□ϕ → ϕ) → ϕ. The logic iSL is the provability logic of an extension of Heyting Arithmetic with respect to so-called slow provability [46] and plays an important role in the Σ₁-provability logic of HA [3].

The Gödel-Löb axiom characterises transitive converse well-founded Kripke frames for GL and also for the birelational frames for iGL, iSL, and KM. Interestingly, for iSL, mHC, and KM, the modal relation is a part of the intuitionistic relation. This semantics plays an important role in the study of iSL, e.g. in the characterisation of its admissible rules [19]. A natural deduction system for iSL can be found in [7]. The proof systems that we focus on here are sequent calculi.

From a proof-theoretic perspective, the "diagonal formula" □ϕ in the modal (GLR) rule for GL causes difficulties for direct cut-elimination because the standard induction on the size of the cut-formula and the height of the derivation fails. Cut-elimination is highly nontrivial as witnessed by decades of unsuccessful attempts and controversies before the proof by Valentini [44] was finally shown to be correct [23].

$$\frac{\Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi, \Delta}\ (\text{GLR}) \qquad \frac{\Gamma, \varphi \rightarrow \psi \Rightarrow \varphi \qquad \Gamma, \psi \Rightarrow \chi}{\Gamma, \varphi \rightarrow \psi \Rightarrow \chi}\ (\rightarrow \text{L}\_{\text{i}})$$

In backward proof search, the (GLR) rule causes loops because □Γ is preserved upwards from conclusion to premise. For (GLR), a simple terminating and complete strategy consists in applying (GLR) only if □ϕ ∉ Γ. In sequent calculi for intuitionistic logic, the traditional (→ Li) rule, shown above right, can cause backward proof search to go into loops. For termination without loop check, various authors have independently discovered the sequent calculus G4ip, which replaces the (→ Li) rule with multiple rules, depending on the form of ϕ [12]. Iemhoff [29] developed G4-like calculi for several intuitionistic modal logics.

Thus, in a sequent calculus for an intuitionistic provability logic, both the modal rule and the left implication rule have the potential to cause loops *and* the modal rule can complicate direct cut-elimination! For logic iGL, van der Giessen and Iemhoff have developed G3iGL and G4iGL [20], providing a direct cut-elimination procedure for the former. The initial proof of cut-elimination for G4iGL was indirect, via G3iGL, but Goré and Shillito later formalised a direct cut-elimination using the maximal height of derivations as induction parameter [26].

Recently, van der Giessen and Iemhoff [21] developed two sequent calculi, G3iSL and G4iSL, for iSL, for which they provided results analogous to those for G3iGL and G4iGL mentioned above. In particular, they show that backward proof search in G4iSL *weakly* terminates: *there exists* a terminating (and complete) backward proof search strategy, namely one similar to the strategy described above for logic GL. However, *not all* strategies terminate on this calculus: the naive backward proof search strategy (apply any rule in any order) does not.

Here, we present G4iSLt, which replaces the G4iSL rules of the top row below by the rules in the bottom row. As suggested by van der Giessen and Iemhoff [21], the new modal rule drops the explicit embedding of transitivity. But crucially, the new left-implication rule drops both transitivity and contraction on □ϕ → ψ in the left premise. The right premise S = Φ, □Γ, ψ ⇒ χ is kept untouched:

$$
\begin{array}{cc}
\dfrac{\Phi, \Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi} & \dfrac{\Phi, \Gamma, \Box\Gamma, \Box\varphi \rightarrow \psi, \Box\varphi \Rightarrow \varphi \qquad S}{\Phi, \Box\Gamma, \Box\varphi \rightarrow \psi \Rightarrow \chi}\\[3ex]
\dfrac{\Phi, \Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi} & \dfrac{\Phi, \Gamma, \psi, \Box\varphi \Rightarrow \varphi \qquad S}{\Phi, \Box\Gamma, \Box\varphi \rightarrow \psi \Rightarrow \chi}
\end{array}
$$

Our results improve on the work of van der Giessen and Iemhoff [21]. First, our new measure ensures that the naive backward proof search strategy for our new calculus terminates. This is unusual for sequent calculi for provability logics, and especially for intuitionistic provability logics. Second, we prove direct cut-elimination for G4iSLt using a proof technique similar to the *mhd proof technique* [6,24]. Third, all our results are formalised in Coq and can be found here: https://ianshil.github.io/G4iSLT. We consequently contribute to the rapidly growing literature of formalised proof theory [1,8,9,15,17,24,26,39]. We also think that our work sheds light on what one might call proof-theoretic meta considerations. Namely, it shows the subtle consequences of rule choices on termination and cut-elimination.

In Sect. 2, we introduce the preliminaries of iSL, including our calculus G4iSLt. Section 3 presents the admissibility of structural rules in G4iSLt. In Sect. 4, we prove that backward proof search in G4iSLt strongly terminates. Finally, in Sect. 5, we directly prove cut-admissibility for G4iSLt using a proof technique similar to the *mhd proof technique* [6,24].

# 2 Preliminaries

In this section we successively present the syntax, axiomatic system, Kripke semantics and sequent calculus for the logic iSL.

#### 2.1 Syntax

Let V = {p, q, r, . . .} be a countably infinite set of propositional variables on which equality is decidable, that is, for all p, q ∈ V we can decide whether p = q or p ≠ q. Modal formulae are defined by the BNF grammar below:

$$\varphi ::= p \in \mathbb{V} \mid \perp \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \varphi \to \varphi \mid \Box \varphi$$

We use the Greek letters ϕ, ψ, χ, δ, . . . for formulae and Γ, Δ, Φ, Ψ, . . . for multisets of formulae. We say that ϕ is a *boxed formula* if □ is its main connective. For a multiset Γ, we define the multiset □Γ := {□ϕ : ϕ ∈ Γ}. By the unboxing of a multiset □Γ we mean the multiset Γ.

Following Goré et al. [24,26], we encode formulae as an inductive type MPropF whose base case encodes V as the type nat of natural numbers because nat is countably infinite and equality is decidable on it. A list of such formulae then has the type list MPropF. The usual operations on lists "append" and "cons" are respectively represented by ++ and :: but Coq also allows us to write lists in infix notation using ;. Thus the terms ϕ1 :: ϕ2 :: ϕ3 :: nil and [ϕ1] ++ [ϕ2] ++ [ϕ3] and [ϕ1 ; ϕ2 ; ϕ3] all encode the list ϕ1, ϕ2, ϕ3.
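The encoding just described can be sketched as follows. This is an illustrative reconstruction: the constructor names are assumptions, not necessarily those of the actual formalisation.

```coq
(* Formulae over V ~ nat, mirroring the BNF grammar of Sect. 2.1.
   Constructor names are illustrative; the formalisation may differ. *)
Require Import Arith List.
Import ListNotations.

Inductive MPropF : Type :=
  | Var : nat -> MPropF              (* propositional variables *)
  | Bot : MPropF                     (* falsum *)
  | And : MPropF -> MPropF -> MPropF
  | Or  : MPropF -> MPropF -> MPropF
  | Imp : MPropF -> MPropF -> MPropF
  | Box : MPropF -> MPropF.

(* Equality on formulae is decidable because it is decidable on nat. *)
Lemma eq_dec_form : forall phi psi : MPropF, {phi = psi} + {phi <> psi}.
Proof. decide equality; apply Nat.eq_dec. Qed.

(* The three notations from the text denote the same list of formulae. *)
Check (Var 0 :: Var 1 :: nil).
Check ([Var 0] ++ [Var 1]).
Check ([Var 0 ; Var 1]).
```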

We straightforwardly extend Dyckhoff's notion of weight of a formula [11], defined for the intuitionistic language, to the modal language.

Definition 1. *The weight* w(ϕ) *of a formula* ϕ *is defined as follows:*

$$\begin{array}{c} w(\bot) = w(p) = 1\\ w(\psi \vee \chi) = w(\psi \rightarrow \chi) = w(\psi) + w(\chi) + 1\\ w(\psi \wedge \chi) = w(\psi) + w(\chi) + 2\\ w(\Box \psi) = w(\psi) + 1 \end{array}$$

The main motivation behind this weight is to ensure that <sup>w</sup>(<sup>ϕ</sup> <sup>→</sup> (<sup>ψ</sup> <sup>→</sup> <sup>χ</sup>)) <sup>&</sup>lt; <sup>w</sup>((<sup>ϕ</sup> <sup>∧</sup> <sup>ψ</sup>) <sup>→</sup> <sup>χ</sup>), which is crucial to show termination of naive backward proof search on the sequent calculus G4ip for intuitionistic logic.
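Spelling out the arithmetic behind this inequality using the clauses of Definition 1 (the extra unit in the clause for ∧ is exactly what makes the G4ip rule replacing (ϕ ∧ ψ) → χ by ϕ → (ψ → χ) decrease the measure):

$$
\begin{aligned}
w(\varphi \rightarrow (\psi \rightarrow \chi)) &= w(\varphi) + \big(w(\psi) + w(\chi) + 1\big) + 1 = w(\varphi) + w(\psi) + w(\chi) + 2,\\
w((\varphi \wedge \psi) \rightarrow \chi) &= \big(w(\varphi) + w(\psi) + 2\big) + w(\chi) + 1 = w(\varphi) + w(\psi) + w(\chi) + 3.
\end{aligned}
$$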

#### 2.2 Axiomatic Systems as Consequence Relations

Traditional Hilbert calculi are designed to capture logics as sets of theorems, that is, sets of the form {ϕ : ⊢ ϕ}. However, when considering logics as consequence relations these systems are inadequate, and notably lead to historical confusions about properties such as the deduction theorem [25,27].

Generalised Hilbert calculi manipulate expressions Γ ⊢ ϕ, where Γ is a set of formulae. They clearly distinguish between the notion of deducibility from a set of assumptions and theoremhood. They are particularly useful for identifying the appropriate form of deduction theorem holding for a logic [25]. Still, they correspond to traditional Hilbert calculi when restricted to consecutions of the shape ∅ ⊢ ϕ, as we do here. Thus, we can connect the generalised Hilbert calculus here to the traditional Hilbert calculus considered by Ardeshir and Mojtahedi [3].

The generalised Hilbert calculus iSLH for iSL, shown in Fig. 1, extends the one for intuitionistic modal logic iK with the Strong Löb axiom (□ϕ → ϕ) → ϕ. We write Γ ⊢iSLH ϕ if Γ ⊢ ϕ is provable in iSLH.

Note that if we replace the premise of the rule (Nec) by Γ ⊢ ϕ we obtain an equivalent calculus. This is implied by the completeness axiom ϕ → □ϕ together with the fact that the deduction theorem holds in iSLH [18].

$$
\begin{array}{ll}
A\_1\ \ \varphi \rightarrow (\psi \rightarrow \varphi) & A\_7\ \ (\varphi \wedge \psi) \rightarrow \psi\\
A\_2\ \ (\varphi \rightarrow (\psi \rightarrow \chi)) \rightarrow ((\varphi \rightarrow \psi) \rightarrow (\varphi \rightarrow \chi)) & A\_8\ \ (\varphi \rightarrow \psi) \rightarrow ((\varphi \rightarrow \chi) \rightarrow (\varphi \rightarrow (\psi \wedge \chi)))\\
A\_3\ \ \varphi \rightarrow (\varphi \vee \psi) & A\_9\ \ \bot \rightarrow \varphi\\
A\_4\ \ \psi \rightarrow (\varphi \vee \psi) & A\_{10}\ \ \Box(\varphi \rightarrow \psi) \rightarrow (\Box\varphi \rightarrow \Box\psi)\\
A\_5\ \ (\varphi \rightarrow \chi) \rightarrow ((\psi \rightarrow \chi) \rightarrow ((\varphi \vee \psi) \rightarrow \chi)) & A\_{11}\ \ (\Box\varphi \rightarrow \varphi) \rightarrow \varphi\\
A\_6\ \ (\varphi \wedge \psi) \rightarrow \varphi &
\end{array}
$$

Fig. 1. Generalised Hilbert calculus iSLH for iSL

#### 2.3 Kripke Semantics

We now present the Kripke semantics for iSL [3,32], notably to prove soundness of our sequent calculus G4iSLt and to explain its rules (SLtR) and (□→L).

The Kripke semantics of iSL is a restriction of the Kripke semantics for intuitionistic modal logics. More precisely, the semantic interpretation of connectives is preserved, but the class of models is restricted. The models for this logic are defined below, where for a set <sup>W</sup>, we write <sup>P</sup>(W) for the set of all subsets of <sup>W</sup>.

Definition 2. *A* Kripke model M *for* iSL *is a tuple* (W, ≤, R, I)*, where* W *is a non-empty set (of possible worlds), both* ≤ *(the intuitionistic relation) and* R *(the modal relation) are subsets of* W × W*, and* I : V → P(W)*, which satisfies the following:* ≤ *is reflexive and transitive;* R *is transitive and converse well-founded;* (≤ ◦ R) ⊆ R *where "*◦*" is relational composition;* R ⊆ ≤*; and for all* p ∈ V *and* w, v ∈ W*, if* w ≤ v *and* w ∈ I(p) *then* v ∈ I(p)*.*

Note the peculiarity of the models for iSL: R ⊆ ≤, that is the modal relation is a subset of the intuitionistic relation. We recall the standard definition of forcing for intuitionistic modal logics, and show that persistence holds.

Definition 3. *Given a Kripke model* <sup>M</sup> = (W, <sup>≤</sup>, R, I)*, we define the forcing relation as follows, where* v ≥ w *is just* w ≤ v*:*


*Local consequence is defined as below, where* M, w ⊩ Γ *means* ∀ϕ ∈ Γ, M, w ⊩ ϕ*:*

$$
\Gamma \vdash \varphi \qquad \qquad \text{iff} \qquad \forall \mathcal{M}. \forall w. (\mathcal{M}, w \Vdash \Gamma \quad implies \quad \mathcal{M}, w \Vdash \varphi)
$$

Lemma 1 (Persistence). *For any model* M = (W, ≤, R, I)*, formula* ϕ *and points* w, v ∈ W*, if* w ≤ v *and* M, w ⊩ ϕ *then* M, v ⊩ ϕ*.*

Interestingly, as iSL satisfies the finite model property [46] it can also be characterised by the class of *finite* frames where R is transitive and *irreflexive*.
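The semantic clauses above are easy to check mechanically on finite models. The following Python sketch is our own illustration (the paper's formalisation is in Coq, and the tuple encoding of formulae is an assumption of ours); it evaluates forcing on a small two-world iSL model and checks persistence as well as the strong Löb axiom (□p → p) → p:

```python
# Formulas as nested tuples: ('var','p'), ('bot',), ('and',a,b),
# ('or',a,b), ('imp',a,b), ('box',a).  This encoding is ours.
def forces(M, w, phi):
    W, le, R, I = M
    tag = phi[0]
    if tag == 'var':
        return w in I.get(phi[1], set())
    if tag == 'bot':
        return False
    if tag == 'and':
        return forces(M, w, phi[1]) and forces(M, w, phi[2])
    if tag == 'or':
        return forces(M, w, phi[1]) or forces(M, w, phi[2])
    if tag == 'imp':
        # Intuitionistic clause: quantify over all <=-successors.
        return all(not forces(M, v, phi[1]) or forces(M, v, phi[2])
                   for v in W if (w, v) in le)
    if tag == 'box':
        # Modal clause: quantify over all R-successors.
        return all(forces(M, v, phi[1]) for v in W if (w, v) in R)
    raise ValueError(tag)

# A two-world model with 0 <= 1 and 0 R 1: note R is a subset of <=,
# and R is transitive and (finite, irreflexive) converse well-founded.
W = {0, 1}
le = {(0, 0), (1, 1), (0, 1)}
R = {(0, 1)}
I = {'p': {1}}
M = (W, le, R, I)

p = ('var', 'p')
strong_loeb = ('imp', ('imp', ('box', p), p), p)  # (□p → p) → p
```

On this model, world 0 forces □p but not p, so the clauses for → and □ genuinely differ from their classical readings; the strong Löb axiom is nonetheless forced at every world.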

#### 2.4 Sequent Calculus

A *sequent* is a pair of a finite multiset Γ of formulae and a formula ϕ, denoted Γ ⇒ ϕ. For a sequent Γ ⇒ ϕ we call Γ the *antecedent* of the sequent and ϕ the *consequent* of the sequent. For multisets Γ and Δ, the multiset sum Γ ⊎ Δ is the multiset whose multiplicity (at each formula) is the sum of the multiplicities of Γ and Δ. We write Γ, Δ to mean Γ ⊎ Δ. For a formula ϕ, we write ϕ, Γ and Γ, ϕ to mean {ϕ} ⊎ Γ. From the formalisation perspective, a pair of a list of formulae (list MPropF) and a formula MPropF has type (list MPropF) \* MPropF, using the Coq notation \* for forming pairs. The latter is the type we give to sequents in our formalisation, for which we use the macro Seq. Thus the sequent ϕ1, ϕ2, ϕ3 ⇒ ψ is encoded by the term [ϕ1 ; ϕ2 ; ϕ3] \* ψ, which itself can also be written as the pair ([ϕ1 ; ϕ2 ; ϕ3], ψ). Note that [ϕ1 ; ϕ2 ; ϕ3] \* ψ is different from [ϕ2 ; ϕ1 ; ϕ3] \* ψ since the order of the elements is crucial, so our lists do not capture multisets (yet).
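To illustrate the gap between list-sequents and multiset-sequents (a Python transliteration of the idea, not the paper's Coq code), the same antecedent in two different orders yields distinct list encodings while the underlying multisets coincide:

```python
from collections import Counter

# Formulas are opaque atoms here; a sequent mirrors the Coq type
# (list MPropF) * MPropF: a pair of a list of formulae and a formula.
phi1, phi2, phi3, psi = 'phi1', 'phi2', 'phi3', 'psi'

s1 = ([phi1, phi2, phi3], psi)  # encodes ϕ1, ϕ2, ϕ3 ⇒ ψ
s2 = ([phi2, phi1, phi3], psi)  # encodes ϕ2, ϕ1, ϕ3 ⇒ ψ

# As list-sequents the two encodings differ: order is significant.
distinct_as_lists = s1 != s2

# Viewed as multisets (formula -> multiplicity) the antecedents agree,
# which is why exchange has to be proved admissible for list-sequents.
same_as_multisets = Counter(s1[0]) == Counter(s2[0])
```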

A *sequent calculus* consists of a finite set of *sequent rule schemas*. Each rule schema consists of a conclusion sequent schema and some number of premise sequent schemas. A rule schema with zero premise schemas is called an initial rule. The conclusion and premises are built in the usual way from propositional variables, formula-variables and multiset-variables. A *rule instance* is obtained by uniformly instantiating every variable in the rule schema with a concrete object of that type. This is the standard definition from structural proof theory.

Definition 4 (Derivation/Proof). *A* derivation *of a sequent* S *in the sequent calculus* C *is a finite tree of sequents such that (i) the root node is* S*; and (ii) each interior node and its direct children are the conclusion and premise(s) of a rule instance in* C*. A* proof *is a derivation where every leaf is the conclusion of an instance of an initial rule.*

Note that we explicitly define the notion of a derivation as an object rather than define the notion of derivability, as is done in some papers. We do so as we want to create a "deep" embedding of such derivations into Coq [9].

In what follows, it should be clear from context whether the word "proof" refers to the object defined in Definition 4, or to the meta-level notion. We say that a sequent is *provable* in G4iSLt if it has a proof in G4iSLt. We elide the details of the encodings of sequent rules and derivations, as these can be found elsewhere [1,39]. We define a predicate G4iSLt\_prv on sequents to encode *provability* in G4iSLt. Our encodings rely on the type Type, which bears computational content, unlike Prop, and is crucially compatible with the extraction function of Coq.

Before presenting our calculus, we recall standard notions from proof theory.

Definition 5 (Height). *For any derivation* δ*, its* height h(δ) *is the maximum number of nodes on a path from root to leaf.*
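Definitions 4 and 5 can be rendered as a small tree datatype; the sketch below (our own illustration, not the paper's Coq deep embedding) computes the height h(δ) as the maximum number of nodes on a root-to-leaf path:

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Derivation:
    sequent: str                     # the sequent at this node (opaque here)
    rule: str                        # name of the rule instance applied
    children: List['Derivation'] = field(default_factory=list)

def height(d: Derivation) -> int:
    # A leaf is a path of one node; otherwise extend the longest
    # path through some premise by the current node.
    return 1 + max((height(c) for c in d.children), default=0)

# A two-node derivation: an (IdP) leaf under an (->R) inference.
leaf = Derivation('p => p', 'IdP')
delta = Derivation('=> p -> p', '->R', [leaf])
```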

Definition 6 (Admissibility, Invertibility, Height-Preservation). *Let* R *be a rule schema with premises* S0, ..., Sn *and conclusion* S*. We say that* R *is:*

– admissible *if, whenever every premise* Si *is provable, the conclusion* S *is provable;*
– height-preserving admissible *if, whenever every premise* Si *has a proof of height at most* h*, the conclusion* S *has a proof of height at most* h*;*
– invertible *if, whenever the conclusion* S *is provable, every premise* Si *is provable;*
– height-preserving invertible *if, whenever the conclusion* S *has a proof of height at most* h*, every premise* Si *has a proof of height at most* h*.*
The sequent calculus G4iSLt is given in Fig. 2. When defining rules we put the label naming the rule on the left of the horizontal line, while in *instances* of rules the label appears on the right of the line.

Fig. 2. The sequent calculus G4iSLt, where Φ contains no boxed formula.

In (IdP), a propositional variable instantiating the featured occurrences of p is principal. In a rule instance of (∧R), (∧L), (∨Ri), (∨L) or (→R), the *principal formula* of that instance is defined as usual. In a rule instance of (p→L), both a propositional variable instantiating p and the formula instantiating the featured p → ϕ are principal formulae of that instance. In a rule instance of (∧→L), (∨→L), (→→L) or (□→L), the formula instantiating respectively (ϕ ∧ ψ) → χ, (ϕ ∨ ψ) → χ, (ϕ → ψ) → χ or □ϕ → ψ is the principal formula of that instance. In a rule instance of (SLtR) or (□→L), ϕ is called the *diagonal formula* [38].

The non-modal rules are taken from the calculus for IPC for which backward proof search strongly terminates [11]. The key point is that the usual intuitionistic left implication rule is replaced by four implication rules, depending on the main connective in the antecedent of the principal formula, in such a way that each premise is less complex than the conclusion. In particular, when considering the rule (→→L), an application of the "regular" left implication rule yields the more complex left premise Γ, (ϕ → ψ) → χ ⇒ ϕ → ψ, which is (semantically) equivalent to the simpler left premise stated in rule (→→L).

We proceed to give semantic intuitions for the rules (SLtR) and (□→L).

The (SLtR) rule has similarities with the rule (GLR) (shown below) from sequent calculi for provability logics such as GL, but with two major differences: (1) the non-boxed formulae Φ in the antecedent of the sequent are preserved from conclusion to premise in (SLtR), while they are deleted in (GLR); and (2) the boxed formulae □Γ are not preserved upwards in (SLtR), while they are in (GLR).

$$\begin{array}{c} \Phi, \Gamma, \Box\varphi \Rightarrow \varphi\\ \hline \Phi, \Box\Gamma \Rightarrow \Box\varphi \end{array} (\text{SLtR}) \qquad\qquad\qquad \begin{array}{c} \Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi\\ \hline \Phi, \Box\Gamma \Rightarrow \Box\varphi \end{array} (\text{GLR})$$

From a backward proof search perspective, both rules correspond, semantically, to a "modal jump" from a point w which falsifies the conclusion Φ, □Γ ⇒ □ϕ to a modal successor v which forces Γ but falsifies the succedent ϕ of the premise. The underlying relation R in both logics is transitive and converse well-founded. Using converse well-foundedness we can assume that v is the last modal successor making ϕ false, thus v forces □ϕ in both logics. Transitivity implies that v forces □Γ in both logics, so all its successors force Γ. But, in iSL, the relation R is included in ≤, so by persistence v also forces Φ in iSL, but not in GL, thus explaining difference (1). Thanks to persistence, v forcing Γ implies that all its modal successors force Γ, meaning that v forces □Γ already, thus explaining difference (2).

The two premises of (□→L) capture how □ϕ → ψ in the antecedent of the conclusion can be true. The simple case is when ψ is true, which corresponds to the right premise. The more complicated case is when ψ is not true, implying that □ϕ must also be not true. Now, □ϕ true semantically means that ϕ is true in all modal successors, hence □ϕ not true means that ϕ is not true in some modal successor. But converse well-foundedness implies the existence of a last modal successor where ϕ is not true, with all its modal successors making ϕ true. The left premise corresponds to this last modal successor, as it encodes that ϕ is not true but □ϕ is true. Moreover, this last modal successor is also an intuitionistic successor as R ⊆ ≤. By persistence, this last successor must also make □ϕ → ψ true. But then, a simple modus ponens on □ϕ and □ϕ → ψ gives us ψ.

Finally, we show that G4iSLt indeed captures the set of theorems of iSL.

Theorem 1. *For all* ϕ *we have:* ∅ ⊢iSLH ϕ *iff* ⇒ ϕ *is provable in* G4iSLt*.*

*Proof.* We proved in Coq the two following results.

(1) Γ ⊢iSLH ϕ implies that there exists a finite Γ′ ⊆ Γ s.t. Γ′ ⇒ ϕ is provable in G4iSLt;
(2) Γ ⇒ ϕ is provable in G4iSLt implies Γ ⊨ ϕ.

The result (1), which relies on the admissibility of cut (Theorem 2), shows that G4iSLt is (strongly) complete with respect to iSLH and gives us the left-to-right direction of our theorem. The other direction involves the soundness of G4iSLt w.r.t. the local consequence shown in (2), as well as the (non-formalised) result of (weak) completeness of iSLH w.r.t. the local consequence obtained by Ardeshir and Mojtahedi [3].

# 3 Admissible Rules in **G4iSLt**

This section aims at showing that the contraction rule is admissible. To do so, it follows the work developed by Goré and Shillito [26] on the sequent calculus GL4ip for the intuitionistic provability logic iGL, which itself extends the work of Dyckhoff and Negri [13] on G4ip. Most of the overall structure of the argument is the same as for the case of GL4ip, except for the crucial and typical *left-unboxing rule* (□), shown to be height-preserving admissible.

Most of the results of this section are proven by inductions on the weight of formulae and/or height of derivations. We omit the Coq encodings for brevity.

Lemma 2 (Height-preserving invertibility of rules). *The rules* (∧R)*,* (∧L)*,* (∨L)*,* (→R)*,* (p→L)*,* (∧→L)*,* (∨→L) *are height-preserving invertible.*

We present height-preserving admissible and admissible rules in Fig. 3.

The structural rules of weakening (Wkn), contraction (Ctr) and exchange (Exc), are all (at least) admissible. The presence of the latter may be surprising, as the sequents we use are based on multisets. However, as mentioned earlier, our formalisation encodes sequents using lists and not multisets. So, the formal proof of the height-preserving admissibility of (Exc) shows that list-sequents of our formalisation mimic multiset-sequents of the pen-and-paper definition. In fact, we designed the formalisation of G4iSLt so that it admits exchange [26].

The rule (□) is quite typical of the logic iSL, as it reflects one of its theorems: the completeness axiom ϕ → □ϕ. Indeed, this axiom implies that Γ entails □Γ, allowing the replacement of □Γ by Γ in the antecedent of a provable sequent while preserving provability. The height-preserving admissibility of (□) is crucially used in many places, notably Lemma 2 and the admissibility of cut.

The height-preserving admissibility of (□→LIR) and (→→LIR) shows height-preserving invertibility in the right premise of the rules (□→L) and (→→L).

The admissible rule (→L) is the traditional left-implication rule. We use this rule to prove the admissibility of (→→LIL), resembling the invertibility in the left premise of (→→L). In turn, (→→LIL) is crucial in the admissibility of (Ctr).

$$\text{(Exc)}\ \frac{\Gamma\_{0},\Gamma\_{3},\Gamma\_{2},\Gamma\_{1},\Gamma\_{4} \Rightarrow \chi}{\Gamma\_{0},\Gamma\_{1},\Gamma\_{2},\Gamma\_{3},\Gamma\_{4} \Rightarrow \chi} \qquad \text{(Wkn)}\ \frac{\Gamma \Rightarrow \chi}{\Gamma,\varphi \Rightarrow \chi} \qquad (\Box)\ \frac{\Phi,\Box\Gamma \Rightarrow \chi}{\Phi,\Gamma \Rightarrow \chi}$$

$$\text{(Ctr)}\ \frac{\varphi,\varphi,\Gamma \Rightarrow \chi}{\varphi,\Gamma \Rightarrow \chi} \qquad (\Box{\to}\text{LIR})\ \frac{\Box\varphi\to\psi,\Gamma \Rightarrow \chi}{\psi,\Gamma \Rightarrow \chi} \qquad ({\to\to}\text{LIR})\ \frac{(\varphi\to\psi)\to\chi,\Gamma \Rightarrow \delta}{\chi,\Gamma \Rightarrow \delta}$$

$$({\to}\text{L})\ \frac{\varphi\to\psi,\Gamma \Rightarrow \varphi \qquad \psi,\Gamma \Rightarrow \chi}{\varphi\to\psi,\Gamma \Rightarrow \chi} \qquad ({\to\to}\text{LIL})\ \frac{(\varphi\to\psi)\to\chi,\Gamma \Rightarrow \delta}{\varphi,\psi\to\chi,\psi\to\chi,\Gamma \Rightarrow \delta}$$

Fig. 3. Height-preserving admissible and admissible rules in G4iSLt.

In the following section we introduce a measure on sequents which we use to show that the naive backward proof search strategy for G4iSLt terminates. This measure could thus be used to derive the notion of maximum height of derivations (mhd) for a sequent, as was done in previous works [24,26]. There, the mhd measure was used as secondary induction measure in the proof of admissibility of cut. Here, we simply use the termination measure instead.

# 4 Naive Backward Proof Search Terminates

Sequent calculi enjoying cut-elimination can often be used to decide whether a given formula ϕ is deducible from a given set of assumptions Γ by strategically applying the rules "backwards" from the end-sequent Γ ⇒ ϕ. To obtain a decision procedure, we require a backward proof search strategy which terminates and is complete, i.e. which provides a proof for any sequent provable in the calculus.

But terminating complete strategies often necessitate a "loop check" mechanism, which stops the search if the same sequent appears twice on a branch. For example, for the sequent calculus LJ for propositional intuitionistic logic, the only terminating complete strategies involve a loop check. The termination of such strategies is messy to reason about, as in most cases their unguarded version does not terminate and results in proof trees with infinite branches.

While some calculi have terminating complete strategies without loop checks, like GLS for GL [24] and GL4ip for iGL [20], we consider a stronger kind of calculus: calculi with *strongly terminating* backward proof search, such as G4ip for intuitionistic propositional logic [12]. Backward proof search for a sequent calculus is strongly terminating if and only if *all* backward proof search strategies for this calculus, complete or not, terminate. This characterisation has other equivalent forms: (1) the naive backward proof search strategy terminates, and (2) there is a well-founded ordering on sequents decreasing upwards in all the rules of the calculus. In contrast, backward proof search is *weakly* terminating if and only if *there is* a terminating complete strategy for this calculus.

In this section we show that backward proof search for G4iSLt is strongly terminating. More precisely, we show that the naive strategy terminates. To do this, we need two ingredients: (1) a locally defined measure on sequents, and (2) a well-founded order making this measure decrease upwards in the rules of G4iSLt.

#### 4.1 Shortlex: A Well-Founded Order on list N

We define the shortlex order, which is a well-founded order on list N, i.e. the set of all lists of natural numbers.

In the following, we use < to mean the usual ordering on natural numbers. Let us recall the definition of the lexicographic order on lists of natural numbers.

Definition 7 (Lexicographic order). *Let* n ∈ N*. We define the lexicographic order* <<sup>n</sup>lex *on lists of natural numbers of length* n*. For two lists of natural numbers* [m1; ··· ; mn] *and* [k1; ··· ; kn]*, we write* [m1; ··· ; mn] <<sup>n</sup>lex [k1; ··· ; kn] *if there is a* 1 ≤ j ≤ n *such that: (1)* mp = kp *for all* 1 ≤ p < j*, and (2)* mj < kj*.*

Note that as < is a well-founded order, <<sup>n</sup>lex is also well-founded [36]. Finally, we define the shortlex order, also called *breadth-first* [31] or *length-lexicographic* order, over lists of natural numbers (viewed as n-tuples).

Definition 8 (Shortlex order). *The shortlex order over lists of natural numbers, noted* <<*, is defined as follows. For two lists* l0 *and* l1 *of natural numbers, we say that* l0 << l1 *whenever one of the following conditions is satisfied:*

*1.* length(l0) < length(l1)*;*
*2.* length(l0) = length(l1) = n *and* l0 <<sup>n</sup>lex l1*.*

Intuitively, the shortlex order orders lists according to their length, and falls back on the lexicographic order whenever length does not discriminate. Note that on top of being well-founded, << is clearly transitive.
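Definitions 7 and 8 translate directly into code; the following Python sketch (ours, for illustration — the formalisation instead proves well-foundedness of these orders in Coq) decides the two orders:

```python
def lex_lt(l0, l1):
    # <^n_lex on two lists of the same length n: strictly smaller at
    # the first position where the lists differ.
    assert len(l0) == len(l1)
    for m, k in zip(l0, l1):
        if m != k:
            return m < k
    return False  # equal lists are not strictly smaller

def shortlex_lt(l0, l1):
    # l0 << l1: a shorter list is always smaller; on equal lengths
    # fall back to the lexicographic order.
    if len(l0) != len(l1):
        return len(l0) < len(l1)
    return lex_lt(l0, l1)
```

For instance, `shortlex_lt([2], [1, 0])` holds purely by length, while `shortlex_lt([1, 0], [1, 1])` holds lexicographically.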

#### 4.2 A (list N)-Measure on Sequents

We proceed to attach to each sequent Γ ⇒ χ a "measure" Θ(Γ ⇒ χ) which is a (finite) list of natural numbers, i.e. of type list N. For simplicity, in the following we consider a fixed sequent Γ ⇒ χ for which we define the measure.

To introduce our measure, we first wish to explain why the measure used for GL4ip [26], acting as a substitute of the Dershowitz-Manna order [10] considered in Dyckhoff's article on G4ip [11], does not work for our purpose. The explanation of this failure justifies the modification we made to obtain the measure for G4iSLt.

The intuition behind the measure for GL4ip and G4ip is the following: for a multiset of formulae we create an ordered list of counters, one for each weight, counting the occurrences of topmost formulae of that weight. For more details, take a finite multiset of formulae Δ. As it is finite, it contains a *topmost* formula of maximal weight n. We can create a list of length n such that at each position m in the list (counting from right to left) for 1 ≤ m ≤ n, we find the number of occurrences in Δ of *topmost* formulae of weight m. Such a list gives the count of occurrences in Δ of formulae of weight n in its leftmost (i.e. n-th) component, then of occurrences of formulae of weight n−1 in the next (i.e. (n−1)-th) component, and so on until we reach 1.

The measure for GL4ip and G4ip consisted in attaching to Γ ⇒ χ the list obtained by applying the above procedure to the multiset Γ ⊎ {χ}. Call this function Θfail. This measure fails to show termination of the naive strategy for G4iSLt, as it does not decrease upwards in the following application of (SLtR).

$$\frac{\square p \Rightarrow p}{\Rightarrow \square p} \text{ (SLtR)}$$

We have that Θfail(⇒ □p) = [1, 0] because □p is the formula of maximum weight 2, and it is the only formula with this weight occurring in the sequent, while no formula of weight 1 appears in ⇒ □p. In addition, we have that Θfail(□p ⇒ p) = [1, 1]. Consequently, we obtain Θfail(⇒ □p) << Θfail(□p ⇒ p): the measure increased upwards. So, the measure used for GL4ip and G4ip cannot be used here. We need to define another one.

With enough scrutinising, one can notice that in G4iSLt the principal box of a boxed formula in the antecedent of a sequent is a "deadweight". More precisely, once a formula □ϕ is in the antecedent of a sequent, only two things can happen to its outermost box: it is either deleted (via the modal rule (SLtR) or (□→L)), or else it is preserved (through all other rules). Intuitively, this observation suggests that boxed formulae in the antecedent are destined to be unboxed eventually in the upward application of rules, without having any other effect.

Consequently, as the top-level boxes in the antecedent of a sequent are deadweights, we can think about unboxing the antecedent of Γ ⇒ χ before applying the procedure described above. This is precisely what we do: if Γ is of the shape Γ0, □Γ1 with no boxed formula in Γ0, we define Θ(Γ ⇒ χ) to be the list of natural numbers obtained via the above machinery applied to the multiset Γ0 ⊎ Γ1 ⊎ {χ}.

For example, to compute Θ(□(p ∧ q), p ∨ q ⇒ q → p), we first unbox the antecedent of this sequent by transforming □(p ∧ q) into p ∧ q, to obtain the multiset {p ∧ q, p ∨ q, q → p}. Because p ∧ q is the only formula of maximum weight four, our list of length four begins with 1. Since both p ∨ q and q → p are of weight three, the second element is 2. Finally, since there are no formulae of weights two and one, we obtain Θ(□(p ∧ q), p ∨ q ⇒ q → p) = [1, 2, 0, 0]. Following this explanation, observe that the issue we faced with ⇒ □p and □p ⇒ p is now fixed: we first unbox □p in □p ⇒ p, hence Θ(□p ⇒ p) = [2] << [1, 0] = Θ(⇒ □p).

Two things need to be noted about such lists. First, if no topmost occurrence of a formula is of weight <sup>1</sup> <sup>≤</sup> <sup>k</sup> <sup>≤</sup> <sup>n</sup>, then a <sup>0</sup> appears in position <sup>k</sup> in the list. This is the case for the weight 2 in the last example above. Second, as no formula is of weight 0 we do not dedicate a position for this particular weight in our list.
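The measure Θ is easy to compute. The sketch below (our own illustration) assumes the Dyckhoff-style weight of formulae, with w(⊥) = w(p) = 1, w(ϕ ∧ ψ) = w(ϕ) + w(ψ) + 2, w(ϕ ∨ ψ) = w(ϕ → ψ) = w(ϕ) + w(ψ) + 1 and w(□ϕ) = w(ϕ) + 1 — an assumption on our part, chosen because it reproduces the weights used in the examples above:

```python
def weight(phi):
    # Assumed Dyckhoff-style weight of a formula (see lead-in).
    tag = phi[0]
    if tag in ('var', 'bot'):
        return 1
    if tag == 'and':
        return weight(phi[1]) + weight(phi[2]) + 2
    if tag in ('or', 'imp'):
        return weight(phi[1]) + weight(phi[2]) + 1
    if tag == 'box':
        return weight(phi[1]) + 1
    raise ValueError(tag)

def counts(formulas):
    # List whose entry for weight k (read right to left) counts the
    # occurrences of topmost formulae of weight k.
    if not formulas:
        return []
    ws = [weight(phi) for phi in formulas]
    n = max(ws)
    return [ws.count(k) for k in range(n, 0, -1)]

def theta(gamma, chi):
    # Unbox the top-level boxes of the antecedent, then count weights.
    unboxed = [phi[1] if phi[0] == 'box' else phi for phi in gamma]
    return counts(unboxed + [chi])

p, q = ('var', 'p'), ('var', 'q')
```

It recovers Θ(□(p ∧ q), p ∨ q ⇒ q → p) = [1, 2, 0, 0] as well as Θ(□p ⇒ p) = [2] and Θ(⇒ □p) = [1, 0], the pair on which Θfail failed.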

#### 4.3 Every Rule of **G4iSLt** Reduces *Θ* Upwards

We obtain the sought-after result about our measure Θ: it decreases upwards through the rules of G4iSLt in the << ordering.

Lemma 3. *For all sequents* S0, S1, ..., Sn *and for all* 1 ≤ i ≤ n*, if there is an instance of a rule* r *of* G4iSLt *of the form below, then* Θ(Si) << Θ(S0)*:*

$$\frac{S\_1 \quad \dots \quad S\_n}{S\_0}\ r$$

Clearly, this result implies that the naive strategy for G4iSLt terminates: any rule application makes the measure decrease on <<, ensuring termination via well-foundedness of <<. Thus, backward proof search is strongly terminating.

Moreover, this lemma is quite crucial in the proof of admissibility of cut: as we use Θ(Γ ⇒ χ) as secondary induction measure (through well-foundedness of <<) there, we know that we can apply the secondary induction hypothesis on any sequent S which is a premise of Γ ⇒ χ through a rule, as Θ(S) << Θ(Γ ⇒ χ).

# 5 Cut-Elimination for **G4iSLt**

To reach cut-elimination, our main theorem, we first state and prove the admissibility of the cut rule in a direct and purely syntactic way. More precisely, we prove that the *additive*-cut rule, with *cut formula* ϕ, is admissible. This statement and its formalisation are given below, where Γ is encoded as Γ0++Γ1.

Theorem 2 (Admissibility of additive-cut). *The additive cut rule below is admissible in* G4iSLt*.*

$$\frac{\Gamma \Rightarrow \varphi \quad \varphi, \Gamma \Rightarrow \psi}{\Gamma \Rightarrow \psi} \text{ (Cut)}$$

Theorem G4iSLt\_cut\_adm : forall ϕ Γ0 Γ1 χ, (G4iSLt\_prv (Γ0++Γ1, ϕ) \* G4iSLt\_prv (Γ0++ϕ::Γ1, χ)) -> G4iSLt\_prv (Γ0++Γ1, χ).

*Proof.* Let d<sup>1</sup> (with last rule r1) and d<sup>2</sup> (with last rule r2) be proofs in G4iSLt of Γ ⇒ ϕ and ϕ, Γ ⇒ χ respectively, as shown below.

$$\frac{d\_1}{\varGamma \Rightarrow \varphi} \, r\_1 \qquad \frac{d\_2}{\varphi, \varGamma \Rightarrow \chi} \, r\_2$$

We show that there is a proof in G4iSLt of Γ ⇒ χ. We reason by strong primary induction (PI) on the weight of the cut formula ϕ, giving the primary inductive hypothesis (PIH). We also use a strong secondary induction (SI) on the measure Θ(Γ ⇒ χ) of the conclusion of a cut, giving the secondary inductive hypothesis (SIH). Crucially, by using SIH we avoid the issues caused by the diagonal formula [23,44].

We consider r1. In total, there are thirteen cases for r1: one for each rule in G4iSLt. However, we can reduce the number of cases to eight. We separate them by using Roman numerals and showcase the most interesting ones.

(V) **r1 = (→R)**: Then r1 has the following form, where ϕ = ϕ0 → ϕ1:

$$\frac{\varphi\_0, \Gamma \Rightarrow \varphi\_1}{\Gamma \Rightarrow \varphi\_0 \to \varphi\_1}\ ({\to}\mathrm{R})$$

For the cases where ϕ0 → ϕ1 is principal in r2 and r2 = (□→L), or where r2 ∈ {(IdP), (⊥L)}, we refer to Dyckhoff and Negri's proof [13], as the cuts produced in these cases involve the traditional induction hypothesis PIH. We are left with seven sub-cases, but here again focus on the most interesting ones.

(V-d) If r2 is (→→L) where the cut formula is not principal in r2, then it must have the following form, where (γ0 → γ1) → γ2, Γ0 = Γ.

$$\frac{\varphi\_0 \to \varphi\_1, \gamma\_1 \to \gamma\_2, \Gamma\_0 \Rightarrow \gamma\_0 \to \gamma\_1 \qquad \varphi\_0 \to \varphi\_1, \gamma\_2, \Gamma\_0 \Rightarrow \chi}{\varphi\_0 \to \varphi\_1, (\gamma\_0 \to \gamma\_1) \to \gamma\_2, \Gamma\_0 \Rightarrow \chi}\ ({\to\to}\mathrm{L})$$

Thus, Γ ⇒ χ is of the form (γ0 → γ1) → γ2, Γ0 ⇒ χ and Γ ⇒ ϕ0 → ϕ1 is of the form (γ0 → γ1) → γ2, Γ0 ⇒ ϕ0 → ϕ1. Using the admissible rule (→→LIR) on the latter we obtain a proof of the sequent γ2, Γ0 ⇒ ϕ0 → ϕ1. Then consider the following proof of the sequent γ1 → γ2, Γ0 ⇒ γ0 → γ1, where the rule (→→LIL) deconstructs the implication (γ0 → γ1) → γ2, the rule (Ctr) contracts γ1 → γ2, and Lemma 2 is the invertibility of the rule (→R).

$$\dfrac{\dfrac{\dfrac{\dfrac{(\gamma\_0\to\gamma\_1)\to\gamma\_2,\Gamma\_0\Rightarrow\varphi\_0\to\varphi\_1}{\gamma\_0,\gamma\_1\to\gamma\_2,\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\varphi\_0\to\varphi\_1}\,({\to\to}\mathrm{LIL})}{\gamma\_0,\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\varphi\_0\to\varphi\_1}\,(\mathrm{Ctr}) \quad \dfrac{\varphi\_0\to\varphi\_1,\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\gamma\_0\to\gamma\_1}{\varphi\_0\to\varphi\_1,\gamma\_0,\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\gamma\_1}\,\text{Lem. 2}}{\gamma\_0,\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\gamma\_1}\,\text{SIH}}{\gamma\_1\to\gamma\_2,\Gamma\_0\Rightarrow\gamma\_0\to\gamma\_1}\,({\to}\mathrm{R})$$

The crucial point here is to see that the use of SIH is justified, in other words, that Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) << Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ). This is the case as the rule applications (→→L) and (→R) entail Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) << Θ(γ1 → γ2, Γ0 ⇒ γ0 → γ1) << Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ) by Lemma 3, hence Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) << Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ) by transitivity of <<. So, we are done. Note that the created cut could not be justified by the usual induction on height, as the admissibility of (→→LIL) is not height-preserving.

(V-f) If r2 is (□→L) with a principal formula different from the cut formula, then it must have the following form, where □γ0 → γ1, Φ, □Γ0 = Γ.

$$\frac{\varphi\_0 \to \varphi\_1, \gamma\_1, \Phi, \Gamma\_0, \Box\gamma\_0 \Rightarrow \gamma\_0 \qquad \gamma\_1, \varphi\_0 \to \varphi\_1, \Phi, \Box\Gamma\_0 \Rightarrow \chi}{\varphi\_0 \to \varphi\_1, \Box\gamma\_0 \to \gamma\_1, \Phi, \Box\Gamma\_0 \Rightarrow \chi}\ (\Box{\to}\mathrm{L})$$

Thus, we have that Γ ⇒ χ and Γ ⇒ ϕ0 → ϕ1 are respectively of the form □γ0 → γ1, Φ, □Γ0 ⇒ χ and □γ0 → γ1, Φ, □Γ0 ⇒ ϕ0 → ϕ1. Using the admissible rule (□→LIR) on the latter we obtain a proof of γ1, Φ, □Γ0 ⇒ ϕ0 → ϕ1. Then, we proceed as follows by combining the proof π, second below, with the first one.

$$\dfrac{\dfrac{\pi}{\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\gamma\_0} \qquad \dfrac{\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\varphi\_0\to\varphi\_1 \quad \gamma\_1,\varphi\_0\to\varphi\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}{\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}\,\text{SIH}}{\Box\gamma\_0\to\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}\,(\Box{\to}\mathrm{L})$$

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\varphi\_0,\Box\gamma\_0\to\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\varphi\_1}{\varphi\_0,\Box\gamma\_0\to\gamma\_1,\Phi,\Box\Gamma\_0,\Box\gamma\_0\Rightarrow\varphi\_1}\,(\mathrm{Wkn})}{\varphi\_0,\gamma\_1,\Phi,\Box\Gamma\_0,\Box\gamma\_0\Rightarrow\varphi\_1}\,(\Box{\to}\mathrm{LIR})}{\varphi\_0,\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\varphi\_1}\,(\Box)}{\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\varphi\_0\to\varphi\_1}\,({\to}\mathrm{R}) \qquad \varphi\_0\to\varphi\_1,\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\gamma\_0}{\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\gamma\_0}\,\text{SIH}$$

Note that both uses of SIH are justified here, as the last rule in the first proof is an instance of (□→L), hence Θ(γ1, Φ, □Γ0 ⇒ χ) << Θ(□γ0 → γ1, Φ, □Γ0 ⇒ χ) and Θ(γ1, Φ, Γ0, □γ0 ⇒ γ0) << Θ(□γ0 → γ1, Φ, □Γ0 ⇒ χ) by Lemma 3.

(VII) **r1 = (□→L)**: Then r1 is as follows, where □γ0 → γ1, Φ, □Γ0 = Γ.

$$\frac{\gamma\_1, \Phi, \Gamma\_0, \Box\gamma\_0 \Rightarrow \gamma\_0 \qquad \gamma\_1, \Phi, \Box\Gamma\_0 \Rightarrow \varphi}{\Box\gamma\_0 \to \gamma\_1, \Phi, \Box\Gamma\_0 \Rightarrow \varphi}\ (\Box{\to}\mathrm{L})$$

Thus, the sequents Γ ⇒ χ and ϕ, Γ ⇒ χ are of the form □γ0 → γ1, Φ, □Γ0 ⇒ χ and ϕ, □γ0 → γ1, Φ, □Γ0 ⇒ χ, respectively. Then, we proceed as follows.

$$\dfrac{\gamma\_1,\Phi,\Gamma\_0,\Box\gamma\_0\Rightarrow\gamma\_0 \qquad \dfrac{\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\varphi \quad \dfrac{\varphi,\Box\gamma\_0\to\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}{\varphi,\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}\,(\Box{\to}\mathrm{LIR})}{\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}\,\text{SIH}}{\Box\gamma\_0\to\gamma\_1,\Phi,\Box\Gamma\_0\Rightarrow\chi}\,(\Box{\to}\mathrm{L})$$

Note that the use of SIH is justified, as the last rule in this proof gives us Θ(γ₁, Φ, □Γ₀ ⇒ χ) ≪ Θ(□γ₀ → γ₁, Φ, □Γ₀ ⇒ χ) by Lemma 3. (VIII) **r₁ = (SLtR)**: Then ϕ is the diagonal formula in r₁:

$$\frac{\Phi, \varGamma\_0, \Box \varphi\_0 \Rightarrow \varphi\_0}{\Phi, \Box \varGamma\_0 \Rightarrow \Box \varphi\_0} \text{ (SLtR)}$$

where ϕ = □ϕ₀ and Φ, □Γ₀ = Γ. Thus, we have that Γ ⇒ χ and ϕ, Γ ⇒ χ are respectively of the form Φ, □Γ₀ ⇒ χ and □ϕ₀, Φ, □Γ₀ ⇒ χ. We now consider r₂. (VIII-b) If r₂ is (□→L) it is of the following form, where Φ = □γ₀ → γ₁, Φ₀.

$$\frac{\gamma\_1, \Phi\_0, \Box \gamma\_0, \varphi\_0, \Gamma\_0 \Rightarrow \gamma\_0 \qquad \gamma\_1, \Phi\_0, \Box \varphi\_0, \Box \Gamma\_0 \Rightarrow \chi}{\Box \gamma\_0 \to \gamma\_1, \Phi\_0, \Box \varphi\_0, \Box \Gamma\_0 \Rightarrow \chi} \ (\Box{\to}L)$$

We proceed as follows.

$$\cfrac{\begin{array}{c}\pi\_0\\ \vdots\\ \gamma\_1, \Phi\_0, \Gamma\_0, \Box\gamma\_0 \Rightarrow \gamma\_0\end{array} \qquad \cfrac{\cfrac{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \Box\Gamma\_0 \Rightarrow \Box\varphi\_0}{\gamma\_1, \Phi\_0, \Box\Gamma\_0 \Rightarrow \Box\varphi\_0}\ (\Box{\to}L\,IR) \qquad \gamma\_1, \Phi\_0, \Box\varphi\_0, \Box\Gamma\_0 \Rightarrow \chi}{\gamma\_1, \Phi\_0, \Box\Gamma\_0 \Rightarrow \chi}\ \mathrm{SIH}}{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \Box\Gamma\_0 \Rightarrow \chi}\ (\Box{\to}L)$$

where π₀ is the first proof given below, which depends on π₁, the second one:

$$\cfrac{\cfrac{\cfrac{\cfrac{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \Gamma\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \gamma\_0, \Gamma\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}\ (\mathrm{Wkn})}{\gamma\_1, \Phi\_0, \gamma\_0, \Gamma\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}\ (\Box{\to}L\,IR)}{\gamma\_1, \Phi\_0, \Gamma\_0, \Box\gamma\_0 \Rightarrow \Box\varphi\_0}\ (\mathrm{SLtR}) \qquad \begin{array}{c}\pi\_1\\ \vdots\\ \gamma\_1, \Phi\_0, \Gamma\_0, \Box\gamma\_0, \Box\varphi\_0 \Rightarrow \gamma\_0\end{array}}{\gamma\_1, \Phi\_0, \Gamma\_0, \Box\gamma\_0 \Rightarrow \gamma\_0}\ \mathrm{SIH}$$

$$\cfrac{\cfrac{\cfrac{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \Box\varphi\_0, \Gamma\_0 \Rightarrow \varphi\_0}{\Box\gamma\_0 \rightarrow \gamma\_1, \Phi\_0, \Box\gamma\_0, \Box\varphi\_0, \Gamma\_0 \Rightarrow \varphi\_0}\ (\mathrm{Wkn})}{\gamma\_1, \Phi\_0, \Box\gamma\_0, \Box\varphi\_0, \Gamma\_0 \Rightarrow \varphi\_0}\ (\Box{\to}L\,IR) \qquad \cfrac{\varphi\_0, \gamma\_1, \Phi\_0, \Box\gamma\_0, \Gamma\_0 \Rightarrow \gamma\_0}{\varphi\_0, \gamma\_1, \Phi\_0, \Box\gamma\_0, \Box\varphi\_0, \Gamma\_0 \Rightarrow \gamma\_0}\ (\mathrm{Wkn})}{\gamma\_1, \Phi\_0, \Box\gamma\_0, \Box\varphi\_0, \Gamma\_0 \Rightarrow \gamma\_0}\ \mathrm{PIH}$$

Note that both uses of SIH are justified here: the rule application (□→L) entails Θ(γ₁, Φ₀, Γ₀, □γ₀ ⇒ γ₀) ≪ Θ(□γ₀ → γ₁, Φ₀, □Γ₀ ⇒ χ), and we have Θ(γ₁, Φ₀, □Γ₀ ⇒ χ) ≪ Θ(□γ₀ → γ₁, Φ₀, □Γ₀ ⇒ χ) by Lemma 3.

(VIII-c) If r₂ is (SLtR), then it is of the following form, where χ = □χ₀.

$$\frac{\Phi, \varphi\_0, \Gamma\_0, \Box\chi\_0 \Rightarrow \chi\_0}{\Phi, \Box\varphi\_0, \Box\Gamma\_0 \Rightarrow \Box\chi\_0} \ (\mathrm{SLtR})$$

We proceed as follows.

$$\cfrac{\cfrac{\cfrac{\cfrac{\Phi, \Gamma\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}{\Phi, \Gamma\_0, \chi\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}\ (\mathrm{Wkn})}{\Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \Box\varphi\_0}\ (\mathrm{SLtR}) \qquad \cfrac{\cfrac{\Phi, \Gamma\_0, \Box\varphi\_0 \Rightarrow \varphi\_0}{\Box\varphi\_0, \Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \varphi\_0}\ (\mathrm{Wkn}) \qquad \cfrac{\varphi\_0, \Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \chi\_0}{\varphi\_0, \Box\varphi\_0, \Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \chi\_0}\ (\mathrm{Wkn})}{\Box\varphi\_0, \Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \chi\_0}\ \mathrm{PIH}}{\Phi, \Gamma\_0, \Box\chi\_0 \Rightarrow \chi\_0}\ \mathrm{SIH}}{\Phi, \Box\Gamma\_0 \Rightarrow \Box\chi\_0}\ (\mathrm{SLtR})$$

The use of SIH is justified because the last rule in this proof ensures that Θ(Φ, Γ₀, □χ₀ ⇒ χ₀) ≪ Θ(Φ, □Γ₀ ⇒ □χ₀) by Lemma 3.

The attentive reader may have noticed that our proof technique requires the use of additive, and not multiplicative, cuts. Indeed, the use of SIH relies on the decrease of the measure Θ, which is notably ensured by the upward application of any rule of the calculus. More generally, in the proof of admissibility, if the cut we initially consider has Γ ⇒ χ as conclusion, then we can justify a cut with conclusion Γ′ ⇒ χ′ using SIH as long as we have a chain r₀, ..., rₙ of applications of rules of G4iSLt of the following form.

$$\begin{array}{c} \cfrac{\dots \quad \Gamma' \Rightarrow \chi' \quad \dots}{\vdots}\ \,r\_n \\[6pt] \cfrac{\vdots}{\Gamma \Rightarrow \chi}\ \,r\_0 \end{array}$$

However, the contraction rule does not ensure the decrease of the measure Θ from conclusion to premise: it is not the case that Θ(Γ, ϕ, ϕ ⇒ χ) ≪ Θ(Γ, ϕ ⇒ χ). This prevents us from allowing any of r₀, ..., rₙ above to be (Ctr). This is where multiplicative cuts are problematic: they most often use the contraction rule as follows, where Γ ⇒ χ is the conclusion of the initial cut and Γ′, Γ′′ ⇒ χ′ is the conclusion of the cut we want to justify through SIH.

$$\cfrac{\cfrac{\Gamma' \Rightarrow \varphi \qquad \varphi, \Gamma'' \Rightarrow \chi'}{\Gamma', \Gamma'' \Rightarrow \chi'}\ \mathrm{SIH}}{\begin{array}{c}\vdots\\ \Gamma \Rightarrow \chi\end{array}}\ (\mathrm{Ctr})^\*$$

Unfortunately, the presence of the contraction rule above Γ ⇒ χ prevents us from using SIH on Γ′, Γ′′ ⇒ χ′, as we have no guarantee that the measure decreases between the two sequents. So, our proof technique prohibits multiplicative cuts, forcing us to use additive ones. This observation was already made by Goré and Shillito [26].

Using our purely syntactic proof of cut-admissibility above, we easily obtain a cut-elimination procedure for the calculus G4iSLt extended with (cut), by repeatedly eliminating topmost cuts. To prove this statement effectively in Coq we explicitly encode the additive cut rule as follows:

$$\frac{\langle \varGamma 0 \mathbin{+\!\!+} \varGamma 1,\ \varphi\rangle \qquad \langle \varGamma 0 \mathbin{+\!\!+} \varphi :: \varGamma 1,\ \chi\rangle}{\langle \varGamma 0 \mathbin{+\!\!+} \varGamma 1,\ \chi\rangle}$$

We encode the calculus G4iSLt + (cut) as G4iSLt\_cut\_rules, i.e. G4iSLt\_rules enhanced with (cut). Finally, we turn to the elimination of additive cuts:

Theorem 3. *The additive cut rule is eliminable from* G4iSLt + (cut)*.*

Theorem G4iSLt\_cut\_elimination : forall s, (G4iSLt\_cut\_prv s) -> (G4iSLt\_prv s).

The above theorem shows that any proof in G4iSLt + (cut) of a sequent, i.e. G4iSLt\_cut\_prv s, can be transformed into a proof in G4iSLt of the same sequent, i.e. G4iSLt\_prv s. As this theorem is in fact a constructive function on Type, we can use the extraction feature of Coq to obtain a cut-eliminating Haskell program.
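The "eliminate topmost cuts first" strategy mentioned above can be sketched generically. The tree encoding and the `reduce_cut` callback below are our own illustrative stand-ins, not the Coq development or its extracted Haskell: the point is only the control structure, which reduces a cut only once both of its subproofs are already cut-free.

```python
# Sketch of the "eliminate topmost cuts first" loop. Proofs are encoded
# as (rule_name, subproofs) pairs; `reduce_cut` stands in for the local
# cut reduction given by the admissibility proof, and is only ever
# applied to a cut whose two subproofs are already cut-free.

def has_cut(proof):
    rule, subs = proof
    return rule == "cut" or any(has_cut(s) for s in subs)

def eliminate(proof, reduce_cut):
    rule, subs = proof
    # Recurse first: this reaches the topmost cuts before the lower ones.
    subs = [eliminate(s, reduce_cut) for s in subs]
    if rule == "cut":
        return reduce_cut(subs)  # both premises are cut-free here
    return (rule, subs)

# Toy reduction used only for demonstration: keep the right premise.
toy_reduce = lambda subs: subs[1]

p = ("cut", [("ax", []), ("cut", [("ax", []), ("rule", [("ax", [])])])])
q = eliminate(p, toy_reduce)
assert not has_cut(q)
```

The post-order recursion is exactly what guarantees that `reduce_cut` never sees a cut above either of its premises.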

# 6 Conclusion

This paper introduces a sequent calculus for iSL, denoted G4iSLt. It is an improvement over the sequent calculus G4iSL from [21], because backward proof search for G4iSLt is strongly terminating (instead of weakly terminating), as shown via a new well-founded measure, and cut-elimination is proved directly (instead of indirectly via an equivalent calculus based on G3i [21]). All our results are formalised constructively in Coq. In turn, Coq's extraction mechanism can generate a Haskell program for the cut-elimination procedure for G4iSLt.

One of the reasons to develop G4iSLt is to use its strongly terminating proof search to investigate uniform interpolation, a strengthening of Craig interpolation, in the setting of intuitionistic provability logics. Typically, calculi with good (weakly or strongly) terminating proof search form good grounds for constructive proofs of uniform interpolation (see e.g. [2,5,22,28,37,41–43]).

We also suggest developing a countermodel construction for G4iSLt similar to the one for G4iSL in [21]. Furthermore, as iSL is an intuitionistic modal logic defined with □ only, there is the question of how it can be extended by ◊ operators. It is clear from the literature on intuitionistic modal logics that several choices can be made (e.g. [4,16,33,40,47]), so we leave this for future work.

Acknowledgements. Iris van der Giessen would like to thank Sonia Marin and Marianna Girlando for an interesting discussion on the subtle choice of rules in proof systems. We would like to thank the anonymous reviewers for their helpful comments and suggestions. Van der Giessen is supported by a UKRI Future Leaders Fellowship, 'Structure vs Invariants in Proofs', project reference MR/S035540/1. Rosalie Iemhoff is supported by the Netherlands Organisation for Scientific Research under grant 639.073.807 and by the EU H2020-MSCA-RISE-2020 Project 101007627. Rajeev Goré is supported by FWF project P 33548 and the National Centre for Research and Development, Poland (NCBR), and the Luxembourg National Research Fund (FNR), under the PolLux/FNR-CORE project STV (POLLUX-VII/1/2019).

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Some Analytic Systems of Rules**

Timo Lang(B)

University College London, London, UK timo.lang@ucl.ac.uk

**Abstract.** We define two simple systems of rules, i.e. calculi with a global condition on the order of rule instances in a proof, for the modal logics of shift-reflexive and Euclidean frames respectively. Cut-elimination, and therefore the subformula property, can be derived directly from the cut-elimination property of adjacent logics. We compare our systems to the calculus of grafted hypersequents, which has previously been used to capture both logics.

We then discuss an attempt to obtain similar 'modular' cut-elimination proofs in other systems of rules. This general attempt is carried out for two more logics, namely the modal logic of serial frames and the intermediate logic axiomatised by the law of the weak excluded middle.

# **1 Introduction**

Among the various proof frameworks used in the investigation of nonclassical logics, *systems of rules* as introduced by Negri [16] remain relatively little studied. Broadly speaking, a system of rules is a sequent-type calculus with a global correctness condition on the order in which rules may be applied; they form an instance of *higher-level rules* [20]. In [16], for example, it is shown that extending the sequent calculus for intuitionistic logic with the system of rules

$$\cfrac{\begin{array}{cc}\cfrac{A, B, \varGamma\_1 \Rightarrow H\_1}{A, \varGamma\_1 \Rightarrow H\_1}\ (A,B)\_L & \cfrac{A, B, \varGamma\_2 \Rightarrow H\_2}{B, \varGamma\_2 \Rightarrow H\_2}\ (A,B)\_R \\ \vdots & \vdots \\ \varGamma \Rightarrow H & \varGamma \Rightarrow H\end{array}}{\varGamma \Rightarrow H}\ (Lin)$$

yields a calculus for *Gödel logic*, i.e. the extension of intuitionistic logic by the linearity axiom (A → B) ∨ (B → A). The schematic representation of the system above is understood as follows: both rules (A, B)*<sup>L</sup>* and (A, B)*<sup>R</sup>* can be used in branches of the proof tree as long as those branches meet below in an instance of (Lin). By using such global conditions it is possible to capture analytically various logics that do not have a cutfree sequent calculus. For example, [16] develops systems of rules based on the labelled sequent calculus for all normal modal logics axiomatised by (generalised) Sahlqvist formulas. In [9] it is shown that proofs in the hypersequent calculus can be rewritten as particular systems of sequent rules, called *2-systems* (and vice versa). A different use of global conditions is shown in [1]: by replacing the (local) eigenvariable condition in

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 94–111, 2023. https://doi.org/10.1007/978-3-031-43513-3\_6

first-order **LK**-proofs by a global condition, one obtains sound but potentially much shorter proofs.

The study of cut-elimination in systems of rules is at a rather unsatisfactory stage. In [9] the analyticity of the systems of rules is obtained, but only indirectly via cut-elimination in the hypersequent calculus. [16] argues that a standard cut reduction argument goes through in the system of rules and illustrates one reduction step. As already remarked in [9], the argument seems to apply only to rules handling atomic formulas. This restriction is possible in the labelled sequent calculus but is too strong in an unlabelled system.

In the first part of this article we develop *grounded proofs*, a simple system of rules for the modal logics **KT**□ and **K5** of shift-reflexive and Euclidean frames respectively. These logics are of interest because their proof theory is less straightforward than that of other modal logics. In particular, neither shift-reflexivity nor Euclideanness is a *simple frame property* [13] which would guarantee the existence of a cutfree hypersequent calculus. The most elementary proof system for **KT**□ and **K5** seems to be the *grafted hypersequent calculus* of Lellmann and Kuznets [12]. Nested sequent [7], prefixed tableau [14] and labelled sequent calculi [15] are also available.

Our systems can be succinctly described as follows. For **KT**□, grounded proofs can make use of all rules of a sequent calculus for **KT**, with the proviso that every unsound modal rule has an instance of the rule (K) below it. For **K5**, grounded proofs can make use of all rules of a hypersequent calculus for **S5**, with the proviso that every unsound modal rule has an instance of the rule (MM) below it:

$$\frac{\Gamma \Rightarrow A}{\Box \Gamma \Rightarrow \Box A} \left( K \right) \qquad \frac{\Gamma\_1 \Rightarrow A\_1 \mid \dots \mid \Gamma\_n \Rightarrow A\_n}{\Box \Gamma\_1, \dots, \Box \Gamma\_n \Rightarrow \Box A\_1, \dots, \Box A\_n} \left( MM \right)$$

It is a remarkable feature of both systems that their cutfree completeness can be proved *directly*, using only the deduction theorem and the cutfreeness of the (hyper)sequent calculi for **K**, **KT** and **S5**. With these ingredients the proof is almost trivial for **KT**□; for **K5** we additionally have to prove a combinatorial lemma about hypersequent derivations. In retrospect, grounded proofs can be seen as proofs in the grafted hypersequent calculus that satisfy a normal form. We make this observation precise by defining a translation from our system into the grafted hypersequent calculus, thereby obtaining a new (and arguably much simpler) proof of cut-elimination for the latter calculus.

In the second part of this article we explore the theme of *strongly modular proofs of cut-elimination*, i.e. proofs of cut-elimination that build on the cut-elimination property of adjacent logics (**K**, **KT** and **S5** in our example) but do not require knowledge about *how* cut-elimination for these systems was obtained. In other words, a proof of cut-elimination is strongly modular if it uses other cut-elimination theorems as 'blackboxes'. What is the scope of strongly modular proofs? We show that for many logics, strongly modular proofs of cut-elimination are possible in a simple sequent system with a global correctness condition called *revivability*. This condition however is defined only abstractly, and so the usefulness of said result depends on finding a simpler equivalent characterisation of revivability. We conclude by showing two examples where such a simple characterisation is possible: the modal logic **KD** of serial frames and the intermediate logic **LQ** axiomatised by the law of the weak excluded middle.

# **2 Preliminaries**

**Modal Logics.** By a *modal logic* we mean any set of formulas in the language {⊥, ¬, ∧, ∨, →, □} that contains all propositional tautologies and the normality axiom □(p → q) → (□p → □q), and is closed under uniform substitution, *Modus Ponens* (from A and A → B infer B) and *Necessitation* (from A infer □A).

The smallest modal logic (with respect to ⊆) is **K**. For any modal logic **L** and formula C, **L**+C denotes the smallest extension of **L** to a modal logic containing all instances of C. The table below lists some modal logics relevant to this paper, together with their corresponding frame condition (for proofs, see e.g. [5]).


The deduction theorem has to be slightly adapted for modal logics. We define □*<sup>k</sup>*A := □ ... □A (k boxes) for k > 0 and □<sup>0</sup>A := A. A *modalized instance of* C is any formula of the form □*<sup>k</sup>*C<sup>0</sup> where C<sup>0</sup> is an instance of C and k ≥ 0. Then:

**Theorem 1 (essentially** [10, **Theorem 2**]**).** A ∈ **K** + C *iff* (∧Ω) → A ∈ **K** *for some finite set* Ω *of modalized instances of* C*.*
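As a concrete illustration of Theorem 1 (our own example, not from the text): take C = □p → p, so that **K** + C = **KT**, and A = □□p → □p. A single modalized instance with k = 1 suffices:

```latex
% Worked instance of Theorem 1 (illustrative):
%   C = \Box p \to p, \quad A = \Box\Box p \to \Box p, \quad
%   \Omega = \{\, \Box(\Box p \to p) \,\}
\Box(\Box p \to p) \;\to\; (\Box\Box p \to \Box p) \;\in\; \mathbf{K}
% an instance of the normality axiom
% \Box(p \to q) \to (\Box p \to \Box q) with p := \Box p,\ q := p.
```

The instance with k = 0, namely (□p → p) → (□□p → □p), would not do, as it is not a theorem of **K**; this is why modalized instances are needed.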

**Sequent Calculi.** A *sequent* is a pair of finite multisets of formulas written Γ ⇒ Δ. Its *formula interpretation* is ∧Γ → ∨Δ where ∧∅ := ¬⊥ and ∨∅ := ⊥. We say that a sequent is valid in a logic if its formula interpretation is.
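The formula interpretation, including the conventions for empty multisets, can be spelled out directly. The string representation and helper names below are our own illustration, not the paper's notation:

```python
# Formula interpretation of a sequent Γ ⇒ Δ as ∧Γ → ∨Δ, with the
# conventions ∧∅ := ¬⊥ and ∨∅ := ⊥ used above. Formulas are plain
# strings; the helper names are ours.

def conj(gamma):
    return "¬⊥" if not gamma else " ∧ ".join(gamma)

def disj(delta):
    return "⊥" if not delta else " ∨ ".join(delta)

def interpret(gamma, delta):
    return f"({conj(gamma)}) → ({disj(delta)})"

assert interpret([], []) == "(¬⊥) → (⊥)"        # the empty sequent
assert interpret(["p", "q"], ["r"]) == "(p ∧ q) → (r)"
```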

The propositional rules in Fig. 1 constitute a calculus **LK** for classical propositional logic.<sup>1</sup> We obtain the sequent calculi C**K** and C**KT** by adding modal rules from Fig. 1: C**K** extends **LK** with the rule (K), and C**KT** additionally contains the rule (T).


<sup>1</sup> The metavariables in Fig. <sup>1</sup> are chosen such that by enforcing <sup>|</sup>Π<sup>|</sup> = 0 and <sup>|</sup>Δ| ≤ <sup>1</sup> one obtains a calculus for intuitionistic logic. This will be used in Sect. 4.3.

**Fig. 1.** Propositional, modal and structural hypersequent rules.

Derivations in sequent calculi will be denoted by letters α, β. The formula A is said to be derivable in a sequent calculus if the sequent ⇒ A is. A sequent calculus is called *adequate for a logic* if the formulas it derives are exactly the theorems of the logic. Finally, a proof in a sequent calculus is *cutfree* if it does not use the rule (cut), and a sequent calculus *admits cut-elimination* if every sequent provable in it has a cutfree proof. The following is folklore:

**Theorem 2.** *The calculi* C**<sup>K</sup>** *and* C**KT** *are adequate for the modal logics* **K** *and* **KT** *respectively and admit cut-elimination.*

#### **3 Two Systems of Rules**

The similarity of the modal logics **KT**□ and **K5** lies in the fact that they are both 'one step away' from their companion logics **KT** and **S5** respectively. That is, in any shift-reflexive (Euclidean) frame the subframe induced by all worlds reachable from some fixed world is reflexive (totally connected), and is therefore a frame for **KT** (**S5**). We formalize this observation for later reference.

**Theorem 3.** *Let* M *be a Kripke model containing a world* w*, and let* M*<sup>w</sup> be obtained from* M *by restricting* M*'s frame to worlds that are reachable from* w *(using one or more steps) via the accessibility relation. Then:*

1. *Satisfaction of formulas at worlds of* M*<sup>w</sup> coincides with satisfaction in* M*.*
2. *If* M *is shift-reflexive, then* M*<sup>w</sup> is reflexive.*
3. *If* M *is Euclidean, then* M*<sup>w</sup> is totally connected.*

From this one can easily deduce the following known equivalences:

**Theorem 4.** □A ∈ **KT**□ ⇐⇒ A ∈ **KT** *and* □A ∈ **K5** ⇐⇒ A ∈ **S5***.*

Theorem 4 implies that we can use the sequent calculus C**KT** and the hypersequent calculus **HS5** (see Sect. 3.2) to derive formulas in the boxed fragments of **KT**□ and **K5**. But it is not immediate what Theorem 4 tells us about the proofs of theorems in **KT**□ and **K5** that are not prefixed with □, e.g. ¬□p → □¬□p ∈ **K5** or □□p → □p ∈ **KT**□.

#### **3.1 KT**□

We start by describing a simple system of rules for **KT**□, which is obtained by imposing a global constraint on C**KT**-proofs. The crucial notion is the following:

**Definition 1 (grounded** C**KT-proof).** *A proof in* C**KT** *is* grounded *if any lowermost modal inference in it is* (K)*.*

In other words, only those instances of (T) are admitted in a grounded C**KT**-proof that have an instance of (K) below. No exact pairing is required, i.e. the same instance of (K) can 'ground' multiple instances of (T) above it. Figure 2 (left and middle) shows two grounded C**KT**-proofs with the modal rules highlighted.

$$\begin{array}{ccc}
\cfrac{\cfrac{p \Rightarrow p}{\Box p \Rightarrow p}\ (T)}{\Box\Box p \Rightarrow \Box p}\ (K)
&
\cfrac{\cfrac{\cfrac{p \Rightarrow p}{\Box p \Rightarrow p}\ (T)\qquad \cfrac{p \Rightarrow p}{\Box p \Rightarrow p}\ (T)}{\Box p \lor \Box p \Rightarrow p}\ (\lor L)}{\Box(\Box p \lor \Box p) \Rightarrow \Box p}\ (K)
&
\cfrac{\cfrac{\cfrac{\cfrac{p \Rightarrow p}{\;\Rightarrow p \mid \Box p \Rightarrow\;}\ (\Box 5L)}{\;\Rightarrow p \mid\ \Rightarrow \neg\Box p\;}\ (\neg R)}{\;\Rightarrow \Box p, \Box\neg\Box p\;}\ (MM)}{\neg\Box p \Rightarrow \Box\neg\Box p}\ (\neg L)
\end{array}$$

**Fig. 2.** Grounded proofs in C**KT** (left and middle) and in **HS5** (right)

**Theorem 5 (Soundness of grounded** C**KT-proofs).** *If there is a grounded* C**KT***-proof of* Γ ⇒ Δ*, then* Γ ⇒ Δ *is valid in* **KT**□*.*

*Proof.* It suffices to show that the conclusion of an instance of (K) in a C**KT**-proof is valid in **KT**□. Indeed, as the endsequent of a grounded C**KT**-proof is derivable from the conclusions of its lowermost instances of (K) using only propositional rules, it then follows that the endsequent is valid in **KT**□ as well.<sup>2</sup> So let

$$\frac{\Gamma \Rightarrow A}{\Box \Gamma \Rightarrow \Box A} \ (K)$$

<sup>2</sup> Note that if a grounded proof has no instances of (K) at all, then it is essentially a propositional proof, and so the statement is trivial.

be such an instance. As its premise Γ ⇒ A is valid in **KT**, we can use the deduction theorem (Theorem 1) to obtain a finite set Ω of modalized instances of the reflexivity axiom □p → p such that the sequent Ω, Γ ⇒ A is valid in **K**. Then, by (K), also □Ω, □Γ ⇒ □A is valid in **K**. As all formulas in □Ω are modalized instances of the axiom of shift-reflexivity and therefore valid in **KT**□, it follows that the reduced sequent □Γ ⇒ □A is valid in **KT**□.

**Theorem 6 (Cutfree completeness of grounded** C**KT-proofs).** *If* Γ ⇒ Δ *is valid in* **KT**□*, then there is a grounded cutfree* C**KT***-proof of it.*

*Proof.* Let Γ ⇒ Δ be valid in **KT**□. By the deduction theorem there is a finite set Ω of modalized instances of □(□p → p) such that Ω, Γ ⇒ Δ is valid in **K**. We may write Ω as □Ω′, where Ω′ is now a set of modalized instances of □p → p.

Consider a lowermost instance of (K) in a cutfree C**K**-proof α of Ω,Γ ⇒ Δ:

$$\frac{\Omega', \Sigma \Rightarrow A}{\square \Omega', \square \Sigma \Rightarrow \square A} \ (K)$$

Here we assume harmlessly that □Ω′ in the conclusion of (K) contains exactly the antecessors of Ω = □Ω′ in the endsequent, i.e. no contraction or weakening has been applied to a formula in □Ω′ between this instance of (K) and the endsequent. We now construct a cutfree grounded proof as follows. In α, replace the proof of the premise (for all lowermost (K) simultaneously) with a cutfree C**KT**-proof of Σ ⇒ A; this is possible as every formula in Ω′ is valid in **KT**, and moreover **KT** admits cut-elimination. Apply (K) to obtain the sequent □Σ ⇒ □A, and now follow the original proof downwards while removing antecessors of □Ω′ to eventually obtain Γ ⇒ Δ.

#### **3.2 K5**

The system of rules for **K5** will involve a hypersequent calculus for **S5**, so we first introduce some notation. A *hypersequent* is a multiset of sequents written Γ₁ ⇒ Δ₁ | ... | Γₙ ⇒ Δₙ and its (modal) formula interpretation is □(∧Γ₁ → ∨Δ₁) ∨ ... ∨ □(∧Γₙ → ∨Δₙ). We say that a hypersequent is valid in a logic if its formula interpretation is.

There are now two ways of assigning a formula to Γ ⇒ Δ, namely □(∧Γ → ∨Δ) ('boxed') or ∧Γ → ∨Δ ('flat'), depending on whether we treat Γ ⇒ Δ as a one-component hypersequent or as a sequent. To avoid any ambiguity, we will explicitly say in this section that Γ ⇒ Δ is *flat-valid in a logic* **L** if ∧Γ → ∨Δ ∈ **L**. Otherwise, by validity of a hypersequent (possibly with only one component) we always mean the boxed interpretation above. In any modal logic **L** ⊇ **KT** (so in particular, **S5**) we have the equivalence A ∈ **L** ⇐⇒ □A ∈ **L**, and so the notions of valid and flat-valid coincide on sequents. However, we will work in **K5**, where such an equivalence does not apply.
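The boxed and flat readings can be placed side by side concretely; the string encoding and helper names below are our own illustration, not the paper's notation:

```python
# The two readings of Γ ⇒ Δ discussed above: "flat" as ∧Γ → ∨Δ, and
# "boxed" as the interpretation of the one-component hypersequent,
# □(∧Γ → ∨Δ). For a general hypersequent the interpretation is a
# disjunction of boxed implications, one per component.

def conj(g): return "¬⊥" if not g else " ∧ ".join(g)
def disj(d): return "⊥" if not d else " ∨ ".join(d)

def flat(gamma, delta):
    return f"({conj(gamma)}) → ({disj(delta)})"

def boxed_hyperseq(components):
    # components: list of (Γ, Δ) pairs
    return " ∨ ".join(f"□({flat(g, d)})" for g, d in components)

assert flat(["p"], ["q"]) == "(p) → (q)"
assert boxed_hyperseq([(["p"], ["q"])]) == "□((p) → (q))"
```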

**Definition 2.** *The rules of the hypersequent calculus* **HS5** *are as follows:*


$$\frac{\Gamma\_1 \Rightarrow A\_1 \mid \dots \mid \Gamma\_n \Rightarrow A\_n}{\Box \Gamma\_1, \dots, \Box \Gamma\_n \Rightarrow \Box A\_1, \dots, \Box A\_n} \left( MM \right)^\ast$$

There are a number of slightly different hypersequent calculi for **S5** (see the survey [3]) and any of these would be suitable for the system of rules we define below. We use a variant due to Restall [18] as this calculus underlies the grafted hypersequent calculus in [12] to which we later relate.

The only change from [18] is that we include the rule (MM). While redundant—(MM) is derivable from (□5*L*) and (□5*R*)—it will be useful to formulate the system of rules. Note that (MM) has no hypersequent context and so its conclusion is always a sequent. For n = 1 the rule coincides with (K).

**Theorem 7 (**[18]**). HS5** *is adequate for* **S5** *and admits cut-elimination.*

**Definition 3.** *A proof in* **HS5** *is* grounded *if every lowermost modal rule in it is* (MM)*.*

Figure 2 (right) shows a grounded **HS5**-proof of the characteristic **K5**-axiom. While it is formally possible due to (ew) and (ec) that hypersequents with more than one component appear in the lower part of a grounded **HS5**-proof, it is easy to see that this is never necessary. We will therefore tacitly assume that Definition 3 is extended by the clause: *. . . and every hypersequent that is not above an instance of* (MM) *has exactly one component.* The following Lemma will give us the soundness of grounded **HS5**-proofs.

**Lemma 1.** *If the premise of an instance of* (MM) *is valid in* **S5***, then its conclusion is flat-valid in* **K5***.*

*Proof.* Assume contrapositively that the conclusion □Γ₁, ..., □Γₙ ⇒ □A₁, ..., □Aₙ is not flat-valid in **K5**. Then (∧*<sup>i</sup>*≤*<sup>n</sup>*∧□Γ*<sup>i</sup>*) → (∨*<sup>i</sup>*≤*<sup>n</sup>*□A*<sup>i</sup>*) fails at a world w of a Euclidean model M. In particular, there are worlds v₁, ..., vₙ accessible from w such that v*<sup>i</sup>* satisfies every formula in Γ*<sup>i</sup>* but falsifies A*<sup>i</sup>*. Now we use Theorem 3. Pick an arbitrary world v in M*<sup>w</sup>* (say, v₁). As M*<sup>w</sup>* is totally connected, every world v₁, ..., vₙ is accessible from v. Hence □(∧Γ*<sup>i</sup>* → A*<sup>i</sup>*) fails at v for every i ≤ n, and consequently so does ∨*<sup>i</sup>*≤*<sup>n</sup>*□(∧Γ*<sup>i</sup>* → A*<sup>i</sup>*), which is the (boxed) interpretation of the premise Γ₁ ⇒ A₁ | ... | Γₙ ⇒ Aₙ of (MM). Since M*<sup>w</sup>* is totally connected, it follows that this hypersequent is not valid in **S5**.
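The semantic reasoning in Lemma 1 can be sanity-checked on a small concrete model. The three-world Euclidean model, the valuation and the evaluator below are our own illustration (not from the paper); the script checks Euclideanness and then verifies that the characteristic **K5** axiom ¬□p → □¬□p holds at every world.

```python
# A small Euclidean Kripke model and a naive formula evaluator.
# Formulas are nested tuples: ("var", x), ("not", f), ("imp", f, g), ("box", f).

W = ["w", "v1", "v2"]
R = {("w", "v1"), ("w", "v2"),
     ("v1", "v1"), ("v1", "v2"), ("v2", "v1"), ("v2", "v2")}
V = {"p": {"v1"}}  # p holds at v1 only

def holds(world, f):
    op = f[0]
    if op == "var":
        return world in V[f[1]]
    if op == "not":
        return not holds(world, f[1])
    if op == "imp":
        return (not holds(world, f[1])) or holds(world, f[2])
    if op == "box":
        return all(holds(v, f[1]) for (u, v) in R if u == world)
    raise ValueError(op)

# Euclideanness: wRv and wRu imply vRu.
assert all((v, u) in R for (w1, v) in R for (w2, u) in R if w1 == w2)

p = ("var", "p")
ax5 = ("imp", ("not", ("box", p)), ("box", ("not", ("box", p))))
assert all(holds(w, ax5) for w in W)
```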

**Theorem 8 (soundness of grounded HS5-proofs).** *If there is a grounded* **HS5***-proof of* Γ ⇒ Δ*, then* Γ ⇒ Δ *is flat-valid in* **K5***.*

*Proof.* Similar to the proof of Theorem 5. The endsequent Γ ⇒ Δ of a grounded proof is derivable from the conclusions of instances of (MM) using only propositional inferences. As these conclusions are flat-valid in **K5** by Lemma 1, the same follows<sup>3</sup> for Γ ⇒ Δ.

<sup>3</sup> Note that propositional rules preserve both validity and flat-validity.

We now turn to the cutfree completeness of grounded **HS5**-proofs. This will again be derived from the deduction theorem and cut-elimination for C**K** and **HS5**. The situation in **K5** is more complicated than in **KT**□ for the following reason: the outermost connective of the axiom □(□p → p) is a □, and thus the first (read bottom-up) rule that will be applied to it when used as an assumption in a C**K**-proof is (K), i.e. the very rule that separates the top from the bottom part in our system of rules. In contrast, the outermost connective of ¬□p → □¬□p is →. So if we follow an occurrence of the axiom upwards in the proof, it will first be split into two different parts □p and □¬□p via (→*L*) and (¬*R*) that only later encounter a modal rule. Thus at the part of the proof where we want to introduce the rule (MM) to obtain a system of rules, the constituent formulas of the axiom instances have been scattered among the branches of the C**K**-proof. In a first step, we use the hypersequent structure to bring these scattered axiom parts back together.

**Lemma 2.** *The following rule is admissible in* **S5***:*

$$\frac{\mathcal{H}\mid C,\varGamma\_1 \Rightarrow \varDelta\_1 \qquad \mathcal{H}\mid \neg\square C,\varGamma\_2 \Rightarrow \varDelta\_2}{\mathcal{H}\mid \varGamma\_1 \Rightarrow \varDelta\_1\mid \varGamma\_2 \Rightarrow \varDelta\_2}$$

*Proof.* The rule can easily be shown to be sound using the Kripke semantics of **S5**. It can also be derived from the generalised rule for cuts on boxed formulas that Avron uses in his proof [2] of cut-elimination for **S5**.

$$\begin{array}{ccc}
\cfrac{C, \Gamma\_1 \Rightarrow A\_1}{\Box C, \Box\Gamma\_1 \Rightarrow \Box A\_1}\ (K)
\quad
\cfrac{\neg\Box C, \Gamma\_2 \Rightarrow A\_2}{\Box\neg\Box C, \Box\Gamma\_2 \Rightarrow \Box A\_2}\ (K)
& \leadsto &
\cfrac{\cfrac{C, \Gamma\_1 \Rightarrow A\_1 \qquad \neg\Box C, \Gamma\_2 \Rightarrow A\_2}{\Gamma\_1 \Rightarrow A\_1 \mid \Gamma\_2 \Rightarrow A\_2}\ \text{Lemma 2}}{\Box\Gamma\_1, \Box\Gamma\_2 \Rightarrow \Box A\_1, \Box A\_2}\ (MM)
\end{array}$$

**Fig. 3.** Constructing a grounded **HS5**-proof

At this point we can already illustrate how the grounded **HS5**-proof will be constructed in a very simple case (see Fig. 3). Here we start from a cutfree C**K**-proof using only a single non-modalized axiom instance ¬□C → □¬□C. After breaking up the axiom into the two parts □C and □¬□C using invertible rules, both parts are traced upwards in their respective branches $\alpha_1$ and $\alpha_2$ until they are principal in an inference of (K). The premises of these two (K)-inferences are then rejoined using Lemma 2 into a single hypersequent, thereby eliminating the axiom parts. Below this hypersequent we can simulate both proofs $\alpha_1, \alpha_2$ (this time omitting the axiom parts) to arrive at the desired Γ ⇒ Δ.

To deal with the general case, we need to extend Lemma 2. For this we introduce some notation: given an index set $I = \{1,\ldots,n\}$ we write $\Gamma, \{C_i\}_{i \in I} \Rightarrow \Delta$ for the sequent $\Gamma, C_1,\ldots,C_n \Rightarrow \Delta$, and $\mathcal{H} \mid [\Gamma_i \Rightarrow \Delta_i]_{i \in I}$ for the hypersequent $\mathcal{H} \mid \Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_n \Rightarrow \Delta_n$.

**Lemma 3.** *Let* {C*<sup>i</sup>* | i ∈ I} *be a set of formulas. If the hypersequent*

$$\mathcal{H} \mid \{C\_j\}\_{j \in J}, \{\neg \Box C\_k\}\_{k \in I \backslash J}, \Gamma\_J \Rightarrow \Delta\_J$$

*is valid in* **S5** *for all* $J \subseteq I$*, then so is* $\mathcal{H} \mid [\Gamma_J \Rightarrow \Delta_J]_{J \subseteq I}$*.*

*Proof.* By induction on $|I|$. For $I = \emptyset$ the statement is trivial. Thus let $i_0 \in I$. For $J \subseteq I$ we call $S_J$ the hypersequent

$$\mathcal{H} \mid \{C\_j\}\_{j \in J}, \{\neg \Box C\_k\}\_{k \in I \backslash J}, \Gamma\_J \Rightarrow \Delta\_J.$$

For any $J \subseteq I$ with $i_0 \in J$ and $L \subseteq I \setminus \{i_0\}$ we apply Lemma 2 (with $C := C_{i_0}$) to $S_J$ and $S_L$, obtaining

$$\mathcal{H} \mid \{C_j\}_{j \in J \setminus \{i_0\}}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma_J \Rightarrow \Delta_J \mid \{C_l\}_{l \in L}, \{\neg\Box C_m\}_{m \in (I \setminus L) \setminus \{i_0\}}, \Gamma_L \Rightarrow \Delta_L$$

Call $S^*_J$ the component with right hand side $\Delta_J$. Keeping $J$ fixed while letting $L \subseteq I \setminus \{i_0\}$ vary, we can use the induction hypothesis to obtain the hypersequent

$$\mathcal{H} \mid S\_J^\* \mid [\varGamma\_L \Rightarrow \varDelta\_L]\_{L \subseteq I \backslash \{i\_0\}}.$$

By another application of the induction hypothesis, now letting $J$ vary across the subsets of $I$ containing $i_0$ (in other words: letting $J'$ vary across subsets of $I \setminus \{i_0\}$ and setting $J := J' \cup \{i_0\}$), we obtain

$$\mathcal{H} \mid [\varGamma\_J \Rightarrow \Delta\_J]\_{J \subseteq I, i\_0 \in J} \mid [\varGamma\_L \Rightarrow \Delta\_L]\_{L \subseteq I \backslash \{i\_0\}}$$
  $\text{i.e. } \mathcal{H} \mid [\varGamma\_J \Rightarrow \Delta\_J]\_{J \subseteq I}$ .
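To see the combinatorics at work, here is the instance $|I| = 2$ of Lemma 3 written out (our own illustration; the context $\mathcal{H}$ is carried along unchanged): if the four hypersequents

$$\mathcal{H} \mid C_1, C_2, \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}} \qquad \mathcal{H} \mid C_1, \neg\Box C_2, \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}} \qquad \mathcal{H} \mid \neg\Box C_1, C_2, \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}} \qquad \mathcal{H} \mid \neg\Box C_1, \neg\Box C_2, \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset}$$

are valid in **S5**, then so is $\mathcal{H} \mid \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}} \mid \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}} \mid \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}} \mid \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset}$.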

Note that Lemma 2 is the instance of Lemma 3 where |I| = 1. We can now prove the completeness theorem.

**Theorem 9 (Cutfree completeness of grounded HS5-proofs).** *If* Γ ⇒ Δ *is flat-valid in* **K5***, then there is a cutfree grounded* **HS5***-proof of it.*

*Proof.* Let Γ ⇒ Δ be flat-valid in **K5**. By the deduction theorem, there is a set Ω of modalized instances of ¬□p → □¬□p such that Ω, Γ ⇒ Δ is flat-valid in **K**, and therefore has a cutfree C**K**-proof α. We can write Ω as $\Box\Omega_1 \cup \{\neg\Box C_i \to \Box\neg\Box C_i\}_{i \in I}$, where $\Box\Omega_1$ contains the modalized instances of the axiom with at least one box. By standard invertibility results in C**K**, we may assume that the lowermost inferences in α are (→*L*) and (¬*R*) applied to all axioms $\neg\Box C_i \to \Box\neg\Box C_i$. In this way, we obtain $2^{|I|}$-many premises, which can succinctly be described as follows: for every $J \subseteq I$, we have a premise $T_J$ containing the (negated) antecedents of all axioms with index $j \in J$ and the consequents of all other axioms, i.e.

$$T\_J := \Box \Omega\_1, \{\Box C\_j\}\_{j \in J}, \{\Box \neg \Box C\_k\}\_{k \in I\backslash J}, \Gamma \Rightarrow \Delta.$$
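For instance (our illustration), with a single index $I = \{1\}$ the two premises are

$$T_{\{1\}} = \Box\Omega_1, \Box C_1, \Gamma \Rightarrow \Delta \qquad T_{\emptyset} = \Box\Omega_1, \Box\neg\Box C_1, \Gamma \Rightarrow \Delta,$$

arising from the two premises generated by (→*L*), followed by (¬*R*) on its left premise, applied to $\neg\Box C_1 \to \Box\neg\Box C_1$.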

We now fix cutfree C**K**-proofs $\alpha_J$ of $T_J$ for every $J \subseteq I$. Letting $P_J$ denote the number of lowermost inferences of (K) in $\alpha_J$, we enumerate them as

$$\frac{\Omega\_1, \{C\_j\}\_{j \in J}, \{\neg \Box C\_k\}\_{k \in I \backslash J}, \Gamma\_J^p \Rightarrow A\_J^p}{\Box \Omega\_1, \{\Box C\_j\}\_{j \in J}, \{\Box \neg \Box C\_k\}\_{k \in I \backslash J}, \Box \Gamma\_J^p \Rightarrow \Box A\_J^p} \ (K)\_J^p$$

where $0 < p \le P_J$. Once again we assume harmlessly that the modalized axiom instances and their parts in the antecedent have not been subject to contraction or weakening. Let us assume moreover that $P_J \neq 0$ for all $J \subseteq I$, i.e. that there is at least one instance of (K) in every $\alpha_J$, as the other case is very simple.<sup>4</sup>

As the premise of $(K)^p_J$ is flat-valid in **K** and every formula in $\Omega_1$ is valid in **S5**, it follows that the sequent

$$S\_J^p := \{C\_j\}\_{j \in J}, \{\neg \Box C\_k\}\_{k \in I \backslash J}, \Gamma\_J^p \Rightarrow A\_J^p$$

is flat-valid, and therefore also valid, in **S5**. Define $F := \{f : \mathcal{P}(I) \to \mathbb{N} \mid 0 < f(J) \le P_J\}$ and fix one $f \in F$. We think of $f$ as choosing one specific lowermost instance $(K)^{f(J)}_J$ in every $\alpha_J$. The family $\{S^{f(J)}_J\}_{J \subseteq I}$ is such that Lemma 3 is applicable to it, and therefore the following hypersequent is valid in **S5**:

$$\mathcal{H}^f := [\Gamma\_J^{f(J)} \Rightarrow A\_J^{f(J)}]\_{J \subseteq I}$$

We now construct the grounded **HS5**-proof. Fix cutfree **HS5**-proofs <sup>β</sup>*<sup>f</sup>* of <sup>H</sup>*<sup>f</sup>* for every <sup>f</sup> ∈ F. Below each <sup>β</sup>*<sup>f</sup>* apply (MM) to obtain the sequent

$$\{\Box \Gamma_J^{f(J)}\}_{J \subseteq I} \Rightarrow \{\Box A_J^{f(J)}\}_{J \subseteq I}.$$

Letting J1, J2,... be an enumeration of P(I), we focus on the subfamily of sequents

$$\{\Box \Gamma_J^{f(J)}\}_{J \subseteq I,\, J \neq J_1}, \Box \Gamma_{J_1}^{p} \Rightarrow \Box A_{J_1}^{p}, \{\Box A_J^{f(J)}\}_{J \subseteq I,\, J \neq J_1}$$

for fixed $f \in F$ and varying $0 < p \le P_{J_1}$. In other words, we consider all possible values of $f$ on $J_1$ while keeping the other values fixed. Now observe that these $P_{J_1}$-many sequents look similar to the conclusions of the instances $(K)^p_{J_1}$ where $0 < p \le P_{J_1}$, only that the axiom parts have been replaced. We can therefore simulate<sup>5</sup> the proof $\alpha_{J_1}$ below these sequents, obtaining

$$\{\Box \Gamma\_J^{f(J)}\}\_{J \subseteq I, J \neq J\_1}, \Gamma \Rightarrow \Delta, \{\Box A\_J^{f(J)}\}\_{J \subseteq I, J \neq J\_1}$$

instead of the original endsequent $T_{J_1}$ of $\alpha_{J_1}$. Starting from this new family of sequents (for all $f \in F$), we can repeat the above steps, simulating the proofs $\alpha_{J_2}, \alpha_{J_3}, \alpha_{J_4}, \ldots$ until we eventually arrive at the sequent Γ, ..., Γ ⇒ Δ, ..., Δ, from which we obtain Γ ⇒ Δ by contraction. 

<sup>4</sup> Assume (K) is never applied in $\alpha_J$. Then no modal formula is ever principal in $\alpha_J$ (note here that modal formulas do not appear in initial sequents, which we require to be atomic). It is then easy to see that the modal formulas in the conclusion of $\alpha_J$ can simply be removed to obtain a (still cutfree) C**K**-proof of Γ ⇒ Δ. This proves the theorem, as a cutfree C**K**-proof is also a cutfree grounded **HS5**-proof.

<sup>5</sup> Note that $\alpha_{J_1}$ has only propositional inferences below $(K)^p_{J_1}$, so we do not have to worry about the changed contexts breaking some instance of (K).

#### **3.3 Grounded Proofs and Grafted Hypersequents**

In [12] calculi for the logics **KT**□ and **K5** are defined. These build on the notion of a *grafted hypersequent* $\Gamma \Rightarrow \Delta \mid\mid \Sigma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Sigma_n \Rightarrow \Delta_n$, consisting of a sequent Γ ⇒ Δ called the *trunk* and a hypersequent $\Sigma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Sigma_n \Rightarrow \Delta_n$ called the *crown*. If the crown is empty, we write Γ ⇒ Δ instead of Γ ⇒ Δ ||. A grafted hypersequent corresponds to the modal formula $(\bigwedge\Gamma \to \bigvee\Delta) \vee \bigvee_{i=1}^{n} \Box(\bigwedge\Sigma_i \to \bigvee\Delta_i)$, i.e. one combines the flat interpretation of the trunk with the boxed interpretation of the crown. As pointed out in [12], grafted hypersequents are a restricted form of *nested sequents*.
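For instance (our own illustration, reading an empty antecedent as ⊤), the grafted hypersequent

$$p \Rightarrow q \;\mid\mid\; r \Rightarrow s \;\mid\; \Rightarrow t$$

corresponds to the formula $(p \to q) \vee \Box(r \to s) \vee \Box t$.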

We can now compare our systems of grounded proofs with the calculi in [12]. Let us first consider the grafted hypersequent calculus R**K5** for **K5**. We refer to [12, Figs. 1 and 2] for a complete list of the rules. The following presentation should suffice for our purposes:


$$\frac{\Gamma \Rightarrow \Delta \mid \mid \mathcal{H} \mid \Rightarrow A}{\Gamma \Rightarrow \Delta, \Box A \mid \mid \mathcal{H}} \left(\Box\_R\right) \quad \frac{\Gamma \Rightarrow \Delta \mid \mid \mathcal{H} \mid \Sigma, A \Rightarrow \Pi}{\Gamma, \Box A \Rightarrow \Delta \mid \mid \mathcal{H} \mid \Sigma \Rightarrow \Pi} \left(\Box\_L\right)$$

A grounded **HS5**-proof can be translated into a proof in R**K5** as follows:


$$\frac{\Gamma_1 \Rightarrow A_1 \mid \ldots \mid \Gamma_n \Rightarrow A_n}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow \Box A_1, \ldots, \Box A_n}\ (MM) \quad\leadsto\quad \dfrac{\dfrac{\;\Rightarrow\; \mid\mid\; \Gamma_1 \Rightarrow A_1 \mid \ldots \mid \Gamma_n \Rightarrow A_n}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow\; \mid\mid\; \Rightarrow A_1 \mid \ldots \mid\; \Rightarrow A_n}\ \text{some } (\Box_L)\text{'s}}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow \Box A_1, \ldots, \Box A_n}\ \text{some } (\Box_R)\text{'s}$$

The grafted hypersequent calculus R**KT** for the logic of shift-reflexive frames is defined similarly; here it is only componentwise applications of C**KT**-rules that are admitted in the crown (it follows that one only needs crowns with one component). An analogous translation from grounded C**KT**-proofs to R**KT** can be defined. The translated proofs satisfy a normal form that already appears in [12, see Def. 4.3].

As the translation described above does not introduce cuts, and as there are cutfree grounded proofs for all theorems of **KT**□ (Theorem 6) and **K5** (Theorem 9), we immediately obtain a new proof of the following (first established in [12] via a syntactic reduction procedure):

**Theorem 10.** R**K5** *and* R**KT** *admit cut elimination.*

## **4 Strongly Modular Proofs of Cut-Elimination**

The method of the previous section can be summarized as follows: aiming to show Γ ⇒ Δ in an extended system (**KT**□ or **K5**), we start from a cutfree C**K**-proof α of Ω, Γ ⇒ Δ for some modalized axiom instances Ω of the extended logic. Then we inspect α and replace some parts of it with cutfree proofs in C**KT** or **HS5**, in this way getting rid of the axiom instances in Ω and thereby obtaining a cutfree 'grounded' proof of Γ ⇒ Δ.

We emphasize the following: *at no point in the argument did one need to understand how cut-elimination for* C**K**, C**KT** *and* **HS5** *is established*. In other words, these cut-elimination results are used as 'black boxes' in the proof. Let us introduce the following informal terminology: a proof of cut-elimination is *strongly modular* if it uses previously established cut-elimination theorems only as black boxes, relying solely on their statements, and *weakly modular* if it relies on the details of how those results are proved.


Our proofs of Theorem 6 and Theorem 9 are strongly modular in this sense. We are not aware of other such proofs in the literature.<sup>6</sup> On the other hand, weakly modular proofs are numerous: one might for example argue for cut-elimination in C**KT** by describing how the reduction steps in the cut-elimination algorithm for C**K** have to be extended to accommodate the additional rule (T).<sup>7</sup> The disadvantage of this approach is of course that the reader has to know the algorithm for C**K**. If such a proof were to be formalised, one would have to copy and extend the complete formalisation of the proof for C**K**, instead of using C**K**'s already established cut-elimination as a lemma in the formalised proof for C**KT**. The most successful attempts at modularity in cut-elimination have been proofs that are parametrized over a specific class of axioms or rules (e.g. [4,8,13,17]).

We believe strongly modular proofs of cut-elimination are interesting and deserve further study. They have the potential of being both shorter<sup>8</sup> and more reliable through the reuse of already established theorems. Moreover, given the general significance of cut-elimination, any method for obtaining it is important.

Of course, with only two<sup>9</sup> examples at hand there is the possibility that we have encountered a 'happy coincidence' rather than a general idea. Indeed the situation of **KT**□ and **K5** is quite special in that they are sandwiched between logics with cutfree calculi, i.e. **K** ⊆ **KT**□ ⊆ **KT** and **K** ⊆ **K5** ⊆ **S5**, and the gap to the 'upper logic' **KT** or **S5** is very small in a precise sense (Theorem 4).

In the remainder of this article we sketch an idea that could be useful for obtaining strongly modular proofs of cut-elimination for other logics. We conduct

<sup>6</sup> We do not count proofs using cutfreeness of another calculus for the *same* logic, or a conservative extension thereof.

<sup>7</sup> Also, a *weakly modular* proof of cut-elimination for grounded **KT**-proofs is obtained by observing that all reduction steps in C**KT**'s cut-elimination preserve groundedness.

<sup>8</sup> E.g., compare our proof for **K5** with the one in the grafted hypersequent calculus [12].

<sup>9</sup> Side remark: the result for **KT**□ also applies to all modal logics **K** + □C where **K** + C has a cutfree calculus.

the discussion in a semi-formal style. While there will not be enough evidence for a 'general method', we do present two further examples where a strongly modular proof is possible: The modal logic **KD** (using cut-elimination in **K**) and the intermediate logic **LQ** (using cut-elimination in intuitionistic logic).

#### **4.1 Calculi with Ghost Rules**

We start from the general situation that **L** ⊆ **M** where **L** is some logic with a cutfree sequent calculus C**L**. We seek a calculus for **M** that admits a strongly modular proof of cut-elimination, relative to cut-elimination in C**L**. We additionally assume that a deduction theorem holds between **L** and **M**. That is, a sequent Γ ⇒ Δ is valid in **M** iff Ω,Γ ⇒ Δ is valid (and therefore cutfree provable) in **L** for a suitable set of formulas Ω.

Our proofs of the completeness theorems (Theorems 6 and 9) suggest that we should attempt to construct a cutfree **M**-proof of Γ ⇒ Δ by somehow transforming a cutfree C**L**-proof α of Ω, Γ ⇒ Δ. One naive transformation immediately springs to mind: can we simply take α and remove all occurrences of the formulas in Ω and their ancestors in α to obtain a cutfree proof α† of Γ ⇒ Δ?

The first question then is: in what system does α† qualify as a proof? Clearly, removing formulas from inferences in C**L** creates unsound rules. In a first step, we therefore extend C**L** with *ghost rules*: these are rules in which the principal formula in the conclusion and its ancestors in the premises have been removed. For example, the ghost rules corresponding to (∧*R*) and (K) are

$$\frac{\Gamma \Rightarrow \Delta \qquad \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta} \ (\wedge\_R)^\dagger \quad \text{and} \quad \frac{\Gamma \Rightarrow}{\Box \Gamma \Rightarrow} (K)^\dagger.$$

Different rules can have the same ghost rule, e.g. (∧*R*)† = (∨*L*)†. Some ghost rules, e.g. (∧*L*)†, are 'dummy inferences' Γ ⇒ Δ/Γ ⇒ Δ that we do not add to the system. If C**L** has initial sequents p ⇒ p, then one or both occurrences of p can be ancestors of Ω, and thus we need the following ghost initial sequents:

$$\frac{}{\;\Rightarrow p\;}\ (*\Rightarrow)^\dagger \qquad \frac{}{\;p \Rightarrow\;}\ (\Rightarrow *)^\dagger \qquad \frac{}{\;\Rightarrow\;}\ (*\Rightarrow *)^\dagger$$

Letting C†**L** denote the calculus extended by such ghost inferences, we see that α† is (up to dummy inferences) a cutfree C†**L**-proof of Γ ⇒ Δ. More generally, we infer from the deduction theorem that every sequent valid in **M** has a cutfree proof in C†**L**. But of course, C†**L** also has many derivations which do not correspond to proofs in **M**.
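The passage from α to α† can be mimicked concretely. The following toy Python sketch (our own illustration, not part of the paper's formal development; the dictionary representation and marking convention are ours) represents proofs as nested dictionaries, marks ancestors of Ω with a `*` prefix, and computes the ghost proof, turning inferences whose principal formula was marked into ghost rules and dropping the resulting dummy inferences:

```python
# Toy model of the ghosting transformation alpha -> alpha^dagger.
# Formulas are strings; ancestors of Omega carry a '*' prefix.

def ghost(proof):
    """Delete all '*'-marked formulas; an inference whose principal
    formula was marked becomes a ghost rule (marked with a dagger),
    and one-premise ghost rules that change nothing are dropped as
    dummy inferences."""
    left = [f for f in proof["left"] if not f.startswith("*")]
    right = [f for f in proof["right"] if not f.startswith("*")]
    marked = proof.get("principal", "").startswith("*")
    premises = [ghost(p) for p in proof.get("premises", [])]
    if marked and len(premises) == 1 and \
            premises[0]["left"] == left and premises[0]["right"] == right:
        return premises[0]  # dummy inference: skip this node entirely
    rule = proof["rule"] + ("†" if marked else "")
    return {"left": left, "right": right, "rule": rule, "premises": premises}

# Example: the (K) inference  p => bot / □p => □bot,  with □bot an
# ancestor of Omega; ghosting yields p => / □p =>, i.e. the rule (D).
alpha = {
    "left": ["□p"], "right": ["*□⊥"], "rule": "(K)", "principal": "*□⊥",
    "premises": [{
        "left": ["p"], "right": ["*⊥"], "rule": "(w)", "principal": "*⊥",
        "premises": [{"left": ["p"], "right": [], "rule": "hyp",
                      "premises": []}],
    }],
}
print(ghost(alpha))
```

Running the sketch, the root inference becomes a (K)† step from p ⇒ to □p ⇒, while the ghosted weakening turns into a dummy inference and disappears.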

**Definition 4.** *A class* P *of* C†**L***-proofs is* cutfree-adequate for **M** *if the endsequent of every* P*-proof is valid in* **M** *('soundness') and there is a cutfree* P*-proof of every* **M***-valid sequent ('completeness').*

Let us informally call a C†**L**-proof of Γ ⇒ Δ **M***-revivable* if we can insert formulas and inferences into it to obtain a C**L**-proof of Ω, Γ ⇒ Δ, where Ω is a set of **M**-valid formulas. The proof α† from the above discussion is the typical example of an **M**-revivable proof.

By the deduction theorem and cut-elimination in C**L** it follows that the **M**-revivable proofs in C†**L** form a cutfree-adequate class for **M**.<sup>10</sup> So what we have obtained is indeed a strongly modular proof of cut-elimination for the system of **M**-revivable C†**L**-proofs. The property of being **M**-revivable can be seen as a global correctness condition on C†**L**-proofs, and therefore constitutes—in its broadest interpretation—a system of rules for C†**L**. But of course this observation is rather<sup>11</sup> useless in practice unless we can express the property of being revivable in simpler terms, say via a condition on the order in which rules are applied.

To conclude this article, we now discuss two logics—**KD** and **LQ**—where this is the case. Their similarity lies in the fact that they admit a very strong version of the deduction theorem, and this will allow us to express their notions of 'revivability' in fairly simple terms. In doing so, we obtain both a system of rules and a strongly modular proof of cut-elimination.

#### **4.2 K ⊆ KD**

The modal logic **KD** is the extension of **K** by the seriality axiom ¬□⊥; in terms of the Kripke semantics, ¬□⊥ enforces that every world has at least one successor. It is well-known (see, e.g., [13]) that extending C**K** with the rule

$$\frac{\Gamma \Rightarrow}{\Box \Gamma \Rightarrow} (D)$$

yields a sequent calculus C**KD** for **KD** admitting cut-elimination. We now present a new proof of cut-elimination for **KD** that is strongly modular.
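The semantic reading of the seriality axiom is easy to check mechanically. The following small Python sketch (our own illustration; the function names are ours) evaluates ¬□⊥ on a finite Kripke frame: □⊥ holds exactly at dead ends, so ¬□⊥ holds at every world iff the frame is serial:

```python
# Evaluate the seriality axiom ¬□⊥ on a finite Kripke frame given as a
# set of pairs R; □⊥ is true at a world iff it has no R-successor.

def holds_not_box_bot(w, R):
    """True iff ¬□⊥ holds at world w, i.e. w has an R-successor."""
    return any(u == w for (u, _) in R)

def is_serial(worlds, R):
    """A frame validates ¬□⊥ iff every world has a successor."""
    return all(holds_not_box_bot(w, R) for w in worlds)

serial = {(0, 1), (1, 1)}   # every world sees some world
dead_end = {(0, 1)}         # world 1 sees nothing

print(is_serial({0, 1}, serial))     # True
print(is_serial({0, 1}, dead_end))   # False
```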

As the seriality axiom contains no variables, its modalized instances are exactly the formulas $\Box^k \neg\Box\bot$ for k ≥ 0. Following the methodology sketched in the previous section, we now extend C**K** to a calculus C†**K** with ghost rules. Crucially, the ghost rule (K)† coincides with the rule (D) above.

**Theorem 11.** *Those proofs in* C†**K** *whose only ghost rule is* (K)† *form a cutfree-adequate class for* **KD**.

*Proof.* Let us first deal with completeness. If Γ ⇒ Δ is valid in **KD**, then there is a set Ω of modalized instances of ¬□⊥ such that Ω, Γ ⇒ Δ has a C**K**-proof α. Using cut-elimination in C**K**, we may assume that α is cutfree. As there is no right rule for ⊥, the only C**K**-rules that can be applied in α to an ancestor of a modalized instance of ¬□⊥ in Ω are (¬*L*) and (K). Now obtain α† by removing Ω and all its ancestors from the proof. As (¬*L*)† is a dummy rule, the only ghost rule we need to create is (K)†. Thus α† is as desired.

<sup>10</sup> The idea of systematically replacing systems of rules with axiom instances in order to prove *soundness* already appears in [16].

<sup>11</sup> One could maybe make the following remark: when looking for a simple cut-free sequent calculus that, endowed with *some* global correctness criterion, captures the logic **M**, one does not have to look further than C†**L**.

We now turn to soundness. For this we have to 'revive' a C†**K**-proof β of Γ ⇒ Δ whose only ghost rule is (K)†. This is done as follows:

$$\frac{\Gamma \Rightarrow}{\Box\Gamma \Rightarrow}\ (K)^\dagger \quad\leadsto\quad \dfrac{\dfrac{\dfrac{\Gamma \Rightarrow}{\Gamma \Rightarrow \bot}\ (w)}{\Box\Gamma \Rightarrow \Box\bot}\ (K)}{\Box\Gamma, \neg\Box\bot \Rightarrow}\ (\neg_L)$$

Now propagate the newly added ¬□⊥ downwards in the proof. We will have to add □'s in front of it whenever we encounter the rule (K). Doing so for all instances of (K)†, we eventually obtain a C**K**-proof of Ω, Γ ⇒ Δ where Ω contains modalized instances of ¬□⊥. Thus Γ ⇒ Δ is valid in **KD**. 
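To spell out the propagation step (our illustration): passing the new formula through an instance of (K) below it prefixes it with a box,

$$\frac{\Gamma', \neg\Box\bot \Rightarrow A}{\Box\Gamma', \Box\neg\Box\bot \Rightarrow \Box A}\ (K)$$

so after passing k such inferences the formula has become $\Box^k \neg\Box\bot$, which is again a modalized instance of the seriality axiom.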

As restricting the ghost inferences in C†**K** to (K)† yields exactly C**KD**, we have obtained a new (and strongly modular) proof of cut-elimination for C**KD**.

#### **4.3 IL ⊆ LQ**

For our final example, we leave the realm of modal logics and consider an intermediate logic instead. **LQ** extends **IL** by the law of *weak excluded middle* ¬p ∨ ¬¬p; it is known [11] that the following deduction theorem holds: $A \in \mathbf{LQ} \iff \bigwedge_{i \le n}(\neg p_i \vee \neg\neg p_i) \to A \in \mathbf{IL}$, where $p_1,\ldots,p_n$ are the variables occurring in A. Let C**IL** be the single-conclusion calculus obtained from the first group of rules in Fig. 1 by stipulating that |Π| = 0 and |Δ| ≤ 1. C**IL** is adequate for **IL** and admits cut-elimination.
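As an illustration (our own example): for a formula A in the two variables p, q, the deduction theorem reads

$$A \in \mathbf{LQ} \iff \big((\neg p \vee \neg\neg p) \wedge (\neg q \vee \neg\neg q)\big) \to A \in \mathbf{IL},$$

so only instances of weak excluded middle at the *variables* of A are needed, not at arbitrary subformulas.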

**Definition 5.** *A proof in* C† **IL** *is* **LQ***-grounded if the following holds:*

- *every ghost initial sequent* p ⇒ *(resp.* ⇒ p*, resp.* ⇒*) appears in exactly one* $L_i$ *(resp. exactly one* $R_i$*, resp. exactly one* $R_i$ *and exactly one* $L_j$*);*
- *no two distinct variables appear in connected components, where being connected is the reflexive, transitive and symmetric closure of the relation* $L_i \sim R_j \iff i = j \vee L_i \cap R_j \neq \emptyset$*;*
- *every branch of the proof containing a sequent in* $L_i$ *(resp.* $R_i$*) goes through the left (right) premise of* $(\vee_L)^\dagger_i$*. If it goes through the right premise, it contains a sequent with empty right hand side above* $(\vee_L)^\dagger_i$*.*

Figure 4 (middle) shows a simple **LQ**-grounded proof where n = 1.

#### **Theorem 12.** *The class of* **LQ***-grounded* C† **IL***-proofs is cutfree-adequate for* **LQ***.*

*Proof. (Sketch).* Completeness is similar to Theorem 11; **LQ**'s special deduction theorem restricts the necessary ghost inferences to initial sequents and $(\vee_L)^\dagger$.

We now show soundness by 'reviving' an **LQ**-grounded proof of Γ ⇒ Δ. Start by adding variables and (¬*L*)-inferences to the ghost initial sequents as follows:

$$(p \Rightarrow) \in L\_i \leadsto (\frac{p \Rightarrow p^{L\_i}}{p, \neg p^{L\_i} \Rightarrow}) \quad (\Rightarrow p) \in R\_i \leadsto (p^{R\_i} \Rightarrow p) \quad (\Rightarrow) \in L\_i \cap R\_j \leadsto (\frac{p^{R\_j} \Rightarrow p^{L\_i}}{p^{R\_j}, \neg p^{L\_i} \Rightarrow})$$

The superscripts act only as markers, i.e. $p, p^{R_i}, p^{L_i}$ denote the same variable. In replacing (⇒) ∈ $L_i \cap R_j$ we add the variable p from a component connected to $L_i$ or $R_j$ (unique if it exists) and an arbitrary variable otherwise; in the other cases the choice of the added variable is forced by the preexisting p. The $\neg p^{L_i}$'s are then propagated downwards until the left premise of $(\vee_L)^\dagger_i$. The $p^{R_i}$'s are propagated downwards until we encounter the first sequent Σ ⇒ with empty right hand side, at which point we introduce double negations:

$$(\Sigma \Rightarrow) \leadsto \left(\dfrac{\dfrac{\Sigma, p^{R_i} \Rightarrow}{\Sigma \Rightarrow \neg p^{R_i}}}{\Sigma, \neg\neg p^{R_i} \Rightarrow}\right)$$

Propagate the $\neg\neg p^{R_i}$'s down to the right premise of $(\vee_L)^\dagger_i$ and rewrite as follows:

$$\frac{\Sigma \Rightarrow \Pi \qquad \Sigma \Rightarrow \Pi}{\Sigma \Rightarrow \Pi}\ (\vee_L)^\dagger_i \quad\leadsto\quad \frac{\Sigma, \neg p^{L_i} \Rightarrow \Pi \qquad \Sigma, \neg\neg p^{R_i} \Rightarrow \Pi}{\Sigma, \neg p \vee \neg\neg p \Rightarrow \Pi}\ (\vee_L)$$

Propagate the new formula ¬p ∨ ¬¬p to the endsequent. Doing so for all i ≤ n, we obtain a C**IL**-proof of Ω,Γ ⇒ Δ where Ω contains instances of the weak excluded middle axiom. Thus Γ ⇒ Δ is valid in **LQ**. 

It is instructive to compare **LQ**-grounded proofs to other calculi in the literature. For example, a hypersequent calculus for **LQ** [8] is obtained by adding the rule (lq) (below left) to a hypersequent calculus for intuitionistic logic.<sup>12</sup> The corresponding 2-system of rules [9] is pictured on the right:

$$\frac{\Sigma, \Sigma' \Rightarrow}{\Sigma \Rightarrow\ \mid\ \Sigma' \Rightarrow}\ (lq) \qquad\qquad \dfrac{\begin{array}{ccc} \dfrac{\Sigma, \Sigma' \Rightarrow}{\Sigma \Rightarrow} & & \dfrac{\Sigma, \Sigma' \Rightarrow}{\Sigma' \Rightarrow}\\ \vdots & & \vdots\\ \Gamma \Rightarrow \Delta & & \Gamma \Rightarrow \Delta \end{array}}{\Gamma \Rightarrow \Delta}\ (bot)$$

Figure 4 hints at the translation of **LQ**-grounded proofs into both calculi.

[Fig. 4 displays three derivations of Γ ⇒ Δ built from the initial sequent p ⇒ p and an inference concluding Γ, p ⇒: the translation into the 2-system of rules, closed by (bot) (left), a simple **LQ**-grounded C†**IL**-proof (middle), and the translation into the hypersequent calculus via (lq) (right).]

**Fig. 4.** From **LQ**-grounded proofs to 2-systems (left) and hypersequents (right)

<sup>12</sup> An interesting sequent calculus for **LQ** is presented in [6].

## **5 Conclusion and Future Work**

We have defined *grounded proofs*, a system of rules for **KT**□ and **K5**, and proved the cut-elimination theorem. We showed how grounded proofs relate to grafted hypersequents, thereby recovering and simplifying the cut-elimination theorem for the latter calculi. We then elaborated on *strongly modular proofs of cut-elimination*, providing two more examples through the logics **KD** and **LQ**.

*Future work.* Strongly modular proofs do not directly yield an algorithm for eliminating cuts. We would like to know whether the arguments given here can be used to write an algorithm that, e.g., eliminates cuts in grounded **K5**-proofs by calling the cut-elimination algorithms for **K** and **S5** as subroutines.

The method of obtaining strongly modular proofs through calculi with ghost rules is in a very early stage and so much remains to be explored. As a first step, one could try to extend the argument for **LQ** to all intermediate logics with a similar deduction theorem, i.e. logics with the *simple substitution property* [19].

**Acknowledgements.** The author is indebted to the anonymous reviewers for many corrections and helpful suggestions.

# **References**



The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# A Cut-Free, Sound and Complete Russellian Theory of Definite Descriptions

Andrzej Indrzejczak and Nils Kürbis(B)

Department of Logic, University of Lodz, Lodz, Poland {andrzej.indrzejczak,nils.kurbis}@filhist.uni.lodz.pl

Abstract. We present a sequent calculus for first-order logic with lambda terms and definite descriptions. The theory formalised by this calculus is essentially Russellian, but avoids some of its well known drawbacks and treats definite descriptions as genuine terms. A constructive proof of the cut elimination theorem and a Henkin-style proof of completeness are the main results of this contribution.

Keywords: Definite Descriptions · Predicate abstracts · Sequent Calculus · Cut Elimination

# 1 Introduction

Definite descriptions (DD) are complex terms commonly applied not only in natural languages but also in mathematics and computer science. In formal languages they are usually expressed by means of the iota operator, which forms terms from formulas. Thus ıxϕ means 'the (only) x satisfying ϕ'. A DD aims to denote a unique object by virtue of a property that only it has. Sometimes a DD fails, because nothing, or more than one thing, has the property. A DD that succeeds in denoting exactly one object is *proper*; otherwise it is *improper*.

Definite descriptions, proper and improper, are ubiquitous not only in natural languages but also in mathematics and science (like the proper 'the sum of 7 and 5' or the improper 'the square root of n'). In formal languages the application of functional terms is the prevailing way of representing complex names. However, DD can outrun functional terms in many ways. They are more expressive than functional terms, in the sense that an arbitrary functional term $f^n(t_1,\ldots,t_n)$ can be represented as a description $\imath x\,F^{n+1}(x, t_1,\ldots,t_n)$, where F is a predicate corresponding to the function f. On the other hand, not every definite description, even if proper, can be expressed using functional terms; this is possible only in the case of predicates expressing functional relations, whereas every sentence can be used to form a DD. For example, both 'the father of Ben'

Funded by the European Union (ERC, ExtenDD, project number: 101054714). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them.

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 112–130, 2023. https://doi.org/10.1007/978-3-031-43513-3\_7

and 'the daughter of Mary' may be represented as terms using the iota operator, but only the first may be represented as a functional term. Moreover, even if we can use functional terms instead of DD, we enrich the language with another sort of functors in addition to predicates. This has an impact on the formalisation of valid arguments, in which very often the conclusion follows on the basis of content expressed by functional terms which is directly expressed by predicates. For example: 'Adam has children' follows from 'Adam is the father of Ben'. However, to prove its validity, its formal representation $a = f(b) \vdash \exists x\, Cxa$ requires two enthymematic premisses: $\forall xy(Mxy \lor Fxy \leftrightarrow Cyx)$ and $\forall xy(x = f(y) \leftrightarrow Fxy)$. Let us call the latter premiss a bridge principle, allowing us to transfer information conveyed by predicates to related functions and vice versa. In general, bridge principles have the form $\forall x_1,\ldots,x_n, y\,(y = f^n(x_1,\ldots,x_n) \leftrightarrow F^{n+1}(y, x_1,\ldots,x_n))$ and show how the information encoded by functional terms is represented by predicates. If we use DD instead of functional terms, we do not need such extra bridge principles, whereas in languages with functional terms they are necessary in an analysis of obviously valid arguments.<sup>1</sup>
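The example above can be spelled out as a short informal derivation (a sketch; the step numbering is ours, with $a$ for Adam, $b$ for Ben, $Fxy$ for '$x$ is the father of $y$', and $Cxy$ for '$x$ is a child of $y$'):

```latex
\begin{align*}
&(1)\ a = f(b) && \text{premiss}\\
&(2)\ \forall x\forall y\,(x = f(y) \leftrightarrow Fxy) && \text{bridge principle}\\
&(3)\ Fab && \text{from (1), (2)}\\
&(4)\ \forall x\forall y\,(Mxy \lor Fxy \leftrightarrow Cyx) && \text{enthymematic premiss}\\
&(5)\ Cba && \text{from (3), (4)}\\
&(6)\ \exists x\, Cxa && \text{from (5)}
\end{align*}
```

Step (3) is exactly where the bridge principle is indispensable: without (2), the functional term $f(b)$ carries information that no predicate can access.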

The usefulness of formal devices like the iota operator and other term-forming operators has recently been better recognised (cf. Tennant's [32] or Scott and Benzmüller's implementation of free logic using the proof assistant *Isabelle/HOL* [3]), also in fields connected with computer science, like differential dynamic logic used for the verification of hybrid systems [5], or description logics (see [1] or [25]). Logics with DD are often implemented to enable formalisation of deep philosophical problems, e.g. Anselm's ontological argument (see the work by Oppenheimer and Zalta using the automated reasoning tool *PROVER9* [26] or its encoding by Blumson [4]).

Since several rival theories of DD have been formulated, the applicability and potential usefulness of DD have so far been underestimated. This raises the question of which approach is the best one, at least for some specific kinds of applications. In this paper we focus on the Russellian approach to definite descriptions ([28] and [35]), which plays a central role in this area. Although Russell's theory of DD has some controversial points, it became a standard point of reference for almost all works devoted to the analysis of definite descriptions. Moreover, it is still widely accepted by formal logicians as a proper way of handling descriptions; the scores of textbooks that use it as their official theory of definite descriptions count as witnesses for this claim. Russell's theory also has strong affinities to logics closely connected with applications in constructive mathematics and computer science, like the logic of the existence predicate by Scott [30] or the definedness logic (or the logic of partial terms) of Beeson [2] and Feferman [8]. These connections were elaborated in [14].

Russell treated DD as incomplete signs and defined their use by contextual definitions of the form:

$$\psi[x/\imath y\varphi] \;:=\; \exists x(\forall y(\varphi \leftrightarrow y = x) \land \psi)$$

<sup>1</sup> Some other advantages of using DD instead of functional terms are discussed in more detail in [17].

but this solution leads to scoping difficulties if <sup>ψ</sup> is not elementary. <sup>¬</sup>ψ[x/ıyϕ], e.g., is ambiguous: is the whole formula negated or only the predicate ψ? The method which Russell introduced in [35] to draw scope distinctions is rather clumsy. Fortunately, it is possible to develop a logic which treats DD as genuine terms and yet retains desirable features of the Russellian approach. Such a logic was formalised as a natural deduction system by Kalish, Montague, and Mar [18] and by Francez and Więckowski [11]. These systems involve complex rules and axioms, but recently Indrzejczak [16] provided an analytic and cut-free sequent calculus equivalent to the Russellian logic as formalised in [18]. However, in all these systems the formal counterpart of the Russellian policy of eliminating DD from sentences must be restricted to predicate letters, which is connected with the scoping difficulties of the Russellian approach just mentioned.
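The scope ambiguity can be made concrete with a minimal sketch (not from the paper; formulas are plain strings and `elim` implements the Russellian contextual definition for a single predicate):

```python
# Sketch: Russellian elimination of a definite description, showing how
# negation admits two non-equivalent readings. All names are illustrative.

def elim(pred, phi, x="x", y="y"):
    """Eliminate 'pred(iota y. phi)' via Russell's contextual definition:
    exists x (forall y (phi <-> y = x) & pred(x))."""
    return f"∃{x}(∀{y}({phi} ↔ {y}={x}) ∧ {pred}({x}))"

phi = "King(y)"

# Narrow scope: the negated predicate is applied to the description.
narrow = elim("¬Bald", phi)
# Wide scope: the whole elimination result is negated.
wide = f"¬{elim('Bald', phi)}"

print(narrow)  # ∃x(∀y(King(y) ↔ y=x) ∧ ¬Bald(x))
print(wide)    # ¬∃x(∀y(King(y) ↔ y=x) ∧ Bald(x))
```

The narrow reading entails that a unique king exists; the wide reading does not, which is exactly why $\neg\psi[x/\imath y\varphi]$ is ambiguous without a scoping device.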

Can we offer any improvement on the state of the art? A possible strategy for avoiding these problems is to treat DD by means of a binary quantifier; this approach was formally developed by Kürbis (cf. [19–23]). However, if we want to treat DD as terms, then the introduction of the lambda operator to construct complex predicate abstracts from formulas offers a good solution. λxϕ means 'the property of being ϕ' and, applied to some term, in particular to a DD, forms a formula called a lambda atom. This device was introduced into studies of modal predicate logic by Thomason and Stalnaker [31], and the idea was further developed by Bressan [6] and Fitting [9], in particular, to distinguish between *de dicto* and *de re* readings of modal operators. Independently, this technique was used by Scales [29] in his formulation of attributional logic, where Aristotle's distinction between the negation of a sentence and of a predicate is formally expressible. In fact, Scales seems to be the first one to apply predicate abstraction to formalise a theory of DD which relates closely to Russell's. Predicate abstracts were also successfully applied by Fitting and Mendelsohn [10] to obtain a theory of DD in a modal setting. This approach, with slight modifications, was further developed independently by Orlandelli [27] and Indrzejczak [12] to obtain cut-free sequent calculi for modal logics with DD and predicate abstracts.

In this article we focus on a different logic RL, first introduced in [17], which also combines the iota and lambda operators. It avoids the shortcomings of the Russellian approach while saving all its plausible features. Predicate abstracts permit us to draw scope distinctions rather more elegantly than with the Russellian scope markers and their application is more general. RL is essentially Russellian but with DD treated as genuine terms. Nonetheless, the reductionist aspect of Russell's approach is retained in several ways. On the level of syntax the occurrences of DD are restricted to arguments of predicate abstracts to form lambda atoms. On the level of semantics DD are not defined by an interpretation function but by satisfaction clauses for lambda atoms. Eventually, on the level of calculus DD cannot be instantiated for variables in quantifier rules but are subject to special rules for lambda atoms. This strict connection of DD with predicate abstracts avoids disadvantages of the Russellian approach connected with scoping difficulties, and, at the same time, simplifies proofs of metalogical properties.

RL was originally characterised semantically and formalised as an analytic tableau calculus in [17], where it was also applied for proving the Craig interpolation theorem. Here we complete the research on RL by providing an adequate sequent calculus for which the cut elimination theorem is proved constructively. We characterise the language, semantics and axiomatisation of RL in Sect. 2. In Sect. 3 we present the sequent calculus GRL for RL and show its equivalence with an axiomatic Hilbert-style system HRL. Section 4 contains a proof of the cut elimination theorem, and Sect. 5 a Henkin-style proof of completeness. The paper finishes with some comparative remarks.

# 2 Preliminaries

The language $\mathcal{L}$ of RL is standard, except that it contains the operators $\imath$ and $\lambda$. Following the remarks on functional terms from the Introduction, as well as the original Russellian attitude towards terms, the 'official' language has neither constant nor function symbols; in the completeness proof we add constants solely for the purpose of constructing models from consistent sets. As is customary in proof-theoretic investigations since Gentzen, we distinguish free and bound variables graphically in deductions. It is not customary to make this distinction in semantics, and so there we won't make it either. This blend of two customs should not lead to confusion, and we are following Fitting and Mendelsohn [10] in this respect. There are two disjoint sets $VAR$ of variables and $PAR$ of parameters. The former play the role of the bound variables, the latter of the free variables, in the presentation of the proof theory of RL; in the presentation of the semantics, this restriction is relaxed and members of $VAR$ are permitted as free variables. The *terms* of the language in the strict sense are the variables and parameters. Expressions formed by $\imath$ are admitted as terms in a more general sense: their application is restricted to predicate abstracts and they are called quasi-terms. We mention only the following formation rules for the more general notion of a formula used in the semantics:


$\varphi[x/t]$ denotes the result of replacing $x$ by $t$ in $\varphi$. To save space, we'll often write $\varphi^x_t$ instead of $\varphi[x/t]$. If $t$ is a variable $y$, it is assumed that $y$ is free for $x$ in $\varphi$, that is, no occurrence of $y$ becomes bound in $\varphi$ by the replacement. To save space and simplify things in the statement of the semantics and in the completeness proof in Sect. 5, we treat $\lor, \to, \exists$ as defined notions.
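The side condition '$y$ is free for $x$ in $\varphi$' can be checked mechanically; here is a minimal sketch (not from the paper; formulas are encoded as nested tuples, an illustrative choice):

```python
# Sketch of the side condition 't free for x in phi': substituting variable t
# for x must not let t be captured by a quantifier binding it.

def free_vars(phi):
    op = phi[0]
    if op == "atom":
        return set(phi[2])                 # phi = ("atom", pred_name, args)
    if op == "not":
        return free_vars(phi[1])
    if op in ("and", "or", "imp"):
        return free_vars(phi[1]) | free_vars(phi[2])
    return free_vars(phi[2]) - {phi[1]}    # ("forall"/"exists", var, body)

def free_for(t, x, phi):
    """Check that variable t is free for x in phi."""
    op = phi[0]
    if op == "atom":
        return True
    if op == "not":
        return free_for(t, x, phi[1])
    if op in ("and", "or", "imp"):
        return free_for(t, x, phi[1]) and free_for(t, x, phi[2])
    v, body = phi[1], phi[2]               # a quantifier
    if v == x:                             # x is bound here: substitution stops
        return True
    if v == t and x in free_vars(body):    # t would be captured
        return False
    return free_for(t, x, body)

# 'y' is not free for 'x' in forall y. P(x, y): it would be captured.
phi = ("forall", "y", ("atom", "P", ("x", "y")))
print(free_for("y", "x", phi))  # False
print(free_for("z", "x", phi))  # True
```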

A *model* is a structure $\mathcal{M} = \langle D, I\rangle$, where for each $n$-argument predicate $P^n$, $I(P^n) \subseteq D^n$. An *assignment* $v$ is a function $v : VAR \cup PAR \longrightarrow D$. An $x$*-variant* $v'$ of $v$ agrees with $v$ on all arguments, save possibly $x$. We write $v^x_o$ to denote the $x$-variant of $v$ with $v^x_o(x) = o$. The notion of *satisfaction* of a formula $\varphi$ *with* $v$, in symbols $\mathcal{M},v \models \varphi$, is defined as follows, where $t \in VAR \cup PAR$:


A formula $\varphi$ is *satisfiable* if there are a model $\mathcal{M}$ and an assignment $v$ such that $\mathcal{M},v \models \varphi$. A formula is *valid* if, for all models $\mathcal{M}$ and assignments $v$, $\mathcal{M},v \models \varphi$. Semantically, HRL is identified with the set of valid formulas, RL with the set of valid sequents. A set of formulas $\Gamma$ is *satisfiable* iff there is some structure $\mathcal{M}$ and an assignment $v$ such that $\mathcal{M}$ satisfies every member of $\Gamma$ with $v$. A sequent $\Gamma \Rightarrow \Delta$ is satisfied by a structure $\mathcal{M}$ with an assignment $v$ if and only if, if for all $\varphi \in \Gamma$, $\mathcal{M},v \models \varphi$, then for some $\psi \in \Delta$, $\mathcal{M},v \models \psi$. We symbolise this by $\mathcal{M},v \models \Gamma \Rightarrow \Delta$. A sequent $\Gamma \Rightarrow \Delta$ is *valid* iff it is satisfied by every structure with every assignment $v$. In this case we write $\models \Gamma \Rightarrow \Delta$.
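For intuition, satisfaction in a finite model can be sketched directly; this is not the paper's definition but a minimal illustration, assuming the clause for lambda atoms with a DD demands a unique witness, in line with the unique-existence reading that $R_\lambda$ expresses:

```python
# Sketch: satisfaction in a finite model. The lambda-atom clause reads:
# M,v |= (lambda x psi)(iota y phi) iff there is exactly one o in D with
# M,v[y:=o] |= phi, and M,v[x:=o] |= psi. Formula encoding is illustrative.

def sat(D, I, v, phi):
    op = phi[0]
    if op == "atom":                      # ("atom", P, args)
        return tuple(v[t] for t in phi[2]) in I[phi[1]]
    if op == "eq":                        # ("eq", t1, t2)
        return v[phi[1]] == v[phi[2]]
    if op == "not":
        return not sat(D, I, v, phi[1])
    if op == "and":
        return sat(D, I, v, phi[1]) and sat(D, I, v, phi[2])
    if op == "forall":                    # ("forall", x, body)
        return all(sat(D, I, {**v, phi[1]: o}, phi[2]) for o in D)
    if op == "lam_iota":                  # ("lam_iota", x, psi, y, phi0)
        x, psi, y, phi0 = phi[1], phi[2], phi[3], phi[4]
        witnesses = [o for o in D if sat(D, I, {**v, y: o}, phi0)]
        return len(witnesses) == 1 and sat(D, I, {**v, x: witnesses[0]}, psi)

# Model: D = {0,1,2}; P holds of 1 only; Q holds of 1 and 2.
D = {0, 1, 2}
I = {"P": {(1,)}, "Q": {(1,), (2,)}}
the_P_is_Q = ("lam_iota", "x", ("atom", "Q", ("x",)), "y", ("atom", "P", ("y",)))
print(sat(D, I, {}, the_P_is_Q))  # True: 1 is the unique P and is Q
# With P empty the description is improper, so the lambda atom is false.
print(sat(D, {"P": set(), "Q": I["Q"]}, {}, the_P_is_Q))  # False
```

Note how improper descriptions make the lambda atom false rather than undefined, which is the characteristically Russellian behaviour.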

Note that we do not characterise DD semantically by means of the interpretation function $I$, as is usually done (for example in [10,27]). The syntactic restriction permitting DD only as arguments in lambda atoms allows us to characterise them instead by a separate satisfaction clause. This is closer to the original Russellian treatment of descriptions and simplifies the completeness proof.

Before presenting the sequent calculus, we briefly give the Hilbert system HRL. As we noted, Russell treated DD as incomplete symbols and eliminated them by means of contextual definitions. Adopting the following axiom, corresponding to his definitions, would be too simplistic:

$$R \qquad \psi(\imath y \varphi) \leftrightarrow \exists x (\forall y (\varphi \leftrightarrow y = x) \land \psi)$$

R must be restricted to atomic $\psi$, or it is necessary to add means for marking scope distinctions. Whitehead and Russell chose the latter option, but their method is far from ideal. It is possible to avoid the problem in a more elegant fashion with the help of the $\lambda$ operator. In particular, we can use it to distinguish the application of the negated predicate $\neg\psi$ to $\imath y\varphi$ from negating the application of $\psi$ to it. In the present context scoping difficulties arise only in relation to DD, and the problem is solved by restricting predication on DD to predicate abstracts. Accordingly, atomic formulas are built from predicate symbols and variables/parameters only. This is in full accordance with Russell, since the language of *Principia* contains no primitive constant and function symbols: they are introduced by contextual definitions by means of DD. We modify R to reflect the restriction that $\imath$ terms require $\lambda$ abstracts:

$$R\_{\lambda} \qquad (\lambda x \psi) \imath y \varphi \leftrightarrow \exists x (\forall y (\varphi \leftrightarrow y = x) \land \psi)$$

This way we avoid problems with scope while permitting complex as well as primitive predicates to be applied to DD. The axiomatic system HRL for our logic RL results from a standard axiomatisation of pure first-order logic with identity and quantifier rules restricted to parameters by adding the axiom $R_\lambda$ and $\beta$-conversion for $\lambda$, again restricted to parameters: $(\lambda x\psi)t \leftrightarrow \psi[x/t]$, where $t$ is a parameter. The adequacy of HRL will be demonstrated below.

# 3 Sequent Calculus

We now formalise the Russellian logic RL as a sequent calculus GRL. Sequents <sup>Γ</sup> <sup>⇒</sup> <sup>Δ</sup> are ordered pairs of finite multisets of formulas, called the antecedent and the succedent, respectively. GRL is essentially the calculus G1c of Troelstra and Schwichtenberg [34] with rules for identity and lambda atoms: see Fig. 1.

Let us recall that formulas displayed in the schemata are active, whereas the remaining ones are parametric, or form a context. In particular, all active formulas in the premisses are called side formulas, and the one in the conclusion is the principal formula of the respective rule application. Proofs are defined in the standard way as finite trees with nodes labelled by sequents. The height of a proof $\mathcal{D}$ of $\Gamma \Rightarrow \Delta$ is defined as the number of nodes of the longest branch in $\mathcal{D}$. $\vdash_k \Gamma \Rightarrow \Delta$ means that $\Gamma \Rightarrow \Delta$ has a proof with height at most $k$. $\vdash$ means that there is a proof of the expression standing to its right, be it a formula (in the case of HRL) or a sequent (in the case of GRL).
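The height measure can be sketched directly on proof trees (an illustrative encoding, not from the paper; sequents are kept as plain strings):

```python
# Sketch: proofs as finite trees of sequents; the height of a proof is the
# number of nodes on its longest branch.

class Proof:
    def __init__(self, sequent, premisses=()):
        self.sequent = sequent              # e.g. "phi => phi"
        self.premisses = list(premisses)

def height(proof):
    if not proof.premisses:
        return 1                            # an axiom leaf counts as one node
    return 1 + max(height(p) for p in proof.premisses)

# A two-premiss inference, then one further one-premiss inference:
ax1 = Proof("phi => phi")
ax2 = Proof("psi => psi")
step = Proof("phi, psi => phi & psi", [ax1, ax2])
root = Proof("phi & psi => phi & psi", [step])
print(height(root))  # 3
```

With this convention, $\vdash_k \Gamma \Rightarrow \Delta$ simply asserts the existence of such a tree whose `height` is at most $k$.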

We need some auxiliary results. In particular, since $(=^-)$ is Leibniz' Principle restricted to atomic formulas, we must prove its unrestricted form.

**Lemma 1.** 1. $\vdash\ b_1 = b_2, \varphi[x/b_1] \Rightarrow \varphi[x/b_2]$, *for any formula* $\varphi$.
2. *If* $\vdash_k \Gamma \Rightarrow \Delta$, *then* $\vdash_k \Gamma[b_1/b_2] \Rightarrow \Delta[b_1/b_2]$, *where* $k$ *is the height of a proof*.

*Proof.* 1. follows by induction over the complexity of formulas, which is standard for all cases except those concerning lambda atoms with DD. We note that $\varphi^{z\,y}_{b\,c}$ is the same as $\varphi^{y\,z}_{c\,b}$, etc. We write $[(\lambda x\psi)\imath y\varphi]^z_{b_1}$ to denote substitutions in lambda atoms in a more readable fashion. To simplify proofs, applications of weakening and contraction rules to derive shared contexts are omitted from now on. Let $\mathcal{D}$ be the following deduction, where the leaves are axioms and $c$ a fresh parameter:

$$(\imath_2 \Rightarrow)\ \frac{\varphi^{y\,z}_{c\,b_1} \Rightarrow \varphi^{y\,z}_{c\,b_1} \qquad \varphi^{y\,z}_{a\,b_1} \Rightarrow \varphi^{y\,z}_{a\,b_1} \qquad c=a \Rightarrow c=a}{[(\lambda x \psi)\imath y\varphi]^z_{b_1},\ \varphi^{y\,z}_{a\,b_1},\ \varphi^{y\,z}_{c\,b_1} \Rightarrow c=a}$$

Then we derive $b_1 = b_2,\ [(\lambda x\psi)\imath y\varphi]^z_{b_1} \Rightarrow [(\lambda x\psi)\imath y\varphi]^z_{b_2}$:

#### Fig. 1. Calculus GRL

$$
\begin{array}{ll}
(\Rightarrow\imath) & \dfrac{b_1=b_2,\ \varphi^{y\,z}_{a\,b_1} \Rightarrow \varphi^{y\,z}_{a\,b_2} \qquad b_1=b_2,\ \psi^{x\,z}_{a\,b_1} \Rightarrow \psi^{x\,z}_{a\,b_2} \qquad \mathcal{D}}{b_1=b_2,\ \varphi^{y\,z}_{a\,b_1},\ \psi^{x\,z}_{a\,b_1},\ [(\lambda x\psi)\imath y\varphi]^z_{b_1} \Rightarrow [(\lambda x\psi)\imath y\varphi]^z_{b_2}}\\[10pt]
(\imath_1\Rightarrow) & b_1=b_2,\ [(\lambda x\psi)\imath y\varphi]^z_{b_1},\ [(\lambda x\psi)\imath y\varphi]^z_{b_1} \Rightarrow [(\lambda x\psi)\imath y\varphi]^z_{b_2}\\[4pt]
(C\Rightarrow) & b_1=b_2,\ [(\lambda x\psi)\imath y\varphi]^z_{b_1} \Rightarrow [(\lambda x\psi)\imath y\varphi]^z_{b_2}
\end{array}
$$

The two left leaves are provable by the induction hypothesis (if $b_1, b_2$ are not present in $\psi$ or $\varphi$, we have an axiomatic sequent).

The proof of 2 is by a standard induction on the height of proofs; the rules for lambda atoms with DD are treated similarly to the rules for quantifiers.

Let us now show that the Russellian axiom $R_\lambda$ is provable in GRL. We will provide proofs of the two sequents corresponding to its two implications. Let $\mathcal{D}$ be:

$$(\imath\_2 \Rightarrow) \begin{array}{c} \varphi\_a^y \Rightarrow \varphi\_a^y \qquad \varphi\_{a\_1}^y \Rightarrow \varphi\_{a\_1}^y \qquad a\_1 = a \Rightarrow a\_1 = a \\ \hline (\lambda x \psi) \imath y \varphi, \varphi\_a^y, \varphi\_{a\_1}^y \Rightarrow a\_1 = a \end{array}$$

The following establishes one half of $R_\lambda$:

$$
\begin{array}{ll}
(\Rightarrow\leftrightarrow) & \dfrac{\mathcal{D} \qquad \varphi^y_a,\ a_1=a \Rightarrow \varphi^y_{a_1}}{(\lambda x\psi)\imath y\varphi,\ \varphi^y_a \Rightarrow \varphi^y_{a_1} \leftrightarrow a_1=a}\\[10pt]
(\Rightarrow\forall) & (\lambda x\psi)\imath y\varphi,\ \varphi^y_a \Rightarrow \forall y(\varphi \leftrightarrow y=a)\\[4pt]
(\Rightarrow\wedge) & \dfrac{(\lambda x\psi)\imath y\varphi,\ \varphi^y_a \Rightarrow \forall y(\varphi \leftrightarrow y=a) \qquad \psi^x_a \Rightarrow \psi^x_a}{(\lambda x\psi)\imath y\varphi,\ \psi^x_a,\ \varphi^y_a \Rightarrow \forall y(\varphi \leftrightarrow y=a) \wedge \psi^x_a}\\[10pt]
(\Rightarrow\exists) & (\lambda x\psi)\imath y\varphi,\ \psi^x_a,\ \varphi^y_a \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi)\\[4pt]
(\imath_1\Rightarrow) & (\lambda x\psi)\imath y\varphi,\ (\lambda x\psi)\imath y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi)\\[4pt]
(C\Rightarrow) & (\lambda x\psi)\imath y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi)
\end{array}
$$

where the only nonaxiomatic sequent is provable by lemma 1.1. Next, where D is:

$$
\begin{array}{ll}
(\leftrightarrow\Rightarrow) & \dfrac{\varphi^y_b \Rightarrow \varphi^y_b \qquad b=a \Rightarrow b=a}{\varphi^y_b \leftrightarrow b=a,\ \varphi^y_b \Rightarrow b=a}\\[10pt]
(\forall\Rightarrow) & \forall y(\varphi \leftrightarrow y=a),\ \varphi^y_b \Rightarrow b=a
\end{array}
$$

the following establishes the other half of $R_\lambda$:

$$
\begin{array}{ll}
(=^+) & \dfrac{a=a \Rightarrow a=a}{\Rightarrow a=a}\\[10pt]
(\leftrightarrow\Rightarrow) & \dfrac{\Rightarrow a=a \qquad \varphi^y_a \Rightarrow \varphi^y_a}{\varphi^y_a \leftrightarrow a=a \Rightarrow \varphi^y_a}\\[10pt]
(\forall\Rightarrow) & \forall y(\varphi \leftrightarrow y=a) \Rightarrow \varphi^y_a\\[4pt]
(\Rightarrow\imath) & \dfrac{\forall y(\varphi \leftrightarrow y=a) \Rightarrow \varphi^y_a \qquad \psi^x_a \Rightarrow \psi^x_a \qquad \mathcal{D}}{\forall y(\varphi \leftrightarrow y=a),\ \psi^x_a \Rightarrow (\lambda x\psi)\imath y\varphi}\\[10pt]
(\wedge\Rightarrow) & \forall y(\varphi \leftrightarrow y=a) \wedge \psi^x_a \Rightarrow (\lambda x\psi)\imath y\varphi\\[4pt]
(\exists\Rightarrow) & \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi) \Rightarrow (\lambda x\psi)\imath y\varphi
\end{array}
$$

Conversely, the three rules for lambda atoms with DD are derivable in G1c with $R_\lambda$ added in the form of two axiomatic sequents. To derive $(\imath_1 \Rightarrow)$, let $R^\Rightarrow_\lambda$ be $(\lambda x\psi)\imath y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \land \psi)$:

$$
\begin{array}{ll}
(=^+) & \dfrac{a=a \Rightarrow a=a}{\Rightarrow a=a}\\[10pt]
(\leftrightarrow\Rightarrow) & \dfrac{\Rightarrow a=a \qquad \varphi^y_a,\ \psi^x_a,\ \Gamma \Rightarrow \Delta}{\varphi^y_a \leftrightarrow a=a,\ \psi^x_a,\ \Gamma \Rightarrow \Delta}\\[10pt]
(\forall\Rightarrow) & \forall y(\varphi \leftrightarrow y=a),\ \psi^x_a,\ \Gamma \Rightarrow \Delta\\[4pt]
(\wedge\Rightarrow) & \forall y(\varphi \leftrightarrow y=a) \wedge \psi^x_a,\ \Gamma \Rightarrow \Delta\\[4pt]
(\exists\Rightarrow) & \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi),\ \Gamma \Rightarrow \Delta\\[4pt]
(Cut) & \dfrac{R^\Rightarrow_\lambda \qquad \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi),\ \Gamma \Rightarrow \Delta}{(\lambda x\psi)\imath y\varphi,\ \Gamma \Rightarrow \Delta}
\end{array}
$$

To derive $(\imath_2 \Rightarrow)$, use (Cut) with $(\lambda x\psi)\imath y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \land \psi)$ and:

$$
\begin{array}{ll}
(=^-) & \dfrac{b_1=b_2,\ \Gamma \Rightarrow \Delta}{b_1=a,\ b_2=a,\ \Gamma \Rightarrow \Delta}\\[10pt]
(\leftrightarrow\Rightarrow) & \dfrac{\Gamma \Rightarrow \Delta,\ \varphi^y_{b_2} \qquad b_1=a,\ b_2=a,\ \Gamma \Rightarrow \Delta}{b_1=a,\ \varphi^y_{b_2} \leftrightarrow b_2=a,\ \Gamma \Rightarrow \Delta}\\[10pt]
(\leftrightarrow\Rightarrow) & \dfrac{\Gamma \Rightarrow \Delta,\ \varphi^y_{b_1} \qquad b_1=a,\ \varphi^y_{b_2} \leftrightarrow b_2=a,\ \Gamma \Rightarrow \Delta}{\varphi^y_{b_1} \leftrightarrow b_1=a,\ \varphi^y_{b_2} \leftrightarrow b_2=a,\ \Gamma \Rightarrow \Delta}\\[10pt]
(\forall\Rightarrow) & \forall y(\varphi \leftrightarrow y=a),\ \forall y(\varphi \leftrightarrow y=a),\ \Gamma \Rightarrow \Delta\\[4pt]
(C\Rightarrow) & \forall y(\varphi \leftrightarrow y=a),\ \psi^x_a,\ \Gamma \Rightarrow \Delta\\[4pt]
(\wedge\Rightarrow) & \forall y(\varphi \leftrightarrow y=a) \wedge \psi^x_a,\ \Gamma \Rightarrow \Delta\\[4pt]
(\exists\Rightarrow) & \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi),\ \Gamma \Rightarrow \Delta
\end{array}
$$

The following derives $(\Rightarrow \imath)$:

$$
\begin{array}{ll}
(Cut) & \dfrac{\Gamma \Rightarrow \Delta,\ \varphi^y_b \qquad a=b,\ \varphi^y_b \Rightarrow \varphi^y_a}{a=b,\ \Gamma \Rightarrow \Delta,\ \varphi^y_a}\\[10pt]
(\Rightarrow\leftrightarrow) & \dfrac{\varphi^y_a,\ \Gamma \Rightarrow \Delta,\ a=b \qquad a=b,\ \Gamma \Rightarrow \Delta,\ \varphi^y_a}{\Gamma \Rightarrow \Delta,\ \varphi^y_a \leftrightarrow a=b}\\[10pt]
(\Rightarrow\forall) & \Gamma \Rightarrow \Delta,\ \forall y(\varphi \leftrightarrow y=b)\\[4pt]
(\Rightarrow\wedge) & \dfrac{\Gamma \Rightarrow \Delta,\ \forall y(\varphi \leftrightarrow y=b) \qquad \Gamma \Rightarrow \Delta,\ \psi^x_b}{\Gamma \Rightarrow \Delta,\ \forall y(\varphi \leftrightarrow y=b) \wedge \psi^x_b}\\[10pt]
(\Rightarrow\exists) & \Gamma \Rightarrow \Delta,\ \exists x(\forall y(\varphi \leftrightarrow y=x) \wedge \psi)
\end{array}
$$

where the right premiss of (Cut) is provable by lemma 1.1, and the conclusion of the rule follows by (Cut) with $\exists x(\forall y(\varphi \leftrightarrow y = x) \land \psi) \Rightarrow (\lambda x\psi)\imath y\varphi$.

Since the proofs of the interderivability of the axiom of $\lambda$-conversion and $(\lambda \Rightarrow), (\Rightarrow \lambda)$ are trivial, we are done and conclude with:

**Theorem 1.** $\vdash_{HRL} \varphi$ *iff* $\vdash_{GRL}\ \Rightarrow \varphi$

# 4 Cut Elimination

We will show that (Cut) is eliminable from every proof in GRL using the general strategy of cut elimination proofs applied originally for hypersequent calculi in Metcalfe, Olivetti and Gabbay [24], which works well also in the context of standard sequent calculi (see [15]). Such a proof has a particularly simple structure and allows us to avoid many complexities inherent in other methods of proving cut elimination. In particular, we avoid well known problems with contraction, since two auxiliary lemmata deal with this problem in advance. We assume that all proofs are regular in the sense that every parameter a which is fresh by the side condition of the respective rule must be fresh in the entire proof, not only on the branch where the application of this rule takes place. There is no loss of generality since every proof may be systematically transformed into a regular one by lemma 1.2. The following notions are crucial for the proof:


The proof of the cut elimination theorem is based on two lemmata which successively make a reduction: first of the height of the right, and then of the height of the left premiss of cut. $\varphi^k, \Gamma^k$ denote $k > 0$ occurrences of $\varphi, \Gamma$, respectively.

**Lemma 2 (Right reduction).** *Let* $\mathcal{D}_1 \vdash \Gamma \Rightarrow \Delta, \varphi$ *and* $\mathcal{D}_2 \vdash \varphi^k, \Pi \Rightarrow \Sigma$ *with* $d\mathcal{D}_1, d\mathcal{D}_2 < d\varphi$, *and* $\varphi$ *principal in* $\Gamma \Rightarrow \Delta, \varphi$; *then we can construct a proof* $\mathcal{D}$ *such that* $\mathcal{D} \vdash \Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma$ *and* $d\mathcal{D} < d\varphi$.

*Proof.* By induction on the height of $\mathcal{D}_2$. The basis is trivial, since $\Gamma \Rightarrow \Delta, \varphi$ is identical with $\Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma$. The induction step requires examination of all cases of possible derivations of $\varphi^k, \Pi \Rightarrow \Sigma$, and of the role of the cut-formula in the transition. In cases where all occurrences of $\varphi$ are parametric, we simply apply the induction hypothesis to the premisses of $\varphi^k, \Pi \Rightarrow \Sigma$ and then apply the respective rule; this is essentially due to the context independence of almost all rules and the regularity of proofs, which together prevent violation of side conditions on eigenvariables. If one of the occurrences of $\varphi$ in the premiss(es) is a side formula of the last rule, we must additionally apply weakening to restore the missing formula before the application of the relevant rule.

In cases where one occurrence of $\varphi$ in $\varphi^k, \Pi \Rightarrow \Sigma$ is principal, we make use of the fact that $\varphi$ in the left premiss is also principal; for the cases of contraction and weakening this is trivial. We consider the cases of lambda atoms with DD. Hence $\mathcal{D}_1$ finishes with:

$$\frac{\Gamma \Rightarrow \Delta, \varphi[y/b] \quad \Gamma \Rightarrow \Delta, \psi[x/b] \quad \varphi[y/a], \Gamma \Rightarrow \Delta, a = b}{\Gamma \Rightarrow \Delta, (\lambda x \psi) \imath y \varphi}$$

and D<sup>2</sup> finishes with:

$$\frac{\varphi[y/a'], \psi[x/a'], (\lambda x \psi) \imath y \varphi^{k-1}, \Pi \Rightarrow \Sigma}{(\lambda x \psi) \imath y \varphi^k, \Pi \Rightarrow \Sigma}$$

or

$$\frac{(\lambda x \psi)\imath y\varphi^{k-1}, \Pi \Rightarrow \Sigma, \varphi[y/b_1] \qquad (\lambda x \psi)\imath y\varphi^{k-1}, \Pi \Rightarrow \Sigma, \varphi[y/b_2] \qquad b_1 = b_2, (\lambda x \psi)\imath y\varphi^{k-1}, \Pi \Rightarrow \Sigma}{(\lambda x \psi)\imath y\varphi^{k}, \Pi \Rightarrow \Sigma}$$

In the first case, by the induction hypothesis and lemma 1.2 we obtain $\varphi[y/b], \psi[x/b], \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma$, and by two cuts with the leftmost and central premisses of $(\Rightarrow \imath)$ in $\mathcal{D}_1$ we obtain $\Gamma^{k+1}, \Pi \Rightarrow \Delta^{k+1}, \Sigma$, which by contraction yields the result.

In the second case note first that by lemma 1.2 from the rightmost premiss of $(\Rightarrow \imath)$ in $\mathcal{D}_1$ we obtain

a. $\varphi[y/b_1], \Gamma \Rightarrow \Delta, b_1 = b$ and b. $\varphi[y/b_2], \Gamma \Rightarrow \Delta, b_2 = b$.

Again by the induction hypothesis from the three premisses we get:

1. $\Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma, \varphi[y/b_1]$
2. $\Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma, \varphi[y/b_2]$
3. $b_1 = b_2, \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma$

We proceed as follows with a series of applications of cut, followed by contractions, using the provable sequent $b_1 = b, b_2 = b \Rightarrow b_1 = b_2$:

$$
\begin{array}{c}
\dfrac{1 \qquad a}{\Gamma^{k}, \Pi \Rightarrow \Delta^{k}, \Sigma,\ b_1=b}
\qquad
\dfrac{2 \qquad b}{\Gamma^{k}, \Pi \Rightarrow \Delta^{k}, \Sigma,\ b_2=b}
\qquad
\dfrac{b_1=b,\ b_2=b \Rightarrow b_1=b_2 \qquad 3}{b_1=b,\ b_2=b,\ \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma} \\ \hline
\Gamma^{3k-1}, \Pi^{3} \Rightarrow \Delta^{3k-1}, \Sigma^{3} \\ \hline
\Gamma^{k}, \Pi \Rightarrow \Delta^{k}, \Sigma
\end{array}
$$

**Lemma 3 (Left reduction).** *Let* $\mathcal{D}_1 \vdash \Gamma \Rightarrow \Delta, \varphi^k$ *and* $\mathcal{D}_2 \vdash \varphi, \Pi \Rightarrow \Sigma$ *with* $d\mathcal{D}_1, d\mathcal{D}_2 < d\varphi$; *then we can construct a proof* $\mathcal{D}$ *such that* $\mathcal{D} \vdash \Gamma, \Pi^k \Rightarrow \Delta, \Sigma^k$ *and* $d\mathcal{D} < d\varphi$.

*Proof.* By induction on the height of $\mathcal{D}_1$, but with some important differences to the proof of the right reduction lemma. First note that we do not require $\varphi$ to be principal in $\varphi, \Pi \Rightarrow \Sigma$, so this includes the case where $\varphi$ is atomic. In all these cases we just apply the induction hypothesis. This guarantees that even if an atomic cut formula was introduced in the right premiss by $(=^-)$, the reduction of the height is achieved only on the left premiss, and we always obtain the expected result. Now, in cases where one occurrence of $\varphi$ in $\Gamma \Rightarrow \Delta, \varphi^k$ is principal, we first apply the induction hypothesis to eliminate all other $k-1$ occurrences of $\varphi$ in the premisses and then apply the respective rule. Since the only new occurrence of $\varphi$ is principal, we can make use of the right reduction lemma again and obtain the result, possibly after some applications of structural rules.

Now we are ready to prove the cut elimination theorem:

#### Theorem 2. *Every proof in GRL can be transformed into a cut-free proof.*

*Proof.* By double induction: primary on $d\mathcal{D}$ and subsidiary on the number of maximal cuts (in the basis and in the inductive step of the primary induction). We always take the topmost maximal cut and apply Lemma 3 to it. By successive repetition of this procedure we reduce either the degree of the proof or the number of cuts in it, until we obtain a cut-free proof.
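For orientation, a sketch of the rule being eliminated; this assumes GRL uses the standard multiplicative cut of G1-style calculi, which is not restated at this point in the text. Here $d\varphi$ is the degree of the formula $\varphi$, $d\mathcal{D}$ the maximal degree of a cut formula in $\mathcal{D}$, and a cut counts as *maximal* when its degree equals $d\mathcal{D}$:

```latex
% Standard (multiplicative) cut rule; a sketch, assuming GRL follows the
% usual G1-style formulation rather than quoting its official statement.
\[
(Cut)\quad
\frac{\Gamma \Rightarrow \Delta, \varphi \qquad \varphi, \Pi \Rightarrow \Sigma}
     {\Gamma, \Pi \Rightarrow \Delta, \Sigma}
\]
```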

# 5 Adequacy

In this section we make use of the fact that for every set there is a corresponding multiset, so if $\Gamma, \Delta$ are sets of formulas, we may write $\Gamma \Rightarrow \Delta$. We recall that we treat $\vee, \rightarrow, \exists$ as defined notions. For the completeness proof we assume that a denumerable set of individual constants may be added to the language; the interpretation $I$ of the model $\langle D, I\rangle$ assigns objects in the domain $D$ to these constants. For brevity we introduce the notation $I_v$: if $t$ is a variable or parameter, $I_v(t) = v(t)$, and if $t$ is a constant, $I_v(t) = I(t)$.

Recall the distinction between terms and pseudo-terms: the former are variables and parameters, and now also constants; the latter are iota terms. In the following lemma, $t$ denotes a variable, parameter or constant, not a DD, hence the proof is standard, with the case of lambda atoms similar to the case of quantifiers. In the rest of this section, too, $t$ will refer to terms only. In particular, there is no need to consider pseudo-terms in the Lindenbaum-Henkin construction (Theorem 4), because only terms can be used in the substitutions in the formulas concerned. Pseudo-terms are treated, just as they are in the semantics, as occurring in lambda atoms, and thus like the logical constants in the consideration of the consistent addition of formulas to a set in the construction of its maximally consistent extension.

Lemma 4 (The Substitution Lemma). $\mathcal{M}, v \models \varphi^x_t$ *iff* $\mathcal{M}, v^x_{I_v(t)} \models \varphi$*, if* $t$ *is free for* $x$ *in* $\varphi$*.*

*Proof.* See e.g. [7, 133f] and adjust.

Next, the soundness of GRL.

#### Theorem 3 (Soundness of GRL). *If* $\vdash \Gamma \Rightarrow \Delta$*, then* $\models \Gamma \Rightarrow \Delta$*.*

*Proof.* By induction on the height of the proof. Since it is well known that the rules of G1 are validity preserving, and the claim is obvious for both lambda rules, we show this property only for $(\imath_2 \Rightarrow)$ and $(\Rightarrow \imath)$, leaving $(\imath_1 \Rightarrow)$ as an exercise.
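The two rules treated below are not redisplayed at this point in the text, but their shape can be read off from the suppositions in the proof. Reconstructed in that way (the exact official formulation in GRL, e.g. its context conventions, is an assumption here), they are:

```latex
% Rules (i_2 =>) and (=> i), as reconstructed from the premises assumed in the
% soundness argument; a sketch, not quoted from the official presentation of GRL.
\[
(\imath_2 \Rightarrow)\quad
\frac{\Gamma \Rightarrow \Delta, \varphi^{y}_{b_1} \qquad
      \Gamma \Rightarrow \Delta, \varphi^{y}_{b_2} \qquad
      b_1 = b_2, \Gamma \Rightarrow \Delta}
     {(\lambda x \psi)\imath y \varphi, \Gamma \Rightarrow \Delta}
\]
\[
(\Rightarrow \imath)\quad
\frac{\Gamma \Rightarrow \Delta, \varphi^{y}_{b} \qquad
      \Gamma \Rightarrow \Delta, \psi^{x}_{b} \qquad
      \varphi^{y}_{a}, \Gamma \Rightarrow \Delta, a = b}
     {\Gamma \Rightarrow \Delta, (\lambda x \psi)\imath y \varphi}
\quad \text{($a$ fresh)}
\]
```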

$(\imath_2 \Rightarrow)$. Suppose (1) $\models \Gamma \Rightarrow \Delta, \varphi^y_{b_1}$, (2) $\models \Gamma \Rightarrow \Delta, \varphi^y_{b_2}$, (3) $\models b_1 = b_2, \Gamma \Rightarrow \Delta$, and $\not\models (\lambda x\psi)\imath y\varphi, \Gamma \Rightarrow \Delta$. By the last, there are a structure $\mathcal{M} = \langle D, I\rangle$ and an assignment $v$ such that $\mathcal{M}, v \models (\lambda x\psi)\imath y\varphi$, for all $\gamma \in \Gamma$, $\mathcal{M}, v \models \gamma$, and for all $\delta \in \Delta$, $\mathcal{M}, v \not\models \delta$. Thus by (1), (2) and (3): (4) $\mathcal{M}, v \models \varphi^y_{b_1}$, (5) $\mathcal{M}, v \models \varphi^y_{b_2}$ and (6) $\mathcal{M}, v \not\models b_1 = b_2$. And there is an $o \in D$ such that $\mathcal{M}, v^x_o \models \psi$ and $\mathcal{M}, v^x_o \models \varphi[y/x]$, and (7) for any $y$-variant $v'$ of $v^x_o$, if $\mathcal{M}, v' \models \varphi$, then $v'(y) = o$. By the conventions on the use of free and bound variables in sequents, $x$ is not free in $\varphi^y_{b_1}$ or $\varphi^y_{b_2}$, so $v$ and $v^x_o$ agree on them, and so by (4) and (5) $\mathcal{M}, v^x_o \models \varphi^y_{b_1}$ and $\mathcal{M}, v^x_o \models \varphi^y_{b_2}$. By the substitution lemma, $\mathcal{M}, (v^x_o)^y_{I_{v^x_o}(b_1)} \models \varphi$ and $\mathcal{M}, (v^x_o)^y_{I_{v^x_o}(b_2)} \models \varphi$. So the $y$-variants $v'$ and $v''$ of $v^x_o$ that assign $I_{v^x_o}(b_1)$ and $I_{v^x_o}(b_2)$ to $y$ satisfy $\varphi$ in $\mathcal{M}$, so by (7) $I_{v'}(b_1) = I_{v''}(b_2) = o$. But $v'$ and $v''$ differ from $v$ only in what they assign to $x$ and $y$, so $I_{v'}(b_1) = I_v(b_1)$ and $I_{v''}(b_2) = I_v(b_2)$, hence $I_v(b_1) = I_v(b_2)$, contradicting (6).

$(\Rightarrow \imath)$. Suppose (1) $\models \Gamma \Rightarrow \Delta, \varphi^y_b$, (2) $\models \Gamma \Rightarrow \Delta, \psi^x_b$, (3) $\models \varphi^y_a, \Gamma \Rightarrow \Delta, a = b$, but $\not\models \Gamma \Rightarrow \Delta, (\lambda x\psi)\imath y\varphi$, where $a$ is not free in any formula in $\Gamma$ and $\Delta$ nor in $\varphi$. Then there are a structure $\mathcal{M} = \langle D, I\rangle$ and an assignment $v$ such that for all $\gamma \in \Gamma$, $\mathcal{M}, v \models \gamma$, for all $\delta \in \Delta$, $\mathcal{M}, v \not\models \delta$, and (4) $\mathcal{M}, v \not\models (\lambda x\psi)\imath y\varphi$. So by (1), $\mathcal{M}, v \models \varphi^y_b$, by (2), $\mathcal{M}, v \models \psi^x_b$, and by (4), it is not the case that there is an $o \in D$ such that $\mathcal{M}, v^x_o \models \psi$, $\mathcal{M}, v^x_o \models \varphi^y_x$, and for any $y$-variant $v'$ of $v^x_o$, if $\mathcal{M}, v' \models \varphi$, then $v'(y) = o$; i.e. for every $o \in D$, either $\mathcal{M}, v^x_o \not\models \psi$, or $\mathcal{M}, v^x_o \not\models \varphi^y_x$, or for some $y$-variant $v'$ of $v^x_o$, $\mathcal{M}, v' \models \varphi$ and $v'(y) \neq o$. Consider $I_v(b)$. We have either (5) $\mathcal{M}, v^x_{I_v(b)} \not\models \psi$, or (6) $\mathcal{M}, v^x_{I_v(b)} \not\models \varphi^y_x$, or (7) for some $y$-variant $v'$ of $v^x_{I_v(b)}$, $\mathcal{M}, v' \models \varphi$ and $v'(y) \neq I_v(b)$. By the substitution lemma, from (5) and (6) we would have $\mathcal{M}, v \not\models \psi^x_b$ and $\mathcal{M}, v \not\models (\varphi^y_x)^x_b$, and as $(\varphi^y_x)^x_b$ is the same formula as $\varphi^y_b$, this contradicts the consequences of (1) and (2).

By the conventions on the use of free and bound variables in sequents, $x$ and $y$ are not free in any of their formulas, so $v^x_{I_v(b)}$ agrees with $v$ on all formulas in $\Gamma, \Delta$; thus for all $\gamma \in \Gamma$, $\mathcal{M}, v^x_{I_v(b)} \models \gamma$, and for all $\delta \in \Delta$, $\mathcal{M}, v^x_{I_v(b)} \not\models \delta$. So by (3), if $\mathcal{M}, v^x_{I_v(b)} \models \varphi^y_a$, then $\mathcal{M}, v^x_{I_v(b)} \models a = b$. By the substitution lemma and the semantic clause for identity, if $\mathcal{M}, (v^x_{I_v(b)})^y_{I_v(a)} \models \varphi$, then $I_v(a) = I_v(b)$. Now evidently $(v^x_{I_v(b)})^y_{I_v(a)}(y) = I_v(a)$, so $(v^x_{I_v(b)})^y_{I_v(a)}(y) = I_v(b)$. But $(v^x_{I_v(b)})^y_{I_v(a)}$ is a $y$-variant of $v^x_{I_v(b)}$, and the reasoning holds for any such $y$-variant, contradicting (7).

Let $\bot$ represent an arbitrary contradiction. A set of formulas $\Gamma$ is *inconsistent* iff $\Gamma \vdash \bot$. $\Gamma$ is *consistent* iff it is not inconsistent. A set of formulas $\Gamma$ is *maximal* iff for any formula $A$, either $A \in \Gamma$ or $\neg A \in \Gamma$. A set of formulas $\Gamma$ is *deductively closed* iff, if $\Gamma \vdash A$, then $A \in \Gamma$. We state without proof this standard result:

#### Lemma 5. *Any maximally consistent set is deductively closed.*

Extend $\mathcal{L}$ to a language $\mathcal{L}^+$ by adding countably many new constants ordered in a list $C = c_1, c_2, \ldots$. We will say that such a constant occurs *parametrically* if its occurrence satisfies the restrictions imposed on parameters in $(\Rightarrow \forall)$ and $(\imath_1 \Rightarrow)$.

Theorem 4. *Any consistent set of formulas* Δ *can be extended to a maximally consistent set* Δ<sup>+</sup> *such that:*

*(a) for any formula* $\varphi$ *and variable* $x$*, if* $\neg\forall x\varphi \in \Delta^+$*, then for some constant* $c$*,* $\varphi^x_c \in \Delta^+$*;*

*(b) for any formulas* $\varphi, \psi$ *and variables* $x, y$*, if* $(\lambda x\psi)\imath y\varphi \in \Delta^+$*, then for some constant* $c$*,* $\varphi^y_c, \psi^x_c \in \Delta^+$ *and for all terms* $t$*, if* $\varphi^y_t \in \Delta^+$*, then* $t = c \in \Delta^+$*;*

*(c) for any formulas* $\varphi, \psi$ *and variables* $x, y$*, if* $\neg(\lambda x\psi)\imath y\varphi \in \Delta^+$*, then for all terms* $t$*, either* $\varphi^y_t \notin \Delta^+$*, or for some constant* $c$*,* $\varphi^y_c \in \Delta^+$ *and* $c \neq t \in \Delta^+$*, or* $\psi^x_t \notin \Delta^+$*.*

*Proof.* Extend $\Delta$ by following an enumeration $\phi_1, \phi_2, \ldots$ of the formulas of $\mathcal{L}^+$ in which every formula occurs infinitely many times, as follows:

$\Delta_0 = \Delta$. If $\Delta_n, \phi_n$ is inconsistent, then $\Delta_{n+1} = \Delta_n$. If $\Delta_n, \phi_n$ is consistent, then:

(i) $\Delta_{n+1} = \Delta_n, \phi_n$, if $\phi_n$ is not of any of the forms below;
(ii) $\Delta_{n+1} = \Delta_n, \neg\forall x\varphi, \neg\varphi^x_c$, if $\phi_n = \neg\forall x\varphi$, where $c$ is the first constant of $C$ not occurring in $\Delta_n, \phi_n$;
(iii) $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\imath y\varphi, \varphi^y_c, \psi^x_c$, if $\phi_n = (\lambda x\psi)\imath y\varphi$, where $c$ is the first constant of $C$ not occurring in $\Delta_n, \phi_n$;
(iv) $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\imath y\varphi, \Sigma_n$, if $\phi_n = \neg(\lambda x\psi)\imath y\varphi$,
where $\Sigma_n$ is constructed in the following way. Take a sequence of formulas $\sigma_1, \sigma_2, \ldots$ of the form $\varphi^y_t \rightarrow (\psi^x_t \rightarrow \neg(\varphi^y_c \rightarrow c = t))$, where $t$ is a term in $\Delta_n, \phi_n$, and $c$ is a constant of $C$ not in $\Delta_n, \phi_n$ or any previous formula of the sequence. Let $T = t_1, t_2, \ldots$ be an enumeration of all terms occurring in $\Delta_n, \phi_n$. In case $\Delta_0$ contains infinitely many formulas, it must be ensured that $C$ is not depleted of constants needed later. So pick constants from $C$ by a method that ensures some constants are always left over for later use. The following will do. Let $\sigma_1$ be $\varphi^y_{t_1} \rightarrow (\psi^x_{t_1} \rightarrow \neg(\varphi^y_{c_1} \rightarrow c_1 = t_1))$, where $t_1$ is the first term of $T$ and $c_1$ is the first constant of $C$ not in $\Delta_n, \phi_n$; let $\sigma_2$ be $\varphi^y_{t_2} \rightarrow (\psi^x_{t_2} \rightarrow \neg(\varphi^y_{c_2} \rightarrow c_2 = t_2))$, where $t_2$ is the second term of $T$ and $c_2$ is the $2^2 = 4$th constant of $C$ not in $\Delta_n, \phi_n, \sigma_1$. In general, let $\sigma_n$ be $\varphi^y_{t_n} \rightarrow (\psi^x_{t_n} \rightarrow \neg(\varphi^y_{c_n} \rightarrow c_n = t_n))$, where $t_n$ is the $n$th term of $T$ and $c_n$ is the $2^n$th constant of $C$ not in $\Delta_n, \phi_n$ nor any $\sigma_i$, $i < n$. The entire collection of the $\sigma_i$ is $\Sigma_n$.
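That the $2^n$th-unused-constant schedule never exhausts $C$ can be checked concretely. The following toy Python sketch (the function name and the encoding of constants as positive integers are ours, not the paper's) simulates the schedule: at step $n$ it reserves the $2^n$th constant not used so far, so ever larger blocks of $C$ are skipped and remain available for later use.

```python
# Toy simulation of the constant-picking schedule used to build Sigma_n.
# Assumption (not from the paper): the list C = c_1, c_2, ... is modelled
# by the positive integers 1, 2, 3, ...

def pick_constants(steps):
    """At step n (n = 1, 2, ...), reserve the (2**n)-th constant not yet used."""
    used = set()
    picks = []
    for n in range(1, steps + 1):
        target = 2 ** n          # the 2^n-th unused constant is taken
        c, seen = 0, 0
        while seen < target:     # walk through C, counting unused constants
            c += 1
            if c not in used:
                seen += 1
        used.add(c)
        picks.append(c)
    return picks

# Between consecutive picks whole blocks of C stay untouched, so after any
# finite number of steps infinitely many constants are still available.
print(pick_constants(4))  # → [2, 5, 10, 19]
```

Note that constant $c_1$ (here the integer 1) is never reserved at all, which illustrates why the schedule cannot deplete $C$.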

$\Delta_{n+1}$ is consistent if $\Delta_n, \phi_n$ is:

Case (i). Trivial.

Case (ii). Suppose $\Delta_{n+1} = \Delta_n, \neg\forall x\varphi, \neg\varphi^x_c$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$: $\vdash \Delta'_n, \neg\forall x\varphi, \neg\varphi^x_c \Rightarrow \bot$. Hence $\vdash \Delta'_n, \neg\forall x\varphi \Rightarrow \varphi^x_c$ by the deductive properties of negation. $c$ does not occur in any formula in $\Delta'_n$ nor in $\neg\forall x\varphi$, so it occurs parametrically, and so by $(\Rightarrow \forall)$, $\vdash \Delta'_n, \neg\forall x\varphi \Rightarrow \forall x\varphi$. Hence $\vdash \Delta'_n \Rightarrow \forall x\varphi$, again by the deductive properties of negation. But then $\Delta'_n, \neg\forall x\varphi$ is inconsistent, and hence so is $\Delta_n, \neg\forall x\varphi$.

Case (iii). Suppose $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\imath y\varphi, \varphi^y_c, \psi^x_c$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$, $\vdash \Delta'_n, (\lambda x\psi)\imath y\varphi, \varphi^y_c, \psi^x_c \Rightarrow \bot$. $c$ does not occur in $\Delta'_n, (\lambda x\psi)\imath y\varphi$, so it occurs parametrically, and hence by $(\imath_1 \Rightarrow)$, $\vdash \Delta'_n, (\lambda x\psi)\imath y\varphi \Rightarrow \bot$; that is to say, $\Delta'_n, (\lambda x\psi)\imath y\varphi$ is inconsistent, and so is $\Delta_n, (\lambda x\psi)\imath y\varphi$.

Case (iv). Suppose $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\imath y\varphi, \Sigma_n$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$ and a finite $\{\sigma_j, \ldots, \sigma_k\} \subseteq \Sigma_n$, $\vdash \Delta'_n, \neg(\lambda x\psi)\imath y\varphi, \sigma_j \ldots \sigma_k \Rightarrow \bot$. Let $\sigma_k$ be $\varphi^y_{t_k} \rightarrow (\psi^x_{t_k} \rightarrow \neg(\varphi^y_{c_k} \rightarrow c_k = t_k))$. Then by the deductive properties of implication and negation:

$$\begin{array}{l} \vdash \Delta'\_{n}, \neg(\lambda x \psi) \imath y \varphi, \sigma\_{j} \dots \sigma\_{k-1} \Rightarrow \varphi^{y}\_{t\_{k}} \\ \vdash \Delta'\_{n}, \neg(\lambda x \psi) \imath y \varphi, \sigma\_{j} \dots \sigma\_{k-1} \Rightarrow \psi^{x}\_{t\_{k}} \\ \vdash \Delta'\_{n}, \neg(\lambda x \psi) \imath y \varphi, \sigma\_{j} \dots \sigma\_{k-1}, \varphi^{y}\_{c\_{k}} \Rightarrow c\_{k} = t\_{k} \end{array}$$

$c_k$ was chosen so as not to occur in any previous $\sigma_i$, $i < k$, nor in $\Delta_n, \phi_n$. Hence it occurs parametrically and the conditions for $(\Rightarrow \imath)$ are fulfilled. Thus $\vdash \Delta'_n, \neg(\lambda x\psi)\imath y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow (\lambda x\psi)\imath y\varphi$. But $\vdash \Delta'_n, \neg(\lambda x\psi)\imath y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow \neg(\lambda x\psi)\imath y\varphi$. So $\Delta'_n, \neg(\lambda x\psi)\imath y\varphi, \sigma_j \ldots \sigma_{k-1}$ is inconsistent. Repeat this process from $\sigma_{k-1}$ all the way down to $\sigma_j$, showing that $\Delta'_n, \neg(\lambda x\psi)\imath y\varphi$ is inconsistent. Hence so is $\Delta_n, \neg(\lambda x\psi)\imath y\varphi$.

Let $\Delta^+$ be the union of all $\Delta_i$. $\Delta^+$ is maximal, for if neither $\varphi$ nor $\neg\varphi$ is in $\Delta^+$, then there is a $\Delta_k \subseteq \Delta^+$ such that $\Delta_k, \varphi \vdash \bot$ and $\Delta_k, \neg\varphi \vdash \bot$; but then $\Delta_k$ is inconsistent, contradicting the method of construction of $\Delta_k$. $\Delta^+$ is consistent, because otherwise some $\Delta_i$ would have to be inconsistent, but they are not.

Δ<sup>+</sup> satisfies (a) by construction.

To see that it satisfies (b), suppose $(\lambda x\psi)\imath y\varphi \in \Delta^+$. Then there is a $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\imath y\varphi, \varphi^y_c, \psi^x_c$, and so $\varphi^y_c, \psi^x_c \in \Delta^+$. Suppose $\varphi^y_t \in \Delta^+$. Then there is a $\Delta' \subseteq \Delta^+$ such that $\vdash \Delta' \Rightarrow \varphi^y_c$, $\vdash \Delta' \Rightarrow \varphi^y_t$, and by the properties of identity $\vdash t = c \Rightarrow t = c$. But then by $(\imath_2 \Rightarrow)$, $\vdash \Delta', (\lambda x\psi)\imath y\varphi \Rightarrow t = c$, hence $t = c \in \Delta^+$ by the deductive closure of $\Delta^+$.

To see that it satisfies (c), suppose $\neg(\lambda x\psi)\imath y\varphi \in \Delta^+$, but for some term $t$, $\varphi^y_t \in \Delta^+$, (1) for all constants $c$, if $\varphi^y_c \in \Delta^+$, then $c = t \in \Delta^+$, and $\psi^x_t \in \Delta^+$. As every formula occurs infinitely many times in the enumeration of formulas of $\mathcal{L}^+$, there is a $\Delta_n$ that contains $\varphi^y_t$ and $\psi^x_t$ and $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\imath y\varphi, \Sigma_n$. Thus $\varphi^y_t \rightarrow (\psi^x_t \rightarrow \neg(\varphi^y_b \rightarrow b = t)) \in \Sigma_n$, for some constant $b$ of $C$. Consequently, this formula is in $\Delta^+$ too. By the deductive properties of implication and negation and the deductive closure and consistency of $\Delta^+$, (2) $\varphi^y_b \in \Delta^+$ and $b = t \notin \Delta^+$. But by (1) and (2), $b = t \in \Delta^+$. Contradiction.

This completes the proof of Theorem 4.

#### Theorem 5. *If* Δ *is a consistent set of formulas, then* Δ *is satisfiable.*

*Proof.* Extend $\Delta$ to a maximally consistent set $\Delta^+$ as per Theorem 4. We construct from $\Delta^+$ a structure $\mathcal{M} = \langle D, I\rangle$ and a function $v : VAR \cup PAR \rightarrow D$ which will satisfy $\Delta$. $D$ is the set of equivalence classes of terms under the identities $t_1 = t_2 \in \Delta^+$. Denote the equivalence class to which $t$ belongs by $[t]$. For all predicate letters $P$, $\langle [t_1], \ldots, [t_n]\rangle \in I(P^n)$ iff $P^n(t_1, \ldots, t_n) \in \Delta^+$. For all variables, $v(x) = [x]$, and for all parameters, $v(a) = [a]$; in these latter cases $I_v = v$, and for all new constants of $C$, $I_v(c) = [c]$. We show by induction on the number of logical constants (connectives, quantifiers, $\imath$ and $\lambda$ symbols) in a formula $\varphi$ that $\mathcal{M}, v \models \varphi$ if and only if $\varphi \in \Delta^+$.
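The domain construction above can be illustrated concretely for a finite fragment. The following Python sketch (the function name and the finite encoding of $\Delta^+$ as a list of identity pairs are ours, purely illustrative) computes the equivalence classes of terms under a given set of identities with a union-find structure:

```python
# A toy model of the domain D in Theorem 5: D is the set of equivalence
# classes of terms under the identities t1 = t2 in Delta+. Here Delta+ is
# modelled by a finite list of identity pairs over a finite set of terms.

def equivalence_classes(terms, identities):
    parent = {t: t for t in terms}

    def find(t):                      # union-find with path compression
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for t1, t2 in identities:         # each identity "t1 = t2" merges classes
        parent[find(t1)] = find(t2)

    classes = {}
    for t in terms:
        classes.setdefault(find(t), set()).add(t)
    return [frozenset(c) for c in classes.values()]

# [t] = [s] exactly when t = s follows from the identities by closure,
# mirroring the clause "[t1] = [t2] iff t1 = t2 in Delta+" below.
D = equivalence_classes(["a", "b", "c", "d"], [("a", "b"), ("b", "c")])
print(sorted(len(cls) for cls in D))  # → [1, 3]
```

Here `a = b` and `b = c` collapse three terms into one class, while `d` forms a singleton class, just as distinct equivalence classes yield distinct elements of $D$.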

Suppose $\varphi$ is an atomic formula. (a) $\varphi$ is $P^n(t_1, \ldots, t_n)$. Then $\mathcal{M}, v \models P^n(t_1, \ldots, t_n)$ iff $\langle I_v(t_1), \ldots, I_v(t_n)\rangle \in I(P^n)$, iff $\langle [t_1], \ldots, [t_n]\rangle \in I(P^n)$, iff $P^n(t_1, \ldots, t_n) \in \Delta^+$. (b) $\varphi$ is $t_1 = t_2$. Then $\mathcal{M}, v \models t_1 = t_2$ iff $I_v(t_1) = I_v(t_2)$, iff $[t_1] = [t_2]$, and, as these are equivalence classes under identities in $\Delta^+$, iff $t_1 = t_2 \in \Delta^+$.

For the rest of the proof suppose that $\mathcal{M}, v \models \varphi$ if and only if $\varphi \in \Delta^+$, where $\varphi$ has fewer than $n$ logical constants. We skip the standard cases of $\neg, \wedge, \forall$ (see e.g. [7]).

Case 4. ϕ is (λxψ)t.

$(\lambda x\psi)t \in \Delta^+$ iff $\psi^x_t \in \Delta^+$ by the deductive closure of $\Delta^+$, iff $\mathcal{M}, v \models \psi^x_t$ by the induction hypothesis. $t$ must be free for $x$ in $\psi$, hence by the substitution lemma, $\mathcal{M}, v \models \psi^x_t$ iff $\mathcal{M}, v^x_{I_v(t)} \models \psi$, iff $\mathcal{M}, v^x_{[t]} \models \psi$, as $I_v(t) = [t]$ holds by the construction of $\mathcal{M}$; and this in turn is the case iff $\mathcal{M}, v \models (\lambda x\psi)t$, by the first semantic clause for lambda atoms.

Case 5. ϕ is (λxψ)ıyχ.

(a) If $(\lambda x\psi)\imath y\chi \notin \Delta^+$, then by deductive closure $\neg(\lambda x\psi)\imath y\chi \in \Delta^+$, and so for all terms $t$, either $\chi^y_t \notin \Delta^+$, or for some constant $c$, $\chi^y_c \in \Delta^+$ and $c \neq t \in \Delta^+$, or $\psi^x_t \notin \Delta^+$. $[t] \in D$ iff $t$ is a term, so by the induction hypothesis, for all $[t] \in D$, either $\mathcal{M}, v \not\models \chi^y_t$, or there is a $[c] \in D$ such that $\mathcal{M}, v \models \chi^y_c$ and $\mathcal{M}, v \not\models c = t$, or $\mathcal{M}, v \not\models \psi^x_t$. $\chi^y_t$ is the same formula as $(\chi^y_x)^x_t$, so $\mathcal{M}, v \not\models (\chi^y_x)^x_t$. Furthermore, $x$ and $y$ are not free in $\chi^y_c$, so for any $o \in D$, $\mathcal{M}, v \models \chi^y_c$ iff $\mathcal{M}, v^x_o \models \chi^y_c$. By the substitution lemma, either $\mathcal{M}, v^x_{I_v(t)} \not\models \chi^y_x$, or $\mathcal{M}, v^x_{I_v(t)} \not\models \psi$, or there is a $[c] \in D$ such that $\mathcal{M}, (v^x_{I_v(t)})^y_{I_v(c)} \models \chi$ and $\mathcal{M}, (v^x_{I_v(t)})^y_{I_v(c)} \not\models y = x$. $I_v(t) = [t]$ and $I_v(c) = [c]$, so either $\mathcal{M}, v^x_{[t]} \not\models \chi^y_x$, or $\mathcal{M}, v^x_{[t]} \not\models \psi$, or there is a $[c] \in D$ such that $\mathcal{M}, (v^x_{[t]})^y_{[c]} \models \chi$ and $\mathcal{M}, (v^x_{[t]})^y_{[c]} \not\models y = x$, i.e. $(v^x_{[t]})^y_{[c]}(y) \neq [t]$. $(v^x_{[t]})^y_{[c]}$ is a $y$-variant of $v^x_{[t]}$, hence $\mathcal{M}, v \not\models (\lambda x\psi)\imath y\chi$.

(b) If $(\lambda x\psi)\imath y\chi \in \Delta^+$, then for some constant $c$, $\psi^x_c, \chi^y_c \in \Delta^+$ and for all terms $t$, if $\chi^y_t \in \Delta^+$, then $c = t \in \Delta^+$. By the induction hypothesis, $\mathcal{M}, v \models \psi^x_c$ and $\mathcal{M}, v \models \chi^y_c$. As $y$ is either identical to $x$ or $x$ is not free in $\chi$, $\chi^y_c$ is the same formula as $(\chi^y_x)^x_c$, and $I_v(c) = [c]$, so by the substitution lemma $\mathcal{M}, v^x_{[c]} \models \psi$ and $\mathcal{M}, v^x_{[c]} \models \chi^y_x$. Furthermore, for all $[t] \in D$, if $\mathcal{M}, v \models \chi^y_t$, then $\mathcal{M}, v \models c = t$, i.e. $I_v(t) = I_v(c)$, i.e. $I_v(t) = [c]$. Let $v'$ be a $y$-variant of $v^x_{[c]}$, i.e. $v' = (v^x_{[c]})^y_{[s]}$ for some $[s] \in D$. Either $y$ is identical to $x$ or $x$ is not free in $\chi$, so $(v^x_{[c]})^y_{[s]}$ and $v^y_{[s]}$ agree on the assignments of elements of $D$ to all variables free in $\chi$, and so $\mathcal{M}, (v^x_{[c]})^y_{[s]} \models \chi$ iff $\mathcal{M}, v^y_{[s]} \models \chi$. So suppose now $\mathcal{M}, v' \models \chi$ and $v'(y) \neq [c]$. $v'(y) = [s]$, so $[c] \neq [s]$. Then $\mathcal{M}, v^y_{[s]} \models \chi$, and also if $\mathcal{M}, v \models \chi^y_s$, then $\mathcal{M}, v \models c = s$, i.e. $I_v(s) = I_v(c)$, i.e. $I_v(s) = [c]$. But $I_v(s) = [s]$, so $I_v(s) \neq [c]$. Hence $\mathcal{M}, v \not\models \chi^y_s$, and so by the substitution lemma, $\mathcal{M}, v^y_{[s]} \not\models \chi$. Contradiction.

Finally, restrict the language again to the language of $\Delta$: the structure $\mathcal{M}$ constructed from $\Delta^+$ satisfies $\Delta$. This completes the proof of Theorem 5.

#### Theorem 6 (Completeness for Sequents). *If* $\models \Gamma \Rightarrow \Delta$*, then* $\vdash \Gamma \Rightarrow \Delta$*.*

*Proof.* Let $\neg\Delta$ be the set of negations of all formulas in $\Delta$. If $\models \Gamma \Rightarrow \Delta$, then $\Gamma, \neg\Delta$ is not satisfiable. Hence by Theorem 5 it is inconsistent, and as both are finite, $\vdash \Gamma, \neg\Delta \Rightarrow \bot$. Hence by the properties of negation $\vdash \Gamma \Rightarrow \Delta$.

#### Theorem 7 (Completeness for Sets). *If* $\Gamma \models A$*, then* $\Gamma \vdash A$*.*

*Proof.* Suppose $\Gamma \models A$. Then $\Gamma, \neg A$ is not satisfiable, hence by Theorem 5 it is inconsistent and $\Gamma, \neg A \vdash \bot$. So for some finite $\Sigma \subseteq \Gamma \cup \{\neg A\}$, $\vdash \Sigma \Rightarrow \bot$. If $\neg A \in \Sigma$, then by the deductive properties of negation $\vdash \Sigma - \{\neg A\} \Rightarrow A$, and as $\Sigma - \{\neg A\}$ is certain to be a subset of $\Gamma$, $\Gamma \vdash A$. If $\neg A \notin \Sigma$, then $\vdash \Sigma \Rightarrow A$ by the properties of negation, and again $\Gamma \vdash A$. By Theorems 1 and 7 we also obtain the (strong) completeness of HRL.

# 6 Conclusion

Summing up, RL preserves the essential features of the Russellian approach to definite descriptions. It avoids problems like the arbitrary restriction of axiom R to predicate symbols and scoping difficulties. In the semantics it retains the reductionist Russellian flavour in the sense that DDs are not characterised by an interpretation function; instead they are treated as a case in the clauses of the forcing definition for lambda atoms. In this respect RL differs from the approach of Fitting and Mendelsohn [10], which is closer to the Fregean tradition.

The rules of GRL are in principle direct counterparts of the tableau rules from [17], but with two important exceptions. The tableau rule corresponding to $(=^{-})$ is not restricted to atomic formulas, and the tableau rule corresponding to $(\imath_2 \Rightarrow)$ is not branching. Its counterpart in the sequent calculus would be:

$$(\imath\_2 \Rightarrow')\quad \frac{b\_1 = b\_2, \Gamma \Rightarrow \Delta}{(\lambda x \psi) \imath y \varphi, \varphi[y/b\_1], \varphi[y/b\_2], \Gamma \Rightarrow \Delta}$$

Such a non-branching rule is certainly much better for proof search, but it is not possible to prove the cut elimination theorem in its presence. The same applies to $(=^{-})$ without the restriction to atomic formulas. In both cases the occurrences of arbitrary formulas $\varphi$ in the antecedent of the conclusion can be cut formulas, and, in case the cut formula in the left premiss of the cut application is principal, it is not possible to reduce the complexity of the cut formulas.

There is an interesting advantage of the sequent characterisation of RL over the tableau formalisation from [17]. Since no rule specific to GRL has more than one active formula in the succedent, these rules are also correct in the setting of intuitionistic logic as characterised by G1i [34]. It is sufficient to change the background calculus to the intuitionistic version (with $(\leftrightarrow\Rightarrow)$ and $(\Rightarrow\vee)$ split into two rules, and $(\Rightarrow C), (\Rightarrow W)$ deleted) and check that all proofs from Sects. 3 and 4 hold also for a (syntactically characterised) intuitionistic version of RL. By comparison, the changes in the tableau setting would be rather more involved, connected with the introduction of labels naming the states of knowledge in the constructed model.

The approach provided here may also be modified to cover some more expressive logics (like modal ones) and some other theories of DD, like those proposed in the context of free logics. Some preliminary work in this direction is found in [12] and [13]. On the other hand, the problems briefly mentioned in Sect. 1 need serious examination, and this may be carried out only after the implementation of the presented formal systems. This is one of the most important future tasks.

Acknowledgements. We would like to thank Michał Zawidzki for his comments and suggestions.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Towards Proof-Theoretic Formulation of the General Theory of Term-Forming Operators**

Andrzej Indrzejczak

Department of Logic, University of Lodz, Lodz, Poland
andrzej.indrzejczak@filhist.uni.lodz.pl

**Abstract.** Term-forming operators (tfos), like the iota- or epsilon-operator, are technical devices applied to build complex terms in formal languages. Although they are very useful in practice, their theory is not well developed. In this paper we provide a proof-theoretic formulation of the general approach to tfos developed independently by several authors, including Scott, Hatcher, and Corcoran, and compare it with an approach proposed later by Tennant. Finally, it is shown how the general theory can be applied to specific areas like Quine's set theory NF.

**Keywords:** Term-Forming Operators · Abstraction Operator · Definite Descriptions · Sequent Calculus · Quine

# **1 Introduction**

In formal languages, terms are usually treated as those elements of the language which only refer to objects in the domain of discourse. In particular, this way of treating terms prevails in proof theory and automated deduction, where usually only functional terms are admitted. In contrast, in natural languages naming expressions are very often used not only to refer to objects but also to convey information about them. In the earlier stages of the development of mathematical logic, several formal devices were introduced for this aim which are currently rather neglected. These term-forming operators, called tfos or vbtos (variable-binding term operators) for short, include, among others:


Funded by the European Union (ERC, ExtenDD, project number: 101054714). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them.

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 131–149, 2023. https://doi.org/10.1007/978-3-031-43513-3\_8

It seems that currently only the lambda-operator is treated as an important tool; it has found diverse applications in recursion theory, type theory and proof theory. The abstraction operator, although commonly used in practice, is rarely treated seriously in the formal development of set theories. The remaining ones are, sadly, treated as formal tools of merely historical value. Since the role of complex terms as information-conveying tools is crucial in communication, it is important to fill this gap.

Recently, more attention has been paid to the proof theory of definite descriptions. In particular, cut-free sequent calculi were provided for Fregean [11], Russellian [17] and free description theories [13]. The latter theories were also characterised in terms of tableau systems [18], and tableau calculus was also used to develop a Russellian theory in a language enriched with the lambda-operator [19]. Some modal logics of definite descriptions were also developed in terms of cut-free sequent calculi [10]; in particular, the logic of Fitting and Mendelsohn [5] was independently formalised as a labelled sequent calculus [28] and as a hybrid system [12]. Alternatively, interesting natural deduction and sequent calculi were proposed for free and intuitionistic logics of definite descriptions characterised in terms of a binary quantifier [21–25].

Since definite descriptions are amenable to proof-theoretic treatment, it is tempting to expect equally interesting results for other tfos. Perhaps one should start by asking whether a general theory of such operators is possible. In fact, at least two different attempts to develop such a theory have been proposed. The earlier approach was independently introduced by several authors, including Scott [32], Da Costa [3,4], Hatcher [7,8], and Corcoran and Herring [1,2]. It was formulated semantically and as an axiomatic theory. In what follows it will be called simply S-theory (after Scott). The second approach was introduced by Neil Tennant [33], and then developed in [35] as a general theory of abstraction operators (see also [34,36]). This T-theory was formulated in terms of a natural deduction system with an adequate semantic characterisation. In what follows we examine these two approaches and show how they can be formulated as well-behaved sequent calculi in Sect. 3. Then, in Sect. 4, we consider their specialisation to the set-abstraction operator. For this aim we focus on Quine's version of set theory NF (New Foundations) [29] (see also [30]), but the proposed systems may be modified to apply to other formulations of set theory as well.

# **2 Preliminaries**

We will use standard first-order predicate languages with the quantifiers ∀, ∃, the identity predicate =, and an arbitrary term-forming operator τ making complex terms from formulae of the language. The definition of terms and formulae is standard, by simultaneous recursion on both categories. In the presented system the only terms are variables and complex terms constructed by means of an arbitrary unary tfo τ. Complex terms are written as τxϕ, where ϕ is a formula in the scope of the respective operator.
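As an illustration (not part of the paper's formal apparatus), the simultaneous recursion of terms and formulae with τ-terms can be sketched as a pair of mutually recursive datatypes; all class names below are hypothetical.

```python
from dataclasses import dataclass
from typing import Union

# Terms: bound variables, parameters, and complex tau-terms.
@dataclass(frozen=True)
class Var:            # bound variable: x, y, z, ...
    name: str

@dataclass(frozen=True)
class Par:            # free variable (parameter): a, b, c, ...
    name: str

@dataclass(frozen=True)
class Tau:            # complex term tau x. phi, built from a formula
    var: Var
    body: 'Formula'

Term = Union[Var, Par, Tau]

# Formulae: atoms over terms plus (a fragment of) the connectives.
@dataclass(frozen=True)
class Atom:
    pred: str
    args: tuple       # tuple of Terms

@dataclass(frozen=True)
class Forall:
    var: Var
    body: 'Formula'

Formula = Union[Atom, Forall]

# The mutual recursion in action: a tau-term contains a formula, and
# that formula may in turn contain tau-terms.
x, y = Var('x'), Var('y')
t = Tau(x, Atom('A', (x,)))             # tau x. A(x)
phi = Forall(y, Atom('B', (t, y)))      # forall y. B(tau x. A(x), y)
```

Frozen dataclasses give structural equality for free, which is convenient when checking whether two terms are syntactically identical.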


In accordance with Gentzen's custom we divide individual variables into bound variables VAR = {x, y, z, ...} and free variables (parameters) PAR = {a, b, c, ...}. This simplifies the treatment of some technical issues concerning substitution and proof transformations. In the metalanguage, ϕ, ψ, χ denote any formulae and Γ, Δ, Π, Σ their multisets. Metavariables t, t1, ... denote arbitrary terms. ϕ[t1/t2] is officially used for the operation of correct substitution of a term t2 for all occurrences of a term t1 (a variable or parameter) in ϕ, and similarly Γ[t1/t2] for a uniform substitution in all formulae in Γ. Occasionally, we will use the simplified notation ϕ(t) to denote the result of correct substitution.
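To see why the Gentzen-style split of variables pays off, here is a minimal sketch (with an illustrative tuple encoding, none of it from the paper) of substitution for parameters: since parameters are never bound, plain structural replacement suffices and no capture-avoiding renaming is required.

```python
# Formulae and terms encoded as nested tuples, e.g.
# ('forall', 'x', ('R', 'x', 'a')); parameters are plain strings
# like 'a', 'b'. Purely illustrative encoding.

def subst_par(obj, old, new):
    """Substitution [old/new] for a parameter: plain structural
    replacement, since a parameter can never be captured by a binder."""
    if obj == old:
        return new
    if isinstance(obj, tuple):
        return tuple(subst_par(part, old, new) for part in obj)
    return obj

def subst_multiset(gamma, old, new):
    """Uniform substitution Gamma[old/new] in every formula of a multiset."""
    return [subst_par(phi, old, new) for phi in gamma]

phi = ('forall', 'x', ('R', 'x', 'a'))      # forall x. R(x, a)
assert subst_par(phi, 'a', 'b') == ('forall', 'x', ('R', 'x', 'b'))
```

Had substitution been defined for bound variables instead, the binder case would need a freshness check and renaming; the parameter convention makes the operation trivially correct.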

First-order logic in general will be abbreviated as FOL, or FOLI if identity is primitive. CFOL(I), PFFOL(I) and NFFOL(I) denote the classical, positive free and negative free versions, respectively. The basic system GC for CFOL consists of the following rules:

$$(Cut)\ \frac{\Gamma \Rightarrow \Delta, \varphi \qquad \varphi, \Pi \Rightarrow \Sigma}{\Gamma, \Pi \Rightarrow \Delta, \Sigma} \qquad (AX)\ \ \varphi, \Gamma \Rightarrow \Delta, \varphi$$

$$(\neg\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi}{\neg\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\neg)\ \frac{\varphi, \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta, \neg\varphi} \qquad (W\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta}{\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow W)\ \frac{\Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta, \varphi}$$

$$(\wedge\Rightarrow)\ \frac{\varphi, \psi, \Gamma \Rightarrow \Delta}{\varphi \wedge \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\wedge)\ \frac{\Gamma \Rightarrow \Delta, \varphi \qquad \Gamma \Rightarrow \Delta, \psi}{\Gamma \Rightarrow \Delta, \varphi \wedge \psi} \qquad (C\Rightarrow)\ \frac{\varphi, \varphi, \Gamma \Rightarrow \Delta}{\varphi, \Gamma \Rightarrow \Delta}$$

$$(\vee\Rightarrow)\ \frac{\varphi, \Gamma \Rightarrow \Delta \qquad \psi, \Gamma \Rightarrow \Delta}{\varphi \vee \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\vee)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \psi}{\Gamma \Rightarrow \Delta, \varphi \vee \psi} \qquad (\Rightarrow C)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \varphi}{\Gamma \Rightarrow \Delta, \varphi}$$

$$(\rightarrow\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi \qquad \psi, \Gamma \Rightarrow \Delta}{\varphi \rightarrow \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\rightarrow)\ \frac{\varphi, \Gamma \Rightarrow \Delta, \psi}{\Gamma \Rightarrow \Delta, \varphi \rightarrow \psi}$$

$$(\leftrightarrow\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \psi \qquad \varphi, \psi, \Gamma \Rightarrow \Delta}{\varphi \leftrightarrow \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\leftrightarrow)\ \frac{\varphi, \Gamma \Rightarrow \Delta, \psi \qquad \psi, \Gamma \Rightarrow \Delta, \varphi}{\Gamma \Rightarrow \Delta, \varphi \leftrightarrow \psi}$$

$$(\forall\Rightarrow)\ \frac{\varphi[x/t], \Gamma \Rightarrow \Delta}{\forall x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\forall)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/a]}{\Gamma \Rightarrow \Delta, \forall x\varphi} \qquad (\exists\Rightarrow)\ \frac{\varphi[x/a], \Gamma \Rightarrow \Delta}{\exists x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\exists)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/t]}{\Gamma \Rightarrow \Delta, \exists x\varphi}$$

where a is a fresh parameter (eigenvariable), not present in Γ,Δ and ϕ. If instead of (∀⇒) and (⇒∃) we introduce:

$$(\forall\Rightarrow)\ \frac{\varphi[x/b], \Gamma \Rightarrow \Delta}{\forall x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\exists)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/b]}{\Gamma \Rightarrow \Delta, \exists x\varphi}$$

we obtain a pure variant GPC which is adequate for CFOL with variables as the only terms, but in general incomplete for extensions with some tfos.
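In a pure calculus every quantifier rule instantiates with parameters, and (⇒∀) additionally demands a fresh one. A rough proof-search sketch of this bottom-up step, under an illustrative tuple encoding (none of it from the paper):

```python
# Formulae as nested tuples; parameters are tagged ('par', name),
# bound variables are plain strings like 'x'. Illustrative only.

def params(obj, acc=None):
    """Collect all parameter names occurring in a term/formula/sequent."""
    if acc is None:
        acc = set()
    if isinstance(obj, tuple):
        if obj and obj[0] == 'par':
            acc.add(obj[1])
        else:
            for part in obj:
                params(part, acc)
    return acc

def subst(obj, var, term):
    """Naive replacement of bound variable `var` by `term` (ignores
    rebinding by inner quantifiers; enough for this sketch)."""
    if obj == var:
        return term
    if isinstance(obj, tuple) and not (obj and obj[0] == 'par'):
        return tuple(subst(p, var, term) for p in obj)
    return obj

def apply_forall_right(gamma, delta, target):
    """Bottom-up application of (=>forall): replace `target` =
    ('forall', x, body) in delta by body[x/a] for a fresh parameter a."""
    tag, var, body = target
    used = params((tuple(gamma), tuple(delta)))
    fresh = next(f'a{i}' for i in range(len(used) + 1)
                 if f'a{i}' not in used)
    new_delta = [phi for phi in delta if phi != target]
    new_delta.append(subst(body, var, ('par', fresh)))
    return gamma, new_delta
```

The freshness search is the operational content of the eigenvariable condition: the chosen parameter must occur nowhere in Γ, Δ or ϕ.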

The variant GF for PFFOL can be obtained by changing all quantifier rules into:

$$(\forall \Rightarrow)^{F} \quad \frac{\varphi[x/t], \varGamma \Rightarrow \varDelta}{Et, \forall x\varphi, \varGamma \Rightarrow \varDelta} \quad (\Rightarrow \forall)^{F} \quad \frac{Ea, \varGamma \Rightarrow \varDelta, \varphi[x/a]}{\varGamma \Rightarrow \varDelta, \forall x\varphi}$$

$$(\exists \Rightarrow)^{F} \quad \frac{Ea, \varphi[x/a], \varGamma \Rightarrow \varDelta}{\exists x\varphi, \varGamma \Rightarrow \varDelta} \; (\Rightarrow \exists)^{F} \quad \frac{\varGamma \Rightarrow \varDelta, \varphi[x/t]}{Et, \varGamma \Rightarrow \varDelta, \exists x\varphi}$$

where E is the existence predicate, usually defined as Et := ∃x(x = t). This form of the rules reflects the fact that in free logics terms may designate nonexistent objects, whereas quantifiers have existential import. For the pure version GPF we again use b instead of t in (∀⇒)^F and (⇒∃)^F.

Moreover, in negative free logic atomic formulae containing such terms are false, which implies that Et → t = t and ϕ(t) → Et for any atomic formula ϕ. Hence to obtain GNF (or GPNF) for NFFOL we add to GF (or GPF) the rule requiring all predicates to be strict, in the sense that they are satisfied only by denoting terms:

$$(Str)\ \frac{Et, \Gamma \Rightarrow \Delta}{\varphi(t), \Gamma \Rightarrow \Delta} \qquad \text{where } \varphi \text{ is atomic.}$$

Identity can be characterised in GC (GPC) and GF (GPF) in several ways (see [16]). For our purposes we use the following rules:

$$(Ref)\ \frac{t=t, \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta} \qquad (2LL)\ \frac{\Gamma \Rightarrow \Delta, t_1 = t_2 \qquad \Gamma \Rightarrow \Delta, \varphi[x/t_1]}{\Gamma \Rightarrow \Delta, \varphi[x/t_2]}$$

where ϕ is atomic.

GCI, GPCI, GFI and GPFI will denote the respective calculi with the rules for identity added. In the case of NFFOLI, due to the strictness condition, reflexivity does not hold unconditionally and we must weaken the first rule, using instead:

$$(Ref)^{N}\ \frac{t=t, \Gamma \Rightarrow \Delta}{Et, \Gamma \Rightarrow \Delta}$$

GNFI and GPNFI will denote the respective calculi for NFFOLI with the rules for identity having (Ref)^N.

Proofs are defined in the standard way as finite trees with nodes labelled by sequents. The height of a proof D of Γ ⇒ Δ is defined as the number of nodes of the longest branch in D. ⊢_k Γ ⇒ Δ means that Γ ⇒ Δ has a proof of height at most k. Let us recall that the formulae displayed in the schemata are active, whereas the remaining ones are parametric, or form a context. In particular, all active formulae in the premisses are called side formulae, and the one in the conclusion is the principal formula of the respective rule application.
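The height measure can be stated operationally; a small sketch (illustrative labels, not the paper's notation):

```python
# A proof as a finite tree: each node is (sequent_label, list_of_subproofs).
# Height = number of nodes on the longest branch, as defined above.

def height(proof):
    sequent, premisses = proof
    if not premisses:
        return 1                                  # a leaf (axiom) counts as 1
    return 1 + max(height(p) for p in premisses)

ax1 = ('phi, psi => phi', [])                     # instances of (AX)
ax2 = ('phi, psi => psi', [])
step = ('phi, psi => phi and psi', [ax1, ax2])    # one application of (=>and)

assert height(step) == 2
```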

Note that the cut-elimination theorem holds for all the above-mentioned calculi (see e.g. [15]), and the full Leibniz' Law LL: t1 = t2, ϕ[x/t1] ⇒ ϕ[x/t2] (for arbitrary formula ϕ) is also provable.

## **3 The General Theory**

The S-theory of tfos is expressed by two general principles:

$$\begin{array}{l} \text{EXT: } \forall x(\varphi(x) \leftrightarrow \psi(x)) \rightarrow \tau x\varphi(x) = \tau x\psi(x) \\ \text{AV: } \tau x\varphi(x) = \tau y\varphi(y) \end{array}$$

or, equivalently, by one principle:

EXTAV: ∀xy(x = y → (ϕ(x) ↔ ψ(y))) → τxϕ(x) = τyψ(y)

Such a general theory was first developed on the basis of positive free first-order logic with identity by Scott [32]. However, the remaining authors used classical first-order logic with identity as the basis. In both cases a general completeness theorem was provided, together with several important model-theoretic results which hold for CFOLI (see in particular Da Costa [4]). In what follows we will pay more attention to the classical case, since for several kinds of tfos, in particular for descriptions, it is rather difficult to find reasonable theories, in contrast to the situation in free logic (see [26]).

Several objections can be raised against such a theory. In a sense it is too general and too weak; on the other hand, for specific kinds of operators it may be too strong, in particular in the setting of classical logic. Let us illustrate these remarks with some examples. For the ı-operator, Rosser [30] is forced to add (in CFOLI) to EXT and AV the following axiom:

$$\exists\_1 x \varphi(x) \to \forall x (x = \iota x \varphi(x) \leftrightarrow \varphi(x))$$

which still gives an incomplete logic, as noticed by Hailperin [6]. Da Costa [4] adds:

$$\begin{aligned} \exists\_1 x \varphi(x) \to \forall x (x = \iota x \varphi(x) \to \varphi(x)) \text{ and } \\\\ \neg \exists\_1 x \varphi(x) \to \iota x \varphi(x) = \iota x (x \neq x) \end{aligned}$$

In fact, the theory of descriptions axiomatised by adding these two axioms to EXT and AV is redundant, since the latter principles can be proved with their help. This theory is in fact equivalent to the Fregean/Carnapian theory of descriptions (often called the chosen-object theory), in particular in the formulation of Kalish and Montague [20]. However, we call S-theory any theory of an arbitrary tfo in which EXT and AV hold either as axioms or as derived theses.

On the other hand, for some theories of definite descriptions these two principles are too strong. For example, in the Russellian theory [31,37] neither principle holds. Instead we have their weaker versions:

$$\begin{aligned} \text{wEX: } & E\iota x\varphi(x) \to (\forall x(\varphi(x) \leftrightarrow \psi(x)) \to \iota x\varphi(x) = \iota x\psi(x)) \\ \text{wAV: } & E\iota x\varphi(x) \to \iota x\varphi(x) = \iota y\varphi(y) \end{aligned}$$

In other cases of tfos, like the set-abstraction operator or the counting operator, EXT may be even more disastrous, since for the latter it yields one half of Frege's ill-famed Basic Law V, in fact the half which is sufficient for deriving a contradiction. Similar problems with set-abstraction will be discussed below.
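To make the set-abstraction case concrete: writing {x : ϕ(x)} for τxϕ(x), EXT instantiates to one direction of Frege's Basic Law V, and AV to a harmless renaming of the bound variable:

$$\begin{aligned} &\forall x(\varphi(x) \leftrightarrow \psi(x)) \to \{x : \varphi(x)\} = \{x : \psi(x)\} \\ &\{x : \varphi(x)\} = \{y : \varphi(y)\} \end{aligned}$$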

#### **3.1 The Formalisation of S-Theory**

To obtain an adequate sequent calculus for S-theory we add to GCI the following two rules:

$$(Ext)\ \frac{\varphi(a), \Gamma \Rightarrow \Delta, \psi(a) \qquad \psi(a), \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau x\psi(x)} \qquad (AV)\ \frac{\tau x\varphi(x) = \tau y\varphi(y), \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}$$

where a is a fresh parameter.

Alternatively, we can add just one rule corresponding to EXTAV:

$$(ExtAV)\ \frac{a=b, \varphi(a), \Gamma \Rightarrow \Delta, \psi(b) \qquad a=b, \psi(b), \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau y\psi(y)}$$

where both a, b are fresh parameters.

**Theorem 1.** *GCI+*{(Ext),(AV )} *and GCI+*{(ExtAV )} *are equivalent to axiomatic formulations of S-theory of tfos.*

*Proof.* It is sufficient to prove the respective axioms in GCI+{(Ext),(AV )} or in GCI+{(ExtAV )}, and to show that the above rules are derivable in GCI with the added axioms EXT, AV or EXTAV. We show this for the more compact version with (ExtAV ) and EXTAV; the proofs for the remaining rules and axioms are similar and simpler. Provability of EXTAV:

$$(ExtAV)\ \dfrac{(\forall\Rightarrow)\ \dfrac{(\rightarrow\Rightarrow)\ \dfrac{a=b \Rightarrow a=b \qquad \varphi(a) \leftrightarrow \psi(b), \varphi(a) \Rightarrow \psi(b)}{a=b \rightarrow (\varphi(a) \leftrightarrow \psi(b)), a=b, \varphi(a) \Rightarrow \psi(b)}}{\forall xy(x=y \rightarrow (\varphi(x) \leftrightarrow \psi(y))), a=b, \varphi(a) \Rightarrow \psi(b)} \qquad \mathcal{D}}{\forall xy(x=y \rightarrow (\varphi(x) \leftrightarrow \psi(y))) \Rightarrow \tau x\varphi(x) = \tau y\psi(y)}$$

where the rightmost leaf is provable, D is an analogous proof of ∀xy(x = y → (ϕ(x) ↔ ψ(y))), a = b, ψ(b) ⇒ ϕ(a), and EXTAV itself follows by a final application of (⇒→).

Derivability of (ExtAV ):

$$(Cut)\ \dfrac{(\Rightarrow\forall)\ \dfrac{(\Rightarrow\rightarrow)\ \dfrac{(\Rightarrow\leftrightarrow)\ \dfrac{a=b, \varphi(a), \Gamma \Rightarrow \Delta, \psi(b) \qquad a=b, \psi(b), \Gamma \Rightarrow \Delta, \varphi(a)}{a=b, \Gamma \Rightarrow \Delta, \varphi(a) \leftrightarrow \psi(b)}}{\Gamma \Rightarrow \Delta, a=b \rightarrow (\varphi(a) \leftrightarrow \psi(b))}}{\Gamma \Rightarrow \Delta, \forall xy(x=y \rightarrow (\varphi(x) \leftrightarrow \psi(y)))} \qquad \mathcal{D}}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau y\psi(y)}$$

where both leaves are premisses and D is a proof of ∀xy(x = y → (ϕ(x) ↔ ψ(y))) ⇒ τxϕ(x) = τyψ(y) from the axiom ⇒ EXTAV.

Let us consider the question of cut elimination for either of the two formalisations of S-theory. Observe that the choice of the rule (2LL) for representing LL was connected with the shape of (Ext) and (ExtAV ). In both calculi, identities can appear as the principal formulae of a rule application only in the succedent. This makes proving cut elimination safe, since identities in antecedents can appear only as parametric formulae or as formulae introduced by weakening. In both cases, if such an identity is the cut formula under consideration, it is eliminable either by induction on the height of the cut or directly.

Still, there is a problem connected with the application of (∀ ⇒) and (⇒ ∃) to complex terms. If, for example, ∀xϕ is a cut formula which was introduced in both premisses of cut as the principal formula, and in the right premiss x was instantiated with τyψ, then the formula ϕ[x/τyψ] may have higher complexity than ∀xϕ, and the induction on the complexity of cut formulae fails. This problem may be overcome either by introducing a more complex measure of formula complexity (see e.g. [11]) or by replacing the basic calculus GCI with its pure version GPCI. Of course, restricting all quantifier rules to parameters makes the calculus with complex terms incomplete. However, to avoid the loss of generality we can add to GPCI the rule:

$$(a \Rightarrow) \frac{a = \tau x \varphi(x), \varGamma \Rightarrow \Delta}{\varGamma \Rightarrow \Delta}$$

where a is a fresh parameter.

**Theorem 2.** *The calculus GPCI+*{(Ext),(AV )} *(or GPCI+*{(ExtAV )}*) with added* (a ⇒) *is equivalent to GCI+*{(Ext),(AV )} *(or GCI+*{(ExtAV )}*).*

*Proof.* It is enough to show that (a ⇒) is derivable in GCI:

$$(Cut)\ \dfrac{(\Rightarrow\exists)\ \dfrac{\Rightarrow \tau x\varphi(x) = \tau x\varphi(x)}{\Rightarrow \exists y(y = \tau x\varphi(x))} \qquad (\exists\Rightarrow)\ \dfrac{a = \tau x\varphi(x), \Gamma \Rightarrow \Delta}{\exists y(y = \tau x\varphi(x)), \Gamma \Rightarrow \Delta}}{\Gamma \Rightarrow \Delta}$$

and that unrestricted (∀ ⇒),(⇒ ∃) are derivable in GPC with (a ⇒):

$$(a\Rightarrow)\ \dfrac{(\Rightarrow\exists)\ \dfrac{(Cut)\ \dfrac{\Gamma \Rightarrow \Delta, \varphi(\tau x\psi(x)) \qquad \varphi(\tau x\psi(x)), a = \tau x\psi(x) \Rightarrow \varphi(a)}{a = \tau x\psi(x), \Gamma \Rightarrow \Delta, \varphi(a)}}{a = \tau x\psi(x), \Gamma \Rightarrow \Delta, \exists x\varphi}}{\Gamma \Rightarrow \Delta, \exists x\varphi}$$

where the rightmost sequent, being an instance of LL, is provable. A similar proof works for (∀ ⇒).

Let us call GPCI+{(Ext),(AV )} (or GPCI+{(ExtAV )}) with added (a ⇒) simply GS (GS'). Note that for both systems the following lemma holds:

**Lemma 1.** *1.* t1 = t2, ϕ[x/t1] ⇒ ϕ[x/t2], *for any formula* ϕ. *2. If* ⊢_k Γ ⇒ Δ, *then* ⊢_k Γ[b1/b2] ⇒ Δ[b1/b2], *where* k *is the height of a proof.*

*Proof.* 1. follows by induction on the complexity of ϕ and is standard in all cases. The proof of 2. is by induction on the height of proofs.

The first result is Leibniz' Law (LL) stated in full generality, i.e. covering also complex terms. Since (2LL) yields only LL restricted to atomic formulae, we need its unrestricted form for completeness. The second result is a substitution lemma, which is necessary for unifying terms in the proof of the cut-elimination theorem. Note that it is restricted to parameters only, but in the case of GS (GS'), which is an extension of GPCI, this is sufficient, since only parameters are instantiated for bound variables in all applications of quantifier rules.

#### **Theorem 3.** *The cut elimination theorem holds for GS and GS'.*

*Proof.* The proof is standard and essentially requires two inductions: on the complexity of the cut formula and on the height of the derivations of both premisses of cut. In general we can follow the strategy applied, for example, in [15]; here we focus only on the crucial points connected with the new rules which could lead to trouble.

Consider the situation where the cut formula in the left premiss is the principal formula of an application of (2LL). It is an atomic formula, possibly an identity. Since in no logical rule can an atomic formula in the antecedent be a principal formula, in the right premiss the respective cut formula is either introduced by weakening or is just a parametric formula. In the first case the cut is eliminated directly, in the second by induction on the height of the proof. The case where the right premiss is axiomatic is also directly eliminable.

The cases where in the left premiss the cut formula is the principal formula of an application of (Ext) or (ExtAV ) are treated in a similar way. Finally, rules like (AV ) and (a ⇒) have no impact on the elimination of cuts, since they have no principal formulae in the conclusion.

Although we cannot totally avoid the loss of the subformula property in GS and GS', the introduction of complex terms is separated from the quantifier rules, which is technically more desirable. In fact, from the semantic point of view we do not really need to introduce an arbitrary complex term in the premiss while doing proof-search. The rule is required only for those terms which either occur already in Γ, Δ, or have in their scope formulae from Γ, Δ. This can be shown by providing a Hintikka-style completeness proof for this system, which is possible since Henkin-style proofs were provided by the mentioned authors; we omit the details because of space restrictions.

In fact, for the needs of proof-search we could simplify GS (GS') a little. In particular, we could use the more convenient one-premiss rule of Negri and von Plato [27] for LL, of the form:

$$(1LL)\ \frac{\varphi(t\_2), \varGamma \Rightarrow \varDelta}{t\_1 = t\_2, \varphi(t\_1), \varGamma \Rightarrow \varDelta}$$

for all cases where at least one of t1, t2 is a parameter and ϕ(t1) is not an identity with both arguments complex terms. In fact, there are only three troublesome cases of LL which could cause a clash in the proof of cut elimination:

1. b = t, t = t′ ⇒ b = t′
2. t = t′, ϕ(t) ⇒ ϕ(t′)
3. t = t′, t = t′′ ⇒ t′ = t′′

where t, t′, t′′ are complex terms, and only for these cases is the two-premiss rule (2LL) necessary.

Also note that instead of (Ref) we can use more restricted version:

$$(Ref')\ \frac{b=b, \varGamma \Rightarrow \Delta}{\varGamma \Rightarrow \Delta}$$

since τxϕ(x) = τxϕ(x) is derivable by (Ext) or (ExtAV ).
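Indeed, taking ψ to be ϕ in (Ext) makes every premiss an instance of (AX), so reflexivity for complex terms comes for free (a sketch; the coinciding premisses are shown once):

$$(Ext)\ \frac{\varphi(a), \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau x\varphi(x)}$$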

#### **3.2 The Formalisation of T-Theory**

The theory of abstraction operators developed by Tennant, which we call here the T-theory of tfos, is generally much stronger than S-theory. But we must emphasise that it is formulated in the setting of a much weaker logic, namely NFFOLI (negative free FOLI), where not only are the quantifier rules weaker but identity is also not (unconditionally) reflexive.

Tennant's theory of tfo is based on the following natural deduction rules:

$$\begin{array}{ll} \left(\tau I\right) & \text{If } \varphi(a), Ea \vdash aRt \text{ and } aRt \vdash \varphi(a) \text{ and } Et, \text{ then } t = \tau x\varphi(x);\\ \left(\tau E1\right) & \text{If } t = \tau x\varphi(x) \text{ and } \varphi(b) \text{ and } Eb, \text{ then } bRt \\ \left(\tau E2\right) & \text{If } t = \tau x\varphi(x), \text{ then } Et \\ \left(\tau E3\right) & \text{If } t = \tau x\varphi(x) \text{ and } bRt, \text{ then } \varphi(b) \end{array}$$

where a is an eigenvariable, and R is a specific relation involved in the characterisation of τ . For example, R is = for the case of ı, and ∈ for set-abstraction operator. The corresponding sequent rules are:

$$(\Rightarrow \tau) \frac{\Gamma \Rightarrow \Delta, Et \qquad Ea, \varphi(a), \Gamma \Rightarrow \Delta, aRt \qquad aRt, \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, t = \tau x \varphi(x)}$$

where a is not in Γ, Δ, ϕ

$$(\Rightarrow\tau E1)\ \frac{\Gamma \Rightarrow \Delta, Eb \qquad \Gamma \Rightarrow \Delta, \varphi(b) \qquad \Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}{\Gamma \Rightarrow \Delta, bRt}$$

$$\left(\Rightarrow \tau E2\right) \frac{\Gamma \Rightarrow \Delta, t = \tau x \varphi(x)}{\Gamma \Rightarrow \Delta, Et}$$

$$(\Rightarrow\tau E3)\ \frac{\Gamma \Rightarrow \Delta, bRt \qquad \Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}{\Gamma \Rightarrow \Delta, \varphi(b)}$$

To get a more standard SC we can apply the rule-generation theorem (see e.g. [14]) and obtain left introduction rules for τ:

$$(\tau\Rightarrow 1)\ \frac{\Gamma \Rightarrow \Delta, Eb \qquad \Gamma \Rightarrow \Delta, \varphi(b) \qquad bRt, \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$

$$(\tau\Rightarrow 2)\ \frac{Et, \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$

$$(\tau\Rightarrow 3)\ \frac{\Gamma \Rightarrow \Delta, bRt \qquad \varphi(b), \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$

Note that if we transfer these rules to the setting of CFOLI, we do not need formulae of the form Et, and the rule (τ ⇒ 2), being specific to negative free logic, becomes superfluous. As a result we obtain the following three rules:

$$(\Rightarrow \tau) \frac{\varphi(a), \Gamma \Rightarrow \Delta, aRt \qquad aRt, \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, t = \tau x \varphi(x)}$$

where a is not in Γ, Δ, ϕ

$$(\tau \Rightarrow) \frac{\Gamma \Rightarrow \Delta, \varphi(b) \qquad bRt, \Gamma \Rightarrow \Delta}{t = \tau x \varphi(x), \Gamma \Rightarrow \Delta}$$

$$(\tau \Rightarrow) \frac{\Gamma \Rightarrow \Delta, bRt \qquad \varphi(b), \Gamma \Rightarrow \Delta}{t = \tau x \varphi(x), \Gamma \Rightarrow \Delta}$$

In general, what we obtain with these rules is equivalent to the following principle, often called the Lambert axiom:

$$\text{LA: } \forall y (y = \tau x \varphi(x) \leftrightarrow \forall x (\varphi(x) \leftrightarrow xRy))$$

which is derivable also in the setting of NFFOLI. In the setting of CFOLI it is equivalent to the Hintikka axiom:

$$\text{HA: } t = \tau x \varphi(x) \leftrightarrow \forall x (\varphi(x) \leftrightarrow xRt).$$

for which we demonstrate syntactically the equivalence with the stated rules. In one direction we have:

$$(\Rightarrow\forall)\ \dfrac{(\Rightarrow\leftrightarrow)\ \dfrac{(\tau\Rightarrow)\ \dfrac{\varphi[x/a] \Rightarrow aRt, \varphi[x/a] \qquad aRt, \varphi[x/a] \Rightarrow aRt}{t = \tau x\varphi(x), \varphi[x/a] \Rightarrow aRt} \qquad (\tau\Rightarrow)\ \dfrac{aRt \Rightarrow \varphi[x/a], aRt \qquad \varphi[x/a], aRt \Rightarrow \varphi[x/a]}{t = \tau x\varphi(x), aRt \Rightarrow \varphi[x/a]}}{t = \tau x\varphi(x) \Rightarrow \varphi[x/a] \leftrightarrow aRt}}{t = \tau x\varphi(x) \Rightarrow \forall x(\varphi(x) \leftrightarrow xRt)}$$

In the second direction:

$$(\Rightarrow\tau)\ \dfrac{(\forall\Rightarrow)\ \dfrac{(\leftrightarrow\Rightarrow)\ \dfrac{\varphi[x/a] \Rightarrow aRt, \varphi[x/a] \qquad aRt, \varphi[x/a] \Rightarrow aRt}{\varphi[x/a] \leftrightarrow aRt, \varphi[x/a] \Rightarrow aRt}}{\forall x(\varphi(x) \leftrightarrow xRt), \varphi[x/a] \Rightarrow aRt} \qquad (\forall\Rightarrow)\ \dfrac{(\leftrightarrow\Rightarrow)\ \dfrac{aRt \Rightarrow \varphi[x/a], aRt \qquad \varphi[x/a], aRt \Rightarrow \varphi[x/a]}{\varphi[x/a] \leftrightarrow aRt, aRt \Rightarrow \varphi[x/a]}}{\forall x(\varphi(x) \leftrightarrow xRt), aRt \Rightarrow \varphi[x/a]}}{\forall x(\varphi(x) \leftrightarrow xRt) \Rightarrow t = \tau x\varphi(x)}$$

Derivability of the specific rules is straightforward. Notice that from HA as additional axioms we obtain:

$$\begin{array}{l} \text{(a) } t = \tau x \varphi(x) \Rightarrow \forall x (\varphi(x) \leftrightarrow xRt) \qquad \text{and} \\ \text{(b) } \forall x (\varphi(x) \leftrightarrow xRt) \Rightarrow t = \tau x \varphi(x) \end{array}$$

From the premisses of any variant of (τ ⇒), applying weakening we deduce:

$$(\forall\Rightarrow)\ \dfrac{(\leftrightarrow\Rightarrow)\ \dfrac{\Gamma \Rightarrow \Delta, \varphi[x/b], bRt \qquad \varphi[x/b], bRt, \Gamma \Rightarrow \Delta}{\varphi[x/b] \leftrightarrow bRt, \Gamma \Rightarrow \Delta}}{\forall x(\varphi(x) \leftrightarrow xRt), \Gamma \Rightarrow \Delta}$$

which, by cut with (a), yields the conclusion of (τ ⇒). In a similar way we deduce Γ ⇒ Δ, ∀x(ϕ(x) ↔ xRt) from the premisses of (⇒ τ ), and by cut with (b) we obtain the conclusion of this rule.

One should note that T-theory is much stronger than S-theory; both central principles EXT and AV are provable (in fact, even in the setting of NFFOLI by means of the weaker rules).

$$(\Rightarrow\tau)\ \dfrac{(\forall\Rightarrow)\ \dfrac{(Ref)\ \dfrac{(\tau\Rightarrow)\ \dfrac{aR\tau x\varphi(x) \Rightarrow aR\tau x\varphi(x) \qquad \varphi[x/a], \varphi[x/a] \leftrightarrow \psi[x/a] \Rightarrow \psi[x/a]}{\tau x\varphi(x) = \tau x\varphi(x), \varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a]}}{\varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a]}}{\forall x(\varphi(x) \leftrightarrow \psi(x)), aR\tau x\varphi(x) \Rightarrow \psi[x/a]} \qquad \mathcal{D}}{\forall x(\varphi(x) \leftrightarrow \psi(x)) \Rightarrow \tau x\varphi(x) = \tau x\psi(x)}$$

where the second leaf is directly provable and D is an analogous proof of ∀x(ϕ(x) ↔ ψ(x)), ψ[x/a] ⇒ aRτxϕ(x).

$$(\Rightarrow\tau)\ \dfrac{(Ref)\ \dfrac{(\tau\Rightarrow)\ \dfrac{aR\tau x\varphi(x) \Rightarrow aR\tau x\varphi(x) \qquad \varphi[x/a] \Rightarrow \varphi[y/a]}{\tau x\varphi(x) = \tau x\varphi(x), aR\tau x\varphi(x) \Rightarrow \varphi[y/a]}}{aR\tau x\varphi(x) \Rightarrow \varphi[y/a]} \qquad (Ref)\ \dfrac{(\tau\Rightarrow)\ \dfrac{\varphi[y/a] \Rightarrow \varphi[x/a] \qquad aR\tau x\varphi(x), \varphi[y/a] \Rightarrow aR\tau x\varphi(x)}{\tau x\varphi(x) = \tau x\varphi(x), \varphi[y/a] \Rightarrow aR\tau x\varphi(x)}}{\varphi[y/a] \Rightarrow aR\tau x\varphi(x)}}{\Rightarrow \tau x\varphi(x) = \tau y\varphi(y)}$$

Note that ϕ[x/a] and ϕ[y/a] are identical since ϕ(x) and ϕ(y) are alphabetic variants.

One may even prove the converse of EXT:

$$(\Rightarrow\forall)\ \dfrac{(\Rightarrow\leftrightarrow)\ \dfrac{(\tau\Rightarrow)\ \dfrac{(Ref)\ \dfrac{(\tau\Rightarrow)\ \dfrac{\varphi[x/a]\Rightarrow\varphi[x/a] \qquad aR\tau x\varphi(x),\ \varphi[x/a]\Rightarrow aR\tau x\varphi(x)}{\tau x\varphi(x)=\tau x\varphi(x),\ \varphi[x/a]\Rightarrow aR\tau x\varphi(x)}}{\varphi[x/a]\Rightarrow aR\tau x\varphi(x)} \qquad \psi[x/a]\Rightarrow\psi[x/a]}{\tau x\varphi(x)=\tau x\psi(x),\ \varphi[x/a]\Rightarrow\psi[x/a]} \qquad \mathcal{D}}{\tau x\varphi(x)=\tau x\psi(x)\Rightarrow\varphi[x/a]\leftrightarrow\psi[x/a]}}{\tau x\varphi(x)=\tau x\psi(x)\Rightarrow\forall x(\varphi(x)\leftrightarrow\psi(x))}$$

where D is a similar proof of τxϕ(x) = τxψ(x), ψ[x/a] ⇒ ϕ[x/a].

To realise how strong this principle is in the setting of CFOLI, notice that when t is instantiated with τxϕ(x) we obtain:

$$
\tau x \varphi(x) = \tau x \varphi(x) \leftrightarrow \forall x (\varphi(x) \leftrightarrow x R \tau x \varphi(x)).
$$

which by (unrestricted) reflexivity of = yields:

∀x(ϕ(x) ↔ xRτxϕ(x)).

For several term-forming operators, at least in the setting of CFOLI, this is too strong. For example, if we instantiate this principle with the iota-operator (where R is =), we run into a contradiction:

1. ıx(Ax ∧ ¬Ax) = ıx(Ax ∧ ¬Ax) → ∀x(Ax ∧ ¬Ax ↔ x = ıx(Ax ∧ ¬Ax))
2. ıx(Ax ∧ ¬Ax) = ıx(Ax ∧ ¬Ax)
3. ∀x(Ax ∧ ¬Ax ↔ x = ıx(Ax ∧ ¬Ax))   (from 1, 2)
4. A(ıx(Ax ∧ ¬Ax)) ∧ ¬A(ıx(Ax ∧ ¬Ax)) ↔ ıx(Ax ∧ ¬Ax) = ıx(Ax ∧ ¬Ax)   (from 3)
5. A(ıx(Ax ∧ ¬Ax)) ∧ ¬A(ıx(Ax ∧ ¬Ax))   (from 4, 2)

Similarly, in the case of the set-abstraction operator (where R is ∈) we obtain just the unrestricted axiom of comprehension, which immediately leads to Russell's paradox. Hence it is crucial to establish what R is for a specific tfo in order to decide whether Tennant's rules may be safely added to GCI or GPCI. Therefore, we do not attempt to state T-theory as a general calculus GT here. Instead, in the next section we consider the application of his theory to the set-abstraction operator, since even in this context one may introduce restrictions which protect us from trouble.
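To spell out the set-abstraction case, the instantiated principle is exactly the unrestricted comprehension scheme, and choosing ϕ(x) := x ∉ x reproduces Russell's paradox; this is a worked restatement of the remark above, not an additional assumption:

```latex
% Instantiating R with \in and \tau with set abstraction gives comprehension:
\forall x\,\bigl(\varphi(x) \leftrightarrow x \in \{y : \varphi(y)\}\bigr)
% and with \varphi(x) := x \notin x, writing r := \{y : y \notin y\}, we get
r \in r \;\leftrightarrow\; r \notin r
```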

#### **4 Application to Set-Abstracts**

Several kinds of set theory with a set-abstraction operator as primitive can be developed rather easily on the basis of S- or T-theory as formalised in the preceding section. In fact, both Scott [32] and Tennant [33] applied their theories to set-abstract operators, but in the context of free logic the unrestricted axiom of comprehension does not lead to Russell's paradox. However, we work here in the setting of CFOL, so the rules responsible for its derivation must be somehow restricted. For these reasons we decided to examine possible formalisations of Quine's NF (New Foundations) as developed in [30], where the comprehension axiom is suitably restricted by means of an outer syntactic side condition which is independent of the structure of the rules. Admittedly, NF is not a very popular formalisation of set theory, due to some of its peculiarities. However, it also has several advantages, which we will not discuss here because of space restrictions<sup>1</sup>. In particular, the syntactic simplicity of NF makes it a very convenient theory for proof-theoretic investigations.

Before we focus on sequent calculi for NF, let us start with some general preliminaries concerning an arbitrary formalisation of set theory. It often goes unnoticed that it may be developed in a language where only ∈ is a primitive predicate, or in a language with = also primitive, which is the more popular choice. In the latter case we assume that we already have some axioms/rules for =, so the only specific axiom we need for sets is:

ExtAx : ∀xy(∀z(z ∈ x ↔ z ∈ y) → x = y)

since the converse is already provable by LL.

If we start with CFOL (only ∈ primitive), = may be defined either in the Leibnizian spirit:

=<sup>L</sup>: t = t′ := ∀z(t ∈ z ↔ t′ ∈ z)

<sup>1</sup> See in particular its presentation in [30] and discussion in [8,9].

or in the way Quine prefers:

=Q: t = t′ := ∀z(z ∈ t ↔ z ∈ t′)

The first choice leads to the standard characterisation of = and the axiom ExtAx is still required. The second one is different: since x = y then abbreviates ∀z(z ∈ x ↔ z ∈ y), ExtAx becomes a trivial instance of the definition and is provable, but we still cannot obtain the full characterisation of identity. Therefore we must add a special form of LL as an extensionality axiom:

$$ExtAx' \colon \forall xyz (x = y \to (x \in z \to y \in z))$$

and this is the way Quine proceeded with the development of NF. The second axiom is the axiom of abstraction:

$$ABS\colon\ \forall x\,(x \in \{y : \varphi(y)\} \leftrightarrow \varphi[y/x])$$

where ϕ is stratified. Assuming that the only predicate is ∈, this condition may be defined roughly as follows: it is possible to map the variables of ϕ to integers in such a way that every atom x ∈ y receives the form i ∈ i + 1, i.e. the value assigned to y is one greater than the value assigned to x. In case we admit =, the mapping should give both arguments of an =-atom the same value i. In what follows we will admit both kinds of formulae as atomic, briefly called ∈-atoms and =-atoms.
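As an illustration, the rough definition above can be turned into a small executable check. The encoding below (atoms as `('in', x, y)` and `('eq', x, y)` tuples, and the function `is_stratified`) is our own illustrative assumption, not part of the paper:

```python
# Illustrative check of Quine-style stratification (assumed encoding):
# atoms are ('in', x, y) for x ∈ y and ('eq', x, y) for x = y.

def is_stratified(atoms):
    """A formula is stratified iff its variables can be mapped to integers so
    that every atom x ∈ y becomes i ∈ i+1 and every atom x = y becomes i = i."""
    # Difference constraints: level(b) = level(a) + d, with d = 1 for ∈, 0 for =.
    adjacent = {}
    for kind, a, b in atoms:
        d = 1 if kind == 'in' else 0
        adjacent.setdefault(a, []).append((b, d))
        adjacent.setdefault(b, []).append((a, -d))
    level = {}
    for start in adjacent:
        if start in level:
            continue
        level[start] = 0  # levels are relative within a connected component
        stack = [start]
        while stack:
            v = stack.pop()
            for w, d in adjacent[v]:
                if w not in level:
                    level[w] = level[v] + d
                    stack.append(w)
                elif level[w] != level[v] + d:
                    return False  # inconsistent typing: not stratified
    return True
```

For example, x ∈ y ∧ y ∈ z is stratified, while the Russell-style atom x ∈ x is not, since it would require i = i + 1.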

We will consider two approaches to the construction of a cut-free sequent calculus for NF. Although the rules (Ext) and (AV) will not be primitive but derivable in both, the first approach, following the Quinean formulation closely, is closer to the general GS, whereas the second starts with Tennant's rules, suitably restricted.

#### **4.1 The S-Approach to NF**

There is no sense in taking the instances of (Ext) and (AV) as primitive rules, since this will not save us from adding most of the specific rules for set-abstraction operators and =. So it is better to follow quite closely the original Quinean axiomatisation of NF. A difference from the latter concerns the treatment of identity, since we take it as a primitive predicate characterised by rules. However, we do not take the identity rules of GPCI as primitive but rather provide new rules based on =Q. Hence we take GPC as the basis and add:

$$(\Rightarrow =)\ \frac{a\in t,\ \Gamma\Rightarrow\Delta,\ a\in t' \qquad a\in t',\ \Gamma\Rightarrow\Delta,\ a\in t}{\Gamma\Rightarrow\Delta,\ t=t'}$$

$$(=\Rightarrow)\ \frac{\Gamma\Rightarrow\Delta,\ b\in t,\ b\in t' \qquad b\in t,\ b\in t',\ \Gamma\Rightarrow\Delta}{t=t',\ \Gamma\Rightarrow\Delta}$$

These rules correspond to =Q; in (⇒=) the parameter a must not occur in the conclusion. Moreover, we add two rules corresponding to the axiom ABS:

$$(Abs\Rightarrow)\ \frac{\varphi[x/t],\ \Gamma\Rightarrow\Delta}{t\in\{x:\varphi(x)\},\ \Gamma\Rightarrow\Delta} \qquad (\Rightarrow Abs)\ \frac{\Gamma\Rightarrow\Delta,\ \varphi[x/t]}{\Gamma\Rightarrow\Delta,\ t\in\{x:\varphi(x)\}}$$

with ϕ stratified.

We omit the easy proofs of the equivalence of the stated rules with the respective axioms: ABS and the object-language counterpart of =Q. Proofs of these axioms, as well as of the derivability of our rules in GPC enriched with axiomatic sequents expressing ABS and =Q, are straightforward and similar to the proofs from Theorem 1. Instead we will show that, although we have neither (Ext) nor (AV) as primitive rules, they are derivable in such a system for stratified ϕ.

#### **Lemma 2.** *Derivability of* (Ext) *and* (AV )

*Proof.*

$$(\Rightarrow =)\ \dfrac{(Abs\Rightarrow),(\Rightarrow Abs)\ \dfrac{\varphi(a),\ \Gamma\Rightarrow\Delta,\ \psi(a)}{a\in\{x:\varphi(x)\},\ \Gamma\Rightarrow\Delta,\ a\in\{x:\psi(x)\}} \qquad (Abs\Rightarrow),(\Rightarrow Abs)\ \dfrac{\psi(a),\ \Gamma\Rightarrow\Delta,\ \varphi(a)}{a\in\{x:\psi(x)\},\ \Gamma\Rightarrow\Delta,\ a\in\{x:\varphi(x)\}}}{\Gamma\Rightarrow\Delta,\ \{x:\varphi(x)\}=\{x:\psi(x)\}}$$

The proof of (AV), or alternatively of (ExtAV), is similar.

But the rules (⇒=) and (=⇒) are not sufficient to obtain the complete characterisation of identity in NF. In particular, they are not sufficient for the case corresponding to the specific instance of LL expressed by the axiom ExtAx′. Note that in general we must be able to prove:

1. t = t′, a ∈ t ⇒ a ∈ t′
2. t = t′, t″ ∈ t ⇒ t″ ∈ t′
3. t = t′, t ∈ t″ ⇒ t′ ∈ t″
With case 1 there is no problem; it is derivable by (⇒=) and (=⇒), similarly to other properties of =, including reflexivity and symmetry. Case 2 would be provable by (=⇒) provided that instead of b we were allowed to use any term. So this case is problematic and requires a reformulation of the rules which in general destroys the subformula property and may be troublesome when proving the cut elimination theorem. Case 3 corresponds exactly to ExtAx′ and requires a separate rule, which possibly also covers case 2. To avoid these troubles we might follow the general solution introduced for GS and use the rule (2LL) as a two-premiss right-sided rule, but this does not work, since (Abs ⇒) introduces an ∈-atom as a principal formula in the antecedent. As a result, while proving cut elimination we cannot reduce the following cut instance:

$$(2LL)\ \frac{\Gamma\Rightarrow\Delta,\ t=t' \qquad \Gamma\Rightarrow\Delta,\ t'\in\{x:\varphi\}}{\Gamma\Rightarrow\Delta,\ t\in\{x:\varphi\}} \qquad (Abs\Rightarrow)\ \frac{\varphi(t),\ \Pi\Rightarrow\Sigma}{t\in\{x:\varphi\},\ \Pi\Rightarrow\Sigma}$$

It seems that in the presence of (Abs ⇒) and (⇒ Abs) the only solution is to add a 3-premiss version of LL:

$$(3LL)\ \frac{\Gamma\Rightarrow\Delta,\ t=t' \qquad \Gamma\Rightarrow\Delta,\ \varphi(t) \qquad \varphi(t'),\ \Gamma\Rightarrow\Delta}{\Gamma\Rightarrow\Delta}$$

where ϕ(t) and ϕ(t′) are either t ∈ t″ and t′ ∈ t″, or t″ ∈ t and t″ ∈ t′.

Summing up, we obtain a system GSNF which adds to GPC the following rules: (=⇒), (⇒=), (Abs ⇒), (⇒ Abs) and (3LL) ((Ref) is derivable).

**Theorem 4.** *GSNF is an adequate formalisation of NF.*

Moreover, the cut elimination theorem can be proved for GSNF in a similar fashion as in [13], where a similar solution was provided for sequent calculi for free description theories. Note, however, that the situation with the subformula property is even worse than in GS (GS') due to the presence of (3LL). Is it possible to obtain a better formalisation of NF by means of Tennant's rules?

#### **4.2 The T-Approach to NF**

If we want to apply Tennant's approach to NF, we have = as a primitive predicate which is not only present in the language but already characterised by specific rules, so we start with GPCI and add the following Tennant-style rules:

$$(\Rightarrow \colon) \frac{\varphi(a), \Gamma \Rightarrow \Delta, a \in t \qquad a \in t, \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, t = \{x : \varphi(x)\}}$$

$$(:\Rightarrow)\ \frac{\Gamma\Rightarrow\Delta,\ \varphi(b) \qquad b\in t,\ \Gamma\Rightarrow\Delta}{t=\{x:\varphi(x)\},\ \Gamma\Rightarrow\Delta}$$

$$(:\Rightarrow)\ \frac{\Gamma\Rightarrow\Delta,\ b\in t \qquad \varphi(b),\ \Gamma\Rightarrow\Delta}{t=\{x:\varphi(x)\},\ \Gamma\Rightarrow\Delta}$$

where a does not occur in Γ, Δ, or ϕ, t is any term, and ϕ is stratified.

Note that (Ext) and (AV) are derivable, which follows from the proofs of EXT and AV presented in Sect. 3.2. As we noticed there, the axiom ABS is also provable, so we do not need the special rules (Abs ⇒), (⇒ Abs) either. We need not even care about the axiom ExtAx, since it is provable:

$$(\Rightarrow\forall)\ \dfrac{(\Rightarrow\rightarrow)\ \dfrac{(2LL)\ \dfrac{(\Rightarrow:)\ \dfrac{(\forall\Rightarrow)\ \dfrac{c\in a\leftrightarrow c\in b,\ c\in a\Rightarrow c\in b}{\forall z(z\in a\leftrightarrow z\in b),\ c\in a\Rightarrow c\in b} \quad (\forall\Rightarrow)\ \dfrac{c\in a\leftrightarrow c\in b,\ c\in b\Rightarrow c\in a}{\forall z(z\in a\leftrightarrow z\in b),\ c\in b\Rightarrow c\in a}}{\forall z(z\in a\leftrightarrow z\in b)\Rightarrow a=\{x:x\in b\}} \quad (\Rightarrow:)\ \dfrac{c\in b\Rightarrow c\in b}{\Rightarrow b=\{x:x\in b\}}}{\forall z(z\in a\leftrightarrow z\in b)\Rightarrow a=b}}{\Rightarrow\forall z(z\in a\leftrightarrow z\in b)\rightarrow a=b}}{\Rightarrow\forall xy(\forall z(z\in x\leftrightarrow z\in y)\rightarrow x=y)}$$

It seems that the T-approach to NF is better than the S-approach, since it is more economical. However, if we think about cut elimination, we must carefully consider the problem of primitive rules for identity. Although we stated above that we add the special Tennant-style rules to GPCI, and we used (2LL) in the above proof, it seems that we cannot keep (2LL), since in general we face the same problem with cut elimination as in the case of the S-system illustrated in Subsect. 4.1. To prove the cut elimination theorem we must again either replace (2LL) with (3LL) in general, or follow the strategy introduced in [17] and separate the rules for LL dealing with special cases of atomic formulae. One possibility is to keep:

$$(2LL')\begin{array}{c} \Gamma \Rightarrow \Delta, t = t' \qquad \Gamma \Rightarrow \Delta, \varphi(t) \\ \hline \quad \Gamma \Rightarrow \Delta, \varphi(t') \end{array}$$

for ϕ being an ∈-atom, and restrict (3LL) to =-atoms only:

$$(3LL')\ \frac{\Gamma\Rightarrow\Delta,\ t=t' \qquad \Gamma\Rightarrow\Delta,\ t=t'' \qquad t'=t'',\ \Gamma\Rightarrow\Delta}{\Gamma\Rightarrow\Delta}$$

This way we obtain a system GTNF which adds to GPC the rules (:⇒), (⇒:), (2LL′), (3LL′) and (Ref). (2LL′) deals only with ∈-atoms, and all properties of identity are derivable by (Ref) and (3LL′).

**Theorem 5.** *GTNF is an adequate formalisation of NF.*

The cut elimination theorem is provable for GTNF as well. Unfortunately, the situation with the subformula property is similar to that of the system GSNF from the preceding subsection. However, some simplifications are possible by reducing the applications of (3LL′) when at least two of t, t′, t″ are parameters. Consider the cases with at most one complex term t:

1. a = b, a = c ⇒ b = c
2. t = b, t = c ⇒ b = c
3. a = t, a = b ⇒ t = b
4. a = b, a = t ⇒ b = t

(2LL′) may be modified to cover the identities from cases 1 and 2:

$$(2LL'')\begin{array}{c} \Gamma \Rightarrow \Delta, t = t' \qquad \Gamma \Rightarrow \Delta, \varphi(t) \\ \hline \qquad \Gamma \Rightarrow \Delta, \varphi(t') \end{array}$$

for ϕ(t′) being an ∈-atom or an =-atom of the form b = c (the third term in the premisses may be complex or a parameter). For cases 3 and 4 we may add one of the rules:

$$(Tr)\ \frac{\Gamma\Rightarrow\Delta,\ a=t \qquad t=b,\ \Gamma\Rightarrow\Delta}{a=b,\ \Gamma\Rightarrow\Delta}$$

or

$$(E)\ \frac{\Gamma \Rightarrow \Delta, a = t \qquad b = t, \Gamma \Rightarrow \Delta}{a = b, \Gamma \Rightarrow \Delta}$$

Either of them will do the task. For example, if we take (E) we have a direct proof of 4 and the following proof of 3:

$$(E)\ \dfrac{a=t\Rightarrow t=b,\ a=t \qquad (3LL')\ \dfrac{b=t,\ a=t\Rightarrow t=b,\ b=t \qquad \dfrac{\Rightarrow b=b}{b=t,\ a=t\Rightarrow t=b,\ b=b} \qquad t=b,\ b=t,\ a=t\Rightarrow t=b}{b=t,\ a=t\Rightarrow t=b}}{a=b,\ a=t\Rightarrow t=b}$$

As a result we have to keep (3LL′) only for the cases where at least two of t, t′, t″ are complex terms, at the price of adding (Tr) or (E). Let us call such a modified system GTNF′.

#### **5 Conclusion**

We have provided a proof-theoretic treatment of the general theory of tfos introduced independently by several authors (S-theory), and proposed a modification of a different approach (T-theory) in a way which allows us to compare their relative strength. Moreover, we examined the ways in which both approaches may be extended to cover Quine's set theory NF. All obtained sequent systems satisfy the cut elimination theorem, but not the subformula property. Hence, in the case of the systems for NF, we cannot obtain a syntactic consistency proof on the basis of the cut elimination theorem, because of rules like (3LL). Still, these systems, in particular the system GTNF described in the last subsection, allow us to keep stricter control over the construction of proofs.

The natural next step of this research is the application of the (possibly modified) systems GS and GS', or of the (suitably restricted) rules of Tennant's approach, to other kinds of term-forming operators, and a careful examination of their specific features.

Finally, it is also interesting to investigate whether the obtained systems allow us to prove other desirable properties in a constructive way. One such important point is the interpolation theorem. Since it was proved semantically for the general S-theory in [4], it is an important task to find a constructive proof as well. However, the method of split-sequents due to Maehara, which is usually applied in the setting of sequent calculi, fails for the presented systems, since it does not work with rules like (a ⇒). The problem is connected with the fact that the complex term occurring in the active formula of the premiss may contain predicates which do not occur in the rest of the respective division of a split-sequent but do occur in the interpolant (and, of course, in the other division of the split-sequent). In this case the interpolant of the premiss fails to be an interpolant of the conclusion, where the active formula is deleted. Only a weaker form of interpolation can be proved, in which we require that interpolants have only parameters (but not predicates) common to both divisions of the split-sequent. It is an open problem whether these difficulties can be overcome.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Theorem Proving**

# Lemmas: Generation, Selection, Application

Michael Rawson<sup>1</sup>, Christoph Wernhard<sup>2(B)</sup>, Zsolt Zombori<sup>3,5</sup>, and Wolfgang Bibel<sup>4</sup>

<sup>1</sup> TU Wien, Vienna, Austria — michael@rawsons.uk
<sup>2</sup> University of Potsdam, Potsdam, Germany — info@christophwernhard.com
<sup>3</sup> Alfréd Rényi Institute of Mathematics, Budapest, Hungary — zombori@renyi.hu
<sup>4</sup> Technical University Darmstadt, Darmstadt, Germany — bibel@gmx.net
<sup>5</sup> Eötvös Loránd University, Budapest, Hungary

Abstract. Noting that lemmas are a key feature of mathematics, we engage in an investigation of the role of lemmas in automated theorem proving. The paper describes experiments with a combined system involving learning technology that generates useful lemmas for automated theorem provers, demonstrating improvement for several representative systems and solving a hard problem not solved by any system for twenty years. By focusing on condensed detachment problems we simplify the setting considerably, allowing us to get at the essence of lemmas and their role in proof search.

# 1 Introduction

Mathematics is built in a carefully structured way, with many disciplines and subdisciplines. These are characterized by concepts, definitions, axioms, theorems, lemmas, and so forth. There is no doubt that this inherent structure of mathematics is part of the discipline's long-lasting success.

Research into Automated Theorem Proving (ATP) to date has taken little notice of the information provided by this structure. Even state-of-the-art ATP systems ingest a conjecture together with pertinent definitions and axioms in a way completely agnostic to their place in the mathematical structure. A comparatively small but nevertheless important part of the structure of mathematics is

Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – Project-ID 457292495, by the North-German Supercomputing Alliance (HLRN), by the ERC grant CoG ARTIST 101002685, by the Hungarian National Excellence Grant 2018-1.2.1-NKP-00008 and the Hungarian Artificial Intelligence National Laboratory Program (RRF-2.3.1-21-2022-00004).

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 153–174, 2023. https://doi.org/10.1007/978-3-031-43513-3\_9

the identification and application of *lemmas*. It is this aspect which is the focus of the work presented here.

The purpose of lemmas in mathematics is at least threefold. First, and perhaps most importantly, lemmas support the search for proofs of assertions. If some lemma applies to a given problem, a proof may be found more easily. Second, it is often the case that a lemma may be applied more than once. If this happens, its use will shorten the length of the overall proof since the proof of the lemma need only be carried out once, not repeatedly for every application. Third, the structuring effect of proofs by the use of lemmas is an important feature for human comprehension of proofs. In our work we are motivated primarily by the first two of these three aspects.

These considerations give rise to the crucial question: how can we find useful lemmas for proving a given problem? Here we mean useful in the sense of the two aforementioned aspects: lemmas should be applicable to the problem at hand, preferably many times. In full generality this is a difficult question indeed, which will require much further research. In this first step we restrict the question to a narrow range of problems, known in the literature as *condensed detachment* (CD) problems [41]. Proofs of CD problems can be represented in a simple and accessible form as *proof structure terms*, enabling structure enumeration to enhance proof search and lemma maintenance, as well as feature extraction for learning. Our investigation thus focuses on the question of how ATP performance may be improved for CD problems by the generation and selection of useful lemmas before search begins.

CD problems are of the form "axiom(s) and *Det* imply a goal" where *Det* represents the well-known modus ponens rule, or *condensed detachment*. They have a single unary predicate. A typical application is the investigation of an axiomatization of some propositional logic, whose connectives are then represented by function symbols. In order to support this study experimentally, we have built a combined system for dealing with these problems. It features SGCD [74] as prover and lemma generator along with a learning module based on either an easily-interpreted linear model over hand-engineered features, or a graph neural network supporting end-to-end learning directly from lemmas.

Our work results in a number of inter-related particular contributions:


few hundreds of supplied lemmas; Learning based on manual features and on automatic feature extraction perform similarly.


Structure of the Paper. Section 2 presents condensed detachment and its embedding into the CM by way of so-called *D-terms*, as well as background material on lemmas and machine learning in ATP. Section 3 introduces a method for generating and selecting useful lemmas and presents experimental results with it, leading up to the proof of LCL073-1 in Sect. 4. We conclude with a summary and outlook for further work in this area in Sect. 5.

Supplementary material is provided in the appendix of the preprint version [54]. All experiments are fully reproducible and the artifacts are available at https://github.com/zsoltzombori/lemma, commit df2faaa. We use CD Tools [74] and PIE [71,72], implemented in SWI-Prolog [77], for reasoning tasks and PyTorch [47] for learning.

# 2 Background and Related Work

In a very general sense, lemmas in ATP factorize duplication. This may be between different proofs that make use of the same lemma, or within a single proof where a lemma is used multiple times. It may not even be a particular formula that is shared, but a *pattern*, such as a *resonator* [81]. In the presence of machine learning, we may think of even more abstract entities that are factorized: the *principles* by which proofs are written, repeated in different proofs or contexts.

Depending on the proving method, lemmas in ATP play different roles. Provers based on *saturation*, typically resolution/superposition (RS) systems [3], inherently operate by generating lemmas: a resolvent is itself a lemma derived from its parents. Nevertheless, one may ask for more meaningful lemmas than the clauses of the proof. This is addressed with *cut introduction* [14,20,78], which studies methods to obtain complex lemmas from resolution proofs. Such lemmas provide insight about the high-level structure of proofs, extract interesting concepts and support research into the correspondence between natural mathematical notions and possible proof compressions. Other approaches to interesting theorems or lemmas are described for example in [52,65].

Another question concerning lemmas and ATP systems is whether performance can be improved by supplementing the input with lemmas. This is particularly applicable if the lemmas are obtained with methods that are *different* from those of the prover; otherwise, the prover might well have obtained them by itself.<sup>1</sup> As we will see, leading ATP systems such as Vampire and E [59] can indeed be improved in this way. Different *methods* does not necessarily mean different *systems*: it is possible to use different configurations of the same system for lemma generation and proving, as well as for intermediate operations. This was the workflow used by Larry Wos to prove the challenge problem LCL073-1 with OTTER [84]. Our SGCD system also supports this, which played a major role in its ability to prove the aforementioned challenge problem.

Lemmas play a quite different role for a family of provers which we call *CM-CT* for *Connection Method/Clausal Tableaux*, exemplified by PTTP [61], SETHEO [33], and leanCoP [45,46]. Underlying conceptual models are model elimination [35], clausal tableaux [31] and the CM. They enumerate proof structures while propagating variable bindings initialized by the goal through unification, and hence proceed in an inherently goal-driven way. While they are good at problems that benefit from goal direction, in general they are much weaker than RS provers and have not been among the top provers at *CASC* for about two decades. This is attributed to the fact that they do not re-use the proof of one subgoal as the solution of another: they do not use lemmas *internally*.

The lack of lemmas was identified early as a weakness of CM-CT [15], so there have been various proposed remedies [2,15,17,19,32,45,60,62]. Despite some insight and success, this did not yet elevate CM-CT to the level of the best RS systems. Nevertheless, the expectation remains that CM-CT provers would benefit from supplying lemmas as additional input. Hence, we included two CM-CT systems in our experiments, leanCoP and CMProver [12,71,72] and show that the expectation is greatly confirmed. Two other systems considered here, SGCD and CCS [73], can be viewed as CM-CT systems extended to support specific forms of lemma generation and application.

Lemmas can be maintained within the prover as an inherent part of the method, as in saturation. They may also be created and applied by different systems, or different instances of the same system [13,55]. Larry Wos calls this *lemma adjunction* [83]. Lemmas created by one system are passed to a second system in two principal ways. First, they can be passed as *additional axioms*, in the hope that the second system finds a shorter proof in the wider but shallower search space. Second, external lemmas can be used to *replace search*. The second system then starts with the given lemmas as if they were the cached result of its previous computation. Moreover, the provided lemmas can be restricted in advance by heuristic methods, such as by a machine-learned model. SGCD supports this *replacing* lemma incorporation. The basic distinction between augmenting and replacing search with lemmas was already observed by Owen L. Astrachan and Mark E. Stickel [2] in the context of improving CM-CT provers.

<sup>1</sup> We note here that in some cases systems *cannot* generate certain lemmas because of e.g. ordering restrictions.

#### 2.1 Machine Learning for ATP

The past decade has seen numerous attempts to leverage machine learning in the automated theorem proving effort. Early systems mostly focused on premise selection, e.g. [1,68,70], aiming to reduce the number of axioms supplied as input to the prover, or on selection of heuristics, e.g. [11]. Other works provide internal guidance directly at the level of inferences during search, e.g. [18,24,25,27,34, 53,85]. The emergence of generative language models has also led to some initial attempts at directly generating next proof steps, e.g. [48,49,67], moving the emphasis away from search.

In contrast to these lines of work, our focus is on learning the utility of lemmas. Close to our aims are [26,28], which try to identify globally useful lemmas in a collection of millions of proofs in HOL Light. Besides differences in the formal system, what distinguishes our work is that we learn a much more focused model: we put great emphasis on evaluating lemmas in the context of a particular goal and axiom set; in fact, our entire system was designed around the question of whether a given lemma moves the goal closer to the axioms. We argue that the D-term representation of all involved components (goal, lemma, axioms, proof) makes our framework particularly suitable for the lemma selection task.

We employ an iterative improvement approach first used in MaLARea [68]: in each iteration, we run proof search guided by a learned model, extract training data from proving attempts, and fit a new model to the new data. These steps can be repeated profitably until performance saturates.
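The iterative loop just described can be sketched as follows; `prove`, `extract_examples`, and `fit` are hypothetical placeholders for the actual proof search, training-data extraction, and model-fitting components, and are not names from the paper:

```python
# Hypothetical sketch of a MaLARea-style iterative improvement loop.
def improvement_loop(problems, n_iters, prove, extract_examples, fit):
    model = None
    solved = set()
    solved_per_iter = []
    for _ in range(n_iters):
        # Run proof search on every problem, guided by the current model.
        attempts = [(p, prove(p, model)) for p in problems]
        solved |= {p for p, a in attempts if a.success}
        # Fit the next model on data extracted from all proving attempts.
        data = [ex for _, a in attempts for ex in extract_examples(a)]
        model = fit(data)
        solved_per_iter.append(len(solved))
    return model, solved_per_iter
```

Each iteration can only grow the set of solved problems; in practice the loop is stopped once this set no longer increases.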

#### 2.2 Condensed Detachment: Proofs as Terms

*Condensed detachment (CD)* was developed in the mid-1950s by Carew A. Meredith as an evolution of *substitution and detachment* [30,43,50,51]. Reasoning steps are by *detachment*, or modus ponens, under implicit substitution by most general unifiers. Its primary application is the investigation of axiomatizations of propositional logics at a first-order meta-level. CD also provides a technical approach to the Curry-Howard correspondence, "formulas as types" [22,23] and is considered in witness theory [57]. Many early successes in ATP were on CD problems [40,66], but success was also found in the reverse direction. Refinements of the OTTER prover in the 1990s, some of which have found their ways into modern RS provers, were originally conceived and explored in the setting of CD [16,40,69,79–82,84].

From a first-order ATP perspective, a CD problem consists of *axioms*, i.e. positive unit clauses; a *goal theorem*, i.e. a single negative ground unit clause representing a universally-quantified atomic goal theorem after Skolemization; and the following ternary Horn clause that models detachment.

$$\text{Det } \stackrel{\text{def}}{=} \mathsf{P}(\mathsf{i}(x,y)) \land \mathsf{P}(x) \to \mathsf{P}(y).$$

The premises of *Det* are called the *major* and *minor* premise, respectively. All atoms in the problem have the same predicate P, which is unary and stands for something like *provable*. The formulas of the investigated propositional logic are expressed as terms, where the binary function symbol i stands for *implies*.

CD may be seen as an *inference rule*. From an ATP perspective, a *CD inference step* can be described as a hyperresolution from *Det* and two positive unit clauses to a third positive unit clause. A *CD proof* is a proof of a CD problem constructed with the CD inference rule. CD proofs can be contrasted with other types of proof, such as a proof with binary resolution steps yielding nonunit clauses. Prover9 [38] chooses positive hyperresolution by default as its only inference rule for CD problems and thus produces CD proofs for these.

It is, however, another aspect of CD that makes it of particular interest for developing new ATP methods, which only recently came to our attention in the ATP context [75]: the structure of CD proofs can be represented in a very simple and convenient way as full binary trees, or as terms. In ATP we find this aspect in the CM, where the proof structure as a whole is in focus, in contrast to extending a set of formulas by deduction [9]. This view of CD is made precise and elaborated upon in [76], on which the subsequent informal presentation is based. We call the structure representations of CD proofs *D-terms*. A D-term is a term recursively built from numeral constants and the binary function symbol D whose arguments are D-terms. In other words, it is a full binary tree where the leaf nodes are labeled with constants. Four examples of D-terms are

$$1, \quad 2, \quad \mathsf{D}(1,1), \quad \mathsf{D}(\mathsf{D}(2,1), \mathsf{D}(1,\mathsf{D}(2,1))).$$

A D-term represents the structure of a proof. A proof in full is represented by a D-term together with a mapping of constant D-terms to axioms. Conversion between CD proofs and D-terms is straightforward: the use of an axiom corresponds to a constant D-term, while an inference step corresponds to a D-term D(d<sub>1</sub>, d<sub>2</sub>) where d<sub>1</sub> is the D-term that proves the major premise and d<sub>2</sub> the minor.

Through first-order unification, constrained by axioms for the leaf nodes and the requirements of *Det* for inner nodes, it is possible to obtain a most general formula proven by a D-term [76]. We call it the *most general theorem* (MGT) of the D-term with respect to the axioms, unique up to renaming of variables. For a given axiom map, not all D-terms necessarily have an MGT: if unification fails, we say the D-term has no MGT. It is also possible that different D-terms have the same MGT, or that the MGT of one is subsumed by the MGT of another. A D-term is a proof of the problem if its MGT subsumes the goal theorem.

As an example, let the constant D-term 1 be mapped to P(i(x, i(x, x))), known as *Mingle* [66]. Then the MGT of the D-term 1 is just this axiom. The MGT of the D-term D(1, 1) is P(i(i(x, i(x, x)), i(x, i(x, x)))), that is, after renaming of variables, P(y)σ where σ is the most general unifier of the set of pairs {{P(i(x, y)), P(i(x′, i(x′, x′)))}, {P(x), P(i(x′′, i(x′′, x′′)))}}.
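The MGT computation can be sketched in Python. The actual systems use Prolog unification; here terms are nested tuples `('i', s, t)` with string variables, D-terms are nested pairs with integer constants as leaves, and the helper names are our own. Occurs-check is omitted for brevity.

```python
# Illustrative sketch: the most general theorem (MGT) of a D-term with
# respect to an axiom map, via first-order unification. The P predicate
# is left implicit: we unify the term arguments directly.
import itertools

_fresh = itertools.count()

def is_var(t):
    return isinstance(t, str)

def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) \
            and len(a) == len(b) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def resolve(t, s):
    t = walk(t, s)
    if is_var(t):
        return t
    return (t[0],) + tuple(resolve(x, s) for x in t[1:])

def rename(t):
    """Fresh copy of a term (rename variables apart)."""
    n = next(_fresh)
    def r(t):
        if is_var(t):
            return f"{t}_{n}"
        return (t[0],) + tuple(r(x) for x in t[1:])
    return r(t)

def mgt(d, axioms):
    """MGT of D-term d w.r.t. axiom map {constant: term}; None if no MGT."""
    if not isinstance(d, tuple):          # constant D-term: a renamed axiom
        return rename(axioms[d])
    major, minor = mgt(d[0], axioms), mgt(d[1], axioms)
    if major is None or minor is None:
        return None
    x, y = rename("X"), rename("Y")
    # Det: P(i(x, y)) & P(x) -> P(y)
    s = unify(('i', x, y), major, {})
    if s is None:
        return None
    s = unify(x, minor, s)
    if s is None:
        return None
    return resolve(y, s)
```

With the Mingle axiom mapped to the constant 1, `mgt((1, 1), {1: ('i', 'x', ('i', 'x', 'x'))})` yields, up to renaming, the MGT of D(1, 1) discussed above.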

D-terms, as full binary trees, facilitate characterizing and investigating structural properties of proofs. While, for a variety of reasons, it is far from obvious how to measure the size of proofs obtained from ATP systems in general, for D-terms there are at least three straightforward size measures:

– The *tree size* of a D-term is the number of its inner nodes.

– The *compacted size* of a D-term is the number of inner nodes of its minimal DAG, i.e., the number of its distinct compound subterms.

– The *height* of a D-term is the length of the longest path from its root to a leaf.

Alternative names in the literature are *length* for compacted size, *level* for height and *CDcount* [69] for tree size. The D-term D(D(1, D(1, 1)), D(D(1, 1), 1)), for example, has tree size 5, compacted size 4 and height 3. *Factor equations* provide a compact way of writing D-terms: distinct subproofs with multiple incoming edges in the DAG receive numeric labels, by which they are referenced. The D-term D(D(1, 1), D(D(1, D(1, 1)), D(1, D(1, 1)))), for example, can be written as 2 = D(1, 1), 3 = D(1, 2), 4 = D(2, D(3, 3)).
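The three measures are easy to compute on the nested-pair encoding of D-terms (integer constants as leaves, an assumed representation), as this sketch shows:

```python
# Sketch of the three size measures on D-terms, represented as nested
# pairs (d1, d2) with integer constants as leaves.

def tree_size(d):
    """Number of inner nodes of the tree."""
    if not isinstance(d, tuple):
        return 0
    return 1 + tree_size(d[0]) + tree_size(d[1])

def height(d):
    """Length of the longest root-to-leaf path."""
    if not isinstance(d, tuple):
        return 0
    return 1 + max(height(d[0]), height(d[1]))

def compacted_size(d):
    """Inner nodes of the minimal DAG: distinct compound subterms."""
    seen = set()
    def visit(t):
        if isinstance(t, tuple):
            seen.add(t)
            visit(t[0])
            visit(t[1])
    visit(d)
    return len(seen)

# The example from the text: D(D(1, D(1, 1)), D(D(1, 1), 1))
d = ((1, (1, 1)), ((1, 1), 1))
```

On `d`, the functions return tree size 5, compacted size 4, and height 3, matching the example above.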

CD problems have core characteristics of first-order ATP problems: first-order variables, at least one binary function symbol and cyclic predicate dependency. But they are restricted: positive unit clauses, one negative ground clause, and one ternary Horn clause. Equality is not explicitly considered. The generalization of CD to arbitrary Horn problems is, however, not difficult [73].

#### 2.3 Condensed Detachment for ATP and Lemmas

From an ATP point of view, D-terms provide access to proofs as a whole. This exposes properties of proofs that are not merely local to an inference step, but spread across the whole proof. It suggests a shift in the role of the calculus from providing a recipe for building the structure towards an inductive structure *specification*. Moreover, D-terms as objects provide insight into *all* proofs: for example, growth rates of the number of binary trees for tree size, height and compacted size are well-known with entries in *The On-Line Encyclopedia of Integer Sequences* [44] and provide upper bounds for the number of proofs [76]. A practical consequence for ATP is the justification of proof structure enumeration techniques where each structure appears at most once.

CD proofs suggest and allow for a specific form of lemmas, which we call *unit* or *subtree* lemmas, reflecting two views on them. As formulas, they are positive unit clauses, which can be re-used in different CD inference steps. In the structural view, they are subterms, or subtrees, of the overall D-term. If they occur multiple times there, they are factored in the minimal DAG of the overall D-term. The views are linked in that the formula of a lemma is the MGT of its D-term. The *compacted size* measure specified above takes into account the compression achievable by unit/subtree lemmas. From the perspective of proof structure compression methods, unit/subtree lemmas have the property that the compression target is unique, because each tree is represented by a unique minimal DAG. CM-CT provers do not support such lemmas, which is the main reason for their notorious weakness on CD problems.

#### 2.4 SGCD—Structure Generating Theorem Proving

SGCD *(Structure Generating Theorem Proving for Condensed Detachment)* [74] is the central system used in our experiments as prover as well as lemma generator. It realizes an approach to first-order theorem proving, not fully recognized before, that combines techniques known from the CM and RS. It generalizes (for CD problems) bottom-up preprocessing for and with CM-CT provers [60] and hypertableaux [4]. SGCD works by enumeration of proof structures together with unification of associated formulas, which is also the core method of the CM-CT provers. Structures for which unification fails are excluded. Each structure appears at most once in the enumeration.

Let the proof structures be D-terms. Partition the set of all D-terms according to some *level* such that those in a lower level are strict subterms of those in a higher level. Tree size and height are examples of such levels. Let

#### enum\_dterm\_mgt\_pairs(*+Level*, *?DTerm*, *?Formula*)

be a Prolog<sup>2</sup> predicate enumerating D-terms and corresponding MGTs at a certain level, with respect to given axioms that do not explicitly appear as parameter. We say that the predicate generates these pairs in an *axiom-driven* way. If the predicate is invoked with the formula argument instantiated by a ground formula, it enumerates D-terms that prove the formula at the specified level. The predicate is then used *goal-driven*, like a CM-CT prover. Invoking it for increasing level values realizes iterative deepening. There are further instantiation possibilities: if only the D-term is instantiated and the level is that of the D-term, its MGT is computed. If both D-term and formula are instantiated, the predicate acts as verifier.

The implementation includes several *generators*, concrete variants of the enum\_dterm\_mgt\_pairs predicate for specific level characterizations. SGCD maintains a cache of *level*, *D-term*, *formula* triples used to obtain solutions for subproblems in levels below the calling level. This cache is highly configurable. In particular, the number of entries can be limited, where only the best triples according to specified criteria are kept. Typical criteria are height or size of the formula, a heuristic shared with RS provers. Subsumed entries can be deleted, another feature in common with RS. Novel criteria are also supported, some of which relate the formula to the goal. Most criteria are based on the formula component of the triples, the MGT. Due to rigid variables [21], MGTs are not usually available in CM-CT provers [76] and cannot be used as a basis for heuristics.

When lemmas are provided to SGCD, they are used to initialize the cache, replacing search at levels lower than the calling level.<sup>3</sup> SGCD further maintains a set of *abandoned level*, *D-term*, *formula* triples, those that are generated but do not qualify for entering the cache or were removed from the cache. These are kept as a source for heuristic evaluation of other triples and for lemma generation.

For theorem proving, SGCD proceeds as shown in Fig. 1. Input parameter g is the goal formula, while parameters *maxLevel* and *preAddMaxLevel* are configurable. enum\_dterm\_mgt\_pairs represents a particular generator that is also configurable. It enumerates argument bindings nondeterministically: when it succeeds in the inner loop, an exception is raised that exits both loops and returns the D-term d. C is the

<sup>2</sup> Prolog serves here as a suitable specification language.

<sup>3</sup> Replacement can be subject to heuristic restrictions.

cache. The procedure merge\_news\_into\_cache(N,C) merges newly generated *level*, *D-term*, *formula* triples N into the cache C. If *maxLevel* is configured as 0, the method proceeds in purely goal-driven mode with the inner loop performing iterative deepening on the level m. Similarity to CM-CT provers can be shown empirically by comparing the sets of solved TPTP problems [74]. Successful configurations typically use *preAddMaxLevel* values of 0–3.

Fig. 1. The nested loops of the SGCD theorem proving method.
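The nested loops can be sketched in Python as follows. This is a hedged reconstruction from the textual description; the exact level arithmetic and control details in Fig. 1 may differ, and the purely goal-driven mode (*maxLevel* = 0 with unbounded inner deepening) is omitted. The three callables are assumed stand-ins.

```python
# Hedged sketch of SGCD's nested loops (cf. Fig. 1). Success inside the
# inner loop is signalled by an exception carrying the proof D-term.

class ProofFound(Exception):
    def __init__(self, dterm):
        self.dterm = dterm

def sgcd(goal, generate, prove_goal_at, merge_news_into_cache,
         max_level, pre_add_max_level):
    cache = []                      # <level, D-term, formula> triples
    try:
        for level in range(max_level + 1):
            # Goal-driven inner loop: attempt the goal just above the
            # levels already covered by the cache.
            for m in range(level, level + pre_add_max_level + 1):
                d = prove_goal_at(goal, m, cache)
                if d is not None:
                    raise ProofFound(d)      # exits both loops
            # Axiom-driven phase: generate the next level of triples.
            news = generate(level, cache)
            merge_news_into_cache(news, cache)
    except ProofFound as e:
        return e.dterm
    return None
```

With *preAddMaxLevel* = 0 the inner loop tries the goal only at the level directly above the last cached level, as described for lemma generation below.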

# 3 Improving a Prover via Learned Lemma Selection

We employ machine learning to identify lemmas that can enhance proof search. Unlike the standard supervised scenario in which we learn from some training problems and evaluate performance on separate test problems, we take a reinforcement learning approach of self-improvement that has already been successfully applied in several theorem proving projects since [68]. In this approach, we perform proof search with a *base prover* on our entire problem set and learn from the proof attempts.<sup>4</sup> The learning-assisted prover is evaluated again on the problem set to see if it can solve more or different problems. If there is improvement, the process can be repeated until performance saturates. In a bit more detail, our system has the following components.


<sup>4</sup> We currently only learn from successful proof attempts and sketch an extension to learning from failure.

Base Prover. Any prover that emits proofs as D-terms is suitable as a base prover. Given a D-term proof tree P of some formula C from axiom set As, any connected subgraph S of P can be considered as the proof of a lemma L. If S is a full tree, it proves a unit lemma, which is the formula associated with its root. Otherwise, it proves a Horn clause, whose head is the root formula of S and whose body corresponds to the open leaves of S. We currently focus on unit lemmas and leave more general subgraphs for future work. To approximate the utility of lemma L for proving C from As, there are several easy-to-compute logical candidates, such as the reduction in tree size, tree height or compacted size. A more refined measure is obtained if we reprove C with the lemma L added to the axioms As and observe how the number of inference steps changes.<sup>5</sup> This is slower to compute, but takes into account the particularities of the base prover, hence provides more focused guidance. In our experiments, we find that the best performance is obtained by reproving and then computing utility U as the inference step reduction normalized into [−1, 1], where −1 means that the problem could not be solved within the original inference limit and 1 is assigned to the lemma that yields the greatest speedup. We end up with tuples ⟨C, As, L, U⟩ to learn from.

Utility Model Training. We experiment with gradient-descent optimization for two classes of functions: linear models and graph neural networks (GNNs). Our linear model is based on 51 manually-identified features, some of them novel, described in [54, App. A]. For each feature f<sub>i</sub> there is an associated weight parameter w<sub>i</sub> to produce the final predicted utility

$$U(f; w) = \sum\_{i} f\_i w\_i.$$
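A minimal sketch of this model, fit by stochastic gradient descent on squared error (the actual optimizer and loss are assumptions; feature extraction is described in [54, App. A]):

```python
# Sketch: linear utility model U(f; w) = sum_i f_i * w_i, trained by SGD.

def predict(features, weights):
    """Predicted utility: dot product of features with learned weights."""
    return sum(f * w for f, w in zip(features, weights))

def sgd_step(examples, weights, lr=0.01):
    """One pass over (features, target utility) pairs, squared-error loss."""
    for features, target in examples:
        err = predict(features, weights) - target
        weights = [w - lr * err * f for w, f in zip(weights, features)]
    return weights
```

Repeating `sgd_step` over the ⟨features, utility⟩ training tuples converges the weights toward the least-squares fit.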

The second, more involved model is a GNN. Describing this model is beyond the scope of this paper: see e.g. [58] for a gentle introduction. What is crucial for our purposes is that no manual feature extraction is involved: a specialized neural network processes the D-terms of involved formulas directly and learns to extract useful features during optimization. As input, the model is given a graph, losslessly encoding D-terms of the lemma to be evaluated, the conjecture and the axioms. The precise network architecture is provided in [54, App. B].

Candidate Lemma Generation. Candidate lemmas are generated separately for each problem via the structure enumeration mechanism of SGCD, as explained in Fig. 1. The goal g is provided and *preAddMaxLevel* is set to 0, making SGCD proceed axiom-driven, generating lemmas level by level. The goal-driven inner loop is still interspersed, attempting to prove the goal only at the level directly above the last cached level. SGCD may terminate with

<sup>5</sup> The number of inferences is a measure provided by the Prolog engine and is not identical to the number of steps in the FOL calculus.

a proof, in which case further lemma generation is pointless. Otherwise it terminates after *maxLevel* is reached, generation of new levels is exhausted, or a time limit is reached. We then use the cache C and the abandoned triples as the generated output lemmas. Furthermore, there are many ways to configure SGCD. We obtained the best results generating by tree size and by PSP-level (explained below), combined with known good heuristic restrictions. In particular we restrict the size of the lemma formulas to the maximum of the size of the axioms and the goal, multiplied by some factor (usually 2–5). We also restrict the number of elements in the cache, typically to 1,000. The lemmas are sorted by formula size measures, smaller preferred, to determine which are retained in the cache.

Proof structure generation by PSP-level is a novel technique introduced in [74,76], based on an observation by Łukasiewicz and Meredith. In a detachment step, often the D-term that proves one premise is a subterm of the D-term that proves the other. We turn this relationship into a proof structure enumeration method: structures in level n + 1 are D-terms where one argument D-term is at level n and the other argument is a subterm of that D-term. The method is incomplete, but combines features of DAG enumeration while being compatible with a simple global lemma maintenance as realized with SGCD's cache [76].
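The PSP-level step can be sketched structurally as follows. This is a hedged illustration on the nested-pair encoding of D-terms; the real implementation interleaves unification, so structures without an MGT are pruned, which this sketch omits.

```python
# Hedged sketch of PSP-level proof structure enumeration: a structure at
# level n+1 is a D-term whose one argument d is at level n and whose
# other argument is a subterm of d (in either order). D-terms are
# nested pairs with integer constants as leaves.

def subterms(d):
    yield d
    if isinstance(d, tuple):
        yield from subterms(d[0])
        yield from subterms(d[1])

def psp_next_level(level_n):
    """All structures at level n+1 from the structures at level n."""
    out = set()
    for d in level_n:
        for s in subterms(d):
            out.add((d, s))
            out.add((s, d))
    return out

level0 = {1}                          # a single axiom as constant D-term
level1 = psp_next_level(level0)       # {(1, 1)}
level2 = psp_next_level(level1)
```

Starting from a single axiom, level 1 contains only D(1, 1), and level 2 contains D(D(1, 1), D(1, 1)), D(D(1, 1), 1) and D(1, D(1, 1)), illustrating how the enumeration stays incomplete yet compact.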


Table 1. Features of the considered provers: whether their proofs are available as Dterms (possibly after some conversion), whether they were used with *replacing* lemma incorporation (Sect. 2), whether they operate goal-driven, and the underlying method.

Evaluated Prover. For each problem, we evaluate the candidate set with the utility model and select k lemmas with the highest predicted utility, where k is a hyperparameter. The evaluated prover then tries to solve the problems with the help of the selected lemmas. The lemmas can either be treated as additional axioms—applicable to any prover—or have a specialized treatment if the prover provides for it: in particular, SGCD and CCS-Vanilla use the lemmas to replace inner lemma enumeration.<sup>6</sup> The evaluated prover can be any prover, since there is no specialized requirement to handle lemmas as new axioms. If, however, it

<sup>6</sup> Before the obtained input lemmas are passed to a prover we supplement them with the lemmas for all their subproofs, i.e. we close the set of D-terms under the subterm relationship. This proved beneficial in experiments (see, e.g., [54, App. D]). An alternative would be to perform this closure on all generated lemmas before selection.

is the base prover (or any other system that emits proofs as D-terms), then the learning procedure can be iterated as long as there are new problems solved.
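Input preparation for the evaluated prover can be sketched as follows: score the candidates, keep the k best, and close the chosen D-terms under the subterm relationship (cf. footnote 6). `score` is an assumed stand-in for the trained utility model.

```python
# Sketch: select the k highest-utility candidate lemmas and close the
# set of their D-terms under the subterm relationship, so that every
# subproof of a selected lemma is also supplied to the prover.

def select_lemmas(candidates, score, k):
    """candidates: iterable of D-terms (nested pairs, integer leaves)."""
    best = sorted(candidates, key=score, reverse=True)[:k]
    closed = set()
    def close(d):
        if d in closed or not isinstance(d, tuple):
            return                 # constants are axioms, not lemmas
        closed.add(d)
        close(d[0])
        close(d[1])
    for d in best:
        close(d)
    return closed
```

Note that the closure may return more than k lemmas, since the subproofs of the selected D-terms are added as well.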

#### 3.1 Learning-Based Experiments

We experiment with a total of 312 CD problems, including all 196 pure CD problems from TPTP 8.1.2 [64], enriched with single-axiom versions of all the problems to which a technique by Tarski [37], as specified by Rezuş [56], was applicable. We test several representative ATP systems, including state-of-the-art systems for both general first-order reasoning and for CD problems.

Table 1 gives an overview of the considered provers. CCS-Vanilla is CCS [73] in a restricted configuration to find only those CD proofs with minimal compacted size, identifying problems that can clearly be solved with exhaustive search. It operates goal-driven, like the CM-CT provers, but by enumerating DAGs instead of trees through a local lemma maintenance mechanism. Vampire and E represent the state of the art of first-order ATP. Provers that produce D-terms as proofs (SGCD, Prover9, CMProver, CCS) can serve as base provers. We always rely on SGCD for lemma candidate generation. All provers are recent public versions: Vampire 4.5.1, E 2.6, leanCoP 2.1. We provide results in terms of *time* limits, although for the Prolog provers SGCD, CMProver and CCS-Vanilla we used a roughly equivalent inference limit to avoid fluctuations due to server workload.

Improving the Base Prover. In our first experiment, we evaluate base provers after learning from their own proof attempts. The provers are given k = 200 best lemmas according to the linear utility model. Table 2<sup>7</sup> shows problems solved by four base provers without lemmas (*Base* case) and with two iterations of learning. The *Total* row gives the number of theorems proved by any of the three iterations shown. The stronger the base prover, the harder it is to improve. CMProver and CCS-Vanilla are purely goal-driven and benefit greatly, reaching over 37% improvement for larger time limits. SGCD and Prover9 improve over 5% for shorter time limits, but this effect gradually vanishes as the time limit is increased.


Table 2. Number of problems solved over 2 iterations of training a linear model.

An analysis, provided in [54, App. D], reveals that in the proofs not found during lemma generation and found by SGCD after the provision of lemmas,

<sup>7</sup> Further visualizations of our experiments are provided in [54, App. C].

63–96% of the distinct subterms originate from the lemmas, i.e., a substantial portion of the proofs are built up from the provided lemmas.

Learned Lemmas to Enhance Other Provers. Next, we fix SGCD as base prover and evaluate other provers, namely Vampire, E, Prover9 and leanCoP. Again, the provers are given k = 200 best lemmas according to the linear utility model. Table 3 shows the greatest boost is for the purely goal-driven leanCoP, where there is over 40% improvement for all time limits. Second is Vampire with 8–15% improvement, followed by Prover9 and E with around 3% improvement. Interestingly, E does not solve more problems with the lemmas, but it solves different ones, hence the improvement. These results suggest a great deal of transferability of the benefits of the lemma selector.

Table 3. Number of problems solved by Vampire (casc), E (autoschedule), Prover9 and leanCoP without and with additional lemmas using various time limits.


Changing the Number of Lemmas Added. Adding lemmas has potential to shorten proofs, but it also widens the search space, so it is not obvious how many lemmas are beneficial. In the next experiment, we again fix SGCD as base prover and evaluate SGCD and Vampire with different numbers of selected lemmas. Table 4 shows that as few as 25 added lemmas yield substantial improvement, 7% for Vampire and 4% for SGCD, and performance does not drop as we add more lemmas: even at 500 we see no negative effect of the expanded search space.

Table 4. Number of problems solved by Vampire (casc) and SGCD as we alter the number k of supplemented lemmas. We use a time limit of 100 s.


Linear vs GNN Model. The preceding experiments suggest that even a simple linear model can provide useful guidance when features are carefully selected. Table 5 shows that the GNN—which processes the formulas directly and has no access to expert-designed features—also successfully learns to identify useful lemmas for SGCD and even slightly surpasses the linear model. LCL125-1 is solved only by the GNN-assisted prover, even at extremely large time limits.


Table 5. Number of problems solved by SGCD over 2 iterations of training both a linear and a graph neural network model, for time limits 50 s, 100 s, 500 s and 30 min.

#### 3.2 Discussion of Learning-Based Experiments

When enhanced by learning-based lemma selection, SGCD solves 287 of the 312 problems. These include 28 problems not solved by the leading first-order prover Vampire [29], which solves 263 problems in its *CASC* [63] portfolio mode. Supplemented with our lemmas, Vampire is boosted to 284 solved problems. In combination, boosted SGCD and Vampire give 293 solved problems. Taking into account the solutions obtained by further provers with our lemmas, we obtain a total of 297. For detailed results see [54, App. E] and http://cs.christophwernhard.com/cdtools/exp-lemmas/lemmas.html.

A notable observation is that all systems—with the exception of E—improve when provided with selected lemmas. We argue that our framework addresses fundamental weaknesses of both purely goal-driven systems such as CMProver, leanCoP and CCS-Vanilla, as well as those of saturation style systems such as Vampire and E. For the former, it is their inability to generate lemmas, which results in unduly long proofs. For the latter, it is their unrestricted expansion of the branching of the search space. We find that goal-driven systems demonstrate huge improvement when lemmas are added: usually 20–40% depending on the configuration. The improvement is much more modest for saturation style systems, partly because their baselines are already stronger and partly because learned lemma selection still leaves much room for improvement. This is the focus of our immediate future work. SGCD already provides a balance between goal-driven search and axiom-driven lemma generation and we only see significant improvement from lemmas when the time limit on proof search is smaller. Our manual feature-based linear model allows for exploiting expert knowledge. However, we see more potential in automated feature extraction via GNNs. The fact that the two models perform similarly suggests that we are not providing enough training data for the GNN to manifest its full capabilities.

# 4 Proving LCL073-1

LCL073-1 was proven by Meredith in the early 1950s with substitution and detachment [42], but it remains outstandingly hard for ATP, where it came to attention in 1992 [40]; TPTP reports rating 1.0 and status *Unknown* since 1997. It was proved only by Wos in the year 2000, with several invocations of OTTER [84], transferring output and insight between runs. The problem has a single axiom,

P(i(i(i(i(i(x, y), i(n(z), n(u))), z), v), i(i(v, x), i(u, x)))),

and the goal P(i(i(a, b), i(i(b, c), i(a, c)))), known as *Syll* [66]. The wider context is showing that a single axiom entails the elements of a known axiomatization of a propositional logic. Experiments with SGCD in our workflow led to a proof of LCL073-1 (Fig. 2, also [54, App. F]) surprisingly quickly. Its compacted size is 46, between that of Meredith (40, reconstructed with CD in [84]) and that of Wos (74). Our workflow is much simpler than Wos', basically the same as our other experiments but restricted to one phase of lemma generation and incorporation, with only heuristic lemma selection, no learning. Nevertheless, success is fragile with respect to configuration, where reasons for failure or success are not obvious.

Our configuration parameters are not problem specific, although we started out with lemma generation by PSP-level because it led earlier to a short proof of LCL038-1 [74,76]. We first call SGCD to generate lemmas by PSP-level enumeration, configured with a cache size of 5,000, terminating after 60 s with exhaustion of the search space.<sup>8</sup> Lemma features are computed for the 98,198 generated lemmas and written to disk, taking another 120 s. Lemmas are then ordered lexicographically according to five features relating to sharing of symbols and subterms with the goal, and to formula dimensions, taking a further 70 s. These five features are lf\_h\_height, lf\_h\_excluded\_goal\_subterms, lf\_h\_tsize, lf\_h\_distinct\_vars, dcterm\_hash, see [54, App. A] for their specification. We now call SGCD again, configured such that it performs PSP-level enumeration for axiom-driven phases, interleaved with level enumeration by height for goal-driven phases with 0 as *preAddMaxLevel*. It incorporates the first 2,900 ordered

<sup>8</sup> Notebook hardware, Intel® Core™ i7-1260P processor, 32 GB RAM.

lemmas<sup>9</sup> as input by *replacement* (Sect. 2). The cache size limit is set to 1,500, a value used in other generally successful configurations. Formulas occurring as subformulas of an earlier-proven formula are excluded, a variation of the *organic* property [37,76]. The proof is then found in 20 s, total time elapsed about 270 s.

The D-term dimensions *compacted size*, *tree size*, *height* are 46, 3276, 40, compared to Meredith's 40, 6172, 30<sup>10</sup> and Wos' 74, 9207, 48. The maximal size (occurrences of non-constant function symbols) of a lemma formula (MGT of a subproof) in the proof is 19, the maximal height (tree height, disregarding the predicate symbol) 9, and the maximal number of variables 7. Of the 46 lemmas in the proof, 12 are present in the 2,900 input lemmas. Among the 46 lemma formulas, 35 are weakly organic [76] and 4 involve double negation. N-simplification [76] applies to 65 occurrences but does not effect a size reduction. The proof is S- and C-regular [76]. Certain configurations of SGCD for the proving phase also yield further proofs. In experiments so far, these are enumerated after the presented proof and have larger compacted size.

Proof structure enumeration by PSP-level [76] is the main key to finding our proof of LCL073-1. It is used for lemma generation and for axiom-driven proof search, whereas goal-driven phases use height instead. The structure of the proof reflects this: all steps with the exception of the root can be considered PSP steps, i.e. one premise is a subproof of the other. The particular challenge of the problem lies in the fact that it was solved by a human (Meredith). Unlike in recent ATP successes for Boolos' curious inference [5,10], where the key is two particular second-order lemmas, the key here is a proof-structural *principle* for building up proofs by lemmas. Intuitively it might express a form of economy, building proofs from proofs at hand, that belonged to Meredith's repertoire.

# 5 Conclusion

We presented encouraging results about the use of lemmas in proof search. Provers are provided with lemmas generated via structure enumeration, a feature of the CM, and filtered with either learned guidance or manual heuristics. As a first step with this new methodology, we focus on the class of CD problems where we obtained strong results with our own system and substantial improvement of general first-order provers based on different paradigms, including the long-time competition leader Vampire. Moreover, our approach has led to the—in a sense first—automatic proof for the well-known Meredith single axiom problem with TPTP difficulty rating 1.0.

An important and novel aspect in our work was the explicit consideration of proof structures, which for CD have a particularly simple form in D-terms. Proof structures of the CM have a direct correspondence to these [76], such that the

<sup>9</sup> 2,900 is one of the fragile parameters. Depending on features chosen for ordering lemmas, there are ranges around 3,000 where the problem is solved.

<sup>10</sup> The *length* reported in [84] is the compacted size if also the proofs of the two other goals required to prove completeness of the single axiom are considered. The notion of compacted size straightforwardly generalizes from trees to *sets* of trees [76].

CM may guide the way to generalizations for more expressive logics. Another course of generalization is to move from unit lemmas, i.e. sharing of *subtrees* of D-terms, to more powerful lemmas. Preliminary work shows a correspondence between Horn clause lemmas, D-terms with variables, proofs in the connection structure calculus [15], and combinatory compression [73].

The learning-based experiments show little difference in performance between using a simple linear model and a more sophisticated graph neural network. We believe this is due to the small problem corpus, which yields a limited training signal. Hence, we plan to scale the system up to larger problem sets.

Our work also sheds new light on perspectives for the CM. It is well-known that the lack of inherent lemma maintenance is a disadvantage of the CM compared to resolution, which can be overcome with the connection structure calculus [15], a generalization of the CM. Here we see in experiments a drastic improvement of the CM-CT provers by supplementing their input with externally generated lemmas. SGCD, which grew out of the CM-CT approach and integrates repeated lemma generation into the proving process, keeps up with RS provers on CD problems, and can even be applied to improve these by supplying its lemmas as additional input.

Acknowledgments. We thank Jens Otten for inspiring discussions at the outset of the current project and anonymous reviewers for helpful suggestions to improve the presentation. This work was supported by the Hungarian Artificial Intelligence National Laboratory (RRF-2.3.1-21-2022-00004) and the ELTE TKP 2021-NKTA-62 funding scheme.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# Machine-Learned Premise Selection for Lean

Bartosz Piotrowski<sup>1(B)</sup>, Ramon Fernández Mir<sup>2</sup>, and Edward Ayers<sup>3</sup>

<sup>1</sup> University of Warsaw, Warsaw, Poland, and Czech Technical University in Prague, Prague, Czech Republic bartoszpiotrowski@post.pl

<sup>2</sup> University of Edinburgh, Edinburgh, Scotland

<sup>3</sup> Carnegie Mellon University, Pittsburgh, USA

Abstract. We introduce a machine-learning-based tool for the Lean proof assistant that suggests relevant premises for theorems being proved by a user. The design principles for the tool are (1) tight integration with the proof assistant, (2) ease of use and installation, (3) a lightweight and fast approach. For this purpose, we designed a custom version of the random forest model, trained in an online fashion. It is implemented directly in Lean, which was possible thanks to the rich and efficient metaprogramming features of Lean 4. The random forest is trained on data extracted from mathlib – Lean's mathematics library. We experiment with various options for producing training features and labels. The advice from a trained model is accessible to the user via the suggest\_premises tactic which can be called in an editor while constructing a proof interactively.

Keywords: premise selection · machine learning · Lean proof assistant

# 1 Introduction

Formalizing mathematics in proof assistants is an ambitious and hard undertaking. One of the major challenges in constructing formal proofs of theorems depending on multiple other results is the prerequisite of having a good familiarity with the structure and contents of the library. Tools for helping users search through formal libraries are currently limited.

In the case of the Lean proof assistant [13], users may look for relevant lemmas in its formal library, mathlib [5], either by (1) using general textual search tools and keywords, (2) browsing the related source files manually, (3) using mathlib's suggest or library\_search tactics.

Approaches (1) and (2) are often slow and tedious. The limitation of approach (3) is the fact that suggest or library\_search propose lemmas that strictly match the goal at the current proof state. This is often very useful, but it also means that these tactics often fail to direct the user to relevant lemmas that do not

The results were supported by the Hoskinson Center for Formal Mathematics (BP, RFM, EA), the Kościuszko Foundation (BP), and the Principal's Career Development Scholarship of the University of Edinburgh (RFM).

c The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 175–186, 2023. https://doi.org/10.1007/978-3-031-43513-3\_10

match the current goal exactly. They may also suggest too many trivial lemmas if the goal is simple.

The aim of this project is to make progress towards improving the situation of a Lean user looking for relevant lemmas while building proofs. We develop a new tool that efficiently computes a ranking of potentially useful lemmas selected by a machine learning (ML) model trained on data extracted from mathlib. This ranking can be accessed and used interactively via the suggest\_premises tactic.

The project described here belongs to the already quite broad body of work dealing with the problem of fact selection for theorem proving [1,7,9,11,12,15, 16]. This problem, commonly referred to as the *premise selection* problem, is crucial when performing automated reasoning in large formal libraries – both in the context of *automated* (ATP) and *interactive* (ITP) theorem proving, and regardless of the underlying logical calculus. Most of the existing work on premise selection focuses on the ATP context. Our main contribution is the development of a premise selection tool that is practically usable in a proof assistant (Lean in that case), tightly integrated with it, lightweight, extendable, and equipped with a convenient interface. The tool is available in a public GitHub repository: https://github.com/BartoszPiotrowski/lean-premise-selection.

# 2 Dataset Collection

A crucial requirement of a useful ML model is a high-quality dataset of training examples. It should represent the learning task well and be suitable for the ML architecture being applied.

In this work, we use simple ML architectures that cannot process raw theorem statements and require *featurization* as a preprocessing step. The features need to be meaningful yet simple so that the model can use them appropriately. Our approach is described in Sect. 2.1. The notion of *relevant premise* may be understood differently depending on the context. In Sect. 2.2, we describe the different specifications of this notion that we used in our experiments.

The tool developed in this work is implemented and meant to be used in Lean 4 together with mathlib 4. However, since, at the time of writing, Lean 4's version of the library is still being ported from Lean 3, we use mathlib3port<sup>1</sup> as our main data source.

#### 2.1 Features

The features, similar to those used in [8,15], consist of the symbols used in the theorem statement with different degrees of structure. In particular, three types of features are used: names, bigrams and trigrams.

As an illustration, take this theorem about groups with zero:

theorem div\_ne\_zero (ha : a ≠ 0) (hb : b ≠ 0) : a / b ≠ 0 := ...

This statement comes from one of the source files of mathlib. When producing the features for it, we do not use it directly as printed above but rather we take

<sup>1</sup> https://github.com/leanprover-community/mathlib3port (commit f4e5dfe).

its *elaborated* counterpart – a much more detailed version where all the hidden assumptions are made explicit by Lean's elaborator so that the expression precisely conforms to Lean's dependent type theory.

The most basic form of featurization is the *bag-of-words* model, where we simply collect all the names (and numerical constants) involved in the theorem.

Following this definition, we obtain the names ≠, 0, and /, which are visible in the source version of the statement,<sup>2</sup> plus many more hidden names appearing only in the elaborated expression, e.g., OfNat.ofNat, which is related to interpreting numerical literals as natural numbers.

During the featurization we distinguish features coming from the *conclusion* and the *hypotheses* (assumptions) of the theorem, and we mark them by prepending either T or H, respectively.

For our running example of theorem div\_ne\_zero, all this results in the list of names that looks as follows:

```
H:OfNat.ofNat H:MonoidWithZero.toZero H:0 H:Ne T:HDiv.hDiv T:0 T:Ne ...
```
It would be desirable, however, to keep track of which symbols appear next to each other in the syntactic trees of the theorem hypotheses and its statement. Thus, we extract bigrams that are formed by the head symbol and each of its arguments (separated by / below).

```
H:Ne/OfNat.ofNat H:OfNat.ofNat/0 T:OfNat.ofNat/0 T:Ne/OfNat.ofNat ...
```
Similarly, we also consider trigrams, taking all paths of length 3 from the syntactic tree of the expression.

```
H:Ne/OfNat.ofNat/0 H:Ne/OfNat.ofNat/Zero.toOfNat0 ...
```
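The featurization just described can be sketched in a few lines. The following is our own illustration over a toy tuple-based expression tree, not the actual Lean implementation; the helper names (`head`, `ngram_features`) are hypothetical.

```python
# Toy expression tree: a node is (head_symbol, [children]); a leaf is a
# plain string. The real tool walks elaborated Lean expressions instead.
def head(expr):
    return expr if isinstance(expr, str) else expr[0]

def ngram_features(expr, mark):
    """Collect name, bigram and trigram features from an expression tree.

    Bigrams and trigrams are paths of length 2 and 3 down the tree;
    `mark` is "T" (conclusion) or "H" (hypothesis), prepended to every
    feature as described above.
    """
    features = set()

    def walk(node, path):
        path = path + (head(node),)
        features.add(f"{mark}:{path[-1]}")                 # name
        if len(path) >= 2:
            features.add(f"{mark}:{'/'.join(path[-2:])}")  # bigram
        if len(path) >= 3:
            features.add(f"{mark}:{'/'.join(path[-3:])}")  # trigram
        if not isinstance(node, str):
            for child in node[1]:
                walk(child, path)

    walk(expr, ())
    return features

# The hypothesis `a ≠ 0`, elaborated roughly as an application of Ne:
hypothesis = ("Ne", [("OfNat.ofNat", ["0"])])
features = ngram_features(hypothesis, "H")
```

On this toy input the function yields, among others, H:Ne, H:Ne/OfNat.ofNat and H:Ne/OfNat.ofNat/0, matching the examples above.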

#### 2.2 Relevant Premises

To obtain the list of all the premises used in a proof of a given theorem it suffices to traverse the theorem's proof term<sup>3</sup> and keep track of all the constants whose type is a proposition. For instance, the raw list of premises that appear in the proof of div\_ne\_zero is:

```
GroupWithZero.noZeroDivisors
div_eq_mul_inv
mul_ne_zero
inv_ne_zero
Eq.refl
```
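The traversal just described can be sketched as follows, assuming a toy proof-term encoding; the IS_PROP table is a hypothetical stand-in for querying Lean's environment about a constant's type.

```python
# Toy proof-term encoding: ("const", name) references a constant and
# ("app", f, x) is function application; other constructors are omitted.
# IS_PROP stands in for asking Lean whether a constant's type is a Prop.
IS_PROP = {"div_eq_mul_inv": True, "mul_ne_zero": True, "Nat": False}

def used_premises(term):
    """Collect all constants of propositional type used in a proof term."""
    if term[0] == "const":
        return {term[1]} if IS_PROP.get(term[1], False) else set()
    if term[0] == "app":
        return used_premises(term[1]) | used_premises(term[2])
    return set()

proof = ("app",
         ("app", ("const", "mul_ne_zero"), ("const", "div_eq_mul_inv")),
         ("const", "Nat"))
premises = used_premises(proof)  # {"mul_ne_zero", "div_eq_mul_inv"}
```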
For more complicated examples, this approach results in a large number of premises including lemmas used *implicitly* by tactics (for instance, those picked by the 'simplify' tactic simp), or simple facts that a user would rarely write

<sup>2</sup> In fact, we use translations of these symbols from the elaborated counterpart of the theorem; so, for instance, we use Ne instead of the notation ≠, etc.

<sup>3</sup> A proof term is an internal Lean expression whose type is the theorem, constructed based on the proof written by a user, possibly using tactics.


Table 1. Filters' statistics. An example is a theorem with a non-empty list of premises. Because applying the source or math filter may result in an empty set of premises, the numbers of obtained training examples differ across the filters.

explicitly. Three different filters are applied to mitigate this issue: all, source, and math. They are described below and their overall effect is shown in Table 1.

1. The all filter keeps every premise extracted from the proof term.

2. The source filter keeps only those premises that appear explicitly in the source proof script. For div\_ne\_zero, whose proof is

   by rw [div\_eq\_mul\_inv]; exact mul\_ne\_zero ha (inv\_ne\_zero hb)

   these are div\_eq\_mul\_inv, mul\_ne\_zero, and inv\_ne\_zero.

3. The math filter preserves only lemmas that are clearly of mathematical nature, discarding basic, technical ones. The names of all theorems and definitions from mathlib are extracted and used as a *white list*. In particular, this means that many basic lemmas from Lean's core library (e.g. Eq.refl from our example) are filtered out.

In addition to our base datasets containing *one data point per theorem*, we also created a dataset (labeled as intermediate) representing *intermediate proof states*. In the standard datasets we recorded features of an initial proof state (the hypotheses and the conclusion of the theorem to be proved) and the premises used in the full proof. In the intermediate dataset we instead record features of a proof state encountered *while* constructing a proof, and the premises used in the next proof step only.

To this end, we used LeanInk, <sup>4</sup> a helper tool for Alectryon [17] – a toolkit that aids exploration of tactical proof scripts without running the proof assistant. Given a Lean file, LeanInk generates all the states that a user might be able to see in the *infoview* (a panel in Lean that displays goal states and other information about the prover's state) by clicking on the file. The file is split

<sup>4</sup> https://github.com/leanprover/LeanInk.

into fragments, each containing a string of Lean code, represented by a list of tokens, together with the proof states before and after. In this way, the file can be loaded statically simulating the effect of running Lean. Furthermore, it can be configured to keep track of typing information, which is key to detecting which tokens are premises. We modified LeanInk so that every fragment that appears inside a proof is treated as its own theorem by our extractor. We gather all the premises found in the list of tokens and featurize the hypotheses and goals in the "before" proof state.

This dataset consists of 91 292 examples and 143 165 premises, which gives an average of around 1.57 premises per example. It represents a more fine-grained use of the premises, which does not exactly correspond to our main objective of providing rankings of premises at the level of theorem statements. We treat it as an auxiliary dataset potentially useful for augmenting our base datasets.

# 3 Machine Learning Models

The task modelled here with ML is predicting a ranking of likely useful premises (lemmas and theorems) conditioned on the features of the statement of the theorem being proved by a user. The nature of this problem differs from common applications of classical ML: both the number of features and the number of labels (premises) to predict are large, and the training examples are sparse in the feature space. Thus, we could not directly rely on traditional implementations of ML algorithms, and using custom-built versions was necessary. As one of our design requirements was tight integration with the proof assistant, we implemented the ML algorithms directly in Lean 4, without needing to call external tools. This also served as a test of the maturity and efficiency of Lean 4 as a programming language.

In Sects. 3.1 and 3.2 we describe two machine learning algorithms implemented in this work: *k*-nearest neighbours (*k*-NN) and random forest.

#### 3.1 *k*-Nearest Neighbours

This is a classical and conceptually simple ML algorithm [6], which has already been used multiple times for premise selection [2,9,10]. It belongs to the *lazy learning* category: no prediction model is trained beforehand; instead, the whole dataset is an input to the algorithm each time predictions are produced.

Given an unlabeled example, *k*-NN produces a prediction by extracting the labels of the *k* most similar examples in the dataset and returning an averaged (or most frequent) label. In our case, the labels are lists of premises. We compose multiple labels into a ranking of premises according to the frequency of appearance in the concatenated labels.

The similarity measure in the feature space counts how many features are shared between two data points, additionally putting more weight on features that are rarer in the whole training dataset $\mathcal{D}$. The similarity of two examples $x_1$ and $x_2$ with associated feature sets $f_1$ and $f_2$ is given below.

$$M(x_1, x_2) = \frac{\sum_{f \in f_1 \cap f_2} t(f)}{\sum_{f \in f_1} t(f) + \sum_{f \in f_2} t(f) - \sum_{f \in f_1 \cap f_2} t(f)}, \qquad t(f) = \log\left(\frac{|\mathcal{D}|}{|\mathcal{D}_f|}\right)^2,$$

where $\mathcal{D}_f$ is the set of training examples that contain the feature $f$.

The advantages of *k*-NN are its simplicity and the lack of training. A disadvantage, however, is the need to traverse the whole training dataset in order to produce a single prediction (a ranking). This may be slow, and thus not optimal for interactive usage in proof assistants.
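A compact Python sketch of this predictor follows. It is our own rendition, not the Lean implementation, and it reads t(f) as the squared logarithm of the inverse document frequency, which is one way to resolve the grouping in the formula above.

```python
from collections import Counter
from math import log

def rarity(feature, dataset):
    """t(f): squared log of |D| / |D_f|."""
    occurrences = sum(feature in features for features, _ in dataset)
    return log(len(dataset) / occurrences) ** 2

def similarity(f1, f2, weights):
    """M(x1, x2) from the formula above, with weights precomputed."""
    shared = sum(weights.get(f, 0.0) for f in f1 & f2)
    total = (sum(weights.get(f, 0.0) for f in f1)
             + sum(weights.get(f, 0.0) for f in f2) - shared)
    return shared / total if total else 0.0

def knn_rank(query, dataset, k):
    """Rank premises by frequency among the labels (premise lists) of
    the k training examples most similar to the query."""
    weights = {f: rarity(f, dataset)
               for features, _ in dataset for f in features}
    nearest = sorted(dataset, reverse=True,
                     key=lambda ex: similarity(query, ex[0], weights))[:k]
    votes = Counter(p for _, premises in nearest for p in premises)
    return [premise for premise, _ in votes.most_common()]

dataset = [({"a", "b"}, ["P", "Q"]), ({"a", "c"}, ["P"]), ({"d"}, ["R"])]
ranking = knn_rank({"a", "b"}, dataset, k=2)  # "P" ranked first
```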

#### 3.2 Random Forest

As an alternative to *k*-NN, we use *random forest* [4] – an ML algorithm from the *eager learning* category, with a separate training phase resulting in a prediction model consisting of a collection of decision trees. The leaves of the trees contain labels, and their nodes contain decision rules based on the features. In our case, the labels are sets of premises, and the rules are simple tests that check if a given feature appears in an example.

When predicting, unlabeled examples are passed down the trees to the leaves, the reached labels are recorded, and the final prediction is averaged across the trees via voting. The trees are trained in such a way as to avoid correlations between them, and the averaged prediction from them is of better quality than the prediction from a single tree.

Our version of random forest, adapted to deal with sparse binary features and a large number of labels, is similar to the one used in [19], where the task was to predict the next tactic progressing a proof in the Coq proof assistant. There, the features were also sparse; the difference is that here we need to predict *sets* of labels (premises), not just a single label (the next tactic).

Our random forest is trained in an *online* manner, i.e., it is updated sequentially with single training examples – not with the entire training dataset at once, as is typically done. The rationale for this is to make it easy to update the model with data coming from new theorems proved by a user. This allows the model to immediately provide suggestions taking into account these recently added theorems.<sup>5</sup>

Algorithm 1 provides a sketch of how a training example updates a tree – for all the details, see the actual implementation in our public GitHub repository.<sup>6</sup> A crucial part of the algorithm is the MakeSplitRule function, which creates node-splitting rules. Searching for rules that result in optimal splits would be costly, so this function relies on heuristics.
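The overall online scheme can be illustrated with the following Python sketch. It is a hedged illustration only: in particular, the random split choice below is a deliberately naive stand-in for the MakeSplitRule heuristic, and the real implementation is in Lean.

```python
import random

class Node:
    """Decision-tree node over sparse binary features (sets of strings)."""
    def __init__(self):
        self.rule = None              # feature tested at an inner node
        self.left = self.right = None
        self.examples = []            # (features, premises) kept at a leaf

def update(node, features, premises, max_leaf_size=4):
    """Pass one training example down the tree; split a leaf that grew
    too large on a feature that actually separates its examples."""
    if node.rule is not None:  # inner node: descend and recurse
        child = node.right if node.rule in features else node.left
        update(child, features, premises, max_leaf_size)
        return
    node.examples.append((features, premises))
    if len(node.examples) > max_leaf_size:
        candidates = {f for fs, _ in node.examples for f in fs
                      if not all(f in other for other, _ in node.examples)}
        if not candidates:  # no feature separates the examples: stay a leaf
            return
        node.rule = random.choice(sorted(candidates))  # naive MakeSplitRule
        node.left, node.right = Node(), Node()
        for fs, ps in node.examples:
            update(node.right if node.rule in fs else node.left,
                   fs, ps, max_leaf_size)
        node.examples = []

def predict(node, features):
    """Return the union of premise sets stored in the reached leaf."""
    while node.rule is not None:
        node = node.right if node.rule in features else node.left
    return {p for _, premises in node.examples for p in premises}
```

A forest then keeps many such trees, updates each of them with a given example only with some probability, and aggregates their predicted sets by voting.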

Figure 1 schematically depicts how a simple decision tree from a trained random forest predicts a set of premises for an input example.

<sup>5</sup> This mode, however, has not yet been tested in the current stage of this work.

<sup>6</sup> The decision tree implementation is in a file PremiseSelection/Tree.lean.

Fig. 1. A schematic example of a decision tree from a trained random forest. Lowercase letters (a, b, c, ...) designate features of theorem statements, whereas uppercase letters (P, Q, R, ...) designate names of premises. The input (a featurized theorem statement) is passed down the tree (along the green arrows): each node tests for the presence of a single feature and passes the input example to the left (or right) sub-tree in the negative (or positive) case. The output is the set of premises in the reached leaf. (Color figure online)

Algorithm 1. Updating a tree with a training example in a random forest.


# 4 Evaluation Setup and Results

To assess the performance of the ML algorithms, the data points extracted from mathlib were split into *training* and *testing* sets. The testing examples come from the modules that are *not* dependencies of any other modules (there are 592 of them). This simulates a realistic scenario in which a user utilizing the suggestion tool develops a new mathlib module. The rest of the modules (2436) served as the source of training examples.

Two measures of the quality of the rankings produced by ML are defined: Cover and Cover+. Assuming a theorem *T* depends on the set of premises *P* of size *n*, and *R* is the ranking of premises predicted by the ML advisor for *T*, these measures are defined as follows:

$$\text{Cover}(T) = \frac{|P \cap R[{:}n]|}{n}, \qquad \text{Cover}_+(T) = \frac{|P \cap R[{:}n+10]|}{n},$$

where *R*[:*k*] is the set of *k* initial premises from the ranking *R*. Both Cover and Cover<sup>+</sup> return values in [0, 1]. Cover gives a score of 1 only for a "perfect" prediction where the premises actually used in the proof form an initial segment of the ranking. Cover<sup>+</sup> may also give a perfect score to less precise predictions. The rationale for Cover<sup>+</sup> is that in practice the user may look through 10 or more suggested premises. This is often more than the *n* premises actually used in the proof, so we consider initial segments of length *n* + 10 in Cover<sup>+</sup>.
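Concretely, both measures are a direct transcription of the definitions; in the sketch below (our own helper, with hypothetical names), `extra=10` gives Cover<sup>+</sup>.

```python
def cover(used_premises, ranking, extra=0):
    """Fraction of the premises actually used in the proof that occur in
    the first n (+ extra) positions of the predicted ranking."""
    n = len(used_premises)
    return len(set(used_premises) & set(ranking[:n + extra])) / n

used = ["mul_ne_zero", "inv_ne_zero"]
ranking = ["mul_ne_zero", "mul_comm", "inv_ne_zero", "one_mul"]
cover(used, ranking)            # 0.5: only mul_ne_zero is in the top 2
cover(used, ranking, extra=10)  # 1.0: both premises are in the top 12
```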

Both *k*-NN and random forest are evaluated on data subject to all three premise filters described in Sect. 2.2. For each of these variants of data, three combinations of features are tested: (1) names only, (2) names and bigrams, (3) names, bigrams, and trigrams. The hyper-parameters for the ML algorithms were selected by an experiment on a smaller dataset. For *k*-NN, the number of neighbours was fixed at 100. For random forest, the number of trees was set to 300, each example was used for training a particular decision tree with probability 0.3, and the training algorithm passed through the whole training data 3 times.

Table 2 shows the results of the experiment. In terms of the Cover metric, random forest performed better than *k*-NN for all data configurations. However, in terms of the Cover<sup>+</sup> metric, *k*-NN surpassed random forest for the math filter.

It turned out that the union of names and bigrams constitutes the best features for all the filters and both ML algorithms. It likely means that the more complex trigrams did not help the algorithms to generalize well but rather caused *over-fitting* on the training set.

The results for the all filter appear to be much higher than for the other two filters. However, this is because applying all results in many simple examples containing just a few common, basic premises (e.g., just a single rfl lemma). They increase the average score.

Overall, random forest with names + bigrams (n+b) features gives the best results. An additional practical advantage of this model over *k*-NN is the speed of producing predictions. For instance, for the source filter and n+b features, the average time of predicting a ranking of premises per theorem was 0.28 s for random forest and 5.65 s for *k*-NN.

Additionally, we evaluated the ML models on the intermediate dataset, using n+b features. The random forest achieved Cover = 0.09 and Cover<sup>+</sup> = 0.24, whereas *k*-NN resulted in Cover = 0.08 and Cover<sup>+</sup> = 0.21 on the testing part of the data. Then, we used the intermediate dataset in an attempt to improve the testing results on the base dataset with the source filter (as intermediate only contains premises exposed in the source files). We used the intermediate data as a *pre-training* dataset, first training a random forest on it, and later on the base data. We also used intermediate to *augment* the base data, mixing the two together. However, neither the pre-training mode nor the augmentation mode yielded statistically significant improvements in testing performance. It is possible that the prediction quality from the practical perspective actually

Table 2. Average performance of random forest and *k*-NN on testing data, for three premise filters and three kinds of features. The type of features is indicated by a one-letter abbreviation: n = names, b = bigrams, t = trigrams. For each configuration, Cover and Cover<sup>+</sup> measures are reported (the latter in brackets). In each row, the best Cover result is bolded.


improved, being more proof-state-dependent and not only theorem-dependent, but it did not manifest in our theorem-dependent evaluation.

The evaluation may be reproduced by following the instructions in the linked source code.<sup>7</sup>

# 5 Interactive Tool

The ML predictor is wrapped in an interactive tactic suggest\_premises that users can type into their proof script. It will invoke the predictor and produce a list of suggestions, displayed in the infoview. The display makes use of the new remote-procedure-call (RPC) feature in Lean 4 [14] to asynchronously run various tactics for each suggestion. Given a suggested premise *p*, the system will attempt to run the tactics apply *p*, rw [*p*] and simp only [*p*], and return the first successful tactic application that advances the state. This is then displayed to the user as shown in Fig. 2. The user can select the resulting tactic to insert into the proof script. By using an asynchronous approach, we can display results rapidly without waiting for a slow tactic search to complete.

# 6 Future Work

There are several directions in which the current work may be developed.

The results may be improved by augmenting the dataset with, for instance, synthetic theorems, as well as by developing better features that utilize the well-defined structure of Lean expressions.

The evaluation may be extended to assess the proof-state-level performance, and to compare with Lean's standard suggestion tactics: library\_search

<sup>7</sup> https://github.com/BartoszPiotrowski/lean-premise-selection#reproducing-evaluation.

Fig. 2. The interactive tool in Visual Studio Code. The left pane shows the source file with the cursor over a suggest\_premises tactic. The right pane shows the goal state at the cursor position and, below, the suggested lemmas to solve the goal. Suggestions annotated with a checkbox advance the goal state, suggestions annotated with confetti close the current goal. Clicking on a suggested tactic (e.g. apply mul\_left\_eq\_self) automatically appends to the proof script on the left.

and suggest. It could be beneficial to combine these tactics – which use strict matching – with our tool based on statistical matching.

Applying modern neural architectures in place of the simpler ML algorithms used here is a promising path [7,12,16,18]. It would depart from our philosophy of a lightweight, self-contained approach as the suggestions would come from an external tool, possibly placed on a remote server. However, given the strength of the current neural networks, we could hope for higher-quality predictions. Moreover, neural models do not require hand-engineered features. The results presented here could serve as a baseline for comparison.

Finally, premise selection is an important component of ITP *hammer systems* [3]. The presented tool may readily serve as the premise selection component of a hammer for Lean, which has not yet been developed.

# References



# gym-saturation: Gymnasium Environments for Saturation Provers (System description)

Boris Shminke(B)

Université Côte d'Azur, CNRS, LJAD, Nice, France boris.shminke@univ-cotedazur.fr

Abstract. This work describes a new version of a previously published Python package — gym-saturation: a collection of OpenAI Gym environments for guiding saturation-style provers based on the given clause algorithm with reinforcement learning. We contribute usage examples with two different provers: Vampire and iProver. We also have decoupled the proof state representation from reinforcement learning per se and provided examples of using a known ast2vec Python code embedding model as a first-order logic representation. In addition, we demonstrate how environment wrappers can transform a prover into a problem similar to a multi-armed bandit. We applied two reinforcement learning algorithms (Thompson sampling and Proximal policy optimisation) implemented in Ray RLlib to show the ease of experimentation with the new release of our package.

Keywords: Automated theorem proving *·* Reinforcement learning *·* Saturation-style proving *·* Machine learning

# 1 Introduction

This work describes a new version (0.10.0, released 2023.04.25) of a previously published [28] Python package — gym-saturation<sup>1</sup>: a collection of OpenAI Gym [6] environments for guiding saturation-style provers (using the given clause algorithm) with reinforcement learning (RL) algorithms. The new version partly implements the ideas of our project proposal [29]. The main changes from the previous release (0.2.9, on 2022.02.26) are:


<sup>1</sup> https://pypi.org/project/gym-saturation/.

This work has been supported by the French government, through the 3IA Côte d'Azur Investment in the Future project managed by the National Research Agency (ANR) with the reference number ANR-19-P3IA-0002.

c The Author(s) 2023 R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 187–199, 2023. https://doi.org/10.1007/978-3-031-43513-3\_11


gym-saturation works with Python 3.8+. One can install it by pip install gym-saturation or conda install -c conda-forge gym-saturation. Then, provided Vampire and/or iProver binaries are on PATH, one can use it as any other Gymnasium environment:

```
import gymnasium
import gym_saturation

# v0 here is a version of the environment class, not the prover
env = gymnasium.make("Vampire-v0")  # or "iProver-v0"
# edit and uncomment the following line to set a non-default problem
# env.set_task("a-TPTP-problem-path")
observation, info = env.reset()
print("Starting proof state:")
env.render()
# truncation means finishing an episode in a non-terminal state,
# e.g. because of an externally imposed time limit
terminated, truncated = False, False
while not (terminated or truncated):
    # apply a policy (here, a random available action)
    action = env.action_space.sample(mask=observation["action_mask"])
    print("Given clause:", observation["real_obs"][action])
    observation, reward, terminated, truncated, info = env.step(action)
print("Final proof state:")
env.render()
env.close()
```
# 2 Related Work

Guiding provers with RL is a hot topic. Recent projects in this domain include TRAIL (Trial Reasoner for AI that Learns) [2], FLoP (Finding Longer Proofs) [37], and lazyCoP [26]. We will now compare the new gym-saturation features with these three projects.

Usually, one guides either a new prover created for that purpose (lazyCoP; FLoP builds on fCoP [14], an OCaml rewrite of the older leanCoP [19]) or an experimentally patched version of an existing one (TRAIL relies on a modified E [27]). Contrary to that, gym-saturation works with unmodified stable versions of Vampire [15] and iProver [10].

In addition, known RL-guiding projects are prover-dependent: FLoP could, in principle, work with both fCoP and leanCoP, but reported only fCoP experiments. TRAIL claims to be reasoner-agnostic, but to the best of our knowledge, no one has tried it with anything but the patched E version it uses by default. [26] mentions an anonymous reviewer's suggestion to create a standalone tool for other existing systems, but we are not aware of further development in this direction. Quite the contrary, we have tested gym-saturation compatibility with two different provers (Vampire and iProver).

Deep learning models expect their input to be real-valued tensors and not, for example, character strings in the TPTP [32] language. Thus, one always uses a *representation* (or *embedding*): a function mapping a (parsed) logic formula to a real vector. In lazyCoP and FLoP, parts of the embedding functions belong to the underlying provers, making them harder to vary and experiment with (e.g., one needs Rust or OCaml programming skills to do so). gym-saturation leaves the choice of representation open and supports any mapping from TPTP-formatted strings to real vectors. The version described in this work also provides a couple of default options.
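To illustrate how little is required of a representation, the following toy sketch (our own example, not one of the package's default options) hashes character trigrams of a TPTP-formatted clause into a fixed-size real vector:

```python
import hashlib

def embed_clause(tptp_string, dim=16):
    """Map a TPTP-formatted clause to a fixed-size real vector by
    hashing its character trigrams into `dim` buckets. A toy
    representation: any mapping from TPTP strings to real vectors
    fits the environment's contract."""
    vector = [0.0] * dim
    for i in range(len(tptp_string) - 2):
        trigram = tptp_string[i:i + 3]
        digest = hashlib.md5(trigram.encode()).digest()
        vector[digest[0] % dim] += 1.0
    return vector

clause = "cnf(a2, hypothesis, multiply(X, X) = X)."
vector = embed_clause(clause)  # 16 non-negative floats
```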

# 3 Architecture and Implementation Details

#### 3.1 Architecture

gym-saturation is compatible with Gymnasium [35], a maintained fork of the now-outdated OpenAI Gym standard for RL environments, and passes all required environment checks. As a result of our migration to Gymnasium, its maintainers featured gym-saturation in a curated list of third-party environments<sup>2</sup>.

Previously, gym-saturation guided an experimental pure Python prover [28], which turned out to be too slow and was abandoned in favour of existing highly efficient provers: Vampire and iProver.

Although the gym-saturation user communicates with both iProver and Vampire in the same manner, under the hood they use different protocols. For Vampire, we relied on the so-called manual (interactive) clause selection mode, implemented several years ago for an unrelated task [11]. In this mode, Vampire interrupts the saturation loop and listens on standard input for the number of the next given clause instead of applying heuristics. Independently of this mode, Vampire writes (or not, depending on the option show\_all) newly inferred clauses to its standard output. Using the Python package pexpect, we attach to Vampire's standard input and output, pass the action chosen by the agent to the former and read observations from the latter. In manual clause selection mode, Vampire works like a server awaiting a request with an action to which it replies (exactly what an environment typically does).

iProver recently added support for being guided by external agents. An agent has to be a TCP server satisfying a particular API specification. So iProver behaves as a client which sends a request with observations to some server and awaits a reply containing an action. To make it work with gym-saturation, we implemented a *relay server*. It accepts a long-running TCP connection from a running iProver thread, stores its requests in a thread-safe queue, and pops

<sup>2</sup> https://gymnasium.farama.org/environments/third\_party\_environments/.

a response to it from another such queue filled by the gym-saturation thread. See Fig. 1 for a communication scheme.

Fig. 1. gym-saturation interacting with iProver

#### 3.2 Implementation Details

Clause Class. A clause is a Python data class having the following keys and respective values:


All these fields except birth\_step (computed by the environment itself) are already available as separate entities (and not as parts of TPTP-formatted strings) in the iProver and Vampire output.
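A minimal sketch of such a data class; only `birth_step` is named in the surrounding text, and every other field name here is a hypothetical placeholder rather than the package's actual schema:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Clause:
    # ``birth_step`` is the only field named explicitly in the text (it is
    # computed by the environment itself); the remaining names are our
    # illustrative guesses.
    literals: str                      # e.g. a TPTP-style clause body
    label: str = ""                    # clause name reported by the prover
    birth_step: Optional[int] = None   # step at which the clause appeared
    inference_parents: tuple = ()      # labels of premise clauses

c = Clause(literals="a = b | ~(c = d)", label="c_42", birth_step=3)
print(c.birth_step)  # 3
```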

Environment Class.

*Observation* is a Python dictionary with several keys:


Limiting the total number of clauses in a proof state serves as a proxy for both the random-access memory limit (each clause needs storage space) and the time limit (a prover has to process every clause encountered) typical for the CASC [33] competition. One can add a standard Gymnasium time-limit wrapper to limit the number of steps in an episode. Setting wall-clock time and RAM limits is not typical for RL research.

*Action* is a zero-based index of a clause from real\_obs. If the respective action\_mask entry is zero, the environment throws an exception during the execution of the step method.
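A minimal sketch of the observation layout and masking behaviour (the key names `real_obs` and `action_mask` come from the text; the exact shapes and the zero-padding of the mask are our assumptions):

```python
def make_observation(clauses, max_clauses):
    """Build an observation dict using the two key names from the text.

    ``real_obs`` holds the clauses themselves; ``action_mask`` marks which
    zero-based indices are currently selectable, padded to ``max_clauses``.
    """
    mask = [1] * len(clauses) + [0] * (max_clauses - len(clauses))
    return {"real_obs": tuple(clauses), "action_mask": mask}

def step_action(observation, action):
    # Mirrors the described behaviour: a masked-out index raises.
    if not observation["action_mask"][action]:
        raise ValueError(f"action {action} is masked")
    return observation["real_obs"][action]

obs = make_observation(["c1", "c2"], max_clauses=4)
print(step_action(obs, 1))  # c2
```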

*Reward* is 1.0 after a step if we found the refutation at this step, and 0.0 otherwise. One can change this behaviour either with Gymnasium reward wrappers or by collecting trajectories in a local buffer and postprocessing them before feeding the trainer.
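A sketch of the buffer-postprocessing option, here relabelling the sparse final reward with discounted returns (one plausible postprocessing of our choosing, not the package's built-in behaviour):

```python
def postprocess(rewards, gamma=0.99):
    """Replace the sparse 0/1 refutation reward with discounted returns.

    The environment emits 1.0 only at the refutation step; propagating a
    discounted return back along the stored trajectory gives every earlier
    step a learning signal before the batch is fed to the trainer.
    """
    returns, running = [], 0.0
    for r in reversed(rewards):
        running = r + gamma * running
        returns.append(running)
    return list(reversed(returns))

print(postprocess([0.0, 0.0, 1.0], gamma=0.5))  # [0.25, 0.5, 1.0]
```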

*Episode is terminated* when the empty clause \$false appears in the proof state or when there are no more available actions.

*Episode is truncated* when there are more than max\_clauses clauses in the proof state. Since the state is an (extendable) tuple, we don't raise an exception when a prover generates a few more clauses.

*Info* dictionary is always empty at every step by default.

<sup>3</sup> https://gymnasium.farama.org/api/wrappers/observation\_wrappers/.

*Render modes* of the environment include the two standard ones ('human' and 'ansi'): the first prints and the second returns the same TPTP-formatted string.

Multi-task Environment. The latest gym-saturation follows the Meta-World benchmark [36] style and defines a set\_task method with one argument, the full path of a TPTP problem. If one resets an environment without explicitly setting a task in advance, the environment defaults to a simple group theory problem (any idempotent element equals the identity). Having a default task helps us keep compatibility with algorithms not aware of multi-task RL. One can inherit from the gym-saturation environment classes to set a random problem at every reset or to implement any other desirable behaviour.
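A sketch of this multi-task interface; the base class below is a hypothetical stand-in for a gym-saturation environment class, and the default problem name is a placeholder, not the package's actual default:

```python
import random

class SaturationEnvStub:
    """Hypothetical stand-in for a gym-saturation environment class."""

    DEFAULT_TASK = "GRP001-1.p"  # placeholder for the default group theory problem

    def __init__(self):
        self.task = None

    def set_task(self, problem_path: str) -> None:
        # Mirrors the Meta-World style ``set_task`` described in the text.
        self.task = problem_path

    def reset(self):
        if self.task is None:  # no task set explicitly: fall back to default
            self.set_task(self.DEFAULT_TASK)
        return {"problem": self.task}

class RandomTaskEnv(SaturationEnvStub):
    """Pick a random TPTP problem at every reset, as the text suggests."""

    def __init__(self, problem_paths):
        super().__init__()
        self.problem_paths = problem_paths

    def reset(self):
        self.set_task(random.choice(self.problem_paths))
        return super().reset()

env = RandomTaskEnv(["SET001-1.p", "SET002-1.p"])
print(env.reset()["problem"] in {"SET001-1.p", "SET002-1.p"})  # True
```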

# 4 Representation Subsystem

#### 4.1 Existing First-Order Formulae Representations and Related Projects

As mentioned in Sect. 2, to apply any deep reinforcement learning algorithm, one first needs a representation of the environment state in tensor form. Many feature engineering procedures are known: features can be as simple as clause age and weight [25], or information extracted from a clause syntax tree [18] or the inference lineage of a clause [30]. Representing logic formulae is an active research domain in itself: for example, in [23], the authors proposed more than a dozen embedding techniques based on formula syntax. Communities other than automated deduction also study first-order formula representations: for example, in [5], the authors use a semantic representation rather than a syntactic one. One can also note that first-order logic (FOL) is nothing more than a formal language, so abstract syntax trees of FOL are not, in principle, that different from those of programming-language statements. And of course, encoding models for programming languages exist (like code2vec [4] for Java), as do commercially available solutions such as GPT-3 [7] generic code embeddings and comparable free models like LLaMA [34].

To make a first step in this direction, we took advantage of existing pre-trained embedding models for programming languages and tried to apply them to the seemingly disconnected domain of automated provers.

### 4.2 ast2vec and Our Contributions to It

In [20], the authors proposed a particular neural network architecture they called *Recursive Tree Grammar Autoencoders (RTG-AE)*, which encodes abstract syntax trees produced by a programming language parser into real vectors. Being interested in education applications, they also published the pre-trained model for Python [21]. To make use of it for our purpose, we furnished several technical improvements to their code (our contribution is freely available<sup>4</sup>):

<sup>4</sup> https://gitlab.com/inpefess/ast2vec.


Fig. 2. gym-saturation communication with ast2vec

To integrate the ast2vec server with gym-saturation environments, we added Gymnasium observation wrappers, one of which maps a clause in the TPTP language to a boolean-valued statement in Python (in particular, by replacing logic operation symbols, e.g. = in TPTP becomes == in Python). See Fig. 2 for a communication diagram. In principle, since a clause doesn't contain any explicit quantifiers, one can rewrite it as a boolean-valued expression in many programming languages for which pre-trained embeddings might exist.
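The clause-to-Python mapping can be sketched as a string rewriting; only the `=` to `==` substitution is stated in the text, while the mappings for `|` and `~` below are our guesses at the remaining clause-level connectives:

```python
def clause_to_python(tptp_clause: str) -> str:
    """Rewrite a quantifier-free TPTP clause as a Python boolean expression.

    Assumed mapping: ``=`` -> ``==`` (stated in the text), ``|`` -> ``or``
    and ``~`` -> ``not`` (our guesses).
    """
    return (
        tptp_clause.replace("!=", "@NEQ@")  # protect inequality first
        .replace("=", "==")
        .replace("@NEQ@", "!=")
        .replace("|", " or ")
        .replace("~", " not ")
    )

print(clause_to_python("a = b | ~(c = d)"))
```

The result is an ordinary Python expression, so any model pre-trained on Python syntax trees can consume it.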

#### 4.3 Latency Considerations

Looking at Fig. 2, one might wonder how efficient such an architecture is. The average response time observed in our experiments was 2 ms (with a 150 ms maximum). A typical natural language processing model which embeds whole texts has a latency from 40 ms to more than 600 ms [17] (depending on model complexity and the length of the text to embed) when run on a CPU, so there is no reason to believe that ast2vec is too slow. When evaluating a prover, one usually fixes a time limit: for example, 60 s is the default value for Vampire. Being written in C++ and with a cornucopia of optimisation tweaks, Vampire can generate around a million clauses during this relatively short timeframe. Thus, to be on par with Vampire, a representation service would need a latency of around 60 µs, orders of magnitude lower than what we observe. There are several possible ways to lower the latency:
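One plausible way, stated purely as an assumption on our part, is to memoise embeddings of repeating clauses on the client side, so that only previously unseen clauses incur a round-trip to the embedding server:

```python
import functools

@functools.lru_cache(maxsize=65536)
def embed(clause: str) -> tuple:
    """Stand-in for an ast2vec call; the real service returns a 256-dim vector.

    This hash-based 'embedding' is purely hypothetical and only serves to
    illustrate client-side caching of repeated clauses.
    """
    return (float(hash(clause) % 1000),)

embed("a = b")                    # first call: would hit the embedding server
embed("a = b")                    # repeated clause: served from the cache
print(embed.cache_info().hits)    # 1
```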


# 5 Usage Examples

We provide examples of experiments that are easy to run with gym-saturation as supplementary code to this paper<sup>5</sup>. We don't consider these experiments to be of any scientific significance per se; they serve merely as illustrations and basic usage examples. Tweaking the RL algorithms' meta-parameters and deep neural network architectures is out of the scope of the present system description.

We coded these experiments in the Ray framework, which includes RLlib, a library of popular RL algorithms. Ray is compatible with both the TensorFlow [1] and PyTorch [22] deep learning frameworks, so it doesn't limit a potential gym-saturation user to one of them.

In the experiments, we try to solve SET001-1 from the TPTP with max\_clauses=20 (having no more than twenty clauses in the proof state) when guiding Vampire and max\_clauses=15 when guiding iProver. This difference is because even a random agent communicating with iProver manages to always solve SET001-1 by generating no more than twenty clauses. We wanted training to make progress while keeping the examples as simple as possible, so we chose to tighten the constraints instead of moving on to a more complicated problem.

In one experiment, we organise clauses into two priority queues (by age and by weight) and use an action wrapper to map a queue number (0 or 1) to a clause number. That is, we don't implant these queues inside the provers but follow the idiomatic Gymnasium way of extending environments. Of course, Vampire and iProver contain these particular queues as part of their implementations, but our illustration shows that one could use any other priorities instead. The wrapper transforms our environment into a semblance of a 2-armed bandit, and we use Thompson sampling [3] for training. This experiment reflects ideas similar to those described in [31].

<sup>5</sup> https://github.com/inpefess/ray-prover/releases/tag/v0.0.3.
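The two-queue action mapping and the bandit-style choice between queues can be sketched as follows (the clause representation as `(birth_step, weight)` pairs and all function names are illustrative assumptions):

```python
import random

def queue_action_to_clause(clauses, queue_number):
    """Map a queue number (0 = by age, 1 = by weight) to a clause index.

    ``clauses`` is a list of (birth_step, weight) pairs; this concrete
    representation is assumed for illustration only.
    """
    if queue_number == 0:   # oldest clause first
        return min(range(len(clauses)), key=lambda i: clauses[i][0])
    return min(range(len(clauses)), key=lambda i: clauses[i][1])  # lightest first

def thompson_pick(successes, failures, rng=random):
    """Choose one of the two queues by sampling Beta posteriors."""
    samples = [rng.betavariate(successes[q] + 1, failures[q] + 1) for q in (0, 1)]
    return max((0, 1), key=lambda q: samples[q])

clauses = [(0, 12), (3, 4), (1, 9)]
print(queue_action_to_clause(clauses, 0))  # 0 (oldest)
print(queue_action_to_clause(clauses, 1))  # 1 (lightest)
```

After each episode, the chosen queue's success/failure counts are updated with the episode reward, which is all a Thompson-sampling bandit needs.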

In another experiment, we use the ast2vec server for getting clause embeddings and train a Proximal Policy Optimisation (PPO) algorithm as implemented in Ray RLlib. The default policy network there is a fully connected one, and we used 256 × 20 tensors as its input (256 is the embedding size in ast2vec, and 20 is the maximal number of clauses we embed). So, the policy chooses a clause given the embeddings of all clauses seen up to the current step (including those already chosen or judged to be redundant/subsumed). Such an approach is more similar to [37].
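How per-clause embeddings could be assembled into the fixed 256 × 20 policy input can be sketched as follows (zero-padding the unused clause slots is our assumption about the layout):

```python
EMBEDDING_SIZE = 256   # ast2vec embedding size, per the text
MAX_CLAUSES = 20       # maximal number of clauses we embed

def to_policy_input(clause_embeddings):
    """Stack per-clause embeddings into a fixed MAX_CLAUSES x EMBEDDING_SIZE input.

    Slots for clauses not (yet) present are filled with zero vectors, so the
    fully connected policy always sees a tensor of the same shape.
    """
    padded = list(clause_embeddings)[:MAX_CLAUSES]
    padded += [[0.0] * EMBEDDING_SIZE] * (MAX_CLAUSES - len(padded))
    return padded

batch = to_policy_input([[0.1] * EMBEDDING_SIZE, [0.2] * EMBEDDING_SIZE])
print(len(batch), len(batch[0]))  # 20 256
```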

Fig. 3. Episode reward mean vs the total number of steps. The blue line is for a random agent and the orange one — for the PPO. Both agents guide Vampire (Color figure online)

We provide Fig. 3 as a typical training process chart.

# 6 Conclusion and Future Work

We contributed a new version of gym-saturation, which continues to be free and open-source software, easy to install and use, while assisting in setting up experiments for RL research in the automated provers domain. In the new version, we enable anyone interested to conduct experiments with RL algorithms independently of the underlying prover implementation. We also added the possibility of varying representations as external plug-ins for further experimentation. We hope that researchers equipped with such an instrument can focus on more advanced questions, namely how to generate and prioritise training problems to better transfer search patterns learned on simpler theorems to harder ones.

Our experience with adding Vampire and iProver support to gym-saturation shows that working closely with the corresponding prover developers is not mandatory, although it can help immensely. Implementing prover guidance through standard I/O (as in Vampire) seems relatively easy, and we hope more provers will add similar functionality in the future to become more ML-friendly. Such provers could then profit from any other external guidance (see [8] for a different system using the same iProver technical features as we did).

We identify a discerning and computationally efficient representation service as the bottleneck of our approach and envision an upcoming project of creating a universal first-order logic embedding model usable not only by saturation-style provers but also by tableaux-based ones, SMT solvers, semantic reasoners, and beyond.

Acknowledgements. We would like to thank Konstantin Korovin for the productive discussion and for adding the external agent communication feature to iProver, without which this work would not have been possible. We also thank the anonymous reviewers for their meticulous suggestions on improving the present paper.

# References


and Reasoning. EPiC Series in Computing, vol. 94, pp. 112–123. EasyChair (2023). https://doi.org/10.29007/tp23. https://easychair.org/publications/paper/5z94


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Non-wellfounded Proofs**

# A Linear Perspective on Cut-Elimination for Non-wellfounded Sequent Calculi with Least and Greatest Fixed-Points

Alexis Saurin(B)

IRIF, CNRS, Université de Paris Cité & INRIA, Paris, France alexis.saurin@irif.fr

Abstract. This paper establishes cut-elimination for *µ*LL∞, *µ*LK<sup>∞</sup> and *µ*LJ∞, that are non-wellfounded sequent calculi with least and greatest fixed-points, by expanding on prior works by Santocanale and Fortier [20] as well as Baelde et al. [3,4]. The paper studies a fixed-point encoding of LL exponentials in order to deduce those cut-elimination results from that of *µ*MALL∞. Cut-elimination for *µ*LK<sup>∞</sup> and *µ*LJ<sup>∞</sup> is obtained by developing appropriate linear decorations for those logics.

Keywords: LL · µ-calculus · Non-wellfounded proofs · Cut-elimination

# 1 Introduction

*On the Non-Wellfounded Proof-Theory of Fixed-Point Logics.* In the context of logics with induction and coinduction (such as logics with inductive definitions *à la* Martin-Löf [6,9,10,25], or variants of the μ-calculus [11,22,23]), when considering non-wellfounded and circular proofs (also called cyclic, or regular, proofs, since the proof tree is a regular tree with finitely many distinct subtrees), the need for a (co)inductive invariant (in the form of Park's rule for induction) is replaced by the ability to pursue the proof infinitely, admitting non-wellfounded branches. In such frameworks, sequent proofs may be finitely branching but non-wellfounded derivation trees, and infinite branches shall satisfy some validity condition. (Otherwise one could derive any judgement, see Fig. 1(a).) Various validity conditions have been considered in the literature [3].

The non-wellfounded and circular proof-theory of fixed-points has attracted growing attention, first motivated by proof-search [1,7,8,16–18,28] and more recently by a Curry-Howard perspective studying the dynamics of cut-elimination in those logics [4,20,29], where formulas correspond to (co)inductive types. Notice also that when interested in the computational content of proofs, we will not focus solely on the regular fragment, as we expect, for instance, to be able to write a regular program that computes a non-ultimately-periodic stream.

This work was partially funded by the ANR project RECIPROG, project reference ANR-21-CE48-019-01.

$$\dfrac{\dfrac{\dfrac{\vdots}{\vdash \Gamma,\, \mu X.X}\;(\mu)}{\vdash \Gamma,\, \mu X.X}\;(\mu)\qquad \dfrac{\dfrac{\vdots}{\vdash \nu X.X,\, \Delta}\;(\nu)}{\vdash \nu X.X,\, \Delta}\;(\nu)}{\vdash \Gamma,\, \Delta}\;(\mathsf{Cut}) \qquad\qquad \dfrac{\vdash \Gamma, C \quad \vdash C^{\perp}, \Delta, D \quad \vdash D^{\perp}, \Sigma}{\vdash \Gamma, \Delta, \Sigma}\;(\mathsf{mcut})$$

Fig. 1. (a) Example of an invalid circular pre-proof (b) Schema of the multicut rule

*Cut-Elimination and* LL*.* When studying the structure of proofs and their cut-elimination properties, LL, Girard's Linear Logic [21], is a logic of choice: the careful treatment of structural rules gives access to a lot of information and a fine-grained control over cut-reduction. The constrained use of structural rules indeed renders the cut-elimination theorem more informative than in LJ and, of course, LK. Interestingly, it provided positive feedback on the understanding of LJ and LK: by decorating intuitionistic and classical proofs with enough exponential modalities (!, ?), they become LL proofs, and one can therefore refine the original cut-elimination relations [12,21]. This approach notably impacted the understanding of evaluation strategies of programming languages, such as call-by-name and call-by-value. Another way to view this is by noting that, in LK, the additive and multiplicative presentations of conjunction (resp. disjunction) can be shown to be interderivable thanks to structural rules. This fails in LL, and it is the reason why LL has well-established additive (⊕, &, ⊤, 0) and multiplicative (⅋, ⊗, ⊥, 1) *fragments*. It is the role of the exponential fragment to relate the additive and multiplicative worlds, by means of the fundamental equivalence ! A ⊗ ! B ≡ !(A & B) (and its dual, ? A ⅋ ? B ≡ ?(A ⊕ B)). The exponential modalities are precisely introduced where structural rules are needed to restore the equivalence between the additive and multiplicative conjunctions; in categorical models of LL [26], this principle is referred to as the Seely isomorphisms.

*Cut-Elimination for Non-Wellfounded Proofs.* Proving cut-elimination results for non-wellfounded proofs in the presence of least and greatest fixed-points requires reasoning techniques that cope with the non-inductive structure of the formulas considered (fixed-point formulas regenerate) and of the proof objects (which are non-wellfounded). For instance, Santocanale and Fortier [20] proved cut-elimination for the regular fragment of non-wellfounded proofs of purely additive linear logic with fixed points, μALL∞, while Baelde *et al.* [4] proved cut-elimination for non-wellfounded proofs with additive and multiplicative connectives, μMALL∞. In both cases, the proof relies on a generalization of the cut rule, the *multicut* rule (which abstracts a portion of a proof tree consisting only of cut inferences, see Fig. 1(b)), and on a reasoning by contradiction to prove that one can eliminate cuts at the limit of an infinite cut-reduction sequence while preserving the validity condition. Baelde *et al.* [3,4] use a so-called "locative" approach, modelling sequents as sets of formulas paired with addresses, which uniquely determines each formula occurrence in a sequent and makes explicit the ancestor relation used to trace progress along branches. Moreover, their cut-elimination proof proceeds by a rather complex, roundabout semantical argument relying on a soundness theorem.

In a slightly different direction, Das and Pous [15] proved a cut-elimination result for Kleene algebras and their variants. This can be viewed as a non-commutative version of intuitionistic MALL with a particular form of inductive construction, Kleene's star. Kuperberg et al. [24], and more specifically Pinault's PhD thesis [27] as well as Das [13], examine non-wellfounded versions of System T based on [15], exploring the computational content of non-wellfounded proofs.

Neither Santocanale and Fortier's [20,29] nor Baelde et al.'s [3,4] works captured full linear logic: the exponentials are missing, and the proofs cannot deal with them in a simple way. Indeed, the proof for μALL strongly relies on the assumption that sequents are pairs of formulas (A ⊢ B), while in μMALL, the locative approach taken by Baelde et al. is not well-suited to working with structural rules: an extension of the proof would be possible, though highly technical. In contrast, our motto in the present work is to work with traditional sequents as lists of formulas and to exploit the (co)inductive nature of the LL exponentials.

*On the (Co)Inductive Nature of Exponential Modalities in Linear Logic.* The original works by Baelde and Miller on fixed-points in linear logic [2,5] focus on μMALL only and present an encoding of the exponential modalities of LL using least and greatest fixed points. Indeed, the ? and ! modalities have an infinitary character which has been well-known since the early days of linear logic (see Section V.5 of Girard's seminal paper [21]) and which is in fact inductive for ? and coinductive for !; let us discuss this briefly.

One can decide to contract a ?-statement any *finite* number of times before it is ultimately weakened or derelicted. It is therefore natural to represent ? A with the formula ?<sup>•</sup>A = μX.A ⊕ (⊥ ⊕ (X ⅋ X)): A allows for dereliction, ⊥ for weakening, and X ⅋ X regenerates, by unfolding, two copies of ?<sup>•</sup>A, making contraction derivable. The ⊕ and μ connectives respectively provide the ability to choose any of those three inferences and to repeat this process finitely.
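Under this encoding, contraction indeed becomes derivable by one unfolding; a sketch in sequent-calculus form (the rule names follow standard µMALL<sup>∞</sup> usage and are our assumption about the notation of Fig. 2):

```latex
% Contraction on ?^\bullet A = \mu X.\, A \oplus (\bot \oplus (X \parr X))
% via one unfolding: read bottom-up, (\mu) unfolds, (\oplus_2) twice selects
% the contraction branch, and (\parr) splits it into two copies.
\[
  \dfrac{
    \dfrac{
      \dfrac{
        \dfrac{\vdash \Gamma,\; ?^{\bullet}A,\; ?^{\bullet}A}
              {\vdash \Gamma,\; ?^{\bullet}A \parr\, ?^{\bullet}A}\;(\parr)}
      {\vdash \Gamma,\; \bot \oplus (?^{\bullet}A \parr\, ?^{\bullet}A)}\;(\oplus_2)}
    {\vdash \Gamma,\; A \oplus (\bot \oplus (?^{\bullet}A \parr\, ?^{\bullet}A))}\;(\oplus_2)}
  {\vdash \Gamma,\; ?^{\bullet}A}\;(\mu)
\]
```

Dereliction and weakening are obtained analogously by selecting the A and ⊥ branches with (⊕₁) and (⊕₂)(⊕₁) respectively.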

On the other hand, a !-formula is a formula which, during cut-elimination, shall maintain a proper interaction with *any number* of contractions, weakenings or derelictions: a proof concluded with a promotion shall be able to react to any number of duplications or erasures before the promotion actually interacts with a dereliction to open the *exponential box*: from this follows the coinductive character of ! A, modelled as !<sup>•</sup>A = νX.A & (1 & (X ⊗ X)).

As discussed above and formally established by Baelde and Miller [5], the exponential rules can be derived in the finitary sequent calculus μMALL: any LL-provable sequent can be associated with a provable μMALL sequent via the above translations of the exponentials. However, until now one could hardly say more about this embedding, for two deep reasons: (i) the fundamental Seely isomorphisms which relate the additive and multiplicative versions of conjunction (resp. disjunction) are still derivable through this encoding, but they are no longer isomorphisms; and (ii) on the provability level as well, the encoding is not faithful: the μMALL provability of the translation of an LL sequent s does not entail the LL provability of s itself (a counter-example is due to Das [14]). A contribution of the present paper is to put Baelde and Miller's encoding to work, showing that, in the case of non-wellfounded proofs, its structure is faithful enough to extract information on the cut-reduction behaviour of the logic.

*Contributions and Organization of the Paper.* The main result of this paper is a cut-elimination theorem for μLL∞, the non-wellfounded sequent calculus for linear logic extended with least and greatest fixed points. Our proof proceeds by encoding the LL exponentials in μMALL<sup>∞</sup> and studying μLL<sup>∞</sup> cut-reduction sequences through their simulation in μMALL<sup>∞</sup>, which may be a *transfinite* sequence. In Sect. 2, we introduce our logics, μMALL∞, μLL∞, μLK<sup>∞</sup> and μLJ∞, together with their non-wellfounded proofs and validity conditions. We adapt the μMALL<sup>∞</sup> cut-elimination theorem [4] to our setting, where sequents are lists, and prove a compression lemma for μMALL<sup>∞</sup> transfinite cut-reduction sequences. Section 3 constitutes the core of our paper: we define the μLL<sup>∞</sup> cut-reduction rules, study the encoding of the exponentials in μMALL<sup>∞</sup> and show that μLL<sup>∞</sup> cut-reduction steps can be simulated in μMALL∞, before proving the μLL<sup>∞</sup> cut-elimination theorem. In Sect. 4 we prove, as corollaries, cut-elimination for μLK<sup>∞</sup> and μLJ∞, the non-wellfounded sequent calculi for classical and intuitionistic logic. While our result for μLL<sup>∞</sup> shows that any fair cut-reduction sequence produces a cut-free valid proof, our two other cut-elimination results are truly (infinitary) weak-normalization results. We finally conclude in Sect. 5 with perspectives. A major advantage of our approach is that the μMALL<sup>∞</sup> cut-elimination proof and, to some extent, the validity conditions are regarded as black boxes, simplifying the presentation of the proof and making it reusable wrt. other validity conditions or μMALL<sup>∞</sup> proof techniques. An additional by-product of our approach, for the theory of linear logic, is to illustrate the fact that the Seely isomorphisms are not needed to reach a cut-free proof.

A companion technical report containing additional details on the definitions as well as full proofs is available online [30].

# 2 Non-Wellfounded Proofs: µMALL<sup>∞</sup>, µLL<sup>∞</sup>, µLK<sup>∞</sup>, µLJ<sup>∞</sup>

#### 2.1 *µ*-Signatures and Formulas

Definition 1 (μ-signature). *<sup>A</sup>* <sup>μ</sup>-signature *is a set* <sup>C</sup> *of pairs* (c, p) *of a connective symbol* <sup>c</sup> *and a tuple* <sup>p</sup> *of elements of* {+, −}*. The arity of* <sup>c</sup>*,* ar(c)*, is the length of* p*, while the elements of* p *indicate the mono/antitonicity of the connective in the given component. The empty tuple will be denoted as* ()<sup>1</sup>*.*

*Example 2 (*μ*-signature associated with* μMALL, μLL, μLK, μLJ*).* The μ-signatures associated with μMALL, μLL, μLK and μLJ are:

<sup>1</sup> A *µ*-signature can be enriched to consider quantifiers, but we restrict ourselves to the propositional case here.


Definition 3 (Pre-formulas). *Given a* μ*-signature* C*, a countable set* V *of fixed-point variables and a set of atomic formulas* A*, the set of* pre-formulas *over* <sup>S</sup> *is defined as the least set* <sup>F</sup><sup>S</sup> *such that:* (α) A∪V ⊆F<sup>S</sup> *;* (β) *for every* <sup>c</sup> *of arity* <sup>n</sup> *in* <sup>C</sup> *and* <sup>F</sup>1,...,F<sup>n</sup> ∈ F<sup>S</sup> *,* <sup>c</sup>(F1,...,Fn) ∈ F<sup>S</sup> *;* (γ) *for every* <sup>X</sup> ∈ V *and pre-formula* F ∈ F<sup>S</sup> *,* μX.F ∈ F<sup>S</sup> *and* νX.F ∈ F<sup>S</sup> *.*

Definition 4 (Positive and negative occurrences of a variable). *Given a* μ*-signature* C *and a fixed-point variable* X ∈ V*, one defines by induction on pre-formulas the fact, for* X*, to occur positively (resp. negatively) in a preformula :* (α) X *occurs positively in* X*;* (β) X *occurs positively (resp. negatively) in* <sup>c</sup>(F1,...,Fn)*, for* (c, p) ∈ C*, if there is some* <sup>1</sup> <sup>≤</sup> <sup>i</sup> <sup>≤</sup> <sup>n</sup> *such that* <sup>X</sup> *occurs positively (resp. negatively) in* <sup>F</sup><sup>i</sup> *and* <sup>p</sup><sup>i</sup> = + *or there is some* <sup>1</sup> <sup>≤</sup> <sup>i</sup> <sup>≤</sup> <sup>n</sup> *such that* <sup>X</sup> *occurs negatively (resp. positively) in* <sup>F</sup><sup>i</sup> *and* <sup>p</sup><sup>i</sup> <sup>=</sup> <sup>−</sup>*;* (γ) <sup>X</sup> *occurs positively (resp. negatively) in* σY.F*, for* <sup>σ</sup> ∈ {μ, ν}*, if* <sup>Y</sup> <sup>=</sup> <sup>X</sup> *and* <sup>X</sup> *occurs positively (resp. negatively) in* F*.*

Definition 5 (μ-formula). *A* μ*-formula* F *over a signature* S *is a pre-formula containing no free fixed-point variable and such that for any sub-pre-formula of* F *of the form* σX.G*, all occurrences of* X *in* G *are positive.*

Definition 6. *One-sided* μLL *formulas are those formulas defined over the signature* C<sup>μ</sup>LL<sup>1</sup> *together with a set of atomic formulas* {a, a<sup>⊥</sup> | a ∈ A} *for a countable set* <sup>A</sup>*. Negation* (*\_*)<sup>⊥</sup> *is the involution on pre-formulas defined by:*

(a<sup>⊥</sup>)<sup>⊥</sup> = a; ⊥<sup>⊥</sup> = 1; ⊤<sup>⊥</sup> = 0; (F ⅋ G)<sup>⊥</sup> = F<sup>⊥</sup> ⊗ G<sup>⊥</sup>; (F ⊕ G)<sup>⊥</sup> = F<sup>⊥</sup> & G<sup>⊥</sup>; (? F)<sup>⊥</sup> = ! F<sup>⊥</sup>; X<sup>⊥</sup> = X; (νX.F)<sup>⊥</sup> = μX.F<sup>⊥</sup>.

Definition 7 (μ-Fischer-Ladner subformulas). *Given a* μ*-signature* C *and a* μ*-formula* F*,* F L(F) *is the least set of formulas such that:*

*–* F ∈ F L(F)*;*
*–* c(F1,...,Fn) ∈ F L(F) ⇒ F1,...,Fn ∈ F L(F) *for* c ∈ C*;*
*–* σX.B ∈ F L(F) ⇒ B[σX.B/X] ∈ F L(F) *for* σ ∈ {μ, ν}*.*

*Example 8.* Let us consider F = νX.((a ⅋ a<sup>⊥</sup>) ⊗ (! X ⊗ μY.X)). F L(F) is the set {F, (a ⅋ a<sup>⊥</sup>) ⊗ (! F ⊗ μY.F), a ⅋ a<sup>⊥</sup>, a, a<sup>⊥</sup>, ! F ⊗ μY.F, ! F, μY.F}.

The finiteness of F L(F) makes it an adequate notion of subformula:

Proposition 9. *For any* <sup>μ</sup>*-signature* <sup>S</sup> *and* <sup>μ</sup>*-formula* <sup>F</sup>*,* F L(F) *is finite.*

(Display of the µMALL<sup>∞</sup> inference rules and of the µLL<sup>∞</sup> exponential inference rules; see the caption of Fig. 2.)

Fig. 2. (a) *µ*MALL<sup>∞</sup> Inferences (b)*µ*LL<sup>∞</sup> Exponential Inferences

# 2.2 *µ***MALL***∞*, *µ***LL***∞*, *µ***LK***<sup>∞</sup>* & *µ***LJ***<sup>∞</sup>* Inference Rules

Now, we define the inference rules associated with the above μ-signatures.

Definition 10 (Sequents and inferences). *A* sequent s = Γ ⊢ Δ *over a* μ*-signature* S *is a pair of finite lists* Γ, Δ *of* S*-formulas:* Γ *is the* antecedent *and* Δ *the* succedent*. An* inference rule r*, usually presented by a schema, is the data of a* conclusion sequent *and* premise sequents*, together with an* ancestor relation *relating formulas of the conclusion with formulas of the premises. A rule has a subset of distinguished* principal formulas *of the conclusion.*

Convention 1. *In the following, the ancestor relation will be depicted as colored lines joining related formulas. The* principal *formulas of an inference are the formulas which are explicitly spelled out in the conclusion sequent of the inference, not described via a context meta-variable. A formula occurrence of an inference is said to be* active *if it is principal or related to a principal formula by the ancestor relation. We will freely use the derived rules obtained by* pre- and post-composition with the exchange rule*, adapting the ancestor relation accordingly. Finally, for one-sided sequent calculi with an involutive negation* (·)<sup>⊥</sup>*, we may write* Γ ⊢ Δ *for sequents* ⊢ Γ<sup>⊥</sup>, Δ *to clarify the computational behaviour of our examples (keeping the rule names unchanged).*

Definition 11 (μMALL∞*,* μLL∞*,* μLK∞*,* μLJ∞). μMALL<sup>∞</sup> *inferences are given in Fig. 2(a). Those for one-sided* μLL<sup>∞</sup> *in Fig. 2(a) and 2(b). Those for* μLK<sup>∞</sup> *in Fig. 3. Those for* μLJ<sup>∞</sup> *are obtained by considering only the inferences from Fig. 3 in which the succedents of both the premise and conclusion sequents are singletons.*

In the above sequent calculi, every inference but the cut satisfies the subformula property *wrt.* FL-subformulae. The 2-sided μLL<sup>∞</sup> sequent calculus, over C<sup>μ</sup>LL<sup>2</sup> , is defined as usual and not recalled here for space constraints.

Fig. 3. *µ*LK<sup>∞</sup> Two-sided Inferences

#### 2.3 Pre-proofs and Validity Conditions

Definition 12 (Pre-proofs). *The set* PS,<sup>I</sup> *of* I-pre-proofs *associated to some of the above* μ*-signatures* S *and sets of inferences* I *is the set of* finite or infinite *trees whose nodes are correctly labelled with inferences and sequents.*

Pre-proofs are equipped with a metric structure as follows: we define a *distance* d : P<sub>S,I</sub> × P<sub>S,I</sub> → ℝ by d(π, π′) = 0 if π = π′, and d(π, π′) = 2<sup>−k</sup> otherwise, where k is the length of the shortest position at which π and π′ differ.

*Example 13.* Consider the <sup>μ</sup>LJ formulas <sup>N</sup> <sup>=</sup> μX.⊤ ∨ <sup>X</sup> and <sup>S</sup> <sup>=</sup> νX.N <sup>∧</sup> <sup>X</sup>. They represent natural numbers and streams of natural numbers, respectively. The μLJ<sup>∞</sup> derivations of Fig. 4 respectively represent the natural numbers, the successor function, the stream n::n + 1::n + 2:: ..., the double function, and the function that builds a stream enumerating the natural numbers from its input: the cut-elimination process considered below ensures that cutting π<sup>k</sup> with πenum infinitarily reduces to π<sup>k</sup> from. Figure 5 shows further examples of μLL<sup>∞</sup> pre-proofs, discussed together with the validity condition.
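The computational content of πenum can be mimicked by a corecursive definition: a lazy generator producing the stream n :: n+1 :: n+2 :: … (an illustration in Python, not from the paper; N corresponds to built-in naturals, S = νX.N ∧ X to the generator):

```python
# Illustrative sketch of the stream-enumerating function of Example 13.

def enum(n):
    """Corecursively produce the stream n :: n+1 :: n+2 :: ..."""
    while True:
        yield n      # head of the stream (a nat)
        n += 1       # tail behaves like enum(n + 1)

def take(k, stream):
    """Observe a finite prefix of an infinite stream."""
    return [next(stream) for _ in range(k)]
```

As with non-wellfounded proofs, only finite observations of the infinite object are ever computed.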

The back-edge arrow to a lower sequent is notation describing a fixed-point definition of the proof object: the subproof rooted at the source equals the subproof rooted at the target. Such an equation trivially has a unique solution.

In the following, we assume given a μ-signature S and a sequent calculus S for this signature, and we shall define the valid S-proofs as a subset of the S-pre-proofs by introducing a *thread-based validity condition*.

Definition 14 (Thread and validity). *Given a pre-proof* π *and an infinite branch* <sup>β</sup> = (si)<sup>i</sup>∈<sup>ω</sup> *in* <sup>π</sup>*, a* thread *for* <sup>β</sup> *is an infinite sequence* <sup>θ</sup> *of formula occurrences such that for all* i ∈ ω*,* θ<sup>i</sup> *is a formula occurrence of* s<sup>i</sup>*, and* θ<sup>i</sup> *and* θ<sup>i</sup>+1 *are related by the ancestor relation.* θ *is said to* support β*.*

*A formula* F *is* recurring *in a thread* θ *of* β *if there are infinitely many* i *such that* θ<sup>i</sup> *is an occurrence of* F*.*

*A thread* θ *is* valid *if it contains infinitely often the principal formula (occurrence) of a* ν *or* μ *rule, and if the set of recurring formulas of* θ *has a least element (for the usual subformula ordering) which is (i) a* ν*-formula when this least element occurs in succedents, or (ii) a* μ*-formula when it occurs in antecedents. A pre-proof is* valid *if every infinite branch has a suffix supported by a valid thread.*
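For circular proofs, every infinite branch is eventually periodic, so the condition on a thread reduces to a check on its periodic part. The following Python sketch is our own illustration, with an invented representation: each thread element carries its formula, the kind of its outermost fixed point ('mu'/'nu') and the side on which it occurs, and `leq` is the subformula ordering; the requirement that a μ/ν rule be applied infinitely often is elided.

```python
# Hedged sketch of the least-recurring-formula condition of Definition 14
# on the periodic part of an eventually periodic thread.

def valid_thread(period, leq):
    """period: list of (formula, kind, side); leq(f, g): f subformula of g."""
    recurring = {f for (f, _, _) in period}
    # a least element must be below every recurring formula
    least = [f for f in recurring if all(leq(f, g) for g in recurring)]
    if not least:
        return False
    f = least[0]  # any least element (all are equivalent) would do
    kind, side = next((k, s) for (g, k, s) in period if g == f)
    return (kind == 'nu' and side == 'right') or \
           (kind == 'mu' and side == 'left')
```

A ν-formula least on the right (or a μ-formula least on the left) witnesses productive, respectively well-founded, behaviour of the branch.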

Fig. 4. Examples of *µ*LJ<sup>∞</sup> pre-proofs

*Example 15 ((Non-)valid pre-proofs).* Consider the pre-proof in Fig. 5(a), with <sup>F</sup> <sup>=</sup> νX.((a ⅋ a⊥) <sup>⊗</sup> (!<sup>X</sup> <sup>⊗</sup> μY.X)) and <sup>G</sup> <sup>=</sup> μY.F. The rightmost branch is supported by the green thread, for which the least recurring formula is F, a ν-formula. All other branches are valid: this pre-proof is valid. Consider now the same pre-proof but with <sup>F</sup> <sup>=</sup> νX.((a ⅋ a⊥) ⊗ (!X ⊗ G)) and <sup>G</sup> <sup>=</sup> μY.νX.((a ⅋ a⊥) <sup>⊗</sup> (!<sup>X</sup> <sup>⊗</sup> <sup>Y</sup> )). <sup>G</sup> is now a subformula of <sup>F</sup> and of <sup>G</sup>, a <sup>μ</sup>-formula, and becomes the least recurring formula of all threads along the rightmost infinite branch. This branch is invalid: the pre-proof is not a proof. Examples of μLL<sup>∞</sup> invalid pre-proofs are given in Fig. 1(a) and 5(b–c). In Fig. 4, πdouble has a left thread on N while πn from and πenum have right threads on S: they are valid.

#### 2.4 Non-Locative *µ***MALL***<sup>∞</sup>* Cut-Elimination Theorem

The validity condition carves out a subset of pre-proofs, ensuring good properties for those non-wellfounded derivations that satisfy it. In this paper, we are mainly interested in the cut-elimination theorem, which was proved for μMALL<sup>∞</sup> [4] and which we review in this subsection. In [4], a somewhat stronger result than cut-elimination is proved: infinitary strong normalization with respect to the class of *fair* reduction sequences.

The only new result developed in this subsection is the lifting of the occurrence-based cut-elimination result of [4] to our setting. For this, we first introduce the multicut inference and review the main multicut-reduction steps for μMALL<sup>∞</sup> before defining fair reductions. The cut-elimination results of [4,20] do not rewrite cuts *per se*, but subtrees of cuts in the form of an abstraction called the *multicut*, a variable-arity inference defined as follows:

Definition 16. *The* multicut inference *is given by the data of (i) a conclusion sequent* <sup>s</sup>*, (ii) a non-empty list of premises* (s1,...,sn), n <sup>≥</sup> <sup>1</sup>*, (iii) an* ancestor relation ι*, an injective map from the conclusion formulas to the premise formulas which relates identical formulas, and additionally (iv) a* cut-connectedness relation ⊨*, a total, symmetric, binary relation among the formula occurrences of the premises which are not ancestors of a conclusion*

Fig. 5. Examples of valid and invalid pre-proofs

*formula, which relates dual formulas*<sup>2</sup> *and which satisfies a connectedness and acyclicity condition (see [3,4]). The multicut inference has no principal formula.*

We write this multicut rule as:

$$\frac{s_1 \quad \dots \quad s_n}{s}\ \mathrm{mcut}(\iota, \models)$$

In the following, we only consider μMALL<sup>∞</sup> pre-proofs with specific multicuts:

Definition 17 (μMALL<sup>∞</sup> <sup>m</sup> ). μMALL<sup>∞</sup> <sup>m</sup> *(pre)proofs are those (pre)proofs built from* μMALL<sup>∞</sup> *inferences and the multicut, such that (i) any branch contains at most one multicut and (ii) any occurrence of a cut is above a multicut inference.*

In the following, we shall always assume, even without mentioning it, that we consider proofs in μMALL<sup>∞</sup> <sup>m</sup> (as well as μLL<sup>∞</sup> <sup>m</sup> , μLJ<sup>∞</sup> <sup>m</sup> , μLK<sup>∞</sup> <sup>m</sup> ). We need the following definition (from [4]), identifying the premises of an mcut which are cut-connected to a given formula occurrence:

Definition 18 (Restriction of an mcut-context). *Consider an occurrence of an mcut* $\frac{s_1 \ \dots \ s_n}{s}\,\mathrm{mcut}(\iota, \models)$ *and assume* s<sub>i</sub> *to be* ⊢ F<sub>1</sub>,...,F<sub>k</sub>*. We define* C<sub>F<sub>j</sub></sub>, 1 ≤ j ≤ k*, to be the least set of sequent occurrences contained in* {s<sub>1</sub>,...,s<sub>n</sub>} *such that: (i) if there exist* k, l *such that* (k, l) ⊨ (i, j)*, then* s<sub>k</sub> ∈ C<sub>F<sub>j</sub></sub>*; (ii) for any* k, k′ ≠ i*, if* s<sub>k</sub> ∈ C<sub>F<sub>j</sub></sub> *and there exist* l, l′ *such that* (k, l) ⊨ (k′, l′)*, then* s<sub>k′</sub> ∈ C<sub>F<sub>j</sub></sub>*. We define* C<sub>∅</sub> = ∅ *and* C<sub>F,Γ</sub> = C<sub>F</sub> ∪ C<sub>Γ</sub>*.*

When relating μLL<sup>∞</sup> and μMALL<sup>∞</sup> mcut-sequences below, we shall consider not only finite or ω-indexed sequences but also transfinite sequences. These are sequences of triples consisting of a proof, a redex and the position of the redex in the proof tree. A position p has a *depth* dpth(p), which is its length.

Definition 19 (mcut-reduction rules, transfinite sequences). μMALL<sup>∞</sup> *mcut-reduction sequences are directly adapted from [3,4]. Given an ordinal* λ*, a* transfinite reduction sequence *of length* λ*, or* λTRS*, is a* λ*-indexed sequence* (πi, ri, pi)<sup>i</sup>∈<sup>λ</sup> *such that* <sup>π</sup><sup>i</sup> −→<sup>p</sup>*<sup>i</sup>* <sup>r</sup>*<sup>i</sup>* <sup>π</sup><sup>i</sup>+1*, for any* <sup>i</sup> *such that* <sup>i</sup> + 1 <sup>∈</sup> <sup>λ</sup>*, where the reduction occurs at position* p<sup>i</sup> *reducing mcut-redex* ri*.*

<sup>2</sup> When working with two-sided sequents, ⊨ will relate identical formulas, one in a succedent, the other in an antecedent.

Definition 20 (Weak and strong convergence). *A (transfinite) mcut reduction sequence* (πi, ri, pi)i∈<sup>α</sup> *is* weakly converging *if for any limit ordinal* <sup>β</sup> <sup>∈</sup> <sup>α</sup>*,* lim(πi)i∈<sup>β</sup> <sup>=</sup> <sup>π</sup>β*.* (πi, ri, pi)i∈<sup>α</sup> *is* strongly converging *if it is weakly converging and moreover for any limit ordinal* <sup>β</sup> <sup>∈</sup> <sup>α</sup>*,* lim(dpth(pi))i∈<sup>β</sup> = +∞*.*

*Remark 21.* The cut-reduction rules preserve the property that every branch of a proof has at most one multicut inference: μMALL<sup>∞</sup> <sup>m</sup> is closed by cut-reduction.

A μMALL<sup>∞</sup> <sup>m</sup> pre-proof <sup>π</sup> may contain multiple cut-redexes: <sup>π</sup> −→p<sup>1</sup> <sup>r</sup><sup>1</sup> π<sup>1</sup> and <sup>π</sup> −→<sup>p</sup><sup>2</sup> <sup>r</sup><sup>2</sup> π2. As usual, a notion of residual associates to (r1, p1) a set of redexes of π2, written (r1, p1)/(r2, p2); this is generalized to reduction sequences as (r1, p1)/σ.

Definition 22 (Fair reduction sequences). *A reduction sequence* (πi, <sup>r</sup>i, pi)<sup>i</sup>∈<sup>ω</sup> *is* fair *if for all* <sup>i</sup> <sup>∈</sup> <sup>ω</sup> *and* r, p *such that* <sup>π</sup><sup>i</sup> −→<sup>p</sup> <sup>r</sup> π *there is some* <sup>j</sup> <sup>≥</sup> <sup>i</sup> *such that* <sup>π</sup><sup>j</sup> *does not contain a residual of* (r, p) *anymore.*

Theorem 23. *Every fair mcut-reduction sequence of* μMALL<sup>∞</sup> *valid proofs of* Γ *(strongly) converges to a cut-free valid proof of* Γ*.*

# 2.5 Compressing Transfinite *µ***MALL***<sup>∞</sup>* Cut-Reduction Sequences

In the previous subsection, we introduced not only ω-indexed but also transfinite μMALL<sup>∞</sup> cut-reduction sequences, as we shall need reductions beyond ω when simulating μLL<sup>∞</sup> cut-elimination in μMALL∞. We now prove that a class of transfinite μMALL<sup>∞</sup> mcut-reduction sequences can be compressed to ωTRSs. This result can be viewed as adapting to our setting the compression lemma from infinitary rewriting [31], even though we require more on the structure of the compressed sequences, as this will be useful to establish μLL<sup>∞</sup> cut-elimination.

Definition 24 (Depth-increasing). *A* μMALL<sup>∞</sup> *cut reduction sequence* σ = (πi, ri, pi)<sup>i</sup>∈<sup>ω</sup> *is* depth-increasing *if* (dpth(pi))<sup>i</sup>∈<sup>ω</sup> *is (weakly) increasing.*

Definition 25 (Reordering). *An mcut-reduction sequence* <sup>σ</sup> = (πi, ri, pi)<sup>i</sup>∈<sup>α</sup> *is a* reordering *of* σ′ = (π′<sup>i</sup>, r′<sup>i</sup>, p′<sup>i</sup>)<sup>i</sup>∈<sup>β</sup> *if there is a bijection* <sup>o</sup> *between* <sup>α</sup> *and* <sup>β</sup> *such that for any* <sup>i</sup> <sup>∈</sup> <sup>α</sup>*,* (r′<sup>o</sup>(i), p′<sup>o</sup>(i)) = (ri, pi)*.*

Proposition 26 (Compression lemma). *Let* <sup>σ</sup> = (πi, ri, pi)<sup>i</sup>∈<sup>α</sup> *be a strongly converging* μMALL<sup>∞</sup> *transfinite cut-reduction sequence. There exists a* μMALL<sup>∞</sup> *cut-reduction sequence* Comp(σ) = (π′<sup>i</sup>, r′<sup>i</sup>, p′<sup>i</sup>)<sup>i</sup>∈<sup>β</sup> *which is a reordering of* <sup>σ</sup>*, depth-increasing, strongly converging with the same limit as* σ*, and such that* β = α *if* α *is finite and* β = ω *otherwise.*

# 3 Cut-Elimination Theorem for *µ***LL***<sup>∞</sup>*

The aim of this section is to prove the following theorem:

Theorem 27. *For any valid* μLL<sup>∞</sup> *proof* π*, fair* μLL<sup>∞</sup> *mcut-sequences from* π *converge to cut-free* μLL<sup>∞</sup> *proofs.*

The idea of the proof and outline of the present section are as follows:


#### 3.1 Cut-Elimination Rules for *µ***LL***<sup>∞</sup>*

μLL<sup>∞</sup> mcut-reduction is defined by extending μMALL<sup>∞</sup> multicut-reduction with the steps given in Fig. 6. The reduction rules for the exponentials assume a condition on the premisses of the multicut rule: all the proofs (hereditarily) cut-connected to some distinguished formula must have promotions as their last inferences.

Definition 28 ((!p)-ready contexts). *A subset of the subproofs of a multicut is said to be* (!p)*-ready if all its elements are concluded with an* (!p) *rule.* <sup>C</sup>! *will denote a* (!p)*-ready context and* <sup>C</sup>! <sup>Γ</sup> *a context restriction which is* (!p)*-ready.*

*Remark 29.* The condition triggering the exponential key reductions (?w)/(!p) and (?c)/(!p), as well as the (!p)-commutation rule, is expressed in terms of (!p)-readiness: for every ?-formula ?G in the context of a promotion which shall either commute or cut-reduce with a ?-rule, we require that <sup>C</sup>?<sup>G</sup> is (!p)-ready.

#### 3.2 Embedding *µ***LL***<sup>∞</sup>* in *µ***MALL***<sup>∞</sup>*

To extend the cut-elimination result from μMALL<sup>∞</sup> to μLL∞, we encode the exponential connectives using fixed points, following Baelde [2]:

Definition 30. ?•(F) = μX.F ⊕ (⊥ ⊕ (X ⅋ X)); !•(F) = νX.F & (1 & (X ⊗ X)).

This straightforwardly induces an embedding of μLL<sup>∞</sup> into μMALL∞:

Definition 31 (Embedding of μLL<sup>∞</sup> sequents into μMALL<sup>∞</sup>). (a)• <sup>=</sup> <sup>a</sup> *if* <sup>a</sup> *is an atom;* (σX.F)• <sup>=</sup> σX.(F)•, σ ∈ {μ, ν}*;* (u)• <sup>=</sup> <sup>u</sup> *if* <sup>u</sup> ∈ {1, <sup>⊥</sup>, ⊤, <sup>0</sup>}*;* (?F)• = ?•(F•)*;* (!F)• = !•(F•)*;* (A ⋆ B)• = (A)• ⋆ (B)• *if* ⋆ ∈ {&, <sup>⊕</sup>, ⅋, ⊗}*.*
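Under a (hypothetical) tuple representation of formulas, the embedding of Definitions 30–31 is a short structural recursion; the sketch below is ours, with invented constructor names, and fresh-variable generation for nested exponentials is elided for brevity:

```python
# Hedged sketch of (.)^bullet: '?' encodes to mu X. F + (bot + (X par X)),
# '!' dually to nu X. F & (1 & (X tensor X)); the rest is homomorphic.

MULT_ADD = {'tensor', 'par', 'with', 'plus'}   # binary MALL connectives

def bullet(f):
    if isinstance(f, str):                      # atom, unit or variable
        return f
    op = f[0]
    if op in ('mu', 'nu'):                      # (sigma X.F)* = sigma X.(F)*
        return (op, f[1], bullet(f[2]))
    if op in MULT_ADD:
        return (op, bullet(f[1]), bullet(f[2]))
    if op == '?':                               # ?F -> mu X. F* + (bot + (X par X))
        return ('mu', 'X*', ('plus', bullet(f[1]),
                             ('plus', 'bot', ('par', 'X*', 'X*'))))
    if op == '!':                               # !F -> nu X. F* & (1 & (X tensor X))
        return ('nu', 'X*', ('with', bullet(f[1]),
                             ('with', '1', ('tensor', 'X*', 'X*'))))
    raise ValueError(op)
```

The translation clearly preserves FL-subformulae up to the encoding, which is what the simulation of Sect. 3.3 exploits.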

Fig. 6. μLL<sup>∞</sup> mcut-reduction steps for the exponentials (excerpt): the (?c)/(!p) key case, duplicating the (!p)-ready context C<sup>!</sup><sub>?F</sub>, and the (!p)-commutation step, where C<sup>!</sup><sub>?F</sub> ≠ ∅ and ⊨′ corresponds to the restriction of ⊨ to C<sub>Γ</sub>, Γ.


Definition 32 (μMALL<sup>∞</sup> derivability of the exponentials). *The* μLL<sup>∞</sup> *exponential rules can be encoded in* μMALL<sup>∞</sup> *as shown in Fig. 7. We denote the derivable rules by* ?d•, ?c•*,* ?w• *and* !p• *respectively. (*!p• *uses a circular proof.)*

Proposition 33 (Preservation of validity). π *is a valid* μLL<sup>∞</sup> *proof of* Γ *iff* π• *is a valid* μMALL<sup>∞</sup> *proof of* Γ•*.*

*Proof (Sketch).* We relate the infinite branches of the two pre-proofs. Assuming that π is valid, consider the special case of an infinite branch β of π• that, upon entering the encoding of a promotion, follows the left-most premise of the (&) rule. To such an infinite branch one easily associates an infinite branch b of π. b is valid and supported by a thread t with least formula νX.F. Then (νX.F)• is the least recurring formula of the thread θ associated with t in β: β is valid.

Fig. 7. *µ*MALL<sup>∞</sup> encoding of the exponential inferences

#### 3.3 Simulation of *µ***LL***<sup>∞</sup>* Cut-Elimination Steps

Now we have to show that μLL<sup>∞</sup> cut-elimination steps can be simulated by the previous encoding. *E.g.*, the commutation rule for dereliction is simulated by a (μ)/(Cut) commutation followed by a (⊕)/(Cut) commutation as follows:

$$
\frac{\dfrac{\vdash F, G, \Gamma}{\vdash\, ?^\bullet F, G, \Gamma}\ (\mathsf{?d}^\bullet) \qquad \vdash G^{\bot}, \Delta}{\vdash\, ?^\bullet F, \Gamma, \Delta}\ (\mathsf{Cut})
\;\longrightarrow\;
\frac{\dfrac{\vdash F, G, \Gamma \qquad \vdash G^{\bot}, \Delta}{\vdash F, \Gamma, \Delta}\ (\mathsf{Cut})}{\vdash\, ?^\bullet F, \Gamma, \Delta}\ (\mathsf{?d}^\bullet)
$$

The challenge is to show that the simulation of reductions also holds (i) for the reductions involving (!p), as well as (ii) for reductions occurring *above* a promotion rule (i.e., inside a box), since the encoding of (!p) uses an infinite, circular derivation. In the promotion-commutation case, for instance, we have:

$$
\frac{\dfrac{\vdash F, ?^\bullet G, ?^\bullet\Gamma}{\vdash\, !^\bullet F, ?^\bullet G, ?^\bullet\Gamma}\ (\mathsf{!p}^\bullet) \qquad \dfrac{\vdash G^{\bot}, ?^\bullet\Delta}{\vdash\, !^\bullet G^{\bot}, ?^\bullet\Delta}\ (\mathsf{!p}^\bullet)}{\vdash\, !^\bullet F, ?^\bullet\Gamma, ?^\bullet\Delta}\ (\mathsf{Cut})
\;\longrightarrow^{\omega}\;
\frac{\dfrac{\vdash F, ?^\bullet G, ?^\bullet\Gamma \qquad \dfrac{\vdash G^{\bot}, ?^\bullet\Delta}{\vdash\, !^\bullet G^{\bot}, ?^\bullet\Delta}\ (\mathsf{!p}^\bullet)}{\vdash F, ?^\bullet\Gamma, ?^\bullet\Delta}\ (\mathsf{Cut})}{\vdash\, !^\bullet F, ?^\bullet\Gamma, ?^\bullet\Delta}\ (\mathsf{!p}^\bullet)
$$

Proposition 34. *Each* μLL<sup>∞</sup> *mcut-reduction* r *can be simulated in* μMALL<sup>∞</sup> *by a (possibly infinite) sequence of mcut-reductions, denoted* r•*.*

*Remark 35.* Conversely, one can wonder whether every possible reduction in π• comes from the simulation of a reduction step in π. This is *almost* the case, except when the reduction in π• comes from exponential cuts requiring a (!p)-ready context (*i.e.* the (!p)-commutation as well as the (?w)/(!p) and (?c)/(!p) key cases, see above): in those cases, if the context is only "partially ready" – meaning that some, but not all, of the required premises are promoted – a prefix of the sequence simulating the reduction step can be performed before getting stuck. As a consequence – and we shall exploit this in the next section when proving μLL<sup>∞</sup> cut-elimination – the simulation of a fair reduction sequence need not be fair, *but only when the above cases are involved*:

Proposition 36. *There exists a fair reduction* ρ *from some* μLL<sup>∞</sup> *(pre-)proof* π *such that* ρ• *is an* ω*-indexed unfair* μMALL<sup>∞</sup> *cut-reduction sequence.*

#### 3.4 Proof of *µ***LL***<sup>∞</sup>* Cut-Elimination Theorem

The μLL<sup>∞</sup> cut-elimination theorem follows from the following two lemmas:

Lemma 37. *Let* <sup>π</sup> *be a* <sup>μ</sup>LL∞*-proof of* <sup>Γ</sup> *and* <sup>σ</sup> = (πi, ri, pi)i∈<sup>ω</sup> *a fair* <sup>μ</sup>LL<sup>∞</sup> *cut-reduction sequence from* π*.* σ *converges to a cut-free* μLL∞*-pre-proof of* Γ*.*

Lemma 38. *Let* π *be a* μLL<sup>∞</sup> *pre-proof of* Γ *and consider a cut-reduction sequence* <sup>σ</sup> = (πi, ri, pi)<sup>i</sup>∈<sup>ω</sup> *in* <sup>μ</sup>LL<sup>∞</sup> *from* <sup>π</sup> *that converges to a cut-free* μLL<sup>∞</sup> *pre-proof* π′*. Then* σ• *is a strongly converging (possibly transfinite) sequence.*

*Proof (Sketch for Thm.* <sup>27</sup>*).* Let <sup>π</sup> be a <sup>μ</sup>LL∞-proof of <sup>Γ</sup> and <sup>σ</sup> = (πi, ri, pi)<sup>i</sup>∈<sup>ω</sup> be a fair μLL<sup>∞</sup> mcut-reduction sequence from π. Consider the associated (transfinite) μMALL<sup>∞</sup> mcut-reduction sequence σ• from π• obtained by simulation. By Lemma 37, σ converges (*strongly*) to a cut-free μLL<sup>∞</sup> pre-proof π′.

Let us prove that π′ is valid. By Lemma 38, σ• is a *transfinite* mcut-reduction sequence from π• *strongly converging* to π′•. By Prop. 26, σ• can be compressed into ρ = (π′<sup>i</sup>, r′<sup>i</sup>, p′<sup>i</sup>)<sup>i</sup>∈<sup>ω</sup>, an <sup>ω</sup>*-indexed*, depth-increasing <sup>μ</sup>MALL<sup>∞</sup> mcut-reduction sequence which converges to π′• and contains the same reductions as σ•. By Proposition 36, ρ may not be fair: this prevents us from concluding directly, but we can still conclude. Let ρ<sup>f</sup> be a fair reduction sequence obtained from ρ by reducing those redexes which cause the lack of fairness of ρ, and let π<sup>f</sup> be the limit of ρ<sup>f</sup>. To any infinite branch β of π′•, one can associate a branch β<sup>f</sup> of π<sup>f</sup>: it coincides with β except when the next inference of β<sup>f</sup> is on a (!F)• (in a sequent, say, ⊢ (!F)•, ?•Δ•, in which it is not principal along β). In that case, we expand β<sup>f</sup> by following the unique premise of the (ν) rule, the second premise of the first (&) rule and the first premise of the second (&) rule, reaching ⊢ <sup>1</sup>, ?•Δ•, where we know that the <sup>1</sup> is not principal (and never will be), and we follow β again. β<sup>f</sup> has exactly the same threads as β: finite threads may only be extended *finitely* on occurrences of (!F)•. Since ρ<sup>f</sup> is fair, β<sup>f</sup> is valid and so is β.

We can then conclude that π′• is cut-free and valid and, using preservation of validity (Proposition 33), that π′ is a valid cut-free μLL∞-proof.

Infinitary cut-elimination for μLL<sup>∞</sup> two-sided sequent calculus is an easy corollary of Theorem 27. Indeed, fair cut-reduction sequences in two-sided μLL<sup>∞</sup> are mapped to fair reduction sequences in one-sided μLL<sup>∞</sup> from which follows:

Corollary 39. *Fair 2-sided* μLL<sup>∞</sup> *valid mcut-reduction sequences eliminate cuts.*

# 4 Cut-Elimination Theorem for *µ***LK***<sup>∞</sup>* and *µ***LJ***<sup>∞</sup>*

Cut-elimination theorems for both μLK<sup>∞</sup> and μLJ<sup>∞</sup> can be established as corollaries of Theorem 27. For lack of space, we go directly to our results and postpone to future work a detailed study of the generalizations, to non-wellfounded sequent calculi, of the linear embeddings of LK and LJ into LL developed since Girard's seminal paper. We comment on those translations in the conclusion.

#### 4.1 *µ***LK***<sup>∞</sup>* Cut-Elimination: Skeletons and Decorations

To any μLL<sup>∞</sup> formula or proof, one can associate its skeleton, that is, the corresponding μLK<sup>∞</sup> formula or proof obtained by erasing the linear information:

Definition 40 (Skeleton). Sk(A) *is defined by induction on* <sup>A</sup> <sup>∈</sup> <sup>μ</sup>LL∞*:*
Sk(A ⊗ B) = Sk(A) ∧ Sk(B); Sk(A ⅋ B) = Sk(A) ∨ Sk(B); Sk(!A) = Sk(A);
Sk(A & B) = Sk(A) ∧ Sk(B); Sk(A ⊕ B) = Sk(A) ∨ Sk(B); Sk(?A) = Sk(A);
Sk(1) = Sk(⊤) = T; Sk(⊥) = Sk(0) = F; Sk(a) = a;
Sk(A ⊸ B) = Sk(A) ⇒ Sk(B); Sk(σX.A) = σX.Sk(A); Sk(X) = X, *with* σ ∈ {μ, ν}*.*

*Given a 2-sided* μLL<sup>∞</sup> *pre-proof* π *of* Γ ⊢ Δ *with last rule* r *and premises* (πi)1≤i≤<sup>n</sup>*,* Sk(π) *is the* <sup>μ</sup>LK<sup>∞</sup> *pre-proof of* Sk(Γ) ⊢ Sk(Δ) *defined corecursively, by case on* <sup>r</sup>*: (i) if* <sup>r</sup> ∈ {(!p), (?d)}*, then* Sk(π) = Sk(π1)*; (ii) otherwise, apply the* <sup>μ</sup>LK<sup>∞</sup> *rule corresponding to* <sup>r</sup> *to the premises* (Sk(πi))1≤i≤<sup>n</sup>*.*
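The formula part of Sk(·) is a plain structural recursion; a hedged Python sketch over a tuple-based AST (constructor names are ours, and the reading of the units follows the clause for units in Definition 40 as we reconstruct it):

```python
# Hedged sketch of Sk(.): exponentials are erased; multiplicative and
# additive conjunctions (resp. disjunctions) collapse to classical ones.

def sk(f):
    if isinstance(f, str):
        if f in ('1', 'top'):
            return 'T'          # positive units collapse to truth
        if f in ('bot', '0'):
            return 'F'          # negative units collapse to falsity
        return f                # atom or variable
    op = f[0]
    if op in ('!', '?'):
        return sk(f[1])                        # Sk(!A) = Sk(?A) = Sk(A)
    if op in ('tensor', 'with'):
        return ('and', sk(f[1]), sk(f[2]))
    if op in ('par', 'plus'):
        return ('or', sk(f[1]), sk(f[2]))
    if op == 'lolli':
        return ('imp', sk(f[1]), sk(f[2]))     # Sk(A -o B) = Sk(A) => Sk(B)
    if op in ('mu', 'nu'):
        return (op, f[1], sk(f[2]))
    raise ValueError(op)
```

On proofs, the corecursive clause (i) above simply skips the inferences that sk makes invisible.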

Proposition 41. Sk(·) *transports valid* <sup>μ</sup>LL∞*-proofs to valid* <sup>μ</sup>LK<sup>∞</sup> *proofs.*

μLK<sup>∞</sup> cut-elimination follows from the existence of μLK<sup>∞</sup> linear decorations.

Proposition 42. *For any* μLK<sup>∞</sup> *sequent* s *and any* μLK<sup>∞</sup> *proof* π *of* s*, there is a linear decoration of* π*, that is a* μLL<sup>∞</sup> *proof* π<sup>d</sup> *such that* Sk(π<sup>d</sup>) = π*.*

Definition 43 (μLK<sup>∞</sup> cut-reduction). *The* μLK<sup>∞</sup> *mcut-reduction relation is defined as:* −→<sup>μ</sup>LK∞ = {(Sk(π), Sk(π′)) <sup>|</sup> <sup>π</sup> −→mcut <sup>π</sup>′ *and* <sup>π</sup> <sup>≠</sup> <sup>π</sup>′}*.*

Theorem 44. μLK<sup>∞</sup> *enjoys cut-elimination.*

#### 4.2 *µ***LJ***<sup>∞</sup>* Cut-Elimination

The linear decoration for μLJ<sup>∞</sup> is simply Girard's call-by-value translation [21], extended to fixed points on formulas and proofs as follows:

[X]<sup>j</sup> = !X; [μX.F]<sup>j</sup> = !μX.[F]<sup>j</sup>; [νX.F]<sup>j</sup> = !νX.[F]<sup>j</sup>. The right rule (σr), deriving Γ ⊢ σX.F from a proof π of Γ ⊢ F[σX.F/X], is translated by applying (σr) to [π]<sup>j</sup> : [Γ]<sup>j</sup> ⊢ [F]<sup>j</sup>[σX.[F]<sup>j</sup>/X], yielding [Γ]<sup>j</sup> ⊢ σX.[F]<sup>j</sup>, followed by a promotion (!pr) concluding [Γ]<sup>j</sup> ⊢ [σX.F]<sup>j</sup>. Dually, the left rule (σl), deriving Γ, σX.F ⊢ G from π : Γ, F[σX.F/X] ⊢ G, is translated by applying (σl) to [π]<sup>j</sup>, yielding [Γ]<sup>j</sup>, σX.[F]<sup>j</sup> ⊢ [G]<sup>j</sup>, followed by a dereliction (!dl) concluding [Γ]<sup>j</sup>, [σX.F]<sup>j</sup> ⊢ [G]<sup>j</sup>.

The translation is consistent with μLJ∞- and μLL∞-positivity conditions.

Definition 45 (μILL∞). μILL *formulas are defined inductively as:* I, J ::= <sup>a</sup> <sup>|</sup> !<sup>X</sup> <sup>|</sup> <sup>I</sup> ⊸ <sup>J</sup> <sup>|</sup> <sup>I</sup> & <sup>J</sup> <sup>|</sup> <sup>I</sup> <sup>⊕</sup> <sup>J</sup> | ⊤ | <sup>0</sup> <sup>|</sup> μX.I <sup>|</sup> νX.I <sup>|</sup> !I*.*

*A* μILL *sequent is a sequent of* μILL *formulas with exactly one formula in the succedent. A* μILL<sup>∞</sup> *proof is a* μLL<sup>∞</sup> *proof containing only* μILL *sequents.*

That the translation preserves validity follows by induction, using [X]<sup>j</sup> = !X.

Lemma 46. *The following hold:*


On <sup>μ</sup>ILL<sup>∞</sup> proofs, the skeleton construction of the previous section can be reused: Sk(·) transports valid μILL<sup>∞</sup> proofs to valid μLJ<sup>∞</sup> proofs. Moreover, μILL<sup>∞</sup> proofs are closed under μLL<sup>∞</sup> cut-reductions, from which we deduce, as for μLK∞, that:

Theorem 47. μLJ<sup>∞</sup> *enjoys cut-elimination.*

# 5 Conclusion

In the present paper, we established several cut-elimination results for non-wellfounded proof systems for logics with least and greatest fixed points, expanding on previous work [4,20]: (i) for μMALL<sup>∞</sup> with sequents as lists, in contrast with sequents as sets of locative occurrences [4]; (ii) for the 1-sided and 2-sided sequent calculi of μLL∞; (iii) for μLK∞; and (iv) for μLJ∞. We also established additional results, ranging from a compression lemma for strongly converging μMALL<sup>∞</sup> cut-reduction sequences to linear embeddings of μLK<sup>∞</sup> and μLJ<sup>∞</sup> into μLL∞.

*On the Meaning and Expressiveness of Tree-Exponential Modalities.* The proof of our main result proceeds by encoding the LL exponentials in μMALL<sup>∞</sup>, following an encoding first considered by Baelde and Miller, and by studying μLL<sup>∞</sup> cut-reduction sequences through their simulation in μMALL∞, an approach first conjectured in Doumane's thesis [18]. We think that the present paper not only demonstrates the usefulness of this encoding but also suggests new questions. Indeed, the encoding has interesting features:

– this "rigid" tree-like exponential does not exhibit the Seely isomorphism but, even though those isomorphisms are common in axiomatizations of categorical models of linear logic, it is not necessary to have them as isomorphisms to build a denotational model of linear logic (that is, which quotients proofs up to cut-equivalence): the present work is actually an example of this fact. (They are crucial, though, to encode the λ-calculus in linear logic, as additional equations are needed, which are realized by Seely isos.)

– These exponentials allow for a somewhat non-uniform promotion: while a proof of ⊢ !•F, ?•<sup>Γ</sup> has to provide a proof of ⊢ F, ?•Γ, the circular definition of the promotion is not the only possible one: one can also consider promotions that provide a distinct value each time a box is opened (*e.g.* a proof of ⊢ !•μX.<sup>1</sup> <sup>⊕</sup> <sup>X</sup> may provide distinct integers depending on how structural rules managed the resource). See [30] for a detailed discussion.

This tree-like exponential is being investigated with Ehrhard and Jafarrahmani.

*Benefiting from Advances in Infinitary Rewriting.* Our cut-elimination proof by encoding μLL<sup>∞</sup> into μMALL<sup>∞</sup> relies on a simulation of reduction sequences which makes use of transfinite reduction sequences and compression results. These techniques are inspired by and adapted from the literature on infinitary rewriting. We plan to clarify the connection between non-wellfounded proof theory and infinitary rewriting in the future, even though in the present state it was not possible to readily apply results from infinitary rewriting such as the compression lemma, which we had to re-prove in our setting [31]. Moreover, we did not make use of coinductive formulations of infinitary rewriting [19]. That is another direction for future work: currently, we do not know how to use those formulations because the sequences we obtain by simulation are not given as (strongly) converging sequences. We plan to reconsider this and benefit from the coinductive approach to infinite reduction sequences.

*On Linear Translations for Fixed-Point Logics and Non-Wellfounded Proofs.* We obtained cut-elimination theorems for μLK<sup>∞</sup> and μLJ<sup>∞</sup> thanks to linear translations which deserve some comments. While the linear translation used for μLJ<sup>∞</sup> is standard (a call-by-value translation dating back to Girard's seminal paper), the treatment of classical logic was more complex. Indeed, the usual linear translations for classical logic introduce cuts at certain places. Due to the sensitivity of the straight-thread validity condition to the presence of cuts in cycles, we could not use those translations. However, we plan to investigate whether a more standard translation can be used in the specific case of bouncing validity [3].

*A Treatment of Cut-Elimination Which Is Agnostic to Validity Conditions.* Last but not least, a major advantage of our approach is that the μMALL<sup>∞</sup> cut-elimination proof and, to some extent, the validity conditions are regarded as black boxes, simplifying the presentation of the proof and making it reusable with respect to other validity conditions or μMALL<sup>∞</sup> proof techniques. The proof seems easily reusable with bouncing validity, for instance (even though setting up an adequate definition of bouncing validity for μLL<sup>∞</sup> is quite tricky). A fragment which seems promising, and which we wish to investigate in the near future, is μMELL<sup>∞</sup> equipped with bouncing validity [3].

Acknowledgements. First, I would like to deeply thank David Baelde and Amina Doumane for their extensive collaboration and brilliant ideas on the topic of *µ*MALL∞; the idea of a cut-elimination proof exploiting the fixed-point encoding of the exponentials emerged in joint discussions with them. Many thanks to Esaïe Bauer, Anupam Das, Abhishek De, Claudia Faggian, Guilhem Jaber, Farzad Jafarrahmani, Paul-André Melliès and Luc Pellissier for helpful discussions and constructive feedback on earlier versions of this draft. Last, the author would like to thank the anonymous reviewers for their work and for bringing very relevant suggestions for the present paper as well as for future works.

# References



The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# Ill-Founded Proof Systems for Intuitionistic Linear-Time Temporal Logic

Bahareh Afshari<sup>1</sup>, Lide Grotenhuis<sup>2</sup>, Graham E. Leigh<sup>1</sup>, and Lukas Zenger3(B)

<sup>1</sup> Department of Philosophy, Linguistics and Theory of Science, University of Gothenburg, Gothenburg, Sweden
{bahareh.afshari,graham.leigh}@gu.se
<sup>2</sup> Institute of Logic, Language and Computation, University of Amsterdam, Amsterdam, The Netherlands
l.m.grotenhuis@uva.nl
<sup>3</sup> Institute of Computer Science, University of Bern, Bern, Switzerland
lukas.zenger@unibe.ch

Abstract. We introduce ill-founded sequent calculi for two intuitionistic linear-time temporal logics. Both logics are based on the language of intuitionistic propositional logic with 'next' and 'until' operators and are evaluated on dynamic Kripke models wherein the intuitionistic and temporal accessibility relations are assumed to satisfy one of two natural confluence properties: forward confluence in one case, and both forward and backward confluence in the other. The presented sequent calculi are cut-free and incorporate a simple form of formula nesting. Soundness of the calculi is shown by a standard argument and completeness via proof search.

Keywords: Sequent calculus · Intuitionistic logic · Temporal logic · Ill-founded proofs

# 1 Introduction

Intuitionistic modal and temporal logics have found tangible applications in computer science [7,9,12,13,16,22] and with that comes the motivation for developing succinct proof systems that facilitate establishing fundamental properties such as decidability and algorithmic proof search. Temporal logic describes a range of modal logics in which modal and 'fixed point' operators are interpreted as temporal relations. An important example is linear-time temporal logic LTL, whose temporal operators include a 'next' operator X and an 'until' operator U. The formula XA is interpreted as 'A is true in the next time-step', and A U B as 'A is true until B is true'. The until operator satisfies the equivalence

$$A \mathbin{\mathsf{U}} B \quad\text{iff}\quad B \lor (A \land \mathsf{X}(A \mathbin{\mathsf{U}} B)),$$

Supported by the Swiss National Science Foundation [200021L\_196176], Dutch Research Council [OCENW.M20.048], the Knut and Alice Wallenberg Foundation [2020.0199], and the Swedish Research Council [2017-05111].

showing that A U B is a *fixed point* of the propositional function p ↦ B ∨ (A ∧ Xp).
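This unfolding can be checked mechanically on finite traces. The following sketch is our own illustration rather than part of the paper's formalism: it evaluates the until operator on an ultimately periodic ('lasso') trace and confirms the equivalence at every position. The trace shape and the names `succ` and `until` are assumptions of the example.

```python
# Illustrative check of the until fixed-point equivalence on a lasso-shaped
# trace: PREFIX initial positions followed by a LOOP-step cycle repeating
# forever.  'a' and 'b' are the sets of positions where A and B hold.

PREFIX, LOOP = 3, 4  # a hypothetical trace shape

def succ(i):
    """Temporal successor of position i on the lasso."""
    j = i + 1
    return j if j < PREFIX + LOOP else PREFIX + (j - PREFIX) % LOOP

def until(a, b, i, seen=None):
    """A U B at position i: B now, or A now and A U B at the successor."""
    seen = set() if seen is None else seen
    if i in seen:          # looped without ever reaching B
        return False
    if i in b:
        return True
    return i in a and until(a, b, succ(i), seen | {i})

a = {0, 1, 2, 3}
b = {4}
for i in range(PREFIX + LOOP):
    # B ∨ (A ∧ X(A U B)) agrees with A U B everywhere on the trace
    unfolded = (i in b) or ((i in a) and until(a, b, succ(i)))
    assert until(a, b, i) == unfolded
```

The `seen` set makes the recursion compute the *least* fixed point: a cycle on which B never occurs yields falsity, matching the existential reading of U.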

Advances in the proof theory of temporal logics show that ill-founded calculi are particularly suitable for capturing the behaviour of fixed point operators in a syntactic way [1,8,10,15]. So far, the study of such proof systems has focused on classical logic, and their applicability to intuitionistic temporal logics remains largely unexplored. One of the obstacles to directly applying the techniques from the classical setting is the interaction of the temporal and intuitionistic relations in intuitionistic Kripke semantics.

A standard way to present the semantics of intuitionistic propositional logic is in terms of Kripke models (W, ≤, V), where ≤ is a partial order on the set of worlds W and V a valuation that is monotone in ≤. A key property of this semantics is the monotonicity lemma: for all v, v′ ∈ W, if v ≤ v′ and v |= A, then v′ |= A. The semantics of intuitionistic modal/temporal logics can be given in terms of intuitionistic Kripke models (W, ≤, V) equipped with an additional relation R on W used to interpret the modal operators. In order to keep the monotonicity property, modalities are interpreted as follows.

$$\begin{aligned} w \models \Box A &\quad\text{iff}\quad \forall w' \ge w\, \forall v\, (w'Rv \text{ implies } v \models A) \\ w \models \Diamond A &\quad\text{iff}\quad \forall w' \ge w\, \exists v\, (w'Rv \text{ and } v \models A) \end{aligned}$$

One can also use the classical truth conditions for modalities and instead impose confluence properties on R and ≤ to ensure monotonicity. Two confluence properties considered in the literature are:

Forward confluence: if v ≥ w and wRw′, then there exists v′ ≥ w′ with vRv′. Backward confluence: if wRw′ and w′ ≤ v′, then there exists v ≥ w with vRv′.

In the setting of intuitionistic LTL, forward confluence alone suffices to obtain the monotonicity lemma [3]. Since Simpson [20] argues that an intuitionistic reading of possible world semantics results in models that also satisfy backward confluence, *intuitionistic modal logic* is generally used to refer to the logic obtained when adopting both conditions. Nevertheless, logics corresponding to weaker frame conditions, often called *constructive modal logics*, have also received considerable interest (see e.g. [2,23]).

In this work, the language of linear temporal logic is interpreted over models satisfying forward confluence and over models satisfying both forward and backward confluence; following the terminology in [3], these are referred to as *expanding* and *persistent* models, respectively. To date, neither logic has been given a sound and complete axiomatisation.<sup>1</sup> For each of the resulting logics, we present a cut-free, ill-founded sequent calculus. Both calculi employ a simple form of nested sequents so that formulas can be operated on at different temporal steps. This form of nesting has been used by Kojima and Igarashi [14] to obtain a finitary calculus for a constructive interpretation of LTL without the until operator.

A standard technique for showing completeness of an ill-founded calculus is to set up a proof search game between two players, Prover and Refuter, such

<sup>1</sup> A Hilbert-style axiomatisation exists for the 'eventually'-only fragment over expanding models [5], but the case of persistent models remains open.

that a winning strategy for Prover corresponds to a proof and a winning strategy for Refuter to a countermodel (see e.g. [1,19]). When applying this technique to the intuitionistic case, one needs to ensure that the constructed 'countermodel' satisfies the required frame conditions. We present such a proof search game for both logics. The use of nested sequents is crucial for the game as it enables postponing the application of non-invertible rules until all relevant information about future time steps is determined.

Intuitionistic temporal logics have been studied in different contexts, the most notable of which are *metaprogramming* and *topological dynamics*. The former involves the addition of temporal operators to λ-calculi with the aim of modelling aspects of metaprogramming such as staged computation (see e.g. [7,21,24]). The latter concerns the use of intuitionistic temporal logics to reason about dynamical topological systems. Fernández-Duque [11] introduced the logic ITL<sup>c</sup>, in which formulas of LTL are interpreted in general topological models, and showed that its restriction to the 'eventually' operator ♦ is decidable.<sup>2</sup> Boudou et al. [4] show the decidability of the same fragment interpreted in expanding models, denoted by ITL<sup>e</sup>, and provide a Hilbert-style axiomatisation for both logics in [5]. A calculus with ω-branching inference rules is given in [6] for ITL<sup>e</sup> extended with the 'henceforth' operator. To date, no recursive axiomatisation of the validities in persistent models is known.

Outline. Section 2 introduces the syntax and semantics of intuitionistic linear temporal logic iLTL. Section 3 presents the proof system iLTL<sup>e</sup><sub>nest</sub>, which is proven sound and complete with respect to expanding models in Sects. 4 and 5. In Sect. 6, we outline how iLTL<sup>e</sup><sub>nest</sub> can be adapted to obtain a system iLTL<sup>p</sup><sub>nest</sub> that is sound and complete with respect to persistent models.

# 2 Syntax and Semantics

Fix a countable set Prop of atomic propositions. *Formulas* of iLTL are defined inductively as follows:

$$A, B ::= \bot \mid p \mid A \land B \mid A \lor B \mid A \to B \mid \mathsf{X} A \mid A \mathbin{\mathsf{U}} B$$

where p ∈ Prop. We denote formulas by A, B, etc., and atomic propositions by p, q, etc. We define the formula X<sup>n</sup>A inductively by X<sup>0</sup>A := A and X<sup>n+1</sup>A := XX<sup>n</sup>A.

Formulas of iLTL are evaluated on *dynamic models*, which are intuitionistic Kripke models equipped with a time function that maps each world to its temporal successor.

Definition 1. *A* dynamic model *is a tuple* M = (W, ≤, f, V) *where*

*1.* W *is a non-empty set,*
*2.* ≤ *is a partial order on* W*,*
*3.* f : W −→ W *is a function, and*
*4.* V : W −→ P(Prop) *is a valuation function that is monotone in* ≤*, i.e., for all* w, v ∈ W*, if* w ≤ v*, then* V(w) ⊆ V(v)*.*

<sup>2</sup> In our notation, the eventually operator ♦ can be defined as ♦A := ⊤ U A.

Fig. 1. Forward and backward confluence.

Elements of W are called *worlds*. If w, v ∈ W such that f(w) = v, then v is called the *temporal successor* of w. If w ≤ v, then v is called an *intuitionistic successor* of w. We inductively define f<sup>0</sup>(w) := w and f<sup>n+1</sup>(w) := f(f<sup>n</sup>(w)).

Given a dynamic model M = (W, ≤, f, V), the *truth relation* M, w |= A, where w ∈ W, is defined by induction on A as follows.

M, w ⊭ ⊥,
M, w |= p iff p ∈ V(w),
M, w |= A ∧ B iff M, w |= A and M, w |= B,
M, w |= A ∨ B iff M, w |= A or M, w |= B,
M, w |= A → B iff for all v ≥ w, if M, v |= A, then M, v |= B,
M, w |= XA iff M, f(w) |= A,
M, w |= A U B iff there exists an n < ω such that M, f<sup>n</sup>(w) |= B and for all m < n we have M, f<sup>m</sup>(w) |= A.

Validity and satisfiability over a class of dynamic models are defined in the standard way.
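To make the truth clauses concrete, the following sketch evaluates formulas on a finite dynamic model. The encoding of formulas as tuples, the function name `holds` and the finite-orbit bound used for U are our own illustrative choices, not the paper's.

```python
# A small evaluator for the truth clauses on finite dynamic models.
# leq is the partial order given as a set of pairs (it must contain all
# reflexive pairs), f the successor function, V the monotone valuation.

def holds(M, w, phi):
    W, leq, f, V = M
    op = phi[0]
    if op == 'bot':
        return False
    if op == 'p':                # atomic proposition named phi[1]
        return phi[1] in V[w]
    if op == 'and':
        return holds(M, w, phi[1]) and holds(M, w, phi[2])
    if op == 'or':
        return holds(M, w, phi[1]) or holds(M, w, phi[2])
    if op == '->':               # quantifies over all intuitionistic successors
        return all(not holds(M, v, phi[1]) or holds(M, v, phi[2])
                   for v in W if (w, v) in leq)
    if op == 'X':
        return holds(M, f[w], phi[1])
    if op == 'U':                # the orbit of w under f repeats within |W| steps
        v = w
        for _ in range(len(W) + 1):
            if holds(M, v, phi[2]):
                return True
            if not holds(M, v, phi[1]):
                return False
            v = f[v]
        return False
    raise ValueError(op)

# Example: a two-world model where q holds only at the <=-successor world.
W = {0, 1}
leq = {(0, 0), (1, 1), (0, 1)}
f = {0: 0, 1: 1}
V = {0: set(), 1: {'q'}}
M = (W, leq, f, V)

# Excluded middle q ∨ (q → ⊥) fails at world 0, as expected intuitionistically.
lem = ('or', ('p', 'q'), ('->', ('p', 'q'), ('bot',)))
```

On this model `holds(M, 0, lem)` is false: q does not hold at 0, and the implication q → ⊥ fails at 0 because its ≤-successor 1 satisfies q.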

We consider dynamic models that satisfy certain confluence properties, namely forward and backward confluence, which are illustrated in Fig. 1.

Definition 2. *A dynamic model* M = (W, ≤, f, V) *is*

*–* expanding *if* M *is forward confluent: for all* w, v ∈ W*,*

*if* w ≤ v*, then* f(w) ≤ f(v)*,*

*–* persistent *if* M *is expanding and backward confluent: for all* w, v ∈ W*,*

*if* v′ ≥ f(w)*, then there exists* v ≥ w *with* f(v) = v′*.*

We denote by iLTL<sup>e</sup> and iLTL<sup>p</sup> the set of iLTL-validities over expanding and persistent models, respectively. It is easy to check that the temporal version of the **K**-axiom, namely X(A → B) → (XA → XB), is valid over expanding models. The converse (XA → XB) → X(A → B) is only valid over persistent models, and so we have iLTL<sup>e</sup> ⊊ iLTL<sup>p</sup>.
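The two frame conditions of Definition 2 can be tested directly on finite models. The checkers below are a hypothetical sketch (the function names are ours); the example model is forward confluent but not backward confluent, hence expanding but not persistent.

```python
# Checking the confluence conditions of Definition 2 on a finite model,
# with leq the partial order as a set of pairs and f the successor function.

def forward_confluent(W, leq, f):
    """Definition 2: w <= v implies f(w) <= f(v)."""
    return all((f[w], f[v]) in leq for (w, v) in leq)

def backward_confluent(W, leq, f):
    """Definition 2: v' >= f(w) implies f(v) = v' for some v >= w."""
    return all(any((w, v) in leq and f[v] == v2 for v in W)
               for w in W for v2 in W if (f[w], v2) in leq)

# Example: world 0 maps into world 1, which has a <=-successor 2 that no
# <=-successor of 0 reaches, so backward confluence fails.
W = {0, 1, 2}
leq = {(0, 0), (1, 1), (2, 2), (1, 2)}
f = {0: 1, 1: 1, 2: 2}
```

Here `forward_confluent(W, leq, f)` holds while `backward_confluent(W, leq, f)` does not, so the model is expanding but not persistent.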

With a straightforward induction, one can prove the monotonicity lemma for expanding models. Note that the lemma thus also holds for persistent models.

Lemma 1. *Let* M = (W, ≤, f, V) *be an expanding model,* w, v ∈ W *and* A *a formula. If* M, w |= A *and* w ≤ v*, then* M, v |= A*.*

# 3 Nested Ill-Founded Proofs

In this section we present an ill-founded sequent calculus that is sound and complete with respect to the class of expanding models. Proofs in this calculus are finitely-branching trees that admit infinitely long branches. Importantly, the calculus has no explicit induction rule and does not make use of the cut-rule.

To ensure soundness, infinite branches are required to satisfy a global soundness condition, which is presented in a standard way using formula traces. To ensure completeness, the calculus incorporates a simple form of *nesting*.

Definition 3. *A* nested iLTL-formula *is a tuple* (A, n)*, denoted by* A<sup>n</sup>*, with* A *an* iLTL*-formula and* n<ω*. A* sequent *is an ordered pair* Γ,Δ*, written as* Γ ⇒ Δ*, where* Γ *and* Δ *are finite sets of nested formulas.*

For the remainder of this paper we call nested formulas simply formulas. Formulas that are not nested are called *plain*. Observe that a sequent Γ ⇒ Δ may contain multiple formulas in Δ, i.e. we consider a multi-succedent calculus. The intended interpretation of a nested formula A<sup>n</sup> is the plain formula X<sup>n</sup>A. The interpretation of a sequent A<sub>1</sub><sup>m<sub>1</sub></sup>, ..., A<sub>k</sub><sup>m<sub>k</sub></sup> ⇒ B<sub>1</sub><sup>n<sub>1</sub></sup>, ..., B<sub>l</sub><sup>n<sub>l</sub></sup> is the plain formula

$$\bigwedge\_{1 \le i \le k} \mathsf{X}^{m\_i} A\_i \to \bigvee\_{1 \le j \le l} \mathsf{X}^{n\_j} B\_j$$

We write M, w |= A<sup>n</sup> if M, w |= X<sup>n</sup>A, and M, w |= Γ ⇒ Δ if M, w satisfies the interpretation of Γ ⇒ Δ. For any set Γ of nested formulas, we define Γ<sup>+1</sup> = {A<sup>n+1</sup> : A<sup>n</sup> ∈ Γ}.
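The interpretation above is easy to realise as a translation. The following string-based rendering is our own sketch; `plain`, `interpret` and `shift` are illustrative names, with `shift` computing Γ<sup>+1</sup>.

```python
# Translating nested formulas and sequents into their plain readings.
# A nested formula is a pair (A, n), standing for X^n A.

def plain(nested):
    """Render the nested formula (A, n) as the plain formula X^n A."""
    a, n = nested
    return 'X' * n + a

def interpret(gamma, delta):
    """The plain-formula interpretation of the sequent gamma => delta:
    the conjunction of the left side implies the disjunction of the right."""
    left = ' & '.join(plain(x) for x in gamma) or 'true'
    right = ' | '.join(plain(x) for x in delta) or 'false'
    return f'({left}) -> ({right})'

def shift(gamma):
    """The set Γ^{+1}: raise the nesting level of every formula by one."""
    return [(a, n + 1) for (a, n) in gamma]
```

For instance, `interpret([('p', 1), ('q', 0)], [('r', 2)])` yields `'(Xp & q) -> (XXr)'`, the plain reading of the sequent p<sup>1</sup>, q<sup>0</sup> ⇒ r<sup>2</sup>.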

Definition 4. *The sequent calculus* iLTL<sup>e</sup><sub>nest</sub> *consists of the rules in Fig. 2. Rules without premises are called* axioms*.*

The propositional rules of iLTL<sup>e</sup><sub>nest</sub> are based on the multi-succedent calculus **G3im** of Negri and von Plato [18], and the nesting is inspired by the work of Kojima and Igarashi [14]. The rule →L differs from the presentation in Negri and von Plato in that there is no weakening in the left premise, which makes →L invertible. The choice of a multi-succedent rather than a single-succedent calculus is motivated by the former's better compatibility with proof search. Observe that the rule →R has only a single formula in the succedent of its premise, ensuring that the law of excluded middle is not derivable. Moreover, →R can only be applied to implications at nesting level 0. Relaxing this restriction by allowing implications of arbitrary nesting depth is unsound for expanding models but sound and complete for persistent models (see Sect. 6).

The U-rules capture the equivalence A U B ≡ B ∨ (A ∧ X(A U B)) and the 'shift' rule S captures modal necessitation. The rules XL and XR are purely structural, as XA<sup>n</sup> has the same interpretation as A<sup>n+1</sup>. Moreover, note that all rules except S and →R are invertible in the sense that the conclusion is valid

Fig. 2. Rules of the system iLTL<sup>e</sup><sub>nest</sub>: the axioms id and ⊥L, left and right rules for ∧, ∨, →, X and U, and the shift rule S. The symbols Γ, Δ, Σ and Π range over arbitrary finite sets of nested formulas, which may be empty.

if and only if the premises are.<sup>3</sup> We will therefore refer to S and →R as the *non-invertible rules* and to all other rules as the *invertible rules*.

It will be helpful to refer to formulas according to their role in a particular rule application. For each rule, the distinguished formula in the conclusion is called *principal* and the distinguished formulas in the premises are called its *residuals*; for example, in →L the principal formula is (A → B)<sup>n</sup> and its residuals are (A → B)<sup>n</sup>, A<sup>n</sup> and B<sup>n</sup>. In S, all formulas in the conclusion are principal and each formula in the premise is the residual of its corresponding principal formula; in particular, formulas in Σ and Π have no residual. In every rule application, any formula that is neither principal nor residual is called a *side formula*.

A *derivation* in iLTL<sup>e</sup><sub>nest</sub> of a sequent σ is a finite or infinite tree whose nodes are labelled according to the rules of iLTL<sup>e</sup><sub>nest</sub> and whose root is labelled by σ. We will read trees 'upwards', so the nodes labelled by premises are viewed as successors of the node labelled by the conclusion. A *path* through such a derivation T is a finite or infinite sequence ρ<sub>0</sub>, ρ<sub>1</sub>, ... of nodes of T such that for each index i, ρ<sub>i+1</sub> is a direct successor of ρ<sub>i</sub> in T.

Definition 5. *Let* ρ *be a path through a derivation* T*. A* (formula) trace *on* ρ *is a finite or infinite sequence of nested formulas* A<sub>0</sub>, A<sub>1</sub>, ... *such that for each index* i *the following hold.*

*1.* A<sub>i</sub> *occurs on the left-hand side of the sequent labelling* ρ<sub>i</sub>*;*

<sup>3</sup> This is a semantic notion of invertibility. The syntactic invertibility of these rules, meaning that the conclusion is provable if and only if the premises are, will follow from soundness and completeness.


For any rule R, we say that a trace (A<sub>i</sub>)<sub>i</sub> *actively passes through* R if there is an index j such that A<sub>j</sub> is a principal formula in an application of R.

Definition 6. *A formula trace is* good *if it actively passes through infinitely many applications of the rule* UL*.*

The following lemma describes a straightforward yet key property of good formula traces.

Lemma 2. *If* (A<sub>i</sub>)<sub>i</sub> *is a good formula trace, then there is a plain formula of the form* A U B *and some* j < ω *such that for all* k ≥ j*,* A<sub>k</sub> *is of the form* (A U B)<sup>m<sub>k</sub></sup> *or* X(A U B)<sup>m<sub>k</sub></sup> *for some* m<sub>k</sub> < ω*.*

A proof in iLTL<sup>e</sup><sub>nest</sub> is defined as follows.

Definition 7. *An* iLTL<sup>e</sup><sub>nest</sub>*-derivation* T *of a sequent* σ *is a* proof of σ *if every leaf of* T *is labelled by an axiom and every infinite branch of* T *contains a good formula trace.*


# 4 Soundness

This section establishes soundness of iLTL<sup>e</sup><sub>nest</sub> with respect to the class of expanding models. The proof proceeds via a standard argument using *signatures*: maps that associate a natural number to each 'relevant' formula in a sequent σ. We assume towards a contradiction that there is a proof π of an invalid sequent σ. Then, using a countermodel of σ, we find an infinite path ρ of invalid sequents in π and assign a signature to each of them. By ensuring that these signatures never increase, and strictly decrease when passing through the UL-rule, it follows that a good formula trace on ρ corresponds to an infinite descent of natural numbers. The aforementioned 'relevant' formulas are called *eventualities*.

For a sequent σ, let Γ<sub>σ</sub> and Δ<sub>σ</sub> denote, respectively, the left-hand and right-hand side of σ.

Definition 8. *An* eventuality *is a formula of the form* X<sup>j</sup>(A U B)<sup>n</sup> *with* n, j < ω*. Given a sequent* σ*, a formula* E *is an* eventuality of σ *if* E *is an eventuality occurring in* Γ<sub>σ</sub>*.*

Let U<sup>k</sup> be the operator defined inductively by A U<sup>0</sup> B = B and A U<sup>k+1</sup> B = A ∧ X(A U<sup>k</sup> B). For an eventuality E = X<sup>j</sup>(A U B)<sup>n</sup> and k < ω define

$$E[k] := \mathsf{X}^j (A \mathbin{\mathsf{U}^k} B)^n.$$

Given a sequent σ, a *signature for* σ is a map τ which assigns a natural number to each eventuality of σ. By Γ<sub>σ</sub>[τ] we denote the set obtained from Γ<sub>σ</sub> by replacing each eventuality E with E[τ(E)]. Furthermore, we let σ[τ] denote the sequent Γ<sub>σ</sub>[τ] ⇒ Δ<sub>σ</sub>.
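On a finite model whose worlds form a single orbit under f, the least signature value of an eventuality can be computed by unfolding U<sup>k</sup>. The sketch below is our own illustration for the case j = n = 0: `bounded_until` implements A U<sup>k</sup> B exactly as defined above, and the sets `a` and `b` mark the worlds where A and B hold.

```python
# Computing the least k with w |= A U^k B, where A U^0 B = B and
# A U^{k+1} B = A ∧ X(A U^k B), on a finite successor function f.

def bounded_until(f, a, b, w, k):
    """w |= A U^k B: A holds at the first k worlds of the orbit, B at step k."""
    for _ in range(k):
        if w not in a:
            return False
        w = f[w]
    return w in b

def signature(f, a, b, w):
    """The least k with w |= A U^k B, or None if A U B fails at w."""
    for k in range(len(f) + 1):   # on a finite model the orbit repeats by |W|
        if bounded_until(f, a, b, w, k):
            return k
    return None

# Example: B is first reached after two steps along the orbit of world 0.
f = {0: 1, 1: 2, 2: 2}
a = {0, 1}
b = {2}
```

Here `signature(f, a, b, 0)` returns 2, the value the soundness argument would assign to the eventuality (A U B)<sup>0</sup> at world 0, and shrinking `a` so that A fails en route makes the signature undefined.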

Theorem 1. *Every sequent provable in* iLTL<sup>e</sup><sub>nest</sub> *is valid over the class of expanding models.*

*Proof.* Let π be an iLTL<sup>e</sup><sub>nest</sub>-proof of σ and suppose, for contradiction, that σ is not valid. Let M = (W, ≤, f, V) be an expanding model and w ∈ W such that M, w ⊭ σ. For brevity, we will identify each node in π with the sequent that labels it.

We will inductively define a path (σ<sub>i</sub>)<sub>i</sub> of sequents through π, a sequence of worlds (w<sub>i</sub>)<sub>i</sub> in M and a sequence of signatures (τ<sub>i</sub>)<sub>i</sub> such that the following hold for every i < ω:

	- (a) τ<sub>i</sub>(E) is the least natural number k such that w<sub>i</sub> |= E[k];
	- (b) if E is a side formula in the rule application with conclusion σ<sub>i</sub>, then E is an eventuality of σ<sub>i+1</sub> and τ<sub>i+1</sub>(E) ≤ τ<sub>i</sub>(E).

We define (σ<sub>i</sub>)<sub>i</sub>, (w<sub>i</sub>)<sub>i</sub> and (τ<sub>i</sub>)<sub>i</sub> as follows.

Set σ<sub>0</sub> = σ. Since w ⊭ σ, there exists a v ≥ w such that v |= A<sup>n</sup> for every A<sup>n</sup> ∈ Γ<sub>σ</sub> and v ⊭ B<sup>n</sup> for every B<sup>n</sup> ∈ Δ<sub>σ</sub>. Set w<sub>0</sub> = v and, for every eventuality E in Γ<sub>σ</sub>, define τ<sub>0</sub>(E) to be the least k such that w<sub>0</sub> |= E[k].

Suppose σ<sub>i</sub>, w<sub>i</sub> and τ<sub>i</sub> are given. We use a case distinction based on the rule applied at σ<sub>i</sub> in π (i.e. the rule that has σ<sub>i</sub> as conclusion). Note that this rule cannot be an axiom, since w<sub>i</sub> ⊭ σ<sub>i</sub>. We only show the cases →R, XL, S and UL; the other cases are treated in a straightforward way.

	- S: Suppose σ<sub>i</sub> = (Σ, Γ<sup>+1</sup> ⇒ Δ<sup>+1</sup>, Π) such that Γ ⇒ Δ is the premise of the rule application. Let σ<sub>i+1</sub> = (Γ ⇒ Δ), w<sub>i+1</sub> = f(w<sub>i</sub>) and τ<sub>i+1</sub>(A<sup>n</sup>) = τ<sub>i</sub>(A<sup>n+1</sup>) for every eventuality A<sup>n</sup> in Γ.

Alternatively, if τ<sub>i</sub>((A U B)<sup>n</sup>) > 0, let σ<sub>i+1</sub> = (Γ, A<sup>n</sup>, X(A U B)<sup>n</sup> ⇒ Δ) and w<sub>i+1</sub> = w<sub>i</sub>. If A<sup>n</sup> is an eventuality and not in Γ, let τ<sub>i+1</sub> map A<sup>n</sup> to the least k such that w<sub>i+1</sub> |= A<sup>n</sup>[k]. Define τ<sub>i+1</sub>(X(A U B)<sup>n</sup>) = τ<sub>i</sub>((A U B)<sup>n</sup>) − 1. On other eventualities, τ<sub>i+1</sub> acts as τ<sub>i</sub>.

It is easy to verify that (σ<sub>i</sub>)<sub>i</sub>, (w<sub>i</sub>)<sub>i</sub> and (τ<sub>i</sub>)<sub>i</sub> satisfy properties 1–3.

Since π is a proof, the infinite branch (σ<sub>i</sub>)<sub>i</sub> must contain a good trace (A<sub>i</sub>)<sub>i≥j</sub> starting in some sequent σ<sub>j</sub>. By Lemma 2, we may assume that this trace only passes actively through the rules XL, S and UL, and it cannot pass through the latter in a degenerative way.<sup>4</sup> Now consider the infinite sequence (τ<sub>i</sub>(A<sub>i</sub>))<sub>i≥j</sub> of natural numbers. Note that, by property 3(b), if A<sub>i</sub> is a side formula then τ<sub>i+1</sub>(A<sub>i+1</sub>) ≤ τ<sub>i</sub>(A<sub>i</sub>). Moreover, if A<sub>i</sub> is principal in an application of XL or S then τ<sub>i+1</sub>(A<sub>i+1</sub>) = τ<sub>i</sub>(A<sub>i</sub>), and if A<sub>i</sub> is principal in a (non-degenerative) application of UL then τ<sub>i+1</sub>(A<sub>i+1</sub>) < τ<sub>i</sub>(A<sub>i</sub>). As the trace is good, the latter case occurs infinitely often, and so we obtain an infinite, strictly decreasing sequence of natural numbers and thereby a contradiction.

# 5 Completeness

This section establishes completeness of iLTL<sup>e</sup><sub>nest</sub> with respect to the class of expanding models. For each sequent σ we construct an infinite two-player game between *Prover* (Prov) and *Refuter* (Ref) such that a winning strategy for Prov corresponds to a proof of σ and a winning strategy for Ref to the existence of a countermodel for σ. The game will be played on a *proof search tree*, which is a finitely branching, ill-founded tree that presents a systematic search for a proof of σ. In this tree, non-invertible rules will only be applied to *saturated* sequents.

Definition 9. *A sequent* Γ ⇒ Δ *is* left-saturated *if the following hold.*


*The sequent is* saturated *if, in addition,*

*6. if* (A ∧ B)<sup>n</sup> ∈ Δ*, then* A<sup>n</sup> ∈ Δ *or* B<sup>n</sup> ∈ Δ*;*
*7. if* (A ∨ B)<sup>n</sup> ∈ Δ*, then* A<sup>n</sup>, B<sup>n</sup> ∈ Δ*;*
*8. if* XA<sup>n</sup> ∈ Δ*, then* A<sup>n+1</sup> ∈ Δ*;*
*9. if* (A U B)<sup>0</sup> ∈ Δ*, then* B<sup>0</sup>, A<sup>0</sup> ∈ Δ *or* B<sup>0</sup>, X(A U B)<sup>0</sup> ∈ Δ*.*

*Given a sequent* σ*, we say that a formula* φ *is* saturated in σ *if* σ *satisfies the relevant saturation clause for* φ*.*

Note that the saturation clause for right U-formulas is restricted to the zeroth nesting level. The saturation clause for left U-formulas is needed to ensure that the valuation of the countermodel constructed from a failed proof search is monotone. This will become evident once we define such countermodels later in this section.

<sup>4</sup> Formally, a trace (A<sub>i</sub>)<sub>i</sub> *passes degeneratively through* UL if there is an A<sub>j</sub> of the form (A U B)<sup>n</sup> such that A<sub>j+1</sub> ∈ {A<sup>n</sup>, B<sup>n</sup>}.

As we are working with set sequents, formulas can simultaneously function as principal and side formulas. To avoid creating infinite branches with no good trace, one needs to be explicit about how rules may be applied in the proof search tree. We call an application of a rule *succinct* if the principal formula(s) is not also a side formula, and *preserving* if the principal formula(s) is also a side formula. For example, an application of XL of the form given in Fig. 2 is succinct if XA<sup>n</sup> ∉ Γ and preserving if XA<sup>n</sup> ∈ Γ. Rule applications of →R and S are always succinct. Note that succinct and preserving are dual notions; we find it useful to refer to them as separate concepts as they each highlight a key property of the proof search tree.

Definition 10. *A* proof search tree T *for a sequent* σ *is a finite or infinite tree whose nodes are labelled according to the rules of* iLTL<sup>e</sup><sub>nest</sub> *and in which the following holds.*


$$\frac{\Sigma, \Gamma^{+1}, A_0^0 \Rightarrow B_0^0 \quad \dots \quad \Sigma, \Gamma^{+1}, A_k^0 \Rightarrow B_k^0 \qquad \Gamma \Rightarrow \Delta}{\Sigma, \Gamma^{+1} \Rightarrow (A_0 \to B_0)^0, \dots, (A_k \to B_k)^0, \Delta^{+1}, \Pi}\ \mathsf{C},$$

*where it is required that every formula in* Σ ∪ Π *is of nesting level* 0*,* Π *does not contain a formula of the form* (A → B)<sup>0</sup> *and the conclusion is a saturated sequent. We call the premises of the form* Σ, Γ<sup>+1</sup>, A<sub>i</sub><sup>0</sup> ⇒ B<sub>i</sub><sup>0</sup> *the* left premises*, and* Γ ⇒ Δ *the* right premise *of* C*.*

The 'choice' rule C represents a choice between non-invertible rules that Prov has to make once the sequent is saturated. Note that the empty sequent is saturated; an empty sequent in a proof search tree can only be the conclusion of a C-rule and has another empty sequent as its only direct successor.

Given a sequent σ, one can build a proof search tree as follows. First try to saturate all left formulas by succinctly applying invertible left rules. If a left-saturated sequent is obtained, saturate all right formulas by preservingly applying invertible right rules, then apply C and start over. Observe that it is possible that some branches in a proof search tree do not contain a saturated sequent, due to the fifth saturation clause.

The following lemmas describe some key properties of proof search trees. For a node s in a proof search tree, we write Γ<sup>s</sup> ⇒ Δ<sup>s</sup> to denote the sequent labelling the node s.

Lemma 3. *If* T *is a proof search tree wherein* s ∈ T *is the conclusion of a* <sup>C</sup>*-application with right premise* <sup>t</sup> <sup>∈</sup> <sup>T</sup>*, then the following hold.*

*1.* t *is labelled by a left-saturated sequent;*

*2. if* r ≥ t *and no* C*-application occurs between* t *and* r*, then* Γ<sub>r</sub> = Γ<sub>t</sub>*.*

Lemma 4. *Every infinite branch of a proof search tree* T *contains infinitely many applications of* UL *or* C*.*

*Proof.* Let (ρ<sub>i</sub>)<sub>i<λ</sub> be a branch of T (where λ ≤ ω). Suppose there exists a suffix (ρ<sub>i</sub>)<sub>j≤i<λ</sub> that contains no applications of UL or C. Due to properties 3 to 5 of the proof search tree, there exists a k ≥ j such that all formulas except for left U-formulas are saturated in ρ<sub>k</sub>. The only rules which may be applied at that point are UL or C, showing that (ρ<sub>i</sub>)<sub>i<λ</sub> must be finite.

Lemma 5. *Every infinite branch of a proof search tree* T *that contains only finitely many* C*-applications has a suffix with a good formula trace.*

*Proof.* Let β be an infinite branch of T with finitely many C-applications. Let ρ be a suffix of β that starts after the last C-application. By the previous lemma, ρ must contain infinitely many applications of UL. We show that ρ contains a good trace.

Consider the tree T<sub>ρ</sub> of formula traces on ρ (add a fresh node as the root). Now let T′<sub>ρ</sub> be the tree obtained from T<sub>ρ</sub> by identifying consecutive nodes that are labelled by the same formula. Note that T′<sub>ρ</sub> cannot be finite, since ρ must contain infinitely many applications of UL and this rule may not be applied to formulas that also function as side formulas. By König's lemma, T′<sub>ρ</sub> contains an infinite branch. Note that this branch corresponds to an infinite formula trace (A<sub>i</sub>)<sub>i</sub> on ρ that does not stagnate on a side formula, that is, (A<sub>i</sub>)<sub>i</sub> actively passes through a left rule infinitely often. Properties 3 to 5 of the proof search tree and the absence of C-applications then imply that (A<sub>i</sub>)<sub>i</sub> actively passes through UL infinitely often.

We are now ready to define the notion of a refutation which corresponds to a winning strategy for Ref.

Definition 11. *A* refutation *of a sequent* σ *is a subtree* R *of a proof search tree* T *for* σ *such that the following hold.*


Note that the final condition above together with Lemma 4 implies that every branch in a refutation must contain infinitely many applications of the C-rule.

Proposition 1. *Every sequent with a refutation has an expanding countermodel.*

The proof of the above proposition is provided in the following section. For now, we turn to defining the proof search game which is instrumental in the completeness proof.

Given a sequent σ and a proof search tree T for σ, the *proof search game* <sup>G</sup>(T,σ) is defined as follows. The game is played by two *players* Prov and Ref. The *arena* of the game is the proof search tree T. Each *play* starts in the root of T, which is labelled by σ. If the current play is in position t, where t is a node of T, and t is owned by player P ∈ {Prov, Ref}, then P *plays* by choosing a direct successor of t in T. Prov owns all positions that are conclusions of applications of the C-rule while every other position is owned by Ref. If a play reaches a node that has no successors (i.e. an axiom), then the play ends and is called *finite*; otherwise the play is called *infinite*. Observe that every play directly corresponds to a branch of T. The *winning conditions* are as follows: finite plays are won by Prov and infinite plays are won by Prov if the infinite branch of T to which the play corresponds contains a good trace, and won by Ref otherwise. We make use of the standard notion of a *(winning) strategy* for players. The following lemma is then a straightforward consequence of the winning conditions of the game <sup>G</sup>(T,σ).
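The mechanics of a play can be sketched on a finite fragment of the arena. The following Python snippet is our own minimal illustration; the tree encoding and all function names are hypothetical, not taken from the paper.

```python
def play(tree, is_c_conclusion, prov_strategy, ref_strategy, root):
    """Simulate one play of the proof search game on a finite tree fragment.

    `tree` maps each node to the list of its direct successors.  A node that
    is the conclusion of a C-application is owned by Prov; every other node
    is owned by Ref.  A strategy maps a node owned by a player to one of
    its successors.
    """
    position, path = root, [root]
    while tree[position]:  # a node without successors is an axiom
        strategy = prov_strategy if is_c_conclusion(position) else ref_strategy
        position = strategy(position)
        path.append(position)
    return path  # a finite play, won by Prov
```

On the full (possibly infinite) arena the loop need not terminate; infinite plays are then scored by the good-trace condition described above.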

Lemma 6. *If there is a winning strategy for* Prov *in* <sup>G</sup>(T,σ)*, then* <sup>σ</sup> *has a* iLTL<sup>e</sup> nest*-proof, and if there is a winning strategy for* Ref*, then* σ *has a refutation.*

As the set of winning plays (for each player) is Borel, it follows from Martin's determinacy theorem [17] that the game <sup>G</sup>(T,σ) is determined for any sequent σ and proof search tree T. That is, exactly one player has a winning strategy in <sup>G</sup>(T,σ). As every sequent has a proof search tree, completeness of iLTL<sup>e</sup> nest is then obtained as a direct consequence of Proposition 1 and Lemma 6.

Theorem 2. *Every sequent valid over the class of expanding models is provable in* iLTL<sup>e</sup> nest*.*

### 5.1 Proof of Proposition 1

Let R be a refutation of σ. Recall that, for any node s ∈ R, Γ<sup>s</sup> ⇒ Δ<sup>s</sup> denotes the sequent labelling <sup>s</sup>. We define a dynamic model <sup>M</sup> = (W, <sup>≤</sup>,f,V ) as follows.


$f(w) = v$ iff there exist $s \in w$ and $t \in v$ such that $s$ is the conclusion and $t$ is the *right* premise of the same C-application.

Note that f is a total function, since every branch of R contains infinitely many C-applications and every C-application has a right premise.

3. First define the relation ≤<sup>0</sup> on W by

$w \leq_0 v$ iff there exist $s \in w$ and $t \in v$ such that $s$ is the conclusion and $t$ a *left* premise of the same C-application.

Then let ≤ be the transitive reflexive closure of the relation

$$\leq\_1 := \{ (f^n(w), f^n(v)) : w \leq\_0 v \text{ and } n < \omega \}.$$

4. Define the valuation by $V(w) = \{p \in \mathrm{Prop} : p^0 \in \Gamma_w\}$, where $\Gamma_w = \bigcup_{s \in w} \Gamma_s$.

Analogously to $\Gamma_w$, we write $\Delta_w$ for $\bigcup_{s \in w} \Delta_s$.
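On a finite fragment of $W$, the passage from $\leq_1$ to its reflexive transitive closure $\leq$ is a standard Warshall-style saturation. The sketch below is our own illustration (the countermodel itself may have infinitely many worlds, so this only applies to a finite fragment):

```python
from itertools import product

def refl_trans_closure(worlds, rel):
    """Reflexive-transitive closure of a relation given as a set of pairs.

    `worlds` is a finite list of worlds and `rel` a set of pairs (w, v);
    purely illustrative, since the model built in the text may be infinite.
    """
    closure = set(rel) | {(w, w) for w in worlds}      # reflexivity
    for k, i, j in product(worlds, repeat=3):          # k varies slowest
        if (i, k) in closure and (k, j) in closure:    # transitivity
            closure.add((i, j))
    return closure
```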

Lemma 7. M *is an expanding model.*

*Proof.* Forward confluence follows directly from the definition of ≤1. For monotonicity of the valuation, note that it suffices to show that the valuation is monotone along the relation ≤1. In the following, we write [t] for the equivalence class of t with respect to ∼.

Let $w, v \in W$ with $w \leq_1 v$. Then there exist $n < \omega$ and $s, t \in R$ such that $w = f^n([s])$, $v = f^n([t])$ and $t$ is a left premise of a C-application on $s$. Note that this means that $w$ is reached from $[s]$ by applying the C-rule $n$ times while always taking the right premise, and similarly for $v$ and $[t]$. From Lemma 3 and the definition of C, it follows that for any atomic proposition $p$,

$$p^0 \in \Gamma\_{f^n([s])} \text{ implies } p^n \in \Gamma\_{[s]},\tag{1}$$

$$p^n \in \Gamma\_{[t]} \qquad \text{implies } p^0 \in \Gamma\_{f^n([t])}.\tag{2}$$

So we have the following chain of implications

$$p^0 \in \Gamma\_{f^n([s])} \stackrel{(1)}{\Longrightarrow} p^n \in \Gamma\_{[s]} \Longrightarrow p^n \in \Gamma\_{[t]} \stackrel{(2)}{\Longrightarrow} p^0 \in \Gamma\_{f^n([t])},$$

where the middle implication follows from the definition of <sup>C</sup>. This shows <sup>V</sup> (w) <sup>⊆</sup> V (v) as required.

Lemma 8. *For any $w \in W$, we have $\mathcal{M}, w \models \Gamma_w$ and $\mathcal{M}, w \not\models \Delta_w$.*

*Proof.* Let $A$ be a formula. By induction on the logical complexity of $A$, we simultaneously prove that for any $w \in W$ and $n < \omega$ we have (a) $w \models A^n$ if $A^n \in \Gamma_w$, and (b) $w \not\models A^n$ if $A^n \in \Delta_w$.

We only treat the propositional case and the connectives → and U. The proof relies on the C-rule being applied only on a saturated conclusion. Thus the sequent Γ<sup>w</sup> ⇒ Δ<sup>w</sup> is saturated for every w ∈ W.

We begin with (a). Suppose $A^n \in \Gamma_w$. If $A \in \mathrm{Prop}$, then $A^0 \in \Gamma_{f^n(w)}$ and thus $w \models \mathsf{X}^n A$. If $A = B \mathbin{\mathsf{U}} C$, by saturation there exists an $m \geq n$ such that $C^m \in \Gamma_w$ and $B^k \in \Gamma_w$ for all $n \leq k < m$. Thus $w \models A^n$ by the IH. This leaves the case $A = B \to C$. Let $s \in w$ be the (unique) conclusion of a C-application. By definition of $\to_{\mathrm{L}}$, we have $C^n \in \Gamma_w$ or $(B \to C)^n \in \Gamma_s$. In the first case, the IH implies $w \models C^n$, hence $w \models A^n$. The second case is more involved. We have $A^0 \in \Gamma_{f^n(w)}$ by Lemma 3. Define $u := f^n(w)$ and let $v \geq u$. We restrict ourselves to the case that $v \geq_1 u$; the argument can be extended to the general case using the monotonicity lemma. Let $r, t \in R$ and $m < \omega$ be such that $u = f^m([r])$, $v = f^m([t])$ and $t$ is a left premise of a C-application with conclusion $r$. Since $A^0 \in \Gamma_u$, we have $A^m \in \Gamma_r$ (by Lemma 3), which implies that $A^m \in \Gamma_t$. As before, we then have $C^m \in \Gamma_{[t]}$ or $A^m \in \Gamma_{t'}$, where $t' \in [t]$ is the conclusion of a C-application. This implies $v \models C^0$ (by the IH) or $A^0 \in \Gamma_v$ (by Lemma 3). In the second case, saturation implies that $C^0 \in \Gamma_v$ or $B^0 \in \Delta_v$. Applying the IH, either $v \models C^0$ or $v \not\models B^0$. Thus $u \models A^0$ and thereby $w \models A^n$.

We now consider (b). Suppose $A^n \in \Delta_w$. If $A \in \mathrm{Prop}$, then $A^n \notin \Gamma_w$, since no sequent in $R$ can be an axiom. By the same argument used to obtain (1), we have $A^0 \notin \Gamma_{f^n(w)}$ and thus $w \not\models \mathsf{X}^n A$. If $A = B \to C$, then $A^0 \in \Delta_{f^n(w)}$. As the C-rule must be applied to some (namely the highest) sequent in the equivalence class $f^n(w)$, it must be the case that $f^n(w)$ has an intuitionistic successor $v$ such that $B^0 \in \Gamma_v$ and $C^0 \in \Delta_v$. The IH then implies $f^n(w) \not\models A^0$ and thus $w \not\models A^n$.

Finally, if $A = B \mathbin{\mathsf{U}} C$, then $A^0 \in \Delta_{f^n(w)}$ because $\mathsf{U}_{\mathrm{R}}$-applications are preserving. Saturation and the IH imply $f^n(w) \not\models C^0$ and either $f^n(w) \not\models B^0$ or $A^1 \in \Delta_{f^n(w)}$. Similarly, for every $m \geq n$, if $A^1 \in \Delta_{f^m(w)}$, then $f^{m+1}(w) \not\models C^0$ and either $f^{m+1}(w) \not\models B^0$ or $A^1 \in \Delta_{f^{m+1}(w)}$. So either there exists an $m \geq n$ such that $f^m(w) \not\models B^0$ and $f^k(w) \not\models C^0$ for all $n \leq k \leq m$, or $f^m(w) \not\models C^0$ for all $m \geq n$. Either way, $w \not\models A^n$.

We conclude that the expanding model M falsifies σ.

#### 5.2 A Sequent Unprovable with Bounded Nesting

We have shown that the calculus iLTL<sup>e</sup> nest is complete with respect to the class of expanding models via a proof search argument. However, our argument does not yield regular completeness. Observe that in the construction of the proof search tree, no bound is given on the nesting depth occurring in sequents. Indeed, in order to saturate U-formulas on the left, one has to keep unfolding them until the left premise is chosen, which, in the case of a successful branch, might never happen. Hence, proofs might have arbitrarily large nesting depth, and there is thus no guarantee that infinite branches will contain repetitions. This observation raises the question of whether the completeness proof can be adapted to obtain a bound on the nesting depth occurring in iLTL<sup>e</sup> nest-proofs. Unfortunately, this is not possible, as there are sequents that are not provable in iLTL<sup>e</sup> nest with bounded nesting depth. An example is the sequent

$$
\Diamond(A \lor B)^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0,
$$

where $\Diamond A := \top \mathbin{\mathsf{U}} A$ and $\top := \bot \to \bot$. For brevity, instead of the U-rules we will use the following rules for ♦.

$$\frac{\Gamma, A^n \Rightarrow \Delta \quad \Gamma, \mathsf{X} \Diamond A^n \Rightarrow \Delta}{\Gamma, \Diamond A^n \Rightarrow \Delta} \quad \Diamond \mathbf{L} \qquad \frac{\Gamma \Rightarrow A^n, \mathsf{X} \Diamond A^n, \Delta}{\Gamma \Rightarrow \Diamond A^n, \Delta} \text{ } \Diamond \mathbf{R}$$

It is easy to see that any formula in the ♦-fragment of iLTL is provable in iLTL<sup>e</sup> nest if and only if it is provable in iLTL<sup>e</sup> nest with the ♦-rules instead of the U-rules.
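Read bottom-up, the two ♦-rules simply compute premises from a conclusion. Below is a small Python sketch; the encoding of annotated formulas as pairs `(formula, n)` and the function names are our own illustration, not the paper's.

```python
def diamond_left(gamma, delta, A, n):
    """Premises of ♦L applied to Γ, ♦A^n ⇒ Δ, read bottom-up.

    A sequent is a pair of frozensets of annotated formulas; `gamma` and
    `delta` are the side contexts Γ and Δ.  Formulas are nested tuples,
    e.g. ('X', ('dia', A)).  Purely illustrative encoding.
    """
    return [(gamma | {(A, n)}, delta),
            (gamma | {(('X', ('dia', A)), n)}, delta)]

def diamond_right(gamma, delta, A, n):
    """The single premise of ♦R applied to Γ ⇒ ♦A^n, Δ, read bottom-up."""
    return (gamma, delta | {(A, n), (('X', ('dia', A)), n)})
```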

Let us now consider the following proof <sup>π</sup> of the sequent ♦(<sup>A</sup> <sup>∨</sup> <sup>B</sup>)<sup>0</sup> <sup>⇒</sup> <sup>C</sup> <sup>→</sup> ♦A<sup>0</sup>, C <sup>→</sup> ♦B<sup>0</sup>.

$$
\dfrac{\dfrac{\pi\_0}{(A \lor B)^0 \Rightarrow \Delta} \qquad
\dfrac{\dfrac{\dfrac{\pi\_1}{(A \lor B)^1 \Rightarrow \Delta} \qquad
\dfrac{\dfrac{\vdots}{\Diamond(A \lor B)^2 \Rightarrow \Delta}}{\mathsf{X}\Diamond(A \lor B)^1 \Rightarrow \Delta}\ \mathsf{X}\mathbf{L}}{\Diamond(A \lor B)^1 \Rightarrow \Delta}\ \Diamond\mathbf{L}}{\mathsf{X}\Diamond(A \lor B)^0 \Rightarrow \Delta}\ \mathsf{X}\mathbf{L}}{\Diamond(A \lor B)^0 \Rightarrow \Delta}\ \Diamond\mathbf{L}
$$

where $\Delta$ abbreviates $C \to \Diamond A^0, C \to \Diamond B^0$.

The subproof π<sup>0</sup> is given as follows.

$$
\dfrac{\dfrac{\dfrac{\overline{A^0, C^0 \Rightarrow A^0, \mathsf{X}\Diamond A^0}\ \mathrm{id}}{A^0, C^0 \Rightarrow \Diamond A^0}\ \Diamond\mathbf{R}}{A^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ {\to}\mathbf{R} \qquad
\dfrac{\dfrac{\overline{B^0, C^0 \Rightarrow B^0, \mathsf{X}\Diamond B^0}\ \mathrm{id}}{B^0, C^0 \Rightarrow \Diamond B^0}\ \Diamond\mathbf{R}}{B^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ {\to}\mathbf{R}}{(A \lor B)^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ {\lor}\mathbf{L}
$$

The subproof π<sup>1</sup> is similar, the only difference being that the formulas ♦A<sup>0</sup> and ♦B<sup>0</sup> have to be unfolded twice to reach an axiom instead of just once. In the same way, we obtain the subproofs π<sup>i</sup> for each i<ω.

Note that π is indeed a proof: it contains only one infinite branch, and this branch contains a good trace; moreover, the nesting depth in π is unbounded. Furthermore, note that *any* proof of this sequent will have an infinite branch on the right with unbounded nesting levels. Working bottom-up, applying any rule other than ♦L to the root sequent results in an unprovable sequent, and applying any rule other than XL to its right premise likewise results in an unprovable sequent. The same argument applies to each sequent in the right-most branch of π.

Interestingly, when analytic cuts are allowed, there is a proof of this sequent with nesting depth bounded by 1, the cut formula being ♦A ∨ ♦B<sup>0</sup>.

# 6 Persistency

The system iLTL<sup>e</sup> nest can be adapted to a sound and complete proof system for the logic iLTL<sup>p</sup> of validities over persistent models.

Definition 12. *The sequent calculus* iLTL<sup>p</sup> nest *consists of the rules of* iLTL<sup>e</sup> nest *except* S *and* →R*, which are replaced by*

$$\frac{\Gamma, A^n \Rightarrow B^n}{\Gamma \Rightarrow A \to B^n, \Delta} \to \mathbf{R\_p}$$

Derivations, paths, (good) formula traces and proofs are defined for iLTL<sup>p</sup> nest just as for iLTL<sup>e</sup> nest, and it is easy to see that Lemma 2 still holds. To prove soundness, one can simply follow the proof of Theorem <sup>1</sup> and in the case for <sup>→</sup>R<sup>p</sup> invoke the validity of (X<sup>A</sup> <sup>→</sup> <sup>X</sup>B) <sup>→</sup> <sup>X</sup>(<sup>A</sup> <sup>→</sup> <sup>B</sup>) over the class of persistent models.

To show completeness, we will adapt the proof search for iLTL<sup>e</sup> nest by introducing different levels of saturation.

Definition 13. *Let* k<ω*. A sequent* Γ ⇒ Δ *is* k-saturated *if it satisfies clauses 1-8 of Definition 9 and the additional clause*

*9. for all* <sup>n</sup> <sup>≤</sup> <sup>k</sup>*, if* <sup>A</sup> <sup>U</sup> <sup>B</sup><sup>n</sup> <sup>∈</sup> <sup>Δ</sup>*, then* <sup>B</sup>n, A<sup>n</sup> <sup>∈</sup> <sup>Δ</sup> *or* <sup>B</sup>n,X(<sup>A</sup> <sup>U</sup> <sup>B</sup>)<sup>n</sup> <sup>∈</sup> <sup>Δ</sup>*.*

*Given a sequent* σ*, we say that a formula* A *is* k-saturated in σ *if* σ *satisfies the relevant* k*-saturation clause for* A*.*

Note that 0-saturation is equivalent to our earlier notion of saturation.

To keep track of the level of saturation in sequents, the proof search tree will be labelled by *indexed sequents* Γ ⇒<sup>k</sup> Δ, that is, sequents equipped with a natural number k<ω.

Definition 14. *A* persistent proof search tree T *for a sequent* Γ ⇒ Δ *is a finite or infinite tree whose nodes are labelled with indexed sequents following the rules of* iLTL<sup>p</sup> nest *such that:*


$$\frac{\Gamma, A\_0^k \Rightarrow\_0 B\_0^k \quad \cdots \quad \Gamma, A\_j^k \Rightarrow\_0 B\_j^k \quad \Gamma \Rightarrow\_{k+1} (A\_0 \rightarrow B\_0)^k, \ldots, (A\_j \rightarrow B\_j)^k, \Delta}{\Gamma \Rightarrow\_k (A\_0 \rightarrow B\_0)^k, \ldots, (A\_j \rightarrow B\_j)^k, \Delta} \text{ C}\_\mathbf{p}$$

*is utilised, where* <sup>Δ</sup> *may not contain a formula of the form* <sup>A</sup> <sup>→</sup> <sup>B</sup><sup>k</sup> *and the conclusion of the rule is a* k*-saturated sequent.*

It is easy to see that every sequent has a persistent proof search tree and that Lemmas 3, 4 and 5 also hold for persistent proof search trees. Following Definition 11, we define a *persistent refutation* as a subtree of a persistent proof search tree satisfying properties 1-5 of Definition 11, with C replaced by Cp. As before, the fifth property ensures that every branch in a persistent refutation passes through the Cp-rule infinitely often.

Via a game-theoretic argument, we obtain completeness of iLTL<sup>p</sup> nest as a corollary of the following proposition.

Proposition 2. *If a sequent* σ *has a persistent refutation, then it has a persistent countermodel.*

Due to space limitations, the proof is omitted. The main difference from the proof of Proposition 1 is that, when constructing a persistent countermodel from a persistent refutation, right premises of the Cp-rule are not viewed as temporal successors but as a further description of the current world w. In the limit, this description fully determines the temporal 'successors' f<sup>n</sup>(w) for every n, whereby these successors can be added accordingly. Due to this limit construction, worlds in the obtained countermodel may have infinitely many intuitionistic successors, which is not the case for the countermodel obtained in Proposition 1.

# 7 Conclusion

This investigation is part of a larger programme of devising sequent calculi for intuitionistic modal logics with fixed points, with the aim of establishing fundamental properties such as decidability and algorithmic proof search. To this end, we introduced ill-founded cut-free sequent calculi for intuitionistic linear-time temporal logic over expanding and persistent models, denoted iLTL<sup>e</sup> and iLTL<sup>p</sup> respectively. The presented systems and the techniques devised to establish soundness and completeness are inspired by the study of ill-founded proof systems for classical temporal logics. In particular, we have illustrated how the method of proof search can be adapted to the intuitionistic realm.

A natural direction for future research is to extend iLTL<sup>e</sup> and iLTL<sup>p</sup> to logics containing greatest fixed point operators such as 'henceforth' and, more generally, 'release'. The latter is the classical dual of U which is not definable from U in the intuitionistic setting [3]. Although we believe that our approach can be extended to handle more expressive temporal logics, an adaptation of the proof search strategy is by no means trivial. The presence of greatest fixed point formulas on the left-hand side of a sequent presents a challenge in ensuring that the model constructed from a refutation satisfies monotonicity.

Another possible direction is to devise complete cyclic calculi for iLTL-based logics. The main difficulty in turning an ill-founded proof into a cyclic one lies in our reliance on nested sequents. In the completeness proof, there is no guarantee that every infinite branch in a proof contains a repeated sequent. Indeed, as shown in Sect. 5.2, the sequent ♦(A∨B)<sup>0</sup> <sup>⇒</sup> <sup>C</sup> <sup>→</sup> ♦A0, C <sup>→</sup> ♦B<sup>0</sup> admits a proof in iLTL<sup>e</sup> nest only with an unbounded nesting depth. This implies that a simple definition of repetition in an infinite branch will not result in a complete cyclic system. Incorporating the cut-rule into the systems, one can obtain a proof of the sequent wherein the nesting depth is at most 1. Since the required application of cut in this example requires only analytic formulas, it is worthwhile investigating whether the presented systems can be turned into cyclic systems with analytic cuts.

# References



# Proof Systems for the Modal *µ*-Calculus Obtained by Determinizing Automata

Maurice Dekker, Johannes Kloibhofer, Johannes Marti(B) , and Yde Venema

ILLC, University of Amsterdam, Amsterdam, Netherlands pmauricedekker@gmail.com, {j.kloibhofer,y.venema}@uva.nl, johannes.marti@gmail.com

Abstract. Automata operating on infinite objects feature prominently in the theory of the modal μ-calculus. One such application concerns the tableau games introduced by Niwiński & Walukiewicz, whose winning condition for infinite plays can be naturally checked by a nondeterministic parity stream automaton. Inspired by work of Jungteerapanich and Stirling, we show how determinization constructions of this automaton may be used to directly obtain proof systems for the μ-calculus. More concretely, we introduce a binary tree construction for determinizing nondeterministic parity stream automata. Using this construction we define the annotated cyclic proof system BT, where formulas are annotated by tuples of binary strings. Soundness and completeness of this system follow almost immediately from the correctness of the determinization method.

Keywords: modal mu-calculus · derivation system · determinisation of Büchi and parity automata · non-wellfounded and cyclic proofs

# 1 Introduction

*The Modal* μ*-calculus.* The modal μ-calculus is a natural extension of basic modal logic with explicit least and greatest fixpoint operators. Allowing the formulation of various recursive phenomena, this extension raises the expressive power of the language (at least when it comes to bisimulation-invariant properties of transition systems) to that of monadic second-order logic [12]. The μ-calculus is generally regarded as a universal specification language, since it embeds most other logics that are used for this purpose, such as LTL, CTL, CTL<sup>∗</sup> and PDL. Despite its expressive power, the μ-calculus still has reasonable computational properties: its model checking problem is in quasi-polynomial time [4] and its satisfiability problem is exptime-complete [7]. Another interesting feature of the theory of the modal μ-calculus lies in its connections with other fields, in particular the theory of finite automata operating on infinite objects, and that of infinite games.

*Derivation Systems.* Given the importance of the modal μ-calculus, there is a natural interest in the development and study of derivation systems for its validities. And indeed, already in [15] Kozen proposed an axiomatization. Despite the naturality of this axiom system, he only established a partial completeness result, and it took a substantial amount of time before Walukiewicz [25] managed to prove soundness and completeness for the full language.

Kozen's axiomatization amounts to a Hilbert-style derivation system, making it less attractive for proof search. If one is interested in a cut-free system, a good starting point is the two-player tableau-style game introduced by Niwiński & Walukiewicz [19]. Here we will present their system in the shape of a derivation system NW (this change of perspective can be justified by identifying winning strategies for one of the players in the game with NW-proofs). NW is a one-sided sequent system which allows for infinite proofs: although its proof rules are completely standard (and finitary), due to the unfolding rules for the fixpoint operators, derivations may have infinite branches. A crucial aspect of the NW-system is that one has to keep track of the *traces* of individual formulas along the infinite branches. A derivation will only count as a proper proof if each of its infinite branches is *successful*, in the sense that it carries a so-called ν-trace: a trace which is dominated by a *greatest* fixpoint operator.

This condition is easy to formulate but not so nice to work with. One could describe the subsequent developments in the proof theory for the modal μ-calculus as a series of modifications of the system NW which aim to get a grip on the complexities and intricacies of the above-mentioned traces, and in particular, to use the resulting "trace management" for the introduction of finitary, cyclic proof systems. Landmark results were obtained by Jungteerapanich [13] and Stirling [23], who introduced cyclic proof systems for the μ-calculus, two calculi that we will identify here under the name JS.

*Automata and Derivation Systems.* Applications of automata theory are ubiquitous in the theory of the modal μ-calculus, and the area of proof theory is no exception. In particular, Niwiński & Walukiewicz [19] observed that infinite matches of their game, corresponding to infinite branches in an NW-derivation, can be seen as infinite words or *streams* over some finite alphabet. It follows that *stream automata* (automata operating on infinite words) can be used to determine whether such a match/branch carries a ν-trace. Niwiński & Walukiewicz used this perspective to link their results to the exponential-time complexity of the satisfiability problem for the μ-calculus.

A key contribution of Jungteerapanich and Stirling [13,23] was to bring automata *inside* the proof system. The basic idea would be to decorate each sequent in a derivation with a state of the stream automaton which recognizes whether an infinite branch is successful or not; starting from the root, the successive states decorating the sequents on a given branch simply correspond to a run of the automaton on this branch. For this idea to work one needs the stream automaton to be *deterministic*. To see this, observe that two successful but distinct branches in a derivation would generally require two distinct runs, and in the case of a nondeterministic automaton, these two runs might already diverge before the two branches split.

Interestingly, there is a natural stream automaton recognizing the successful branches of an NW-derivation: One may simply take the states of such an automaton to be the formulas in the (Fischer-Ladner) *closure* of the root sequent. But given the *nondeterministic* format of this automaton, before it can be used in a proof system, we need to transform it into an equivalent deterministic one. This explains the relevance of constructions for determinizing stream automata to the proof theory of the modal μ-calculus.

*Determinization of Stream Automata.* Using the ideas we just sketched, one may obtain sound and complete derivation systems for the modal μ-calculus in an easy way. For any deterministic automaton A that recognizes the successful branches in NW-derivations, one could simply introduce new-style sequents consisting of an NW-sequent decorated with a state of A, and adapt the proof rules of NW incorporating the transition map of A. This could be done in such a way that the stream of decorations of an infinite branch corresponds to the run of A on the stream of sequents of the same branch. The trace condition of NW-derivations could then be replaced by the acceptance condition of A (which is generally much simpler, since it does not refer to traces).
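The decoration mechanism just described amounts to folding the deterministic transition map over a branch. A hypothetical sketch (the function name and encoding are ours):

```python
def decorate_branch(branch, delta, initial):
    """Decorate a branch with states of a deterministic stream automaton.

    `branch` is a finite list of sequents, read as the letters consumed by
    the automaton; `delta(state, sequent)` is its total, deterministic
    transition function.  The returned decorations are exactly the run of
    the automaton on the branch, so an acceptance condition on them can
    replace the trace condition.
    """
    states = [initial]
    for sequent in branch:
        states.append(delta(states[-1], sequent))
    return states
```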

More interesting is to use specific determinization constructions, in order to design more attractive proof systems or to prove results *about* the derivation system (and thus, potentially, about the μ-calculus). In particular, some determinization constructions are based on a *power construction*, meaning that the states of the deterministic automaton consist of *macrostates* (*subsets* of the nondeterministic original) with some additional structure. Such constructions allow for proof calculi where this additional structure is incorporated into the sequents. For instance, the derivation system JS is based on the well-known Safra construction [20], in which the states of the deterministic automaton consist of macrostates of the original automaton that are organised by means of so-called *Safra trees*. Concretely, the (augmented) sequents in JS consist of a set of *annotated formulas*, with the annotations indicating the position of the formula in the Safra tree and a so-called *control* which provides additional information on the Safra tree.

*Our Contribution.* Our overall goal is to make explicit the role of automata theory in the design of derivation systems for the modal μ-calculus (and other fixpoint logics). Our point is that distinct determinization constructions lead to distinct sequent systems, and that we may look for alternatives to the Safra construction. Concretely, the contribution of this paper is threefold:


key difference is that our sequents consist of annotated formulas, and nothing else.

3. We establish the soundness and completeness of BT. A distinguishing feature of our approach is that (up to some optimizations) this result is a *direct* consequence of the soundness and completeness of NW and the adequacy of our determinization construction.

*Related Work.* There is an extensive literature on applications of automata theory in the theory of the modal μ-calculus, among others [6,11,12,26]. Jungteerapanich and Stirling [13,23] were the first to obtain an annotated proof system inspired by the determinization of automata. The proof system Focus for the alternation-free μ-calculus designed by Marti & Venema [18] originates with a rather simple determinization construction for so-called weak automata. In [17], Leigh & Wehr also take a rather general approach towards the use of determinization constructions in the design of derivation systems, but they confine attention to the Safra construction.

*Overview of Paper.* In the next section we provide the necessary background material on binary trees, on ω-automata, on the modal μ-calculus and the proof system NW; doing so we fix our notation. In Sect. 3 we introduce a new determinization method for nondeterministic Büchi and parity automata. We will use this construction to prove the soundness and completeness of the proof system BT, which we introduce in Sect. 4. All missing proofs can be found in the extended version of this paper [5].

# 2 Preliminaries

*Binary Trees.* We let $2^*$ denote the set of *binary strings*; we write $<$ for the lexicographical order on $2^*$, and $\sqsubseteq$ for the (initial) substring relation given by $s \sqsubseteq t$ if $sr = t$ for some $r$. *Substitution* for binary strings is defined in the following way: let $s, t, \tilde{s}, r \in 2^*$ be such that $s = t\tilde{s}$; then $s[t\backslash r]$ denotes the binary string $r\tilde{s}$. A *binary tree* is a finite set of binary strings $T \subseteq 2^*$ such that $s0 \in T \Rightarrow s \in T$ and $s0 \in T \Leftrightarrow s1 \in T$. Here we let $\mathsf{leaves}(T) = \{s \in T \mid s0 \notin T\}$ denote its set of *leaves*, and $\mathsf{minL}(T)$ the *minimal leaf* of $T$, i.e. the unique leaf of the form $0 \cdots 0$. A set of binary strings $L$ is a *set of leaves of a binary tree* if for all $s \neq t \in L$ we have $s \not\sqsubseteq t$ and $\mathsf{tree}(L) = \{s \in 2^* \mid \exists t \in L : s \sqsubseteq t\}$ is a binary tree.
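For concreteness, the binary-string notions above can be sketched in Python. This is our own illustration, not part of the paper's formalisation; the names `tree`, `leaves`, `min_leaf` and `substitute` mirror $\mathsf{tree}(L)$, $\mathsf{leaves}(T)$, $\mathsf{minL}(T)$ and $s[t\backslash r]$.

```python
# Binary strings over {0,1} are modelled as Python strings (our encoding).

def is_prefix(s, t):
    """The substring relation: s is an initial substring of t (sr = t)."""
    return t.startswith(s)

def substitute(s, t, r):
    """s[t\\r]: if s = t·s~, return r·s~ (replace the prefix t by r)."""
    assert s.startswith(t)
    return r + s[len(t):]

def tree(L):
    """tree(L): the prefix-closure of the strings in L."""
    return {s[:i] for s in L for i in range(len(s) + 1)}

def leaves(T):
    """Leaves of a binary tree T: nodes with no child in T."""
    return {s for s in T if s + "0" not in T}

def min_leaf(T):
    """The minimal leaf: the unique leaf of the form 00...0."""
    s = ""
    while s + "0" in T:
        s += "0"
    return s

# Example: the binary tree with leaves {"00", "01", "1"}.
T = tree({"00", "01", "1"})
```

Note that `tree({"00", "01", "1"})` yields a set satisfying both closure conditions, so the antichain condition on the leaves can be checked separately.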

*Stream Automata.* A *non-deterministic automaton* over a finite alphabet $\Sigma$ is a quadruple $\mathbb{A} = \langle A, \Delta, a_I, \mathsf{Acc}\rangle$, where $A$ is a finite set, $\Delta : A \times \Sigma \to \mathcal{P}(A)$ is the transition function of $\mathbb{A}$, $a_I \in A$ its initial state and $\mathsf{Acc} \subseteq A^\omega$ its acceptance condition. An automaton is called *deterministic* if $|\Delta(a, y)| = 1$ for all pairs $(a, y) \in A \times \Sigma$. A *run* of an automaton $\mathbb{A}$ on a stream $w = y_0 y_1 y_2 \ldots \in \Sigma^\omega$ is a stream $a_0 a_1 a_2 \ldots \in A^\omega$ such that $a_0 = a_I$ and $a_{i+1} \in \Delta(a_i, y_i)$ for all $i \in \omega$. A stream $w$ is *accepted* by $\mathbb{A}$ if there is a run of $\mathbb{A}$ on $w$ that belongs to $\mathsf{Acc}$; we define $L(\mathbb{A})$ to be the set of all streams accepted by $\mathbb{A}$.

The acceptance condition can be given in different ways. A *Büchi* condition is given as a subset $F \subseteq A$; the corresponding acceptance condition is the set of runs that contain infinitely many states in $F$. A *parity* condition is given as a map $\Omega : A \to \omega$; the corresponding acceptance condition is the set of runs $\alpha$ such that $\min\{\Omega(a) \mid a \text{ occurs infinitely often in } \alpha\}$ is even. A *Rabin* condition is given as a set $R = ((G_i, B_i))_{i \in I}$ of pairs of subsets of $A$; the corresponding acceptance condition is the set of runs $\alpha$ for which there exists $i \in I$ such that $\alpha$ contains infinitely many states in $G_i$ and finitely many in $B_i$. Automata with these acceptance conditions are called *Büchi*, *parity* and *Rabin automata*, respectively.
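For intuition, the three conditions can be checked directly on an eventually periodic run $\text{prefix}\cdot\text{cycle}^\omega$, since the states occurring infinitely often are exactly those on the cycle. The following is our own Python sketch, not part of the paper:

```python
def buchi_accepts(cycle, F):
    # Büchi: some state of F occurs infinitely often, i.e. lies on the cycle.
    return any(a in F for a in cycle)

def parity_accepts(cycle, priority):
    # Parity: the minimal priority occurring infinitely often is even.
    return min(priority[a] for a in cycle) % 2 == 0

def rabin_accepts(cycle, pairs):
    # Rabin: some pair (G, B) with G visited infinitely often, B only finitely.
    inf = set(cycle)
    return any(inf & G and not (inf & B) for (G, B) in pairs)
```

Here `cycle` lists the states on the loop of the lasso, `priority` is a dictionary for $\Omega$, and `pairs` is a list of $(G_i, B_i)$ sets; all names are our own.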

*Modal* μ*-calculus: Syntax.* The set $\mathcal{L}_\mu$ of *formulas* of the modal μ-calculus is generated by the grammar

$$\varphi ::= p \mid \overline{p} \mid \bot \mid \top \mid (\varphi \lor \varphi) \mid (\varphi \land \varphi) \mid \Diamond \varphi \mid \Box \varphi \mid \mu x.\varphi \mid \nu x.\varphi,$$

where $p$ and $x$ are taken from a fixed set $\mathsf{Prop}$ of propositional variables, and in formulas of the form $\mu x.\varphi$ and $\nu x.\varphi$ there are no occurrences of $\overline{x}$ in $\varphi$.

Formulas of the form $\mu x.\varphi$ ($\nu x.\varphi$) are called μ*-formulas* (ν*-formulas*, respectively); formulas of either kind are called *fixpoint formulas*. We write $\eta, \lambda \in \{\mu, \nu\}$ to denote an arbitrary fixpoint operator. We use standard terminology and notation for the binding of variables by the fixpoint operators and for substitutions, and make sure only to apply substitution in situations where no variable capture will occur. An important use of the substitution operation concerns the *unfolding* $\chi[\xi/x]$ of a fixpoint formula $\xi = \eta x.\chi$.

Given two formulas $\varphi, \psi \in \mathcal{L}_\mu$ we write $\varphi \to_C \psi$ if $\psi$ is either a direct boolean or modal subformula of $\varphi$, or else $\varphi$ is a fixpoint formula and $\psi$ is its unfolding. The *closure* $\mathsf{Clos}(\Phi) \subseteq \mathcal{L}_\mu$ of $\Phi \subseteq \mathcal{L}_\mu$ is the least superset of $\Phi$ that is closed under this relation. It is well known that $\mathsf{Clos}(\Phi)$ is finite iff $\Phi$ is finite. A *trace* is a sequence $(\varphi_n)_{n<\kappa}$, with $\kappa \leq \omega$, such that $\varphi_n \to_C \varphi_{n+1}$ for all $n + 1 < \kappa$.
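The closure can be computed by saturating $\Phi$ under the successor relation $\to_C$. The following Python sketch uses a toy tuple encoding of formulas of our own devising (not the paper's notation) to illustrate this:

```python
# Toy encoding (ours): ("p",), ("not_p",), ("or", a, b), ("and", a, b),
# ("dia", a), ("box", a), ("mu", "x", a), ("nu", "x", a), ("var", "x").

def subst(phi, x, xi):
    """phi[xi/x]: replace free occurrences of variable x by xi."""
    tag = phi[0]
    if tag == "var":
        return xi if phi[1] == x else phi
    if tag in ("mu", "nu"):
        if phi[1] == x:              # x is rebound here, so stop
            return phi
        return (tag, phi[1], subst(phi[2], x, xi))
    if tag in ("or", "and"):
        return (tag, subst(phi[1], x, xi), subst(phi[2], x, xi))
    if tag in ("dia", "box"):
        return (tag, subst(phi[1], x, xi))
    return phi                       # literals have no variables

def successors(phi):
    """The formulas psi with phi ->_C psi."""
    tag = phi[0]
    if tag in ("or", "and"):
        return [phi[1], phi[2]]
    if tag in ("dia", "box"):
        return [phi[1]]
    if tag in ("mu", "nu"):          # unfolding of a fixpoint formula
        return [subst(phi[2], phi[1], phi)]
    return []

def closure(Phi):
    """Least superset of Phi closed under ->_C."""
    todo, clos = list(Phi), set(Phi)
    while todo:
        for psi in successors(todo.pop()):
            if psi not in clos:
                clos.add(psi)
                todo.append(psi)
    return clos
```

For example, $\mu x.(p \lor \Diamond x)$ has a four-element closure: the formula itself, its unfolding, and the two subformulas of the unfolding.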

We define a *dependence order* on the fixpoint formulas occurring in $\Phi$, written $\mathsf{Fix}(\Phi)$, by setting $\eta x.\varphi <_\Phi \lambda y.\psi$ (where smaller in $<_\Phi$ means being of higher priority) if $\mathsf{Clos}(\eta x.\varphi) = \mathsf{Clos}(\lambda y.\psi)$ and $\eta x.\varphi$ is a subformula of $\lambda y.\psi$. One may define a *parity function* $\Omega : \mathsf{Fix}(\Phi) \to \omega$ which respects this order (i.e., $\Omega(\eta x.\varphi) < \Omega(\lambda y.\psi)$ if $\eta x.\varphi <_\Phi \lambda y.\psi$) and satisfies: $\Omega(\eta x.\varphi)$ is even iff $\eta = \nu$. Let $\mathsf{max}_\Omega(\Phi) = \max\{\Omega(\nu x.\varphi) \mid \nu x.\varphi \in \mathsf{Fix}(\Phi)\}$.

It is well known that any infinite trace $\tau = (\varphi_n)_{n<\kappa}$ features a unique formula $\varphi$ that occurs infinitely often on $\tau$ and is a subformula of $\varphi_n$ for cofinitely many $n$. This formula is always a fixpoint formula, and where it is of the form $\eta x.\psi$ we call $\tau$ an $\eta$*-trace*.

Since the semantics of the modal μ-calculus only plays an indirect role in our paper, we refrain from giving the definition.

*Non-wellfounded Proofs.* A sequent Γ is a finite set of μ-calculus formulas, possibly with additional structure such as annotations. Rules have the following form, possibly with additional side conditions:

$$
\mathsf{R}\colon\ \dfrac{\Gamma_1 \quad \cdots \quad \Gamma_n}{\Gamma}
\qquad\qquad
\begin{array}{c}
[\Gamma]^{\mathsf{x}} \\
\vdots \\
\mathsf{D}^{\mathsf{x}}\colon\ \dfrac{\Gamma}{\Gamma}
\end{array}
$$

A rule $\mathsf{R}$ with $n = 0$ is called an axiom. The rules $\mathsf{D}^{\mathsf{x}}$ are called *discharge rules*. Each discharge rule is marked by a unique *discharge token* taken from a fixed infinite set $\mathcal{D} = \{\mathsf{x}, \mathsf{y}, \ldots\}$.

Definition 1. *A* derivation system $\mathsf{P}$ *is a set of rules. A* $\mathsf{P}$ derivation $\pi = (T, P, \mathsf{S}, \mathsf{R}, \mathsf{f})$ *is a quintuple such that* $(T, P)$ *is a, possibly infinite, tree with nodes* $T$ *and parent relation* $P$*;* $\mathsf{S}$ *is a function that maps every node* $u \in T$ *to a nonempty sequent* $\Sigma_u$*;* $\mathsf{R}$ *is a function that maps every node* $u \in T$ *to its* label $\mathsf{R}(u)$*, which is either (i) the name of a rule in* $\mathsf{P}$ *or (ii) a discharge token; and* $\mathsf{f}$ *is a partial function that maps some nodes* $u \in T$ *to their* principal formula $\mathsf{f}(u) \in \mathsf{S}(u)$*. If a specific formula* $\varphi$ *in the conclusion of a rule is designated, then* $\mathsf{f}(u) = \varphi$*, and otherwise* $\mathsf{f}(u)$ *is undefined. To qualify as a derivation, such a quintuple is required to satisfy the following conditions:*


A derivation $\pi' = (T', P', \mathsf{S}', \mathsf{R}', \mathsf{f}')$ is a *subderivation* of $\pi = (T, P, \mathsf{S}, \mathsf{R}, \mathsf{f})$ if $(T', P')$ is a subtree of $(T, P)$ and $\mathsf{S}', \mathsf{R}', \mathsf{f}'$ agree with $\mathsf{S}, \mathsf{R}, \mathsf{f}$ on $(T', P')$. A derivation $\pi$ is called *regular* if it has finitely many distinct subderivations.

Definition 2. *Let* $\pi = (T, P, \mathsf{S}, \mathsf{R}, \mathsf{f})$ *be a derivation. We define two graphs we are interested in: (i) the usual* proof tree $\mathcal{T}_\pi = (T, P)$ *and (ii) the* proof tree with back edges $\mathcal{T}^C_\pi = (T, P^C)$*, where* $P^C = P \cup \{(l, c(l)) \mid l \text{ is a discharged leaf}\}$ *is the parent relation plus back-edges for every discharged leaf.*

*A* strongly connected subgraph *in* $\mathcal{T}^C_\pi$ *is a set* $S$ *of nodes such that for every* $u, v \in S$ *there is a* $P^C$*-path from* $u$ *to* $v$*.*

*The* NW *Proof System.* The rules of the derivation system NW, which is directly based on the tableau games introduced by Niwiński & Walukiewicz [19], are given in Fig. 1.

In order to decide whether an NW derivation qualifies as a proper *proof*, one has to keep track of the development of individual formulas along infinite branches of the proofs.

$$
\begin{array}{cccc}
\mathsf{Ax1}\colon \dfrac{}{p, \overline{p}, \Gamma} &
\mathsf{Ax2}\colon \dfrac{}{\top, \Gamma} &
\mathsf{R}_{\lor}\colon \dfrac{\varphi, \psi, \Gamma}{\varphi \lor \psi, \Gamma} &
\mathsf{R}_{\land}\colon \dfrac{\varphi, \Gamma \quad \psi, \Gamma}{\varphi \land \psi, \Gamma}
\\[3ex]
\mathsf{R}_{\Box}\colon \dfrac{\varphi, \Gamma}{\Box\varphi, \Diamond\Gamma, \Delta} &
\mathsf{R}_{\mu}\colon \dfrac{\varphi[\mu x.\varphi/x], \Gamma}{\mu x.\varphi, \Gamma} &
\mathsf{R}_{\nu}\colon \dfrac{\varphi[\nu x.\varphi/x], \Gamma}{\nu x.\varphi, \Gamma} &
\end{array}
$$

#### Fig. 1. Rules of NW

Definition 3. *Let* $\Gamma, \Gamma'$ *be sequents and* $\xi$ *a formula such that* $\Gamma$ *is the conclusion and* $\Gamma'$ *is a premise of a rule in Fig. 1 with principal formula* $\xi$*. We define the* active *and* passive trail relations $\mathsf{A}_{\Gamma,\xi,\Gamma'}, \mathsf{P}_{\Gamma,\xi,\Gamma'} \subseteq \Gamma \times \Gamma'$*. Both relations are defined via a case distinction on* $\xi$*:*

Case $\xi = \Box\varphi$: *Then* $\Gamma = \Box\varphi, \Diamond\Lambda, \Delta$ *and* $\Gamma' = \varphi, \Lambda$*. We define* $\mathsf{A}_{\Gamma,\xi,\Gamma'} = \{(\Box\varphi, \varphi)\} \cup \{(\Diamond\chi, \chi) \mid \chi \in \Lambda\}$ *and* $\mathsf{P}_{\Gamma,\xi,\Gamma'} = \emptyset$*.*

Case $\xi = \varphi \lor \psi$: *Then* $\Gamma = \varphi \lor \psi, \Lambda$ *and* $\Gamma' = \varphi, \psi, \Lambda$*. We define* $\mathsf{A}_{\Gamma,\xi,\Gamma'} = \{(\varphi \lor \psi, \varphi), (\varphi \lor \psi, \psi)\}$ *and* $\mathsf{P}_{\Gamma,\xi,\Gamma'} = \{(\chi, \chi) \mid \chi \in \Lambda\}$*.*

*The relations for the remaining rules are defined analogously.*

*The* trail relation $\mathsf{T}_{\Gamma,\xi,\Gamma'} \subseteq \Gamma \times \Gamma'$ *is defined as* $\mathsf{A}_{\Gamma,\xi,\Gamma'} \cup \mathsf{P}_{\Gamma,\xi,\Gamma'}$*. Finally, for nodes* $u, v$ *in an* NW *proof* $\pi$ *such that* $P(u, v)$*, we define* $\mathsf{T}_{u,v} = \mathsf{T}_{\mathsf{S}(u),\mathsf{f}(u),\mathsf{S}(v)}$*.*

Note that for any two nodes $u, v$ with $P(u, v)$ and $(\varphi, \psi) \in \mathsf{T}_{u,v}$, we have either $(\varphi, \psi) \in \mathsf{A}_{u,v}$ and $\varphi \to_C \psi$, or else $(\varphi, \psi) \in \mathsf{P}_{u,v}$ and $\varphi = \psi$. The idea is that $\mathsf{A}$ connects the active formulas in the premise and conclusion, whereas $\mathsf{P}$ connects the side formulas.

Definition 4. *Let* $\pi = (T, P, \mathsf{S}, \mathsf{R}, \mathsf{f})$ *be an* NW *derivation. A* branch *of* $\pi$ *is simply a (finite or infinite) branch of the underlying tree* $(T, P)$ *of* $\pi$*. A* trail *on a branch* $\alpha = (v_n)_{n<\kappa}$ *is a sequence* $\tau = (\varphi_n)_{n<\kappa}$ *of formulas such that* $(\varphi_i, \varphi_{i+1}) \in \mathsf{T}_{v_i, v_{i+1}}$ *whenever* $i + 1 < \kappa$*. We obtain the* tightening $\tau'$ *of such a* $\tau$ *by erasing all* $\varphi_{i+1}$ *from* $\tau$ *for which* $(\varphi_i, \varphi_{i+1})$ *belongs to the passive trail relation* $\mathsf{P}_{v_i, v_{i+1}}$*. We call* $\tau$ *a* $\nu$-trail *if its tightening* $\tau'$ *is a* $\nu$*-trace (and so, in particular, it is infinite).*

Definition 5. *An* NW proof $\pi$ *is an* NW *derivation such that on every infinite branch of* $\pi$ *there is a* $\nu$*-trail. We write* $\vdash_{\mathsf{NW}} \Gamma$ *if there is an* NW *proof of* $\Gamma$*, i.e., an* NW *proof where* $\Gamma$ *is the sequent at the root.*

Soundness and completeness of NW for guarded formulas (i.e., where in every subformula $\eta x.\psi$ all free occurrences of $x$ in $\psi$ are in the scope of a modality) follow from the results by Niwiński & Walukiewicz [19]. As pointed out in [2], it follows from [24] and [10] that the result in fact holds for arbitrary formulas. By Theorem 6.3 in [19], NW-proofs can be assumed to be regular, and this observation applies to unguarded formulas as well.

Theorem 1 (Soundness & Completeness). *Let* $\Gamma$ *be a sequent. Then* $\Gamma$ *is valid iff* $\vdash_{\mathsf{NW}} \Gamma$ *iff* $\Gamma$ *has a regular* NW*-proof.*

# 3 Determinization of Automata with Binary Trees

#### 3.1 Büchi Automata

Let $\Sigma$ be an alphabet and $\mathbb{B} = \langle B, \Delta, b_I, F\rangle$ a nondeterministic Büchi automaton over $\Sigma$. We want to present an equivalent deterministic Rabin automaton.

The *run tree* of $\mathbb{B}$ on a word $w = (w_i)_{i\in\omega}$ is a pair $\mathcal{R} = (R, l)$, where $R$ is the full infinite binary tree and $l$ labels every node $s$ with a set $B_s \subseteq B$, such that $l(\varepsilon) = \{b_I\}$ and, for $|s| = i$: $l(s1) = \Delta(B_s, w_i) \cap F$ and $l(s0) = \Delta(B_s, w_i) \setminus F$, where we define $\Delta(B_s, y) = \bigcup_{b \in B_s} \Delta(b, y)$. It describes all possible runs of $\mathbb{B}$ on $w$, using the 1s to keep track of visits to states in $F$.

The *profile tree*, introduced in [9], is a pruned version of the run tree, where 1) at each level all but the (lexicographically) greatest occurrence of a state $b$ are removed, and 2) nodes labelled by the empty set are deleted. This results in a tree of bounded width, where every node has 0, 1 or 2 children. It can be proved that $\mathbb{B}$ accepts a stream $w$ iff the corresponding profile tree has a branch with infinitely many 1s.

In [8] a determinization method was defined where macrostates encode levels of the profile tree. In our approach macrostates encode a compressed version of the whole profile tree up to some level: nodes $u, v$ are identified (iteratively) if $v$ is the unique child of $u$. This results in finite binary trees whose leaves are labelled by subsets of $B$. In every step of the transition function we add one level of the run tree and then prune and compress the tree to obtain a binary tree again. Whenever a 1 is compressed (in the sense of a node being identified with its right child) we know that a state in $F$ has been visited, and we mark the node green. A run of the deterministic automaton is accepted if there is a node which never gets removed and is marked green infinitely often. Figure 2 contains an example of this determinization construction.
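The compression step can be illustrated in isolation: identifying each node with its unique child amounts to each leaf keeping only the bits it chose at genuine branching nodes. The following is our own Python sketch of this one step, not the paper's full transition function:

```python
def tree(leaves_set):
    """Prefix-closure of a set of binary strings."""
    return {s[:i] for s in leaves_set for i in range(len(s) + 1)}

def compress(leaves_set):
    """Iteratively identify each node with its unique child: each leaf
    keeps exactly the bits chosen at branching nodes, yielding the leaves
    of a binary tree in which every inner node has two children."""
    T = tree(leaves_set)
    def comp(s):
        out = ""
        for i, bit in enumerate(s):
            sibling = s[:i] + ("1" if bit == "0" else "0")
            if sibling in T:          # branching node: this bit survives
                out += bit
        return out
    return {s: comp(s) for s in leaves_set}
```

For instance, the leaves `{"00", "010", "011"}` (where `"00"` has a chain of unique children above it) compress to the binary-tree leaves `{"0", "10", "11"}`.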

Formally we define the deterministic Rabin automaton $\mathbb{B}^D = \langle B^D, \delta, b'_I, R\rangle$ as follows: an element $S$ of the carrier $B^D$ of $\mathbb{B}^D$ is called a *macrostate* and consists of


We define $T^S$ to be the binary tree $\mathsf{tree}(\mathsf{ran}(f))$, which has $\mathsf{ran}(f)$ as its leaves, and say that a binary string $s$ is *in play* if $s \in T^S$. If it is clear from the context we occasionally abbreviate $T^S$ by $T$. We will sometimes denote a macrostate by a set of pairs $(b, s)$, usually written as $b^s$, where $b \in B_S$ and $s = f(b)$, and deal with the colouring $c$ implicitly.

The initial macrostate $b'_I$ consists of the singleton $\{b_I^\varepsilon\}$, where $c(\varepsilon) = \text{white}$. To define the transition function $\delta$, let $S$ be in $B^D$ and $y \in \Sigma$. We define $\delta(S, y) = S'$, where starting from the empty set we build up $S'$ in the following steps:

1. Move: For every $a^s \in S$ and $b \in \Delta(a, y)$, add $b^s$ to $S'$.

<sup>1</sup> Here $\mathsf{ran}(f)$ denotes the range (image) of $f$.

Fig. 2. A nondeterministic Büchi automaton $\mathbb{B}$ on the left and its determinization $\mathbb{B}^D$ on the right. The diagram in the middle shows the internal structure of the macrostates $m_0, m_1, m_2$ and $m_3$ of $\mathbb{B}^D$. Binary trees are represented in the obvious way (i.e., the root is the empty string $\varepsilon$, and for every node the left child appends 0 and the right child appends 1). The transitions of $\mathbb{B}^D$ are split in two parts: in the first part one level of the run tree is added, corresponding to the steps 1 and 2 in the definition of the transition function. In the second part (the dashed arrows) the tree is pruned and compressed, corresponding to the steps 3 and 4. The acceptance condition of $\mathbb{B}^D$ is such that the word $a^\omega$ is accepted by $\mathbb{B}^D$ because the string is always in play, marked green infinitely often and never red.

	- (a) For any $t \in T$ such that $t0 \in T$ and $t1 \notin T$, change every $a^s \in S'$ with $t0 \sqsubseteq s$ to $a^{s[t0\backslash t]}$. For any $s \in T$ with $t \sqsubset s$, let $c(s) = \text{red}$.
	- (b) For any $t \in T$ such that $t0 \notin T$ and $t1 \in T$, change every $a^s \in S'$ with $t1 \sqsubseteq s$ to $a^{s[t1\backslash t]}$. For any $s \in T$ such that $t = s0 \cdots 0$, let $c(s) = \text{green}$ if $c(s) \neq \text{red}$; in particular let $c(t) = \text{green}$ if $c(t) \neq \text{red}$. For any $s \in T$ with $t \sqsubset s$, let $c(s) = \text{red}$.

We define $B^D$ as the set of macrostates that can be reached from $b'_I$ in this way.

A run of $\mathbb{B}^D$ is accepting if there is a binary string $s$ which is in play cofinitely often, such that $c(s)$ is green infinitely often and red only finitely often.

# Theorem 2. B *accepts a word* w *iff* B<sup>D</sup> *accepts* w*.*

*Remark 1.* For a Büchi automaton of $n$ states, our construction yields a deterministic automaton $\mathbb{B}^D$ with $n^{O(n)}$ states and a Rabin condition of $O(2^n)$ pairs,

<sup>2</sup> As shown in Proposition 1 of [5] this procedure does not depend on the order in which witnesses are chosen, and thus produces a unique binary tree.

see Lemma 5 of [5]. With some adaptations we could also match the optimal Rabin condition, which is known to be linear-size [20].

This can be achieved by adding a labelling function as follows: let $L = \{1, \ldots, 2n - 1\}$ be the set of potential labels. Macrostates are defined as before, with an additional injective function $l : T^S \to L$. For the initial state we let $l(\varepsilon) = 1$. The steps 1–4 in the transition function remain the same, and we add a final step 5 in which we define the new labelling function $l'$: we let $l'(s) = l(s)$ for all $s$ that already occurred in $T^S$, and for all $s \in T^{S'} \setminus T^S$ we let $c(s) = \text{red}$ and choose new, distinct labels in $L$, i.e. ones which do not occur in $\mathsf{ran}(l)$. The binary tree $T^{S'}$ has at most $n$ leaves, hence at most $2n - 1$ nodes, so this is always possible.

The new acceptance condition has the following form: a run of the automaton is accepting if there is a label $k \in L$ such that $c(l^{-1}(k))$ is green infinitely often and red only finitely often. Here $c(l^{-1}(k))$ is defined to be red if $k \notin \mathsf{ran}(l)$. This is a Rabin condition with $O(n)$ pairs. Notably we still have $n^{O(n)}$ macrostates, thus the determinization method is optimal.

#### 3.2 Parity Automata

We now extend the approach to parity automata. Let $\Sigma$ be an alphabet and $\mathbb{A} = \langle A, \Delta_A, a_I, \Omega\rangle$ a nondeterministic parity automaton.

In order to present the intuitive idea behind the construction, we first transform $\mathbb{A}$ into an equivalent nondeterministic Büchi automaton $\mathbb{B}$. Let $m$ be the maximal even priority of $\Omega$. For even $k = 0, 2, \ldots, m$ we define $\mathbb{A}_0, \mathbb{A}_2, \ldots, \mathbb{A}_m$ as copies of $\mathbb{A}$ without the states of priority smaller than $k$, i.e. $\mathbb{A}_k = \langle A_k, \Delta_k, F_k\rangle$ with $A_k = \{a_k \mid a \in A \land \Omega(a) \geq k\}$, $\Delta_k = \Delta_A|_{A_k}$ and $F_k = \{a_k \in A_k \mid \Omega(a) = k\}$. Now we define the nondeterministic Büchi automaton $\mathbb{B} = \langle B, \Delta_B, b_I, F\rangle$:<sup>3</sup>


$$\begin{aligned} B &= A \cup \bigcup\_{\substack{k=0\\k \text{ even}}}^m A\_k, & b\_I &= a\_I, & F &= \bigcup\_{\substack{k=0\\k \text{ even}}}^m F\_k, \\ \Delta\_B &= \Delta\_A \cup \bigcup\_{\substack{k=0\\k \text{ even}}}^m \Delta\_k \cup \{ (a, y, b\_k) \in A \times \Sigma \times A\_k \mid b \in \Delta\_A(a, y), k = 0, 2, \dots, m \}. \end{aligned}$$

Although $\mathbb{A}_k$ is not an automaton, as it does not have an initial state, we can define the Büchi automaton $\mathbb{A} \cup \mathbb{A}_k = \langle A \cup A_k, \Delta_B|_{A \cup A_k}, a_I, F_k\rangle$ for $k = 0, \ldots, m$.
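The parity-to-Büchi conversion above can be sketched in Python. This is our own illustration with our own encoding (a pair `(a, None)` for a state of the untracked copy $A$, and `(a, k)` for $a_k \in A_k$); all function and parameter names are our assumptions:

```python
def parity_to_buchi(states, delta, a_I, omega, m):
    """Build the Büchi automaton B from a parity automaton.
    delta maps (state, letter) to a set of successors, omega gives
    priorities, and m is the maximal even priority."""
    evens = range(0, m + 1, 2)
    B = {(a, None) for a in states}      # the untracked copy A
    F = set()
    for k in evens:                      # the copies A_k
        for a in states:
            if omega[a] >= k:
                B.add((a, k))
                if omega[a] == k:        # F_k: priority exactly k
                    F.add((a, k))
    dB = {}
    for (a, y), succs in delta.items():
        # From the untracked copy: stay in A, or jump into any copy A_k.
        dB[((a, None), y)] = {(b, None) for b in succs} | {
            (b, k) for b in succs for k in evens if omega[b] >= k}
        # Inside A_k only states of priority >= k survive.
        for k in evens:
            if omega[a] >= k:
                dB[((a, k), y)] = {(b, k) for b in succs if omega[b] >= k}
    return B, dB, (a_I, None), F
```

A run of `B` that accepts must eventually jump into some copy $A_k$ and visit $F_k$ infinitely often, which forces the minimal priority seen infinitely often in the original run to be $k$.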

The intuition behind the determinization of the parity automaton $\mathbb{A}$ is the following: we apply the binary tree construction to every automaton $\mathbb{A} \cup \mathbb{A}_k$ for $k = 0, 2, \ldots, m$, which is possible as there are no paths from $A_k$ to $A_j$ if $k \neq j$, and none of the accepting states of $\mathbb{B}$ are in the set $A$. The annotation of a state $a \in A$ will then be the tuple $(s_0, s_2, \ldots, s_m)$, where $s_k$ is the annotation at the state $a_k \in \mathbb{A} \cup \mathbb{A}_k$. Note that the automaton $\mathbb{A}^D$ will be different from the automaton obtained from the binary tree construction on the whole of $\mathbb{B}$.

<sup>3</sup> For easier notation we represent the transition function <sup>B</sup> <sup>×</sup> <sup>Σ</sup> → P(B) by its corresponding relation (i.e., subset of B × Σ × B).

To make this formal we need some definitions. A *treetop* $L$ is a set of leaves of a binary tree where potentially the minimal leaf is missing, i.e. $L$ is a finite set of binary strings such that for all $s \neq t \in L$ we have $s \not\sqsubseteq t$, and $\mathsf{tree}(L) = \{s \in 2^* \mid \exists t \in L : s \sqsubseteq t\} \cup \{s0 \mid s = 0 \cdots 0 \text{ and } s1 \in L\}$ is a binary tree.

For even $m$ let $\mathsf{TSeq}(m) = \{(s_0, s_2, \ldots, s_m) \mid s_0, s_2, \ldots, s_m \in 2^*\}$ be the set of sequences of length $\frac{m}{2} + 1$ of binary strings. Let $\pi_k$ be the projection function, which maps $\sigma = (s_0, \ldots, s_m)$ to $s_k$ for $k = 0, 2, \ldots, m$. We define a partial order $<$ on $\mathsf{TSeq}(m)$: let $(s_0, \ldots, s_m) < (t_0, \ldots, t_m)$ if there exists $l \in \{0, \ldots, m\}$ such that $s_l < t_l$ and $s_j = t_j$ for $j = 0, \ldots, l - 2$.
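In other words, sequences are compared at the first position where they differ. A small Python sketch of this order (our own illustration; we index the tuple by $0, 1, \ldots, \frac{m}{2}$ for the even priorities and use Python's built-in string comparison as a stand-in for the lexicographical order on binary strings):

```python
def tseq_less(sigma, tau):
    """sigma < tau: the strings differ at some position, all earlier
    positions agree, and at the first difference sigma is lex-smaller."""
    for i in range(min(len(sigma), len(tau))):
        if sigma[:i] == tau[:i] and sigma[i] != tau[i]:
            return sigma[i] < tau[i]   # lexicographic comparison
    return False
```

Since agreement is required on all positions before the witnessing one, only the first differing position matters.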

We now define the deterministic Rabin automaton $\mathbb{A}^D = \langle A^D, \delta_A, a'_I, R_A\rangle$. Let $m$ be the maximal even priority of $\Omega$ in $\mathbb{A}$. An element $S$ in the carrier $A^D$ of $\mathbb{A}^D$ consists of a tuple $(A_S, f, c_0, \ldots, c_m)$, where


We define $T^S_k$ to be the binary tree $\mathsf{tree}(\mathsf{ran}(\pi_k \circ f))$ for $k = 0, 2, \ldots, m$ and say a binary string $s$ is *in play at position* $k$ if $s \in T^S_k$. If the context is clear we will abbreviate $T^S_k$ by $T_k$. Again we sometimes denote a macrostate by a set of pairs $(a, \sigma)$, usually written as $a^\sigma$, where $a \in A_S$ and $\sigma = f(a)$, and deal with the colourings $c_k$ implicitly.

The initial macrostate $a'_I$ consists of the singleton $\{a_I^{(\varepsilon, \ldots, \varepsilon)}\}$. To define the transition function $\delta_A$, let $S$ be in $A^D$ and $y \in \Sigma$. We define $\delta_A(S, y) = S'$, where $S'$ is constructed in the following steps:

	- (a) For any $t \in T_k$ such that $t0 \in T_k$ and $t1 \notin T_k$, change every $a^\sigma \in S'$, where $\sigma = (s_0, \ldots, s_m)$ and $t0 \sqsubseteq s_k$, to $a^{\sigma'}$, where $\sigma' = (s_0, \ldots, s_k[t0\backslash t], \ldots, s_m)$. For any $s \in T_k$ with $t \sqsubset s$, let $c_k(s) = \text{red}$.
	- (b) For any $t \in T_k$ such that $t0 \notin T_k$, $t1 \in T_k$ and $t \neq 0 \cdots 0$, change every $a^\sigma \in S'$, where $\sigma = (s_0, \ldots, s_m)$ and $t1 \sqsubseteq s_k$, to $a^{\sigma'}$, where $\sigma' = (s_0, \ldots, s_k[t1\backslash t], \ldots, s_m)$. For any $s \in T_k$ such that $t = s0 \cdots 0$, let $c_k(s) = \text{green}$ if $c_k(s) \neq \text{red}$; in particular let $c_k(t) = \text{green}$ if $c_k(t) \neq \text{red}$. For any $s \in T_k$ with $t \sqsubset s$, let $c_k(s) = \text{red}$.

A run of $\mathbb{A}^D$ is accepting if there is $k \in \{0, 2, \ldots, m\}$ and a binary string $s$ that is in play at position $k$ cofinitely often, such that $c_k(s)$ is green infinitely often and red only finitely often.

Theorem 3. *Let* $\mathbb{A}$ *be a parity automaton and* $\mathbb{A}^D$ *the deterministic Rabin automaton defined from* $\mathbb{A}$*. Then* $L(\mathbb{A}) = L(\mathbb{A}^D)$*.*

*Remark 2.* For a parity automaton $\mathbb{A}$ of size $n$ with highest even priority $m$, our construction produces a deterministic Rabin automaton with $n^{O(m \cdot n)}$ macrostates and $O(m \cdot 2^n)$ Rabin pairs, see Lemma 6 of [5].

# 4 **BT** Proofs

#### 4.1 Proof Systems

We present two non-wellfounded proof systems for the modal μ-calculus, namely BT and BT<sup>∞</sup>. The idea is that annotated sequents in the BT system correspond to macrostates of $\mathbb{A}^D$, where $\mathbb{A}$ is a nondeterministic parity automaton checking the trace condition in an NW proof. The rules of BT resemble the transition function of $\mathbb{A}^D$.

Let $\Phi$ be a set of formulas, the sequent we want to prove, and let $m = \mathsf{max}_\Omega(\Phi)$ be the maximal even priority of $\Omega$. *Annotated sequents* are sets of pairs $(\varphi, \sigma)$, usually written as $\varphi^\sigma$, where $\varphi \in \mathsf{Clos}(\Phi)$ and $\sigma \in \mathsf{TSeq}(m)$. For an annotated sequent $\Gamma$ we let $\Gamma^N$ be the set of annotations occurring in $\Gamma$, i.e. $\Gamma^N = \{\sigma \in \mathsf{TSeq}(m) \mid \exists\varphi \text{ s.t. } \varphi^\sigma \in \Gamma\}$. We let $\Gamma^N_k$ be the set of binary strings occurring at the $k$-th position of the annotations in $\Gamma$, i.e. $\Gamma^N_k = \pi_k[\Gamma^N]$. We say that a string $s$ *occurs in* $\Gamma^N_k$ if there exists $t \in \Gamma^N_k$ such that $s \sqsubseteq t$.

For $\sigma = (s_0, \ldots, s_m) \in \mathsf{TSeq}(m)$ we define $\sigma \cdot 1_k = (s_0, \ldots, s_k 1, \ldots, s_m)$ and $\sigma \cdot 0_k = (s_0, \ldots, s_k 0, \ldots, s_m)$. For an annotated sequent $\Gamma$ we let $\Gamma \cdot 0_k$ denote the annotated sequent $\{\varphi^{\sigma \cdot 0_k} \mid \varphi^\sigma \in \Gamma\}$.

Let $\Gamma$ be an annotated sequent and $\varphi^\sigma \in \Gamma$. We define $\sigma{\upharpoonright}k_\Gamma$ to be the tuple of binary strings obtained from $\sigma = (s_0, \ldots, s_m)$ by replacing every $s_j$ with $j > k$ by $\mathsf{minL}(\mathsf{tree}(\Gamma^N_j))$. If the context $\Gamma$ is clear we write $\sigma{\upharpoonright}k$ instead of $\sigma{\upharpoonright}k_\Gamma$.

The rules $\mathsf{Compress}^{s0}_k$ and $\mathsf{Compress}^{s1}_k$ are schemata for $k = 0, 2, \ldots, m$ and $s \in 2^*$. In these rules the notation $\varphi_i^{(\ldots, st_i, \ldots)}$ is to be read such that $st_i$ is the binary string in the $k$-th position of the annotation. We will write $\mathsf{Compress}$ for any of those rules, and $\mathsf{Compress}^s_k$ for either $\mathsf{Compress}^{s0}_k$ or $\mathsf{Compress}^{s1}_k$.

Note that, if one ignores the annotations, the rules $\mathsf{Ax1}$, $\mathsf{Ax2}$, $\mathsf{R}_\lor$, $\mathsf{R}_\land$, $\mathsf{R}_\mu$, $\mathsf{R}_\nu$ and $\mathsf{R}_\Box$ in Fig. 3 are the same as the rules of NW. As mentioned above, annotated sequents in the BT system correspond to macrostates of $\mathbb{A}^D$, where $\mathbb{A}$ is a nondeterministic parity automaton checking the trace condition in an NW proof. The rules of BT correspond to the transition function $\delta_A$ of $\mathbb{A}^D$, where the transformations of $\delta_A$ are distributed over multiple rules: step 1(a) of $\delta_A$ is carried out in every rule, and step 1(b) and step 2 correspond to the modification of the annotations in the rules $\mathsf{R}_\mu$ and $\mathsf{R}_\nu$. Notably, we do not add zeros to the annotations if the zeros would get deleted anyway in step 4 of the transition function. The rules $\mathsf{Resolve}$ and $\mathsf{Compress}$ are additional and correspond to steps 3 and 4 of $\delta_A$.

[Rules of BT: the annotated counterparts of the NW rules Ax1, Ax2, R∨, R∧, Rμ, Rν and R□ (Rμ updates the annotation of the unfolding to σ|Ω(μx.ϕ), and Rν to σ|k·1 for k = Ω(νx.ϕ)), together with the additional rules Resolve (contracting ϕ^σ, ϕ^τ to ϕ^σ where σ > τ) and the Compress rules.]

#### Fig. 3. Rules of BT

Definition 6. *A* BT derivation π *is a derivation defined from the rules in Fig. 3, such that the rules are applied with the following priority: first* Resolve*, then* Compress*, and then all other rules.*

Just as annotated sequents correspond to macrostates of the deterministic automaton A^D, the soundness conditions of BT^∞ and BT correspond to the acceptance condition of A^D: we say that a pair (k, s) is *preserved* at a node if s is in play at position k in the corresponding macrostate and is not marked red, and *progresses* if it is marked green.

Definition 7. *Let* π *be a* BT *derivation of* Φ*,* m = max Ω(Φ)*, and* S *a set of nodes in* π*. Let* k ∈ {0, 2, . . . , m} *and* s ∈ 2^∗*. We say that the pair* (k, s)

*– is* preserved *on* S *if*

• s *occurs at position* k *in* S(v) *for every* v *in* S *and*

• *if* <sup>R</sup>(v) = Compress<sup>t</sup> <sup>k</sup> *for a node* v *in* S*, then* t ❁ s*,*

*–* progresses *(infinitely often) on* S *if there is* s′ = s0 ··· 0 *such that* R(v) = Compress^(s′1)_k *for some* v *in* S *(for infinitely many* v ∈ S*).*

Definition 8. *Let* π *be a* BT *derivation. An infinite branch* α = (u_i)_{i∈ω} *in* π *is* successful *if there are* N *and* (k, s) *such that* (k, s) *is preserved and progresses infinitely often on* {u_i | i ≥ N}*. A* BT^∞ proof *is a* BT *derivation without occurrences of* Dx *and such that all infinite branches are successful. A* BT proof *is a finite* BT *derivation such that for each* strongly connected subgraph S *in* TC^π *there exists* (k, s) *that is preserved and progresses on* S*.*

*We write* ⊢BT Γ *(*⊢BT∞ Γ*) if there is a* BT *(*BT^∞*) proof of* Γ*, i.e., a proof where* Γ *is the sequent at the root of the proof.*

*Remark 3.* In the proof system JS introduced by Jungteerapanich and Stirling [13,23], annotated sequents are of the form θ ⊢ ϕ_1^(a_1), . . . , ϕ_n^(a_n), where a_1, . . . , a_n are sequences of names and the so-called *control* θ is a linear order on all names occurring in the sequent. In contrast to JS, our sequents consist of formulas with annotations and nothing else, that is, no control. On the other hand, the soundness condition of BT is less local: it speaks about strongly connected subgraphs, whereas in JS only paths between leaves and their companions have to be checked. We see that the control in JS gives information on the structure of the cyclic proof tree. Interestingly, we could also add a control to our sequents and obtain a soundness condition that talks about paths, if desired. Similarly, in [1] a control was added to a cyclic system for the first-order μ-calculus introduced in [22] to obtain a path-based system.

#### 4.2 Soundness and Completeness

The intuitive idea behind the BT^∞ proof system is the following: starting with an NW proof, we can define a nondeterministic parity automaton A that checks whether an infinite branch carries a ν-trail. Using the determinization method from Sect. 3 we simulate macrostates of A^D by annotated formulas in the proof system. Thus an infinite branch in BT^∞ resembles an infinite run of A^D. This will be formalised in the soundness and completeness proofs.

*Tracking Automaton.* Let Φ be a sequent of formulas, ηx1.ψ1, ..., ηxn.ψ<sup>n</sup> the fixpoint formulas in Fix(Φ) and <sup>Ω</sup> the parity function on Fix(Φ).

We define a nondeterministic parity automaton that checks if there is a ν-trail on an infinite branch of some NW proof of Φ. The alphabet Σ consists of all triples (Γ, ξ, Γ′), where Γ ⊆ Clos(Φ) is the conclusion and Γ′ ⊆ Clos(Φ) is the premise of a rule in Fig. 1 with principal formula ξ. We define the following nondeterministic parity automaton A = (A, Δ, a_I, Ω_A):

	- 1. if γ = a_I, then Δ(γ, (Γ, ξ, Γ′)) = Φ,
	- 2. if γ = ξ = ηx.ψ, then Δ(γ, (Γ, ξ, Γ′)) = {ηx.ψ^∗},
	- 3. if γ = ηx.ψ^∗, then Δ(γ, (Γ, ξ, Γ′)) = {γ′ | (ψ[x\ηx.ψ], γ′) ∈ T_(Γ,ξ,Γ′)}.

Let α = (v_n)_{n∈ω} be an infinite branch in an NW proof π. We define w(α) ∈ Σ^ω to be the infinite word (S(v_0), f(v_0), S(v_1))(S(v_1), f(v_1), S(v_2))(S(v_2), f(v_2), S(v_3)). . . .

Lemma 1. *Let* α *be an infinite branch in an* NW *proof. Then* α *carries a* ν*-trail iff* <sup>w</sup>(α) ∈ L(A)*.*

Combining Lemma 1 and Theorem 3 from Sect. 3 we get

Lemma 2. *Let* π *be an* NW *derivation. Then* π *is an* NW *proof iff for every infinite branch* α *in* π *it holds that* w(α) ∈ L(A^D)*.*
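Lemma 2 reduces proof checking to ω-word acceptance by the deterministic automaton A^D. For a regular proof every infinite branch is a lasso u·v^ω, and acceptance by a deterministic parity automaton is decidable by running the automaton and inspecting the priorities on the recurring cycle. A hedged sketch, using a toy transition table (not the actual A^D) and the max-even acceptance convention:

```python
# Decide acceptance of the ultimately periodic word prefix . loop^omega
# by a deterministic parity automaton given as a transition dict and a
# state-priority map; accept iff the maximal priority on the recurring
# cycle is even. All names and the example automaton are illustrative.

def accepts_lasso(delta, prio, init, prefix, loop):
    state = init
    for a in prefix:
        state = delta[(state, a)]
    # Iterate the loop until a (state, loop-position) pair repeats;
    # the priorities recorded from that repetition onward form the cycle.
    seen, history, i = {}, [], 0
    while (state, i) not in seen:
        seen[(state, i)] = len(history)
        state = delta[(state, loop[i])]
        history.append(prio[state])
        i = (i + 1) % len(loop)
    return max(history[seen[(state, i)]:]) % 2 == 0

# Toy automaton over {'a', 'b'}: accepts iff 'a' occurs infinitely often.
delta = {(0, 'a'): 0, (0, 'b'): 1, (1, 'a'): 0, (1, 'b'): 1}
prio = {0: 2, 1: 1}
assert accepts_lasso(delta, prio, 0, "b", "ba")     # 'a' recurs forever
assert not accepts_lasso(delta, prio, 0, "a", "b")  # eventually only 'b'
```

The (state, loop-position) bookkeeping is needed because the automaton state after one pass of the loop need not equal the state at loop entry.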

Lemma 3. *Let* Γ *be a sequent. Then* ⊢NW Γ *iff* ⊢BT∞ Γ*.*

*Proof (Sketch).* Let π be an NW proof of a sequent Γ. Inductively we translate every node v in π to a node v′ plus some additional nodes, such that v′ is labeled by the same sequent as v plus annotations. This can be achieved by replacing every rule in NW by its corresponding rule in BT and adding the rules Resolve and Compress whenever applicable. This yields a BT derivation ρ. It remains to show that every infinite branch α = (v_i)_{i∈ω} in ρ is successful. Let α̂ be the corresponding infinite branch in π. Due to Lemma 2 it holds that w(α̂) ∈ L(A^D). Thus there is (k, s) such that s is in play at position k cofinitely often and c_k(s) is green infinitely often and red only finitely often. As the annotations in α resemble the annotations in the run of A^D on w(α̂), it follows that there is some N ∈ ω such that (k, s) is preserved and progresses infinitely often on {v_i | i ≥ N}.

Conversely, let ρ be a BT^∞ proof of Γ. We let π be the NW derivation defined from ρ by omitting the rules Resolve and Compress and reducing the other rules to the corresponding NW rules. We have to show that every infinite branch α in π carries a ν-trail. Let α′ = (v_i)_{i∈ω} be the corresponding infinite branch in ρ. Because ρ is a BT^∞ proof there are N and (k, s) such that (k, s) is preserved and progresses infinitely often on {v_i | i ≥ N}. Again the annotations in α′ resemble the annotations in the run of A^D on w(α); thus (k, s) witnesses the acceptance of the run of A^D on w(α), and Lemma 2 concludes the proof.

Theorem 4 (Soundness and Completeness). *Let* Γ *be a sequent. Then there is a* BT∞*-proof of* <sup>Γ</sup> *iff* <sup>Γ</sup> *is valid.*

*Proof.* This follows from Lemma 3 and Theorem 1.

#### 4.3 Cyclic **BT** Proofs

As NW proofs can be assumed to be regular and annotations are added deterministically we can also assume BT<sup>∞</sup> proofs to be regular. A standard argument then transforms regular BT<sup>∞</sup> proofs into BT proofs and vice versa.

Lemma 4. *An annotated sequent is provable in* BT *iff it is provable in* BT∞*.*

Theorem 5 (Soundness and Completeness). *Let* Γ *be a sequent. Then there is a* BT*-proof of* Γ *iff* Γ *is valid.*

*Remark 4.* The number of distinct subtrees in a regular BT<sup>∞</sup> proof can be bounded by the number of distinct annotated sequents. This follows because the same statement holds for NW proofs [19] and because in the proof of Lemma 3 annotations and extra rules are added deterministically to sequents in NW proofs.

Let Φ be a sequent, n = |Clos(Φ)| and m = max Ω(Φ). There are at most n^O(m·n) distinct annotated sequents occurring in a proof of Φ, because annotated sequents resemble macrostates in A^D and, as seen in Remark 2, there are at most n^O(m·n) distinct macrostates in A^D.

Combining these two observations with the proof of Lemma 4 yields that the height of a BT proof of a sequent Φ can be bounded by n^O(m·n). This is the same complexity as in JS [13].

*Remark 5.* Given a BT derivation π, we can check whether π is a BT proof in coNP. The following NP algorithm checks that π is *not* a BT proof: choose non-deterministically a strongly connected subgraph S and check that there exists no (k, s) that is preserved and progresses on S; the latter can be done in polynomial time. The complexity of proof checking can be compared to linear time in JS and PSPACE in NW. Note that, if we add a control to the BT proof system, the soundness condition boils down to checking paths between leaves and their companions. In that case proof checking could also be done in linear time.
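The polynomial verification inside this nondeterministic check can be sketched as follows. The graph encoding and the per-node data (`in_play`, `progress`) are illustrative stand-ins for what would be read off a concrete BT derivation:

```python
# Given a candidate node set S of the proof graph, verify (i) that S
# induces a strongly connected subgraph and (ii) whether some pair
# (k, s) is preserved (in play at every node of S) and progresses
# (recorded at some node of S). Both checks are polynomial.

def reachable(start, nodes, edges):
    seen, stack = {start}, [start]
    while stack:
        u = stack.pop()
        for v in edges.get(u, ()):
            if v in nodes and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def strongly_connected(nodes, edges):
    rev = {}
    for u, vs in edges.items():
        for v in vs:
            rev.setdefault(v, set()).add(u)
    root = next(iter(nodes))
    # S is strongly connected iff some node reaches all of S
    # both along the edges and along the reversed edges.
    return reachable(root, nodes, edges) == set(nodes) and \
           reachable(root, nodes, rev) == set(nodes)

def has_good_pair(nodes, in_play, progress, candidates):
    return any(all((k, s) in in_play[v] for v in nodes) and
               any((k, s) in progress[v] for v in nodes)
               for (k, s) in candidates)

nodes, edges = {1, 2}, {1: {2}, 2: {1}}
in_play = {1: {(0, "1")}, 2: {(0, "1")}}
progress = {1: set(), 2: {(0, "1")}}
assert strongly_connected(nodes, edges)
assert has_good_pair(nodes, in_play, progress, [(0, "1")])
```

A non-proof certificate is then a strongly connected S for which `has_good_pair` returns False over all candidate pairs.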

# 5 Conclusions and Future Work

We hope that this paper contributes to the theory of non-wellfounded and cyclic proof systems by discussing applications of automata theory in the field. We have argued for the relevance of the notion of determinizing stream automata in the design of proof systems for the modal μ-calculus. More concretely, we have introduced a determinization construction based on binary trees and used this to obtain a new derivation system BT which is cyclic, cutfree, and sound and complete for the collection of valid Lμ-formulas. In the remainder of this concluding section we point out some directions for future research.

First of all, our approach is not restricted to the modal μ-calculus, but will apply to non-wellfounded and cyclic derivation systems for many other logics as well. For instance, in the proof systems LKID<sup>ω</sup> [3] for first-order logic with inductive definitions, cyclic arithmetic CA [21] and similar systems the trace condition is of the form that on every infinite branch there is a term/variable which progresses infinitely often. This condition can be checked by a nondeterministic Büchi automaton and thus our method would yield an annotated proof system, where the annotations are binary strings, which label the terms/variables.

Second, in Remark 3 we discussed some relative advantages and disadvantages of the systems JS and BT. It would be interesting to either design a system that combines the advantages of both systems (i.e. sequents consisting of annotated formulas only as in BT, and a local condition for proof checking as in JS), or prove that such a system cannot exist.

Finally, it would be interesting (and in fact, it was one of the original aims of our work), to connect annotation-based sequent calculi such as JS and BT to Kozen's Hilbert-style proof system and to see whether a more structured automata-theoretic approach would yield an alternative proof of Walukiewicz' completeness result. Note that this was also the goal of Afshari & Leigh [2]; unfortunately, it was recently shown by the second author [14] that the system Clo, a key system in Afshari & Leigh's approach linking JS to Kozen's axiomatization, is in fact incomplete.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Modal Logics**

# **Extensions of K5: Proof Theory and Uniform Lyndon Interpolation**

Iris van der Giessen<sup>1(B)</sup>, Raheleh Jalali<sup>2,3</sup>, and Roman Kuznets<sup>4</sup>

> <sup>1</sup> University of Birmingham, Birmingham, UK i.vandergiessen@bham.ac.uk
> <sup>2</sup> Utrecht University, Utrecht, Netherlands
> <sup>3</sup> Czech Academy of Sciences, Prague, Czechia
> <sup>4</sup> TU Wien, Vienna, Austria roman@logic.at

**Abstract.** We introduce a Gentzen-style framework, called *layered sequent calculi*, for modal logic K5 and its extensions KD5, K45, KD45, KB5, and S5 with the goal to investigate the uniform Lyndon interpolation property (ULIP), which implies both the uniform interpolation property and the Lyndon interpolation property. We obtain complexityoptimal decision procedures for all logics and present a constructive proof of the ULIP for K5, which to the best of our knowledge, is the first such syntactic proof. To prove that the interpolant is correct, we use modeltheoretic methods, especially bisimulation modulo literals.

# **1 Introduction**

The uniform interpolation property (UIP) is an important property of a logic. It strengthens the Craig interpolation property (CIP) by making interpolants depend on only one formula of an implication, either the premise or the conclusion. A lot of work has gone into proving the UIP, and it has been shown to be useful in various areas of computer science, including knowledge representation [17] and description logics [25]. Early results on the UIP in modal logic include positive results proved semantically for the logics GL and K (independently in [9,32,35]) and negative results for the logics S4 [10] and K4 [5]. A proof-theoretic method to prove the UIP was first proposed in [30] for intuitionistic propositional logic and later adapted to modal logics, such as K and T in [5]. A general proof-theoretic method of proving the UIP for many classical and intuitionistic (non-)normal modal logics and substructural (modal) logics, based on the form of their sequent-calculus rules, was developed in the series of papers [2,3,16].

c The Author(s) 2023

I. van der Giessen—Supported by a UKRI Future Leaders Fellowship, 'Structure vs Invariants in Proofs', project reference MR/S035540/1.

R. Jalali—Acknowledges the support of the Netherlands Organization for Scientific Research under grant 639.073.807 and the Czech Science Foundation Grant No. 22- 06414L.

R. Kuznets—Supported by the Austrian Science Fund (FWF) ByzDEL project (P33600).

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 263–282, 2023. https://doi.org/10.1007/978-3-031-43513-3\_15

Apart from the UIP, we are also interested in the uniform Lyndon interpolation property (ULIP) that is a strengthening of the UIP in the sense that interpolants must respect the polarities of the propositional variables involved. Kurahashi [18] first introduced this property and proved it for several normal modal logics, by employing a semantic method using layered bisimulations. A sequent-based proof-theoretic method was used in [1] to show the ULIP for several non-normal modal logics and conditional logics.

Our long-term goal is to provide a general proof-theoretic method to (re)prove the UIP for modal logics via multisequent calculi (i.e., nested sequents, hypersequents, labelled hypersequents, etc.). Unlike many other ways of proving interpolation, the proof-theoretic treatment is constructive in that it additionally yields an algorithm for constructing uniform interpolants. Towards this goal, we build on the modular treatment of multicomponent calculi to prove the CIP for modal and intermediate logics in [8,19,21,23,24]. First steps have been made by reproving the UIP for modal logics K, D, and T via nested sequents [12] and for S5 via hypersequents [11,13], the first time this is proved proof-theoretically for S5.

In this paper, we focus on logics K5, KD5, K45, KD45, KB5, and S5. The ULIP for these logics was derived in [18, Prop. 3] from the logics' local tabularity [28] and Lyndon interpolation property (LIP) [20].

Towards a modular proof-theoretic treatment, we introduce a new form of multisequent calculi for these logics that we call *layered sequent calculi*, the structure of which is inspired by the structure of the Kripke frames for the concerned logics from [27]. For S5, this results in standard hypersequents [4,26, 31]. For K5 and KD5, the presented calculi are similar to grafted hypersequent calculi in [22] but without explicit weakening. Other, less related, proof systems include analytic cut-free sequent systems for K5 and KD5 [34], cut-free sequent calculi for K45 and KD45 [33], and nested sequent calculi for modal logics [7].

The layered sequent calculi introduced in this paper adopt a strong version of termination that only relies on a local loop-check based on saturation. For all concerned logics, this yields a decision procedure that runs in co-NP time, which is, therefore, optimal [15]. We provide a semantic completeness proof via a countermodel construction from failed proof search.

Finally, layered sequents are used to provide the first proof-theoretic proof of the ULIP for K5. The method is adapted from [11,13] in which the UIP is proved for S5 based on hypersequents. We provide an algorithm to construct uniform Lyndon interpolants purely by syntactic means using the termination strategy of the proof search. To show the correctness of the constructed interpolants, we use model-theoretic techniques inspired by bisimulation quantification in the setting of uniform Lyndon interpolation [18].

An extended version of the paper with more detailed proofs is found in [14].

### **2 Preliminaries**

The language of modal logics consists of a set Pr of countably many (*propositional*) *atoms* p, q, . . ., their *negations* p̄, q̄, . . ., *propositional connectives* ∧ and ∨,


**Table 1.** Modal axioms and their corresponding frame conditions.

*boolean constants* ⊤ and ⊥, and *modal operators* □ and ♦. A *literal* is either an atom or its negation, and the set of all literals is denoted by Lit. We define *modal formulas* in the usual way and denote them by lowercase Greek letters ϕ, ψ, . . .. We define ϕ̄ using the usual De Morgan laws to push the negation inwards (in particular, the negation of p̄ is p) and ϕ → ψ := ϕ̄ ∨ ψ. We use uppercase Greek letters Γ, Δ, . . . to refer to finite *multisets* of formulas. We write Γ, Δ to mean Γ ∪ Δ and Γ, ϕ to mean Γ ∪ {ϕ}. The set of literals of a formula ϕ, denoted Lit(ϕ), is defined recursively: Lit(⊤) = Lit(⊥) = ∅, Lit(ℓ) = {ℓ} for ℓ ∈ Lit, Lit(ϕ ∧ ψ) = Lit(ϕ ∨ ψ) = Lit(ϕ) ∪ Lit(ψ), and Lit(□ϕ) = Lit(♦ϕ) = Lit(ϕ).
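These recursive definitions translate directly into code. A minimal sketch; the tuple encoding of negation-normal-form formulas is illustrative, not the paper's notation:

```python
# Formulas in negation normal form as nested tuples:
# ('top',), ('bot',), ('lit', name, positive?), ('and', a, b),
# ('or', a, b), ('box', a), ('dia', a).

def neg(phi):
    """Push negation inwards via De Morgan, so double negation cancels."""
    tag = phi[0]
    if tag == 'top': return ('bot',)
    if tag == 'bot': return ('top',)
    if tag == 'lit': return ('lit', phi[1], not phi[2])
    if tag == 'and': return ('or', neg(phi[1]), neg(phi[2]))
    if tag == 'or':  return ('and', neg(phi[1]), neg(phi[2]))
    if tag == 'box': return ('dia', neg(phi[1]))
    if tag == 'dia': return ('box', neg(phi[1]))

def lits(phi):
    """Lit(phi) as a set of (name, polarity) pairs."""
    tag = phi[0]
    if tag in ('top', 'bot'): return set()
    if tag == 'lit': return {(phi[1], phi[2])}
    if tag in ('and', 'or'): return lits(phi[1]) | lits(phi[2])
    return lits(phi[1])  # box / dia

p, q = ('lit', 'p', True), ('lit', 'q', True)
phi = ('or', neg(p), ('box', q))         # encodes p -> []q
assert neg(neg(phi)) == phi              # double negation cancels
assert lits(phi) == {('p', False), ('q', True)}
```

Implication ϕ → ψ is then definable as `('or', neg(phi), psi)`, as in the text.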

We consider extensions of K5 with any combination of axioms 4, d, b, and t (Table 1). Several of the 16 combinations coincide, resulting in 6 logics: K5, KD5, K45, KD45, KB5, and S5 (Table 2). Throughout the paper, we assume L ∈ {K5, KD5, K45, KD45, KB5, S5} and write ⊢L ϕ iff ϕ ∈ L.

**Definition 1 (Logic** K5**).** Modal logic K5 *is axiomatized by the classical tautologies, axioms* <sup>k</sup> *and* <sup>5</sup>*, and rules modus ponens* (*from* <sup>ϕ</sup> *and* <sup>ϕ</sup> <sup>→</sup> <sup>ψ</sup> *infer* <sup>ψ</sup>) *and necessitation* (*from* ϕ *infer* ϕ)*.*

Throughout the paper we employ the semantics of Kripke frames and models.

**Definition 2 (Kripke semantics).** *A* Kripke frame *is a pair* (W, R) *where* W *is a nonempty set of* worlds *and* R ⊆ W × W *a binary relation. A* Kripke model *is a triple* (W, R, V ) *where* (W, R) *is a Kripke frame and* V : Pr → P(W) *is a* valuation function*. A formula* ϕ *is defined to be* true *at a world* w *in a model* M = (W, R, V )*, denoted* M, w ⊩ ϕ*, as follows:* M, w ⊩ ⊤*,* M, w ⊮ ⊥*, and*

M, w ⊩ p iff w ∈ V(p); M, w ⊩ p̄ iff w ∉ V(p); M, w ⊩ ϕ ∧ ψ iff M, w ⊩ ϕ and M, w ⊩ ψ; M, w ⊩ ϕ ∨ ψ iff M, w ⊩ ϕ or M, w ⊩ ψ; M, w ⊩ □ϕ iff M, v ⊩ ϕ for all v with wRv; and M, w ⊩ ♦ϕ iff M, v ⊩ ϕ for some v with wRv.
*Formula* ϕ *is* valid in M = (W, R, V )*, denoted* M ⊩ ϕ*, iff for all* w ∈ W*,* M, w ⊩ ϕ*. We call* ∅ ≠ C ⊆ W *a* cluster (*in* M) *iff* C × C ⊆ R*, i.e., the relation* R *is* total *on* C*. We write* wRC *iff* wRv *for all* v ∈ C*.*
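The truth clauses of Definition 2 can be evaluated directly on a finite model. A hedged sketch, reusing the illustrative tuple encoding of negation-normal-form formulas:

```python
# Evaluate a formula at a world of a finite Kripke model (W, R, V).
# R is a set of pairs, V maps atom names to sets of worlds; the
# encoding is illustrative, not the paper's notation.

def holds(W, R, V, w, phi):
    tag = phi[0]
    if tag == 'top': return True
    if tag == 'bot': return False
    if tag == 'lit':
        _, p, pos = phi
        return (w in V.get(p, set())) == pos  # atom vs negated atom
    if tag == 'and': return holds(W, R, V, w, phi[1]) and holds(W, R, V, w, phi[2])
    if tag == 'or':  return holds(W, R, V, w, phi[1]) or holds(W, R, V, w, phi[2])
    if tag == 'box': return all(holds(W, R, V, v, phi[1]) for v in W if (w, v) in R)
    if tag == 'dia': return any(holds(W, R, V, v, phi[1]) for v in W if (w, v) in R)

# A two-world cluster: the relation is total on {1, 2}; p holds only at 2.
W, R, V = {1, 2}, {(1, 1), (1, 2), (2, 1), (2, 2)}, {'p': {2}}
assert holds(W, R, V, 1, ('dia', ('lit', 'p', True)))           # <>p at 1
assert holds(W, R, V, 1, ('box', ('dia', ('lit', 'p', True))))  # []<>p at 1
```

Validity in M is then the conjunction of `holds` over all worlds.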


**Table 2.** Semantics for extensions of K5 (see [27,29]). Everywhere not ρRρ for the root ρ, set C is a finite cluster, and ⊔ denotes disjoint union.

We work with specific classes of Kripke models sound and complete w.r.t. the logics. The respective frame conditions for the logic L, called L*-frames*, are defined in Table 2. A model (W, R, V ) is an L*-model* iff (W, R) is an L-frame. Table 2 is a refinement of Theorem 3, shown in particular for K45, KD45, and KB5 in [29]. More precisely, we consider rooted frames and completeness w.r.t. the root, i.e., ⊢L ϕ iff for all L-models M with root ρ, M, ρ ⊩ ϕ (we often denote the latter condition by ⊩L ϕ). For each logic, this follows from easy bisimulation arguments.

**Theorem 3 (**[27]**).** *Any normal modal logic containing* K5 *is sound and complete w.r.t. a class of finite Euclidean Kripke frames* (W, R) *of one of the following forms:* (a) <sup>W</sup> <sup>=</sup> {ρ} *consists of a singleton root and* <sup>R</sup> <sup>=</sup> <sup>∅</sup>*,* (b) *the whole* <sup>W</sup> *is a cluster (any world can be considered its root), or* (c) <sup>W</sup>\{ρ} *is a cluster for a (unique) root* <sup>ρ</sup> <sup>∈</sup> <sup>W</sup> *such that* ρRw *for some* <sup>w</sup> <sup>∈</sup> <sup>W</sup>\{ρ} *while not* ρRρ*.*
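All frames in Theorem 3 are Euclidean, and on a finite frame the Euclidean condition (wRu and wRv imply uRv) can be checked by brute force. A small sketch; the set-of-pairs encoding is illustrative:

```python
# Check the Euclidean frame condition on a finite frame (W, R),
# with R given as a set of pairs.

def is_euclidean(W, R):
    return all((u, v) in R
               for w in W for u in W for v in W
               if (w, u) in R and (w, v) in R)

# Form (c) of Theorem 3: root 0 sees the cluster {1, 2}, which is total,
# while the root itself is irreflexive.
W = {0, 1, 2}
R = {(0, 1), (0, 2), (1, 1), (1, 2), (2, 1), (2, 2)}
assert is_euclidean(W, R)
assert (0, 0) not in R  # the root is irreflexive, as in form (c)
```

Forms (a) and (b) are Euclidean trivially: an empty relation satisfies the condition vacuously, and a total relation satisfies it outright.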

**Definition 4 (UIP and ULIP).** *A logic* L *has the* uniform interpolation property (UIP) *iff for any formula* <sup>ϕ</sup> *and* <sup>p</sup> <sup>∈</sup> Pr *there is a formula* <sup>∀</sup>pϕ *such that*

*(1)* Lit(∀pϕ) ⊆ Lit(ϕ) \ {p, p̄}*, (2)* ⊢L ∀pϕ → ϕ*, and (3)* ⊢L ψ → ϕ *implies* ⊢L ψ → ∀pϕ *for any formula* ψ *with* p, p̄ ∉ Lit(ψ)*.*

*A logic* L *has the* uniform Lyndon interpolation property (ULIP) *[1,18] iff for any formula* ϕ *and* ℓ ∈ Lit*, there is a formula* ∀ℓϕ *such that*

*(i)* Lit(∀ℓϕ) ⊆ Lit(ϕ) \ {ℓ}*, (ii)* ⊢L ∀ℓϕ → ϕ*, and (iii)* ⊢L ψ → ϕ *implies* ⊢L ψ → ∀ℓϕ *for any formula* ψ *with* ℓ ∉ Lit(ψ)*.*

*We call* ∀pϕ (∀ℓϕ) *the* uniform (Lyndon) interpolant of ϕ w.r.t. atom p (literal ℓ)*.*

These are often called *pre-interpolants* as opposed to their dual *post-interpolants* that, in classical logic, can be defined as ∃pϕ = ¬∀p¬ϕ and ∃ℓϕ = ¬∀ℓ̄¬ϕ, where ℓ̄ is the negation of ℓ (see, e.g., [1,5,11,18] for more explanations).

**Theorem 5.** *If a logic* L *has the ULIP, then it also has the UIP.*

*Proof.* We define a uniform interpolant of ϕ w.r.t. atom p as ∀p̄∀pϕ, a uniform Lyndon interpolant of ∀pϕ w.r.t. the literal p̄. We need to demonstrate conditions UIP(1)–(3) from Definition 4. First, it follows from ULIP(i) that Lit(∀p̄∀pϕ) ⊆ Lit(∀pϕ) \ {p̄} ⊆ Lit(ϕ) \ {p, p̄}. Second, ⊢L ∀p̄∀pϕ → ∀pϕ and ⊢L ∀pϕ → ϕ by ULIP(ii), hence ⊢L ∀p̄∀pϕ → ϕ. Finally, if ⊢L ψ → ϕ where p, p̄ ∉ Lit(ψ), then by ULIP(iii), ⊢L ψ → ∀pϕ as p ∉ Lit(ψ) and ⊢L ψ → ∀p̄∀pϕ as p̄ ∉ Lit(ψ).

#### **3 Layered Sequents**

**Definition 6 (Layered sequents).** *A* layered sequent *is a generalized onesided sequent of the form*

$$\mathcal{G} = \Gamma\_1, \dots, \Gamma\_n, [\Sigma\_1], \dots, [\Sigma\_m], [[\Pi\_1]], \dots, [[\Pi\_k]] \tag{1}$$

*where* Γ_i, Σ_i, Π_i *are finite multisets of formulas,* n, m, k ≥ 0*, and if* k ≥ 1*, then* m ≥ 1*. A layered sequent is an* L*-sequent iff it satisfies the conditions in the rightmost column of Table 3. Each* Σ_i*, each* Π_i*, and the union* ⋃_i Γ_i *is called a* sequent component *of* G*. The* formula interpretation *of a layered sequent* G *above is:*

$$\iota(\mathcal{G}) = \bigvee\_{i=1}^{n} \Big( \bigvee \Gamma\_{i} \Big) \vee \bigvee\_{i=1}^{m} \Box\Big(\bigvee \Sigma\_{i}\Big) \vee \bigvee\_{i=1}^{k} \Box\Big(\bigvee \Pi\_{i}\Big).$$

Layered sequents are denoted by G and H. The structure of a layered sequent can be viewed as at most two layers of hypersequents ([ ]*-components* Σ_i and [[ ]]*-components* Π_i forming the first and second layer, respectively) possibly nested on top of the sequent component ⋃_i Γ_i as the root. Following the arboreal terminology from [22], the root is called the *trunk* while [ ]- and [[ ]]-components form the *crown*. Analogously to nested sequents representing tree-like Kripke models, the structure of L-sequents is in line with the structure of L-models introduced in Sect. 2. We view sequent components as freely permutable, e.g., [[Π_1]], Γ_1, [Σ_1], Γ_2 and Γ_1, Γ_2, [Σ_1], [[Π_1]] represent the same layered sequent.
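The formula interpretation can be sketched as a small string-building function. A hedged sketch, assuming (as in the display above) that each crown component contributes one boxed disjunction; the names and ASCII rendering ([] for the box, v for disjunction) are illustrative:

```python
# Build the formula interpretation of a layered sequent from its trunk
# formulas and its [ ]- and [[ ]]-components, each given as a list of
# formula strings.

def big_or(forms):
    return " v ".join(forms) if forms else "bot"

def interpret(trunk, square_comps, double_comps):
    parts = list(trunk)
    parts += ["[]({})".format(big_or(s)) for s in square_comps]
    parts += ["[]({})".format(big_or(p)) for p in double_comps]
    return big_or(parts)

# The layered sequent phi, psi, [chi], [xi], [[theta]] of Example 8:
g = interpret(["phi", "psi"], [["chi"], ["xi"]], [["theta"]])
assert g == "phi v psi v [](chi) v [](xi) v [](theta)"
```

An empty component yields the empty disjunction `bot`, matching the usual convention for ⋁ over an empty multiset.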

**Table 3.** Layered sequent calculi L.L: in addition to explicitly stated rules, all L.L have axioms id<sup>P</sup> and id and rules ∨, ∧, ♦c, and t (see Fig. 1). Note that the rules of system L.L may only be applied to L-sequents.


*Remark 7.* The layered calculi presented here generalize grafted hypersequents of [22] and, hence, similarly combine features of hypersequents and nested sequents. In particular, layered sequents are generally neither pure hypersequents (except for the case of S5) nor bounded-depth nested sequents. The latter is due to the fact that the defining property of nested sequents is the tree structure of the sequent components, whereas the crown components of a layered sequent form a cluster. Although formally grafted hypersequents are defined with one layer only, this choice is more syntactic sugar than a real distinction. Indeed, the close relationship of one-layer grafted hypersequents for K5 and KD5 in [22] to the two-layer layered sequents presented here clearly manifests itself when translating grafted hypersequents into the prefixed-tableau format (see the grafted tableau system for K5 [22, Sect. 6]). There, prefixes for the crown are separated into two types, limbs and twigs, which match the separation into [ ]- and [[ ]]-components.

For a layered sequent (1), we assign labels to the components as follows: the trunk is labeled •, [ ]-components get distinct labels •1, •2,... , and [[ ]] components get distinct labels 1, 2,... . We let σ, τ, . . . range over these labels. The set of labels is denoted *Lab*(G) and <sup>σ</sup> ∈ G means <sup>σ</sup> <sup>∈</sup> *Lab*(G). We write <sup>σ</sup> : <sup>ϕ</sup> ∈ G (or <sup>σ</sup> : <sup>ϕ</sup> if no confusion occurs) when a formula <sup>ϕ</sup> occurs in a sequent component of <sup>G</sup> labeled by <sup>σ</sup>.

*Example 8.* <sup>G</sup> <sup>=</sup> ϕ, ψ, [χ], [ξ], [[θ]] is a layered sequent with the trunk and three crown components: two [ ]-components and one [[ ]]-component. Since it has both the trunk and a [[ ]]-component, it can only be a K5- or KD5-sequent. A corresponding labeled sequent is <sup>G</sup> <sup>=</sup> <sup>ϕ</sup>•, ψ•, [χ]•1, [ξ]•2, [[θ]]1, with the set *Lab*(G) = {•, •1, •2, <sup>1</sup>} of four labels. Similarly, for the KB5/S5-sequent <sup>H</sup> = [σ], [δ], a corresponding labeled sequent is <sup>H</sup> = [σ]•1, [δ]•<sup>2</sup> with *Lab*(H) = {•1, •2}.

**Fig. 1.** Layered sequent rules: the generic brackets range over both [ ] and [[ ]].

We sometimes use *unary contexts*, i.e., layered sequents with exactly one *hole*, denoted { }. Such contexts are denoted by G{ }. The insertion G{Γ} of a finite multiset Γ into G{ } is obtained by replacing { } with Γ. The hole { } in a component σ can also be labeled: G{ }_σ. We use generic bracket notation to refer to either of [ ] or [[ ]].

Using Fig. 1 and the middle column of Table 3, we define layered sequent calculi L.K5, L.KD5, L.K45, L.KD45, L.KB5, and L.S5, where L.L is the calculus for the logic L. Following the terminology from [22], we split all modal rules into *trunk rules* (subscript t) and *crown rules* (subscript c) depending on the position of the *principal* formula. We write ⊢L.L G iff G is derivable in L.L.

**Definition 9 (Saturation).** *Labeled formula* σ : ϕ ∈ G *is* saturated for L.L *iff*


*In addition, we define for any label* σ *and formula* ϕ*:*


G *is* propositionally saturated *iff all* ∨*- and* ∧*-formulas are saturated in* G*.* L*-sequent* G *is* L-saturated *iff* a) *each non-*♦ *formula is saturated,* b) *each* σ : ♦ϕ *is saturated w.r.t. every label in Lab*(G)*,* c) *each* σ : ♦ϕ *is* d*-saturated whenever* d ∈ L.L ∩ {dt, dc, d′c}*, and* d) G *is not of the form* H{⊤} *or* H{q, q̄} *for some* q ∈ Pr*.*

**Theorem 10.** *Proof search in* L.L *modulo saturation terminates and provides an optimal-complexity decision algorithm, i.e., runs in co-NP time.*

*Proof.* Given a proof search of a layered sequent G, for each layered sequent H in this proof search, consider its labeled formulas as a set F_H = {σ : ϕ | σ : ϕ ∈ H}. Let s be the number of subformulas occurring in G and N the number of sequent components in G. Since we only apply rules (other than idP and id) to non-saturated sequents, the sets F_H grow with each premise. Going bottom-up in the proof search, at most s labels of the form •i and at most s labels of the form ◦i can be created, and each label can carry at most s formulas. Therefore, the cardinality of each F_H is bounded by s(N + s + s), which is polynomial in the size of F_G. Hence, the proof search terminates modulo saturation. Moreover, since each added labeled formula is linear in the size of F_G and the non-deterministic branching in the proof search is bounded by (N + s + s) · s(N + s + s), again a polynomial in the size of F_G, this algorithm is co-NP, i.e., provides an optimal decision procedure for the logic.

**Definition 11 (Interpretations).** *An* interpretation of an L-sequent G into an <sup>L</sup>-model <sup>M</sup> = (W, R, V ) *is a function* <sup>I</sup> : *Lab*(G) <sup>→</sup> <sup>W</sup> *such that the following conditions apply whenever the respective type of labels exists in* G*:*

*1.* I(•) = ρ*, where* ρ *is the root of* M*;*

*2.* I(•)R I(•i) *for each label of the form* •i ∈ *Lab*(G)*;*

*3.* I(•i)R I(◦j) *and* I(◦j)R I(•i) *for all labels of the form* •i *and* ◦j *in Lab*(G)*;*

*4. Not* I(•)R I(◦j) *for any label of the form* ◦j ∈ *Lab*(G)*.*

Note that none of the conditions (1)–(4) apply to layered S5-sequents.

**Definition 12 (Sequent semantics).** *For any given interpretation* I *of an* L*-sequent* G *into an* L*-model* M*,*

$$\mathcal{M}, \mathcal{I} \models \mathcal{G} \qquad \text{iff} \qquad \mathcal{M}, \mathcal{I}(\sigma) \models \varphi \text{ for some } \sigma: \varphi \in \mathcal{G}.$$

G *is* valid *in* L*, denoted* ⊨L G*, iff* M, I ⊨ G *for all* L*-models* M *and interpretations* I *of* G *into* M*. We omit* L *and* M *when clear from the context.*

The proof of the following theorem is based on a countermodel construction (for more standard parts of the proof we refer to the Appendix of [14]):

**Theorem 13 (Soundness and completeness).** *For any* L*-sequent* G*,*

$$\vdash_{\mathsf{L.L}} \mathcal{G} \iff \;\models_{\mathsf{L}} \iota(\mathcal{G}) \iff \;\models_{\mathsf{L}} \mathcal{G}.$$

*Proof.* We show a cycle of implications. The left-to-middle implication, i.e., that ⊢L.L G =⇒ ⊨L ι(G), can be proved by induction on the L.L-derivation of G.

For the middle-to-right implication, i.e., ⊨L ι(G) =⇒ ⊨L G, let G be a sequent of form (1). We prove that M, I ⊭ G implies M, I(•) ⊭ ι(G) (if n = 0, use •1 in place of •). By definition, I(•) is the root of M. If M, I ⊭ G, then I(•) ⊭ ϕ for all ϕ ∈ ⋃ⁿᵢ₌₁ Γi, for each 1 ≤ i ≤ m we have I(•i) ⊭ ψ for all ψ ∈ Σi, and for each 1 ≤ i ≤ k we have I(◦i) ⊭ χ for all χ ∈ Πi. By Definition 11, in case k ≥ 1, label •1 is in G and I(•)R I(•1)R I(◦i) for each 1 ≤ i ≤ k. Therefore M, I(•) ⊭ ι(G).

Finally, we prove the right-to-left implication by contraposition using a countermodel construction: from a failed proof search of G, construct an L-model refuting G from (1). In a failed proof-search tree (Theorem 10), since ⊬L.L G, at least one saturated leaf

$$\mathcal{G}' = \Gamma', [\Sigma'\_1], \dots, [\Sigma'\_m], [\Sigma''\_1], \dots, [\Sigma''\_{m'}], [[\Pi'\_1]], \dots, [[\Pi'\_k]], [[\Pi''\_1]], \dots, [[\Pi''\_{k'}]], \dots$$

is such that ⋃ᵢ Γi ⊆ Γ′, Σi ⊆ Σ′i, and Πi ⊆ Π′i (or, for KB5, if G = Γ, then G′ = Γ′ for Γ ⊆ Γ′, or G′ = [Σ′], [Σ′1], ..., [Σ′m] with Γ ⊆ Σ′). Define M = (W, R, V ):

$$W = \operatorname{Lab}(\mathcal{G}'), \qquad V(p) = \{ \sigma \mid \sigma : \overline{p} \in \mathcal{G}' \},$$

$$R = \{ (\bullet, \bullet i) \mid \bullet i \in \operatorname{Lab}(\mathcal{G}') \} \cup \{ (\sigma, \tau) \mid \sigma, \tau \in \operatorname{Lab}(\mathcal{G}'), \sigma, \tau \neq \bullet \}.$$

Since G′ is saturated, M is an L-model. Taking the interpretation I of G into M as the identity function (or I(•) = •1 in the case of KB5), we have M, I ⊭ G as desired.
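The countermodel defined by W, R, and V above is easy to mechanize. The following Python sketch (our own illustration, not the authors' code; the string encoding of labels and of negated literals is an assumption) builds the model of Theorem 13 from a saturated leaf: the root • sees exactly the [ ]-labels •i, all crown labels see each other, and V(p) collects the labels at which the negated literal occurs.

```python
# Sketch of the countermodel construction in the proof of Theorem 13.
# Labels are strings: '•' (trunk), '•1', '•2', ... for [ ]-components,
# '◦1', '◦2', ... for [[ ]]-components; '~p' encodes the literal p-bar.

def countermodel(labels, formulas):
    """labels: set of label strings of the saturated leaf G';
    formulas: set of (label, formula) pairs of G'."""
    W = set(labels)
    V = {}
    for (sigma, phi) in formulas:
        # the literal p-bar occurring at sigma in G' makes p TRUE at sigma
        if phi.startswith('~'):
            V.setdefault(phi[1:], set()).add(sigma)
    # the root sees every [ ]-label •i, but no [[ ]]-label ◦j
    R = {('•', s) for s in W if s.startswith('•') and s != '•'}
    # all crown worlds (labels other than •) form a cluster
    R |= {(s, t) for s in W for t in W if s != '•' and t != '•'}
    return W, R, V
```

For instance, for leaf labels {•, •1, ◦1}, the root is related to •1 but not to ◦1, while •1 and ◦1 see each other (and themselves), giving the crown cluster.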

# **4 Uniform Lyndon Interpolation**

**Definition 14 (Multiformulas).** *The grammar*

𝔉 ::= σ : ϕ | (𝔉 ⩓ 𝔉) | (𝔉 ⩔ 𝔉)

*defines* multiformulas*, where* σ : ϕ *is a labeled formula. Lab*(𝔉) *denotes the set of labels of* 𝔉*. An* interpretation I *of a layered sequent* G *into a model* M *is called an* interpretation of a multiformula 𝔉 into M *iff Lab*(𝔉) ⊆ *Lab*(G)*. If* I *is an interpretation of* 𝔉 *into* M*, we define* M, I ⊨ 𝔉 *as follows:*

M, I ⊨ σ : ϕ *iff* M, I(σ) ⊨ ϕ*;* M, I ⊨ 𝔉1 ⩓ 𝔉2 *iff* M, I ⊨ 𝔉1 *and* M, I ⊨ 𝔉2*;* M, I ⊨ 𝔉1 ⩔ 𝔉2 *iff* M, I ⊨ 𝔉i *for at least one* i = 1, 2*.*

*Multiformulas* 𝔉1 *and* 𝔉2 *are said to be* equivalent*, denoted* 𝔉1 ≡L 𝔉2*, or simply* 𝔉1 ≡ 𝔉2*, iff* M, I ⊨ 𝔉1 ⇔ M, I ⊨ 𝔉2 *for any interpretation* I *of both* 𝔉1 *and* 𝔉2 *into an* L*-model* M*.*

**Lemma 15 (**[21]**).** *Any multiformula can be transformed into an equivalent one in SDNF* (*SCNF*)*, i.e., a* ⩔*-disjunction* (⩓*-conjunction*) *of* ⩓*-conjunctions* (⩔*-disjunctions*) *of labeled formulas* σ : ϕ *such that each label of the multiformula occurs exactly once per conjunct* (*disjunct*)*.*
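The SDNF transformation of Lemma 15 is essentially the usual distribution of conjunctions over disjunctions, performed label-wise. A small Python sketch (the tuple encoding of multiformulas is our own assumption, not the paper's) returning an SDNF as a list of conjuncts, each mapping a label to the formulas it carries; merging the formulas at one label conjunctively then yields the "each label occurs exactly once per conjunct" form:

```python
# A multiformula is ('lab', sigma, phi), ('and', F1, F2), or ('or', F1, F2).
# sdnf() returns a list of conjuncts; each conjunct is a dict label -> [formulas].

def sdnf(mf):
    kind = mf[0]
    if kind == 'lab':
        _, sigma, phi = mf
        return [{sigma: [phi]}]
    left, right = sdnf(mf[1]), sdnf(mf[2])
    if kind == 'or':
        # a disjunction just concatenates the disjuncts of both sides
        return left + right
    # 'and': distribute the conjunction over the two disjunctions
    out = []
    for c1 in left:
        for c2 in right:
            merged = {s: fs[:] for s, fs in c1.items()}
            for s, fs in c2.items():
                merged.setdefault(s, []).extend(fs)
            out.append(merged)
    return out
```

For example, (• : p ⩔ •1 : q) ⩓ • : r becomes the two conjuncts {• : p ∧ r} and {•1 : q, • : r}.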

**Definition 16 (Bisimilarity).** *Let* M = (W, R, V ) *and* M′ = (W′, R′, V′) *be models and* ℓ ∈ Lit*. We say* M′ *is* ℓ-bisimilar *to* M*, denoted* M′ ≤ℓ M*, iff there is a non-empty binary relation* Z ⊆ W × W′*, called an* ℓ-bisimulation *between* M *and* M′*, such that the following hold for every* w ∈ W *and* w′ ∈ W′*:*

**literals.** *if* wZw′*, then* a) M, w ⊨ q *iff* M′, w′ ⊨ q *for all atoms* q ∉ {ℓ, ℓ̄} *and* b) *if* M′, w′ ⊨ ℓ*, then* M, w ⊨ ℓ*;*

**forth.** *if* wZw′ *and* wRv*, then there exists* v′ ∈ W′ *such that* vZv′ *and* w′R′v′*;*

**back.** *if* wZw′ *and* w′R′v′*, then there exists* v ∈ W *such that* vZv′ *and* wRv*.*

M *and* M′ *are* bisimilar*, denoted* M ∼ M′*, iff there is a relation* Z ≠ ∅ *satisfying* forth *and* back*, as well as part* a) *of* literals *for any* p ∈ Pr*, in which case* Z *is called a* bisimulation*. We write* (M′, I′) ≤ℓ (M, I) *iff additionally* I(σ) Z I′(σ) *for every label* σ (*similarly for* ∼ *instead of* ≤ℓ)*.*


Note that ≤ℓ is a preorder and we have M ≤ℓ M′ iff M′ ≤ℓ̄ M. By analogy with [6, Theorem 2.20], we have the following immediate observation, which additionally holds for multiformulas (we provide a proof in [14]):
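For finite models, the conditions of Definition 16 can be checked directly. A minimal Python checker (our own sketch; models are triples of worlds, relation pairs, and a valuation dict, and a literal is encoded as an atom plus a polarity flag) verifies that a given Z is an ℓ-bisimulation, including clause b), which only allows ℓ to change from true in M to false in M′:

```python
# Check Definition 16 on finite models M = (W, R, V), M' = (Wp, Rp, Vp),
# with Z a set of pairs (w, w') and ell = (atom, positive?).

def is_l_bisimulation(Z, M, Mp, ell):
    W, R, V = M
    Wp, Rp, Vp = Mp
    atom, pos = ell
    if not Z:
        return False
    for (w, wp) in Z:
        for q in set(V) | set(Vp):
            if q != atom and (w in V.get(q, set())) != (wp in Vp.get(q, set())):
                return False            # literals (a): agree on atoms other than ell's
        holds, holdsp = w in V.get(atom, set()), wp in Vp.get(atom, set())
        if pos and holdsp and not holds:
            return False                # literals (b): M',w' |= ell implies M,w |= ell
        if not pos and holds and not holdsp:
            return False                # dually when ell is the negated literal
        for v in (t for (s, t) in R if s == w):      # forth
            if not any((v, vp) in Z and (wp, vp) in Rp for vp in Wp):
                return False
        for vp in (t for (s, t) in Rp if s == wp):   # back
            if not any((v, vp) in Z and (w, v) in R for v in W):
                return False
    return True
```

In the test below, p holds at world 1 of M but nowhere in M′; that is exactly the true-to-false change permitted for ℓ = p.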

**Lemma 17.** *Let* I *and* I *be interpretations of a layered sequent* G *into models* M *and* M *respectively.*

*1. Let* ℓ ∉ Lit(G)*. If* (M′, I′) ≤ℓ (M, I)*, then* M, I ⊨ G *implies* M′, I′ ⊨ G*.*

*2. If* (M, I) ∼ (M′, I′)*, then* M, I ⊨ G *iff* M′, I′ ⊨ G*.*

**Definition 18 (BLUIP).** *Logic* L *is said to have the* bisimulation layered-sequent uniform interpolation property (BLUIP) *iff for every literal* ℓ *and every* L*-sequent* G*, there is a multiformula* Aℓ(G)*, called a* BLU interpolant*, such that:*

*(i)* Lit(Aℓ(G)) ⊆ Lit(G) \ {ℓ} *and Lab*(Aℓ(G)) ⊆ *Lab*(G)*;*

*(ii) for each interpretation* I *of* G *into an* L*-model* M*,*

M, I ⊨ Aℓ(G) *implies* M, I ⊨ G;

*(iii) for each* L*-model* M *and interpretation* I *of* G *into* M*, if* M, I ⊭ Aℓ(G)*, then there is an* L*-model* M′ *and an interpretation* I′ *of* G *into* M′ *such that*

$$(\mathcal{M}', \mathcal{I}') \leq_{\ell} (\mathcal{M}, \mathcal{I}) \text{ and } \mathcal{M}', \mathcal{I}' \nvDash \mathcal{G}.$$

**Lemma 19.** *The BLUIP for* L *implies the ULIP for* L*.*

*Proof.* Let ∀ℓ ϕ := Aℓ(ϕ). We prove the properties of Definition 4. The variable property is immediate. For Property (ii), assume ⊬L Aℓ(ϕ) → ϕ. By completeness, we have M, ρ ⊨ Aℓ(ϕ) and M, ρ ⊭ ϕ for some L-model M with root ρ. As ρ is the root, it can be considered as an interpretation by Definition 11. By condition (ii) from Definition 18 we get a contradiction. For (iii), let ψ be a formula such that ℓ ∉ Lit(ψ) and suppose ⊬L ψ → Aℓ(ϕ). So there is an L-model M with root ρ such that M, ρ ⊨ ψ and M, ρ ⊭ Aℓ(ϕ). Again, ρ is treated as an interpretation, and by (iii) from Definition 18, there is an L-model M′ with root ρ′ such that (M′, ρ′) ≤ℓ (M, ρ) and M′, ρ′ ⊭ ϕ. By Lemma 17, M′, ρ′ ⊨ ψ, hence ⊬L ψ → ϕ as desired.

To show that the calculus L.K5 enjoys the BLUIP for K5, we need two important ingredients: model modifications that preserve bisimilarity and an algorithm to compute uniform Lyndon interpolants.

**Definition 20 (Copying).** *Let* M = (W, R, V ) *be a* K5*-model with root* ρ *and cluster* C*. Model* N = (W ⊔ {wc}, R′, V′) *is obtained by* copying w ∈ C *iff* R′ = R ∪ ({wc} × C) ∪ (C × {wc}) ∪ {(ρ, wc) | (ρ, w) ∈ R} ∪ {(wc, wc)} *and* V′(p) = V(p) ∪ {wc | w ∈ V(p)} *for any* p ∈ Pr*. Model* N′ = (W ⊔ {wc}, R′′, V′) *is obtained by* copying w away from the root *iff* R′′ = R′ \ {(ρ, wc)}*.*

**Lemma 21.** *Let model* N *be obtained by copying a world* w *from a* K5*-model* M (*possibly away from the root*)*. Let* I : X → M *and* I′ : X → N *be interpretations such that for each* x ∈ X*, either* I(x) = I′(x)*, or* I(x) = w *while* I′(x) = wc*. Then* N *is a* K5*-model and* (M, I) ∼ (N, I′)*.*
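The copying construction of Definition 20 is straightforward to implement. A Python sketch (names are ours; the model is given by its world set, relation, valuation, root, and cluster) that adds a fresh copy wc of a cluster world, wires it into the cluster with a reflexive loop, duplicates its valuation, and optionally detaches it from the root:

```python
# Sketch of Definition 20: copying a cluster world w of a K5-model,
# optionally "away from the root" (the root-to-copy edge is then omitted).

def copy_world(W, R, V, rho, C, w, away_from_root=False):
    wc = (w, 'c')                       # fresh copy of w
    R2 = set(R)
    R2 |= {(wc, x) for x in C}          # wc sees the whole cluster
    R2 |= {(x, wc) for x in C}          # and is seen by it
    R2.add((wc, wc))                    # wc sees itself
    if (rho, w) in R and not away_from_root:
        R2.add((rho, wc))               # root sees wc iff it saw w
    # wc satisfies exactly the atoms that w satisfies
    V2 = {p: (ws | {wc} if w in ws else set(ws)) for p, ws in V.items()}
    return W | {wc}, R2, V2
```

Copying preserves the K5 frame shape (root plus cluster), which is the content of Lemma 21.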

In the construction of interpolants, we use the following rules d′t and dd and sets Gc and □♦Gc of formulas from the crown of G:

$$\mathcal{G}_c = \{\varphi \mid \sigma : \varphi \in \mathcal{G},\ \sigma \neq \bullet\} \qquad \Box\Diamond\mathcal{G}_c = \{\Box\varphi \mid \Box\varphi \in \mathcal{G}_c\} \cup \{\Diamond\varphi \mid \Diamond\varphi \in \mathcal{G}_c\}$$

$$\mathsf{d}'_t\,\frac{\Gamma,\,[\{\psi \mid \Diamond\psi \in \Gamma\}] \qquad \Gamma,\,\Diamond\top}{\Gamma} \qquad\text{and}\qquad \mathsf{d_d}\,\frac{\mathcal{G},\,[\{\psi \mid \Diamond\psi \in \mathcal{G}\}]_{\bullet\mathsf{d}},\,[[\{\chi \mid \Diamond\chi \in \mathcal{G}_c\}]]_{\circ\mathsf{d}}}{\mathcal{G}}$$

Rule d′t shows similarities with rule dt from the logics KD5 and KD45, but is only applied in the absence of the crown. Rule d′t is sound for K5 because it can be viewed as a composition of an (admissible) cut on □⊥ ∨ ♦⊤ in the trunk, followed by □t in the left premise on □⊥, which creates the first crown component (though ⊥ is dropped from it); this component is then populated using several ♦t-rules for ♦ψ ∈ Γ. The label of this crown component is always •1. Rule dd provides extra information in the calculation of the uniform interpolant and is needed primarily for technical reasons. We highlight the two new sequent components created by the last instance of dd using special placeholder labels •d and ◦d for the respective brackets. These labels are purely for readability and revert to the standard •j and ◦k labels after the next instance of dd.


**Table 4.** Recursive construction of Aℓ(t, Σc; G) for G that are not K5-saturated.

To compute a uniform Lyndon interpolant ∀ℓ ξ for a formula ξ, we first compute a BLU interpolant Aℓ(0, ∅; ξ) by using the recursive function Aℓ(t, Σc; G) with three parameters, which we present below. The main parameter is a K5-sequent G, while the other two are auxiliary: t ∈ {0, 1} is a boolean variable such that t = 1 guarantees that rule dd has been applied at least once for the case when G contains diamond formulas; Σc ⊆ □♦Gc is a set of modal formulas that provides a bookkeeping strategy to prevent redundant applications of rule dd.

To calculate Aℓ(t, Σc; G), our algorithm chooses which row from Table 4 to apply by trying each of the following steps in the specified order:

1. If possible, apply rows 1–2, i.e., stop and return Aℓ(t, Σc; G) = σ : ⊤.
2. Else, if a propositional rule is applicable, apply it (e.g., row 3 for ∨) and recurse on the premise(s).
3. Else, if a □-rule is applicable, apply it (e.g., row 5 for □t) and recurse on the premise.
4. Else, G is saturated except possibly for ♦-formulas:

	- (a) if G has no ♦-formulas, stop and return Aℓ(t, Σc; G) = LitDisℓ(G) where

$$\text{LitDis}_{\ell}(\mathcal{G}) = \mathop{⩔}_{\sigma:\ell' \in \mathcal{G},\ \ell' \in \text{Lit} \setminus \{\ell\}} \sigma: \ell' \tag{2}$$

	- (b) else, if G = Γ consists of the trunk only, apply rule d′t as follows:

$$A_{\ell}(t,\Sigma_{c};\Gamma) = \left(\bullet:\Box\bot \;⩔ \mathop{⩔}_{i=1}^{h}\left(\bullet:\Diamond\delta_{i} \,⩓\, \bullet:\gamma_{i}\right)\right) ⩓ \left(\bullet:\Diamond\top \;⩔\; \operatorname{LitDis}_{\ell}(\Gamma)\right) \tag{3}$$

where the SDNF of Aℓ(0, Σc; Γ, [{ψ | ♦ψ ∈ Γ}]•1) is

$$\mathop{⩔}_{i=1}^{h} \left( \bullet 1 : \delta_{i} \;⩓\; \bullet : \gamma_{i} \right) \tag{4}$$


	- (c) else, if t = 1 and □♦Gc ⊆ Σc, stop and return Aℓ(t, Σc; G) = LitDisℓ(G);
	- (d) else, apply rule dd and return

$$A_{\ell}(t, \Sigma_c; \mathcal{G}) = \mathop{⩔}_{i=1}^{h} \left( \bullet : \Diamond\delta_i \;⩓\; \bullet 1 : \Diamond\delta'_i \;⩓ \mathop{⩓}_{\tau \in Lab(\mathcal{G})} \tau : \gamma_{i, \tau} \right) \tag{5}$$

where the SDNF of Aℓ(1, □♦Gc; G, [{ψ | ♦ψ ∈ G}]•d, [[{χ | ♦χ ∈ Gc}]]◦d) is

$$\mathop{⩔}_{i=1}^{h} \left( \bullet\mathsf{d} : \delta_i \;⩓\; \circ\mathsf{d} : \delta'_i \;⩓ \mathop{⩓}_{\tau \in Lab(\mathcal{G})} \tau : \gamma_{i,\tau} \right) \tag{6}$$

The computation of the algorithm can be seen as a proof-search tree (extended with rules d′t and dd). In this proof search, a call Aℓ(t, Σc; G) is *sufficient* (to be a BLU interpolant for G) if each branch going up from it either stops in Steps 1 or 4a or continues via Steps 4b or 4d. Otherwise, it is *insufficient*: one of its branches stops in Step 4c, say, calculating Aℓ(1, Σc; H). In this case, Aℓ(1, Σc; H) is not generally a BLU interpolant for H, but these leaves provide enough information to find a BLU interpolant for some sequent further down the proof-search tree.

*Example 22.* Consider the layered sequent G = ϕ for ϕ = p̄ ∨ ♦♦(p ∨ q). We show how to construct Ap(0, ∅; ϕ) for ℓ = p. First, we compute the proof-search tree decorated with (t, Σc) to the left of each line, according to the algorithm, using the abbreviations Γ = ϕ, p̄, ♦♦(p ∨ q) and Σ1 = ♦(p ∨ q), p ∨ q, p, q:

$$\begin{array}{ll}
(1,\{\Diamond(p\lor q)\}) & \Gamma,\,[\Sigma_{1}]_{\bullet 1},\,[\Diamond(p\lor q),p\lor q,p,q]_{\bullet\mathsf{d}},\,[[p\lor q,p,q]]_{\circ\mathsf{d}}\\
(1,\{\Diamond(p\lor q)\}) & \Gamma,\,[\Sigma_{1}]_{\bullet 1},\,[\Diamond(p\lor q),p\lor q]_{\bullet\mathsf{d}},\,[[p\lor q]]_{\circ\mathsf{d}}\\
(0,\emptyset) & \Gamma,\,[\Diamond(p\lor q),p\lor q,p,q]_{\bullet 1}\\
(0,\emptyset) & \Gamma,\,[\Diamond(p\lor q),p\lor q]_{\bullet 1}\\
(0,\emptyset) & \Gamma,\,[\Diamond(p\lor q)]_{\bullet 1} \qquad\qquad \Gamma,\,\Diamond\top\\
(0,\emptyset) & \varphi,\,\overline{p},\,\Diamond\Diamond(p\lor q)\\
(0,\emptyset) & \varphi
\end{array}$$

The sequent H = ϕ, p̄, ♦♦(p ∨ q), [♦(p ∨ q), p ∨ q, p, q]•1, [♦(p ∨ q), p ∨ q, p, q]•d, [[p ∨ q, p, q]]◦d in the left leaf is a saturated sequent with ♦-formulas, crown components, t = 1, and □♦Hc = {♦(p ∨ q)} ⊆ {♦(p ∨ q)} = Σc. Hence, by Step 4c,

$$A_p(1, \{\Diamond(p \lor q)\}; \mathcal{H}) \quad = \quad \bullet : \overline{p} \;⩔\; \bullet 1 : q \;⩔\; \bullet\mathsf{d} : q \;⩔\; \circ\mathsf{d} : q. \tag{7}$$

Applications of rule ∨ do not change the interpolant (Step 2, row 3). To compute Ap(0, ∅; Γ, [Σ1]•1) for the conclusion of dd, we convert (7) into an SDNF

$$\left(\bullet:\overline{p} \;⩓ \mathop{⩓}_{\sigma\in\{\bullet 1,\bullet\mathsf{d},\circ\mathsf{d}\}}\sigma:\top\right) ⩔ \mathop{⩔}_{\tau\in\{\bullet 1,\bullet\mathsf{d},\circ\mathsf{d}\}}\left(\tau:q \;⩓ \mathop{⩓}_{\sigma\in\{\bullet,\bullet 1,\bullet\mathsf{d},\circ\mathsf{d}\}\setminus\{\tau\}}\sigma:\top\right).$$

Now, by Step 4d, and converting into a new SDNF, we get Ap(0, ∅; Γ, [Σ1]•1) ≡

$$
\begin{split}
&\left(\bullet:(\overline{p}\wedge\Diamond\top) \;⩓\; \bullet 1:(\top\wedge\Diamond\top)\right) ⩔ \left(\bullet:(\top\wedge\Diamond\top) \;⩓\; \bullet 1:(q\wedge\Diamond\top)\right) ⩔\\
&\left(\bullet:(\top\wedge\Diamond q) \;⩓\; \bullet 1:(\top\wedge\Diamond\top)\right) ⩔ \left(\bullet:(\top\wedge\Diamond\top) \;⩓\; \bullet 1:(\top\wedge\Diamond q)\right).
\end{split}
$$

Further applications of ∨ and □t keep this interpolant intact. Note that the application of d′t does not require continuing the proof search for the right branch. Instead, Step 4b prescribes that Ap(0, ∅; ϕ, p̄, ♦♦(p ∨ q)) ≡ (• : p̄ ⩔ • : ♦⊤) ⩓

$$
\begin{split}
&\Big(\bullet:(\overline{p}\wedge\Diamond\top\wedge\Diamond(\top\wedge\Diamond\top)) \;⩔\; \bullet:(\top\wedge\Diamond\top\wedge\Diamond(q\wedge\Diamond\top)) \;⩔\\
&\;\bullet:(\top\wedge\Diamond q\wedge\Diamond(\top\wedge\Diamond\top)) \;⩔\; \bullet:(\top\wedge\Diamond\top\wedge\Diamond(\top\wedge\Diamond q)) \;⩔\; \bullet:\Box\bot\Big).
\end{split}
$$

Simplifying, we finally obtain

$$A_p(0, \emptyset; \varphi) \equiv \bullet : \left( (\overline{p} \lor \Diamond\top) \land \left( (\overline{p} \land \Diamond\top) \lor \Diamond q \lor \Diamond\Diamond q \lor \Box\bot \right) \right) \equiv \bullet : (\overline{p} \lor \Diamond\Diamond q). \tag{8}$$

To check that p̄ ∨ ♦♦q is a uniform Lyndon interpolant for ϕ w.r.t. the literal p, it is sufficient to verify that (8) is a BLU interpolant for G by checking the conditions in Definition 18. We only check BLUIP(iii) as the least trivial. If M, I ⊭ • : (p̄ ∨ ♦♦q) for an interpretation I into a K5-model M = (W, R, V ), then, by Definitions 14 and 11, M, ρ ⊭ p̄ ∨ ♦♦q for the root ρ of M. For ℓ = p, we have an ℓ-bisimulation (M′, I) ≤p (M, I) for M′ = (W, R, V′) with V′(p) = {ρ} and V′(r) = V(r) for r ≠ p, since **literals**p allows turning p from true to false. It is easy to see that M′, ρ ⊭ p̄ ∨ ♦♦(p ∨ q). Thus, M′, I ⊭ • : ϕ.
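The semantic claims of this example can be replayed mechanically. Below is a tiny model checker for finite Kripke models (our own sketch, not part of the paper) confirming, on a sample K5-model, that the interpolant p̄ ∨ ♦♦q implies ϕ = p̄ ∨ ♦♦(p ∨ q) at every world, as required by ⊢ ∀p ϕ → ϕ:

```python
# Minimal Kripke model checker: formulas are nested tuples, a model is
# (worlds, relation pairs, valuation dict atom -> set of worlds).

def holds(M, w, phi):
    W, R, V = M
    op = phi[0]
    if op == 'atom':  return w in V.get(phi[1], set())
    if op == 'neg':   return not holds(M, w, phi[1])
    if op == 'or':    return holds(M, w, phi[1]) or holds(M, w, phi[2])
    if op == 'dia':   return any(holds(M, v, phi[1]) for (u, v) in R if u == w)
    if op == 'box':   return all(holds(M, v, phi[1]) for (u, v) in R if u == w)
    raise ValueError(op)

p, q = ('atom', 'p'), ('atom', 'q')
interp = ('or', ('neg', p), ('dia', ('dia', q)))                # p-bar or <><>q
phi    = ('or', ('neg', p), ('dia', ('dia', ('or', p, q))))     # p-bar or <><>(p or q)

# a small K5-model: root 0 sees the 2-world cluster {1, 2}
M = ({0, 1, 2},
     {(0, 1), (0, 2), (1, 1), (1, 2), (2, 1), (2, 2)},
     {'p': {0}, 'q': {2}})
assert all(not holds(M, w, interp) or holds(M, w, phi) for w in {0, 1, 2})
```

This checks only the easy implication direction on one model, of course; the uniformity over all ψ with p ∉ Lit(ψ) is what the bisimulation argument above establishes.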

We have the following properties of the algorithm (we provide a proof in [14]).

**Lemma 23.** *All recursive calls* Aℓ(t, Σc; G) *in a proof-search tree of* Aℓ(0, ∅; ϕ) *have the following properties:*

	- *(a) sufficient and final when calculated via Step 1;*
	- *(b) sufficient and propositionally saturated when calculated via Step 3, with every branch going up from there consisting of further Steps 2–3, followed either by a final Step 1 or by continuation via Step 4d;*
	- *(c) insufficient and saturated when calculated via Step 4c.*

**Theorem 24.** *Logic* K5 *has the BLUIP and, hence, the ULIP.*

*Proof.* It is sufficient to prove that, once the algorithm starts on Aℓ(0, ∅; ϕ), every sufficient call Aℓ(t, Σc; G) in the proof search returns a BLU interpolant for the K5-sequent G. Because the induction on the proof search is quite technical and involves multiple cases, we demonstrate only a few representative cases, omitting simple ones, e.g., BLUIP(i), altogether. We present more cases in the Appendix of [14].

**BLUIP(**ii**)** We show that M, I ⊨ Aℓ(t, Σc; G) implies M, I ⊨ G for any interpretation I of G into any K5-model M = (W, R, V ). The hardest among Steps 1–3 is **Step 3 using row 5** in Table 4. Let G = G′, □ϕ and M, I ⊨ Aℓ(t, Σc; G′, □ϕ) for

$$A_{\ell}(t, \Sigma_c;\ \mathcal{G}', \Box\varphi) = \mathop{⩔}_{i=1}^h \left( \bullet : \Box\delta_i \;⩓ \mathop{⩓}_{\tau \in Lab(\mathcal{G})} \tau : \gamma_{i, \tau} \right), \tag{9}$$

i.e., for each 1 ≤ i ≤ h either M, ρ ⊨ □δi or M, I(τ) ⊨ γi,τ for some τ ∈ Lab(G). For an arbitrary v such that ρRv and the smallest j such that •j ∉ Lab(G), clearly Iv = I ∪ {(•j, v)} is an interpretation of G′, □ϕ, [ϕ]•j into M. Since M, Iv(•j) ⊨ δi whenever M, ρ ⊨ □δi, it follows that for each 1 ≤ i ≤ h either M, Iv(•j) ⊨ δi or M, Iv(τ) ⊨ γi,τ for some τ ∈ Lab(G), i.e., M, Iv ⊨ Aℓ(t, Σc; G′, □ϕ, [ϕ]•j) for

$$A_\ell(t, \Sigma_c;\ \mathcal{G}', \Box\varphi, [\varphi]_{\bullet j}) \equiv \mathop{⩔}_{i=1}^h \left( \bullet j : \delta_i \;⩓ \mathop{⩓}_{\tau \in Lab(\mathcal{G})} \tau : \gamma_{i,\tau} \right). \tag{10}$$

By IH, M, Iv ⊨ G′, □ϕ, [ϕ]•j whenever ρRv. If M, ρ ⊨ □ϕ, then M, I ⊨ G. Otherwise, M, Iv(•j) ⊭ ϕ for some v with ρRv. For this v, M, Iv ⊨ G′, □ϕ, hence M, I ⊨ G.

The only other case we consider here is **Step 4d**. Let M, I ⊨ Aℓ(t, Σc; G) for Aℓ(t, Σc; G) from (5), i.e., for some 1 ≤ i ≤ h we have M, ρ ⊨ ♦δi, and M, I(•1) ⊨ ♦δ′i, and M, I(τ) ⊨ γi,τ for all τ ∈ Lab(G). In particular, M, v ⊨ δi for some ρRv and M, u ⊨ δ′i for some I(•1)Ru. Let M′ be obtained by copying u into u′ away from the root in M and let J = I ∪ {(•d, v), (◦d, u′)}, a well-defined interpretation. Then M′, J ⊨ Aℓ(1, □♦Gc; G, [{ψ | ♦ψ ∈ G}]•d, [[{χ | ♦χ ∈ Gc}]]◦d), as (6) is true for M′ and J. By IH, M′, J ⊨ G, [{ψ | ♦ψ ∈ G}]•d, [[{χ | ♦χ ∈ Gc}]]◦d. If M′, v ⊨ ψ for some ♦ψ ∈ G or M′, u′ ⊨ χ for some ♦χ ∈ Gc, then M′, J ⊨ G because of ♦ψ or ♦χ respectively. Otherwise, also M′, J ⊨ G. Since (M, I) ∼ (M′, J) by Lemma 21, we have M, I ⊨ G by Lemma 17(2) in all cases.

**BLUIP(**iii**)** We show the following statement by induction restricted to sufficient calls: if M, I ⊭ Aℓ(t, Σc; G), then M′, J ⊭ G for some interpretation J of G into another K5-model M′ such that (M′, J) ≤ℓ (M, I). Here we only consider **Step 4**, as the other steps are sufficiently similar to K and S5, covered in [12,13]. Among the four subcases, Step 4a is tedious but conceptually transparent. Step 4c is trivial because the induction statement concerns only sufficient calls, while Step 4c calls are insufficient by Lemma 23. Of the remaining two steps we only have space for **Step 4d**, which is conceptually the most interesting because its recursive call may be insufficient, precluding the use of the IH for it. Let M, I ⊭ Aℓ(t, Σc; G) for Aℓ(t, Σc; G) from (5).

We first modify M and I to obtain an injective interpretation I′ into a K5-model N′ = (W′, R′, V′) such that W′ \ *Range*(I′) is non-empty and partitioned into pairs (v, u) with I′(•)R′v and not I′(•)R′u. To this end, we employ copying as per Definition 20, constructing a sequence of interpretations Ii from G into models Ni = (Wi, Ri, Vi), starting from N0 = M and I0 = I, as follows:


Then I′ = IK is an injective interpretation of G into N′.

Note that W′ \ *Range*(I′) = Y ⊔ Z ⊔ {y2 | y ∈ Y} ⊔ {z1 | z ∈ Z} ≠ ∅. Further, I′(•)R′y for all y ∈ Y, and not I′(•)R′y2 for all y ∈ Y, and I′(•)R′z1 for all z ∈ Z, and not I′(•)R′z for all z ∈ Z. Thus, we obtain the requisite partition P = {(y, y2) | y ∈ Y} ⊔ {(z1, z) | z ∈ Z} ≠ ∅ of the non-empty W′ \ *Range*(I′).

It is clear that (N′, I′) ∼ (M, I). So N′, I′ ⊭ Aℓ(t, Σc; G) by Lemma 17, i.e., for each 1 ≤ i ≤ h we have N′, ρ′ ⊭ ♦δi for ρ′ = I′(•), or N′, I′(•1) ⊭ ♦δ′i, or N′, I′(τ) ⊭ γi,τ for some τ ∈ Lab(G). Thus, for any (v, u) ∈ P and each 1 ≤ i ≤ h, we have N′, v ⊭ δi, or N′, u ⊭ δ′i, or N′, I′(τ) ⊭ γi,τ for some τ ∈ Lab(G). Hence, (6) is false under the injective interpretation Jv,u = I′ ∪ {(•d, v), (◦d, u)} into N′, i.e., abbreviating Θ = {ψ | ♦ψ ∈ G} and Φ = {χ | ♦χ ∈ Gc}, we get N′, Jv,u ⊭ Aℓ(1, □♦Gc; G, [Θ]•d, [[Φ]]◦d).

Ordinarily, here we would use the IH, but this is only possible for sufficient calls, which, alas, is not guaranteed for (6). What is known by Lemma 23 is that every branch going up from (6) leads to a call of the form

$$A_{\ell}(1, \Box\Diamond\mathcal{G}_{c};\ \mathcal{G}, [\Theta_{j}]_{\bullet\mathsf{d}}, [[\Phi_{j}]]_{\circ\mathsf{d}}), \tag{11}$$

where Θj ⊇ Θ and Φj ⊇ Φ, that returns a multiformula 𝔉j and is either sufficient, or insufficient but saturated. Let Ξ denote the multiset of the multiformulas 𝔉j returned by all these calls. Since Step 2 is the only one used between that call and all the calls comprising (11), it is clear that (6) is their conjunction, i.e., Aℓ(1, □♦Gc; G, [Θ]•d, [[Φ]]◦d) ≡ ⩓_{𝔉j ∈ Ξ} 𝔉j. Collecting all this together, we conclude that for each pair (v, u) ∈ P there is some 𝔉v,u ∈ Ξ such that

$$\mathcal{N}', \mathcal{J}_{v,u} \models \mho_{v,u}.\tag{12}$$

We distinguish between two cases. First, suppose for at least one pair (v, u) ∈ P there is a sufficient ℧v,u = Aℓ(1, □♦Gc; G, [Θv,u]•𝔡, [[Φv,u]]𝔡) satisfying (12). By the IH for this ℧v,u, there is an interpretation J′ into a K5-model M′ such that (M′, J′) ≤ℓ (N′, Jv,u) and M′, J′ ⊮ G, [Θv,u]•𝔡, [[Φv,u]]𝔡. Thus, M′, J ⊮ G for J = J′ ↾ Lab(G). Finally, by restricting to labels of G, we can see that

$$(\mathcal{M}', \mathcal{J}) \quad \leq_{\ell} \quad (\mathcal{N}', \mathcal{I}') \quad \sim_{\ell} \quad (\mathcal{M}, \mathcal{I}).\tag{13}$$

Otherwise, (12) does not hold for any pair (v, u) ∈ P and any sufficient ℧v,u ∈ Ξ. In this case, N′, Jv,u ⊨ ⋀_{℧j ∈ Ξ} ℧j guarantees the existence of an insufficient ℧v,u ∈ Ξ for each pair (v, u) ∈ P such that (12) holds. Since all these ℧v,u are insufficient, we cannot use the IH. Instead, we construct M′ and J directly, changing ℓ from true to false where needed: based on G within Range(I′) and based on the ℧v,u's outside of this range. Thanks to I′ being injective, we do not need to worry about conflicting requirements from different components of G. Similarly, P being a partition prevents conflicts outside Range(I′). Let M′ = (W′, R′, U′) be N′ with V′ changed into U′. We define V′ ↓ℓ T as the valuation that makes ℓ false in all worlds from T ⊆ W′, i.e., (V′ ↓ℓ T)(q) = V′(q) for all q ≠ p, while

$$(V' \downarrow_{\ell} T)(p) = \begin{cases} V'(p) \setminus T & \text{if } \ell = p, \\ V'(p) \cup T & \text{if } \ell = \overline{p} \end{cases}$$

where ℓ ∈ {p, p̄}. Using this notation, we define U′ = V′ ↓ℓ T_G, where

$$T_{\mathcal{G}} = \{ \mathcal{I}'(\sigma) \mid \sigma:\ell \in \mathcal{G} \} \sqcup \{ v \mid (v, u) \in P \text{ and } \bullet\mathfrak{d}:\ell \in \mho_{v,u} \} \sqcup \{ u \mid (v, u) \in P \text{ and } \mathfrak{d}:\ell \in \mho_{v,u} \}. \tag{14}$$

Finally, J = I′. It is clear that (13) holds for these M′ and J. It remains to show that M′, J ⊮ G. This is done by mutual induction on the construction of the formula ϕ for the following three induction statements:

$$\sigma : \varphi \in \mathcal{G} \implies \mathcal{M}', \mathcal{J}(\sigma) \not\models \varphi,\tag{15}$$

$$\bullet\mathfrak{d} : \varphi \in \mho_{v,u} \implies \mathcal{M}', v \not\models \varphi,\tag{16}$$

$$\mathfrak{d} : \varphi \in \mho_{v,u} \implies \mathcal{M}', u \not\models \varphi. \tag{17}$$


Since v, u, and I′(τ) are all in the cluster C′ of M′, we have vR′I′(τ) and uR′I′(τ). It remains to use IH(16) and IH(17).

**Case** ϕ = ♦ξ**.** First consider σ = • and • : ♦ξ ∈ G. Since I′(•) = ρ is the root, ρR′w implies either w = I′(•j) for some j or w ∉ Range(I′). In the former case, •j : ξ ∈ G by saturation of G, so M′, w ⊮ ξ by IH(15). In the latter case, (w, u) ∈ P for some u. Recall for Aℓ(1, □♦Gc; G, [Θw,u]•𝔡, [[Φw,u]]𝔡) that we have Θw,u ⊇ Θ = {ψ | ♦ψ ∈ G} ∋ ξ. Hence, •𝔡 : ξ ∈ ℧w,u and M′, w ⊮ ξ by IH(16). Since M′, w ⊮ ξ for all w with I′(•) = ρR′w, we conclude M′, I′(•) ⊮ ♦ξ.

If σ ≠ • and σ : ♦ξ ∈ G, the argument is similar, but additionally we may have w = I′(k) for some k, or (v, w) ∈ P for some v. In the former case, k : ξ ∈ G by saturation of G, so M′, w ⊮ ξ by IH(15). In the latter case, Φv,w ⊇ Φ = {χ | ♦χ ∈ Gc} ∋ ξ. Hence, 𝔡 : ξ ∈ ℧v,w and M′, w ⊮ ξ by IH(17). Since M′, w ⊮ ξ for all I′(σ)R′w, we conclude M′, I′(σ) ⊮ ♦ξ.

If •𝔡/𝔡 : ♦ξ ∈ ℧v,u, then, similarly to the analogous subcase above, the conditions of Step 4c imply that ♦ξ ∈ Gc, i.e., τ0 : ♦ξ ∈ G for some τ0 ≠ •. Then τ : ξ ∈ G for all τ ≠ • by saturation of G. Thus, M′, I′(τ) ⊮ ξ for all τ ≠ • by IH(15). For each y ∉ Range(I′) such that ρR′y, there is an x such that (y, x) ∈ P and •𝔡 : ξ ∈ ℧y,x because Θy,x ⊇ Θ ∋ ξ. Hence, M′, y ⊮ ξ by IH(16). Finally, for each x ∉ Range(I′) such that not ρR′x, there is a y such that (y, x) ∈ P and 𝔡 : ξ ∈ ℧y,x because Φy,x ⊇ Φ ∋ ξ. Hence, M′, x ⊮ ξ by IH(17). We have shown that M′, w ⊮ ξ whenever vR′w (uR′w). Thus, M′, v ⊮ ♦ξ and M′, u ⊮ ♦ξ.

# **5 Conclusion**

We presented layered sequent calculi for several extensions of modal logic K5: namely, K5 itself, KD5, K45, KD45, KB5, and S5. By leveraging the simplicity of Kripke models for these logics, we were able to formulate these calculi in a modular way and obtain optimal complexity upper bounds for proof search. We used the calculus for K5 to obtain the first syntactic (and, hence, constructive) proof of the uniform Lyndon interpolation property for K5.

Due to the proof being technically involved, space considerations prevented us from extending the syntactic proof of ULIP to KD5, K45, KD45, KB5, and S5. For S5, layered sequents coincide with hypersequents, and we plan to upgrade the hypersequent-based syntactic proof of UIP from [11] to ULIP (see also [13]). As for KD5, K45, KD45, and KB5, the idea is to modify the method presented here for K5 by using the layered sequent calculus for the respective logic and making other necessary modifications, e.g., to rule dd, to fit the specific structure of the layers. We conjecture that the proof for K45, KD45, and KB5 would be similar to that for S5, whereas KD5 would more closely resemble K5.

**Acknowledgments.** Iris van der Giessen and Raheleh Jalali are grateful for the productive and exciting four-week research visit to the Embedded Computing Systems Group at TU Wien. The authors thank the anonymous reviewers for their useful comments.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# On Intuitionistic Diamonds (and Lack Thereof)

Anupam Das and Sonia Marin(B)

University of Birmingham, Birmingham, UK {a.das,s.marin}@bham.ac.uk

Abstract. A variety of intuitionistic versions of modal logic *K* have been proposed in the literature. An apparent misconception is that all these logics coincide on their □-only (or ♦-free) fragment, suggesting some robustness of '□-only intuitionistic modal logic'. However in this work we show that this is not true, by consideration of negative translations from classical modal logic: Fischer Servi's *IK* proves strictly more ♦-free theorems than Fitch's *CK*, and indeed than i*K*, the minimal □-normal intuitionistic modal logic.

On the other hand we show that the smallest extension of i*K* by a normal ♦ is in fact conservative over i*K* (over ♦-free formulas). To this end, we develop a novel proof calculus based on nested sequents for intuitionistic propositional logic due to Fitting. Along the way we establish a number of new metalogical results.

Keywords: Modal logic · Intuitionistic logic · Negative translation · Proof theory · Nested sequents · Cut-elimination

# 1 Introduction

Usual (propositional) modal logic extends the language of classical propositional logic (*CPL*) by two modalities, □ and ♦, informally representing 'necessity' and 'possibility', resp. This informality is made precise by relational semantics, which gives rise to the 'standard translation', allowing us to distill the normal modal logic *K* as a well-behaved fragment of first-order logic (FOL).

Notably, over classical logic, □ and ♦ are De Morgan dual, just like ∀ and ∃: we have ♦A = ¬□¬A. However, in light of the association with FOL, one would naturally expect an intuitionistic counterpart of modal logic not to satisfy any such reduction. The pursuit of a reasonable definition for an 'intuitionistic' modal logic goes back decades, including works such as [7–9,14] as early as the 1950s-60s, more developments [13,25,29,32] in the 1970s, and a growing interest [6,12,17,26,28,30,31,34,35] in the 1980s. See [33] or [20] for a survey.

The smallest such logic that is typically considered is i*K*, obtained by simply extending intuitionistic propositional logic (*IPL*) by the axiom k<sup>1</sup> and rules *mp*, *nec* from Fig. 1, but not including any axioms involving ♦, e.g. [6,36]. It


Fig. 1. Axioms and rules for intuitionistic modal logics.

seems that Fitch [14] was the first one to propose a way to treat ♦ in an intuitionistic setting by considering a version of *CK*, extending i*K* with k2. *CK* enjoys a rather natural proof-theoretic formulation [35] that simply adapts the sequent calculus for *K* according to the usual intuitionistic restriction: each sequent may have just one formula on the RHS. What is more, cut-elimination for this simple calculus is just a specialisation of the classical case.

*IK*, which includes all axioms and rules in Fig. 1, was introduced by [28] and is equivalent to the logic proposed by [31], or even to [12] in the context of intuitionistic tense logic. In [33] Simpson gives logical arguments in favour of *IK*, namely as a logic that corresponds to intuitionistic FOL along the same standard translation that lifts *K* to classical FOL. The price to pay, however, is steep: there is no known cut-free sequent calculus complete for *IK*. On the other hand, Simpson demonstrates how the relational semantics of classical modal logic may be leveraged to recover a labelled sequent calculus. The cut-elimination theorem, this time, specialises the cut-elimination theorem for intuitionistic FOL.

Contribution. An apparently widespread perception about intuitionistic modal logics is that i*K* and *IK* (and so all logics in between) coincide on their '□-only' (i.e. ♦-free) fragments. We show that this is not true by giving an explicit separation of *IK* from i*K* (also *CK*) by a ♦-free formula, and go on to initiate a comparison of the various logics by their ♦-free fragments. For the first separation, we show *IK* validates a form of Gödel-Gentzen translation from *K*, but that *CK* does not; the simplest such separation arising from this is given by ¬¬□⊥ → □⊥. An important question at this point is whether it is even possible to conservatively extend i*K* by a normal ♦, i.e. is *CK* + k<sup>3</sup> + k<sup>5</sup> ♦-free conservative over *CK*? We answer this positively by designing a new system for the logic based on Fitting's nested sequents for *IPL* [16] and proving a cut-elimination result. Our results are summarised in Fig. 2.

Some of the ideas behind this work were announced and discussed on *The Proof Theory Blog* in 2022 [11] (but have not been peer-reviewed before). We shall reference that discussion further in Sect. 4.

# 2 Preliminaries

Let us fix a countable set of *propositional variables*, written p, q etc. When working in predicate logic, we shall simultaneously construe these as unary predicate symbols, and further fix an (infix) binary relation symbol R.

Fig. 2. Comparison of ♦-free fragments. Solid arrows denote inclusion, dashed arrows denote non-inclusion. All new results of this work are in red, where faded arrows are consequences of the non-faded ones. The dotted blue ? arrow is apparently open. (Color figure online)

Throughout this paper we shall work with *(modal propositional) formulas*, written A, B etc., generated by:

$$A \quad ::= \quad \bot \quad | \quad p \quad | \quad (A \lor B) \quad | \quad (A \land B) \quad | \quad (A \to B) \quad | \quad \Diamond A \quad | \quad \Box A$$

We may write <sup>¬</sup><sup>A</sup> := <sup>A</sup> → ⊥, and frequently omit brackets to aid legibility when it is unambiguous. We write, say, <sup>A</sup> <sup>→</sup> <sup>B</sup> <sup>→</sup> <sup>C</sup> for <sup>A</sup> <sup>→</sup> (<sup>B</sup> <sup>→</sup> <sup>C</sup>).

Due to space constraints, we shall not cover any formal semantics in this work; however it is insightful to recall how modal formulas may be viewed as a fragment of first-order predicate logic. The *standard translation* is a certain action of modal formulas on first-order variables given by a predicate formula:

Definition 1 (Standard translation). *For modal formulas* A *we define the predicate formula* A(x) *by:*

$$\begin{aligned} \bot(x) &:= \bot & (A \lor B)(x) &:= A(x) \lor B(x) \\ p(x) &:= px & (A \land B)(x) &:= A(x) \land B(x) \\ && (A \to B)(x) &:= A(x) \to B(x) \\ (\Diamond A)(x) &:= \exists y (xRy \land A(y)) \\ (\Box A)(x) &:= \forall y (xRy \to A(y)) \end{aligned}$$

For the reader familiar with the usual relational semantics of modal logic, note that the formula A(x) simply describes the evaluation of the modal formula A at a 'world' x, within predicate logic. From this point of view we have:
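The clauses of Definition 1 can be transcribed mechanically. Below is a small sketch (the tagged-tuple encoding `'bot'`/`'var'`/`'or'`/`'and'`/`'imp'`/`'dia'`/`'box'` and the `x0, x1, ...` variable naming are our own illustrative choices, not the paper's notation) rendering the standard translation as a first-order formula string:

```python
# Sketch of the standard translation A(x); tuple encoding is our own choice.

def st(a, x='x0', d=1):
    """Standard translation A(x) of modal formula `a` at world variable `x`."""
    tag = a[0]
    if tag == 'bot':
        return '⊥'
    if tag == 'var':
        return f'{a[1]}{x}'                          # px: unary predicate p at x
    if tag in ('or', 'and', 'imp'):
        op = {'or': '∨', 'and': '∧', 'imp': '→'}[tag]
        return f'({st(a[1], x, d)} {op} {st(a[2], x, d)})'
    y = f'x{d}'                                      # fresh world variable
    body = st(a[1], y, d + 1)
    if tag == 'dia':
        return f'∃{y}({x}R{y} ∧ {body})'
    return f'∀{y}({x}R{y} → {body})'                 # 'box'

assert st(('dia', ('var', 'p'))) == '∃x1(x0Rx1 ∧ px1)'
assert st(('box', ('imp', ('var', 'p'), ('bot',)))) == '∀x1(x0Rx1 → (px1 → ⊥))'
```

Nesting under a ♦ or □ simply introduces one more bound world variable, mirroring the quantifier alternation of the image fragment.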

Definition 2. *K is the set of modal formulas* A *s.t.* A(x) *is classically valid.*

#### 2.1 Some Axiomatisations and Characterisations

The intuitionistic modal logics we consider will always be extensions of intuitionistic propositional logic (*IPL*) by some of the axioms and rules in Fig. 1. Let us first point out the following well-known axiomatisation:

Proposition 3 (see, e.g., [4,5]). *The* ♦*-free fragment of K is axiomatised by classical propositional logic (CPL),* k1*, mp and nec.*

In classical modal logic it suffices at this point to set ♦A ↔ ¬□¬A in order to recover the full axiomatisation of *K*, but this will not (in general) be the case for the intuitionistic modal logics we are concerned with.
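The classical duality ♦A ↔ ¬□¬A can be checked mechanically on finite models. The following is a minimal sketch of a classical Kripke evaluator (our own illustration, not from the paper; formulas are encoded as tagged tuples, e.g. `('dia', ('var', 'p'))` for ♦p):

```python
# Minimal classical Kripke evaluator; encoding and sample model are ours.

def holds(a, w, R, V):
    """Truth of formula `a` at world `w` in the model (R, V)."""
    tag = a[0]
    if tag == 'bot':
        return False
    if tag == 'var':
        return w in V.get(a[1], set())
    if tag == 'or':
        return holds(a[1], w, R, V) or holds(a[2], w, R, V)
    if tag == 'and':
        return holds(a[1], w, R, V) and holds(a[2], w, R, V)
    if tag == 'imp':
        return (not holds(a[1], w, R, V)) or holds(a[2], w, R, V)
    if tag == 'dia':
        return any(holds(a[1], v, R, V) for v in R.get(w, set()))
    return all(holds(a[1], v, R, V) for v in R.get(w, set()))  # 'box'

def neg(a):
    return ('imp', a, ('bot',))

R = {0: {1, 2}, 1: {2}, 2: set()}   # accessibility relation of a sample frame
V = {'p': {1}}                      # valuation
A = ('var', 'p')
for w in R:                         # ♦A and ¬□¬A agree at every world
    assert holds(('dia', A), w, R, V) == holds(neg(('box', neg(A))), w, R, V)
```

Classically this agreement holds in every model; intuitionistically, as discussed above, no such reduction is available.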

$$\begin{gathered} {\scriptstyle id}\,\frac{}{\Gamma, A \Rightarrow A} \qquad {\scriptstyle w}\,\frac{\Gamma \Rightarrow A}{\Gamma, \Gamma' \Rightarrow A} \qquad {\scriptstyle \bot\text{-}l}\,\frac{}{\Gamma, \bot \Rightarrow A} \qquad {\scriptstyle \Box}\,\frac{\Gamma \Rightarrow A}{\Box\Gamma \Rightarrow \Box A} \qquad {\scriptstyle \Diamond}\,\frac{\Gamma, A \Rightarrow B}{\Box\Gamma, \Diamond A \Rightarrow \Diamond B} \\ {\scriptstyle \lor\text{-}l}\,\frac{\Gamma, A \Rightarrow C \qquad \Gamma, B \Rightarrow C}{\Gamma, A \lor B \Rightarrow C} \qquad {\scriptstyle \land\text{-}l}\,\frac{\Gamma, A_i \Rightarrow B}{\Gamma, A_0 \land A_1 \Rightarrow B} \qquad {\scriptstyle \to\text{-}l}\,\frac{\Gamma \Rightarrow A \qquad \Gamma, B \Rightarrow C}{\Gamma, A \to B \Rightarrow C} \\ {\scriptstyle \lor\text{-}r}\,\frac{\Gamma \Rightarrow A_i}{\Gamma \Rightarrow A_0 \lor A_1} \qquad {\scriptstyle \land\text{-}r}\,\frac{\Gamma \Rightarrow A \qquad \Gamma \Rightarrow B}{\Gamma \Rightarrow A \land B} \qquad {\scriptstyle \to\text{-}r}\,\frac{\Gamma, A \Rightarrow B}{\Gamma \Rightarrow A \to B} \end{gathered}$$

Fig. 3. The cut-free sequent calculus LCK, obtained from the calculus for *K* by requiring exactly one formula on the RHS.

Definition 4. *We define the following intuitionistic modal logics:* i*K* := *IPL* + k<sup>1</sup> + *mp* + *nec*; *CK* := i*K* + k<sup>2</sup>; *IK* := *CK* + k<sup>3</sup> + k<sup>4</sup> + k<sup>5</sup>.


i*K* was studied in, e.g., [6] and [36]. The logic *CK* + k<sup>5</sup> was considered in [35], while the restriction to *CK* itself was given a categorical treatment in [3] and further in [23]. *IK* was first defined in [30] and [28], and investigated in detail in [33]. Note that it is clear from the definitions that i*K* ⊆ *CK* ⊆ *IK*.

Since we do not work with formal semantics, we shall introduce certain proof theoretic characterisations of the logics above in order to more easily reason about (non-)provability. At the same time, these characterisations will expose some naturality underlying the logics i*K*, *CK* and *IK*.

First, let us point out that classical modal logic *K* has a simple sequent calculus, extending the usual propositional fragment of Gentzen's LK by the modal rules (see, e.g., [15]):

$$
\diamond \frac{\Gamma, A \Rightarrow \Delta}{\Box \Gamma, \Diamond A \Rightarrow \Diamond \Delta} \qquad \Box \frac{\Gamma \Rightarrow \Delta, A}{\Box \Gamma \Rightarrow \Diamond \Delta, \Box A}
$$

Here Γ and Δ are sets of formulas (*cedents*) and ⇒ is just a syntactic delimiter. A *sequent* Γ ⇒ Δ is understood logically as ⋀Γ → ⋁Δ, its *formula translation*. Note in particular here the symmetry of the two rules, underpinned by the De Morgan duality between ♦ and □ in classical modal logic.

The characteristic property of the logic *CK* is that it is obtained from the sequent calculus for *K* by imposing the usual intuitionistic restriction: each sequent must have exactly one formula on the RHS. Formally, writing LCK for the (cut-free) sequent calculus given in Fig. 3, we have the well-known result:

#### Theorem 5 (e.g., implied by [35]). LCK *is sound and complete for CK.*

This has an entirely syntactic proof, simulating the axiomatisation of *CK* using a 'cut' rule and proving cut-elimination (for the completeness direction). An immediate (and well-known) consequence of this result is the following, justifying the leftmost node of Fig. 2:

Corollary 6. *CK is conservative over* i*K, over* ♦*-free formulas.*

*Proof (idea).* By the subformula property of LCK, only ♦-free formulas appear in any proof with a ♦-free conclusion. It is easily verified that any inference step whose premisses and conclusion are ♦-free is already derivable in i*K*.
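The subformula-closure fact underlying this argument is easy to check on examples. A sketch under our own tuple encoding of formulas (`'dia'` marking ♦; this is illustration, not the paper's formalism):

```python
# Sketch: a ♦-free formula has only ♦-free subformulas, so (by the subformula
# property) every sequent in a cut-free LCK proof of it is ♦-free as well.

def subformulas(a):
    subs = {a}
    for b in a[1:]:
        if isinstance(b, tuple):     # tuple components are subformulas
            subs |= subformulas(b)
    return subs

def diamond_free(a):
    return all(s[0] != 'dia' for s in subformulas(a))

A = ('imp', ('box', ('var', 'p')), ('box', ('and', ('var', 'p'), ('var', 'q'))))
assert diamond_free(A)               # □p → □(p ∧ q) is ♦-free throughout
assert not diamond_free(('dia', A))
```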

Let us now turn to *IK*. One of the principal motivations behind *IK* is its compatibility with the standard translation, analogous to classical *K*:

Theorem 7 (Intuitionistic standard translation, [33]). *IK is the set of modal formulas whose standard translations are intuitionistically valid.*

This result corresponds to Simpson's 'Requirement 6' in his PhD thesis [33]. Note here the analogy to *K*'s relationship with classical predicate logic, cf. Definition 2. The proof of the above theorem is a priori nontrivial and is beyond the scope of this work. Importantly, this result induces a proof-theoretic characterisation of *IK* similar to that of *CK*, only beginning from a different underlying calculus. Namely, *IK* can be obtained from the 'labelled' calculus for *K* (e.g. [24]) by requiring that each sequent has exactly one formula on the RHS.

*Remark 8.* Before closing this section it is worthwhile to mention that several other logics intermediate between *CK* and *IK* have been studied. One notable choice is Wijesekera's *CK* + k5, sometimes called *WK* (e.g. in [10]). Wijesekera used a minor adaptation of LCK that allows an *empty* RHS (as well as a singleton one), resulting in a calculus that is sound and (cut-free) complete for *WK* [35]. We shall return to this idea later, but for now let us point out that a similar argument to Corollary 6 above indeed shows that even *WK* is ♦-free conservative over i*K*. This will be subsumed by our later result for *CK* + k<sup>3</sup> + k5.

# 3 Separating *CK* and *IK* over the ♦-Free Fragment

In this section we shall justify the main subject matter of this work: the comparison of ♦-free fragments of intuitionistic modal logics. That such an investigation is even nontrivial is surprising: for decades now numerous papers have claimed that i*K*, *CK*, *IK* all coincide on their ♦-free fragments.<sup>1</sup> Here we show that this is not the case.

<sup>1</sup> It is not the purpose of this paper to enumerate all such cases in the literature (nor do we believe it is fruitful to do so), but we point the reader to the blog post [11] for more background underlying this perception.

#### 3.1 The Gödel-Gentzen Negative Translation

Gödel and Gentzen (independently) introduced certain double negation translations for embedding classical first-order predicate logic into its intuitionistic counterpart [18,19]. Inspired by the 'standard translation' of Definition 1, we duly adapt this translation to the language of modal logic:

Definition 9 (Gödel-Gentzen negative translation). *For each modal formula* A *we define another modal formula* A<sup>N</sup> *as follows:*

$$\begin{aligned} \bot^{N} &:= \bot & (A \land B)^{N} &:= A^{N} \land B^{N} \\ p^{N} &:= \neg\neg p & (A \to B)^{N} &:= A^{N} \to B^{N} \\ (A \lor B)^{N} &:= \neg(\neg A^{N} \land \neg B^{N}) & (\Diamond A)^{N} &:= \neg\Box\neg A^{N} \\ && (\Box A)^{N} &:= \Box A^{N} \end{aligned}$$

Note that the image of · <sup>N</sup> is {∨,♦}-free: it is formed from only the 'negative' connectives ⊥, ∧, →, □. For the reader familiar with the usual Gödel-Gentzen translation · <sup>N</sup> on first-order predicate formulas, note that our translation above is justified by the standard translation from Definition 1: A<sup>N</sup>(x) is the same as A(x)<sup>N</sup>, up to double negations in front of atomic relational formulas xRy. Nonetheless, due to this slight difference, and for self-containment of the exposition, it is better to give the necessary characterisations explicitly.
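The clauses of Definition 9 transcribe directly into a recursive pass. In this sketch the tuple encoding of formulas is our own choice, and the ∨-clause ¬(¬·∧¬·) is the standard Gödel-Gentzen choice for disjunction; we also confirm on an example that the image is {∨,♦}-free:

```python
# Sketch of the negative translation A ↦ A^N (tuple encoding is ours).

def neg(a):
    return ('imp', a, ('bot',))

def gg(a):
    """Gödel-Gentzen negative translation of a modal formula."""
    tag = a[0]
    if tag == 'bot':
        return a
    if tag == 'var':
        return neg(neg(a))
    if tag == 'or':                              # standard GG clause for ∨
        return neg(('and', neg(gg(a[1])), neg(gg(a[2]))))
    if tag == 'and':
        return ('and', gg(a[1]), gg(a[2]))
    if tag == 'imp':
        return ('imp', gg(a[1]), gg(a[2]))
    if tag == 'dia':
        return neg(('box', neg(gg(a[1]))))
    return ('box', gg(a[1]))                     # 'box'

def connectives(a):
    out = {a[0]}
    for b in a[1:]:
        if isinstance(b, tuple):
            out |= connectives(b)
    return out

A = ('or', ('dia', ('var', 'p')), ('box', ('var', 'q')))
assert connectives(gg(A)).isdisjoint({'or', 'dia'})   # image is {∨,♦}-free
```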

#### 3.2 *IK* Validates Gödel-Gentzen

Lemma 10 (Negativity). *IK proves the following:*

$$\begin{array}{cc} \neg\neg\bot \to \bot & \neg\neg(A\land B) \to \neg\neg A\land \neg\neg B\\ \neg\neg\neg A \to \neg A & \neg\neg(A\to B) \to \neg\neg A \to \neg\neg B \end{array} \qquad \neg\neg\Box A \to \Box\neg\neg A$$

*Proof.* The non-modal cases are already theorems of *IPL*, so it remains to check the final case:


Let us point out that k<sup>3</sup> was not used in the argument above. We shall keep track of (non-)use of k<sup>3</sup> during this section and state stronger results later. From here, by structural induction on formulas, using the above lemma, we have:

# Lemma 11 (Double-negation elimination). *IK* ⊢ ¬¬A<sup>N</sup> → A<sup>N</sup>*.*

# Theorem 12. *If K* ⊢ *A, then IK* ⊢ *A*<sup>N</sup>*.*

*Proof (sketch).* Referring to Proposition 3, simply take an axiomatic *K* proof of <sup>A</sup> and replace every formula by its image under · <sup>N</sup> . Any non-constructive reasoning is justified by appealing to Lemma 11 above.<sup>2</sup>

Let us point out that no modal reasoning was used to justify Lemma 11 and Theorem 12, further to what we used for Lemma 10. Thus it is immediate that *CK* + k<sup>4</sup> + k<sup>5</sup> also validates the Gödel-Gentzen translation:

Corollary 13. *If K* ⊢ *A, then CK* + k<sup>4</sup> + k<sup>5</sup> ⊢ *A*<sup>N</sup>*.*

*Example 14.* Instantiating the □-case of the proof of Lemma 10 with A = ⊥, and since *IPL* ⊢ ¬¬⊥ → ⊥, we have that *CK* + k<sup>4</sup> + k<sup>5</sup> ⊢ ¬¬□⊥ → □⊥.

#### 3.3 *CK* Does *Not* Validate Gödel-Gentzen

On the other hand, it is easy to show that *CK* does *not* validate the Gödel-Gentzen translation. In particular the simplest such separation is given by:

Proposition 15. *CK* ⊬ ¬¬□⊥ → □⊥*.*

*Proof.* By case analysis on cut-free bottom-up proof search in LCK. The only applicable rule is →-r, requiring us to prove ¬¬□⊥ ⇒ □⊥. At this stage there are two possible choices:


Recalling Lemma 10 for *IK*, what breaks down here for *CK* is the negativity of the □, i.e. ¬¬□A → □¬¬A. Its underivability in *CK* is immediate from Proposition 15 above, cf. Example 14. In particular we have:

Corollary 16. *CK* + k<sup>4</sup> + k<sup>5</sup> *(and so also IK) proves strictly more* ♦*-free theorems than CK (and so also* i*K).*

<sup>2</sup> Note that a common axiomatisation of *CPL* simply extends *IPL* by ¬¬<sup>A</sup> <sup>→</sup> <sup>A</sup>. <sup>3</sup> Recall that <sup>¬</sup><sup>A</sup> := <sup>A</sup> → ⊥.

# 4 Perspectives

#### 4.1 On Other Separations and ♦-Free Axiomatisations

Despite the separation in the preceding section, i*K* and *CK* are known to validate some other double-negation translations, see e.g. [22]. Of course, none of these translations rely on negativity of the □, i.e. ¬¬□A → □¬¬A. Our separation was announced (but not peer-review published) in a post on *The Proof Theory Blog* in August 2022 [11]. The discussion therein covered several other separating formulas too. In particular, Alex Simpson reported a separation C = (¬□⊥ → □⊥) → □⊥, privately communicated to him in 1996 by Carsten Grefe. Let us point out that this latter separation is already a consequence of Proposition 15, as even *IPL* already proves C → ¬¬□⊥ → □⊥: it is an instance of the *IPL* theorem ((¬A → A) → A) → ¬¬A → A with A = □⊥.

In the same discussion it was mentioned that the ♦-free fragment of *IK* was not finitely ♦-free axiomatisable. We could not find this result in the literature, nor could we easily verify it independently. While its status is beyond the scope of this work, let us make an observation:

#### Proposition 17. *We have:*


*Proof (sketch).* Replacing ♦· by ¬□¬· and · ∨ · by ¬(¬· ∧ ¬·) in the axioms k<sup>1</sup>–k<sup>5</sup> yields theorems of *CK* + k<sup>4</sup> + k<sup>5</sup>. Both results follow from here by carrying out the same replacement everywhere in an axiomatic proof, construing the modified versions of k<sup>1</sup>–k<sup>5</sup> as the underlying axiomatisation.

Note that an immediate consequence of the result above is that, if indeed the ♦-free fragment of *IK* is not finitely axiomatised, then it is separated from the ♦-free fragment of *CK* + k<sup>4</sup> + k<sup>5</sup>, and any such separation must make crucial use of ∨, cf. the blue arrow in Fig. 2.

#### 4.2 On ♦-Normality and the Problem of *CK* **+** *k***<sup>3</sup> +** *k***<sup>5</sup>**

The ♦-free separation of i*K* and *IK* forces us to question some of the 'canonical' aspects of '□-only intuitionistic modal logic' i*K*. Above all, it is not clear whether fixing i*K* (or the ♦-free fragment of *CK*) forces, say, *ab*normality of the ♦; equivalently, does normality of the ♦, i.e. k<sup>3</sup> + k5, force more ♦-free theorems over i*K* (or *CK*)? Let us point out that in the post [11] there was significant discussion about the status of *CK* + k<sup>3</sup> + k5, with no definitive resolution about its ♦-free fragment with respect to i*K*, *CK*, *IK*. The remainder of this paper is devoted to a resolution of this question; namely, *CK* + k<sup>3</sup> + k<sup>5</sup> is indeed ♦-free conservative over i*K*, cf. Fig. 2.

Before turning to that, let us briefly discuss why the status of *CK* + k<sup>3</sup> + k<sup>5</sup> is somewhat nontrivial. Recalling Remark 8, it would be natural to further generalise the calculus LCK to a 'multi-succedent' version, allowing *any number* of formulas on the RHS, not just 1 (or 0 for *WK*). The RHS singleton restriction now only applies to the □ and →-r rules. The idea is that, while 0 formulas on the RHS correspond to k5, many could correspond to k3. Indeed this seems promising in light of the following (cut-free) multi-succedent proofs of those axioms:

$$k_3:\ \dfrac{\dfrac{\dfrac{\dfrac{}{A \lor B \Rightarrow A, B}\,{\scriptstyle IPL}}{\Diamond(A \lor B) \Rightarrow \Diamond A, \Diamond B}\,{\scriptstyle \Diamond}}{\Diamond(A \lor B) \Rightarrow \Diamond A \lor \Diamond B}\,{\scriptstyle \lor\text{-}r}}{\Rightarrow \Diamond(A \lor B) \to \Diamond A \lor \Diamond B}\,{\scriptstyle \to\text{-}r} \qquad k_5:\ \dfrac{\dfrac{\dfrac{\dfrac{}{\bot \Rightarrow}\,{\scriptstyle \bot\text{-}l}}{\Diamond\bot \Rightarrow}\,{\scriptstyle \Diamond}}{\Diamond\bot \Rightarrow \bot}\,{\scriptstyle w\text{-}r}}{\Rightarrow \Diamond\bot \to \bot}\,{\scriptstyle \to\text{-}r}$$

The calculus is hence readily seen to be sound for *CK* + k<sup>3</sup> + k<sup>5</sup>. However it does not enjoy cut-elimination, due to issues with commutative cases arising from the single-succedent restriction on the □ and →-r rules. In particular, while *CK* + k<sup>3</sup> + k<sup>5</sup> ⊢ ♦(A ∨ (B → C)) → (♦A ∨ (□B → ♦C)), e.g. by the proof,

$$\dfrac{\dfrac{\dfrac{\dfrac{}{A \Rightarrow A}\,{\scriptstyle id} \qquad \dfrac{}{B \to C \Rightarrow B \to C}\,{\scriptstyle id}}{A \lor (B \to C) \Rightarrow A, B \to C}\,{\scriptstyle \lor\text{-}l}}{\Diamond(A \lor (B \to C)) \Rightarrow \Diamond A, \Diamond(B \to C)}\,{\scriptstyle \Diamond} \qquad \dfrac{\dfrac{\dfrac{\dfrac{}{B \Rightarrow B}\,{\scriptstyle id} \qquad \dfrac{}{C \Rightarrow C}\,{\scriptstyle id}}{B \to C, B \Rightarrow C}\,{\scriptstyle \to\text{-}l}}{\Diamond(B \to C), \Box B \Rightarrow \Diamond C}\,{\scriptstyle \Diamond}}{\Diamond(B \to C) \Rightarrow \Box B \to \Diamond C}\,{\scriptstyle \to\text{-}r}}{\Diamond(A \lor (B \to C)) \Rightarrow \Diamond A, \Box B \to \Diamond C}\,{\scriptstyle cut}$$

note that it has no cut-free such proof, by consideration of rule applications.

# 5 Nested Sequent Calculus for *CK* **+** *k***<sup>3</sup> +** *k***<sup>5</sup>**

In this section we will introduce a *nested sequent* calculus nJ♦□ for *CK* + k<sup>3</sup> + k<sup>5</sup>, by extending Fitting's nested calculus for *IPL* [16] by natural modal rules. We prove a cut-elimination result for nJ♦□, which will imply the ♦-free conservativity of *CK* + k<sup>3</sup> + k<sup>5</sup> over *CK*. We shall mostly follow the notation employed by Fitting, but deviate in minor conventions to facilitate our ultimate cut-elimination result. All results are self-contained.

A *(nested) sequent*, written S etc., is an expression Γ ⇒ X where Γ is a set of formulas and X is a set of formulas and nested sequents. We interpret sequents by a formula translation: *fm*(Γ ⇒ Δ, X) := ⋀Γ → (⋁Δ ∨ ⋁{*fm*(S) | S ∈ X}).
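A direct transcription of *fm* may clarify the bookkeeping. In this sketch the encoding choices are ours, not the paper's: a nested sequent Γ ⇒ X is a tuple `('seq', Γ, X)`, the empty conjunction is read as ⊤ and the empty disjunction as ⊥:

```python
# Sketch of the formula translation fm of nested sequents (encoding is ours).

def big(op, forms, empty):
    """Fold a list of formulas with a binary connective; `empty` if none."""
    out = empty
    for f in forms:
        out = f if out == empty else (op, out, f)
    return out

def fm(s):
    _, gamma, x = s                                  # s = ('seq', Γ, X)
    delta = [e for e in x if e[0] != 'seq']          # formulas in X
    nested = [fm(e) for e in x if e[0] == 'seq']     # translated sub-sequents
    return ('imp',
            big('and', list(gamma), ('top',)),       # ⋀Γ (⊤ if Γ is empty)
            big('or', delta + nested, ('bot',)))     # ⋁Δ ∨ ⋁ fm(S) (⊥ if none)

# fm(A ⇒ B, (C ⇒ D)) = A → (B ∨ (C → D))
s = ('seq', [('var', 'A')], [('var', 'B'), ('seq', [('var', 'C')], [('var', 'D')])])
assert fm(s) == ('imp', ('var', 'A'),
                 ('or', ('var', 'B'), ('imp', ('var', 'C'), ('var', 'D'))))
```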

A *(nested sequent) context*, written S[ ], is defined as expected. Note that it is implicit in this notation that the context hole must only occur where a nested sequent may be placed to produce a correct nested sequent, i.e., for S[ ] a context and S a nested sequent, S[S ] is always a nested sequent.

*Example 18 (Contexts).* <sup>A</sup> <sup>⇒</sup> B,(C, D <sup>⇒</sup> E, [ ]) is a context, but A, [ ] <sup>⇒</sup> B,C and <sup>A</sup> <sup>⇒</sup> B,(C, [ ] <sup>⇒</sup> <sup>D</sup>) are not.

We may also write contexts for sets (of nested sequents and formulas), e.g. X[ ], etc., where again X[S] must always be a correct set of nested sequents and formulas. A consequence of the definition of nested sequent is that we can safely substitute sets in place of the context hole, i.e. if Y is a set of nested sequents and formulas then X[Y] is such a set and S[Y] is a nested sequent.

#### 5.1 System nJ♦,□

The system nJ is given by the structural rules and (left and right) logical rules from Fig. 4. It is equivalent to the nested calculus given by Fitting in [16], but we shall not use this fact: its soundness and completeness for *IPL* will be a consequence of later results. To define its extension by modalities, we must first generalise the usual notion of a modality distributing over a sequent:

$$\mathit{id}\,\dfrac{}{S[\Gamma, A \Rightarrow X[A]]} \qquad w\text{-}l\,\dfrac{S[\Gamma \Rightarrow X]}{S[\Gamma, A \Rightarrow X]} \qquad w\text{-}r\,\dfrac{S[\Gamma \Rightarrow X]}{S[\Gamma \Rightarrow X, S']}$$

$$\Rightarrow\,\dfrac{S[\Gamma \Rightarrow X[\Delta, \Sigma \Rightarrow Y]]}{S[\Gamma, \Delta \Rightarrow X[\Sigma \Rightarrow Y]]} \qquad \Rightarrow\text{-}e\,\dfrac{S[\,\Rightarrow X]}{S[X]}$$

$$\bot\text{-}l\,\dfrac{}{S[\Gamma, \bot \Rightarrow X]} \qquad \vee\text{-}l\,\dfrac{S[\Gamma, A \Rightarrow X] \quad S[\Gamma, B \Rightarrow X]}{S[\Gamma, A \vee B \Rightarrow X]}$$

$$\wedge\text{-}l\,\dfrac{S[\Gamma, A, B \Rightarrow X]}{S[\Gamma, A \wedge B \Rightarrow X]} \qquad \to\text{-}l\,\dfrac{S[\Gamma, A \to B \Rightarrow X, A] \quad S[\Gamma, B \Rightarrow X]}{S[\Gamma, A \to B \Rightarrow X]}$$

$$\vee\text{-}r\,\dfrac{S[\Gamma \Rightarrow X, A, B]}{S[\Gamma \Rightarrow X, A \vee B]} \qquad \wedge\text{-}r\,\dfrac{S[\Gamma \Rightarrow X, A] \quad S[\Gamma \Rightarrow X, B]}{S[\Gamma \Rightarrow X, A \wedge B]} \qquad \to\text{-}r\,\dfrac{S[\Gamma \Rightarrow X, (A \Rightarrow B)]}{S[\Gamma \Rightarrow X, A \to B]}$$

$$\Diamond\,\dfrac{S[\Gamma, A \Rightarrow X]}{S^\circ[\Box\Gamma, \Diamond A \Rightarrow X^\circ]} \qquad \Box\,\dfrac{S[\Gamma \Rightarrow A]}{S^\circ[\Box\Gamma \Rightarrow \Box A]}\ \ (S[\,]\text{ is right-,-free})$$

**Fig. 4.** System nJ♦,□.

Definition 19 (Promotion). *For sets* X *define* X◦ *by:*

$$\varnothing^\circ := \varnothing \qquad A^\circ := \Diamond A \qquad (X, Y)^\circ := X^\circ, Y^\circ \qquad (\Gamma \Rightarrow X)^\circ := \Box\Gamma \Rightarrow X^\circ$$

*For (set-)contexts* X[]*, we define* X◦[] *the same way and by setting* []◦ := []*.*
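Definition 19 can be rendered concretely as follows. This is our own sketch, not from the paper, writing `<>` for ♦ and `[]` for □ and representing a nested sequent as a pair of an antecedent list and a succedent list:

```python
# Illustrative sketch of Definition 19 (promotion): a formula is a string and a
# nested sequent is a pair (antecedent list, succedent list).

def is_sequent(x):
    return isinstance(x, tuple) and len(x) == 2

def promote(x):
    """X deg: diamond each formula, and send (G => X) to ([]G => X deg)."""
    out = []
    for item in x:
        if is_sequent(item):
            gamma, succ = item
            out.append((["[]" + a for a in gamma], promote(succ)))
        else:
            out.append("<>" + item)   # A deg := <>A
    return out

# ( A, (B => C) ) deg  =  <>A, ([]B => <>C)
print(promote(["A", (["B"], ["C"])]))  # ['<>A', (['[]B'], ['<>C'])]
```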

*Remark 20 (Promotion and ♦-normality).* The intention is that X° is a consequence of ♦*fm*(X). The ∅ case is justified by k5, while the ',' case is justified by k3. The '⇒' case is justified by the 'Fischer Servi' property ♦(A → B) → (□A → ♦B), which is already a consequence of *CK*:

$$\dfrac{\Diamond\,\dfrac{\mathit{IPL}\,\dfrac{}{A \to B, A \Rightarrow B}}{\Diamond(A \to B), \Box A \Rightarrow \Diamond B}}{\;\Rightarrow\; \Diamond(A \to B) \to \Box A \to \Diamond B}$$

<sup>A</sup> *right-,* is a comma ',' on the RHS of some <sup>⇒</sup> (immediately, not hereditarily). A sequent (or context) is *right-,-free* if it has no right-,.

Definition 21. *The system* nJ♦,□ *consists of all the rules in Fig. 4.*

*Example 22.* Recall the formula ♦(A ∨ (B → C)) → (♦A ∨ (□B → ♦C)) from Subsect. 4.2, which is a consequence of *CK* + k3 + k5 but has no cut-free proof in the 'multi-succedent' version of LCK. We here give a nJ♦,□ proof of it:

$$
\to\text{-}r\,\dfrac{\vee\text{-}r\,\dfrac{\to\text{-}r\,\dfrac{\Diamond\,\dfrac{\vee\text{-}l\,\dfrac{\mathit{id}\,\dfrac{}{\Rightarrow (A \Rightarrow A, (B \Rightarrow C))} \quad \Rightarrow\,\dfrac{\to\text{-}l\,\dfrac{\mathit{id}\,\dfrac{}{\Rightarrow (\,\Rightarrow A, (B \to C, B \Rightarrow C, B))} \quad \mathit{id}\,\dfrac{}{\Rightarrow (\,\Rightarrow A, (C, B \Rightarrow C))}}{\Rightarrow (\,\Rightarrow A, (B \to C, B \Rightarrow C))}}{\Rightarrow (B \to C \Rightarrow A, (B \Rightarrow C))}}{\Rightarrow (A \vee (B \to C) \Rightarrow A, (B \Rightarrow C))}}{\Rightarrow (\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, (\Box B \Rightarrow \Diamond C))}}{\Rightarrow (\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, \Box B \to \Diamond C)}}{\Rightarrow (\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A \vee (\Box B \to \Diamond C))}}{\Rightarrow \Diamond(A \vee (B \to C)) \to (\Diamond A \vee (\Box B \to \Diamond C))}
$$

Note at the top the necessity of applying the ⇒ rule before →-l, bottom-up, in order to prove ⇒ (B → C ⇒ A, (B ⇒ C)).

The main result of this section is:

Theorem 23 (Soundness and completeness). nJ♦,□ ⊢ ⇒ A *if and only if* *CK* + k3 + k5 ⊢ A.

To show the completeness (if) direction we first give a simulation using a 'cut' rule, then prove cut-elimination. To avoid case explosion later in the presence of modal rules, it will facilitate our ultimate cut-elimination argument to consider a 'context-joining' cut, à la Tait. For this, we first need to generalise the usual notion of sequent union:

Definition 24 (Context joining). *For contexts* S[ ], S′[ ] *define* S[ ] · S′[ ] *by:*

$$\begin{array}{l} [\,] \cdot S[\,] := S[\,] \\ (\Gamma \Rightarrow X, S[\,]) \cdot (\Gamma' \Rightarrow X', S'[\,]) := \Gamma, \Gamma' \Rightarrow X, X', (S[\,] \cdot S'[\,]) \end{array}$$

Note that, by a basic induction on the structure of contexts, we have that · is associative, commutative and idempotent. We shall sometimes write simply (S · S′)[ ] for (S[ ] · S′[ ]), as abuse of notation. We shall also sometimes extend this notation to set-contexts, X[ ] · X′[ ], by adding the clause (X, Y[ ]) · (X′, Y′[ ]) := X, X′, (Y[ ] · Y′[ ]). From here the *cut* rule is defined as:
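On a concrete representation the claimed properties of · are easy to test. The following is our own sketch, not from the paper: a context is either the hole or a triple standing for gamma ⇒ x, sub[ ], with set components so that idempotence holds on the nose:

```python
# Illustrative sketch of Definition 24 (context joining). A context is either
# the hole "HOLE" or a triple (gamma, x, sub): the sequent gamma => x, sub[ ],
# with sub again a context. Components are sets, matching the paper.

HOLE = "HOLE"

def join(s, t):
    """[]·S[] := S[];  (G => X, S[])·(G' => X', S'[]) := G,G' => X,X',(S[]·S'[])."""
    if s == HOLE:
        return t
    if t == HOLE:
        return s
    gamma, x, sub = s
    gamma2, x2, sub2 = t
    return (gamma | gamma2, x | x2, join(sub, sub2))

s1 = ({"A"}, {"B"}, HOLE)                   # A => B, [ ]
s2 = ({"C"}, set(), ({"D"}, {"E"}, HOLE))   # C => (D => E, [ ])
print(join(s1, s2))                         # A, C => B, (D => E, [ ])
assert join(s1, s1) == s1                   # idempotence, since components are sets
```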

$$\mathit{cut}\,\dfrac{S[\Gamma \Rightarrow X, A] \quad S'[\Gamma', A \Rightarrow X']}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']} \tag{1}$$

#### 5.2 Metalogical Results

By induction on the structure of nJ♦,□ + *cut* proofs it is routine to establish the 'only if' direction of our main result, Theorem 23:

Proposition 25 (Soundness). *If* nJ♦,□ + *cut* ⊢ S *then* *CK* + k3 + k5 ⊢ *fm*(S).

The most interesting case is the ♦ rule, which is justified by Remark 20. Among the non-modal rules the most interesting cases are the 'switch' rule ⇒ and the branching rules, which make use of the following lemma:

Lemma 26. *The following are intuitionistically valid:*

$$\begin{array}{llll} ((A \to B) \lor C) \to (A \to (B \lor C)) & & (A \to (B \land C)) \leftrightarrow ((A \to B) \land (A \to C)) \\ ((A \lor B) \to C) \leftrightarrow ((A \to C) \land (B \to C)) & & (A \lor (B \land C)) \leftrightarrow ((A \lor B) \land (A \lor C)) \end{array}$$
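As a quick mechanical sanity check (ours, and only a necessary condition, since intuitionistic validity implies classical validity but not conversely), one can confirm that the four schemas of Lemma 26 are at least classical tautologies:

```python
from itertools import product

# Classical truth-table check of the four schemas of Lemma 26; '->' is material
# implication and '<->' is boolean equality.

def imp(a, b):
    return (not a) or b

schemas = [
    lambda a, b, c: imp(imp(a, b) or c, imp(a, b or c)),
    lambda a, b, c: imp(a, b and c) == (imp(a, b) and imp(a, c)),
    lambda a, b, c: imp(a or b, c) == (imp(a, c) and imp(b, c)),
    lambda a, b, c: (a or (b and c)) == ((a or b) and (a or c)),
]

for f in schemas:
    assert all(f(a, b, c) for a, b, c in product([False, True], repeat=3))
print("all four schemas are classical tautologies")
```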

Let us write ⇒ⁿ for an n-fold prefix ⇒ ··· ⇒. Note that, if S is a nested sequent, then so is ⇒ⁿ S, for all n ≥ 0. We have a routine (cut-free) simulation of *CK* in nJ♦,□:

Lemma 27 (Simulation of LCK). *If* LCK ⊢ Γ ⇒ A *then* nJ♦,□ ⊢ ⇒ⁿ (Γ ⇒ A) *for all* n ≥ 0.

*Proof (sketch).* The proof is by straightforward induction on the structure of a (cut-free) LCK proof of Γ ⇒ A. Almost all rules of LCK are essentially special cases of their analogues in nJ♦,□; the only exception is the right implication rule, which is simulated as follows:<sup>4</sup>

$$\to\text{-}r\,\dfrac{\Gamma, A \Rightarrow B}{\Gamma \Rightarrow A \to B} \quad\rightsquigarrow\quad \to\text{-}r\,\dfrac{\Rightarrow\,\dfrac{\Rightarrow^{n+1} (\Gamma, A \Rightarrow B)}{\Rightarrow^{n} (\Gamma \Rightarrow (A \Rightarrow B))}}{\Rightarrow^{n} (\Gamma \Rightarrow A \to B)}$$

<sup>4</sup> Note here the necessity of proving the statement for all n ≥ 0 as an inductive invariant.

Proposition 28 (Completeness with cut). *If* *CK* + k3 + k5 ⊢ A *then* nJ♦,□ + *cut* ⊢ ⇒ A.

*Proof (sketch).* By induction on an axiomatic *CK* + k3 + k5 proof of A. In light of Lemma 27 above, and the presence of *cut*, it suffices to prove k3 and k5.


# 6 Cut-Elimination Argument

The goal of this section is to prove:

Theorem 29 (Cut-elimination). *If* nJ♦,□ + *cut* ⊢ S *then also* nJ♦,□ ⊢ S.

From here note that our main result follows immediately:

*Proof (of Theorem* 23*).* Immediate from Theorem 29 above, Soundness (Proposition 25) and Completeness with cut (Proposition 28).

The *size* of a proof is its number of inference steps. The *degree* of a cut is the number of symbols in its cut-formula, i.e. the formula A distinguished in (1). Our ultimate argument for cut-elimination is based on a typical double induction:

*Proof (of Theorem 29, sketch).* We proceed by induction on the multiset of cut-degrees in a proof. We start with a(ny) topmost cut, employing a subinduction on the size of the subproof rooting it, permuting the cut upwards in order to apply the subinductive hypothesis. At key cases the multiset of cut-degrees will decrease and we instead apply the main inductive hypothesis to the entire proof; sometimes we may need to first apply the subinductive hypothesis. In terms of the permutation strategy, we always permute cuts over non-modal rules (on either side) maximally, so that our modal cut-reductions only apply when the inference step immediately above each side of a cut is modal.

The next subsection is devoted to describing some of the cut-reductions. Before that, let us give the desired consequence of cut-elimination for nJ♦,□, namely the classification of the ♦-free fragment of *CK* + k3 + k5, cf. Fig. 2:

Corollary 30. *CK* + k3 + k5 *is conservative over* i*K*, *over* ♦*-free formulas.*

*Proof (sketch).* If *CK* + k3 + k5 proves a ♦-free formula A, then there is a nJ♦,□ proof P of ⇒ A by Theorem 23. By the subformula property, P must itself be ♦-free, so the only modal rule occurring in P is the □-rule, whose formula translation is derivable already in i*K*. (Note that the formula translation of ♦-free nested sequents is always ♦-free.) All other rules are derivable already in *IPL*.

#### 6.1 Cut-Reduction Cases (Non-modal)

To facilitate the description of the cut-reduction cases we will need to 'bootstrap' nJ♦,□ somewhat. We say a rule r is *size-preserving admissible* for a system L if, whenever there is a proof in L + r of S, there is a proof in L of S of the same or smaller size.

Proposition 31. *The following rules are size-preserving admissible for* nJ♦,□:

$$\dfrac{S[R[X], Y]}{S[R[X, Y]]} \qquad \Rightarrow\text{-}i\,\dfrac{S[X]}{S[\,\Rightarrow X]} \tag{3}$$

Thanks to the way we have presented our rules, almost all cut-reduction cases are 'the same' as those for usual sequent calculi for intuitionistic and/or modal logic, only under a sequent context. We highlight here some cases that need special attention.

For key cases, when the cut-formula is principal for a logical rule on both sides of a cut, the corresponding reduction is almost always the same as that for the usual (multi-succedent) sequent calculus for *IPL*, only under a sequent context. The only exception is for →, since its right-introduction rule is different from that of the sequent calculus. The key case for → is:

$$
\mathit{cut}\,\dfrac{\to\text{-}r\,\dfrac{S[\Gamma \Rightarrow X, (A \Rightarrow B)]}{S[\Gamma \Rightarrow X, A \to B]} \quad \to\text{-}l\,\dfrac{S'[\Gamma', A \to B \Rightarrow X', A] \quad S'[\Gamma', B \Rightarrow X']}{S'[\Gamma', A \to B \Rightarrow X']}}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']}
$$

reduces to

$$
\mathit{cut}\,\dfrac{\mathit{cut}\,\dfrac{\mathit{cut}\,\dfrac{S[\Gamma \Rightarrow X, A \to B] \quad S'[\Gamma', A \to B \Rightarrow X', A]}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X', A]} \quad \Rightarrow\text{-}e\,\dfrac{\Rightarrow\,\dfrac{S[\Gamma \Rightarrow X, (A \Rightarrow B)]}{S[\Gamma, A \Rightarrow X, (\,\Rightarrow B)]}}{S[\Gamma, A \Rightarrow X, B]}}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X', B]} \quad S'[\Gamma', B \Rightarrow X']}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']}
$$

Referring to our cut-elimination argument, note we must apply the subinductive hypothesis to the topmost cut before calling the main inductive hypothesis.

Any cut immediately preceded by an identity step (on either side) can be reduced to an identity step, eliminating the cut. Also all commutations of a cut above a logical rule are routine, as the ⇒-depth of the cut-formula is not affected.

Almost all permutations when a cut is preceded by a structural step are routine. The only exception is a permutation over a ⇒ step. Before we can present this we need to set up some notation. First, let us write ⇒^{X[ ]} for ⇒^d, where d is the ⇒-depth of the hole [ ] in X[ ]. I.e.,

$$\begin{array}{rcl} \Rightarrow^{[\,]} & := & \\ \Rightarrow^{X, S[\,]} & := & \Rightarrow^{S[\,]} \\ \Rightarrow^{\Gamma \Rightarrow X[\,]} & := & \Rightarrow\,\Rightarrow^{X[\,]} \end{array}$$
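The depth d can be computed recursively; the following Python sketch uses our own ad hoc encoding of set-contexts and mirrors the three clauses of the definition:

```python
# Illustrative sketch of the =>-depth of the hole in a set-context (our own
# encoding): a context is "HOLE", a pair ("set", items) whose items are strings
# or contexts, or a pair ("seq", gamma, sub) standing for gamma => sub[ ].

HOLE = "HOLE"

def depth(ctx):
    if ctx == HOLE:
        return 0                      # =>^[ ] has depth 0
    tag = ctx[0]
    if tag == "set":                  # =>^{X, S[ ]} := =>^{S[ ]}
        sub = next(i for i in ctx[1] if i == HOLE or isinstance(i, tuple))
        return depth(sub)
    if tag == "seq":                  # =>^{G => X[ ]} := => =>^{X[ ]}
        return 1 + depth(ctx[2])

# A, (B => (C => [ ]))  has its hole at =>-depth 2
ctx = ("set", ["A", ("seq", ["B"], ("seq", ["C"], HOLE))])
print(depth(ctx))  # 2
```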

We shall sometimes write ⇒^X for ⇒^{X[ ]}, as abuse of notation. By a straightforward induction on the structure of set-contexts we have that ⇒^X [ ] · X[ ] = X[ ]. Now we can give the critical ⇒-permutation:

$$
\mathit{cut}\,\dfrac{S[\Gamma \Rightarrow X, A] \qquad \Rightarrow\,\dfrac{S'[\Gamma', A \Rightarrow X'[\Delta, \Sigma \Rightarrow Y]]}{S'[\Gamma', \Delta, A \Rightarrow X'[\Sigma \Rightarrow Y]]}}{(S \cdot S')[\Gamma, \Gamma', \Delta \Rightarrow X, X'[\Sigma \Rightarrow Y]]}
$$

reduces to

$$
\Rightarrow\,\dfrac{\mathit{cut}\,\dfrac{S[\Gamma \Rightarrow X, A] \qquad S'[\Gamma', A \Rightarrow X'[\Delta, \Sigma \Rightarrow Y]]}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X'[\Delta, \Sigma \Rightarrow Y]]}}{(S \cdot S')[\Gamma, \Gamma', \Delta \Rightarrow X, X'[\Sigma \Rightarrow Y]]}
$$

Note the importance here of size-preserving admissibility of ⇒-i, Proposition 31, in order to appeal to the subinductive hypothesis.

#### 6.2 Cut-Reduction Cases (Modal)

Defining the modal cut-reductions is facilitated by the observation that (S₀° · S₁°)[ ] = (S₀ · S₁)°[ ], proved again by a straightforward induction on the structure of sequent-contexts. The case analysis for modal cut-reductions is routine but lengthy; all reductions allow immediate appeal to the (sub)inductive hypothesis:

– (♦-♦) If a cut is preceded on both sides by a ♦ step, then the cut-formula on the right must be the distinguished ♦-formula of the ♦ rule in Fig. 4. We employ a case analysis on the relative location of the distinguished ♦-formula and the cut formula on the left, but each situation is handled similarly. If, e.g., the distinguished ♦-formula and the cut formula occur in parallel in the sequent context, we have the following reduction:

$$
\mathit{cut}\,\dfrac{\Diamond\,\dfrac{S_0[\Gamma, A \Rightarrow X_0][\Delta_0 \Rightarrow Y_0, B]}{S_0^\circ[\Box\Gamma, \Diamond A \Rightarrow X_0^\circ][\Box\Delta_0 \Rightarrow Y_0^\circ, \Diamond B]} \quad \Diamond\,\dfrac{S_1[X_1][\Delta_1, B \Rightarrow Y_1]}{S_1^\circ[X_1^\circ][\Box\Delta_1, \Diamond B \Rightarrow Y_1^\circ]}}{(S_0^\circ \cdot S_1^\circ)[(\Box\Gamma, \Diamond A \Rightarrow X_0^\circ), X_1^\circ][\Box\Delta_0, \Box\Delta_1 \Rightarrow Y_0^\circ, Y_1^\circ]}
$$

reduces to

$$
\Diamond\,\dfrac{\mathit{cut}\,\dfrac{S_0[\Gamma, A \Rightarrow X_0][\Delta_0 \Rightarrow Y_0, B] \quad S_1[X_1][\Delta_1, B \Rightarrow Y_1]}{(S_0 \cdot S_1)[(\Gamma, A \Rightarrow X_0), X_1][\Delta_0, \Delta_1 \Rightarrow Y_0, Y_1]}}{(S_0^\circ \cdot S_1^\circ)[(\Box\Gamma, \Diamond A \Rightarrow X_0^\circ), X_1^\circ][\Box\Delta_0, \Box\Delta_1 \Rightarrow Y_0^\circ, Y_1^\circ]}
$$


– (□-♦) If a cut is preceded by a □ step on the left and a ♦ step on the right, each situation is again handled similarly. If, e.g., the distinguished ♦-formula occurs (relatively) deeper than the cut formula, we have the following reduction:

$$
\mathit{cut}\,\dfrac{\Box\,\dfrac{S_0[\Gamma_0 \Rightarrow A]}{S_0^\circ[\Box\Gamma_0 \Rightarrow \Box A]} \quad \Diamond\,\dfrac{S_1[\Gamma_1, A \Rightarrow X[\Delta, B \Rightarrow Y]]}{S_1^\circ[\Box\Gamma_1, \Box A \Rightarrow X^\circ[\Box\Delta, \Diamond B \Rightarrow Y^\circ]]}}{(S_0^\circ \cdot S_1^\circ)[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow X^\circ[\Box\Delta, \Diamond B \Rightarrow Y^\circ]]}
$$

reduces to

$$
\Diamond\,\dfrac{\mathit{cut}\,\dfrac{S_0[\Gamma_0 \Rightarrow A] \quad S_1[\Gamma_1, A \Rightarrow X[\Delta, B \Rightarrow Y]]}{(S_0 \cdot S_1)[\Gamma_0, \Gamma_1 \Rightarrow X[\Delta, B \Rightarrow Y]]}}{(S_0 \cdot S_1)^\circ[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow X^\circ[\Box\Delta, \Diamond B \Rightarrow Y^\circ]]}
$$

– (□-□) If a cut is preceded on both sides by a □ step, then the only possible reduction, due to right-,-freeness of the right premiss, is:

$$
\mathit{cut}\,\dfrac{\Box\,\dfrac{S_0[\Gamma_0 \Rightarrow A]}{S_0^\circ[\Box\Gamma_0 \Rightarrow \Box A]} \quad \Box\,\dfrac{S_1[A, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]}{S_1^\circ[\Box A, \Box\Gamma_1 \Rightarrow R^\circ[\Box\Delta \Rightarrow \Box B]]}}{(S_0^\circ \cdot S_1^\circ)[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow R^\circ[\Box\Delta \Rightarrow \Box B]]}
$$

reduces to

$$
\Box\,\dfrac{\mathit{cut}\,\dfrac{S_0[\Gamma_0 \Rightarrow A] \quad S_1[A, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]}{(S_0 \cdot S_1)[\Gamma_0, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]}}{(S_0 \cdot S_1)^\circ[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow R^\circ[\Box\Delta \Rightarrow \Box B]]}
$$

# 7 Conclusions

We showed that i*K* and *CK* are separated from *IK* by their ♦-free theorems, and have moreover initiated a comparison of intuitionistic modal logics by their ♦-free fragments. In particular, we have verified using proof theoretic techniques that the extension of i*K* by a normal ♦ is indeed conservative over i*K*, over ♦-free formulas. Again, our results are summarised in Fig. 2.

Our nested sequent system nJ♦,□ is based on Fitting's for *IPL* in [16], but let us point out that he did not give a cut-elimination result. Naturally our cut-elimination result, Theorem 29, also implies cut-elimination for the nested calculus nJ for *IPL*. Let us emphasise that, just as i*K*, *CK*, *IK* are proof-theoretically natural by the characterisations in Subsect. 2.1, so too is *CK* + k3 + k5: it is just the extension of the calculus nJ for *IPL* by modal rules.

From here it would be fruitful to understand how to adequately extend (birelational) semantics for *CK* to *CK* + k3 + k5. This could also yield an alternative (and perhaps simpler) proof of completeness of nJ♦,□ for *CK* + k3 + k5.<sup>5</sup> We have also not addressed the decidability of logics in this work, but let us point out that we believe that *CK* + k3 + k5 might be proved decidable by eliminating ⇒-e in nJ♦,□ and employing a basic loop-checking argument.

There has been significant work on computational interpretations of *CK* e.g. [1–3,21,27]. However, one shortfall of *CK* here is that its interpretations

<sup>5</sup> We are aware of ongoing work by Nicola Olivetti and Han Gao investigating this.

do not lift to *K* along the Gödel-Gentzen translation; while alternative double-negation translations are available, cf. [22], these do not seem robust against modest extensions, e.g. when including a global modality □∗. On the other hand, the fact that *IK* validates Gödel-Gentzen, Theorem 12, suggests that it is better designed for computational interpretations, in particular for interpreting classical modal logic *K*. Under the standard translation, it would be interesting to classify the Curry-Howard interpretation of *IK* as a suitable fragment of *dependent type theory*. Let us point out that Simpson already gives a termination and confluence proof for a version of intuitionistic natural deduction specialised to *IK* in his thesis [33].

Acknowledgements. The authors would like to thank *The Proof Theory Blog* community for all the feedback from their post [11]. In particular this work would not have been possible without several insightful interactions with Alex Simpson, Reuben Rowe, Nicola Olivetti, Tiziano Dalmonte, Dale Miller, Dominik Kirst, Iris van der Giessen, and Marianna Girlando. We thank Nicola Olivetti in particular for encouraging us to publish these results.

The (alphabetically) first author was supported by a UKRI Future Leaders Fellowship, 'Structure vs Invariants in Proofs', project reference MR/S035540/1.

# References



The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# CoNP Complexity for Combinations of Non-normal Modal Logics

Tiziano Dalmonte<sup>1</sup> and Andrea Mazzullo<sup>2</sup>

<sup>1</sup> Free University of Bozen-Bolzano, Bolzano, Italy, tiziano.dalmonte@unibz.it
<sup>2</sup> University of Trento, Trento, Italy, andrea.mazzullo@unitn.it

Abstract. We study the complexity of the validity/derivability problem for combinations of non-normal modal logics in the form of logic fusions, possibly extended with simple interaction axioms. We first present cut-free sequent calculi for these logic combinations. Then, we introduce hypersequent calculi with invertible rules, and show that they allow for a coNP proof search procedure. In the last part of the paper, we consider the case of combinations of logics sharing a universal modality. Using the hypersequent calculi, we show that these logics remain coNP-complete, and also provide an equivalent axiomatisation for them.

Keywords: Non-normal modal logics · Combination of logics · Fusion · Universal modality · Complexity · Hypersequent calculus

# 1 Introduction

Modal logics that combine different modalities are in widespread use. On the one hand, modal logics designed for applications usually contain multiple operators, possibly with interactions among them. On the other hand, non-standard modal logics, such as intuitionistic or description modal logics, have been connected with classical logics with combined modalities [18,19,46,47], an observation that has allowed for a fruitful transfer of results among the different formalisms.

Concerning logics designed for applications, several systems contain modalities that display a non-normal behaviour, as they do not satisfy some principles that are validated by any normal operator. Significant examples are epistemic logics without omniscience [4], deontic logics [1], agency and ability logics [6,14,26], and coalition logics [37,43]. At the same time, the recent introduction of non-normal systems based on intuitionistic or description logic [9,10,12,40,41] naturally raises the question of their connections with classical systems with combined non-normal modalities.

Multimodal logics obtained as combinations of normal systems have been extensively studied, with a specific focus on fusions and products [19,20,45], and the transfer of properties from the single systems to their combinations.

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 302–321, 2023. https://doi.org/10.1007/978-3-031-43513-3\_17

Concerning fusions of normal logics, it is known for instance that decidability, interpolation [45] and semantic completeness [17,30] are always preserved, whereas the complexity of the satisfiability/validity problem is not: while fusions of PSpace logics generally remain PSpace, the same does not hold for fusions of systems with a coNP validity (respectively, NP satisfiability) problem, as witnessed by the PSpace bimodal logics S5², KD45², K4.3² and S4.3² [25,42], in contrast with their coNP monomodal counterparts<sup>1</sup> (see [19] for an overview of transfer results).

Although most studies focus on combinations of normal modal logics, similar questions have also been addressed for fusions of non-normal systems. In particular, decidability [3,23] and superamalgamation [21,22] (an algebraic property corresponding to a form of interpolation) are known to be preserved, while completeness is not [15,16]. By contrast, less is understood about the transfer of complexity results, which is the topic of the present work.

Non-normal modal logics (NNMLs in the following) are good examples of coNP modal logics. These logics are defined by extending classical propositional logic with the congruence rule A ↔ B/□A ↔ □B and combinations of standard modal axioms (cf. Sec. 2). As shown by Vardi [44], in this family of logics the complexity of the validity problem strictly depends on the presence of the agglomeration axiom □A ∧ □B → □(A ∧ B): the logics with this axiom are in PSpace, whereas the logics without it are coNP-complete.<sup>2</sup> Differently from the coNP normal systems mentioned above, the same complexity bounds hold for the multimodal formulations of these logics where all modalities are of the *same* kind [44]. For this reason, combinations of NNMLs are promising in terms of preservation of coNP complexity.

In this paper, we investigate the complexity of the validity problem for some kinds of combinations of coNP NNMLs. In particular, we consider all coNP NNMLs of the classical cube [7,34] as well as their coNP extensions with non-iterative modal axioms. We first consider the fusions of NNMLs, roughly corresponding to the disjoint union of the modal axiomatisations of the combined systems, as well as their extensions with interaction axioms of the form □ᵢA → □ⱼA (corresponding, for instance, to the well-known principles of 'ought implies can' and 'does implies can' of deontic and agency logics, see e.g. [1,6,14]). In the last part of the paper we also consider the case of combinations of NNMLs sharing a universal modality. While most studies on property transfers are based on algebraic or model-theoretical techniques, we adopt here a proof-theoretical approach. We first present cut-free sequent calculi for these logic combinations. Then we present a reformulation of the calculi in terms of hypersequents where

<sup>1</sup> In the following, when mentioning the complexity of a logic, we always refer to the complexity of its *validity* problem. Dual results immediately follow for the corresponding *satisfiability* problem: in particular, coNP-complete logics have an NP-complete satisfiability problem. If not differently specified, the complexity bounds are tight: by coNP logic, respectively PSpace logic, we mean that the logic is coNP-complete, respectively PSpace-complete.

<sup>2</sup> More precisely, Vardi [44] shows that the satisfiability problems for these logics are NP-complete.

Fig. 1. Diagram of non-normal monomodal logics.

all the rules are invertible, and show that they provide a coNP decision procedure for validity in the logics. In the last part of the paper, we consider the case of combinations of logics sharing a universal modality. Using the hypersequent calculi, we show that these logics remain coNP-complete.

# 2 Non-normal Modal Logics and Their Combinations

Given a set of unary modalities {□₁, ..., □ₙ}, we denote by L[□₁, ..., □ₙ] the propositional modal language based on a set Atm = {p₁, p₂, p₃, ...} of countably many propositional variables, containing the Boolean operators ⊥, →, and the modalities □₁, ..., □ₙ. We consider ⊤, ¬, ∧, ∨, ♦ᵢ to be defined as usual.

*Non-normal monomodal logics* are defined in a language L[□ᵢ], for some i ∈ ℕ, by extending any axiomatisation of classical propositional logic (containing modus ponens), formulated in L[□ᵢ], with the rule REᵢ below and a combination of the following axioms:

$$RE_i\,\dfrac{A \leftrightarrow B}{\Box_i A \leftrightarrow \Box_i B} \qquad \begin{array}{ll} M_i\ \ \Box_i(A \wedge B) \to \Box_i A & T_i\ \ \Box_i A \to A \\ N_i\ \ \Box_i\top & D_i\ \ \Box_i A \to \neg\Box_i\neg A \\ & P_i\ \ \neg\Box_i\bot \end{array}$$

The minimal non-normal monomodal logic defined in L[□ᵢ], denoted by Eᵢ, only contains REᵢ (that is, it does not contain any additional modal axiom). Given a list of modal axioms Σᵢ in L[□ᵢ] (without repetitions), the other non-normal monomodal systems are denoted by EΣᵢ. We call *monotonic* any system EΣᵢ such that Mᵢ ∈ Σᵢ. Moreover, we use Lᵢ to denote any logic defined in L[□ᵢ].

We consider the standard notion of derivability in axiomatic modal systems: a rule B₁, ..., Bₙ/A is derivable in a logic Lᵢ if there is a finite sequence of formulas ending with A in which every formula is an (instance of an) axiom of Lᵢ, or belongs to {B₁, ..., Bₙ}, or is obtained from previous formulas by the application of a rule of Lᵢ. A formula A is derivable in Lᵢ, written ⊢_{Lᵢ} A, if the rule ∅/A is derivable in Lᵢ. Finally, a formula A is (locally) derivable from a set of formulas Φ in Lᵢ, written Φ ⊢_{Lᵢ} A, if there is a finite set {B₁, ..., Bₙ} ⊆ Φ such that ⊢_{Lᵢ} B₁ ∧ ... ∧ Bₙ → A. We recall that the axioms Mᵢ and Nᵢ are respectively equivalent to the monotonicity rule A → B/□ᵢA → □ᵢB and to the necessitation rule A/□ᵢA. Note also that the axioms Pᵢ and Dᵢ are equivalent in *normal* modal logics (i.e., modal logics extending Kᵢ), but not in non-normal ones. In particular, the following derivability relations hold: ⊢_{ETᵢ} Pᵢ, ⊢_{ETᵢ} Dᵢ, ⊢_{EMDᵢ} Pᵢ, ⊢_{ENDᵢ} Pᵢ. By virtue of these relations, the considered family contains 17 distinct monomodal logics, displayed in Fig. 1.
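The count of 17 can be checked mechanically: close each of the 32 subsets of {Mᵢ, Nᵢ, Tᵢ, Dᵢ, Pᵢ} under the four derivability relations just listed and count the distinct closures. A small Python sketch of this (our own, not from the paper):

```python
from itertools import combinations

# Close each subset of axioms {M, N, T, D, P} under the derivability relations
#   ET |- P,  ET |- D,  EMD |- P,  END |- P
# and count the distinct closures.

def close(axioms):
    s = set(axioms)
    while True:
        t = set(s)
        if "T" in t:
            t |= {"D", "P"}       # ET |- D and ET |- P
        if "D" in t and ("M" in t or "N" in t):
            t.add("P")            # EMD |- P and END |- P
        if t == s:
            return frozenset(s)
        s = t

subsets = [set(c) for n in range(6) for c in combinations("MNTDP", n)]
print(len({close(s) for s in subsets}))  # 17
```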

In this paper, we study multimodal logics obtained by combining non-normal monomodal logics in the following way. First, let $\mathsf{L}_1, ..., \mathsf{L}_n$ be $n$ non-normal monomodal logics respectively formulated in the languages $\mathcal{L}[\Box_1], ..., \mathcal{L}[\Box_n]$, sharing the same propositional variables and Boolean operators but with distinct modalities $\Box_1, ..., \Box_n$. Moreover, let $I$ be an *acyclic* set of pairs $(i, j)$ with $1 \le i, j \le n$ (that is, there is no chain $(i, j_1), (j_1, j_2), ..., (j_k, i)$).

Definition 1. *The* combination $\mathsf{L}_1...\mathsf{L}_n I$ *is the smallest multimodal logic in the language* $\mathcal{L}[\Box_1, ..., \Box_n]$ *that contains* $\mathsf{L}_1 \cup ... \cup \mathsf{L}_n$ *as well as the interaction axioms* $\Box_i A \to \Box_j A$*, for all* $(i, j) \in I$*, and is closed under the rules of* $\mathsf{L}_1, ..., \mathsf{L}_n$ *(that is, modus ponens and* $\mathsf{RE}_1, ..., \mathsf{RE}_n$*).*

Note that $\mathsf{L}_1...\mathsf{L}_n\emptyset$ corresponds to the *fusion* of $\mathsf{L}_1, ..., \mathsf{L}_n$ [45]. The reason for restricting to acyclic sets $I$ is that in the presence of cycles $(i, j_1), (j_1, j_2), ..., (j_k, i)$, the modalities $\Box_i, \Box_{j_1}, ..., \Box_{j_k}$ all become indistinguishable. In the following, for every logic $\mathsf{L}_1...\mathsf{L}_n I$, we denote by $I^*$ the transitive closure of $I$.
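As a concrete illustration of these notions, acyclicity of $I$ can be checked by computing $I^*$ and testing for reflexive pairs. The following Python sketch is our own illustration, not part of the paper's formal development:

```python
from itertools import product

def transitive_closure(I):
    """Transitive closure I* of a set of pairs I, by naive iteration."""
    closure = set(I)
    changed = True
    while changed:
        changed = False
        for (i, j), (k, l) in product(list(closure), repeat=2):
            if j == k and (i, l) not in closure:
                closure.add((i, l))
                changed = True
    return closure

def is_acyclic(I):
    """I is acyclic iff I* contains no pair (i, i)."""
    return all(i != j for (i, j) in transitive_closure(I))
```

For instance, for $I = \{(1,2),(2,3)\}$ we obtain $I^* = \{(1,2),(2,3),(1,3)\}$ and acyclicity holds, whereas $\{(1,2),(2,1)\}$ is rejected.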

The standard semantics of non-normal monomodal logics is given in terms of so-called neighbourhood models. Since we deal with multimodal logics, we consider here models endowed with $n$ neighbourhood functions, one for each modality.

Definition 2. *An* $n$-neighbourhood model *is a tuple* $\mathcal{M} = (\mathcal{W}, \mathcal{N}_1, ..., \mathcal{N}_n, \mathcal{V})$*, where* $\mathcal{W}$ *is a non-empty set of* worlds*,* $\mathcal{V} : Atm \longrightarrow \mathcal{P}(\mathcal{W})$ *is a* valuation function*, and each* $\mathcal{N}_i$ *is a* neighbourhood function $\mathcal{W} \longrightarrow \mathcal{P}(\mathcal{P}(\mathcal{W}))$ *possibly satisfying the following conditions for all* $w \in \mathcal{W}$*, where* $\alpha, \beta \subseteq \mathcal{W}$*:*

$$\begin{array}{llll}(M\_i \text{-} c) \text{ if } \alpha \in \mathcal{N}\_i(w) \text{ and } \alpha \subseteq \beta, \text{ then } \beta \in \mathcal{N}\_i(w); & (N\_i \text{-} c) & \mathcal{W} \in \mathcal{N}\_i(w);\\(T\_i \text{-} c) \quad \text{if } \alpha \in \mathcal{N}\_i(w), \text{ then } w \in \alpha; & (P\_i \text{-} c) & \emptyset \notin \mathcal{N}\_i(w);\\(D\_i \text{-} c) \text{ if } \alpha \in \mathcal{N}\_i(w), \text{ then } \mathcal{W} \backslash \alpha \notin \mathcal{N}\_i(w); & (Int\_{ij} \text{-} c) \text{ } \mathcal{N}\_i(w) \subseteq \mathcal{N}\_j(w). \end{array}$$

*Given a monomodal logic* $\mathsf{E}\Sigma_i$ *and a neighbourhood function* $\mathcal{N}_i$*, we say that* $\mathcal{N}_i$ *is an* $\mathsf{E}\Sigma_i$-function *if it satisfies condition (*$\sigma_i$-c*) for every* $\sigma_i \in \Sigma_i$*. Moreover, we say that a model* $\mathcal{M} = (\mathcal{W}, \mathcal{N}_1, ..., \mathcal{N}_n, \mathcal{V})$ *is a model for a multimodal logic* $\mathsf{L}_1...\mathsf{L}_n I$*, or is an* $\mathsf{L}_1...\mathsf{L}_n I$-model*, if* $\mathcal{N}_i$ *is an* $\mathsf{L}_i$-function *for all* $1 \le i \le n$*, and* $\mathcal{M}$ *satisfies (*$Int_{ij}$-c*) for all* $(i, j) \in I$*.*

*The relation* $\mathcal{M}, w \Vdash A$ *is defined as usual for propositional variables and Boolean connectives, while for* $\Box_i$ *it is as follows, where* $\llbracket A \rrbracket_{\mathcal{M}} = \{v \mid \mathcal{M}, v \Vdash A\}$*:*

$$\mathcal{M}, w \Vdash \Box_i A \quad \text{iff} \quad \llbracket A \rrbracket_{\mathcal{M}} \in \mathcal{N}_i(w).$$

We consider the usual notions of *validity in a model* $\mathcal{M}$ and *validity in a class of models* $\mathcal{C}$: $\mathcal{M} \models A$ iff $\mathcal{M}, w \Vdash A$ for all $w$ of $\mathcal{M}$; and $\mathcal{C} \models A$ iff $\mathcal{M} \models A$ for all $\mathcal{M} \in \mathcal{C}$, respectively. In the following, we omit to specify $\mathcal{M}$, and simply write $w \Vdash A$ or $\llbracket A \rrbracket$, when it is clear from the context.
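On finite models, the forcing relation of Definition 2 can be computed directly by recursion on the formula, with $\Box_i$ evaluated through membership of the truth set in the neighbourhood. The sketch below is an illustration under our own encoding of formulas as nested tuples:

```python
def truth_set(formula, worlds, N, V):
    """[[A]] = {w | M, w ||- A} in a finite n-neighbourhood model.
    N[i][w] is the set of neighbourhoods of w (as frozensets) for index i;
    V maps propositional variables to sets of worlds."""
    op = formula[0]
    if op == 'var':                      # propositional variable
        return V[formula[1]] & worlds
    if op == 'not':
        return worlds - truth_set(formula[1], worlds, N, V)
    if op == 'and':
        return (truth_set(formula[1], worlds, N, V)
                & truth_set(formula[2], worlds, N, V))
    if op == 'box':                      # M, w ||- Box_i A iff [[A]] in N_i(w)
        i, sub = formula[1], formula[2]
        ext = frozenset(truth_set(sub, worlds, N, V))
        return {w for w in worlds if ext in N[i][w]}
    raise ValueError(f"unknown connective: {op}")
```

A formula is then valid in the model exactly when its truth set is the whole set of worlds.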

In this paper, we study the complexity of the *validity problem* for the logics $\mathsf{L}_1...\mathsf{L}_n I$, that is, the problem of deciding, given a formula $A$ of $\mathcal{L}[\Box_1, ..., \Box_n]$, whether $A$ is valid in the class of all $\mathsf{L}_1...\mathsf{L}_n I$-models. Due to the following completeness result, the validity problem for $\mathsf{L}_1...\mathsf{L}_n I$ is equivalent to the *derivability problem* for $\mathsf{L}_1...\mathsf{L}_n I$, that is, the problem of deciding whether $A$ is derivable in the axiomatic system $\mathsf{L}_1...\mathsf{L}_n I$ (Definition 1).

Fig. 2. Sequent rules.

Theorem 1. *A formula* $A$ *of* $\mathcal{L}[\Box_1, ..., \Box_n]$ *is derivable in* $\mathsf{L}_1...\mathsf{L}_n I$ *if and only if it is valid in the class of all* $\mathsf{L}_1...\mathsf{L}_n I$-models*.*

*Proof.* Soundness is routine, by showing that all axioms and rules are, respectively, valid and validity-preserving in the corresponding models. For completeness, we adapt the standard proof for non-normal monomodal logics (cf. [7]). As usual, we call $\mathsf{L}_1...\mathsf{L}_n I$-maximal consistent (or maxcons) any set $\Phi$ of formulas of $\mathcal{L}[\Box_1, ..., \Box_n]$ such that $\Phi \nvdash_{\mathsf{L}_1...\mathsf{L}_n I} \bot$, and for all $A \in \mathcal{L}[\Box_1, ..., \Box_n]$, $A \notin \Phi$ implies $\Phi \cup \{A\} \vdash_{\mathsf{L}_1...\mathsf{L}_n I} \bot$. Moreover, we denote by $[A]$ the class of $\mathsf{L}_1...\mathsf{L}_n I$-maxcons sets $\Phi$ s.t. $A \in \Phi$. The usual properties of maxcons sets hold, in particular: if $\Phi \nvdash_{\mathsf{L}_1...\mathsf{L}_n I} \bot$, then there is an $\mathsf{L}_1...\mathsf{L}_n I$-maxcons $\Psi$ s.t. $\Phi \subseteq \Psi$. We define the canonical model for $\mathsf{L}_1...\mathsf{L}_n I$ as $\mathcal{M} = (\mathcal{W}, \mathcal{N}_1, ..., \mathcal{N}_n, \mathcal{V})$, where $\mathcal{W}$ is the class of all $\mathsf{L}_1...\mathsf{L}_n I$-maxcons sets, and for all $p \in Atm$, $\mathcal{V}(p) = [p]$. Moreover, for all $1 \le i \le n$ and all $\Phi \in \mathcal{W}$, we define $\alpha \in \mathcal{N}_i(\Phi)$ iff $\alpha = [A]$ for some $\Box_j A \in \Phi$ s.t. $j = i$ or $(j, i) \in I^*$, or $\alpha \supseteq [B]$ for some $\Box_k B \in \Phi$ s.t. $k = i$ or $(k, i) \in I^*$, and $\mathsf{M}_i \in \mathsf{L}_i$, or $\mathsf{M}_k \in \mathsf{L}_k$, or $\mathsf{M}_u \in \mathsf{L}_u$ for some $u$ s.t. $(k, u), (u, i) \in I^*$. We can show that $\mathcal{M}$ is an $\mathsf{L}_1...\mathsf{L}_n I$-model, and that for all $A \in \mathcal{L}[\Box_1, ..., \Box_n]$, $\llbracket A \rrbracket = [A]$. Then the completeness of $\mathsf{L}_1...\mathsf{L}_n I$ follows in the usual way.

# 3 Sequent Calculi

In this section, we present sequent calculi for all the considered combinations of NNMLs. We show that the calculi are sound and cut-free complete with respect to the corresponding axiomatic systems.

In the following, we use capital Greek letters $\Gamma, \Delta, \Pi, \Theta$ to denote possibly empty *multisets* of formulas. As usual, we call *sequent* any pair $\Gamma \Rightarrow \Delta$ of finite multisets of formulas. Sequents are interpreted in the language of the logic by the *formula interpretation* $\iota(\Gamma \Rightarrow \Delta) = \bigwedge \Gamma \to \bigvee \Delta$ if $\Gamma \neq \emptyset$, and $\iota(\Gamma \Rightarrow \Delta) = \bigvee \Delta$ if $\Gamma = \emptyset$, where $\bigvee \emptyset = \bot$.
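The formula interpretation $\iota$ can be spelled out mechanically; the following sketch (using a plain string representation of formulas, purely for illustration) mirrors the two cases, with the empty disjunction read as $\bot$:

```python
def iota(gamma, delta):
    """Formula interpretation of a sequent Gamma => Delta:
    the conjunction of Gamma implies the disjunction of Delta if Gamma is
    non-empty, otherwise just the disjunction of Delta, where the empty
    disjunction is bottom ('false')."""
    disj = " | ".join(delta) if delta else "false"
    if not gamma:
        return disj
    return f"({' & '.join(gamma)}) -> ({disj})"
```

For example, `iota(["p", "r"], ["q"])` yields the string `"(p & r) -> (q)"`, and the empty sequent is interpreted as `"false"`.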


Fig. 3. Modal rules of sequent calculi for non-normal monomodal logics.

Sequent calculi for non-normal monomodal logics are studied in [27,28,31,34,36].<sup>3</sup> For each logic $\mathsf{L}_i$, the corresponding sequent calculus $\mathsf{S.L}_i$ contains the propositional rules init, $\bot_L$, $\to_L$, $\to_R$ and suitable modal rules from Fig. 2, as summarised in Fig. 3.

Concerning the other rules in Fig. 2, note that the order of the indices $i, j$ is relevant for $\mathsf{e}_{ij}$ and $\mathsf{m}_{ij}$ ($\Box_i A$ is in $\Gamma$ while $\Box_j B$ is in $\Delta$), while it is not relevant for $\mathsf{d}_{ij}$ and $\mathsf{md}_{ij}$ (both $\Box_i A$ and $\Box_j B$ are in $\Gamma$). Accordingly, we assume $\mathsf{d}_{ij} = \mathsf{d}_{ji}$ and $\mathsf{md}_{ij} = \mathsf{md}_{ji}$, whereas $\mathsf{e}_{ij} \neq \mathsf{e}_{ji}$ and $\mathsf{m}_{ij} \neq \mathsf{m}_{ji}$. The sequent calculi for the combinations of NNMLs are defined as follows.

Definition 3. *The sequent calculus* $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ *for* $\mathsf{L}_1...\mathsf{L}_n I$ *contains, for all* $1 \le i \le n$*, all the rules of* $\mathsf{S.L}_i$ *different from* $\mathsf{d}'_i$*, as well as the following rules:*

- $\mathsf{n}_i$, *if there is* $j$ *such that* $(j, i) \in I^*$ *and* $\mathsf{n}_j \in \mathsf{S.L}_j$*;*
- $\mathsf{d}_i$, *if there is* $j$ *such that* $(i, j) \in I^*$*, and* $\mathsf{e}_{ij} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, and* $\mathsf{d}_j \in \mathsf{S.L}_j$*;*
- $\mathsf{p}_i$, *if there is* $j$ *such that* $j = i$ *or* $(i, j) \in I^*$*, and* $\mathsf{p}_j \in \mathsf{S.L}_j$ *or there is* $k$ *such that* $\mathsf{n}_k \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, and* $\mathsf{d}_{jk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ *or* $\mathsf{md}_{jk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*;*
- $\mathsf{d}'_i$, *if* $\mathsf{p}_i \notin \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, and there is* $j$ *s.t.* $j = i$ *or* $(i, j) \in I^*$*, and* $\mathsf{d}'_j \in \mathsf{S.L}_j$*;*
- $\mathsf{t}_i$, *if there is* $j$ *such that* $(i, j) \in I^*$ *and* $\mathsf{t}_j \in \mathsf{S.L}_j$*.*

The rules listed in Definition 3 are necessary in order to ensure cut-free completeness of the sequent calculi in the presence of interactions. Two examples of calculi resulting from the definition are as follows:

<sup>3</sup> Here we only consider pure Gentzen-style sequent calculi for NNMLs. Other sequent calculi for NNMLs have been defined in the literature in terms of labelled sequent calculi [13,24,35], nested or hypersequent calculi [11,33,34], and display calculi [8].

$$
\begin{aligned}
\mathbb{S}\langle\mathsf{EN}_1,\mathsf{ET}_2,\mathsf{EM}_3\,\{(1,2),(2,3)\}\rangle &= \{\mathsf{e}_1,\mathsf{n}_1,\mathsf{e}_2,\mathsf{t}_2,\mathsf{m}_3,\mathsf{m}_{1,2},\mathsf{m}_{1,3},\mathsf{m}_{2,3},\mathsf{t}_1,\mathsf{n}_2,\mathsf{n}_3\};\\
\mathbb{S}\langle\mathsf{EN}_1,\mathsf{EM}_2,\mathsf{ED}_3\,\{(1,3),(2,3)\}\rangle &= \{\mathsf{e}_1,\mathsf{n}_1,\mathsf{m}_2,\mathsf{e}_3,\mathsf{d}_3,\mathsf{e}_{1,3},\mathsf{m}_{2,3},\mathsf{n}_3,\mathsf{d}_{1,3},\mathsf{d}_{2,3}\}.
\end{aligned}
$$

As usual, initial sequents are formulated only for propositional variables but can be extended to arbitrary formulas. We say that a rule is *admissible* in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ if, whenever the premisses are derivable in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, the conclusion is also derivable, and that a single-premiss rule is *height-preserving admissible* in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ (hp-admissible for short) if, whenever the premiss is derivable, the conclusion is derivable with a derivation of at most the same height. Moreover, we say that a rule $S_1, ..., S_n / S$ is *height-preserving invertible* in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ (hp-invertible) if the rule $S / S_i$ is hp-admissible for every premiss $S_i$. One can show that the propositional rules of $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ are hp-invertible; by contrast, the modal rules are not (with the exception of $\mathsf{t}_i$). As an easy example, consider the sequents $p \Rightarrow q$ and $\Box_i p \Rightarrow \Box_i q, \Box_i(p \lor r)$, respectively the premiss and conclusion of an instance of $\mathsf{m}_i$, where the conclusion is derivable and the premiss is not.

Proposition 1. *In every calculus* $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, the following structural rules* Lwk*,* Rwk*,* Lctr *and* Rctr *are hp-admissible, and the following rule* cut *is admissible:*

$$\mathsf{Lwk}\,\frac{\Gamma \Rightarrow \Delta}{\Gamma, A \Rightarrow \Delta}\qquad \mathsf{Rwk}\,\frac{\Gamma \Rightarrow \Delta}{\Gamma \Rightarrow A, \Delta}\qquad \mathsf{Lctr}\,\frac{\Gamma, A, A \Rightarrow \Delta}{\Gamma, A \Rightarrow \Delta}\qquad \mathsf{Rctr}\,\frac{\Gamma \Rightarrow A, A, \Delta}{\Gamma \Rightarrow A, \Delta}$$

$$\mathsf{cut}\,\frac{\Gamma \Rightarrow A, \Delta \qquad A, \Pi \Rightarrow \Theta}{\Gamma, \Pi \Rightarrow \Delta, \Theta}$$

*Proof.* Hp-admissibility of Lwk, Rwk, Lctr and Rctr is proved as usual by mutual induction on the height of the derivation of their premisses (with $\mathsf{d}'_i$ ensuring that contraction is admissible also in the calculi with $\mathsf{d}_i$). Admissibility of cut is proved by induction on the lexicographically ordered pairs $(c, h)$, where $c$ is the weight of the cut formula and $h = h_1 + h_2$ is the cut height, $h_1$ and $h_2$ being the heights of the derivations of the premisses of cut. The proof is standard and distinguishes cases according to whether or not the cut formula is principal in the last rules applied in the derivations of the premisses of cut. Here we only show two representative cases, in which the cut formula is principal in the last rule applied in the derivation of both premisses of cut.

($\mathsf{e}_{iu}$ – $\mathsf{md}_{uj}$) The derivation on the left is converted into the one on the right:

$$
\frac{\mathsf{e}_{iu}\,\dfrac{A \Rightarrow B \qquad B \Rightarrow A}{\Gamma, \Box_i A \Rightarrow \Box_u B, \Delta}\qquad \mathsf{md}_{uj}\,\dfrac{B, C \Rightarrow}{\Pi, \Box_u B, \Box_j C \Rightarrow \Theta}}{\Gamma, \Pi, \Box_i A, \Box_j C \Rightarrow \Delta, \Theta}\,\mathsf{cut}
\quad\leadsto\quad
\frac{\dfrac{A \Rightarrow B \qquad B, C \Rightarrow}{A, C \Rightarrow}\,\mathsf{cut}}{\Gamma, \Pi, \Box_i A, \Box_j C \Rightarrow \Delta, \Theta}\,\mathsf{md}_{ij}
$$

where the application of cut has a lower height, and $\mathsf{md}_{ij} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ by Definition 3. Indeed, $\mathsf{e}_{iu} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ implies $(i, u) \in I^*$. Moreover, since $\mathsf{md}_{uj} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, following Definition 3 there are three possibilities: (1) $(u, j) \in I^*$, and $\mathsf{m}_{uj} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, and $\mathsf{d}_j \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{md}_j \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$; or (2) $(j, u) \in I^*$, and $\mathsf{m}_{ju} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, and $\mathsf{d}_u \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{md}_u \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$; or (3) there is $k$ such that $(u, k), (j, k) \in I^*$, and $\mathsf{m}_{uk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{m}_{jk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, and $\mathsf{d}_k \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{md}_k \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. If (1), then $(i, j) \in I^*$ and $\mathsf{m}_{ij} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. If (2), then $(i, u), (j, u) \in I^*$. If (3), then $(i, k), (j, k) \in I^*$. In all these cases, by Definition 3, $\mathsf{md}_{ij} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$.

($\mathsf{m}_{ij}$ – $\mathsf{p}_j$) The derivation on the left is converted into the one on the right:

$$
\frac{\mathsf{m}_{ij}\,\dfrac{A \Rightarrow B}{\Gamma, \Box_i A \Rightarrow \Box_j B, \Delta}\qquad \mathsf{p}_j\,\dfrac{B \Rightarrow}{\Pi, \Box_j B \Rightarrow \Theta}}{\Gamma, \Pi, \Box_i A \Rightarrow \Delta, \Theta}\,\mathsf{cut}
\quad\leadsto\quad
\frac{\dfrac{A \Rightarrow B \qquad B \Rightarrow}{A \Rightarrow}\,\mathsf{cut}}{\Gamma, \Pi, \Box_i A \Rightarrow \Delta, \Theta}\,\mathsf{p}_i
$$

where the application of cut has a lower height, and $\mathsf{p}_i \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ by Definition 3. Indeed, $\mathsf{m}_{ij} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ implies $(i, j) \in I^*$. Moreover, since $\mathsf{p}_j \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ we have three possibilities: (1) $\mathsf{p}_j \in \mathsf{S.L}_j$; or (2) there is $k$ such that $(j, k) \in I^*$ and $\mathsf{p}_k \in \mathsf{S.L}_k$; or (3) there are $k, u$ such that $(j, k), (k, u) \in I^*$, $\mathsf{n}_u \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, and $\mathsf{d}_{ku} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{md}_{ku} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. If (1), then by Definition 3, $\mathsf{p}_i \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. If (2) or (3), then $(i, k) \in I^*$, and in both cases by Definition 3, $\mathsf{p}_i \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$.

Theorem 2. $\Gamma \Rightarrow \Delta$ *is derivable in* $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ *if and only if* $\bigwedge \Gamma \to \bigvee \Delta$ *is derivable in* $\mathsf{L}_1...\mathsf{L}_n I$*.*

*Proof.* (⇒) For each rule $S'/S$ or $S_1, S_2/S$ of $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, we need to show that the corresponding rule $\iota(S')/\iota(S)$ or $\iota(S_1), \iota(S_2)/\iota(S)$ is derivable in $\mathsf{L}_1...\mathsf{L}_n I$. We consider as an example the rule $\mathsf{md}_{ij}$, and write $\vdash$ for $\vdash_{\mathsf{L}_1...\mathsf{L}_n I}$. First, it is easy to see that $\vdash \Box_i A \to \Box_j A$ for all $(i, j) \in I^*$. Now suppose that $\vdash A \land B \to \bot$, hence $\vdash A \to \lnot B$. By Definition 3, there is $k$ such that $(i, k) \in I^*$ or $k = i$, $(j, k) \in I^*$ or $k = j$, $\mathsf{d}_k \in \mathsf{S.L}_k$ or $\mathsf{md}_k \in \mathsf{S.L}_k$, and $\mathsf{m}_{ik} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ or $\mathsf{m}_{jk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. Then, by definition of the monomodal calculi, $\mathsf{D}_k \in \mathsf{L}_k$. Suppose that $\mathsf{m}_{ik} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. One can show that the rule $C \to D / \Box_i C \to \Box_k D$ is derivable in $\mathsf{L}_1...\mathsf{L}_n I$ for any $C, D$. Then, since $\vdash A \to \lnot B$, we have $\vdash \Box_i A \to \Box_k \lnot B$. Moreover, we have $\vdash \Box_j B \to \Box_k B$. Then by $\mathsf{D}_k$, $\vdash \Box_i A \land \Box_j B \to \bot$, thus $\vdash \bigwedge \Gamma \land \Box_i A \land \Box_j B \to \bigvee \Delta$ for all $\Gamma, \Delta$. If $\mathsf{m}_{jk} \in \mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, the proof is analogous. (⇐) By showing that all axioms and rules of $\mathsf{L}_1...\mathsf{L}_n I$ are derivable, respectively admissible, in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, with modus ponens simulated by cut in the usual way.

In this paper, we provide a proof of coNP complexity for the validity problem for the logics $\mathsf{L}_1...\mathsf{L}_n I$ following a strategy based on a reformulation of the calculi $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ in terms of hypersequents, as explained in the next section. Alternatively, it could be possible to devise a strategy based directly on the calculi $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ alone.<sup>4</sup> To this goal, two key observations are in order. First, it is easy to see that in any proof tree $\mathcal{T}$ for $\Gamma \Rightarrow \Delta$ in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, every branch of $\mathcal{T}$ has polynomial length with respect to the length $n$ of $\Gamma \Rightarrow \Delta$. Second, for every non-invertible modal rule, at most quadratically many premisses (w.r.t. $n$) are possible. This would allow one to obtain certificates for non-derivability in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ verifiable in polynomial time by a deterministic Turing machine. We leave further investigation in this direction as future work.

<sup>4</sup> We thank one reviewer for suggesting this possibility to us.

# 4 Invertible Calculi and CoNP Complexity

In this section, we present a proof of coNP complexity for the logics $\mathsf{L}_1...\mathsf{L}_n I$ based on a reformulation of the sequent calculi $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ in which all the rules are invertible. In particular, in order to make the modal rules invertible, we rewrite all the rules using hypersequents, following the strategy of [11]. We show that the hypersequent calculi $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ provide a coNP decision procedure for the validity problem in $\mathsf{L}_1...\mathsf{L}_n I$. Specifically, we present a coNP proof search algorithm for $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ that explicitly constructs a derivation for every valid hypersequent/formula. Moreover, we show that from every failed derivation one can extract a countermodel of the input hypersequent; this means that we can construct a countermodel of every non-valid formula.

A *hypersequent* $\mathcal{H}$ [2] is a finite multiset of sequents, written $\Gamma_1 \Rightarrow \Delta_1 \mid ... \mid \Gamma_k \Rightarrow \Delta_k$, where $\Gamma_1 \Rightarrow \Delta_1, ..., \Gamma_k \Rightarrow \Delta_k$ are called the *components* of $\mathcal{H}$. The hypersequent rules for $\mathsf{L}_1...\mathsf{L}_n I$ are a direct reformulation of the sequent rules, and are displayed in Fig. 4. Essentially, backward applications of the hypersequent modal rules introduce a new component that coincides with the premiss of the corresponding sequent rule. In this way, all information contained in the conclusion is preserved in the premisses, thus keeping alternative rule applications possible in bottom-up proof search. Concerning the propositional rules, we consider a cumulative formulation in which the principal formulas are kept in the premisses. As we will see, this allows us to easily extract countermodels from failed proofs.

Differently from sequents, hypersequents cannot be interpreted as formulas of $\mathcal{L}[\Box_1, ..., \Box_n]$ (we will come back to this problem in the next section). Hypersequents are evaluated on $n$-neighbourhood models as follows: $\mathcal{M}, w \Vdash \Gamma \Rightarrow \Delta$ if and only if $\mathcal{M}, w \Vdash \iota(\Gamma \Rightarrow \Delta)$; $\mathcal{M} \models \Gamma \Rightarrow \Delta$ if and only if $\mathcal{M}, w \Vdash \Gamma \Rightarrow \Delta$ for all $w$ of $\mathcal{M}$; and $\mathcal{M} \models \Gamma_1 \Rightarrow \Delta_1 \mid ... \mid \Gamma_k \Rightarrow \Delta_k$ if and only if $\mathcal{M} \models \Gamma_\ell \Rightarrow \Delta_\ell$ for some $1 \le \ell \le k$.
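So the disjunctive reading of a hypersequent is at the level of model validity, not world-by-world truth. Given the truth sets of the component interpretations, this check is a one-liner, sketched below with our own names purely for illustration:

```python
def hypersequent_holds(worlds, component_truth_sets):
    """M |= Gamma_1 => Delta_1 | ... | Gamma_k => Delta_k iff some component's
    formula interpretation holds at every world of M.
    component_truth_sets[l] = {w | M, w ||- iota(Gamma_l => Delta_l)}."""
    return any(ts >= worlds for ts in component_truth_sets)
```

For example, over worlds $\{1, 2\}$, a hypersequent whose components have truth sets $\{1\}$ and $\{1, 2\}$ holds (the second component is valid), while one with truth sets $\{1\}$ and $\{2\}$ does not, even though every world satisfies some component.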

Definition 4. *The hypersequent calculus* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ *for* $\mathsf{L}_1...\mathsf{L}_n I$ *is defined as* $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ *(Definition 3), with the difference that the rules are formulated in their hypersequent version (Fig. 4).*

We first show that the calculi are sound and complete with respect to the corresponding logics. Since hypersequents do not have a formula interpretation, we consider a semantic proof of soundness.

Proposition 2. *If* $\mathcal{H}$ *is derivable in* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, then* $\mathcal{H}$ *is valid in every* $n$-neighbourhood model *for* $\mathsf{L}_1...\mathsf{L}_n I$*.*

*Proof.* It is immediate to see that the initial hypersequents init and $\bot_L$ are valid in every model. We need to show that all rules of $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ are validity-preserving in every model for $\mathsf{L}_1...\mathsf{L}_n I$. We consider as an example the rule $\mathsf{md}_{ij}$. Suppose that $\mathcal{M} \models \mathcal{H} \mid \Gamma, \Box_i A, \Box_j B \Rightarrow \Delta \mid A, B \Rightarrow$. If $\mathcal{M} \models \mathcal{H} \mid \Gamma, \Box_i A, \Box_j B \Rightarrow \Delta$ we are done. Otherwise $\mathcal{M} \models A, B \Rightarrow$, that is, $\llbracket A \rrbracket \subseteq \llbracket \lnot B \rrbracket$. As a consequence of Definition 3, $\mathsf{md}_{ij}$ belongs to $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ in two cases: (1)

Fig. 4. Hypersequent rules.

$(i, j) \in I^*$ and $\mathcal{M}$ satisfies ($D_j$-c) and ($M_i$-c) or ($M_j$-c), or (2) there is $k$ such that $(i, k), (j, k) \in I^*$ and $\mathcal{M}$ satisfies ($D_k$-c) and ($M_i$-c) or ($M_j$-c) or ($M_k$-c). If (1), then suppose $w \Vdash \Box_i A$, that is, $\llbracket A \rrbracket \in \mathcal{N}_i(w)$. If ($M_i$-c), then $\llbracket \lnot B \rrbracket \in \mathcal{N}_i(w)$, and by ($Int_{ij}$-c), $\llbracket \lnot B \rrbracket \in \mathcal{N}_j(w)$. Otherwise, by ($Int_{ij}$-c), $\llbracket A \rrbracket \in \mathcal{N}_j(w)$, and by ($M_j$-c), $\llbracket \lnot B \rrbracket \in \mathcal{N}_j(w)$. Thus by ($D_j$-c), $\llbracket B \rrbracket \notin \mathcal{N}_j(w)$. If (2), let us assume ($M_k$-c), the other cases being similar. Suppose $w \Vdash \Box_i A \land \Box_j B$. Then $\llbracket A \rrbracket \in \mathcal{N}_i(w)$ and $\llbracket B \rrbracket \in \mathcal{N}_j(w)$. By ($Int_{ik}$-c) and ($Int_{jk}$-c), $\llbracket A \rrbracket, \llbracket B \rrbracket \in \mathcal{N}_k(w)$, thus by ($M_k$-c), $\llbracket B \rrbracket, \llbracket \lnot B \rrbracket \in \mathcal{N}_k(w)$, against ($D_k$-c). Thus in both cases $w \nVdash \Box_i A \land \Box_j B$. Since this holds for every $w$, we have $\mathcal{M} \models \Box_i A, \Box_j B \Rightarrow$, hence $\mathcal{M} \models \mathcal{H} \mid \Gamma, \Box_i A, \Box_j B \Rightarrow \Delta$.

To prove completeness, we consider here a simple proof that relies on the cut-free completeness of the sequent calculi, although a direct proof of cut elimination analogous to the one in the previous section could be given. The proof is based on the following observation, which can easily be proved by induction on the height of the derivation of the premiss of the rules.

Lemma 1. *The rules of external weakening and external contraction are height-preserving admissible in* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*:*

$$\mathsf{Ewk}\,\frac{\mathcal{H}}{\mathcal{H} \mid \Gamma \Rightarrow \Delta}\qquad\qquad \mathsf{Ectr}\,\frac{\mathcal{H} \mid \Gamma \Rightarrow \Delta \mid \Gamma \Rightarrow \Delta}{\mathcal{H} \mid \Gamma \Rightarrow \Delta}$$

Proposition 3. *If* $\Gamma \Rightarrow \Delta$ *is derivable in* $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, then* $\Gamma \Rightarrow \Delta$ *is derivable in* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*.*

*Proof.* By induction on the height of the derivation of $\Gamma \Rightarrow \Delta$ in $\mathbb{S}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, considering the last rule applied in the derivation. For initial sequents and propositional rules the proof is immediate. For modal rules, suppose that $\Gamma \Rightarrow \Delta$ is obtained from $S_1$ and (possibly) $S_2$ by an application of the sequent rule $R$. Then by i.h., $S_1$ and $S_2$ are derivable in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, and by Ewk, $\Gamma \Rightarrow \Delta \mid S_1$ and $\Gamma \Rightarrow \Delta \mid S_2$ are derivable in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$. Then, by the hypersequent version of the rule $R$, $\Gamma \Rightarrow \Delta$ is derivable in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$.

Another immediate consequence of the height-preserving admissibility of external weakening is that all the rules of $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ are height-preserving invertible. It follows that a single proof search suffices to establish whether a hypersequent is derivable or not. However, in contrast with the sequent rules, backward applications of the hypersequent rules increase the complexity of the hypersequents, so proof search in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ does not terminate *per se*. In order to regain termination while also obtaining an optimal proof search procedure, following [11] (cf. also [32]), we consider a proof search strategy based on the following loop-checking condition and on a fixed order of rule applications.

Definition 5. *An application of a hypersequent rule with premisses* $\mathcal{G}_1, ..., \mathcal{G}_n$ *and conclusion* $\mathcal{H}$ *satisfies the* local loop checking condition *(LLCC) if for each premiss* $\mathcal{G}_i$*, there exists a component* $\Gamma \Rightarrow \Delta$ *in* $\mathcal{G}_i$ *such that for no component* $\Pi \Rightarrow \Theta$ *of the conclusion* $\mathcal{H}$ *we have* $set(\Gamma) \subseteq set(\Pi)$ *and* $set(\Delta) \subseteq set(\Theta)$*. Moreover, having fixed an enumeration* $R_1, ..., R_m$ *of the rules of* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, we say that a backward application of a rule* $R_i$ *with conclusion* $\mathcal{H}$ *satisfies the* priority order *(PO) if there is no* $R_j$ *backward applicable to* $\mathcal{H}$ *with* $j < i$*.*
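The LLCC is a purely syntactic comparison of multisets qua sets, so it can be tested by pairwise inclusion checks. In the sketch below (our own encoding: a component is a pair of tuples, a premiss a list of components), a rule application is blocked exactly when some premiss adds no genuinely new component:

```python
def satisfies_llcc(premisses, conclusion):
    """True iff every premiss contains at least one component Gamma => Delta
    such that no component Pi => Theta of the conclusion satisfies
    set(Gamma) <= set(Pi) and set(Delta) <= set(Theta)."""
    def subsumed(component):
        gamma, delta = component
        return any(set(gamma) <= set(pi) and set(delta) <= set(theta)
                   for (pi, theta) in conclusion)
    return all(any(not subsumed(c) for c in premiss) for premiss in premisses)
```

For instance, a premiss consisting only of a copy of a component already in the conclusion fails the LLCC, while a premiss containing a component with a fresh formula passes.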

Bottom-up proof search with the LLCC and PO is described by Algorithm 1. We now show that it is complete, and that it provides a coNP procedure for deciding derivability in $\mathsf{L}_1...\mathsf{L}_n I$.

Proposition 4. *If* $\mathcal{H}$ *is derivable in* $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$*, then it is derivable with a derivation in which all rule applications satisfy the LLCC and the PO.*

*Proof.* First, we show by induction on the height $n$ of the derivation $\mathcal{D}$ of $\mathcal{H}$ in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$ that if $\mathcal{H}$ is derivable in $\mathbb{H}\langle\mathsf{L}_1...\mathsf{L}_n I\rangle$, then it is derivable respecting the LLCC. If $n = 0$, then $\mathcal{H}$ is an initial hypersequent and $\mathcal{D}$ trivially satisfies the LLCC. For $n + 1$, let $R$ be the last rule applied in $\mathcal{D}$. If $R$ satisfies the LLCC, then we apply the i.h. to its premisses and are done. Otherwise, there is a premiss $\mathcal{G}_i$ of $R$ such that for all components $\Gamma \Rightarrow \Delta$ in $\mathcal{G}_i$, there is $\Pi \Rightarrow \Theta$ in $\mathcal{H}$ s.t. $set(\Gamma) \subseteq set(\Pi)$ and $set(\Delta) \subseteq set(\Theta)$. Then $\mathcal{H}$ can be obtained from $\mathcal{G}_i$ by means of height-preserving applications of the structural rules. Again, by applying the i.h. we obtain a derivation of $\mathcal{H}$ in which every rule application satisfies the LLCC. Moreover, given the invertibility of the rules, any derivation can be transformed into one satisfying the PO by rearranging the order of the rule applications.

Proposition 5. *For every logic* $\mathsf{L}_1...\mathsf{L}_n I$*, Algorithm 1 runs in* coNP*.*

*Proof.* The algorithm is presented in the form of a non-deterministic Turing machine with only universal states (that is, states that are accepting if every transition leads to some accepting state); thus, in order to prove that it runs in coNP, we need to show that every computation takes polynomial time. Let $\mathcal{H}$ be the input hypersequent and $n$ the size of $\mathcal{H}$, defined as the sum of the lengths of the formulas occurring in it. Since every backward application of a rule introduces a formula or a component, the number of possible rule applications, and hence the number of computation steps, is bounded by the maximal length of the hypersequents that can be generated by the procedure. Given that all formulas occurring in a hypersequent are subformulas of formulas occurring in $\mathcal{H}$, and that the LLCC avoids multiple occurrences of the same formula in the same component, every component has length at most $O(n)$. Moreover, new components are generated by a modal formula or by a pair of modal formulas. Because of the LLCC, no matter in which component they occur, the same formula or pair of formulas cannot generate more than one component. Then the number of components is bounded by $O(n) + O(n) + O(n^2)$. It follows that every hypersequent has length at most $O(n^3)$. Finally, checking that a premiss does not violate the LLCC takes polynomial time in the length of the conclusion. Thus the whole execution takes polynomial time.


In order for the procedure to succeed, all executions must terminate on an initial hypersequent; hence a single failed execution suffices to establish the non-derivability of the input hypersequent. In this latter case, the procedure constructs a hypersequent which is not initial and to which no rule is backward applicable without violating the LLCC. We call such a hypersequent *saturated*. We now show that from a saturated hypersequent we can extract a countermodel of the input hypersequent.

Definition 6. *Let* $H = \Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_k \Rightarrow \Delta_k$ *be a saturated hypersequent returned by Algorithm 1 on input* $G$ *and* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$*. For all formulas* $B$ *occurring in* $H$ *and all* $1 \le i \le n$*, we define*

$$\begin{aligned} \lfloor B \rfloor_i &= \{\ell \mid B \in \Gamma_\ell\};\\ \lceil B \rceil_i &= \begin{cases} \mathcal{W} \setminus \{\ell \mid B \in \Delta_\ell\}, & \text{if } \mathsf{L}_i \text{ is not monotonic;}\\ \mathcal{W}, & \text{if } \mathsf{L}_i \text{ is monotonic;} \end{cases}\\ \eta_i &= \begin{cases} \{\mathcal{W}\}, & \text{if there is } j \text{ such that } j = i \text{ or } (i, j) \in \mathcal{I}^*, \text{ and } \mathsf{N}_j \in \mathsf{L}_j;\\ \emptyset, & \text{otherwise.} \end{cases} \end{aligned}$$

*Then the model* $\mathcal{M} = (\mathcal{W}, \mathcal{N}_1, \ldots, \mathcal{N}_n, \mathcal{V})$ *is defined with* $\mathcal{W} = \{\ell \mid \Gamma_\ell \Rightarrow \Delta_\ell \in H\}$*; for all* $p \in \mathrm{Atm}$*,* $\mathcal{V}(p) = \{\ell \mid p \in \Gamma_\ell\}$*; and for all* $1 \le i \le n$ *and all* $1 \le \ell \le k$*,*

$$\mathcal{N}_i(\ell) = \eta_i \cup \{ \alpha \subseteq \mathcal{W} \mid \text{there is } \Box_j B \in \Gamma_\ell \text{ such that } j = i \text{ or } (j, i) \in \mathcal{I}^*, \\ \text{and } \lfloor B \rfloor_j \subseteq \alpha \subseteq \lceil B \rceil_j \}.$$
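The bracket sets of Definition 6 are straightforward to compute from a saturated hypersequent. The following sketch uses our own encoding (components as pairs of sets, worlds as component indices, one logic only); it is an illustration, not the authors' construction.

```python
# Compute floor(B) and ceil(B) from a saturated hypersequent H, encoded as a
# list of components (Gamma_l, Delta_l); the worlds are the indices l.

def floor_set(H, B):
    """{l | B in Gamma_l}"""
    return {l for l, (gamma, _) in enumerate(H) if B in gamma}

def ceil_set(H, B, monotonic):
    """W \\ {l | B in Delta_l}; all of W when the logic is monotonic."""
    W = set(range(len(H)))
    if monotonic:
        return W
    return W - {l for l, (_, delta) in enumerate(H) if B in delta}

# Three components: B on the left, B on the right, B absent.
H = [({'B'}, set()), (set(), {'B'}), (set(), set())]
assert floor_set(H, 'B') == {0}
assert ceil_set(H, 'B', monotonic=False) == {0, 2}
assert floor_set(H, 'B') <= ceil_set(H, 'B', False)   # floor(B) is inside ceil(B)
```

A neighbourhood α generated by a boxed formula B is then any set squeezed between `floor_set` and `ceil_set`, as in the definition of $\mathcal{N}_i(\ell)$.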

Proposition 6. *Let* $H$ *be a saturated hypersequent returned by Algorithm 1 on input* $G$ *and* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$*, and* $\mathcal{M}$ *be the model defined on the basis of* $H$ *as in Definition 6. Then for all formulas* $B$ *and all worlds* $\ell$ *of* $\mathcal{M}$*, it holds:*

*– if* $B \in \Gamma_\ell$*, then* $\mathcal{M}, \ell \Vdash B$*;*
*– if* $B \in \Delta_\ell$*, then* $\mathcal{M}, \ell \nVdash B$*.*

*Moreover,* $\mathcal{M}$ *is a* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$*-model.*

*Proof.* The first claim is proved by induction on the construction of $B$. For $B = p$, $B = \bot$ and $B = C \wedge D$ the proof is standard. Suppose $B = \Box_i C \in \Gamma_\ell$. By i.h., $\lfloor C \rfloor_i \subseteq [C] \subseteq \lceil C \rceil_i$, where $[C]$ is the truth set of $C$. Then by definition, $[C] \in \mathcal{N}_i(\ell)$, thus $\mathcal{M}, \ell \Vdash \Box_i C$. Now suppose $B = \Box_i C \in \Delta_\ell$. If there is no $\Box_i D \in \Gamma_\ell$ or $\Box_j D \in \Gamma_\ell$ with $(j, i) \in \mathcal{I}^*$, then if $\eta_i = \emptyset$, we have $\mathcal{N}_i(\ell) = \emptyset$, hence $\mathcal{M}, \ell \nVdash \Box_i C$. If instead $\eta_i = \{\mathcal{W}\}$, then $\mathcal{N}_i(\ell) = \{\mathcal{W}\}$; moreover by Definition 3, $\mathsf{n}_i \in \mathsf{S}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$, hence by Definition 4, $\mathsf{n}_i \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$. Thus, since $H$ is saturated, there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ where $C \in \Delta_m$; then by i.h., $\mathcal{M}, m \nVdash C$, hence $[C] \neq \mathcal{W}$, thus $[C] \notin \mathcal{N}_i(\ell)$, hence $\mathcal{M}, \ell \nVdash \Box_i C$. Otherwise let $\Box_j D \in \Gamma_\ell$ with $j = i$ or $(j, i) \in \mathcal{I}^*$. If $\mathsf{L}_i$ is monotonic, then by the rule $\mathsf{m}_{ji}$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ such that $D \in \Gamma_m$ and $C \in \Delta_m$, while if $\mathsf{L}_i$ is not monotonic, then by the rule $\mathsf{e}_{ji}$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ such that $D \in \Gamma_m$ and $C \in \Delta_m$, or $C \in \Gamma_m$ and $D \in \Delta_m$. In the first case, by i.h., $\lfloor D \rfloor_j \not\subseteq [C]$, and in the second case, $\lfloor D \rfloor_j \not\subseteq [C]$ or $[C] \not\subseteq \lceil D \rceil_j$.
Since this holds for all $\Box_j D \in \Gamma_\ell$ with $j = i$ or $(j, i) \in \mathcal{I}^*$, $[C] \notin \mathcal{N}_i(\ell)$, thus $\mathcal{M}, \ell \nVdash \Box_i C$.

We now prove that $\mathcal{M}$ is a $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$-model. From the definition of $\mathcal{N}_i$ it follows immediately that (Int$_{ij}$-c) is satisfied for all $(i, j) \in \mathcal{I}^*$, that (M$_i$-c) is satisfied if $\mathsf{M}_i \in \mathsf{L}_i$, and that (N$_i$-c) is satisfied if $\mathsf{N}_i \in \mathsf{L}_i$. We show (D$_i$-c) as an example for the other conditions: Suppose that $\mathsf{D}_i \in \mathsf{L}_i$ and, by contradiction, $\alpha \in \mathcal{N}_i(\ell)$ and $\mathcal{W} \setminus \alpha \in \mathcal{N}_i(\ell)$. By definition of the monomodal calculi, $\mathsf{d}_i \in \mathsf{S.L}_i$ or $\mathsf{md}_i \in \mathsf{S.L}_i$. Moreover, by definition of $\mathcal{N}_i$, there is $\Box_j B \in \Gamma_\ell$ s.t. $j = i$ or $(j, i) \in \mathcal{I}^*$, and $\lfloor B \rfloor_j \subseteq \alpha \subseteq \lceil B \rceil_j$; and either there is $\Box_u C \in \Gamma_\ell$ s.t. $u = i$ or $(u, i) \in \mathcal{I}^*$, and $\lfloor C \rfloor_u \subseteq \mathcal{W} \setminus \alpha \subseteq \lceil C \rceil_u$, which implies $\lfloor B \rfloor_j \cap \lfloor C \rfloor_u = \emptyset$ and $(\mathcal{W} \setminus \lceil B \rceil_j) \cap (\mathcal{W} \setminus \lceil C \rceil_u) =$

$$\mathsf{U}_{\mathsf{L}}\ \frac{\mathcal{H} \mid \Gamma, \mathsf{U}A \Rightarrow \Delta \mid \Sigma, A \Rightarrow \Pi}{\mathcal{H} \mid \Gamma, \mathsf{U}A \Rightarrow \Delta \mid \Sigma \Rightarrow \Pi} \qquad \mathsf{U}_{\mathsf{R}}\ \frac{\mathcal{H} \mid \Gamma \Rightarrow \mathsf{U}A, \Delta \mid\ \Rightarrow A}{\mathcal{H} \mid \Gamma \Rightarrow \mathsf{U}A, \Delta} \qquad \mathsf{U}_{\mathsf{t}}\ \frac{\mathcal{H} \mid \Gamma, \mathsf{U}A, A \Rightarrow \Delta}{\mathcal{H} \mid \Gamma, \mathsf{U}A \Rightarrow \Delta}$$

Fig. 5. Hypersequent rules for the universal modality.

$\emptyset$, or $\mathcal{W} \setminus \alpha = \mathcal{W}$ and $\eta_i = \{\mathcal{W}\}$. There are four possible cases. (1) If $j = u$ and $B = C$, then by Definition 3, $\mathsf{d}_j \in \mathsf{S}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ or $\mathsf{p}_j \in \mathsf{S}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$, hence by Definition 4, $\mathsf{d}_j \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ or $\mathsf{p}_j \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$. Thus by saturation of $H$, there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B \in \Gamma_m$ or $B \in \Delta_m$. Then $m \in \lfloor B \rfloor_j$ or $m \in \mathcal{W} \setminus \lceil B \rceil_j$. Since $\lfloor B \rfloor_j = \lfloor C \rfloor_u$ and $\lceil B \rceil_j = \lceil C \rceil_u$, this gives a contradiction. (2) If $j = u$ and $B \neq C$, by Definitions 3 and 4 we have $\mathsf{d}_j \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ or $\mathsf{md}_j \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$. (3) If $j \neq u$, by Definitions 3 and 4, $\mathsf{d}_{ju} \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ or $\mathsf{md}_{ju} \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$. In both cases, by saturation there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B, C \in \Gamma_m$ or $B, C \in \Delta_m$, which implies $m \in \lfloor B \rfloor_j \cap \lfloor C \rfloor_u$ or $m \in (\mathcal{W} \setminus \lceil B \rceil_j) \cap (\mathcal{W} \setminus \lceil C \rceil_u)$, giving a contradiction. (4) $\mathcal{W} \setminus \alpha = \mathcal{W}$ and $\eta_i = \{\mathcal{W}\}$, that is, $\alpha = \emptyset$. By Definitions 3 and 4, $\mathsf{p}_j \in \mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$. Thus there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B \in \Gamma_m$, then $\lfloor B \rfloor_j \neq \emptyset$, then $\alpha \neq \emptyset$, giving a contradiction. It follows that $\alpha \notin \mathcal{N}_i(\ell)$ or $\mathcal{W} \setminus \alpha \notin \mathcal{N}_i(\ell)$.

Note that the model $\mathcal{M}$ of Proposition 6 is also a countermodel for the input hypersequent $G$. Indeed, since backward rule applications never delete formulas or components, for all components $\Gamma \Rightarrow \Delta$ in $G$, there is $\Pi \Rightarrow \Theta$ in $H$ such that $\mathrm{set}(\Gamma) \subseteq \mathrm{set}(\Pi)$ and $\mathrm{set}(\Delta) \subseteq \mathrm{set}(\Theta)$. Thus the world corresponding to $\Pi \Rightarrow \Theta$ in $\mathcal{M}$ also falsifies $\Gamma \Rightarrow \Delta$. In the light of this model extraction, Algorithm 1 can easily be reformulated to provide an NP decision procedure for the satisfiability problem in $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$, with the algorithm taking as input hypersequents of the form $A \Rightarrow$. On the basis of the above results, we can conclude the following.

Theorem 3. *The validity problem for* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$ *is* coNP*-complete.*

# 5 Adding the Universal Modality

As we have seen, hypersequents cannot be interpreted in the language of NNMLs. The reason is that the hypersequent construct "|" semantically corresponds to a disjunction of validities of sequents. In order to make the hypersequent calculi fully internal, we now extend the language with a universal modality U, and add suitable hypersequent rules for it to the calculi. This extension allows us to treat another kind of logic combination, namely the combination of NNMLs whose common language also contains U (together with the propositional variables and the Boolean connectives). Differently from the combinations introduced in Sect. 2, we define these logic combinations not on the basis of the axiomatic systems, but on the basis of the hypersequent calculi. We show that this extension of the calculi still provides a coNP proof search procedure, and still allows one to extract suitable countermodels. Based on the hypersequent calculi and the formula interpretation of hypersequents, we also provide an axiomatisation for the resulting logics.

Let $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ be the language containing the modalities $\Box_1, \ldots, \Box_n$ as well as $\mathsf{U}$. Hypersequents are now interpreted in $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ by considering the standard formula interpretation of hypersequent calculi for S5 [2,38]:

$$\iota(\Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_n \Rightarrow \Delta_n) = \mathsf{U}(\bigwedge \Gamma_1 \rightarrow \bigvee \Delta_1) \vee \ldots \vee \mathsf{U}(\bigwedge \Gamma_n \rightarrow \bigvee \Delta_n).$$
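The interpretation ι is a purely syntactic translation, which can be sketched as simple string building. The helper below is our own illustration (not from the paper); empty antecedents and succedents are rendered as the units T and F.

```python
# Sketch of the formula interpretation iota: a hypersequent is a list of
# components (Gamma, Delta), each a list of formula strings; U is the
# universal modality.

def interp(hypersequent):
    """iota(G1 => D1 | ... | Gn => Dn) as a display string."""
    parts = []
    for gamma, delta in hypersequent:
        ante = ' & '.join(gamma) if gamma else 'T'   # empty conjunction = T
        succ = ' | '.join(delta) if delta else 'F'   # empty disjunction = F
        parts.append(f'U(({ante}) -> ({succ}))')
    return ' v '.join(parts)

assert interp([(['A'], ['B']), ([], ['C'])]) == 'U((A) -> (B)) v U((T) -> (C))'
```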

Moreover, let $\mathsf{L}_1, \ldots, \mathsf{L}_n$ be $n$ non-normal monomodal logics formulated respectively in the languages $\mathcal{L}[\Box_1], \ldots, \mathcal{L}[\Box_n]$, with $\Box_1, \ldots, \Box_n$ all distinct, but sharing the same propositional variables, Boolean operators, and universal modality $\mathsf{U}$.

Definition 7. *For every calculus* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ *from Sect. 4, the corresponding calculus* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ *in* $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ *contains the rules of* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$*, plus the rules* $\mathsf{U}_{\mathsf{L}}$*,* $\mathsf{U}_{\mathsf{R}}$ *and* $\mathsf{U}_{\mathsf{t}}$ *in Fig. 5. Moreover, we call* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*-model any* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$*-model (Definition 2), where* $\mathsf{U}$ *is interpreted as* $\mathcal{M}, w \Vdash \mathsf{U}A$ *if and only if* $\mathcal{M}, v \Vdash A$ *for all worlds* $v$ *of* $\mathcal{M}$*.*

The rules for U are taken from [38] (see also [39] for similar rules; different hypersequent rules for S5 can be found in [29] and references therein). We start by showing that some of the results proved for $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ immediately extend to $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$.

Proposition 7. *If* $H$ *is derivable in* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$*, then* $H$ *is valid in every* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*-model.*

*Proof.* By extending the proof of Proposition 2. We consider the rule $\mathsf{U}_{\mathsf{L}}$ as an example: Suppose that $\mathcal{M} \models \mathcal{H} \mid \Gamma, \mathsf{U}A \Rightarrow \Delta \mid \Sigma, A \Rightarrow \Pi$. If $\mathcal{M} \models \mathcal{H} \mid \Gamma, \mathsf{U}A \Rightarrow \Delta$, we are done. Otherwise $\mathcal{M} \models \Sigma, A \Rightarrow \Pi$, and since $\mathcal{M} \models \mathsf{U}A$ or $\mathcal{M} \models \neg\mathsf{U}A$, from $\mathcal{M} \not\models \Gamma, \mathsf{U}A \Rightarrow \Delta$ we get $\mathcal{M} \models \mathsf{U}A$. Then $\mathcal{M} \models \Sigma \Rightarrow \Pi$.

Proposition 8. *Algorithm 1 on inputs* $H$ *in* $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ *and* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ *runs in* coNP*.*

*Proof.* The proof is exactly as that of Proposition 5, observing that every formula $\mathsf{U}A$ can generate at most one component (cf. [32]). Note that the LLCC and Algorithm 1 remain well-defined on the new inputs.

Proposition 9. *Let* $H = \Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_k \Rightarrow \Delta_k$ *be a saturated hypersequent returned by Algorithm 1 on input* $G$ *and* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$*, and* $\mathcal{M} = (\mathcal{W}, \mathcal{N}_1, \ldots, \mathcal{N}_n, \mathcal{V})$ *be the model defined on the basis of* $H$ *as in Definition 6. Then for all formulas* $B$ *of* $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ *and all* $\ell \in \mathcal{W}$*, it holds: if* $B \in \Gamma_\ell$*, then* $\mathcal{M}, \ell \Vdash B$*, and if* $B \in \Delta_\ell$*, then* $\mathcal{M}, \ell \nVdash B$*. Moreover,* $\mathcal{M}$ *is a* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*-model.*

*Proof.* The proof extends that of Proposition 6 with the case $B = \mathsf{U}C$, which is standard: If $\mathsf{U}C \in \Gamma_\ell$, then by $\mathsf{U}_{\mathsf{L}}$ and $\mathsf{U}_{\mathsf{t}}$, $C \in \Gamma_m$ for all $m \in \mathcal{W}$; then by i.h., $\mathcal{M}, m \Vdash C$ for all $m \in \mathcal{W}$, that is, $\mathcal{M}, \ell \Vdash \mathsf{U}C$. If $\mathsf{U}C \in \Delta_\ell$, then by $\mathsf{U}_{\mathsf{R}}$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ with $C \in \Delta_m$. By i.h., $\mathcal{M}, m \nVdash C$, thus $\mathcal{M}, \ell \nVdash \mathsf{U}C$.

As before, on the basis of Proposition 9, we can obtain from the algorithm an NP decision procedure for satisfiability of $\mathcal{L}[\Box_1, \ldots, \Box_n, \mathsf{U}]$ formulas in $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$-models. As a further consequence, Proposition 9 entails that the calculi $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ are complete with respect to the corresponding models. Indeed, if the proof search procedure fails on input $H$, then it constructs a saturated hypersequent $G$ that extends $H$. From Proposition 9 we get a $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$-countermodel of $G$, whence of $H$, which means that $H$ is not $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$-valid.

Theorem 4. $H$ *is derivable in* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ *with LLCC and PO if and only if* $H$ *is valid in every* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*-model.*

We now take advantage of the completeness of the calculi $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ and of the formula interpretation of hypersequents to provide an axiomatisation for the corresponding logics.

Definition 8. *A logic* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ *is axiomatically defined as the corresponding logic* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$ *(Definition 1), but, for each* $1 \le i \le n$*, replacing* $\mathsf{RE}_i$*,* $\mathsf{M}_i$*,* $\mathsf{N}_i$*,* $\mathsf{D}_i$ *and* $\mathsf{P}_i$ *with the corresponding axioms* $\mathsf{E}_i^{\mathsf{U}}$*,* $\mathsf{M}_i^{\mathsf{U}}$*,* $\mathsf{N}_i^{\mathsf{U}}$*,* $\mathsf{D}_i^{\mathsf{U}}$ *and* $\mathsf{P}_i^{\mathsf{U}}$ *below, and adding* $\mathsf{K}^{\mathsf{U}}$*,* $\mathsf{T}^{\mathsf{U}}$*,* $\mathsf{5}^{\mathsf{U}}$ *and* $\mathsf{RN}^{\mathsf{U}}$ *(*S5 *axioms for* $\mathsf{U}$*):*

$$\begin{array}{ll} \mathsf{E}_i^{\mathsf{U}}\colon\ \mathsf{U}(A \to B) \wedge \mathsf{U}(B \to A) \to \mathsf{U}(\Box_i A \to \Box_i B) & \mathsf{K}^{\mathsf{U}}\colon\ \mathsf{U}(A \to B) \wedge \mathsf{U}A \to \mathsf{U}B \\ \mathsf{M}_i^{\mathsf{U}}\colon\ \mathsf{U}(A \to B) \to \mathsf{U}(\Box_i A \to \Box_i B) & \mathsf{T}^{\mathsf{U}}\colon\ \mathsf{U}A \to A \\ \mathsf{N}_i^{\mathsf{U}}\colon\ \mathsf{U}A \to \mathsf{U}\Box_i A & \mathsf{5}^{\mathsf{U}}\colon\ \mathsf{U}A \vee \mathsf{U}\neg\mathsf{U}A \\ \mathsf{D}_i^{\mathsf{U}}\colon\ \mathsf{U}(A \to B) \wedge \mathsf{U}(B \to A) \to \mathsf{U}(\Box_i A \to \neg\Box_i\neg B) & \mathsf{RN}^{\mathsf{U}}\colon\ A \,/\, \mathsf{U}A \\ \mathsf{P}_i^{\mathsf{U}}\colon\ \mathsf{U}\neg A \to \mathsf{U}\neg\Box_i A & \end{array}$$

$\mathsf{T}_i$ is the only axiom that does not change. $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ is an extension of $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}$, as $\mathsf{RE}_i$ is derivable in $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ for all $1 \le i \le n$, and $\mathsf{M}_i$, $\mathsf{N}_i$, $\mathsf{D}_i$ or $\mathsf{P}_i$ is derivable if, respectively, $\mathsf{M}_i^{\mathsf{U}}$, $\mathsf{N}_i^{\mathsf{U}}$, $\mathsf{D}_i^{\mathsf{U}}$ or $\mathsf{P}_i^{\mathsf{U}}$ belongs to $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$. Consider $\mathsf{M}_i$ as an example: From $A \wedge B \to A$, by $\mathsf{RN}^{\mathsf{U}}$, $\mathsf{U}(A \wedge B \to A)$; then by $\mathsf{M}_i^{\mathsf{U}}$, $\mathsf{U}(\Box_i(A \wedge B) \to \Box_i A)$; thus by $\mathsf{T}^{\mathsf{U}}$, $\Box_i(A \wedge B) \to \Box_i A$. We now show that each logic $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ is equivalent to the corresponding calculus $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$.

Proposition 10. *If* $A$ *is derivable in* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*, then* $\Rightarrow A$ *is derivable in* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$*, and if* $H$ *is derivable in* $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$*, then* $\iota(H)$ *is derivable in* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*.*

*Proof.* For the first claim, one can show that the axioms of $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ are derivable in $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$. For the second claim, we prove that for every rule $H_1/H$ or $H_1, H_2/H$ of $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$, the corresponding rule $\iota(H_1)/\iota(H)$ or $\iota(H_1), \iota(H_2)/\iota(H)$ is derivable in $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$. The proof follows the lines of the proof of Theorem 2 ($\Rightarrow$), considering that, depending on the logics, additional axioms such as $\mathsf{U}(A \to B) \wedge \mathsf{U}(B \to A) \to \mathsf{U}(\Box_i A \to \neg\Box_j\neg B)$ can be derivable.

Finally, considering the properties of the calculi $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ and their equivalence with the systems $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$, we can conclude the following.

Theorem 5. $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ *is sound and complete with respect to the class of all* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$*-models. Moreover, the validity problem for* $\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}^{\mathsf{U}}$ *is* coNP*-complete.*

# 6 Conclusion

We have proved that the validity/derivability problem for fusions of standard coNP NNMLs, as well as for their extensions with interaction axioms of the form $\Box_i A \to \Box_j A$, remains coNP-complete, and that the same result holds for combinations of logics that also share a universal modality. In this respect, combinations of NNMLs display a different behaviour from combinations of standard coNP normal logics such as S5, KD45, K4.3 and S4.3, whose fusions are instead PSPACE-complete.

As we have seen, fully invertible hypersequent calculi offer a good point of view on the problem, as they allow one to decompose its global complexity into that of the single rule applications. As a further advantage, the hypersequent calculi $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}$ allow one to explicitly construct derivations of valid hypersequents/formulas, as well as countermodels of non-valid hypersequents/formulas. Furthermore, after the integration of the rules for U from [38], the calculi $\mathsf{H}_{\mathsf{L}_1\ldots\mathsf{L}_n\mathsf{I}}^{\mathsf{U}}$ directly construct countermodels where both U and the neighbourhood functions behave correctly. This can be compared with alternative techniques such as submodel generation [5], which might be non-trivial to apply in the presence of neighbourhood functions.

On the other hand, the definition of cut-free calculi for the logics with interaction axioms requires an intricate combinatorial analysis; in future work we would like to study calculi that allow for a modular definition of the logic combinations. We would also like to study logics with iterative axioms such as 4, 5 and B, as well as product-like combinations of NNMLs.

Acknowledgements. We thank Alessandro Gianola and Anton Gnatenko for helpful discussions and the anonymous reviewers for detailed comments that helped us to improve the paper. This research has been partially supported by the project D2G2 funded through the Call for International Cooperation Projects Germany-South Tyrol by the Province of Bolzano and DFG (DFG grant n. 500249124). Andrea Mazzullo acknowledges the support of the MUR PNRR project FAIR - Future AI Research (PE00000013) funded by the NextGenerationEU.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Resolution Calculi for Non-normal Modal Logics**

Dirk Pattinson<sup>1(B)</sup>, Nicola Olivetti<sup>2</sup>, and Cláudia Nalon<sup>3</sup>

<sup>1</sup> School of Computing, The Australian National University, Canberra, Australia. dirk.pattinson@anu.edu.au
<sup>2</sup> Aix-Marseille University, CNRS, LIS, Marseille, France. nicola.olivetti@lis-lab.fr
<sup>3</sup> Department of Computer Science, University of Brasília, Brasília, Brazil. nalon@unb.br

**Abstract.** We present resolution calculi for the cube of classical nonnormal modal logics. The calculi are based on a simple clausal form that comprises both local and global clauses. Any formula can be efficiently transformed into a small set of clauses. The calculi contain uniform rules and provide a decision procedure for all logics. Their completeness is based on a new and crucial notion of inconsistency predicate, needed to ensure the usual closure properties of maximal consistent sets. As far as we know the calculi presented here are the first resolution calculi for this class of logics.

**Keywords:** Modal Logic · Automated Reasoning · Resolution

# **1 Introduction**

Non-normal modal logics (NNMLs) have been studied since the seminal work by Kripke in the 1960s, and were then developed prominently by Montague, Segerberg, Scott, and Chellas in the 1970s. They are called *non-normal* because they do not satisfy all axioms of the minimal normal modal logic **K**. NNMLs are used in a variety of contexts. In epistemic reasoning they offer a simple (preliminary) solution to the problem of logical omniscience. In deontic logic, they allow one to avoid some well-known paradoxes of classical deontic logic, and enable us to represent conflicting obligations. Multi-agent non-normal modalities have been used to capture notions of agency and ability, where □φ is read as "the agent can bring about φ", for a formula φ [12]. Moreover, the non-normal monotonic logic **EM** coincides with the 2-agent case of Pauly's coalition logic with determinacy. Finally, NNMLs are the formalism of choice to express normality and typicality, or truth in most cases, as a modality [43].

In this paper we consider the classical cube of NNMLs. It comprises the minimal modal logic **E**, the smallest modal logic closed under congruence (only), and extensions of **E** with one or more of the axioms C, M and N. This results in a

© The Author(s) 2023

C. Nalon was partially supported by FAPDF 11/2021, DPG/UnB 004/2022.

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 322–341, 2023. https://doi.org/10.1007/978-3-031-43513-3\_18

cube of 8 systems, of which the strongest (defined by all three axioms M, N, and C) is just the normal modal logic **K**. NNMLs have a well-understood semantics defined in terms of neighbourhood models [7]. In these models, each world w is associated with a set of neighbourhoods N(w), where each neighbourhood is itself a set of worlds. If we accept the traditional interpretation of a proposition as the set of worlds in which it holds (its truth set), we can think of N(w) as a set of propositions associated with w, i.e. precisely those propositions that are necessary, known, obligatory, . . . at the world w. The classical cube arises by imposing closure properties on the set of neighbourhoods (or propositions) associated with a world, captured syntactically by the axioms.

From an automated reasoning and proof-theoretic view, NNMLs are not as well studied as normal modal logics. Cut-free Gentzen calculi for NNMLs have been studied in [22,23,25,41,42]. Labelled calculi of different kinds have been proposed in [10,15,37], where the neighbourhood semantics is represented syntactically through two different kinds of labels, for worlds and neighbourhoods. Situated between these two approaches are calculi that augment sequents with additional structure, but without fully representing the neighbourhood semantics: linear nested sequents with an additional nesting operator [26] and structured hypersequents [9]. All these calculi have different purposes and properties. Cut-free Gentzen calculi typically provide a straightforward decision procedure, in some cases of optimal complexity, and help to prove interpolation [42]. Labelled calculi, and also the approach taken in [9], allow us to extract countermodels of unprovable sequents. The structured calculi of [26] provide a uniform and modular formulation of NNMLs when extended with axioms of the standard modal cube. An algorithmic alternative to deduction has been proposed in [16], where the satisfiability problem in NNMLs is reduced to a set of SAT problems. This essentially implements the proof of the complexity bound for these logics given by Vardi [52].

This paper presents a different approach to reasoning in NNMLs and introduces resolution calculi for all logics in the NNML cube. Resolution methods usually rely on normal forms, which not only help in the design of the inference rules, but also allow for simple implementations. Moreover, although the complexity of the method is high – proofs might be exponential in the size of the input for some problems [21] – resolution for classical logics is widely implemented [11,17,27,28,47,49,50] with excellent performance in practice [48]. Resolution calculi have been designed for several modal logics, including the normal modal logic **K** and its extensions in the modal cube, either as direct methods or using translations into more expressive logics, e.g. as in [1–6,8,13,14,29–31,36] and [38–40]. Recent evaluations [18,31–35,44] show that resolution-based provers for **K** also perform well when compared with tableaux, SAT, and translation-based procedures for modal logics [11,17–20,24,47,49–51].

To the best of our knowledge, ours are the first resolution calculi for NNMLs. We use a very simple, congruential translation of formulae into sets of local and global clauses, where the latter are required to hold at any point in the model. Completeness is established via canonical models, and the main conceptual novelty is the analysis of maximally consistent sets using *inconsistency predicates*. As we demonstrate by example, our modal resolution calculus does not derive the modal literal ¬□l from a set C of clauses if C ∪ {□l} is inconsistent. Rather, it derives a (set of) literals e such that {e, □l} is inconsistent over C. This allows us to show that maximally consistent sets are negation complete and disjunction complete. Also, inconsistency predicates allow us to lift statements of global satisfiability of clauses to resolution derivability, which in turn establishes the premisses of resolution rules that we need to establish completeness.

The paper is structured as follows. In the next section we present the language of NNMLs and their axiomatisations. We then present the calculi for each modal logic in the NNML cube in Sect. 3, together with results for termination and soundness. Completeness is shown in Sect. 4. The completeness results show that proof systems for stronger logics are obtained modularly by adding rules to the weaker systems. We conclude in Sect. 5.

# **2 Syntax, Semantics, and Axiomatisation**

**Definition 1.** We fix a countable set V of propositional variables. The *language* L of the basic unimodal logic is given by the grammar L ∋ φ, ψ ::= p | ¬φ | □φ | φ ∨ ψ where p ∈ V.

Other connectives ⊤, ⊥, ∧, → and ↔ are defined in the standard way, and we use the usual operator precedence ∧, ∨, →, ↔ from strongest to weakest. We denote the set of subformulae of φ ∈ L and their negations by subf(φ), where leading double negations are eliminated.

**Terminology 2.** Variables and their negations are called *propositional literals*, and *modal literals* are of the form □p or ¬□p where p ∈ V is a propositional variable. A *literal* is either a propositional or a modal literal. We write Lit(V) for the set of literals with variables in V.

Formulae are interpreted with respect to *neighbourhood models*.

**Definition 3.** A *neighbourhood frame* is a pair (W, N) where W is a set (of worlds) and N : W → P(P(W)) is a (neighbourhood) function, where P(S) denotes the powerset of S. A *neighbourhood model* is a neighbourhood frame endowed with a valuation, that is, a triple (W, N, θ) where (W, N) is a neighbourhood frame and θ : V→P(W) is a (valuation) function.

**Definition 4.** Truth of a formula φ ∈ L at a world w ∈ W of a neighbourhood model M = (W, N, θ) is given inductively by:

$$\begin{array}{lcl} M, w \models p &\iff& w \in \theta(p) \\ M, w \models \phi \vee \psi &\iff& M, w \models \phi \text{ or } M, w \models \psi \\ M, w \models \neg\phi &\iff& M, w \not\models \phi \\ M, w \models \Box\phi &\iff& \llbracket \phi \rrbracket_M \in N(w) \end{array}$$

where $\llbracket \phi \rrbracket_M = \{w \in W \mid M, w \models \phi\}$ is the *truth set* of φ.
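These truth conditions translate directly into a small evaluator over finite neighbourhood models. The sketch below is illustrative only; the tuple encoding of formulas and the function names are our own, not the paper's.

```python
# Evaluate formulas in a finite neighbourhood model M = (W, N, theta).
# Formulas are tuples: ('p', name), ('not', phi), ('or', phi, psi), ('box', phi).

def truth_set(M, phi):
    """The truth set of phi: {w in W | M, w |= phi}, as a frozenset."""
    W, N, theta = M
    return frozenset(w for w in W if holds(M, w, phi))

def holds(M, w, phi):
    W, N, theta = M
    op = phi[0]
    if op == 'p':
        return w in theta[phi[1]]
    if op == 'or':
        return holds(M, w, phi[1]) or holds(M, w, phi[2])
    if op == 'not':
        return not holds(M, w, phi[1])
    if op == 'box':
        # M, w |= box phi  iff  the truth set of phi is a neighbourhood of w
        return truth_set(M, phi[1]) in N[w]
    raise ValueError(op)

# Two-world model: p holds exactly at world 0, and {0} is a neighbourhood of 0.
W = {0, 1}
M = (W, {0: {frozenset({0})}, 1: set()}, {'p': {0}})
assert holds(M, 0, ('box', ('p', 'p')))       # [[p]] = {0} is in N(0)
assert not holds(M, 1, ('box', ('p', 'p')))   # N(1) is empty
```

Note that □ is not monotone here: nothing forces supersets of {0} to be neighbourhoods, matching the classical (non-normal) reading.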


**Table 1.** Axioms and frame properties, where (W, N) is a frame, α, β ⊆ W, w ∈ W.

**Fig. 1.** The classical modal cube. Arrows indicate proper inclusion.

A formula φ ∈ L is *satisfiable* in a neighbourhood model M = (W, N, θ) if there is w ∈ W such that M, w |= φ. A set Γ = {γ<sub>1</sub>,...,γ<sub>n</sub>}, n ∈ N, is *satisfiable* if and only if there is a neighbourhood model M = (W, N, θ) and a world w ∈ W such that M, w |= γ<sub>i</sub> for all 1 ≤ i ≤ n. A formula φ is *satisfiable in a class* C *of neighbourhood models* if there exists M ∈ C such that φ is satisfiable in M. We denote by E the class of all neighbourhood models.

The axiomatisation of the minimal logic **E** comprises an axiomatisation of classical propositional logic and the rule RE: from φ ↔ ψ derive □φ ↔ □ψ. We also consider the extensions of **E** with the axioms given in Table 1. Neighbourhood models modularly characterise the classical cube of NNMLs given in Fig. 1 in the sense that a formula φ is a theorem of **E** if and only if it is valid in the class E of all neighbourhood models [7]. Furthermore, φ is a theorem of **E**Σ with Σ ⊆ {C,M,N} if and only if it is valid in the class of neighbourhood models that satisfy each of the additional axioms, whose corresponding frame conditions are given in Table 1. That is, the following holds [7, Theorem 7.5].

#### **Theorem 5.** *The logic* **E** *(resp.* **EC***,* **EM***,* **EN***,* **EMC***,* **ECN***,* **EMN***,* **EMCN***) is characterised by the class* E *(resp.* EC*,* EM*,* EN *,* EMC*,* ECN *,* EMN *,* EMCN *) of neighbourhood models.*

We also note that the axioms M and N are, respectively, equivalent to the rules RM (from φ → ψ derive □φ → □ψ) and RN (from φ derive □φ), and that the axiom K (□(φ → ψ) → (□φ → □ψ)) is derivable from M and C. As a consequence, the top system **EMCN** is equivalent to **K**, the weakest normal modal logic [7, Theorem 8.9]. Monotonicity and aggregation together correspond to *regularity*, that is, the system with both M and C is equivalent to the regular system **R** [7, Theorem 8.11].
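To illustrate the claim that K is derivable from M and C, the following derivation sketch (our own reconstruction of the standard argument, not a derivation taken from [7]) spells out the steps:

```latex
% Deriving K from M and C, using RE for congruence:
\begin{align*}
\Box(\phi\to\psi) \wedge \Box\phi &\to \Box((\phi\to\psi)\wedge\phi)
  && \text{instance of C}\\
\Box((\phi\to\psi)\wedge\phi) &\leftrightarrow \Box(\phi\wedge\psi)
  && \text{RE on } (\phi\to\psi)\wedge\phi \leftrightarrow \phi\wedge\psi\\
\Box(\phi\wedge\psi) &\to \Box\psi
  && \text{RM (equivalent to M) on } \phi\wedge\psi\to\psi\\
\Box(\phi\to\psi) &\to (\Box\phi\to\Box\psi)
  && \text{by propositional reasoning}
\end{align*}
```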

We conclude this section by recalling the well-known results about the complexity of the satisfiability problem for the logics considered here [52].

**Theorem 6.** *Let* L = **E**Σ *with* Σ ⊆ {M,N}*. The satisfiability problem for* **E**Σ *is in* NP*, and the satisfiability problem for* **EC**Σ *is in* PSPACE*.*

# **3 Resolution Calculi**

Our resolution calculi operate over sets of formulae in a specific normal form: disjunctions of (propositional or modal) literals. Formulae can be transformed into this form by means of renaming [45], which creates new propositional variables together with their definitions in the resulting formula. The idea here is simple. To translate the formula □φ, say, to clausal form, we stipulate □φ to be equivalent to □p, and additionally p to be equivalent to φ – but the latter has to be true in *every* world of a neighbourhood model. Hence □φ is satisfiable if and only if the formulae □p and G(p ↔ φ) are satisfiable. Here G(·) is a global modality stipulating that a formula is true at every world in a model. For a neighbourhood model M = (W, N, θ), w ∈ W, and a formula φ ∈ L, we have that M,w |= G(φ) ⇐⇒ M,v |= φ for all v ∈ W, where M,v |= φ is as in Definition 4. Alternatively (and equivalently), M,w |= G(φ) ⇐⇒ ⟦φ⟧<sub>M</sub> = W.

A *clause* is a formula in one of the following forms:

$$l\_1 \vee \cdots \vee l\_n \qquad \text{or} \qquad \mathsf{G}(l\_1 \vee \cdots \vee l\_n)$$

where l1,...,ln ∈ Lit(V). Clauses of the first form are called *local clauses*; clauses of the second form are called *global clauses*.
We often think of a clause as a set of literals and sometimes use set notation, that is, we identify l1 ∨ ... ∨ ln with the set {l1,...,ln}, for n ∈ N. This allows us to use set-theoretic notation on clauses. For instance, for a literal l and a clause γ, we may write l ∈ γ and say that l is an element of γ. Similarly, γ1 ⊆ γ2 means that all literals of γ1 are literals of γ2.

It is easy to see that every formula can be represented as a set of clauses. As most logics in the cube are non-monotonic, we only replace the argument of □ with an equivalent formula. As a consequence, the rewriting steps and the introduction of new variables by renaming consistently use bi-implications (↔). For a fixed formula φ ∈ L, we let η = η<sub>φ</sub> : subf(φ) → V \ V(φ) be an injective renaming function that associates a fresh propositional variable to every (possibly negated) subformula of φ.

**Proposition 7.** *A formula* φ *is satisfiable if, and only if,* {η(φ)} ∪ R(G(η(φ) ↔ φ)) *is satisfiable, where* R *is defined as follows and* t, p ∈ V*:*

$$\begin{array}{c} \mathsf{R}(\mathsf{G}(t \leftrightarrow p)) = \{\mathsf{G}(\neg t \vee p), \mathsf{G}(t \vee \neg p)\} \\ \mathsf{R}(\mathsf{G}(t \leftrightarrow \neg \psi)) = \{\mathsf{G}(\neg t \vee \neg \eta(\psi)), \mathsf{G}(t \vee \eta(\psi))\} \cup \mathsf{R}(\mathsf{G}(\eta(\psi) \leftrightarrow \psi)) \\ \mathsf{R}(\mathsf{G}(t \leftrightarrow \psi \vee \psi')) = \{\mathsf{G}(\neg t \vee \eta(\psi) \vee \eta(\psi')), \mathsf{G}(t \vee \neg \eta(\psi)), \mathsf{G}(t \vee \neg \eta(\psi'))\} \\ \qquad \qquad \cup \mathsf{R}(\mathsf{G}(\eta(\psi) \leftrightarrow \psi)) \cup \mathsf{R}(\mathsf{G}(\eta(\psi') \leftrightarrow \psi')) \\ \mathsf{R}(\mathsf{G}(t \leftrightarrow \Box \psi)) = \{\mathsf{G}(\neg t \vee \Box \eta(\psi)), \mathsf{G}(t \vee \neg \Box \eta(\psi))\} \cup \mathsf{R}(\mathsf{G}(\eta(\psi) \leftrightarrow \psi)) \end{array}$$

*Moreover, the size of* {η(φ)} ∪ R(G(η(φ) ↔ φ)) *is linear in the size of* φ*.*

The proof is standard. We can transform a model that satisfies φ into a model where η(φ) has exactly the same truth set as φ by just changing the valuation of the renaming symbol. Conversely, models that satisfy the transformation are automatically models of φ. The number of recursive calls is proportional to the number of subformulae of φ, hence the linear complexity bound.
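The transformation R of Proposition 7 can be sketched in code as follows (an illustration of ours, not the authors' implementation; the tuple encoding of formulae and the literal representation are our own assumptions):

```python
import itertools

# Sketch of the renaming transformation R from Proposition 7.
# Formulae: ("var", p) | ("neg", phi) | ("or", phi, psi) | ("box", phi).
# A literal is a triple (positive, modal, variable); a global clause is a
# frozenset of literals.

fresh = (f"t{i}" for i in itertools.count())  # fresh renaming variables

def R(t, phi, clauses):
    """Add the global clauses of R(G(t <-> phi)) to `clauses`."""
    kind = phi[0]
    if kind == "var":                       # R(G(t <-> p))
        p = phi[1]
        clauses.add(frozenset({(False, False, t), (True, False, p)}))
        clauses.add(frozenset({(True, False, t), (False, False, p)}))
    elif kind == "neg":                     # R(G(t <-> ~psi))
        s = next(fresh)
        clauses.add(frozenset({(False, False, t), (False, False, s)}))
        clauses.add(frozenset({(True, False, t), (True, False, s)}))
        R(s, phi[1], clauses)
    elif kind == "or":                      # R(G(t <-> psi v psi'))
        s1, s2 = next(fresh), next(fresh)
        clauses.add(frozenset({(False, False, t), (True, False, s1), (True, False, s2)}))
        clauses.add(frozenset({(True, False, t), (False, False, s1)}))
        clauses.add(frozenset({(True, False, t), (False, False, s2)}))
        R(s1, phi[1], clauses)
        R(s2, phi[2], clauses)
    elif kind == "box":                     # R(G(t <-> Box psi))
        s = next(fresh)
        clauses.add(frozenset({(False, False, t), (True, True, s)}))
        clauses.add(frozenset({(True, False, t), (False, True, s)}))
        R(s, phi[1], clauses)

def clausify(phi):
    t = next(fresh)
    clauses = set()
    R(t, phi, clauses)
    return t, clauses

# Box(p or q): each subformula contributes a constant number of clauses,
# matching the linear size bound of Proposition 7.
t, cs = clausify(("box", ("or", ("var", "p"), ("var", "q"))))
print(len(cs))  # 9
```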

The inference rules for the modal logic **E** and its extensions are given in Table 2. In the table, C and D are clauses, the l are literals and the p are propositional variables, possibly subscripted or primed. Inference rules are presented using standard notation, with the premisses and the conclusion, called the *resolvent*, separated by a horizontal line. Every inference rule except G2L has a local and a global variant, expressed by a leading L (resp. G) in its name. The second letter of the rule name indicates the logic axiomatised by the rule, so that e.g. GMRES is sound for the monotone modal logic **EM**. In the following, we give the intuition for the global inference rules, which can readily be translated to their local variants. We consider the following four groups of inference rules.

*- Inference rules for all classical modal logics*: The rule GRES is a syntactic variant of the propositional resolution rule [46], the only differences being that reasoning is carried out within the global modality and that the literal l occurring in the premisses may be a modal literal. The rule G2L asserts that local satisfiability is a consequence of its global counterpart. The rule GERES expresses that □p and ¬□p' are inconsistent whenever p and p' are globally equivalent, i.e. have the same truth set. By virtue of the side condition, we have three non-redundant instances: (1) G(C) = G(¬p ∨ p') and G(C') = G(p ∨ ¬p'), which means that p and p' are semantically equivalent; (2) G(C) = G(¬p) and G(C') = G(¬p'), in which case p and p' are globally false and so semantically equivalent; or (3) G(C) = G(p) and G(C') = G(p'), where p and p' are semantically equivalent as they are both globally true. All other instances are already contradictory or can be reduced to the above by means of GRES.

*- Inference rules for classical modal logics with aggregation* that validate the axiom C: The rules GCRES1 and GCRES2 are sound in classical modal logics containing the axiom C. They are similar to the rule GERES, but the side conditions for the clauses C<sub>i</sub> ensure that p1 ∧ ... ∧ pn ↔ p is globally true.

*- Inference rules for monotone classical modal logics* that validate the axiom M: The rule GMRES is sound in logics that are monotone. This rule is a weaker version of GERES in which only one direction of the equivalence is required. For monotone logics, the rule RM (from φ → ψ derive □φ → □ψ) holds. The side condition gives three concrete instances: (1) C = G(¬p ∨ p'); thus, from □p in the first premiss we have that □p' holds, which contradicts ¬□p' in the second premiss; (2) C = G(¬p), that is, p is globally false and, *ex falso sequitur quodlibet*, p → p' is globally true, so we again have that □p' holds, which contradicts the modal literal in the second premiss; or (3) C = G(p'), from which we can derive ¬□p using the contrapositive of RM, which contradicts the modal literal in the first premiss.

*- Inference rules for classical modal logics with the unit* that validate the axiom N: The rule GNRES is sound for these logics, as the premiss G(p) says that ¬□p

**Table 2.** Inference Rules


(or its global occurrence) cannot be satisfied; therefore, it must be the case that the resolvent G(D) is satisfied.

The basic resolution calculus, RES**E**, comprises the inference rules LRES, GRES, G2L, LERES and GERES. For the extensions of **E**, the calculi can be obtained in a modular way, that is, by just adding the rules that are sound with respect to the axioms for the logic. However, it is easy to see that, for


**Table 3.** Inference rules corresponding to each logic

instance, when considering monotone logics, whenever LERES or GERES can be applied, the rules LMRES or GMRES can also be applied, generating exactly the same resolvent. Thus, LERES and GERES are both redundant in the calculi for monotone logics. In Table 3 we give the rules for the calculus for each considered logic, but where redundant inference rules are suppressed. We denote by RES<sup>L</sup> the resolution calculus for a particular logic **L**.

The following definitions are needed before we establish our main results.

**Definition 8.** Let C be a finite set of clauses and L = **E**Σ with Σ ⊆ {C,M,N}. A *derivation* from C in RES<sup>L</sup> is a sequence of sets of clauses C0, C1,... where C0 = C and, for every i ∈ N, Ci+1 = Ci ∪ {D}, where the resolvent D was obtained by applying a rule of RES<sup>L</sup> given in Table 3 to Ci. We require that D ∉ Ci and that D is not a tautology (that is, a clause containing both l and ¬l for some literal l).

**Definition 9.** Let C be a finite set of clauses and C0, C1,... a derivation from C in RES<sup>L</sup>, where L = **E**Σ with Σ ⊆ {C,M,N}. If there is k ∈ N such that the empty clause ⊥ ∈ Ck, then C0, C1,..., Ck is a *refutation* of C. If there is k ∈ N such that every resolvent D obtained by applying the rules of RES<sup>L</sup> given in Table 3 to Ck satisfies D ∈ Ck, then Ck is *saturated*, and Ck is the *saturation* of C.

The following two theorems establish termination and soundness of the calculi.

**Theorem 10.** *Let* L = **E**Σ *with* Σ ⊆ {C,M,N}*,* C *be a finite set of clauses and* <sup>C</sup>0, <sup>C</sup>1,... *be a derivation from* <sup>C</sup> *in* RESL*. Then there is* <sup>k</sup> <sup>∈</sup> <sup>N</sup> *such that* <sup>C</sup><sup>k</sup> *is saturated, or* C0, C1,..., C<sup>k</sup> *is a refutation.*

As there is a finite number of literals in C and no inference rule introduces new literals, there is also an upper bound on the number of clauses that can be generated by RESL. Hence either the empty clause is generated at some C<sup>k</sup> or no new clauses can be generated. Thus, any derivation in RES<sup>L</sup> terminates.
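The saturation process of Definitions 8 and 9 and the termination argument above can be made concrete by the following naive sketch, restricted to the propositional rule GRES (an illustration of ours, not the authors' implementation; clauses are frozensets of (polarity, atom) literals):

```python
# Naive saturation loop: resolve pairs of clauses on complementary literals,
# discard tautologies and already-derived clauses, and stop either at the
# empty clause (refutation) or when no new resolvent exists (saturation).

def resolvents(c1, c2):
    for (pol, atom) in c1:
        if (not pol, atom) in c2:
            yield (c1 - {(pol, atom)}) | (c2 - {(not pol, atom)})

def tautology(c):
    return any((not pol, atom) in c for (pol, atom) in c)

def saturate(clauses):
    """Return (True, derivation) on refutation, (False, saturation) otherwise."""
    derived = set(clauses)
    while True:
        new = set()
        for c1 in derived:
            for c2 in derived:
                for r in resolvents(c1, c2):
                    if r == frozenset():          # the empty clause: refutation
                        return True, derived | {r}
                    if not tautology(r) and r not in derived:
                        new.add(r)
        if not new:                               # saturated: no non-redundant resolvent
            return False, derived
        derived |= new                            # only finitely many clauses exist
                                                  # over a fixed set of literals

# {p or q, not p, not q} is refutable; {p or q} saturates immediately.
print(saturate({frozenset({(True, "p"), (True, "q")}),
                frozenset({(False, "p")}),
                frozenset({(False, "q")})})[0])   # True
print(saturate({frozenset({(True, "p"), (True, "q")})})[0])  # False
```

Since no rule introduces new literals, `derived` lives inside the finite powerset of the initial literal set, which is exactly the termination argument for Theorem 10.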

**Theorem 11.** *Let* L = **E**Σ *with* Σ ⊆ {C,M,N}*. Then* RES<sup>L</sup> *is sound.*

The proof is by induction on the number of steps of a derivation: as every step of a derivation is satisfiability preserving, as argued above, then all derivations from satisfiable sets of clauses only generate satisfiable sets of clauses.

We present two examples before establishing completeness in the next section.

**Example 12.** We show that □(p ∨ q) → □(p ∨ ¬□(a ∨ ¬a) ∨ q) is valid in the logic **EN** by using the calculus RES**EN**. For the refutation, we negate the formula and obtain φ = □(p ∨ q) ∧ ¬□(p ∨ ¬□(a ∨ ¬a) ∨ q). We show next the relevant clauses resulting from the transformation, where we have that φ<sub>1</sub> = □(p ∨ q), φ<sub>2</sub> = ¬□(p ∨ ¬□(a ∨ ¬a) ∨ q), and φ<sub>3</sub> = p ∨ ¬□(a ∨ ¬a) ∨ q:


The steps of the refutation are as follows:


**Example 13.** We now show that φ = □p ∧ □q → □(p ∧ q) is valid in **EC**. The transformation of ¬φ produces, among others, Clauses (1)–(7). The refutation is refreshingly short: it is obtained in two steps after an application of GCRES1:


# **4 Completeness**

We prove completeness by means of a canonical model construction. Our maximally consistent sets comprise both local and global clauses. The proof of the truth lemma hinges on the fact that maximally consistent sets are negation complete, that is, they contain either a literal or its negation. In completeness proofs of Hilbert systems, the argument is as follows. If M is a maximally consistent set, and neither φ ∈ M nor ¬φ ∈ M, then both M ∪ {φ} and M ∪ {¬φ} are inconsistent, that is, M ∪ {φ} ⊢ ⊥ and M ∪ {¬φ} ⊢ ⊥. Hence M ⊢ ¬φ and M ⊢ φ, which contradicts the consistency of M, so that our supposition that neither φ ∈ M nor ¬φ ∈ M must have been false.

However, this argument is not available for resolution calculi, where we take a set C of local or global clauses to be consistent if C ⊬ ⊥. In the simplest calculus, RES**E**, consider the set C = {G(¬p ∨ q), G(¬q ∨ p), ¬□q}. Then clearly C ∪ {□p} ⊢ ⊥, but it is patently false that C ⊢ ¬□p.

However, something nearly as useful eventuates: We have that C ⊢ ¬□q, and □p and ¬□q together are inconsistent over C (using a single application of LERES). That is, while we cannot derive ¬□p, at least we can derive a literal, here ¬□q, that is inconsistent with □p over C. This is captured in the notion of inconsistency predicate, where, in full generality, we need to consider the inconsistency of n-element sets to accommodate instances of LNRES (where we designate singleton sets as inconsistent) and the LCRES rules (where inconsistent sets can contain any finite number of elements). We formulate this for an arbitrary resolution calculus.
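For the set C above, the inconsistency of C ∪ {□p} can be spelled out as a short refutation (a sketch of ours; the clause numbering is not from the paper):

```latex
\begin{array}{lll}
1. & \mathsf{G}(\neg p \vee q)  & \text{in } \mathcal{C}\\
2. & \mathsf{G}(\neg q \vee p)  & \text{in } \mathcal{C}\\
3. & \neg\Box q                 & \text{in } \mathcal{C}\\
4. & \Box p                     & \text{assumption}\\
5. & \bot                       & \text{LERES on 3, 4; side condition discharged by 1, 2}
\end{array}
```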

**Definition 14.** A *modal resolution calculus* is a relation ⊢ between clause sets and clauses that is closed under propositional resolution. That is, if C ⊢ D ∨ l and C ⊢ D' ∨ ¬l, then C ⊢ D ∨ D', for all local clauses D, D' and literals l. Let ⊢ be a modal resolution calculus and C be a set of global clauses. An *inconsistency predicate* for C and ⊢ is a subset P ⊆ P(Lit(V)) such that the following three conditions hold:


The formulation of inconsistency predicate instantiates to all modal calculi in the paper, where for a calculus RES, we say that C ⊢ D if D is in the saturation of C. We think of an element {l1,...,ln} of an inconsistency predicate not as a clause, but rather as a conjunction of singleton clauses (that is inconsistent, as per the first requirement). The second requirement formalises the semantically sound condition that ⋂<sub>i</sub> a<sub>i</sub> ∩ ⋂<sub>j</sub> b<sub>j</sub> = ∅ whenever x ∩ ⋂<sub>i</sub> a<sub>i</sub> = ∅ = (W \ x) ∩ ⋂<sub>j</sub> b<sub>j</sub>, for subsets x, a<sub>i</sub>, b<sub>j</sub> ⊆ W of a set W. In the formulation of the condition, we require that A ∪ B is inconsistent, i.e., C proves a sufficient number of global clauses Γ that, together with A ∪ B, allow us to derive the empty clause ⊥.

As an example, and a stepping stone to prove the completeness of classical modal logic, we have the following:

**Lemma 15.** *Let* ⊢ *be the calculus for classical modal logic and let* C *be a set of global clauses. Then the set* P<sup>E</sup> *containing*


*is an inconsistency predicate for* ⊢ *and* C*.*

*Proof (Sketch).* The inconsistency requirement is clear, as every element of an inconsistency predicate is an instance of a resolution rule. For cut closure, apply GRES to premisses of a rule inducing a cut.

The following definition is an adaptation of the deduction theorem to modal resolution calculi. The reader is encouraged to instantiate this to the case of the modal logic **E** (and the inconsistency predicate of Lemma 15), as we do in the example following the definition.

**Definition 16.** An inconsistency predicate P is *compatible* with a modal resolution calculus ⊢ if for every local clause D and every (propositional or modal) literal l with C ∪ {l} ⊢ D, either D = l or there is n ≥ 0 and D1,...,Dn, E1,...,E<sup>n</sup> such that

– D = D<sup>1</sup> ∨···∨ D<sup>n</sup>


For the case of classical modal logic, the definition of compatibility takes the following form.

**Example 17.** If ⊢ is the resolution calculus for the classical modal logic **E**, the inconsistency predicate P<sup>E</sup> from Lemma 15 is binary. As a consequence, the above definition can only be instantiated with n = 1. Hence P<sup>E</sup> is compatible if, for all literals l and all local clauses D with C ∪ {l} ⊢ D, either D = l or there is a local clause E such that C ⊢ E ∨ D and {l, e} ∈ P<sup>E</sup> for all e ∈ E.

As a second example, and to make further progress to completeness of the resolution calculus for classical modal logic, we establish that the inconsistency predicate P<sup>E</sup> from Lemma 15 is indeed compatible.

**Lemma 18.** *The inconsistency relation* P<sup>E</sup> *from Lemma 15 is compatible with the resolution calculus for classical modal logic.*

The proof proceeds by induction on the derivation of C ∪ {l} ⊢ D and is omitted.

Finally, we can reap some of the benefits of our work, and take the next step towards showing that maximally consistent sets are negation complete, i.e. for every literal l, they contain either l or ¬l.

**Lemma 19.** *Let* C *be a set of local or global clauses,* l *be a literal and* P *be a compatible inconsistency predicate. If* C ∪ {l} ⊢ ⊥ *and* C ∪ {¬l} ⊢ ⊥*, then* C ⊢ ⊥*.*

*Proof.* We demonstrate the proof for the special case of a binary inconsistency relation P, i.e. every set A ∈ P has two elements. As C ∪ {l} ⊢ ⊥, we have a local clause E such that C ⊢ E and {e, l} ∈ P for all e ∈ E, by compatibility. Similarly, as C ∪ {¬l} ⊢ ⊥, we have a local clause E' with C ⊢ E' and {¬l, e'} ∈ P for all e' ∈ E'. If either E = ⊥ or E' = ⊥ we are done. If not, we have {e, e'} ∈ P for all e ∈ E and e' ∈ E', as P is cut closed. This allows us to construct a resolution proof of ⊥ from C ⊢ E and C ⊢ E', as P is an inconsistency predicate.

**Remark 20.** For classical modal logic, we have shown that if C ∪ {l} ⊢ D, then either D = l or C ⊢ E ∨ D where {l, e} ∈ P for all e ∈ E, with P the inconsistency predicate from Lemma 15.

One might hypothesise that E can always be chosen to be a singleton, or at least a sub-singleton. We show, by means of examples, that neither is the case. First, we cannot always choose E to be a singleton: for C = {p} and l = q, we have that C ∪ {l} ⊢ p, but we do not have C ⊢ E ∨ p for any singleton clause E (here, the empty clause E = ⊥ satisfies the condition).

We also cannot always choose E to be a sub-singleton clause. For example, put C = {¬□q ∨ ¬□p ∨ D, G(¬p ∨ q), G(p ∨ ¬q)}. Then C ∪ {□p} ⊢ D, but there is no sub-singleton clause E such that C ⊢ E ∨ D.

We have now collected all the preliminaries to define and investigate maximally consistent sets, i.e. the worlds of the canonical model.

**Definition 21.** Let C be a set of global clauses. A *local extension* of C is a set M of clauses that extends C by local clauses only. That is, a local extension of C is a set M of clauses that satisfies {Γ ∈ M | Γ global} = C.

A local extension M of C is *maximally consistent* if M is consistent (M ⊬ ⊥) and every consistent local extension M' of C that encompasses M (M' ⊇ M) satisfies M = M'.

Calculi with a compatible inconsistency relation yield negation-complete maximally consistent sets.

**Lemma 22.** *Let* ⊢ *be a modal calculus with a compatible inconsistency relation, and let* M *be a maximally consistent local extension of a set* C *of global clauses. Then, for every (propositional or modal) literal* l*, we have* l ∈ M *or* ¬l ∈ M*.*

*Proof.* If neither l ∈ M nor ¬l ∈ M, then, by maximality, M ∪ {l} ⊢ ⊥ and M ∪ {¬l} ⊢ ⊥. Applying Lemma 19 now contradicts the consistency of M.

As we have insisted that resolution calculi are closed under propositional resolution, they are also disjunction complete:

**Corollary 23.** *Let* ⊢ *be a modal resolution calculus with a compatible inconsistency relation, and let* M *be a maximally consistent local extension of a set* C *of global clauses. If* l1 ∨ ··· ∨ ln ∈ M*, then there exists* 1 ≤ i ≤ n *such that* li ∈ M*.*

*Proof.* If no li ∈ M, then ¬li ∈ M for all i, and we conclude inconsistency of M.

Compatible inconsistency predicates allow us to assert properties relative to derivations of a clause with the help of an additional singleton clause. The following lemma generalises this to a finite number of singleton clauses, but requires that the singleton clauses be *propositional*. This allows us to harness the fact that propositional literals are only inconsistent with their negation, which is enough to establish the hypotheses of the form G(C) where C ⊆ D is a sub-clause of a propositional clause D.

**Lemma 24.** *Let* ⊢ *be a modal resolution calculus with a compatible inconsistency predicate. Moreover, suppose that* C *is a set of global clauses,* l1,...,ln *are propositional literals and* D *is a (local) clause such that* li ∉ D *for all* i = 1,...,n*, and* C ∪ {l1,...,ln} ⊢ D*. Then there is a sub-clause* E0 ⊆ ¬l1 ∨ ··· ∨ ¬ln *such that* C ⊢ E0 ∨ D*.*

*Proof.* By induction on the number n of literals, where n = 0 is evident. If C ∪ {l1,...,ln+1} ⊢ D, we have that C ∪ {l1,...,ln} ⊢ E0 ∨ D where {e, ln+1} ∈ P for all e ∈ E0. As the literals are propositional, this implies that either E0 = ⊥ or E0 = ¬ln+1. The claim follows by applying the inductive hypothesis.

The above lemma *fails* without assuming that the l<sup>i</sup> are propositional literals, as illustrated by the example at the beginning of this section.

In the proof of the truth lemma, we need to show derivability of premisses (of modal rules) based on the truth set of formulae in maximally consistent sets. The following corollary establishes this for local clauses, which we will then lift to global derivability.

**Corollary 25.** *Consider a modal resolution calculus* ⊢ *with a compatible inconsistency predicate, let* C *be a set of global clauses, and let* D = l1 ∨ ··· ∨ ln *be a propositional clause such that all maximally consistent local extensions* M *of* C *contain at least one* li *(*i = 1,...,n*). Then there exists a sub-clause* D0 ⊆ D *such that* C ⊢ D0*.*

The next property is obviously present in the calculus RES**E** and its extensions.

**Definition 26.** A modal resolution calculus ⊢ has the *global lifting property* if, for any set C of *global* clauses and any *local* clause D, we have that C ⊢ G(D) whenever C ⊢ D.

For our calculi, this essentially means that rules with a global clause as a conclusion only have global clauses as premisses.

**Lemma 27.** *The calculus* RES**E***, as well as all other calculi discussed in this paper, has the global lifting property.*

We finally turn to canonical models, where we isolate the construction that is identical for all of the logics that we treat here.

**Definition 28 (Canonical Model).** Let C be a set of global clauses. The C*-canonical model*, or the *canonical model based on* C, is the triple (W, N, θ) where

– W is the set of all maximally consistent local extensions of C

– θ(p) = {M ∈ W | p ∈ M} for all p ∈ V

– N(M) = {θ(p) | □p ∈ M}.

Here, consistent and maximally consistent refer to consistency in the modal resolution calculus RES**E** for classical modal logic.

This gives the truth lemma for classical modal logic.

**Lemma 29 (Truth Lemma).** *For the calculus* RES**E***, let* (W, N, θ) *be the* C*-canonical model for some set* C *of global clauses. Then, for* M ∈ W*,* M |= Γ *whenever* Γ ∈ M*, for all local clauses* Γ*.*

*Proof.* By disjunction completeness, it suffices to show the claim for singleton clauses. The propositional cases and the case □p ∈ M are easy. For the only interesting case, assume ¬□p ∈ M, and assume for a contradiction that θ(p) ∈ N(M). By construction, there must be a variable q ∈ V with □q ∈ M and θ(p) = θ(q). That is, p ∈ M' ⇐⇒ q ∈ M' for all maximally consistent local extensions M' of C. By Corollary 25 and Lemma 27 we obtain the premisses of the modal rule that proves M ⊢ ⊥, a contradiction.

**Remark 30.** In the proof of the truth lemma, the modal rule was only used in a very specific form, i.e. with D = D' = ⊥ in the definition of the modal rule. The more general form of the rule is needed to establish Lemma 18. The reader is also invited to convince themselves that completeness fails without the more general form, for example to show that C = {G(¬p ∨ q), G(¬q ∨ p), G(¬q ∨ r), G(¬r ∨ q), ¬□p ∨ ¬□q, □r} is inconsistent.

We have used the rule GRES in the proof of Lemma 18. The rule GERES is hidden in the proof of Lemma 27. The reader is invited to convince themselves that GERES is needed to show the inconsistency of {G(¬p∨q ∨ r),G(p∨ ¬q),G(¬s),G(s),G(r),G(¬q)}.

**Corollary 31.** *Let* C *be a set of local or global clauses. If* C *is unsatisfiable in the class of neighbourhood models, then* C ⊢ ⊥*.*

#### **4.1 Monotone Modal Logic**

To show completeness for the resolution calculus for monotone modal logic, we follow the same approach, and start with a compatible inconsistency predicate.

**Lemma 32.** *Let* ⊢ *be the calculus for monotone modal logic and let* C *be a set of global clauses. Then the set* P<sup>M</sup> *containing*


*is a compatible inconsistency predicate for* ⊢ *and* C*.*

The proof is very similar to that of classical modal logic (Lemma 15 and Lemma 18). The canonical model construction is an adaptation of the construction for **E** where the construction ensures that the set of neighbourhoods is upward closed.

**Definition 33.** Let C be a set of global clauses. The C*-canonical model* for the calculus RES**EM** is the triple (W, N, θ) where W and θ are the same as for classical modal logic (Definition 28) and the neighbourhood function N is defined by

$$N(M) = \{ \alpha \subseteq W \mid \theta(p) \subseteq \alpha \text{ for some } \Box p \in M \}.$$

where M ∈ W is a maximally consistent local extension of C.

It is obvious that canonical models for RES**EM** are monotone by construction, but we need to re-establish the truth lemma for the calculus RES**EM** as the construction of the model has changed.

**Lemma 34 (Truth Lemma for EM).** *For the calculus* RES**EM***, let* (W, N, θ) *be the* C*-canonical model for some set* C *of global clauses. Then, for* M ∈ W*,* M |= Γ *whenever* Γ ∈ M*, for all local clauses* Γ*.*

The proof is in fact a simplification of the corresponding proof for classical modal logic, and we obtain completeness similar to Corollary 31.

**Corollary 35.** *Monotone modal logic is complete, i.e. any set* C *of local or global clauses satisfies* C ⊢ ⊥ *whenever* C *is unsatisfiable in the class of monotone neighbourhood models.*

# **4.2 Logics with Unit**

We now adapt the construction to also incorporate logics with unit, i.e. the modal logics **EN** and **EMN** that – in addition to the frame conditions for **E** and **EM** – additionally require that the entire set of worlds is always a neighbourhood of any world. To show completeness for these logics, we need to provide a compatible inconsistency relation, which – in contrast to the logics **E** and **EM** – will no longer be binary.

**Lemma 36.** *Let* ⊢ *be the calculus* RES**EN** *(resp.* RES**EMN***) and let* C *be a set of global clauses. Let* U = {{¬□p} | C ⊢ G(p)}*. Then the set* P ∪ U *is a compatible inconsistency predicate for* ⊢ *and* C*, where* P *is the inconsistency relation for the calculus* RES**E** *(resp.* RES**EM***).*

*Proof.* The inconsistency requirement follows as the predicate closely resembles the modal rules of the calculus. To see cut closure, suppose that {¬□p} ∈ U and {¬□q, □p} ∈ P ∪ U. Then the premisses that derive inconsistency of both sets can be combined to derive inconsistency of the cut {¬□q}. For compatibility, we additionally need to consider the case n = 0 from Example 17, and extend the inductive proof of Lemma 18, where LNRES as the last applied rule precisely induces this case.

This allows us to show completeness, again with a slight variation of the canonical model construction. The definition of the canonical model just adds the entire set of worlds to all neighbourhoods.

**Definition 37.** The canonical model for the logic **EN** and **EMN** is the triple (W, N, θ) where W and N are as for the logic **E** (or **EM**) and N(w) = N0(w) ∪ {W}, where N<sup>0</sup> is the neighbourhood function of the canonical model for the logic **E** (resp. **EM**).

The truth lemma follows as before, where we apply the rule LNRES to show inconsistency in case θ(p) = W.

**Lemma 38 (Truth Lemma for EN and EMN).** *Let* (W, N, θ) *be the canonical model for the logic* **EN** *or* **EMN***, respectively, over a set* C *of global clauses. Then, for* M ∈ W*,* M |= Γ *whenever* Γ ∈ M*, for all local clauses* Γ*.*

*Proof.* In addition to the cases for **E** and **EM**, consider, for a contradiction, that ¬□p ∈ M and M |= □p where θ(p) = W. In this case, C ⊢ G(p), whence M ⊢ ⊥ using LNRES, contradicting the consistency of M.

Completeness for **EN** and **EMN** follows as before.

**Corollary 39.** *The calculi* RES**EN** *and* RES**EMN** *are complete, i.e.* C ⊢ ⊥ *whenever* C *is unsatisfiable, for any set* C *of global clauses.*

#### **4.3 Logics with Aggregation**

We now turn to completeness for logics that additionally satisfy aggregation, i.e. the axiom C from Table 1. Our proof strategy is entirely similar to that of the previous cases, and we start with a compatible inconsistency relation. The format of the LCRES rules is chosen precisely so that the inconsistency relation below is closed under cut, which necessitates generalising the C-axiom from binary conjunctions to arbitrary finite conjunctions.

**Lemma 40.** *Let* P *be the inconsistency relation for the calculi* RES**E***,* RES**EM***,* RES**EN** *or* RES**EMN***, and let*

$$U = \left\{ \{\neg\Box p\_0, \Box p\_1, \ldots, \Box p\_n\} \;\middle|\; \begin{array}{l} \mathcal{C} \vdash \mathsf{G}(C\_i) \text{ for } i = 0, \ldots, n \text{ and clauses} \\ C\_0 \subseteq p\_0 \vee \neg p\_1 \vee \cdots \vee \neg p\_n,\; C\_i \subseteq \neg p\_0 \vee p\_i \text{ for } i = 1, \ldots, n \end{array} \right\}$$

*Then* P ∪ U *is a compatible inconsistency relation for a set* C *of global clauses and the calculus* RES**EC***,* RES**EMC***,* RES**ECN** *or* RES**EMCN***, respectively.*

The proof is as before, noting that the inconsistency predicate is again modelled on the shape of the modal rules. The canonical model now takes the following form, where we distinguish between the different logics.

**Definition 41.** Let C be a set of global clauses. The *canonical model* for C and the logics **EC**, **ECN**, **EMC** or **EMCN**, respectively, is the triple (W, N, θ) where W and θ are as before (Definition 28) and N is given by

$$\begin{array}{ll} N\_{\mathbf{EC}}(M) = \{\theta(p\_1) \cap \dots \cap \theta(p\_n) \mid \Box p\_1, \dots, \Box p\_n \in M\} & \text{for } \mathbf{EC} \\ N\_{\mathbf{ECN}}(M) = N\_{\mathbf{EC}}(M) \cup \{W\} & \text{for } \mathbf{ECN} \\ N\_{\mathbf{EMC}}(M) = \{\alpha \subseteq W \mid \beta \subseteq \alpha \text{ for some } \beta \in N\_{\mathbf{EC}}(M)\} & \text{for } \mathbf{EMC} \\ N\_{\mathbf{EMCN}}(M) = N\_{\mathbf{EMC}}(M) \cup \{W\} & \text{for } \mathbf{EMCN} \end{array}$$

for a maximally consistent local extension M ∈ W of C.

As before, we have a truth lemma that gives completeness.

**Lemma 42.** *Let* RES *be one of* RES**EC***,* RES**ECN***,* RES**EMC** *or* RES**EMCN***, let* (W, N, θ) *be the canonical model for* RES*, and let* C *be a set of global clauses. Then* M |= D *whenever* D ∈ M*, for all local clauses* D *and all maximally* RES*-consistent local extensions* M *of* C*.*

*Proof.* The interesting case here is **EC**, as the others are extensions of **EC** that we have previously discussed. Again, we just consider ¬□p ∈ M and assume for a contradiction that M |= □p. Then there are p1,...,pn such that θ(p) = θ(p1) ∩ ··· ∩ θ(pn) and □p1,...,□pn ∈ M. From the former, we conclude the premiss of LCRES1 or LCRES2, depending on the sub-clauses we derive through Corollary 25, and arrive at a contradiction to the consistency of M.

Completeness now follows as in the other cases we have discussed before.

**Corollary 43 (Completeness).** *The calculi* RES**EC***,* RES**ECN***,* RES**EMC** *and* RES**EMCN** *are complete with respect to the classes of models* EC*,* ECN *,* EMC *and* EMCN *, respectively.*

# **5 Conclusion and Future Work**

We have presented the first resolution calculi for the cube of classical non-normal modal logics. The calculi manipulate sets of modal clauses of a very simple form. Their completeness is based on the notion of an inconsistency predicate. Moreover, we have seen that the resolution calculi appear to be modular, i.e. rules can simply be combined to obtain a stronger calculus. Is this a coincidence? Are there general principles that enable this compositionality? This is what we are going to explore in a follow-up paper. Also, the shape of our calculi, i.e. the modal resolution rules, when compared to the Hilbert axioms, suggests that there might be a more principled way of synthesising resolution systems from Hilbert axioms. We aim to investigate this as a next step.


# Canonicity of Proofs in Constructive Modal Logic

Matteo Acclavio¹, Davide Catta², and Federico Olimpieri³

¹ University of Southern Denmark, Odense, Denmark (acclavio@imada.sdu.dk)

² Università degli Studi di Napoli Federico II, Naples, Italy

³ University of Leeds, Leeds, UK

Abstract. In this paper we investigate the Curry-Howard correspondence for constructive modal logic in light of the gap between the proof equivalences enforced by the lambda calculi from the literature and by the recently defined winning strategies for this logic.

We define a new lambda-calculus for a minimal constructive modal logic by enriching the calculus from the literature with additional reduction rules and we prove normalization and confluence for our calculus. We then provide a typing system in the style of focused proof systems allowing us to provide a unique proof for each term in normal form, and we use this result to show a one-to-one correspondence between terms in normal form and winning innocent strategies.

Keywords: Constructive Modal Logic · Lambda Calculus · Game Semantics

# 1 Introduction

Proof theory is the branch of mathematical logic whose aim is to study the properties of logical arguments (i.e., proofs), as well as the structure of proofs and their invariants. For this purpose, the most used representations of proofs are based on tree-like data structures inductively defined using the inference rules of a proof system.¹ *Natural deduction* and *sequent calculus* are among the most used proof systems due to their intuitive representation. Both these proof systems were originally devised by Gentzen in order to prove the consistency of first-order arithmetic. Their versatility resulted in their employment for a wide variety of logics.

The first author is supported by Villum Fonden, grant no. 50079. The second author is supported by the PRIN project RIPER (No. 20203FFYLK). The third author is supported by the US Air Force Office for Scientific Research under award number FA9550-21-1-0007.

¹ It is worth noting that some proof systems (in the sense of [13]) allow proofs to be represented using structures such as infinite trees (for non-well-founded proof systems, see, e.g., [16]), graphs (see proof nets [23,24], combinatorial proofs [28] or proof diagrams [3]), or structures defined in a compositional way (see open deduction [25] and deep inference [51]).

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 342–363, 2023. https://doi.org/10.1007/978-3-031-43513-3_19

However, having formalisms able to represent proofs is not enough to define "what is a proof", since different derivations, or derivations in different proof systems, could represent the same abstract object. A notion of *proof identity* is therefore required to define a proof as a proper mathematical entity [19]. Such a notion of identity is provided by delineating the conditions under which two distinct formal representations of a proof represent the same logical argument. The definition of these conditions is often driven by semantic considerations (by performing specific transformations on two derivations, they can be transformed into the same object) or intuitive ones (two derivations differ only in the order in which the same rules are applied to the same formulas).

Natural deduction is often considered a satisfactory formalism, since it allows one to define a more canonical representation of proofs with respect to sequent calculus: sequent calculus derivations differing only by some permutations of rules are represented (*via* a standard translation) by the same natural deduction derivation. Moreover, natural deduction provides a one-to-one correspondence between derivations and lambda-terms, called the *Curry-Howard correspondence* [49].

Constructive Modal Logic. Classical modal logics are obtained by extending *classical logic* with unary operators, called *modalities*, that qualify the truth of a judgment. The most used modalities are □ (called *box*) and its dual operator ♦ (called *diamond*), which are usually interpreted as *necessity* and *possibility*. According to the interpretation of such modalities, modal logics find applications, for example, in knowledge representation [52], artificial intelligence [41] and the formal verification of computer programs [20,37,46]. The work of Fitch [22] initiated the investigation of the proof theory of modal logics extending intuitionistic logic, leading to numerous results on the topic [21,27,36,40,47].

In particular, the Curry-Howard correspondence has been extended to various constructive modal logics [7,10,17,32,33,45]. Intuitionistic logic can be extended with modalities in different ways (for an overview see [48]): while in classical logic the axioms involving □ also describe the behavior of ♦, for intuitionistic logic this is no longer the case, since the duality between the two modalities does not hold anymore. This leads to different approaches. *Constructive modal logics* consider minimal sets of axioms guaranteeing the definition of the behaviors of the □ and ♦ modalities. A second approach, referred to as *intuitionistic modal logic*, considers additional axioms in order to validate the Gödel-Gentzen translation [15]. In this work we consider a minimal fragment of the constructive modal logic CK containing only the implication → and the modality □. This fragment is enough to define types for a λ-calculus with a Let constructor [7], which can be interpreted as an explicit substitution and which, for this reason, we more concisely denote by N [M₁, . . ., Mₙ/x₁, . . ., xₙ]_■ instead of Let x₁, . . ., xₙ be M₁, . . ., Mₙ in N.

Recent works on the proof equivalence of constructive modal logics [6] expose a complexity gap between the proof equivalences induced by the natural deduction [10] and by the winning innocent strategies [5] for this logic. This discrepancy cannot be observed in intuitionistic propositional logic, where there are one-to-one correspondences between natural deduction derivations, lambda terms and winning innocent strategies. In particular, in the logic CK we observe sequent calculus proofs which correspond to the same winning strategy but which cannot be represented by the same natural deduction derivation in the systems provided in [10,32] (or, equivalently, which correspond to different modal λ-terms). As an example, consider the terms x [z/x]_■ and x [z, w/x, y]_■ and their (unique) typing derivations shown in Fig. 1 (see Fig. 3 for the typing system). Intuitively, the two terms x [z/x]_■ and x [z, w/x, y]_■ should be semantically

$$\dfrac{z : \Box a, w : \Box b \vdash z : \Box a \qquad x : a \vdash x : a}{z : \Box a, w : \Box b \vdash x\,[z/x]_\blacksquare : \Box a}\;{\scriptstyle \Box\text{-}\mathsf{sub}}$$

$$\dfrac{z : \Box a, w : \Box b \vdash z : \Box a \quad z : \Box a, w : \Box b \vdash w : \Box b \qquad x : a, y : b \vdash x : a}{z : \Box a, w : \Box b \vdash x\,[z, w/x, y]_\blacksquare : \Box a}\;{\scriptstyle \Box\text{-}\mathsf{sub}}$$

Fig. 1. The typing derivations of the modal λ-terms x [z/x]_■ and x [z, w/x, y]_■.

equivalent, since the explicit substitution of the variable y in the term x is vacuous. Said differently, if we make the substitution encoded by the constructor Let explicit, both terms x [z/x]_■ and x [z, w/x, y]_■ should reduce to the term z.


$$\mathcal{S} = \{\epsilon,\; a^\circ,\; a^\circ a^\bullet\} \quad \text{over the arena} \quad \llbracket \Box a, \Box b \vdash \Box a \rrbracket \tag{1}$$

Contribution. In this paper we define a new modal λ-calculus for CK by considering additional rewriting rules that allow us to retrieve a one-to-one correspondence between terms in normal form and winning innocent strategies, that is, providing more canonical representatives for proofs than the natural deduction derivations and modal λ-terms defined in the literature. From a technical point of view, we obtain this result by extending the operational semantics of the modal λ-calculus with appropriate new reduction rules for the explicit substitution encoded by the Let, dealing with contraction and weakening on the variables bound by the Let. We call this set of rules the κ-reduction, which we show to be strongly normalizing using elementary combinatorial methods. In order to deal with the interaction of the η-reduction with the β-reduction, we define a restricted η-reduction, following an approach similar to the one used in [18,31,43]. We prove strong normalization and confluence for our new operational semantics.

After proving confluence and strong normalization for our modal λ-calculus, we provide a canonical typing system inspired by focused sequent calculi (see, e.g., [8]) that provides a unique typing derivation for each term in normal form. We conclude by establishing a one-to-one correspondence between the winning strategies defined in [5] and the proofs of this calculus, and therefore with terms in normal form.

Related Work. To the best of our knowledge, the first paper proposing a Curry-Howard correspondence for the logic CK is [10]. In this work, the authors provide a natural deduction system for the logic CK by enriching the standard system for intuitionistic propositional logic with a generalized elimination rule capable of taking into account the behavior of the □-modality. At the level of the lambda calculus, they enrich the syntax of terms by adding a new constructor Let, defined as follows:

$$\text{Let } x_1, \ldots, x_n \text{ be } N_1, \ldots, N_n \text{ in } M \qquad (\text{which we denote } M[N_1, \ldots, N_n/x_1, \ldots, x_n]_\blacksquare) \tag{2}$$

providing a notation which can be interpreted as an explicit substitution of the variable xᵢ with the term Nᵢ, for all occurrences of x₁, . . ., xₙ inside the term M. For this calculus, the authors only consider the usual η and β reductions plus the following reduction:

$$\text{Let } y \text{ be } P \text{ in } (\text{Let } x \text{ be } N \text{ in } M) \;\leadsto\; \text{Let } x \text{ be } (\text{Let } y \text{ be } P \text{ in } N) \text{ in } M$$

which in our syntax is written as $M[N/x]_\blacksquare[P/y]_\blacksquare \leadsto M[N[P/y]_\blacksquare/x]_\blacksquare$.

In [32] the author considers the usual η and β reduction with the following additional β-reduction rule, specifically designed to handle the explicit substitution construct.

$$M\left[\vec{P}, R[\vec{N}/\vec{z}]_\blacksquare, \vec{Q}/\vec{x}, y, \vec{w}\right]_\blacksquare \leadsto_{\beta_2} M\{R/y\}\left[\vec{P}, \vec{N}, \vec{Q}/\vec{x}, \vec{z}, \vec{w}\right]_\blacksquare \tag{3}$$

In the same paper, the author provides a detailed proof of strong normalization and confluence for modal lambda terms with respect to the standard η and β reduction, plus this new β₂ reduction. However, this calculus too fails to fix the aforementioned canonicity problem.
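The β₂-step of Eq. (3), restricted to the root of a term, can be sketched as follows. This is our own simplified rendering on a tuple encoding of terms: substitution is naive (not capture-avoiding), so it is adequate only when all bound names are distinct.

```python
# Sketch of the β2-step of Eq. (3) at the root: an entry of an explicit
# substitution that is itself an explicit substitution R[N⃗/z⃗] is flattened,
# substituting R for its variable y in M. Naive substitution; our encoding:
# ('var', x) | ('app', M, N) | ('sub', M, ((x1, N1), ..., (xn, Nn))).

def subst(t, x, r):  # M{R/y}, naive (no capture avoidance)
    if t[0] == 'var':
        return r if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, r), subst(t[2], x, r))
    # free variables of a Let live in its entries, so only descend there
    return ('sub', t[1], tuple((z, subst(n, x, r)) for z, n in t[2]))

def beta2_step(t):
    """One β2-step at the root of t, or None if no entry is a Let."""
    if t[0] != 'sub':
        return None
    m, entries = t[1], list(t[2])
    for i, (y, n) in enumerate(entries):
        if n[0] == 'sub':                      # entry of shape R[N⃗/z⃗]
            r, inner = n[1], list(n[2])
            new_m = subst(m, y, r)             # M{R/y}
            return ('sub', new_m, tuple(entries[:i] + inner + entries[i + 1:]))
    return None

t = ('sub', ('var', 'x'),
     (('x', ('sub', ('var', 'r'), (('z', ('var', 'n')),))),))  # x[r[n/z]/x]
print(beta2_step(t))  # ('sub', ('var', 'r'), (('z', ('var', 'n')),))  i.e. r[n/z]
```

For example, x[r[n/z]/x]_■ steps to r[n/z]_■, exactly as Eq. (3) prescribes with empty P⃗, Q⃗, w⃗.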

An alternative natural deduction system (and λ-calculus) is proposed in [33], where the symmetry between elimination and introduction rules typical of natural deduction is restored. However, this result requires defining a sequent calculus whose sequents have a more complex structure (dual contexts), and it lacks an in-depth study of the operational semantics, because η-expansion is not considered in the calculus.

Outline of the Paper. In Sect. 2 we recall the definition of the fragment of the logic CK we consider in this paper, as well as the main results on the proof theory for this logic, its natural deduction and lambda calculus. In Sect. 3 we define the modal λ-calculus we consider in this paper, proving its strong normalization and confluence properties. In Sect. 4 we provide a typing system in the style of focused sequent calculi, where we are able to narrow the proof search of the type assignment of our normal terms to a single derivation. In Sect. 5 we recall the definition of the game semantics for the logic we consider and we prove the one-to-one correspondence between terms in normal form and winning strategies.

For reasons of space, we omit the proofs of those technical lemmas that are not particularly interesting (they mostly proceed by induction and case analysis). These proofs can be found in the extended version of this paper [4].

# 2 Preliminaries

In this section we recall the definition of the (fragment of the) constructive modal logic CK considered in this paper, together with the definition of and some terminology for modal λ-terms. We are interested in a minimal constructive modal logic whose *formulas* are defined from a countable set of propositional variables 𝒜 = {a, b, c, . . .} using the following grammar:

$$A := a \mid (A \to A) \mid \Box A \tag{4}$$

We say that a formula is *modality-free* if it contains no occurrences of the modality □. A formula is a *→-formula* if it is of the form A → B. In the following we use Krivine's convention [38] and write (A₁, . . ., Aₙ) → C as a shortcut for (A₁ → (· · · → (Aₙ → C) · · ·)). A *sequent* is an expression Γ ⊢ C where Γ is a finite (possibly empty) list of formulas and C is a formula. If Γ = A₁, . . ., Aₙ and σ is a permutation over {1, . . ., n}, then we may write σ(Γ) to denote Aσ(1), . . ., Aσ(n).
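As a small illustration, the formula grammar of Eq. (4) and the Krivine-style shortcut can be transcribed directly; the class and function names below are our own, not the paper's.

```python
# Sketch of the formula grammar A := a | A → A | □A and the shortcut
# (A1,…,An) → C  :=  A1 → (… → (An → C)…)  (right-nested implications).
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:            # propositional variable a, b, c, …
    name: str

@dataclass(frozen=True)
class Arrow:          # A → B
    left: object
    right: object

@dataclass(frozen=True)
class Box:            # □A
    body: object

def arrows(premises, conclusion):
    """(A1,…,An) → C as the right-nested A1 → (… → (An → C)…)."""
    result = conclusion
    for a in reversed(premises):
        result = Arrow(a, result)
    return result

a, b, c = Var('a'), Var('b'), Var('c')
# shape of axiom K1: □(a → b) → (□a → □b)
k_axiom = arrows([Box(Arrow(a, b)), Box(a)], Box(b))
```

With the empty premise list, `arrows([], C)` is just `C`, matching the convention.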

In this paper we consider the logic CK, defined by extending the conjunction-free and disjunction-free fragment of intuitionistic propositional logic with the modality □, whose behavior is defined by the *necessitation rule* and the axiom K₁ below.

$$\mathsf{Nec} := \text{if } A \text{ is provable, then so is } \Box A \qquad\qquad \mathsf{K}_1 := \Box(A \to B) \to (\Box A \to \Box B)$$

The sequent calculus SCK, whose rules are provided in Fig. 2, is a sound and complete proof system for the logic CK. This system has been extracted from the one presented in [39] and satisfies cut-elimination.

#### 2.1 A Lambda Calculus for CK

The set of (untyped) *modal λ-terms* is defined inductively from a countable set of *variables* 𝒱 = {x, y, . . .} using the following grammar:

$$M, N := x \mid \lambda x.M \mid (MN) \mid M[\vec{N}/\vec{x}]_\blacksquare \qquad \text{where } \begin{cases} \vec{N} = N_1, \ldots, N_n \text{ is a list of terms and} \\ \vec{x} = x_1, \ldots, x_n \text{ is a list of distinct variables,} \end{cases}$$

modulo the standard α-equivalence (denoted =α, see [9]) and modulo the equivalence generated by the following permutations (for any σ permutation over the set {1,...,n}) over the order of substitutions in the [·/·] constructor:

$$[\vec{N}/\vec{x}]_\blacksquare := [N_1, \ldots, N_n/x_1, \ldots, x_n]_\blacksquare = [N_{\sigma(1)}, \ldots, N_{\sigma(n)}/x_{\sigma(1)}, \ldots, x_{\sigma(n)}]_\blacksquare =: [\sigma(\vec{N})/\sigma(\vec{x})]_\blacksquare$$

$$\begin{array}{c}
\mathsf{ax}\,\dfrac{}{a \vdash a} \qquad
\mathsf{ex}\,\dfrac{\Gamma \vdash C}{\sigma(\Gamma) \vdash C} \qquad
{\to}\mathsf{R}\,\dfrac{\Gamma, A \vdash C}{\Gamma \vdash A \to C} \qquad
{\to}\mathsf{L}\,\dfrac{\Gamma \vdash A \qquad B, \Delta \vdash C}{\Gamma, \Delta, A \to B \vdash C}
\\[2ex]
\mathsf{wk}\,\dfrac{\Gamma \vdash C}{\Gamma, A \vdash C} \qquad
\mathsf{ctr}\,\dfrac{\Gamma, A, A \vdash C}{\Gamma, A \vdash C} \qquad
\mathsf{K}\,\dfrac{A_1, \ldots, A_n \vdash A}{\Box A_1, \ldots, \Box A_n \vdash \Box A}
\end{array}$$

Fig. 2. Sequent calculus rules of the sequent system SCK, where σ is a permutation over {1,...,n}

$$\mathsf{Id}\,\dfrac{}{x_1 : A_1, \ldots, x_n : A_n \vdash x_i : A_i} \qquad \lambda\,\dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : A \to B} \qquad @\,\dfrac{\Gamma \vdash M : A \to B \quad \Gamma \vdash N : A}{\Gamma \vdash MN : B}$$

$$\Box\text{-}\mathsf{sub}\,\dfrac{\Gamma \vdash N_1 : \Box A_1 \;\cdots\; \Gamma \vdash N_n : \Box A_n \qquad x_1 : A_1, \ldots, x_n : A_n \vdash M : B}{\Gamma \vdash M[N_1, \ldots, N_n/x_1, \ldots, x_n]_\blacksquare : \Box B}$$

Fig. 3. Typing rules in the natural deduction system NDCK for modal λ-terms.

As usual, application associates to the left, and has higher precedence than abstraction. For example, λxyz.xyz := λx.(λy.(λz.((xy)z))). A modal λ-term is an *(explicit) substitution* if it is of the form $M[\vec{N}/\vec{x}]_\blacksquare$, an *application* if it is of the form MN, and a *λ-abstraction* if it is of the form λx.M.

The set of *subterms* of a term M (denoted Sub(M)) is defined as follows:

$$\begin{array}{rcl}
\mathrm{Sub}(x) &=& \{x\} \\
\mathrm{Sub}(\lambda x.M) &=& \mathrm{Sub}(M) \cup \{\lambda x.M\} \\
\mathrm{Sub}(MN) &=& \mathrm{Sub}(M) \cup \mathrm{Sub}(N) \cup \{MN\} \\
\mathrm{Sub}(M[N_1, \ldots, N_n/x_1, \ldots, x_n]_\blacksquare) &=& \mathrm{Sub}(M) \cup \bigcup_{i \in \{1, \ldots, n\}} \mathrm{Sub}(N_i) \cup \{M[N_1, \ldots, N_n/x_1, \ldots, x_n]_\blacksquare\}
\end{array}$$

Its *length* |M| and its set of *free variables* FV(M) are defined as:

$$|M| = \begin{cases} 0 & \text{if } M = x \\ |N| + 1 & \text{if } M = \lambda x.N \\ \max\{|N|, |P|\} + 1 & \text{if } M = NP \\ \max\{|N|, |P_1|, \ldots, |P_n|\} + 1 & \text{if } M = N[\vec{P}/\vec{x}]_\blacksquare \end{cases} \qquad \mathrm{FV}(M) = \begin{cases} \{x\} & \text{if } M = x \\ \mathrm{FV}(N) \setminus \{x\} & \text{if } M = \lambda x.N \\ \mathrm{FV}(N) \cup \mathrm{FV}(P) & \text{if } M = NP \\ \bigcup_i \mathrm{FV}(P_i) & \text{if } M = N[\vec{P}/\vec{x}]_\blacksquare \end{cases}$$

We denote by |M|ₓ the number of occurrences of the free variable x in a term M (so |M|ₓ = 0 if x ∉ FV(M)), and we say that a term M is *linear* in the variables x₁, . . ., xₙ if |M|_{xᵢ} = 1 for all i ∈ {1, . . ., n}. We denote by M {N₁, . . ., Nₙ/x₁, . . ., xₙ} the result of the standard capture-avoiding substitution of the occurrences of the variables x₁, . . ., xₙ in M with the terms N₁, . . ., Nₙ respectively (see, e.g., [50]).
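The definitions of Sub, |·|, FV and |M|ₓ above translate directly into code. The sketch below uses our own tuple encoding of modal λ-terms, which is an assumption of this illustration, not the paper's notation.

```python
# Direct transcription (as a sketch) of Sub, |.|, FV and |M|_x.
# Terms: ('var', x) | ('lam', x, M) | ('app', M, N)
#      | ('sub', M, ((x1, N1), ..., (xn, Nn)))  for  M[N1,...,Nn/x1,...,xn]_■

def subterms(t):
    if t[0] == 'var':
        return {t}
    if t[0] == 'lam':
        return subterms(t[2]) | {t}
    if t[0] == 'app':
        return subterms(t[1]) | subterms(t[2]) | {t}
    out = subterms(t[1]) | {t}                 # Sub(M) ∪ {M[...]} ...
    for _, n in t[2]:
        out |= subterms(n)                     # ... ∪ ⋃_i Sub(N_i)
    return out

def length(t):
    if t[0] == 'var':
        return 0
    if t[0] == 'lam':
        return length(t[2]) + 1
    if t[0] == 'app':
        return max(length(t[1]), length(t[2])) + 1
    return max([length(t[1])] + [length(n) for _, n in t[2]]) + 1

def fv(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return fv(t[2]) - {t[1]}
    if t[0] == 'app':
        return fv(t[1]) | fv(t[2])
    return set().union(set(), *(fv(n) for _, n in t[2]))  # x⃗ is bound in M

def occurrences(t, x):                         # |M|_x
    if t[0] == 'var':
        return 1 if t[1] == x else 0
    if t[0] == 'lam':
        return 0 if t[1] == x else occurrences(t[2], x)
    if t[0] == 'app':
        return occurrences(t[1], x) + occurrences(t[2], x)
    return sum(occurrences(n, x) for _, n in t[2])
```

For M = (λx.xy)y, encoded as `('app', ('lam','x',('app',('var','x'),('var','y'))), ('var','y'))`, this gives |M| = 3, FV(M) = {y} and |M|_y = 2.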

A *variable declaration* is an expression x : A where x is a variable and A is a *type*, that is, a formula as defined in Equation (4). A *(typing) context* is a finite list Γ := x₁ : A₁, . . ., xₙ : Aₙ of distinct variable declarations. Given a context Γ = x₁ : A₁, . . ., xₙ : Aₙ, we say that a variable x *appears* in Γ if x = xᵢ for some i ∈ {1, . . ., n}, and we denote by Γ, y : B the context x₁ : A₁, . . ., xₙ : Aₙ, y : B, implicitly assuming that y does not appear in Γ. A *type assignment* is an expression of the form Γ ⊢ M : A where Γ is a context, M a modal λ-term and A a type.

Definition 1. *Let* Γ ⊢ M : A *be a type assignment. A* typing derivation *(or* derivation *for short) of* Γ ⊢ M : A *in* NDCK *is a finite tree of type assignments constructed using the rules in Fig. 3, in such a way that its root is* Γ ⊢ M : A *and each leaf is the conclusion of an* Id*-rule. A type assignment is* derivable *(in* NDCK*) if there is a derivation with conclusion the given type assignment.*

*We denote by* Λ *(resp. by* Λ_■ *and* Λ_λ*) the set of modal* λ*-terms (resp. the sets of substitutions and* λ*-abstractions in* Λ*) admitting a derivable type assignment in* NDCK*.*

# 3 A New Modal Lambda Calculus

In this section we define a new modal lambda calculus by enriching the operational semantics of the previous calculi with additional reduction rules aimed at recovering canonicity, and we prove confluence and strong normalization for the resulting calculus.

To define our term rewriting rules, we require special care when they are applied in a proper sub-term. This is due to the fact that the explicit substitution encoded by [·/·] could capture free variables. For this reason, we introduce the notion of *term with a hole* as a term of the form **<sup>C</sup>** [◦] containing a single occurrence of a special variable ◦. More precisely, the set CwH of terms with a hole and the two sets CwH<sup>η</sup><sup>1</sup> and CwH<sup>η</sup><sup>2</sup> of specific terms with a hole are defined by the following grammars:

$$\begin{array}{ll}
\mathrm{CwH}: & \mathbf{C}[\circ] := \circ \mid \lambda x.\mathbf{C}[\circ] \mid M\,\mathbf{C}[\circ] \mid \mathbf{C}[\circ]\,M \mid \mathbf{C}[\circ][\vec{M}/\vec{x}]_\blacksquare \mid M[\vec{N}_1, \mathbf{C}[\circ], \vec{N}_2/\vec{x}_1, x, \vec{x}_2]_\blacksquare \\
\mathrm{CwH}_{\eta_1}: & \mathbf{E}[\circ] := \circ \mid \lambda x.\mathbf{E}[\circ] \mid M\,\mathbf{E}[\circ] \mid \mathbf{E}[\circ]\,M \mid \mathbf{E}[\circ][\vec{M}/\vec{x}]_\blacksquare \mid M[\vec{N}_1, \mathbf{E}[\circ], \vec{N}_2/\vec{x}_1, x, \vec{x}_2]_\blacksquare \\
\mathrm{CwH}_{\eta_2}: & \mathbf{D}[\circ] := \circ \mid \lambda x.\mathbf{D}[\circ] \mid M\,\mathbf{D}[\circ] \mid \mathbf{D}[\circ]\,M \mid \mathbf{D}[\circ][\vec{M}/\vec{x}]_\blacksquare \mid M[\vec{N}_1, \mathbf{D}[\circ], \vec{N}_2/\vec{x}_1, x, \vec{x}_2]_\blacksquare
\end{array}$$

with $\mathbf{E}[\circ] \neq \circ \neq \mathbf{D}[\circ]$.

We denote by **C**[M] the term obtained by replacing the hole ◦ in **C**[◦] with the term M. For example, if **C**[◦] = ◦ then **C**[M] = M, and if **E**[◦] = (λx.xN)[◦/x]_■ then **E**[M] = (λx.xN)[M/x]_■. The reduction relations of our calculus are provided in Fig. 4, where the ground steps and the rules for extending them to specific contexts are given.

*Remark 1.* The term constructor Let (i.e., [·/·]_■ from Equation (2)) plays no role in the standard η and β reduction rules from the literature, where it behaves as a black box during reduction. The inertness of this constructor with respect to normalization is indeed what makes the lambda calculi in [10,32] unable to identify terms whose expected behavior is the same, such as, for example, the following pairs of terms:

$$x[v/x]_\blacksquare \;\text{ and }\; x[v, w/x, y]_\blacksquare \qquad\Big|\qquad xyz[v, v/y, z]_\blacksquare \;\text{ and }\; xyy[v/y]_\blacksquare \tag{5}$$
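Two κ-style steps suffice to identify each pair in Eq. (5): dropping a vacuous entry of an explicit substitution (weakening) and merging two entries that carry the same term (contraction; this shape also appears in the proof of Theorem 1 below). The sketch below is our own toy rendering of just these two steps on a tuple encoding of terms; the actual rule set of Fig. 4 is richer.

```python
# Toy κ-style weakening and contraction at the root of an explicit
# substitution. Terms: ('var', x) | ('app', M, N)
#                    | ('sub', M, ((x1, N1), ..., (xn, Nn))).

def fv(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return fv(t[1]) | fv(t[2])
    return set().union(set(), *(fv(n) for _, n in t[2]))

def rename(t, old, new):  # rename a variable (no binders in these examples)
    if t[0] == 'var':
        return ('var', new) if t[1] == old else t
    if t[0] == 'app':
        return ('app', rename(t[1], old, new), rename(t[2], old, new))
    return ('sub', t[1], tuple((x, rename(n, old, new)) for x, n in t[2]))

def kappa_step(t):
    """One weakening or contraction step at the root, or None."""
    if t[0] != 'sub':
        return None
    m, entries = t[1], list(t[2])
    for i, (x, _) in enumerate(entries):       # weakening: x not free in m
        if x not in fv(m):
            return ('sub', m, tuple(entries[:i] + entries[i + 1:]))
    for i in range(len(entries)):              # contraction: equal entries
        for j in range(i + 1, len(entries)):
            if entries[i][1] == entries[j][1]:
                m2 = rename(m, entries[j][0], entries[i][0])
                return ('sub', m2,
                        tuple(e for k, e in enumerate(entries) if k != j))
    return None

def kappa_normalize(t):
    while (s := kappa_step(t)) is not None:
        t = s
    return t

print(kappa_normalize(('sub', ('var', 'x'),
                       (('x', ('var', 'v')), ('y', ('var', 'w'))))))
# -> ('sub', ('var', 'x'), (('x', ('var', 'v')),))   i.e. x[v,w/x,y] ⇝ x[v/x]
```

On the second pair of Eq. (5), contraction rewrites xyz[v, v/y, z]_■ to xyy[v/y]_■, so both members of the pair share a normal form.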

Our operational semantics extends the one provided in [32]. The novelty of our approach is the definition of the κ-reduction and the restriction of the η-reduction. The former is needed to be able to identify modal λ-terms with the

Fig. 4. Definition of the ground steps of the reduction relations, and the rules for their extension to terms with holes.

same expected computational meaning, such as the ones in Eq. (5). The latter is carefully defined to avoid η-redexes that would make the reduction non-terminating, using a well-known technique from term rewriting theory (see, e.g., [31,43]).

The need for these restrictions can be observed in the following two (unrestricted) η-reduction chains, both of which are forbidden by our restricted rule from Fig. 4.

$$M \leadsto_\eta \lambda x.Mx \leadsto_\eta \lambda x.(\lambda y.My)x \leadsto_\eta \cdots \qquad\text{and}\qquad M \leadsto_\eta x[M/x]_\blacksquare \leadsto_\eta x\big[y[M/y]_\blacksquare/x\big]_\blacksquare \leadsto_\eta \cdots \quad (\text{whenever } \Gamma \vdash M : \Box A)$$

Moreover, our definition rules out interactions between the η and β reductions which could lead to infinite chains, as the ones shown below.

$$\begin{array}{cccccl}
\lambda x.M & \leadsto_\eta & \lambda y.(\lambda x.M)y & \leadsto_\beta & \lambda y.(M\{y/x\}) =_\alpha \lambda x.M & \text{or} \\
x[M/x]_\blacksquare & \leadsto_\eta & x\big[y[M/y]_\blacksquare/x\big]_\blacksquare & \leadsto_\beta & y[M/y]_\blacksquare =_\alpha x[M/x]_\blacksquare &
\end{array}$$

Definition 2. *We define the following reduction relations:*

$$\leadsto_{\beta\eta} = \leadsto_\beta \cup \leadsto_\eta \qquad \leadsto_{\beta\kappa} = \leadsto_\beta \cup \leadsto_\kappa \qquad \leadsto_{\beta\eta\kappa} = \leadsto_\beta \cup \leadsto_\eta \cup \leadsto_\kappa \tag{6}$$

*For any* ξ ∈ {β, η, κ, βη, βκ, βηκ}*, we denote by* $\leadsto^+_\xi$ *its* transitive closure*, by* $\leadsto^=_\xi$ *its* reflexive closure*, by* $\leadsto^*_\xi$ *its* reflexive and transitive closure*, and by* ≡_ξ *the* equivalence relation *it induces over terms, that is, its reflexive, symmetric and transitive closure. Given a term* M*, we denote by* nf_ξ(M) *the set of its* ξ-normal forms*. A term* M *is* strongly normalizable *for* $\leadsto_\xi$ *if it admits no infinite* $\leadsto_\xi$*-chains. A reduction* $\leadsto_\xi$ *is* strongly normalizing *if every term* M *is strongly normalizable for it. A reduction* $\leadsto_\xi$ *is* confluent *if, given* $M \leadsto^*_\xi N_1$ *and* $M \leadsto^*_\xi N_2$*, there exists a term* N *such that* $N_1 \leadsto^*_\xi N$ *and* $N_2 \leadsto^*_\xi N$*.*
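The closure, normal-form and confluence notions of Definition 2 can be illustrated on a finite abstract rewriting system. The relation below is a toy example of ours, not the βηκ-reduction itself.

```python
# A finite step relation ⇝ as a dict; from it we compute ⇝* (the reflexive-
# transitive closure), the reachable normal forms nf(t), and check local
# confluence: every one-step peak t1 ⇜ t ⇝ t2 must be rejoinable.

steps = {            # t : set of one-step reducts of t
    'a': {'b', 'c'},
    'b': {'d'},
    'c': {'d'},
    'd': set(),
}

def reducts(t):
    """All s with t ⇝* s."""
    seen, todo = {t}, [t]
    while todo:
        u = todo.pop()
        for v in steps.get(u, set()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def nf(t):
    """Normal forms reachable from t (reducts with no outgoing step)."""
    return {s for s in reducts(t) if not steps.get(s)}

def locally_confluent():
    for t, succ in steps.items():
        for t1 in succ:
            for t2 in succ:
                if not (reducts(t1) & reducts(t2)):   # not rejoinable
                    return False
    return True
```

Here both one-step reducts of `'a'` rejoin at `'d'`, so the system is locally confluent and nf('a') is the singleton {'d'}.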

The *substitution lemma* and the *subject reduction* theorem hold for the reduction $\leadsto_{\beta\eta\kappa}$.

Lemma 1 (Substitution Lemma). *Let* Γ, x : B ⊢ M : C *and* Γ ⊢ N : B *be derivable type assignments. Then* Γ ⊢ M {N/x} : C *is a derivable type assignment.*

Theorem 1. *Let* Γ ⊢ M : C *be derivable. If* $M \leadsto_{\beta\eta\kappa} N$*, then* Γ ⊢ N : C*.*

*Proof.* Because of Lemma 1, it suffices to check the cases when M reduces to N in one ground step of βηκ:


For instance, in the contraction case we have

$$M = M'\left[\vec{P}, N, N, \vec{Q}/\vec{x}, y_1, y_2, \vec{z}\right]_\blacksquare \quad\text{and}\quad N_1 = M'\{y, y/y_1, y_2\}\left[\vec{P}, N, \vec{Q}/\vec{x}, y, \vec{z}\right]_\blacksquare.$$

We can prove local confluence of βηκ by case analysis of the critical pairs using the following lemma.

Lemma 2. *Let* P, P′ *and* Q *be modal* λ*-terms. If* $P \leadsto_{\beta\eta\kappa} P'$*, then* $P\{Q/x\} \leadsto^*_{\beta\eta\kappa} P'\{Q/x\}$*. Moreover, there is a term* $N_Q$ *such that* $Q\{P/x\} \leadsto^*_{\beta\eta\kappa} N_Q$ *and* $Q\{P'/x\} \leadsto^*_{\beta\eta\kappa} N_Q$*.*

Proposition 1. *The reduction* βηκ *is locally confluent.*

*Proof.* We show that if there are $M$, $N_1$ and $N_2$ with $N_1 \neq N_2$ such that $M \leadsto_{\beta\eta\kappa} N_1$ and $M \leadsto_{\beta\eta\kappa} N_2$, then there exists $N$ such that $N_1 \leadsto^*_{\beta\eta\kappa} N$ and $N_2 \leadsto^*_{\beta\eta\kappa} N$. Without loss of generality we have the following cases:

<sup>2</sup> The admissibility of weakening is easily proven by induction on the size of a derivation.

- either $N_2$ is not an abstraction, and we conclude by letting $N = \lambda x.N_2x$;
- otherwise $N_2 = \lambda y.M'$, and we conclude since $N_1 \leadsto_{\eta_1} \lambda x.N_2x \leadsto_{\beta_1} N_2$.

In order to prove the termination of βηκ, we define the following measures.

Definition 3. *Let* M *be a modal* λ*-term. We define the following multisets of derivable type assignments:*

$$\mathsf{Est}_1(M) = \big[\, B \to C \mid P \in \mathrm{Sub}(M) \setminus \Lambda_\lambda \text{ such that } M = PQ \text{ and } \Gamma \vdash P : B \to C \,\big]$$

$$\mathsf{Est}_2(M) = \big[\, \Box B \mid P \in \mathrm{Sub}(M) \setminus \Lambda_\blacksquare \text{ such that } M = Q[\vec{N}_1, P, \vec{N}_2/\vec{x}_1, x, \vec{x}_2]_\blacksquare \text{ and } \Gamma \vdash P : \Box B \,\big]$$

*We then define* $\|M\|_{\eta} := \|M\|^{1}_{\eta} + \|M\|^{2}_{\eta}$ *with*

$$\|M\|_{\eta}^{1} := \sum_{A \in \mathsf{Est}_{1}(M)} \|A\|_{\eta}^{1} \quad \text{and} \quad \|M\|_{\eta}^{2} := \sum_{A \in \mathsf{Est}_{2}(M)} \|A\|_{\eta}^{2}$$

$$\text{where} \qquad \begin{array}{lll} \|a\|_{\eta}^{1} = 0 & \|A \rightarrow B\|_{\eta}^{1} = \|A\|_{\eta}^{1} + \|B\|_{\eta}^{1} + 1 & \|\Box A\|_{\eta}^{1} = \|A\|_{\eta}^{1} \\ \|a\|_{\eta}^{2} = 0 & \|A \rightarrow B\|_{\eta}^{2} = \|A\|_{\eta}^{2} + \|B\|_{\eta}^{2} & \|\Box A\|_{\eta}^{2} = \|A\|_{\eta}^{2} + 1 \end{array}$$
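To make the measure concrete, the following Python sketch computes the two norms $\|\cdot\|^1_\eta$ and $\|\cdot\|^2_\eta$ on formulas. The tuple encoding of formulas and all function names are ours, not from the paper: atoms are strings, implications are `('->', A, B)`, and boxed formulas are `('box', A)`.

```python
# Sketch of the two type norms used in the eta-termination argument:
#   ||a||^1 = 0   ||A->B||^1 = ||A||^1 + ||B||^1 + 1   ||[]A||^1 = ||A||^1
#   ||a||^2 = 0   ||A->B||^2 = ||A||^2 + ||B||^2       ||[]A||^2 = ||A||^2 + 1
# Formulas are encoded as: 'a' (atom), ('->', A, B), ('box', A).

def norm1(A):
    """||A||^1_eta: counts the arrows occurring in A."""
    if isinstance(A, str):
        return 0
    if A[0] == '->':
        return norm1(A[1]) + norm1(A[2]) + 1
    return norm1(A[1])          # ('box', A)

def norm2(A):
    """||A||^2_eta: counts the boxes occurring in A."""
    if isinstance(A, str):
        return 0
    if A[0] == '->':
        return norm2(A[1]) + norm2(A[2])
    return norm2(A[1]) + 1      # ('box', A)
```

For instance, `norm1` applied to $a \to (a \to a)$ yields 2, one per arrow, and `norm2` applied to $\Box(a \to \Box a)$ yields 2, one per box.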

*We also define* $\|M\|_{\kappa}$*, the size of the substitution subterms of* $M$*, as follows:*

$$\begin{aligned} \|x\|_\kappa &= 0 \qquad \|\lambda x. M\|_\kappa = \|M\|_\kappa \qquad \|MN\|_\kappa = \|M\|_\kappa + \|N\|_\kappa\\ \|M\left[N_1, \dots, N_n/x_1, \dots, x_n\right]_{\blacksquare}\|_\kappa &= \|M\|_\kappa + \sum_{i=1}^{n}\|N_i\|_\kappa + n \end{aligned}$$
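The substitution-size measure is a straightforward recursion on terms. Below is a Python sketch under our own encoding of modal λ-terms (the constructors and names are hypothetical, not from the paper): `('var', x)`, `('lam', x, M)`, `('app', M, N)`, and `('sub', M, [N1..Nn], [x1..xn])` for the explicit substitution $M[\vec{N}/\vec{x}]_{\blacksquare}$.

```python
# Sketch of ||.||_kappa on modal lambda-terms. Each explicit substitution
# contributes the sizes of its arguments plus the number n of substituted
# variables, so every kappa-step strictly decreases the measure.

def size_kappa(t):
    tag = t[0]
    if tag == 'var':
        return 0
    if tag == 'lam':                      # ('lam', x, M)
        return size_kappa(t[2])
    if tag == 'app':                      # ('app', M, N)
        return size_kappa(t[1]) + size_kappa(t[2])
    # ('sub', M, [N1..Nn], [x1..xn]):  ||M|| + sum ||Ni|| + n
    _, M, Ns, xs = t
    return size_kappa(M) + sum(size_kappa(N) for N in Ns) + len(Ns)
```

For example, a term carrying one explicit substitution of two variable-free arguments has measure 2 (0 from the arguments, plus $n = 2$).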

*Example 1.* Intuitively, the measure $\|\cdot\|_{\eta}$ does not take into account all the subterms of $M$, but only the ones to which the restricted $\eta$ can be applied. For an example, consider the modal $\lambda$-term $M = (\lambda z^{a \to a}.z)y$, for which $\|M\|_{\eta} = 3$: all four subterms of $M$ have an $\to$-type, but the subterm $\lambda z.z$ is an abstraction, therefore no $\eta$ can be applied to it. If $M \to_{\eta} N$ then, because of the restrictions on $\eta$, we have the following.


Lemma 3. *Let $M$ and $N$ be modal $\lambda$-terms. If $M \to_{\eta} N$, then either $\|N\|_{\eta} < \|M\|_{\eta}$ or there is an $N'$ such that $N \to_{\eta} N'$ and $\|N'\|_{\eta} < \|M\|_{\eta}$.*

Lemma 4. *The following commutations between $\to_{\beta}$, $\to_{\eta}$ and $\to_{\kappa}$ hold:*

- *if* $M \to_{\kappa} N \to_{\beta} N'$*, then there is* $M'$ *such that* $M \to_{\beta} M'$ *and* $M' \to^{*}_{\kappa} N'$*;*
- *if* $M \to_{\eta} N \to_{\kappa} N'$*, then there is* $M'$ *such that* $M \to_{\kappa} M'$ *and* $M' \to^{*}_{\eta} N'$*;*
- *if* $M \to_{\beta} N \to_{\eta} N'$*, then there is* $M'$ *such that* $M \to_{\eta} M'$ *and* $M' \to^{*}_{\beta} N'$*.*

Theorem 2. *The reduction relation $\to_{\beta\eta\kappa}$ is strongly normalizing and confluent.*

*Proof.* By Proposition 1, it suffices to prove that $\to_{\beta\eta\kappa}$ is strongly normalizing to conclude by Newman's lemma that $\to_{\beta\eta\kappa}$ is also confluent.

To prove strong normalization we use the fact that the reductions $\to_{\beta}$, $\to_{\eta}$ and $\to_{\kappa}$ are each strongly normalizing: for $\to_{\beta}$ the proof can be found in [32]; for $\to_{\eta}$ the proof is by induction on $\|\cdot\|_{\eta}$ using Lemma 3; and for $\to_{\kappa}$ it follows from the fact that, by definition of $\|\cdot\|_{\kappa}$, we have $\|M\|_{\kappa} > \|N\|_{\kappa}$ whenever $M \to_{\kappa} N$. To conclude that $\to_{\beta\eta\kappa}$ is also strongly normalizing, we use the standard result in rewriting theory (see, e.g., [50]) ensuring that, given two strongly normalizing reduction relations $\to_1$ and $\to_2$ with $\to_1$ confluent, if $M \to_2 N$ implies the existence of a reduction $\mathsf{nf}_1(M) \to^{+}_2 \mathsf{nf}_1(N)$ for any $M$ and $N$, then $\to_1 \cup \to_2$ is strongly normalizing. In our case, the fact that $M \to_2 N$ implies $\mathsf{nf}_1(M) \to^{+}_2 \mathsf{nf}_1(N)$ is a corollary of Lemma 4.
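Newman's lemma, the pivot of this argument, can be illustrated on a toy *finite* abstract rewrite system. The sketch below is our own encoding (a dictionary mapping each object to its one-step reducts) and checks joinability of one-step peaks by brute force, which is only feasible for finite systems; it is not part of the paper's development.

```python
from itertools import product

# Toy illustration of Newman's lemma: in a terminating system, if every
# one-step peak  N1 <- M -> N2  is joinable, normal forms are unique.
# `steps` maps each object to the list of objects it rewrites to.

def reachable(steps, m):
    """All objects reachable from m by ->* (including m itself)."""
    seen, todo = {m}, [m]
    while todo:
        x = todo.pop()
        for y in steps.get(x, []):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen

def locally_confluent(steps):
    """Every one-step peak has a common ->*-reduct."""
    return all(reachable(steps, n1) & reachable(steps, n2)
               for m in steps
               for n1, n2 in product(steps[m], steps[m]))

def normal_forms(steps, m):
    """Objects reachable from m with no outgoing step."""
    return {x for x in reachable(steps, m) if not steps.get(x)}

# The diamond M -> N1, M -> N2, N1 -> N, N2 -> N is locally confluent,
# terminating, and hence has the unique normal form N.
steps = {'M': ['N1', 'N2'], 'N1': ['N'], 'N2': ['N'], 'N': []}
```

Running `normal_forms(steps, 'M')` on the diamond above returns the singleton `{'N'}`, as Newman's lemma predicts.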

Definition 4. *The set* <sup>Λ</sup> *is the set of modal* <sup>λ</sup>*-terms defined inductively as follows:*


Proposition 2. *The set* <sup>Λ</sup> *is the set of modal* <sup>λ</sup>*-terms in* βηκ*-normal form* nfβηκ(Λ)*.*

*Proof.* By definition, every term in $\Lambda$ is in $\beta\eta\kappa$-normal form, so $\Lambda \subseteq \mathsf{nf}_{\beta\eta\kappa}(\Lambda)$. To prove the converse we proceed by induction on the structure of $M \in \mathsf{nf}_{\beta\eta\kappa}(\Lambda)$:


Fig. 5. Typing rules of the typing system CK<sup>F</sup>.

# 4 A Canonical Type System for CK

In this section we present an alternative typing system for modal λ-terms in which each term in Λ admits exactly one typing derivation. The rules of this system (which we call CK<sup>F</sup>) are provided in Fig. 5 and are conceived to reduce the non-determinism of the typing process, following the same approach used in designing focused sequent calculi [8,12,42]. Derivations and derivability in CK<sup>F</sup> are defined analogously to Definition 1, using the rules of CK<sup>F</sup> instead of the rules of NDCK. We remark that the structural rules of weakening and contraction are admissible in the system.

We can now prove a result of *canonicity* of CK<sup>F</sup> with respect to typing derivations of modal λ-terms in nfβηκ(Λ).

Theorem 3. *Let $T \in \Lambda$ and let $\Gamma \vdash T : A$ be a derivable type assignment. Then there is a unique (up to* ex*-rules) derivation of $\Gamma \vdash T : A$ in* CK<sup>F</sup>*.*

*Proof.* The proof of this theorem follows from the correspondence between the inductive definition of terms in Λ (Definition 4) and the shape of the typing rules of CK<sup>F</sup>. Details are provided in the extended version of this paper [4].

# 5 Game Semantics for CK

In this section we recall definitions and results on the winning innocent strategies for the logic CK defined in [5]. For this purpose, we first recall the construction extending Hyland-Ong arenas [29,44] for intuitionistic propositional formulas to represent formulas containing modalities, and then we recall the characterization of the winning innocent strategies representing proofs in CK. We conclude by proving the full-completeness result for those strategies, showing a one-to-one correspondence between strategies for type assignments of terms in normal form and their (unique) typing derivations in CK<sup>F</sup>.

#### 5.1 Arenas with Modalities

We recall the definition of arenas with modalities from [5], extending the encoding of arenas from [26,30]. For this purpose, we assume the reader is familiar with the definition of *two-color directed graphs* (or *2-dags* for short), i.e., directed acyclic graphs with two disjoint sets of directed edges $\to$ and $\rightsquigarrow$ (details can be found in [5,26]).

Definition 5. *The* arena *of a formula* $F$ *is the 2-dag* $[\![F]\!]$ *whose vertices are labeled by elements in* $\mathcal{L} = \mathcal{A} \cup \{\Box\}$*, inductively defined as follows:*

$$[\![a]\!] = a \qquad [\![A \to B]\!] = [\![A]\!] \multimap [\![B]\!] \qquad [\![\Box A]\!] = \Box \rightsquigarrow [\![A]\!] \tag{7}$$

*where* $a$ *and* $\Box$ *denote the graphs consisting of a single vertex labeled by* $a$ *and* $\Box$ *respectively, and where the binary operations* $\multimap$ *and* $\rightsquigarrow$ *on 2-dags are defined as follows:*

$$\mathcal{G} \multimap \mathcal{H} = \left( V_{\mathcal{G}} \uplus V_{\mathcal{H}},\; \to_{\mathcal{G}\uplus\mathcal{H}} \cup \left( \overrightarrow{R}_{\mathcal{G}} \frown \overrightarrow{R}_{\mathcal{H}} \right),\; \rightsquigarrow_{\mathcal{G}\uplus\mathcal{H}} \right) \quad \text{and} \quad \mathcal{G} \rightsquigarrow \mathcal{H} = \left( V_{\mathcal{G}} \uplus V_{\mathcal{H}},\; \to_{\mathcal{G}\uplus\mathcal{H}},\; \rightsquigarrow_{\mathcal{G}\uplus\mathcal{H}} \cup \left( \overrightarrow{R}_{\mathcal{G}} \frown \overrightarrow{R}_{\mathcal{H}} \right) \right)$$

*with*

$$V_{\mathcal{G}} \uplus V_{\mathcal{H}} = \left\{ (v_i, i) \mid i \in \{0,1\} \text{ and } v_0 \in V_{\mathcal{G}} \text{ and } v_1 \in V_{\mathcal{H}} \right\} \quad \text{and} \quad \ell((v_i, i)) = \ell(v_i)$$

$$\circ_{\mathcal{G}\uplus\mathcal{H}} = \left\{ ((v_i, i),(w_i, i)) \mid i \in \{0,1\} \text{ and } (v_0, w_0) \in \circ_{\mathcal{G}} \text{ and } (v_1, w_1) \in \circ_{\mathcal{H}} \right\} \quad \text{for each } \circ \in \{\to, \rightsquigarrow\}$$

$$\overrightarrow{R}_{\mathcal{G}} \frown \overrightarrow{R}_{\mathcal{H}} = \left\{ ((v,0),(w,1)) \mid v \in \overrightarrow{R}_{\mathcal{G}},\ w \in \overrightarrow{R}_{\mathcal{H}} \right\} \qquad \text{where } \overrightarrow{R}_{X} := \{ v \in V_X \mid v \to_X w \text{ for no } w \in V_X \}$$

*The* arena of a sequent $A_1,\dots,A_n \vdash C$ *is the arena* $[\![(A_1,\dots,A_n) \to C]\!]$*.*

*Remark 2.* By construction, an arena $\mathcal{G}$ of a formula or of a sequent $\Gamma \vdash C$ always admits a unique non-$\Box$-labeled vertex in $\overrightarrow{R}_{\mathcal{G}}$, i.e., a unique vertex $v$ with $\ell(v) \neq \Box$ such that there is no $w \in V_{\mathcal{G}}$ with $v \to_{\mathcal{G}} w$.
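The arena construction and the root property of Remark 2 can be prototyped in a few lines. The Python sketch below uses our own encoding of 2-dags (a label map plus two edge sets); the orientation of the edges added by $\multimap$ and $\rightsquigarrow$, from the $\to$-roots of the first component to those of the second, is our reading of the definition above, and all names are hypothetical.

```python
import itertools

# A 2-dag is (labels, arrows, squigs): labels maps vertex ids to an atom
# or 'box'; arrows and squigs are sets of directed edges (v, w).
_ids = itertools.count()

def leaf(label):
    v = next(_ids)
    return ({v: label}, set(), set())

def roots(g):
    """->-roots: vertices with no outgoing ->-edge."""
    labels, arrows, _ = g
    return {v for v in labels if not any(e[0] == v for e in arrows)}

def lollipop(g, h):                 # [[A -> B]] = [[A]] -o [[B]]
    new = {(v, w) for v in roots(g) for w in roots(h)}
    return ({**g[0], **h[0]}, g[1] | h[1] | new, g[2] | h[2])

def box(g):                         # [[box A]] = box ~> [[A]]
    b = leaf('box')
    new = {(v, w) for v in roots(b) for w in roots(g)}
    return ({**b[0], **g[0]}, b[1] | g[1], b[2] | g[2] | new)

def arena(F):
    """Formulas: 'a' (atom), ('->', A, B), ('box', A)."""
    if isinstance(F, str):
        return leaf(F)
    if F[0] == '->':
        return lollipop(arena(F[1]), arena(F[2]))
    return box(arena(F[1]))
```

For $a \to \Box b$ this produces one $\rightsquigarrow$-edge from the $\Box$ vertex and, as Remark 2 states, a single non-$\Box$ vertex among the $\to$-roots (here labeled $b$).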

We draw 2-dags by representing a vertex $v$ by its label $\ell(v)$. If $v$ and $w$ are vertices of a 2-dag, then we draw an edge of the corresponding kind between their labels whenever $v \to w$ or $v \rightsquigarrow w$. As an example, consider the arena below.

$$\left[\!\left[(a \to \Box(b \to (c \to \Box d))) \to \Box(e \to f)\right]\!\right] \tag{8}$$

(The right-hand side of (8), a drawing of the corresponding 2-dag, is not reproduced here.)

*Remark 3.* All arenas of the form $[\![(A_{\sigma(1)},\dots,A_{\sigma(n)}) \to C]\!]$ have the same representation for any permutation $\sigma$ over $\{1,\dots,n\}$. More generally, it can be shown that the arenas of any two formulas equivalent modulo currying $A \to (B \to C) \sim B \to (A \to C)$ can be depicted by the same 2-dag. However, whenever there may be ambiguity because of the presence of two vertices with the same label, we may represent the vertex $v = ((\cdots(v', i_1)\cdots), i_n)$ (where $i_1,\dots,i_n \in \{0,1\}$) by $\ell(v')^{i_1,\dots,i_n}$ instead of simply $\ell(v) = \ell(v')$ (see Example 2).

Definition 6. *Let* $[\![F]\!]$ *be an arena and* $v$ *one of its vertices. The* depth *of* $v$ *is the number* $d(v)$ *of vertices in a* $\to$*-path from* $v$ *to a vertex in* $\overrightarrow{R}_{[\![F]\!]}$<sup>3</sup>*. The* address *of* $v$ *is defined as the unique sequence of modal vertices* $\mathsf{add}(v) = m_1,\dots,m_h$ *in* $V_{[\![F]\!]}$ *corresponding to the sequence of modalities in the path in the formula tree of* $F$ *connecting the node of* $v$ *to the root. If* $\mathsf{add}(v) = m_1,\dots,m_h$*, we denote by* $\mathsf{add}^k(v) = m_k$ *its* $k$*-th element, and we call the* height *of* $v$ *(denoted* $h_v$*) the number of elements in* $\mathsf{add}(v)$*.*
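Since the address of a vertex is read off the formula tree, it is easy to compute. The following Python sketch (tuple encoding and names are ours, not from the paper) collects the (atom, address) pairs of a formula, recording for each atom occurrence the boxes on the path to the root; the height $h_v$ is then just the length of the address.

```python
# Sketch of add(v) and h_v computed on the formula tree. Formulas are
# encoded as: 'a' (atom), ('->', A, B), ('box', A). Occurrences are
# returned left to right as (atom, address) pairs, where an address is
# the tuple of boxes traversed from the root down to the occurrence.

def addresses(F, path=()):
    if isinstance(F, str):
        return [(F, path)]
    if F[0] == '->':
        return addresses(F[1], path) + addresses(F[2], path)
    return addresses(F[1], path + ('box',))   # ('box', A)

def height(address):
    """h_v: the number of boxes in the address of v."""
    return len(address)
```

On the formula of (8), $(a \to \Box(b \to (c \to \Box d))) \to \Box(e \to f)$, the occurrence of $d$ has height 2, $a$ has height 0, and $f$ has height 1.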

*Example 2.* Below is an alternative representation of the arena of the formula $(a \to \Box(b \to (c \to \Box d))) \to \Box(e \to f)$ from Equation (8), where the ambiguity of the vertex representation is avoided by the use of indices, together with the corresponding formula tree and the complete list of the addresses of all vertices in this arena.

#### 5.2 Games and Winning Innocent Strategies

In this subsection, we briefly recall the definitions of games and winning strategies from [5] required to make the paper self-contained. Note that differently from the previous works, we here include the additional information of the *pointer*

<sup>3</sup> As proven in [6,26], arenas are *stratified*, that is, all the $\to$-paths from a vertex $v$ to any vertex in $\overrightarrow{R}_{[\![F]\!]}$ have the same length. Therefore the number $d(v)$ is well-defined.

*function* in the definition of views. This information is crucial for the results in Sect. 4 where we provide a one-to-one correspondence between our winning strategies and modal λ-terms.

Definition 7. *Let* $\mathcal{A}$ *be an arena. We call a* move *an occurrence of a vertex* $v$ *of* $\mathcal{A}$ *with* $\ell(v) \neq \Box$*. The* polarity *of a move* $v$ *is the parity of* $d(v)$*: a move is a* $\circ$-move *(resp. a* $\bullet$-move*) if* $d(v)$ *is even (resp. odd).*

*A* pointed sequence *in* $\mathcal{A}$ *is a pair* $p = \langle s, f \rangle$ *where* $s = s_0,\dots,s_n$ *is a finite sequence of moves in* $\mathcal{A}$ *and* $f : \{1,\dots,n\} \to \{0,\dots,n-1\}$ *is a* pointer function *such that* $f(i) < i$ *and* $s_i \to_{\mathcal{A}} s_{f(i)}$*. The* length *of* $p$ *(denoted* $|p|$*) is defined as the length of* $s$*, that is,* $|p| = n + 1$*. Note that we also use* $\epsilon$ *to denote the* empty pointed sequence *$\langle \epsilon, \emptyset \rangle$.*

*Remark 4.* It follows from the definition of view that the player $\circ$ (resp. $\bullet$) can only play vertices whose depth $d(v)$ is even (resp. odd). For this reason, for each $v \in V_{\mathcal{G}}$ we write $v^{\circ}$ (resp. $v^{\bullet}$) if the parity of $d(v)$ is even (resp. odd).

Note that the parity of a modality in the address of a move may not be the same as the parity of the move itself. By means of example, consider the vertex $c$ in Example 2, which belongs in the scope of the two modalities $\Box^{011110}$ and $\Box^{010}$, both of odd parity.

Given two pointed sequences $p = \langle s, f \rangle$ and $p' = \langle s', f' \rangle$ in $\mathcal{A}$, we write $p \sqsubseteq p'$ whenever $s$ is a prefix of $s'$ (thus $|s| \leq |s'|$) and $f(i) = f'(i)$ for all $i \in \{1,\dots,|p|-1\}$, and we say that $p$ is a *predecessor* of $p'$ if $p \sqsubseteq p'$ and $|p| = |p'| - 1$.

Definition 8. *Let* $\mathcal{A}$ *be an arena. A* play *on* $\mathcal{A}$ *is a pointed sequence* $p = \langle s, f \rangle$ *such that either* $s = \epsilon$*, or* $s_i$ *and* $s_{i+1}$ *have opposite polarities for all* $i \in \{0,\dots,|p|-2\}$*.*

*The* game of A *(denoted G*A*) is the set of prefix-closed sets of plays over* A*.*

*A* view *is a play* $p = \langle s, f \rangle$ *such that either* $p = \epsilon$ *or the following properties hold:*

- *$p$ is* $\circ$-shortsighted*:* $f(2k) = 2k - 1$ *for every* $2k \in \{2,\dots,|p|\}$*;*
- *$p$ is* $\bullet$-uniform*:* $\ell(s_{2k+1}) = \ell(s_{2k})$ *for every* $2k+1 \in \{0,\dots,|p|\}$*.*
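The alternation and $\circ$-shortsightedness conditions are mechanical to check. The Python sketch below is our own encoding, not from the paper: a move is represented only by its depth $d(v)$, and a pointed sequence by a list of depths together with a pointer dictionary; the $\bullet$-uniformity condition, which needs labels, is omitted.

```python
# Sketch of the play and view conditions on pointed sequences (s, f):
# s is a list of move depths, f maps a position i >= 1 to f(i) < i.

def polarity(depth):
    """Even depth: o-move; odd depth: player-move."""
    return 'O' if depth % 2 == 0 else 'P'

def is_play(s):
    """Consecutive moves have opposite polarities."""
    return all(polarity(s[i]) != polarity(s[i + 1])
               for i in range(len(s) - 1))

def is_view(s, f):
    """o-shortsighted play: every later o-move points to the move
    immediately before it, i.e. f(2k) = 2k - 1."""
    return is_play(s) and all(f.get(i) == i - 1
                              for i in range(2, len(s), 2))
```

For instance, the depth sequence `[0, 1, 2, 1]` with pointers `{1: 0, 2: 1, 3: 2}` is a view, while redirecting the pointer of position 2 to 0 breaks $\circ$-shortsightedness.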

*A* winning innocent strategy *(or* WIS *for short) for the game* $\mathcal{G}_{\mathcal{A}}$ *is a finite non-empty prefix-closed set* $S$ *of views in* $\mathcal{G}_{\mathcal{A}}$ *such that:*

- *$S$ is* $\circ$-complete*: if* $p \in S$ *and* $p$ *has odd length, then every successor of* $p$ *(in* $\mathcal{G}_{\mathcal{A}}$*) is also in* $S$*;*
- *$S$ is* $\bullet$-total*: if* $p \in S$ *and* $p$ *has even length, then exactly one successor of* $p$ *(in* $\mathcal{G}_{\mathcal{A}}$*) is in* $S$*.*

*A view is* maximal *in* $S$ *if it is not a prefix of any other view in* $S$*. $S$ is* trivial *if* $S = \{\epsilon\}$*. We say that* $S$ *is a* WIS *for a sequent* $A_1,\dots,A_n \vdash C$ *if* $S$ *is a* WIS *for* $[\![A_1,\dots,A_n \vdash C]\!]$*.*

The definition of WIS above is a reformulation of the one in the literature on game semantics for intuitionistic propositional logic [14,26,29]. In the presence of modalities, this definition needs to be refined to guarantee the possibility of gathering modalities in *batches* corresponding to the modalities introduced by a

Fig. 6. Examples of WISs for arenas not corresponding to proofs.

single application of the rule K (see Fig. 2). By means of example, consider the following arenas and their corresponding WISs, which cannot represent valid proofs in CK because of the impossibility of applying the rules handling the modalities in a correct way.

*Example 3.* Consider the formulas $F_1 = \Box a \to a$ and $F_2 = (\Box a \to \Box b) \to \Box(a \to b)$ and their arenas in Fig. 6. The sets of views $S_1$ and $S_2$ are WISs for $F_1$ and $F_2$ respectively. However, these formulas are not provable in SCK, because proof search fails (see Fig. 6). In particular, in the first case no K can be applied because there is a mismatch between the modalities on the left-hand side and on the right-hand side of the sequent; in the second case the problem is more subtle and, intuitively, is related to the fact that each K can remove only a single $\Box^{\circ}$ at a time, corresponding to the modality of the unique formula on the right-hand side of the sequent.

Therefore, in order to capture provability in CK, the notion of winning strategies has to be refined as follows.

Definition 9. *Let* $p = \langle s, f \rangle$ *be a view in a strategy* $S$ *on an arena* $\mathcal{A}$*, and let* $h_p = 1 + \max\{h_v \mid v \in p\}$*. We define the* batched view *of* $p$ *as the* $h_p \times n$ *matrix* $\mathcal{F}(p) = \left( \mathcal{F}(p)_0, \dots, \mathcal{F}(p)_n \right)$ *with elements in* $V_{\mathcal{G}} \cup \{\epsilon\}$ *such that each column* $\mathcal{F}(p)_i$ *is defined as follows:*

$$\mathcal{F}(\mathfrak{p})_i = \begin{pmatrix} \mathcal{F}(\mathfrak{p})_i^{h_{\mathfrak{p}}} \\ \vdots \\ \mathcal{F}(\mathfrak{p})_i^0 \end{pmatrix} \quad \text{where} \quad \begin{cases} \mathcal{F}(\mathfrak{p})_i^{h_{\mathfrak{p}}} = \mathsf{add}^{h_{\mathfrak{p}_i}}(\mathfrak{p}_i), \;\dots,\; \mathcal{F}(\mathfrak{p})_i^{h_{\mathfrak{p}} - h_{\mathfrak{p}_i} + 1} = \mathsf{add}^1(\mathfrak{p}_i) \\ \mathcal{F}(\mathfrak{p})_i^{h_{\mathfrak{p}} - h_{\mathfrak{p}_i}} = \epsilon, \;\dots,\; \mathcal{F}(\mathfrak{p})_i^1 = \epsilon \\ \mathcal{F}(\mathfrak{p})_i^0 = \mathfrak{p}_i \end{cases}$$

*We say that* $p$ *is* well-batched *if* $|\mathsf{add}(s_{2k})| = |\mathsf{add}(s_{2k+1})|$ *for every* $2k \in \{0,\dots,|p|-1\}$*. Each well-batched view* $p$ *induces an equivalence relation* $\sim_p$ *over* $V_{\mathcal{G}}$ *generated by:*

$$u \sim_{p} w \qquad \text{iff} \qquad u = \mathcal{F}(p)_{2k}^{h} \text{ and } w = \mathcal{F}(p)_{2k+1}^{h} \text{ for a } 2k < n - 1 \text{ and an } h \leq h_{p} \tag{9}$$

*A* WIS $S$ *is* linked *if it contains only well-batched views and if for every* $p \in S$ *the* $\sim_p$*-classes are of the shape* $\{v_1^{\bullet},\dots,v_n^{\bullet}, w^{\circ}\}$*.*

*A* CK-winning innocent strategy *(or* CK*-*WIS *for short) is a linked* WIS *S.* <sup>4</sup>

*Example 4.* Consider the arenas in Fig. 6, and the batched views of the (unique) maximal views in $S_1$ and $S_2$, whose bottom rows are the moves $a^{\circ} a^{\bullet}$ and $b^{\circ} b^{\bullet} a^{\circ} a^{\bullet}$ and whose upper rows are given by their addresses. The first is not well-batched because $a^{\circ}$ has height 0 while $a^{\bullet}$ has height 1; the second, even if well-batched, is not linked because the $\sim_p$-class $\{\Box^{\circ}_{10}, \Box^{\bullet}_{010}, \Box^{\circ}_{000}\}$ contains two $\Box^{\circ}$.

The definition of CK-WISs allows us to obtain a full-completeness result with respect to CK which, together with the good compositionality properties of CK-WISs shown in [5,11], provides a fully complete denotational semantics for the logic CK. That is, every CK-WIS is the encoding of a derivation in CK, and if a derivation $\mathcal{D}$ reduces via cut-elimination to a derivation $\mathcal{D}'$, then they are encoded by the same CK-WIS.

Theorem 4 ([5]). *The set of* CK*-*WIS*s is a fully complete denotational model for* CK*.*

#### 5.3 Full Completeness for Modal Lambda Terms in Normal Form

We can prove the full completeness result using the type system CK<sup>F</sup> and relying on Theorem 3. For this purpose, we have to extend the definition of α-equivalence from terms to type assignments in order to avoid technicalities in our proofs, since arenas keep no track of variable names. For example, consider the α-equivalent terms λx.x and λy.y, whose derivations should be considered equivalent: since α-equivalence does not extend to type assignments, the two occurrences of the axiom rule with conclusions $x : a \vdash x : a$ and $y : a \vdash y : a$ would otherwise be considered distinct.<sup>5</sup>

Definition 10. *Let* $A_1,\dots,A_n \vdash C$ *be a sequent. We define* $\Lambda(\Gamma \vdash C)$ *as the set of terms* $M$ *such that the type assignment* $x_1 : A_1,\dots,x_n : A_n \vdash M : C$ *is derivable, that is,*

$$\Lambda(\Gamma \vdash C) = \left\{ M \in \Lambda \;\middle|\; x_1 : A_1,\dots,x_n : A_n \vdash M : C \text{ is derivable for some } x_1,\dots,x_n \right\}.$$

*If* $M, N \in \Lambda(\Gamma \vdash C)$*, we define* $M =_{\alpha}^{\Gamma;C} N$ *as the smallest equivalence relation generated by the rule.*

<sup>4</sup> We here provide a simpler definition of CK-WISs w.r.t. the one in [5]. In fact, we are able here to simplify this definition because we are considering the ♦-free fragment of CK.

<sup>5</sup> Note that another possible way to deal with this problem is to label non-modal vertices of arenas by pairs of propositional atoms and variables instead of propositional variables only.

Fig. 7. Rules to construct a CK-WIS from a type derivation in CK<sup>F</sup>. For reasons of readability, we assume there is an implicit map identifying the moves in the arenas of the type assignments in the premises with the moves in the arena of the type assignment in the conclusion. Note that $c^{\circ}$ and $c^{\bullet}$ are occurrences of the same atom $c$, but we have decorated them to improve readability.

From now on, we consider derivations up to the α-equivalence defined above, that is, up to renaming of the variables occurring in a typing context.

Theorem 5. *There is a one-to-one correspondence between terms in* $\Lambda \cap \Lambda(\Gamma \vdash C)$ *and* CK*-*WIS*s for* $\Gamma \vdash C$*.*

*Proof.* Given a CK-WIS $S$ for $\Gamma \vdash C$, we can define a (unique) typing derivation $\mathcal{D}_S$ in CK<sup>F</sup> of a term $T_S \in \Lambda \cap \Lambda(\Gamma \vdash C)$ by induction on the lexicographic order over the pairs $(|S|, |C|)$, reasoning on the inductive definition of $\Lambda$.

Similarly, given a type assignment $\Gamma \vdash T : C$ for a $T \in \Lambda$, by Theorem 3 there is a (unique) derivation $\mathcal{D}_T$ in CK<sup>F</sup>. We define $S_T$ as the CK-WIS constructed by induction on the number of rules in $\mathcal{D}_T$ using the rules in Fig. 7. We conclude since $S_{T_S} = S$ and $T_{S_T} = T$ by definition.

# 6 Conclusion

In this paper we introduced a new modal λ-calculus for the ♦-free fragment of the constructive modal logic CK (without conjunction or disjunction). This λ-calculus builds on the work in [32] by adding a restricted η-reduction, as well as two new reduction rules dealing with the explicit substitution constructor used to model the modality $\Box$. We proved normalization and confluence for this calculus, and we provided a one-to-one correspondence between the set of terms in normal form and the set of winning strategies for the logic CK introduced in [5].

We foresee the possibility of extending the result presented in this paper to the entire disjunction-free fragment of CK, for which winning strategies are already defined in [5]. For this purpose, we should consider additional term constructors for terms whose type is a conjunction, as well as a new Let-like operator to model terms whose type is a ♦-formula, similar to the one proposed in [10]. For this reason, in future works we plan to reformulate our λ-calculus in the light of the novel line of research on calculi with explicit substitutions [1,2,34,35]. This approach would allow us to simplify some of the technicalities and achieve a more elegant operational semantics. Another interesting perspective is to extend our approach to operational semantics to the Fitch-style modal λ-calculus studied in [53].

At the same time, we plan to make explicit that our game semantics provides a concrete model for *cartesian closed categories* equipped with a *strong monoidal endofunctor* [10,33]. Indeed, the categorical semantics of the calculus in [10] is given by means of *cartesian closed categories* equipped with a *strong monoidal endofunctor* taking into account the proof-theoretical behavior of the $\Box$-modality. We further conjecture that the syntactic category obtained via the quotient of modal terms modulo the relations we introduce in this paper is indeed a *free cartesian closed category* on a set of atoms with a *strong monoidal endofunctor*.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Linear Logic and MV-Algebras**

# **Proof-Theoretic Semantics for Intuitionistic Multiplicative Linear Logic**

Alexander V. Gheorghiu1(B) , Tao Gu1(B) , and David J. Pym1,2(B)

<sup>1</sup> University College London, London WC1E 6BT, UK {alexander.gheorghiu.19,tao.gu.18,d.pym}@ucl.ac.uk <sup>2</sup> Institute of Philosophy, University of London, London WC1H 0AR, UK

**Abstract.** This work is the first exploration of proof-theoretic semantics for a substructural logic. It focuses on the base-extension semantics (B-eS) for intuitionistic multiplicative linear logic (IMLL). The starting point is a review of Sandqvist's B-eS for intuitionistic propositional logic (IPL), for which we propose an alternative treatment of conjunction that takes the form of the *generalized* elimination rule for the connective. The resulting semantics is shown to be sound and complete. This motivates our main contribution, a B-eS for IMLL, in which the definitions of the logical constants all take the form of their elimination rule and for which soundness and completeness are established.

**Keywords:** Logic · Semantics · Proof Theory · Proof-theoretic Semantics · Substructural Logic · Multiplicative Connectives

# **1 Introduction**

In model-theoretic semantics (M-tS), logical consequence is defined in terms of models; that is, abstract mathematical structures in which propositions are interpreted and their truth is judged. As Schroeder-Heister [33] explains, in the standard reading given by Tarski [38,39], a propositional formula ϕ follows model-theoretically from a context Γ iff every model of Γ is a model of ϕ; that is,

Γ |= ϕ iff for all models M, if M |= ψ for all ψ ∈ Γ, then M |= ϕ

Therefore, consequence is understood as the transmission of truth. Importantly, on this view, *meaning* and *validity* are characterized in terms of *truth*.
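The Tarskian clause above can be made concrete in a few lines. The following Python sketch is a toy illustration for *classical* propositional logic over finitely many atoms (the encoding and all names are ours): it brute-forces every valuation and checks that each one satisfying Γ also satisfies ϕ.

```python
from itertools import product

# Toy Tarskian consequence for classical propositional logic:
# Gamma |= phi iff every valuation making all of Gamma true makes phi
# true. Formulas: 'p' (atom), ('->', A, B), ('and', A, B).

def evaluate(F, val):
    if isinstance(F, str):
        return val[F]
    if F[0] == '->':
        return (not evaluate(F[1], val)) or evaluate(F[2], val)
    return evaluate(F[1], val) and evaluate(F[2], val)   # ('and', A, B)

def atoms(F, acc=None):
    acc = set() if acc is None else acc
    if isinstance(F, str):
        acc.add(F)
    else:
        atoms(F[1], acc)
        atoms(F[2], acc)
    return acc

def entails(gamma, phi):
    names = sorted(set().union(atoms(phi), *map(atoms, gamma)))
    return all(evaluate(phi, val)
               for bits in product([True, False], repeat=len(names))
               for val in [dict(zip(names, bits))]
               if all(evaluate(g, val) for g in gamma))
```

For instance, `entails(['p', ('->', 'p', 'q')], 'q')` holds (modus ponens), while `entails(['p'], 'q')` fails.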

Proof-theoretic semantics (P-tS) is an alternative approach to meaning and validity in which they are characterized in terms of *proofs*—understood as objects denoting collections of acceptable inferences from accepted premisses. This is subtle. It is not that one desires a proof system that precisely characterizes the consequences of the logic of interest, but rather that one desires to express the *meaning* of the logical constants in terms of proofs and provability. Indeed, as Schroeder-Heister [33] observes, since no formal system is fixed (only notions of inference) the relationship between semantics and provability remains the same as it has always been—in particular, soundness and completeness are desirable features of formal systems. Essentially, what differs is that *proofs* serve the role of *truth* in model-theoretic semantics. The semantic paradigm supporting P-tS is *inferentialism*—the view that meaning (or validity) arises from rules of inference (see Brandom [5]).

To illustrate the paradigmatic shift from M-tS to P-tS, consider the proposition 'Tammy is a vixen'. What does it mean? Intuitively, it means, somehow, 'Tammy is female' *and* 'Tammy is a fox'. On inferentialism, its meaning is given by the rules,


These merit comparison with the laws governing ∧ in IPL, which justify the sense in which the above proposition is a conjunction:

$$\frac{\varphi \qquad \psi}{\varphi \wedge \psi} \qquad \frac{\varphi \wedge \psi}{\varphi} \qquad \frac{\varphi \wedge \psi}{\psi}$$

There are two major branches of P-tS: proof-theoretic validity (P-tV) in the Dummett-Prawitz tradition (see, for example, Schroeder-Heister [32]) and base-extension semantics (B-eS) in the sense of, for example, Sandqvist [28–30]. The former is a semantics of arguments, and the latter is a semantics of a logic, but both are *proof-theoretic semantics*. This paper is concerned with the latter, as explained below.

Tennant [40] provides a general motivation for P-tV: reading a *consequence* judgement $\Gamma \vdash \varphi$ proof-theoretically—that is, that ϕ follows by some reasoning from Γ—demands a notion of *valid argument* that encapsulates what the forms of valid reasoning are. That is, we must explicate the semantic conditions required for an argument that witnesses

$$\psi\_1, \dots, \psi\_n; \text{ therefore, } \varphi$$

to be valid. A particular motivation comes from the following programmatic remarks by Gentzen [37]:

The introductions represent, as it were, the 'definitions' of the symbols concerned, and the eliminations are no more, in the final analysis, than the consequences of these definitions. This fact may be expressed as follows: In eliminating a symbol, we may use the formula with whose terminal symbol we are dealing only 'in the sense afforded it by the introduction of that symbol'.

Dummett [9] developed a philosophical understanding of the normalization results of Prawitz [25], which give a kind of priority to the introduction rules, that yields a notion of valid arguments. The result is P-tV—see Schroeder-Heister [32] for a succinct explanation.


**Fig. 1.** Sandqvist's Support in a Base

More generally, P-tV is about defining a notion of *validity* of objects witnessing that a formula ϕ follows by some reasoning from a collection of formulae Γ. This is quite different from simply giving an interpretation of proofs from some formal system; for example, while the version of P-tV discussed above is closely related to the BHK interpretation of IPL, it is important to distinguish the semantic and computational aspects—see, for example, Schroeder-Heister [32].

Meanwhile, B-eS proceeds via a judgement called *support* defined inductively according to the structure of formulas with the base case (i.e., the support of atoms) given by proof in a base. A *base* is a set of inference rules over atomic propositions, thought of as defining those atoms—an example is the set of rules above that define 'Tammy is a vixen'. Though this approach is closely related to possible world semantics in the sense of Beth [2] and Kripke [17]—see, for example, Goldfarb [13] and Makinson [18]—it remains subtle. For example, there are several incompleteness results for intuitionistic logics—see, for example, Piecha et al. [20,21,23], Goldfarb [13], Sandqvist [27–30], Stafford [36]. Significantly, a sound and complete B-eS for IPL has been given by Sandqvist [29]. Gheorghiu and Pym [10] have shown that this B-eS captures the declarative content of P-tV.

Sandqvist's B-eS for IPL is the point of departure for this paper. Fix a set of atomic propositions **A**. Given a base *B*, we write ⊢_B p to denote that p ∈ **A** can be derived in *B*. Support in a base *B*—denoted ⊩_B—is defined by the clauses of Fig. 1, in which Γ ≠ ∅. We desire to give an analogous semantics for *intuitionistic multiplicative linear logic* (IMLL). We study this logic as it is the minimal setting in which we can explore how to set up B-eS (and P-tS in general) for substructural logics, which enables extension to, for example, (intuitionistic) Linear Logic [11] and the logic of Bunched Implications [19]. Again, the aim is not simply to give a proof-theoretic interpretation of IMLL, which already exists, but to define the logical constants in terms of proofs.

A compelling reading of IMLL is its resource interpretation, which is inherently proof-theoretic—see Girard [11]. Accordingly, looking at (Inf), we expect that ϕ being supported in a base *B* relative to some multiset of formulas Γ means that the 'resources' garnered by Γ suffice to produce ϕ. We may express this by enriching the notion of support with multisets of resources P and U combined with multiset union—denoted **,** . Then, that the resources garnered by Γ are given to ϕ is captured by the following property:

$$
\Gamma \Vdash^{P}_{\mathcal{B}} \varphi \qquad \text{iff} \qquad \text{for any } \mathcal{C} \supseteq \mathcal{B} \text{ and any } U \text{, if } \Vdash^{U}_{\mathcal{C}} \Gamma \text{, then } \Vdash^{P,U}_{\mathcal{C}} \varphi
$$

Naively, we may define ⊗ as a resource-sensitive version of (∧)—that is, by splitting the available resources between the conjuncts:

$$
\Vdash^{P}_{\mathcal{B}} \varphi \otimes \psi \qquad \text{iff} \qquad \text{there are } P_1, P_2 \text{ such that } P = (P_1 \,,\, P_2), \ \Vdash^{P_1}_{\mathcal{B}} \varphi \text{, and } \Vdash^{P_2}_{\mathcal{B}} \psi
$$
While the semantics is sound, proving completeness is more subtle. We aim to follow the method of Sandqvist [30], for which this clause is not suitable because the following does not hold for IMLL:

$$
\Gamma \vdash \varphi \otimes \psi \quad \text{iff} \quad \text{there are } \Delta\_1, \Delta\_2 \text{ such that } \Gamma = (\Delta\_1, \Delta\_2), \,\Delta\_1 \vdash \varphi, \text{ and } \Delta\_2 \vdash \psi
$$

—a counter-example is the case where Γ is the (singleton) multiset consisting of ϕ ⊗ ψ, which admits no non-trivial partition into smaller multisets. We therefore take a more complex clause, inspired by the treatment of disjunction in IPL, which enables us to prove completeness using the approach by Sandqvist [29].

There is an obvious difference between the B-eS for IPL and its standard possible world semantics by Kripke [17]—namely, the treatment of disjunction (∨) and absurdity (⊥). The possible world semantics has the clause,

$$\mathfrak{M}, x \Vdash \varphi \lor \psi \qquad \text{iff} \qquad \mathfrak{M}, x \Vdash \varphi \text{ or } \mathfrak{M}, x \Vdash \psi$$

If such a clause is taken in the definition of validity in a B-eS for IPL, it leads to incompleteness —see, for example Piecha and Schroeder-Heister [20,21]. To yield completeness, Sandqvist [30] uses a more complex form that is close to the elimination rule for disjunction in natural deduction (see Gentzen [37] and Prawitz [24])—that is,

$$
\begin{array}{rcl}
\Vdash_{\mathcal{B}} \varphi \vee \psi & \text{iff} & \text{for any } \mathcal{C} \supseteq \mathcal{B} \text{ and any } p \in \mathbb{A}, \\
& & \text{if } \varphi \Vdash_{\mathcal{C}} p \text{ and } \psi \Vdash_{\mathcal{C}} p \text{, then } \Vdash_{\mathcal{C}} p
\end{array}
$$

One justification for the clauses is the principle of *definitional reflection* (DR) (see Hallnäs [14,15] and Schroeder-Heister [31]):

whatever follows from all the premisses of an assertion also follows from the assertion itself

Taking the perspective that the introduction rules are definitions, DR provides an answer for the way in which the elimination rules follow. Similarly, it justifies that the clauses for the logical constants take the form of their elimination rules.

Why does the clause for conjunction (∧) not take the form given by DR? What DR gives is the *generalized* elimination rule,

$$\frac{\varphi \wedge \psi \quad \begin{matrix} [\varphi, \psi] \\ \chi \end{matrix}}{\chi}$$

We may modify the B-eS for IPL by replacing (∧) with the following:

(∧∗) ⊩_B ϕ ∧ ψ iff for any *C* ⊇ *B* and any p ∈ **A**, if ϕ, ψ ⊩_C p, then ⊩_C p

We show in Sect. 2.3 that the result does indeed characterize IPL. Indeed, it is easy to see that the generalized elimination rule and usual elimination rule for ∧ have the same expressive power.

Note that we here take the definitional view of the introduction rules for the logical constants of IPL, and not of bases themselves; thus we do not contradict the distinctions made by Piecha and Schroeder-Heister [22,34].

Taking this analysis into consideration, we take the following definition of the multiplicative conjunction that corresponds to the definitional reflection of its introduction rule:

$$
\begin{array}{rcl}
\Vdash^{P}_{\mathcal{B}} \varphi \otimes \psi & \text{iff} & \text{for any } \mathcal{C} \supseteq \mathcal{B} \text{, resources } U \text{, and } p \in \mathbb{A}, \\
& & \text{if } \varphi \,,\, \psi \Vdash^{U}_{\mathcal{C}} p \text{, then } \Vdash^{P,U}_{\mathcal{C}} p
\end{array}
$$

We show in Sect. 4 that the result does indeed characterize IMLL.

The paper is structured as follows: in Sect. 2, we review the B-eS for IPL given by Sandqvist [29]; in Sect. 3, we define IMLL and provide intuitions about its B-eS; in Sect. 4, we formally define the B-eS for IMLL and explain its soundness and completeness proofs. The paper ends in Sect. 5 with a conclusion and summary of results.

#### **2 Base-Extension Semantics for IPL**

In this section, we review the B-eS for IPL given by Sandqvist [29]. In Sect. 2.1, we give a terse but complete definition of the B-eS for IPL. In Sect. 2.2, we summarize the completeness proof. Finally, in Sect. 2.3, we discuss a modification of the treatment of conjunction. While IPL is not the focus of this paper, this review provides intuition and motivates the B-eS for IMLL in Sect. 3. Specifically, the analysis of the treatment of conjunction in IPL motivates the handling of the multiplicative conjunction in IMLL.

Throughout this section, we fix a denumerable set of atomic propositions **A**, and the following conventions: p, q,... denote atoms; P, Q,... denote finite sets of atoms; ϕ, ψ, θ, . . . denote formulas; Γ, Δ,... denote finite sets of formulas.

We forego an introduction to IPL, which is doubtless familiar—see van Dalen [7]. For clarity, note that we distinguish sequents Γ ▷ ϕ from judgements Γ ⊢ ϕ that say that the sequent is valid in IPL.

#### **2.1 Support in a Base**

The B-eS for IPL begins by defining *derivability in a base*. A (properly) second-level atomic rule—see Piecha and Schroeder-Heister [22,34]—is a natural deduction rule of the following form, in which q, q_1, …, q_n are atoms and Q_1, …, Q_n are (possibly empty) sets of atoms:

$$
\frac{\begin{matrix} [Q_1] & & [Q_n] \\ q_1 & \cdots & q_n \end{matrix}}{q}
$$

Importantly, atomic rules are taken *per se* and not closed under substitution. They may be expressed inline as (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q—note, the axiom case is the special case when the left-hand side is empty, ⇒ q. They are read as natural deduction rules in the sense of Gentzen [37]; thus, ⇒ q means that the atom q may be concluded whenever, while (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q means that one may derive q from a set of atoms S if one has derived q_i from S assuming Q_i, for i = 1, …, n.

A *base* is a set of atomic rules. We write *B*,*C* ,... to denote bases, and ∅ to denote the empty base (i.e., the base with no rules). We say *C* is an *extension* of *B* if *C* is a superset of *B*, denoted *C* ⊇ *B*.

**Definition 1 (Derivability in a Base).** *Derivability in a base B is the least relation* ⊢_B *satisfying the following:*

**(Ref-IPL)** S, q ⊢_B q.
**(App-IPL)** If atomic rule (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q is in *B*, and S, Q_i ⊢_B q_i for all i = 1, …, n, then S ⊢_B q.
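The two clauses above amount to a simple inductive search. The following is a minimal Python sketch (an illustrative encoding, not from the paper; the rule representation and the depth bound standing in for a least-fixpoint computation are assumptions):

```python
# A base is a list of atomic rules (Q1 |> q1, ..., Qn |> qn) => q,
# encoded as (premises, q) with premises a tuple of (frozenset, atom) pairs.

def derivable(base, S, q, depth=8):
    """Bounded-depth check of S |-_B q via (Ref-IPL) and (App-IPL)."""
    if q in S:                       # (Ref-IPL): S, q |-_B q
        return True
    if depth == 0:                   # crude bound in place of a least fixpoint
        return False
    for premises, head in base:
        if head == q and all(
            derivable(base, S | Qi, qi, depth - 1)   # (App-IPL): qi from S, Qi
            for Qi, qi in premises
        ):
            return True
    return False

# Example base: 'vixen' follows from the axioms 'female' and 'fox'.
B = [
    ((), "female"),
    ((), "fox"),
    (((frozenset(), "female"), (frozenset(), "fox")), "vixen"),
]
assert derivable(B, frozenset(), "vixen")
assert not derivable(B, frozenset(), "rabbit")
```

Note that, in keeping with (Ref-IPL), redundant hypotheses in S are harmless here; the multiplicative setting of Sect. 4 drops exactly this feature.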

This forms the base case of the B-eS for IPL:

**Definition 2 (Sandqvist's Support in a Base).** *Sandqvist's support in a base B is the least relation* ⊩_B *defined by the clauses of Fig. 1. A sequent* Γ ▷ ϕ *is* valid—*denoted* Γ ⊩ ϕ—*iff it is supported in every base,*

> Γ ⊩ ϕ iff Γ ⊩_B ϕ holds for any *B*

Every base is an extension of the empty base (∅); therefore, Γ ⊩ ϕ iff Γ ⊩_∅ ϕ. Sandqvist [29] showed that this semantics characterizes IPL:

**Theorem 1 (Sandqvist** [29]**).** Γ ⊢ ϕ *iff* Γ ⊩ ϕ

Soundness—that is, Γ ⊢ ϕ implies Γ ⊩ ϕ—follows from showing that ⊩ respects the rules of Gentzen's [37] NJ; for example, Γ ⊩ ϕ and Δ ⊩ ψ implies Γ, Δ ⊩ ϕ ∧ ψ. Completeness—that is, Γ ⊩ ϕ implies Γ ⊢ ϕ—is more subtle. We present the argument in Sect. 2.2 as it motivates the work in Sect. 4.3.

#### **2.2 Completeness of IPL**

We require to show that Γ ⊩ ϕ implies that there is an NJ-proof witnessing Γ ⊢ ϕ. To this end, we associate to each sub-formula ρ of Γ ∪ {ϕ} a unique atom r, and construct a base *N* such that r behaves in *N* as ρ behaves in NJ. Moreover, formulas and their atomizations are semantically equivalent in any extension of *N*, so that support in *N* characterizes both validity and provability. When ρ ∈ **A**, we take r := ρ, but for complex ρ we choose r to be alien to Γ and ϕ.


**Fig. 2.** Atomic System *N*

*Example 1.* Suppose ρ := p ∧ q is a sub-formula of Γ ∪ {ϕ}. Associate to it a fresh atom r. Since the principal connective of ρ is ∧, we require *N* to contain the following rules:

$$
\frac{p \quad q}{r} \qquad \frac{r}{p} \qquad \frac{r}{q}
$$

We may write (p ∧ q)♭ for r, so that these rules may be expressed as follows:

$$
\frac{p \quad q}{(p \wedge q)^{\flat}} \qquad \frac{(p \wedge q)^{\flat}}{p} \qquad \frac{(p \wedge q)^{\flat}}{q}
$$

Formally, given a judgement Γ ⊩ ϕ, to every sub-formula ρ associate a unique atomic proposition ρ♭ as follows:

– if ρ ∉ **A**, then ρ♭ is an atom that does not occur in any formula in Γ ∪ {ϕ};
– if ρ ∈ **A**, then ρ♭ = ρ.

By *unique* we mean that (·)♭ is injective—that is, if ρ ≠ σ, then ρ♭ ≠ σ♭. The left-inverse of (·)♭ is (·)♮, and its domain may be extended to the entirety of **A** by identity on atoms not in the codomain of (·)♭. Both functions act on sets pointwise—that is, Σ♭ := {ϕ♭ | ϕ ∈ Σ} and P♮ := {p♮ | p ∈ P}. Relative to (·)♭, let *N* be the base containing the rules of Fig. 2 for any sub-formulas ρ and σ of Γ and ϕ, and any p ∈ **A**.
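To make the atomization concrete, here is a small Python sketch of the flat map and its left-inverse (a hypothetical encoding; `atomize`, the tuple representation of formulas, and the fresh-atom naming are assumptions, not the paper's notation):

```python
import itertools

def atomize(subformulas, atoms):
    """Assign each sub-formula rho a unique atom: atoms are fixed by the map,
    while complex formulas receive fresh atoms alien to the judgement."""
    fresh = (f"r{i}" for i in itertools.count())
    flat = {}
    for rho in subformulas:
        if rho in atoms:             # rho in A: take rho-flat := rho
            flat[rho] = rho
        else:                        # complex rho: pick a fresh alien atom
            flat[rho] = next(f for f in fresh if f not in atoms)
    natural = {v: k for k, v in flat.items()}    # left-inverse, the natural map
    return flat, natural

# Sub-formulas of p /\ q, with the complex formula as a tuple.
flat, natural = atomize(["p", "q", ("and", "p", "q")], {"p", "q"})
assert flat["p"] == "p"                                   # fixed on atoms
assert natural[flat[("and", "p", "q")]] == ("and", "p", "q")  # left-inverse
```

Injectivity holds because each complex formula consumes a distinct fresh atom, which is exactly what makes the inverse map well defined.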

Sandqvist [29] establishes three claims that deliver completeness:

**(IPL-AtComp)** Let S ⊆ **A** and p ∈ **A** and let *B* be a base: S ⊩_B p iff S ⊢_B p.
**(IPL-Flat)** For any sub-formula ξ of Γ ∪ {ϕ} and *N′* ⊇ *N*: ⊩_N′ ξ♭ iff ⊩_N′ ξ.
**(IPL-Nat)** Let S ⊆ **A** and p ∈ **A**: if S ⊢_N p, then S♮ ⊢ p♮.

The first claim is completeness in the atomic case. The second claim is that ξ♭ and ξ are equivalent in *N*—that is, ξ♭ ⊩_N ξ and ξ ⊩_N ξ♭. Consequently,

> Γ♭ ⊩_N ϕ♭ iff Γ ⊩_N ϕ

The third claim is the simulation statement which allows us to make the final move from derivability in *N* to derivability in NJ.

*Proof (Theorem 1—Completeness).* Assume Γ ⊩ ϕ and let *N* be its bespoke base. By (IPL-Flat), Γ♭ ⊩_N ϕ♭. Hence, by (IPL-AtComp), Γ♭ ⊢_N ϕ♭. Whence, by (IPL-Nat), (Γ♭)♮ ⊢ (ϕ♭)♮, i.e. Γ ⊢ ϕ, as required.

#### **2.3 Base-Extension Semantics for IPL, Revisited**

Goldfarb [13,23] has also given a (complete) proof-theoretic semantics for IPL, but it mimics Kripke's [17] semantics. What is interesting about the B-eS in Sandqvist [29] is the way in which it is *not* a representation of the possible world semantics. This is most clearly seen in (∨), which takes the form of the 'second-order' definition of disjunction—that is,

$$U + V = \forall X \left( (U \to X) \to (V \to X) \to X \right)$$

—see Girard [12] and Negri [41]. This adumbrates the categorical perspective on B-eS given by Pym et al. [26]. Proof-theoretically, the clause recalls the elimination rule for the connective restricted to atomic conclusions,

$$
\frac{\varphi \lor \psi \qquad \begin{matrix} [\varphi] \\ p \end{matrix} \qquad \begin{matrix} [\psi] \\ p \end{matrix}}{p}
$$

Dummett [9] has shown that such restriction in NJ is without loss of expressive power. Indeed, *all* of the clauses in Fig. 1 may be regarded as taking the form of the corresponding elimination rules.
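The 'second-order' definition of disjunction above is the Church encoding of sum types, whose eliminator is exactly the case analysis that the clause (∨) mimics. A minimal Python sketch (illustrative only; the names `inl`, `inr`, and `case` are our own):

```python
# Church-encoded sums: U + V = forall X, (U -> X) -> ((V -> X) -> X).
def inl(u):
    return lambda f, g: f(u)      # left injection

def inr(v):
    return lambda f, g: g(v)      # right injection

def case(s, f, g):
    """Eliminate a sum by supplying one continuation per disjunct."""
    return s(f, g)

assert case(inl(3), lambda x: x + 1, lambda y: y * 2) == 4
assert case(inr(3), lambda x: x + 1, lambda y: y * 2) == 6
```

As with the clause (∨), a sum yields a result of type X only through the two continuations, mirroring quantification over arbitrary atomic conclusions p.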

The principle of *definitional reflection*, as described in Sect. 1, justifies this phenomenon. According to this principle, an alternative candidate clause for conjunction is as follows:

(∧∗) ⊩*_B ϕ ∧ ψ iff for any *C* ⊇ *B* and any p ∈ **A**, if ϕ, ψ ⊩*_C p, then ⊩*_C p

**Definition 3.** *The relation* ⊩*_B *is defined by the clauses of Fig. 1 with* (∧∗) *in place of* (∧)*. The judgement* Γ ⊩* ϕ *obtains iff* Γ ⊩*_B ϕ *for any B.*

The resulting semantics is sound and complete for IPL:

**Theorem 2.** Γ ⊩* ϕ *iff* Γ ⊢ ϕ*.*

*Proof.* We assume the following: for arbitrary base *B*, and formulas ϕ, ψ, χ,

**(IPL∗-Monotone)** If ⊩*_B ϕ, then ⊩*_C ϕ for any *C* ⊇ *B*.
**(IPL∗-AndCut)** If ⊩*_B ϕ ∧ ψ and ϕ, ψ ⊩*_B χ, then ⊩*_B χ.

The first claim follows easily from (Inf). The second is a generalization of (∧<sup>∗</sup>); it follows by induction on the structure of χ—an analogous treatment of disjunction was given by Sandqvist [29].

By Theorem 1, it suffices to show that Γ ⊩* ϕ iff Γ ⊩ ϕ. For this it suffices to show ⊩*_B θ iff ⊩_B θ for arbitrary *B* and θ. We proceed by induction on the structure of θ. Since the two relations are defined identically except in the case when θ is a conjunction, we restrict attention to this case.

First, we show ⊩_B θ₁ ∧ θ₂ implies ⊩*_B θ₁ ∧ θ₂. By (∧∗), the conclusion is equivalent to the following: for any *C* ⊇ *B* and p ∈ **A**, if θ₁, θ₂ ⊩*_C p, then ⊩*_C p. Therefore, fix *C* ⊇ *B* and p ∈ **A** such that θ₁, θ₂ ⊩*_C p. By (Inf), this entails the following: if ⊩*_C θ₁ and ⊩*_C θ₂, then ⊩*_C p. By (∧) on the assumption (i.e., ⊩_B θ₁ ∧ θ₂), we obtain ⊩_B θ₁ and ⊩_B θ₂. Hence, by the induction hypothesis (IH), ⊩*_B θ₁ and ⊩*_B θ₂. Whence, by (IPL∗-Monotone), ⊩*_C θ₁ and ⊩*_C θ₂. Therefore, ⊩*_C p. We have thus shown ⊩*_B θ₁ ∧ θ₂, as required.

Second, we show ⊩*_B θ₁ ∧ θ₂ implies ⊩_B θ₁ ∧ θ₂. It is easy to see that θ₁, θ₂ ⊩*_B θᵢ obtains for i = 1, 2. Applying (IPL∗-AndCut) (setting ϕ = θ₁, ψ = θ₂) once with χ = θ₁ and once with χ = θ₂ yields ⊩*_B θ₁ and ⊩*_B θ₂. By the IH, ⊩_B θ₁ and ⊩_B θ₂. Hence, ⊩_B θ₁ ∧ θ₂, as required.

A curious feature of the new semantics is that the context-former (i.e., the comma) is not interpreted as ∧; that is, defining the context-former as

> ⊩*_B Γ, Δ iff ⊩*_B Γ and ⊩*_B Δ

we may express (Inf) as follows:

Γ ⊩*_B ϕ iff for any *C* ⊇ *B*, if ⊩*_C Γ, then ⊩*_C ϕ

The clause for contexts is not the same as the clause for ∧ in the new semantics. Nonetheless, as shown in the proof of Theorem 2, they are equivalent at every base—that is, ⊩*_B ϕ, ψ iff ⊩*_B ϕ ∧ ψ for any *B*.

This equivalence of the two semantics yields the following:

**Corollary 1.** *For arbitrary base B and formula* ϕ: ⊩_B ϕ *iff, for any* X ⊇ B *and every atom* p, *if* ϕ ⊩_X p, *then* ⊩_X p.

The significance of this result is that formulas in the B-eS are precisely characterized by the atoms they support.

### **3 Intuitionistic Multiplicative Linear Logic**

Having reviewed the B-eS for IPL, we turn now to *intuitionistic multiplicative linear logic* (IMLL). We first define the logic and then consider the challenges of giving a B-eS for it. This motivates the technical work in Sect. 4. Henceforth, we abandon the notation of the previous section as we do not need it and may recycle symbols and conventions.

Fix a countably infinite set **A** of atoms.

**Definition 4 (Formula).** *The set of formulas* (FormIMLL) *is defined by the following grammar:*

$$\varphi, \psi ::= p \in \mathbb{A} \mid \varphi \otimes \psi \mid \mathrm{I} \mid \varphi \multimap \psi$$

We use p, q,... for atoms and ϕ, ψ, χ, . . . for formulas. In contrast to the work on IPL, collections of formulas in IMLL are more typically *multisets*. We use P, Q,... for *finite multisets* of atoms, and Γ, Δ,... to denote *finite multisets* of formulas.


**Fig. 3.** The Sequential Natural Deduction System NIMLL for IMLL

We use [ · ] to specify a multiset; for example, [ϕ, ϕ, ψ] denotes the multiset consisting of two occurrences of ϕ and one occurrence of ψ. The empty multiset (i.e., the multiset with no members) is denoted ∅. The union of two multisets Γ and Δ is denoted Γ**,**Δ. We may identify a multiset containing one element with the element itself; thus, we may write ψ**,**Δ instead of [ψ]**,**Δ to denote the union of the multiset Δ and the singleton multiset [ψ]. Thus, when no confusion arises, we may write ϕ₁**,**…**,**ϕₙ to denote [ϕ₁, …, ϕₙ].
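These conventions can be mirrored directly with Python's `collections.Counter`, which the standard library documents as a multiset (a sketch of the conventions only, not anything in the paper):

```python
from collections import Counter

# [phi, phi, psi]: two occurrences of phi and one of psi.
gamma = Counter(["phi", "phi", "psi"])
delta = Counter(["psi"])

# Multiset union Gamma , Delta adds multiplicities (unlike set union).
assert gamma + delta == Counter({"phi": 2, "psi": 2})

# The empty multiset is the unit of union.
assert gamma + Counter() == gamma

# Identifying a singleton with its element: psi , Delta means [psi] , Delta.
assert Counter(["psi"]) + delta == Counter({"psi": 2})
```

The point of the example is that union is additive: ϕ**,**ϕ is not ϕ, which is exactly the distinction the multiplicative connectives track.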

**Definition 5 (Sequent).** *A sequent is a pair* Γ ϕ *in which* Γ *is a multiset of formulas and* ϕ *is a formula.*

We characterize IMLL by proof in a natural deduction system. Since it is a substructural logic, we write the system in the format of a sequent calculus as this represents the context management explicitly. We assume general familiarity with sequent calculi—see, for example, Troelstra and Schwichtenberg [41].

**Definition 6 (System** NIMLL**).** *The sequential natural deduction system for* IMLL*, denoted* NIMLL*, is given by the rules in Fig. 3.*

A sequent Γ ▷ ϕ is a *consequence* of IMLL—denoted Γ ⊢ ϕ—iff there is an NIMLL-proof of it.

One may regard IMLL as IPL without the structural rules of weakening and contraction—see Došen [8]. In other words, adding the following rules to NIMLL recovers a sequent calculus for IPL:

$$
\frac{\Gamma \rhd \varphi}{\Delta \,,\, \Gamma \rhd \varphi}\ \mathsf{w} \qquad \frac{\Delta \,,\, \Delta \,,\, \Gamma \rhd \varphi}{\Delta \,,\, \Gamma \rhd \varphi}\ \mathsf{c}
$$

To stay close to the work in Sect. 2, it is instructive to consider the natural deduction presentation, too. The rule figures may be the same, but their application is not; for example,

$$
\begin{aligned}
\frac{\varphi \quad \psi}{\varphi \otimes \psi} \quad & \text{means} \quad \text{if } \Gamma \vdash \varphi \text{ and } \Delta \vdash \psi \text{, then } \Gamma, \Delta \vdash \varphi \otimes \psi \\
& \text{(i.e., } \textit{not} \text{ `if } \Gamma \vdash \varphi \text{ and } \Gamma \vdash \psi \text{, then } \Gamma \vdash \varphi \otimes \psi \text{')}
\end{aligned}
$$

Here, it is important that the contexts are multisets, not sets.

The strict context management in IMLL yields the celebrated 'resource interpretations' of Linear Logic—see Girard [11]. The leading example is, perhaps, the number-of-uses reading, in which a proof of a formula ϕ ⊸ ψ determines a function that *uses* its argument exactly once. This reading is, however, entirely proof-theoretic and is not expressed in the truth-functional semantics of IMLL—see Girard [11], Allwein and Dunn [1], and Coumans et al. [6]. Though these semantics do have a sense of 'resource', it is not via the number-of-uses reading, but is instead denotational in the sense of the treatment of resources in the truth-functional semantics of the logic of Bunched Implications [19]. The number-of-uses reading is, however, reflected in the categorical semantics—see Seely [35] and Bierman [3,4].

How do we render support sensitive to the resource reading? The subtlety is that for Γ ⊩ ϕ (where Γ ≠ ∅), we must somehow transmit the resources captured by Γ to ϕ. From Corollary 1, we see that in B-eS the content of a formula is captured by the atoms it supports. Therefore, we enrich the support relation with a multiset of atoms P,

$$
\Gamma \Vdash^{P}_{\mathcal{B}} \varphi \quad \text{iff} \quad \text{for any } \mathcal{X} \supseteq \mathcal{B} \text{ and any } U \text{, if } \Vdash^{U}_{\mathcal{X}} \Gamma \text{, then } \Vdash^{P,U}_{\mathcal{X}} \varphi
$$

where support for a multiset of formulas splits the resources among its elements—that is,

$$
\Vdash^{U}_{\mathcal{X}} \gamma_1 \,,\, \ldots \,,\, \gamma_n \quad \text{iff} \quad \text{there are } U_1, \ldots, U_n \text{ such that } U = (U_1 \,,\, \ldots \,,\, U_n) \text{ and } \Vdash^{U_i}_{\mathcal{X}} \gamma_i \text{ for each } i
$$
This completes the background on IMLL.

## **4 Base-extension Semantics for IMLL**

In this section, we give a B-eS for IMLL. It is structured as follows: first, we define support in a base in Sect. 4.1; second, we prove soundness in Sect. 4.2; finally, we prove completeness in Sect. 4.3.

#### **4.1 Support in a Base**

The definition of the B-eS proceeds in line with that for IPL (Sect. 2) while taking substructurality into consideration.

**Definition 7 (Atomic Sequent).** *An* atomic sequent *is a pair* P ▷ p *in which* P *is a multiset of atoms and* p *is an atom.*

**Definition 8 (Atomic Rule).** *An* atomic rule *is a pair* P ⇒ p *in which* P *is a (possibly empty) finite set of atomic sequents and* p *is an atom.*

**Definition 9 (Base).** *A* base *B is a (possibly infinite) set of atomic rules.*

**Definition 10 (Derivability in a Base).** *The relation* ⊢_B *of* derivability in *B is the least relation satisfying the following:*

**(Ref)** p ⊢_B p


**Fig. 4.** Base-extension Semantics for IMLL

**(App)** *If* Sᵢ**,**Pᵢ ⊢_B pᵢ *for* i = 1, …, n *and* (P₁ ▷ p₁, …, Pₙ ▷ pₙ) ⇒ p ∈ *B, then* S₁**,**…**,**Sₙ ⊢_B p*.*

Note the differences between Definition 1 and Definition 10: first, in (Ref), no redundant atoms are allowed to appear, while in (Ref-IPL) they may; second, in (App), the multisets S₁, …, Sₙ are collected together as a multiset, while in (App-IPL), there is one set. These differences reflect the fact that, in the multiplicative setting, 'resources' can neither be discharged nor shared.
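The contrast with the IPL case can be made concrete in a small Python sketch of multiplicative derivability (a hypothetical bounded-depth encoding of (Ref)/(App), restricted to rules with at most two premises for illustration):

```python
from collections import Counter
from itertools import product

def splits(ms):
    """All ways of splitting a multiset (Counter) into two multisets."""
    items = list(ms.items())
    for counts in product(*[range(n + 1) for _, n in items]):
        left = Counter({a: k for (a, _), k in zip(items, counts) if k})
        yield left, ms - left

def derivable_imll(base, S, p, depth=6):
    """Bounded-depth check of S |-_B p for the multiplicative (Ref)/(App)."""
    if S == Counter([p]):            # (Ref): p |-_B p, no redundant atoms
        return True
    if depth == 0:
        return False
    for premises, head in base:
        if head != p:
            continue
        if not premises:             # axiom => p consumes no resources
            if not S:
                return True
        elif len(premises) == 1:
            (P1, p1), = premises
            if derivable_imll(base, S + Counter(P1), p1, depth - 1):
                return True
        elif len(premises) == 2:     # (App): split S between the premises
            (P1, p1), (P2, p2) = premises
            for S1, S2 in splits(S):
                if (derivable_imll(base, S1 + Counter(P1), p1, depth - 1)
                        and derivable_imll(base, S2 + Counter(P2), p2, depth - 1)):
                    return True
    return False

# Rule ([] |> a, [] |> b) => c: from S1 |- a and S2 |- b conclude S1, S2 |- c.
B = [((((), "a"), ((), "b")), "c")]
assert derivable_imll(B, Counter(["a", "b"]), "c")        # resources exactly used
assert not derivable_imll(B, Counter(["a"]), "c")          # b cannot be invented
assert not derivable_imll(B, Counter(["a", "a", "b"]), "c")  # extra a cannot be dropped
```

The final assertion is precisely the point of (Ref): unlike the IPL sketch of Sect. 2.1, redundant atoms block derivability rather than being silently discarded.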

**Definition 11 (Support).** *That a sequent* Γ ▷ ϕ *is* supported in the base *B* using resources S—*denoted* Γ ⊩^S_B ϕ—*is defined by the clauses of Fig. 4, in which* Γ *and* Δ *are non-empty finite multisets of formulas. The sequent* Γ ▷ ϕ *is* supported using resources S—*denoted* Γ ⊩^S ϕ—*iff* Γ ⊩^S_B ϕ *for any base B. The sequent* Γ ▷ ϕ *is* valid—*denoted* Γ ⊩ ϕ—*iff* Γ ▷ ϕ *is supported using the empty multiset of resources (i.e.,* Γ ⊩^∅ ϕ*).*

It is easy to see that Fig. 4 is an inductive definition on a structure of formulas that prioritizes conjunction (⊗) over implication (⊸)—an analogous treatment in IPL, with disjunction (∨) prioritized over implication (→), has been given by Sandqvist [29]. As explained in Sect. 3, the purpose of the multisets of atoms S in the support relation ⊩^S_B is to express the substructurality of the logical constants. The naive way of using multisets of formulas rather than multisets of atoms—for example, Γ ⊩^Δ_B ϕ iff Γ**,**Δ ⊩_B ϕ—results in an impredicative definition of support.

We read (Inf) as saying that Γ ⊩^S_B ϕ (for Γ ≠ ∅) means, for any extension *X* of *B*, if Γ is supported in *X* with some resources U (i.e., ⊩^U_X Γ), then ϕ is also supported by combining the resources U with the resources S (i.e., ⊩^{S,U}_X ϕ).

The following observation on the monotonicity of the semantics with regard to base extensions follows immediately by unfolding definitions:

**Proposition 1.** *If* Γ ⊩^S_B ϕ *and C* ⊇ *B, then* Γ ⊩^S_C ϕ*.*

From this proposition we see the following: Γ ⊩^S ϕ iff Γ ⊩^S_∅ ϕ, and Γ ⊩ ϕ iff Γ ⊩^∅_∅ ϕ. As expected, we do not have monotonicity on resources—that is, Γ ⊩^S ϕ does not, in general, imply Γ ⊩^{S,T} ϕ for arbitrary T. This exposes the different parts played by bases and resources in the semantics: bases are the setting in which a formula is supported; resources are tokens used in that setting to establish the support.

A distinguishing aspect of support is the structure of (Inf). In one direction, it is merely cut, but in the other it says something stronger. The completeness argument will go through the atomic case (analogous to the treatment of IPL in Sect. 2.2), and the following proposition suggests that the setup is correct:

**Proposition 2.** *The following two propositions are equivalent for arbitrary base B, multisets of atoms* P, S*, and atom* q*, where we assume* P = [p₁, …, pₙ]*:*

1. P ⊩^S_B q;
2. S**,**p₁**,**…**,**pₙ ⊢_B q.
It remains to prove soundness and completeness.

#### **4.2 Soundness**

**Theorem 3 (Soundness).** *If* Γ ϕ*, then* Γ ϕ*.*

The argument follows a typical strategy of showing that the semantics respects the rules of NIMLL—that is, for any Γ, Δ, ϕ, ψ, and χ:

(Ax) ϕ ⊩ ϕ
(⊸I) If Γ**,**ϕ ⊩ ψ, then Γ ⊩ ϕ ⊸ ψ
(⊸E) If Γ ⊩ ϕ ⊸ ψ and Δ ⊩ ϕ, then Γ**,**Δ ⊩ ψ
(⊗I) If Γ ⊩ ϕ and Δ ⊩ ψ, then Γ**,**Δ ⊩ ϕ ⊗ ψ
(⊗E) If Γ ⊩ ϕ ⊗ ψ and Δ**,**ϕ**,**ψ ⊩ χ, then Γ**,**Δ ⊩ χ
(II) ⊩ I
(IE) If Γ ⊩ χ and Δ ⊩ I, then Γ**,**Δ ⊩ χ

These follow quickly from the fact that the clause of each connective in Fig. 4 takes the form of its elimination rule. The only subtle cases are (⊗E) and (IE).

To show (IE), suppose Γ ⊩ χ and Δ ⊩ I. We require to show Γ**,**Δ ⊩ χ. By (Inf), we fix some base *B* and multisets of atoms P and Q such that ⊩^P_B Γ and ⊩^Q_B Δ. It remains to verify ⊩^{P,Q}_B χ. When χ is atomic, this follows immediately from ⊩^P_B χ and ⊩^Q_B I by (I). To handle non-atomic χ, we require the following:

**Lemma 1.** *For arbitrary base B, multisets of atoms* S, T*, and formula* χ*: if 1.* ⊩^S_B I *and 2.* ⊩^T_B χ*, then 3.* ⊩^{S,T}_B χ*.*

This lemma follows by induction on the structure of χ, with the base case given by (I). One cannot use this general form to define I as it would result in an impredicative definition of support.

Similarly, we require the following to prove (⊗E):


**Fig. 5.** Atomic System *M*

**Lemma 2.** *For arbitrary base B, multisets of atoms* S, T*, and formulas* ϕ, ψ, χ*: if 1.* ⊩^S_B ϕ ⊗ ψ *and 2.* ϕ**,**ψ ⊩^T_B χ*, then 3.* ⊩^{S,T}_B χ*.*

With these results, we may prove soundness:

*Proof (Theorem* 3 *—sketch).* We demonstrate (⊗I) and (⊗E).

(⊗I). Assume Γ ⊩ ϕ and Δ ⊩ ψ. We require to show Γ**,**Δ ⊩ ϕ ⊗ ψ. By (Inf), the conclusion is equivalent to the following: for any base *B* and any multisets of atoms T and S, if ⊩^T_B Γ and ⊩^S_B Δ, then ⊩^{T,S}_B ϕ ⊗ ψ. So we fix some *B* and T, S such that ⊩^T_B Γ and ⊩^S_B Δ, and show that ⊩^{T,S}_B ϕ ⊗ ψ. By (⊗), it suffices to show, for arbitrary *C* ⊇ *B*, multiset of atoms U, and atom p, if ϕ**,**ψ ⊩^U_C p, then ⊩^{T,S,U}_C p. So we fix some *C* ⊇ *B*, multiset of atoms U, and atom p such that ϕ**,**ψ ⊩^U_C p; the goal is to show ⊩^{T,S,U}_C p. From the assumptions Γ ⊩ ϕ and Δ ⊩ ψ, we see that ⊩^{S,T}_B ϕ**,**ψ obtains. Therefore, by monotonicity, ⊩^{S,T}_C ϕ**,**ψ obtains. By (Inf), this together with ϕ**,**ψ ⊩^U_C p yields ⊩^{T,S,U}_C p, as required.

(⊗E). Assume Γ ⊩ ϕ ⊗ ψ and Δ**,**ϕ**,**ψ ⊩ χ. We require to show Γ**,**Δ ⊩ χ. By (Inf), it suffices to assume ⊩^S_B Γ and ⊩^T_B Δ and show that ⊩^{S,T}_B χ. First, Γ ⊩ ϕ ⊗ ψ together with ⊩^S_B Γ entails that ⊩^S_B ϕ ⊗ ψ. Second, by (Inf), Δ**,**ϕ**,**ψ ⊩ χ is equivalent to the following:

> for any *X* and P, Q, if ⊩^P_X Δ and ⊩^Q_X ϕ**,**ψ, then ⊩^{P,Q}_X χ

Since ⊩^T_B Δ, setting P := T and Q := S yields

$$
\text{for any } \mathcal{X} \supseteq \mathcal{B} \text{, if } \Vdash^{S}_{\mathcal{X}} \varphi \,,\, \psi \text{, then } \Vdash^{T,S}_{\mathcal{X}} \chi \tag{1}
$$

Now, given ⊩^S_B ϕ ⊗ ψ and (1), we can apply Lemma 2 and conclude ⊩^{S,T}_B χ.

#### **4.3 Completeness**

**Theorem 4 (Completeness).** *If* Γ ϕ*, then* Γ ϕ*.*

The argument follows the strategy used by Sandqvist [29] for IPL—see Sect. 2.2. We explain the main steps.

Let Ξ be the set of all subformulas of Γ ∪ {ϕ}. Let (·)♭ : Ξ → **A** be an injection that is fixed on Ξ ∩ **A**—that is, p♭ = p for p ∈ Ξ ∩ **A**. Let (·)♮ be the left-inverse of (·)♭—that is, p♮ = χ if p = χ♭, and p♮ = p if p is not in the image of (·)♭. Both act on multisets of formulas pointwise; that is, Δ♭ := [δ♭ | δ ∈ Δ] and P♮ := [p♮ | p ∈ P].
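As an illustration only (the paper works purely proof-theoretically, and all names below are ours), the two maps can be sketched in Python: formulas are modelled as strings (atoms) or nested tuples, `make_flat` sends each compound formula in Ξ to a fresh atom while fixing atoms, and `make_nat` is its left-inverse.

```python
# Illustrative only (names ours): formulas as strings (atoms) or nested
# tuples such as ("tensor", "p1", "p2"); flat maps each compound formula in
# Xi to a fresh atom and is fixed on atoms, nat is its left-inverse.
def make_flat(xi):
    table = {}
    for i, formula in enumerate(xi):
        if isinstance(formula, str):      # atoms are fixed: p^flat = p
            table[formula] = formula
        else:                             # fresh atom for each compound formula
            table[formula] = f"#flat{i}"
    return table

def make_nat(flat_table):
    inverse = {v: k for k, v in flat_table.items()}
    return lambda p: inverse.get(p, p)    # atoms outside the image are fixed

xi = ["p1", "p2", ("tensor", "p1", "p2")]
flat = make_flat(xi)
nat = make_nat(flat)
assert flat["p1"] == "p1"                 # fixed on atoms of Xi
assert nat(flat[("tensor", "p1", "p2")]) == ("tensor", "p1", "p2")
assert nat("q") == "q"                    # fixed outside the image
```

The assertions check precisely the two defining properties: (·)♭ is the identity on atoms of Ξ, and (·)♮ undoes (·)♭ while fixing every other atom.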

We construct a base *M* such that ϕ♭ behaves in *M* as ϕ behaves in NIMLL. The base *M* contains all instances of the rules of Fig. 5 when σ and τ range over Ξ, and p ranges over **A**. We illustrate how *M* works with an example.

*Example 2.* Consider the sequent Γ ⊢ ϕ where Γ = [p₁, p₂, p₁ ⊗ p₂ ⊸ q, p₁] and ϕ = q ⊗ p₁. By definition, Ξ := {p₁, p₂, p₁ ⊗ p₂ ⊸ q, p₁ ⊗ p₂, q, q ⊗ p₁}, and, therefore, the image of (·)♭ is {p₁, p₂, q, (p₁ ⊗ p₂ ⊸ q)♭, (p₁ ⊗ p₂)♭, (q ⊗ p₁)♭}.

That Γ ⊢ ϕ obtains is witnessed by the following NIMLL-proof:

$$\dfrac{\dfrac{\dfrac{p_1 \vdash p_1 \qquad p_2 \vdash p_2}{p_1, p_2 \vdash p_1 \otimes p_2}\;\otimes_{\mathrm{I}} \qquad p_1 \otimes p_2 \multimap q \vdash p_1 \otimes p_2 \multimap q}{p_1, p_2, p_1 \otimes p_2 \multimap q \vdash q}\;\multimap_{\mathrm{E}} \qquad p_1 \vdash p_1}{p_1, p_2, p_1 \otimes p_2 \multimap q, p_1 \vdash q \otimes p_1}\;\otimes_{\mathrm{I}}$$

The base *M* is designed so that we may simulate the rules of NIMLL; for example, ⊗E is simulated by using (App) on ⊗♭E,

$$(\varnothing \rhd (\sigma \otimes \tau)^{\flat}),\ (\sigma^{\flat}, \tau^{\flat} \rhd p) \Rightarrow p \quad\text{means}\quad \text{if } \Delta \vdash_{\mathcal{M}} (\sigma \otimes \tau)^{\flat} \text{ and } \Sigma, \sigma^{\flat}, \tau^{\flat} \vdash_{\mathcal{M}} p, \text{ then } \Delta, \Sigma \vdash_{\mathcal{M}} p$$

In this sense, the proof above is simulated by the following steps:


Significantly, steps (i)–(iv) are analogues of the steps in the proof tree above.

Theorem 4 (Completeness) follows from the following three observations, which are counterparts to (IPL-AtComp), (IPL-Flat), and (IPL-Nat) from Sect. 2.2:

**(IMLL-AtComp)** For any $\mathcal{B}$, $P$, $S$, and $q$: $P, S \vdash_{\mathcal{B}} q$ iff $P \Vdash_{\mathcal{B}}^{S} q$.
**(IMLL-Flat)** For any ξ ∈ Ξ, $\mathcal{X} \supseteq \mathcal{M}$, and $U$: $\Vdash_{\mathcal{X}}^{U} \xi^{\flat}$ iff $\Vdash_{\mathcal{X}}^{U} \xi$.
**(IMLL-Nat)** For any $P$ and $q$: if $P \vdash_{\mathcal{M}} q$, then $P^{\natural} \vdash q^{\natural}$.

(IMLL-AtComp) follows from Proposition 2 and is the base case of completeness. (IMLL-Flat) formalizes the idea that every formula ξ appearing in Γ ⊩ ϕ behaves the same as ξ♭ in any base extending *M*. Consequently, $\Gamma^{\flat} \Vdash_{\mathcal{M}} \varphi^{\flat}$ iff $\Gamma \Vdash_{\mathcal{M}} \varphi$. (IMLL-Nat) intuitively says that *M* is a faithful atomic encoding of NIMLL, witnessed by (·)♮. This together with (IMLL-Flat) guarantees that every ξ ∈ Ξ behaves in *M* as ξ♭ does, thus as (ξ♭)♮ = ξ in NIMLL.

*Proof. (Theorem* 4 *—Completeness).* Assume Γ ⊩ ϕ and let *M* be the bespoke base for Γ ⊩ ϕ. By (IMLL-Flat), $\Gamma^{\flat} \Vdash_{\mathcal{M}}^{\varnothing} \varphi^{\flat}$. Therefore, by (IMLL-AtComp), we have $\Gamma^{\flat} \vdash_{\mathcal{M}} \varphi^{\flat}$. Finally, by (IMLL-Nat), $(\Gamma^{\flat})^{\natural} \vdash (\varphi^{\flat})^{\natural}$, namely Γ ⊢ ϕ.

# **5 Conclusion**

Proof-theoretic semantics (P-tS) is the paradigm of meaning in logic based on proof, as opposed to truth. A particular form of P-tS is *base-extension semantics* (B-eS) in which one defines the logical constants by means of a *support* relation indexed by a base—a system of natural deduction for atomic propositions which grounds the meaning of atoms by proof in that base. This paper provides a sound and complete base-extension semantics for *intuitionistic multiplicative linear logic* (IMLL).

The B-eS for IPL given by Sandqvist [29] provides a strategy for the problem. The paper begins with a brief but instructive analysis of this work that reveals *definitional reflection* (DR) as an underlying principle delivering the semantics; accordingly, in Sect. 2.3, the paper modifies the B-eS for IPL to strictly adhere to DR and proves soundness and completeness of the result. Moreover, the analysis highlights that essential to B-eS is a transmission of proof-theoretic content: a formula ϕ is supported in a base *B* relative to a context Γ iff, for any extension *C* of *B*, the formula ϕ is supported in *C* whenever Γ is supported in *C* .

With this understanding of B-eS of IPL, the paper gives a 'resource-sensitive' adaptation by enriching the support relation to carry a multiset of atomic 'resources' that enable the transmission of proof-theoretic content. This captures the celebrated 'resource reading' of IMLL which is entirely proof-theoretic—see Girard [11]. The clauses of the logical constants are then delivered by DR on their introduction rules. Having set up the B-eS for IMLL in this principled way, soundness and completeness follow symmetrically to the preceding treatment of IPL.

To date, P-tS has largely been restricted to classical and intuitionistic propositional logics. This paper provides the first step toward a broader analysis. In particular, the analysis in this paper suggests a general methodology for delivering B-eS for other substructural logics such as, *inter alia*, (intuitionistic) Linear Logic [11] (LL) and the logic of Bunched Implications [19] (BI). While it is straightforward to add the additive connectives of LL, with the evident semantic clauses following IPL and with the evident additional cases in the proofs, it is less apparent how to handle the exponentials. For BI, the primary challenge is to appropriately account for the *bunched* structure of contexts, and to enable and confine weakening and contraction to the additive context-former.

Developing the P-tS for substructural logics is valuable because of their deployment in the verification and modelling of systems. Significantly, P-tS has been shown to be useful in simulation modelling—see, for example, Kuorikoski and Reijula [16]. Of course, more generally, we may ask what conditions a logic must satisfy in order to admit a B-eS.

**Acknowledgements.** We are grateful to Yll Buzoku, Diana Costa, Sonia Marin, and Elaine Pimentel for many discussions on the P-tS for substructural logics, and to Jonte Deakin for his careful reading of and feedback on an earlier draft of this article. Similarly, we would like to thank the reviewers for their helpful comments and remarks.

## **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# The MaxSAT Problem in the Real-Valued MV-Algebra

Zuzana Haniková<sup>1(B)</sup>, Felip Manyà<sup>2</sup>, and Amanda Vidal<sup>2</sup>

<sup>1</sup> Institute of Computer Science of the Czech Academy of Sciences, Prague, Czech Republic

zuzana@cs.cas.cz

<sup>2</sup> Artificial Intelligence Research Institute (IIIA, CSIC), Bellaterra, Spain {felip,amanda}@iiia.csic.es

Abstract. This work addresses the maximum satisfiability (MaxSAT) problem for a multiset of arbitrary formulas of the language of propositional Łukasiewicz logic over the MV-algebra whose universe is the real interval [0,1]. First, we reduce the MaxSAT problem to the SAT problem over the same algebra. This solution method sets a benchmark for other approaches, allowing a classification of the MaxSAT problem in terms of metric reductions introduced by Krentel. We later define an alternative analytic method with preprocessing in terms of a Tseitin transformation of the input, followed by a reduction to a system of linear constraints, in analogy to the earlier approaches of Hähnle and Olivetti. We discuss various aspects of these approaches to solving the problem.

Keywords: Maximum satisfiability · Satisfiability · Łukasiewicz logic · MV-algebra

# 1 Introduction

Satisfiability is a semantic problem: it relates not just to a logic (here, the infinite-valued Łukasiewicz logic), but to a semantics interpreting that logic (here, the MV-algebra on the real unit interval with natural order, called the "standard MV-algebra" and denoted [0, 1]<sup>Ł</sup>).

A propositional formula ϕ(x<sub>1</sub>,...,x<sub>n</sub>) of the language of Łukasiewicz logic is *satisfiable* in an MV-algebra A provided there is an assignment of elements of the universe of A to x<sub>1</sub>,...,x<sub>n</sub> that yields the value 1<sub>A</sub> (i.e., the top element in the lattice order of A). This definition determines, for a given MV-algebra A, a unique set of its satisfiable formulas **SAT**(A). The satisfiability notion extends immediately to a *finite list* of formulas ϕ<sub>1</sub>,...,ϕ<sub>m</sub>, which is satisfiable in A if and only if so is the conjunction of the formulas on the list.<sup>1</sup>

<sup>1</sup> It is important to specify which MV-algebra is considered, since for many infinite MV-algebras <sup>A</sup>, and even many subalgebras of [0, 1]Ł, the set **SAT**(A) is distinct from **SAT**([0, 1]Ł) [16, Theorem 6.6]. Some extant works on satisfiability refer to "infinite-valued Łukasiewicz logic" while in fact working with the algebra [0, 1]Ł.

c The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 386–404, 2023. https://doi.org/10.1007/978-3-031-43513-3\_21

This paper works with the standard MV-algebra [0, 1]<sup>Ł</sup> without mentioning it explicitly from now on; thus we write **SAT** for **SAT**([0, 1]<sup>Ł</sup>) and likewise for the MaxSAT problems considered in this paper. If another algebra, distinct from [0, 1]<sup>Ł</sup>, is considered, it will be indicated explicitly.

The focus of this paper is not on satisfiability, but on maximum satisfiability, an optimization problem (with a natural decision version): given a multiset (i.e., a list) of arbitrary formulas of the language of Łukasiewicz logic, find the *maximum number* among them that can be satisfied under a single assignment, over all assignments. The formulas are not required to be in a normal form. It has been recognized early on by Mundici [22] that formulas of Łukasiewicz logic are a suitable device for *counting*; his paper gives a reduction of the (decision version of) the Boolean MaxSAT problem to the problem **SAT**; see also [25].

The MaxSAT problem for a list of arbitrary formulas over the three-element MV-chain has been addressed in [19], using semantic tableaux; the approach generalizes to other finite MV-chains, but not to MV-chains with infinitely many elements. Earlier results in satisfiability go back to Mundici's proof of the **NP**-completeness of the **SAT** problem, obtained by bounding the denominators of a satisfying assignment. This line of research was continued in [1,2]; see also [27].

Our main contribution, in Sect. 3, consists in showing that the MaxSAT problem can be reduced to the **SAT** problem; this reduction then serves as a benchmark against which to assess the analytic method of Sect. 4. A similar analysis could be performed with any other calculus for the maximum satisfiability problem.

This paper is structured as follows. Section 2 defines the problem and introduces technical tools. Section 3 gives a method for solving the MaxSAT problem in [0, 1]<sup>Ł</sup> based on a Cook reduction of MaxSAT to the **SAT** problem. Section 4 outlines an analytic method with preprocessing via a Tseitin transformation, using a variant of the approach of [12,24], where each branch of a tableau tree ends with solving a system of linear constraints. The method is proved sound and complete. Eliminating the branching of the tree can also be achieved, using established tools.

# 2 Problem Formulation and Preliminaries

The language of propositional Łukasiewicz logic Ł, denoted L(Ł), has two basic connectives: ¬ (negation, unary) and ⊕ (strong disjunction, binary). Other connectives are definable: 1 is x ⊕ ¬x; 0 is ¬1; x ⊙ y is ¬(¬x ⊕ ¬y) (strong conjunction); x → y is ¬x ⊕ y; x ↔ y is (x → y) ⊙ (y → x); x ∨ y is (x → y) → y (weak disjunction); and x ∧ y is ¬(¬x ∨ ¬y) (weak conjunction).

Well-formed formulas of L(Ł) are built up from an infinite set of propositional variables Var = {x<sub>i</sub>}<sub>i∈ℕ</sub> using the connectives of L(Ł). The basic language is a point of reference for complexity considerations; other connectives are used as shortcuts. If ϕ is a formula of L(Ł) in the basic language, |ϕ| denotes the *number of occurrences of* propositional variables in ϕ. Given that ¬¬α ↔ α is a theorem of Ł for any formula α ∈ L(Ł), we will assume double negation does not occur in formulas. With this convention in place, the number of occurrences of connectives in ϕ is bounded by 2|ϕ|. Thus |ϕ| is a good notion of *length* of ϕ. Moreover, ||ϕ|| denotes the number of *distinct* subformulas of ϕ.

MV-algebras can be introduced using Mundici's Γ-functor [10,20]: any MV-algebra is isomorphic to Γ(G, u) for a lattice-ordered Abelian group G with a strong unit u (in particular, define x ⊕ y = u ∧ (x + y) and ¬x = u − x for x, y ∈ G; then Γ(G, u) = ⟨[0, u], ⊕, ¬⟩ is an MV-algebra). The standard MV-algebra [0, 1]<sup>Ł</sup> is Γ(ℝ, 1), interpreting the basic connectives in [0, 1] as follows: for any assignment v, v(¬ϕ) = 1 − v(ϕ) and v(ϕ ⊕ ψ) = min(1, v(ϕ) + v(ψ)). Any assignment to variables of ϕ in language L(Ł) extends to all its subformulas in the interpretation provided by [0, 1]<sup>Ł</sup>; this also determines the notion of satisfiability in [0, 1]<sup>Ł</sup> and the set of satisfiable formulas of [0, 1]<sup>Ł</sup>, denoted **SAT**.

The interpretations of ⊕, ⊙, ∧ and ∨ are commutative and associative, so one can write x<sub>1</sub> ⊕ ··· ⊕ x<sub>n</sub> without worrying about order and parentheses. We write x<sup>n</sup> for x ⊙ ··· ⊙ x (n occurrences) and nx for x ⊕ ··· ⊕ x (n occurrences). Also, ∨ and ∧ distribute over each other, and ⊙ distributes over ∨.
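The interpretation above can be spot-checked numerically; the following minimal sketch (function names ours) encodes the basic and definable connectives of [0, 1]<sup>Ł</sup> and verifies the stated definitions and the distribution of ⊙ over ∨ on a grid of rationals:

```python
# Interpretation of the connectives in [0,1]_Ł (function names ours).
def neg(x): return 1 - x                      # ¬x = 1 - x
def oplus(x, y): return min(1.0, x + y)       # strong disjunction
def odot(x, y): return max(0.0, x + y - 1)    # strong conjunction
def imp(x, y): return min(1.0, 1 - x + y)     # x → y is ¬x ⊕ y
def wdisj(x, y): return max(x, y)             # weak disjunction
def wconj(x, y): return min(x, y)             # weak conjunction

# Spot checks of the defining identities and of ⊙ distributing over ∨:
pts = [i / 10 for i in range(11)]
for x in pts:
    for y in pts:
        assert abs(odot(x, y) - neg(oplus(neg(x), neg(y)))) < 1e-9
        assert abs(wdisj(x, y) - imp(imp(x, y), y)) < 1e-9
        assert abs(wconj(x, y) - neg(wdisj(neg(x), neg(y)))) < 1e-9
        for z in pts:
            assert abs(odot(x, wdisj(y, z)) - wdisj(odot(x, y), odot(x, z))) < 1e-9
```

A grid check is of course no proof, but it makes the min/max/truncated-sum reading of the connectives concrete.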

Unlike the Boolean MaxSAT problem over the two-element Boolean algebra, here we work with *arbitrary* formulas of L(Ł). We formulate both the optimization and the decision version of the MaxSAT problem.

#### MaxSAT-OPT

Instance: a multiset ϕ<sub>1</sub>,...,ϕ<sub>m</sub> of formulas of L(Ł) in variables {x<sub>1</sub>,...,x<sub>n</sub>}.
Output: the maximum integer k ≤ m such that there is an assignment v to {x<sub>1</sub>,...,x<sub>n</sub>} that satisfies at least k formulas in the multiset ϕ<sub>1</sub>,...,ϕ<sub>m</sub>.

#### MaxSAT-DEC

Instance: a multiset ϕ<sub>1</sub>,...,ϕ<sub>m</sub> of formulas of L(Ł) in variables {x<sub>1</sub>,...,x<sub>n</sub>} and a positive integer k ≤ m.

Output: (Boolean) Is MaxSAT-OPT(ϕ<sub>1</sub>,...,ϕ<sub>m</sub>(x<sub>1</sub>,...,x<sub>n</sub>)) at least k?
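For intuition only, the following toy sketch (names ours; a coarse grid scan is *not* a decision procedure for [0, 1]<sup>Ł</sup>) counts the formulas of a multiset satisfied under an assignment and scans for the best count on a one-variable instance:

```python
# Toy illustration only (names ours): counting satisfied formulas under an
# assignment; the grid scan merely illustrates the optimization problem.
def neg(x): return 1 - x
def oplus(x, y): return min(1.0, x + y)

# The multiset [x, ¬x, x ⊕ x] as evaluation functions of one variable:
formulas = [lambda x: x, lambda x: neg(x), lambda x: oplus(x, x)]

def satisfied(forms, x):
    """Number of formulas evaluated to 1 under the assignment x."""
    return sum(1 for f in forms if abs(f(x) - 1.0) < 1e-9)

best = max(satisfied(formulas, i / 10) for i in range(11))
assert best == 2   # x = 1 satisfies x and x ⊕ x; x and ¬x can never both be 1
```

Here MaxSAT-OPT would output 2, and MaxSAT-DEC would answer yes for k ∈ {1, 2} and no for k = 3.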

Let **A** be an integer m×n matrix, **x** an n-vector of variables, and **b** an integer m-vector. The solvability of the system of inequalities **Ax** ≤ **b** in ℝ can be tested in polynomial time [28].

More generally, for the system **Ax** ≤ **b**, one can ask about the maximal size (number of lines) of a subsystem that is solvable in R. This problem is known as the *maximum feasible subsystem* [4] of a system of linear constraints: the solution is a natural number k bounded by m (the total number of lines in the system). This problem is **NP**-hard. We shall refer to this problem as Max-FS problem. Notice that the system is not defined as a set, so the same constraint may appear multiple times.

There are many variants of the Max-FS problem; indeed, many were already suggested in [4]. We will use a variant that partitions the linear constraints into two groups: those that must be satisfied by any feasible solution (often called *hard constraints*; the paper [4] refers to them as "mandatory") and those of which as many as possible are to be satisfied over all feasible solutions (often called *soft constraints*; [4] refers to them as "optional"). This variant of the Max-FS problem will be called Max-FS with hard and soft constraints within this paper.

# 3 Canonical Method

First we give a polynomial-time, many-one (a.k.a. Karp) reduction of MaxSAT-DEC to **SAT**. Our reduction is similar to those used in [25] (which, in turn, refers to [22]) and in [15]. The differences arise from the fact that, in our case, an unsatisfied formula can take any value below 1 (but not necessarily 0), and this needs to be addressed in the definition of the set of formulas in the reduction.

Let ϕ<sub>1</sub>,...,ϕ<sub>m</sub>(x<sub>1</sub>,...,x<sub>n</sub>) and k ≤ m be an instance of MaxSAT-DEC. It is well known that one can implicitly define any rational value in [0, 1]<sup>Ł</sup> with a formula of L(Ł): an early example of suitable formulas can be found in [30]. Let k ≥ 2, let y be a new variable, not among x<sub>1</sub>,...,x<sub>n</sub>, and let

$$\rho_{1/k} := \; y \leftrightarrow \neg((k-1)y)$$

Then we have that ρ<sub>1/k</sub> implicitly defines the rational value 1/k in [0, 1]<sup>Ł</sup> (see, e.g., [25, Lemma 2]): that is, an assignment v in [0, 1]<sup>Ł</sup> sends ρ<sub>1/k</sub> to 1 if and only if it sends y to 1/k. Moreover, the length of this formula is linear in k ≤ m, therefore linear in the size of the input instance.
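This fact can be illustrated numerically (names ours), using the standard Łukasiewicz identities v(¬α) = 1 − v(α), v(nα) = min(1, n·v(α)) and v(α ↔ β) = 1 − |v(α) − v(β)|:

```python
# Numerical illustration (names ours): rho_{1/k} = y <-> ¬((k-1)y), evaluated
# via v(¬a) = 1 - v(a), v(na) = min(1, n·v(a)), v(a <-> b) = 1 - |v(a) - v(b)|.
def rho(k, y):
    return 1 - abs(y - (1 - min(1.0, (k - 1) * y)))

k = 4
assert abs(rho(k, 1 / k) - 1.0) < 1e-9              # value 1 exactly at y = 1/k
assert all(rho(k, y) < 1 - 1e-9 for y in (0.0, 0.1, 0.5, 1.0))
```

For k = 4, the formula takes value 1 at y = 1/4 and a strictly smaller value everywhere else, matching [25, Lemma 2].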

For 1 ≤ i ≤ m, consider a new variable y<sub>i,k</sub> and let Φ<sub>ϕ<sub>i</sub>,k</sub> be the set of formulas

$$\{\ (\varphi_i \leftrightarrow k\, y_{i,k}) \lor \neg y_{i,k}\ ,\ \ (y_{i,k} \leftrightarrow y) \lor \neg y_{i,k}\ \}$$

and let Φ<sub>k</sub> be the list of formulas ⋃<sub>1≤i≤m</sub> Φ<sub>ϕ<sub>i</sub>,k</sub>.

Theorem 1. *The pair* ϕ<sub>1</sub>,...,ϕ<sub>m</sub>(x<sub>1</sub>,...,x<sub>n</sub>) *and* k *with* 2 ≤ k ≤ m *belongs to* MaxSAT-DEC *if and only if the set* {ρ<sub>1/k</sub>} ∪ Φ<sub>k</sub> ∪ {⊕<sup>m</sup><sub>i=1</sub> y<sub>i,k</sub>} *belongs to* **SAT***.*

*Proof.* For the left-to-right direction, assume v to be an assignment satisfying—without loss of generality—the first k formulas of the list. Consider then the assignment v′ that coincides with v on the variables x<sub>1</sub>,...,x<sub>n</sub> and puts v′(y) = 1/k and

$$v'(y_{i,k}) = \begin{cases} 1/k & \text{if } i \le k \\ 0 & \text{otherwise.} \end{cases}$$

The assignment v′ clearly satisfies ρ<sub>1/k</sub>. Next, since v′(y<sub>1,k</sub>) = ... = v′(y<sub>k,k</sub>) = 1/k, also v′(⊕<sup>m</sup><sub>i=1</sub> y<sub>i,k</sub>) = 1. Lastly, the formulas in Φ<sub>k</sub> are satisfied under v′: the formulas (y<sub>i,k</sub> ↔ y) ∨ ¬y<sub>i,k</sub> are trivially satisfied, since each y<sub>i,k</sub> is indeed sent either to 1/k (and hence to v′(y)) or to 0. For the other formulas in Φ<sub>k</sub>: first, v′(ϕ<sub>j</sub>) = 1 and k·v′(y<sub>j,k</sub>) = k·(1/k) = 1 for each 1 ≤ j ≤ k, and v′(¬y<sub>j,k</sub>) = 1 for k < j ≤ m; hence they are all satisfied.

For the right-to-left direction, let v be an assignment satisfying {ρ<sub>1/k</sub>} ∪ Φ<sub>k</sub> ∪ {⊕<sup>m</sup><sub>i=1</sub> y<sub>i,k</sub>}. From Φ<sub>k</sub> and ρ<sub>1/k</sub> we know that v(y<sub>i,k</sub>) is either 1/k or 0. Therefore, for v(⊕<sup>m</sup><sub>i=1</sub> y<sub>i,k</sub>) = 1, necessarily at least k many y-variables are evaluated to 1/k. Assume, again without loss of generality, that v(y<sub>1,k</sub>) = ... = v(y<sub>k,k</sub>) = 1/k. From Φ<sub>k</sub>, we get that v((ϕ<sub>i</sub> ↔ k y<sub>i,k</sub>) ∨ ¬y<sub>i,k</sub>) = 1 for each 1 ≤ i ≤ m. In particular, since v(¬y<sub>j,k</sub>) = 1 − 1/k < 1 for every 1 ≤ j ≤ k, necessarily v(ϕ<sub>j</sub> ↔ k y<sub>j,k</sub>) = 1 for each such j. Together with the previously observed fact that v(y<sub>j,k</sub>) = 1/k for each such j, this implies that v(ϕ<sub>1</sub>) = ... = v(ϕ<sub>k</sub>) = 1, concluding the proof.

For k = 1, it is immediate that ϕ<sub>1</sub>,...,ϕ<sub>m</sub> and k is in MaxSAT-DEC if and only if (...(ϕ<sub>1</sub> ∨ ϕ<sub>2</sub>) ∨ ...) ∨ ϕ<sub>m</sub> is in **SAT**. Given that for m = k = 1 both problems coincide, we get:

#### Corollary 1. *The problem* MaxSAT-DEC *is* **NP***-complete.*

This reduction from MaxSAT-DEC to **SAT** provides a practical approach to the MaxSAT problem in [0, 1]<sup>Ł</sup>, provided that we use a competitive algorithm for solving **SAT** (i.e., the satisfiability problem in [0, 1]<sup>Ł</sup>). We could rely on either of the following two **SAT** solvers, which have been shown to be rather efficient. The first is the tableau-with-constraints method proposed by Hähnle [12], which reduces **SAT** to Mixed Integer Programming (MIP) and can therefore use any available MIP solver. The second is the Satisfiability Modulo Theories (SMT) method proposed by Ansótegui et al., which reduces **SAT** to an SMT satisfiability problem and can use any available SMT solver [6,7,32]. These methods can take advantage of the latest developments and innovations in MIP and SMT solvers, avoiding the need to implement a **SAT** solver from scratch.

A polynomial-time Turing (a.k.a. Cook) reduction of MaxSAT-OPT to MaxSAT-DEC can be given, as we proceed to explain. It is this approach that prompts our referring to this method of solving MaxSAT-OPT as *canonical*, given its wide scope of applicability to optimization problems (see, e.g., [29]). The reduction uses an unspecified algorithm for MaxSAT-DEC as an *oracle*; as usual with oracle computations, any call to the oracle counts as one step in the computation, and under this proviso the oracle computation runs in time polynomial in the input size (Σ<sup>m</sup><sub>i=1</sub> |ϕ<sub>i</sub>|). Indeed, given an instance ϕ<sub>1</sub>,...,ϕ<sub>m</sub>, it is easy to arrive at the optimal value for MaxSAT-OPT using binary search on the discrete, polynomial-size search space {1,...,m} of possible solutions, using at most log m oracle calls. Considering that MaxSAT-DEC is **NP**-complete by Corollary 1, we have the following:

#### Corollary 2. MaxSAT-OPT *is in* **FP<sup>NP</sup>***.*

For this conclusion, it is not important that the oracle solves MaxSAT-DEC; any oracle solving an **NP**-complete problem (an **NP**-oracle) would suit, and indeed one can use any algorithm for **SAT**, relying on Theorem 1. In view of the obvious reduction from MaxSAT-DEC to MaxSAT-OPT, the two problems are equivalent in the sense that if either has a polynomial-time algorithm, so does the other. This is standard, and it is why the decision version of an optimization problem is often considered *in lieu* of the problem as such.
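The binary search underlying the Cook reduction can be sketched as follows (all names ours; the MaxSAT-DEC oracle is mocked by comparing against a hidden optimum `opt`, which stands in for whatever **NP**-oracle is used):

```python
# Sketch of the canonical method (names ours): binary search over {1,...,m}
# with a MaxSAT-DEC oracle; the oracle is mocked via a hidden optimum.
from math import ceil, log2

def maxsat_opt(m, dec_oracle):
    """Largest k in {1,...,m} with dec_oracle(k) true, or 0; counts calls."""
    lo, hi, best, calls = 1, m, 0, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        calls += 1
        if dec_oracle(mid):          # "are at least mid formulas satisfiable?"
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best, calls

m, opt = 100, 37
best, calls = maxsat_opt(m, lambda k: k <= opt)
assert best == opt
assert calls <= ceil(log2(m)) + 1    # logarithmically many oracle calls
```

The search is correct for any monotone oracle (yes up to the optimum, no above it), which is exactly the shape of MaxSAT-DEC answers.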

Can one do better than O(log m) oracle calls? Below, we provide a classification of the problem in terms of Krentel's work [17] that suggests a negative answer, subject to **P** ≠ **NP**. Krentel ranks optimization problems in **FP<sup>NP</sup>** in terms of the number of calls to an **NP**-oracle. For z : ℕ → ℕ a smooth function (i.e., z is non-decreasing and polynomial-time computable in unary representation), **FP<sup>NP</sup>**[z(n)] is the class of functions computable in polynomial time with an **NP**-oracle with at most z(|x|) oracle calls for instance x, where |x| denotes the length of x. By definition, **FP<sup>NP</sup>** coincides with **FP<sup>NP</sup>**[n<sup>O(1)</sup>], since a polynomial-time algorithm can make no more than a polynomial number of oracle calls.

For Σ a finite alphabet, let f, g : Σ<sup>∗</sup> → ℕ. A *metric reduction* [17] from f to g is a pair (h<sub>1</sub>, h<sub>2</sub>) of polynomial-time computable functions, where h<sub>1</sub> : Σ<sup>∗</sup> → Σ<sup>∗</sup> and h<sub>2</sub> : Σ<sup>∗</sup> × ℕ → ℕ, such that f(x) = h<sub>2</sub>(x, g(h<sub>1</sub>(x))) for all x ∈ Σ<sup>∗</sup>. The notion of a metric reduction is a natural generalization of polynomial-time many-one reduction to optimization problems. It follows from the definition that for each smooth function z as above, **FP<sup>NP</sup>**[z(n)] is closed under metric reductions.

Theorem 2. ([17], see also [29]) *Assume* **P** ≠ **NP***. Then* **FP<sup>NP</sup>**[O(log log n)] ⊊ **FP<sup>NP</sup>**[O(log n)] ⊊ **FP<sup>NP</sup>**[n<sup>O(1)</sup>]*.*

Recall that Boolean algebras form a subvariety of MV-algebras. In particular, in any Boolean algebra, the interpretations of the strong and the weak disjunction coincide, as do the interpretations of the strong conjunction and the weak conjunction. When mapping the Boolean connectives to the L(Ł) connectives, we take ¬ for the Boolean negation, ∨ for the Boolean disjunction, and ⊙ for the Boolean conjunction.

Moreover, in every nontrivial MV-algebra A, the set consisting of its bottom element 0<sub>A</sub> and its top element 1<sub>A</sub> is closed under all operations of A, and the subalgebra of A on the universe consisting of these two elements is isomorphic to the two-element Boolean algebra.
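This observation can be checked directly for [0, 1]<sup>Ł</sup> (a minimal sketch, names ours): restricted to inputs in {0, 1}, the interpretations of ¬, ⊙ and ∨ compute classical negation, conjunction and disjunction.

```python
# Sketch (names ours): on {0,1} the Łukasiewicz operations restrict to the
# two-element Boolean algebra.
def neg(x): return 1 - x
def odot(x, y): return max(0, x + y - 1)    # strong conjunction
def wdisj(x, y): return max(x, y)           # weak disjunction

for x in (0, 1):
    assert neg(x) == (1 if x == 0 else 0)   # classical negation
    for y in (0, 1):
        assert odot(x, y) == (x and y)      # classical conjunction
        assert wdisj(x, y) == (x or y)      # classical disjunction
```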

Now let us recall the MaxSAT problem in the two-element Boolean algebra for CNF formulas, given as multisets of clauses.

#### Classical-MaxSAT-OPT

Instance: a multiset C<sub>1</sub>,...,C<sub>m</sub> of Boolean clauses in variables {x<sub>1</sub>,...,x<sub>n</sub>}.
Output: the maximum integer k ≤ m such that there is an assignment v in the two-element Boolean algebra on {0, 1} to {x<sub>1</sub>,...,x<sub>n</sub>} that satisfies at least k clauses.

Krentel [17] proves the following result: Classical-MaxSAT-OPT is complete for **FPNP**[O(log m)] under metric reductions.

We now prepare a few technical tools for eventually giving a metric reduction of Classical-MaxSAT-OPT to MaxSAT-OPT. Following [16, Def. 7.1], consider the language L(Ł) including the definable connectives and define:


#### Lemma 1. ([16, Thm. 7.4])


Lemma 2. *Let* C<sub>1</sub>,...,C<sub>l</sub> *be clauses in* L(Ł) *in variables* {x<sub>1</sub>,...,x<sub>n</sub>}*. Assume* ā ∈ [0, 1]<sup>n</sup> *is such that* C<sub>i</sub>(ā) = 1 *for each* 1 ≤ i ≤ l*. Then there is an element* b̄ ∈ {0, 1}<sup>n</sup> *such that* C<sub>i</sub>(b̄) = 1 *for* 1 ≤ i ≤ l*.*

*Proof.* We construct b̄ from ā in n steps. Let b̄<sub>1</sub> := ā. The j-th step takes b̄<sub>j</sub>, assuming the property that C<sub>i</sub>(b̄<sub>j</sub>) = 1 for each 1 ≤ i ≤ l, and produces b̄<sub>j+1</sub> with the same property, replacing the real value in the j-th coordinate of b̄<sub>j</sub> with a Boolean value (i.e., either a 0 or a 1). Lastly, we set b̄ := b̄<sub>n+1</sub>: all coordinates of b̄ are Boolean.

We describe the j-th step. We simplify notation by writing b̄ for b̄<sub>j</sub>; thus b̄ = ⟨b<sub>1</sub>,...,b<sub>n</sub>⟩. Consider the j-th component of this vector: if b<sub>j</sub> is 0 or 1, we set b̄<sub>j+1</sub> := b̄<sub>j</sub>, whereby the step is finished. If 0 < b<sub>j</sub> < 1, define b̄<sup>0</sup> := ⟨b<sub>1</sub>,...,b<sub>j−1</sub>, 0, b<sub>j+1</sub>,...,b<sub>n</sub>⟩ and b̄<sup>1</sup> := ⟨b<sub>1</sub>,...,b<sub>j−1</sub>, 1, b<sub>j+1</sub>,...,b<sub>n</sub>⟩. By assumption, we have C<sub>1</sub>(b̄) = 1. From Lemma 1, the interpretation of C<sub>1</sub> is a convex function. Now assume that either C<sub>1</sub>(b̄<sup>0</sup>) ≠ 1 or C<sub>1</sub>(b̄<sup>1</sup>) ≠ 1. Then there is a convex combination of C<sub>1</sub>(b̄<sup>0</sup>) and C<sub>1</sub>(b̄<sup>1</sup>) that is strictly below C<sub>1</sub>(b̄) = 1, a contradiction with the convexity fact. We conclude that C<sub>1</sub>(b̄<sup>0</sup>) = C<sub>1</sub>(b̄<sup>1</sup>) = 1. An analogous argument holds for the remaining clauses C<sub>2</sub>,...,C<sub>l</sub>. This means that we can set either b̄<sub>j+1</sub> := b̄<sup>0</sup> or b̄<sub>j+1</sub> := b̄<sup>1</sup>, and we will indeed have C<sub>i</sub>(b̄<sub>j+1</sub>) = 1 for each 1 ≤ i ≤ l.
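The coordinate-by-coordinate rounding in this proof can be sketched as follows (an illustrative implementation, not the paper's; names ours). Clauses are lists of literals `(i, pol)`, interpreted as the maximum of x<sub>i</sub> (if `pol` is true) or 1 − x<sub>i</sub>; the proof shows both roundings of a fractional coordinate work, so trying 0 first always succeeds.

```python
# Illustrative rounding from Lemma 2 (names ours): a clause is a list of
# literals (i, pol); its value under assignment a is the maximum over the
# literal values a[i] (pol=True) or 1 - a[i] (pol=False).
def clause_value(clause, a):
    return max((a[i] if pol else 1 - a[i]) for i, pol in clause)

def round_assignment(clauses, a):
    """Replace fractional coordinates by 0/1 while keeping all clauses at 1."""
    b = list(a)
    for j in range(len(b)):
        if b[j] in (0, 1):
            continue
        for candidate in (0, 1):
            trial = b[:j] + [candidate] + b[j + 1:]
            if all(clause_value(c, trial) == 1 for c in clauses):
                b = trial
                break
    return b

# Clauses x1 ∨ x2 and ¬x3 ∨ x2, satisfied by the real point (1, 0.4, 0):
clauses = [[(0, True), (1, True)], [(2, False), (1, True)]]
a = [1, 0.4, 0]
assert all(clause_value(c, a) == 1 for c in clauses)
b = round_assignment(clauses, a)
assert all(v in (0, 1) for v in b)                      # a Boolean point
assert all(clause_value(c, b) == 1 for c in clauses)    # still satisfying
```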

Theorem 3. MaxSAT-OPT *is complete for* **FP<sup>NP</sup>**[O(log m)] *under metric reductions.*

*Proof.* Containment was obtained in Corollary 2 and the discussion preceding it. We prove hardness. We claim that the metric reduction of Classical-MaxSAT-OPT to MaxSAT-OPT is provided by a pair of *identity functions*. Take an arbitrary instance of the Classical-MaxSAT-OPT problem, namely a multiset C<sub>1</sub>,...,C<sub>m</sub> of Boolean clauses in variables {x<sub>1</sub>,...,x<sub>n</sub>}, and interpret it as a multiset of clauses in L(Ł) (no change in notation is needed, see above). By Lemma 1, the interpretation of each C<sub>i</sub> for i = 1,...,m in [0, 1]<sup>Ł</sup> is a convex function. The convexity of the interpretation is not violated by rewriting each C<sub>i</sub> in the basic connectives of L(Ł); this yields formulas C<sup>∗</sup><sub>1</sub>,...,C<sup>∗</sup><sub>m</sub>. Feed this m-tuple to the algorithm solving MaxSAT-OPT. The output is a natural number k ≤ m, which indicates the maximal number among C<sup>∗</sup><sub>1</sub>,...,C<sup>∗</sup><sub>m</sub> that are simultaneously satisfiable by an assignment in [0, 1]<sup>Ł</sup>. We assume without loss of generality that the first k formulas in the list are satisfied by some assignment; hence so are the first k among C<sub>1</sub>,...,C<sub>m</sub>. By Lemma 2, the same clauses (hence, the same number of clauses) are also simultaneously satisfiable by a *Boolean* assignment. This gives a lower bound on the number of simultaneously satisfiable clauses among C<sub>1</sub>,...,C<sub>m</sub> in {0, 1}. At the same time, the two-element Boolean algebra is a subalgebra of [0, 1]<sup>Ł</sup>, so any assignment in {0, 1}<sup>n</sup> is also an assignment in [0, 1]<sup>n</sup>; therefore, considering that k was the answer of the algorithm solving MaxSAT-OPT, no more than k clauses among C<sub>1</sub>,...,C<sub>m</sub> can be simultaneously satisfiable in {0, 1}, because otherwise k would not be optimal for MaxSAT-OPT. Therefore k is the optimal value.

The binary search algorithm always makes a logarithmic number of oracle calls, no matter what the instance is. Moreover, the complexity analysis as given does not take into account the efficiency of the computations executed by the oracle; all that is known about the oracle is that it correctly decides a particular **NP**-complete problem. Considering the experience obtained with Boolean MaxSAT solvers based on Boolean SAT solvers, there might be alternatives to binary search that turn out to be more efficient in practice, once one departs from the paradigm that emphasizes worst-case complexity. A typical Boolean MaxSAT solver performs a *linear* search, either from unsatisfiable to satisfiable (the core-guided approach), or from satisfiable to unsatisfiable (the model-guided approach) [8,18]. These solvers heavily exploit the fact that the formulas in the multiset are Boolean clauses (i.e., a *normal form* is assumed) and that a SAT solver also returns a satisfying assignment or an unsatisfiable core; moreover, the calls to the SAT solver need not be independent runs. These parallels invite an openness of mind when implementing MaxSAT solvers for Łukasiewicz logic.
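The binary-search strategy discussed above can be sketched as follows. Here `sat_at_least` stands in for the **NP** oracle ("are at least $k$ of the formulas simultaneously satisfiable?"), and `toy_oracle` is a hypothetical brute-force stand-in over two Boolean variables, purely for illustration; neither is part of the paper.

```python
def maxsat_opt(formulas, sat_at_least):
    """Binary search for the MaxSAT optimum with O(log m) oracle calls.

    `sat_at_least(formulas, k)` plays the role of the NP oracle: it
    answers whether some single assignment satisfies at least k of
    the formulas (an assumed stub, not an actual SAT solver).
    """
    lo, hi = 0, len(formulas)            # the optimum lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if sat_at_least(formulas, mid):
            lo = mid                     # at least mid are jointly satisfiable
        else:
            hi = mid - 1                 # fewer than mid are
    return lo

# toy oracle: brute force over Boolean assignments to two variables a, b
def toy_oracle(formulas, k):
    return any(sum(f(a, b) for f in formulas) >= k
               for a in (0, 1) for b in (0, 1))
```

For instance, on the three formulas $a$, $\neg a$, $b$ the search returns 2, since no single Boolean assignment satisfies all three.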

# 4 Tableau-Like Method

#### 4.1 Satisfiability

We first give a decision method for the **SAT** problem, combining several approaches that might be termed *analytic*. **SAT** and its complexity have been investigated in depth [1,2,6,7,9,12,14,16,21,23,26]. In particular, tableau calculi have been proposed in [12,24]. Presenting our decision method for **SAT** serves several goals. It outlines our approach on a problem simpler than MaxSAT-OPT, to be modified in Subsect. 4.2. The complexity of our method for **SAT** can then be used as a lower bound on the complexity of the method for MaxSAT-OPT in Subsect. 4.2. Furthermore, the method, in its variant generating a tree with an exponential number of branches, provides a simple proof that **SAT** is in **NP** and an upper bound on the runtime of a deterministic algorithm for **SAT**.

The method operates in two subsequent stages. The first one is a variant of the Tseitin transformation of an arbitrary formula to a formula in *normal form* [31]; in classical logic, the target normal form is a CNF, while in our case, the target normal form is a system of equations in the language $L(Ł)$. The transformation preserves satisfiability, involves only a polynomial increase in size, and adds new variables. A variant of the transformation was used for testing **SAT** in [9].

Let $\|\varphi\|$ denote the number of pairwise distinct subformulas in $\varphi$.<sup>2</sup> Recall at this point the formula $\rho_{1/k}$ from Sect. 3 and its subformula $(k-1)y$. If the brackets in this subformula nest to the right (or to the left), then $\|(k-1)y\|$ is proportional to $|(k-1)y|$. But if $(k-1)y$ is bracketed as a balanced binary tree, then $\|(k-1)y\|$ is proportional to $\log_2(|(k-1)y|)$.

<sup>2</sup> $\varphi$ is viewed as a string, any subformula is a substring, and subformulas are the same if and only if the strings are. Thus $x \oplus (x \oplus x)$ is distinct from $(x \oplus x) \oplus x$. By convention, $\neg\neg\psi$ does not occur as a subformula for any $\psi$, since $\neg\neg\psi \leftrightarrow \psi$ in Ł.
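The effect of bracketing on $\|\cdot\|$ can be illustrated concretely. The sketch below writes $\oplus$ as `+` inside strings and identifies subformulas by their string renderings, as in footnote 2; the helper names (`mk_nested`, `mk_balanced`, `norm`) are illustrative, not from the paper.

```python
def mk_nested(k):
    # right-nested bracketing of ky: y + (y + (... + y)), k occurrences of y
    t = "y"
    for _ in range(k - 1):
        t = ("+", "y", t)
    return t

def mk_balanced(k):
    # balanced binary-tree bracketing of ky
    if k == 1:
        return "y"
    return ("+", mk_balanced(k // 2), mk_balanced(k - k // 2))

def render(t):
    return t if isinstance(t, str) else f"({render(t[1])}+{render(t[2])})"

def norm(t):
    """||.||: number of pairwise distinct subformulas, where subformulas
    are identified as strings (footnote 2)."""
    seen = set()
    def walk(s):
        if isinstance(s, tuple):
            walk(s[1])
            walk(s[2])
        seen.add(render(s))
    walk(t)
    return len(seen)
```

For $k = 64$ occurrences of $y$, the right-nested form has 64 distinct subformulas, whereas the balanced form has only 7 (one per power-of-two shape), matching the linear versus logarithmic behaviour of $\|\cdot\|$ described above.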

The second stage is a tableau-like procedure that utilizes the system of equations obtained in the first stage as labels for nodes in a rooted linear tree, and expands the nodes using simple rules that translate these equations of <sup>L</sup>(Ł) into linear equations in the reals. Subsequently, each branch is evaluated for solvability in the reals, analogously to [12,24].

The algorithm for **SAT** is given below. The presentation is informal.

**Decision method TŁSAT.** Let $\varphi(x_1,\dots,x_n)$ be an input formula.

- if $x$ is a propositional variable in $\varphi$ and $1 \le i \le l$ and $z_i$ is the variable for $x$, include in **S** the equation

$$x = z_i;$$

- if $\neg\alpha$ is a subformula of $\varphi$ and $1 \le i, j \le l$ and $z_i$ is the variable for $\alpha$ and $z_j$ is the variable for $\neg\alpha$, include in **S** the equation

$$z_j = \neg z_i;$$

- if $\alpha \oplus \beta$ is a subformula of $\varphi$ and $1 \le i, j, k \le l$ and $z_i$, $z_j$, $z_k$ are the variables for $\alpha$, $\beta$, $\alpha \oplus \beta$ respectively, include in **S** the equation

$$z_i \oplus z_j = z_k.$$

Once each item of **L** has been processed, **S** contains equations in the language $L(Ł)$. The number of equations in **S** is $l$.
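The first stage can be sketched as follows; the nested-tuple encoding of formulas and the names `render` and `tseitin_equations` are illustrative assumptions, not part of the paper.

```python
def render(t):
    if isinstance(t, str):
        return t
    if t[0] == "neg":
        return f"(neg {render(t[1])})"
    return f"({render(t[1])} oplus {render(t[2])})"

def tseitin_equations(phi):
    """Stage-one sketch: one fresh z-variable per pairwise distinct
    subformula (string identity, as in footnote 2), and one equation
    in S per item of the subformula list L."""
    index, equations = {}, []

    def visit(t):
        key = render(t)
        if key in index:
            return index[key]
        if isinstance(t, str):                 # atom: x = z_i
            index[key] = i = len(index) + 1
            equations.append(f"{t} = z{i}")
        elif t[0] == "neg":                    # z_j = neg z_i
            sub = visit(t[1])
            index[key] = j = len(index) + 1
            equations.append(f"z{j} = neg z{sub}")
        else:                                  # z_i oplus z_j = z_k
            a, b = visit(t[1]), visit(t[2])
            index[key] = k = len(index) + 1
            equations.append(f"z{a} oplus z{b} = z{k}")
        return index[key]

    visit(phi)
    return equations

# Example 1's formula: ((x ⊕ ¬y) ⊕ ¬(x ⊕ y)) ⊕ ¬(x ⊕ y)
xy = ("oplus", "x", "y")
phi = ("oplus",
       ("oplus", ("oplus", "x", ("neg", "y")), ("neg", xy)),
       ("neg", xy))
```

On Example 1's formula this yields 8 equations, one per distinct subformula; the repeated subformula $\neg(x \oplus y)$ is processed only once.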


<sup>3</sup> This is a convention in favour of clarity of presentation. Avoiding the introduction of new variables for the atoms $x_1,\dots,x_n$ would save $n$ new variables.

<sup>4</sup> The structure of **T** will be linear up to a certain point and binary from there on. This is the case because a) the equations with the x-variables are not expanded, and b) all the equations with ¬ are expanded before any of the equations with ⊕, and the expansion rule for ¬ does not lead to branching. Cf. Example 1.

- If the label of N is marked *active* (contains $\neg$ or $\oplus$), mark it *passive*, and below each leaf of **T**, append a new subtree with labelled nodes using the following expansion rules (one new node per constraint), marking each new label *final*:

$$
\frac{z_i \oplus z_j = z_k}{\begin{array}{c|c} z_i + z_j \le 1 & z_i + z_j \ge 1 \\ z_i + z_j = z_k & z_k = 1 \end{array}}
\qquad\qquad
\frac{z_i = \neg z_j}{z_i = 1 - z_j}
$$

An application of the rule on the left involves branching below each leaf of **T**. The labels in the conclusions of these rules are linear constraints in real numbers. The mark *final* indicates the algorithm leaves them intact. Having processed all nodes of **T**, each branch of **T** defines a system of linear constraints marked *final* in an unambiguous way.
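The expansion stage can be sketched as follows; the tuple encoding of the equations in **S** and the function name `expand_branches` are illustrative choices, not the paper's.

```python
def expand_branches(equations):
    """Stage-two sketch: each ¬-equation z_i = ¬z_j contributes one
    linear constraint to every branch; each ⊕-equation z_i ⊕ z_j = z_k
    splits every branch in two, per the branching rule above."""
    branches = [[]]
    for eq in equations:
        if eq[0] == "neg":                     # ("neg", i, j): z_i = ¬z_j
            _, i, j = eq
            branches = [b + [f"z{i} = 1 - z{j}"] for b in branches]
        else:                                  # ("oplus", i, j, k): z_i ⊕ z_j = z_k
            _, i, j, k = eq
            branches = [b + new
                        for b in branches
                        for new in ([f"z{i} + z{j} <= 1", f"z{i} + z{j} = z{k}"],
                                    [f"z{i} + z{j} >= 1", f"z{k} = 1"])]
    return branches

# the ¬/⊕ system of Example 2: z3 = ¬z1, z4 = ¬z2, z1 ⊕ z4 = z5, z5 ⊕ z3 = z6
eqs = [("neg", 3, 1), ("neg", 4, 2), ("oplus", 1, 4, 5), ("oplus", 5, 3, 6)]
```

With two $\oplus$-equations the tree has $2^2 = 4$ branches, each carrying the two $\neg$-constraints plus two constraints per $\oplus$-equation.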


Typically, in an analytic tableau method (cf. e.g. Hähnle [12]), one starts with a given formula $\varphi$ and decomposes it, taking one occurrence of a connective in each step and expanding the tableau using the given tableau rules. If a subformula of $\varphi$ occurs multiple times in $\varphi$, it is processed multiple times, and each time new variables are introduced with it: cf. e.g. [12, Section 5.1], where new variables $i_1$ and $i_2$ are introduced for each occurrence of an implication. This is a feature of the analytic method. By creating the set of subformulas first, we avoid this and introduce potentially fewer new variables. (Cf. also the introduction in [24]; our method might therefore not qualify as purely analytic.)

*Example 1.* A simple example will illustrate the generation of the tree and the resulting systems of constraints. Consider the formula $((x \oplus \neg y) \oplus \neg(x \oplus y)) \oplus \neg(x \oplus y)$. A list of its subformulas is the following:

$$\langle x,\; y,\; \neg y,\; x \oplus y,\; x \oplus \neg y,\; \neg(x \oplus y),\; (x \oplus \neg y) \oplus \neg(x \oplus y),\; ((x \oplus \neg y) \oplus \neg(x \oplus y)) \oplus \neg(x \oplus y) \rangle$$

In order to present the example in a compact way, we write three initial nodes only: the first with the boundary, target and ground equations; the second with the equations from **S** with the symbol $\neg$; and the third with the equations from **S** with the symbol $\oplus$. Below this, we expand the tree as described by the algorithm. We omit the marks (active, passive, final). We use vertical dots to indicate that the tree to be included in their place is a copy of the one depicted at its side.

<sup>5</sup> The testing procedure is in **P**. For the purpose of testing, one can render each equality $\mathbf{a}\mathbf{x} = \mathbf{b}$ as two inequalities $\mathbf{a}\mathbf{x} \le \mathbf{b}$ and $-\mathbf{a}\mathbf{x} \le -\mathbf{b}$.


Lemma 3. *The expansion rules in step 7 of* TŁSAT *preserve the following invariant: for any assignment* $v$ *of values in* $[0,1]$ *to all* $z$*-variables,* $v$ *satisfies the equation in the premise in the algebra* $[0,1]_Ł$ *if and only if* $v$ *satisfies all constraints in at least one branch in the conclusions of the rule in the algebra* $\mathbb{R}$*.*

*Proof.* Notice that the expansion rules work as a switch between the signature of $L(Ł)$ and the language of real closed fields. (Here, by slight abuse of language, we only differentiate between the two sets of operation symbols, but not the relation symbols.) In both cases the statement is a straightforward consequence of the semantics of the connectives $\neg$ and $\oplus$ in $[0,1]_Ł$. We prove the case for $\oplus$. Top to bottom: let $v$ be an assignment of values in $[0,1]$ to the $z$-variables introduced in step 2, and consider $z_i, z_j, z_k$ s.t. $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_Ł$. Then it must be the case that either $v(z_i) + v(z_j) \le 1$ and $v(z_i) + v(z_j) = v(z_k)$ holds in $\mathbb{R}$, or $v(z_i) + v(z_j) \ge 1$, in which case we also have $v(z_k) = 1$ in $\mathbb{R}$. Bottom to top: again let $v$ be an assignment of values in $[0,1]$ to the $z$-variables. If $v(z_i) + v(z_j) \le 1$ and $v(z_i) + v(z_j) = v(z_k)$ both hold in $\mathbb{R}$, then $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_Ł$. If $v(z_i) + v(z_j) \ge 1$ and $v(z_k) = 1$ in $\mathbb{R}$, then $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_Ł$. This exhausts the possible cases.

Theorem 4. *The method* TŁSAT *is sound and complete for* **SAT***.*

*Proof.* The soundness claim states that whenever the method answers 'yes' on input $\varphi$, there is an assignment $v$ to $x_1,\dots,x_n$ such that $v(\varphi) = 1$. So assume that there is a branch $B$ of **T** such that the system of constraints given by $B$ is solvable under some assignment $v$ to the variables on $B$, and fix $v$. In particular, for $i = 1,\dots,n$, the variable $x_i$ gets the value $v(x_i)$ (notice that each $x_i$ occurs on every branch). The assignment $v$ extends to $\varphi$ in a unique way, and one shows by induction on the structure of $\varphi$, using Lemma 3, that for any subformula $\psi$ of $\varphi$ we have $v(\psi) = v(z_j)$, where $z_j$ with $j \in \{1,\dots,l\}$ is the $z$-variable assigned to $\psi$ in step 2. In particular, $v(\varphi) = 1$.

The completeness claim states that if $v(\varphi) = 1$ for some assignment $v$, then the method yields 'yes' on input $\varphi$. So fix $v$ s.t. $v(\varphi) = 1$. We claim there is a branch of **T** with a solvable system of equations. First produce the full tree **T**. Then assign values to all $z$-variables, starting from those that are names for $x_1,\dots,x_n$, and then inductively on the structure of $\varphi$, using again that $v(\psi) = v(z_j)$ for the $z_j$ assigned to $\psi$ in step 2. This is consistent with the equations obtained in step 3. By abuse of language, call this assignment $v$. The assignment $v$ makes it possible to travel downward from the root of **T** via labelled nodes, using Lemma 3 to show that $v$ satisfies each label: in particular, if **T** branches due to a node with label $z_i \oplus z_j = z_k$, then (assuming the label in the premise is satisfied by $v$) Lemma 3 guarantees that there is at least one branch on which the new (and hence all) labels are satisfied by $v$. Finally a leaf $L$ of **T** is reached: since Lemma 3 was applied at each expansion, and since the boundary and the final constraints clearly hold under $v$, all final constraints on the branch determined by $L$ hold under $v$.

Lemma 4. *The problem* **SAT** *on instance* $\varphi$ *can be solved deterministically by constructing the tree* **T** *and testing the solvability of systems of linear constraints in* $\mathbb{R}$ *on no more than* $2^{\|\varphi\|}$ *branches. Each branch has at most* $4\|\varphi\| + 1$ *constraints and* $\|\varphi\| + n$ *variables.*

*Proof.* Branching of the tree takes place at each occurrence of $\oplus$ in **S**; the number of such occurrences is bounded by $\|\varphi\|$, so the tree has at most $2^{\|\varphi\|}$ branches. Each branch has at most $2\|\varphi\|$ constraints for subformulas, plus $2\|\varphi\|$ boundary constraints, plus a target constraint. (Here we do not consider the possibility of replacing each equation with two inequalities.) Each branch of the tree uses all the variables: the $n$ input variables $x_1,\dots,x_n$ and the $\|\varphi\|$ $z$-variables.

Corollary 3. *The problem* **SAT** *is in* **NP***; in particular, a formula is satisfiable if and only if there is a polynomial-size witness consisting of a tableau branch of the method* TŁSAT *and a matching system of constraints solvable in* $\mathbb{R}$*.*

*Proof.* Since the method TŁSAT is sound and complete for **SAT** by Theorem 4, any satisfiable formula has the following polynomial-size certificate of its own satisfiability in $[0,1]_Ł$: the system of equations in $z$-variables constructed in step 3, and a branch of the tree **T**, defined by a list of instructions specifying which branch to take upon each application of the $\oplus$-rule, combined with a system $C$ of constraints that matches the indicated branchings (in the sense that the equations with $\oplus$ have been expanded according to the specified branch) and such that $C$ is solvable in $\mathbb{R}$. On the other hand, the soundness and completeness theorem also says that an unsatisfiable formula *cannot* have such a certificate.

Furthermore, any decision tree obtained from the above procedure can be linearized, using the methods of [12]. In particular, any instance of the application of the branching rule introduced in step 7 can be replaced by an instance of an application of the following lemma (observing the condition that distinct Boolean variables will be used for distinct instances):

Lemma 5. (Cf. [12, Sect. 5.1], [13, Lemma 6.2.19]) *Assume* $a_1, a_2, a_3 \in [0,1]$*. Then* $a_1 \oplus a_2 = a_3$ *holds in* $[0,1]_Ł$ *if and only if there is a* $y \in \{0,1\}$ *such that all of the following constraints hold in* $\mathbb{R}$*:*

*(i)* $a_1 + a_2 \le 1 + y$ *(ii)* $y \le a_1 + a_2$ *(iii)* $a_3 \le a_1 + a_2$ *(iv)* $a_1 + a_2 \le a_3 + y$ *(v)* $y \le a_3$*.*

*Proof.* Assume $a_1 \oplus a_2 = a_3$ holds in $[0,1]_Ł$. Case 1: $a_1 + a_2 \le 1$; then from the assumption we have $a_1 + a_2 = a_3$. We set $y := 0$. The fact that $a_1, a_2, a_3 \in [0,1]$ implies (ii) and (v); the remaining constraints of the Lemma follow from $a_1 + a_2 = a_3$. Case 2: $a_1 + a_2 > 1$. The assumption implies $a_3 = 1$; we set $y := 1$ and get (v). The fact that $a_1, a_2, a_3 \in [0,1]$ implies (i) and (iv). From $a_1 + a_2 > 1$ we get (ii) and (iii).

Now assume there is a $y \in \{0,1\}$ such that all the constraints listed hold in $\mathbb{R}$. Case 1: $y = 0$. We have (i) $a_1 + a_2 \le 1$ and (iii, iv) $a_3 \le a_1 + a_2 \le a_3$. Hence $a_1 \oplus a_2 = a_3$. Case 2: $y = 1$. We have (v) $1 \le a_3$ and (ii) $1 \le a_1 + a_2$. Hence $a_1 \oplus a_2 = a_3$.
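Lemma 5 can also be checked exhaustively on a small grid of values; the following sketch does so with grid points that are multiples of $1/4$ (exactly representable as binary floats, so the comparisons are exact).

```python
def luk_oplus(a, b):
    # strong disjunction in the standard MV-algebra [0,1]_Ł
    return min(1.0, a + b)

def lemma5_rhs(a1, a2, a3):
    # is there a Boolean y satisfying constraints (i)-(v) of Lemma 5?
    return any(a1 + a2 <= 1 + y and y <= a1 + a2 and a3 <= a1 + a2
               and a1 + a2 <= a3 + y and y <= a3
               for y in (0, 1))

# exhaustive check of the stated equivalence on the grid
grid = [i / 4 for i in range(5)]        # 0, 0.25, 0.5, 0.75, 1
for a1 in grid:
    for a2 in grid:
        for a3 in grid:
            assert (luk_oplus(a1, a2) == a3) == lemma5_rhs(a1, a2, a3)
```

For instance, with $a_1 = 0.5$ and $a_2 = 0.75$ only $a_3 = 1$ admits a witnessing $y$ (namely $y = 1$), in accordance with $0.5 \oplus 0.75 = 1$.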

This modification eventually yields, in step 8, a single MIP problem, which is one of the extant competitive ways to address the **SAT** problem. A major advantage of using a MIP solver is the advanced possibility of applying heuristics, whereas in the simple version above, the only optimization considered is aborting the computation upon finding a branch with a solvable system.<sup>6</sup> That is, by design, the algorithm TŁSAT needs to generate and perhaps eventually test exponentially many systems of equations. However, from the viewpoint of worst-case deterministic complexity, the MIP method does not differ substantially from testing the (possibly exponentially many) branches.

#### 4.2 Maximum Satisfiability

In this Subsection we adapt the previous method to the MaxSAT-OPT problem from Sect. 2. It is easily observed that the usual methods for **SAT**, the method from the previous Subsection among them (even though it easily adapts to testing the joint satisfiability of a list of formulas), are not applicable to MaxSAT-OPT; cf. [19] for a discussion. One problem is that they yield a Boolean value. Taking any satisfiable formula α and considering the m-element list α, . . . , α, for any m > 1,

<sup>6</sup> One might optimize by testing immediately on every generated branch and exiting the computation upon finding one with a solvable system. In our exposition though, we prefer to consider the size of the full decision tree.

clearly a complete method needs to produce the answer m on this input. The tableau approaches of [12,24] use MIP solvers on branches, also returning a Boolean value. Another feature of the method from the previous Subsection is that it considers distinct subformulas as a set; thus any repetition of the same formula in the input list would be obliterated.

These considerations invite the approach of preserving the Tseitin-like procedure of listing equations obtained from the subformulas, but combining it with:


The following algorithm updates the decision method TŁSAT from Subsect. 4.1. To highlight the differences, each step only gives the information that has changed compared to the previous case.

**Optimization method TŁMaxSAT for computing MaxSAT-OPT.** Let $\varphi_1,\dots,\varphi_m$ be a list of formulas in variables $x_1,\dots,x_n$.


<sup>7</sup> Since all equalities are marked hard, any feasible solution to the Max-FS task will need to satisfy all of them. More generally, see [5, Concluding remarks] for handling soft constraints that are equalities.

*Example 2.* Let us consider the list of formulas $\langle (x \oplus \neg y) \oplus \neg x,\; \neg x,\; x \oplus \neg y,\; x \rangle$. A list of its subformulas (according to the definition in step 1) is the following:

$$\langle x, y, \neg x, \neg y, x \oplus \neg y, (x \oplus \neg y) \oplus \neg x \rangle$$

In order to depict the example in a compact way we use the same conventions as in Example 1. Furthermore, we will print in bold the soft constraints.

$$\mathbf{z_6 = 1},\ \mathbf{z_3 = 1},\ \mathbf{z_5 = 1},\ \mathbf{z_1 = 1},\ \{0 \le z_i \le 1\}_{1 \le i \le 6}$$

$$
\begin{array}{c}
z_3 = \neg z_1,\quad z_4 = \neg z_2\\
|\\
z_5 = z_1 \oplus z_4,\quad z_6 = z_5 \oplus z_3\\
|\\
z_3 = 1 - z_1,\quad z_4 = 1 - z_2
\end{array}
$$

$$
\begin{array}{c|c}
\begin{array}{c} z_1 + z_4 \le 1 \\ z_5 = z_1 + z_4 \end{array} &
\begin{array}{c} z_1 + z_4 \ge 1 \\ z_5 = 1 \end{array} \\[2ex]
\begin{array}{c|c} z_5 + z_3 \le 1 & z_5 + z_3 \ge 1 \\ z_6 = z_5 + z_3 & z_6 = 1 \end{array} &
\begin{array}{c|c} z_5 + z_3 \le 1 & z_5 + z_3 \ge 1 \\ z_6 = z_5 + z_3 & z_6 = 1 \end{array}
\end{array}
$$
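For this small example the optimal value can be confirmed by brute force. The sketch below evaluates the four formulas directly in $[0,1]_Ł$ (with $a \oplus b = \min(1, a+b)$ and $\neg a = 1 - a$); the helper names are illustrative, and the grid of multiples of $1/4$ happens to contain the Boolean point $x = y = 0$ at which the optimum is attained here.

```python
def neg(a):
    return 1 - a

def oplus(a, b):
    return min(1, a + b)            # Łukasiewicz strong disjunction on [0,1]

formulas = [
    lambda x, y: oplus(oplus(x, neg(y)), neg(x)),   # (x ⊕ ¬y) ⊕ ¬x
    lambda x, y: neg(x),                            # ¬x
    lambda x, y: oplus(x, neg(y)),                  # x ⊕ ¬y
    lambda x, y: x,                                 # x
]

def maxsat_value(grid):
    # maximum number of formulas sent to 1 by a single assignment on the grid
    return max(sum(f(x, y) == 1 for f in formulas)
               for x in grid for y in grid)

grid = [i / 4 for i in range(5)]    # multiples of 1/4: exact binary floats
```

Here `maxsat_value(grid)` returns 3: at $x = y = 0$ the first three formulas evaluate to 1 (the soft constraints $z_6 = 1$, $z_3 = 1$, $z_5 = 1$), while $x$ and $\neg x$ can never both equal 1.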

Theorem 5. *The method* TŁMaxSAT *is sound and complete for* MaxSAT-OPT*.*

*Proof.* The soundness claim states that whenever the method returns $k \in \mathbb{N}$ on input $\varphi_1,\dots,\varphi_m$, there is an assignment $v$ to the variables $x_1,\dots,x_n$ that satisfies $k$ formulas among $\varphi_1,\dots,\varphi_m$. If TŁMaxSAT returns $k$, that means the tree **T** was constructed with a branch $B$ and a system of constraints given by $B$ that yielded $k$ upon solving the Max-FS problem with hard and soft constraints, and that this was the maximum solution among all branches. Fix an assignment $v$ witnessing this Max-FS solution, and notice that $v$ defines values for $x_1,\dots,x_n$. Using Lemma 3, all hard constraints from the system, in particular all constraints from steps 3, 5 and 8, are satisfied by $v$, and so are $k$ of the target constraints. If $\psi$ is a subformula of some $\varphi_i$ with $i \in \{1,\dots,m\}$, we have $v(\psi) = v(z_j)$ whenever $z_j$ is the $z$-variable assigned to $\psi$, by induction. In particular, from step 7 we have that there are $k$ formulas $\varphi_i$ among $\varphi_1,\dots,\varphi_m$ such that $v(\varphi_i) = 1$.

The completeness claim states that if, for some assignment $v$, there are $k$ items $\varphi_i$ on the list $\varphi_1,\dots,\varphi_m$ such that $v(\varphi_i) = 1$, then the method TŁMaxSAT yields at least $k$ on that instance. So assume that $v(\varphi_i) = 1$ for at least $k$ such items and fix $v$. We claim there is a branch $B$ of **T** with a system of constraints that yields at least $k$ upon solving its instance of the Max-FS problem. First construct the tree **T**. From $v$, we get values for $x_1,\dots,x_n$ and for the $z$-variables that are their names, and, using the equations from step 3, for the remaining $z$-variables. The assignment $v$ indicates a leaf of **T** that defines a branch $B$ via a series of (possibly non-unique) choices on the hard constraints. Since $v(\psi) = v(z_j)$ whenever $\psi$ is a subformula of some $\varphi_i$ with $i \in \{1,\dots,m\}$ and $z_j$ is the $z$-variable assigned to $\psi$, all the hard constraints are satisfied on $B$ under $v$; and since $k$ formulas on input are satisfied by $v$, at least $k$ soft constraints are satisfied as well. Thus the method TŁMaxSAT, which returns a maximum over all branches, yields a value no less than $k$.

To compare the efficiency of the method TŁSAT from Subsect. 4.1 with the method TŁMaxSAT above, we assume a modification of TŁSAT that takes as input a finite list of arbitrary formulas $\varphi_1,\dots,\varphi_m$ and tests their joint satisfiability. Then we obtain comparable trees from both methods, the main difference being in the target constraints. Each branch of the tree obtained from TŁSAT defines a set of constraints whose solvability is in **P**. It is typically not necessary to test solvability on all the branches. On the other hand, if $\varphi_1,\dots,\varphi_m$ is an input to TŁMaxSAT, then on each branch of the generated tree it is indeed necessary to solve the Max-FS problem with hard and soft constraints that the branch defines, because the method eventually takes a maximum over *all* the branches. Moreover, the problem on each branch is **NP**-hard [4]. In this sense, the complexity of the method TŁSAT is a *lower bound* on the complexity of the method TŁMaxSAT as presented above.

One can conceive of optimizing the method TŁMaxSAT by observing that, firstly, the multiset of soft constraints remains the same over all the branches, and secondly, if any subset $S'$ of a set $S$ of hard constraints is unsolvable, then so is $S$. We refrain from pursuing these considerations here, since they are addressed by the methods used in MIP solvers. The following lemma comes in useful.

Lemma 6. *The tree obtained from the* TŁMaxSAT *method can be linearized at the cost of adding at most* $\|\varphi\|$ *Boolean variables. The linearization method does not affect the soft constraints.*

*Proof.* Any branching in step 8 of the algorithm can be replaced by expanding the tree with new nodes (without branching) using Lemma 5. The constraints obtained from the Lemma are all marked *hard*. This step therefore does not impact the set of possible solutions to the hard constraints in the system. The soft constraints are the same on all the branches, therefore the soft constraints in the linearization are well defined.

An extension of the Max-FS problem with Boolean variables among the set of hard constraints can also be rendered as a MIP problem with hard and soft constraints, with the Boolean variables not occurring in the soft constraints. Section 3 gives as a benchmark for MaxSAT-OPT $\log m$ calls to a MIP solver for **SAT** with inputs of size $O(\sum_{i=1}^{m} |\varphi_i| + m^2)$.

# 5 Concluding Remarks and Future Work

Envisaged work on this material will consider finite-valued reductions of the **SAT** problem via upper bounds on denominators [1–3], to obtain a comparison with variants of TŁSAT for deterministic worst-case complexity on arbitrary formulas. Also, it remains to be seen whether upper bounds on denominators (a "small-model theorem", cf., e.g., [11]) can be used to classify the decision version of the above Max-FS problem with Boolean variables among its hard constraints within **FP^NP**, for a conclusive comparison with the canonical approach. Another line of possible work stems from a generalized notion of satisfiability: considering, instead of the MaxSAT family of problems, their MaxSAT$_r$ version, for a rational $r \in (0,1]$, asking for the maximum number of formulas that are assigned a value greater than or equal to $r$ by a single assignment.

Acknowledgements. We thank three anonymous reviewers for their useful and inspiring comments. Haniková was supported by the long-term strategic development financing of the ICS (RVO:67985807) and by mobility grant no. CSIC-20–12 of the Czech Academy of Sciences. Manyà was supported by grants PID2019-111544GB-C21, PID2022-139835NB-C21 and TED2021-129319B-I00 funded by MCIN/AEI/10.13039/501100011033. Vidal was supported by the European Union's Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No. 101027914.

# References



# **Separation Logic**

# **The Logic of Separation Logic: Models and Proofs**

Frank S. de Boer<sup>1,2</sup>, Hans-Dieter A. Hiep<sup>1,2</sup>, and Stijn de Gouw<sup>3</sup>

<sup>1</sup> Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands hdh@cwi.nl

<sup>2</sup> Leiden Institute of Advanced Computer Science (LIACS), Leiden, The Netherlands

<sup>3</sup> Open University (OU), Heerlen, The Netherlands

**Abstract.** The standard semantics of separation logic is restricted to finite heaps. This restriction already gives rise to a logic which does not satisfy compactness; hence it does not allow for an effective, sound and complete axiomatization. In this paper we therefore study both the general model theory and proof theory of the separation logic of finite and infinite heaps over arbitrary (first-order) models. We show that we can express in the resulting logic finiteness of the models and the existence of both countably infinite and uncountable models. We further show that a sound and complete sequent calculus can still be obtained by restricting the second-order quantification over heaps to first-order definable heaps.

# **1 Introduction**

Separation logic [Rey02], in the sequel also referred to as SL, extends first-order logic with the separating connectives of conjunction and implication for reasoning about programs which feature the dynamic allocation of variables that are stored at locations of that part of the memory called the 'heap'. The *separating conjunction* allows one to specify properties of a partition of the heap into two disjoint sub-heaps. The *separating implication* (also called 'the magic wand') allows one to express properties of disjoint extensions of the heap. Both separating connectives involve a second-order quantification over heaps (which are represented by binary relations).
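As a concrete illustration of the quantification over sub-heaps, the following sketch evaluates a separating conjunction over a finite heap by enumerating all partitions into two disjoint sub-heaps; the predicates passed in (`points_to` below) are hypothetical stand-ins for the two conjuncts, and a heap is modelled as a dict from locations to values, i.e. a finitely-based partial map.

```python
from itertools import chain, combinations

def sep_conj(p, q, heap):
    """h |= p * q  iff  heap splits into disjoint h1, h2 with
    h1 |= p and h2 |= q (finite heaps only)."""
    locs = list(heap)
    subsets = chain.from_iterable(
        combinations(locs, r) for r in range(len(locs) + 1))
    for s in subsets:
        h1 = {l: heap[l] for l in s}
        h2 = {l: heap[l] for l in heap if l not in h1}
        if p(h1) and q(h2):
            return True
    return False

# example conjunct: the heap consists of exactly one cell, loc -> val
def points_to(loc, val):
    return lambda h: h == {loc: val}
```

For instance, `10 -> 1 * 20 -> 2` holds on the two-cell heap `{10: 1, 20: 2}`, whereas `10 -> 1 * 10 -> 1` fails on `{10: 1}`: the single cell cannot be split between both conjuncts, reflecting the disjointness requirement.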

In this paper we study both the model theory and the proof theory of SL. The standard model of SL (as introduced in [Rey02]) extends the standard model of arithmetic with the so-called 'points-to' relation which provides a formalization of the heap in terms of the *graph* of a *finitely-based partial function*. This function assigns to each location of the heap its stored value, or is undefined if the location is not allocated. In the standard semantics of SL (here also called *weak* SL), the domains of heaps are finite, that is, only finitely many locations are allocated. Reasoning about finite heaps however requires an *infinitary* logic because the logic of finite heaps, and that of finite model theory in general, does not satisfy the compactness property: it is straightforward to express for each natural number that the domain of the heap contains at least that number of elements. It follows that every finite subset of this infinite set of sentences is satisfiable, but clearly no finite heap satisfies the entire set.

To study the general model and proof theory of *full* SL<sup>1</sup> we (1) extend its semantics to arbitrary first-order models and (2) generalize the notion of a heap to a partial function on the underlying domain of the given (first-order) model: no restrictions are imposed on the cardinality of the domain of a heap, in contrast to weak SL, which restricts to finite heaps. Our main model-theoretic results are that in this general setting we can express: (1) finiteness of models, (2) well-foundedness of the points-to relation, and (3) existence of countably infinite and uncountable models. As a consequence, full SL satisfies neither compactness nor the downward and upward Löwenheim-Skolem theorems (see [CK13]). Non-compactness implies that there does not exist an effective, sound and complete proof theory for SL. In fact, we will show that the well-foundedness of the points-to relation can already be expressed in full SL using only separating conjunction. Consequently, full SL without separating implication is already non-compact. For full SL without separating implication in which separating conjunction only occurs positively, the fragment which we call separation logic light (SLL), we do have compactness of satisfiability, but the semantic consequence relation is not compact and therefore also does not allow for an effective, sound and complete proof theory.

The question thus arises whether there exists an *alternative* interpretation of SL that does allow for an effective, sound and complete proof theory. Clearly, the main complexity of SL stems from the (second-order) quantification over heaps (or sub-heaps, as in the case of the separating conjunction). For second-order logic a sound and complete axiomatization can be obtained by generalizing its semantics by means of so-called *general models*. Such models extend first-order models with a set of possible interpretations of the second-order variables. For example, instead of interpreting a monadic predicate over *all* possible subsets of the given first-order domain, a general model restricts its interpretation to a given set of such subsets. This generalization of the semantics of second-order logic allows for a sound and complete axiomatization by restricting to so-called Henkin models. A Henkin model is a general model for second-order logic which additionally satisfies the comprehension axiom

$$\exists R\, \forall x_1, \dots, x_n \big(R(x_1, \dots, x_n) \leftrightarrow \phi(x_1, \dots, x_n)\big)$$

for any second-order formula $\phi(x_1,\dots,x_n)$ which does not contain the $n$-ary relation symbol $R$. In the *arithmetic* comprehension axiom, $\phi(x_1,\dots,x_n)$ is first-order.

Generalizing the semantics of SL accordingly in terms of a given set of possible heaps, which does not necessarily contain *all* heaps, we can formulate in SL the following version of the arithmetic comprehension axiom

$$\Diamond\big(\forall x, y\, ((x \hookrightarrow y) \leftrightarrow \phi(x, y))\big)$$

<sup>1</sup> Here we adopt the terminology for second-order logic [Vää01], where the semantics of *full* second-order logic does not impose any restrictions on the *cardinality* of the interpretation of the predicates/relations, in contrast to *weak* second-order logic which restricts to *finite* interpretations (of the predicates/relations).

which expresses the existence of a heap whose *graph*, as denoted by the points-to relation ↪, satisfies the 'pure' first-order formula $\phi(x, y)$ (i.e., $\phi$ involves neither the separating connectives nor the points-to relation). The $\Diamond$ modality (formally defined in Sect. 3) expresses the existence of a heap which satisfies the associated formula. Such an instance of the arithmetic comprehension axiom holds if there exists a heap which is characterized by the formula $\phi(x, y)$. We cannot generalize this axiom to arbitrary SL formulas because it is not obvious how to avoid contradictions like $\Diamond(\forall x, y((x \hookrightarrow y) \leftrightarrow \neg(x \hookrightarrow y)))$. Simply requiring that the points-to relation does not occur in $\phi(x, y)$ does not work because the separating connectives implicitly refer to it. Therefore, we introduce a new interpretation of SL that restricts the (second-order) quantification to *first-order definable* heaps. For this new interpretation we introduce a *sequent calculus* which is sound and complete. The completeness proof is based on the construction of a model for a *consistent* theory (a theory from which false is not derivable), following [Hen49]. From the completeness proof we further derive that this new interpretation satisfies both compactness and the downward Löwenheim-Skolem theorem. By the seminal theorem of Lindström we then infer that this new interpretation is as expressive as first-order logic.

*Related Work.* The model theory of SL has focused mainly on finite heaps. For example, the computability and complexity results in [CYO01] depend on this assumption. Surprisingly, in [BDL12] the authors show that *weak* SL is as expressive as *weak* second-order logic [Man96], which is a semantics of second-order logic where quantification is restricted to finite relations. In [DD16] this result is further refined by the restriction to two variables and the separating implication (no separating conjunction), which still is as expressive as weak second-order logic. In [EIP20] the satisfiability problem for SL with k record fields has been studied for finite heaps, but over arbitrary first-order models. A tableaux method for a propositional fragment of SL, proven sound and complete, has been developed in [GM10]. Extensions to first-order SL are discussed assuming finite heaps. In fact, the tableaux method introduced is based on a labelling mechanism for encoding finite heap structures.

In contrast, when investigating complete proof systems for SL the assumption of the finiteness of heaps has to be dropped, thus allowing for infinite heaps, because, as already observed above, finiteness leads to non-compactness. Our general model theory shows that this generalization of SL, *full* SL, is also non-compact, and therefore does not allow for a finitary sound and complete logic either. Consequently, to obtain such a logic one either has to syntactically restrict SL or further abstract or generalize its semantics. In [DLM21], for example, a sound and complete sequent calculus is described for a quantifier-free subset of SL. On the other hand, examples of further abstractions and generalizations are [HT16] and [Pym02], both of which describe a finitary logic which is sound and complete. In [Pym02], models are based on very general preordered commutative monoids and there is no points-to relation. In [HT16], special commutative monoids called *separation algebras* are used to give semantics to the separating connectives. The elements of such separation algebras represent heaps as relations on the underlying (first-order) domain. This allows for a standard set-theoretic interpretation of the points-to relation. However, the semantics of separating conjunction is defined in terms of the abstract monoid, and as such is decoupled from the set-theoretic interpretation of the points-to relation. For example, a first-order specification (using plain conjunction) of an enumeration of the elements of the domain of a (finite) heap *as a set* does not in general correspond to an enumeration using separating conjunction.

A sound and complete axiomatization of the points-to relation in the general context of first-order SL *respecting its standard set-theoretic interpretation* thus remains a main challenge.

Second-order logic allows for a straightforward translation of the (weak or full) semantics of SL, and one can use second-order logic to reason about validity in SL. This approach is followed, for example, by the IRIS project [JKJ+18], which formalizes the semantics of weak SL in the higher-order logic of Coq [HH14]. By restricting the semantics of the separating connectives to (first-order) definable heaps, our approach instead transforms a *compositional* second-order logical description of the semantics of SL into corresponding rules of a standard first-order sequent calculus. The resulting calculus allows us to reason, in a natural manner, in first-order logic about the (hierarchical) heap structures generated by the rules for the separating connectives. As such it does not involve the additional tree structures of the so-called *bunched contexts* of the sequent calculi of [HT16] and [Pym02]. Also [Kri08] avoids the use of bunched contexts in a modal sequent calculus for propositional SL, which is proven sound. However, it is incomplete because it provides limited support for equational reasoning about the modal contexts (so-called 'worlds') associated with the SL formulas.

*Plan of the Paper.* In the next section we introduce the syntax and semantics of full SL. In Sect. 3 we investigate the expressiveness of full SL. Section 4 introduces a restriction of the semantics to definable heaps. In Sect. 5 we introduce the sequent calculus, and discuss soundness and completeness. Finally, in the conclusion section we wrap up, and discuss some future work.

# **2 Separation Logic**

In this section we introduce the syntax of SL and define its classical semantics with respect to arbitrary first-order models. For an intuitive introduction to separation logic, see [Rey05]. Given a first-order signature of function and predicate symbols<sup>2</sup> and a countably infinite set of first-order variables $x, y, z, \dots$, the first-order terms of this signature are denoted by $t, t', \dots$.

We have the following inductive definition of formulas of separation logic.

**Definition 1 (Syntax of SL).** *We define*

$$p ::= (t_1 = t_2) \mid R(t_1,\dots,t_n) \mid (\neg p) \mid (p \wedge q) \mid \exists x(p) \mid (p * q) \mid (p \mathbin{-\!\!*} q)$$

<sup>2</sup> We allow for a countably infinite set of such symbols.

*where* $R$ *is an* $n$*-ary relation symbol. As a special case we have the binary 'points-to' relation symbol* ↪ *(also called the weak/loose points-to).*

Let $M = (D, I)$ denote a first-order model, where $D$ denotes the non-empty domain and $I$ provides an interpretation of the function and predicate symbols as functions and relations over $D$. A valuation $s$ assigns elements of the domain $D$ of $M$ to the first-order variables $x, y, z, \dots$. We omit the standard inductive definition of the value $I_s(t)$ of a term $t$. Given a model $M = (D, I)$, we denote by $M, h, s \models p$ that $p$ holds in the model $M$, under the interpretation $h \subseteq D \times D$ of the binary relation symbol ↪, where $h$ denotes a so-called *heap*, represented as the graph of a *partial function* with *finite domain*.

**Definition 2 (Semantics of SL).** *We have the following main cases:*

*–* $M, h, s \models (t \hookrightarrow t')$ *if and only if* $\langle I_s(t), I_s(t')\rangle \in h$,
*–* $M, h, s \models (p * q)$ *if and only if* $M, h_1, s \models p$ *and* $M, h_2, s \models q$, *for some heaps* $h_1$ *and* $h_2$ *such that* $h_1 \perp h_2$ *and* $h = h_1 \cup h_2$,
*–* $M, h, s \models (p \mathbin{-\!\!*} q)$ *if and only if* $M, h \cup h', s \models q$ *for every heap* $h'$ *such that* $h' \perp h$ *and* $M, h', s \models p$.

*Other cases are the Tarski-style semantics of classical logic [Yan01, Table 5.2].*

In the above definition we use the set-theoretic operation of *union* of binary relations as sets of pairs. On the other hand, by $h_1 \perp h_2$ we denote that the *domains* of the relations $h_1$ and $h_2$ are *disjoint*<sup>3</sup>. As such, we can introduce the strict/tight points-to relation ↦ of SL, defined by $M, h, s \models t \mapsto t'$ if and only if $h = \{\langle I_s(t), I_s(t')\rangle\}$, as a derived concept: it can be expressed by $(t \hookrightarrow t') \wedge \forall x, y((x \hookrightarrow y) \rightarrow (x = t \wedge y = t'))$. The concept **emp** of the empty heap can also be expressed, by $\forall x, y\,\neg(x \hookrightarrow y)$. *Intuitionistic* SL only allows for the weak/loose points-to relation. The strict version cannot be expressed in intuitionistic SL because of its *monotonicity* property: the truth of a formula is preserved by extensions of the domain of the heap [Rey00]. In this article we focus on classical separation logic only.

Let $(x_i \hookrightarrow -)$ abbreviate $\exists y(x_i \hookrightarrow y)$. The sentences $\phi_n$ defined by

$$\exists x_1, \dots, x_n ((x_1 \hookrightarrow -) * \dots * (x_n \hookrightarrow -))$$

then state that there exist at least $n$ allocated elements of the underlying domain of the given first-order model. Note that the semantics of the separating conjunction implies that $x_i \neq x_j$ for $i \neq j$. It is also possible to formulate the same property using propositional conjunction instead of separating conjunction by explicitly stating this fact, namely that the variables are not aliases. Now collect all $\phi_n$ in a set. Clearly, every finite subset of this set of sentences is satisfied by a finite heap, but there does not exist a finite heap satisfying all these sentences.

<sup>3</sup> The domain of an arbitrary relation $R \subseteq D \times D$ is the set of $d \in D$ for which there exists a $d' \in D$ such that $\langle d, d'\rangle \in R$. Note that for heaps, $h_1 \perp h_2$ is equivalent to $h_1 \cap h_2 = \emptyset$.

This simple counterexample to compactness provides the basic motivation to study the above semantics of SL extended to unbounded heaps, i.e. heaps which potentially have an infinite domain.
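The counterexample can be made concrete with a small model checker. The following Python sketch evaluates the separating conjunction over finite heaps by enumerating all domain-disjoint splits, and builds $\phi_n$ by iterating ∗; the dictionary encoding of heaps and all function names are our own illustrative choices, not part of the paper.

```python
from itertools import combinations

def splits(heap):
    """All ways to split a finite heap h into h1, h2 with disjoint domains."""
    locs = list(heap)
    for r in range(len(locs) + 1):
        for dom1 in combinations(locs, r):
            h1 = {l: heap[l] for l in dom1}
            h2 = {l: v for l, v in heap.items() if l not in h1}
            yield h1, h2

def star(p, q):
    """Semantics of p * q over finite heaps: some split satisfies both."""
    return lambda h: any(p(h1) and q(h2) for h1, h2 in splits(h))

alloc = lambda h: len(h) >= 1        # ∃x (x ↪ -): some location is allocated

def phi(n):                          # φ_n = ∃x1..xn ((x1 ↪ -) * ... * (xn ↪ -))
    return alloc if n == 1 else star(alloc, phi(n - 1))

h = {0: 1, 1: 2, 2: 3}               # a heap with three allocated locations
assert all(phi(n)(h) for n in range(1, 4))  # any finite subset of {φ_n} is satisfiable
assert not phi(4)(h)                 # but no finite heap satisfies every φ_n
```

Since each conjunct claims an allocated location in its own disjoint sub-heap, $\phi_n$ holds exactly when at least $n$ locations are allocated.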

Further, for technical convenience only, we generalize the semantics to arbitrary *binary relations*. For an arbitrary (binary) relation $R \subseteq D \times D$ on the underlying domain $D$ of the given first-order model, we define $M, R, s \models p$ as above, where the interpretation of the separating connectives ranges over arbitrary subsets of $D \times D$. In fact, in this generalized semantics, which we call *relational* SL, we can model the restriction to heaps simply by *syntactically* restricting the separating implication to assertions of the form $(p \wedge \mathit{fun}) \mathbin{-\!\!*} q$, where $\mathit{fun}$ denotes the assertion $\forall x, y, z((x \hookrightarrow y \wedge x \hookrightarrow z) \rightarrow y = z)$. Let $\overline{p}$ denote the result of syntactically restricting all occurrences of the separating implication in $p$ to heaps (as described above). It follows that the evaluation of $\overline{p} \wedge \mathit{fun}$ is restricted to heaps.
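The assertion *fun* is just functionality of the points-to graph. A quick illustration, with relations encoded as Python sets of pairs (our own encoding, for illustration only):

```python
def is_heap(R):
    """fun: ∀x,y,z ((x ↪ y ∧ x ↪ z) → y = z), i.e. R is the graph of a
    partial function: at most one value per location."""
    return all(y == z for (x, y) in R for (u, z) in R if x == u)

assert is_heap({(1, 2), (3, 4)})      # a heap: each location maps uniquely
assert not is_heap({(1, 2), (1, 3)})  # location 1 has two values: not a heap
```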

It is worthwhile to observe here that there exists a straightforward formalization of relational SL in second-order logic. For any formula $p$ as defined above we inductively define the second-order formula $p(R)$, where $R$ is a binary relation variable.

#### **Definition 3 (Logical formalization of relational SL).**

*We have the following main cases.*

*–* $(t \hookrightarrow t')(R) = R(t, t')$,
*–* $(p * q)(R) = \exists R_1, R_2(R = R_1 \uplus R_2 \wedge p(R_1) \wedge q(R_2))$,
*–* $(p \mathbin{-\!\!*} q)(R) = \forall R_1, R_2((R_2 = R_1 \uplus R \wedge p(R_1)) \rightarrow q(R_2))$.

Here we denote by $R = R_1 \uplus R_2$, for any binary relation symbols $R, R_1, R_2$, the conjunction of the formulas $\forall x, y(R(x, y) \leftrightarrow (R_1(x, y) \vee R_2(x, y)))$ and $\forall x, y, z(\neg R_1(x, y) \vee \neg R_2(x, z))$. We denote by $M, s \models \phi$ the standard truth definition of a second-order formula $\phi$, where the valuation $s$ additionally interprets the second-order variables. Correctness of this translation, that is, $M, \mathcal{R}, s \models p$ if and only if $M, s[R := \mathcal{R}] \models p(R)$ (where $s[R := \mathcal{R}]$ denotes the update of $s$ which assigns to the binary variable $R$ the relation $\mathcal{R}$), can be established by a straightforward induction on $p$.
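The side condition $R = R_1 \uplus R_2$ is ordinary set-theoretic union plus disjointness of *domains*. A minimal check of this condition (names and encoding are ours, purely illustrative):

```python
def dom(R):
    """Domain of a binary relation given as a set of pairs."""
    return {a for (a, _) in R}

def is_split(R, R1, R2):
    """R = R1 ⊎ R2: R is the union of R1 and R2 as sets of pairs,
    and the domains of R1 and R2 are disjoint."""
    return R == R1 | R2 and not (dom(R1) & dom(R2))

assert is_split({(1, 2), (3, 4)}, {(1, 2)}, {(3, 4)})
assert not is_split({(1, 2), (1, 3)}, {(1, 2)}, {(1, 3)})  # domains overlap at 1
```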

#### **3 Model Theory: Compactness and Countability**

To explore the general model theory of SL we introduce the modalities $\Box p$ and $\boxdot p$ as abbreviations of $\mathbf{true} * (\mathbf{emp} \wedge (\mathbf{true} \mathbin{-\!\!*} p))$ and $\neg(\mathbf{true} * \neg p)$, respectively<sup>4</sup>. For $M = (D, I)$ we have $M, R, s \models \Box p$ if and only if $M, R', s \models p$, for *every* $R' \subseteq D \times D$. Further, we have $M, R, s \models \boxdot p$ if and only if $M, R', s \models p$, for *every* sub-relation $R'$ of $R$ (that is, $R' \subseteq R$). By $\Diamond p$ we denote the formula $\neg\Box\neg p$. It follows that $M, R, s \models \Diamond p$ if and only if $M, R', s \models p$, for *some* $R' \subseteq D \times D$.

*Characterizing Finite Models.* The above $\Box$-modality allows us to express that the domain $D$ of a model $M = (D, I)$ is finite, by asserting that every injective

<sup>4</sup> We note that these two modalities correspond, respectively, to $\Box$ and ♦ in [HT16]. However, in [HT16] they are introduced not as abbreviations but as *primitive* concepts.

function $f : D \rightarrow D$ is a surjection. Let $\mathit{inj}$ be the conjunction of the formulas $\mathit{fun}$ (as defined above), $\forall x, y, z((x \hookrightarrow z \wedge y \hookrightarrow z) \rightarrow x = y)$, and $\forall x\exists y(x \hookrightarrow y)$. We have that $M, R, s \models \mathit{inj}$ if and only if $R : D \rightarrow D$ is an injective (total) function (note that the domain of $R$ is $D$ because $M, R, s \models \forall x\exists y(x \hookrightarrow y)$). And so $M, R, s \models \Box(\mathit{inj} \rightarrow \forall x\exists y(y \hookrightarrow x))$ if and only if $D$ is finite. Note that the occurrences of ↪ in the scope of the $\Box$-modality are universally bound, and the interpretation of ↪ thus ranges over *all* $R \subseteq D \times D$.
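Over a finite domain this characterization holds by the pigeonhole principle. The following brute-force sketch checks the $\Box$-formula restricted to the functional relations singled out by $\mathit{inj}$ (the tuple encoding of total functions on D is our own assumption, for illustration):

```python
from itertools import product

D = [0, 1, 2]

def injective(f):
    """f is a total function D -> D, given as the tuple (f(D[0]), f(D[1]), ...)."""
    return len(set(f)) == len(D)

def surjective(f):
    return set(f) == set(D)

# □(inj → ∀x∃y (y ↪ x)): every total injective function on a finite
# domain is a surjection (pigeonhole), so the assertion holds:
assert all(surjective(f) for f in product(D, repeat=len(D)) if injective(f))
```

On an infinite domain the check fails (e.g. the successor function on the natural numbers is injective but not surjective), which is exactly how the formula separates finite from infinite models.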

*Characterizing Countable Infinity.* We next show that countability of the underlying domain of a model can be expressed using the above two modalities. We will be working with chains related by ↪, and in that sense we speak of a *predecessor* of $x$, being any $y$ such that $(y \hookrightarrow x)$, and a *successor* of $x$, being any $y$ such that $(x \hookrightarrow y)$. Let $\mathit{enum}$ be the conjunction of the following formulas:

*–* $\mathit{inj}$ (as defined above),
*–* $\exists! x\,\forall y\,\neg(y \hookrightarrow x)$<sup>5</sup> (there exists a unique minimal element),
*–* $\boxdot(\mathbf{emp} \vee \exists x((x \hookrightarrow -) \wedge \forall y((y \hookrightarrow -) \rightarrow \neg(y \hookrightarrow x))))$ (well-foundedness).
Note that a relation $R$ is well-founded iff *every* (non-empty) sub-relation of $R$ has a minimal element (with respect to that sub-relation). This fact is expressed in $\mathit{enum}$ by the use of the $\boxdot$-modality. Let $M, R, s \models \mathit{enum}$. We show that $R$ encodes an enumeration $(d_n)_n$ of $D$ (still with $M = (D, I)$). We define the sequence $(d_n)_n$ by induction on $n$: for $d_0$ we take the (unique) minimal element, and for $d_{n+1}$ we take the unique element $d \in D$ such that $\langle d_n, d\rangle \in R$. Note that $\mathit{inj}$ implies that every element of $D$ has a unique 'successor' and that $d_{n+1} \notin \{d_0,\dots,d_n\}$. Well-foundedness ensures that every element of $D$ appears in the enumeration $(d_n)_n$: otherwise we could construct an infinite descending chain of elements not appearing in the enumeration (since $d_0$ denotes the unique minimal element with respect to the functional interpretation $R$ of ↪, it follows that for any $d \in D$ which does not appear in the enumeration there exists a $d' \in D$ which also does not appear in the enumeration such that $\langle d', d\rangle \in R$).
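The inductive construction of the enumeration can be sketched as follows. Since any model of $\mathit{enum}$ is infinite, the code (our own, purely illustrative) runs it on a finite prefix of such a chain, with the functional relation given as a successor dictionary:

```python
def enumeration(succ, D):
    """Read off d_0, d_1, ... from a relation satisfying enum, here
    represented by its successor function on a finite prefix of D."""
    d = next(x for x in D if x not in succ.values())  # the unique minimal element
    out = [d]
    while len(out) < len(D):
        d = succ[d]                                    # the unique successor
        out.append(d)
    return out

succ = {'a': 'b', 'b': 'c', 'c': 'd'}                  # a ↪ b ↪ c ↪ d
assert enumeration(succ, ['a', 'b', 'c', 'd']) == ['a', 'b', 'c', 'd']
```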

We thus have that $M, R, s \models \mathit{enum}$ implies that the domain of $M$ is countably infinite. The formula $\Diamond\mathit{enum}$ further abstracts from the current interpretation of the points-to relation ↪, so that if the domain of $M$ is countably infinite then $M, R, s \models \Diamond\mathit{enum}$, for arbitrary $R$ (and $s$).

The class of uncountable models is characterized by $\neg(\Diamond\mathit{enum} \vee \mathit{fin})$, where $\mathit{fin}$ denotes the above formula which characterizes the class of finite models.

Summarizing, the logic of full SL is neither compact nor does it satisfy the Löwenheim-Skolem theorem, because it can distinguish between countable and uncountable models. Further, we observe that the above expressiveness results do not depend on the interpretation of the points-to relation as an arbitrary relation. That is, these results also hold for the semantics restricted to (infinite) heaps.

<sup>5</sup> $\exists! x\, p$ is an abbreviation of $\exists x(p \wedge \forall y(p[y/x] \rightarrow y = x))$, where $p[y/x]$ denotes the substitution of $x$ by $y$.

Interestingly, since we can express that the points-to relation ↪ is well-founded (see above), even restricting to the separating conjunction gives rise to non-compactness: given a countably infinite set of individual constants $c_n$, $n \geq 0$, let $\Gamma$ consist of the above well-foundedness formula $\boxdot(\mathbf{emp} \vee \exists x((x \hookrightarrow -) \wedge \forall y((y \hookrightarrow -) \rightarrow \neg(y \hookrightarrow x))))$ and the formulas $c_{n+1} \hookrightarrow c_n$, $n \geq 0$. Clearly, every finite subset of $\Gamma$ is satisfiable, but $\Gamma$ itself is not. Note that we do not need to require that $c_i \neq c_j$ for every $i \neq j$, because in case the formulas $c_{n+1} \hookrightarrow c_n$, $n \geq 0$, are satisfied and additionally $c_i = c_j$ holds for some $i \neq j$, we have a loop in the interpretation of ↪. Further, SL restricted to separating conjunction also does not satisfy the *upward* Löwenheim-Skolem theorem because, as argued above, $M, R, s \models \mathit{enum}$ implies countable infinity of the domain of $M$.

*Separation Logic Light.* What about further restricting to *positive* occurrences of the separating conjunction? Since negation can then be pushed inside, this restriction can be formally defined by the following syntax, describing SLL ('separation logic light'):

$$p ::= (\neg)R(t_1, \dots, t_n) \mid (p \vee q) \mid (p \wedge q) \mid \exists x (p) \mid \forall x (p) \mid (p * q)$$

Here $R$ denotes either an $n$-ary relation symbol or the points-to relation ↪. Thus, in this version of SL, negation can only be applied to atomic formulas. To show that the notion of satisfiability of SLL is compact, we introduce the following first-order translation $p \circledast R'$, where $R'$ is a binary predicate different from ↪, $\circ$ denotes conjunction/disjunction, and $Q$ denotes the existential/universal quantifier.

$$\begin{array}{ll} (\neg)R(t_1, \dots, t_n) \circledast R' &= (\neg)R(t_1, \dots, t_n) \\ (t \hookrightarrow t') \circledast R' &= R'(t, t') \\ (p \circ q) \circledast R' &= p \circledast R' \circ q \circledast R' \\ Qx(p) \circledast R' &= Qx(p \circledast R') \\ (p * q) \circledast R' &= R' = R_1 \uplus R_2 \wedge p \circledast R_1 \wedge q \circledast R_2 \end{array}$$

The binary relation symbols $R_1$ and $R_2$ are 'fresh'. It follows that $p$ is satisfiable if and only if $p \circledast R$ is satisfiable. More precisely, $M, R, s \models p$ if and only if there exists a (first-order) model $M'$ such that $M', s \models p \circledast R$. Consequently, compactness of first-order logic implies compactness of SLL: let $\Gamma$ be an infinite set of formulas of SLL and $\Gamma' = \{p \circledast R \mid p \in \Gamma\}$<sup>6</sup>, for some binary relation symbol $R$. If every finite subset of $\Gamma$ is satisfiable, so is every finite subset of $\Gamma'$. By the compactness of first-order logic $\Gamma'$ is satisfiable, and so is $\Gamma$. Along the same lines it follows that if $\Gamma$ is satisfiable then there exists a model $M = (D, I)$ such that $D$ is *countable* and $M, R, s \models p$, for every $p \in \Gamma$.
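The translation is purely syntactic. A sketch in Python, where the nested-tuple encoding of formulas and the `'split'` marker for $R = R_1 \uplus R_2$ are our own ad-hoc choices:

```python
import itertools

fresh = (f"R{i}" for i in itertools.count(1))    # supply of fresh symbols

def translate(p, R):
    """p ⊛ R: compile an SLL formula into a first-order formula.
    ('pt', t, u) encodes t ↪ u; ('star', p, q) encodes p * q."""
    op = p[0]
    if op == 'pt':                               # (t ↪ t') ⊛ R = R(t, t')
        return (R, p[1], p[2])
    if op in ('and', 'or'):                      # (p ∘ q) ⊛ R = p ⊛ R ∘ q ⊛ R
        return (op, translate(p[1], R), translate(p[2], R))
    if op in ('exists', 'forall'):               # Qx(p) ⊛ R = Qx(p ⊛ R)
        return (op, p[1], translate(p[2], R))
    if op == 'star':                             # fresh R1, R2 with R = R1 ⊎ R2
        R1, R2 = next(fresh), next(fresh)
        return ('and', ('split', R, R1, R2),
                ('and', translate(p[1], R1), translate(p[2], R2)))
    return p                                     # (negated) first-order atom

f = ('star', ('pt', 'x', 'y'), ('pt', 'y', 'z'))
t = translate(f, 'R')
assert t == ('and', ('split', 'R', 'R1', 'R2'),
             ('and', ('R1', 'x', 'y'), ('R2', 'y', 'z')))
```

Each occurrence of ∗ consumes two fresh symbols, which is why an infinite Γ' may need infinitely many of them (cf. footnote 6).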

Note however that compactness of the satisfiability relation does not imply that the (semantic) consequence relation is compact. In fact, non-compactness of the consequence relation for SLL follows directly from the above argument

<sup>6</sup> Note that $\Gamma'$ may require the introduction of an infinite number of fresh (binary) relation symbols. This is however no problem, because first-order logic allows for a countably infinite set of function and relation symbols.

involving well-founded relations: let $\Gamma$ denote the set of formulas $c_{n+1} \hookrightarrow c_n$, $n \geq 0$. It follows that $\Gamma \models \mathbf{true} * (\neg\mathbf{emp} \wedge \forall x((x \hookrightarrow -) \rightarrow \exists y(y \hookrightarrow x)))$. But clearly, there does not exist a finite subset $\Gamma_0$ of $\Gamma$ such that $\Gamma_0 \models \mathbf{true} * (\neg\mathbf{emp} \wedge \forall x((x \hookrightarrow -) \rightarrow \exists y(y \hookrightarrow x)))$.

*Some Open Problems.* The question remains whether the restriction to separating conjunction satisfies the *downward* Löwenheim-Skolem theorem. A counterexample to the downward Löwenheim-Skolem theorem would be the expressibility of uncountable models. This seems to require the $\Box$ modality (and thus the separating implication).

Another interesting question is whether we can express finiteness of the domain of the current interpretation of the points-to relation; that is, does there exist a formula $p$ in SL such that $M, R, s \models p$ if and only if the domain of the relation $R$ is finite?

A main open problem is a formalization of the relation between full SL and second-order logic. Intuitively, one of the main differences is the *local perspective* of SL, which is determined by the current heap. Remarkably, as already mentioned in the introduction, [BDL12] presents a rather intricate encoding of (dyadic) weak second-order logic into weak SL. Apparently this restriction to finite heaps allows one to break the local perspective. Our conjecture however is that full SL is strictly less expressive than (dyadic) second-order logic. To illustrate how subtle this difference may be, consider the following extension of separation logic with a *binding* operator $\downarrow R(p)$ which binds the binary variable $R$ in the evaluation of $p$ to the current interpretation of the points-to relation. In other words, it corresponds to a bounded (second-order) quantification $\exists R((R = \hookrightarrow) \wedge p)$, where $R = \hookrightarrow$ abbreviates the first-order formula $\forall x, y(R(x, y) \leftrightarrow (x \hookrightarrow y))$. Alternatively, we can directly define $M, \mathcal{R}, s \models \downarrow R(p)$ if and only if $M, \mathcal{R}, s[R := \mathcal{R}] \models p$. This definition thus assumes an extension of the valuation $s$ to (binary) second-order variables. The expressive power of this binding operator lies in the fact that it allows one to 'break the spell' of the local perspective: in the local context of the current interpretation of the points-to relation, the bound binary variable allows one to refer to those 'outer' interpretations that have generated it (by the separating connectives). This extension of SL allows for a simple, compositional translation of (dyadic) second-order logic.
We have the following main case, which translates $\exists R(\phi)$, where $\phi$ is a dyadic second-order formula (assumed not to contain occurrences of the points-to relation of SL), into the SL formula $\Diamond(\downarrow R(p))$, where $p$ denotes the translation of $\phi$.

#### **4 Separation Logic of Definable Binary Relations**

In this section we restrict the interpretation of the separating connectives to first-order definable binary relations. By $\phi$ we now denote a first-order formula which does not contain occurrences of the points-to relation ↪ of SL. We omit the standard inductive truth definition $M, s \models \phi$ of a first-order formula $\phi$.

By $\phi(x_1,\dots,x_n)$ we denote that the free (first-order) variables of $\phi$ are among the distinct variables $x_1,\dots,x_n$. A formula $\phi(x, y)$ is called a *binary* formula. A binary formula is also simply denoted by $\phi$, omitting its free variables $x$ and $y$. Given a model $M = (D, I)$ and a first-order formula $\phi(x, y)$, we denote by $\mathit{Rel}_M(\phi)$ the relation $\{\langle s(x), s(y)\rangle \mid M, s \models \phi\} \subseteq D \times D$. Note that the evaluation of $\phi(x, y)$ only depends on the values of its free variables $x$ and $y$, that is, $M, s \models \phi$ if and only if $M, s' \models \phi$, whenever $s(x) = s'(x)$ and $s(y) = s'(y)$. By $\phi(t, t')$ we denote the result of replacing in $\phi(x, y)$ the variables $x$ and $y$ by $t$ and $t'$, respectively (if necessary renaming bound variables to ensure that the variables of $t$ and $t'$ do not become bound).

**Definition 4 (First-order definability).** *Given a model* $M = (D, I)$*, a relation* $R \subseteq D \times D$ *is* first-order definable *if* $R = \mathit{Rel}_M(\phi)$*, for some binary formula* $\phi(x, y)$*.*
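For a finite model, $\mathit{Rel}_M(\phi)$ can be computed directly by ranging over all pairs of domain elements. A small sketch, where representing formulas as Python predicates is our own simplifying assumption:

```python
def rel(M, phi):
    """Rel_M(φ): the binary relation defined by the formula φ(x, y),
    given here as a Python predicate, over the finite domain M."""
    return {(a, b) for a in M for b in M if phi(a, b)}

M = range(4)
assert rel(M, lambda x, y: y == x + 1) == {(0, 1), (1, 2), (2, 3)}  # successor
assert rel(M, lambda x, y: False) == set()                          # emp
```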

Note that, given a model $M = (D, I)$, we have $I(R) = \mathit{Rel}_M(R(x, y))$, that is, for any binary relation symbol $R$ its interpretation $I(R)$ is trivially a first-order definable relation. We generalize the definition of $R = R_1 \uplus R_2$ to arbitrary binary formulas: we denote by $\phi = \phi_1 \uplus \phi_2$ that the binary formulas $\phi_1(x, y)$ and $\phi_2(x, y)$ represent a partition of the binary formula $\phi(x, y)$, which is expressed by the conjunction of $\forall x, y(\phi(x, y) \leftrightarrow (\phi_1(x, y) \vee \phi_2(x, y)))$ and $\forall x, y, z(\neg\phi_1(x, y) \vee \neg\phi_2(x, z))$. The latter formula, which states that the domains of the binary relations represented by $\phi_1(x, y)$ and $\phi_2(x, y)$ are disjoint, we abbreviate by $\phi_1 \perp \phi_2$.

In the sequel we denote by M, <sup>R</sup>, s <sup>|</sup><sup>=</sup> <sup>p</sup> the *restriction* of the relational semantics of full SL (Definition 2 extended to binary relations) such that instead of quantifying over arbitrary binary relations, the separating connectives involve quantification over first-order definable binary relations. It is worthwhile to observe here that, as for Henkin models of second-order logic [Hen50], the implicit second-order quantification depends on the underlying signature of function and relation symbols. Extending or restricting the signature affects the semantics of formulas of the 'old' signature.

# **5 Sequent Calculus**

To reason about the implicit quantification over definable (binary) relations, we introduce *rooted* assertions of the form $p@\varphi$, where $\varphi$ denotes a binary formula and $p$ is a formula of SL (see Definition 1). We define $M, s \models p@\varphi$ if and only if $M, R, s \models p$, where $R = \mathit{Rel}_M(\varphi)$. The variables $x$ and $y$ of the binary formula $\varphi(x, y)$ are thus implicitly bound by the @-operator, that is, $M, s \models p@\varphi$ if and only if $M, s' \models p@\varphi$, for any $s$ and $s'$ such that $s(z) = s'(z)$ for every free variable $z$ occurring in $p$.

Note that the separating connectives are interpreted in terms of relations which are definable by first-order formulas that do not involve the points-to relation $\mapsto$. This allows for the following alternative *predicative* definition<sup>7</sup> of the semantics of the separating connectives in rooted assertions (used in both the soundness and completeness proofs). Here $\psi \perp \varphi$, for binary formulas $\psi(x, y)$ and $\varphi(x, y)$, denotes the formula $\forall x, y, z\,(\neg\psi(x, y) \vee \neg\varphi(x, z))$.

<sup>7</sup> For a foundational discussion concerning predicativity, see [Cro17].


**Fig. 1.** Sequent calculus. The binary relation symbols $R_1$, $R_2$ and $R$ introduced in the rules **L**∗ and **R**−∗ are 'fresh'. In the points-to rules $p$ denotes a basic formula (which does not contain occurrences of the separating connectives).

#### **Lemma 1.** *We have*


We now develop a calculus for sequents $A_1,\ldots,A_n \Rightarrow B_1,\ldots,B_m$, where each $A_i$, $i = 1,\ldots,n$, and $B_j$, $j = 1,\ldots,m$, is constructed from first-order formulas and rooted assertions, which can be further composed using propositional connectives and quantification over first-order variables. This calculus is an extension of the standard first-order sequent calculus (including cut), where the standard rules are applicable with respect to top-level propositional connectives and quantifiers. Figure 1 shows the left and right rules for separating conjunction and implication. These rules closely follow the translation in Definition 3 of SL into second-order logic, eliminating the explicit second-order quantification by applying the standard proof rules for second-order quantification (which themselves are straightforward generalizations of the rules for first-order quantification, instantiating the second-order variables by formulas). The binary relation symbols $R_1$, $R_2$ and $R$ introduced in the rules **L**∗ and **R**−∗ are 'fresh' binary relation symbols, that is, they must not appear in the formulas of the conclusion of the rules.

We also have rules which allow classical reasoning under rooted assertions: $(p \circ q)@\varphi \leftrightarrow (p@\varphi) \circ (q@\varphi)$, where $\circ$ denotes a binary propositional connective (conjunction, disjunction, or implication), $(\neg p)@\varphi \leftrightarrow \neg(p@\varphi)$, and $(\exists x\, p)@\varphi \leftrightarrow \exists x\,(p@\varphi)$ (and similarly $(\forall x\, p)@\varphi \leftrightarrow \forall x\,(p@\varphi)$). Further, we have $\forall x, y\,(\varphi \leftrightarrow \psi) \rightarrow (p@\varphi \leftrightarrow p@\psi)$. It is straightforward to validate these rules, and we omit the details of the semantics $M, s \models A$, which follows the standard Tarski-style classical semantics, given the semantics of rooted assertions which may appear in the place of atomic formulas.

In the so-called 'points-to' rules of Fig. 1 the formula $p$ does not involve occurrences of the separating connectives. Such a formula of SL we call *basic*. A basic formula differs from a pure first-order formula in that it may additionally involve the points-to relation. For such formulas we denote by $p[\varphi/\mapsto]$, for any binary formula $\varphi(x, y)$, the result of replacing every atomic assertion $(t \mapsto t')$ in $p$ by $\varphi(t, t')$, which yields a pure first-order formula. It follows that $M, s \models p[\varphi/\mapsto]$ if and only if $M, \mathit{Rel}_M(\varphi), s \models p$, for any basic formula $p$.
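The substitution $p[\varphi/\mapsto]$ is a straightforward structural recursion that only touches the points-to atoms. A sketch over a toy formula representation (the AST encoding below is our own, not the paper's):

```python
# Toy AST (own encoding): ("pt", t, u) is the atom t |-> u; other nodes are
# ("not", A), ("and", A, B), ("or", A, B), ("all", x, A), ("ex", x, A),
# and first-order atoms such as ("rel", name, args).

def subst_pointsto(p, phi):
    """Compute p[phi / |->]: replace every points-to atom (t |-> u) by
    phi(t, u); the result is a pure first-order formula (no "pt" nodes)."""
    tag = p[0]
    if tag == "pt":
        _, t, u = p
        return phi(t, u)
    if tag == "not":
        return ("not", subst_pointsto(p[1], phi))
    if tag in ("and", "or"):
        return (tag, subst_pointsto(p[1], phi), subst_pointsto(p[2], phi))
    if tag in ("all", "ex"):
        return (tag, p[1], subst_pointsto(p[2], phi))
    return p  # first-order atoms are left unchanged

# Hypothetical phi(x, y): R2(x, y) or (x = u and y = 0)
phi = lambda t, u: ("or", ("rel", "R2", (t, u)),
                          ("and", ("rel", "=", (t, "u")), ("rel", "=", (u, "0"))))
basic = ("and", ("pt", "v", "z"), ("rel", "=", ("z", "0")))
result = subst_pointsto(basic, phi)
```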

*Example Proofs*

$$
\dfrac{\dfrac{\dfrac{\Gamma \Rightarrow q@R,\; R_1 \perp R_2 \qquad \Gamma \Rightarrow q@R,\; p@R_1 \qquad \Gamma,\; q@(R_1 \vee R_2) \Rightarrow q@R}{R = R_1 \uplus R_2,\; p@R_1,\; (p \twoheadrightarrow q)@R_2 \Rightarrow q@R}\;\mathbf{L}{\twoheadrightarrow}}{(p * (p \twoheadrightarrow q))@R \Rightarrow q@R}\;\mathbf{L}{*}}{\Rightarrow ((p * (p \twoheadrightarrow q)) \rightarrow q)@R}\;\mathbf{R}{\rightarrow}
$$

As a first example of the use of the sequent calculus, above we have a derivation of the sequent $\Rightarrow ((p * (p \twoheadrightarrow q)) \rightarrow q)@R$, which represents the validity of $(p * (p \twoheadrightarrow q)) \rightarrow q$. This derivation essentially consists of an application of the rule **L**∗ followed by an application of the rule **L**−∗. In this derivation $\Gamma$ denotes the formulas $R = R_1 \uplus R_2$, $p@R_1$ generated by the application of rule **L**∗. The second premise of the application of the rule **L**−∗ is derivable from an instance of the axiom $\Gamma, A \Rightarrow A, \Delta$. Note that $\psi$ (in the **L**−∗ rule) is instantiated with $R_1$. The first and third premises follow from the fact that $R = R_1 \uplus R_2$ reduces to $R_1 \perp R_2$ and $R = R_1 \cup R_2$ (that part of the proof is not shown above).

Next we show how to use the calculus in reasoning about the equivalence of weakest preconditions that arise in the practice of verifying the correctness of heap-manipulating programs. Let $p$ denote the weakest precondition $(u \mapsto -) \wedge (z = 0 \lhd u = v \rhd v \mapsto z)$ of the heap update $[u] := 0$, which ensures the postcondition $v \mapsto z$ after assigning the value $0$ to the location denoted by the variable $u$ (here $\varphi \lhd b \rhd \psi$ abbreviates $(b \wedge \varphi) \vee (\neg b \wedge \psi)$); in [dBHdG23] a dynamic logic extension of SL is introduced which generates this weakest precondition. The standard rule for backwards reasoning in [Rey02] gives the weakest precondition $(u \mapsto -) * (u \mapsto 0 \twoheadrightarrow v \mapsto z)$, which we denote by $p'$. These preconditions are equivalent because both are the weakest.

Surprisingly, a proof of the implication $p' \rightarrow p$ exceeds the capability of all the automatic SL provers in the benchmark competition for SL [SNPR+19]. In particular, of the automatic provers, only the CVC4-SL tool [RISK16] supports the fragment of SL that includes the separating implication connective. However, in our own experiments with that tool we found that it produces an incorrect counter-example, and we reported this as a bug to one of the maintainers of the project (Andrew Reynolds). In fact, the latest version, CVC5-SL, reports the same input as 'unknown', indicating that the tool is incomplete. In the case of (semi-)interactive SL provers (such as Iris [JKJ+18], and VerCors [AH21,MRH22], which uses Viper [MSS16] as a back-end) we sought out expertise and collaborated in our search for a tool-supported proof of the above equivalence. Even after personally visiting the Iris team in Nijmegen (led by Robbert Krebbers) and the VerCors team in Twente (led by Marieke Huisman), we were unable to guide the tools to produce a proof of $p' \rightarrow p$. The problem here seems similar to that of [HT16], in that their semantics of the separating connectives, formalized in terms of abstract monoids, is not compatible with the set-theoretic interpretation of the points-to relation.

In fact, the equivalence between the above two formulas can be expressed in quantifier-free separation logic, for which a complete axiomatization of all valid formulas has been given in [DLM21]. In the sequent calculus we can express the equivalence of $p$ and $p'$ by the sequent $\mathit{fun}(R) \Rightarrow (p \leftrightarrow p')@R$. Here $R$ is an arbitrary binary relation symbol used to represent the current interpretation of the points-to relation, and $\mathit{fun}(R)$ abbreviates $\forall x, y, z\,((R(x, y) \wedge R(x, z)) \rightarrow y = z)$. A proof of the above sequent amounts to proving the sequents $\mathit{fun}(R), p'@R \Rightarrow p@R$ and $\mathit{fun}(R), p@R \Rightarrow p'@R$. Below we present a high-level proof of the first sequent, abstracting from some basic first-order reasoning in the calculus.
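On a finite relation, $\mathit{fun}(R)$ is simply the check that $R$ is the graph of a partial function, which matches the intended reading of $R$ as a heap. A small sketch (our own code; the example relations are hypothetical):

```python
def is_functional(r):
    """fun(R): for all x, y, z, if R(x, y) and R(x, z) then y = z,
    i.e. each location is mapped to at most one value."""
    image = {}
    for x, y in r:
        if x in image and image[x] != y:
            return False
        image[x] = y
    return True

heap = {(1, 2), (3, 4)}      # a heap: 1 -> 2, 3 -> 4
not_heap = {(1, 2), (1, 3)}  # location 1 points to two values
```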

By an application of **L**∗, to derive the sequent $\mathit{fun}(R), p'@R \Rightarrow p@R$ it suffices to derive

$$\mathit{fun}(R),\; R = R_1 \uplus R_2,\; (u \mapsto -)@R_1,\; (u \mapsto 0 \twoheadrightarrow v \mapsto z)@R_2 \;\Rightarrow\; p@R$$

for some fresh $R_1$ and $R_2$. Let $\psi(x, y)$ denote the binary formula $x = u \wedge y = 0$. Further, let $\Gamma$ denote the set of formulas $\mathit{fun}(R)$, $R = R_1 \uplus R_2$, $(u \mapsto -)@R_1$. By an application of the rule **L**−∗ it then suffices to prove the following sequents (from $\Gamma \Rightarrow \Delta$ we can derive $\Gamma \Rightarrow A, \Delta$ by right-weakening). First we prove $\Gamma \Rightarrow R_2 \cap \psi = \emptyset$: by the points-to rules the rooted assertion $(u \mapsto -)@R_1$ (appearing in $\Gamma$) reduces to $\exists z\,(R_1(u, z) \wedge \forall x, y\,(R_1(x, y) \rightarrow x = u \wedge y = z))$ (the universally quantified part of the formula is due to the 'strict' points-to, which states that the domain contains $u$ as its only location). Further, $R_2 \cap \psi = \emptyset$ logically boils down to $\neg\exists x, y\,(R_2(x, y) \wedge (x = u \wedge y = 0))$, that is, $\neg R_2(u, 0)$, which in basic first-order logic follows from $\exists z\, R_1(u, z)$ and the assumptions $R = R_1 \uplus R_2$ and $\mathit{fun}(R)$.

Second, we prove $\Gamma \Rightarrow (u \mapsto 0)@\psi$: by the points-to rules, $(u \mapsto 0)@\psi$ (using the expanded definition $\varphi$ of $u \mapsto 0$ and the definition of the substitution $\varphi[\psi/\mapsto]$) reduces to $(u = u) \wedge (0 = 0) \wedge \forall x, y\,((x = u \wedge y = 0) \rightarrow (x = u \wedge y = 0))$, which is equivalent to **true**.

420 F. S. de Boer et al.

And, finally, we prove $\Gamma, (v \mapsto z)@(R_2 \vee \psi) \Rightarrow p@R$: first note that (again, by the points-to rules)

$$((u \mapsto -) \wedge (z = 0 \lhd u = v \rhd v \mapsto z))@R$$

reduces to

$$(\exists z\, R(u, z)) \wedge (z = 0 \lhd u = v \rhd R(v, z))$$

The assertion $\exists z\, R(u, z)$ clearly follows from the assumptions $R = R_1 \uplus R_2$ and $(u \mapsto -)@R_1$ in $\Gamma$. To prove $z = 0 \lhd u = v \rhd R(v, z)$, we first reduce the assumption $(v \mapsto z)@(R_2 \vee \psi)$ to $R_2(v, z) \vee (v = u \wedge z = 0)$. Now, if $v = u$ then $\neg R_2(v, z)$, because of the assumptions $\mathit{fun}(R)$, $R = R_1 \uplus R_2$ and $(u \mapsto -)@R_1$. So we have that $z = 0$. Otherwise, we have $R_2(v, z)$, and thus $R(v, z)$, because $R = R_1 \uplus R_2$.

*Soundness and Completeness.* We denote by $\vdash \Gamma \Rightarrow \Delta$ that there exists a proof of the sequent $\Gamma \Rightarrow \Delta$. To define $\models \Gamma \Rightarrow \Delta$, let $\sigma$ denote a substitution which assigns to every binary relation symbol $R$ of the sequent $\Gamma \Rightarrow \Delta$ a binary formula $\varphi$. Such a substitution $\sigma$ simply replaces occurrences of $R(t, t')$ by $\varphi(t, t')$, where $\sigma(R) = \varphi(x, y)$. By $\models \Gamma \Rightarrow \Delta$ we then denote that $M, s \models \Gamma\sigma$ (that is, $M, s \models A\sigma$ for every $A \in \Gamma$) implies $M, s \models \Delta\sigma$ (that is, $M, s \models B\sigma$ for some $B \in \Delta$), for every $M, s$ and every substitution $\sigma$.

In the soundness proof below we use these substitutions to instantiate the fresh binary relation symbols introduced in the rules **L**∗ and **R**−∗. Note that updating the interpretation of these symbols (as provided by $M$) would affect the semantics of the separating connectives if binary formulas were to refer to these fresh binary relation symbols (they are only required not to appear in the formulas of the conclusions of the rules **L**∗ and **R**−∗).

We generalize the above notions of derivability and validity to possibly infinite $\Gamma$: $\Gamma \vdash \Delta$ indicates that $\vdash \Gamma' \Rightarrow \Delta$ for some finite $\Gamma' \subseteq \Gamma$, and $\Gamma \models \Delta$ indicates that for every substitution $\sigma$ we have that $M, s \models \Gamma\sigma$ (that is, $M, s \models A\sigma$ for every $A \in \Gamma$) implies $M, s \models B\sigma$ for some $B \in \Delta$.

**Theorem 1 (Soundness).** *We have that* $\vdash \Gamma \Rightarrow \Delta$ *implies* $\models \Gamma \Rightarrow \Delta$*.*

*Proof.* We prove that the rules for the separating connectives preserve validity. The points-to rules are sound because $M, \mathit{Rel}_M(\varphi), s \models p$ if and only if $M, s \models p[\varphi/\mapsto]$, for any basic formula $p$ (note that $p[\varphi/\mapsto]$ is a pure first-order formula which does not depend on the heap).

**L**∗: Let $M, s \models \Gamma\sigma$ and $M, s \models (p\sigma * q\sigma)@\varphi\sigma$. We have to show that $M, s \models \Delta\sigma$. By Lemma 1, there exist $\varphi_1$ and $\varphi_2$ such that $M, s \models (\varphi\sigma) = \varphi_1 \uplus \varphi_2$, $M, s \models p\sigma@\varphi_1$, and $M, s \models q\sigma@\varphi_2$. Let $\sigma' = \sigma[R_1, R_2 := \varphi_1, \varphi_2]$. Since $R_1$ and $R_2$ are fresh and as such do not appear in $\Gamma, (p * q)@\varphi$, it follows that $M, s \models \Gamma'\sigma'$, where $\Gamma' = \Gamma, \varphi = R_1 \uplus R_2, p@R_1, q@R_2$. By the validity of the premise we thus obtain that $M, s \models \Delta\sigma'$. Since $R_1$ and $R_2$ also do not appear in $\Delta$, we conclude that $M, s \models \Delta\sigma$.

**R**∗: Let $M, s \models \Gamma\sigma$ and suppose that $M, s \not\models \Delta\sigma$. From the validity of the premises it then follows that $M, s \models \varphi\sigma = (\varphi_1 \uplus \varphi_2)\sigma$, $M, s \models p\sigma@\varphi_1\sigma$, and $M, s \models q\sigma@\varphi_2\sigma$. By Lemma 1 we conclude $M, s \models (p\sigma * q\sigma)@\varphi\sigma$.

**L**−∗: Let $M, s \models \Gamma\sigma$ and $M, s \models (p\sigma \twoheadrightarrow q\sigma)@\varphi\sigma$, and suppose that $M, s \not\models \Delta\sigma$. From the validity of the first two premises it then follows that $M, s \models \varphi\sigma \perp \psi\sigma$ and $M, s \models p\sigma@\psi\sigma$. By Lemma 1 again, it follows that $M, s \models q\sigma@(\varphi\sigma \vee \psi\sigma)$. By the validity of the third premise we thus derive that $M, s \models \Delta\sigma$, which contradicts our assumption.

**R**−∗: Let $M, s \models \Gamma\sigma$ and suppose that $M, s \not\models \Delta\sigma$. We have to show that $M, s \models (p\sigma \twoheadrightarrow q\sigma)@\varphi\sigma$. Let $\psi$ be such that $M, s \models \psi \perp (\varphi\sigma)$ and $M, s \models p\sigma@\psi$. Further, let $R$ be a fresh variable and $\sigma' = \sigma[R := \psi]$. It follows that $M, s \models \Gamma'\sigma'$, where $\Gamma' = \Gamma, R \perp \varphi, p@R$, and $M, s \not\models \Delta\sigma'$. And so we derive from the validity of the premise of the rule that $M, s \models q\sigma@(\varphi\sigma \vee \psi)$. Since $\psi$ was arbitrarily chosen, by Lemma 1 again we conclude that $M, s \models (p\sigma \twoheadrightarrow q\sigma)@\varphi\sigma$.

As a corollary we obtain that $\Gamma \vdash \Delta$ implies $\Gamma \models \Delta$.

Following the completeness proof of first-order logic as described in [Hen49], it suffices to show that every consistent set of formulas is satisfiable (the so-called 'model existence theorem'). A set of formulas $\Gamma$ is consistent if $\Gamma \not\vdash \emptyset$. We first show that every consistent set of formulas can be extended to a maximal consistent set. To this end we assume an infinite set of 'fresh' binary relation symbols $R$ that do not appear in $\Gamma$. We construct for any consistent set $\Gamma$ a maximal consistent extension $\Gamma^\infty$, assuming an enumeration of all formulas $A$ (which also covers all first-order formulas). We define $\Gamma_0 = \Gamma$, and $\Gamma_{n+1}$ satisfies the general rule: if $\Gamma_n, A_n \not\vdash \emptyset$ then $\Gamma_n \cup \{A_n\} \subseteq \Gamma_{n+1}$, otherwise $\Gamma_{n+1} = \Gamma_n$. Additionally, in case $A_n$ is added and $A_n$ is of the form $\exists x A$, or a rooted assertion $(p * q)@\varphi$ or $\neg(p \twoheadrightarrow q)@\varphi$, we also include corresponding *witnesses* in $\Gamma_{n+1}$:

– If $A_n$ is of the form $\exists x A$ we additionally add $A(y)$, where $A(y)$ results from replacing all free occurrences of $x$ in $A$ by a fresh variable $y$ which does not appear in $\Gamma_n$.

Note that $A(y)$ can indeed be added consistently: from $\Gamma_n, A(y) \vdash \emptyset$ we would derive $\Gamma_n, \exists x A \vdash \emptyset$, which contradicts the assumption that $\Gamma_n, \exists x A \not\vdash \emptyset$.

– If $A_n$ is of the form $(p * q)@\varphi$ we additionally add the formulas $\varphi = R_1 \uplus R_2$, $R_1 \perp R_2$, $p@R_1$, and $q@R_2$, where $R_1$ and $R_2$ are fresh (i.e., not appearing in $\Gamma_n$).

Note that these formulas can indeed be added consistently: from $\Gamma_n, \varphi = R_1 \uplus R_2, R_1 \perp R_2, p@R_1, q@R_2 \vdash \emptyset$ we would derive $\Gamma_n, (p * q)@\varphi \vdash \emptyset$ (by rule **L**∗).

– If $A_n$ is of the form $\neg(p \twoheadrightarrow q)@\varphi$ (which is equivalent to $\neg((p \twoheadrightarrow q)@\varphi)$) we additionally add the formulas $R \perp \varphi$, $p@R$, and $\neg q@(\varphi \vee R)$, where $R$ is fresh (i.e., not appearing in $\Gamma_n$).

Note that these formulas can indeed be added consistently: from $\Gamma_n, R \perp \varphi, p@R, \neg q@(\varphi \vee R) \vdash \emptyset$ we would derive $\Gamma_n \vdash (p \twoheadrightarrow q)@\varphi$ (by rule **R**−∗), which contradicts the assumption that $\Gamma_n, \neg(p \twoheadrightarrow q)@\varphi \not\vdash \emptyset$.
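Setting the witness steps aside, the construction of $\Gamma^\infty$ is the usual Lindenbaum extension along an enumeration of formulas. A sketch in which derivability of $\emptyset$ is abstracted into a consistency oracle (the predicate `toy_consistent` below is a stand-in assumption, not the paper's calculus):

```python
def lindenbaum(gamma, enumeration, consistent):
    """Extend gamma along an enumeration of formulas, keeping each
    formula A_n exactly when gamma_n together with A_n stays consistent.
    The paper's construction additionally adds witnesses for existential
    and rooted-assertion formulas; those steps are omitted here."""
    g = set(gamma)
    for a in enumeration:
        if consistent(g | {a}):
            g.add(a)
    return g

# Toy propositional oracle: a set is consistent if it never contains
# both a formula and its negation (negation encoded as ("not", p)).
def toy_consistent(s):
    return all(("not", p) not in s for p in s)

m = lindenbaum({"p"}, ["q", ("not", "p"), ("not", "q")], toy_consistent)
# m == {"p", "q"}: both negations are rejected as inconsistent
```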

We define $\Gamma^\infty = \bigcup_n \Gamma_n$. By construction $\Gamma^\infty$ is maximal consistent. Given a maximal consistent set of formulas $\Gamma$, let $M_\Gamma = (D, I)$, where $D$ is the set of equivalence classes $[t] = \{t' \mid t = t' \in \Gamma\}$. For any function symbol $f$ and relation symbol $R$ (excluding the points-to relation $\mapsto$) we define

– $I(f)([t_1],\ldots,[t_n]) = [f(t_1,\ldots,t_n)]$,
– $I(R)([t_1],\ldots,[t_n]) = \textbf{true}$ if and only if $R(t_1,\ldots,t_n) \in \Gamma$.

The above interpretation of the function and relation symbols is well-defined because it does not depend on the choice of the representatives (this follows from the equality axioms).

Given a maximal consistent set of formulas $\Gamma$ and the model $M_\Gamma = (D, I)$, a corresponding valuation $s$ assigns to every variable $x$ an equivalence class $[t]$. However, in the sequel we will represent such a valuation by a *substitution* $s$ which simply assigns to each variable a term. The value $I_s(x)$ of a variable $x$ is then given by the equivalence class $[s(x)]$ of the term $s(x)$.

Given a substitution $s$, for any term $t$ and formula $A$ (of the sequent calculus) we denote by $ts$ and $As$ the result of replacing every free occurrence of a (first-order) variable $x$ in $t$ and $A$ by $s(x)$. Note that $(p@\varphi)s = ps@\varphi$, because the meaning of $p@\varphi$ does not depend on the free variables $x$ and $y$ of the binary formula $\varphi(x, y)$.

Given a maximal consistent set of formulas $\Gamma$ and the model $M_\Gamma = (D, I)$, it follows that $I_s(t) = [ts]$, for every term $t$ and substitution $s$.

**Lemma 2.** *Given a maximal consistent set of formulas* $\Gamma$ *and the model* $M_\Gamma = (D, I)$*, we have* $M_\Gamma, s \models A$ *if and only if* $As \in \Gamma$*, for every formula* $A$ *and substitution* $s$*.*

*Proof.* The proof proceeds by induction on the following well-founded ordering $A < B$ on formulas of the sequent calculus. Let $\#A = (n, m)$, where $n$ denotes the number of occurrences of the separating connectives and the @-binding operator in $A$, and $m$ denotes the number of occurrences of the (standard) first-order logical operations in $A$. Then $A < B$ if $\#A < \#B$, where the latter denotes the lexicographic ordering on $\mathbb{N} \times \mathbb{N}$ (with respect to the standard 'smaller than' ordering on the natural numbers). We treat the following main cases (for notational convenience $M$ denotes the model $M_\Gamma$).
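The lexicographic descent used in the induction can be made concrete: Python tuples compare lexicographically, so the measure $\#A$ can be modelled directly (our own illustration; the example counts are hypothetical):

```python
def measure(n_sep_at, n_fo):
    """#A = (n, m): n counts separating connectives and @-operators,
    m counts standard first-order operators; tuples compare
    lexicographically, so the first component dominates."""
    return (n_sep_at, n_fo)

# A premise that drops one separating connective is smaller than its
# conclusion even if its first-order part grows arbitrarily.
smaller = measure(1, 100) < measure(2, 0)   # True
tie = measure(2, 0) < measure(2, 1)         # True: second component decides
```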

– Let $M, s \models A$, where $A$ denotes the formula $(p * q)@\varphi$. By Lemma 1 there exist $\varphi_1$ and $\varphi_2$ such that $M, s \models \varphi = \varphi_1 \uplus \varphi_2$, $M, s \models p@\varphi_1$ and $M, s \models q@\varphi_2$. From the induction hypothesis it follows that $ps@\varphi_1, qs@\varphi_2, \varphi = \varphi_1 \uplus \varphi_2 \in \Gamma$ (note that the first-order formula $\varphi = \varphi_1 \uplus \varphi_2$ does not contain free variables, and thus is not affected by the substitution $s$). So we derive by rule **R**∗ that $\Gamma \vdash (ps * qs)@\varphi$. By maximal consistency of $\Gamma$, we then conclude that $(ps * qs)@\varphi \in \Gamma$, that is, $As \in \Gamma$.

On the other hand, let $As \in \Gamma$, that is, $(ps * qs)@\varphi \in \Gamma$. By construction $\varphi = R_1 \uplus R_2, ps@R_1, qs@R_2 \in \Gamma$, for some witnesses $R_1$ and $R_2$. By the induction hypothesis it then follows that $M, s \models p@R_1$ and $M, s \models q@R_2$. Further, the induction hypothesis gives $M, s \models \varphi = R_1 \uplus R_2$ (again, note that the formula $\varphi = R_1 \uplus R_2$ has no free variables, and thus is not affected by the substitution $s$). We conclude by Lemma 1 that $M, s \models (p * q)@\varphi$.

– Let $M, s \models A$, where $A$ denotes the formula $(p \twoheadrightarrow q)@\varphi$. Suppose $As \notin \Gamma$. By the maximal consistency of $\Gamma$, we then have $\neg(ps \twoheadrightarrow qs)@\varphi \in \Gamma$. By construction $R \perp \varphi, ps@R, \neg qs@(\varphi \vee R) \in \Gamma$, for some witness $R$, which contradicts $M, s \models (p \twoheadrightarrow q)@\varphi$ (after application of the induction hypothesis and using Lemma 1 again).

On the other hand, let $As \in \Gamma$. To show that $M, s \models (p \twoheadrightarrow q)@\varphi$, let $M, s \models \varphi \perp \psi$ and $M, s \models p@\psi$, for some binary formula $\psi$. By the induction hypothesis we have that $\varphi \perp \psi, ps@\psi \in \Gamma$. Suppose that $qs@(\varphi \vee \psi) \notin \Gamma$, that is, $\neg qs@(\varphi \vee \psi) \in \Gamma$ ($\Gamma$ is maximal consistent), and thus $\Gamma, qs@(\varphi \vee \psi) \vdash \emptyset$. Applying rule **L**−∗ we then derive $\Gamma, (ps \twoheadrightarrow qs)@\varphi \vdash \emptyset$, which contradicts the consistency of $\Gamma$ (since $(ps \twoheadrightarrow qs)@\varphi \in \Gamma$). So we have that $qs@(\varphi \vee \psi) \in \Gamma$, that is, $M, s \models q@(\varphi \vee \psi)$, by the induction hypothesis. Since $\psi$ was chosen arbitrarily, it follows by Lemma 1 that $M, s \models (p \twoheadrightarrow q)@\varphi$.

– Let $A$ be a formula $p@\varphi$, where $p$ denotes a basic formula, and let $R = \mathit{Rel}_M(\varphi)$. We then have $M, s \models p@\varphi$ iff (by definition) $M, R, s \models p$ iff (by a straightforward induction on $p$) $M, s \models p[\varphi/\mapsto]$ iff (by the induction hypothesis for $p[\varphi/\mapsto]$) $ps[\varphi/\mapsto] \in \Gamma$ iff (by the points-to rules) $ps@\varphi \in \Gamma$. Note that applying the substitution $s$ to $p@\varphi$ and $p[\varphi/\mapsto]$ results in $ps@\varphi$ and $ps[\varphi/\mapsto]$.

The downward Löwenheim-Skolem property follows. It should be noted that we cannot remove from the constructed model the binary relation symbols which are introduced as witnesses, as these determine the notion of first-order definability.

**Theorem 2 (Completeness).** *We have that* $\Gamma \models \Delta$ *implies* $\Gamma \vdash \Delta$*.*

Compactness follows. We thus derive (by Lindström's theorem [Vää10]) that this version of SL is as expressive as first-order logic.

#### **6 Conclusion**

We investigated the expressiveness of full SL over arbitrary first-order models. We have shown that restricting the quantification to first-order definable heaps gives rise to a semantic consequence relation that can be captured by a sound and complete extension of the standard sequent calculus for first-order logic.

The main remaining question is the exact relationship between full SL, which allows for infinite heaps, and second-order logic. In [KR04] a translation is given of general second-order logic into a first-order logic with *spatial conjunction*. Spatial conjunction (as defined in [KR04]) allows splitting a global set of *arbitrary* relations. As such it goes beyond the *local* scope of separating conjunction, which is restricted to the points-to relation. We conjecture that second-order logic is strictly more expressive than full SL.

**Acknowledgements.** The authors thank the anonymous referees for providing many constructive and useful suggestions for improvement.

## **References**

- [CK13] Chang, C.C., Keisler, H.J.: Model Theory, 3rd edn. Dover Books on Mathematics. Dover Publications (2013)
- [DD16] Demri, S., Deters, M.: Expressive completeness of separation logic with two variables and no separating conjunction. ACM Trans. Comput. Log. **17**(2), 12 (2016)
- [DLM21] Demri, S., Lozes, É., Mansutti, A.: A complete axiomatisation for quantifier-free separation logic. Log. Methods Comput. Sci. **17**(3) (2021)
- [EIP20] Echenim, M., Iosif, R., Peltier, N.: The Bernays-Schönfinkel-Ramsey class of separation logic with uninterpreted predicates. ACM Trans. Comput. Log. **21**(3), 19:1–19:46 (2020)
- [GM10] Galmiche, D., Méry, D.: Tableaux and resource graphs for separation logic. J. Log. Comput. **20**(1), 189–231 (2010)
- [Hen49] Henkin, L.: The completeness of the first-order functional calculus. J. Symb. Log. **14**(3), 159–166 (1949)
- [Hen50] Henkin, L.: Completeness in the theory of types. J. Symb. Log. **15**(2), 81–91 (1950)
- [HH14] Huet, G.P., Herbelin, H.: 30 years of research and development around Coq. In: Jagannathan, S., Sewell, P. (eds.) The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2014, San Diego, CA, USA, 20–21 January 2014, pp. 249–250. ACM (2014)
- [HT16] Hóu, Z., Tiu, A.: Completeness for a first-order abstract separation logic. In: Igarashi, A. (ed.) APLAS 2016. LNCS, vol. 10017, pp. 444–463. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47958-3_23
- [JKJ+18] Jung, R., Krebbers, R., Jourdan, J.-H., Bizjak, A., Birkedal, L., Dreyer, D.: Iris from the ground up: a modular foundation for higher-order concurrent separation logic. J. Funct. Program. **28** (2018)
- [KR04] Kuncak, V., Rinard, M.C.: On spatial conjunction as second-order logic. CoRR, cs.LO/0410073 (2004)
- [Vää01] Väänänen, J.: Second-order logic and foundations of mathematics. Bull. Symb. Log. **7**(4), 504–520 (2001)
- [Vää10] Väänänen, J.: Lindström's theorem. In: Universal Logic: An Anthology, pp. 231–236 (2010)
- [Yan01] Yang, H.: Local reasoning for stateful programs. Ph.D. thesis, University of Illinois at Urbana-Champaign. Technical Report UIUCDCS-R-2001-2227 (2001)


# **Testing the Satisfiability of Formulas in Separation Logic with Permissions**

Nicolas Peltier

Université Grenoble Alpes, LIG, CNRS, Inria, Grenoble INP, 38000 Grenoble, France nicolas.peltier@imag.fr

**Abstract.** We investigate the satisfiability problem for a fragment of Separation Logic (SL) with inductively defined spatial predicates and permissions. We show that the problem is undecidable in general, but decidable under some restrictions on the rules defining the semantics of the spatial predicates. Furthermore, if the satisfiability of permission formulas can be tested in exponential time for the considered permission model, then SL satisfiability is Exptime-complete.

# **1 Introduction**

Separation Logic [14,22] (SL) is a dialect of bunched logic [18] that is widely used in verification for reasoning about programs manipulating pointer-based data structures. It constitutes the theoretical basis of several industrial-scale automated static program analyzers [1,2,7]. SL formulas describe *heaps*, with atoms asserting that some location (i.e., a memory address) is allocated and refers to some tuple of locations (i.e., a record), combined with a special connective ∗, called *separating conjunction*, which is used to compose heaps. Custom data structures may be described in this setting by using spatial predicates, the semantics of which is defined using *inductive rules*, similar to those used for defining recursive structures in usual programming languages. Such rules allow one to describe heaps of unbounded size with some particular structure, such as lists or trees. In this setting, existing work usually focuses on the fragment of SL called *symbolic heaps* (defined as separating conjunctions of SL atoms).

Usually, SL formulas are interpreted in the *standard heap model*, where heaps are defined as partial finite functions mapping locations to tuples of locations and where the separating conjunction ∗ is interpreted as the disjoint union of heaps. Both the satisfiability and entailment problems have been extensively investigated for this heap model. It was proven that the satisfiability problem is Exptime-complete [6], whereas the entailment problem is undecidable in general, and 2-Exptime-complete provided the inductive rules meet some syntactic conditions [11–13,15] which are general enough to capture the usual data structures used in programming. The combination of spatial reasoning with theory reasoning has also been thoroughly investigated, see for instance [16,19–21,23].

However, richer models exist (see for instance [8]) accounting for additional features of dynamic memory. The automation of reasoning in these models has received little attention. One such model that is of practical relevance is *separation logic with permissions* [3,5], where allocated locations are associated with so-called *permissions* used to model the ownership of a given heap region (e.g., a process may have read or write permission over some location). The heap composition operator that is used to define the interpretation of the separating conjunction is more complex in this framework than in the above case: non-disjoint heaps can be combined if they agree on all the locations on which they are both defined and if the corresponding permissions can be combined (for instance, it is natural to assume that read permissions can be freely combined but not write permissions). The framework is thus parameterized by some *permission model* describing which permissions are available and how they can be combined. In [10], algorithms are provided to decide the satisfiability and entailment problems for SL formulas (symbolic heaps) with permissions in the case of lists, i.e., when all allocated locations refer to a single location (i.e., to a record of size 1) and when there is only one spatial predicate lseg_p(x, y), denoting a list segment from x to y, with permission p. The provided algorithms are generic w.r.t. the permission model, and it is proven that these problems are in NP and co-NP, respectively, assuming that some oracle exists for testing the satisfiability of permission formulas in the considered model.

In the present paper, we investigate the satisfiability problem for SL formulas with permissions defined over arbitrary spatial predicates, with user-defined inductive rules. The goal is to allow for more genericity by tackling custom data structures (such as trees, cyclic lists, doubly linked lists, etc.) with arbitrary permissions. The addition of permissions makes satisfiability testing much more difficult: we prove that the problem is undecidable in general, and we devise syntactic conditions on the inductive rules for which the problem is Exptime-complete. The restrictions are similar to, but stronger than, those given in [13] to ensure the decidability of the entailment problem in the standard heap model. In particular, the inductive rules defining the predicate lseg mentioned above fulfill these restrictions<sup>1</sup>, as do other usual data structures such as cyclic lists, trees, etc. (however, doubly linked lists or trees with parent links are not captured). The considered inductive rules use a special connective ◦ (different from ∗) that is interpreted as a disjoint union. As we shall see, this is both more natural for defining data structures (see also [5]) and required for deciding satisfiability.

# **2 Definitions**

*Syntax.* We first briefly review some basic notations. If x and y are finite sequences, then we denote by x.y the concatenation of x and y. We denote by |x| the length of x and by x|_i its i-th element (if 1 ≤ i ≤ |x|). If E ⊆ {1, ..., |x|} then x|_E denotes the set {x|_i | i ∈ E}. With a slight abuse of notation, a finite

<sup>1</sup> provided the considered lists are not empty.

sequence x is sometimes identified with the set {x|_i | i = 1, ..., |x|}; for instance, we may write x ∈ (u ∪ v) \ w to state that x occurs in u or v but not in w.

We consider a multisorted framework, with two sorts l (for locations) and p (for permissions). Let V_l and V_p be two countably infinite disjoint sets of *variables*, with V := V_l ∪ V_p, where V_l and V_p denote location variables and permission variables, respectively. The set of *permission terms* T_p is the set of terms built inductively as usual on the set of variables V_p and the binary function ⊕ (written in infix notation). A *points-to atom* is an expression of the form x →_p (y_1, ..., y_k) with x, y_1, ..., y_k ∈ V_l and p ∈ T_p. An *equational atom* is an expression of the form x ≈ y or x ≉ y with either x, y ∈ V_l or x, y ∈ T_p.

We consider two disjoint sets of predicate symbols P_p and P. The set P_p denotes the *permission predicates*, where each predicate P̂ ∈ P_p is associated with a unique arity #(P̂). A *permission atom* is an expression of the form P̂(p_1, ..., p_n), with P̂ ∈ P_p, n = #(P̂) and p_1, ..., p_n ∈ T_p. P is a finite set of *spatial predicate symbols*. Each symbol P ∈ P is associated with a *spatial arity* #_l(P) ∈ N and with an *arity* #(P) ∈ N, with #(P) > #_l(P) > 0 (#_l(P) and #(P) − #_l(P) denote the number of arguments of P that are of sort l and p, respectively). A *predicate atom* is an expression of the form P(x_1, ..., x_n, p_1, ..., p_m), with n = #_l(P), n + m = #(P), x_1, ..., x_n ∈ V_l and p_1, ..., p_m ∈ T_p. A *spatial atom* is either a points-to atom or a predicate atom.

The set of *formulas* is built inductively as usual on the logical constants emp and ⊥ and on the set of spatial, equational and permission atoms, using the special connectives ∗ and ◦ and existential quantification over variables of sort l only (existential quantification over variables of sort p is not allowed). The connective ∗ is usually called *separating conjunction*, and we call ◦ the *disjoint conjunction* (it is intended to capture the disjoint union of heaps<sup>2</sup>). Formulas are taken up to associativity and commutativity of the symbols ∗ and ◦, up to the commutativity of ≈ and ≉, and up to prenex form. We denote by |φ| the size of φ. For technical convenience, we assume that the symbols ◦ and ∗ have weights 1 and 2, respectively, and that all atoms have size 1. For conciseness, a formula ∃x_1 ... ∃x_n φ will often be written ∃x φ, with x = (x_1, ..., x_n). A *permission formula* is a formula containing no spatial atoms and no equational atom of the form x ≈ y or x ≉ y with x, y ∈ V_l (note that emp is a permission formula). A formula is *spatial* if all the atoms occurring in it are spatial. A *pure formula* is a formula that contains no spatial atom (it is not necessarily a permission formula, as it may contain equations or disequations between locations). A *symbolic heap* is a formula containing no occurrence of ◦, and a ◦-*formula* is a formula containing no occurrence of ∗.

A variable x is *free* in a formula φ if it occurs in φ outside of the scope of any quantifier binding x. The set of variables (freely) occurring in a term (or formula) φ is denoted by *fv*(φ). A *substitution* is a function mapping every variable in V<sup>l</sup> to a variable in V<sup>l</sup> and every variable in V<sup>p</sup> to a term in Tp.

<sup>2</sup> The connective ◦ is called *strong separating conjunction* in [5] and written <sup>∗</sup> (whereas ∗ is written ∗ ). Our notations are mostly consistent with those in [10].

The *domain* of a substitution σ (denoted by *dom*(σ)) is the set of variables x such that σ(x) ≠ x. A substitution of domain {x_1, ..., x_n} with σ(x_i) = t_i is denoted by {x_i ← t_i | i = 1, ..., n}, or {x ← t}, with x = (x_1, ..., x_n) and t = (t_1, ..., t_n). For all formulas or terms φ, we denote by φσ the formula or term obtained from φ by replacing every free occurrence of a variable x by σ(x).
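To make these notions concrete, a substitution can be viewed as a finite map applied recursively to terms. The following Python sketch (the encoding of permission terms as nested tuples is ours, not the paper's) illustrates *dom*(σ) and φσ on permission terms:

```python
# Sketch (our own encoding): a permission term is either a variable (a string)
# or a compound term ("oplus", t1, t2); a substitution is a dict on variables.

def apply_subst(term, sigma):
    """Compute term(sigma): replace every variable by its image under sigma."""
    if isinstance(term, str):                      # a variable of V_p
        return sigma.get(term, term)
    op, t1, t2 = term                              # compound term t1 (+) t2
    return (op, apply_subst(t1, sigma), apply_subst(t2, sigma))

def dom(sigma):
    """dom(sigma): the variables that sigma does not map to themselves."""
    return {x for x, t in sigma.items() if t != x}

sigma = {"y1": ("oplus", "p", "q"), "y2": "y2"}
term = ("oplus", "y1", "y2")
```

Note that `y2` is excluded from the domain, since the map sends it to itself.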

*Semantics.* Permissions are interpreted in some permission model:

#### **Definition 1 (adapted from [10]).** *A* permission model P *is a triple*

$$(\mathcal{P}\_{\mathfrak{P}}, \oplus\_{\mathfrak{P}}, (\hat{P}\_{\mathfrak{P}})\_{\hat{P} \in \mathcal{P}\_{\mathfrak{p}}})$$

*where* P_P *is a non-empty set, called the set of* permissions*,* ⊕_P : P_P × P_P → P_P *is a binary partial function that is commutative, associative and cancellative, and* P̂_P ⊆ P_P^#(P̂) *for all* P̂ ∈ P_p*. If* π, π′ ∈ P_P*, we write* π′ ≤_P π *if* π′ = π ∨ (∃π″ ∈ P_P, π = π′ ⊕_P π″)*.*

In what follows, P always denotes a permission model. If π ∈ P_P and n ∈ N, we denote by π^n the permission π ⊕_P ... ⊕_P π (n times); note that π^n is not necessarily defined and implicitly depends on the considered permission model, which will always be clear from the context. In contrast to [10], we do not assume that a maximal "total" permission 1_P exists; we allow instead for arbitrary predicates over permissions (the total permission can be encoded as a unary predicate symbol *T*, with *T*_P = {1_P}).

*Example 2.* Assume that P_p = ∅. A simple example of a permission model is w = ({read, write}, ⊕_w, ∅), with read ⊕_w read = read, and write ⊕_w π undefined for all π ∈ {read, write}. Another example (from [4]) is f = (]0, 1], ⊕_f, ∅), where ]0, 1] denotes the interval of rational numbers strictly greater than 0 and at most 1, with π ⊕_f π′ = π + π′ if π + π′ ≤ 1, and π ⊕_f π′ undefined otherwise (f stands for *fractional*).
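The two permission models of Example 2 can be prototyped directly; in the sketch below (the encoding is ours), a partial composition is modelled as a function returning `None` when the result is undefined, and fractional permissions use exact rationals to avoid floating-point rounding:

```python
# Sketch of the permission models w and f of Example 2 (encoding ours):
# a partial binary operation returns None when the composition is undefined.
from fractions import Fraction

def oplus_w(p1, p2):
    """Model w: read (+) read = read; write combines with nothing."""
    return "read" if (p1, p2) == ("read", "read") else None

def oplus_f(p1, p2):
    """Model f over ]0, 1]: rational addition, undefined above 1."""
    s = p1 + p2
    return s if s <= 1 else None
```

Both functions are commutative and associative wherever defined, as Definition 1 requires; cancellativity holds because rational addition (resp. the one-point read model) is cancellative.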

Let L be a countably infinite set of *locations*. A *store* (for a given permission model P) is a total mapping associating every variable in V_l with an element of L and every variable in V_p with an element of P_P. A store s can be extended into a partial mapping from T_p to P_P, inductively defined as follows: s(p_1 ⊕ p_2) := s(p_1) ⊕_P s(p_2). Note that the obtained mapping is partial, since s(p_1) ⊕_P s(p_2) is not always defined. If x_1, ..., x_n are pairwise distinct variables in V_l and ℓ_1, ..., ℓ_n ∈ L, we denote by s{x_i ← ℓ_i | i = 1, ..., n} the store s′ coinciding with s on every variable not occurring in {x_1, ..., x_n} and such that s′(x_i) = ℓ_i for all i = 1, ..., n.

A *heap* (for a given permission model P) is a partial finite function from L to L* × P_P. The domain of a heap h is denoted by *dom*(h), and we denote by |h| the finite cardinality of *dom*(h). A heap of domain {ℓ_1, ..., ℓ_n} such that h(ℓ_i) = (ℓ^i_1, ..., ℓ^i_{k_i}, π_i) (for all i ∈ {1, ..., n}) will be denoted as a set {(ℓ_i, ℓ^i_1, ..., ℓ^i_{k_i}, π_i) | i = 1, ..., n}. For every heap h, we denote by *loc*(h) the set {ℓ_i | ℓ_0 ∈ *dom*(h), h(ℓ_0) = (ℓ_1, ..., ℓ_k, π), 0 ≤ i ≤ k}. A heap may be viewed as a directed (labeled) graph: the locations in *loc*(h) are the vertices of the graph, and there is an edge from ℓ to ℓ′ if h(ℓ) = (ℓ_1, ..., ℓ_n, π) and ℓ′ = ℓ_i for some i ∈ {1, ..., n}.

A *subheap* of h is any heap h′ such that *dom*(h′) ⊆ *dom*(h) and h′(ℓ) = h(ℓ) for all ℓ ∈ *dom*(h′). A p-*weakening* of h (w.r.t. some permission model P) is any heap h′ such that *dom*(h′) = *dom*(h) and, for all ℓ ∈ *dom*(h), if h(ℓ) = (ℓ_1, ..., ℓ_n, π) then h′(ℓ) = (ℓ_1, ..., ℓ_n, π′) with π′ ≤_P π. We write h′ ≤_l h (resp. h′ ≤_p h) if h′ is a subheap (resp. a p-weakening) of h. The relation ≤ denotes the composition of ≤_l and ≤_p. We write h ∼ h′ if h and h′ only differ by the permissions, i.e., *dom*(h) = *dom*(h′) and, for all ℓ ∈ *dom*(h), if h′(ℓ) = (ℓ_1, ..., ℓ_n, π′) then there exists π such that h(ℓ) = (ℓ_1, ..., ℓ_n, π).

*Example 3.* Consider the permission model f defined in Example 2, with L = N. Then

$$\begin{array}{ll} \mathfrak{h}\_0 = \{ (0,0,1,0.1), (1,0,0,0.2) \} & \mathfrak{h}\_1 = \{ (0,0,1,0.1) \} \\ \mathfrak{h}\_2 = \{ (0,0,1,0.1), (1,0,0,0.1) \} & \mathfrak{h}\_3 = \{ (1,0,0,0.1) \} \end{array}$$

are heaps, and we have, e.g., h_0(0) = (0, 1, 0.1) (meaning that the location 0 is allocated and refers to (0, 1), with permission 0.1), h_1 ≤_l h_0, h_2 ≤_p h_0, h_3 ≤_l h_2, and h_3 ≤ h_0. Moreover, h_0 ∼ h_2.
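The relations ≤_l, ≤_p and ∼ are easy to check mechanically. The sketch below (encoding ours: a heap maps each location to a pair of a record tuple and a permission; permissions come from the fractional model f, so ≤_P is comparison of exact rationals) reproduces the heaps of Example 3:

```python
# Sketch (our encoding): heaps as dicts location -> (record, permission),
# with fractional permissions represented as exact rationals.
from fractions import Fraction

def is_subheap(h1, h):            # h1 <=_l h
    return all(l in h and h[l] == h1[l] for l in h1)

def is_p_weakening(h1, h):        # h1 <=_p h, in the fractional model f
    return (h1.keys() == h.keys()
            and all(h1[l][0] == h[l][0] and h1[l][1] <= h[l][1] for l in h))

def similar(h1, h):               # h1 ~ h: equal up to permissions
    return h1.keys() == h.keys() and all(h1[l][0] == h[l][0] for l in h)

F = Fraction
h0 = {0: ((0, 1), F(1, 10)), 1: ((0, 0), F(2, 10))}
h1 = {0: ((0, 1), F(1, 10))}
h2 = {0: ((0, 1), F(1, 10)), 1: ((0, 0), F(1, 10))}
h3 = {1: ((0, 0), F(1, 10))}
```

Since ≤ is the composition of ≤_l and ≤_p, h_3 ≤ h_0 is witnessed by the intermediate heap h_2.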

Heaps can be composed using the following partial operator. If h_1, h_2 are heaps, then h_1 ⊎ h_2 is defined iff for all ℓ ∈ *dom*(h_1) ∩ *dom*(h_2), we have h_i(ℓ) = (ℓ^i_1, ..., ℓ^i_{k_i}, π_i) (for all i = 1, 2), where k_1 = k_2, ℓ^1_j = ℓ^2_j for all j ∈ {1, ..., k_1}, and π_1 ⊕_P π_2 is defined. Then h_1 ⊎ h_2 is defined as follows: if ℓ ∈ *dom*(h_i) \ *dom*(h_j) with (i, j) ∈ {(1, 2), (2, 1)} then (h_1 ⊎ h_2)(ℓ) := h_i(ℓ), and if ℓ ∈ *dom*(h_1) ∩ *dom*(h_2) then (h_1 ⊎ h_2)(ℓ) := (ℓ^1_1, ..., ℓ^1_{k_1}, π_1 ⊕_P π_2).

*Example 4.* Consider the permission model f defined in Example 2, with L = N and the following heaps:

$$\begin{array}{ll} \mathfrak{h}\_0 = \{ (0,0,0.5), (1,0,0.6) \} & \mathfrak{h}\_1 = \{ (0,0,0.5), (1,0,0.2), (2,0.1) \} \\ \mathfrak{h}\_2 = \{ (0,0,0.5), (1,0,0.6) \} & \mathfrak{h}\_3 = \{ (0,0,0.1), (1,0.1) \} \end{array}$$

Then h_0 ⊎ h_1 is defined, and we have h_0 ⊎ h_1 = {(0, 0, 1), (1, 0, 0.8), (2, 0.1)}. However, neither h_0 ⊎ h_2 nor h_0 ⊎ h_3 is defined: in the former case the permissions of location 1 cannot be combined (as 0.6 + 0.6 > 1), and in the latter case the location 1 is associated with distinct tuples, (0) and (), respectively.
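The composition operator can be sketched in a few lines; the following Python fragment (encoding ours, with the fractional model of Example 2 and exact rationals) reproduces the three cases of Example 4, returning `None` for an undefined composition:

```python
# Sketch of the partial heap composition (encoding ours): heaps map each
# location to (record, permission); fractional permissions as exact rationals.
from fractions import Fraction

def oplus_f(p1, p2):
    s = p1 + p2
    return s if s <= 1 else None

def compose(h1, h2):
    """h1 composed with h2, or None when the composition is undefined."""
    out = {}
    for l in set(h1) | set(h2):
        if l in h1 and l in h2:
            (rec1, p1), (rec2, p2) = h1[l], h2[l]
            if rec1 != rec2:          # distinct records: undefined
                return None
            p = oplus_f(p1, p2)
            if p is None:             # permissions cannot be combined
                return None
            out[l] = (rec1, p)
        else:
            out[l] = h1[l] if l in h1 else h2[l]
    return out

F = Fraction
h0 = {0: ((0,), F(5, 10)), 1: ((0,), F(6, 10))}
h1 = {0: ((0,), F(5, 10)), 1: ((0,), F(2, 10)), 2: ((), F(1, 10))}
h2 = {0: ((0,), F(5, 10)), 1: ((0,), F(6, 10))}
h3 = {0: ((0,), F(1, 10)), 1: ((), F(1, 10))}
```

The operator is commutative and associative wherever defined, as expected from the commutativity and associativity of ⊕_P.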

A *structure* (for a given permission model P) is a pair (s, h), where s is a store and h is a heap for P. It is *injective* if s is injective. A location ℓ is *allocated* in a structure (s, h) or in a heap h if ℓ ∈ *dom*(h), and a variable x is *allocated* in (s, h) if s(x) ∈ *dom*(h).

The semantics of spatial predicates is defined by inductive rules. A *set of inductive definitions* (SID) is a set of *rules* of the form P(x_1, ..., x_n, y_1, ..., y_m) ⇐ φ, where n = #_l(P), n + m = #(P), x_1, ..., x_n are pairwise distinct variables in V_l, y_1, ..., y_m are pairwise distinct variables in V_p, and φ is a formula such that *fv*(φ) ⊆ {x_1, ..., x_n, y_1, ..., y_m}. We write P(z_1, ..., z_n, p_1, ..., p_m) ⇐_R ψ iff R contains a rule P(x_1, ..., x_n, y_1, ..., y_m) ⇐ φ with ψ = φ{x_i ← z_i, y_j ← p_j | i ∈ {1, ..., n}, j ∈ {1, ..., m}}.

**Definition 5 (Semantics).** *For every permission model* P *and SID* R*, the satisfiability relation* |=_R^P *is the smallest relation between structures (for* P*) and formulas such that:*


*A structure* (s, h) *such that* (s, h) |=_R^P φ *is an* (R, P)-model *of* φ*. A formula admitting an* (R, P)*-model is* (R, P)-satisfiable*. Two formulas are* sat-equivalent *(w.r.t.* R*,* P*) if they are both* (R, P)*-satisfiable or both* (R, P)*-unsatisfiable.*

*Example 6.* The formula x →_u (y, z) ◦ x →_{u′} (y′, z′) is (R, P)-unsatisfiable, as x cannot be allocated in disjoint parts of the heap. x →_u (y) ∗ x →_{u′} (y′) ∗ y ≉ y′ is also (R, P)-unsatisfiable, as x cannot refer to two distinct records, but x →_u (y, z) ∗ x →_{u′} (y′, z′) admits the model (on the permission model f) (s, h) with s(x) = 0, s(y) = s(y′) = 1, s(z) = s(z′) = 2, s(u) = 0.5, s(u′) = 0.2 and h = {(0, 1, 2, 0.7)}.

Note that there is no logical constant ⊤ (true): no formula can be satisfied on all heaps. The constant emp is similar to ⊤, but it states that the heap is empty. For all formulas φ, ψ, we write φ |=_R^P ψ iff the implication (s, h) |=_R^P φ ⇒ (s, h) |=_R^P ψ holds for all structures (s, h), and φ ≡_R^P ψ iff we have both φ |=_R^P ψ and ψ |=_R^P φ. If φ contains no predicate symbols in P, then the truth value of φ in (s, h) does not depend on R; we thus may write (s, h) |=^P φ instead of (s, h) |=_R^P φ. If, moreover, φ is pure, then (s, h) |=^P φ holds only if h is empty. We will write s |=^P φ to state that (s, ∅) |=^P φ. Finally, if φ contains only equalities between variables, then its semantics depends on neither R nor P; we thus write s |= φ to state that (s, ∅) |=_R^P φ. Note that the semantics of φ_1 ◦ φ_2 and φ_1 ∗ φ_2 coincide if φ_1 or φ_2 is pure, and also coincide with that of the usual standard conjunction if *both* φ_1 and φ_2 are pure.

*Shorthands.* If x = (x_1, ..., x_n) and y = (y_1, ..., y_m) are sequences of variables in V_l, then x ≈ y denotes the formula ⊥ if n ≠ m and (x_1 ≈ y_1) ◦ ... ◦ (x_n ≈ y_n) otherwise. For every permission term p, we denote by *def*(p) the atom p ≈ p. By definition, (s, h) |=_R^P *def*(p) iff s(p) is defined and h = ∅.

# **3 h-Regular Systems**

We focus on SIDs of some particular form, defined below.

**Definition 7.** *A rule is* h-regular *if it is of the following form:*

$$P(x, \mathfrak{y}) \Leftarrow \exists u\_1, \ldots, u\_n \left(x \xrightarrow{p} (v\_1, \ldots, v\_k) \circ Q\_1(u\_1, \mathfrak{y}\_1) \circ \cdots \circ Q\_n(u\_n, \mathfrak{y}\_n) \circ \phi\right)$$

*where* {u_1, ..., u_n} ⊆ {v_1, ..., v_k}*,* y_i *is a vector of variables*<sup>3</sup>*,* Q_i ∈ P *and* φ *is pure. We assume by* α*-renaming that* x, y *do not occur in* {u_1, ..., u_n}*. A SID* R *is* h-regular *if all the rules in* R *are* h*-regular.*

Note that the right-hand side formula contains only the disjoint conjunction ◦ and not the usual separating conjunction ∗. As we will see (Theorem 33), this is crucial for the decidability of the satisfiability problem. However, as already observed in [5], it is also justified from a practical point of view. Assume for instance that we want to define the predicate lseg introduced in [10], denoting a list segment from x to y with some permission z. The following rules can be used<sup>4</sup>: lseg(x, y, z) ⇐ x →_z (y) and lseg(x, y, z) ⇐ ∃u (x →_z (u) ◦ lseg(u, y, z)). A structure (s, h) satisfies lseg(x, y, z) iff h = {(ℓ_i, ℓ_{i+1}, s(z)) | i = 1, ..., n} with n > 0, s(x) = ℓ_1, s(y) = ℓ_{n+1} and ℓ_i ≠ ℓ_j if i ≠ j and i, j ∈ {1, ..., n}. This fits in with the definition in [10] (except that n > 0). In contrast, if one uses instead the connective ∗, i.e., lseg(x, y, z) ⇐ ∃u (x →_z (u) ∗ lseg(u, y, z)), then one could obtain models where the list "loops" on itself an arbitrary number of times, such as, for instance, (s, {(s(x), s(x), p)}), with s(y) = s(x) and p = s(z)^n, for any n > 0 such that s(z)^n is defined. In the former definition, s(y) possibly occurs in {ℓ_1, ..., ℓ_n}, but each location can only be allocated once.
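The contrast between the two readings can be illustrated concretely. The sketch below (encoding ours, not the paper's) unfolds the two h-regular lseg rules to build a segment of n pairwise distinct cells, with the ◦ connective reflected by the check that no cell is allocated twice; `perm_power` computes the permission s(z)^n that the ∗-based looping models would carry:

```python
# Sketch (our encoding): models of lseg under the disjoint conjunction, and
# the n-fold permission sum arising from the *-based looping models.
from fractions import Fraction

def lseg_model(n, perm):
    """Heap for lseg(x, y, perm) with s(x) = 1, s(y) = n + 1 and cells 1..n."""
    assert n > 0, "h-regular rules generate non-empty segments"
    heap = {}
    for i in range(1, n + 1):
        assert i not in heap          # disjoint conjunction: allocate once
        heap[i] = ((i + 1,), perm)    # cell i points to cell i + 1
    return heap

def perm_power(p, n):
    """p^n in the fractional model f, or None when undefined."""
    acc = p
    for _ in range(n - 1):
        acc = None if acc is None else (acc + p if acc + p <= 1 else None)
    return acc
```

With ∗ in place of ◦, the looping structure {(s(x), s(x), p)} with s(y) = s(x) would also be a model whenever p = perm_power(s(z), n) is defined, which is exactly what the disjointness check above rules out.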

Intuitively, h-regular sets of inductive rules generate heaps with a regular structure (in the sense that it may be represented by a tree automaton [9]), enriched with some additional edges (referring to the nodes corresponding to the variables passed as parameters to the spatial predicates at some recursive calls). These additional edges may refer to locations corresponding to free variables (e.g., the root of the structure), but also to existential variables (for instance, they may refer to the parent node in the tree). h-Regular SIDs are related to the PCE systems introduced in [13] (for **p**rogressing, **c**onnected and **e**stablished), extended to formulas with permissions, but our conditions are slightly stronger, because we require that every existential variable be allocated at the next recursive call. Note that structures with mixed permissions are allowed; for instance,

<sup>3</sup> i.e., compound permission terms are not allowed in predicate atoms.

<sup>4</sup> As h-regular rules allocate exactly one location, we assume that the segment is non-empty; the case of an empty segment must be handled separately.

the rules P(x, z_1, z_2) ⇐ x →_{z_1} () and P(x, z_1, z_2) ⇐ ∃u (x →_{z_1} (u) ◦ P(u, z_2, z_1)) define a list with permissions alternating between z_1 and z_2. Rules with compound permission terms in points-to or permission atoms are allowed (such as P(x, y_1, y_2) ⇐ x →_{y_1 ⊕ y_2} () ◦ *def*(y_1 ⊕ y_1)), but not those with compound permission terms in spatial predicate atoms<sup>5</sup> (e.g., P(x, y_1, y_2) ⇐ x →_{y_1} () ◦ Q(x, y_1 ⊕ y_2) is *not* h-regular).

For every quantifier-free formula φ, we denote by *roots*(φ) the set of variables x (called the *roots of* φ) inductively defined as follows: *roots*(x →_p (y_1, ..., y_k)) := {x}, *roots*(P(x, y_1, ..., y_k)) := {x}, *roots*(∃y φ) = *roots*(φ) \ {y}, *roots*(φ) = ∅ if φ is pure, and *roots*(φ_1 ∗ φ_2) = *roots*(φ_1 ◦ φ_2) = *roots*(φ_1) ∪ *roots*(φ_2). By Definition 7, roots are always allocated:
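The inductive definition of *roots* translates directly into a recursive traversal. The sketch below uses our own tuple-based AST encoding (the tags and argument layout are ours, not the paper's):

```python
# Sketch (our own AST encoding): formulas as nested tuples tagged by the
# top-most construct; roots(phi) follows the inductive definition above.
def roots(phi):
    tag = phi[0]
    if tag == "pointsto":             # ("pointsto", x, p, targets)
        return {phi[1]}
    if tag == "pred":                 # ("pred", P, x, other_args)
        return {phi[2]}
    if tag == "exists":               # ("exists", y, body)
        return roots(phi[2]) - {phi[1]}
    if tag in ("star", "circ"):       # ("star"/"circ", phi1, phi2)
        return roots(phi[1]) | roots(phi[2])
    return set()                      # pure formulas have no roots

phi = ("circ",
       ("pointsto", "x", "p", ("y",)),
       ("pred", "lseg", "y", ("z", "p")))
```

On this example both x and y are roots; quantifying y existentially removes it from the set.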

**Proposition 8.** *Let* R *be an* h*-regular SID. If* (s, h) |=_R^P φ *and* x ∈ *roots*(φ)*, then* s(x) ∈ *dom*(h)*. Consequently, every formula of the form* φ_1 ◦ φ_2 *with* *roots*(φ_1) ∩ *roots*(φ_2) ≠ ∅ *is* (R, P)*-unsatisfiable.*

The conditions in Definition 7 are actually not sufficient to ensure that the satisfiability problem is decidable:

**Theorem 9.** *If there exist (not necessarily distinct) permissions* π_1, π_2 ∈ P_P *such that* π_1 ⊕_P π_2 *is defined, then the* (R, P)*-satisfiability problem is undecidable for* h*-regular SIDs* R*.*

To ensure decidability, we need to further restrict the way existential variables are passed as parameters during recursive calls. This is the goal of the next definition.

**Definition 10.** *Assume that* R *is* h*-regular. Given two spatial predicates* P *and* Q*, of arities* n *and* m *respectively, we write* P ⋈_R Q *if* P(x, x_1, ..., x_{n−1}) ∗ Q(x, y_1, ..., y_{m−1}) *is* (R, P)*-unsatisfiable*<sup>6</sup> *(where* x_1, ..., x_{n−1}, y_1, ..., y_{m−1} *denote pairwise distinct variables of the appropriate sorts). We denote by* γ_R *the function associating every predicate symbol* P *of spatial arity* n *with a subset of* {2, ..., n}*, inductively defined as follows: for every rule* P(x_1, ..., x_n, u) ⇐ ∃y_1, ..., y_m φ *in* R*, for every predicate atom* Q(z_1, ..., z_k, u_k) *in* φ *with* #_l(Q) = k *and for all* i ∈ {2, ..., k}*:*

*1.* z_i ∈ {y_1, ..., y_m} ⇒ i ∈ γ_R(Q)*.*
*2.* z_i ∈ {x_j | j ∈ γ_R(P)} ⇒ i ∈ γ_R(Q)*.*

<sup>5</sup> Otherwise the unfolding of spatial predicates could yield terms of arbitrary depth.

<sup>6</sup> In practice, as this condition is hard to test, some stronger syntactic condition can be tested instead; for instance, one can check that all the formulas φ and φ′ such that P(x, x_1, ..., x_{n−1}) ⇐_R φ and Q(x, y_1, ..., y_{m−1}) ⇐_R φ′ are of the form φ = (x → (u) ◦ ψ) and φ′ = (x → (u′) ◦ ψ′) with |u| ≠ |u′| (this condition is used in Theorem 33 and for the Exptime-hardness proof in Theorem 32). More generally, it is sufficient to test that the "shapes" of the structures generated by P and Q, up to a certain fixed unfolding depth, are incompatible.

*Let* P′ *be a subset of* P *such that: (3)* P ∈ P′ ⇒ γ_R(P) = ∅*; and (4)* P ∈ P′ ∧ Q ∈ P \ P′ ⇒ P ⋈_R Q*. An* h*-regular rule is* ∃-restricted *(w.r.t.* R *and* P′*) if it satisfies the following condition (using the notations of Definition 7):*

*5.* ∀i ∈ {1, ..., n} ∀j ∈ {1, ..., n} (u_i ∈ y_j ⇒ Q_i ∈ P′)*.*

*A SID* R *is* ∃-restricted *if all the rules in* R *are* ∃*-restricted.*

Conditions 1 and 2 in Definition 10 are meant to ensure that γ_R(P) denotes the indices of the parameters of P that may (but do not have to) be instantiated by some existential variable introduced during the unfolding of the inductive rules in R (the other parameters may only be instantiated by variables occurring in the initial formula). Condition 1 corresponds to a base case, where an existential variable is passed as a parameter to a predicate symbol, and Condition 2 handles the inductive case, where the variable is carried through recursive calls<sup>7</sup>. Then, Condition 5 ensures that an existential variable may only be passed as a parameter to a predicate symbol if it is the root of a structure defined by an atom Q_i(u_i, y_i) containing no variables introduced by unfolding (by Condition 3).

*Example 11.* The rules of the predicate lseg are ∃-restricted (with P′ = ∅). Indeed, they contain only one existential variable u, which occurs only as the first argument of a predicate; hence Condition 5 in Definition 10 trivially holds. If R contains no other rule, then γ_R(lseg) = ∅. Note that γ_R(lseg) depends on the entire set R. For instance, if R contains a rule P(x, y) ⇐ ∃u (x →_y (u) ◦ lseg(u, u, y)), then the second argument of lseg may be instantiated by an existential variable, hence γ_R(lseg) = {2}, and the latter rule is not ∃-restricted. On the other hand, the rules Q(x, y) ⇐ x →_y () and R(x, y) ⇐ ∃u, v (x →_y (u, v) ◦ lseg(u, v, y) ◦ Q(v, y)) are ∃-restricted, with P′ = {Q}. Indeed, the variable u occurs only at the root of a predicate, and the variable v is the root of Q(v, y). Note that lseg(x, y, z) ∗ Q(x, u) and R(x, y) ∗ Q(x, u) are (R, P)-unsatisfiable, thus lseg ⋈_R Q and R ⋈_R Q.
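The least-fixpoint reading of Conditions 1 and 2 can be prototyped directly. The sketch below (encoding ours: a rule lists its head predicate, formal location parameters, existential variables, and the predicate atoms of the body restricted to their location arguments) recomputes the two situations of Example 11:

```python
# Sketch (our encoding): least-fixpoint computation of gamma_R from
# Conditions 1 and 2 of Definition 10, over location parameters only.
def gamma(rules):
    g = {P: set() for P, _, _, _ in rules}
    for _, _, _, atoms in rules:
        for Q, _ in atoms:
            g.setdefault(Q, set())
    changed = True
    while changed:                     # iterate Conditions 1-2 to a fixpoint
        changed = False
        for P, xs, ys, atoms in rules:
            for Q, zs in atoms:
                for i, z in enumerate(zs[1:], start=2):   # indices 2..k
                    if z in ys or z in {xs[j - 1] for j in g[P]}:
                        if i not in g[Q]:
                            g[Q].add(i)
                            changed = True
    return g

lseg_rules = [
    ("lseg", ["x", "y"], [], []),                        # base case
    ("lseg", ["x", "y"], ["u"], [("lseg", ["u", "y"])]),  # recursive case
]
extra = ("P", ["x"], ["u"], [("lseg", ["u", "u"])])       # the offending rule
```

With the two lseg rules alone the fixpoint is empty; adding the extra rule puts index 2 into γ_R(lseg), as in the example.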

Intuitively, the structures generated by ∃-restricted rules are regular tree-shaped structures, enriched with two kinds of additional edges: (i) a *bounded* number of *arbitrary* edges (corresponding to free variables, which may be freely passed as arguments to any predicate, and thus may be referred to in an arbitrary way); (ii) an *unbounded* number of other edges (corresponding to existential variables), which are only allowed to point to structures that contain no edge of type (ii). Condition 4 ensures that the structures containing only edges of type (i) do not overlap with those containing both kinds of edges. Note that the conditions of Definition 10 always hold if the existential variables occur only

<sup>7</sup> For generality, one could assume that all the equalities occurring in the rules are propagated before γ<sup>R</sup> is computed (so that existential variables are eliminated if they are equal to a free variable), but this is not essential for our purposes hence the corresponding formal definitions are omitted.

as roots (with P⁻ = P or P⁻ = ∅). In this case there is no edge of type (ii), i.e., the obtained structures are regular sets of trees with a bounded number of additional edges (for instance trees with pointers to the root, or cyclic lists). Note that doubly linked lists cannot be captured (as they contain an unbounded number of additional edges from every node to the previous one). In the following we devise an algorithm to test the (R, P)-satisfiability of symbolic heaps when R is ∃-restricted.

# **4 A Decision Procedure for Testing Satisfiability**

Before entering into technical details we start with a general overview of the procedure for testing satisfiability (assuming the considered SID is ∃-restricted).


In the next subsections, each of these steps is explained in detail.

#### **4.1 Normalization**

We first show that every formula can be transformed into an equivalent formula (that we call *normalized*) in which every allocated variable occurs as a root:

**Definition 12.** *A formula* φ *is* normalized *if it is of the form* ∃x ψ *where* ψ *is quantifier-free and for all spatial atoms* δ *in* ψ*, for all* (R, P)*-models* (s, h) *of* δ *and for all variables* y ∈ *fv*(ψ)*:* s(y) ∈ *dom*(h) ⇐⇒ y ∈ *roots*(ψ)*.*

For instance, lseg(x, y, z) is not normalized, because y may be allocated (e.g., if s(x) = s(y)) and does not occur in *roots*(lseg(x, y, z)) = {x}. To enforce this condition, we introduce new predicate symbols (called *derived predicates*), the rules of which can be automatically computed from those of the predicates already occurring in this formula. We first define predicate symbols that ensure that some given variable is not allocated.

**Definition 13.** *For all predicate atoms* P(x, p) *(where* x *and* p *are vectors of location variables and permission terms, respectively) and for all location variables* v*, we denote by* P(x, p)[v]⁻ *any atom of the form* Q(x, v, p)*, where* Q *is a fresh predicate symbol, associated with the rules:*

$$Q(\mathfrak{y}, w, \mathfrak{z}) \Leftarrow \exists \mathfrak{u}\, \left( Q_1(\mathfrak{y}_1, \mathfrak{p}_1)[w]^- \circ \dots \circ Q_m(\mathfrak{y}_m, \mathfrak{p}_m)[w]^- \circ \phi \circ \mathfrak{y}|_1 \not\simeq w \right)$$

*for all rules* P(y, z) ⇐ ∃u (Q₁(y₁, p₁) ◦ ... ◦ Q_m(y_m, p_m) ◦ φ) *in* R *(up to AC), where* y, y_i *are vectors of location variables,* z*,* p_i *are vectors of permission variables, and* φ *contains no predicate atom.*

For instance lseg(x, y, z)[u]⁻ is a predicate atom Q(x, y, u, z) defined by the following rules: {Q(x, y, u, z) ⇐ ∃x′ (x ↦^z (x′) ◦ Q(x′, y, u, z) ◦ x ≄ u), Q(x, y, u, z) ⇐ x ↦^z (y) ◦ x ≄ u}. It denotes a list segment from x to y not allocating u. The following result is straightforward to prove:

**Proposition 14.** *For every* ∃*-restricted SID* R*, the set* R *enriched with the rules associated with the predicate* Q *corresponding to* P(x, p)[v]⁻ *in Definition 13 is* ∃*-restricted, with* γ_R(Q) = γ_R(P) *and* Q ∈ P⁻ ⟺ P ∈ P⁻*.*

Intuitively the structures that satisfy P(x, p)[v]⁻ are exactly those that satisfy P(x, p) and do not allocate v:

**Lemma 15.** *For all* h*-regular SIDs* R*,* (s, h) ⊨^P_R P(x, p)[v]⁻ *iff* (s, h) ⊨^P_R P(x, p) *and* s(v) ∉ *dom*(h)*.*

The operator δ ↦ δ[x]⁻ can be applied recursively, e.g., one can consider atoms of the form δ[x]⁻[y]⁻, etc. For all predicate atoms δ, we denote by *unalloc*(δ) the set of variables inductively defined as follows: *unalloc*(δ[x]⁻) ≝ {x} ∪ *unalloc*(δ), and *unalloc*(δ) ≝ ∅ if δ is not of the form δ′[x]⁻. The following proposition is an immediate consequence of Lemma 15:

**Proposition 16.** *If* (s, h) ⊨^P_R δ *then* s(x) ∉ *dom*(h)*, for all* x ∈ *unalloc*(δ)*.*
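The inductive definition of *unalloc* above can be transcribed directly. The sketch below is ours, for illustration only: an atom δ[x]⁻ is encoded as a nested tuple ('minus', x, δ), and anything else is treated as a plain predicate atom.

```python
def unalloc(atom):
    """Collect the variables v1,...,vk such that atom = delta[v1]-...[vk]-.

    An atom delta[x]- is encoded as ('minus', x, delta); any other value
    is treated as a plain predicate atom, for which unalloc is empty.
    """
    if isinstance(atom, tuple) and atom[0] == 'minus':
        _, x, inner = atom
        return {x} | unalloc(inner)
    return set()

# lseg(x, y, z)[u]-[v]-  has  unalloc = {u, v}
delta = ('minus', 'v', ('minus', 'u', 'lseg(x,y,z)'))
```

By Proposition 16, in any model of `delta` none of the variables returned by `unalloc(delta)` is allocated.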

Next, we define predicate symbols allowing one to remove some part of a structure. Intuitively, the expression (φ −−• ψ) will hold exactly in the structures that satisfy ψ when a disjoint structure satisfying φ is added. For instance, given the rules tree(x, y) ⇐ ∃x₁, x₂ (x ↦^y (x₁, x₂) ◦ tree(x₁, y) ◦ tree(x₂, y)) and tree(x, y) ⇐ x ↦^y (), the atoms tree(z, y) and tree(x, y) denote binary trees with roots z and x, respectively, and tree(z, y) −−• tree(x, y) denotes a tree of root x with a "hole" at z (the structures satisfying tree(z, y) −−• tree(x, y) are obtained from models of tree(x, y) by removing the part of the heap that corresponds to tree(z, y)). The formula φ −−• ψ is similar to the *strong magic wand* introduced in [17] and to the *context predicates* in [12], and also close in spirit to the separating implication of SL, although the semantics are slightly different.

**Definition 17.** *For all finite sequences of predicate atoms* P_i(x_i, p_i) *(with* i = 0,...,n*), where* x_i *and* p_i *are vectors of location variables and permission terms, respectively, we denote by* (P₁(x₁, p₁) ◦ ... ◦ P_n(x_n, p_n)) −−• P₀(x₀, p₀) *any atom* P(x, p) *with* x = x₀ · ... · x_n*,* p = p₀ · ... · p_n*, and such that* P = P₀ *if* n = 0 *and otherwise* P *is a fresh symbol associated with rules of the form*

$$P(\mathfrak{y}, \mathfrak{z}) \Leftarrow \exists \mathfrak{w}\, \left(\psi_1 \circ \ldots \circ \psi_m \circ \phi\right)$$

*for all rules*

$$P_0(\mathfrak{y}_0, \mathfrak{z}_0) \Leftarrow \exists \mathfrak{w}\, \left( Q_1(\mathfrak{u}_1, \mathfrak{q}_1) \circ \dots \circ Q_m(\mathfrak{u}_m, \mathfrak{q}_m) \circ \phi \right)$$

*in* R *and for all decompositions* α₁ ◦ ... ◦ α_m = P₁(y₁, z₁) ◦ ... ◦ P_n(y_n, z_n) *(up to AC, where the* α_i*'s may be empty), where:*

	- *either* ψ_i = α_i −−• Q_i(u_i, q_i)*;*
	- *or* ψ_i = (y_j ≃ u_i ◦ z_j ≃ q_i)*, if* α_i = P_j(y_j, z_j) *and* P_j = Q_i*.*

For instance tree(z,y) −−• tree(x, y) denotes an atom <sup>P</sup>(x, z, y, y) with the rules:

$$\begin{split} P(x,z,y_{1},y_{2}) &\Leftarrow \exists x_{1},x_{2}\ (x \xhookrightarrow{y_{1}} (x_{1},x_{2}) \circ P(x_{1},z,y_{1},y_{2}) \circ \mathtt{tree}(x_{2},z,y_{1})) \\ P(x,z,y_{1},y_{2}) &\Leftarrow \exists x_{1},x_{2}\ (x \xhookrightarrow{y_{1}} (x_{1},x_{2}) \circ \mathtt{tree}(x_{1},z,y_{1}) \circ P(x_{2},z,y_{1},y_{2})) \\ P(x,z,y_{1},y_{2}) &\Leftarrow \exists x_{1},x_{2}\ (x \xhookrightarrow{y_{1}} (x_{1},x_{2}) \circ x_{1} \simeq z \circ y_{1} \simeq y_{2} \circ \mathtt{tree}(x_{2},z,y_{1})) \\ P(x,z,y_{1},y_{2}) &\Leftarrow \exists x_{1},x_{2}\ (x \xhookrightarrow{y_{1}} (x_{1},x_{2}) \circ \mathtt{tree}(x_{1},z,y_{1}) \circ x_{2} \simeq z \circ y_{1} \simeq y_{2}) \end{split}$$

For readability, all the expressions of the form emp −−• tree(x₂, z, y₁) have been replaced by tree(x₂, z, y₁). Note that the rules are not h-regular, as x₁ and x₂ do not occur as roots in every rule, but they can easily be transformed into h-regular rules by replacing x₁ and x₂ by z in the third and fourth rules, respectively (using the equations x₁ ≃ z and x₂ ≃ z). The definition can be applied recursively (i.e., P₀,...,P_n may be derived predicates). The next proposition is an immediate consequence of Definition 17:

**Proposition 18.** *Let* R *be an* h*-regular SID. The rules associated with any predicate* P *corresponding to an expression* α −−• δ *(Definition 17) are* h*-regular, up to the following equivalence:* ∃x (x ≃ y ◦ φ) ≡^P_R φ{x ← y}*. Moreover, the rules are also* ∃*-restricted, with* γ_R(P) = γ_R(P₀) *and* P ∈ P⁻ ⟺ P₀ ∈ P⁻*. Finally, if* α = emp *then* (α −−• δ) = δ*.*

Note that, however, the implication P ∈ P⁻ ∧ Q ∈ P \ P⁻ ⟹ P ⋈_R Q (Condition 4 in Definition 10) does *not* necessarily hold for derived predicates P, Q. The following lemma states a form of modus ponens, relating the connective ◦ with −−•:

**Lemma 19.** *If* R *is* h*-regular then* P(x, p) ◦ ((P(x, p) ◦ α) −−• Q(y, q)) ⊨^P_R α −−• Q(y, q)*.*

The next lemma states that every predicate atom allocating x can be written as a ◦-formula in which x occurs as a root.

**Lemma 20.** *Assume that* R *is* ∃*-restricted. Let* y, p *be vectors of location variables and permission terms, respectively. If* (s, h) ⊨^P_R Q(y, p)*,* s(x) ≠ s(y|₁) *and* s(x) ∈ *dom*(h)*, then there exist atoms of the form* P(x, z, q)*,* P_i(x_i, y_i, q_i) *(with* i ∈ {1,...,n}*), where* z ⊆ y ∪ {x₁,...,x_n}*,* y_i ⊆ {y|_j | j ∈ γ_R(Q)}*,* q ⊆ p *and* q_i ⊆ p*, such that:* (s, h) ⊨^P_R ∃x₁,...,x_n (β ◦ (β −−• Q(y, p)))*, with* β = P(x, z, q) ◦ P₁(x₁, y₁, q₁) ◦ ... ◦ P_n(x_n, y_n, q_n)*. Moreover,* P_i ∈ P⁻*,* {x₁,...,x_n} ⊆ (x, z)|_{γ_R(P)} *and* y ∈ y ∩ z ∧ y ∈ {y|_j | j ∈ γ_R(Q)} ⟹ y ∈ (x, z)|_{γ_R(P)}*.*

Intuitively, since x is allocated and the rules are h-regular, some predicate atom of the form P(x, z, q) must be called at some point during the unfolding of the rules. Using −−•, this predicate can be removed from the call tree of Q(y, p) and lifted to the root level in the formula. The atom P(x, z, q) may contain variables not occurring in Q(y, p), corresponding to existential variables introduced by unfolding. As the rules are ∃-restricted, all such variables x_i must themselves appear as the root of some predicate atom P_i(x_i, y_i, q_i) which contains (besides x_i) only variables occurring in Q(y, p) (since γ_R(P_i) = ∅, due to Condition 5 in Definition 10). Again, these atoms can be moved to the root level.

**Definition 21.** *For all predicate atoms* δ = Q(y, p)*, we denote by* δ[x]⁺ *the set of formulas of the form* ∃x₁,...,x_n (β ◦ (β −−• Q(y, p))) *as defined in Lemma 20. We also denote by* δ[x]⁼ *the formula:* δ ◦ (x ≃ y|₁)*.*

For every model of δ: δ[x]⁻ holds if x is not allocated in δ, δ[x]⁼ holds if x is equal to the root of δ, and δ[x]⁺ holds if x is allocated but is not the root of δ. The following result follows immediately from Lemmata 19 and 20:

**Lemma 22.** *Assume that* R *is* ∃*-restricted. Let* x ∈ V_l*. For every predicate atom* δ *such that* x ∉ *roots*(δ)*, and for all structures* (s, h)*:* (s, h) ⊨^P_R δ *iff there exists* ψ ∈ {δ[x]⁻, δ[x]⁼} ∪ δ[x]⁺ *such that* (s, h) ⊨^P_R ψ*.*

For instance the atom lseg(x, y, z) holds iff one of the formulas lseg(x, y, z) ◦ x ≃ y, lseg(x, y, z)[y]⁻ or lseg(y, y, z) ◦ (lseg(y, y, z) −−• lseg(x, y, z)) holds. The second formula corresponds to the case where y is not allocated, and the first and third ones correspond to the case where there is a loop on y. By repeatedly applying Lemma 22 to every variable x and atom δ we eventually obtain a disjunction of normalized formulas:

**Lemma 23.** *Let* R *be an* ∃*-restricted SID. There exists an algorithm transforming any symbolic heap* φ *containing no points-to atom into a set of normalized formulas* Ψ *such that for all structures* (s, h)*:* (s, h) ⊨^P_R φ *iff there exists* ψ ∈ Ψ *such that* (s, h) ⊨^P_R ψ*. Furthermore, every formula in* Ψ *is a (quantified) separating conjunction of* ◦*-formulas.*

#### **4.2 Commuting Separating and Disjoint Connections**

The next step consists in showing that – under some particular conditions enforced by the previous transformation – the operator ∗ can be pushed innermost in the formula (below the operator ◦). To this end, we exploit an essential property of h-regular SIDs, namely that all the locations that occur in the heap of some model of a formula φ but are not allocated correspond to a variable in *fv*(φ). We shall denote by *cut*(L, L′, h) the set of locations reachable from L in h via a path not crossing L′:

**Definition 24.** *Let* h *be a heap, let* L, L′ ⊆ L*. We denote by cut*(L, L′, h) *the set of locations inductively defined as follows:* L ⊆ *cut*(L, L′, h)*, and if* ℓ ∈ *cut*(L, L′, h)*,* h(ℓ) = (ℓ₁,...,ℓ_k, π)*,* i ∈ {1,...,k} *and* ℓ_i ∉ L′ *then* ℓ_i ∈ *cut*(L, L′, h)*.*
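This inductive definition is a plain reachability fixpoint, which can be computed with a worklist. The sketch below is ours, under the assumption that a heap is encoded as a dict mapping each allocated location to a tuple whose last component is the permission π (ignored for reachability):

```python
def cut(L, L2, h):
    """Locations reachable from L in heap h without crossing L2.

    h maps each allocated location to a tuple (l1, ..., lk, pi);
    the permission pi (last component) plays no role here.
    """
    reached = set(L)
    worklist = list(L)
    while worklist:
        loc = worklist.pop()
        if loc in h:
            *succs, _pi = h[loc]          # drop the permission component
            for s in succs:
                if s not in L2 and s not in reached:
                    reached.add(s)
                    worklist.append(s)
    return reached
```

For example, with h = {1: (2, 3, π), 2: (4, π)}, cut({1}, {3}, h) = {1, 2, 4}: location 3 is blocked by L′, while 4 remains reachable through 2.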

The following lemma characterizes the domain of the part of the heap satisfying some formula φ:

**Lemma 25.** *Let* R *be an* h*-regular SID and let* φ *be a* ◦*-formula containing no quantifier. Let* s *be a store and let* h, h′ *be heaps, with* h′ ≤ h*. Let* V *be a set of variables, with fv*(φ) ⊆ V ∪ *roots*(φ) *and* s(V) ∩ *dom*(h′) = ∅*. If* (s, h′) ⊨^P_R φ *then dom*(h′) = *cut*(s(*roots*(φ)), s(V), h)*.*

The commutation property, pushing ∗ below ◦, is given by Lemma 26:

**Lemma 26.** *Let* R *be an* h*-regular SID. Let* V ⊆ V_l *and let* φ *be a normalized formula of the form* φ = φ′ ◦ ((φ₁ ◦ ψ₁) ∗ ... ∗ (φ_n ◦ ψ_n) ∗ ψ′)*, where, for all* i ∈ {1,...,n}*, roots*(φ_i) = V *and* (*roots*(ψ_i) ∪ *roots*(ψ′)) ∩ V = ∅*. Then* φ *is* (R, P)*-satisfiable iff* (φ′ ◦ (φ₁ ∗ ... ∗ φ_n)) ◦ ((ψ₁ ∗ ... ∗ ψ_n) ∗ ψ′) *is* (R, P)*-satisfiable.*

Roughly speaking, as *roots*(φ_i) = V and φ_i is normalized, it is possible to prove, using the characterization given in Lemma 25, that the parts of the heap that correspond to the formulas φ_i all have the same domain. This entails that the heaps corresponding to the formulas ψ_i and φ_j are disjoint, which makes it possible to prove that (φ₁ ◦ ψ₁) ∗ ... ∗ (φ_n ◦ ψ_n) can be written (φ₁ ∗ ... ∗ φ_n) ◦ (ψ₁ ∗ ... ∗ ψ_n), yielding the result.

#### **4.3 Merging of Spatial Predicates**

We show that, under some particular conditions, it is possible to replace the separating conjunction of two spatial atoms having the same root by a single spatial atom. The rules defining this atom are obtained by combining the rules of the two initial atoms. More precisely, consider any h-regular SID R and two spatial atoms P(x, y, p) and P′(x, y′, p′) sharing the same root x, where y, y′ are vectors of location variables and p, p′ are vectors of permission terms. We denote by P(x, y, p) ∇ P′(x, y′, p′) any atom Q(x, y, y′, p, p′) where Q is associated with rules of the form:

$$\begin{aligned} Q(v, \mathfrak{w}, \mathfrak{w}', \mathfrak{z}, \mathfrak{z}') \Leftarrow \exists u_1, \dots, u_n\ \big( &v \stackrel{q}{\mapsto} (v_1, \dots, v_k) \\ &\circ \bigcirc_{i=1}^n (Q_i(u_i, \mathfrak{y}_i, \mathfrak{q}_i) \nabla Q'_i(u_i, \mathfrak{y}'_i, \mathfrak{q}'_i)) \circ \phi \circ \phi' \circ \psi \big) \end{aligned}$$

with q ≝ p ⊕ p′, for all pairs of rules of the following forms in R (with the same numbers k and n, and up to α-renaming, so that the rules share the same existential variables):

$$\begin{array}{ll} P(v, \mathfrak{w}, \mathfrak{z}) & \Leftarrow \exists u_1, \ldots, u_n\ \ v \stackrel{p}{\mapsto} (v_1, \ldots, v_k) \circ \bigcirc_{i=1}^n Q_i(u_i, \mathfrak{y}_i, \mathfrak{q}_i) \circ \phi \\ P'(v, \mathfrak{w}', \mathfrak{z}') & \Leftarrow \exists u_1, \ldots, u_n\ \ v \stackrel{p'}{\mapsto} (v'_1, \ldots, v'_k) \circ \bigcirc_{i=1}^n Q'_i(u_i, \mathfrak{y}'_i, \mathfrak{q}'_i) \circ \phi' \end{array}$$

where ψ = (v₁ ≃ v′₁) ◦ ... ◦ (v_k ≃ v′_k). Note that all the produced rules are h-regular<sup>8</sup>.

**Lemma 27.** *Let* R *be an* h*-regular SID. Let* x ∈ V_l *and let* (s, h) *be a structure such that* s(y) ∉ *dom*(h) *holds for all variables* y *such that* s(x) ≠ s(y)*. Then* (s, h) ⊨^P_R P(x, y, p) ∇ P′(x, y′, p′) ⟺ (s, h) ⊨^P_R P(x, y, p) ∗ P′(x, y′, p′)*.*

The result crucially depends on the fact that the parts of the heap that correspond to P(x, y, p) and P′(x, y′, p′) respectively must share the same domain, since otherwise, as R is h-regular, a free variable would be allocated, contradicting the hypothesis. This ensures that the heap can be generated by the above rules.

#### **4.4 Heap Abstractions and Main Result**

As we shall see later, the previous transformations can be used to transform any symbolic heap into a ◦-formula (while preserving satisfiability). The final step is to devise an algorithm to test the satisfiability of ◦-formulas. As is done in [6] for standard heap models, the algorithm works by constructing relevant abstractions of the models of the predicate atoms. It suffices to keep track of the truth value of the equational atoms, of the allocated variables and of the permission atoms satisfied by the structure.

<sup>8</sup> However <sup>∃</sup>-restrictedness is not necessarily preserved.

**Definition 28.** *A* heap abstraction *is a tuple* a = (Va, ∼a, Aa, ρa) *where* V<sup>a</sup> *is a finite set of variables,* <sup>∼</sup><sup>a</sup> *is an equivalence relation on the variables of sort* <sup>l</sup> *occurring in* Va*,* A<sup>a</sup> *is a subset of* Va∩Vl*, closed under* ∼<sup>a</sup> *(i.e., for all* x, y ∈ Vl*:* x ∈ A<sup>a</sup> ∧ x ∼<sup>a</sup> y =⇒ y ∈ Aa*), and* ρ<sup>a</sup> *is a permission formula (with variables in* Va*).*

**Definition 29.** *Let* (s, h) *be a structure and let* a = (Va, ∼a, Aa, ρa) *be a heap abstraction. We write* (s, <sup>h</sup>) <sup>|</sup>=<sup>P</sup> <sup>a</sup> *if all the following conditions are satisfied: (i) For all variables* x, y ∈ V<sup>a</sup> ∩ Vl*:* x ∼<sup>a</sup> y ⇐⇒ s(x) = s(y)*; (ii) for all* <sup>x</sup> <sup>∈</sup> <sup>V</sup><sup>a</sup> ∩ Vl*,* <sup>x</sup> <sup>∈</sup> <sup>A</sup><sup>a</sup> ⇐⇒ <sup>s</sup>(x) <sup>∈</sup> *dom*(h)*; and (iii)* <sup>s</sup> <sup>|</sup>=<sup>P</sup> <sup>ρ</sup>a*. A heap abstraction is* <sup>P</sup>-satisfiable *if there exists a structure* (s, <sup>h</sup>) *such that* (s, <sup>h</sup>) <sup>|</sup>=<sup>P</sup> <sup>a</sup>*.*
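Conditions (i)–(iii) of Definition 29 translate directly into a finite check. The sketch below is ours, for illustration: it assumes all variables in V_a are location variables, encodes ∼_a as a set of pairs, and abstracts the permission check s ⊨^P ρ_a as a callback, since it depends on the permission model P.

```python
def models_abstraction(s, h, a, perm_check):
    """Check (s, h) |= a for a heap abstraction a = (V, sim, A, rho).

    s          : dict mapping variables to locations
    h          : dict mapping locations to cells, so dom(h) = h.keys()
    a          : tuple (V, sim, A, rho), sim a set of pairs over V
    perm_check : callable deciding s |= rho in the permission model
    """
    V, sim, A, rho = a
    # (i) x ~ y  iff  s(x) = s(y)
    for x in V:
        for y in V:
            if ((x, y) in sim) != (s[x] == s[y]):
                return False
    # (ii) x in A  iff  s(x) is allocated
    for x in V:
        if (x in A) != (s[x] in h):
            return False
    # (iii) the permission formula rho must hold under s
    return perm_check(s, rho)
```

In particular, the closure requirement of Definition 28 (A_a closed under ∼_a) is forced by conditions (i) and (ii) together: if x ∼ y then s(x) = s(y), so either both or neither must be in A_a.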

**Proposition 30.** *A heap abstraction* a *is* P*-satisfiable iff* ρ<sup>a</sup> *is* P*-satisfiable.*

For all ◦-formulas φ, we define a set of heap abstractions A(φ) by mutual induction as follows. The sets A(φ) are the least sets of heap abstractions satisfying the following properties, for all finite sets of variables<sup>9</sup> V ⊇ *fv*(φ) and for all equivalence relations ∼ on V ∩ V_l: (i) if φ = x ↦^p (y₁,...,y_n) then (V, ∼, {y | y ∼ x}, *def*(p)) ∈ A(φ); (ii) if φ = x ≃ y (resp. x ≄ y) with x, y ∈ V_l and x ∼ y (resp. x ≁ y) then (V, ∼, ∅, emp) ∈ A(φ); (iii) if φ is a permission formula then (V, ∼, ∅, φ) ∈ A(φ); (iv) if φ = ∃x ψ and (V, ∼, A, ρ) ∈ A(ψ) then (V \ {x}, ∼′, A \ {x}, ρ) ∈ A(φ), where ∼′ denotes the restriction of ∼ to the variables distinct from x, i.e., ∼′ ≝ {(u, v) | u ∼ v ∧ u, v ≠ x} (note that x cannot occur in ρ, since quantification over permission variables is not allowed); (v) if φ = φ₁ ◦ φ₂ and (V, ∼, A_i, ρ_i) ∈ A(φ_i) (for i = 1, 2) with A₁ ∩ A₂ = ∅, then (V, ∼, A₁ ∪ A₂, ρ₁ ◦ ρ₂) ∈ A(φ); (vi) if φ = P(x, p) and φ ⇐_R ξ then A(ξ) ⊆ A(φ).
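For instance, case (v) combines two abstractions built over the same V and ∼. A minimal sketch of that single case, in our own encoding (abstractions as tuples, the composed permission formula represented symbolically):

```python
def compose_disjoint(a1, a2):
    """Case (v) of the construction of A(phi1 o phi2): combine abstractions
    of the two conjuncts. Returns None when the side condition fails."""
    (V1, sim1, A1, rho1), (V2, sim2, A2, rho2) = a1, a2
    if V1 != V2 or sim1 != sim2:   # both must range over the same V and ~
        return None
    if A1 & A2:                    # a variable allocated on both sides
        return None
    # allocated sets are merged; permission formulas are joined with o
    return (V1, sim1, A1 | A2, ('o', rho1, rho2))
```

The disjointness test A₁ ∩ A₂ = ∅ is what rules out ◦-conjuncts allocating a common variable, mirroring the semantics of the disjoint connective.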

**Lemma 31.** *A* ◦*-formula* φ *is* (R, P)*-satisfiable iff at least one of the abstractions in* A(φ) *is* P*-satisfiable.*

Putting things together we get the following result:

**Theorem 32.** *If* P*-satisfiability is decidable for permission formulas, then there exists an algorithm that, for every* ∃*-restricted SID* R*, decides whether a given formula* φ *is* (R, P)*-satisfiable. If, moreover,* P*-satisfiability is in* Exptime*, then* (R, P)*-satisfiability is also in* Exptime *(for* ∃*-restricted SIDs). Finally, for every permission model* P*,* (R, P)*-satisfiability is* Exptime*-hard (for* ∃*-restricted SIDs).*

# **5 Using Separating Conjunctions Inside Rules**

To end the paper, we wish to point out that the satisfiability problem is undecidable for ∃-restricted SIDs if the disjoint separation ◦ is replaced by the standard

<sup>9</sup> For technical convenience we do not impose any bound on the cardinality of V , hence the set A(φ) is infinite. This simplifies the theoretical definition of the abstraction for disjoint conjunctions. In practice only variables occurring in the initial formula or in the rules need to be considered.

separating connective ∗ in the inductive definitions (see Definition 7). We think that the result is of some theoretical interest, although, as explained above, rules using ◦ are actually more convenient for describing data structures. The notions of *∗-h-regular* and *∗-∃-restricted* SIDs are defined exactly as h-regular and ∃-restricted SIDs (Definitions 7 and 10) except that the symbol ◦ is replaced by ∗ everywhere (for conciseness the formal definitions are omitted).

**Theorem 33.** *Let* P *be any permission model and assume that for every* n ∈ ℕ*, there exists* π ∈ P_P *such that* π^n *is defined. The* (R, P)*-satisfiability problem is undecidable for* ∗*-*∃*-restricted SIDs.*

# **6 Conclusion and Future Work**

An algorithm was devised to test the satisfiability of symbolic heaps in Separation Logic with inductively defined predicates and permissions, under some (syntactic) conditions on the inductive rules giving the semantics of the spatial predicates. The algorithm runs in exponential time, provided the satisfiability of permission formulas is in Exptime. In addition, we showed that some natural relaxations of these conditions make the problem undecidable (under some minimal assumptions on the permission model). The next step is to investigate the entailment problem for the considered fragment. The techniques devised in the present paper for transforming symbolic heaps into disjoint conjunctions of atoms should serve as a basis for this purpose, but the extension is not straightforward. Another (much easier) extension that could be of practical relevance is to consider formulas with labels (in the sense of [5]) which allow one to express additional equality conditions on some parts of the structures. In our context, labels would simply yield additional conditions on the decomposition generated during the normalization step: two formulas sharing the same label should be decomposed into formulas with the same set of roots. It could also be interesting to relax some of the conditions on the rules, for instance to allow for existential variables not occurring as roots in the rules. This is required to encode data structures with forward pointers, such as skip lists. It is also unclear whether Condition 4 in Definition 10 is required for decidability. Finally, the decision algorithm could probably be extended to handle arbitrary combinations of disjoint and separating conjunctions.

**Acknowledgments.** This work has been partially funded by the French National Research Agency (ANR-21-CE48-0011).

#### **References**

1. Berdine, J., Calcagno, C., O'Hearn, P.W.: Smallfoot: modular automatic assertion checking with separation logic. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 115–137. Springer, Heidelberg (2006). https://doi.org/10.1007/11804192 6


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **First-Order Logics**

# Nested Sequents for Quantified Modal Logics

Tim S. Lyon<sup>1</sup>(B) and Eugenio Orlandelli<sup>2</sup>

<sup>1</sup> Institute of Artificial Intelligence, TU Dresden, Dresden, Germany
timothy\_stephen.lyon@tu-dresden.de
<sup>2</sup> Department of the Arts, University of Bologna, Bologna, Italy
eugenio.orlandelli@unibo.it

Abstract. This paper studies nested sequents for quantified modal logics. In particular, it considers extensions of the propositional modal logics definable by the axioms D, T, B, 4, and 5 with varying, increasing, decreasing, and constant domains. Each calculus is proved to have good structural properties: weakening and contraction are height-preserving admissible and cut is (syntactically) admissible. Each calculus is shown to be equivalent to the corresponding axiomatic system and, thus, to be sound and complete. Finally, it is argued that the calculi are internal—i.e., each sequent has a formula interpretation—whenever the existence predicate is expressible in the language.

Keywords: Cut elimination · Nested sequent · Quantified modal logic

# 1 Introduction

Generalisations of Gentzen-style sequent calculi have proven useful for developing cut-free and analytic proof systems for many propositional non-classical logics, including modal and intermediate ones. Among these generalisations are *display calculi* [2], *hypersequents* [1], *labelled calculi* [23,25], and *nested sequents* [5,12]. They often allow one to give constructive proofs of important meta-theoretical properties such as decidability [3], interpolation [9], and automatic countermodel extraction [16]. These systems generalise the structural level of Gentzen-style calculi in different ways in order to express wider classes of logics. In the case of propositional modal logics they can express the structure of various relational models. In particular, nested sequents encode tree-like relational models and labelled calculi encode graph-like models. In contrast to other formalisms (e.g. labelled sequents) nested sequents have the advantage of being internal calculi: each nested sequent has a formula interpretation, and thus, such expressions are not a major departure from the modal language.

Things become more difficult when we add the quantifiers. As is well known [7,10], in quantified modal logics (QMLs) we have *interaction formulas* such as

> CBF := □∀xA ⊃ ∀x□A and BF := ∀x□A ⊃ □∀xA

© The Author(s) 2023

Tim S. Lyon was supported by the European Research Council (ERC) Consolidator Grant 771779 (DeciGUT).

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 449–467, 2023. https://doi.org/10.1007/978-3-031-43513-3\_24

whose validity depends on the interrelations between the domains of quantification (D_w) of the different worlds (w) of the model: CBF is valid only if domains are *increasing*—wRv implies D_w ⊆ D_v—and BF is valid only if domains are *decreasing*—wRv implies D_w ⊇ D_v. Axiomatically, CBF is derivable from the interaction of the axioms/rules for modalities and those for the classical quantifiers, and BF is independent from them. However, the situation is radically different for sequent calculi than for axiomatic calculi. The problem is that BF becomes derivable when we add standard sequent rules for the quantifiers to a calculus having separated left and right rules for the modalities—i.e., it is derivable in all generalisations of Gentzen-style calculi mentioned above.

To overcome this issue for nested sequents, we employ a formulation technique motivated by labelled sequent calculi. One way of making CBF and BF independent of the rules for quantifiers within labelled sequent calculi is to extend the language with *domain atoms* of shape y ∈ D(w), whose intended meaning is that 'y belongs to the quantificational domain of the label w' [20,25]. In this way, one can restrict the rules for the quantifiers to the terms belonging to the domain of the label under consideration:

$$\frac{w:A(y/x),\ y \in D(w),\ w:\forall x A,\ \varGamma \Rightarrow \Delta}{y \in D(w),\ w:\forall x A,\ \varGamma \Rightarrow \Delta}\ L\forall \qquad \frac{z \in D(w),\ \varGamma \Rightarrow \Delta,\ w:A(z/x)}{\varGamma \Rightarrow \Delta,\ w:\forall x A}\ R\forall,\ z\ \text{fresh}$$

As a consequence, CBF and BF are derivable only if we extend the basic calculus with rules relating the domains of the distinct labels.

In this paper, we study nested sequent calculi for QMLs with varying, increasing, decreasing, and constant domains. Similar to the use of domain atoms in labelled sequents, we will formulate our nested calculi by extending the syntax of sequents with *signatures*—i.e., multisets of terms that restrict the applicability of the rules for the quantifiers at that node of the nested sequent—as was done in [24] to define hypersequents for Gödel-Dummett logic with non-constant domains. In particular, we will use the following rules for the universal quantifier:

$$\frac{\mathcal{S}\{X, y; A(y/x), \forall x A, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X, y; \forall x A, \varGamma \Rightarrow \Delta\}}\ L\forall \qquad \frac{\mathcal{S}\{X, z; \varGamma \Rightarrow \Delta, A(z/x)\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \forall x A\}}\ R\forall,\ z\ \text{fresh}$$

and will add signature structural rules for increasing, decreasing, and constant domains (Table 3).

As a consequence, we will be able to define nested calculi that are equivalent to the labelled calculi considered in [25, Ch. 6] and [20, Ch. 12.1]. We will show that our nested calculi have good structural properties—all rules are height-preserving invertible, weakening and contraction are height-preserving admissible, and cut is syntactically admissible—and that they characterise the quantified extensions of the propositional modal logics in the cube of normal modalities. One advantage of the present approach is that nested sequents with signatures have a formula interpretation given that the language can express the *existence predicate* E. In this paper, we will consider a language with identity so that Ex can be expressed as ∃y(y = x) and it need not be taken as an additional primitive symbol; cf. [7]. Thus, our calculi utilise (nested) sequents as expressive as the modal language, showing that our calculi are syntactically economical.

The rest of the paper is organised as follows: Sect. 2 sketches the QMLs considered in the paper, and Sect. 3 introduces the nested calculi for these logics. Then, Sect. 4 shows that these calculi have good structural properties distinctive of G3-style calculi, including syntactic cut-elimination, and Sect. 5 shows that each calculus is sound and complete with respect to its intended semantics. Finally, Sect. 6 presents some future lines of research.

# 2 Quantified Modal Logics

*Syntax.* Let *Rel* be a set containing, for each $n \in \mathbb{N}$, an at most countable set of $n$-ary predicates $R^n_1, R^n_2, \dots$, and let *Var* be a denumerable set of individual variables. The language $\mathcal{L}$ is defined by the following grammar:

$$A ::= R_i^n(x_1, \dots, x_n) \mid x_1 = x_2 \mid \bot \mid A \supset A \mid \forall x A \mid \Box A \tag{$\mathcal{L}$}$$

where $x, x_1, \dots, x_n \in$ *Var* and $R^n_i \in$ *Rel*. An *atomic formula* is a formula of the shape $R^n_i(x_1, \dots, x_n)$ or $x_1 = x_2$. We use the following metavariables: $x, y, z$ for variables; $P, Q, R$ for atomic formulas; and $A, B, C$ for formulas. An occurrence of a variable $x$ in a formula is *free* if it is not in the scope of $\forall x$; otherwise, it is *bound*. A *sentence* is a formula without free occurrences of variables. The formulas $\neg A$, $A \wedge B$, $A \vee B$, $\exists x A$, and $\Diamond A$ are defined as expected. We follow the usual conventions for parentheses. The *weight* $|A|$ of a formula is defined accordingly: $|R^n_i(x_1, \dots, x_n)| = |x = y| = |\bot| = 0$, $|A \supset B| = |A| + |B| + 1$, and $|\forall x A| = |\Box A| = |A| + 1$. We use $A(y/x)$ to denote the formula obtained from $A$ by replacing each free occurrence of $x$ with an occurrence of $y$, possibly renaming bound variables to avoid capture: if $y \not\equiv x$, then $(\forall y A)(y/x) \equiv \forall z((A(z/y))(y/x))$, where $z$ is fresh.
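Since the weight measure and the capture-avoiding substitution $A(y/x)$ are defined purely syntactically, they can be prototyped directly. The following Python sketch is our own illustration (the tagged-tuple encoding of $\mathcal{L}$-formulas and the `fresh` helper are assumptions, not notation from the paper):

```python
# Formulas of L as tagged tuples (an ad hoc encoding for illustration):
#   ("rel", name, vars) | ("eq", x, y) | ("bot",) | ("imp", A, B)
#   | ("all", x, A) | ("box", A)

def weight(a):
    """|A|: atoms and bottom have weight 0; A ⊃ B has |A| + |B| + 1;
    ∀xA and □A have |A| + 1."""
    tag = a[0]
    if tag in ("rel", "eq", "bot"):
        return 0
    if tag == "imp":
        return weight(a[1]) + weight(a[2]) + 1
    if tag in ("all", "box"):
        return weight(a[-1]) + 1
    raise ValueError(tag)

_fresh = 0
def fresh():
    """Produce a variable name not used elsewhere (a simplistic scheme)."""
    global _fresh
    _fresh += 1
    return f"z{_fresh}"

def subst(a, y, x):
    """A(y/x): replace free occurrences of x by y, renaming bound
    variables to avoid capture, as in the definition above."""
    tag = a[0]
    if tag == "rel":
        return ("rel", a[1], tuple(y if v == x else v for v in a[2]))
    if tag == "eq":
        return ("eq", y if a[1] == x else a[1], y if a[2] == x else a[2])
    if tag == "bot":
        return a
    if tag == "imp":
        return ("imp", subst(a[1], y, x), subst(a[2], y, x))
    if tag == "box":
        return ("box", subst(a[1], y, x))
    if tag == "all":
        v, body = a[1], a[2]
        if v == x:                 # x is bound here: nothing to replace
            return a
        if v == y:                 # substitution would capture y: rename v
            z = fresh()
            return ("all", z, subst(subst(body, z, v), y, x))
        return ("all", v, subst(body, y, x))
```

For example, `weight` on the encoding of $\bot \supset \Box(x = y)$ returns $0 + (0 + 1) + 1 = 2$, and `subst` applied to the encoding of $\forall y R(x, y)$ with $(y/x)$ first renames the bound $y$ to a fresh $z$ before substituting.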

*Semantics.* A *frame* is a triple $\mathcal{F} = \langle W, \mathcal{R}, D \rangle$, where:


We say that F has:


A *model* $\mathcal{M}$ is a frame together with a valuation function $V$ such that for each $w \in W$ and each $R^n$ in *Rel*, $V(w, R^n) \subseteq (D_W)^n$, where $D_W = \bigcup_{v \in W} D_v$. An assignment $\sigma$ is a function mapping each variable to an object in $D_W$. We let $\sigma^o_x$ be the assignment mapping $x$ to $o \in D_W$, which behaves like $\sigma$ for all other variables. Observe that variables are *rigid designators* in that their value does not change from one world to another.

Table 1. Axioms and corresponding properties

The notion of *satisfaction* of a formula $A$ at a world $w$ of a model $\mathcal{M}$ under an assignment $\sigma$—to be denoted by $\sigma \models^{\mathcal{M}}_w A$, possibly omitting $\mathcal{M}$—is defined as follows:


The notions of *truth at a world* $w$ ($\models^{\mathcal{M}}_w A$), *truth in a model* $\mathcal{M}$ ($\models^{\mathcal{M}} A$), *validity in a frame* $\mathcal{F}$ ($\models^{\mathcal{F}} A$), and *validity in a class* $\mathcal{C}$ *of frames* ($\models^{\mathcal{C}} A$) are defined as usual. It is well known that:

$$\begin{aligned}
\mathrm{CBF} &:= \Box \forall x A \supset \forall x \Box A && \text{is valid over frames with increasing domains;}\\
\mathrm{BF} &:= \forall x \Box A \supset \Box \forall x A && \text{is valid over frames with decreasing domains;}\\
\mathrm{UI} &:= \forall x A \supset A(y/x) && \text{is valid over frames with constant domains.}
\end{aligned}$$

Over frames with non-constant domains, the valid theory of quantification is that of positive free logic instead of that of classical logic. This means that the axiom UI is replaced by the weaker axiom $\mathrm{UI}^{\circ} := \forall y(\forall x A \supset A(y/x))$. If we extend the language with an *existence predicate* E—whose satisfaction clause is $\sigma \models^{\mathcal{M}}_w \mathrm{E}x$ iff $\sigma(x) \in D_w$—then the following weaker form of UI is valid: $\mathrm{UI}^{\mathrm{E}} := \forall x A \wedge \mathrm{E}y \supset A(y/x)$. Over the language $\mathcal{L}$ the formula $\mathrm{E}x$ can be defined as $\exists y(y = x)$, but over an identity-free language the existence predicate has to be taken as an additional primitive symbol. This distinction has an impact on the calculi introduced in the next section: nested sequents have a formula interpretation when E is expressible in the language.

*Logics.* A *QML* is defined to be the set of all formulas that are valid in some given class of frames. In this paper, we consider logics that are defined by imposing combinations of the properties in Table 1. We use Q.L for a generic logic, and we say that a formula is Q.L*-valid* if it belongs to the logic Q.L.

Table 2. Axiomatisation of Q.K.

The set of formulas that are valid over the class of all frames is called Q.K, and it is axiomatised by the axioms and rules given in Table 2. We note that $\mathrm{UI}^{\mathrm{E}}$ is a theorem of Q.K; see [7, Lem. 2.1(iii)]. The additional axioms for the logics extending Q.K are given in Table 1. We follow the usual conventions for naming logics—e.g., Q.S4 ⊕ CBF is the set of formulas that are valid over all reflexive and transitive frames with increasing domains, and it is axiomatised by adding axioms T, 4, and CBF to Q.K. We will not distinguish between a logic and its axiomatisation. This is justified by the following theorem.

Theorem 1 ([7]). *A formula is a theorem of* Q.L *if and only if it is* Q.L*-valid.*

# 3 Nested Calculi for QML

<sup>A</sup> *sequent* is an expression <sup>X</sup>; <sup>Γ</sup> <sup>⇒</sup> <sup>Δ</sup> where <sup>X</sup> is a multiset of variables, called a *signature*, and Γ, Δ are multisets of formulas of the language <sup>L</sup>. The signature of a sequent is a syntactic counterpart of the existence atoms used in calculi where UI is replaced by UI◦ or UI<sup>E</sup> , see [19]. *Nested sequents* are defined as follows:

$$\mathcal{S} ::= X; \varGamma \Rightarrow \Delta \mid \mathcal{S}, [\mathcal{S}], \dots, [\mathcal{S}]$$

A nested sequent <sup>S</sup> codifies the tree of sequents tr(S), as shown in Fig. 1.

Fig. 1. The tree of the sequent $X; \varGamma \Rightarrow \Delta, [\mathcal{S}_1], \dots, [\mathcal{S}_n]$.

Substitutions of free variables are extended to (nested) sequents and to multisets of formulas by applying them component-wise. The formula interpretation of a sequent is defined as follows:

$$\mathsf{fm}(X; \varGamma \Rightarrow \Delta) \equiv \bigwedge_{x \in X} \mathcal{E}x \wedge \bigwedge \varGamma \supset \bigvee \Delta$$

where $\mathcal{E}x$ is short for the formula $\exists y(y = x)$ and an empty conjunction (disjunction) is $\top$ ($\bot$, resp.). To provide a formula reading of nested sequents over the identity-free language, we could add E to the language or interpret formulas via their universal closure. In the latter case, for example, the formula interpretation of a sequent would be $\mathsf{fm}(X; \varGamma \Rightarrow \Delta) \equiv \forall_{x \in X}(\bigwedge \varGamma \supset \bigvee \Delta)$, and it seems our nested calculi would capture the QMLs in [13].<sup>1</sup> Nonetheless, we believe there are independent reasons for studying QMLs over a language containing identity; cf. [7,10]. The formula interpretation of a nested sequent is defined recursively as:

$$\mathsf{fm}(X; \varGamma \Rightarrow \Delta, [\mathcal{S}_1], \dots, [\mathcal{S}_n]) \equiv (\bigwedge_{x \in X} \mathcal{E}x \wedge \bigwedge \varGamma \supset \bigvee \Delta) \vee \bigvee_{k=1}^{n} \Box\, \mathsf{fm}(\mathcal{S}_k)$$
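The recursive clause above can be mirrored on a concrete representation of nested sequents. The Python sketch below is our own illustration (the tuple layout and string-based formulas are assumptions, not the paper's notation); it computes $\mathsf{fm}$ as a string, using ⊤ and ⊥ for empty conjunctions and disjunctions as stipulated for sequents:

```python
# A nested sequent: (signature X, antecedent Γ, succedent Δ, children [S1..Sn]),
# with formulas kept as plain strings for readability.

def fm(seq):
    """Formula interpretation: (⋀_{x∈X} Ex ∧ ⋀Γ ⊃ ⋁Δ) ∨ ⋁_k □fm(Sk),
    with ⊤ for an empty conjunction and ⊥ for an empty disjunction."""
    X, gamma, delta, children = seq
    ante = " ∧ ".join([f"E{x}" for x in X] + list(gamma)) or "⊤"
    succ = " ∨ ".join(delta) or "⊥"
    local = f"({ante} ⊃ {succ})"
    boxed = [f"□{fm(c)}" for c in children]
    return " ∨ ".join([local] + boxed) if boxed else local

leaf = ((), ("A",), ("B",), ())
root = (("x",), ("∀yC",), (), (leaf,))
print(fm(root))  # (Ex ∧ ∀yC ⊃ ⊥) ∨ □(A ⊃ B)
```

The recursion visits each node of $\mathsf{tr}(\mathcal{S})$ once, prefixing each child's interpretation with a box, exactly as in the displayed clause.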

Rules are based on the notion of a *hole* {·}, which is a placeholder for a subtree of (the tree of) a nested sequent and, thus, allows one to apply a rule at an arbitrary node in the tree of a nested sequent. A *context* is defined as follows:

$$\mathcal{C} ::= X; \varGamma \Rightarrow \Delta, \{ \cdot \}, \dots, \{ \cdot \} \mid \mathcal{C}, [\mathcal{C}], \dots, [\mathcal{C}]$$

In other words, a context $\mathcal{C}$ is a nested sequent with $n \geq 0$ hole occurrences, which do not occur inside formulas and must occur in consequent position. We henceforth write contexts as $\mathcal{S}\{\cdot\} \cdots \{\cdot\}$, indicating each of the holes occurring within the context. The *depth* of a hole in a context is defined as the height of the branch from that hole to the root (cf. [3]), and we write $\mathsf{Depth}(\mathcal{S}\{\cdot\}) \geq n$ for $n \in \mathbb{N}$ to mean that the depth of the hole in $\mathsf{tr}(\mathcal{S}\{\cdot\})$ is $n$ or greater.

We define *substitutions* of nested sequents into contexts recursively on the number and depth of holes in a given context: suppose first that our context is of the form $\mathcal{S}\{\cdot\} \equiv X; \varGamma \Rightarrow \Delta, \{\cdot\}, [\mathcal{S}_1], \dots, [\mathcal{S}_n]$ with a single hole at a depth of $0$, and let $\mathcal{S}' \equiv Y; \varPi \Rightarrow \varSigma, [\mathcal{S}'_1], \dots, [\mathcal{S}'_k]$ be a nested sequent. Then,

$$\mathcal{S}\{\mathcal{S}'\} \equiv X, Y; \varPi, \varGamma \Rightarrow \Delta, \varSigma, [\mathcal{S}_1], \dots, [\mathcal{S}_n], [\mathcal{S}'_1], \dots, [\mathcal{S}'_k]$$

If our context is of the form $\mathcal{S}\{\cdot\} \equiv X; \varGamma \Rightarrow \Delta, [\mathcal{S}_1\{\cdot\}], \dots, [\mathcal{S}_n]$ with a single hole at a depth greater than $0$, then we recursively define $\mathcal{S}\{\mathcal{S}'\}$ to be the nested sequent $X; \varGamma \Rightarrow \Delta, [\mathcal{S}_1\{\mathcal{S}'\}], \dots, [\mathcal{S}_n]$. This definition extends to a context $\mathcal{S}\{\cdot\} \cdots \{\cdot\}$ with $n$ holes in the expected way, and for nested sequents $\mathcal{S}_1, \dots, \mathcal{S}_n$, we let $\mathcal{S}\{\mathcal{S}_1\} \cdots \{\mathcal{S}_n\}$ denote the nested sequent obtained by replacing, for each $i \in \{1, \dots, n\}$, the $i$-th hole $\{\cdot\}$ in $\mathcal{S}\{\cdot\} \cdots \{\cdot\}$ with $\mathcal{S}_i$. We may also write $\mathcal{S}\{\mathcal{S}_1\}\{\mathcal{S}_i\}_{i=2}^{n}$ to indicate $\mathcal{S}\{\mathcal{S}_1\} \cdots \{\mathcal{S}_n\}$ more succinctly. Plugging $\emptyset$ into a hole denotes the removal of the hole; for instance, if $\mathcal{S}\{\cdot\}\{\cdot\} \equiv x; A \Rightarrow B, \{\cdot\}, [x, y; B, C \Rightarrow D, \{\cdot\}]$, then $\mathcal{S}\{\cdot\}\{\emptyset\} \equiv x; A \Rightarrow B, \{\cdot\}, [x, y; B, C \Rightarrow D]$.
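For the base case of this definition (a single hole at depth 0), the merge of the two roots can be sketched as follows in Python (our own illustration; the tuple representation of nested sequents is an assumption):

```python
# Nested sequents as (X, Γ, Δ, children); a context with one hole at depth 0
# is plugged by merging the root components, as in the displayed definition.

def plug(ctx, s):
    """Plug nested sequent s into the depth-0 hole of context ctx:
    signatures, antecedents, and succedents are merged (as multisets,
    so the order of concatenation is immaterial), and the children of
    both roots are concatenated."""
    X, gamma, delta, kids = ctx
    Y, pi, sigma, kids2 = s
    return (X + Y, gamma + pi, delta + sigma, kids + kids2)

ctx = (("x",), ("A",), ("B",), (((), ("C",), (), ()),))
s = (("y",), (), ("D",), ())
assert plug(ctx, s) == (("x", "y"), ("A",), ("B", "D"), (((), ("C",), (), ()),))
```

A hole at greater depth would be handled by recursing into the child that contains it, mirroring the recursive clause of the definition.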

The rules of the nested calculi for QMLs are given in Table 3. The minimal calculus NQ.K contains initial sequents, the logical rules, and the rules for identity (rule *Rig* is needed—and is sound—because variables are rigid designators). If Q.L is an extension of Q.K as discussed in Sect. 2, then NQ.L denotes the nested

<sup>1</sup> We thank the anonymous reviewer who suggested this latter possibility.

calculus extending NQ.K with the rules for the axioms of those logics. Observe that to capture axioms D, CBF, BF, and UI we have added structural rules instead of logical ones, since the former are better behaved.

In [3], Brünnler only considers nested calculi (for propositional modal logics) defined relative to *45-complete sets* of axioms. This restriction is required to ensure that the nested calculi contain all rules required for their completeness. Similarly, in the first-order setting, we only consider nested calculi defined relative to *properly closed* sets of axioms, which is a generalisation of 45-completeness and takes care of the interaction of B with CBF and BF (for example), ensuring the completeness of our nested calculi.

Definition 1 (Properly Closed). *Let* $\mathsf{L} \subseteq \{\mathbf{D}, \mathbf{T}, \mathbf{B}, \mathbf{4}, \mathbf{5}, \mathbf{CBF}, \mathbf{BF}, \mathbf{UI}\}$*. We define* $\mathsf{L}$ *to be* properly closed *iff, for each* $\mathbf{X} \in \{\mathbf{4}, \mathbf{5}, \mathbf{CBF}, \mathbf{BF}\}$*, if all* Q.L*-frames validate* $\mathbf{X}$*, then* $\mathbf{X} \in \mathsf{L}$*. We define a nested calculus* NQ.L *to be* properly closed *iff (1)* $\mathsf{L}$ *is properly closed, and (2)* $R5_{dom} \in$ NQ.L *iff* $\mathbf{5} \in \mathsf{L}$ *and* $\{\mathbf{CBF}, \mathbf{BF}\} \cap \mathsf{L} \neq \emptyset$*.*

*Remark 1.* All nested calculi considered henceforth are assumed to be properly closed.

Given a calculus NQ.L, an NQ.L*-derivation* of a nested sequent $\mathcal{S}$ is a tree of nested sequents whose leaves are initial sequents, whose root is $\mathcal{S}$, and which grows according to the rules of NQ.L. We consider only derivations of *pure sequents*, meaning no variable has both free and bound occurrences and each *eigenvariable* (i.e., a fresh variable participating in an $R\forall$ inference) is distinct. The *height* of an NQ.L-derivation is the number of nodes of one of its longest branches. We say that $\mathcal{S}$ is NQ.L*-derivable* if there is an NQ.L-derivation of $\mathcal{S}$ or of an alphabetical variant of $\mathcal{S}$. We write $\vdash_{\mathrm{NQ.L}} \mathcal{S}$ to denote that $\mathcal{S}$ is NQ.L-derivable. A rule is said to be *(height-preserving) admissible* in NQ.L if, whenever its premisses are NQ.L-derivable (with height at most $n$), its conclusion is also NQ.L-derivable (with height at most $n$). A rule is said to be *(height-preserving) invertible* in NQ.L if, whenever its conclusion is NQ.L-derivable (with height at most $n$), each premiss is NQ.L-derivable (with height at most $n$). For each rule displayed in Table 3, the formulas explicitly displayed in the conclusion are called *principal*, those explicitly displayed in the premisses are called *auxiliary*, and everything else constitutes the *context*.

# 4 Properties and Cut-Elimination

We now show that our nested calculi satisfy fundamental admissibility and invertibility properties. Ultimately, we will apply these properties in our proof of syntactic cut-elimination.

Lemma 1 (Generalised Initial Sequents). $\vdash_{\mathrm{NQ.L}} \mathcal{S}\{X; A, \varGamma \Rightarrow \Delta, A\}$*, for any arbitrary* $\mathcal{L}$*-formula* $A$*.*

*Proof.* By a standard induction on the weight of <sup>A</sup>.

Lemma 2. *The sequents* S{ ⇒ <sup>x</sup> <sup>=</sup> <sup>x</sup>} *and* S{<sup>x</sup> <sup>=</sup> y, A(x/z) <sup>⇒</sup> <sup>A</sup>(y/z)} *are* NQ.L*-derivable.*

#### Initial Sequents:

$$\mathcal{S}\{X; P, \varGamma \Rightarrow \Delta, P\}\ \text{ with } P \text{ atomic}$$

#### Logical Rules:

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, A\} \quad \mathcal{S}\{X; B, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; A \supset B, \varGamma \Rightarrow \Delta\}}\ L{\supset} \qquad \frac{\mathcal{S}\{X; A, \varGamma \Rightarrow \Delta, B\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, A \supset B\}}\ R{\supset} \qquad \mathcal{S}\{X; \bot, \varGamma \Rightarrow \Delta\}\ L\bot$$

$$\frac{\mathcal{S}\{X, z; A(z/x), \forall x A, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X, z; \forall x A, \varGamma \Rightarrow \Delta\}}\ L\forall \qquad \frac{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, A(y/x)\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \forall x A\}}\ R\forall,\ y \text{ fresh}$$

$$\frac{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta, [Y; A, \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta, [Y; \varPi \Rightarrow \varSigma]\}}\ L\Box \qquad \frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [\emptyset;\ \Rightarrow A]\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \Box A\}}\ R\Box$$

#### Identity Rules:

$$\frac{\mathcal{S}\{X; x = x, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}\ \mathit{Ref} \qquad \frac{\mathcal{S}\{X; P(y/z), x = y, P(x/z), \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; x = y, P(x/z), \varGamma \Rightarrow \Delta\}}\ \mathit{Repl}$$

$$\frac{\mathcal{S}\{X, x, y; x = y, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X, x; x = y, \varGamma \Rightarrow \Delta\}}\ \mathit{Repl}_X \qquad \frac{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \Delta\}\{Y; x = y, \varPi \Rightarrow \varSigma\}}{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \Delta\}\{Y; \varPi \Rightarrow \varSigma\}}\ \mathit{Rig}$$

#### Rules for Propositional Axioms:

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [\emptyset;\ \Rightarrow\ ]\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}\ R_D \qquad \frac{\mathcal{S}\{X; A, \varGamma \Rightarrow \Delta, [Y; \Box A, \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y; \Box A, \varPi \Rightarrow \varSigma]\}}\ R_B \qquad \frac{\mathcal{S}\{X; A, \Box A, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta\}}\ R_T$$

$$\frac{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta, [Y; \Box A, \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta, [Y; \varPi \Rightarrow \varSigma]\}}\ R_4 \qquad \frac{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta\}\{Y; \Box A, \varPi \Rightarrow \varSigma\}}{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta\}\{Y; \varPi \Rightarrow \varSigma\}}\ R_5,\ \mathsf{Depth}(\mathcal{S}\{\cdot\}\{\emptyset\}) \geq 1$$

#### Rules for Domains:

$$\frac{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta, [Y, x; \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta, [Y; \varPi \Rightarrow \varSigma]\}}\ R_{cbf} \qquad \frac{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta, [Y, x; \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y, x; \varPi \Rightarrow \varSigma]\}}\ R_{bf} \qquad \frac{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}\ R_{ui}$$

$$\frac{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta\}\{Y, x; \varPi \Rightarrow \varSigma\}}{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta\}\{Y; \varPi \Rightarrow \varSigma\}}\ R5_{dom},\ \mathsf{Depth}(\mathcal{S}\{\emptyset\}\{\cdot\}) \geq 1 \text{ and } \mathsf{Depth}(\mathcal{S}\{\cdot\}\{\emptyset\}) \geq 1$$

*Proof.* $\mathcal{S}\{\ \Rightarrow x = x\}$ is derivable by applying an instance of rule *Ref* to the initial sequent $\mathcal{S}\{x = x \Rightarrow x = x\}$. The case of $\mathcal{S}\{x = y, A(x/z) \Rightarrow A(y/z)\}$ is handled by induction on $|A(x/z)|$. We consider only the case where $A(x/z) \equiv \Box B(x/z)$.

$$\dfrac{\dfrac{\dfrac{\mathcal{S}\{x = y, \Box B(x/z) \Rightarrow\ , [x = y; B(x/z) \Rightarrow B(y/z)]\}\ \ \mathit{IH}}{\mathcal{S}\{x = y, \Box B(x/z) \Rightarrow\ , [B(x/z) \Rightarrow B(y/z)]\}}\ \mathit{Rig}}{\mathcal{S}\{x = y, \Box B(x/z) \Rightarrow\ , [\ \Rightarrow B(y/z)]\}}\ L\Box}{\mathcal{S}\{x = y, \Box B(x/z) \Rightarrow \Box B(y/z)\}}\ R\Box$$

Lemma 3. *The following* <sup>R</sup><sup>⊥</sup> *rule is height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \bot\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}\ R\bot$$

*Proof.* By a straightforward induction on the height of the derivation $\mathcal{D}$ of the premiss. The proof is almost trivial, as any application of $R\bot$ to an initial sequent or to an instance of $L\bot$ gives another initial sequent or instance of $L\bot$, respectively, and $R\bot$ permutes above every other rule of NQ.L.

#### Table 3. Nested rules for QML

Lemma 4 (Substitution). *The following rule of substitution of free variables is height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}{\mathcal{S}(y/x)\{X(y/x); \varGamma(y/x) \Rightarrow \Delta(y/x)\}}\ (y/x)$$

*Proof.* By induction on the height of the derivation D of the premiss. The only interesting case is when the last step of <sup>D</sup> is an instance of <sup>R</sup>∀:

$$\frac{\mathcal{S}\{X, z_2; \varGamma \Rightarrow \Delta, A(z_2/z_1)\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \forall z_1 A\}}\ R\forall,\ z_2 \text{ fresh}$$

We transform the derivation of the premiss by applying the inductive hypothesis twice to ensure the freshness condition is preserved: the first time to replace z<sup>2</sup> with a fresh variable z<sup>3</sup> and then to replace x with y. We conclude by applying <sup>R</sup><sup>∀</sup> with <sup>z</sup><sup>3</sup> as the *eigenvariable*.

Typically, admissible structural rules operate on either formulas (e.g., see the internal weakening rule IW below) or nesting structure (e.g., see the Merge rule below) in nested calculi. An interesting observation in the first-order setting is that admissible structural rules also act on the signatures occurring in nested sequents. This gives rise to forms of weakening and contraction for terms, which are reminiscent of analogous rules formulated in the context of hypersequents with signatures [24].

Lemma 5 (Signature Structural Rules). *The following rules of signature weakening and signature contraction are height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta\}}\ \mathit{SW} \qquad \frac{\mathcal{S}\{X, x, x; \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X, x; \varGamma \Rightarrow \Delta\}}\ \mathit{SC}$$

*Proof.* By a standard induction on the height of the derivation D of the premiss. Proving height-preserving admissibility of SC is trivial as the rule permutes above all rules of NQ.L. Proving the height-preserving admissibility of SW is also straightforward with the only interesting case arising when D ends with an instance of <sup>R</sup><sup>∀</sup> with <sup>x</sup> as the *eigenvariable*. However, this case is easily managed by applying the height-preserving admissible substitution (y/x) to ensure the freshness condition for <sup>R</sup><sup>∀</sup> is satisfied, followed by the inductive hypothesis, and an application of <sup>R</sup>∀.

As in the setting of first-order intuitionistic logics with increasing and constant domains (see [14]), we find that our structural rules for domains give rise to admissible logical rules generalising the $L\forall$ rule. Such rules (presented in the proposition below) combine the functionality of the associated domain structural rules with the $L\forall$ rule. The $L\forall_{bf}$ and $L\forall_{cbf}$ rules are instances of *reachability rules* [16,17], which operate bottom-up by searching for terms along edges in a nested sequent, used to instantiate universal formulas.

Proposition 1. *The following logical rules for 'domain-axioms' and for axiom* D *are admissible in the nested calculi including the appropriate structural rules for domains or* RD*:*

$$\frac{\mathcal{S}\{X; A(y/x), \forall x A, \varGamma \Rightarrow \Delta, [Y, y; \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X; \forall x A, \varGamma \Rightarrow \Delta, [Y, y; \varPi \Rightarrow \varSigma]\}}\ L\forall_{bf} \qquad \frac{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y; A(y/x), \forall x A, \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y; \forall x A, \varPi \Rightarrow \varSigma]\}}\ L\forall_{cbf}$$

$$\frac{\mathcal{S}\{X; A(y/x), \forall x A, \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \forall x A, \varGamma \Rightarrow \Delta\}}\ L\forall_{ui} \qquad \frac{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta, [\emptyset; A \Rightarrow\ ]\}}{\mathcal{S}\{X; \Box A, \varGamma \Rightarrow \Delta\}}\ L_D$$

*Proof.* The admissibility of <sup>L</sup>∀cbf from <sup>R</sup>cbf and SW is proven as follows:

$$\dfrac{\dfrac{\dfrac{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y; A(y/x), \forall x A, \varPi \Rightarrow \varSigma]\}}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y, y; A(y/x), \forall x A, \varPi \Rightarrow \varSigma]\}}\ \mathit{SW}}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y, y; \forall x A, \varPi \Rightarrow \varSigma]\}}\ L\forall}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, [Y; \forall x A, \varPi \Rightarrow \varSigma]\}}\ R_{cbf}$$

The cases of <sup>L</sup>∀bf and <sup>L</sup>∀ui are similar, and the case of <sup>L</sup><sup>D</sup> follows immediately from <sup>R</sup>D.

Lemma 6 (Weakenings). *The following rules of internal and external weakening are height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \varPi, \varGamma \Rightarrow \Delta, \varSigma\}}\ \mathit{IW} \qquad \frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y; \varPi \Rightarrow \varSigma]\}}\ \mathit{EW}$$

*Proof.* By induction on the height of the derivation $\mathcal{D}$ of the premiss. If $\mathcal{D}$ ends with an instance of rule $R\forall$ with $y$ the *eigenvariable*, we apply the (height-preserving admissible) substitution rule to replace $y$ with a fresh variable $z$ occurring neither in $\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}$, nor in $\varPi, \varSigma$ (in the IW case) or in $Y, \varPi, \varSigma$ (in the EW case). Then, we apply the inductive hypothesis and an instance of $R\forall$ to conclude $\mathcal{S}\{X; \varPi, \varGamma \Rightarrow \Delta, \varSigma\}$ in the IW case and $\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y; \varPi \Rightarrow \varSigma]\}$ in the EW case.

Lemma 7 (Necessitation and Merge). *The following rules are height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}}{\ \Rightarrow [\mathcal{S}]}\ \mathit{Nec} \qquad \frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y; \varPi_1 \Rightarrow \Delta_1], [Z; \varPi_2 \Rightarrow \Delta_2]\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, [Y, Z; \varPi_1, \varPi_2 \Rightarrow \Delta_1, \Delta_2]\}}\ \mathit{Merge}$$

*Proof.* By a simple induction on the height of the derivation of the premiss.

Lemma 8 (Invertibility). *Each rule of* NQ.L *is height-preserving invertible.*

*Proof.* The proof is by induction on the height of the derivation. The height-preserving invertibility of all rules but $L{\supset}$, $R{\supset}$, $R\forall$, and $R\Box$ follows from Lemmas 5 and 6, and the proof of the remaining cases is standard.

Lemma 9 (Contraction). *The following rules of left and right contraction are height-preserving admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X;\varGamma,A,A\Rightarrow\Delta\}}{\mathcal{S}\{X;\varGamma,A\Rightarrow\Delta\}}\;CL \qquad \frac{\mathcal{S}\{X;\varGamma\Rightarrow\Delta,A,A\}}{\mathcal{S}\{X;\varGamma\Rightarrow\Delta,A\}}\;CR$$

*Proof.* By simultaneous induction on the height of the derivation of the premisses of CL and CR. We consider only the non-trivial <sup>R</sup><sup>∀</sup> case for CR as the remaining cases are similar or simpler. Assume that the last step of D is:

$$\frac{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, A(y/x), \forall x A\}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \forall x A, \forall x A\}}\ R\forall$$

To resolve the case, we apply the height-preserving invertibility of $R\forall$, the height-preserving admissibility of $(y/z)$ and SC, followed by the inductive hypothesis. Finally, an application of $R\forall$ gives the desired conclusion.

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, A(y/x), \forall x A\}}{\mathcal{S}\{X, y, z; \varGamma \Rightarrow \Delta, A(y/x), A(z/x)\}}\ \text{Lemma 8}}{\mathcal{S}\{X, y, y; \varGamma \Rightarrow \Delta, A(y/x), A(y/x)\}}\ (y/z)}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, A(y/x), A(y/x)\}}\ \mathit{SC}}{\mathcal{S}\{X, y; \varGamma \Rightarrow \Delta, A(y/x)\}}\ \mathit{IH}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \forall x A\}}\ R\forall$$

Due to the presence of $R_4$ and $R_5$ in specific nested calculi, our cut-elimination theorem (Theorem 2 below) requires us to simultaneously eliminate a second form of cut that acts on modal formulas. We refer to this rule as L-Cut and note that it is essentially Brünnler's Y-cut rule [3]. Since the principal and auxiliary formulas of $R_4$ and $R_5$ are of the same weight (i.e., both are $\Box A$), L-Cut is needed to permute the cut upward in these special cases, as cuts cannot be reduced to formulas of a smaller weight.

Definition 2 (L-Cut and L-Str). *Let* NQ.L *be properly closed. We define* L*-Cut to be the following rule:*

$$\frac{\mathcal{S}\{X; \varGamma \Rightarrow \Delta, \Box A\}\{Y_i; \varPi_i \Rightarrow \varSigma_i\}_{i=1}^{n} \qquad \mathcal{S}\{X; \varGamma \Rightarrow \Delta\}\{Y_i; \Box A, \varPi_i \Rightarrow \varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X; \varGamma \Rightarrow \Delta\}\{Y_i; \varPi_i \Rightarrow \varSigma_i\}_{i=1}^{n}}\ \mathsf{L}\text{-}\mathit{Cut}$$

*which is subject to the following side conditions:*



Table 4. Structural rules for propositional axioms

*We define* L*-Str to be the following rule:*

$$\frac{\mathcal{S}\{Y\_1; \varPi\_1 \Rightarrow \Sigma\_1, [X; \varGamma \Rightarrow \varDelta] \}\{Y\_2; \varPi\_2 \Rightarrow \Sigma\_2\}}{\mathcal{S}\{Y\_1; \varPi\_1 \Rightarrow \Sigma\_1\}\{Y\_2; \varPi\_2 \Rightarrow \Sigma\_2, [X; \varGamma \Rightarrow \varDelta] \}} \mathsf{L}\text{-}Str$$

*which is subject to the following side conditions:*


Lemma 10 (Special Structural Rules). *If* NQ.L *contains the rule* R<sup>X</sup> *for the propositional axiom* X*, then the corresponding structural rule from Table 4 is admissible in* NQ.L*. Moreover,* L*-Str is admissible in* NQ.L*.*

*Proof.* We argue the $S_B$ case by induction on the height of the given derivation; the remaining cases are considered in the extended version of this paper [18]. We only consider the $R_{bf}$ and $R5_{dom}$ cases of the inductive step, as the remaining cases are simple or similar.

$$\dfrac{\dfrac{\mathcal{S}\{Z; \varPi_1 \Rightarrow \varSigma_1, [X, x; \varGamma \Rightarrow \Delta, [Y, x; \varPi_2 \Rightarrow \varSigma_2]]\}}{\mathcal{S}\{Z; \varPi_1 \Rightarrow \varSigma_1, [X; \varGamma \Rightarrow \Delta, [Y, x; \varPi_2 \Rightarrow \varSigma_2]]\}}\ R_{bf}}{\mathcal{S}\{Z, Y, x; \varPi_1, \varPi_2 \Rightarrow \varSigma_1, \varSigma_2, [X; \varGamma \Rightarrow \Delta]\}}\ S_B$$

As our nested calculi are assumed to be properly closed, we know that if NQ.L contains R<sup>B</sup> and Rbf , then it must contain Rcbf , showing that we can apply IH first and then Rcbf as shown below.

$$\dfrac{\dfrac{\mathcal{S}\{Z; \varPi_1 \Rightarrow \varSigma_1, [X, x; \varGamma \Rightarrow \Delta, [Y, x; \varPi_2 \Rightarrow \varSigma_2]]\}}{\mathcal{S}\{Z, Y, x; \varPi_1, \varPi_2 \Rightarrow \varSigma_1, \varSigma_2, [X, x; \varGamma \Rightarrow \Delta]\}}\ \mathit{IH}}{\mathcal{S}\{Z, Y, x; \varPi_1, \varPi_2 \Rightarrow \varSigma_1, \varSigma_2, [X; \varGamma \Rightarrow \Delta]\}}\ R_{cbf}$$

Last, we consider an interesting R5dom case:

$$\dfrac{\dfrac{Z; \varPi_1 \Rightarrow \varSigma_1, [X_1; \varGamma_1 \Rightarrow \Delta_1, [X_2, x; \varGamma_2 \Rightarrow \Delta_2]], [\mathcal{S}\{Y, x; \varPi_2 \Rightarrow \varSigma_2\}]}{Z; \varPi_1 \Rightarrow \varSigma_1, [X_1; \varGamma_1 \Rightarrow \Delta_1, [X_2, x; \varGamma_2 \Rightarrow \Delta_2]], [\mathcal{S}\{Y; \varPi_2 \Rightarrow \varSigma_2\}]}\ R5_{dom}}{Z, X_2, x; \varPi_1, \varGamma_2 \Rightarrow \varSigma_1, \Delta_2, [X_1; \varGamma_1 \Rightarrow \Delta_1], [\mathcal{S}\{Y; \varPi_2 \Rightarrow \varSigma_2\}]}\ S_B$$

To resolve the case, we apply the inductive hypothesis, followed by the height-preserving admissible rule SW. We apply the SW rule $n - 1$ times, adding the variable $x$ along the path from the root to $Y, x; \varPi_2 \Rightarrow \varSigma_2$, and then the $R_{cbf}$ rule $n$ times to delete the $n - 1$ copies of $x$ up to the root. We may apply $R_{cbf}$ as our nested calculi are properly closed, that is, $\mathbf{B}, \mathbf{BF} \in \mathsf{L}$ only if $\mathbf{CBF} \in \mathsf{L}$.

$$\dfrac{\dfrac{\dfrac{Z; \varPi_1 \Rightarrow \varSigma_1, [X; \varGamma_1 \Rightarrow \Delta_1, [X_2, x; \varGamma_2 \Rightarrow \Delta_2]], [\mathcal{S}\{Y, x; \varPi_2 \Rightarrow \varSigma_2\}]}{Z, X_2, x; \varPi_1, \varGamma_2 \Rightarrow \varSigma_1, \Delta_2, [X; \varGamma_1 \Rightarrow \Delta_1], [\mathcal{S}\{Y, x; \varPi_2 \Rightarrow \varSigma_2\}]}\ \mathit{IH}}{Z, X_2, x; \varPi_1, \varGamma_2 \Rightarrow \varSigma_1, \Delta_2, [X; \varGamma_1 \Rightarrow \Delta_1], [\mathcal{S}\{Y, x; \varPi_2 \Rightarrow \varSigma_2\}]}\ \mathit{SW}\ (n-1 \text{ times})}{Z, X_2, x; \varPi_1, \varGamma_2 \Rightarrow \varSigma_1, \Delta_2, [X; \varGamma_1 \Rightarrow \Delta_1], [\mathcal{S}\{Y; \varPi_2 \Rightarrow \varSigma_2\}]}\ R_{cbf}\ (n \text{ times})$$

In our cut-elimination theorem below, we provide a procedure to eliminate an additive (i.e. context-sharing) version of cut, as in the work on nested sequents for propositional modal logics by Brünnler [3]. We note that we could have considered an equivalent, multiplicative (i.e. context-independent) version, like the cut rule shown eliminable in the tree-hypersequent systems of Poggiolesi [22]; however, we find the additive version of the rule to be simpler, as it lets us forgo considerations of how to fuse nested sequents of a different form.<sup>2</sup>

**Theorem 2 (Cut).** *L-Cut and the following rule of Cut are admissible in* NQ.L*:*

$$\frac{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,A\}\qquad\mathcal{S}\{X;A,\varGamma\Rightarrow\varDelta\}}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta\}}\; Cut$$

*Proof.* We consider an uppermost instance of L-Cut or *Cut* with $A \equiv \Box B$ and $A$ the cut formula of each rule, respectively. We argue by simultaneous induction on the lexicographic ordering of pairs $(|A|, h_1 + h_2)$, where $|A|$ is the weight of $A$ and $h_1$ ($h_2$) is the height of the derivation $\mathcal{D}_1$ ($\mathcal{D}_2$) of the left (right) premiss of the instance of L-Cut or *Cut* under consideration.
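As an illustrative aside (not part of the paper's development), the induction measure is the usual strict lexicographic order on pairs, which can be sketched as follows:

```python
def lex_less(p, q):
    """Strict lexicographic order on pairs (cut-formula weight, h1 + h2)."""
    return p[0] < q[0] or (p[0] == q[0] and p[1] < q[1])

# Reducing the weight of the cut formula dominates any growth in heights:
assert lex_less((2, 100), (3, 0))
# With the weight fixed, pushing the cut upward reduces h1 + h2:
assert lex_less((3, 4), (3, 5))
```

Both reduction steps in the proof strictly decrease this measure, so the elimination procedure terminates.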

Let us first consider the case where the weight of $A$ is zero, i.e. $A$ is a formula of the form $R^{n}_{i}(x_1,\ldots,x_n)$, $\bot$, or $x = y$. The first two cases are standard, so we consider the case when $A$ is of the form $x = y$. We suppose first that $x = y$ is not principal in the left premiss of *Cut*. If the left premiss is an initial sequent or an instance of $L\bot$, then the conclusion will be as well, so we may assume that the left premiss was derived by means of another rule. We suppose w.l.o.g. that the left premiss was derived by means of a unary rule, as the binary case for $L{\supset}$ is similar, meaning our Cut is of the following form:

$$\frac{\dfrac{\mathcal{S}_1\{X_1; \varGamma_1 \Rightarrow \varDelta_1, x = y\}}{\mathcal{S}\{X; \varGamma \Rightarrow \varDelta, x = y\}}\; R1 \qquad \dfrac{\mathcal{S}_2\{X_2; x = y, \varGamma_2 \Rightarrow \varDelta_2\}}{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta\}}\; R2}{\mathcal{S}\{X; \varGamma \Rightarrow \varDelta\}}\; Cut$$

<sup>2</sup> Nested sequents and tree-hypersequents are equivalent formalisms; cf. [3,22].

As shown below, we can resolve the case by applying the height-preserving invertibility of *R1* to the right premiss of *Cut*, applying *Cut* with the premiss of *R1*, and then applying *R1* after (note that *R1* is applicable after the Cut since x = y is neither auxiliary nor principal in *R1* by the shape of the rules in NQ.L).

$$\frac{\dfrac{\mathcal{S}_1\{X_1; \varGamma_1 \Rightarrow \varDelta_1, x = y\} \qquad \dfrac{\dfrac{\mathcal{S}_2\{X_2; x = y, \varGamma_2 \Rightarrow \varDelta_2\}}{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta\}}\; R2}{\mathcal{S}_1\{X_1; x = y, \varGamma_1 \Rightarrow \varDelta_1\}}\;\text{Lemma 8}}{\mathcal{S}_1\{X_1; \varGamma_1 \Rightarrow \varDelta_1\}}\; Cut}{\mathcal{S}\{X; \varGamma \Rightarrow \varDelta\}}\; R1$$

If we suppose now that $x = y$ is principal in the left premiss of *Cut*, then the left premiss must be an initial sequent of the form $\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta, x = y\}$. We have cases according to whether $x = y$ is principal or not in the right premiss. If it is principal, then the right premiss is either (i) an initial sequent or (ii) the conclusion of an instance of a rule in $\{Repl, ReplX, Rig\}$. In case (i) the conclusion of *Cut* is an initial sequent, and in case (ii) the conclusion of *Cut* is identical to the conclusion of its right premiss, which is cut-free derivable. Else, the Cut is of the form shown below, where two copies of $x = y$ must occur in the right premiss since the contexts must match in Cut.

$$\frac{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta, x = y\} \qquad \dfrac{\vdots}{\mathcal{S}\{X; x = y, x = y, \varGamma \Rightarrow \varDelta\}}\; R2}{\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta\}}\; Cut$$

Applying the height-preserving admissible rule CL to the right premiss of *Cut* gives the desired conclusion.

Let us suppose now that the weight of the cut formula is greater than zero. We also assume that the cut formula is principal in both premisses of *Cut* and consider the interesting cases when $A \equiv \forall x B$ and $A \equiv \Box B$, as all other cases are standard; see [3, Thm. 5]. If the cut formula $A \equiv \forall x B$ is principal in both premisses of *Cut*, then our Cut is of the following form:

$$\frac{\dfrac{\mathcal{S}\{X,y,z;\varGamma\Rightarrow\varDelta,B(y/x)\}}{\mathcal{S}\{X,z;\varGamma\Rightarrow\varDelta,\forall xB\}}\; R\forall \qquad \dfrac{\mathcal{S}\{X,z;B(z/x),\forall xB,\varGamma\Rightarrow\varDelta\}}{\mathcal{S}\{X,z;\forall xB,\varGamma\Rightarrow\varDelta\}}\; L\forall}{\mathcal{S}\{X,z;\varGamma\Rightarrow\varDelta\}}\; Cut$$

We first shift the Cut upward by applying the height-preserving admissibility of IW to the left premiss of *Cut*, and then apply *Cut* with the premiss of $L\forall$ as shown below, thus reducing $h_1 + h_2$.

$$\frac{\dfrac{\dfrac{\mathcal{S}\{X,y,z;\varGamma\Rightarrow\varDelta,B(y/x)\}}{\mathcal{S}\{X,z;\varGamma\Rightarrow\varDelta,\forall xB\}}\; R\forall}{\mathcal{S}\{X,z;B(z/x),\varGamma\Rightarrow\varDelta,\forall xB\}}\; IW \qquad \mathcal{S}\{X,z;B(z/x),\forall xB,\varGamma\Rightarrow\varDelta\}}{\mathcal{S}\{X,z;B(z/x),\varGamma\Rightarrow\varDelta\}}\; Cut$$

Let us refer to the above proof as D. We now reduce the weight of the cut formula by applying Cut as shown below, giving the desired conclusion.

$$\frac{\dfrac{\dfrac{\mathcal{S}\{X,y,z;\varGamma\Rightarrow\varDelta,B(y/x)\}}{\mathcal{S}\{X,z,z;\varGamma\Rightarrow\varDelta,B(z/x)\}}\;(z/y)}{\mathcal{S}\{X,z;\varGamma\Rightarrow\varDelta,B(z/x)\}}\; c \qquad \mathcal{D}}{\mathcal{S}\{X,z;\varGamma\Rightarrow\varDelta\}}\; Cut$$

We now assume that the cut formula $A \equiv \Box B$ is principal in both premisses, and we may assume w.l.o.g. that the cut is an instance of L-Cut. We consider the case where the right premiss of L-Cut is an instance of $R_{T}$ and the left premiss of L-Cut is an instance of $R\Box$. The remaining cases are proven in a similar fashion. The trick is to use the height-preserving admissibility of the special structural rules (see Lemma 10), namely, the $S_{T}$ rule. Our L-Cut is of the following form:

$$\frac{\dfrac{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,[\varnothing;\Rightarrow B]\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,\Box B\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; R\Box \qquad \dfrac{\mathcal{S}\{X;\Box B,B,\varGamma\Rightarrow\varDelta\}\{Y_i;\Box B,\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X;\Box B,\varGamma\Rightarrow\varDelta\}\{Y_i;\Box B,\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; R_{T}}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\;\text{L-Cut}$$

Let $\mathcal{D}_1$ and $\mathcal{D}_2$ denote the derivations of the left and right premiss of L-Cut, respectively. To resolve the case, we first apply the height-preserving admissible rule IW to the conclusion of $\mathcal{D}_1$, yielding the derivation $\mathcal{D}_3$ shown below top. We then apply L-Cut to the conclusion of $\mathcal{D}_3$ and the premiss of $\mathcal{D}_2$ (where $h_1 + h_2$ is strictly smaller), giving the second derivation shown below, which we refer to as $\mathcal{D}_4$. Finally, as shown in the third derivation below, we can apply Cut to $B$ (which has a strictly smaller weight than $\Box B$) and derive the desired conclusion after a single application of the admissible rule $S_{T}$ to the left premiss.

$$\mathcal{D}_3\;\left\{\;\dfrac{\dfrac{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,[\varnothing;\Rightarrow B]\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,\Box B\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; R\Box}{\mathcal{S}\{X;B,\varGamma\Rightarrow\varDelta,\Box B\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; IW\right.$$

$$\mathcal{D}_4\;\left\{\;\dfrac{\mathcal{D}_3 \qquad \mathcal{S}\{X;\Box B,B,\varGamma\Rightarrow\varDelta\}\{Y_i;\Box B,\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X;B,\varGamma\Rightarrow\varDelta\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\;\text{L-Cut}\right.$$

$$\dfrac{\dfrac{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,[\varnothing;\Rightarrow B]\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta,B\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; S_{T} \qquad \mathcal{D}_4}{\mathcal{S}\{X;\varGamma\Rightarrow\varDelta\}\{Y_i;\varPi_i\Rightarrow\varSigma_i\}_{i=1}^{n}}\; Cut$$

# 5 Soundness and Completeness

**Theorem 3 (Soundness).** *If* $\vdash_{NQ.L} \mathcal{S}$*, then* $fm(\mathcal{S})$ *is* Q.L*-valid.*

*Proof.* We first note that nested application of rules is sound: for each context $\mathcal{S}\{\cdot\}$, if $A \supset B$ is Q.L-valid then $fm(\mathcal{S}\{A\}) \supset fm(\mathcal{S}\{B\})$ is Q.L-valid. This can be shown by induction on the depth of the context $\mathcal{S}\{\cdot\}$; see [3, Lem. 3] for details.
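To see the shape of the inductive step, suppose (as is standard for nested sequents, and ignoring signatures for readability) that the formula translation sends a nesting $[\mathcal{S}']$ to $\Box fm(\mathcal{S}')$. One unfolding then combines the inner inductive hypothesis with normality:

$$\vDash fm(\mathcal{S}'\{A\}) \supset fm(\mathcal{S}'\{B\}) \;\Longrightarrow\; \vDash \Box fm(\mathcal{S}'\{A\}) \supset \Box fm(\mathcal{S}'\{B\}) \;\Longrightarrow\; \vDash \Big(\bigwedge\varGamma \supset \bigvee\varDelta \lor \Box fm(\mathcal{S}'\{A\})\Big) \supset \Big(\bigwedge\varGamma \supset \bigvee\varDelta \lor \Box fm(\mathcal{S}'\{B\})\Big)$$

The first implication is the inductive hypothesis, the second is the normality of $\Box$, and the third is propositional monotonicity of the surrounding context.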

The Q.L-soundness of the rules of NQ.L is proved by induction on the height of the derivation. The cases of initial sequents and of propositional rules of NQ.L are given in [3, Thm. 1]. We present the cases of $L\forall$, $R_{cbf}$, $Rig$, and $R_{5dom}$, all other cases being similar. If $fm(X, z; A(z/x), \forall xA, \varGamma \Rightarrow \varDelta)$ is Q.L-valid, then the Q.L-validity of $fm(X, z; \forall xA, \varGamma \Rightarrow \varDelta)$ follows by the soundness of the axiom $UI_E$. If $fm(X, x; \varGamma \Rightarrow \varDelta, [Y, x; \varPi \Rightarrow \varSigma])$ is Q.L.CBF-valid, then the formula $fm(X, x; \varGamma \Rightarrow \varDelta, [Y; \varPi \Rightarrow \varSigma])$ is as well because frames for Q.L.CBF have increasing domains. The Q.L-validity of $fm(\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta\}\{Y; \varPi \Rightarrow \varSigma\})$ follows from that of $fm(\mathcal{S}\{X; x = y, \varGamma \Rightarrow \varDelta\}\{Y; x = y, \varPi \Rightarrow \varSigma\})$ since variables are rigid designators: the validity of $\mathbf{NI} := x = y \supset \Box(x = y)$ and that of $\mathbf{ND}$ allow identities to be duplicated up and down the accessibility relation, respectively. Finally, we argue that $R_{5dom}$ preserves Q.L-validity when either $\mathbf{5}, \mathbf{CBF} \in L$ or $\mathbf{5}, \mathbf{BF} \in L$. We show this holds for the following one-context rules from which $R_{5dom}$ is NQ.L-derivable (if $x$ is in the signature of a non-root node, these rules bottom-up copy $x$ into the signature of another non-root node):

$$\frac{\mathcal{S}\{[X,x;\varGamma\Rightarrow\varDelta],[Y,x;\varPi\Rightarrow\varSigma]\}}{\mathcal{S}\{[X,x;\varGamma\Rightarrow\varDelta],[Y;\varPi\Rightarrow\varSigma]\}}\; R_{5dom_1}\quad\frac{\mathcal{S}\{[X,x;\varGamma\Rightarrow\varDelta,[Y,x;\varPi\Rightarrow\varSigma]]\}}{\mathcal{S}\{[X,x;\varGamma\Rightarrow\varDelta,[Y;\varPi\Rightarrow\varSigma]]\}}\; R_{5dom_2}$$

$$\frac{\mathcal{S}\{[Y,x;\varPi\Rightarrow\varSigma,[X,x;\varGamma\Rightarrow\varDelta]]\}}{\mathcal{S}\{[Y;\varPi\Rightarrow\varSigma,[X,x;\varGamma\Rightarrow\varDelta]]\}}\; R_{5dom_3}$$

If the premiss of one of these rules is Q.L-valid, then so is the respective conclusion, since for 5-frames with increasing or decreasing domains the points satisfying $X, x; \varGamma \Rightarrow \varDelta$ and $Y; \varPi \Rightarrow \varSigma$ are mutually accessible and have the same domain.

**Theorem 4 (Completeness).** *If* $fm(\mathcal{S})$ *is* Q.L*-valid, then* $\vdash_{NQ.L} \mathcal{S}$*.*

*Proof.* We show that $\vdash_{Q.L} fm(\mathcal{S})$ implies $\vdash_{NQ.L} \mathcal{S}$; the theorem then follows by the completeness of Q.L (Theorem 1). We proceed by induction on the height of the derivation of $fm(\mathcal{S})$ in Q.L. The NQ.L-admissibility of rule MP/UG/N is a corollary of Theorem 2/Lemma 6/Lemma 7, respectively. We consider only the axioms UI◦ (assuming $y \in A$ for simplicity), ND, and CBF. The cases of axioms REF and REPL follow from Lemma 2, and the other cases are similar. The case of UI◦ starts from the nested sequent $\forall xA \Rightarrow [y;\, A(y/x), \forall xA \Rightarrow A(y/x)]$.

# 6 Conclusion and Future Work

We provided a uniform nested sequent presentation of quantified modal logics characterised by combinations of fundamental properties. Due to the inclusion of equality in the language of the QMLs considered, our nested calculi permit a formula translation by means of the (definable) existence predicate. As a consequence, our systems possess both a good degree of modularity *and* utilise a language as expressive as that of each logic, yielding more economical systems in contrast to the labelled calculi given for the same QMLs, which employ a more expressive language [20,25]. Beyond formula interpretability, our nested calculi satisfy fundamental properties such as the admissibility of important structural rules, invertibility of all rules, and syntactic cut-elimination.

In future work, we aim to investigate constructive proofs of interpolation properties with our nested calculi (cf. [9,15]), to use (variations of) our nested calculi to identify decidable QML fragments, and to extend the present approach to QMLs with non-rigid designators and, possibly, definite descriptions based on λ-abstraction (see [10]), as was done in [21] for labelled sequent calculi. Another open problem is to give nested sequents with a formula interpretation for QMLs where the existence predicate is not expressible; we conjecture that this might be achieved by using the 'universally closed nesting' defined by Brünnler for free logics [4].

We also aim to generalise our approach by employing a wider selection of propagation rules [6,8] and reachability rules [16,17] in our systems. As shown in various works [11,16], diverse classes of logics characterised by Horn properties can be supplied with cut-free nested calculi by utilising logical rules that propagate or consume data along paths within nested sequents specified by formal grammars. Applying this technique, we plan to see if we can capture a much wider class of QMLs in a uniform and modular fashion, and plan to investigate admissibility and invertibility properties as well as cut-elimination in this more general setting. It would also be worthwhile to examine the relationship between our nested calculi and other calculi for QMLs; e.g., we could study the computational relationship between our nested calculi and the labelled calculi for QMLs, showing how proofs can be translated and determining complexity bounds for the relative sizes of proofs.

# References



# **A Naive Prover for First-Order Logic: A Minimal Example of Analytic Completeness**

Asta Halkjær From and Jørgen Villadsen

Technical University of Denmark, Kongens Lyngby, Denmark jovi@dtu.dk

**Abstract.** The analytic technique for proving completeness gives a very operational perspective: build a countermodel to the unproved formula from a failed proof attempt in your calculus. We have to be careful, however, that the proof attempt did not fail because our strategy in finding it was flawed. Overcoming this concern requires designing a prover. We design and formalize in Isabelle/HOL a sequent calculus prover for first-order logic with functions. We formalize soundness and completeness theorems using an existing framework and extract executable code to Haskell. The crucial idea is to move complexity from the prover itself to a stream of instructions that it follows. The result serves as a minimal example of the analytic technique, a naive prover for first-order logic, and a case study in formal verification.

**Keywords:** First-Order Logic · Prover · Completeness · Isabelle/HOL

### **1 Introduction**

We present a sound and complete (naive) prover for classical first-order logic with functions. There are several ways to prove that a proof system for first-order logic is complete. Gödel's approach [14], later refined by Henkin [15], is now known as the *synthetic* way. This technique abstractly builds *maximal consistent (and saturated) sets* of formulas as a bridge between the proof system and the semantics. This is a useful technique and has been used in formalizations of the completeness of axiomatic systems for first-order logic [9] and epistemic logic [8], a tableau system for hybrid logic [7] and more. Unfortunately, as pointed out by Blanchette et al. [5] in the context of formalization in Isabelle/HOL, there is no useful connection between this technique and the execution of an actual prover.

The technique by Beth and Hintikka [17] offers a more operational perspective. Here, we consider unsuccessful proof attempts in the given calculus and build countermodels from these. Such a countermodel refutes the validity of the formula that we tried to prove. To build such a countermodel, however, we must ensure that the proof attempt was sufficiently sophisticated and, essentially, that it would have found a proof if one existed. In proving this property of the proof strategy, we are effectively designing a prover based on the calculus. This means that, in practice, we can extract a prover from our completeness proof.

© The Author(s) 2023

R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 468–480, 2023. https://doi.org/10.1007/978-3-031-43513-3_25

Blanchette et al. [5] have made this very concrete by developing a framework in Isabelle/HOL for analytic completeness proofs. Their paper includes a first-order logic example, but their entry in the Archive of Formal Proofs [3] only includes a propositional example. In this paper, we describe a *naive prover* based on the framework, designed to be as simple as possible. This augments the framework with a concrete first-order logic example showcasing the analytic technique. Moreover, it serves as an introduction to automated reasoning by making explicit the requirements for completeness of a prover for first-order logic. It also serves as a small case study for formal verification in a proof assistant.

Then the question remains of how to design this proof strategy. We want it to be sufficiently intricate to be both sound and complete, but we also want it to be simple enough that we can reasonably demonstrate these properties (in a proof assistant). We might follow something like Ben-Ari's tableau algorithm [1] (essentially sequent calculus), but we discover that it is surprisingly complex. There are nodes with labels, branches with markings, and concerns about which kinds of formulas to process first, later or even together. Instead, we will design a prover with minimal structure that tries to apply sequent calculus proof rules over and over, in the belief that we will eventually apply the right ones.

The problem changes from working out which rule to apply in a given situation to designing a stream of instructions that will cover whatever we encounter, and embedding enough structure into these instructions to keep the prover itself elementary. This perspective shift greatly simplifies the prover: the rules are indexed by formulas and specify exactly what the prover should do in each case. Moreover, the nodes in the proof tree are simply sequents; no additional state is needed. The rules apply straightforwardly to these sequents to form the next nodes of the tree. This simplifies the completeness proof and makes it a non-issue to handle first-order logic with functions, which can otherwise require extra consideration.
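As an illustrative aside, the design can be caricatured in a few lines of Python (the names and the single toy rule are hypothetical; the actual prover is written in Isabelle/HOL and exported to Haskell):

```python
# A toy rendering of the design: the prover itself only follows instructions.
# Formulas are atoms (strings) or ('imp', p, q); a sequent is (lhs, rhs).
def axiom(lhs, rhs):
    # a branch closes when some formula occurs on both sides
    return any(p in rhs for p in lhs)

def apply_rule(instruction, sequent):
    # the instruction names the formula to process; here only right-implication
    lhs, rhs = sequent
    if isinstance(instruction, tuple) and instruction[0] == 'imp' and instruction in rhs:
        _, p, q = instruction
        new_rhs = [r for r in rhs if r != instruction] + [q]
        return [(lhs + [p], new_rhs)]  # a single child sequent
    return None  # instruction does not apply; keep the sequent as-is

def prove(sequent, instructions):
    # naive loop: repeatedly try whatever the instruction stream says next
    frontier = [sequent]
    for instruction in instructions:
        frontier = [s for s in frontier if not axiom(*s)]
        if not frontier:
            return True  # every branch closed
        frontier = [c for s in frontier
                    for c in (apply_rule(instruction, s) or [s])]
    return all(axiom(*s) for s in frontier)

print(prove(([], [('imp', 'p', 'p')]), [('imp', 'p', 'p')]))  # True
```

The point of the sketch is that `prove` contains no search strategy at all: fairness lives entirely in the instruction stream, which in the real prover enumerates every rule index infinitely often.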

The formalization of the (naive) prover is available in the Archive of Formal Proofs [11]. It consists of less than 900 lines of Isabelle/HOL listings, the majority of which are proofs that are not included when exporting Haskell code for the prover. A short, manually written Main.hs file augments the exported code with a command line interface and pretty-printed output. The Isabelle theory *Export.thy* includes instructions on how to export and compile the Haskell code (which closely resembles the programs listed here). The code in this paper is exported to LaTeX by Isabelle from the formalization, but differs slightly in names and layout for presentation reasons. Likewise, to focus on essentials, we often omit the technical commands needed in the formalization.

#### **2 Related Work**

Blanchette [2] gives an overview of a number of verification efforts including the metatheory of SAT and SMT solvers, the resolution and superposition calculi, and a series of proof systems for propositional logic [18]. The aim is to develop a methodology for formalizing modern research in automated reasoning and the present work points in this direction with a minimal example of a formally verified prover for classical first-order logic based on the sequent calculus.

The prover is based on the abstract completeness framework by Blanchette, Popescu and Traytel [4,5]. Their formalization contains a simple example prover for propositional logic, while their paper contains the ideas for a (naive) prover for first-order logic. Our prover realizes these ideas by formalizing them in Isabelle/HOL. Instead of a prover, Blanchette et al. [5] used the framework to formalize soundness and completeness of a *calculus* for first-order logic with equality in negation normal form. From and Jacobsen [10,12] used the framework to formalize a much less naive prover for first-order logic based on the SeCaV proof system [13]. Instead of indexed rules, they employ "multi-rules" that apply to every applicable formula in a sequent at once and they store more than just the sequent at each node in the proof tree. Their prover performs better, but the formalization does not enjoy the simplicity of the naive prover, with close to 3000 lines of Isabelle/HOL against 900 lines.

The indexed rules of the naive prover automatically yield readable proofs. In the same vein, THINKER by Pelletier [21] is a natural deduction proof system and attached automated theorem prover, designed for "direct proofs", as opposed to proofs based on reduction to a resolution system. MUSCADET by Pastre [20] is another automated theorem prover based on natural deduction. Neither of these has been formally verified. Schulz and Pease [24] focused on readable code rather than proofs. They have developed a saturation-based theorem prover in Python for first-order logic to teach automated theorem proving by example. They have not formally verified soundness and completeness, but our projects are similar.

In the world of formalization, Schlichtkrull et al. [23] formalized an ordered resolution prover for *clausal* first-order logic in Isabelle/HOL. Jensen et al. [16] formalized the soundness, but not the completeness, of a prover for first-order logic with equality in Isabelle/HOL. Villadsen et al. [25] verified a simple prover for first-order logic in Isabelle/HOL aiming for students to understand both the prover and the formalization. That work simplified a formalization by Ridge and Margetson [22]. Neither of the last two provers support functions.

#### **3 Isabelle/HOL Overview**

We give a quick overview of the Isabelle/HOL features used in the present paper. Nipkow and Klein [19, Part 1] give a more complete introduction.

The **datatype** command defines a new inductive type from a series of constructors, where each can be given custom syntax. The natural numbers are built from the nullary constructor *0* and unary *Suc*. The constructors *True* and *False* belong to the built-in type *bool*. The usual connectives and quantifiers from first-order logic (−→, ∀, etc.) are available for *bool*, as well as *if-then-else* expressions. The parametric *a list* is the type of lists with elements of type *a*. The type variable *a* stands in the place of another type. Lists are built from [], the empty list, and #, an infix constructor that adjoins an element to an existing list. The notation [*a, b, c*] is shorthand for these primitive operations. The function *set* turns a list into a set of its elements, *map* applies a given function to every element of a list, @ appends two lists, *concat* flattens a list of lists and *upt j k* creates the list [j, j + 1, ..., k − 1]. We use [∈] for list membership and [÷] to remove all occurrences of a given element from a list. The two types *a set* and *a fset* form sets and finite sets respectively. The usual operations are available on sets. On finite sets they are typically prefixed by *f* as in *fimage*. Two additional types are important: sum types with the two unary constructors *Inl* and *Inr*, and *option* types constructed by the unary *Some* or nullary *None*. Constructors can be examined using *case* expressions.

**Fig. 1.** The first-order logic syntax in Isabelle/HOL.

The **codatatype** command defines a new coinductive type from a series of constructors. The canonical example is the type *a stream* of "lists with no base case", i.e. infinite sequences. The functions *shd* and *stl* return the head and tail of a stream, respectively, while *flat* transforms a stream of lists into a stream of all the elements in the constituent lists, *sset* returns a set of its elements, *smap* applies a function to every element, !! returns the element at a given index and *sdrop-while* removes a prefix of a stream that satisfies a given predicate. The stream *nats* contains all natural numbers.
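For intuition only, the stream operations have rough analogues as Python generator expressions (a sketch; Isabelle streams are non-destructive mathematical objects, whereas Python generators are consumed as they are read):

```python
from itertools import count, islice

def smap(f, s):
    # apply f to every element of a stream
    return (f(x) for x in s)

def flat(s):
    # turn a stream of lists into the stream of their elements
    return (x for xs in s for x in xs)

nats = count(0)  # analogue of the stream of all natural numbers

print(list(islice(smap(lambda n: 2 * n, count(0)), 5)))  # [0, 2, 4, 6, 8]
print(list(islice(flat([n, n] for n in count(0)), 4)))   # [0, 0, 1, 1]
```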

The type *A* ⇒ *B* denotes a function from *A* to *B*. Type signatures are specified after "::". Types can be shortened using type synonyms. The term *UNIV* stands for the set of all values of a given type. In this paper, both = and ≡ are used to form new definitions. Function application resembles functional programming languages: f(x, y) is written as *f x y* and partial application is allowed. Anonymous functions are built using λ-expressions, e.g. λ*n. n + n* for f(n) = n + n.

A **locale** in Isabelle/HOL **fixes** a number of terms, then **assumes** a number of properties about those terms. The meta-logical implication =⇒ separates premises from conclusions in each assumption. The keyword **and** acts as a separator. A locale for a group, for instance, *fixes* a set and a binary operation and *assumes* the group axioms.

#### **4 First-Order Logic in Isabelle/HOL**

Figure 1 contains a formalization of the syntax of first-order logic as a datatype in Isabelle/HOL. The syntax is *deeply embedded* as an object in the meta-logic so we can manipulate it. We use de Bruijn indices [6] to represent binding: each variable n is bound by the quantifier that is n quantifiers away, moving outwards.

A term t, type *tm*, is then either a variable #n for some de Bruijn index n (a natural number) or a function application *†*f [...] for some natural number f representing the function name and a list of argument terms [...]. A formula p, type *fm*, is the constant for falsity, *⊥*, a predicate *‡*P [...] for some natural number P representing the predicate name and a list of argument terms [...], an implication *p1 −→ p2* between two formulas *p1*, *p2*, or a universally quantified formula *∀*p.

**Fig. 2.** The semantics of first-order logic in Isabelle/HOL.

Figure 2 contains a formalization of the semantics in Isabelle/HOL. A model consists of three denotations: one each for variables (*E*), function symbols (*F*) and predicate symbols (*G*). Terms evaluate to a member of the domain, here represented as a type variable, while formulas evaluate to truth values in the higher-order logic. We can use the connectives and quantifiers of Isabelle/HOL to interpret the first-order logic syntax. For the universal quantifier, we modify the environment such that we evaluate the quantified variable 0 as every element of the domain.
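To make the evaluation clauses concrete, here is a small Python transcription of this semantics (the tuple encoding of terms and formulas is ours, not the paper's):

```python
# Terms: ('var', n) | ('fun', f, args); formulas: 'falsity' | ('pre', P, args)
# | ('imp', p, q) | ('all', p).  A model gives E (variables), F (functions),
# G (predicates) and a domain to quantify over.
def eval_tm(E, F, t):
    if t[0] == 'var':
        return E(t[1])
    return F(t[1], [eval_tm(E, F, u) for u in t[2]])

def eval_fm(E, F, G, p, domain):
    if p == 'falsity':
        return False
    if p[0] == 'pre':
        return G(p[1], [eval_tm(E, F, t) for t in p[2]])
    if p[0] == 'imp':
        return (not eval_fm(E, F, G, p[1], domain)) or eval_fm(E, F, G, p[2], domain)
    # ('all', q): variable 0 ranges over the domain; older variables shift up
    return all(eval_fm(lambda n, d=d: d if n == 0 else E(n - 1), F, G, p[1], domain)
               for d in domain)

# The tautology ∀x. P(x) −→ P(x) is true in an arbitrary model:
taut = ('all', ('imp', ('pre', 0, [('var', 0)]), ('pre', 0, [('var', 0)])))
E = lambda n: 0
F = lambda f, args: 0
G = lambda P, args: args[0] % 2 == 0
print(eval_fm(E, F, G, taut, range(5)))  # True
```

Note how the universal case mirrors the Isabelle definition: the environment is shifted so that index 0 denotes the current domain element.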

Figure 3 lists the rules for instantiating a quantifier with a term without capturing any free variables in the process. The operation *lift-tm* increments every variable in the term t by one. The operation *sub-tm s t* applies the substitution s to every variable in term t. The operation *sub-fm s p* applies the substitution s to the formula p, taking account of binders. In the case for *∀*p, the substitution is augmented using composition to preserve the bound variable #0 in p and to *lift* the variables in the output of the substitution s to point past the binder. We write the instantiation of a quantified formula *∀*p with a concrete term t as ⟨t⟩p. The notation ⟨t⟩ represents the simultaneous substitution that maps variable 0 to t and every other variable n + 1 to n to account for the removed binder. Figure 4 lists the operations for generating a variable *fresh* to a list of formulas, i.e. one that does not appear in any formula in the list.


**Fig. 3.** The simultaneous substitution and quantifier instantiation in Isabelle/HOL.
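The lifting and instantiation operations on terms can be mirrored in Python as follows (again with our hypothetical tuple encoding, not the formalization's syntax):

```python
# A de Bruijn term is ('var', n) or ('fun', f, args).
def lift_tm(t):
    # increment every variable by one, moving it past a new binder
    if t[0] == 'var':
        return ('var', t[1] + 1)
    return ('fun', t[1], [lift_tm(u) for u in t[2]])

def sub_tm(s, t):
    # apply the substitution s (a function on indices) to every variable
    if t[0] == 'var':
        return s(t[1])
    return ('fun', t[1], [sub_tm(s, u) for u in t[2]])

def inst(t):
    # the substitution written <t> in the text: 0 becomes t, n+1 becomes n
    return lambda n: t if n == 0 else ('var', n - 1)

# Instantiating the body f(#0, #1) with a constant c (encoded as †5 []):
print(sub_tm(inst(('fun', 5, [])), ('fun', 7, [('var', 0), ('var', 1)])))
# ('fun', 7, [('fun', 5, []), ('var', 0)])
```

As in the formalization, instantiating a binder both replaces index 0 and shifts all remaining indices down to account for the removed quantifier.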

**Fig. 4.** The rules for generating a fresh variable in Isabelle/HOL.

**Fig. 5.** The syntax and semantics of sequents in Isabelle/HOL.

$$\begin{array}{c}
\text{Idle}\ \dfrac{A \vdash B}{A \vdash B}
\qquad
\text{Axiom}\ P\ ts\ \dfrac{}{A \vdash B}\ \dagger P\ ts \mathrel{[\in]} A,\ \dagger P\ ts \mathrel{[\in]} B
\\[2ex]
\text{FlsL}\ \dfrac{}{A \vdash B}\ \bot \mathrel{[\in]} A
\qquad
\text{FlsR}\ \dfrac{A \vdash B \mathbin{[\div]} \bot}{A \vdash B}\ \bot \mathrel{[\in]} B
\\[2ex]
\text{ImpL}\ p\ q\ \dfrac{A \mathbin{[\div]} (p \longrightarrow q) \vdash p \mathbin{\#} B \qquad q \mathbin{\#} (A \mathbin{[\div]} (p \longrightarrow q)) \vdash B}{A \vdash B}\ p \longrightarrow q \mathrel{[\in]} A
\\[2ex]
\text{ImpR}\ p\ q\ \dfrac{p \mathbin{\#} A \vdash q \mathbin{\#} (B \mathbin{[\div]} (p \longrightarrow q))}{A \vdash B}\ p \longrightarrow q \mathrel{[\in]} B
\\[2ex]
\text{UniL}\ t\ p\ \dfrac{\langle t \rangle p \mathbin{\#} A \vdash B}{A \vdash B}\ \forall p \mathrel{[\in]} A
\qquad
\text{UniR}\ p\ \dfrac{A \vdash \langle \#\mathit{fresh} \rangle p \mathbin{\#} (B \mathbin{[\div]} \forall p)}{A \vdash B}\ \forall p \mathrel{[\in]} B
\end{array}$$

**Fig. 6.** The rules of the sequent calculus presented visually.

The calculus works on two-sided sequents, of type *sequent*, which are represented as pairs of lists of formulas (cf. Fig. 5). We can think of the left-hand side as assumptions and the right-hand side as conclusions. Moreover, the left-hand side is conjunctive, so we can assume all of the formulas there to be true, while the right-hand side is disjunctive, so we only need to prove one.
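This conjunctive/disjunctive reading can be sketched for a small propositional fragment. The encoding below (string atoms, `"bot"` for ⊥, `('imp', p, q)` tuples, the `holds` and `sc` functions) is a hypothetical illustration, not the Isabelle semantics:

```python
# A sketch of sequent semantics: the sequent (A, B) holds under an
# interpretation when some assumption in A fails or some conclusion in B holds.

def holds(interp, p):
    """Truth of a formula under interp : name -> bool.
    A formula is 'bot', a string atom, or ('imp', p, q)."""
    if p == "bot":
        return False
    if isinstance(p, str):
        return interp[p]
    _, l, r = p
    return (not holds(interp, l)) or holds(interp, r)

def sc(interp, sequent):
    """A ⊢ B: if every formula in A holds, then some formula in B holds."""
    A, B = sequent
    return any(not holds(interp, p) for p in A) or any(holds(interp, q) for q in B)
```

Under this reading, the sequent p ⟶ q, p ⊢ q holds in every interpretation, while p ⊢ q fails whenever p is true and q is false.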

Sequent calculus has the benefit of the *subformula property*: to prove a formula we only need to look at its subformulas. Contrast this with axiomatic systems using modus ponens (from p *−→* q and p infer q), where we need to guess a suitable "lemma" formula. However, a sequent calculus may still leave too much freedom for comfort. In particular, we want to remove the need for structural rules, since they apply almost anywhere and thus create needless choice points.

Figure 6 lists the underlying rules of the prover in a somewhat idiosyncratic manner. The reason will become apparent later. Each rule has a name to the left of the horizontal line. Below the horizontal line is the conclusion and above are the premises, if any. Any side conditions are given to the right of the line. Note that each rule is indexed by the exact (sub)formulas it works on: the rule Axiom 0 [] is distinct from the rule Axiom 1 [] etc. This rigidity means that we do not need any structural rules. It also means that there is no pattern matching in any of the rules and that the three primary operations are membership checking ([∈]), removal of concrete formulas ([÷]) and adding new formulas to a list (#).

The Idle rule appears for technical reasons (there should always be an enabled rule). The Axiom rule is indexed by a predicate symbol P and argument list ts and checks whether such a predicate appears on both sides of the sequent: if so, the rule applies and there are no child sequents. The FlsL rule checks if *⊥* occurs among the assumptions, in which case the sequent is proved. The FlsR rule, when it applies, drops all occurrences of *⊥* from the conclusions, since we can never prove any of them. The ImpL and ImpR rules decompose implications on either side of the sequent in the standard way. The UniL rule is indexed by a term t and a formula p. If *∀*p occurs on the left, then the rule instantiates it with t, adding ⟨t⟩p to the left-hand side of the child sequent. The UniR rule is only indexed by a formula p. When *∀*p occurs on the right, it is instantiated with a fresh variable and removed.
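An effect function for some of these indexed rules can be sketched as follows, restricted to the propositional rules and under an assumed Python encoding of rules (tagged tuples) and formulas; the precise shape of the premises follows the standard reading described above:

```python
# A sketch of an effect function built from the three primitive operations:
# membership ([∈]), removal of all copies of a concrete formula ([÷]),
# and adding a formula to a list (#, here list cons).

def remove(xs, x):
    """[÷]: remove every occurrence of the concrete formula x."""
    return [y for y in xs if y != x]

def eff(rule, sequent):
    """Return the list of child sequents, or None when the rule is disabled."""
    A, B = sequent
    kind = rule[0]
    if kind == "Idle":                       # premise equals conclusion
        return [(A, B)]
    if kind == "Axiom":                      # Axiom P ts: closes the branch
        _, P, ts = rule
        return [] if (P, ts) in A and (P, ts) in B else None
    if kind == "FlsL":                       # ⊥ among the assumptions
        return [] if "bot" in A else None
    if kind == "FlsR":                       # drop all ⊥ from the conclusions
        return [(A, remove(B, "bot"))] if "bot" in B else None
    if kind == "ImpR":                       # ImpR p q
        _, p, q = rule
        imp = ("imp", p, q)
        if imp in B:
            return [([p] + A, [q] + remove(B, imp))]
        return None
    if kind == "ImpL":                       # ImpL p q: two child sequents
        _, p, q = rule
        imp = ("imp", p, q)
        if imp in A:
            A2 = remove(A, imp)
            return [(A2, [p] + B), ([q] + A2, B)]
        return None
    return None
```

Note how the indexing makes each rule check for one exact formula, so no pattern matching or structural rules are needed.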

In order to obtain a prover based on the rules of the sequent calculus we use the abstract completeness framework for Isabelle/HOL developed by Blanchette, Popescu and Traytel [3,5]. This framework formalizes the mechanics of sequent calculus and semantic tableaux provers in an abstract way that we can instantiate with concrete rules. There are two possible perspectives on the framework: (i) the proof perspective, where we use the framework to obtain theorems about proof trees built from our rules, and (ii) the code generation perspective, where we use the framework to generate an executable prover. In this paper, both perspectives come into play, but each can also be used on its own.

The framework needs: a stream of rules, a function describing their effect, a proof that some rule is always enabled and a guarantee that rules are persistent. We formalize the calculus in Isabelle/HOL as a datatype of rules, *rule*, with constructors *Idle*, *Axiom*, *FlsL*, *FlsR*, *ImpL*, *ImpR*, *UniL* and *UniR*, and an effect function, *eff*, that encodes the relationship between premises and conclusions in the manner expected by the framework.

### **5 Soundness and Completeness**

Soundness requires that we do not prove a sequent without having proper reasons to do so. It is a local property of our calculus that we can easily check. Completeness, on the other hand, requires that we have sufficient rules available to prove every valid formula. Thus, proving completeness requires a more involved strategy.

**Lemma 1 (Local soundness).** *If all premises of a rule are valid, then its conclusion is valid. In Isabelle, if eff r* (*A*, *B*) = *Some ss and* ∀ *A B*. (*A*, *B*) |∈| *ss* −→ (∀ (*E* :: *-* ⇒ *a*). *sc* (*E*, *F*, *G*) (*A*, *B*))*, then sc* (*E*, *F*, *G*) (*A*, *B*)*.*

*Proof.* By induction on the call structure of *eff*. The induction hypothesis then applies to the sequents produced by *eff*. All cases except UniR are trivial. For UniR, by the induction hypothesis, the premise holds under all variable denotations: no matter the assignment to the fresh variable. This justifies forming the universal quantifier and since the fresh variable does not appear elsewhere in the sequent, the semantics there are unaffected.

**Theorem 1 (Prover soundness).** *If a proof tree (attempt) is well formed and finite, then the root sequent is valid. In Isabelle, if tfinite t and wf t, then sc* (*E*, *F*, *G*) (*fst* (*root t*))*.*

*Proof.* By induction on the *finite* proof tree using Lemma 1.

**Fig. 7.** Formalizations of Hintikka sets and the countermodel *M A*.

For completeness we must now show that, for every valid sequent, the prover finds a proof. We do so contrapositively: if the prover does not find a proof, we produce a countermodel to the sequent. To do so, we characterize saturated escape paths syntactically using Hintikka sets and show that such sets induce countermodels. Figure 7 characterizes Hintikka sets in our setting. There are two perspectives on these: one, that they characterize saturated escape paths and two, that they characterize the semantics of the countermodel.

To understand the first perspective, read the set *A* as consisting of all formulas that appear as assumptions on the saturated escape path (on the left-hand side of sequents) and the set *B* as consisting of all formulas that appear as conclusions (on the right-hand side of sequents). The Isabelle/HOL functions *treeA* and *treeB* collect these sets, respectively.

**Lemma 2 (Hintikka sets characterize saturated escape paths).** *Let A and B be sets of assumption and conclusion formulas on a saturated escape path. Then they fulfill all Hintikka requirements. In Isabelle, if epath steps and Saturated steps, then Hintikka* (*treeA steps*) (*treeB steps*)*.*

*Proof.* We check each condition separately.

*Basic* states that a predicate cannot appear as both assumption and conclusion on the epath. Otherwise the Axiom rule would have terminated the (infinite) epath.

*FlsA* states that *⊥* does not appear among the assumptions. Similar to the above, the FlsL rule would have terminated the epath if so.

*ImpA* and *ImpB* break down implications in accordance with the ImpL and ImpR rules. For a given p, q, if p *−→* q appears in *A* (respectively *B*), then at some point in the proof tree attempt, the rule ImpL p q (respectively ImpR p q) becomes enabled. Since the epath is saturated, any enabled rule is eventually taken and the effect matches the thesis.

*UniA* states that any universally quantified formula *∀*p on the left is instantiated with all possible terms. Fix an arbitrary term *t*. Since *∀*p occurs as an assumption, the specific rule UniL p t is eventually enabled, taken, and has the desired effect.

*UniB* is similar, except the witnessing term is the fresh variable.

*Remark 1.* We see the usefulness of indexed rules in the above proof. If we simply had an ImpR rule, rather than an ImpR p q rule for each pair of formulas p and q, we would have to further argue that this rule eventually applies to exactly the implication p *−→* q we need it to. We might first have to argue that p *−→* q eventually reaches the front of the sequent, or engage in similar delicate reasoning. This is where fairness concerns would show up. We have sidestepped the issue by using very specific rules.

Consider now the second perspective. The countermodel in Fig. 7 uses the term universe (also called Herbrand universe) where every variable and function symbol evaluates to itself. Thus, the universal quantifier, which ranges over a given domain, ranges over terms. Now, read the sets *A* and *B* as formulas we wish to satisfy and falsify, respectively.
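The term model can be sketched directly, under assumed Python encodings: a term is `('var', n)` or `('fun', f, ts)`, and the function denotation rebuilds the syntactic application node, so evaluation in the term universe is the identity:

```python
# A sketch of evaluation in the term (Herbrand) universe, where every
# variable and function symbol evaluates to itself.

def eval_tm(E, F, t):
    """Evaluate a term under variable denotation E and function denotation F."""
    if t[0] == "var":
        return E(t[1])
    _, f, ts = t
    return F(f, tuple(eval_tm(E, F, u) for u in ts))

# In the term universe, variables denote themselves and F rebuilds the
# application node, so every term is its own denotation.
E_term = lambda n: ("var", n)
F_term = lambda f, args: ("fun", f, args)
```

With this domain, the universal quantifier ranges exactly over syntactic terms, which is what makes the *UniA* condition (instantiation with all terms) sufficient for satisfying *∀*p in the countermodel.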

**Lemma 3 (A Hintikka set induces a countermodel).** *Let* A *and* B *be sets of formulas fulfilling the Hintikka requirements. Then M A satisfies formulas in* A *and falsifies formulas in* B*. In Isabelle, if Hintikka A B then* (*p* ∈ *A* −→ *M A p*) ∧ (*p* ∈ *B* −→ ¬ *M A p*)*.*

*Proof.* By well founded induction on the size of the formula, such that the induction hypothesis applies to subformulas and instances of universally quantified formulas.

For *⊥* ∈ A, this contradicts *FlsA* so the thesis holds vacuously. For *⊥* ∈ B, the thesis holds trivially since *⊥* is falsified by every model.

For *†*P ts ∈ A, the thesis holds by the definition of *M*. For *†*P ts ∈ B, we cannot have *†*P ts ∈ A due to *Basic* and so the thesis holds by the definition of *M*.

For p *−→* q ∈ A and p *−→* q ∈ B the theses hold by the induction hypotheses at p and q and the conditions *ImpA* and *ImpB*, respectively.

For *∀*p ∈ A and *∀*p ∈ B the theses hold by the induction hypotheses at ⟨t⟩p for all t and by the conditions *UniA* and *UniB*, respectively.

Any saturated escape path induces a countermodel, contradicting validity.

#### **Theorem 2 (Prover completeness).** *For any valid sequent, the prover terminates.*

*Proof.* If the prover does not find a proof, then by the framework, the proof attempt contains a saturated escape path. By Lemma 2, this epath fulfills the Hintikka requirements. By Lemma 3, we can build a model that satisfies every assumption formula and falsifies every conclusion formula. This model contradicts the validity of the sequent.

We join the soundness and completeness theorems in a corollary on formulas.

**Corollary 1.** *The prover terminates if, and only if, the given formula is valid. In Isabelle, fix p* :: *fm and let t* ≡ *prover* ([], [*p*])*, then tfinite t* ∧ *wf t* ←→ (∀ (*E* :: *-* ⇒ *tm*) *F G*. ⟦*E*, *F*, *G*⟧ *p*)*.*

# **References**



# **Author Index**

#### **A**

Acclavio, Matteo 342
Afshari, Bahareh 223
Alassaf, Ruba 24
Areces, Carlos 37
Ayers, Edward 175

#### **B**

Bibel, Wolfgang 153

#### **C**

Cassano, Valentin 37
Catta, Davide 342

#### **D**

Dalmonte, Tiziano 302
Das, Anupam 283
de Boer, Frank S. 407
De Domenico, Andrea 49
de Gouw, Stijn 407
Dekker, Maurice 242

#### **E**

Eisenhofer, Clemens 24

#### **F**

Fervari, Raul 37
From, Asta Halkjær 468

#### **G**

Gheorghiu, Alexander V. 367
Goré, Rajeev 73
Greco, Giuseppe 49
Grotenhuis, Lide 223
Gu, Tao 367

#### **H**

Haniková, Zuzana 386
Hiep, Hans-Dieter A. 407
Hoffmann, Guillaume 37

#### **I**

Iemhoff, Rosalie 73
Indrzejczak, Andrzej 112, 131

#### **J**

Jalali, Raheleh 263

#### **K**

Kloibhofer, Johannes 242
Kovács, Laura 24
Kürbis, Nils 112
Kuznets, Roman 263

#### **L**

Lang, Timo 94
Leigh, Graham E. 223
Lyon, Tim S. 449

#### **M**

Manoorkar, Krishna B. 49
Manyà, Felip 386
Marin, Sonia 283
Marti, Johannes 242
Mazzullo, Andrea 302
Mir, Ramon Fernández 175

#### **N**

Nalon, Cláudia 322

#### **O**

Olimpieri, Federico 342
Olivetti, Nicola 322
Orlandelli, Eugenio 449

#### **P**

Palmigiano, Alessandra 49
Panettiere, Mattia 49
Pattinson, Dirk 322


Peltier, Nicolas 427
Piotrowski, Bartosz 175
Pym, David J. 367

#### **R**

Rawson, Michael 24, 153

#### **S**

Saurin, Alexis 203
Shillito, Ian 73
Shminke, Boris 187

#### **V**

van der Berg, Ineke 49
van der Giessen, Iris 73, 263
Venema, Yde 242
Vidal, Amanda 386
Villadsen, Jørgen 468

#### **W**

Wernhard, Christoph 3, 153

#### **Z**

Zenger, Lukas 223
Zombori, Zsolt 153