computational content of proofsschwicht/slides/ljubljana19.pdf · only. in contrast, tcf is based...

Intro Model Terms TCF Realizers Applications

Computational content of proofs

Helmut Schwichtenberg(j.w.w. Ulrich Berger, Nils Kopp, Kenji Miyamoto, Monika

Seisenberger, Hideki Tsuiki and Franziskus Wiesnet)

Mathematisches Institut, LMU, Munchen

Computability, Continuity, Constructivity –from Logic to Algorithms (CCC)

Ljubliana University, September 2019

1 / 80


Proofs have two aspects:

1. they guarantee correctness, and

2. they may have computational content.

We address (2), and use a BHK-interpretation to extract programsfrom proofs. Features:

• The extract is a term in the underlying theory, hence we havea framework to formally prove its properties.

• Computational content in (co)inductive predicates only.

• From proofs in constructive analysis1 we can extract programsoperating on stream-represented real numbers.

1E. Bishop, Foundations of Constructive Analysis, 1967

2 / 80


In more detail:

M 7→ et(M) ∈ T+, sp(M) : et(M) r A

where

• M proof of A in TCF,

• et(M) term of “cotype” ϕ(A) in T+,

• sp(M) soundness proof in TCF, of et(M) r A,

• r Keisel’s modified realizability.

3 / 80


Related work, comparison.

• HAω and Martin-Lof style type theories use total functionalsonly. In contrast, TCF is based on the Scott2-Ershov3 modelof partial continuous functionals.

• Coq extracts programs in a programming language (OCaml,Scheme), and Agda uses whole proofs as programs. In bothcases it is difficult to formally prove properties of these.

2D. Scott, Outline of a mathematical theory of computation, Oxford 19703Y. Ershov, Model C of partial continuous functionals, Logic. Coll. 1977

4 / 80


Information system A = (A,Con,`):

• A countable set of “tokens”,

• Con set of finite subsets of A,

• ` (“entails”) subset of Con× A.

such that

U ⊆ V ∈ Con→ U ∈ Con,

{a} ∈ Con,

U ` a→ U ∪ {a} ∈ Con,

a ∈ U ∈ Con→ U ` a,

U,V ∈ Con→ ∀a∈V (U ` a)→ V ` b → U ` b.

x ⊆ A is an ideal if

U ⊆ x → U ∈ Con (x is consistent),

x ⊇ U ` a→ a ∈ x (x is deductively closed).

5 / 80


Function spacesLet A = (A,ConA,`A) and B = (B,ConB ,`B) be informationsystems. Define A→ B := (C ,Con,`) where

• C := ConA × B,

•

{ (Ui , bi ) | i ∈ I } ∈ Con :=

∀J⊆I (⋃j∈J

Uj ∈ ConA → { bj | j ∈ J } ∈ ConB),

• { (Ui , bi ) | i ∈ I } ` (U, b) means { bi | U `A Ui } `B b.

A→ B is an information system.

Application of an ideal x in A→ B to an ideal y in A is defined by

x(y) := { b ∈ B | ∃U⊆y ((U, b) ∈ x) }.

6 / 80


(Free) algebras given by constructors:

N by 0N, SN→N

Y by 0Y,CY→Y→Y (binary trees)

α× β by 〈., .〉α→β→α×β

α + β by (InLαβ)α→α+β, (InRαβ)β→α+β

L(α) by []L(α), consα→L(α)→L(α)

S(α) by SConsα→S(α)→S(α)

S(α) has no nullary constructor, hence no “total” objects.

7 / 80


Information systems C ρ = (Cρ,Conρ,`ρ)Cρ→σ := Cρ → Cσ. At base types ι:

Tokens are type correct constructor expressions Ca∗1 . . . a∗n.

(Examples: 0, C∗0, C0∗, C (C∗0)0.)

U = {a1, . . . , an} is consistent if

• all ai start with the same constructor,

• (proper) tokens at j-th argument positions are consistent.

(Example: {C∗0,C0∗}.)

U ` a (entails) if

• all ai ∈ U and also a start with the same constructor,

• (proper) tokens at j-th argument positions of ai entail j-thargument of a.

(Example: {C∗0,C0∗} ` C00).

8 / 80


Definition

• A partial continuous functional of type ρ is an ideal in Cρ.

• A partial continuous functional is computable if it is a(primitive) recursively enumerable set of tokens.

Ideals in Cρ: Scott-Ershov domain of type ρ.

• x ι is total iff x = { a | {b} ` a } for some token (i.e.,constructor expression) b without ∗.

• x ι is cototal iff every token b(∗) ∈ x has a “one-stepextension” b(C~∗ ) ∈ x .

9 / 80


Example: binary trees

Tokens: 0, Cab, Ca∗, C∗b, C∗∗, for instance

00 0

HHH��@@�� 0

∗ 0

HHH��@@��

Consistency:

0 ∗HHH��

� ↑∗ 0HHH��

�

0 0HHH�

�� 6↑0

∗ ∗

HHH��@@��

but

0 ∗HHH�

�� ↑0

∗ ∗

HHH��@@��

10 / 80


Entailment:

{0 ∗HHH��

�,

∗ 0HHH��

� } `Y

0 0HHH��

�

and also

∗∗ 0

HHH��@@��

`Y

∗∗ ∗

HHH��@@��

and

∗ ∗HHH�

��

11 / 80


Cototal ideal: R := closure of all

0

0

0

0 ∗

12 / 80


Cototal ideal: 12 := closure of all

0

0 0

0 ∗ 0

0 ∗

13 / 80


Total ideal: closure of

00 0

HHH��

�@@��

General ideal: closure of

0∗ 0

HHH��@@��

14 / 80


A common extension T+ of Godel’s T and Plotkin’s PCF

Terms of T+ are built from (typed) variables and (typed)constants (constructors C or defined constants D, see below) by(type-correct) application and abstraction:

M,N ::= xρ | Cρ | Dρ | (λxρMσ)ρ→σ | (Mρ→σNρ)σ.

Every defined constant D comes with a system of computationrules, consisting of finitely many equations

D ~Pi (~yi ) = Mi (i = 1, . . . , n)

with free variables of ~Pi (~yi ) and Mi among ~yi , where the argumentson the left hand side must be “constructor patterns”, i.e., lists ofapplicative terms built from constructors and distinct variables.

15 / 80


Examples

• +: N→ N→ N defined by

n + 0 = n

n + Sm = S(n + m)

• =N : N→ N→ B

(0 =N 0) = tt,

(0 =N Sn) = ff,

(Sm =N 0) = ff,

(Sm =N Sn) = (m =N n).

16 / 80


Recursion operators

• Introduced by Hilbert4 and Godel5.

• Used to construct maps from the algebra ι to τ , by recursionon the structure of ι.

• Example: RτN of type N→ τ → (N→ τ → τ)→ τ .

• The first argument is the recursion argument, the second onegives the base value, and the third one gives the step function,mapping the recursion argument and the previous value to thenext value.

• For example, RNNnmλn,p(Sp) defines addition m + n by

recursion on n.

4D. Hilbert, Uber das Unendliche, Math. Ann. 19255K. Godel, Uber eine bisher noch nicht benutzte Erweiterung des finiten

Standpunkts, Dialectica 1958

17 / 80


Corecursion operators

Recall

S(α) by SConsα→S(α)→S(α).

The corecursion operator coRτS(ρ) of type

τ → (τ → ρ× (S(ρ) + τ))→ S(ρ)

is defined by

coRxf :=

{SCons(y , z) if f (x) ≡ 〈y , InL(z)〉,SCons(y , coRx ′f ) if f (x) ≡ 〈y , InR(x ′)〉.

18 / 80


How to use computation rules to define a computable functional?Inductively define ( ~U, a) ∈ [[λ~xM]], where M is a term with freevariables among ~x .Case λ~x ,y ,~zM with ~x free in M, but not y .

( ~U, ~W , a) ∈ [[λ~x ,~zM]]

( ~U,V , ~W , a) ∈ [[λ~x ,y ,~zM]](K ).

Case λ~xM with ~x the free variables in M.

U ` a

(U, a) ∈ [[λxx ]](V ),

( ~U,V , a) ∈ [[λ~xM]] ( ~U,V ) ⊆ [[λ~xN]]

( ~U, a) ∈ [[λ~x(MN)]](A).

For every constructor C and defined constant D:

~U ` ~a∗

( ~U,C~a∗) ∈ [[C]](C),

( ~V , a) ∈ [[λ~xM]] ~U ` ~P( ~V )

( ~U, a) ∈ [[D]](D),

with one rule (D) for every defining equation D ~P(~x ) = M.

19 / 80


Properties of the denotational semantics.

• [[λ~xM]] is a partial continuous functional.

• The value is preserved under β, η-conversion and computationrules.

• An adequacy theorem holds: whenever a closed term Mι has atoken in its denotation [[M]], then M (head) reduces to aconstructor term entailing this token.

20 / 80


• Recall: C := (|Cρ|)ρ Scott-Ershov model.

• Recall: “xρ computable” for xρ ∈ |Cρ| is defined.

• Goal: TCF, a theory of partial computable functionals.

TCF can be seen as a variant of both HAω and Martin-Lof typetheory. Features:

• Based on the model C: partial functionals allowed.

• Logic enriched type theory6: formulas and types kept separate.

• Computational content only arises from (co)inductivedefinitions.

6N. Gambino & P. Aczel, The generalized type-theoretic interpretation ofconstructive set theory, JSL 2006

21 / 80


Definition. Clauses K have the form

∀~x(Y c → Znc → (∀~yi (Wnci → Xi ))i<n → X )

with X for X~t, and X lists of those. Call

I c := µX c ~K , I nc := µXnc ~K

a predicate form, and similarly with coI for I and ν for µ.

22 / 80


Examples. (i).

K0 := X ([], []),

K1 := ∀x ,l ,x ′,l ′(Y (x , x ′)→ X (l , l ′)→ X (x :: l , x ′ :: l ′))

are clauses and both

∼L(Y ) := µX (K0,K1) similarity

≈L(Y ) := νX (K0,K1) bisimilarity

are predicate forms with Y a parameter predicate variable.

23 / 80


Examples (continued). (ii).

K0 := X [],

K1 := ∀x ,l(Yx → Xl → X (x :: l))

are clauses and both

TL(Y ) := µX (K0,K1) totalitycoTL(Y ) := νX (K0,K1) cototality

are predicate forms with Y a parameter predicate variable.

24 / 80


Algebra form of a predicate formDefinition. From a clause K we obtain a constructor type by (i)omitting quantifiers, (ii) dropping all n.c. predicates and from thec.r. predicates their arguments, and (iii) replacing the remainingpredicate variables by type variables. That is, from the clause

∀~x(Y c → Znc → (∀~yi (Wnci → Xi ))i<n → X )

we obtain the constructor type

~α→ (ξ)i<n → ξ.

With every predicate form I c := (µ/ν)X c ~K we canonicallyassociate the algebra form ιI c := µξ~κ.

For examples (i), (ii): ∼L, ≈L, TL, coTL the associated algebraform is L (the µ/ν-distinction is ignored).

25 / 80


Definition of predicates and formulas.

P,Q ::= X | { ~x | A } | I (~ρ, ~P ) | coI (~ρ, ~P ) (predicates),

A,B ::= P~t | A→ B | ∀xA (formulas)

Call a predicate or formula C computationally relevant (c.r.) ornon-computational (n.c.) if its final predicate is.

Definition of the type τ(C ) of a c.r. predicate or formula C .Assume a global injective assignment of type variables ξ to X c .

τ(X c) := ξ,

τ({ ~x | A }) := τ(A),

τ((I/coI )(~ρ, ~P )) := ιI (τ(~Pc)),

τ(P~t ) := τ(P),

τ(A→ B) :=

{τ(A)→ τ(B) (A c.r.)

τ(B) (A n.c.)

τ(∀xA) := τ(A),

Call ιI (τ(~Pc)) the algebra associated with (I/coI )(~ρ, ~P).

26 / 80


Examples (continued). (iii). Leibniz equality:

EqD := µXnc(∀xX ncxx) (D for “inductively defined”).

Abbreviation: (x ≡ y) := EqD(x , y).

(iv). Union. Since the parameter predicates Y ,Z can be chosen aseither c.r. or n.c. we obtain the variants

CupDY c ,Z c := µX c (∀~x(Y c~x → X c~x ), ∀~x(Z c~x → X c~x )),

CupLY c ,Znc := µX c (∀~x(Y c~x → X c~x ), ∀~x(Znc~x → X c~x )),

CupRY nc,Z c := µX c (∀~x(Y nc~x → X c~x ), ∀~x(Z c~x → X c~x )),

CupUY nc,Znc := µX c (∀~x(Y nc~x → X c~x ), ∀~x(Znc~x → X c~x )),

CupNcY ,Z := µXnc(∀~x(Y ~x → X nc~x ), ∀~x(Z~x → X nc~x )).

D for “double”, L for “left”, R for “right”, U for “uniform”.

27 / 80


Then by definition

τ(CupD) = µξ(β0 → ξ, β1 → ξ) = β0 + β1,

τ(CupL) = µξ(β → ξ, ξ) = β + U,

τ(CupR) = µξ(ξ, β → ξ) = U + β,

τ(CupU) = µξ(ξ, ξ) = B.

In case of nullary predicates we use

A ∨d B := CupD{|A},{|B},

A ∨l B := CupL{|A},{|B},

A ∨r B := CupR{|A},{|B},

A ∨u B := CupU{|A},{|B},

A ∨nc B := CupNc{|A},{|B}.

“Decorations” determined by A,B: can be omitted except for ∨nc.∧, ∃ are treated similarly.

28 / 80


Axioms

Theory of computable functionals (TCF):

• Formulas are the ones defined above, involving typed variables.

• Proofs use the rules of minimal logic for → and ∀, and theaxioms below.

An n.c. part of a proof M : A is a subproof N : B with B n.c. Suchn.c. parts will not contribute to the computational content of thewhole proof: can ignore all decorations in those parts.

29 / 80


For each inductive predicate there are “clauses” or introductionaxioms, together with a “least-fixed-point” or elimination axiom.Write a clause ∀~x(Y c → Znc → (∀~yi (W nc

i → Xi ))i<n → X ) as

∀~x((Aν(X ))ν<n → X~t ).

I+i : ∀~xi ((Aiν(I ))ν<ni → I~ti ),

I− : (∀~xi ((Aiν(I ∩ X ))ν<ni → X~ti ))i<k → I ⊆ X

Examples.

Even+0 : 0 ∈ Even, Even+1 : ∀n(n ∈ Even→ S(Sn) ∈ Even)

The elimination axiom Even− is

0 ∈ X → ∀n(n ∈ Even→ n ∈ X → S(Sn) ∈ X )→ Even ⊆ X .

30 / 80


Examples (continued).

∃+ : ∀x(Px → ∃xPx)

∃− : ∃xPx → ∀x(Px → C )→ C (x /∈ FV(C ))

∧+ : A→ B → A ∧ B

∧− : A ∧ B → (A→ B → C )→ C

∨+i : Ai → A0 ∨ A1

∨− : A ∨ B → (A→ C )→ (B → C )→ C

(∨nci )+ : Ai → A0 ∨nc A1

(∨nc)− : A ∨nc B → (A→ C )→ (B → C )→ C (C n.c.)

31 / 80


The conjunction of the k clauses of an inductive I is equivalent to

∀~x(∨∨i<k

∃~xi (∧∧ν<ni

Aiν(I ) ∧ ~x ≡ ~ti )→ I~x ).

coI− : ∀~x(coI~x →∨∨i<k

∃~xi (∧∧ν<ni

Aiν(coI ) ∧ ~x ≡ ~ti ))

coI+ : ∀~x(X~x →∨∨i<k

∃~xi (∧∧ν<ni

Aiν(coI ∪ X ) ∧ ~x ≡ ~ti ))→ X ⊆ coI .

coI−: closure axiom.coI+: greatest-fixed-point (or coinduction) axiom.

32 / 80


Example. The conjunction of the 2 clauses of Even is equivalent to

∀n(n ≡ 0 ∨ ∃n′(n′ ∈ Even ∧ n ≡ S(Sn′))→ n ∈ Even).

coEven is defined by its closure axiom coEven−:

∀n(n ∈ coEven→ n ≡ 0 ∨ ∃n′(n′ ∈ coEven ∧ n ≡ S(Sn′)))

and its greatest-fixed-point axiom coEven+:

∀n(Xn→ n ≡ 0 ∨ ∃n′(n′ ∈ (coEven ∪ X ) ∧ n ≡ S(Sn′)))→X ⊆ coEven.

33 / 80


Example of a proof by coinduction.

• We show cototality of corecursion: coRxf ∈ coTS(ρ).

• Recall: the corecursion operator coRτS(ρ) of type

τ → (τ → ρ× (S(ρ) + τ))→ S(ρ)

is defined by

coRxf :=

{SCons(y , z) if f (x) ≡ 〈y , InL(z)〉,SCons(y , coRx ′f ) if f (x) ≡ 〈y , InR(x ′)〉.

34 / 80


Lemma (Cototality of corecursion)

Let f : τ → ρ× (S(ρ) + τ) be of InR-form, i.e., f (x) has the form〈y , InR(x ′)〉 for all x . Then coRxf ∈ coTS(ρ) for all x .

Proof.By coinduction with competitor predicate

X := { z | ∃x(z ≡ coRxf ) }.

Need to prove that X satisfies the clause defining coTS(ρ):

∀z(z ∈ X → ∃y∃z ′(z ′ ∈ X ∧ z ≡ SCons(y , z ′))).

Let z ≡ coRxf for some x . Since f is assumed to be of InR-formwe have y , x ′ such that f (x) ≡ 〈y , InR(x ′)〉. By the definition ofcoRτS(ρ) obtain coRxf ≡ SCons(y , coRx ′f ). Use coRx ′f ∈ X .

35 / 80


Recall: (co)totality on closed base types, e.g., Y.

(TY)+0 : 0 ∈ TY,

(TY)+1 : ∀x ,x ′(x , x ′ ∈ TY → Cxx ′ ∈ TY)

T−Y : 0 ∈ X → ∀x ′,x ′′(x ′, x ′′ ∈ X → Cx ′x ′′ ∈ X )→ TY ⊆ X

coT−Y : ∀x(x ∈ coTY → x ≡ 0 ∨ ∃x ′,x ′′(x ′, x ′′ ∈ coTY ∧ x ≡ Cx ′x ′′))

and coT+Y :

∀x(x ∈ X → x ≡ 0 ∨ ∃x ′,x ′′(x ′, x ′′ ∈ (coTY ∪ X ) ∧ x ≡ Cx ′x ′′))→X ⊆ coTY.

We have

TY ⊂ coTY ⊂ |CY| (proper inclusions)

36 / 80


For arbitrary cotypes ϕ we define Eϕ (exists) by

(x ∈ Eι) := (x ∈ Tι),

(x ∈ Ecoι) := (x ∈ coTι),

(f ∈ Eϕ→ψ) := ∀x(x ∈ Eϕ → fx ∈ Eψ).

Similary for.

=ϕ (pointwise equal)

(x.

=ι y) := (x ∼ι y),

(x.

=coι y) := (x ≈ι y),

(f.

=ϕ→ψ g) := ∀x ,y (x.

=ϕ y → fx.

=ψ gy).

37 / 80


What is the relation between.

= and Leibniz equality ≡? Firstconsider closed base cotypes.

• Case ι. In the model C we have

(x ∼ι y)↔ (x ∈ Tι ∧ x ≡ y).

This is also provable in TCF.

• Case coι. In the model C we have

(x ≈ι y)↔ (x ∈ coTι ∧ x ≡ y).

(Write x =⋃

n(x�n) and use induction on n). In TCF this isan axiom, called Bisimilarity Axiom.

38 / 80


Recall that at higher types, pointwise equality relative to a cotypeis defined as a logical relation:

(f.

=ϕ→ψ g) := ∀x ,y (x.

=ϕ y → fx.

=ψ gy).

Then extensionality7 relative to a cotype ϕ is defined by

Extϕ(f ) := (f.

=ϕ f ).

Lemma. For closed cotypes ϕ the relation.

=ϕ is a partialequivalence relation (i.e., symmetric and transitive) whose domainis the set Extϕ of objects extensional w.r.t. ϕ.

7R. Gandy, PhD 1953, and On the axiom of extensionality – part I. JSL1956 and also G. Takeuti, On a generalized logic calculus, Jap. J. Math. 1953

39 / 80


Lemma. Eϕ and Extϕ are equivalent for closed cotypes ϕ of level≤ 1.

Proof. For level 0 this holds be definition. For level 1 use inductionon the height of the cotype. Let ϕ→ ψ be a closed cotype of level1. The following are equivalent.

f ∈ Extϕ→ψ

f.

=ϕ→ψ f

∀x ,y (x.

=ϕ y → fx.

=ψ fy)

∀x(x ∈ Eϕ → fx.

=ψ fx) by definition, since lev(ϕ) = 0

∀x(x ∈ Eϕ → fx ∈ Extψ)

Now use the induction hypothesis and the definition of Eϕ→ψ.

40 / 80


Are Eϕ and Extϕ equivalent for levels ≥ 2? No: we would needx.

=ϕ y → x ≡ y for ϕ of level 1. But the following are equivalent:

f.

=N→N g

∀n,m(n.

=N m→ fn.

=N gm)

∀n(n ∈ TN → fn.

=N gn)

∀n(n ∈ TN → fn, gn ∈ TN ∧ fn ≡ gn)

f , g ∈ EN→N ∧ ∀n(n ∈ TN → fn ≡ gn)

This cannot be Leibniz equality, since nothing is said on thebehaviour of f , g on non-total arguments.

41 / 80


Lemma (Extensionality of the recursion operator)

Let I be an inductive predicate and ιI its associated algebra. Thenthe extracted term et(I−) := RτιI of its least-fixed-point (orelimination) axiom I− is extensional w.r.t. the formula of I−.

Lemma (Extensionality of the corecursion operator)

Let coI be a coinductive predicate and ιI its associated algebra.Then the extracted term et(coI+) := coRτιI of itsgreatest-fixed-point (or coinduction) axiom coI+ is extensionalw.r.t. the formula of coI+.

42 / 80


Proofs have two aspects:

• they provide insight into why an argument is correct, and

• they can also have computational content.

The Brouwer-Heyting-Kolmogorov8 (BHK)-interpretation gives agood analysis of the latter. Modification here: computationalcontent only arises from (co)inductive predicates.

• p proves A→ B if and only if p is a construction transformingany proof q of A into a proof p(q) of B.

• p proves ∀xA if and only if p is a construction such that pproves A, irrespective of what x is.

8A. Kolmogorov, Zur Deutung der intuitionistischen Logik, Math. Z. 1932

43 / 80


Unexplained notions:

what is a “construction”?

what is a proof of a prime formula?

Here we propose to take

construction := computable functional,

proof of a prime formula I~t := a “construction tree” for I~t,

proof of a prime formula coI~t := a “destruction tree” for coI~t.

Such a construction or destruction tree can seen as a (co)totalideal in the algebra ιI associated with the clauses of I .

44 / 80


Realizability extension C r of c.r. predicates or formulas C

For n.c. C let C r := C . If C is c.r. C r is a predicate of arity(~σ, τ(C )) (~σ arity of C ). Write z r C for C rz if C is a c.r. formula.For X c let X r be the n.c. predicate variable provided, and

{ ~x | A }r := { ~x , z | z r A }.

CaseI/coI := (µ/ν)X ((Ki (X ))i<k

with algebra form ιI = µξ(κi (ξ))i<k where κi (ξ) := τ(Ki (X )). Thei-th constructor of ιI is Ci : κi (ιI ). Let

I r/coI r := (µ/ν)X r(Ci r Ki (X ))i<k .

45 / 80


For c.r. formulas let

z r P~t := P r~tz ,

z r (A→ B) :=

{∀w (w r A→ zw r B) if A is c.r.

A→ z r B if A is n.c.

z r ∀xA := ∀x(z r A).

46 / 80


Example. Let

I := µX (∀p,x(p ∈ TB → x ∈ T ncN→B → x ∈ X → px ∈ X ))

with px the function mapping 0 to p and Sn to xn. The type ofthe (single) clause K is the κ := B→ ξ → ξ (ξ := τ(X )) andτ(coI ) = µξ(B→ ξ → ξ) = S(B). Then

SCons r K :=

∀p,x ,q(T rBpq → x ∈ T nc

N→B → ∀s(X rxs → X r(px ,SCons(q, s))).

andcoI r = νX r(SCons r K ).

47 / 80


Lemma (Realizers of totality). For closed base types ι the followingare equivalent.

• T rι xy ,

• x ∼ncι y ,

• x ∈ T ncι ∧ x ≡ y .

Lemma (Realizers of cototality). For closed base types ι thefollowing are equivalent.

• coT rι xy ,

• x ≈ncι y ,

• x ∈ coT ncι ∧ x ≡ y .

48 / 80


z r ∃xA↔ ∃x(z r A) for A c.r.

z r (A ∧ B)↔z ≡ 〈lft(z), rht(z)〉 ∧ (lft(z) r A) ∧ (rht(z) r B) (A c.r., B c.r.)

(z r A) ∧ B (A c.r., B n.c.)

A ∧ (z r B) (A n.c., B c.r.)

z r (A ∨ B)↔∃x(x r A ∧ z ≡ InL(x)) ∨nc ∃y (y r B ∧ z ≡ InR(y)) (A c.r., B c.r.)

∃x(x r A ∧ z ≡ Inl(x)) ∨nc (B ∧ z ≡ DummyR) (A c.r., B n.c.)

(A ∧ z ≡ DummyL) ∨nc ∃y (y r B ∧ z ≡ Inr(y)) (A n.c., B c.r.)

(A ∧ z ≡ tt) ∨nc (B ∧ z ≡ ff) (A n.c., B n.c.)

49 / 80


Extracted term et(M) of a proof MA with A c.r.

et(uA) := zτ(A)u (z

τ(A)u uniquely associated to uA),

et((λuAMB)A→B) :=

{λτ(A)zu et(M) if A is c.r.

et(M) if A is n.c.

et((MA→BNA)B) :=

{et(M)et(N) if A is c.r.

et(M) if A is n.c.

et((λxMA)∀xA) := et(M),

et((M∀xA(x)t)A(t)) := et(M).

Extracted terms for the axioms. Let ι := ιI .

et(I+i ) := Ci (Ci i-th constructor of ι, i < k)

et(I−) := Rτι

et(coI−) := Dι

et(coI+) := coRτι 50 / 80


Soundness theorem

Recall: an n.c. part of a proof M : A is a subproof N : B with B n.c.Such n.c. parts will not contribute to the computational content ofthe whole proof: can ignore all decorations in those parts.

An assumption variable u : C with C c.r. must be replaced by acorresponding realizability assumption u : zu r C . However, if u : Cappears in an n.c. part of the proof we can keep it (sincecomputational content is ignored in such parts), and consider thetwo assumption variables u : zu r C and u : C to be the same.

Theorem (Soundness)

Let M be a proof of a c.r. formula A from assumptions u : C (c.r.)and v : D (n.c.) Then we can find a proof sp(M) of et(M) r Afrom assumptions u : zu r C and v : D.

51 / 80


Exact real numbers can be given in different formats:

• Cauchy sequences (of rationals, with Cauchy modulus).

• Infinite sequences (“streams”) of signed digits {−1, 0, 1}, or

• {−1, 1,⊥} with at most one ⊥ ( “undefined”): Gray code.

Want formally verified algorithms on reals given as streams.

• Consider formal proofs M and apply realizability to extracttheir computational content.

• Switch between different formats of reals by relativising tocoinductive predicates. Instead of ∀x(x ∈ Realc → A) use

∀x(x ∈ Realnc → x ∈ coI → A) or

∀x(x ∈ Realnc → x ∈ coG → A).

Computational content of x ∈ coI (x ∈ coG ) is a representation of xas stream (via Gray code).

52 / 80


A real number can be represented as a Cauchy sequence (an)n ofrationals together with a Cauchy modulus M satisfying

|an − am| ≤1

2pfor n,m ≥ M(p).

A real x := ((an)n,M) is called nonnegative (written x ∈ R0+) if

− 1

2p≤ aM(p) for all p ∈ Z+.

It is p-positive (written x ∈p R+, or x ∈ R+ if p is not needed) if

1

2p≤ aM(p+1).

53 / 80


Arithmetical operations on real numbers x , y are defined by

cn L(p)

x + y an + bn max(M(p + 1),N(p + 1)

)−x −an M(p)|x | |an| M(p)x · y an · bn max

(M(p + 1 + py ),N(p + 1 + px)

)1x (|x | ∈q R+)

{1an

(an 6= 0)

0 (an = 0)M(2(q + 1) + p)

where 2px is an upper bound of x (Archimedian property).

54 / 80


Comparison of reals. Write

(x ≤ y) := (y − x ∈ R0+),

(x < y) := (y − x ∈ R+).

From the existential and universal character of < and ≤ we obtain

x ≤ y ↔ y 6< x .

Lemma (ApproxSplit)

Let x , y , z be given and assume x < y . Then z ≤ y or x ≤ z .

55 / 80


For simplicity x ∈ [−1, 1]. Dyadic rationals:∑i<k

ai2i+1

with ai ∈ {−1, 1}

0

−12

12

−34

34

−78

78

−1516

1516

1 1

1 1 1 1

1 1 1 1 1 1 1 1

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

with 1 := −1. Adjacent dyadics can differ in many digits:

7

16∼ 1111,

9

16∼ 1111.

56 / 80


Cure: flip after 1. Binary reflected (or Gray-) code.

0

−12

12

−34

34

−78

78

−1516

1516

L R

L R R L

L R R L L R R L

L R R L L R R L L R R L L R R L

7

16∼ RRRL,

9

16∼ RLRL.

57 / 80


Problem with productivity:

1111 + 1111 · · · = ? (or LRLL . . . + RRRL · · · = ?)

What is the first digit? Cure: delay.

• For binary code: add 0. Signed digit code∑i<k

di2i+1

with di ∈ {−1, 0, 1}.

Widely used for real number computation. There is a lot ofredundancy: 11 and 01 both denote −1

4 .

• For Gray-code: add U (undefined), D (delay), FinL/R (finallyleft / right). Pre-Gray code.

58 / 80


Pre-Gray code

0

12

14

34

38

58

716

916

U

D

R

R LU

FinR

UR

FinRD

FinL

RU

UL

FinR FinLD U

L

After computation in pre-Gray code, one can remove Fina by

U ◦ Fina 7→ a ◦ R, D ◦ Fina 7→ Fina ◦ L.

59 / 80


RRRLLL . . . RLRLLL . . . RUDDDD . . .

all denote 12 . Only keep the latter to denote 1

2 . Then, generally,

• U occurs in a context UDDDD . . . only, and

• U appears iff we have a dyadic rational.

Result: unique representation, called pure Gray code.

60 / 80


Average for pre-Gray code

Pre-Gray code: “cototal objects” in the (simultaneously defined)free algebras G and H given by the constructors

Lr : B→ G→ G

U : H→ G

Fin : B→ G→ H

D : H→ H

with B = {tt, ff}

61 / 80


Predicates coG and coHLet Psd := {−1, 1} and

Γ(X ,Y ) := { x | ∃x ′∈X∃a∈Psd(x = −ax′ − 1

2) ∨ ∃x ′∈Y (x =

x ′

2) },

∆(X ,Y ) := { x | ∃x ′∈X∃a∈Psd(x = ax ′ + 1

2) ∨ ∃x ′∈Y (x =

x ′

2) }

and define

(coG , coH) := ν(X ,Y )(Γ(X ,Y ),∆(X ,Y )) (greatest fixed point)

Consequences:

∀x∈coG (∃x ′∈coG∃a∈Psd(x = −ax′ − 1

2) ∨ ∃x ′∈coH(x =

x ′

2))

∀x∈coH(∃x ′∈coG∃a∈Psd(x = ax ′ + 1

2) ∨ ∃x ′∈coH(x =

x ′

2))

62 / 80


Lemma (CoGUMinus)

∀x(coG (−x)→ coGx),

∀x(coH(−x)→ coHx).

Proof by coinduction (:= Gfp-axiom), using properties of the unaryminus function.

Implicit algorithm. f : G→ G and f ′ : H→ H defined by

f (Lra(u)) = Lr−a(u), f ′(Fina(u)) = Fin−a(u),

f (U(v)) = U(f ′(v)), f ′(D(v)) = D(f ′(v)).

63 / 80


Using CoGUMinus we prove that coG and coH are equivalent.

Lemma (CoHToCoG)

∀x(x ∈ coH → x ∈ coG ),

∀x(x ∈ coG → x ∈ coH).

Implicit algorithm. g : H→ G and h : G→ H:

g(Fina(u)) = Lra(f −(u)), h(Lra(u)) = Fina(f −(u)),

g(D(v)) = U(v), h(U(v)) = D(v)

where f − := cCoGUMinus (cL denotes the function extractedfrom the proof of a lemma L). No corecursive call is involved.

64 / 80


Let Sd2 := {−2,−1, 0, 1, 2}. To prove

∀x ,y∈coG (x + y

2∈ coG )

consider9 two sets of averages, the second one with a “carry”:

P := { x + y

2| x , y ∈ coG }, Q := { x + y + i

4| x , y ∈ coG , i ∈ Sd2 }.

Suffices: Q satisfies the clause coinductively defining coG .

• By the greatest-fixed-point axiom for coG we have Q ⊆ coG .

• Since also P ⊆ Q we obtain P ⊆ coG , which is our claim.

9U. Berger & M. Seisenberger, Proofs, programs, processes, Th. Computing2012

65 / 80


Lemma (CoGAvToAvc)

∀x ,y∈coG∃i∈Sd2∃x ′,y ′∈coG (x + y

2=

x ′ + y ′ + i

4).

Proof needs CoGPsdTimes: ∀a∈Psd∀x∈coG (ax ∈ coG ). Rest easy,using CoGClause.

Implicit algorithm.Write f ∗ for cCoGPsdTimes and s for cCoHToCoG.

f (Lra(u),Lra′(u′)) = (a + a′, f ∗(−a, u), f ∗(−a′, u′)),

f (Lra(u),U(v)) = (a, f ∗(−a, u), s(v)),

f (U(v),Lra(u)) = (a, s(v), f ∗(−a, u)),

f (U(v),U(v ′)) = (0, s(v), s(v ′)).

66 / 80


Lemma (CoGAvcSatCoICl).

∀i∈Sd2∀x ,y∈coG∃j∈Sd2∃k∈Sd∃x ′,y ′∈coG (x + y + i

4=

x ′+y ′+j4 + k

2).

Proof. We can relate x+d2 and x+y+i

4 by

x+d2 + y+e

2 + i

4=

x+y+J(d+e+2i)4 + K (d + e + 2i)

2with J,K : Z→ Z such that

∀i (i = J(i) + 4K (i)) ∀i (|J(i)| ≤ 2) ∀i (|i | ≤ 6→ |K (i)| ≤ 1)

Implicit algorithm.

f (i ,Lra(u),Lra′(u′))=(J(a+a′+2i),K (a+a′+2i), f ∗(−a, u), f ∗(−a′, u′)),

f (i ,Lra(u),U(v))=(J(a + 2i),K (a + 2i), f ∗(−a, u), s(v)),

f (i ,U(v),Lra(u))=(J(a + 2i),K (a + 2i), s(v), f ∗(−a, u)),

f (i ,U(v),U(v ′))=(J(2i),K (2i), s(v), s(v ′)).

67 / 80


Lemma (CoGAvcToCoG)

∀z(∃x ,y∈coG∃i∈Sd2(z =x + y + i

4)→ z ∈ coG ),

∀z(∃x ,y∈coG∃i∈Sd2(z =x + y + i

4)→ z ∈ coH).

Proof (by coinduction) uses CoGAvcSatCoICl. Need

SdDisj : ∀d∈Sd(d = 0 ∨ d ∈ Psd).

68 / 80


Implicit algorithm.

g(i , u, u′) = let (i1, k , u1, u′1) = cCoGAvcSatCoICl(i , u, u′) in

case cSdDisj(k) of

0→ U(h(i1, u1, u′1))

a→ Lra(g(−ai1, f ∗(−a, u1), f ∗(−a, u′1))),

h(i , u, u′) = let (i1, k , u1, u′1) = cCoGAvcSatCoICl(i , u, u′) in

case cSdDisj(k) of

0→ D(h(i1, u1, u′1))

a→ Fina(g(−ai1, f ∗(−a, u1), f ∗(−a, u′1))).

69 / 80


Theorem (CoGAverage)

∀x ,y∈coG (x + y

2∈ coG ).

Implicit algorithm. Compose cCoGAvToAvc with cCoGAvcToCoG.

70 / 80


Multiplication for pre-Gray code

To prove∀x ,x ′(x , x ′ ∈ coG → x · x ′ ∈ coG ),

consider the two sets

P := { x · y | x , y ∈ coG },

Q := { x · y + z + i

4| x , y , z ∈ coG , i ∈ Sd2 }.

Suffices: Q satisfies the clause coinductively defining coG .

• By the greatest-fixed-point axiom for coG we have Q ⊆ coG .

• Since also P ⊆ Q we obtain P ⊆ coG , which is our claim.

71 / 80


Lemma (CoGMultToMultc).

∀x ,y∈coG∃i∈Sd2∃x ′,y ′,z∈coG (xy =x ′y ′ + z + i

4).

Implicit algorithm. We use s for cCoHToCoG, and au for f ∗(a, u).

g(Lra(u),Lrb(u′)) = case cCoGAverage(−abu,−abu′) of

Lrc(u′′)→ (c + ab, au, bu′,−cu′′)U(v)→ (ab, au, bu′, s(v))

g(Lra(u),U(v))) = (0,−au, s(v), as(v))

g(U(v),Lra(u)) = (0, s(v),−au, as(v))

g(U(v),U(v ′)) = (0, s(v), s(v ′), cCoGZero).

72 / 80


Lemma (JKLr).

∀i∈Sd2∀a∈Psd∀v∈coG∃j∈Sd2∃d∈Sd∃z∈coG (v +a + i

4=

z + j

4+ d).

Implicit algorithm We use s for cCoHToCoG.

g(i , a,Lrb0(Lrb(w))) = (J(−b0b+2b0+a+i),K (−b0b+2b0+a+i), b0bw)

g(i , a,Lrb0(U(w))) = (J(2b0 + a + i),K (2b0 + a + i),−b0s(w))

g(i , a,U(Lrb(w))) = (J(b + a + i),K (b + a + i), bw)

g(i , a,U(U(w))) = (J(a + i),K (a + i), s(w))

Lemma (JKU).

∀i∈Sd2∀v∈coG∃j∈Sd2∃d∈Sd∃z∈coG (v +i

4=

z + j

4+ d)

73 / 80


Lemma (CoGMultcSatCoICl).

∀y∈coG∀i∈Sd2∀x ,z∈coG∃d∈Sd∃j∈Sd2∃x ′,z ′∈coG (xy + z + i

4=

x ′y+z ′+j4 + d

2).

Implicit algorithm. We use h for cCoGAvcToCoG, w0 for cCoGZero

g(u0, i ,Lra(u),Lrb(u′)) =

let (j , d ,w) = cJKLr(i , b, h(i , au0,−bu′)) in (d , j ,−au,w)

g(u0, i ,Lra(u),U(v)) =

let (j , d ,w) = cJKU(i , h(i , au0, s(v))) in (d , j ,−au,w)

g(u0, i ,U(v),Lra(u)) =

let (j , d ,w) = cJKLr(i , a, h(i ,w0,−au)) in (d , j , s(v),w)

g(u0, i ,U(v),U(v ′)) =

let (j , d ,w) = cJKU(i , h(i ,w0, s(v ′))) in (d , j , s(v),w)

74 / 80


Lemma (CoGMultcToCoG).

∀z0(∃i∈Sd2∃x ,y ,z∈coG (z0 =xy + z + i

4)→ z0 ∈ coG ),

∀z0(∃i∈Sd2∃x ,y ,z∈coG (z0 =xy + z + i

4)→ z0 ∈ coH).

Proof (by coinduction) uses CoGMultcSatCoICl. Again need

SdDisj : ∀d∈Sd(d = 0 ∨ d ∈ Psd).

75 / 80


Implicit algorithm.

g(i , u, u′, u′′) = let (d , j , u1, u′1) = cCoGMultcSatCoICl(u′, i , u, u′′) in

case cSdDisj(d) of

0→ U(h(j , u1, u′, u′1))

a→ Lra(g(−aj , u1, f ∗(−a, u′), f ∗(−a, u′1))),

h(i , u, u′, u′′) = let (d , j , u1, u′1) = cCoGMultcSatCoICl(u′, i , u, u′′) in

case cSdDisj(d) of

0→ D(h(j , u1, u′, u′1))

a→ Fina(g(aj , u1, f∗(a, u′), f ∗(a, u′1))).

76 / 80


[iggg](CoRec sdtwo yprod ag yprod ag yprod ag=>ag

sdtwo yprod ag yprod ag yprod ag=>ah)iggg

([iggg0][let djgg (cCoGMultcSatCoICl

clft crht crht iggg0 clft iggg0

clft crht iggg0 crht crht crht iggg0)

[case (cSdDisj clft djgg)

(DummyL -> InR(InR(clft crht djgg pair

clft crht crht djgg pair

clft crht crht iggg0 pair

crht crht crht djgg)))

(Inr boole -> InL(boole pair

InR(cIntTimesSdtwoPsdToSdtwo

clft crht djgg(cPsdUMinus boole)pair

clft crht crht djgg pair

cCoGPsdTimes clft crht crht iggg0

(cPsdUMinus boole)pair

cCoGPsdTimes crht crht crht djgg

(cPsdUMinus boole))))]])

([iggg0][let djgg ...])

77 / 80


Theorem (CoGMult)

∀x ,y∈coG (xy ∈ coG ).

Implicit algorithm.Compose cCoGMultToMultc with cCoGMultcToCoG.

78 / 80


Method also works for average, multiplication and division:

x , y ∈ coG → x + y

2∈ coG ,

x , y ∈ coG → x · y ∈ coG ,

x , y ∈ coG → 1

4≤ y → x

y∈ coG ,

both w.r.t. signed digits (coI ) and Gray code (coG ).

79 / 80


Slides:

http://www.math.lmu.de/∼schwicht/slides/ljubliana19.pdf

Course notes:

http://www.math.lmu.de/∼schwicht/lectures/logic/ss19/index.php

Implementation (Minlog, in examples/analysis):

git clone http://www.math.lmu.de/∼minlogit/git/minlog.git

(Use the development branch: git checkout dev).

80 / 80

computational content of proofsschwicht/slides/ljubljana19.pdf · only. in contrast, tcf is based...

Documents