Realizability in classical logic
Jean-Louis Krivine
University Paris VII, C.N.R.S.
P.P.S. Team [email protected]
Lessons in Marseille-Luminy, may 2004 (last revision : august 12, 2005)
Introduction
The essential aim is to explore theCurry-Howard correspondence: we want to associate a program with each mathematical proof and to consider each theorem as aspecification, i.e.
to find the common behavior of the programs associated with every proof of this theorem. It is a very difficult and very interesting problem, which I call the “ specification problem ” in what follows.
In the first place, we must give theprogramming languagein which we write these programs, and also the machine which will execute them. This is done in the first section, it is the
“ program side ” of the correspondence. As we shall see, this programming frame is very similar to usualimperativeprogramming. As the theory develops, many usual and important notions of imperative and system programming will naturally appear, such as : storage and call-by-value for datas, pointers, signature of files, system clock, boot, . . .
Then we must give a computational content to each logical rule and each axiom. We do this by means ofelementary instructions. The instructions for the rules of intuitionistic proposi- tional logic have been found long time ago, at the very discovery of the Curry-Howard cor- respondence ; the programming language was Church’s lambda-calculus. Then the instruc- tions for intuitionisticsecond order logicwere obtained and the programming language was still the same.
But mathematical proofs are not done in intuitionistic logic, not even in pure classical logic.
We needaxiomsand the usual axiom systems for mathematics are :
1. Second order classical Peano arithmetic with the axiom of dependent choice ; this system is also called “ Analysis ”.
2. Zermelo-Frænkel set theory with the axiom of choice.
In this paper, we consider the first case. We shall give new elementary instructions for the lacking axioms, which are : the excluded middle, the axiom of recurrence and the axiom of dependent choice. It is necessary, for that, to define an extension of lambda-calculus. We notice that some of these instructions areincompatible withβ-reduction. Therefore the ex- ecution strategy is deterministic and is given in the form of a weak head reduction machine.
The same machine is used for Zermelo-Frænkel set theory. The instructions associated with the axioms of ZF are given in [7]. The full axiom of choice remained an open problem until recently (may 2005). The new instructions necessary for this axiom and also for the contin- uum hypothesis will be given in a forthcoming paper.
Terms, stacks, processes, execution
We denote byQPthe set ofclosedλ-terms built with some set of constants which are called instructions; one of these instructions is denoted bycc. We shall denote the application oft touby (t)uort u; the application oft tonargumentsu1,. . . ,unis denoted by (t)u1. . .unor t u1. . .un. Therefore, we havet uv=(t)uv=(t u)v with this notation.
Elements ofQPare calledproof-like terms.
LetL⊃QPbe the set ofclosedλ-terms built with a new constantkand a setΠ06= ;of new constants calledstack constants.
A closedλ-term ofL of the formkt1. . .tnπ0withn ∈N, t1, . . . ,tn∈Landπ0∈Π0is called a continuation.
Aλc-termis, by definition, a closedλ-termτ∈Lwith the following properties :
- each occurrence ofkinτappears at the beginning of a subterm ofτwhich is a continua- tion ;
- each occurrence of a stack constant inτappears at the end of a subterm ofτwhich is a continuation.
Remark.
Proof-like terms are thereforeλc-terms which do not contain the symbolkor, which amounts to the same thing, which do not contain any stack constant.
The set ofλc-terms is denoted byΛc. In what follows, we almost always consider onlyλc- terms ; so, they will be called simply “ terms ” or “ closed terms ”.
Lemma 1. i)QP⊂Λc ;
ii) If t u∈Λcand u∉Π0, then t∈Λcand u∈Λc ; iii) If t u∈Λc and u∈Π0, then t u is a continuation ; iv) Ifλx t,u∈Λc, then t[u/x]∈Λc ;
v) If t1, . . . ,tn∈Λc (n∈N) andπ0∈Π0, then(kt1. . .tn)π0∈Λc. i) Trivial.
ii) Consider an occurrence of k (resp. of a stack constantπ0) in t or u ; it is therefore in t u. Sincet u∈Λc, this occurrence is at the beginning (resp. at the end) of a continuation kt1. . .tnπ0=(kt1. . .tn)π0which is a subterm oft u. Nowu6=π0, so that this subterm is nott u itself ; thus,kt1. . .tnπ0is a subterm oftoru.
iii) We haveu=π0∈Π0and this occurrence ofπ0is at the end of a subterm oftπ0which is a continuation (kt1. . .tn)π0. Therefore, this subterm istπ0itself.
iv) Consider an occurrence ofk(resp.π0) int[u/x] ; thus, it is inλx t oru. Butλx t,u∈Λc, so that this occurrence is at the beginning (resp. at the end) of a continuationkt1. . .tnπ0which is a subterm ofλx t oru. If this continuation is a subterm ofu, it is also a subterm oft[u/x].
If it is a subterm ofλx t, then this occurrence ofk (resp. π0) int[u/x] is at the beginning
(resp. at the end) of the subtermkt1[u/x] . . .tn[u/x]π0, which is a continuation.
v) Trivial.
C.Q.F.D.
Ift1, . . . ,tn∈Λc (n ∈N) andπ0∈Π0, the sequence π=(t1, . . . ,tn,π0) is called astackand is denoted byt1.t2. . .tn.π0 ; the set of stacks is denoted byΠ. The continuationkt1. . .tnπ0is denoted bykπ. Ift∈Λc andπ=t1.t2. . .tn.π0∈Π, then the stackt.t1.t2. . .tn.π0is denoted by t.π. Thus, the dot is an application ofΛc×ΠinΠ.
Every termτ∈Λc is either an application, or an abstraction, or a constantwhich is an in- struction(indeed, this term can be neitherk, nor a stack constant, by definition ofλc-terms).
From lemma 1, it follows that, for everyτ∈Λc, we are in one and only one of the following cases :
i)τis an applicationt uwithu∉Π0(and thereforet,u∈Λc) ; ii)τis an abstractionλx t ;
iii)τis an instruction (particular case :τ=cc) ;
iv)τis an applicationt uwithu∈Π0, i.e.τ=kπfor some stackπ.
Aprocessis an ordered pair (τ,π) withτ∈Λc,π∈Π. It is denoted byτ?π;τis called thehead or theactive partof the process. The set of all processes will be denoted byΛc? Π.
We describe now the execution of processes, which is denoted byÂ. We give the rule to performone execution stepof the processτ?π. It depends on the form (i), . . . , (iv) ofτgiven above. In the four rules that follow,t,u,λx vdenote elements ofΛc ;π,ρdenote stacks.
i)t u?πÂt?u.π(push) ;
ii)λx v?u.πÂv[u/x]?π(pop) ; iii)cc?t.πÂt?kπ.π(store the stack) ; iv)kπ?t.ρÂt?π(restore the stack).
Rules for other instructions will be given in due time.
We say that the processt?πreduces into t0?π0(notationt?πÂt0?π0) if we gett0?π0from t?πby means of a finite (possibly null) number of execution steps.
Remark. By lemma 1, we can check that the four execution rules give processes when applied to processes.
Truth values and types
Consider an arbitrary set of processes, which is denoted by⊥⊥and which we suppose cc- saturated; it means that :
t?π∈ ⊥⊥,t0?π0Ât?π⇒t0?π0∈ ⊥⊥.
P(Π) is called theset of truth values. IfU⊂Πis a truth value andt∈Λc, we say thatt realizes U (notationt||−U) if (∀π∈U)t?π∈ ⊥⊥. The set {t∈Λc;t||−U} will be denoted by|U|. Thus, we have|S
i∈IUi| =T
i∈I|Ui|.
The truth value;(resp. Π) is calledtrue(resp. false) and denoted by>(resp. ⊥). Thus, we have|>| =Λc ;t∈ |⊥| ⇔t?π∈ ⊥⊥for every stackπ∈Π.
WheneverU,V are truth values, we define the truth value : (U→V)={t.π;t||−U,π∈V} ; we put¬U=(U→ ⊥).
We shall sometimes use the following notation, whenV is a truth value andA⊂Λc :
(A→V)={t.π;t∈A,π∈V}.
For example, {t}→V is the truth value {t.π;π∈V} ift∈Λc andV ⊂Π.
With this notation,U→V is the same as|U| →V, forU,V ⊂Π.
Remarks.If⊥⊥ = ;, then either|U| = |>| =Λcor|U| = |⊥| = ;for every truth valueU.
|⊥| = ;is equivalent to ⊥⊥ = ;. Indeed, the implication ⇐ is obvious. Conversely, if⊥⊥ 6= ;, let t?π∈ ⊥⊥; thenkπt?ρÂt?π∈ ⊥⊥for every stackρ, and thereforekπt∈ |⊥|.
Typesare usual formulas of second order logic, written in the following language : the only logical symbols are→and∀; we have function symbols of aritykwhich are functions from NkintoNand predicate symbols of aritykwhich are applications fromNkintoP(Π) (kis any integer≥0). First order variables (also calledindividual variables) are denoted byx,y, . . . ; second order variables (also calledpredicatevariables) are denoted byX,Y, . . . Each second order variable has an arity which is an integer. Predicate variables of arity 0 are also called propositional variables.
Notations.
The formulaF0→(F1→. . .→(Fn→G) . . .) is denoted byF0,F1, . . . ,Fn→G.
⊥is defined as∀X X ;¬F asF→ ⊥; F∨Gas∀X[(F →X), (G→X)→X] ; F∧Gas∀X[(F,G→X)→X] ;
∃Y F[Y] as∀X{∀Y(F[Y]→X)→X} ;∃y F[y] as∀X{∀y(F[y]→X)→X} ; We use the notation∃Y{F1[Y], . . . ,Fk[Y]} for the formula :
∀X{∀Y(F1[Y], . . . ,Fk[Y]→X)→X} ;
we have the same notation for the first order existential quantifier.
(In all these formulas,X is a propositional variable andY has an arbitrary arity).
x=yis defined as∀X(X x→X y) (whereX has arity 1).
Letx1, . . . ,xk be individual variables,X a predicate variable of arityk, AandF arbitrary for- mulas. Then, we defineA[F/X x1. . .xk] by induction on (the length of )A:
IfX is not free inA, thenA[F/X x1. . .xk] isA.
IfAisX(t1, . . . ,tk), then A[F/X x1. . .xk] isF[t1/x1, . . . ,tk/xk].
(A→B)[F/X x1. . .xk] isA[F/X x1. . .xk]→B[F/X x1. . .xk].
(∀y A)[F/X x1. . .xk] is∀y A[F/X x1. . .xk].
(∀Y A)[F/X x1. . .xk] is∀Y A[F/X x1. . .xk] ifY is a predicate variable which is6=X (as usual, we assume thatyandY are not free inF).
WhenF is an atomic formula of the formR(x1, . . . ,xk), whereRis either a second order vari- able of arityk, or a parameter (R∈P(Π)Nk), we write alsoA[R/X] instead ofA[F/X x1. . .xk].
We now give the deduction rules for classical second order logic and, at the same time, the typing rules forλcc-terms, which are the usualλ-terms (possibly not closed) written with the constantcc; in such an expresssion as “t: A”,t is aλcc-term and Ais a type, i.e. a second order formula.
LetΓbe acontext, i.e. an expression of the formx1:A1, . . . ,xn:An. 1.Γ`xi:Ai (1≤i ≤n)
2.Γ`t:A→B, Γ`u:A ⇒ Γ`t u:B. 3.Γ,x:A`t:B ⇒ Γ`λx t:A→B. 4.Γ`t: (A→B)→A ⇒ Γ`cct:A.
5.Γ`t:A ⇒ Γ`t:∀x A(resp.∀X A) ifx(resp. X) is not free inΓ.
6.Γ`t:∀x A⇒Γ`t:A[τ/x] for every termτofL. 7.Γ`t:∀X A⇒Γ`t:A[F/X x1. . .xk] for every formulaF. Rule 4 uses the interpretation of Griffin [2] for the law of Peirce.
Rule 7 uses Takeuti’s interpretation for the comprehension scheme.
LetA be a closed second order formula with first order parameters inN and second order parameters of aritykinP(Π)Nk for each integerk. We define below its truth value, which is denoted bykAk. We denote by|A|the set of terms inΛc which realize A, i.e. |A| ={t∈Λc; (∀π∈ kAk)t?π∈ ⊥⊥}. We writet||−A(read “t realizesA”) ift∈ |A|.
The definition ofkAkis given by induction onA:
IfAis atomic, i.e. A≡R(t1, . . . ,tk), thent1, . . . ,tkare closed terms andR∈P(Π)Nk is a second order parameter. Letai∈Nbe the value ofti ; then, we put :
kR(t1, . . . ,tk)k =R(a1, . . . ,ak)⊂Π.
The other steps of induction are as follows : kA→Bk ={t.π;t∈ |A|,π∈ kBk} ; k∀x Ak = [
a∈NkA[a/x]k; (and therefore|∀x A| = \
a∈N|A[a/x]|) ; k∀X Ak =[
{kA[R/X]k;R∈P(Π)Nk} ifX is a predicate variable of arityk (and therefore|∀X A| =\
{|A[R/X]|;R∈P(Π)Nk}).
We getk⊥k =Πand|⊥|is the least truth value. There is a greatest truth value, denoted by>, which is;; thus,|>| =Λc.
Lemma 2. i) t||−A→B , u||−A⇒t u||−B .
ii) If(∀u∈Λc)(u||−A→t u||−B)thenλx t x||−A→B .
i) Ifπ∈ kBk, thent u?πÂt?u.π. Nowu.π∈ kA→Bkandt||−A→B, thust?u.π∈ ⊥⊥.
ii) Letu||−Aandπ∈ kBk. We haveλx t x?u.πÂt u?π∈ ⊥⊥.
C.Q.F.D.
The following theorem shows that realizability is compatible with deduction in classical sec- ond order logic. It is an essential tool in this theory.
Theorem 3(Adequation lemma). Let A1, . . . ,Ak,A be closed formulas such that x1:A1, . . . ,xk:Ak`t:A is provable with the rules above.
If ti ||−Ai for1≤i≤k, then t[t1/x1, . . . ,tk/xk]||−A.
In particular, ifAis a closed formula and `t:Ais provable, thent||−A.
The following lemma is a stronger, but more complicated, form of this theorem ; it is suitable for a proof by induction.
Lemma 4.
Let A1, . . . ,Ak,A be formulas, free variables of which are amongst y1, . . . ,ym,Y1, . . . ,Yn. Let bi∈ N (1≤i ≤m)and Pj ∈P(Π)Nk j (1≤ j ≤n), where kj is the arity of Yj. Suppose that x1: A1, . . . ,xk:Ak`t:A is provable with the above rules.
If ti ||−Ai[b1/y1, . . . ,bm/ym,P1/Y1, . . . ,Pn/Yn]for1≤i≤k, then t[t1/x1, . . . ,tk/xk]||−A[b1/y1, . . . ,bm/ym,P1/Y1, . . . ,Pn/Yn].
We make an induction on the length of the proof of Γ`t:A
whereΓis the context x1: A1, . . . ,xk :Ak. We shall use the notationt0for t[t1/x1, . . . ,tk/xk] andA0forA[b1/y1, . . . ,bm/ym,P1/Y1, . . . ,Pn/Yn]. Consider the rule used in the last step of the proof :
If it is rule 1 the result is trivial ;
If it is rule 2, we have t =uv andΓ`u : A →B, v : A. We must show that t0∈ |B0|, that isu0v0?π∈ ⊥⊥for every stackπ∈ kB0k. Butu0v0?πÂu0?v0.π, hence the result since, by induction hypothesis, we haveu0∈ |A0→B0|,v0∈ |A0|and thusv0.π∈ kA0→B0k.
If it is rule 3, we havet=λx u, A=(B→C) andΓ, x:B `u:C. We must show thatλx u0∈
|B0→C0|, that isλx u0?π∈ ⊥⊥for everyπ∈ kB0→C0k. Now, we haveπ=v.$withv∈ |B0|and
$∈ kC0k. By induction hypothesis, we haveu0[v/x]||−C0and thereforeu0[v/x]?$∈ ⊥⊥. Thus λx u0?v.$∈ ⊥⊥, because⊥⊥iscc-saturated.
If it is rule 4, we havet=ccu andΓ`u: (A→B)→ A. We must show thatt0∈ |A0|, that is ccu0?π∈ ⊥⊥for everyπ∈ kA0k. Since⊥⊥iscc-saturated, it is sufficient to show thatu0?kπ.π∈
⊥⊥. We first show thatkπ∈ |A0→B0|: indeed, ifv∈ |A0|andρ∈ kB0k, thenkπ?v.ρÂv?π∈ ⊥⊥. Now, by induction hypothesis, we know thatu0∈ |(A0→B0)→A0|, hence the result.
If it is rule 5 for a first orderx, we have A= ∀x BandΓ`t:B. By induction hypothesis, we gett0∈ |B0[a/x]|for eacha∈N. Thust0∈T
a∈N|B0[a/x]| = |∀x B0| = |A0|.
If it is rule 5 for a second order variable X of arityk, we have A = ∀X B andΓ`t :B. By induction hypothesis, we havet0∈ |B0[R/X]|for everyR∈P(Π)Nk.
Thust0∈ |∀X B0| = |A0|.
If it is rule 6, we have A =B[τ/x] and Γ`t : ∀x B. By induction hypothesis, we get t0∈
|∀x B0|. But, ifa∈Nis the value ofτ, we have|B0[τ/x]| = |B0[a/x]| ⊃ |∀x B0|and therefore t∈ |B0[τ/x]| = |A0|.
If it is rule 7, we haveA=B[Φ(z1, . . . ,zp)/X z1. . .zp] and therefore :
A0=B0[Φ0(z1, . . . ,zp)/X z1. . .zp]. We haveΓ`t :∀X B and we must show thatt0∈ |A0|. By induction hypothesis, we know thatt0∈ |∀X B0|and the result follows from lemma 5.
C.Q.F.D.
Lemma 5. LetΦ(resp. A) be a formula with parameters, with the only free variables z1, . . . ,zp (resp. X of arity p). Define R∈P(Π)Np by :
R(a1, . . . ,ap)= kΦ[a1/z1, . . . ,ap/zp]kfor a1, . . . ,ap∈N. ThenkA[Φ/X z1. . .zp]k = kA[R/X]kand therefore :
kA[Φ/X z1. . .zp]k ⊂ k∀X Akand|∀X A| ⊂ |A[Φ/X z1. . .zp]|.
We showkA[Φ/X z1. . .zp]k = kA[R/X]kby induction on the length ofA.
The result is trivial ifX is not free inA, ifAis atomic, or ifA=(B→C).
IfA= ∀x B, thenkA[Φ/X z1. . .zp]k =S
a∈NkB[Φ/X z1. . .zp][a/x]k
=S
a∈NkB[a/x][Φ/X z1. . .zp]k =S
a∈NkB[a/x][R/X]kby induction hypothesis
=S
a∈NkB[R/X][a/x]k = k∀x B[R/X]k = kA[R/X]k. IfA= ∀Y B, withY of arityq andY 6=X, then : kA[Φ/X z1. . .zp]k =S
{kB[Φ/X z1. . .zp][S/Y]k;S∈P(Π)Nq}
=S
{kB[S/Y][Φ/X z1. . .zp]k;S∈P(Π)Nq}
=S
{kB[S/Y][R/X]k;S∈P(Π)Nq} by induction hypothesis
=S
{kB[R/X][S/Y]k;S∈P(Π)Nq}= k∀Y B[R/X]k = kA[R/X]k.
C.Q.F.D.
Remark.The terms we obtain by means of proofs in classical second order logic areλcc-terms, that isλ-terms with the constantcc, not necessarily closed. On the other hand, the terms which appear in processes are inΛc(i.e. closed terms with instructions and continuations). The common elements are proof-like terms with the only instructioncc(hence the name “ proof-like ”).
Theorem 6. For U,V ∈P(Π), we put U≤V ⇔(∃θ∈QP)θ||−U→V .
Suppose that ⊥⊥ is coherent, which means that (∀θ ∈QP)θ6||− ⊥. Then ≤is a preorder (i.e.
reflexive and transitive) and(P(Π),≤)is a Boolean algebra.
Proof that≤is a preorder : ifU≤V andV ≤W, then there areξ,η∈QPsuch thatξ||−U→V, η||−V →W. Thereforeη◦ξ||−U→W, henceU≤W.
Proof that (P(Π),≤) is a Boolean algebra : we haveU∧V ≤U andU∧V ≤V (the proofs of U∧V →U andU∧V →V give the requested terms). Moreover, ifZ ≤U,V, thenξ||−Z →U, η||−Z →V thusλzλf((f)(ξ)z)(η)z||−Z →U∧V. Therefore we haveZ ≤U∧V andU∧V = inf(U,V). In the same way, we getU∨V =sup(U,V).
We haveI ||− ⊥ →UandI ||−U → >. Therefore⊥is the least element and>is the greatest.
We have¬U∧U≤ ⊥and> ≤ ¬U∨U since¬U∧U→ ⊥and> → ¬U∨Uare provable. Thus
¬U is the complement ofU.
It remains to show that> 6≤ ⊥. This clearly follows from the hypothesis that⊥⊥is coherent.
C.Q.F.D.
As soon as we choose a coherent set⊥⊥, each closed formula with parameters is given a value in this Boolean algebra. The setT⊥⊥of formulas with value 1, i.e. formulas which are realized by a proof-like term, is a consistent theory which contains second order logic. We are inter- ested in the models of this theory ; we call themgeneric models.
The case when⊥⊥ = ; is trivial : the Boolean algebra is {0, 1} and we get back the standard model we started with.
We say that a closed formulaF, with parameters, isrealizedif there exists a proof-like termθ such thatθ||−F for any choice of thecc-saturated set⊥⊥.
All axioms of second order logic are realized. Thus, generic models satisfy second order logic.
The tools we have built up to now are sufficient in order to solve the specification problem for some very simple valid formulas.
Theorem 7. If `θ:∀X(X →X), thenθ?t.πÂt?πfor every t∈Λc andπ∈Π.
Giventandπ, we put⊥⊥ ={p∈Λc?Π;pÂt?π} andkXk ={π}. Thus, we havet||−X. But, by theorem 3, we haveθ||−X →X, henceθ?t.π∈ ⊥⊥. It is exactly what we wanted to show.
C.Q.F.D.
We denote byBool(x) the formula∀X(X1,X0→X x), which is equivalent tox=0∨x=1 in classical second order logic.
Theorem 8. If `θ:Bool(1)(resp. Bool(0)), thenθ?t.u.πÂt?π(resp. u?π) for every t,u∈Λc
andπ∈Π.
Givent andπ, we put ⊥⊥ ={p ∈Λc? Π; pÂt?π} and we define a unary parameter X by puttingkX1k ={π},kX nk = ;forn6=1. Thus, we havet||−X1 andu||−X0.
If `θ:Bool(1), by theorem 3, we haveθ||−X1,X0→X1, henceθ?t.u.π∈ ⊥⊥, which is the result.
C.Q.F.D.
Remark.The meaning of these theorems is that the terms of type∀X(X→X) (resp.Bool(1),Bool(0)) behave essentially likeI=λx x(resp.λxλy x,λxλy y).
Axiom of recurrence and call by value
We should now realize the axiom of recurrence, which is : ∀x I nt(x) where I nt(x) is the formula∀X[∀y(X y→X s y),X0→X x] that says that the individualxis an integer. Unfortu- nately, this axiom is not realized. This means that, in a generic model, there may be individ- uals which are not integers. Moreover, we shall see later that, in general, there may be also non standard integers in generic models.
In order to solve this problem, we introduce now some simple tools, which will appear es- sential in what follows.
We define a binary predicate constant, denoted by6=, by puttingkm6=nk = ;ifm6=nand km6=nk =Πifm=n. The following theorem shows that we can profitably use the formula x6=yinstead ofx=y→ ⊥.
Theorem 9. The formula∀x∀y[x6=y↔(x=y→ ⊥)]is realized. Indeed :
λx x I||− ∀x∀y[(x=y→ ⊥)→x6=y]andλxλy y x||− ∀x∀y[x6=y→(x=y→ ⊥)].
We first check that|m=n| = |∀X(X → X)|ifm =n and|m=n| = |> → ⊥|ifm 6=n. It is immediate, sincem=nis the formula∀X(X m→X n).
We have to show thatλx x I ||−(m=n → ⊥)→m 6=n andλxλy y x||−m6=n,m=n→ ⊥for everym,n∈N. In the first case, we only need to check that :
λx x I||−(m=m→ ⊥)→ ⊥, which is obvious sinceI||−m=m.
In the second case, we must check that :
λxλy y x||− >,m=n→ ⊥ifm6=nandλxλy y x||− ⊥,m=n→ ⊥ifm=n which is immediate, using the above computation of|m=n|.
C.Q.F.D.
Theorem 10. Suppose thatθ?kπ.ρ∈ ⊥⊥for any stackπ∈ kXkandρ∈ kYk. Then : Vθ||− ¬X →Y with V =λxλy(cc)λh(y)(cc)λk(h)(x)k.
Let t||− ¬X and ρ ∈ kYk. We must show thatVθ?t.ρ ∈ ⊥⊥ ; but Vθ?t.ρ ÂV ?θ.t.ρ  (cc)λh(t)(cc)λk(h)(θ)k?ρÂt?(cc)λk(kρ)(θ)k.ρ. Sincet||−X → ⊥, it is therefore sufficient to prove that (cc)λk(kρ)(θ)k||−X, in other words (cc)λk(kρ)(θ)k?π∈ ⊥⊥for everyπ∈ kXk.
This is true because this process reduces intoθ?kπ.ρ.
C.Q.F.D.
Remark.With the notation introduced page 3, the hypothesis of theorem 10 is :
θ||−{kπ;π∈ kXk}→Y. Theorem 10 says that the set|¬X|behaves, in some sense, like its subset {kπ; π∈ kXk} ; and it gives a simple way to check thatX∨Y is realized.
Theorem 11(Storage of integers). We put T =λfλn(nλg g◦s)f0, where s is aλ-term for the successor (for instance s=λnλfλx(f)(n)f x).
Ifφ∈Λc is such thatφ?sn0.π∈ ⊥⊥for everyπ∈ kXk, then Tφ||−I nt[sn0]→X . Remarks.
1. With the notation introduced page 3, the hypothesis of theorem 11 is :φ||−{sn0}→X. Theorem 11 says that the set|I nt[sn0]|behaves, in some sense, like its subset {sn0}.
2. T is called astorage operator[6]. We understand intuitively its behavior by comparing the weak head reductions ofφνandTφν, whereφandνareλ-terms,ν'βλfλx(f)nx(Church integer). We getTφνÂ(φ)(s)n0, which means that the integer argumentνofφis computed first. In other words, T simulate call by value in a weak head reduction, that is a call by name execution.
Note that we use the same symbolsfor aλ-term and a function symbol ofL. Proof. Letν||−I nt[sn0] andπ∈ kXk; we must show thatTφ?ν.π∈ ⊥⊥.
We define a unary predicateP by putting :
kP(j)k ={sn−j0.π} for 0≤j≤nandkP(j)k = ;for j>n.
We haveφ||−P0 by hypothesis onφ.
Let us show thatλg g◦s||− ∀x(P x →P sx), which means thatλg g◦s ∈ |P(j)→P(j+1)|for every j∈N. It is trivial forj ≥n.
Ifj <n, letξ∈ |P(j)|; we must show thatλg g◦s?ξ.sn−j−10.π∈ ⊥⊥. But we have : λg g◦s?ξ.sn−j−10.πÂξ◦s?sn−j−10.πÂξ?sn−j0.π∈ ⊥⊥by hypothesis onξ.
Now, we haveTφ?ν.πÂν?λg g◦s.φ.0.πwhich is in⊥⊥because : ν||−∀x(P x→P sx),P0→P sn0 by hypothesis,φ||−P0 and 0.π∈ kP sn0k.
C.Q.F.D.
We are interested in the theory calledAnalysis orSecond order Peano arithmetic, which is classical second order logic with the following supplementary axioms :
1. A set ofequationalformulas, i.e. formulas of the form :
∀x1. . .∀xk[t(x1, . . . ,xk)=u(x1, . . . ,xk)], wheret,uare terms which represent functions from Nk intoN. Of course, all these formulas are supposed to be true inN. For instance, we can take the following equational formulas, where 0,s,p,+, . are function symbols that represent respectively the integer 0, the successor function, the predecessor, the addition and multi- plication on integers :
p0=0 ;∀x(p sx=x) ;∀x(x+0=x) ;∀x[x+s y=s(x+y)] ;
∀x(x.0=0) ;∀x∀y[x.s y=x.y+x].
2.∀x(06=sx).
3. The recurrence axiom∀x I nt(x).
4. The axiom of dependent choice.
All equational axioms 1 are realized byI=λx x. Axiom 2 is realized by any proof-like term.
But there is a problem with axiom 3, as is shown by the following theorem :
Theorem 12. There is no proof-like term and even no instruction which realizes∀x I nt(x).
Letξbe such an instruction ; thus, we haveξ||−I nt(0) andξ||−I nt(1) for every choice of the set⊥⊥. Letδ=λx xx,α0=δδ0,α1=δδ1 ; letπbe some stack.
We first take ⊥⊥ ={p ∈Λc? Π; pÂα0?π} (recall thatΛc? Π is the set of processes). We define a unary predicateX by puttingkX0k ={π},kX(i+1)k = ;for everyi ∈N. Thus, we
haveα0||−X0 and t||−∀y(X y → X s y) for every t ∈Λc. Butξ||−I nt(0), thus ξ||−∀y(X y → X s y),X0→X0. It follows thatξ?λxα1.α0.π∈ ⊥⊥. In other words,ξ?λxα1.α0.πÂα0?π.
We now take⊥⊥ ={p∈Λc? Π;pÂα1?π} and we define the unary predicate X by putting kX0k = ;, kX(i+1)k ={π} for everyi ∈N. Therefore, we havet ||−X0 for everyt ∈Λc and λxα1||− ∀y(X y→ X s y). Butξ||−I nt(1), thusξ||− ∀y(X y →X s y),X0→ X1. It follows that ξ?λxα1.α0.π∈ ⊥⊥. In other words,ξ?λxα1.α0.πÂα1?π. This is obviously a contradiction with the preceding result, because no process can reduce both toα0?πandα1?π.
C.Q.F.D.
A solution for axiom 3 (we shall give another method later) is simply to remove it by means of the following well known property :
Every proof of a formulaΘ in second order classical logic, using axioms 1, 2 and 3, can be converted into a proof ofΘI nt using axioms 1, 2 and the following axioms :
3’.∀x1. . .∀xk{I nt[x1], . . . ,I nt[xk]→I nt[f(x1, . . . ,xk)]}for each function symbol f ofL. ΘI nt is the formula that we obtain by restricting toI ntall first order quantifiers inΘ. It is inductively defined as follows :
IfAis atomic, then AI nt ≡A; (A→B)I nt ≡AI nt→BI nt ; (∀X A)I nt ≡ ∀X AI nt ; (∀x A)I nt ≡ ∀x(I nt[x]→AI nt).
It remains to find for which functions fromNk intoNthe formulas 3’ are realised. The solu- tion is given by the following theorem :
Theorem 13. Let f be a function symbol of arity k, which represents a (total) recursive func- tion. Then the formula∀x1. . .∀xk{I nt[x1], . . . ,I nt[xk]→I nt[f(x1, . . . ,xk)]}is realised.
We first need a result about usualλ-calculus.
Notations.
Λis the set of usualλ-terms.
Ift,u∈Λ, thent'βt0means thattisβ-equivalent tot0;
t Ât0means thatt reduce to t0 byweak head reduction: a step of weak head reduction is (λx u)v v1. . .vnÂ(u[v/x])v1. . .vn.
The following lemma explains why we use the same symbolÂfor weak head reduction of usualλ-terms and for the execution des processes.
Lemma 14.
Letξ,η,t1, . . . ,tk∈Λbe usual closedλ-terms and letπ∈Π. Ifηis not an application (in other words,ηis aλ-constant orη=λxη0) and ifξÂ(η)t1. . .tk, then
ξ?πÂη?t1. . . . .tk.π.
The proof is by induction on the length of the weak head reductionξÂ(η)t1. . .tk. The first step isξ=(λy u)v v1. . .vnÂ(u[v/y])v1. . .vnand, by induction hypothesis :
(u[v/y])v1. . .vn?πÂη?t1. . . . .tk.π. Now, during the firstn−1 reduction steps of the left hand side, the head of the process is an application ; sinceηis not, we did not reach yet the right hand process after these steps. Thus, we have :
(u[v/y])?v1. . .vn.πÂη?t1. . . . .tk.π. It follows that :
ξ?π=(λy u)v v1. . .vn?πÂ(u[v/y])?v1. . .vn.πÂη?t1. . . . .tk.π.
C.Q.F.D.
Notations.
Fort,u∈Λc, we define :
(t)nupourn∈Nby : (t)0u=u, (t)n+1u=(t)(t)nu.
t◦ubyλx(t)(u)x, wherexdoes appear int,u.
Lemma 15. Let f,a beλ-constants andξ∈Λsuch thatξ'β(f)na.
Suppose thatφ||− ∀y(X y→X s y)andα||−X0. Thenξ[φ/f,α/a]||−X sn0.
Proof by induction on n. If n =0, then ξ 'β a and therefore ξ  a. If π ∈ kX0k, then ξ?πÂa?π, by lemma 14. Thusξ[φ/f,α/a]?πÂα?π∈ ⊥⊥.
Ifn>0, thenξÂ(f)ηwithη'β(f)n−1a. Letπ∈ kX sn0k; thenξ?πÂf ?η.π, by lemma 14 and thereforeξ[φ/f,α/a]?πÂφ?η[φ/f,α/a].π. Now,φ∈ |X sn−10→X sn0|and, by induc- tion hypothesis,η[φ/f,α/a]∈ |X sn−10|. Thusφ?η[φ/f,α/a].π∈ ⊥⊥.
C.Q.F.D.
Theorem 16. Let n∈Nandν∈Λsuch thatν'βλfλx(f)nx. Thenν||−I nt[sn0].
Letφ||−∀y(X y →X s y), α||−X0 andπ∈ kX sn0k; we must show thatν?φ.α.π∈ ⊥⊥. Since ν'βλfλx(f)nx, we haveνÂλf η,ηÂλaξandξ'β(f)na. By lemma 14, we haveν?φ.α.π λf η?φ.α.πÂη[φ/f]?α.π. Again by lemma 14, we have :
η?α.πÂλaξ?α.πÂξ[α/a]?πand thusη[φ/f]?α.πÂξ[φ/f,α/a]?π. Finally, we have ν?φ.α.πÂξ[φ/f,α/a]?π. But, by lemma 15, we haveξ[φ/f,α/a]||−X sn0 and therefore ν?φ.α.πÂξ[φ/f,α/a]?π∈ ⊥⊥.
C.Q.F.D.
We can now prove theorem 13. For simplicity, we suppose k =1 ; thus, we have a recur- sive function f :N →N. Letφ ∈Λbe aλ-term which represents f : for each n ∈N, we have φsn0'β λfλx(f)px with p = f(n). By theorem 16, we have φsn0||−I nt[sp0]. Let π∈ kI nt[sp0]k; we haveφsn0?π∈ ⊥⊥and thereforeφ0?sn0.π∈ ⊥⊥, withφ0=λxφx. Since this holds for eachπ∈ kI nt[sp0]k, theorem 11 shows thatTφ0||−I nt[sn0]→I nt[sp0]. Since this is true for everyn∈N, withp=f(n), it follows thatTφ0||− ∀x(I nt[x]→I nt[f(x)]).
C.Q.F.D.
Arithmetical formulas
We can now consider the specification problem for arithmetical theorems. We begin by two simple forms : ∀x∃y[f(x,y)=0] and∃x∀y[f(x,y)=0] where f is a recursive function. We suppose that these formulas are proved in classical second order arithmetic, using equa- tional axioms written with total recursive function symbols (so that theorem 13 applies). In order to remove the recurrence axiom, we write these theorems in this form :
∀x[I nt(x)→ ∃y{I nt(y),f(x,y)=0}] and∃x{I nt(x),∀y[I nt(y)→ f(x,y)=0]}.
Theorem 17. If `θ:∀x[I nt(x),∀y{I nt(y)→ f(x,y)6=0}→ ⊥], then for every n∈N,κ∈Λc
andπ∈Π, we haveθ?n.Tκ.πÂκ?sp0.π0with f(n,p)=0(T is defined in theorem 11).
Remark. If we take forκ a “ stop ” instruction, we see that the programθ can compute, for each integern, an integerp such that f(n,p)=0. A “ stop ” instruction has no reduction rule when it comes in head position ; therefore, execution stops at this moment.
Of course, the theorem remains true if we use other axioms in the proof of the formula∀x∃y[f(x,y)= 0], provided that these axioms are realized by suitable instructions. For instance, as we shall see later, we can use the axiom of dependent choice for this proof ; then, the programθwill contain aclock instructionħthe reduction rule of which is :
ħ?t.πÂt?n.π, wherenis an integer which is the current time.
Proof. We choosen∈Nand we put⊥⊥ ={p∈Λc?Π;pÂκ?sp0.ρwithρ∈Πandf(n,p)=0}.
By theorem 3 (adequation lemma), we have : (∗) θ||−I nt(n),∀y{I nt(y)→f(n,y)6=0}→ ⊥.
We haven||−I nt(n) by theorem 16. We show thatTκ||− ∀y{I nt(y)→ f(n,y)6=0}, in other words thatTκ||−I nt(p)→ f(n,p)6=0 for every integer p. By theorem 11, it is sufficient to prove thatκ?sp0.ρ∈ ⊥⊥for everyρ∈ kf(n,p)6=0k. It is trivial if f(n,p)6=0 sincekf(n,p)6=
0k = ;. If f(n,p)=0, it is again true by definition of⊥⊥.
It follows from (∗) thatθ?Tκ.π∈ ⊥⊥for everyπ∈Π, which is the desired result.
C.Q.F.D.
We consider now an arithmetical theoremΦof the form :
∃x{I nt(x),∀y[I nt(y)→f(x,y)=0]}.
We define a game between two players called∃and∀:∃plays an integerm,∀answers by an integern; the play stops as soon asf(m,n)=0 and then∃won ; therefore∀wins if and only if the play does not stop.
Intuitively, ∃ is the “ defender ” of the theorem and∀“ attacks ” this theorem, searching to exhibit a counter-example. It is clear that∃has a winning strategy if and only ifN|= Φ; moreover, in this case, there is an obvious strategy for∃: simply play successively 0, 1, 2, . . . We shall show (theorem 18) that the program associated with a proof ofΦbehaves exactly as a winning strategy for∃ in this game. For this, we need to add an instructionκ to our programming language, in order to allow an interactive execution. The execution rule ofκis the following :
κ?sn0.ξ.πÂξ?sp0.κnp.π0
forn,p∈N,ξ∈Λc,π,π0∈Π;s is a fixedλ-term for the successor in Church integers ;κnpis a double sequence of “ stop ” instructions.
Observe thatthis execution rule is non deterministic, since the integerpand the stackπ0are arbitrary. The intuitive meaning of this rule is as follows : in the left hand side, the program, which is also the player∃, plays the integern; in the right hand side, the attacker∀answers by playing p and the execution goes on ; κnp keeps the trace of the ordered pair (n,p) of integers.
Theorem 18. If `θ: [∃x∀y(f(x,y)=0)]I nt, thenevery reductionofθ?Tκ.πends up into κnp?π0with f(n,p)=0. T is the storage operator defined in theorem 11.
We take for ⊥⊥ the set of processes every reduction of which ends up into κnp?π0 with f(n,p)=0 andπ0∈Π. We must show thatθ?Tκ.π∈ ⊥⊥for everyπ∈Π.
By theorem 3, we haveθ||− ∀x[I nt(x),∀y(I nt(y)→f(x,y)=0)→ ⊥]→ ⊥.
Therefore, by definition of ||−, it is sufficient to show that : Tκ||− ∀x[I nt(x),∀y(I nt(y)→ f(x,y)=0)→ ⊥].
Letn∈N; we must show thatTκ||−I nt[sn0]→[∀y(I nt(y)→f(n,y)=0)→ ⊥].
By theorem 11, we only need to show that, ifπ∈Πandξ||− ∀y(I nt(y)→ f(n,y)=0) then
κ?sn0.ξ.π∈ ⊥⊥. By definition of⊥⊥, it is sufficient to show thatξ?sp0.κnp.π∈ ⊥⊥for every p ∈N andπ∈Π. But, by hypothesis onξ, for everyp ∈N and$∈ kf(n,p)=0k, we have ξ?sp0.$∈ ⊥⊥. Therefore, it suffices to show thatκnp.π∈ kf(n,p)=0k for everyp∈Nand π∈Π.
Iff(n,p)=0, thenkf(n,p)=0kisk∀X(X →X)kthat is to say :
{t.ρ;t∈Λc,ρ∈Π,t?ρ∈ ⊥⊥}. But, by definition of⊥⊥, we have alsoκnp?π∈ ⊥⊥and therefore κnp.π∈ kf(n,p)=0k.
If f(n,p)6=0, thenkf(n,p)=0k = k> → ⊥kthat is to say {t.ρ;t ∈Λc,ρ∈Π} ; thus, we have againκnp.π∈ kf(n,p)=0k.
C.Q.F.D.
It follows that every proof ofΦin classical analysis gives rise to an interactive program which wins against any attacker.
Indeed, at each answer of the attacker∀, the program, which is nobody else than the player
∃, provides anobject(sn0,ξ) constituted with an integern (the “ provisional solution ”) and anexception handlerξ, which will be used in case of a pertinent answer of the opponent.
They are the two arguments ofκwhich can therefore be considered as apointertowards this object.
We can, without any supplementary effort, add a universal quantifier, which gives the Theorem 19. If `θ: [∀x∃y∀z(f(x,y,z)=0)]I nt, thenevery reductionof θ?m.Tκ.πends up intoκnp?π0with f(m,n,p)=0.
The generalization to the case of an arithmetical formula with an arbitrary number of alter- nating quantifiers is given in [8].
True arithmetical formulas
We shall now prove thatevery arithmetical formula which is true inNis realized.We use for this the trivial winning strategy of the player∃, which we express by a program. We consider first the simpler case of∀∃∀formulas.
Theorem 20.
Letθ be a closedλ-term such thatθt i Â(t i)(θt)(s)i . If N|= ∀x∃y∀z[f(x,y,z)6=g(x,y,z)], thenλxθx0||−∀x∃y{I nt(y),∀z(f(x,y,z)6=g(x,y,z))}.
Remark.This formula is obviously stronger than [∀x∃y∀z(f(x,y,z)6=g(x,y,z))]I ntwhich is therefore also realized.
Suppose that there exists an integermsuch that :
λxθx06||− ∀y[I nt(y),∀z(f(m,y,z)6=g(m,y,z))→ ⊥]→ ⊥. Thus, there existst∈Λc andπ0∈ Πsuch that t||− ∀y[I nt(y),∀z(f(m,y,z)6=g(m,y,z))→ ⊥] andθt0?π0∉ ⊥⊥.
Thus, we havet?0.θt1.π0∉ ⊥⊥and thereforeθt16||− ∀z(f(m, 0,z)6=g(m, 0,z)). This means that there existsp0∈Nandπ1∈Πsuch that f(m, 0,p0)=g(m, 0,p0) andθt1?π1∉ ⊥⊥. Therefore, we havet?1.θt2.π1∉ ⊥⊥and so on. Therefore we build, in this way, a sequence of integerspi(i∈N) such that f(m,i,pi)=g(m,i,pi). This is a contradiction with the hypoth- esis thatN|= ∀x∃y∀z[f(x,y,z)6=g(x,y,z)].
C.Q.F.D.
We consider now prenex formulas with an arbitrary number of alternating quantifiers. Let Φbe a formula of the form∃x1∀y1. . .∃xk∀yk(f(x1,y1, . . . ,xk,yk)6=0) wheref :N2k→Nis an arbitraryfunction.
We define a game associated withΦ(players∃and∀are respectively the “ defender ” and the “ attacker ” of the formulaΦ) ; we also define the notion ofreached positionat a given moment :
Aposition of the game is a finite sequence of integersn1p1. . .nipi (0≤i ≤k). The player
∃chooses first analready reachedpositionn1p1. . .nipi with 0≤i <k and an integerni+1; then, the player∀chooses an integerpi+1. The positionn1p1. . .ni+1pi+1is then reached.
Ifi+1=k and f(n1,p1, . . . ,nk,pk)6=0, then the play stops and∃won. In every other case, the play goes on. Therefore∀wins if and only if the play does not stop.
It is easy to see thatN|=Φif and only if the player∃has a winning strategy for this game.
Moreover, we can effectively (and very simply) describe such a strategy. It does not even depend on the functionf, but only on the numberkof quantifiers :
The player∃uses an effective enumeration ofNk. When he reaches thek-uplen1. . .nk, he chooses the longest already reached position of the formn1p1. . .nipi. We havei<kbecause this position was reached for ak-uple of integers which is different fromn1. . .nk. Then, he plays successivelyni+1, . . . ,nk without taking any account of the choices of player∀. Then, he continues with the nextk-uple of integers.
If the play is infinite, we obtainkfunctionsφi(x1, . . . ,xi) such that :
N|= ∀x1. . .∀xk{f[x1,φ1(x1),x2,φ2(x1,x2), . . . ,xk,φk(x1, . . . ,xk)]=0}
which is the Skolem form of¬Φ; thusN|= ¬Φ.
Conversely, ifN|= ¬Φ, there existkfunctionsφi(x1, . . . ,xi) such that the Skolem form of¬Φ is satisfied. They obviously provide a winning strategy for the opponent∀.
Theorem 21. Suppose that N|= ∃x1∀y1. . .∃xk∀yk(f(x1,y1, . . . ,xk,yk)6=0) where f :N2k→Nis an arbitrary function. Then the formula :
∃x1{I nt(x1),∀y1∃x2{I nt(x2), . . .∃xk{I nt(xk),∀yk(f(x1,y1, . . . ,xk,yk)6=0)} . . .}
is realized by a proof-like term which is independent of f (it is, in fact, a usual closedλ-term).
Remarks.
This formula is obviously stronger thanΦI nt, which is therefore also realized. Theorem 21 is a gener- alization of theorem 20.
The integers of a generic model give therefore a first order model which is elementarily equivalent to N.
The term which realizesΦis obtained by means of a program for the winning strategy given above.
For simplicity, we only consider the case whereN|=Φ≡ ∃m∀n∃p(f(m,n,p)6=0).
We shall now write a proof-like termindependent of f which realizes the formula :
∃m{I nt(m),∀n∃p{I nt(p),f(m,n,p)6=0)}}.
Notations.m,pareλ-variables, which represent Church integers ;s0ands1are closed usual λ-terms such that the ordered pair (s0mp,s1mp) is the successor of the pair (m,p) in a fixed recursive enumeration ofN2which begins with (0, 0).
σis a variable which represents a finite sequence of ordered pairs (m0,η0), . . . , (mk,ηk) where mi is a Church integer andηi aλc-term. In other words,σrepresents aλc-term of the form λhλx(hm0η0)· · ·(hmkηk)x.
