Martin-Lof's Inductive Definitions Are Not Equivalent to Cyclic Proofs FOSSACS 2017 Uppsala April, 26 2017 Stefano Berardi C.S. Dept. Torino University Italy Makoto Tatsuta National Institute of Informatics/Sokendai Japan

A Refutation of Brotherston-Simpson’s Conjecture Cyclic Proofs (2006). Cyclic proofs (Brotherston [1], Simpson [2]) are an alternative formalization of induction on data bases, suitable for proof search and for Separation Logic. Brotherston-Simpson Conjecture (2011, [2]). Cyclic proofs are equivalent to LKID, Martin-Lof's Theory of (finitary) Inductive Definitions. Brotherston-Simpson Conjecture is false (2017, this talk). The 2-Hydra statement has a cyclic proof but no proof in LKID.

LKID, Martin-Lof's Theory of (finitary) Inductive Definitions. LKID is First Order Logic with equality, plus introduction and elimination rules for any set of atomic positive inductive definitions, say: Bool(true), Bool(false) N(0), if N(n) then N(sn) List(nil), if N(a) and List(L) then List(cons(a,L)) In LKID, Classical Logic is allowed. In LKID, there is no negative axiom like true  false, 0  sx, nil  cons(x,L), … or uniqueness axiom like sx = sy  x = y …

CLKID (regular cyclic proofs) Introduction and Elimination rules for inductive definitions are replaced by case rules: ,t=0|-  ,Nx, t=sx|-  ,Nt|-  Proofs are infinite regular trees: proof search stops whenever we pass through the same sequent twice. A cyclic proof is an infinite object, yet it is decidable whether a cyclic proof is correct, using the global trace condition: in all infinite branches there is some variable whose value is decreasing infinitely many times

CLKID versus LKID All theorems of CLKID are true ([3], Prop. 3.2.8). All theorems of LKID are theorems of CLKID ([3], Lemma 7.3.1, and [2], Thm. 7.6). If we add basic arithmetic to LKID, CLKID and we restrict to the language of arithmetic then LKID = CLKID (Simpson, FOSSACS 2017). If we add basic arithmetical axioms to LKID, CLKID and we add all inductive predicates then LKID = CLKID (Berardi, Tatsuta LICS 2017) Yet 2-Hydra is provable CLKID and not in LKID: there is some basic arithmetic hidden in CLKID.

The Hydra Statements The Hydra of Lerna was a mythological monster, popping two smaller heads whenever you cut one. The original Hydra was defeated by fire, a mathematical Hydra statement says that we eventually kill Hydra just by cutting head. There is an Hydra statement for trees true but not provable in Peano Arithmetic (Kirby, Paris 1982 [3]) 2-Hydra is a miniature statement. We select some way of reducing x,yN: (x+1,y+2)|(x,y) and (0,y+2)|(y+1,y) and (x+2,0)| (x+1,x) (reducing the last non-zero value produces two smaller copies). We claim reductions terminate.

A formal definition of 2-Hydra pxy = reductions from (x,y)N2 terminate

A cyclic proof of 2-Hydra A proof of Nx,Ny|- pxy in CLKID + 0,s,N. We prove it from a proof of Nx,Ny|-pxy for a “smaller” pair (x,y), using reductions Hb, Hc, Hd at each step.

A structure M with M|= 2-Hydra We define M = N + Z + an infinite descent p for 2-Hydra (in red). p is union of 3 partial bijections and we move along p by repeating forever: (x+1,y+2)(x,y), (0,y+2)(y+1,y), (x+2,0) (x+1,x)

LKID+0,s,N |- 2-Hydra Let LKID+0,s,N be the theory of inductive definition of 0,s and N (natural numbers). We do not have order, nor sum, nor product. Since M|= 2-Hydra, we prove that LKID+0,s,N |- 2-Hydra proving that M|= LKID+0,s,N, that is, that M satisfies induction for N. This is done in two steps: all predicates in M which do not satisfy induction rule have measure 1/3 or 2/3 (one-line proof) all predicates in M have measure some n/2m (difficult part), hence satisfy induction by point 1. The only non-trivial predicate p of M is union of 3 partial bijections. Which sets are definable from it?

A Quantifier-Elimination result for Partial Bijections Q.-E. Thm. Let U be a set and Rel a set of partial bijections on U. Assume that all finite partial bijections on U are in Rel, that Dom = {dom(R)|RRel} is complement-closed, and that for all R,SRel, DDom we have idD,R-1,RS,RS, RDRel. Let S be the structure with universe U, one symbol for each uU, DDom, RRel. Then: The theory of S has quantifier-elimination. Any first-order definable set in S is in Dom: no new set is first order definable in S

The Q.E. Result decides Brotherston-Simpson’s conjecture Let Dom = the finite unions of subsets of M including (up to finitely many elements) one element every 2n. They have measure some n/2m. Let Rel = the partial bijections with domain some DDom, equal (up to finitely many elements) to y = 2zx + r, for some zZ,rQ. Then the Q.-E. result implies that all first order definable sets in M are in Dom, hence have measure some n/2m, hence satisfy induction for N. Thus: M |= LKID+0,s,N M|= 2-Hydra CLKID+0,s,N |- 2-Hydra

References [1] Brotherston, J. (2006). Sequent calculus proof systems for inductive definitions, ph.d. thesis, Laboratory for Foundations of Computer Science, School of Informatics, University of Edinburgh. [2] Brotherston, J.; Simpson, A. (2011). Sequent calculi for induction and finite descent, Journal of Logic and Computation 21 (6) 1177-1216. [3] Kirby, L.; Paris, J. (1982). "Accessible Independence Results for Peano Arithmetic" (PDF). Bulletin of the London Mathematical Society. 14 (4): 285. doi:10.1112/blms/14.4.285.

The Hydra in the book “Historiae Naturalis” of Johnston (1625)

Question 1: is the Quantifier Elimination Result new? Our interest is not the Q.E. result per se, but rather the identification of this Q.E. result as a way of proving the unprovability of 2-Hydra in LKID. Model-theorists David Evans, Victoria Gould, Bruno Poizat, Frank Wagner and Domenico Zambella never heard of this Q.E. result. However, Domenico Zambella pointed out that this kind of result is often hidden in a note or in an exercise of a larger paper, so we cannot be completely sure it is new.

Question 2: do we have LKIDCLKID if we add all inductive predicates? Open question: if we add all inductive definitions and rules to LKID and to CLKID, but nothing else, do we get LKID=CLKID ? Possibly no. However, our proof would require changes, because M=N+Z does not satisfy the induction rule for , therefore M is not a model of LKID + all inductive predicates. We conjecture that our proof goes through if we redefine M=Z+Z .