\gdef\lecturenumber{lec6--8}
\input preamble.tex
\begin{document}
\Chapter{\lecturenumber: Natural deduction}
\section{Background}
In the early 1900s, the principal efforts towards
foundations for mathematical and logical reasoning---\emph{mathematical logic}---focused
on developing sets of axioms. Axioms are similar to rules in having meta-variables
that can be instantiated (to logical formulas, for example), but differ from rules
in having no premises as such. Instead, the premises are encoded as the conditions of implications.
For example, the axiom
\[
A \imp (B \imp A)
\]
says that if $A$, then: if $B$, then $A$. More clearly, it can be read ``if $A$ and $B$, then $A$.''
The first occurrence of $A$ plays the role of a premise, as does the $B$; the second
occurrence of $A$ plays the role of the conclusion.
\medskip
\[
\ifpdf
\includegraphics[height=200pt]{axioms.png}
\else
\text{[compile using pdflatex]}
\fi
\]
Such axioms (the above is an image from Gentzen's thesis, based on work by Hilbert and Glivenko)
were not user-friendly: the process of instantiating axioms
doesn't line up well with the reasoning that mathematicians actually do.
Gentzen's work has several advantages over axiom systems like the above.
First, rules clearly distinguish the premises from the conclusion.
I think this is a relatively small advantage, because with some practice the premises
are easy to see.
Second, each of Gentzen's rules of natural deduction has a close
analogue to actual mathematical reasoning, whereas axiom systems necessarily
include ``administrative'' axioms like $A \imp (B \imp A)$. This closeness arises
by modelling assumptions; while natural deduction's particular style of modelling
assumptions is somewhat awkward, Gentzen also developed \emph{sequent calculus}
which models assumptions in a different way.
Third, along with rules Gentzen developed \emph{derivations}.
Rather than searching through a proof of $A \AND B$
for the parts contributing to $A$ and the parts contributing to $B$,
a derivation proving $A \AND B$ clearly separates the proof of $A$
from the proof of $B$. This compositionality makes derivations easier
to deal with as mathematical objects, and---from a computational standpoint---as data structures.
However, a disadvantage of derivations is that they are space-inefficient.
(It was once fashionable for PL researchers to include large derivations in their papers;
these usually required a figure in ``landscape'' orientation.) Moreover, they do not
resemble traditional mathematical proofs. Some descendants of natural deduction,
such as \emph{Fitch systems}, adopt many of Gentzen's rules (and his rule notation)
but use a line-by-line proof format rather than derivations.
Such descendants seem to be a good way to teach logic, and a good way to
write careful and detailed proofs, but for our purposes we need to handle proofs
as objects (data structures) in their own right.
\section{Introduction and elimination}
A feature of natural deduction (inherited by type systems!)
is that the rules can be systematically designed, or at least systematically organized.
The rules for each \emph{connective}, such as $\AND$ or $\imp$,
can be categorized as (1) rules that \emph{introduce} the connective,
and (2) rules that \emph{eliminate} the connective.
(The number of rules in each category depends on the connective;
one very common connective has zero elimination rules.)
In addition, the rules of natural deduction are \emph{orthogonal}:
the rules to introduce and eliminate $\AND$ only mention $\AND$,
not $\imp$ or any other connective.
This makes natural deduction, and type systems based on it, easier to extend:
to incorporate a connective, we only have to design its introduction and elimination
rules---which may not be easy but can be done without regard for any other connectives.
The rules for each connective are a kind of ``module'' in the rule system.
\clearpage
\section{Natural deduction}
\begin{grammar}
atomic formulas
&
$P, Q$
\\
formulas
&
$A, B, C$
&\bnfas&
$P
\bnfaltBRKn{atomic formula}
A \imp B
\bnfaltBRKn{implication}
A \AND B
\bnfaltBRKn{conjunction (and)}
A \OR B
\bnfaltBRKn{disjunction (or)}
\All{a:\Nat} A
\bnfaltBRKn{universal quantification}
\Exists{a:\Nat} A
$ & existential quantification
\end{grammar}
\judgbox{A \True}{$A$ is true}
\begin{mathpar}
\Infer{$\AND$Intro}
{
A \True
\\
B \True
}
{A \AND B \True}
\and
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
~~~~~
\Infer{$\AND$Elim2}
{
A \AND B \True
}
{B \True}
\\
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
\and
\Infer{$\imp$Elim}
{
A \imp B \True
\\
A \True
}
{B \True}
\end{mathpar}
Rule $\imp$Elim is modus ponens,
but rule $\imp$Intro requires an \emph{assumption}.
The assumption ``floats'' above the subderivation in which it is available:
it may be used anywhere between the floating assumption $\xNDassume{x}{A \True}$
and the rule application that discharges it, marked with the superscript $x$
next to the rule name. I have highlighted the $x$ in the rule, but we may have
to work without highlighting.
This notation for assumptions is somewhat unfriendly:
it's easy to lose track of the scope of the assumption.
But this notation may be closer to ordinary mathematical
reasoning, and it's historically important,
so we'll keep using it for now.
Disjunction usually causes more trouble than conjunction, and this certainly
holds for natural deduction.
However, there is a duality between conjunction and disjunction.
In Boolean logic, you can get a feeling for this by comparing the truth table for AND with
the truth table for OR, after swapping ``true'' and ``false'' in one of them.
In natural deduction, this opposition between conjunction and disjunction
shows itself in a similarity between
the elimination rules for $\AND$, which are $\AND$Elim1/$\AND$Elim2,
and the introduction rules for $\OR$:
\begin{mathpar}
\Infer{$\OR$Intro1}
{
A \True
}
{A \OR B \True}
~~~~~
\Infer{$\OR$Intro2}
{
B \True
}
{A \OR B \True}
\end{mathpar}
Observe that $\OR$Intro1 is $\AND$Elim1 turned upside down,
with $\AND$ changed to $\OR$.
Sadly, flipping the \emph{introduction} rule $\AND$Intro upside down doesn't
give us a good $\OR$-elimination rule:
\[
\Infer{??$\OR$Elim??}
{
A \OR B \True
}
{
A \True
\\
B \True
}
\]
This rule seems to have two conclusions. People sometimes write more than one conclusion
as a concise notation for two rules with identical premises---we could
combine $\AND$Elim1 and $\AND$Elim2, for example.
But it's certainly not true that, from ``$A$ or $B$'', we should get $A$ \emph{and} $B$.
Instead, our $\OR$Elim rule will \emph{reason by cases}.
If $A \OR B$ then either $A$, or $B$. As we can split a proof into cases according
to a given grammar (``Case $e = n$\dots Case $e = \plusexp{e_1}{e_2}$''),
we can have subderivations with different assumptions.
\[
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
A \OR B \True
\\
\NDassume{\fighi{x}}{A \True}
{
C \True
}
\\
\NDassume{\fighi{y}}{B \True}
{
C \True
}
}
{
C \True
}
\]
To understand why the conclusion of $\OR$Elim should be $C \True$,
where $C$ is \emph{any} formula, it may help to think about case analysis
in a (line-by-line) proof: we can case-analyze regardless of what our
goal is. We might be trying to show that $v = 0$, or that $v_1 = v_2$,
or that $e \down v$; whatever the goal, case analysis works the same way.
The only requirement is that each case must show the same goal:
if we want to show $v = 0$ we need to show $v = 0$ assuming $e = n$,
and $v = 0$ assuming $e = \plusexp{e_1}{e_2}$.
%
\subsection{Example!}
\label{sec:orelim-example}
%
\[
\Infer{$\imp$Intro\noteassume{\fighi{z}}}
{
\ndassume{\fighi{z}}{A_1 \OR A_2 \True}{
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
\Infer{$z$}
{}
{A_1 \OR A_2 \True}
\\
\ndassume{\fighi{x}}{A_1 \True}
{
\Infer{$\OR$Intro2}
{
\Infer{$x$}
{}
{A_1 \True}
}
{
A_2 \OR A_1 \True
}
}
\\
\ndassume{\fighi{y}}{A_2 \True}
{
\Infer{$\OR$Intro1}
{
\Infer{$y$}
{}
{A_2 \True}
}
{
A_2 \OR A_1 \True
}
}
}
{
A_2 \OR A_1 \True
}
}}
{
(A_1 \OR A_2) \imp (A_2 \OR A_1)
\True
}
\]
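The derivation above, treated as a data structure. This is an added example and not part of the lecture notes; the encoding (formulas as \texttt{F} values, rule applications as \texttt{Rule} nodes, assumption leaves as \texttt{Hyp}, rule names such as \texttt{OrElim}) is my own. The checker walks the derivation and verifies that every node is an instance of one of the rules given so far, and it tracks the scope of each floating assumption, so a derivation that uses $x$ outside the subderivation where $x$ floats is rejected.

```python
"""Derivations as data structures, with a checker (added example, not
from the lecture notes).  check() verifies every node against the rules
for and, or, implication and truth, tracking which floating assumptions
are in scope.  Rule names and the encoding are my own choices."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class F:
    """A formula: op is one of atom, and, or, imp, top; args are subformulas."""
    op: str
    args: tuple = ()


def atom(name): return F("atom", (name,))
def and_(a, b): return F("and", (a, b))
def or_(a, b): return F("or", (a, b))
def imp(a, b): return F("imp", (a, b))
TOP = F("top")


@dataclass(frozen=True)
class Hyp:
    """Leaf of a derivation: a use of the floating assumption `label`."""
    label: str
    formula: F


@dataclass(frozen=True)
class Rule:
    """One rule application.  scoped[i] is the assumption (label, formula)
    that floats above premise i and is discharged here, or None."""
    name: str
    conclusion: F
    premises: tuple = ()
    scoped: Tuple[Optional[Tuple[str, F]], ...] = ()


class ProofError(Exception):
    pass


def check(d, env=None) -> F:
    """Return the formula that `d` proves true, or raise ProofError.
    env maps assumption labels to the formulas currently in scope."""
    env = {} if env is None else env
    if isinstance(d, Hyp):
        if env.get(d.label) != d.formula:
            raise ProofError(f"assumption {d.label} is not in scope here")
        return d.formula
    scoped = d.scoped or (None,) * len(d.premises)
    if len(scoped) != len(d.premises):
        raise ProofError(f"{d.name}: scope info does not match the premises")
    got = []
    for sub, asm in zip(d.premises, scoped):
        sub_env = dict(env)   # a discharged assumption never leaks to siblings
        if asm is not None:
            sub_env[asm[0]] = asm[1]
        got.append(check(sub, sub_env))
    c, n = d.conclusion, d.name
    i = 1 if n.endswith("2") else 0   # side picked by AndElim2 / OrIntro2
    if n == "AndIntro":
        ok = len(got) == 2 and c == and_(*got)
    elif n in ("AndElim1", "AndElim2"):
        ok = len(got) == 1 and got[0].op == "and" and c == got[0].args[i]
    elif n == "ImpIntro":
        ok = len(got) == 1 and scoped[0] is not None and c == imp(scoped[0][1], got[0])
    elif n == "ImpElim":
        ok = len(got) == 2 and got[0] == imp(got[1], c)
    elif n in ("OrIntro1", "OrIntro2"):
        ok = len(got) == 1 and c.op == "or" and c.args[i] == got[0]
    elif n == "OrElim":
        ok = (len(got) == 3 and got[0].op == "or" and None not in scoped[1:]
              and (scoped[1][1], scoped[2][1]) == got[0].args
              and got[1] == c and got[2] == c)
    elif n == "TopIntro":
        ok = got == [] and c == TOP
    else:
        raise ProofError(f"unknown rule {n}")
    if not ok:
        raise ProofError(f"{n} does not justify {c} from {got}")
    return c


def is_valid(d) -> bool:
    try:
        check(d)
        return True
    except ProofError:
        return False


# The derivation from the notes: (A1 or A2) -> (A2 or A1).
A1, A2 = atom("A1"), atom("A2")
SWAP = Rule("ImpIntro", imp(or_(A1, A2), or_(A2, A1)), (
    Rule("OrElim", or_(A2, A1), (
        Hyp("z", or_(A1, A2)),
        Rule("OrIntro2", or_(A2, A1), (Hyp("x", A1),)),
        Rule("OrIntro1", or_(A2, A1), (Hyp("y", A2),)),
    ), scoped=(None, ("x", A1), ("y", A2))),
), scoped=(("z", or_(A1, A2)),))

# A bogus derivation of A1 from no assumptions: x floats only above the
# premise of ImpIntro, but the second premise of ImpElim uses it anyway.
LEAK = Rule("ImpElim", A1, (
    Rule("ImpIntro", imp(A1, A1), (Hyp("x", A1),), scoped=(("x", A1),)),
    Hyp("x", A1),
))
```

Calling \texttt{check(SWAP)} returns the formula $(A_1 \OR A_2) \imp (A_2 \OR A_1)$, while \texttt{is\_valid(LEAK)} is false: the checker copies the scope before descending into each premise, which is exactly the discipline the floating-assumption notation asks the reader to keep in their head.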
\clearpage
(In 2018, this was roughly the dividing line between the January 25th and January 30th lectures.)
\section{Natural deduction, extended}
\begin{grammar}
atomic formulas
&
$P, Q$
\\
formulas
&
$A, B, C$
&\bnfas&
$P
\bnfaltBRKn{atomic formula}
A \imp B
\bnfaltBRKn{implication}
A \AND B
\bnfaltBRKn{conjunction (and)}
A \OR B
\bnfaltBRKn{disjunction (or)}
\All{a:\Nat} A
\bnfaltBRKn{universal quantification}
\Exists{a:\Nat} A
\bnfaltBRKn{existential quantification}
\trueformula
$ & truth
\end{grammar}
\judgbox{A \True}{$A$ is true}
\begin{mathpar}
\Infer{$\AND$Intro}
{
A \True
\\
B \True
}
{A \AND B \True}
\and
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
~~~~~
\Infer{$\AND$Elim2}
{
A \AND B \True
}
{B \True}
\\
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
\and
\Infer{$\imp$Elim}
{
A \imp B \True
\\
A \True
}
{B \True}
\\
\Infer{$\OR$Intro1}
{
A \True
}
{A \OR B \True}
\and
\Infer{$\OR$Intro2}
{
B \True
}
{A \OR B \True}
\and
~~
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
A \OR B \True
\\
\NDassume{\fighi{x}}{A \True}
{
C \True
}
\\
\NDassume{\fighi{y}}{B \True}
{
C \True
}
}
{
C \True
}
\\
\Infer{$\trueformula$Intro}
{
}
{
\trueformula \True
}
\and\text{no elimination rules for $\trueformula$}
\end{mathpar}
\subsection{True}
To design rules for the formula $\trueformula$,
it may be helpful to view it as an ``and'' of nothing---a 0-ary conjunction.
Since $\AND$ is a binary (2-ary) conjunction whose introduction rule $\AND$Intro
has two premises, following that structure leads to the rule $\trueformula$Intro,
which has zero premises. This seems consistent with an intuitive understanding
of $\trueformula$: since $\trueformula$ has no subformulas, its truth does not depend
on the truth of the subformulas (unlike $\AND$ where $A \AND B$ is true only if
$A$ and $B$ are true).
For the elimination rule(s), we can also argue by analogy to $\AND$.
However, the argument feels a little different from the argument for the introduction rule.
\[
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
~~~~~
\Infer{$\AND$Elim2}
{
A \AND B \True
}
{B \True}
\]
The trick is to find something about the above rules related to the number two.
But the only thing related to two \emph{within} $\AND$Elim1 and $\AND$Elim2
is the formula $A \AND B$ itself: each rule has one premise.
Instead, we must step back and observe that the \emph{number of elimination rules}
is two. Since $\AND$ is 2-ary and $\trueformula$ is 0-ary, this suggests that we should
have zero elimination rules for $\trueformula$!
We can justify this by analogy to $\AND$, but more intuitively:
the formula $A \AND B$ combines two facts ($A$ is true and $B$ is true),
leading to two elimination rules, each extracting one of those two facts.
But no facts are needed to justify $\trueformula$.
Therefore, no facts can be extracted.
Perhaps we could argue that $\trueformula$ itself could be extracted:
\[
\Infer{}
{\trueformula \True}
{\trueformula \True}
\]
But this rule is admissible (that is, redundant): we already have $\trueformula$Intro,
which has the same conclusion. (Any rule with a premise that is identical to its
conclusion is admissible.)
Allowing rules to have multiple conclusions is something that I'm trying to avoid,
because it can be confusing, but allowing that leads to another argument for having
no elimination rules. If we allow multiple conclusions then we can combine
$\AND$Elim1 and $\AND$Elim2:
\[
\Infer{$\AND$Elim-combined}
{
A \AND B \True
}
{A \True \\ B \True}
\]
Since this rule has two conclusions, $\trueformula$Elim should have zero conclusions.
But a rule with no conclusions isn't a rule; even if we tried to bend the definition to allow it,
it can't conclude anything because it has no conclusion.
\section{Harmony}
The above arguments for designing rules for $\trueformula$
have ``intensional flavour'': we argued for our design based on existing internal
features---our rules for $\AND$---of the system (and \emph{then} checked the resulting rules against our intuitive understanding
of $\trueformula$).
This seems to run against Carnap's aphorism, ``In logic, there are no morals.''
It suggests that we have some constraints around how the parts of
the system fit together.
While I argued (in lecture, not written up here yet) by analogy to $\trueformula$
as an identity element for $\AND$, that wasn't strictly necessary. Whether or
not we believe that $\AND$ comports with common usage of the word ``and'',
we can ask: If $\AND$ is the 2-ary version of something, what is the 0-ary version?
We can choose to call that 0-ary version ``$\trueformula$'', or ``tonk'',
or even ``$\falseformula$'' (if we enjoy confusion).
One intensional quality-assurance tool doesn't even need to compare the
rules for different connectives: \emph{harmony} checks that the introduction
rules and elimination rules \emph{for a single connective}
match (are \emph{in harmony} with) each other.
Harmony has two parts:
\begin{itemize}
\item \emph{Local soundness} holds when the results
of applying elimination rules were already used in the introduction
rule. On a high level, facts go into an introduction rule;
the elimination rules should produce only those facts.
\item \emph{Local completeness} holds when the elimination rules
can be used to recover \emph{all} of the facts that went into the introduction.
\end{itemize}
Checking that rules satisfy these two parts of harmony gives us some protection
against two possible design mistakes: neglecting to add a necessary rule,
and adding a rule that is too powerful. Specifically:
\begin{itemize}
\item If local soundness is violated, either an elimination rule is wrong (it is producing
something outside the ``inputs'' to the introduction rule),
or an introduction rule is too weak (for example, we forgot one of its premises).
\item If local completeness is violated, either we forgot an elimination rule,
or an introduction rule is wrong (it demands more than the elimination rules can give back).
\end{itemize}
It's probably easiest to grasp these ideas by considering some relatively clear mistakes
in designing rules for conjunction.
\[
\Infer{$\AND$Intro}
{
A \True
\\
B \True
}
{A \AND B \True}
~~~~~~~
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
% ~~~~~
% \Infer{$\AND$Elim2}
% {
% A \AND B \True
% }
% {B \True}
\]
Suppose the above two rules were our only rules for $\AND$.
Local soundness holds, because our (only) elimination rule $\AND$Elim1
produces $A \True$, which ``went into'' our use of $\AND$Intro:
\[
\Infer{$\AND$Elim1}
{
\Infer{$\AND$Intro}
{\fighi{A \True} \\ B \True}
{A \AND B \True}
}
{\fighi{A \True}}
\]
But local completeness fails, because our single elimination rule can't recover the
information $B \True$. Checking local completeness ensures that we remember
to include both elimination rules.
On the other hand, suppose we have both elimination rules but forget one of the premises of $\AND$Intro.
%
\[
\Infer{$\AND$Intro??}
{
A \True
% \\ B \True
}
{A \AND B \True}
~~~~~~~
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
~~~~~
\Infer{$\AND$Elim2}
{
A \AND B \True
}
{B \True}
\]
Checking local \emph{soundness} will reveal the problem:
\[
\Infer{$\AND$Elim2}
{
\Infer{$\AND$Intro??}
{A \True}
{A \AND B \True}
}
{\fighi{B \True}}
\]
The rule $\AND$Elim2 derives $B \True$, but $B \True$ didn't go into our (wrong) introduction
rule $\AND$Intro??, so $\AND$Elim2 is locally unsound with respect to $\AND$Intro??.
Local soundness and local completeness are not quite the same as soundness and completeness
between different systems, but they are similar in that they depend on keeping \emph{something}
in a ``fixed position'' and comparing other stuff to the fixed thing:
Ordinary soundness takes some system as ground truth, and checks that another system
stays within that ground truth; ordinary completeness asks whether another system
covers everything within that ground truth. Local soundness keeps the introduction rules
stationary, and ensures that the elimination rules stay ``within the scope'' of the
introduction rules. Local completeness also keeps the introduction rules stationary,
and checks that the elimination rules can recover all of the information
used by the introduction rules.
Let's check that our rules for $\imp$ satisfy local soundness and local completeness.
\[
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
~~~~~~
\Infer{$\imp$Elim}
{
A \imp B \True
\\
A \True
}
{B \True}
\]
\subsection{Local soundness for $\imp$}
For each elimination rule for $\imp$, we ask if that rule is locally sound.
We have one elimination rule for $\imp$; is it locally sound?
\[
\Infer{$\imp$Elim}
{
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
\\
A \True
}
{B \True}
\]
This is a little more complicated than $\AND$, because $\imp$Elim has a second premise
$A \True$. We can apply $\imp$Elim only when $A \True$.
So the question becomes: did the information
\[
\text{``assuming $A \True$ [the other premise of $\imp$Elim],
it holds that $B \True$ [the conclusion of $\imp$Elim]''}
\]
go into the application of $\imp$Intro? Yes, because the (only) premise of $\imp$Intro
derived $B \True$ \emph{under the assumption} $A \True$.
\subsection{Local completeness for $\imp$}
\[
\Infer{$\imp$Elim}
{
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
\\
A \True
}
{B \True}
\]
For local completeness, we ask whether all the information going into $\imp$Intro
can be recovered using one of the elimination rules for $\imp$. Since there is only
one elimination rule, we ask whether the information going into $\imp$Intro can
be recovered using $\imp$Elim.
That information was
\[
\text{``assuming $A \True$ [the assumption within the premise of $\imp$Intro],
it holds that $B \True$ [the premise of $\imp$Intro].''}
\]
(This is the same piece of information that we used in local soundness, but
only because our rules really do satisfy local soundness and local completeness!)
The argument for local completeness goes like this:
\begin{enumerate}
\item Assume we have a derivation of $A \imp B \True$ whose concluding rule is $\imp$Intro.
\item Assume $A \True$.
\item Our goal is to derive $B \True$.
\item Applying rule $\imp$Elim to $A \imp B \True$ and $A \True$ gives $B \True$.
\end{enumerate}
Note that if we had forgotten to write $\imp$Elim, we could not take the last step of this argument.
\subsection{Local soundness for $\trueformula$}
For each elimination rule for $\trueformula$, we ask if that rule is locally sound.
We have no elimination rules for $\trueformula$, so there is nothing to check.
\subsection{Local completeness for $\trueformula$}
For local completeness, we ask whether all the information going into $\trueformula$Intro
can be recovered using one of the elimination rules for $\trueformula$.
But $\trueformula$Intro has no premises, so no information went into it.
So there is nothing to check.
\subsection{Local soundness for $\OR$}
For each elimination rule for $\OR$, we ask if that rule is locally sound.
We have only one elimination rule for $\OR$, but it is somewhat complicated:
\[
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
\Infer{$\OR$Intro\dots}
{\dots}
{A \OR B \True}
\\
\NDassume{\fighi{x}}{A \True}
{
C \True
}
\\
\NDassume{\fighi{y}}{B \True}
{
C \True
}
}
{
C \True
}
\]
Since we have more than one introduction rule for $\OR$,
we don't know which of them was used to derive $A \OR B \True$,
so I have included some ``$\dots$''.
For $\imp$ we assumed the other (second) premise of $\imp$Elim.
So here, we assume the other (second and third) premises of $\OR$Elim:
\begin{itemize}
\item Second premise of $\OR$Elim: ``assuming $A \True$, then $C \True$.''
\item Third premise of $\OR$Elim: ``assuming $B \True$, then $C \True$.''
\end{itemize}
We also assume the first premise, the derivation of $A \OR B \True$
by one of the $\OR$-introduction rules.
Consider cases of which introduction rule was used.
Our goal is to show $C \True$.
\begin{itemize}
\item Case: $\OR$Intro1 was used.
By inversion on $\OR$Intro1, $A \True$.
We know (``Second premise of $\OR$Elim'') that, if $A \True$, then $C \True$.
Since we know $A \True$, we know $C \True$.
\item Case: $\OR$Intro2 was used.
By inversion on $\OR$Intro2, $B \True$.
We know (``Third premise of $\OR$Elim'') that, if $B \True$, then $C \True$.
Since we know $B \True$, we know $C \True$.
\end{itemize}
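The same argument written out as derivation rewriting (an added illustration, not from the original notes). Here $\mathcal{D}$, $\mathcal{E}_1$ and $\mathcal{E}_2$ stand for arbitrary subderivations, drawn the same way as the assumption leaves in the example of \Sectionref{sec:orelim-example}, and $[\mathcal{D}/x]\mathcal{E}_1$ is $\mathcal{E}_1$ with a copy of $\mathcal{D}$ plugged in wherever the assumption $x$ is used. The $\OR$Intro1 case of local soundness becomes
\[
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
\Infer{$\OR$Intro1}
{
\Infer{$\mathcal{D}$}{}{A \True}
}
{A \OR B \True}
\\
\ndassume{\fighi{x}}{A \True}
{
\Infer{$\mathcal{E}_1$}{}{C \True}
}
\\
\ndassume{\fighi{y}}{B \True}
{
\Infer{$\mathcal{E}_2$}{}{C \True}
}
}
{
C \True
}
\qquad\Longrightarrow\qquad
\Infer{$[\mathcal{D}/x]\mathcal{E}_1$}{}{C \True}
\]
and the $\OR$Intro2 case is symmetric, plugging $\mathcal{D}$ (now a derivation of $B \True$) into $\mathcal{E}_2$ for $y$. After the rewrite no assumption remains to be discharged, so the superscripts $x$ and $y$ disappear together with the $\OR$Elim; the subderivation $\mathcal{E}_2$ (respectively $\mathcal{E}_1$) is simply thrown away.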
\subsection{Local completeness for $\OR$}
Arguing local completeness for $\OR$ is tricky,
because $\OR$Elim does not literally produce the information that went into the introduction rule.
Instead, it splits into two cases, each working towards a common goal $C \True$, where $C$ may
not be the same as $A$ or $B$.
Instead of trying to get the literal information $A \True$ (or $B \True$),
we must consider what we could deduce if we knew that either $A \True$ holds or $B \True$ holds.
\begin{enumerate}
\item Assume, as usual, $A \OR B \True$ by one of the introduction rules for $\OR$;
this is the first premise of $\OR$Elim.
\item Also assume, as usual, the remaining premises of $\OR$Elim.
\item Suppose that $C'$ is a formula that can be deduced assuming $A$,
and can be deduced assuming $B$.
Our goal is now to use $\OR$Elim to derive $C' \True$.
\item We want to apply $\OR$Elim. We don't get to choose $A$ and $B$; they are determined
by the pre-existing derivation of $A \OR B \True$.
However, we can choose $C$.
\item Let $C$ be $C'$.
\item Either $\OR$Intro1 was used to derive $A \OR B \True$, or $\OR$Intro2 was used to derive it.
\begin{itemize}
\item Case: $\OR$Intro1 was used.
By inversion on $\OR$Intro1, $A \True$.
The second premise of $\OR$Elim is that $C' \True$ under the assumption $A \True$.
That is, $C' \True$ can be deduced from $A \True$.
\item Case: $\OR$Intro2 was used.
By inversion on $\OR$Intro2, $B \True$.
The third premise of $\OR$Elim is that $C' \True$ under the assumption $B \True$.
That is, $C' \True$ can be deduced from $B \True$.
\end{itemize}
\item By rule $\OR$Elim, $C' \True$.
% Since $C' \True$ can be deduced from $A \True$, and separately from $B \True$,
% and either $A \True$ or $B \True$, the judgment $C' \True$ can be deduced from
% the premise of the introduction rule---regardless of whether $\OR$Intro1 or $\OR$Intro2
% was used.
\end{enumerate}
The business about $C'$ is needed to reject a possible bug in $\OR$Elim:
an insufficiently general conclusion. Consider this specialized version of $\OR$Elim,
which can express our example in \Sectionref{sec:orelim-example}, but nothing else:
\[
\Infer{$\OR$Elim-swap\noteassume{\fighi{x},\fighi{y}}}
{
A \OR B \True
\\
\NDassume{\fighi{x}}{A \True}
{
\fighi{B \OR A \True}
}
\\
\NDassume{\fighi{y}}{B \True}
{
\fighi{B \OR A \True}
}
}
{
\fighi{B \OR A \True}
}
\]
If $\OR$Elim-swap were our only elimination rule for $\OR$,
step 5---Let $C$ be $C'$---would work only in the special case of $C' = B \OR A$.
Since $\OR$Elim-swap cannot derive other conclusions, including---for example---$(A \OR B) \OR A$,
our argument fails, as it should: $\OR$Elim-swap is incomplete because it doesn't work
for most possible $C'$.
Note that $\OR$Elim-swap is locally \emph{sound}: it works for only one conclusion, but for that conclusion,
it does not go beyond the premise of the introduction rule.
\begin{exercise}
Consider the connective $\xtonk$, due to A.N.\ Prior (1960), who argued (tongue-in-cheek)
that $\xtonk$ would succeed based on its ``extreme \emph{convenience}''.
Translated to our notation, Prior gave two rules for $\xtonk$:
\[
\Infer{\xtonk Intro}
{A \True}
{(A \tonk B) \True}
~~~~~~~
\Infer{\xtonk Elim}
{(A \tonk B) \True}
{B \True}
\]
Essentially, this connective steals one of the introduction rules for $\OR$
and one of the elimination rules for $\AND$.
Argue that local soundness for $\xtonk$ does not hold.
\end{exercise}
\clearpage
\section{Quantifiers and falsehood}
For quantifiers, we need some notation that substitutes a specific natural number
for the quantified variable. Suppose we have
\[
\All{a:\Nat} \big(\Even(a) \OR \Odd(a)\big)
\]
and we want to know that the natural number $5$ is either even or odd.
We can get
\[
\big(\Even(5) \OR \Odd(5)\big)
\]
by looking for $a$ (the quantified variable) throughout the body of the quantifier,
and wherever we find $a$, replacing it with $5$.
\[
\All{a:\Nat} \underbrace{\big(\Even(a) \OR \Odd(a)\big)}_{\text{body of the quantifier}}
\]
We will write this use of substitution as
\[
[5/a] \big(\Even(a) \OR \Odd(a)\big)
\]
or more generally,
\[
{} [n/a]A ~~=~~ \textit{$A$ with $n$ replacing each occurrence of $a$}
\]
Substitution is a \emph{meta-level} operation, like writing $n_1 + n_2$ in the rule eval-add.
As with addition, it would be better to formally define what $[n/a]A$ means.
However, the full definition of substitution has some ``interesting'' parts, which I don't want
to explain just yet.
If you're curious about what the interesting parts might be,
consider what should happen if we substitute $5$ for $b$ in the following:
\[
(b > 2)
\AND
\Big(
\Prime(a)
\imp
\big(\Exists{b:\Nat}
(b > a) \AND \Prime(b)
\big)
\Big)
\]
\subsection{Mnemonic device}
The PL research community has not converged on one standard notation for substitution.
I have a number of reasons for preferring the notation above, which I won't bore you with.
A shortcoming of my preferred notation is that the order of $n$ (the thing replacing the variable)
and $a$ (the variable being replaced) is not immediately clear. Here is a memory trick
(more snobbily, a \emph{mnemonic device}):
If we look for all occurrences of $a$ throughout $a$, and replace $a$ with $5$,
we write that as
\[
[5/a]a ~~=~~ 5
\]
If we creatively reinterpret $5/a$ as a fraction and reinterpret substitution as multiplication,
we can ``cancel'' the $a$:
\[
\frac{5}{a}\,\cdot\,a ~~=~~
\frac{5\;\cdot\not{\!a}}{\not{\!a}} ~~=~~ 5
\]
\clearpage
\subsection{Substitution as renaming}
We don't have to substitute a constant natural number like $5$.
We could also substitute a variable.
\[
\big[a'\big/a\big]\big((b > a) \AND \Prime(b)\big)
~~=~~
\big((b > \fighi{a'}) \AND \Prime(b)\big)
\]
We could then substitute a constant for $a'$:
\begin{align*}
\fighi{\big[2\big/a'\big]}\big[a'\big/a\big]\big((b > a) \AND \Prime(b)\big)
&~=~
\fighi{\big[2\big/a'\big]}\big((b > \fighi{a'}) \AND \Prime(b)\big)
\\
&~=~
\big((b > \fighi{2}) \AND \Prime(b)\big)
\end{align*}
A nice feature of this notation is that such ``double substitutions''
have the same variable in the centre: ``$2$ replaces $a'$ which replaces $a$, so $2$ is replacing $a$'',
or (reading right to left) ``replace $a$ with $a'$, then replace $a'$ with $2$''.
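Substitution carried out on actual formula data, as an added example that is not part of the lecture notes. It implements $[n/a]A$ over the quantifier grammar of this section and makes the deferred ``interesting parts'' concrete: an occurrence of $a$ that a quantifier inside $A$ rebinds is left alone, and when the term being substituted is itself a variable that such a quantifier would capture, the bound variable is renamed first (following the $a'$ convention above). The representation (\texttt{Atom}, \texttt{Bin}, \texttt{Quant}), the helper names and the ASCII printer are my own choices; the capture case at the end is a constructed input, not one from the notes.

```python
"""Substitution [n/a]A on formulas with quantifiers (added example, not
from the lecture notes).  Bound occurrences are not replaced, and a
quantifier that would capture the substituted variable is renamed."""
from dataclasses import dataclass
from itertools import count
from typing import Union

Term = Union[str, int]          # a variable name or a natural number


@dataclass(frozen=True)
class Atom:                     # e.g. Atom("Prime", ("a",)), Atom(">", ("b", 2))
    pred: str
    args: tuple


@dataclass(frozen=True)
class Bin:                      # op is "and", "or" or "imp"
    op: str
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Quant:                    # q is "forall" or "exists"; binds var in body
    q: str
    var: str
    body: "Formula"


Formula = Union[Atom, Bin, Quant]
SYM = {"and": "and", "or": "or", "imp": "->"}


def free_vars(A: Formula) -> set:
    """Variables occurring in A outside the scope of a quantifier binding them."""
    if isinstance(A, Atom):
        return {t for t in A.args if isinstance(t, str)}
    if isinstance(A, Bin):
        return free_vars(A.left) | free_vars(A.right)
    return free_vars(A.body) - {A.var}


def fresh(var: str, avoid: set) -> str:
    """var with enough primes appended that it clashes with nothing in avoid."""
    for i in count(1):
        cand = var + "'" * i
        if cand not in avoid:
            return cand


def subst(n: Term, a: str, A: Formula) -> Formula:
    """[n/a]A: A with n replacing each *free* occurrence of a."""
    if isinstance(A, Atom):
        return Atom(A.pred, tuple(n if t == a else t for t in A.args))
    if isinstance(A, Bin):
        return Bin(A.op, subst(n, a, A.left), subst(n, a, A.right))
    if A.var == a:              # a is rebound here; nothing inside is free
        return A
    if isinstance(n, str) and n == A.var and a in free_vars(A.body):
        # the quantifier would capture n: rename its bound variable first
        b = fresh(A.var, free_vars(A.body) | {n})
        A = Quant(A.q, b, subst(b, A.var, A.body))
    return Quant(A.q, A.var, subst(n, a, A.body))


def show(A: Formula) -> str:
    """ASCII rendering, infix for operator-named predicates such as >."""
    if isinstance(A, Atom):
        if len(A.args) == 2 and not A.pred[0].isalpha():
            return f"({A.args[0]} {A.pred} {A.args[1]})"
        return f"{A.pred}({', '.join(map(str, A.args))})"
    if isinstance(A, Bin):
        return f"({show(A.left)} {SYM[A.op]} {show(A.right)})"
    return f"({A.q} {A.var}:Nat. {show(A.body)})"


# The formula from the notes: (b > 2) and (Prime(a) -> exists b. (b > a) and Prime(b))
BODY = Bin("and", Atom(">", ("b", "a")), Atom("Prime", ("b",)))
NOTES = Bin("and", Atom(">", ("b", 2)),
            Bin("imp", Atom("Prime", ("a",)), Quant("exists", "b", BODY)))

# Constructed capture case: [b/a](exists b. b > a) must not produce exists b. b > b
CAPTURE = Quant("exists", "b", Atom(">", ("b", "a")))
```

With these definitions, \texttt{subst(5, "b", NOTES)} replaces only the first $b$, because the second and third are bound by the $\exists$; \texttt{subst(2, "a'", subst("a'", "a", BODY))} reproduces the double substitution above; and \texttt{subst("b", "a", CAPTURE)} yields $\Exists{b':\Nat} (b' > b)$ rather than the wrong $\Exists{b:\Nat} (b > b)$. The same operation is what $\forall$Elim and $\exists$Intro perform with a natural number $n$.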
\clearpage
\subsection{Natural deduction, extended again (2018--02--01)}
\begin{grammar}
atomic formulas
&
$P, Q$
\\
formulas
&
$A, B, C$
&\bnfas&
$P
\bnfaltBRKn{atomic formula}
A \imp B
\bnfaltBRKn{implication}
A \AND B
\bnfaltBRKn{conjunction (and)}
A \OR B
\bnfaltBRKn{disjunction (or)}
\All{a:\Nat} A
\bnfaltBRKn{universal quantification}
\Exists{a:\Nat} A
\bnfaltBRKn{existential quantification}
\trueformula
\bnfaltBRKn{truth}
\falseformula
\BRKn{falsehood}
$
\end{grammar}
\judgbox{A \True}{$A$ is true}
\vspace*{-3ex}
\begin{mathpar}
\Infer{$\imp$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{A \True}{
B \True
}
}
{(A \imp B) \True}
\and
\Infer{$\imp$Elim}
{
A \imp B \True
\\
A \True
}
{B \True}
\\
\Infer{$\trueformula$Intro}
{
}
{
\trueformula \True
}
\and\text{no elimination rules for $\trueformula$}
\\
\Infer{$\AND$Intro}
{
A \True
\\
B \True
}
{A \AND B \True}
\and
\Infer{$\AND$Elim1}
{
A \AND B \True
}
{A \True}
~~~~~
\Infer{$\AND$Elim2}
{
A \AND B \True
}
{B \True}
\\
\Infer{$\forall$Intro\noteassume{\fighi{x}}}
{
\NDassume{\fighi{x}}{a:\Nat}{
B \True
}
}
{(\All{a:\Nat} B) \True}
~~~~~
\Infer{$\forall$Elim}
{
(\All{a:\Nat} B) \True
\\
n : \Nat
}
{[n/a]B \True}
\\
\Infer{$\OR$Intro1}
{
A \True
}
{A \OR B \True}
\and
\Infer{$\OR$Intro2}
{
B \True
}
{A \OR B \True}
\and
~~
\Infer{$\OR$Elim\noteassume{\fighi{x},\fighi{y}}}
{
A \OR B \True
\\
\NDassume{\fighi{x}}{A \True}
{
C \True
}
\\
\NDassume{\fighi{y}}{B \True}
{
C \True
}
}
{
C \True
}
\\
\text{no introduction rules for $\falseformula$}
\and
\Infer{$\falseformula$Elim}
{
\falseformula \True
}
{
C \True
}
\\
\Infer{$\exists$Intro}
{
n : \Nat
\\{}
\big([n/a]B\big) \True
}
{(\Exists{a:\Nat} B) \True}
~~~~~
\Infer{$\exists$Elim\noteassume{\fighi{x,y}}}
{
(\Exists{a:\Nat} B) \True
\\{}
\ndassume{\fighi{x}}{a:\Nat}{
\NDassume{\fighi{y}}{B \True}{
C \True
}}
}
{C \True}
\end{mathpar}
\subsubsection{Motivation for the new rules}
Here we have added rules for $\forall$, $\exists$, and $\falseformula$.
In class, I motivated the design through various symmetries:
\begin{itemize}
\item $\trueformula$ is a 0-ary conjunction, $\AND$ is a 2-ary (binary) conjunction,
$\forall$ is an $\infty$-ary (infinitary) conjunction.
\item $\falseformula$ is a 0-ary disjunction, $\OR$ is a 2-ary (binary) disjunction,
$\exists$ is an $\infty$-ary (infinitary) disjunction.
\end{itemize}
For $\forall$Intro, the 2 premises of $\AND$Intro for the 2-ary $\AND$
became ``infinite premises'', one for each natural number.
\[
\Infer{$\forall$Intro?}
{
[0/a]B \True
\\
[1/a]B \True
\\
[2/a]B \True
\\
\cdots
}
{(\All{a:\Nat} B) \True}
\]
Our actual $\forall$Intro rule represents this infinite set of premises as \emph{one} premise with an assumption
that $a$ is a natural number.
For $\forall$Elim, the 2 elimination rules of $\AND$Elim for the 2-ary $\AND$
became an infinite number of elimination rules.
\begin{mathpar}
\Infer{$\forall$Elim0}
{(\All{a:\Nat} B) \True}
{[0/a]B \True}
\and
\Infer{$\forall$Elim1}
{(\All{a:\Nat} B) \True}
{[1/a]B \True}
\and
\Infer{$\forall$Elim2}
{(\All{a:\Nat} B) \True}
{[2/a]B \True}
\and
\cdots
\end{mathpar}
Since we cannot directly write all the rules in the infinite set
$\{\forall\text{Elim0},
\forall\text{Elim1},
\forall\text{Elim2},
\forall\text{Elim3},
\dots\}$,
we replaced them with one rule that requires a specific $n$:
\begin{mathpar}
\Infer{$\forall$Elim}
{
(\All{a:\Nat} B) \True
\\
n : \Nat
}
{[n/a]B \True}
\end{mathpar}
If we choose $n = 0$, our $\forall$Elim does the same thing as $\forall$Elim0;
if we choose $n = 1$, it does the same thing as $\forall$Elim1, and so forth.
Moving on to $\exists$, I waved my hands about duality between $\forall$
and $\exists$---which suggests that aspects of $\forall$Intro
should find their way into $\exists$'s elimination rule,
and that aspects of $\forall$Elim should show up in $\exists$'s introduction rule.
I also (perhaps more clearly) used our rules for 2-ary disjunction $\OR$
to inform the rules for the infinitary disjunction $\exists$.
Thus, the 2 introduction rules for the 2-ary $\OR$
became an infinite number of introduction rules
\begin{mathpar}
\Infer{$\exists$Intro0}
{
\big([0/a]B\big) \True
}
{(\Exists{a:\Nat} B) \True}
\and
\Infer{$\exists$Intro1}
{
\big([1/a]B\big) \True
}
{(\Exists{a:\Nat} B) \True}
\and
\Infer{$\exists$Intro2}
{
\big([2/a]B\big) \True
}
{(\Exists{a:\Nat} B) \True}
\cdots
\end{mathpar}
which we coalesced into $\exists$Intro, noting that since the \emph{elimination}
rule for $\forall$ has a premise $n : \Nat$,
duality between $\forall$ and $\exists$ suggests that the \emph{introduction} rule
for $\exists$ should also have a premise $n : \Nat$, naming the specific
witness that is substituted for $a$.
Our elimination rule for $\exists$ has similar structure to our elimination rule for $\OR$.
We arrived at that structure in two steps. First, replicating the two $C \True$ premises of $\OR$Elim into an infinite set gives
\[
\Infer{$\exists$Elim\noteassume{\fighi{y_0}, \fighi{y_1}, \fighi{y_2}, \dots}}
{
(\Exists{a:\Nat} B) \True
~~~~
\NDassume{\fighi{y_0}}{[0/a]B \True}{
C \True
}
~~~
\NDassume{\fighi{y_1}}{[1/a]B \True}{
C \True
}
~~~
\NDassume{\fighi{y_2}}{[2/a]B \True}{
C \True
}
~~~
\cdots
}
{
C \True
}
\]
Second, we coalesced the infinite premises into a premise under the assumption $a : \Nat$.
\subsection{Historical notes (optional reading)}
\subsubsection{Assumptions and substitution}
In Gentzen's natural deduction system (``NJ'', essentially a misprint of ``NI''),
the assumptions $\xNDassume{x}{a : \Nat}$
are not written out. Moreover, Gentzen's rules rename the variable in the
quantifier (\eg the $a$ in $\All{a:\Nat} B$)
to a new variable $a'$: Instead of assuming $a : \Nat$ and $B \True$,
Gentzen assumes $[a'/a]B \True$ and calls the new variable $a'$ an \emph{Eigenvariable}.
(\emph{Eigen} is German for ``own'': the eigenvariable ``belongs'' to the particular application
of the rule.)
This ``extra'' substitution is painless in Gentzen's notation, because he wrote
quantifiers differently: instead of $\All{a:\Nat} A$, with
$\All{a:\Nat} \Prime(a)$ as a concrete example,
he wrote (roughly) $\All{a:\Nat} A(a)$.
Then the substitution of $a'$ for $a$ in the body $A(a)$ of the quantifier
can be written as $A(a')$. If this course were entirely about natural deduction,
I might have used Gentzen's notation since it is more compact than square-bracket substitutions,
but Gentzen's notation is not suited for code in programming languages.
By using square-bracket substitution, we can use the same notation consistently.
\subsubsection{Judgment form}
Gentzen did not write $\xTrue$ in judgments or derivations.
For example, Gentzen's original $\AND$Intro looked like this:
\[
\Infer{$\AND$--\textit{I}}
{\mathfrak A \\ \mathfrak B}
{\mathfrak A \AND \mathfrak B}
\]
\subsubsection{Included connectives}
Apart from such notational differences,
Gentzen's NJ differs from our development in several ways:
\begin{itemize}
\item NJ does not include $\trueformula$.
Without $\trueformula$, I think our $\falseformula$Elim would seem less plausible.
\item NJ does include negation, which still lurks on our horizon.
Also, while Gentzen has our exact $\falseformula$Elim,
he calls it a negation elimination rule\dots because he \emph{does} have
a way to derive $\falseformula$ through a negation-elimination rule.
\end{itemize}
\subsubsection{Local soundness}
For \citet[\S 5.13]{Gentzen35}, the introduction rules for a connective are its definition.
He informally explained (without using the term) an example of local soundness (for $\imp$),
noting that ``we need not go into the `informal sense' of the $\imp$-symbol'': local soundness
is an intensional (internal) property of the rules.
Later, the view that introduction rules define a connective became known as
\emph{verificationism} (we ``verify'' that $A \AND B \True$ is derivable by applying the introduction rule
for $\AND$). An opposing view, known as \emph{pragmatism}, regards the elimination rules
as ``the'' definition: the meaning of $A \AND B \True$ is \emph{what you can do with it}.
\section{Negation ($\lnot$)}
In Boolean logic, we may treat propositions as variables that are either true or false.
Up to about 1900, this conception was predominant in mathematical logic;
its first main challenge came from Brouwer (who, like Gentzen, wasn't a great human being)
in 1907. By the 1930s, Brouwer's \emph{intuitionism} had gained some popularity;
two of the four calculi of Gentzen's thesis are intuitionistic.
I won't cover the philosophical side of intuitionism; for that, look at the Stanford Encyclopedia's
``Intuitionistic Logic'' and follow the links in its second paragraph.
I will discuss a narrow technical side of intuitionism---how it affects the specific rules of
natural deduction---and the broader relationship of intuitionism and computing.
A bit is a binary digit, either 0 or 1.
Thinking of the truth of a logical proposition as a bit-value is well suited to digital circuits,
and to applications such as SAT solving.
Being clearly either 0 or 1 is the essential feature of a bit, which may suggest that the truth of a logical proposition
should be similarly clear:
\begin{itemize}
\item Consider an integer $m$. If $m$ is odd, $m$ is not even; if $m$ is even, $m$ is not odd.
Since every integer is either odd or even, every integer is either odd or not-odd.
So it seems reasonable for ``oddness'' to be a Boolean property, either true (odd) or false (not-odd $=$ even).
\item Consider a Turing machine, whose configuration is given by a tuple including the number of
its current state. Some states are designated as \emph{final states} (meaning that the machine has halted).
At any step of time, the machine is either \emph{in} a final state (its current state is in the set of final states)
or \emph{not} in a final state (its current state is not in the set of final states),
so the truth value of the proposition ``the current state is a final state'' is either true or false.
\end{itemize}
But undecidability spoils this clarity. We can ask whether a known integer (the current state)
is part of a small finite set of integers (the set of final states), and the answer will be immediate.
However, not all questions have answers.
\begin{itemize}
\item Consider a Turing machine, whose configuration is given by a tuple including the number of
its current state. If the machine is allowed to run indefinitely, will it reach a halting state?
\end{itemize}
While the Boolean formula $\textit{halts}(H)$ \emph{looks} like the Boolean formula
$\textit{in-a-final-state}(H)$, the truth value of $\textit{halts}(H)$ is much less clear,
because this is an undecidable problem. For \emph{specific} Turing machines we can
give an answer. For example:
\begin{itemize}
\item If the initial state of $H$ is a final state, then $\textit{halts}(H)$ is true.
\item If the Turing machine has only one state, which is not a final state, then $\textit{halts}(H)$
is false.
\end{itemize}
Being able to answer specific instances of the general question
does not mean the problem is decidable. In fact, we can answer the question for a
large number of Turing machines, by simulating the machine for a few million steps and checking
if it halts. If it halts, then $\textit{halts}(H)$ is true. If it doesn't halt, we haven't answered
the question. For some machines that never halt, we can say definitively that they don't halt
by providing a proof: ``The machine has only one state; therefore, it will always be in that state;
since that state is not a final state, the machine never halts.''
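The procedure just described, as an added example that is not part of the notes: a bounded simulation that returns a halting \emph{witness} (the step count) or an honest ``unknown'', together with the two structural cases from the text that do give a definite answer. The machine model, the sample machines and all names are my constructions.

```python
# Added example, not from the notes: a bounded simulation of a tiny Turing-machine
# model, returning a halting *witness* (the step count) or "unknown", alongside the
# two structural cases from the text that do yield a definite answer.
from collections import namedtuple

# delta maps (state, symbol) -> (new_state, written_symbol, head_move); blank is 0.
TM = namedtuple("TM", "states initial final delta")

def decide_structurally(m):
    """The two specific cases from the text: initial state final -> halts at step 0;
    a single non-final state -> never halts, because it can never leave that state."""
    if m.initial in m.final:
        return ("halts", 0)
    if len(m.states) == 1 and not m.final:
        return ("never-halts", "only one state and it is not final")
    return None

def simulate(m, bound):
    """Run at most `bound` steps.  ("halts", n) carries the witness n; ("unknown", bound)
    records only that the budget ran out, which is not a proof of non-halting."""
    state, head, tape = m.initial, 0, {}
    for n in range(bound + 1):
        if state in m.final:
            return ("halts", n)
        new_state, write, move = m.delta[(state, tape.get(head, 0))]
        tape[head] = write
        state, head = new_state, head + move
    return ("unknown", bound)

def halts(m, bound=1_000_000):
    """Intuitionistic-style answer: a witness, a proof, or an honest 'unknown'."""
    return decide_structurally(m) or simulate(m, bound)

# Constructed sample machines.
def staircase(k):
    """States 0..k, only k final; each step writes 1 and moves right: halts at step k."""
    return TM(states=set(range(k + 1)), initial=0, final={k},
              delta={(i, s): (i + 1, 1, +1) for i in range(k) for s in (0, 1)})

ONE_STATE = TM(states={0}, initial=0, final=set(),
               delta={(0, s): (0, s, +1) for s in (0, 1)})
# Bounces between two non-final states forever; no structural rule above covers it,
# so bounded simulation can only report "unknown" (a cycle argument would be a proof).
PING_PONG = TM(states={0, 1}, initial=0, final=set(),
               delta={(0, 0): (1, 0, +1), (0, 1): (1, 1, +1),
                      (1, 0): (0, 0, -1), (1, 1): (0, 1, -1)})
```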
In intuitionistic logics, statements of existence must be
backed with a \emph{witness} to the existence.
If I claim that the machine halts, I must show you when it halts.
If I claim that the machine doesn't halt, I must prove that to you.
A proposition is \emph{true} if \emph{and only if} you have a proof.
Thus, in intuitionistic logics, a statement like
\[
\text{either $\textit{halts}(H)$ or $\lnot\textit{halts}(H)$}
\]
is interpreted as
\[
\text{either there exists a proof of $\textit{halts}(H)$ or there exists a proof of $\lnot\textit{halts}(H)$}
\]
Since the halting problem is undecidable, the statement
\[
\text{for all $H$, either there exists a proof of $\textit{halts}(H)$ or there exists a proof of $\lnot\textit{halts}(H)$}
\]
is not true. (Whether we also say the statement is false is, I think, a matter of taste.)
So the statement
\[
\text{\tabularenvl{
for all propositions $P$,
\\ ~~~~ either there exists a proof of $P$ or there exists a proof of $\lnot P$
}}
\]
is false.
In natural deduction, the truth of a formula $A$ is determined by whether there exists a derivation of $A \True$.
Since natural deduction (through the atomic formulas that I deliberately haven't specified)
can talk about pretty much anything, we should not expect (after we add negation)
\[
\text{\tabularenvl{
for all formulas $A$,
\\ ~~~~ either there exists a natural-deduction derivation of $A \True$
\\ ~~~~ or there exists a natural-deduction derivation of $(\lnot A) \True$
}}
\]
This means we should not want a rule ``LEM'' (Law of the Excluded Middle):
\[
\Infer{LEM?}
{}
{(A \OR \lnot A) \True}
\]
If our mental model includes undecidable questions (and it should),
including this rule would make natural deduction unsound with respect to that mental model.
Rejecting LEM does \emph{not} reject negation entirely!
We can still have the Law of Contradiction:
\[
\Infer{LoC}
{
A \True
\\
(\lnot A) \True
}
{\falseformula \True}
\]
In fact, LoC was Gentzen's elimination rule for $\lnot$.
What was Gentzen's \emph{introduction} rule for $\lnot$?
\[
\Infer{$\lnot$Intro\noteassume{x}}
{\NDassume{x}{A \True}{
\falseformula \True
}
}
{(\lnot A) \True}
\]
Both LoC and $\lnot$Intro are laws permitted in Brouwer's intuitionistic mathematics.
Classical (not intuitionistic) logics do include LEM.
In addition to NJ (which is essentially the same as our rules),
Gentzen presented NK (for \emph{klassische}),
which is identical to NJ but adds the rule LEM.
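As an added example that is not part of the notes, a small checker for derivations in the negation fragment just discussed: LoC and $\lnot$Intro as given above, plus the two introduction rules for the 2-ary $\OR$ (named OrIntro1 and OrIntro2 here), and deliberately no LEM rule. The tuple encoding of formulas and derivations and the helper names are my choices; the derivation checked is the intuitionistic proof of $\lnot\lnot(A \OR \lnot A)$, which uses only these rules.

```python
# Added example, not from the notes: a checker for the negation fragment of natural
# deduction (LoC, NotIntro, and OrIntro1/OrIntro2 for the 2-ary OR); no LEM rule.
FALSE = ("false",)
def atom(p): return ("atom", p)
def Or(x, y): return ("or", x, y)
def Not(x): return ("not", x)

def D(rule, conclusion, *premises, label=None):
    # A derivation node; label names the assumption used (Hyp) or discharged (NotIntro).
    return (rule, conclusion, premises, label)

def check(deriv, assumptions=None):
    """Return deriv's conclusion if every step is a valid rule instance; else raise."""
    assumptions = assumptions or {}          # open assumptions: label -> formula
    rule, concl, prems, label = deriv
    if rule == "Hyp":                        # use an open assumption x : A True
        if assumptions.get(label) != concl:
            raise ValueError(f"{label} is not an open assumption of {concl}")
    elif rule in ("OrIntro1", "OrIntro2"):   # from X True (resp. Y True) get (X or Y) True
        side = 1 if rule == "OrIntro1" else 2
        if concl[0] != "or" or check(prems[0], assumptions) != concl[side]:
            raise ValueError(f"{rule}: premise is not disjunct {side}")
    elif rule == "LoC":                      # from A True and (not A) True get false True
        a, not_a = (check(p, assumptions) for p in prems)
        if concl != FALSE or not_a != Not(a):
            raise ValueError("LoC: premises are not A and (not A)")
    elif rule == "NotIntro":                 # discharge x : A True; body must derive false
        if concl[0] != "not" or check(prems[0], {**assumptions, label: concl[1]}) != FALSE:
            raise ValueError("NotIntro: body does not derive false from x : A")
    else:
        raise ValueError(f"no such rule: {rule}")   # e.g. a derivation citing "LEM"
    return concl
A = atom("A")
LEM_A = Or(A, Not(A))
def double_negation_of_lem():
    """Derivation of (not not (A or not A)) True from no open assumptions: it is
    intuitionistically derivable, although (A or not A) True itself is not."""
    hyp_x = D("Hyp", Not(LEM_A), label="x")
    # Under x : not(A or not A) and y : A: get A or not A, then false; discharge y.
    not_a = D("NotIntro", Not(A),
              D("LoC", FALSE, D("OrIntro1", LEM_A, D("Hyp", A, label="y")), hyp_x),
              label="y")
    # Under x alone: A or not A via the right disjunct, then false; discharge x.
    return D("NotIntro", Not(Not(LEM_A)),
             D("LoC", FALSE, D("OrIntro2", LEM_A, not_a), hyp_x), label="x")

def is_derivable(deriv):
    try: return check(deriv) is not None
    except ValueError: return False
```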
\input{coda.tex}
\end{document}
% Local Variables:
% TeX-master: "lec6-8"
% End: