A calculus supporting structured proofs - CiteSeerX
J. Inform. Process. Cybernet. EIK ?? (199?), (formerly: Elektron. Inform.verarb. Kybernet.)

A calculus supporting structured proofs By Bernd I. Dahn and Andreas Wolf

Abstract: Proofs in standard logical calculi have a simple structure (mostly a sequence, tree or set of related formulas). Therefore, formal proofs are hard to understand or to present in an intelligible way. The Block Calculus for first order logic introduced in this paper is a variant of natural deduction that has highly structured proofs. These proofs can be presented in many ways by hiding blocks of subproofs. Moreover, it can be easily extended by other calculi. We characterize the semantics of incomplete proof structures in the Block Calculus and prove its soundness and completeness.

Contents
1. Introduction
2. Some Definitions
3. Rules
4. Examples
5. Completeness and Soundness
6. Conclusion

1. Introduction

Verified proofs have to be written in a formalized logical calculus. This is tedious for a human user. For complex proof tasks, automated theorem provers can be used to perform a part of this work. However, proofs generated by these automated deductive systems are often hardly or not at all readable by humans, because they have very many formulas contained in a very simple structure, a sequence, a tree or a set of formulas, where some formulas are obtained from others by inference rules. If the user wants to know only the result, i.e. whether a proof or a refutation was found, that may be acceptable, but if the user wants to understand the proof, he must look at the whole lot of mostly uninteresting formulas. Even if the user is not interested in the subproofs generated by the automated systems, he still has to edit his part of the proof in a calculus that can be smoothly integrated with the calculi used by the provers. An intelligible presentation of a formal proof written in a standard logical calculus requires a more or less comprehensive restructuring, at least a linearisation of the proof (cf. [Li89]). Moreover, a lot of the necessary formal details have to be hidden for the benefit of the reader. On the other hand, the human user can take advantage of editing a proof in a structured way. He can concentrate on the part he is currently working on and hide other parts which have nothing to do with his actual focus of interest. It is only natural to preserve the structure of an interactively edited proof within the formal calculus until the final proof presentation. This can save a lot of restructuring effort. The Block Calculus (BC) developed here makes it possible to structure a proof so that the "uninteresting" parts can be hidden. In fact, BC may be considered as a combination of natural deduction with tools similar to those used in structured procedural programming. The BC is convenient for humans, but is also easy to implement. Due to its resemblance to the Natural Deduction calculus [Ge35] it should take little effort to translate proofs from other calculi into BC. [Ga94] gives examples for the formulation of rules of inference from other calculi in a similar style, and the algorithm in [Wo95] translates model elimination proofs into BC proofs. The design of the BC makes it possible to treat not only complete proofs, but also deductions with open premises or unconnected chains of inferences. This is the reason for its ability to cooperate with other logical calculi. Therefore the given proof of soundness will use specific techniques to deal with incomplete proofs.
The BC has been designed for the editing of interactive proofs in the ILF system [DGHWW94], supported by automated theorem provers like DISCOUNT [DP92], OTTER [MC90], SETHEO [LSBB92] and KoMeT using their specific logical calculi. If the ILF system is configured as a ProofPad, the user can edit a proof in the BC formatted as a sequence of proof lines, similar to the text in a text editor. The main task is to show that each line of the proof is a logical consequence of the preceding lines. This generates a sequence of proof problems which are passed automatically by ILF to the automated theorem provers mentioned above. If a prover succeeds in solving one of these proof problems, the corresponding line in the proof changes its status to 'proved'. While the automated systems search for a proof in the background, the user can continue to edit the proof. Thus the ILF background system works in a way similar to an on-line spell checker to verify the logical correctness of the proof. Theoretically, this is achieved by extending the BC by new rules as described below and justified by the included soundness proof. The concrete set of inference rules described in this paper is also the basis for a number of useful proof tactics in ILF. In general, the ILF user relies on the power of the available automated theorem provers and proof tactics. However, the completeness results of this paper make sure that the user can in principle achieve his proof tasks by the given rules of inference, independent of the additional tools provided by the system. Thus these rules of inference are implemented as the most basic tools for the human user, not as the basis of an automated theorem prover. ILF also has tools for the restructuring and natural language presentation of BC proofs. In combination with procedures for the transformation of formal proofs from other calculi into BC proofs, these tools can be applied to obtain intelligible presentations of proofs from other systems. The ILF proof transformation and presentation tools are available on the Internet via the ILF mail server. This server currently takes proofs in the BC or model elimination proofs from SETHEO or KoMeT and sends back natural language presentations of these proofs. The latter proofs are in a first step converted into BC proofs according to an algorithm from the second author (see [Wo95]). For current information on the ILF mail server, a mail with the text 'help' should be sent to [email protected]. This article will present in the second section some definitions and in the third the rules of the BC, illustrate them in the fourth by some examples and give the proof of completeness and soundness in the fifth section. Finally we give some conclusions.

2. Some Definitions

Let L be a fixed countable signature. In the following, signatures will be identified with the set of their nonlogical symbols. Moreover we fix a first order theory T in L.

Definition 2.1 A marked formula is a pair (A, S) where A is a formula and S is one of the reserved symbols pr, un or ass, or a block.

A block is a nonempty sequence of marked formulas. A block is said to be of level 0 if it contains no marked formula (A, S) with a block S; and it is said to be of level n+1 if the maximum of the levels of the blocks Sᵢ contained in its marked formulas (Aᵢ, Sᵢ) is n.

Definition 2.2 Let B be a block and (A, S) be a marked formula. If (A, S) is a member of B and S is a block itself, then S is a direct subblock of B. A block S is a subblock of a block T, if S = T or S is a direct subblock of a subblock of T. A marked formula is a submember of a block B if it is a member of a subblock of B.

A marked formula (A, S) can be viewed in a canonical way as a tree whose nodes are labelled with first order formulas. If S is a reserved symbol, the tree has a single node labelled with A. If S is a block, the root of the tree, labelled with A, has below itself the subtrees represented by the members of S. We see a block S in a marked formula (A, S) as an attempt to prove A. This attempt may require other attempts to prove other formulas in subblocks. (A, pr), (A, un) and (A, ass) are to be read as "A is proved", "A is unproved" and "A is assumed", respectively. Proofs in everyday mathematics make frequent use of temporary constants. E.g. in order to prove ∀x∀y(r(x, y) → x = y) it is common practice to start the proof by saying: let a, b be arbitrary elements such that r(a, b); we show that a = b. In this case, the constants a and b have no meaning outside this subproof. Also the assumption r(a, b) can only be used within this subproof. This kind of inference will be reflected in the BC by the concept of local constants, which is similar to the concept of local constants in procedural programming languages, and by the concept of usable formulas.


Definition 2.3 Given a block B, L(B) is the language consisting of L and a countably infinite set of constants (the local constants of B). We assume that B₁ ≠ B₂ implies L(B₁) ∩ L(B₂) = L. Let S be a direct subblock of a subblock B₁ of B. Then L(B, S) = L(B, B₁) ∪ L(S). Furthermore L(B, B) = L(B). L(B, S) is called the language of S inherited from B.

Definition 2.4 Let G = (A, ·) be a member of a block B. Then the set of formulas of B usable for G, use(B, G), is the set of all formulas H where a member (H, ·) precedes G in B. If G = (A, ·) is a member of a subblock B₁ of B, then use(B, G) = use(B₁, G) ∪ use(B, B₁). If G = (A, S) is a submember of B and S is a block, then use(B, S) = use(B, (A, S)).

Hence, usable for a marked formula G are all formulas standing in the same block S before G, the formulas before (·, S), and so on.

Example 2.1 Consider the block B = ((A → A ∨ B, B₁)) with B₁ = ((A, ass), (A ∨ B, B₂)) and B₂ = ((¬A, ass), (¬B, ass), (□, pr)), which can be written as ((A → A ∨ B, ((A, ass), (A ∨ B, ((¬A, ass), (¬B, ass), (□, pr)))))) or represented in tabular form as

A → A ∨ B
  ↪ A           ass
    A ∨ B
      ↪ ¬A      ass
        ¬B      ass
        □       pr

Here, the set of usable formulas of the formula ¬B is {A, ¬A}.

Definition 2.5 Let G = (A, ·) be a member of a subblock of B. Then the raw proof of G with respect to B is raw(B, G) = ⋀ use(B, G) → A. The raw proof of B, raw(B), is the universal closure of the conjunction of raw(B, G) over all members G of B without those of the form (A, ass), with all local constants substituted by variables.

Example 2.2 Consider again the block given above.

raw(B, (□, pr)) = A ∧ ¬A ∧ ¬B → □
raw(B) = A → A ∨ B
raw(B₁) = A → A ∨ B
raw(B₂) = ¬A ∧ ¬B → □
use(B, (A ∨ B, B₂)) = {A}

Definition 2.6 A block B is said to be correct with respect to the theory T and the language L if for all members G of B the following conditions hold:
1. If G = (A, ·) is a member of B, then A is a first order sentence in the language L ∪ L(B).
2. If G = (A, pr), then T ∪ use(B, G) ⊨ A.
3. If G = (A, S) and S is a block, then (a) S is correct with respect to T ∪ use(B, G) and L ∪ L(B, S), and (b) T ∪ use(B, G) ∪ {raw(S)} ⊨ A.

E.g., condition 2.6.3(b) means for the block B of the example above, with T = ∅ and G = (A ∨ B, B₂): {A} ∪ {¬A ∧ ¬B → □} ⊨ A ∨ B.

Definition 2.7 A block is said to be complete if there is no subblock containing members of the form (·, un).

Theorem 0.1 Let G = (A, S) be a member of a block B with S ≠ ass. If B is complete and correct with respect to a theory T and a language L, then T ∪ use(B, G) ⊨ A.

Proof. The theorem will be proved by induction on the level of B. If the level of B is 0, i.e. S = pr, the correctness of B implies the assertion immediately. Otherwise S is a complete block; then it is correct with respect to T ∪ use(B, G) and L ∪ L(B, S). So T ∪ use(B, G) ∪ {raw(S)} ⊨ A. The local constants of S do not occur in T ∪ use(B, G). Let G' = (A', S') be a member of S. Then by the induction hypothesis T ∪ use(B, G) ∪ use(S, G') ⊨ A'. So T ∪ use(B, G) ⊨ raw(S, G') = ⋀ use(S, G') → A'. Therefore T ∪ use(B, G) ⊨ raw(S) and so T ∪ use(B, G) ⊨ A. ∎

Corollary 0.1 Let B = ((A, S)) be a block that is complete and correct with respect to T and L. Then T ⊨ A.

Proof. Here use(B, (A, S)) = ∅. ∎
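As an added illustration of Definitions 2.1 to 2.5 (this is not code from the paper or from the ILF system), the following Python models marked formulas and blocks as plain nested lists and implements level, use and raw over them, checked against Examples 2.1 and 2.2. The representation is our own choice, since the paper fixes no data structure: marked formulas are tuples, a submember is addressed by its index path, formulas stay strings with □ as the contradiction symbol, and a local constant c becomes the variable x_c under the universal closure of Definition 2.5.

```python
import re

# Representation (an assumption of this example, not fixed by the paper):
# a marked formula is a pair (formula, S) with S one of "pr", "un", "ass"
# or a block; a block is a non-empty list of marked formulas (Definition 2.1).
# Formulas are strings, "□" is the contradiction symbol. A submember is
# addressed by its index path, e.g. (0, 1, 2) = member 2 of the block carried
# by member 1 of the block carried by member 0.
PR, UN, ASS = "pr", "un", "ass"


def level(block):
    """Definition 2.1: 0 if no member carries a block, else 1 + the largest sublevel."""
    sub = [level(s) for _, s in block if isinstance(s, list)]
    return 1 + max(sub) if sub else 0


def member(block, path):
    """The marked formula reached by descending along the index path."""
    for i in path[:-1]:
        block = block[i][1]
    return block[path[-1]]


def use(block, path):
    """Definition 2.4: formulas usable for the submember at `path`.

    Walking down from the outermost block, every member standing before the
    chosen index at each level contributes its formula; the members whose
    subblocks we descend into do not (use(B, S) = use(B, (A, S))).
    """
    usable, cur = [], block
    for depth, i in enumerate(path):
        usable.extend(f for f, _ in cur[:i])
        if depth < len(path) - 1:
            cur = cur[i][1]
    return usable


def raw(block, path):
    """Definition 2.5: raw(B, G) = (conjunction of use(B, G)) → A."""
    formula = member(block, path)[0]
    premises = use(block, path)
    return f"{' ∧ '.join(premises)} → {formula}" if premises else formula


def raw_block(block, local_constants=()):
    """Definition 2.5: the raw proof of a block, i.e. the conjunction of raw(B, G)
    over its non-assumption members, local constants replaced by variables
    (c becomes x_c) and closed universally."""
    parts = [raw(block, (i,)) for i, (_, s) in enumerate(block) if s != ASS]
    if not parts:
        return "⊤"  # empty conjunction (a block consisting of assumptions only)
    body = parts[0] if len(parts) == 1 else " ∧ ".join(f"({p})" for p in parts)
    for c in local_constants:
        body = re.sub(rf"\b{re.escape(c)}\b", f"x_{c}", body)
    for c in local_constants:
        body = f"∀x_{c} {body}"
    return body


# Example 2.1 of the paper: B = ((A → A ∨ B, B1)), B1 = ((A, ass), (A ∨ B, B2)),
# B2 = ((¬A, ass), (¬B, ass), (□, pr)).
B2 = [("¬A", ASS), ("¬B", ASS), ("□", PR)]
B1 = [("A", ASS), ("A ∨ B", B2)]
B = [("A → A ∨ B", B1)]

if __name__ == "__main__":
    print("level(B) =", level(B))                  # 2
    print("use(B, ¬B) =", use(B, (0, 1, 1)))       # ['A', '¬A'], as in Example 2.1
    print("raw(B, (□, pr)) =", raw(B, (0, 1, 2)))  # A ∧ ¬A ∧ ¬B → □
    for name, blk in ("B", B), ("B1", B1), ("B2", B2):
        print(f"raw({name}) =", raw_block(blk))     # the values of Example 2.2
```

The order in which `use` returns formulas is outermost block first, which is the order the paper's conjunctions are written in; Definition 2.4 itself only speaks of a set.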

3. Rules

By Corollary 0.1 a sentence A is a logical consequence of a theory T if a complete and correct block ((A, ·)) exists. Obviously, ((A, un)) is a correct block. Below we shall give sets of rules which transform blocks preserving their correctness. Then a sound proof concept is defined as follows.

Definition 3.1 A complete block B resulting from the application of a sequence of rules to the block ((A, un)) is a proof of A.

Now the rules of the calculus will be given.

Insertion Rule (insert): Let G be a member of a subblock B₁ of B. If A is an arbitrary formula of L(B, B₁), then the marked formula (A, un) can be inserted in B₁ immediately before G.

For a uniform treatment of the rules we introduce the following metarule.

Metarule: (A₁, …, Aₙ) ⟹ A means: Let G be a member of a subblock B₁ of a block B. Let A₁, …, Aₙ ∈ use(B, G) ∪ T and let A be a sentence of L(B, B₁). Then the marked formula (A, pr) can be inserted in B₁ immediately before G.


Introduce Contradiction Rule (in(□)): (A, ¬A) ⟹ □

Introduce And Rule (in(∧)): (A, B) ⟹ A ∧ B

Eliminate And Rule 1 (out(∧, 1)): A ∧ B ⟹ A

Eliminate And Rule 2 (out(∧, 2)): A ∧ B ⟹ B

Eliminate Or Rule (out(∨)): ((A ∨ B), (A → C), (B → C)) ⟹ C

Eliminate Implication Rule (out(→)): ((A), (A → B)) ⟹ B

Introduce Equivalence Rule (in(↔)): ((A → B), (B → A)) ⟹ (A ↔ B)

Eliminate Equivalence Rule 1 (out(↔, 1)): (A ↔ B) ⟹ (A → B)

Eliminate Equivalence Rule 2 (out(↔, 2)): (A ↔ B) ⟹ (B → A)

Introduce Exists Rule (in(∃)): A(t) ⟹ ∃xA(x), if x is a variable not occurring in A(t). It is not necessary to substitute the term t by x at all its occurrences in A.

Eliminate Forall Rule (out(∀)): ∀xA(x) ⟹ A(t) for a term t. Note that A(t) must be a sentence of L(B, B₁). Hence t must be a ground term of this language. The x must be substituted at all its occurrences.


Closure Rule (since): If A ∈ use(B, (A, S)) ∪ T, then (A, S) can be substituted by (A, pr). If (A, pr) then occurs twice immediately one behind the other, one occurrence can be omitted.

Indirect Rule (indirect): (A, S) can be substituted by (A, ((¬A, ass), (□, un))).

Direct Rule (direct): (A, S) can be substituted by (A, ((A, un))).

Introduce Not Rule (in(¬)): (¬A, S) can be substituted by (¬A, ((A, ass), (□, un))).

Introduce Implication Rule (in(→)): (A → B, S) can be substituted by (A → B, ((A, ass), (B, un))).

Introduce Or Rule (in(∨)): (A ∨ B, S) can be substituted by (A ∨ B, ((¬A, ass), (¬B, ass), (□, un))).

Eliminate Exists Rule (out(∃)): Let ∃xA(x) ∈ use(B, G) ∪ T, where G is a member of a subblock B₁ of B. Let also c be a local constant of B₁ not yet occurring in the block B₁. Then (A(c), ass) can be inserted in B₁ immediately before G.

Introduce Forall Rule (in(∀)): (∀xA(x), S) can be substituted by (∀xA(x), ((A(c), un))), if c is a local constant of the newly created subblock ((A(c), un)).

4. Examples

Example 4.1 To prove the formula A ∨ ¬A we start with the block

A ∨ ¬A    un

By in(∨) this will be expanded to the block

A ∨ ¬A
  ↪ ¬A    ass
    ¬¬A   ass
    □     un

Applying in(□) at the subblock we get the block

A ∨ ¬A
  ↪ ¬A    ass
    ¬¬A   ass
    □     pr
    □     un

At last, since completes the block to a proof:

A ∨ ¬A
  ↪ ¬A    ass
    ¬¬A   ass
    □     pr

Example 4.2 Now we prove the formula A → B from B, starting with the block

A → B    un

Using insert and since with the formula B, the block can be expanded to

B        pr
A → B    un

By in(→) on the second member of the block we get

B        pr
A → B
  ↪ A    ass
    B    un

since leads to a complete block

B        pr
A → B
  ↪ A    ass
    B    pr

Example 4.3 We prove A → A ∨ B from the start block using in(→) first and get

A → A ∨ B
  ↪ A        ass
    A ∨ B    un

in(∨) brings the block

A → A ∨ B
  ↪ A        ass
    A ∨ B
      ↪ ¬A   ass
        ¬B   ass
        □    un

A and ¬A are usable for (□, un), and so in(□) will create

A → A ∨ B
  ↪ A        ass
    A ∨ B
      ↪ ¬A   ass
        ¬B   ass
        □    pr
        □    un

and since will complete this to

A → A ∨ B
  ↪ A        ass
    A ∨ B
      ↪ ¬A   ass
        ¬B   ass
        □    pr

Example 4.4 At last we prove a quantified formula. To prove ¬∀xA(x) → ∃x¬A(x) we apply at first in(→) and get

¬∀xA(x) → ∃x¬A(x)
  ↪ ¬∀xA(x)    ass
    ∃x¬A(x)    un

By indirect this can be transformed to

¬∀xA(x) → ∃x¬A(x)
  ↪ ¬∀xA(x)        ass
    ∃x¬A(x)
      ↪ ¬∃x¬A(x)   ass
        □          un

Using insert with the formula ∀xA(x), then in(□) and then since we get

¬∀xA(x) → ∃x¬A(x)
  ↪ ¬∀xA(x)        ass
    ∃x¬A(x)
      ↪ ¬∃x¬A(x)   ass
        ∀xA(x)     un
        □          pr

Now only ∀xA(x) is unproved. Here we apply in(∀) with the new local constant c and then indirect. In the following only the first subblock is displayed.

¬∀xA(x)          ass
∃x¬A(x)
  ↪ ¬∃x¬A(x)     ass
    ∀xA(x)
      ↪ A(c)
          ↪ ¬A(c)    ass
            □        un
    □            pr

At last, an ∃ will be introduced for ¬A(c) with in(∃), then in(□) and since will be applied to get a complete block.

¬∀xA(x)          ass
∃x¬A(x)
  ↪ ¬∃x¬A(x)     ass
    ∀xA(x)
      ↪ A(c)
          ↪ ¬A(c)      ass
            ∃x¬A(x)    pr
            □          pr
    □            pr

This description also illustrates the intention of the definition of usable formulas: use(B, G) of a member G is the set of all formulas of the block which lie above the line leading from G always one step left and up.
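The rules of Section 3 can be implemented as small transformations of the block data structure, which makes Examples 4.1 to 4.3 replayable and checks mechanically that a rule's side condition holds before the block is changed: the premises of a metarule must be usable (or lie in T), and the formula closed by since must be usable or in T. The Python below is an added example, not the paper's or ILF's code. Its representation is an assumption of the example: formulas are strings with □ as the contradiction, a marked formula is a (formula, status) tuple, a block is a list, submembers are addressed by index paths, `theory` stands for T, and `usable` restates Definition 2.4. Formulas are decomposed only at their outermost connective, which is all the propositional examples need.

```python
# Representation as in Section 2 (an assumption of this example): a marked
# formula is (formula, S) with S in {"pr", "un", "ass"} or a block (a list);
# formulas are strings, "□" is the contradiction, `theory` plays the role of T.
PR, UN, ASS = "pr", "un", "ass"

def usable(block, path):
    """Definition 2.4, restated: every formula standing before the chosen index at each level."""
    out, cur = [], block
    for i in path:
        out += [f for f, _ in cur[:i]]
        cur = cur[i][1]
    return out

def parent(block, path):
    """The subblock holding the member at `path`, and that member's index in it."""
    for i in path[:-1]:
        block = block[i][1]
    return block, path[-1]

def formula_at(block, path):
    sub, i = parent(block, path)
    return sub[i][0]

def split(formula, connective):
    """Split at the outermost (parenthesis depth 0) occurrence of a binary connective."""
    depth = 0
    for k, ch in enumerate(formula):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == connective:
            return formula[:k].strip(), formula[k + 1:].strip()
    raise ValueError(f"{formula!r} has no outermost {connective}")

def neg(formula):
    """¬formula, parenthesised when the formula carries a binary connective."""
    return f"¬({formula})" if any(c in formula for c in "→∨∧↔") else "¬" + formula

def insert(block, path, formula):
    """Insertion Rule (insert): (formula, un) goes in immediately before the member at `path`."""
    sub, i = parent(block, path)
    sub.insert(i, (formula, UN))

def metarule(block, path, premises, conclusion, theory=()):
    """Metarule: each premise must be usable at `path` or lie in T; then (conclusion, pr) is inserted there."""
    missing = [p for p in premises if p not in set(usable(block, path)) | set(theory)]
    if missing:
        raise ValueError(f"premises {missing} are not usable at {path}")
    sub, i = parent(block, path)
    sub.insert(i, (conclusion, PR))

def in_box(block, path, a, theory=()):
    """Introduce Contradiction Rule in(□): (A, ¬A) ⟹ □."""
    metarule(block, path, [a, neg(a)], "□", theory)

def since(block, path, theory=()):
    """Closure Rule (since): (A, S) becomes (A, pr) if A is usable or in T; a duplicate (A, pr) just before it is dropped."""
    sub, i = parent(block, path)
    a = sub[i][0]
    if a not in set(usable(block, path)) | set(theory):
        raise ValueError(f"{a!r} is not usable at {path}")
    sub[i] = (a, PR)
    if i > 0 and sub[i - 1] == (a, PR):
        del sub[i - 1]

def expand(block, path, subblock):
    """(A, S) at `path` becomes (A, subblock): the shape shared by indirect, in(¬), in(→) and in(∨)."""
    sub, i = parent(block, path)
    sub[i] = (sub[i][0], subblock)

def in_impl(block, path):
    """in(→): (A → B, S) ↦ (A → B, ((A, ass), (B, un)))."""
    a, b = split(formula_at(block, path), "→")
    expand(block, path, [(a, ASS), (b, UN)])

def in_or(block, path):
    """in(∨): (A ∨ B, S) ↦ (A ∨ B, ((¬A, ass), (¬B, ass), (□, un)))."""
    a, b = split(formula_at(block, path), "∨")
    expand(block, path, [(neg(a), ASS), (neg(b), ASS), ("□", UN)])

def complete(block):
    """Definition 2.7: no submember of the form (·, un)."""
    return all(s != UN and (not isinstance(s, list) or complete(s)) for _, s in block)

def example_4_1():
    """Example 4.1: A ∨ ¬A by in(∨), then in(□) (¬A and ¬¬A are usable), then since."""
    b = [("A ∨ ¬A", UN)]
    in_or(b, (0,))
    in_box(b, (0, 2), "¬A")
    since(b, (0, 3))            # closes (□, un); the duplicate (□, pr) disappears
    return b

def example_4_3():
    """Example 4.3: A → A ∨ B by in(→), in(∨), in(□), since."""
    b = [("A → A ∨ B", UN)]
    in_impl(b, (0,))
    in_or(b, (0, 1))
    in_box(b, (0, 1, 2), "A")   # A and ¬A are usable for (□, un)
    since(b, (0, 1, 3))
    return b

if __name__ == "__main__":
    for ex in (example_4_1, example_4_3):
        b = ex()
        print(b, "- complete" if complete(b) else "- incomplete")
```

Example 4.2 runs through the same functions with `theory=("B",)` passed to `since`, which is how a formula of T becomes usable without being a member of any block. The side-condition checks are the point of the exercise: an in(□) step attempted before the ¬A assumption exists is rejected, exactly as the metarule requires.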


5. Completeness and Soundness

Theorem 0.2 Let B' be a block created by application of a rule of BC to a correct block B. Then B' is correct.

Proof. The first condition of the definition of correctness 2.6, demanding that the formulas in a block are from the appropriate language, is obviously preserved. Furthermore, for each member G of B, use(B, G) ⊆ use(B', G), since no formulas are removed. Therefore the second condition must be shown only for those members (A, pr) of B' not contained in B. In order to show the third condition of definition 2.6 it suffices to show that
– for marked formulas G = (A, S) with a block S, raw(S) follows from T ∪ use(B', G) ∪ {raw(S')}, where the rule has transformed S into S', and
– the condition holds for all members of B' introduced by the rule.
We show this for the submembers of B' of level 0, then for those of level 1, and so on. Condition (3.b) is to be seen immediately. Now we verify the remaining conditions for the rules of BC.

Insertion Rule: It is to show that for each submember G = (A, S) of B with a block S, raw(S) follows from T ∪ use(B', G) ∪ {raw(S')}, where S' results from S by insertion of a marked formula (H, un). The local constants of S do not occur in the formulas of T ∪ use(B', G) ∪ {raw(S')}. So it is only to verify that for members G' = (A', S'') of S with S'' ≠ ass the formulas raw(S, G') = ⋀ use(S, G') → A' follow from T ∪ use(B', G) ∪ {raw(S')}. If (H, un) is inserted after G', raw(S, G') equals raw(S', G') and is a consequence of raw(S'). In the other case use(S', G') = use(S, G') ∪ {H} and raw(S', G') is logically equivalent to ⋀ use(S, G') → (H → A'). raw(S', G') and raw(S', (H, un)) = ⋀ use(S', (H, un)) → H follow from raw(S'). Furthermore, in this case use(S', (H, un)) ⊆ use(S, G'). Therefore raw(S') ⊨ raw(S, G') = ⋀ use(S, G') → A'.

Metarule: Let H₁, …, Hₙ ⟹ H be a metarule. Then H₁ ∧ … ∧ Hₙ → H is a tautology. Let (H, pr) be inserted immediately before (A', S'). For each submember G of B we have use(B', G) = use(B, G) or use(B', G) = use(B, G) ∪ {H}. In the latter case H₁, …, Hₙ ∈ use(B, G) ∪ T, and so use(B', G) ∪ T and use(B, G) ∪ T are always logically equivalent. Therefore the correctness is valid for all members of B. For (H, pr) it is obvious.

The correctness of the Closure Rule is obvious.

Eliminate Exists Rule: Let (H(c), ass) be inserted by the rule in a subblock S immediately before a member G₀. We assume that ∃xH(x) ∈ T ∪ use(B, G₀) and that c is a new local constant of S. Let S' result in that way from S. We show T ∪ use(B, S) ∪ {raw(S')} ⊨ raw(S). The local constants of S do not occur in T ∪ use(B, S) ∪ {raw(S')}. Therefore it is only to show that for each member G' = (A', S'') of S with S'' ≠ ass the formula raw(S, G') = ⋀ use(S, G') → A' follows from T ∪ use(B, S) ∪ {raw(S')}. raw(S', G') follows from raw(S'). If G' lies before G₀, then raw(S, G') = raw(S', G') and it was taken into account by the construction of raw(S'). In the other case ∃xH(x) ∈ T ∪ use(B, G') = T ∪ use(B, S) ∪ use(S, G'). Furthermore raw(S', G') is equivalent to ⋀ use(S, G') → (H(c) → A'). c occurs only in H(c), and so that is equivalent to ⋀ use(S, G') → (∃xH(x) → A'). If ∃xH(x) ∈ use(S, G'), the formula raw(S', G') is equivalent to ⋀ use(S, G') → A' = raw(S, G'), i.e. raw(S, G') and raw(S', G') are equivalent. Else ∃xH(x) ∈ T ∪ use(B, S) and the equivalence of raw(S, G') and raw(S', G') follows from T ∪ use(B, S). In this case also T ∪ use(B, S) ∪ {raw(S')} ⊨ raw(S, G').

To treat the other rules we prove a general principle, from which all the other rules follow immediately.

Principle: Let ((H₁, ass), …, (Hₙ, ass), (H, un)) be a block. Let H' be constructed from H₁ ∧ … ∧ Hₙ → H by replacing all local constants by variables and closing up universally. Assume {H'} ∪ T ∪ use(B, (A, S)) ⊨ A. Then the block B' obtained from a block B, which is correct with respect to T and L, by replacing (A, S) by (A, ((H₁, ass), …, (Hₙ, ass), (H, un))), is also correct with respect to T and L.

Now we prove this principle. Let S' = ((H₁, ass), …, (Hₙ, ass), (H, un)). Then raw(S', (H, un)) = H₁ ∧ … ∧ Hₙ → H and raw(S') = H'. Furthermore use(B', (A, S')) = use(B, (A, S)). The assumption then leads to T ∪ use(B', (A, S')) ∪ {raw(S')} ⊨ A. ∎

Corollary 0.2 The calculus BC is sound, i.e. if there is a correct and complete block obtained from ((A, un)) with respect to T and L, then A is valid in T.

Proof. Follows immediately from Theorem 0.2 and Corollary 0.1. ∎

Now we prove the completeness of BC with standard methods.

Definition 5.1 Let C₀ be a countably infinite set of constants usable as local constants of a block. A sequence (A₁, …, Aₙ) of formulas of L ∪ C₀ is said to be consistent if it is not possible to transform the block ((A₁, ass), …, (Aₙ, ass), (□, un)), with C₀ as the set of local constants, into a complete block using the rules.

Lemma 0.1 Let (A₁, …, Aₙ) be consistent and A be a formula of L ∪ C₀. Then one of the sequences (A₁, …, Aₙ, A), (A₁, …, Aₙ, ¬A) is consistent.

Proof. We prove the lemma indirectly. We assume that both sequences are not consistent. In ((A₁, ass), …, (Aₙ, ass), (□, un)) we insert by insert the marked formula (A ∨ ¬A, un) before the last member of the block. By in(∨) we replace it by (A ∨ ¬A, ((¬A, ass), (¬¬A, ass), (□, un))). The created subblock can be completed by in(□). Now the marked formula (A → □, un) will be inserted before the last member of the main block and transformed by the rule in(→) to (A → □, ((A, ass), (□, un))). For (□, un), the formulas A and A₁, …, Aₙ are usable. Therefore, by the assumption, the subblock can be completed. Analogously, it is possible to transform the main block in such a way that the last but one member is (¬A → □, S) with a complete block S. Now, by out(∨) the marked formula (□, un) can be replaced by (□, pr). This leads to a complete block. ∎

Lemma 0.2 Let H₁, …, Hₙ ∈ {A₁, …, Aₙ}, let H₁, …, Hₙ ⟹ H be a special case of the metarule which is a rule of the BC, and let H be a formula of L ∪ C₀. Then (A₁, …, Aₙ, ¬H) is not consistent.

Proof. ((A₁, ass), …, (Aₙ, ass), (¬H, ass), (□, un)) can be transformed to a complete block by inserting (H, pr) by the rule and then applying in(□). ∎

Lemma 0.3 Let A ∈ {A₁, …, Aₙ} or B ∈ {A₁, …, Aₙ}. Then (A₁, …, Aₙ, ¬(A ∨ B)) is not consistent.

Proof. First insert (A ∨ B, un) before (□, un) and replace that member by in(∨) by (A ∨ B, ((¬A, ass), (¬B, ass), (□, un))). A or B is usable in this subblock, and so it can be completed, and the last member of the main block can be replaced by (□, pr) according to in(□). ∎

Lemma 0.4 If ¬A, ¬B ∈ {A₁, …, Aₙ}, then (A₁, …, Aₙ, A ∨ B) is not consistent.

Proof. Insert (A → □, un) and (B → □, un) before the last member in ((A₁, ass), …, (Aₙ, ass), (A ∨ B, ass), (□, un)). Replace the un of the inserted members by in(→) by ((A, ass), (□, un)) and ((B, ass), (□, un)) respectively. The formula ¬A is usable for the (□, un) following (A, ass), so that subblock can be completed. Analogously, the subblock with B can be treated. At last, the last (□, un) can be replaced by out(∨) by (□, pr). ∎

Lemma 0.5 If B ∈ {A₁, …, Aₙ}, then (A₁, …, Aₙ, ¬(A → B)) is not consistent.

Proof. Insert (A → B, un) as the last but one member in ((A₁, ass), …, (Aₙ, ass), (¬(A → B), ass), (□, un)). The rules in(→) and since complete (A → B, ·), and the in(□) rule leads to a complete block. ∎

Lemma 0.6 If ¬A ∈ {A₁, …, Aₙ}, then (A₁, …, Aₙ, ¬(A → B)) is not consistent.

Proof. At first insert as the last but one member (A → B, un) and replace it by in(→) by (A → B, ((A, ass), (B, un))). The last member of that subblock can be replaced by indirect by (B, ((¬B, ass), (□, un))). Because A and ¬A are usable for (□, un), the block can be completed. ∎

Lemma 0.7 Let (A₁, …, Aₙ) be consistent, ∃xA(x) ∈ {A₁, …, Aₙ} and let c be a local constant of C₀ not occurring in A₁, …, Aₙ. Then (A₁, …, Aₙ, A(c)) is consistent.

Proof. Follows immediately from the rule out(∃). ∎

Lemma 0.8 Let (A₁, …, Aₙ) be consistent, ¬∀xA(x) ∈ {A₁, …, Aₙ} and let c be a local constant of C₀ not occurring in A₁, …, Aₙ. Then (A₁, …, Aₙ, ¬A(c)) is consistent.

Proof. Consider the block ((A₁, ass), …, (Aₙ, ass), (∀xA(x), un), (□, pr)), created from ((A₁, ass), …, (Aₙ, ass), (□, un)) using insert and in(□). The unproved member can be replaced by (∀xA(x), ((A(c₁), un))) with a new local constant c₁. ((A(c₁), un)) will be replaced by ((A(c₁), ((¬A(c₁), ass), (□, un)))) using the rule indirect. The formulas A₁, …, Aₙ are usable for the subblocks occurring there. If ((A₁, ass), …, (Aₙ, ass), (¬A(c), ass), (□, un)) can be completed, i.e. if the sequence (A₁, …, Aₙ, ¬A(c)) is not consistent, then a completion can be transformed by renaming of constants to a completion of the block considered above. But then (A₁, …, Aₙ) is not consistent. ∎

Theorem 0.3 Each consistent sequence has a model that is a model of T, too.

Proof. Let F₀ be a consistent sequence. Let (H₀, H₁, …) be a sequence of all formulas of L ∪ C₀ with infinitely many occurrences of each formula. Then we define a sequence (F₀, F₁, …) of consistent sequences where Fₙ is the beginning of Fₙ₊₁. Let Fₙ be defined and let (Fₙ, Hₙ) be consistent. If Hₙ has the form ∃xA(x), then let Fₙ₊₁ = (Fₙ, Hₙ, A(c)) for a constant c ∈ C₀ not occurring in Fₙ and Hₙ. Fₙ₊₁ is consistent (Lemma 0.7). If Hₙ has the form ¬∀xA(x), then let Fₙ₊₁ = (Fₙ, Hₙ, ¬A(c)) for a constant c ∈ C₀ not occurring in Fₙ and Hₙ. Fₙ₊₁ is consistent (Lemma 0.8). Otherwise Fₙ₊₁ = (Fₙ, Hₙ). If (Fₙ, Hₙ) is not consistent, then Fₙ₊₁ = (Fₙ, ¬Hₙ) is consistent (Lemma 0.1). Let M be an interpretation whose universe is the set of ground terms of the language L ∪ C₀, and where an atomic formula is valid if and only if it occurs in a sequence Fₙ. We claim that for all formulas H the following holds: M ⊨ H iff H occurs in one of the sequences Fₙ. By construction Hₙ or ¬Hₙ occurs in Fₙ₊₁, but not both can occur in the same Fₘ because of in(□). So ¬Hₙ occurs in an Fₘ iff Hₙ does not. The rules in(∧) and out(∧) ensure that A ∧ B occurs in an Fₙ iff both A and B occur in such an Fₙ. If A or B occurs in an Fₙ with Hₙ = A ∨ B, then by Lemma 0.3 ¬(A ∨ B) cannot be appended consistently to Fₙ. Thus A ∨ B occurs in Fₙ₊₁. If both A and B do not occur in any Fₙ, then ¬A and ¬B occur in an Fₙ with Hₙ = A ∨ B. Then by Lemma 0.4 ¬(A ∨ B) is contained in Fₙ₊₁ and so A ∨ B does not occur in any Fₘ. If B occurs in an Fₙ, then ¬(A → B) cannot occur in any Fₙ (Lemma 0.5), and so A → B is in an Fₙ. Assume that ¬B occurs in an Fₙ. If A also does, then because of the rule in(→) the formula A → B cannot occur in any of the Fₙ. If A does not occur, then ¬A must occur in an Fₙ, thus ¬(A → B) cannot occur (Lemma 0.6). Therefore A → B must occur in an Fₙ. Because of the rules for treating the equivalence and of Lemma 0.2, A ↔ B occurs in an Fₙ iff both formulas A → B and B → A occur in one of the Fₙ. If ∃xA(x) or ¬∀xA(x) occur, then A(c) or ¬A(c) do so for a constant c because of the construction of the sequences Fₙ. Because of the rules in(∃) and out(∀), for each ground term t of L ∪ C₀ one of the formulas ¬A(t) or A(t) lies in an Fₙ if ¬∃xA(x) or ∀xA(x) occur in an Fₙ. Now, by induction on the construction of H it is easy to see that M ⊨ H iff H occurs in an Fₙ. The formulas of T are usable for each block. Thus none of the Fₙ can contain a negation of any of the axioms of T. So M ⊨ T. ∎

Corollary 0.3 T ⊨ A if and only if there is a proof of A from T in BC.

Proof. Assume that there is a proof of A from T. ((A, un)) is transformed by direct into ((A, ((A, un)))). By our assumption the inner (A, un) in this block can be transformed into a complete block S. Hence ((A, un)) can be transformed into a complete block of the form ((A, S)), giving T ⊨ A by Corollary 0.1. Assume that ((A, un)) cannot be transformed into a complete block. If (¬A) were not consistent, the block ((A, ((¬A, ass), (□, un)))) obtained from ((A, un)) by indirect could be completed. Thus (¬A) is consistent. Because of Theorem 0.3 there is a model of T that is not a model of A. ∎

6. Conclusion

We have shown the soundness and completeness of a proof system for first order logic that has highly structured proofs. It must be admitted that a problem of the Block Calculus is that its proofs tend to be overstructured. However, there are additional rules of inference that can be used to simplify blocks. These rules are easily seen to preserve the correctness of blocks. Hence they can be added without violating the soundness of the logic.

Deleting multiple formulas

If G₀, …, Gₙ are submembers of a block B such that each Gᵢ has the form (A, ·) for some sentence A and such that G₀ < … < Gₙ, then G₁, …, Gₙ can be omitted.

Lifting the last block

If G₀ = (A₀, S₀) is the last member of a block S and S₀ is a block, G₀ can be replaced by the members of S₀ after replacing local constants of S₀ by new local constants of S. Note that only the last block can be lifted this way, in order not to introduce formulas into S that should not be used to prove later members of S.

Lifting assumption free blocks

If G' = (A', S') is a member of a block S and S' is a block such that no member of S' has the form (·, ass), G' can be replaced by the members of S' after replacing local constants of S' by new local constants of S.

However, the main tool to obtain an intelligible layout of the proofs will certainly be not to display specific subblocks which are of less interest to the reader. Understanding proofs in the Block Calculus is also facilitated by the fact that the structure of its proofs is essentially linear, so that proofs can be traversed in a canonical way from the first to the last formula.

Definition 6.1 The linear order ≺ can be defined on the set of submembers of a proof as the least partial order that satisfies the following conditions:
1. If G₁, G₂ are members of the same block S and G₁ occurs in S before G₂, then G₁ ≺ G₂.
2. If G₁ = (A₁, S₁) is a marked formula, S₁ is a block and G is a submember of S₁, then G ≺ G₁.
3. If G₂ = (A₂, S₂) is a marked formula, S₂ is a block, G is a submember of S₂ and G₁ ≺ G₂, then G₁ ≺ G.


Example 6.1 The example given as 4. displayed using the order ≺ looks like the following.

| ¬∀xA(x)                 ass
| | ¬∃x¬A(x)              ass
| | | | ¬A(c)             ass
| | | | ∃x¬A(x)           pr
| | | | □                 pr
| | | A(c)                *
| | ∀xA(x)                *
| | □                     pr
| ∃x¬A(x)                 *
¬∀xA(x) → ∃x¬A(x)         *
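Definition 6.1 says that the submembers of a subblock S₁ precede the marked formula (A₁, S₁) that carries it, and that members of one block keep their order, so ≺ is the post-order traversal of the proof tree. The following Python (an added example with a list-based representation of blocks, not code from the paper) computes that order and reproduces the layout of Example 6.1 from the final block of Example 4.4, marking with * the members that carry a block. It also reads use(B, G) off the ≺-list by the "one step left and up" walk described at the end of Section 4, so the two views of usable formulas can be compared; the representation, the `x_c` style names and the function names are assumptions of this example.

```python
# Representation (an assumption of this example): a marked formula is
# (formula, S) with S one of "pr", "un", "ass" or a block (a list of marked
# formulas); formulas are strings and "□" is the contradiction.
PR, UN, ASS = "pr", "un", "ass"

def linear_order(block, depth=0):
    """Yield (depth, formula, status) for every submember of `block` in ≺-order.

    Condition 1 of Definition 6.1 keeps the order inside a block, condition 2
    puts the submembers of S1 before (A1, S1), and condition 3 carries the
    order across nesting: together that is a post-order walk of the tree.
    """
    for formula, status in block:
        if isinstance(status, list):
            yield from linear_order(status, depth + 1)
            yield depth, formula, "*"       # a member carrying a block is shown with *
        else:
            yield depth, formula, status

def render(block):
    """One line per submember, one '|' per nesting level, as in Example 6.1."""
    return [f"{'| ' * d}{f}  {s}" for d, f, s in linear_order(block)]

def usable_by_order(block, k):
    """use(B, G) for the k-th entry of the ≺-list: walk upward from G and take a
    line whenever it is no deeper than the last line taken ("one step left and
    up"); lines of subblocks that were closed earlier are skipped that way."""
    entries = list(linear_order(block))
    threshold, found = entries[k][0], []
    for d, f, _ in reversed(entries[:k]):
        if d <= threshold:
            found.append(f)
            threshold = d
    return found[::-1]

# Final block of Example 4.4, transcribed from the paper's display.
S4 = [("¬A(c)", ASS), ("∃x¬A(x)", PR), ("□", PR)]
S3 = [("A(c)", S4)]
S2 = [("¬∃x¬A(x)", ASS), ("∀xA(x)", S3), ("□", PR)]
S1 = [("¬∀xA(x)", ASS), ("∃x¬A(x)", S2)]
EXAMPLE_4_4 = [("¬∀xA(x) → ∃x¬A(x)", S1)]

if __name__ == "__main__":
    print("\n".join(render(EXAMPLE_4_4)))
    # usable formulas for the (□, pr) member of S2 (entry 7 of the list):
    print(usable_by_order(EXAMPLE_4_4, 7))   # ['¬∀xA(x)', '¬∃x¬A(x)', '∀xA(x)']
```

For the (□, pr) member of S2 the walk yields ¬∀xA(x), ¬∃x¬A(x) and ∀xA(x), which is exactly use(B, G) by Definition 2.4: the two formulas before it in S2 plus the assumption before (∃x¬A(x), S2) in S1, while the lines of the already closed subblock S3 are passed over because they are deeper.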

If D is any other correct deductive system that proved A₁ ∧ … ∧ Aₙ → A, the block calculus can be extended by adding a new rule of inference A₁ ∧ … ∧ Aₙ ⟹ A. The proof of Theorem 0.1 shows immediately that the resulting system will still be correct. In this way the ILF system combines the Block Calculus for interactive proof editing with the calculi used by the integrated theorem provers DISCOUNT, SETHEO and OTTER. The rules of BC are in direct correspondence with the rules of natural deduction. The only difference is the rule for the introduction of disjunction, because it is easier to derive the natural deduction rule A ⟹ A ∨ B from our rule than conversely. However, there are important differences in the actual use of both calculi. A natural deduction proof can start with any axiom, working forward generating sequents. In the Block Calculus the formula to be proved must be known before a proof can be started. Nevertheless, forward chaining proofs are still possible. In a natural deduction proof as described in [Ge35] each sequent contains in its body all formulas necessary to prove its head. Taken literally, this leads to many duplications of formulas. Therefore an efficient implementation of natural deduction has to introduce an additional management of formulas which is not required for an implementation of BC. In order to proceed with an incomplete proof in natural deduction the user can choose any of the available sequents to be treated by a rule of inference, and it is not clear how this choice can be supported by the machine. In the Block Calculus the set of usable formulas for a given subblock gives much more specific hints. Moreover, this set of formulas together with the input theory can be given to an automated theorem prover that may try to complete the subproof. Finally, to present a natural deduction proof (see [Hu94]) it has to be considered as a directed acyclic graph with sequents in its nodes. This graph is traversed and the formulae of the sequents are extracted, keeping track of their logical dependencies as they are coded in the graph and the individual sequents. In this way a linear sequence of formulas has to be built, which is immediate in a proof in the Block Calculus.

References

[DP92] Denzinger, J.; Pitz, W.: Das DISCOUNT-System: Benutzerhandbuch; SEKI Working Paper SWP-92-16
[DGHWW94] Dahn, B. I.; Gehne, J.; Honigmann, Th.; Walther, L.; Wolf, A.: Integrating Logical Functions with ILF; to appear
[Ga94] Gabbay, Dov: LDS – Labelled Deductive Systems, Vol. 1 – Foundations, Max-Planck-Institut für Informatik, Report MPI-I-94-223
[Ge35] Gentzen, G.: Untersuchungen über das logische Schließen, Mathematische Zeitschrift 39, Berlin, 1935
[Hu94] Huang, Xiaorong: Reconstructing Proofs at the Assertion Level; Proceedings of CADE-94, pp. 738–752, Springer, 1994
[LSBB92] Letz, R.; Schumann, J.; Bayerl, S.; Bibel, W.: SETHEO: A High-Performance Theorem Prover, Journal of Automated Reasoning 8 (1992), pp. 183–212
[Li89] Lingenfelder, Christoph: Structuring Computer Generated Proofs, in: N.S. Sridharan (ed.), Proc. IJCAI 89, pp. 378–383, Morgan Kaufmann, 1989
[MC90] McCune, W.: Otter 2.0, in: Stickel, M.E. (ed.): Proceedings of the 10th CADE, pp. 663–664, Springer, Berlin, 1990
[Wo95] Wolf, Andreas: A Translation of Model Elimination Proofs into a Structured Natural Deduction, preprint 1995
