Fallacies. James Lipton. Wesleyan University. Michael J. O'Donnell ..... Logical demonstrations are linguistic constructions, manipulating the names of objects ...
Intuitive Counterexamples for Constructive Fallacies James Lipton Michael J. O'Donnell Wesleyan University The University of Chicago Presented 25 August, 1994 This paper was presented at the Mathematical Foundations of Computer Science 1994 | 19th International Symposium, MFCS '94, Ko�sice, Slovakia, August 1994 | Proceedings, Lecture Notes in Computer Science, volume 841, Igor Pr��vara, Branislav Rovan and Peter Ru�zi�cka editors, Springer-Verlag, 1984, pp. 87{111.
Abstract
Formal countermodels may be used to justify the unprovability of formulae in the Heyting calculus (the best accepted formal system for constructive reasoning), on the grounds that unprovable formulae are constructively invalid. We argue that the intuitive impact of such countermodels becomes more transparent and convincing as we move from Kripke/Beth models based on possible worlds, to Lauchli realizability models. We introduce a new semantics for constructive reasoning, called relational realizability, which strengthens further the intuitive impact of Lauchli realizability. But, none of these model theories provides countermodels with the compelling impact of classical truth-table countermodels for classically unprovable formulae. We prove soundness of the Heyting calculus for relational realizability, and conjecture that there is a constructive choice-free proof of completeness. In this respect, relational realizability improves the metamathematical constructivity of Lauchli realizability (which uses choice in two crucial ways to prove completeness) in the same sort of way Beth semantics improves Kripke semantics.
1
1 The Intuitive Impact of Countermodels
Imagine that we believe in the suitability of a formal system P of proof as a basis for useful reasoning in some language L. We are trying to sell P to a customer. The customer is not trained in formal metamathematics, but she has an excellent intuitive grasp of the meanings of given formulae in concrete circumstances. There are a number of grounds on which the customer might challenge the suitability of P , but we focus attention on one. Suppose that she produces a formula � that is not provable in P , and argues that therefore P is not powerful enough for practical use. We must convince her, on intuitive grounds, that the failure of P to prove � is a useful feature, rather than a serious lacuna. To this end, we must describe a conceivable set of circumstances C that might occur in the real world that language L describes, and interpret the primitive nonlogical symbols of � in C in such a way that � is clearly false. So, we argue, P is excused from proving � because � is not valid (not reliably true in all circumstances). In order to prepare for such a debate, we might study formal semantics. In particular, we formalize the notion of a \conceivable set of circumstances" as a model for L, and de ne what it means for a formula � of L to be true in a particular model M. Then, we formalize validity of a formula as truth in all models. Finally, we demonstrate that P is sound (every provable formula is valid) and complete (every valid formula is provable) with respect to our formal model theory. Soundness may help to answer a challenge of incorrect proof, while completeness may help to answer the challenge of insu�cient power proposed above. Back to the customer, who has criticized P for its inability to prove �. Our demonstration of completeness, if it is appropriately constructive, provides us with a countermodel MC in which � is false. In order to convince the customer, we must translate MC into an intuitive description of conceivable real circumstances in which � is clearly false. Of course the success of our argument depends on the intuitive beliefs that our customer holds. If the customer's beliefs support classical logic, and P is a complete formal system for classical proof, then we are on very strong ground. The usual truth-table models for classical logic translate naturally into simple sorts of conceivable circumstances and absolutely concrete interpretations of primitive nonlogical symbols. But, if our customer's beliefs support constructive logic, and P is the Heyting calculus (which is complete for several well-known formal 2
model-theoretic semantics), the translation of a formal countermodel into an intuitively convincing description is quite a bit harder. In this paper, we compare the intuitive impact of three sorts of models for constructive logic: Kripke/Beth models based on possible worlds, Lauchli realizability models based on the formulae as types idea, and a new sort of model that we call relational realizability models, re ning Lauchli's ideas. There appear to be a number of di�erent intuitive ideologies that lead to a belief in constructive logic. We do not insist on Brouwer's, Heyting's, Kolmogorov's, Bishop's or any other predetermined ideology supporting constructive logic. Rather, for each formal model theory, we seek the most natural intuitive explanation of it. We do not argue about which intuitive ideologies are metaphysically correct (perhaps each is correct for a di�erent application of logical reasoning). Rather, we criticize the transparency with which each formal model theory is justi ed by its natural intuitive explanation. We nd that this transparency improves from Kripke/Beth models through Lauchli models to relational realizability models, but it never approaches the clear connection between classical intuitions and truth-table models.
2 Formulae, Proofs, and Sequents The rest of this paper discusses formulae, proofs of formulae, and models for formulae in the positive rst-order predicate calculus and the positive propositional calculus. \Positive" means that we do not allow the logical negation symbol (:). Every one of the systems that we discuss can be extended easily to deal with negation, but in some cases that extension is somewhat subtle to understand|for example see [15] for a discussion of negation in Lauchli realizability models. We use a predicate calculus without function symbols and without equality. All of the proposed systems can be extended to deal with functions and equality, but such an extension would only obscure the message of this paper. De nition 1 Assume that there is ian in nite set V of variables. Also, for each i � 0 there is an in nite set P of i-ary predicate symbols. The set of atomic formulae is AT = f (x ; : : :; xn ) j 2 Pn , x ; : : :; xn 2 Vg 1
1
3
(the degenerate case �() where � 2 P0 is written �). The set PF1 of positive rst-order predicate formulae is de ned inductively as follows: AT � PF1, and i� �; 2 PF1 and x 2 V, then
(� _ ) 2 PF (� ^ ) 2 PF (� ) ) 2 PF (8x : �) 2 PF (9x : �) 2 PF 1
1
1
1
1
The concepts of subformulae, and free and bound occurrences of variables, are de ned in the usual manner [23]. �[x=y] denotes the result of substituting x for every free occurrence of y in � after renaming bound variables of � so that the substituted xs are free in the result. A formula with no free variables is a closed formula, or a sentence. Although it does not appear in formulae, for metalogical discussion an additional formal symbol I is useful to stand for the domain of individuals over which variables range. The set PF0 of positive propositional formulae is the subset of PF1 consisting of all formulae with no occurrence of the quanti ers 8 and 9 and no occurrence of predicates with arity greater than 0.
Proofs are the formal analogues of rigorously reasoned arguments. Formal descriptions of proofs are often treated as mere syntactic devices for enumerating true formulae. In constructive logic, we can get a deeper insight into proofs by regarding a proof formula as a syntactic object denoting a semantic construction. So proof formulae, as well as propositional formulae, have semantic content. The essential idea is that a proof formula is a term in the typed lambda calculus, and the type of the term is the theorem that it proves [19, 23, 6]. It is straightforward to read a typed lambda term of type �, on the one hand as a natural deduction proof of �, or on the other hand as a program de ning a uniform construction demonstrating the validity of �. The interpretation of typed ambda terms as propositional proof formulae is discussed in more detail in [15]. Sequent derivations are less transparent to the intuition than proof terms, but more exible for certain metamathematical arguments, so for this paper we de ne proof in terms of sequents.
De nition 2 A sequent is an ordered pair of nite subsets of PF . When ?; � PF are nite sets of formulae, the sequent h?; i is written ? ` . Furthermore, set braces are omitted in descriptions of ? and , and unions are denoted by commas. So, for example, ?; � ` ; denotes the pair 1
1
4
h? [ f�g; f g [ i. The intended meaning of ? ` is that, whenever the
conjunction of ? holds, the disjunction of holds as well. De nition 3 A sequent ? ` is derivable if and only if there is a nite sequence ? ` ; : : : ; ?n ` n of sequents such that ?n = ?, n = , and for each 0 � i � n there exists m � 0 and j ; : : :; jm < i such that ?i ` i follows from ?j1 ` j1 ; : : :; ?jm ` jm by one of the rules in Table 1. These are essentially Beth's tableaux rules [2, 5], translated into sequent notation. Notice that the basis rule (B) has no hypotheses, corresponding to m = 0 in the last clause above. The proof formulae and the constructive sequent rules are variations on the Heyting predicate calculus [8]. A formula � is said to be proved constructively when we derive the sequent ` �. The derivability of sequents ? ` with nonempty left-hand sides is important for the understanding of provable inferences, which go beyond provable formulae, but this paper is concerned mostly with the provable formulae. 0
0
1
3 Classical Truth-Table Models The de nition of classical truth-table models is very familiar [24, 28] so we omit it here, and merely consider one particular example. The propositional formula (� ) ) ) ( ) �) is not provable. When challenged by our customer to justify this omission, we may use a demonstration of completeness for classical logic to produce the countermodel given by the truth table in Figure 1a. Then, we may use this countermodel to answer the customer with the following argument. Suppose that � is the proposition, \In the diagram of Figure 1a, the symbol `�' appears in the same row with the symbol `T '," and is the proposition, \In the diagram of Figure 1a, the symbol ` ' appears in the same row with the symbol `T '." Clearly � is false, but is true. So, � ) is true, and ) � is false. Therefore (� ) ) ) ( ) �) is false. Our argument is hard to resist, because we have interpreted � and as absolutely concrete propositions in natural language, referring to a physical presentation of a diagram. And, in arguing that (� ) ) ) ( ) �), we rely 5
(B) ?; � ` �; (^L)
? ` � ^ ; �; (^R) ? ` � ^ ; ; ? ` � ^ ;
?; �; ; � ^ ` ?; � ^ `
?; �; � _ ` (_L) ?; ; � _ ` ?; � _ `
�; ; (_R) ? `? �` _� ; _ ;
?; � ) ` �; ()L) ?; ; � ) ` ?; � ) `
?; � ` ()RS) ? ` � ) ;
]; 8x : � ` (8L) ?; �?[y=x ; 8x : � `
�[y=x] (8R)1 ? `?8`x :8�; x : �;
(9L)1
?; �[y=x]; 9x : � ` ?; 9x : � ` 1
(9R)
? ` 9x : �; �[y=x]; ? ` 9x : �;
In 8R and 9L, x must not be free in ?, . Table 1: Constructive Sequent Rules
6
f�r g @I@
� F T a. Classical countermodel for (� ) ) ) ( ) �)
@ r? fg
f r g ??�
b. Kripke countermodel for (� ) ) _ ( ) �)
Figure 1: Classical and Kripke Countermodels for Unprovable Formulae only on the facts that everything implies a truth, and that truth cannot imply falsehood. These facts are admitted by constructivists as well as classical reasoners. The shortcoming of classical truth-table models for justifying formal systems of constructive proof is that they provide no countermodels for other formulae, such as (� ) ) _ ( ) �), that are provable classically but not constructively.
4 Kripke/Beth Models
In order to justify the unprovability of formulae such as (� ) ) _ ( ) �), we need new sorts of countermodels, and new translations of countermodels into intuitive circumstances. The best-known formal model theory for constructive logic is due to Kripke [14] (an important variation due to Beth [2] is technically superior for some purposes, but is open to the same critique as Kripke semantics from the standpoint of intuitive counterexamples). The Heyting calculus is sound and complete for Kripke and Beth model theory. Soundness may be proved constructively. Completeness with respect to Kripke semantics is constructive for the propositional calculus, but inherently nonconstructive for the predicate calculus; completeness with respect to a variant of Beth semantics is constructive for the predicate calculus [26]. Kripke and Beth interpret constructive logic as a modal system, in which ^ and _ behave classically, but � ) has the modal interpretation that in every reachable world where � holds, holds as well. That is, � constructively implies if necessarily � classically implies . The reachability 7
relation is required to be re exive and transitive, but not necessarily symmetric. In the terminology of modal semantics, these are the S models [13]. For brevity, we present only Kripke models for the propositional calculus|the extension to predicate calculus is known [26], but not needed here. 4
De nition 4 A Kripke model for the positive constructive propositional calculus is a quadruple M = hW ; �; � i, where W is a set of worlds, � is a re exive, transitive binary relation on W called reachability, and � is a function, called satisfaction, from W to valuations on atomic propositional symbols. � is closed under reachability, i.e., if v � w, and if �v (�), then �w(�).
Notice that we write �w (�) rather than � (w)(�). We extend the satifaction function from atomic formulae to arbitrary formulae as follows:
De nition 5 Let M = hW ; �; � i be a Kripke model. The relation M; w j=K � is de ned inductively for w 2 W and propositional formulae � as follows:
� If � is an atomic propositional symbol, then M; w j=K � if and only if
�w(�); � M; w j=K � ^ if and only if M; w j=K � and M; w j=K ; � M; w j=K � _ if and only if M; w j=K � or M; w j=K ; � M; w j=K � ) if and only if for every world v such that w � v, and such that M; v j=K �, we also have M; v j=K . � is true in M (written M j=K �) if and only if M; w j=K � for every world w in W .
The natural Kripke countermodel for (� ) ) _ ( ) �) is shown in Figure 1b. The natural intuitive interpretation of the formal model requires us to understand constructive logic in terms of temporal-epistemic concepts, with branching time. Roughly, w � v means that w and v are conceivable sets of instantaneous circumstances such that in the circumstances of w, one possible future is the circumstances of v. M; w j=K � means, not just that � is true 8
at w, but that � is constructively knowable at w. � ) means that, for every possible future in which � is knowable, is also knowable. Kripke and Beth models are very useful for metamathematical investigations, but they do not correspond convincingly to sets of intuitive circumstances. Dummet [4] discusses the intuitive shortcomings of Kripke and Beth semantics. Here, we merely note the apparent di�culties in interpreting the diagram of Figure 1b as a description of circumstances conceivable to a constructive intuition. When our customer challenges the unprovability of (� ) ) _ ( ) �), the natural response based on the countermodel of Figure 1b is something like: Suppose that neither � nor can be veri ed constructively right now. Suppose in addition that there is one possible future in which � can be veri ed constructively but not , and another possible future in which can be veri ed constructively but not �. Because of the rst possible future, � ) is not true, and because of the second one ) � is not true. This argument is inherently subjunctive, and does not hold up well if one wishes to understand the future as a single potential reality but rather requires the customer to believe in a particular layout of di�erent contingencies, not all of which will ever be realized. The requirement for branching time is particularly suspect: we know that there is only one real future, even though we do not know its nature. Why can we not use the unicity of the future in constructive reasoning? The customer must also accept that the particular diagram given by this model represents a conceivable state of a�airs. It may well be that the fundamental nature of constructions restricts the possible temporal developments of knowledge in a signi cant way. With no formal representations of constructions in the theory, it is very di�cult to judge whether a given formal model corresponds to an intuitively conceivable state of a�airs. Finally, there does not appear to be any natural interpretation of � and as concrete propositions based on a Kripke or Beth countermodel. Where classical truth-table countermodels provide concrete interpretations of atomic propositional symbols, Kripke and Beth countermodels represent the possible future results of attempting to verify those symbols, without interpreting the symbols themselves in a concrete intuitive way. 9
5 Realizability Models In order to provide stronger connections between formal models and constructive intuitions, we seek models that contain explicit representatives for constructions. Such models arise from the realizability concepts of Kleene [10, 11, 12] and Lauchli [16] and the formulae as types concepts of Howard and Tait [9, 3]. We call such models, with explicit objects standing for constructions, realizability models. The word \realizability" comes from the notion that a formula is constructively valid precisely if it is realized by some construction that demonstrates its validity. Roughly, a realizability model provides classes of primitive objects representing evidence for each atomic formula, and builds up evidence for other formulae by the following rules � evidence for � ^ consists of evidence for � paired with evidence for � evidence for � _ consists either of evidence for � or of evidence for , marked in such a way that we can tell which formula it supports � evidence for � ) is some sort of function transforming evidence for � into evidence for � evidence for 8x : � is some sort of function transforming each individual value d into evidence for �[d=x] � evidence for 9x : � consists of an individual value d paired with evidence for �[d=x] The basic idea of the nature of constructive evidence results from a long discussion of evidence with key contributions by Brouwer, Heyting, and Kolmogorov, for which it is often called the BHK interpretation [26]. But, depending on the precise way in which each item above is interpreted, the BHK interpretation may support a variety of formal systems, including classical logic [26]. A realizability model theory consists of a precise formalization of the BHK rules (there are many ways to do this), and also a formal criterion for distinguishing certain pieces of evidence as realizers. A formula is true in a model if it has a realizer in the model, and a formula is valid if it has a realizer in every model. A piece of evidence for � that is not a realizer has no direct 10
impact on the truth of �, but it a�ects the truth of formulae containing �, such as � ) , since a realizer for the implication must map every piece of evidence for �, not just the realizers. This a posteriori judgement that certain evidence is a constructively valid realizer, rather than an a priori inclusion of only the realizers in a model, appears to be crucial to the technical success of realizability model theories. It is natural, straightforward, and plausible to interpret classes of evidence as sets (constructively conceived), and to construct evidence sets for nonatomic formulae by associating ^ with Cartesian product, _ with disjoint union, ) with the function space, 8 with the dependent product, and 9 with the dependent sum (for certain higher-order formal systems, a classical settheoretic interpretation fails [20], but a constructive set theory succeeds [18]). The problem is to de ne what are the realizers in each of these evidence sets. If we de ne every piece of evidence to be a realizer, then we get classical logic|the empty set represents falsehood, each nonempty set represents truth, and it is easy to see that the set-theoretic constructions are equivalent to the classical truth-functional rules. Ideally, we would de ne the realizers to be precisely the uniformly constructible objects, if we only had a formal characterization of uniform constructibility. The most natural attempt at such a characterization is to de ne realizers as the computable objects in each evidence set. Kleene [10, 11, 12] studied this idea, and developed an important theory of computability on higher types. But, Rose [21] showed that the formula ((:: ) ) ) (:: _ : )) ) (:: _ : ) where = (:� _ : ) has a Kleene realizer. The Rose formula is not provable in the Heyting calculus, and is generally believed to be invalid for a constructive intuition (it is known to be invalid in formal Kripke and Beth semantics, as well as several varieties of realizability semantics). There is some reason to believe that it is impossible to give a satisfactory precise characterization of the uniformly constructible objects, for roughly the same reasons that it is impossible to enumerate the total computable functions. So, we consider model theories in which the formal realizers include objects that are clearly not computable, and therefore not uniformly constructible. That is, we de ne the realizers to be the objects satisfying some intuitively plausible necessary but not su�cient condition for uniform 11
constructibility. If a formula � has no evidence satisfying these necessary conditions, then a fortiori it has no uniformly constructible evidence. In this way, we get countermodels whose intuitive interpretations no longer depend on the disturbing notions of contingency and branching time involved in the usual temporal interpretation of Kripke and Beth models. Unfortunately, we still cannot produce interpretations of propositional formulae with the concrete impact of those associated with classical truth table countermodels in Section 3 above. 5.1
L auchli's Realizability Models
The material in this section summarizes work by Kurtz, Mitchell and O'Donnell [15] based on Lauchli's seminal paper [16]. Lauchli analyzed realizability models in which a piece of evidence is a realizer if and only if it is invariant under certain permutations. We generalize Lauchli's semantics in the obvious way to allow models built from arbitrary groups of permutations at the atomic level, and we vary Lauchli's treatment of quanti cation to make the connection between evidence in models and intuitive constructions easier to follow. De nition 6 A Lauchli realizability model is a quadruple M = hD; U ; P; Ni, where � D is a set, called the domain of individuals � U is a set, called the domain of evidence � P is a mapping from fI g [ Si Pi toi subsets of Di [ Si (U Di ) such that P (I ) � D and, for all i � 0, � 2 P , P (�) � U D � N is a group of permutations of D [ U , setwise stabilizing D and U , that represent noise in the interpretation of members of D and U It is convenient to discuss formulae that use arbitrary members of D as if they were constant symbols. De nition 7 Let M = hD; U ; P; Ni be a Lauchli model. The set EFM of extended formulae for M is the same as PF (De nition 1) except that individuals d 2 D may appear wherever free variables x 2 V may appear. An extended formula � is closed if and only if there is no free variable in �. 1
12
De nition 8 Extend P to closed extended formulae inductively as follows: � for atomic �(d ; : : :; dn ), P (�(d ; : : :; dn )) = P (�)(d ; : : :; dn ) (and P (I ) = D) � P (� ^ ) = P (�) � P ( ) (cross product) � P (� _ ) = (f0g � P (�)) [ (f1g � P ( )) (marked union) � P (� ) ) = P ( )P � (function space) � P (8x : ) = fc 2 (Sd P ( [d=x]))D j (cd) 2 P ( [d=x]) for all d 2 Dg 1
1
1
( )
(dependent product) � P (9x : ) = fhd; bij d 2 D and b 2 P ( [d=x])g (dependent sum)
Finally, we extend the noise permutations to P (�) for all � 2 PF . De nition 9 If M = hU ; P; Ni is a Lauchli model, then we de ne the permutations f� of P (�) for every f 2 N and formula � 2 PF as follows: � if � is an atomic formula, and a 2 P (�), then f�(a) = f (a) (and if d 2 D, then fI (d) = f (d)) � if ha; bi 2 P (� ^ ), then f�^ (ha; bi) = hf�(a); f (b)i � if h0; ai 2 P (� _ ), then f�_ (h0; ai) = h0; f� (a)i � if h1; bi 2 P (� _ ), then f�_ (h1; bi) = h1; f (b)i � if c 2 P (� ) ), then f�) (c) = f � c � f�? � if c 2 P (8x : �), then f8x : �(c) = f � c � fI? � if hd; ai 2 P (9x : �), then f9x : �(hd; ai) = hfI (d); f� fI d =x (a)i A formula � is true in the Lauchli model M above if and only if P (�) is inhabited by at least one object that is invariant under f� for all permutations f 2 N. 1
1
1
1
[
13
( )
]
The hierarchies of permutations ff�g de ned by Lauchli models are examples of the logical relations [22, 17] used to study de nability in the lambda calculus. Lauchli proved that the rst-order Heyting predicate calculus is sound and complete for Lauchli models. The proof of completeness is highly nonconstructive, and appears to depend in an essential way on the axiom of choice. [15] explains in some detail a plausible intuition behind Lauchli models, and reformulates the proof of completeness at the propositional level to make the constructive and nonconstructive elements more transparent. We summarize below the argument that invariance under the permutations in Lauchli models is a plausible necessary condition for uniform constructibility. Logical demonstrations are linguistic constructions, manipulating the names of objects rather than the objects themselves. Since the atomic formulae have no predetermined logical meanings, the assignment of names to constructions for atomic formulae is essentially arbitrary, except that a single name may not be assigned to two di�erent objects. The symbols ^, _, ), 8 and 9 however, have de nite logical meanings, so the names for their constructions have logical content, and the assignment of names to constructions is derived from the assignments associated with atomic formulae. Given the arbitrary nature of the assignment of names to constructions of atomic formulae, we would expect that di�erent minds would make di�erent assignments. Indeed, a single mind might make di�erent assignments at di�erent times. This renders impossiblethe task of communicating (or even remembering, which might viewed as the special case of communicating with oneself) constructions for atomic formulae by purely logical methods. For composite formulae, however, there is hope. For example, the lambda term (�x: � : x) reliably names a speci c construction of � ) �|the identity function. This description of the identity function says essentially, \Whatever you are given as input, give it back as output." This description does not depend on the identities of speci c objects of type �. We are con dent that we will interpret the identity function the same way next year as we do today, and that when we communicate it to others, they will interpret it in the same way as we do. Every constructive proof formula should, like (�x: � : x), denote a uniform piece of evidence, in the sense that it reliably names a construction independently of the assignment of names to evidence for atomic formulae. Suppose that m maps some xed set of names to a xed set of pieces of evi1
14
dence so that for each name x, m (x) is the object that we choose to name by x. Similarly, m (x) is the (possibly di�erent) object that our colleague Jane Doe names by x. m and m are type consistent if and only if for every name x and formula �, m (x) and m (x) are either both in P (�), or both not in this set. In a realizability model, we can lift m and m to act consistently on names of realizers of arbitrary type. A name x is (m ; m )-uniform (that is, it is understood in the same way by Jane Doe and by us) if m (x) = m (x). In the special case where m and m are bijections, f = m � m? is a permutation on the set of evidence; when m and m are furthermore type consistent, then f setwise stabilizes the evidence for each formula �. When we try to communicate a to Jane Doe, she will misunderstand it to be f (a). Clearly, a name x is (m ; m )-uniform if and only if m (x) is invariant under f . Lauchli's permutations may be understood as derived in this way from different ways of naming evidence, but given the permutations we have no need to formalize names in the model. So, even though our explanation of Lauchli models refers to the use of some language for communicating constructions, there is no commitment to any particular formal language|rather Lauchli model theory deals with communicability in principle. If we have more than one colleague (Richard Roe, Peter Poe, etc.), then there are more than two possible naming functions, and we get more permutations. Notice that if an object is invariant under two permutations, it is also invariant under their compositions and inverses. Therefore, there is no advantage in considering arbitrary sets of permutations: it su�ces to consider just those sets that form groups. There may in reality be naming functions that are not bijections, but we may legitimately ignore them since we demand only a necessary condition for uniform constructibility. We do not claim that all invariant evidence is uniformly constructible (in fact, some arbitrarily high degree uncomputable functions are invariant), nor do we claim that invariance provides an adequate formalization of the notion of uniformity. It su�ces for our purposes that we can justify the informal claim that every uniform construction is an invariant piece of evidence, so that Lauchli countermodels can be understood intuitively as evidence for nonvalidity. Given a permutation f and an atomic formula �, we de ne f� to be the restriction of f to P (�). This is guaranteed to be a permutation by the setwise stabilizing clause of De nition 6. Assume that we have de ned the action of f 2 N on P (�) and P ( ). Clearly, the action of f on an element of P (� ^ ) must be to permute the components of each distinguished pair 1
2
1
2
1
2
1
2
1
2
1
1
2
2
1
1
2
2
1
15
1
2 1
� a
c
1
- b
1
f
f�
?
a
f�) c
2
?
- b
2
Figure 2: Diagram of the permuted function f�) c independently, according to the action that has already been de ned on P (�) and P ( ). Similarly, the action of f on P (� _ ) must be to permute each marked member of P (�) according to its action on P (�), leaving the mark unchanged, and analogously for marked elements of P ( ). The action of permutation f on P (� ) ) must be to map c 2 P (� ) ) to a new function f�) (c). Since c operates from and to unpermuted evidence, and f�) (c) operates from and to permuted evidence, f�) (c) should have the same action on permuted evidence that c has on unpermuted evidence (see Figure 2). From this diagram, it is clear that f�) (c) must satisfy f�) (c)a = f (c(f�? a)), so f�) c = f � c � f�? . The arguments for f8x : � and f9x : � are analogous to those for f�) and f�^ , respectively. We see now that, e.g., the identity function on each class P (�) is invariant under all permutations, as well as the function in P ((� ^ (� ) )) ) ) that applies the P (� ) ) component of its input to the P (�) component. Now, consider the natural Lauchli countermodel for the unprovable formula (� ) ) _ ( ) �), shown in Figure 3. No function from P (�) to P ( ) can be invariant under f , and no function from P ( ) to P (�) can be invariant under f , so (� ) ) _ ( ) �) is not true in the model.When our customer challenges the unprovability of (� ) ) _ ( ) �), we might respond with an argument like: 1
1
1
2
16
P (�)
P ( )
f � � z # :
f � � z # :
1
2
a
b
1
f
f
2
1
f
2
" �a y�9 ! ��
f
1
1
" �b y�9 ! ��
2
2
f f Figure 3: Lauchli Countermodel for (� ) ) _ ( ) �) 1
2
17
Suppose that there are two pieces of evidence for �, and two others for . Suppose also that a construction for (� ) ) _ ( ) �) must be communicated to two colleagues, Jane Doe and Richard Roe. Suppose that Jane Doe uses the same names that we do for � evidence, but reverses our naming of evidence; Richard Roe agrees with our naming of evidence, but reverses our naming of � evidence. No construction for � ) can be communicated uniquely to Jane Doe, and no construction for ) � can be communicated uniquely to Richard Roe, so we cannot communicate to the community of our colleagues constructive evidence for (� ) ) _ ( ) �).
The Lauchli countermodel does not provide obvious and natural concrete interpretations of � and |in this respect it is intuitively inferior to classical truth-table countermodels. But, it avoids some of the most unfortunate qualities of the Kripke countermodel. The circumstances represented by the Lauchli countermodel consist entirely of a single potential reality, without any subjunctive or contingent components. For a constructive reasoner who believes that constructions must be uniquely communicable, the Lauchli countermodel carries substantial intuitive force, although it is not absolutely compelling. Lauchli countermodels have two obvious intuitive weakness: they rely on metacircumstances relating to the language in which constructions are communicated, and they insist on communicating constructions uniquely, while it may be su�cient for reasoning to have con dence in the correctness of a construction even if there is confusion as to which of several correct constructions it is. At a technical level, there is a straightforward construction of a Kripke model given a Lauchli model [15]. The essential idea is that each subgroup of N represents a Kripke world, and that the subgroup relation determines accessibility. Truth in an individual world is just posession of an invariant under the smaller permutation group. The translation from Lauchli models produces Kripke models with a lot of structure (for example, they are lattices). It is intriguing to try to interpret this structure as a restriction on the layouts of possible futures that can actually arise in the circumstances of constructive reasoning. 18
5.2
Relational Realizability Models
Sections 5.2 and 6 describe work in progress by Lipton and O'Donnell. All of the proofs in these sections are constructive and in particular choice-free. We designed relational realizability models to improve on Lauchli models for two purposes: to support constructive proofs of soundness and completeness, and to strengthen the intuitive force of countermodels by allowing a construction to be communicated ambiguously, as long as all parties agree that the construction is correct. Both of these purposes seem to demand that constructions are allowed to be nondeterministic, as long as all of their possible outcomes are satisfactory. With nondeterministic evidence functions (in e�ect, relations), it is unproductive to de ne the realizers to be invariants under permutations, since for example the universal relation is invariant under all permutations. Rather, we must now allow permutations to confuse elements of di�erent types, and de ne realizers to be pieces of evidence that land in the right type under all permutations.
De nition 10 Let S; T be sets, and let r � S � T be a relation. r is entire from S to T if and only if, for all s 2 S , there exists t 2 T such
that s[r]t. r is injective from S to T if and only if, for all s1; s2 2 S , t 2 T , if s1[r]t and s2[r]t, then s1 = s2 . r is surjective from S to T if and only if, for all t 2 T , there exists s 2 S such that s[r]t. r is a partial function from S to T if and only if, for all s 2 S , t1; t2 2 T , if s[r]t1 and s[r]t2, then t1 = t2. r is a function if and only if it is an entire partial function. A set S is nite if and only if there exists an integer n and a surjective function r from f1; : : : ; ng to S .
Notice that the n associated with a nite set S is not neccessarily the cardinality of S , because the surjective function r is not required to be injective. Lemma 1 Let S be a nite set of nite sets. Then S S is nite.
Lemma 2 Let S be a nite set, such that every member S 2 S is an inhabited set (there exists x 2 S). Then there is a nite set T such that, for every S 2 S , T \ S is inhabited. 19
Proof: By induction on n such that there is a surjective function from f1; : : : ; ng to S . Basis. Assume n = 0. Let T = ;. Induction. Assume the lemma holds for 0; : : : ; n ? 1. Let r be a surjective function from f1; : : : ; ng to S . Write S = fS ; : : :; Sng, where each Si is the unique member of S such that i[r]Si. By induction hypothesis, there is a nite set Tn? such that, for every S 2 fS ; : : : ; Sn? g, Tn? \ S is inhabited. Since Sn 2 S is inhabited, there exists an x 2 S . De ne T = Tn? [ fxg. For i � n ? 1, T \ Si is inhabited by de nition of Tn? . T \ Sn is inhabited by 1
1
1
1
1
1
1
x.
Lemma 1 2
De nition 11 Let S; S 0; T; T 0 be sets, with S � S 0, T � T 0, and let r � S 0 � T 0 be a relation. � r is S {T entire from S 0 to T 0 if and only if S � r? [T ] (that is, for all s 2 S , there exists t 2 T such that s[R]t). � r is S {T reliable from S 0 to T 0 if and only if r[S ] � T (that is, for all s 2 S and t 2 T 0 such that s[r]t, t 2 T ). 1
r is a reliable mapping from S in S 0 to T in T 0 if and only if r is S 0{T 0 entire and S {T reliable. Notice that this implies S {T entirety as well. The set of reliable mappings from S in S 0 to T in T 0 is written S 0 ; S ,! T; T 0. S 0 and/or T 0 may be omitted when clear from the context.
De nition 12 Let S be a set, and let T (s) be a set for each s 2 S . Let S T = fT (s) j s 2 S g. The dependent sum of T over S is X T (s) = fhs; tij t 2 T (s)g s2S
The reliable relational dependent product of T over S is
Y T (s) = fr � S �T j r is entire from S to T , and s[r]t implies t 2 T (s) for all s; tg
s2S
20
De nition 13 Let S be a set. The nite approximation universe for S is AS = fA � S j A is niteg. Let T � S . The set of nite approximations to T in S is ATS = fA 2 AS j A \ T is inhabitedg. De nition 14 A relational realizability model is a quadruple M = hD; U ; P; Ni where � D is a set, called the domain of individuals � U is a set, called the domain of evidence � P is a mapping from fI g [ Si i Pi to subsets of Si(Di � U ) such that P (I ) � D and, for all � 2 P , P (�) � Di � U � N � (D [ U )D[U is a set of permutations, setwise stabilizing D and U , that represent noise in the interpretation of members of D and U Notice that N is an arbitrary set of permutations, not necessarily a group. De nition 15 Let M = hD; U ; P; Ni be a relational realizability model. The set of nite approximations for D is D^ = AD . The set EFM of
extended formulae for M is the same as PF (De nition 1) except that approximate individuals D 2 D^ may appear wherever free variables x 2 V may appear. An extended formula � is closed if and only if there is no free variable in �. 1
De nition 16 For each closed extended formula � 2 EFM de ne the set U� inductively by � for atomic �(D ; : : :; Dm ), U� D ;:::;Dm = U � U�^ = U^� � U^ (cross product) � U�_ = (f0g � U^�) [ (f1g � U^ ) (marked union) � U�) = fr � U^� � U^ j r is entire from U^� to U^ g (space of entire 1
(
1
)
binary relations) � U8x : � = QD2D U^� D=x (reliable relational product) � U9x : � = PD2D U^� D=x (dependent sum) ^
[
]
^
[
]
21
where for each formula �, U^� = AU� . Notice that U� and U^� depend on the structure of �, but not on the identities of the atomic formulae and individuals in it. The relational realizability closure of U is U� = SfU^� j � 2 PF1g. P extends to a function mapping each closed extended formula � to a subset of U�, and also to a function P^ mapping each � to a subset of U^� . Each noise permutation f 2 N induces permutations f� on U� , and also permutations f^� on U^�, as follows:
�
{
P (�(D ; : : :; Dm )) = fu 2 U j hd ; : : : ; dm; ui 2 P (�) for some d 2 D ; : : : ; dm 2 Dm g (and P (I ) = D) f� D1;:::;Dm (a) = f (a) (and fI (d) = f (d)) P (� ^ ) = P^ (�) � P^ ( ) (cross product) f�^ (hA; B i) = hf^�(A); f^ (B )i P (� _ ) = (f0g � P^ (�)) [ (f1g � P^ ( )) (marked union) f�_ (h0; Ai) = h0; f^�(A)i f�_ (h1; Ai) = h1; f^ (B )i P (� ) ) = U^�; P^ (�) ,! P^ ( ); U^ (space of reliable mappings) f�) (r) = fhf^�(A); f^ (B )ij A[r]B g 1
1
{
�
{ {
�
{ {
�
{ {
�
(
1
)
P (8x : �) = fr 2 QD2D U^� D=x j (D 2 P^ (I ) and D[r]A) implies A 2 P^ (�[D=x])g (reliable relational product) { f8x : � (r) = fhf^I (D); f^� fI D =x (A)ij D[r]Ag (since f^ depends only on the structure of , f^� fI D =x = f^� D=x , but the former is
{
^
[
[^(
)
]
]
[^ (
�
1
)
]
[
]
more informative intensionally) { P (9x : �) = fhD; Aij D 2 P^ (I ) and A 2 P^ (�[D=x])g (dependent sum) { f9x : � (hD; Ai) = hf^I (D); f^�[f^I (D)=x](A)i
where for each formula �
22
P^ (�) = APU�� (and P^ (I ) = APD I ) { f^� (A) = ff� (a) j a 2 Ag (and f^I (D) = ffI (d) j d 2 Dg) Notice that P (�) and P^ (�) depend on �, but f� and f^�, like U� and U^� before, depend only on the structure of �, and not on the identities of its
�
{
( ) ^
( )
^
atomic formulae and its individuals.
De nition 17 Let M = hD; U ; P; Ni be a relational realizability model. An environment for M is a function �: V ! D^ . Let � be an environment for M. Extend � to a function from EFM to D^ by �(�) = �[�(x ); : : :; �(xm)=x ; : : :; xm] 1
1
where x1; : : :; xm is a list of the free variables in �.
Lemma 3 Let M = hD; U ; P; Ni be a relational realizability model, let � ; � be environments for M, and let � be an extended formula with free variables x ; : : : ; xm. If � (xi) = � (xi) for all i � m, then � (�) = � (�). If � is 1
1
1
2
1
closed, then �1(�) = �2(�) = �.
2
2
De nition 18 Let M = hD; U ; P; Ni be a relational realizability model, � an environment for M.
� For A 2 U�, M; � j=n A: � if and only if, for all f 2 N , f^�(A) 2 P^ (�(�)). � M; � j=n � if and only if there exists A 2 U^� such that M; � j=n A: �. � When � is closed, M j=n A: � if and only if M; � j=n A: � for an arbitrary environment �; similarly for M j=n �. Consider the relational realizability countermodel for (� ) ) _ ( ) �)
shown in Figure 4. Because of the noise functions f i, there can be no reliable mapping from P^ (�) to P^ ( ), and the f j s prevent a mapping from P^ ( ) to from P^ (�). When our customer challenges the unprovability of (� ) ) _ ( ) �), we might respond with an argument like: 1
2
23
f � � f � �
9 f 9 f 9 f 1
���
a?
2
1
2
- a?
1
1
2
-a
0
2
P ( ) f � �
f � � f � �
9 f 9 f 9 f 2
���
P (�) f � �
b?
2
2
1
- b?
1
2
1
- b
0
1
f � � f � �
9 f 9 1
-a
1
1
2
-a
2
f � � f � �
9 f 9 2
- b
1
2
1
- b
2
The iterated functions f i and f j are present for all integers i, j 1
2
Figure 4: Relational Realizability Countermodel for (� ) ) _ ( ) �)
24
���
���
Suppose that there is one piece of evidence a0 for �, and another piece of evidence b0 for . Suppose also that a construction for (� ) ) _ ( ) �) must be communicated to both Jane Doe and Richard Roe. Suppose that Jane Doe understands our name for a0 as a correct name of evidence for �, but takes our name for b0 to refer to di�erent nonevidence bi6=0 depending on circumstances; Richard Roe understands our name for b0, but takes our name for a0 to refer to nonevidence aj6=0. No construction for � ) can be communicated to Jane Doe in such a way that she recognizes its correctness, and no construction for ) � can be communicated to Richard Roe so that he recognizes its correctness, so we cannot communicate to the community of our colleagues constructive evidence for (� ) ) _ ( ) �).
Relational realizability countermodels still lack the concreteness of the truth-table countermodels, they still depend on metacircumstances and the requirement that constructions be communicable in spite of noise, and they must be in nite to disprove even the simple formula (� ) ) _ ( ) �). To the good, they share with Lauchli countermodels the virtue of being single potential realities, without subjunctive or contingent components. And, they strengthen the intuitive force of Lauchli countermodels by demonstrating that no construction supporting an unprovable formula can be communicated in a way that generates common knowledge of its correctness as a construction supporting , even if we allow ambiguity as to the precise identity of the construction.
6 Proof of Soundness for Relational Realizability We conjecture that the Heyting calculus is complete for relational realizability semantics, and that the proof of completeness is constructive. The proof of completeness is work in progress. We have already proved soundness.
De nition 19 A sequent ? ` is valid for relational realizability if and only if, for every relational realizability model M = hD; U ; P; Ni, (1) implies (2) below:
25
1. there is a nite subset A � U� such that, for each noise function f 2 N , and each 2 ?, there exists an A 2 A with f^ (A) 2 P^ ( ) 2. there is a nite subset B � U� such that, for each noise function f 2 N , for some 2 , there exists a B 2 B with f^ (B ) 2 P^ ( ) Note that the condition above can be shown equivalent to: for every M, if the conjunction of ? holds in M, then the disjunction of holds in M.
De nition 20 Let M = hD; U ; P; Ni be a relational realizability model, M � N , A ^ � 2 PF , and A 2 U�. Then real� (M) = ff 2 Mj f^�(A) 2 P^ (�)g. Similarly, realDI (M) = ff 2 Mj f^I (D) 2 P^ (I )g. A subset P � N is a realizing subset for M if and only if there exist � 2 PF and A 2 U� such that P = realA� (N ), or there exists D 2 D such that P = realDI (N ). Lemma 4 Let M = hD; U ; P; Ni be a relational realizability model, � an 1
1
environment for M. 1. M; � j=n � ^ if and only if M; � j=n � and M; � j=n . 2. M; � j=n � _ if and only if there are two subsets N� ; N � N such that N� [ N = N , hD; U ; P; N� i; � j=n �, and hD; U ; P; N i; � j=n . 3. M; � j=n � ) if and only if, for every subset M � N , hD; U ; P; Mi; � j=n � implies hD; U ; P; Mi; � j=n . 4. M; � j=n � ) if and only if, for every A 2 U^� , hD; U ; P; realA�(M)i; � j=n . 5. M; � j=n � ) if and only if, for every a 2 U� , hD; U ; P; realf�ag(M)i; � j=n . 6. M; � j=n 8x : � if and only if, for every M � N and every D 2 D^ , f^I (D) 2 P^ (I ) implies hD; U ; P; Mi; � j=n �[D=x]. 7. M; � j=n 9x : � if and only if there is a D 2 D^ such that M; � j=n �[D=x]. 8. If there is a nite collection of subsets N1 ; : : :; Nm � N such that N1 [ ��� [ Nm = N and for each i � m hD; U ; P; Ni i; � j=n �, then M; � j=n �.
26
9. If ? ` � is valid, and � = f�1; : : : ; �ng, then
All of the equivalences above hold when the subets of N range over the realizing subsets for M. Similarly, the equivalences hold when the subsets of N range over a cover class C , where each realizing subset is the nite union of sets in C .
Proof: In all of the proof below, the environment � must be applied
systematically. So, let �0 = �(�), and 0 = �( ) to condense the notation.
1 ()) Assume M; � j=n � ^ . By De nitions 16 and 18, there is a C 2 U^�0^ 0 such that, for all f 2 N f^�0^ 0 (C ) 2 P^ (�0 ^ 0). Let C = fhA ; B i; : : : ; hAn; Bn ig. De ne C� = fA ; : : :; Ang and C = fB ; : : :; Bn g. De ne A = S C�, B = S C . Since C� is a nite set of nite subsets of U�0 , the union A of C� is also a nite subset of U�0 , that is, A 2 U^�0 . For each f 2 N , f^�0^ 0 (C ) 2 P^ (�0 ^ 0), so there is a tuple hAi; Bii such that f�0^ 0 (hAi; Bii) 2 P (�0 ^ 0). By De nition 16 of f and f^, f^�0 (Ai) 2 P^ (�0); applying the de nition again, there is an a 2 Ai such that f�0 (a) 2 P (�0 ). But, a 2 A as well, so f^�0 (A) 2 P^ (�0). A symmetric argument shows that B 2 U^ 0 and f^ 0 (B ) 2 P^ ( 0). Therefore, M; � j=n A: � and M; � j=n B : . 1
1
1
1
1 (() Conversely, assume M; � j=n A: � and M� j=n A: �. For each f 2 N , f^�0 (A) 2 P^ (�0) and f^ 0 (B ) 2 P^ ( 0). So, f^�0^ 0 (fhA; B ig) = ff�0^ 0 (hA; B i)g = fhf^�0 (A); f^ 0 (B )ig 2 P^ (�0 ^ 0). Therefore, M; � j=n fhA; B ig: � ^ . 2 ()) Assume M; � j=n C : � _ . By De nition 18, for each f 2 N , f^�0_ 0 (C ) 2 P^ (�0 _ 0). Write SfA ; : : :; Amg, C = fh 0 ; A i ; : : : ; h 0 ; A i ; h 1 ; B i ; : : :; h 1 ; B ig . De ne A = m n B = SfB ; : : : ; Bng. Let N� = ff 2 N j f^�0 (Ai) 2 P^ (�0) for some i � mg and N = ff 2 N j f^ 0 (Bj ) 2 P^ ( 0) for some j � ng 1
1
1
1
Claim: hD; U ; P; N� i j=n A: �. Clearly, A 2 U^�0 (same argument as in 3 above). For each f 2 N�, there is an A0 2 C� such that f^�0 (A0) 2 P^ (�0). Since A0 � A, f^�0 (A) 2 P^ (�0). 27
Claim: hD; U ; P; N i j=n B : . Symmetric to the argument above. Claim: N� [ N = N. Let f 2 N . By assumption, f^�0_ 0 (C ) 2 P^ (�0 _ 0). So, there is a c 2 C such that f�0_ 0 (c) 2 P (�0 _ 0). c must be of the form h0; A0i with f^�0 (A0) 2 P^ (�0), or c is of the form h1; B 0i, with f^ 0 (B 0) 2 P^ ( 0). In the rst case, f 2 N�; in the second case, f 2 N . 2 (() Assume hD; U ; P; N� i; � j=n A: � and hD; U ; P; N i; � j=n B : , where N� [ N = N . Let f 2 N be arbitrary. f^�0_ 0 (fh0; Ai; h1; B ig) = ff�0_ 0 (h0; Ai); f�0_ 0 (h1; B i)g = fh0; f^�0 (A)i; h1; f^ 0 (B )ig If f 2 N�, then f^�0 (A) 2 P^ (�0), so f�0_ 0 (h0; Ai) 2 P (�0 _ 0), so f^�0_ 0 (fh0; Ai; h1; B ig) 2 P^ (�0 _ 0). By de nition, hD; U ; P; Ni� j=n fh0; Ai; h1; B ig: � _ . A symmetric argument holds when f 2 N . 3 ()) Assume that M; � j=n C : � ) , that M � N , and that hD; U ; P; Mi j=n A: �. Let C = fc ; : : :; cng. For each 1 � i � n, choose Bi such that A[ci]Bi (there is such a Bi because ci is entire from U^�0 to U^ 0 , and nite choice is allowed by Lemma 2). De ne B = B [ ��� [ Bn . Let f 2 N be an arbitrary noise function. f^�0) 0 (C ) 2 P^ (�0 ) 0), so for some ci 2 C , f�0) 0 (ci) 2 P (�0 ) 0). By de nition of f�0) 0 , f^�0 (A)[f�0) 0 (ci)]f^ 0 (Bi). Since f^�0 (A) 2 P^ (�0), and since f�0) 0 (ci) is reliable from P^ (�0) to P^ ( 0), f^ 0 (Bi) 2 P^ ( 0). Since Bi � B , f^ 0 (B ) 2 P^ ( 0) as well. So, hD; U ; P; Mi; � j=n B : . 1
1
3 (() Conversely, assume that, for every subset M � N , if hD; U ; P; Mi; � j=n � then AhD; U ; P; Mi; � j=n . De ne c 2 U�0) 0 by c = fhA; B ij hD; U ; P; real�0 (N )i j=n B : g. The assumption guarantees that c is entire from U^�0 to U^ 0 (let M = realA�0 (N )). Let f 2 N be an arbitrary noise function, and let A 2 P^ (�0), B 2 U^ 0 be arbitrary realizers
such that A[f�0) 0 (c)]B. By de nition of f�0) 0 , f^�?0 (A)[c]f^ ?0 (B ) (f ? is well-de ned because noise is required to be injective). By the de nition of c ?1 above, since f 2 realf�0 A (N ), B = f^ 0 (f^ ?0 (B )) 2 P^ ( 0). So, f�0) 0 (c) is reliable from P^�0 to P^ 0 . Therefore, M j=n ; �fcg: � ) . 1
^
( )
1
28
1
1
4 Follows from inspection of the proof of 3. 5 Straightforward. 6 ()) Assume that M; � j=n R: 8x : �, M � N , D 2 D^ , and that f^I (D) 2 P^ (I ). Then hD; U ; P; Mi; � j=n R: 8x : �. Write R = fr ; : : : ; rng. For each 1 � i � n, choose Bi such that D[ri]Bi (there is such a Bi because ri is entire from D^ to U^�0 D=x , and because nite choice is allowed by Lemma 2). De ne B = B [ ��� [ Bn . Let f 2 N be an arbitrary noise function. f^8x : �0 (R) 2 P^ (8x : �0), so for some ri 2 R, f8x : �0 (ri) 2 P (8x : �0). 1
[
]
1
By de nition of f8x : �0 , f^I (D)[f8x : �0 (ri)]f^�0 D=x (Bi), hence f^�0 D=x (Bi) 2 P^ (�0[D=x]). Since Bi � B , we also have f^�0 D=x (B ) 2 P^ (�0[D=x]). Therefore, hD; U ; P; Mi; � j=n B : �[D=x]. [
[
]
[
]
]
6 (() Conversely, assume that, for every subset M � N , and every D 2 D^ , if f^I (D) 2 P^ (I ) then hD; U ; P; Mi; � j=n �[D=x]. De ne r 2 U8x : �0 by r = fhD; B ij hD; U ; P; realDI (N )i j=n B : �0[D=x]g. The assumption guarantees that r is entire from D^ to U^�0 D=x . Let f 2 N be an arbitrary noise function, and let D 2 P^ (I ), B 2 U^�0 D=x be arbitrary realizers such [
]
[
]
that D[f8x : �0 (r)]B. By de nition of f8x : �0 , f^I? (D)[r]f^�?0 D=x (B ). By the ?1 de nition of r above, since f 2 realIf D (N ), B = f^�0 D=x (f^�?0 D=x (B )) 2 P^ (�0[D=x]). So, f8x : �0 (r) is reliable from P^I to P^�0 D=x . Therefore, M; � j=n frg: 8x : �. 1
^
[
[
]
1 [
(
1 [
]
)
]
]
7 ()) Assume M; � j=n C : 9x : �. By De nition 18, for each f 2 N , C = fhD ; A i; : : : ; hDm ; Amig. De ne f^9x : �S0 (C ) 2 P^ (9x : �0). Write S D = fD ; : : : ; Dmg, A = fA ; : : :; Amg. D 2 D^ since each Di 2 D^ . Similarly, A 2 A^�0 . For each f 2 N , f^9x : �0 (C ) 2 P^ (9x: : �0). So, there is a tuple hDi ; Aii 2 C such that f9x : �0 (hDi ; Aii) 2 P (9x : �0). So, f^�0 Di=x (Ai) 2 P^ (�0[Di=x]). Since Di � D and Ai � A, f^�0 D=x (A) 2 P^ (�0[D=x]). Therefore, M; � j=n A: �0[D=x]. 1
1
1
1
:
[
[
]
]
7 (() Conversely, assume that M; � j=n A: �[D=x]. For each f 2 N , f^�0 D=x (A) 2 P^ (�0[D=x]). So, f^9x : �0 (fhD; Aig) 2 P^ (9x : �0). Therefore, M; � j=n fhD; Aig: 9x : �. [
]
29
8 If hD; U ; P; Ni i; � j=n Ai: � then M; � j=n Si Ai: �. Lemma 4 2 Theorem 5 If a sequent ? ` is derivable, then it is valid. Proof: Straightforward induction on the length of the derivation, using
Lemma 4 at each step.
Theorem 5 2 Lemma 4 may also be used to construct from each relational realizability model an elementarily equivalent Beth model. Let M = hDR ; U ; P; Ni be a relational realizability model. De ne the Beth model [26, 7] B = hDB ; W ; �; �; Covi by W = P (N ), DB = D^R. The forcing relation is given by �w;�(�) if and only if hDR ; U ; P; wi; � j=n �S. Cov � W � AW is a binary predicate given by Cov(w; S ) if and only if S = w. By Lemma 4 clause 8, this is a legal cover predicate for a Beth model. It is straightforward to show that B is elementarily equivalent to M.
7 Directions for Further Research
� Extend Lauchli and relational realizability models to higher-order lan-
guages, and prove soundness and completeness for appropriate formal systems of proof. As the language gets more powerful, the necessary conditions for uniform constructibility should get stronger in order to characterize intuitively constructive truth. � Completeness guarantees that every valid formula is provable, but it does not address the brevity, computational e�ciency, or other quality of a constructive proof besides the formula that is proved. Adapt the characterization of de nability in typed lambda calculus [22, 17] to Lauchli and relational realizability models. Investigate more expressive proof calculi that prove the same theories as the Heyting calculus, but provide better constructions in some technical sense such as brevity or computational e�ciency. 30
� The now conventional approach to giving semantics for modal logics is
to design models consisting of systems of possible worlds with an accessibility relation [13]. Modal operators are de ned to make assertions about the possible worlds that are connected to the actual one (for example, knowledge is often de ned as truth in all accessible worlds). Another approach is to interpret modal operators within realizability models as additional constraints on the realizers. Design modal realizability models to generate the traditional theories of various modal logics, and also other theories that have not been explained by possible worlds. For example, design models for the logic of knowledge that avoid the well-known paradoxes of possible-worlds interpretations. � Make Lauchli models classical by letting every set-theoretic object in P (�) be a realizer for �. Add two modal operators, + and *. De ne P (+�) to be the invariant objects in P (�), and P (* �) to be f0g if P (�) contains an invariant, ; otherwise. In a reasonable sense, +� expresses the constructive content of � within classical logic, and * � expresses the classical content of � within constructive logic. What is the theory of this modal system? Clearly +� is valid if and only if � is constructively valid. Contrast this behavior with the usual encoding of constructive logic into the classical modal logic of necessity, where the necessity mode is added to every subformula of � [27, 4]. Notice that � with + at every subformula is valid if and only if � is classically valid. The modal realizability approach appears to give a very di�erent combination of classical and constructive logic than the well-known one based on necessity in possible worlds. In the new view, constructive reasoning (where each entire construction is invariant) is pinned between two di�erent semantic interpretations of classical reasoning: one requiring no invariance, and the other requiring invariance at every level of the type hierarchy. � Characterize useful concepts of relevant implication [1] in realizability models. For example, in Lauchli realizability models a candidate de nition is � relevantly implies if and only if there is a function from P (�) to P ( ) that is an isomorphism on each orbit of P (�) (invariance requires only a homomorphism). Or, in relational realizability models, de ne relevant implication to require a relation on U^(�) to U (^ ) that 31
reliably maps the complement U^(�) ? P^ (�) to U^( ) ? P^ ( ), as well as P^ (�) to P^ ( ). � Consider variations on the usual logical connectives. For example, constructivists generally believe that � _ should be regarded as true only when there is a uniform construction realizing either � or , and we know which one is realized. That is why P (� _ ) is de ned to be the marked union of P (�) and P ( ). What if we introduce another connective, t, with P (� t ) = P (�) [ P ( )? � Characterize precisely the Kripke models that are natural translations of Lauchli realizability models. This relates to important open problems in the relation between group theory and lattice theory.
References [1] Allan Ross Anderson and Nuel D. Belnap. Entailment: the Logic of Relevance and Necessity, volume I. Princeton University Press, Princeton NJ, 1975. ~ Beth. The Foundations of Mathematics, A Study in the Philosophy [2] E.W. of Science. Studies in Logic and the Foundations of Mathematics. NorthHolland Publishing Company, Amsterdam, 1959. [3] H. B. Curry and R. Feys. Combinatory Logic Volume I. Studies in Logic and the Foundations of Mathematics. North-Holland Publishing Company, Amsterdam, 1958. [4] M. A. E. Dummett. Elements of Intuitionism. Oxford University Press, 1977. [5] M. C. Fitting. Intuitionistic Logic, Model Theory, and Forcing. Studies in Logic and the Foundations of Mathematics. North-Holland Publishing Company, Amsterdam, London, 1969. [6] J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989. 32
[7] R. Grayson. Forcing in intuitionistic set theory without power set. Journal of Symbolic Logic, 48:670{682, 1983. [8] A. Heyting. Die formalen Regeln der intuitionistischen Logik. Sitzungsberichte der Preussischen Academie der Wissenschaften, PhysikalischMatematische Klasse, pages 42{56, 1930. [9] W. A. Howard. The formulae-as-types notion of construction. In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 479{490. Academic Press, 1980. [10] S. C. Kleene. On the interpretation of intuitionistic number theory. The Journal of Symbolic Logic, 10(4):109{124, December 1945. [11] S. C. Kleene. Realizability. In A. Heyting, editor, Constructivity in Mathematics, pages 285{289. North-Holland Publishing Company, Amsterdam, 1959. Proceedings of the Colloquium Held in Amsterdam, August 26{31, 1957. [12] S. C. Kleene and R. E. Vesley. The Foundations of Intuitionistic Mathematics, Especially in Relation to Recursive Functions. Studies in Logic and the Foundations of Mathematics. North-Holland Publishing Company, Amsterdam, London, 1965. [13] S. A. Kripke. Semantical analysis of modal logic I: Normal modal propositional calculi. Zeitschrift fur Mathematische Logik und Grundlagen der Mathematik, 9:67{96, 1963. [14] S. A. Kripke. Semantical analysis of intuitionistic logic, I. In J. N. Crossley and M. A. E. Dummett, editors, Formal Systems and Recursive Functions, pages 92{130. North-Holland Publishing Company, Amsterdam, 1965. Proceedings of the Eighth Logic Colloquium, Oxford, July 1963. [15] Stuart A. Kurtz, John C. Mitchell, and Michael J. O'Donnell. Connecting formal semantics to constructive intuitions. In J.P~ . Myers and M.~J. O'Donnell, editors, Constructivity in Computer Science, volume 613 of 33
Lecture Notes in Computer Science, pages 1{21, Berlin, 1992. SpringerVerlag. Proceedings of the Summer Symposium, San Antonio, TX, June 1991.
[16] H. Lauchli. An abstract notion of realizability for which intuitionistic predicate calculus is complete. In A. Kino, J. Myhill, and R. E. Vesley, editors, Intuitionism and Proof Theory, Studies in Logic and the Foundations of Mathematics, pages 277{234. North-Holland Publishing Company, Amsterdam, London, 1970. Proceedings of the Conference on Intuitionism and Proof Theory, Bu�alo, New York, August 1968. [17] J. C. Mitchell. Type systems for programming languages. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, Volume B, pages 365{458. North-Holland, Amsterdam, 1990. [18] Andrew M. Pitts. Poloymorphism is set-theoretic, constructively. In D. Pitt, editor, Proceedings of the Conference on Category Theory and Computer Science, Edinburgh, 1987, volume 283 of Lecture Notes in Computer Science, pages 12{39, Berlin, 1987. Springer-Verlag. [19] D. Prawitz. Natural Deduction. Almqvist & Wiksell, Stockholm, 1965. [20] John C. Reynolds. Polymorphism is Not Set-Theoretic, volume 173 of Lecture Notes in Computer Science, pages 145{156. Springer-Verlag, Berlin, 1984. [21] G. F. Rose. Propositional calculus and realizability. Transactions of the American Mathematical Society, 75:1{19, July{September 1953. [22] R. Statman. Logical relations and the typed lambda calculus. Information and Control, 65:85{97, 1985. [23] Soren Stenlund. Combinators, �-terms, and Proof Theory. D. Riedel Publishing Company, Dordrecht-Holland, 1972. [24] Alfred Tarski. Poj�ecie prawdy w j�ezykach nauk dedukcyjnch. Prace Towarzystwa Naukowego Warzawskiego, 1933. English translation in [25]. 34
[25] Alfred Tarski. Logic, Semantics, and Metamathematics. Oxford University Press, 1956. [26] A. S. Troelstra and D. van Dalen. Constructivism in Mathematics: an Introduction. Studies in Logic and the Foundations of Mathematics. North-Holland, 1988. [27] D. van Dalen. Intuitionistic logic. In D. Gabbay and F. Guenther, editors, Handbook of Philosophical Logic III, pages 225{339. D. Reidel, Dordrecht, 1986. [28] L. Wittgenstein. Tractatus logico-philosophicus. Annalen der Naturphilosophie, 1921. English translation in [29]. [29] L. Wittgenstein. Tractatus Logico-Philosophicus. Routledge and Kegan Paul, 1961.
35
