Natural Deduction Language

Konstantine Arkoudas

August 7, 2004

Contents

1.1 What is NDL? . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Installing NDL . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Interacting witn NDL . . . . . . . . . . . . . . . . . . . . . . 3

1.3.1 Using the GUI . . . . . . . . . . . . . . . . . . . . . . 31.3.2 Using NDL in batch mode . . . . . . . . . . . . . . . . 41.3.3 Loading files from the GUI . . . . . . . . . . . . . . . . 4

1.4 Input phrases . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.5 NDL scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.6 Signature declarations . . . . . . . . . . . . . . . . . . . . . . 51.7 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.8 Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.9 Proof syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.10 Proof semantics . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.10.1 The assumption base . . . . . . . . . . . . . . . . . . . 111.10.2 Rule applications . . . . . . . . . . . . . . . . . . . . . 121.10.3 Rules dealing with equality . . . . . . . . . . . . . . . 151.10.4 Composite proofs . . . . . . . . . . . . . . . . . . . . . 161.10.5 Conditional proofs . . . . . . . . . . . . . . . . . . . . 171.10.6 Proofs by contradiction . . . . . . . . . . . . . . . . . . 171.10.7 Conclusion-annotated proofs . . . . . . . . . . . . . . . 181.10.8 Quantifier reasoning . . . . . . . . . . . . . . . . . . . 18

1.11 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

1.1 What is NDL?

NDL (Natural Deduction Language) is a formal language for expressing“Fitch-style” natural-deduction proofs [3] in first-order logic with equality.The proofs are machine-checkable. NDL is a “formal” language in that it has

1

a formal syntax, and, more importantly, a formal semantics. The semanticsare given in Plotkin’s SOS1 style and are centered around the notion ofassumption bases, which is the hallmark of a whole family of proof languagesknown as DPLs (Denotational Proof Languges) [1]. NDL is a simple DPL2

for first-order logic.An assumption base is just a set of premises—a set of statements that we

take for granted for the purposes of the proof. This is traditionally known inlogic as a “context,” a notion that has been around for a while, in particularin connection with sequent systems, where the basic unit of inference is a pair(β, F ) consisting of a context and a conclusion. What is novel about DPLsis that the formal meaning—denotation—of a DPL proof is specified relativeto a given assumption base (context). That is, the meaning of a DPL proofis a function over assumption bases, in the same way that in denotationalsemantics the meaning of an imperative program is a function over stores.This turns out to be an apt viewpoint that is particularly conducive to givinga rigorous semantics to Fitch-style natural deduction. Unlike sequent sys-tems, where the manipulation of the context is explicit and burdens the user,the manipulation and threading of the context in systems such as NDL isimplicit and relegated to the underlying semantics—again, much as the ma-nipulation and threading of the store in imperative languages is hidden fromthe user.

In a DPL, every proof has a unique formal meaning. If the proof is sound,then its meaning is the conclusion established by the proof; if the proof isunsound, then its meaning is error. To obtain that meaning, we evaluatethe proof in a given assumption base. Evaluation will either produce theadvertised conclusion, which will verify that the proof is sound, or else itwill generate an error, which will indicate that the proof is unsound. Thusin DPLs evaluation is tantamount to proof checking. In NDL, in partic-ular, evaluation—and hence proof-checking—is guaranteed to terminate inquadratic time in the length of the proof (in the worst case).

This tutorial pertains to a graphical Java-based implementation of NDL.Versions are available for Windows, Linux, and the Mac operating systems.They can be obtained from the NDL web page:

www.cag.lcs.mit.edu/~kostas/dpls/ndl

and distributed in accordance with GPL, the copyright licence of GNU.

1“SOS” stands for “structured operational semantics.”2Technically, NDL is a type-α DPL [2].

2

1.2 Installing NDL

Note: You must have Java installed in your system in order to install andrun NDL.

Create a directory called ndl on your hard drive, download the appropri-ate distribution there, unpack it, and then type ndl at your system’s prompt(or ./ndl if you are on a Unix system). If there are any problems or toreport any bugs, email me at konstantine@alum.mit.edu.

1.3 Interacting witn NDL

1.3.1 Using the GUI

From top to bottom, the main window of NDL consists of:

• The menu bar, which has four items: File, Edit, Options, and Help.

• The input area, which is a scrollable text buffer for user input.

• The two buttons Process and Clear; and

• the output area, which is an uneditable text buffer where the systemprints out its responses.

Typically, the user interacts with the program as follows:

1. The user types one or more input phrases P1 · · ·Pn in the input area.Optionally, the phrases may be separated by periods. Section 1.4 spec-ifies what are the possible input phrases.

2. The user presses the Process button.

3. The program sequentially processes the phrases contained in the inputarea, and prints the results in the output area.

4. The user presses the Clear button to clear the input and output areas,and the process starts anew with step 1.

3

1.3.2 Using NDL in batch mode

It is not necessary to use the graphical interface of NDL. Instead, onecan invoke NDL in so-called “batch mode.” Let’s assume that the currentdirectory is the NDL directory (c:\ndl in a Windows system, or ~/ndl ina Unix system). Then if file foo contains a NDL script (see section 1.5),then typing ndl foo at a DOS prompt (or ./ndl foo at a Unix prompt)will load the file foo, process the various NDL phrases in it sequentially,and display the results to the standard output device (usually the screen).The user can choose to redirect the output to a file instead of the screen byspecifying a second file name as the last command-line argument to NDL,as in ndl foo.in foo.out. Note that any previous contents of foo.out willbe lost.

1.3.3 Loading files from the GUI

Another way to process the contents of an entire file containing a NDL scriptis to choose Load from the File option of the main menu, and then use thegraphical interface to browse your directory and select the appropriate file.Loading a file has the effect of opening up the file and processing all thephrases contained in it sequentially, sending the results to the output textarea.

1.4 Input phrases

An input phrase is one of the following:

1. A deduction D. The syntax and semantics of deductions will be coveredin Section 1.9 and Section 1.10, respectively. (Terminological note: inthis document the terms “deduction” and “proof” will be used inter-changeably.)

2. A signature declaration. These are covered in Section 1.6.

3. An assertion. This is simply a string of the form

assert F1, . . . , Fn

where each Fi is a formula (formulas are discussed in Section 1.8).

4

1.5 NDL scripts

A script is a sequence of phrases (signature declarations and/or assertionsand/or deductions), possibly separated by periods. The following is a samplescript:

Constants Mary, Tom.

Functions f:1, g:2.

Relations P:1, Q:1, loves:2.

assert (forall x (Tom loves x)).

assume Mary loves Tom

begin

specialize (forall x (Tom loves x)) with Mary;

both Tom loves Mary, Mary loves Tom

end

Here Constants Tom, Mary introduces Tom and Mary as constant sym-bols. The phrase Functions f:1, g:2 declares f and g to be function sym-bols of arity 1 and 2, respectively. Similarly, the declaration Relations P:1,

Q:1, R:2 declares P and Q to be unary relation symbols (of arity 1) and loves

to be a binary relation symbol (of arity 2). The keyword assume marks thebeginning of a deduction; we will cover deductions in Section 1.9.

1.6 Signature declarations

A signature is a collection of constant symbols and/or fuction symbols and/orrelation symbols. Lexically, symbols are just identifiers, where an identifierwill be understood as any finite sequence of letters, digits, or underscores (_)that begins with a letter.3

Constant symbols c1, . . . , cn for any n > 0 can be introduced with thephrase

Constants c1, . . . , cn

3With the exception of some predefined symbols such as numerals, =, +, etc.

5

For example:Constants pi, joe, ann, d23

Function symbols f1, . . . , fn can be introduced with the phrase

Functions f1:r1, . . . , fn:rn

where ri is the arity of fi (the number of arguments that must be suppliedin an application of fi). Example:

Functions father:1,average:2

Here average is declared to be a binary function symbol, and father a unaryone.

Relation symbols R1, . . . , Rn can be introduced with the phrase

Relations R1:r1, . . . , Rn:rn

where again ri is the arity of Ri. For instance, the phrase

Relations male:1, likes:2, between:3

declares male to be a unary relation, likes to be a binary relation, andbetween to be a ternary one.

Symbols can also be introduced via the GUI, by choosing Signature

under Options at the top menu bar.NDL comes with certain predefined symbols:

1. Predefined constant symbols: All numerals 0, 1, 2, . . .

2. Predefined unary function symbols: ^,!,++, --,$, @,?

3. Predefined binary function symbols: +, -, *, /, %,@

4. Predefined binary relation symbols: =, !=, <, <=, >, >=, ==, &&,||

Note that NDL will ignore any attempts to redeclare a symbol that hasalready been introduced.

The user can inspect the current signature at any given time by choosingOptions followed by View current signature from the top menu bar.

6

1.7 Terms

A variable is any identifier that is neither a reserved word (such as assume

or exists) nor a symbol (constant, function, or relation). We will use theletters x, y, z, and w as typical variables.

A term is either a constant symbol, or a variable, or else it is an expressionof the form f(t1,...,tn), where f is a function symbol of arity n and eachti is a term. We will use the letters s and t as typical variables.

For instance, joe, father(joe), and average(x,y) are all legal terms.NDL allows infix syntax for all binary function symbols, e.g. x average y

and 2 + 5 are alternative notations for average(x,y) and +(2,5). Subex-pressions in nested infix applications must be parenthesized, e.g., 2 * (5 + x).

1.8 Formulas

There are three types of formulas in NDL: atomic formulas (or simplyatoms); sentential formulas; and quantified formulas. We explain each inturn:

1. An atom is either the constant true; or the constant false; or else itis of the form R(t1,. . .,tn), where R is a relation symbol of arity n andt1, . . . , tn are terms. An example of an atom is between(x,y,z). Infixnotation is allowed in the case of binary relation symbols, for instance

foo = 2

x * 3 < 15

father(joe) loves mary

2. A sentential formula is either:

(a) a negation ~F for any formula F ;

(b) a conjunction F1 & F2 for any formulas F1, F2;

(c) a disjunction F1 \/ F2 for any formulas F1, F2;

(d) a conditional F1 ==> F2 for any formulas F1, F2; or

(e) a biconditional F1 <==> F2 for any formulas F1, F2.

7

The negation sign ˜ binds tighter than all other four connectives. Con-junctions and disjunctions have equal precedence, bind tigher than con-ditionals and biconditionals, and associate to the right. Conditionalsand biconditionals have equal precedence and associate to the right.Accordingly,

A & ~B \/ C ==> D & E

is parsed as[A & ((~B) \/ C)] ==> [D & E]

To override these conventions, use parentheses or square brackets.

3. A quantified formula is either of the form (forall x F) (a universalquantification); or (exists x F) (a existential quantification) for anyvariable x and formula F . Brackets can also be used for grouping, sowe can write [exists x F] instead of (exists x F).

We will use the letters F and G as typical formulas.We assume the reader is familiar with notions such as free and bound

variable occurrences. These are defined in the standard way. Two formulasare said to be alphabetically equivalent iff each can be obtained from theother by consistently renaming bound variables. Alphabetically equivalentformulas will be viewed as identical. We write F [x 7→ t] to denote theformula obtained from F by replacing every occurrence of x in it by the termt, renaming bound variables if necessary in order to avoid variable capture.

1.9 Proof syntax

The following grammar describes the syntax of NDL proofs:

D ::= RuleApp | assume F D | suppose-absurd F D | D1;D2

| F BY D | begin D end

| pick-any x D

| pick-witness w for (exists x F) D

| specialize (forall x F) with t

| ex-generalize (exists x F) from t

| cong f(s1,...,sn) = f(t1,...,tn) from s1 = t1,...,sn = tn

| rel-cong R(t1,...,tn) from R(s1,...,sn),s1 = t1,...,sn = tn

8

where the syntax of inference rule applications is as follows:

RuleApp ::= modus-ponens F ==> G,F

| modus-tollens F ==> G,~G

| double-negation ~ ~F

| absurd F,~F

| left-and F & G

| right-and F & G

| both F,G

| left-either F,G

| right-either F,G

| cases F1 \/ F2,F1 ==> G,F2 ==> G

| left-iff F <==> G

| right-iff F <==> G

| equiv F ==> G,G ==> F

| ref t

| swap s = t

| tran t1 = t2,t2 = t3

Proofs of the form D1;D2 are called composite. Proofs of the form

assume F D

are called conditional (or hypothetical) proofs. The formula F is called thehypothesis and the subproof D is called the body of the conditional proof.We say that the body D represents the scope of the hypothesis F . Proofs ofthe form suppose-absurd F D are called proofs by contradiction. As withconditional proofs, F is called the hypothesis and D—the scope of F—iscalled the body. Proofs of the form

pick-any x D

are called universal generalizations. We refer to the variable x as an eigen-variable. Proofs of the form

pick-witness w for (exists x F) D

9

are called existential specializations. We refer to the variable w as the witnessvariable; we also say that w is an eigenvariable. Proofs of the form

specialize (forall x F) with t

are called universal specializations , while proofs of the form

ex-generalize (exists x F) from t

are called existential generalizations. Proofs of the form F BY D are calledconclusion-annotated proofs.

assume, suppose-absurd, pick-any, pick-witness, and BY all bindtighter than the composition operator ;. For example,

assume A claim A; claim true

is parsed as the composition of assume A claim A and claim true, notas the hypothetical proof with A as the hypothesis and the compositionclaim A; claim true as the body.

The composition operator ; associates to the right, meaning that

D1;D2;D3

is parsed asD1;(D2;D3) (1.1)

and not as(D1;D2);D3 (1.2)

This is an important convention, because proof composition in NDL is notassociative—proofs (1.1) and (1.2) do not have the same semantics. This willbecome more clear in the sequel.

These conventions can be overriden by using begin–end pairs.Finally, we note that pick-any and pick-witness are variable-binding

constructs; they introduce variable scope. In particular, in a deduction of theform

pick-any x D

we say that the scope of the eigenvariable x is the deduction D. And in adeduction of the form

pick-witness w for (exists x F) D

10

we say that the scope of the witness variable w is D. Two deductions thatonly differ in the names of their bound eigenvariables are condidered identical.For instance, the two deductions

pick-any x

pick-any y

assume x = y

swap x = y

and

pick-any foo1

pick-any foo2

assume foo1 = foo2

swap foo1 = foo2

are considered identical.We can define a notion of substitution (free variable occurrence replace-

ment) for deductions much as we do for formulas. Specifically, for any deduc-tion D, variable x and term t, we define {x 7→ t}D as the deduction obtainedfrom D by replacing every free occurrence of x inside D by t, possibly renam-ing bound eigenvariables to avoid variable capture. For a rigorous definitionrefer to Chapter 6 of [1].

1.10 Proof semantics

1.10.1 The assumption base

NDL maintains a global set of formulas called the assumption base. We canthink of the elements of the assumption base as our premises—formulas thatwe regard as true. Initially the system starts with the empty assumptionbase. Every time an assertion is made or a theorem is proved, the corre-sponding formula is inserted into the assumption base. We will use the letterβ to designate a typical assumption base. In what follows we describe theassumption-base semantics of each possible type of NDL proof.

A key idea behind NDL is that the meaning of a proof is a functionover assumption bases. Put more plainly, the meaning of a proof dependson what assumption base we evaluate that proof in. This is similar to howthe meaning of an imperative program is formally captured. We say that the

11

meaning of x := y + 3; is a function over stores. That is, the result we getby executing this instruction depends on (or “is relative to”) a given store.

Note: the assumption base can be inspected at any point by selectingOptions and then View assumption base from the top menu bar.

1.10.2 Rule applications

Perhaps the simplest inference rule of NDL is claim, a unary “reiteration”rule which takes one formula F as its sole argument. If the argument F is inthe current assumption base, then claim simply returns F (i.e., it reiteratesF ). Otherwise, if F is not in the assumption base, then claim reports anerror.

Suppose, for example, that the current assumption base contains theformula male(joe) but does not contain the formula female(ann). Thenthe deduction claim male(joe) will succeed, eliciting the reply

Theorem: male(joe)

By contrast, the deduction claim female(ann) will fail, generating an errormessage of the form:

Evaluation error at line 3, position 27:

the claim female(ann) is not in the assumption base.

So the first claim succeeds, but the second fails. Note that NDL reportsthe precise position of the failed claim (say, line 3, column 27 for this hypo-thetical example). Also note that NDL pronounces the successful claim atheorem. In fact every time a proof is successfully evaluated at the top level,NDL reports the resulting formula as a theorem. There is a reason for this:It can be proved rigorously that if any NDL proof successfully produces aformula F in the context of an assumption base β, then F is a logical conse-quence of β. This is the main soundness guarantee provided by NDL, andit is the sense in which the result of a proof is understood to be a theorem.

One question about claim that comes up sometimes is this: If a formulaF is in the assumption base and we try to claim F ′, where F ′ is a variant of Fthat is logically equivalent to F but is not itself in the assumption base, willthe claim succeed? The answer is no. An application claim F will succeedif and only if F itself, as a syntactic object, is in the assumption base. For in-stance, suppose that F is the formula male(joe) and F ′ is true & male(joe)

12

where F is in the assumption base but F ′ is not. Then claim F will succeed,but claim F ′ will fail, even though F ′ is logically equivalent to F . Thereis a reason for this too: The problem of deciding whether two formulas arelogically equivalent is very difficult. If fact it is undecidable, meaning thatthere is no algorithm that could solve every instance the problem.

However, claim, like all other NDL rules, determines formula identityup to alphabetic equivalence. For instance, if F is

(forall x male(father(x)))

and F ′ is(forall y male(father(y)))

then claim F will succeed if and only if claim F ′ suceeds.All of the remaining inference rules can be can be classified either as

introduction or as elimination rules for one of the sentential connectives orquantifiers. Consider, for instance, conjunctions of the form F1 & F2. Thereare two elimination rules for conjunctions, left-and and right-and. Theformer will produce F1, the left part of the conjunction, while the latterwill produce F2, the right part. Specifically, if the conjunction F1 & F2

is in the current assumption base, then the application left-and F1 & F2

will produce the formula F1 as a result. If the conjunction is not in theassumption base, then the application will fail. The rule right-and worksexactly like left-and, save that it produces the right component of the givenconjunction.

It is instructive to compare NDL’s formulation of these inference ruleswith a more conventional presentation. For instance, the left conjunctionelimination rule is usually depicted graphically as follows:

` F1 & F2

` F1

This says that if the premise F1 & F2 above the horizontal line has alreadyshown to be a theorem (where theoremhood is signified by the turnstile ` ),then we may also derive F1 as a theorem. Or, more loosely, if we alreadyknow that F1 & F2 holds then we may conclude F1.

In the case of NDL, “F1 & F2 holds” boils down to no more and noless than it being in the assumption base. Therefore, the NDL semantics ofleft-and can be understood as saying that if F1 & F2 is in the assumptionbase, then we may conclude F1.

13

The semantics of a proof form D can often be expressed succinctly withjudgements of the form β ` D F , which can be read as follows:

Evaluating D in the context of assumption base β produces the conclusion F .

For instance, the semantics of left-and can be captured by the followingrule:

β ∪ {F1 & F2} ` left-and F1 & F2 F1 (1.3)

which says that applying left-and to a conjunction of the form F1 & F2 inany assumption base that contains this conjunction will produce the conclu-sion F1. Rule (1.3) can be viewed as a pattern that can give rise to differentrule instances depending on what particular values we choose to substitutefor β, F1, and F2. For instance, both of the following are instances of (1.3):

{true & true} ` left-and true & true true

{true, male(joe) & female(ann)} `left-and male(joe) & female(ann) male(joe)

The first is obtained from (1.3) via the substitution

β 7→ ∅, F1 7→ true, F2 7→ true

while the second is obtained through the substitution

β 7→ {true}, F1 7→ male(joe), F2 7→ female(ann).

The rule does not tell us what happens when the assumption base does notcontain the premise F1 & F2. We could explicitly introduce rules such as

β ` left-and F1 & F2 error

whenever (F1 & F2) 6∈ β

but we will instead tacitly understand that in all such cases the result willbe an error. We will follow that convention in the sequel when we come tostate other similar rules.

14

The semantics of rule applications are summarized below:

β ∪ {F} ` claim F F

β ∪ {F ==> G, F} ` modus-ponens F ==> G, F G

β ∪ {F ==> G, ~G} ` modus-tollens F ==> G, ~G ~F

β ∪ {~ ~F} ` double-negation ~ ~F F

β ∪ {F1, F2} ` both F1, F2 F1 & F2

β ∪ {F1 & F2} ` left-and F1 & F2 F1

β ∪ {F1 & F2} ` right-and F1 & F2 F2

β ∪ {F1} ` left-either F1, F2 F1 \/ F2

β ∪ {F2} ` right-either F1, F2 F1 \/ F2

β ∪ {F1 \/ F2, F1 ==> G, F2 ==> G} ` cases F1 \/ F2, F1 ==> G, F2 ==> G G

β ∪ {F1 ==> F2, F2 ==> F1} ` equiv F1 ==> F2, F2 ==> F1 F1 <==> F2

β ∪ {F1 <==> F2} ` left-iff F1 <==> F2 F1 ==> F2

β ∪ {F1 <==> F2} ` right-iff F1 <==> F2 F2 ==> F1

β ∪ {F, ~F} ` absurd F, ~F false

β ` true-intro true

1.10.3 Rules dealing with equality

There are five rules for equality reasoning:

1. ref (for equality reflexivity)

2. swap (symmetry)

3. tran (transitivity)

4. cong (functional congruence)

5. rel-cong (relational congruence)

15

The syntax of such rule applications was described in Section 1.9. Theirsemantics are as follows:

β ` ref s s = s

β ∪ {s = t} ` swap s = t t = s

β ∪ {t1 = t2, t2 = t3} ` tran t1 = t2, t2 = t3 t1 = t3

β ∪ {s1 = t1,...,sn = tn} ` cong f(s1,...,sn) = f(t1,...,tn) from s1 = t1,...,sn = tn

f(s1,...,sn) = f(t1,...,tn)

β ∪ {s1 = t1,...,sn = tn} ` rel-cong R(t1,...,tn) from R(s1,...,sn), s1 = t1,...,sn = tn

R(t1,...,tn)

1.10.4 Composite proofs

Composite proofs are used to link together multiple inference steps in sucha way that the conclusions of earlier deductions become available in subse-quent deductions. Specifically, to evaluate a composite proof D1; D2 in someassumption base β, we first evaluate D1 in β, obtaining some conclusion F1;and we then evaluate D2 in the augmented assumption base β ∪ {F1}. Thismeans that the conclusion of D1 becomes available (serves as a “lemma”)inside D2. The conclusion we obtain by evaluating D2 in β ∪ {F1} becomesthe conclusion of the entire composition D1; D2. This is formally specified asfollows:

β `D1 F1 β ∪ {F1} `D2 F2

β `D1; D2 F2

As an example, suppose we have the premise A & B & ~~C in the assumptionbase and we want to derive the conclusion C. This can be done in three steps:first we use right-and to obtain B & ~~C, then we use right-and again toobtain ~~C, and finally we use double-negation to get C. These three stepscan be put together using the semi-colon proof-composition operator:

right-and A & B & ~~C; // this puts B & ~~C in the a.b.

right-and B & ~~C; // this puts ~~C in the a.b.

double-negation ~~C // and finally we get C

Note that the convention that ; associates to the right is important in parsingthe above deduction correctly.

16

1.10.5 Conditional proofs

When mathematicians want to establish a conditional statement F1 ⇒ F2,they add the hypothesis F1 to the set of their current working assumptions β,and proceed to derive the desired conclusion F2. When the derivation of F2

is complete, F1 ceases to be an active assumption—it is “discharged”. Notethat the discharge is not explicitly made; mathematicians do not say “andnow we discharge F1.” Rather, the scope of the hypothesis F1 is lexicallyapparent by the division of the proof text into units such as paragraphs.

Conditional reasoning as described above is captured in NDL by proofsof the form assume F D. To evaluate such a proof in an assumption baseβ, we add the hypothesis F to β and proceed to evaluate the body D in theaugmented assumption base β ∪ {F}. Once we obtain a conclusion G, wereturn the implication F ==> G as the final result:

β ∪ {F} `D G

β ` assume F D F ==> G

As a simple example, here is a proof of A ==> A:

assume A

claim A

1.10.6 Proofs by contradiction

A common indirect technique for proving a statement F is to reason bycontradiction: we assume that F does not hold and proceed to show thatthis is an absurd hypothesis, in that it allows us to derive a contradiction.NDL models such reasoning with proofs of the form suppose-absurd F D.To evaluate such a proof in an assumption base β, we add the hypothesis Fto β and proceed to evaluate the body D in β ∪ {F}. If that produces thecontradiction false, then we return ~F as the conclusion:

β ∪ {F} `D false

β ` suppose-absurd F D ~F

Note that false can be derived if the assumption base contains two formulasof the form F and ~F : we can then apply the rule absurd to these two for-mulas and derive false (recall the semantics of absurd from Section 1.10.2).As a simple example, here is a proof of A ==> A:

17

assume A

suppose-absurd ~A

absurd A, ~A

1.10.7 Conclusion-annotated proofs

Sometimes a proof can be made more readable if we explicitly state at theoutset what the intended conclusion is. This is a common idiom in math-ematical reasoning, whereby authors will often say “We now derive F asfollows: · · · ”

In NDL we can declare the purported conclusion of the proof with theBY keyword. Specifically, a deduction of the form F BY D “promises” thatD will derive F . An error occurs if we evaluate D and obtain some otherconclusion instead. The formal semantics of such deductions are simple:

β `D F

β ` F BY D F

For instance, an alternative—and perhaps slightly more readable—way toexpress the previous example is the following:

assume A

suppose-absurd ~A

false BY absurd A, ~A

1.10.8 Quantifier reasoning

There are four remaining syntax forms in NDL, pick-any, specialize,pick-witness, and ex-generalize. These perform quantifier reasoning.Specifically, pick-any and ex-generalize perform universal and existentialquantifier introduction, respectively; while specialize and pick-witness

perform universal and existential quantifier elimination, respectively. Theirprecise assumption-base semantics are presented below.

Universal quantifier introduction

When they need to prove a universally quantified formula, say ∀ x .Even(x)∨Odd(x), mathematicians often reason as follows:

Consider an arbitrary x. Then · · ·

18

where · · · is a proof that establishes the claim for x—in this case a proof ofthe disjunction Even(x) ∨ Odd(x). The adjective “arbitrary” can be meta-physically misleading (leading one to believe in fictitious “arbitrary” objects),but nevertheless serves an important purpose: to emphasize that no specialassumptions about x can be made.

If we analyze this reasoning in terms of programming language theory,we see that what is inside the dots · · · is essentially a method for provingthat something is even or odd, parameterized over x. That is, a method thattakes any given term x and produces the conclusion Even(x) ∨ Odd(x). Tomake sure that no special assumptions are made about x, we need to applythis method to a fresh variable v: a newly generated term that has not beenseen or used before. If that succeeds in deriving Even(v) ∨ Odd(v) then weare entitled to conclude that everything has this property (of being even orodd). This idea can be succinctly captured by the following semantics:

β ` {x 7→ v}D F

β ` pick-any x D (∀v)F

provided v does not occur in β or in D.

The proviso that v must not occur in β or in D ensures that v is fresh.For example, consider the proof

pick-any x

ref x

To evaluate this proof in a given assumption base, we generate a fresh vari-able, say v85, and evaluate the body ref x with every free occurrence of xreplaced by v85. Hence, in this case we will evaluate ref v85. According tothe semantics of ref, the rule application ref v85 will yield the conclusionv85 = v85. Having finished evaluating the (renamed) body, the semanticsof pick-any tell us that we can now produce the universal quantification(forall v85 (v85 = v85)) as the final conclusion of the entire pick-any.

To make the result more readable, NDL will display this conclusion as(forall x (x = x)) instead of (forall v85 (v85 = v85)). That is, itwill alphabetically rename the result, replacing the fresh variable with theactual eigenvariable that was used (in this case x). This is sound becauserecall that NDL treats alphabetically equivalent formulas as identical, sothat

(forall v85 (v85 = v85))

19

and(forall x (x = x))

mean the exact same thing. In summary, if you evaluate this proof, NDLwill reply with

Theorem: (forall x (x = x)).

Universal quantifier elimination

If we know that something is true of everything, then we should be able toconclude that it is true of a particular individual t. This is called universalelimination because we go from statements of the form ∀ x . F to F [x 7→ t],thereby removing the universal quantifier. In NDL this is performed byspecialize, whose semantics are as follows:

β ∪ {(forall x F)} ` specialize (forall x F) with t F [x 7→ t]

It is an error if the universal quantification (forall x F) is not in the as-sumption base. As an example, if β contains (forall x male(father(x))),then

specialize (forall x male(father(x))) with ann

will produce the conclusion male(father(ann)).

Existential quantifier introduction

If we know that a particular object t has a certain property F , then weshould be able to conclude that there exists something that has the propertyF . This is called existential quantifier introduction. In NDL, it is performedwith proofs of the form

ex-generalize (exists x F) from t

whose semantics are as follows:

β ∪ {F [x 7→ t]} ` ex-generalize (exists x F) from t (exists x F)

For instance, assuming that the assumption base contains the atomic formulaodd(3), the deduction

ex-generalize (exists x odd(x)) from 3

will produce the conclusion (exists x odd(x)).

20

Existential quantifier elimination

Oftentimes when we know a statement of the form ∃ x . F , we reason asfollows: “We know that there is something for which F holds. Let w be aname for that something, so that F holds for w. Then · · · ” where · · · is aderivation of some conclusion G, presumably with the help of the assumptionthat F holds for w, i.e., the premise F [x 7→ w]. It is customary to refer tow as a witness, and to the formula F [x 7→ w] as the witness premise. Nospecial assumptions about the witness w must be made. It must serve onlyas a “dummy”—any other name should do just as well. In particular, thewitness should not occur in the final conclusion G.

This form of reasoning is captured in NDL with deductions of the form

pick-witness w for (exists x F) D

Their semantics are as follows:

β ∪ {F [x 7→ v]} ` {w 7→ v}D G

β ` pick-witness w for (exists x F) D G

provided v does not occur in β, in D, or in G.

Here v is a freshly generated variable, which helps to ensure that the witnessis used only as a dummy.

1.11 Examples

Below are the verbatim contents of the file examples.ndl that comes withthe NDL distribution. The user can load this file all at once and observethe output, or experiment by cutting and pasting bits and pieces. Regardingcomments: everything from a double slash // all the way to the end of theline is ignored.

//********************************************************************//********************************************************************//// Some examples illustrating proofs in NDL.//// Copyright (C) 2004 Konstantine Arkoudas <konstantine@alum.mit.edu>// Licensed under the terms of the GNU GPL.

21

//// Last modified on August 6, 2004.////********************************************************************//********************************************************************

// We begin by introducing a small "signature": a few// relation symbols and a couple of constant symbols.// The notation S:n indicates that the arity of the// symbol S is n.

Relations P:1, Q:1, R:2, S:1, T:1, A:0, B:0.

Constants c, d.

//******************************************************// EXAMPLE 1//******************************************************

// The first proof derives the tautology// A & B ==> B & A

assume A & Bbegin

left-and A & B; // this gives Aright-and A & B; // this gives Bboth B, A // and finally this gets B & A

end

//******************************************************// EXAMPLE 2//******************************************************

// The second proof derives the tautology// (forall x P(x)) ==> ~ (exists x ~ P(x))//// E.g., if everything is red then there isn’t anything// that is NOT red.

22

assume (forall x P(x))suppose-absurd (exists x ~P(x))pick-witness w for (exists x ~P(x)) // we now have ~P(w)

beginP(w) BY pecialize (forall x P(x)) with w;absurd P(w), ~P(w)

end.

//******************************************************// EXAMPLE 3//******************************************************

// The third proof derives the tautology// [forall x P(x) & Q(x)] ==> [(forall y P(y)) & (forall y Q(y))]

assume [forall x P(x) & Q(x)]beginpick-any y

beginspecialize (forall x P(x) & Q(x)) with y;left-and P(y) & Q(y)

end;pick-any y

beginspecialize (forall x P(x) & Q(x)) with y;right-and P(y) & Q(y)

end;both (forall y P(y)), (forall (y) Q(y))

end

//******************************************************// EXAMPLE 4//******************************************************

// The fourth proof derives the tautology// ~ [forall x P(x)] ==> [exists x ~P(x)]//// I.e., if it’s not the case that everything is red, there must be// something that is not red. (Recall that in first-order logic the

23

// universe of discourse is always non-empty.)

assume ~(forall x P(x))beginsuppose-absurd ~(exists x ~P(x))

beginpick-any y

beginsuppose-absurd ~P(y)begin

ex-generalize (exists x ~P(x)) from y;absurd (exists x ~P(x)), ~(exists x ~P(x))

end;double-negation ~~P(y)

end;absurd (forall x P(x)), ~(forall x P(x))

end;double-negation ~~(exists x ~P(x))

end

//******************************************************// EXAMPLE 5//******************************************************

// The fifth proof derives the tautology// [forall x (forall y R(x,y))] ==>// [forall x (forall y R(y,x))]

assume (forall x (forall y R(x,y)))pick-any x1pick-any x2

beginspecialize (forall x (forall y R(x,y))) with x2;specialize (forall y R(x2,y)) with x1

end

//******************************************************// EXAMPLE 6//******************************************************

24

// The sixth proof derives the tautology// [forall x P(x) & Q(x)] ==>// [forall x Q(x) ==> T(x)] ==> (forall y T(y))

assume (forall x P(x) & Q(x))assume (forall x Q(x) ==> T(x))pick-any y

beginspecialize (forall x P(x) & Q(x)) with y;right-and P(y) & Q(y);specialize (forall x Q(x) ==> T(x)) with y;modus-ponens Q(y) ==> T(y), Q(y)

end

//******************************************************// EXAMPLE 7//******************************************************

// The seventh proof derives the tautology// [forall x P(y) ==> Q(x)] ==> [P(y) ==> (forall x Q(x))]//

assume (forall x P(y) ==> Q(x))assume P(y)pick-any z

beginspecialize (forall x P(y) ==> Q(x)) with z;modus-ponens P(y) ==> Q(z), P(y)

end

//******************************************************// EXAMPLE 8//******************************************************

// The eigth proof derives the tautology// [forall x P(x) ==> Q(x)] ==>// [exists x S(x) & P(x)] ==> [exists x Q(x) & S(x)]

25

assume (forall x P(x) ==> Q(x))assume (exists x S(x) & P(x))pick-witness z for (exists x S(x) & P(x))

beginright-and S(z) & P(z);specialize (forall x P(x) ==> Q(x)) with z;modus-ponens P(z) ==> Q(z), P(z);left-and S(z) & P(z);both Q(z), S(z);ex-generalize (exists y Q(y) & S(y)) from z

end

//******************************************************// EXAMPLE 9//******************************************************

// The ninth proof derives the tautology// [exists x (exists y R(x,y))] ==> [exists y (exists x R(x,y))]

assume (exists x (exists y R(x,y)))pick-witness x1 for (exists x (exists y R(x,y)))pick-witness y1 for (exists y R(x1,y))

beginex-generalize (exists foo R(foo,y1)) from x1;ex-generalize (exists y (exists x R(x,y))) from y1

end

26

Bibliography

[1] K. Arkoudas. Denotational Proof Languages. PhD dissertation, MIT, 2000.

[2] K. Arkoudas. Type-α DPLs. MIT AI Memo 2001-25.

[3] F. J. Pelletier. A Brief History of Natural Deduction. History and Philosophyof Logic, 20:1–31, 1999.

27