define predicate A by all x ( f(x) = 0 or f(x) = 1 ); define predicate I by all n ex k f( n + k ) = x; Note that in the definition of I, x is a free variable. The free variables determine the arity of the defined predicate, and can be instantiated by parameters. If P is a defined predicate, F is its defining formula and x¯ are the free variables of F, then the predicate definition is interpreted as 8x¯(P(x¯) () F). In our example, the predicate A is the assumption: All cells are labelled either 0 or 1. The predicate I(x) states that there are infinitely many cells labelled x.

We now turn to formalizing our example proof j. In LKDe, j is

(t) (e(0)) A ` I(0); I( 1 ) I(0) ` 9p9q(p 6= q ^ f (p) = f (q)) cut (e( 1 ))

A ` 9p9q(p 6= q ^ f (p) = f (q)); I( 1 ) I( 1 ) ` 9p9q(p 6= q ^ f (p) = f (q))

A ` 9p9q(p 6= q ^ f (p) = f (q)) cut Here t is a proof of the fact that either infinitely many cells are labelled 0, or infinitely many cells are labelled 1. The two applications of cut encode the application of two lemmas e(n) for n 2 f0; 1g: if there are infinitely many cells labelled n, then there are two cells labelled by the same number.

In HandyLK , we start the specification of the proof by giving an identifier, here we choose the name the-proof: define proof the-proof

proves A :- ex p ex q ( not p = q and f(p) = f(q) ); Now, we begin by specifying the inferences from the bottom up. In HandyLK , only the active formulas of a rule have to be specified, and no structural rules (except cut) have to be written down explicitly. The HLK compiler keeps track of the formulas used in the proof, and automatically inserts the structural rules necessary to be able to apply the rules specified by the user. The first inference in j is a cut, which is a binary rule. Due to the linear nature of the HandyLK language, one of the subproofs above the binary rule has to be referenced. The following proof reference clauses are available: by proof hproof i auto propositional hsequenti explicit axiom hsequenti The first clause gives the name of the subproof with which to continue, the second clause states that the subproof ends in a propositional tautology whose proof should be computed automatically, and the last clause asserts that the subproof consists solely of an axiom. In our example we reference the proof e( 1 ).

with cut I( 1 )

right by proof \epsilon( 1 ); This specifies an application of cut with cut formula I( 1 ), where the right subproof will be e( 1 ). In LKDe, this will be a rule application (e( 1 )) G ` D; I( 1 ) I( 1 ); P ` L

G; P ` D; L

cut where G; P; D; L will be populated by the appropriate formulas automatically by the HLK compiler.

We continue the HandyLK specification of this proof part with the left subproof of the first application of cut by encoding the second application: here, we reference both the left subproof t and the right subproof e(0). ; with cut I(0) left by proof \tau right by proof \epsilon(0); This completes the HandyLK specification of j — but to be able to actually compile the proof into an LKDe-proof, the subproofs t, e(0) and e( 1 ) have to be encoded in HandyLK . We continue by showing the HandyLK rule applications in t, which are definition introduction and quantifier rules. The proof t starts by expanding the two occurrences of the defined predicate I:

A ` 8n9k f (n + k) = 0; 8n9k f (n + k) = 1

A ` I(0); 8n9k f (n + k) = 1

A ` I(0); I( 1 ) defI : r defI : r In HandyLK , it suffices to specify the predicate to be expanded and give the auxiliary formulas of the rules, the correct main formula is then found by HLK through matching: with undef I

:- all n ex k f( n + k ) = 0, all n ex k f( n + k ) = 1; Next, the two strong quantifiers are eliminated by 8 : r rules, introducing the eigenvariables n0 and n1: A ` 9k f (n0 + k) = 0; 9k f (n1 + k) = 1 A ` 9k f (n0 + k) = 0; 8n9k f (n + k) = 1 8 : r

A ` 8n9k f (n + k) = 0; 8n9k f (n + k) = 1 8 : r

with all right

:- ex k f( n_0 + k ) = 0, ex k f( n_1 + k ) = 1; Again, it suffices to specify the auxiliary formulas, the correct main formulas are found by matching. The same holds for the weak quantifier rules. In our example, we instantiate them by n1 and n0, respectively: A ` f (n0 + n1) = 0; f (n1 + n0) = 1 A ` 9k f (n0 + k) = 0; f (n1 + n0) = 1 9 : r

A ` 9k f (n0 + k) = 0; 9k f (n1 + k) = 1 9 : r with ex right

:- f( n_0 + n_1 ) = 0, f( n_1 + n_0 ) = 1; Of course, HLK checks whether the quantifier rule applications are legal. Our proof t is nearly done — it remains to decompose our assumption A and to use the commutativity of +. We only show the latter, which is encoded with an application of paramodulation: ` n0 + n1 = n1 + n0 f (n1 + n0) = 1 ` f (n1 + n0) = 1 f (n0 + n1) = 1 ` f (n1 + n0) = 1 = : l2 Such a paramodulation application is common when formalizing proofs from mathematics: an equality axiom from the background theory is used as the active equation. For this reason, it receives special treatment in HandyLK : the active equation is simply specified in a by clause.

with paramod by n_0 + n_1 = n_1 + n_0 right f( n_1 + n_0 ) = 1 :- ; This rule application can also be encoded in the general syntax for binary rules, using a proof reference: with paramod f( n_1 + n_0 ) = 1 :left explicit axiom :- n_0 + n_1 = n_1 + n_0 ; Recall that the definition of j in HandyLK contained references to proofs e(0) and e( 1 ), which show that under the assumption that there are infinitely many cells labelled 0 and 1, respectively, it follows that two cells are labelled by the same number. Clearly, these proofs have a similar structure — this fact can be exploited in HandyLK by writing a meta proof that can be instantiated with some specific terms: define proof \epsilon with meta term i of type nat; proves

I(i) :- ex p ex q ( not p = q and f(p) = f(q) ); We omit the details of the specification of the meta proof e(i). Additionally, HandyLK supports the definition of proofs in a recursive way, which is a convenient way to encode sequences of proofs. This feature was used to encode a sequence of proofs for the formula scheme from [3]. 3.2

XML format for proofs The programs in the CERES system do not work directly with proofs written in HandyLK — these proofs are compiled into a flexible XML format using the HLK compiler. XML is a well known data representation language which allows the use of arbitrary and well known utilities for editing, transformation and presentation and standardized programming libraries. We are interested in tree-style proofs, formulas and terms. Data is structured in trees in XML, therefore the encoding and decoding of these objects is very straightforward.

The format is flexible in the sense that it only assumes that proofs are trees or directed acyclic graphs of rule applications that are labelled by sequents. In our practice, it has been used successfully to encode LKDe and resolution proofs. The following abbreviated XML code represents the proof j: <proof symbol="the-proof" calculus="LK"> <rule symbol="c:r" type="contrr" param="2"> <sequent>...</sequent> <rule symbol="cut" type="cut"> <sequent>...</sequent> <rule symbol="\pi:r" type="permr" param="( 1 2 )"> <sequent>...</sequent> <rule symbol="cut" type="cut"> <sequent>...</sequent> <prooflink symbol="\tau"/> <prooflink symbol="\epsilon(0)"/> </rule> </rule> <prooflink symbol="\epsilon( 1 )"/> </rule> </rule> </proof> The symbol attributes are used for the visual presentation of the proof trees: they allow the user to identify proofs and rules. The param attributes contain additional rule information, in the example they specify which formulas are to be contracted (by the contraction rule c:r) and how the formulas are to be permuted (by the permutation rule \pi:r). The prooflink tags reference other proofs by their name and allow the representation of proofs as DAGs.

In the above example, the formulas contained in the sequents have been left out. To give an example of how a formula is encoded in the XML format, consider the following XML code corresponding to the formula R(c; f (c)) ^ P(c): <conjunctiveformula type="and"> <constantatomformula symbol="R"> <constant symbol="c"/> <function symbol="f">

<constant symbol="c"/> </function> </constantatomformula> <constantatomformula symbol="P">

<constant symbol="c"/> </constantatomformula> </conjunctiveformula>

Data is organized in our XML format in a proofdatabase containing a number of proofs. The proofdatabase may also contain 1. a list of defined predicates and their definitions, 2. a list of sequents specifying the axioms of the background theory in which the proofs are written, 3. arbitrary lists of sequents identified by some symbol (e.g. to store a Herbrand sequent). 3.3

The CERES method To prepare for the following section, we will now introduce the theoretical background for the CERES method of cut-elimination, which is used by the CERES system to compute a proof in atomic cut normal form and, in the end, a Herbrand sequent.

The central idea of CERES consists in extracting a so-called characteristic clause set from a proof, and then using a resolution refutation of this set to obtain a proof with only atomic cuts. We consider the proofs in LKDe as directed trees with nodes which are labelled by sequents, where the root is labelled by the end-sequent. According to the inference rules, we distinguish binary and unary nodes. In an inference n1 : S1 n2 : S2 x

n : S where n is labelled by S, n1 by S1 and n2 by S2, we call n1; n2 predecessors of n. Similarly n0 is predecessor of n in a unary rule if n0 labels the premiss and n the consequent. Then the predecessor relation is defined as the reflexive and transitive closure of the relation above. Every node is predecessor of the root, and the axioms have only themselves as predecessors. For a formal definition of the concepts we refer to [4] and [5]. A similar relation holds between formula occurrences in sequents. Instead of a formal definition we give an example.

Consider the rule: The occurrences of P(a) and P(b) in the premiss are ancestors of the occurrence of P(a) ^ P(b) in the consequent. P(a) and P(b) are called auxiliary formulas of the inference, and P(a) ^ P(b) the main formula. 8x:P(x) in the premisses are ancestors of 8x:P(x) in the consequent. Again the ancestor relation is defined by reflexive transitive closure.

Let W be the set of all occurrences of cut-formulas in sequents of an LKDe-proof j. The cut-formulas are not ancestors of the formulas in the end-sequent, but they might have ancestors in the axioms (if the cuts are not generated by weakening only). The construction of the characteristic clause set is based on the ancestors of the cuts in the axioms. Note that clauses are just defined as atomic sequents. We define a set of clauses Cn for every node n in j inductively:

If n is an occurrence of an axiom sequent S(n), and S0 is the subsequent of S(n) containing only the ancestors of W then Cn = fS0g.

Let n0 be the predecessor of n in a unary inference then Cn = Cn0 .

Let n1; n2 be the predecessors of n in a binary inference. We distinguish two cases (a) The auxiliary formulas of n1; n2 are ancestors of W. Then (b) The auxiliary formulas of n1; n2 are not ancestors of W. Then

Cn = Cn1 [ Cn2 : Cn = Cn1

Cn2 : where C

D = fC D j C 2 C ; D 2 D g and C D is the merge of the clauses C and D.

The characteristic clause set CL(j) of j is defined as Cn0 , where n0 is the root.

Theorem 1. Let j be a proof in LKDe. Then the clause set CL(j) is equationally unsatisfiable. Remark. A clause set C is equationally unsatisfiable if C does not have a model where = is interpreted as equality over a domain.

Proof. This proof first appeared in [1]. Let n be a node in j and S0(n) the subsequent of S(n) which consists of the ancestors of W (i.e. of a cut). It is shown by induction that S0(n) is LKDe-derivable from Cn . If n0 is the root then, clearly, S0(n0) = ` and the empty sequent ` is LKDe-derivable from the axiom set Cn0 , which is just CL(j). As all inferences in LKDe are sound over equational interpretations (where new symbols introduced by definition introduction have to be interpreted according to the defining equivalence), CL(j) is equationally unsatisfiable. Note that, without the rules = : l and = : r, the set CL(j) is just unsatisfiable. Clearly the rules = : l and = : r are sound only over equational interpretations.

( 1 ) the computation of the proof projections j[C] w.r.t. clauses C 2 CL(j), ( 2 ) the refutation of the set CL(j), resulting in an RP-tree g, i.e. in a deduction tree defined by the inferences of resolution and paramodulation, and ( 3 ) “inserting” the projections j[C] into the leaves of g.

For step ( 1 ) we skip in j all inferences where the auxiliary resp. main formulas are ancestors of a cut. Instead of the end-sequent S we get S C for a C 2 CL(j).

Step ( 2 ) consists in ordinary theorem proving by resolution and paramodulation (which is equationally complete). For refuting CL(j) any first-order resolution prover can be used. By the completeness of the methods we find a refutation tree g as CL(j) is unsatisfiable by Theorem 1.

Step ( 3 ) makes use of the fact that, after computation of the simultaneous most general unifier of the inferences in g, the resulting tree g0 is actually a derivation in LKDe. Indeed, after computation of the simultaneous unifier, paramodulation becomes = : l and = : r and resolution becomes cut in LKDe. Note that the definition rules, like the logical rules, do not appear in g0. Now for every leaf n in g0, which is labelled by a clause C0 (an instance of a clause C 2 CL(j)) we insert the proof projection j[C0]. The result is a proof with only atomic cuts.

The proof projection is only sound if the proof j is skolemized, i.e. there are no strong quantifiers (i.e. quantifiers with eigenvariable conditions) in the end-sequent. If j is not skolemized a priori it can be transformed into a skolemized proof j0 in polynomial (at most quadratic) time; for details see [3].

For illustration, consider the following example: j = j1 = j2 = We have CL(j) = fP(u) ` Q(u); ` P(a); Q(v) `g. The resolution refutation d of CL(j) j1 j2 (8x)(P(x) ! Q(x)) ` (9y)(P(a) ! Q(y))

cut P(u)? ` P(u) Q(u) ` Q(u)?

P(u)?; P(u) ! Q(u) ` Q(u)? !: l

P(u) ! Q(u) ` (P(u) ! Q(u))? !: r

P(u) ! Q(u) ` (9y)(P(u) ! Q(y))? 9 : r (8x)(P(x) ! Q(x)) ` (9y)(P(u) ! Q(y))? 8 : l (8x)(P(x) ! Q(x)) ` (8x)(9y)(P(x) ! Q(y))? 8 : r

P(a) ` P(a)? Q(v)? ` Q(v)

P(a); (P(a) ! Q(v))? ` Q(v) !: l (P(a) ! Q(v))? ` P(a) ! Q(v) !: r (P(a) ! Q(v))? ` (9y)(P(a) ! Q(y)) 9 : r (9y)(P(a) ! Q(y))? ` (9y)(P(a) ! Q(y)) 9 : l (8x)(9y)(P(x) ! Q(y))? ` (9y)(P(a) ! Q(y)) 8 : l

Q(a) ` R does the job of refuting CL(j). By applying the most general unifier s of d , we obtain a ground refutation g = d s : This will serve as a skeleton for a proof in ACNF. To complete the construction, we combine the skeleton with the following projections (grounded by s ): j(C1) = j(C2) = j(C3) =

P(a) ` P(a) Q(a) ` Q(a)

P(a); P(a) ! Q(a) ` Q(a) !: l

P(a); (8x)(P(x) ! Q(x)) ` Q(a) 8 : l P(a); (8x)(P(x) ! Q(x)) ` (9y)(P(a) ! Q(y)); Q(a) w : r P(a) ` P(a)

w : r

P(a) ` P(a); Q(v) ` P(a) ! Q(v); P(a) !: r ` (9y)(P(a) ! Q(y)); P(a) 9 : r (8x)(P(x) ! Q(x)) ` (9y)(P(a) ! Q(y)); P(a) w : l

Q(a) ` Q(a)

P(a); Q(a) ` Q(a) w : l

Q(a) ` P(a) ! Q(a) !: r

Q(a) ` (9y)(P(a) ! Q(y)) 9 : r Q(a); (8x)(P(x) ! Q(x)) ` (9y)(P(a) ! Q(y)) w : l

j(C2) j(C1) B ` C; P(a) P(a); B ` C; Q(a)

cut B; B ` C;C; Q(a)

B; B; B ` C;C;C

B ` C

j(C3) Q(a); B ` C contractions cut The composition of skeleton and projections yields j(g) = where B = (8x)(P(x) ! Q(x)), C = (9y)(P(a) ! Q(y)). Clearly, j(g) is a proof of the end-sequent of j in ACNF. 3.4

Cut-elimination, proof visualization and Herbrand sequent extraction with CERES After compiling the HandyLK source to XML with HLK, it is possible to perform proof analysis using the CERES tool. In our example, we are interested in extracting a Herbrand sequent from a cut-free proof of the end-sequent of j. To this end, the CERES method is used, which extracts an unsatisfiable set of clauses from the proof and refutes it. In theory, any resolution prover can be used to refute this set of clauses; Table 1 lists the format conversions currently supported by our implementation.

In our example, we use Otter to find a resolution refutation. Running CERES yields the following characteristic clause set in Otter input format -> =("f"(+(x4, x5)), "0"), =("f"(+(x5, x4)), "1"). % (C1) =("f"(+(x4, x6)), "0"), =("f"(+(+(+(x4, x6), "1"), x7)), "0") ->. % (C2) =("f"(+(x4, x6)), "1"), =("f"(+(+(+(x4, x6), "1"), x7)), "1") ->. % (C3) which corresponds to the set of clauses which is refutable in arithmetic.

The Otter proof object resulting from the successful refutation is then converted into a resolution tree in XML format. According to the CERES method, this refutation is then transformed into an LKDe proof j0 of the end-sequent of j in ACNF. j0 consists of 1262 rules, and is clearly too large to be depicted here (a small part of it can be seen in Figure 2(b)). From j0, a Herbrand sequent is extracted and stored in XML as a list of sequents (containing only the Herbrand sequent). All proofs and sequents computed during the analysis can be visualized using ProofTool as seen in Figure 2. (a) Visualizing the input proof j.

(b) A bird’s eye view on the output proof j0.

To make the Herbrand sequent extracted in our example easier to read, the terms have been simplified modulo commutativity and associativity of +, and the following abbreviations are used: p1 = x + z + 2; p2 = x + z + 4; p3 = z + 1; p5 = w + x + y + z + 6; p6 = w + x + y + z + 8; p7 = w + x + y + z + 4; p4 = x + y + z + 3; With this, the Herbrand sequent of the ACNF of the tape proof is f (p1) = 0 _ f (p1) = 1; f (p2) = 0 _ f (p2) = 1; f (p3) = 0 _ f (p3) = 1; f (p4) = 0 _ f (p4) = 1; f (p5) = 0 _ f (p5) = 1; f (p6) = 0 _ f (p6) = 1; f (p7) = 0 _ f (p7) = 1 ` p1 6= p2 ^ f (p1) = f (p2); p3 6= p1 ^ f (p3) = f (p1); p3 6= p2 ^ f (p3) = f (p2); p1 6= p4 ^ f (p1) = f (p4); p5 6= p6 ^ f (p5) = f (p6); p7 6= p5 ^ f (p7) = f (p5); p7 6= p6 ^ f (p7) = f (p6); p4 6= p7 ^ f (p4) = f (p7): Clearly, the Herbrand sequent is much smaller than the ACNF from which it is extracted. As it contains all quantifier instantiation information from the proof, it is much better suited to human interpretation than the proof itself. The Herbrand sequent we extracted from j0 can be interpreted as the following proof: Theorem 2. On a tape with infinitely many cells where each cell is labelled 0 or 1, there are two distinct cells that are labelled the same.

p1 6= p2; p3 6= p1; p3 6= p2; p1 6= p4; p5 6= p6; p7 6= p5; p7 6= p6; p4 6= p7: We may therefore delete their occurrences from the right side of the Herbrand sequent and obtain the simplified sequent ` f (p1) = f (p2); f (p3) = f (p1); f (p3) = f (p2); f (p1) = f (p4); f (p5) = f (p6); f (p7) = f (p5); f (p7) = f (p6); f (p4) = f (p7): Now, we assume that this sequent is false and obtain a contradiction. If the sequent is false, then all formulas on the left side are true and all formulas on the right side are false, so we may assume f (pi) = 0 _ f (pi) = 1 for i 2 f1; : : : ; 7g. Let f (p1) = a with a 2 f0; 1g and let a¯ = 1 a. We have assumed that the first formula on the right side is false, so f (p2) = a¯. From the second formula we obtain f (p3) = a¯, and from the third f (p3) = a¯¯ = a, which yields the desired contradiction.

Note that the proof extracted from the Herbrand sequent uses only 3 cells even though the sequent itself is not minimal. Still, the proof yields a minimal Herbrand sequent directly: f (p1) = 0 _ f (p1) = 1; f (p2) = 0 _ f (p2) = 1; f (p3) = 0 _ f (p3) = 1; ` p1 6= p2 ^ f (p1) = f (p2); p3 6= p1 ^ f (p3) = f (p1); p3 6= p2 ^ f (p3) = f (p2): Comparing the proof obtained from the Herbrand sequent with the original proof, we have gained an important piece of information: in the original proof, it is shown that either infinitely many cells are labelled 0 or 1, while in the cut-free proof, only finitely many cells are used in the proof. 4