Nominal Techniques or, How Not to be Intimidated by the Variable - PowerPoint PPT Presentation

② ✻ ❂ ① ① ✻✷ ✭ ◆ ✮ ✭ ✕②✿▼ ✮❬ ① ✿❂ ◆ ❪ ❂ ✕②✿ ✭ ▼ ❬ ① ✿❂ ◆ ❪✮ ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✶ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪✮✮❬ ② ✿❂ ▲ ❪ ✥ ✷ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✥ ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✷ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪✮✮❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✦ ✶ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ ✦ Substitution Lemma: If ① ✻✑ ② and ① ✻✷ fv ✭ ▲ ✮ , then ▼ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ▼ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ Proof: By induction on the structure of ▼ . Case 1: ▼ is a variable. Case 1.1. ▼ ✑ ① . Then both sides equal ◆ ❬ ② ✿❂ ▲ ❪ since ① ✻✑ ② . Case 1.2. ▼ ✑ ② . Then both sides equal ▲ , for ① ✻✷ fv ✭ ▲ ✮ implies ▲ ❬ ① ✿❂ ✿ ✿ ✿ ❪ ✑ ▲ . Case 1.3. ▼ ✑ ③ ✻✑ ①❀ ② . Then both sides equal ③ . Case 2: ▼ ✑ ✕③✿▼ ✶ . By the variable convention we may assume that ③ ✻✑ ①❀ ② and ③ is not free in ◆❀ ▲ . ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ . Case 3: ▼ ✑ ▼ ✶ ▼ ✷ . The statement follows again from the induction hypothesis. ✄ Eugene, 24. July 2008 – p. 7/37

② ✻ ❂ ① ① ✻✷ ✭ ◆ ✮ ✭ ✕②✿▼ ✮❬ ① ✿❂ ◆ ❪ ❂ ✕②✿ ✭ ▼ ❬ ① ✿❂ ◆ ❪✮ ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✶ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪✮✮❬ ② ✿❂ ▲ ❪ ✥ ✷ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✥ ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✷ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪✮✮❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✦ ✶ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ ✦ Substitution Lemma: If ① ✻✑ ② and ① ✻✷ fv ✭ ▲ ✮ , then ▼ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ▼ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ Proof: By induction on the structure of ▼ . Case 1: ▼ is a variable. Case 1.1. ▼ ✑ ① . Then both sides equal ◆ ❬ ② ✿❂ ▲ ❪ since ① ✻✑ ② . Case 1.2. ▼ ✑ ② . Then both sides equal ▲ , for ① ✻✷ fv ✭ ▲ ✮ implies ▲ ❬ ① ✿❂ ✿ ✿ ✿ ❪ ✑ ▲ . Case 1.3. ▼ ✑ ③ ✻✑ ①❀ ② . Then both sides equal ③ . Case 2: ▼ ✑ ✕③✿▼ ✶ . By the variable convention we may assume that ③ ✻✑ ①❀ ② and ③ is not free in ◆❀ ▲ . ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ . Case 3: ▼ ✑ ▼ ✶ ▼ ✷ . The statement follows again from the induction hypothesis. ✄ Eugene, 24. July 2008 – p. 7/37

Substitution Lemma: If ① ✻✑ ② and ① ✻✷ fv ✭ ▲ ✮ , then ▼ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ▼ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ Proof: By induction on the structure of ▼ . Case 1: ▼ is a variable. Remember only if ② ✻ ❂ ① and ① ✻✷ fv ✭ ◆ ✮ then Case 1.1. ▼ ✑ ① . Then both sides equal ◆ ❬ ② ✿❂ ▲ ❪ since ✭ ✕②✿▼ ✮❬ ① ✿❂ ◆ ❪ ❂ ✕②✿ ✭ ▼ ❬ ① ✿❂ ◆ ❪✮ ① ✻✑ ② . Case 1.2. ▼ ✑ ② . Then both sides equal ▲ , for ① ✻✷ fv ✭ ▲ ✮ ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ implies ▲ ❬ ① ✿❂ ✿ ✿ ✿ ❪ ✑ ▲ . ✶ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪✮✮❬ ② ✿❂ ▲ ❪ ✥ Case 1.3. ▼ ✑ ③ ✻✑ ①❀ ② . Then both sides equal ③ . ✷ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✥ Case 2: ▼ ✑ ✕③✿▼ ✶ . By the variable convention we may ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ IH assume that ③ ✻✑ ①❀ ② and ③ is not free in ◆❀ ▲ . ✷ ✑ ✭ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪✮✮❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✦ ! ✭ ✕③✿▼ ✶ ✮❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ✑ ✕③✿ ✭ ▼ ✶ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪✮ ✑ ✕③✿ ✭ ▼ ✶ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪✮ ✶ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ . ✦ ✑ ✭ ✕③✿▼ ✶ ✮❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ . Case 3: ▼ ✑ ▼ ✶ ▼ ✷ . The statement follows again from the induction hypothesis. ✄ Eugene, 24. July 2008 – p. 7/37

Nominal Datatypes Define lambda-terms as: atom_decl name nominal_datatype lam = Var "name" ❥ App "lam" "lam" ❥ Lam "«name»lam" ("Lam [_]._") These are named alpha-equivalence classes, for example Lam [a].(Var a) ❂ Lam [b].(Var b) Eugene, 24. July 2008 – p. 8/37

lemma forget: assumes a: "x ★ L" shows "L[x::=P] = L" using a by (nominal_induct L avoiding: x P rule: lam.strong_induct) (auto simp add: abs_fresh fresh_atm) lemma fresh_fact: fixes z::"name" assumes a: "z ★ N" "z ★ L" shows "z ★ N[y::=L]" using a by (nominal_induct N avoiding: z y L rule: lam.strong_induct) (auto simp add: abs_fresh fresh_atm) lemma substitution_lemma: assumes a: "x ✻ ❂ y" "x ★ L" shows "M[x::=N][y::=L] = M[y::=L][x::=N[y::=L]]" using a by (nominal_induct M avoiding: x y N L rule: lam.strong_induct) (auto simp add: fresh_fact forget) Eugene, 24. July 2008 – p. 9/37

lemma forget: assumes a: "x ★ L" shows "L[x::=P] = L" using a by (nominal_induct L avoiding: x P rule: lam.strong_induct) (auto simp add: abs_fresh fresh_atm) lemma fresh_fact: fixes z::"name" assumes a: "z ★ N" "z ★ L" shows "z ★ N[y::=L]" stands for ① ✻✷ fv ✭ ▲ ✮ using a by (nominal_induct N avoiding: z y L rule: lam.strong_induct) reads as “ ① fresh for ▲ ” (auto simp add: abs_fresh fresh_atm) lemma substitution_lemma: assumes a: "x ✻ ❂ y" "x ★ L" shows "M[x::=N][y::=L] = M[y::=L][x::=N[y::=L]]" using a by (nominal_induct M avoiding: x y N L rule: lam.strong_induct) (auto simp add: fresh_fact forget) Eugene, 24. July 2008 – p. 9/37

lemma forget: assumes a: "x ★ L" shows "L[x::=P] = L" using a by (nominal_induct L avoiding: x P rule: lam.strong_induct) (auto simp add: abs_fresh fresh_atm) lemma fresh_fact: fixes z::"name" assumes a: "z ★ N" "z ★ L" shows "z ★ N[y::=L]" using a by (nominal_induct N avoiding: z y L rule: lam.strong_induct) (auto simp add: abs_fresh fresh_atm) lemma substitution_lemma: assumes a: "x ✻ ❂ y" "x ★ L" shows "M[x::=N][y::=L] = M[y::=L][x::=N[y::=L]]" using a by (nominal_induct M avoiding: x y N L rule: lam.strong_induct) (auto simp add: fresh_fact forget) Eugene, 24. July 2008 – p. 9/37

(Weak) Induction Principles The usual induction principle is as follows: ✽ ①✿ P ① ✽ t ✶ t ✷ ✿ P t ✶ ❫ P t ✷ ✮ P ✭ t ✶ t ✷ ✮ ✽ ① t✿ P t ✮ P ✭ ✕①✿t ✮ P t It requires us in the lambda-case to show the property P for all binders ① . (This nearly always requires renamings and they can be tricky to automate.) Eugene, 24. July 2008 – p. 10/37

Strong Induction Principles Therefore we will use the following strong induction principle: ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t Eugene, 24. July 2008 – p. 11/37

Strong Induction Principles Therefore we will use the following strong induction principle: ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t The variable over which the induction proceeds: “. . . By induction over the structure of ▼ . . . ” Eugene, 24. July 2008 – p. 11/37

Strong Induction Principles Therefore we will use the following strong induction principle: ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t The context of the induction; i.e. what the binder should be fresh for ✮ ✭ ①❀ ②❀ ◆❀ ▲ ✮ : “. . . By the variable convention we can assume ③ ✻✑ ①❀ ② and ③ not free in ◆ , ▲ . . . ” Eugene, 24. July 2008 – p. 11/37

Strong Induction Principles Therefore we will use the following strong induction principle: ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t The property to be proved by induction: ✕ ✭ ①❀②❀◆❀▲ ✮ ✿ ✕▼✿ ① ✻ ❂ ② ❫ ① ★ ▲ ✮ ▼ ❬ ① ✿❂ ◆ ❪❬ ② ✿❂ ▲ ❪ ❂ ▼ ❬ ② ✿❂ ▲ ❪❬ ① ✿❂ ◆ ❬ ② ✿❂ ▲ ❪❪ Eugene, 24. July 2008 – p. 11/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) case (Var z) show "Var z[x::=N][y::=L] = Var z[y::=L][x::=N[y::=L]]" ( is "?LHS = ?RHS") proof - { assume "z=x" have "(1)": "?LHS = N[y::=L]" using ‘z=x‘ by simp have "(2)": "?RHS = N[y::=L]" using ‘z=x‘ ‘x ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } moreover { assume "z=y" and "z ✻ ❂ x" have "(1)": "?LHS = L" using ‘z ✻ ❂ x‘ ‘z=y‘ by simp have "(2)": "?RHS = L[x::=N[y::=L]]" using ‘z=y‘ by simp have "(3)": "L[x::=N[y::=L]] = L" using ‘x ★ L‘ by (simp add: forget) from "(1)" "(2)" "(3)" have "?LHS = ?RHS" by simp } moreover { assume "z ✻ ❂ x" and "z ✻ ❂ y" have "(1)": "?LHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp have "(2)": "?RHS = Var z" using ‘z ✻ ❂ x‘ ‘z ✻ ❂ y‘ by simp from "(1)" "(2)" have "?LHS = ?RHS" by simp } ultimately show "?LHS = ?RHS" by blast qed next ✿ ✿ ✿ Eugene, 24. July 2008 – p. 12/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

next case (Lam z M ✶ ) have ih: " ❬ ❬ x ✻ ❂ y; x ★ L ❪ ❪ ❂ ✮ M ✶ [x::=N][y::=L] = M ✶ [y::=L][x::=N[y::=L]]" by fact have "x ✻ ❂ y" by fact have "x ★ L" by fact have vc: "z ★ x" "z ★ y" "z ★ N" "z ★ L" by fact+ then have "z ★ N[y::=L]" by (simp add: fresh_fact) show "(Lam [z].M ✶ )[x::=N][y::=L]=(Lam [z].M ✶ )[y::=L][x::=N[y::=L]]" ( is "?LHS=?RHS") proof - have "?LHS = Lam [z].(M ✶ [x::=N][y::=L])" using vc by simp also from ih have " ✿✿✿ = Lam [z].(M ✶ [y::=L][x::=N[y::=L]])" using ‘x ✻ ❂ y‘ ‘x ★ L‘ by simp also have " ✿✿✿ = (Lam [z].(M ✶ [y::=L]))[x::=N[y::=L]]" using ‘z ★ x‘ ‘z ★ N[y::=L]‘ by simp also have " ✿✿✿ = ?RHS" using ‘z ★ y‘ ‘z ★ L‘ by simp finally show "?LHS = ?RHS" . qed next case (App M ✶ M ✷ ) then show "(App M ✶ M ✷ )[x::=N][y::=L] = (App M ✶ M ✷ )[y::=L][x::=N[y::=L]]" by simp qed Eugene, 24. July 2008 – p. 13/37

An Isar Proof ... The Isar proof language has been conceived by Markus Wenzel, the main developer behind Isabelle. Eugene, 24. July 2008 – p. 14/37

An Isar Proof ... goal stepping stones . . . stepping stones assumptions The Isar proof language has been conceived by Markus Wenzel, the main developer behind Isabelle. Eugene, 24. July 2008 – p. 14/37

Strong Induction Principles ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t There is a condition for when Barendregt’s variable convention is applicable—it is almost always satisfied, but not always: The induction context ❝ needs to be finitely supported (is not allowed to mention all names as free). Eugene, 24. July 2008 – p. 15/37

Strong Induction Principles ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t In the case of the substitution lemma: proof (nominal_induct M avoiding: x y N L rule: lam.strong_induct) ✿ ✿ ✿ Eugene, 24. July 2008 – p. 15/37

Same Problem with Rule Inductions We can specify typing-rules for lambda-terms as: ✭ ① ✿ ✜ ✮ ✷ � valid � � ❵ t ✶ ✿ ✛ ✦ ✜ � ❵ t ✷ ✿ ✛ � ❵ ① ✿ ✜ � ❵ t ✶ t ✷ ✿ ✜ ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ ① ★ � valid � valid ❬❪ valid ✭ ① ✿ ✜ ✮✿✿ � If � ✶ ❵ t ✿ ✜ and valid � ✷ , � ✶ ✒ � ✷ then � ✷ ❵ t ✿ ✜ . Eugene, 24. July 2008 – p. 16/37

Same Problem with Rule Inductions We can specify typing-rules for lambda-terms as: The proof of the weakening lemma is said to be ✭ ① ✿ ✜ ✮ ✷ � valid � � ❵ t ✶ ✿ ✛ ✦ ✜ � ❵ t ✷ ✿ ✛ trivial / obvious / routine /. . . in many places. � ❵ ① ✿ ✜ � ❵ t ✶ t ✷ ✿ ✜ (I am actually still looking for a place in the lit- ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ erature where a trivial / obvious / routine /. . . � ❵ ✕①✿t ✿ ✛ ✦ ✜ proof is spelled out — I know of proofs by Gal- lier, McKinna & Pollack and Pitts, but I would not ① ★ � valid � call them trivial / obvious / routine /. . . ) valid ❬❪ valid ✭ ① ✿ ✜ ✮✿✿ � If � ✶ ❵ t ✿ ✜ and valid � ✷ , � ✶ ✒ � ✷ then � ✷ ❵ t ✿ ✜ . Eugene, 24. July 2008 – p. 16/37

Recall: Rule Inductions prem ✶ ✿ ✿ ✿ prem ♥ scs rule concl Rule Inductions: 1.) Assume the property for the premises. Assume the side-conditions. 2.) Show the property for the conclusion. Eugene, 24. July 2008 – p. 17/37

Induction Principle for Typing The induction principle that comes with the typing definition is as follows: ✽ � ① ✜✿ ✭ ① ✿ ✜ ✮ ✷ � ❫ valid � ✮ P � ✭ ① ✮ ✜ ✽ � t ✶ t ✷ ✛ ✜✿ P � t ✶ ✭ ✛ ✦ ✜ ✮ ❫ P � t ✷ ✛ ✮ P � ✭ t ✶ t ✷ ✮ ✜ ✽ � ① t ✛ ✜✿ ① ★ � ❫ P ✭✭ ① ✿ ✛ ✮✿✿ � ✮ t ✜ ✮ P � ✭ ✕①✿t ✮ ✭ ✛ ✦ ✜ ✮ � ❵ t ✿ ✜ ✮ P � t ✜ Note the quantifiers! Eugene, 24. July 2008 – p. 18/37

� ✷ ❫ � ✶ ✒ � ✷ � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✶ ① t ✛ ✜ ✽ � ✷ ✿ � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ Eugene, 24. July 2008 – p. 19/37

� ✷ ❫ � ✶ ✒ � ✷ � ✷ ❫ � ✶ ✒ � ✷ ✮ Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ We have to show: ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : � ✷ ✼✦ ✭ ① ✿ ✛ ✮✿✿ � ✷ We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : � ✷ ✼✦ ✭ ① ✿ ✛ ✮✿✿ � ✷ We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ ✭ ① ✿ ✛ ✮✿✿ � ✷ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then ✽ � ✷ ✿ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : � ✷ ✼✦ ✭ ① ✿ ✛ ✮✿✿ � ✷ We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ ✭ ① ✿ ✛ ✮✿✿ � ✷ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ valid ✭ ① ✿ ✛ ✮✿✿ � ✷ ??? We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 19/37

The usual proof of strong normalisation for simply- typed lambda-terms establishes first: Lemma: If for all reducible s , t ❬ ① ✿❂ s ❪ is reducible, then ✕①✿t is reducible. Then one shows for a closing (simultaneous) substitution: Theorem: If � ❵ t ✿ ✜ , then for all closing sub- stitutions ✒ containing reducible terms only, ✒ ✭ t ✮ is reducible. Lambda-Case: By ind. we know ✭ ① ✼✦ s ❬ ✒ ✮✭ t ✮ is reducible with s being reducible. This is equal ✄ to ✭ ✒ ✭ t ✮✮❬ ① ✿❂ s ❪ . Therefore, we can apply the lemma and get ✕①✿ ✭ ✒ ✭ t ✮✮ is reducible. Because this is equal ✄ to ✒ ✭ ✕①✿t ✮ , we are done. ✄ you have to take a deep breath Eugene, 24. July 2008 – p. 20/37

Strong Induction Principle ✽ � ① ✜ ❝ ✿ ✭ ① ✿ ✜ ✮ ✷ � ❫ valid � ✮ P ❝ � ✭ ① ✮ ✜ ✽ � t ✶ t ✷ ✛ ✜ ❝ ✿ ❞ � t ✶ ✭ ✛ ✦ ✜ ✮ ✮ ❫ ✭ ✽ ❞✿ P ✭ ✽ ❞✿ P ❞ � t ✷ ✛ ✮ ✮ P ❝ � ✭ t ✶ t ✷ ✮ ✜ ✽ � ① t ✛ ✜ ❝ ✿ ① ★ � ❫ ① ★ ❝ ❫ ❞ ✭✭ ① ✿ ✛ ✮✿✿ � ✮ t ✜ ✮ ✮ P ❝ � ✭ ✕①✿t ✮ ✭ ✛ ✦ ✜ ✮ ✭ ✽ ❞✿ P � ❵ t ✿ ✜ ✮ P ❝ � t ✜ Instead we are going to use the strong induction principle and set up the induction so that it “avoids” � ✷ (in case of the weakening lemma) and ✒ (in case of SN). Eugene, 24. July 2008 – p. 21/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ ① ★ � ✷ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 22/37

Proof of Weakening Lemma ① ★ � ✭ ① ✿ ✛ ✮✿✿ � ❵ t ✿ ✜ � ❵ ✕①✿t ✿ ✛ ✦ ✜ If � ✶ ❵ t ✿ ✜ then valid � ✷ ❫ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ For all � ✶ , ① , t , ✛ and ✜ : We know: ✽ � ✷ ✿ valid � ✷ ❫ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ � ✷ ✮ � ✷ ❵ t ✿ ✜ ① ★ � ✶ valid � ✷ ❫ � ✶ ✒ � ✷ ✮ ✭ ① ✿ ✛ ✮✿✿ � ✶ ✒ ✭ ① ✿ ✛ ✮✿✿ � ✷ ① ★ � ✷ ✮ valid ✭ ① ✿ ✛ ✮✿✿ � ✷ We have to show: � ✷ ❵ ✕①✿t ✿ ✛ ✦ ✜ Eugene, 24. July 2008 – p. 22/37

In Nominal Isabelle abbreviation "sub_ctx" :: "(name ✂ ty) list ✮ (name ✂ ty) list ✮ bool" ("_ ✒ _") where " � ✶ ✒ � ✷ ✑ ✽ x T. (x,T) ✷ set � ✶ � ✦ (x,T) ✷ set � ✷ " lemma weakening_lemma: fixes � ✶ � ✷ ::"(name ✂ ty) list" assumes a: " � ✶ ❵ t : T" and b: "valid � ✷ " and c: " � ✶ ✒ � ✷ " shows " � ✷ ❵ t : T" using a b c by (nominal_induct � ✶ t T avoiding: � ✷ rule: typing.strong_induct) (auto simp add: atomize_all atomize_imp) Eugene, 24. July 2008 – p. 23/37

SN (Again) Theorem: If � ❵ t ✿ ✜ , then for all closing sub- stitutions ✒ containing reducible terms only, ✒ ✭ t ✮ is reducible. Since we say that the strong induction should avoid ✒ , we get the assumption ① ★ ✒ then: Lambda-Case: By ind. we know ✭ ① ✼✦ s ❬ ✒ ✮✭ t ✮ is reducible with s being reducible. This is equal to ✭ ✒ ✭ t ✮✮❬ ① ✿❂ s ❪ . Therefore, we can apply the lemma and get ✕①✿ ✭ ✒ ✭ t ✮✮ is reducible. Because this is equal to ✒ ✭ ✕①✿t ✮ , we are done. ① ★ ✒ ✮ ✭ ① ✼✦ s ❬ ✒ ✮✭ t ✮ ❂ ✭ ✒ ✭ t ✮✮❬ ① ✿❂ s ❪ ✒ ✭ ✕①✿t ✮ ❂ ✕①✿ ✭ ✒ ✭ t ✮✮ Eugene, 24. July 2008 – p. 24/37

So Far So Good A Faulty Lemma with the Variable Convention? Variable Convention: If ▼ ✶ ❀ ✿ ✿ ✿ ❀ ▼ ♥ occur in a certain mathematical context (e.g. definition, proof), then in these terms all bound variables are chosen to be different from the free variables. Barendregt in “The Lambda-Calculus: Its Syntax and Semantics” Inductive Definitions: Rule Inductions: 1.) Assume the property for prem ✶ ✿ ✿ ✿ prem ♥ scs the premises. Assume concl the side-conditions. 2.) Show the property for the conclusion. Eugene, 24. July 2008 – p. 25/37

t ✼✦ t ✵ ② ★ t ✵ ② ★ t Faulty Reasoning Consider the two-place relation foo: t ✼✦ t ✵ ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ Eugene, 24. July 2008 – p. 26/37

Faulty Reasoning Consider the two-place relation foo: t ✼✦ t ✵ ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The lemma we going to prove: Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . Eugene, 24. July 2008 – p. 26/37

Faulty Reasoning Consider the two-place relation foo: t ✼✦ t ✵ ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The lemma we going to prove: Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . Cases 1 and 2 are trivial: If ② ★ ① then ② ★ ① . If ② ★ t ✶ t ✷ then ② ★ t ✶ t ✷ . Eugene, 24. July 2008 – p. 26/37

② ★ t ✵ ② ★ t Faulty Reasoning Consider the two-place relation foo: t ✼✦ t ✵ ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The lemma we going to prove: Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . Case 3: We know ② ★ ✕①✿t . We have to show ② ★ t ✵ . The IH says: if ② ★ t then ② ★ t ✵ . Eugene, 24. July 2008 – p. 26/37

② ★ t ✵ ② ★ t Faulty Reasoning Variable Convention: If ▼ ✶ ❀ ✿ ✿ ✿ ❀ ▼ ♥ occur in a certain mathematical context Consider the two-place relation foo: (e.g. definition, proof), then in these terms all bound vari- ables are chosen to be different from the free variables. t ✼✦ t ✵ In our case: ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The free variables are ② and t ✵ ; the bound one is ① . The lemma we going to prove: By the variable convention we conclude that ① ✻ ❂ ② . Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . Case 3: We know ② ★ ✕①✿t . We have to show ② ★ t ✵ . The IH says: if ② ★ t then ② ★ t ✵ . Eugene, 24. July 2008 – p. 26/37

② ★ t ✵ ② ★ t Faulty Reasoning Variable Convention: If ▼ ✶ ❀ ✿ ✿ ✿ ❀ ▼ ♥ occur in a certain mathematical context Consider the two-place relation foo: (e.g. definition, proof), then in these terms all bound vari- ables are chosen to be different from the free variables. t ✼✦ t ✵ In our case: ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The free variables are ② and t ✵ ; the bound one is ① . The lemma we going to prove: By the variable convention we conclude that ① ✻ ❂ ② . Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . ① ✻ ❂ ② ② ✻✷ fv ✭ ✕①✿t ✮ ✭ ✮ ② ✻✷ fv ✭ t ✮ �❢ ① ❣ ✭ ✮ ② ✻✷ fv ✭ t ✮ Case 3: We know ② ★ ✕①✿t . We have to show ② ★ t ✵ . The IH says: if ② ★ t then ② ★ t ✵ . Eugene, 24. July 2008 – p. 26/37

Faulty Reasoning Variable Convention: If ▼ ✶ ❀ ✿ ✿ ✿ ❀ ▼ ♥ occur in a certain mathematical context Consider the two-place relation foo: (e.g. definition, proof), then in these terms all bound vari- ables are chosen to be different from the free variables. t ✼✦ t ✵ In our case: ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The free variables are ② and t ✵ ; the bound one is ① . The lemma we going to prove: By the variable convention we conclude that ① ✻ ❂ ② . Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . ① ✻ ❂ ② ② ✻✷ fv ✭ ✕①✿t ✮ ✭ ✮ ② ✻✷ fv ✭ t ✮ �❢ ① ❣ ✭ ✮ ② ✻✷ fv ✭ t ✮ Case 3: We know ② ★ ✕①✿t . We have to show ② ★ t ✵ . The IH says: if ② ★ t then ② ★ t ✵ . So we have ② ★ t . Hence ② ★ t ✵ by IH. Done! Eugene, 24. July 2008 – p. 26/37

Faulty Reasoning Consider the two-place relation foo: t ✼✦ t ✵ ① ✼✦ ① t ✶ t ✷ ✼✦ t ✶ t ✷ ✕①✿t ✼✦ t ✵ The lemma we going to prove: Let t ✼✦ t ✵ . If ② ★ t then ② ★ t ✵ . Case 3: We know ② ★ ✕①✿t . We have to show ② ★ t ✵ . The IH says: if ② ★ t then ② ★ t ✵ . So we have ② ★ t . Hence ② ★ t ✵ by IH. Done! Eugene, 24. July 2008 – p. 26/37

VC-Compatibility We introduced two conditions that make the VC safe to use in rule inductions: the relation needs to be equivariant , and the binder is not allowed to occur in the support of the conclusion (not free in the conclusion) Once a relation satisfies these two conditions, then Nominal Isabelle derives the strong induction principle automatically. Eugene, 24. July 2008 – p. 27/37

VC-Compatibility We introduced two conditions that make the VC safe to use in rule inductions: the relation needs to be equivariant , and the binder is not allowed to occur in the A relation ❘ is equivariant iff support of the conclusion (not free in the ✽ ✙ t ✶ ✿ ✿ ✿ t ♥ conclusion) ❘ t ✶ ✿ ✿ ✿ t ♥ ✮ ❘ ✭ ✙ ✁ t ✶ ✮ ✿ ✿ ✿ ✭ ✙ ✁ t ♥ ✮ Once a relation satisfies these two conditions, This means the relation has to be invariant under then Nominal Isabelle derives the strong permutative renaming of variables. induction principle automatically. (This property can be checked automatically if the inductive definition is composed of equivariant “things”.) Eugene, 24. July 2008 – p. 27/37

VC-Compatibility We introduced two conditions that make the VC safe to use in rule inductions: the relation needs to be equivariant , and the binder is not allowed to occur in the support of the conclusion (not free in the conclusion) Once a relation satisfies these two conditions, then Nominal Isabelle derives the strong induction principle automatically. Eugene, 24. July 2008 – p. 27/37

Honest Toil, No Theft! The sacred principle of HOL: “The method of ‘postulating’ what we want has many advantages; they are the same as the advantages of theft over honest toil.” B. Russell, Introduction of Mathematical Philosophy I will show next that the weak structural induction principle implies the strong structural induction principle. (I am only going to show the lambda-case.) Eugene, 24. July 2008 – p. 28/37

Permutations A permutation acts on variable names as follows: def ❬❪ ✁ ❛ ❂ ❛ ✽ ❛ ✶ if ✙ ✁ ❛ ❂ ❛ ✷ ❃ ❁ def ✭✭ ❛ ✶ ❛ ✷ ✮✿✿ ✙ ✮ ✁ ❛ ❂ if ✙ ✁ ❛ ❂ ❛ ✶ ❛ ✷ ❃ ✙ ✁ ❛ otherwise ✿ ❬❪ stands for the empty list (the identity permutation), and ✭ ❛ ✶ ❛ ✷ ✮✿✿ ✙ stands for the permutation ✙ followed by the swapping ✭ ❛ ✶ ❛ ✷ ✮ . Eugene, 24. July 2008 – p. 29/37

Permutations on Lambda-Terms Permutations act on lambda-terms as follows: def ❂ “action on variables” ✙ ✁ ① def ✙ ✁ ✭ t ✶ t ✷ ✮ ❂ ✭ ✙ ✁ t ✶ ✮ ✭ ✙ ✁ t ✷ ✮ def ✙ ✁ ✭ ✕①✿t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Alpha-equivalence can be defined as: t ✶ ❂ t ✷ ✕①✿t ✶ ❂ ✕①✿t ✷ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ① ★ t ✷ ✕①✿t ✶ ❂ ✕②✿t ✷ Eugene, 24. July 2008 – p. 30/37

Permutations on Lambda-Terms Permutations act on lambda-terms as follows: def ❂ “action on variables” ✙ ✁ ① def ✙ ✁ ✭ t ✶ t ✷ ✮ ❂ ✭ ✙ ✁ t ✶ ✮ ✭ ✙ ✁ t ✷ ✮ def ✙ ✁ ✭ ✕①✿t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Alpha-equivalence can be defined as: t ✶ ❂ t ✷ ✕①✿t ✶ ❂ ✕①✿t ✷ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ① ★ t ✷ ✕①✿t ✶ ❂ ✕②✿t ✷ Notice, I wrote equality here! Eugene, 24. July 2008 – p. 30/37

My Claim ✽ ①✿ P ① ✽ t ✶ t ✷ ✿ P t ✶ ❫ P t ✷ ✮ P ✭ t ✶ t ✷ ✮ ✽ ① t✿ P t ✮ P ✭ ✕①✿t ✮ P t implies ✽ ① ❝✿ P ❝ ① ✽ t ✶ t ✷ ❝✿ ✭ ✽ ❞✿ P ❞ t ✶ ✮ ❫ ✭ ✽ ❞✿ P ❞ t ✷ ✮ ✮ P ❝ ✭ t ✶ t ✷ ✮ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❞✿ P ❞ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ P ❝ t Eugene, 24. July 2008 – p. 31/37

P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove P ❝ t by induction on t . Eugene, 24. July 2008 – p. 32/37

P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . Eugene, 24. July 2008 – p. 32/37

✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✭ ✙ ✁ ✭ ✕①✿t ✮✮ . Eugene, 24. July 2008 – p. 32/37

✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ ② ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Now we can use ✽ ❝✿ P ❝ ✭✭✭ ② ✙ ✁ ① ✮✿✿ ✙ ✮ ✁ t ✮ Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Now we can use ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Now we can use ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ to infer P ❝ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ Eugene, 24. July 2008 – p. 32/37

P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Now we can use ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ to infer P ❝ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ However ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Eugene, 24. July 2008 – p. 32/37

① ✻ ❂ ② t ✶ ❂ ✭ ① ② ✮ ✁ t ✷ ② ★ t ✷ ✕②✿t ✶ ❂ ✕①✿t ✷ Proof for the Strong Induction Principle We prove ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction on t . I.e., we have to show P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ . We have ✽ ✙ ❝✿ P ❝ ✭ ✙ ✁ t ✮ by induction. Our weaker precondition says that: ✽ ① t ❝✿ ① ★ ❝ ❫ ✭ ✽ ❝✿ P ❝ t ✮ ✮ P ❝ ✭ ✕①✿t ✮ We choose a fresh ② such that ② ★ ✭ ✙ ✁ ①❀ ✙ ✁ t❀ ❝ ✮ . Now we can use ✽ ❝✿ P ❝ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ to infer P ❝ ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ However ✕②✿ ✭✭ ② ✙ ✁ ① ✮ ✁ ✙ ✁ t ✮ ❂ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ Therefore P ❝ ✕ ✭ ✙ ✁ ① ✮ ✿ ✭ ✙ ✁ t ✮ and we are done. Eugene, 24. July 2008 – p. 32/37

This Proof in Isabelle lemma lam_strong_induct: fixes c::"’a::fs_name" assumes h ✶ : " ❱ x c. P c (Var x)" and h ✷ : " ❱ t ✶ t ✷ c. ❬ ❬ ✽ d. P d t ✶ ; ✽ d. P d t ✷ ❪ ❪ ❂ ✮ P c (App t ✶ t ✷ )" and h ✸ : " ❱ x t c. ❬ ❬ x ★ c; ✽ d. P d t ❪ ❪ ❂ ✮ P c (Lam [x].t)" shows "P c t" proof - interesting bit have " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" ✿ ✿ ✿ then have "P c (([]::name prm) ✁ t)" by blast then show "P c t" by simp qed Eugene, 24. July 2008 – p. 33/37

❱ ❬ ❬ ★ ✽ ❪ ❪ ❂ ✮ ✸ Interesting Bit ✿ ✿ ✿ have " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" proof (induct t rule: lam.induct) case (Lam x t) have ih: " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" by fact { fix ✙ ::"name prm" and c::"’a::fs_name" obtain y::"name" where fc: "y ★ ( ✙ ✁ x, ✙ ✁ t,c)" by (rule exists_fresh) (auto simp add: fs_name1) from ih have " ✽ c. P c (([(y, ✙ ✁ x)]@ ✙ ) ✁ t)" by simp then have " ✽ c. P c ([(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" by (auto simp only: pt_name2) with h ✸ have "P c (Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" using fc by (simp add: fresh_prod) moreover have "Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t) = Lam [( ✙ ✁ x)].( ✙ ✁ t)" using fc by (simp add: lam.inject alpha fresh_atm fresh_prod) ultimately have "P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp } then have " ✽ ( ✙ ::name prm) c. P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp then show " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ (Lam [x].t))" by simp qed (auto intro: h ✶ h ✷ ) ✿ ✿ ✿ Eugene, 24. July 2008 – p. 34/37

❱ ❬ ❬ ★ ✽ ❪ ❪ ❂ ✮ ✸ Interesting Bit ✿ ✿ ✿ have " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" proof (induct t rule: lam.induct) case (Lam x t) have ih: " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" by fact { fix ✙ ::"name prm" and c::"’a::fs_name" obtain y::"name" where fc: "y ★ ( ✙ ✁ x, ✙ ✁ t,c)" by (rule exists_fresh) (auto simp add: fs_name1) from ih have " ✽ c. P c (([(y, ✙ ✁ x)]@ ✙ ) ✁ t)" by simp then have " ✽ c. P c ([(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" by (auto simp only: pt_name2) with h ✸ have "P c (Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" using fc by (simp add: fresh_prod) moreover have "Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t) = Lam [( ✙ ✁ x)].( ✙ ✁ t)" using fc by (simp add: lam.inject alpha fresh_atm fresh_prod) ultimately have "P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp } then have " ✽ ( ✙ ::name prm) c. P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp then show " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ (Lam [x].t))" by simp qed (auto intro: h ✶ h ✷ ) ✿ ✿ ✿ Eugene, 24. July 2008 – p. 34/37

❱ ❬ ❬ ★ ✽ ❪ ❪ ❂ ✮ ✸ Interesting Bit ✿ ✿ ✿ have " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" proof (induct t rule: lam.induct) case (Lam x t) have ih: " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" by fact { fix ✙ ::"name prm" and c::"’a::fs_name" obtain y::"name" where fc: "y ★ ( ✙ ✁ x, ✙ ✁ t,c)" by (rule exists_fresh) (auto simp add: fs_name1) from ih have " ✽ c. P c (([(y, ✙ ✁ x)]@ ✙ ) ✁ t)" by simp then have " ✽ c. P c ([(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" by (auto simp only: pt_name2) with h ✸ have "P c (Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" using fc by (simp add: fresh_prod) moreover have "Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t) = Lam [( ✙ ✁ x)].( ✙ ✁ t)" using fc by (simp add: lam.inject alpha fresh_atm fresh_prod) ultimately have "P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp } then have " ✽ ( ✙ ::name prm) c. P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp then show " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ (Lam [x].t))" by simp qed (auto intro: h ✶ h ✷ ) ✿ ✿ ✿ Eugene, 24. July 2008 – p. 34/37

❱ ❬ ❬ ★ ✽ ❪ ❪ ❂ ✮ ✸ Interesting Bit ✿ ✿ ✿ have " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" proof (induct t rule: lam.induct) case (Lam x t) have ih: " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ t)" by fact { fix ✙ ::"name prm" and c::"’a::fs_name" obtain y::"name" where fc: "y ★ ( ✙ ✁ x, ✙ ✁ t,c)" by (rule exists_fresh) (auto simp add: fs_name1) from ih have " ✽ c. P c (([(y, ✙ ✁ x)]@ ✙ ) ✁ t)" by simp then have " ✽ c. P c ([(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" by (auto simp only: pt_name2) with h ✸ have "P c (Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t))" using fc by (simp add: fresh_prod) moreover have "Lam [y].[(y, ✙ ✁ x)] ✁ ( ✙ ✁ t) = Lam [( ✙ ✁ x)].( ✙ ✁ t)" using fc by (simp add: lam.inject alpha fresh_atm fresh_prod) ultimately have "P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp } then have " ✽ ( ✙ ::name prm) c. P c (Lam [( ✙ ✁ x)].( ✙ ✁ t))" by simp then show " ✽ ( ✙ ::name prm) c. P c ( ✙ ✁ (Lam [x].t))" by simp qed (auto intro: h ✶ h ✷ ) ✿ ✿ ✿ Eugene, 24. July 2008 – p. 34/37