A Unified Procedure for Provability and Counter-Model Generation in Minimal Implicational Logic

This paper presents results on the definition of a sequent calculus for Minimal Implicational Propositional Logic (M→) intended for provability and counter-model generation in this logic. The system keeps track of the attempts to construct a proof in such a way that, if the original formula is an M→ tautology, the tree structure produced by the proving process is a proof; otherwise, it is used to construct a counter-model using Kripke semantics.

M→ polynomially simulates Intuitionistic Propositional Logic (IPL). This simulation can be used to polynomially simulate Classical Logic too, although Classical Logic seems to be in a smaller complexity class. This result points out that M→ is as hard to implement as the most popular propositional logics. Haeusler shows in [7] that M→ can polynomially simulate not only Classical and Intuitionistic Propositional Logic but also Full Minimal Propositional Logic and any other decidable propositional logic with a Natural Deduction system having the sub-formula property. Because of these features, M→ can be used as a base tool to study the complexity of many other logics.
Our goal here is to present a sequent calculus for M→ which allows the definition of a unified procedure for provability and counter-model generation in this logic. The calculus is based on a set of rules and on a general strategy for applying them, in such a way that we can avoid the use of loop checkers and the need to work with different systems for provability and refutation. To the best of our knowledge, this is the first proof calculus for M→ in which validity checking and counter-model generation are done in a single procedure.
Counter-model generation (using Kripke semantics) is achieved as a consequence of the completeness of the system. We are also developing an interactive theorem prover for M→ based on the calculus proposed here. Its source code can be found at https://github.com/jeffsantos/sequent-prover.

Semantics
The Minimal Implicational Logic (M→) is the fragment of Minimal Logic containing only the logical constant →. Its semantics is the intuitionistic semantics restricted to → only. Thus, given a propositional language L, an M→ model is a structure ⟨U, ≤, V⟩, where U is a non-empty set (worlds), ≤ is a partial order relation on U and V is a function from U into the power set of L, such that if i, j ∈ U and i ≤ j then V(i) ⊆ V(j). Given a model, the satisfaction relation |= between worlds in models and formulae is defined as in Intuitionistic Logic, namely: M, i |= p iff p ∈ V(i) for an atomic formula p, and M, i |= α → β iff, for every j ∈ U with i ≤ j, M, j |= α implies M, j |= β. As usual, a formula α is valid in a model M, written M |= α, if and only if it is satisfied in every world i of the model, namely ∀i ∈ U, M, i |= α. A formula is an M→ tautology if and only if it is valid in every model.
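The definitions above, as an added executable example (not code from the paper or from its prover): a small Kripke model class that enforces the persistence condition V(i) ⊆ V(j) for i ≤ j and implements the two satisfaction clauses, used to refute Peirce's law ((A → B) → A) → A, a classical tautology that is not an M→ tautology. The formula encoding, the class name and the two-world model are this example's own choices.

```python
"""Kripke semantics for minimal implicational logic (M->), executable version
of the definitions above.  Added example, not code from the paper or its prover."""

# Formulas: an atom is a str, an implication is ('->', antecedent, consequent).
def imp(a, b):
    return ('->', a, b)


class KripkeModel:
    """A structure <U, <=, V>: U worlds, <= a partial order on U (given as pairs
    and closed under reflexivity and transitivity here), V a persistent valuation."""

    def __init__(self, worlds, order, valuation):
        self.worlds = list(worlds)
        leq = {(w, w) for w in self.worlds} | set(order)
        for k in self.worlds:                       # transitive closure
            for i in self.worlds:
                for j in self.worlds:
                    if (i, k) in leq and (k, j) in leq:
                        leq.add((i, j))
        self.leq = leq
        self.val = {w: frozenset(valuation.get(w, ())) for w in self.worlds}
        for i, j in leq:                            # persistence: i <= j implies V(i) within V(j)
            if not self.val[i] <= self.val[j]:
                raise ValueError(f"V({i}) not included in V({j}) although {i} <= {j}")

    def forces(self, w, phi):
        """M, w |= phi with the intuitionistic clauses restricted to ->."""
        if isinstance(phi, str):
            return phi in self.val[w]
        _, a, b = phi
        # alpha -> beta holds at w iff at every j >= w, alpha at j implies beta at j
        return all(not self.forces(v, a) or self.forces(v, b)
                   for v in self.worlds if (w, v) in self.leq)

    def refuting_worlds(self, phi):
        """Worlds where phi fails; empty iff phi is valid in this model."""
        return [w for w in self.worlds if not self.forces(w, phi)]

    def valid(self, phi):
        return not self.refuting_worlds(phi)


PEIRCE = imp(imp(imp('A', 'B'), 'A'), 'A')


def peirce_counter_model():
    """Two worlds w0 <= w1, A true only in w1 (constructed model): at w0 the
    antecedent (A -> B) -> A holds vacuously, since A -> B fails at w1, but A does not."""
    return KripkeModel(['w0', 'w1'], [('w0', 'w1')], {'w1': {'A'}})


if __name__ == '__main__':
    m = peirce_counter_model()
    print('Peirce refuted at', m.refuting_worlds(PEIRCE))   # ['w0']
    print('A -> A valid:', m.valid(imp('A', 'A')))          # True
```

The same two worlds satisfy Peirce's law at w1, which is why validity in a model has to be checked at every world, and the constructor rejects a valuation that loses an atom along ≤, the condition the semantics needs for implications to be persistent.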

Syntax
It is known that Prawitz's natural deduction system for Minimal Logic with only the →-rules (→-Elim and →-Intro) is sound and complete for M→ with respect to Kripke semantics. As a consequence, Gentzen's LJ system ([15, p. 81]) containing only the right and left →-rules is also sound and complete. As is well known, the →-left rule of LJ does not preserve invalidity. Figure 1 shows the structural and logical rules of an adapted Gentzen sequent calculus for M→ based on [16, p. 18, §3]. Basically, we restrict the right side of a sequent to exactly one formula (we are in M→, thus sequents with an empty right side do not make sense). This implies that structural rules need only be considered for main formulae on the left side of a sequent.
A central aspect when considering mechanisms for proof search in M→ (and also in IPL) is the application of the →-left rule. In the sequent calculus for classical logic (Gentzen's LK system, [15, p. 81]) each rule, when applied bottom-up in the proof search, reduces the degree of the main formula of the sequent (the formula to which the rule is applied); this guarantees termination of the search. In LJ we have the restriction that the right side of a sequent allows only one formula and, since a hypothesis may be reused in different parts of a proof, the main formula must remain available to the generated premises. Thus, the →-left rule repeats the main formula in its premises, a scenario that allows loops in automatic procedures.
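An added example, not the paper's calculus: a naive bottom-up search over the implicational fragment of LJ, written to show the loop described above and the non-invertibility of →-left mentioned in the previous paragraph. Hypotheses are kept as a set, so contraction is implicit; the only addition is a history of the sequents on the current branch, i.e. exactly the kind of loop checker that LMT→ is designed to avoid. The names (prove, PEIRCE, LoopDetected) and the depth bound are this example's own.

```python
"""Bottom-up proof search in the implicational fragment of LJ (a set of
hypotheses on the left, one formula on the right), with a history-based loop
checker.  Added illustration of the problem described in the text, not the
LMT-> calculus: ->-left keeps its main formula in both premises, so an
unchecked search can regenerate the same sequent forever."""

# Formulas: an atom is a str, an implication is ('->', antecedent, consequent).
def imp(a, b):
    return ('->', a, b)


PEIRCE = imp(imp(imp('A', 'B'), 'A'), 'A')    # classically valid, not in M->


class LoopDetected(RuntimeError):
    """Raised when the unchecked search exceeds the depth bound."""


def prove(gamma, phi, loop_check=True, depth_limit=300):
    """Decide Gamma => phi.  Returns (provable, branches_cut_by_loop_check).
    With loop_check=True the history bounds the depth by the finite number of
    distinct sub-sequents, so depth_limit is only a safety net there."""
    cut = 0

    def search(gamma, phi, history, depth):
        nonlocal cut
        if depth > depth_limit:
            raise LoopDetected((sorted(map(str, gamma)), phi))
        if phi in gamma:                        # axiom
            return True
        seq = (gamma, phi)
        if loop_check and seq in history:       # same sequent again on this branch
            cut += 1
            return False
        history = history | {seq}
        if not isinstance(phi, str):            # ->-right (invertible: apply first)
            _, a, b = phi
            return search(gamma | {a}, b, history, depth + 1)
        for f in gamma:                         # ->-left, trying each implication
            if isinstance(f, str):
                continue
            _, a, b = f
            # f stays in Gamma of both premises: this is where loops come from
            if (search(gamma, a, history, depth + 1)
                    and search(gamma | {b}, phi, history, depth + 1)):
                return True
        return False

    return search(frozenset(gamma), phi, frozenset(), 0), cut


def loops_without_checker(gamma, phi):
    """True iff the search with the loop checker disabled hits the depth bound."""
    try:
        prove(gamma, phi, loop_check=False)
        return False
    except LoopDetected:
        return True


if __name__ == '__main__':
    print(prove([], PEIRCE))                      # (False, 1)
    print(loops_without_checker([], PEIRCE))      # True
    # ->-left is not invertible: a provable conclusion with an unprovable premise
    G = [imp('A', 'B'), imp(imp('A', 'B'), 'C')]
    print(prove(G, 'C')[0], prove(G, 'A')[0])     # True False
```

prove([], PEIRCE) fails after cutting one looping branch ({(A → B) → A, A} ⇒ B is regenerated by →-left on the only hypothesis), while the same search with loop_check=False never reaches an axiom and hits the depth bound. The last two lines show a conclusion of →-left, {A → B, (A → B) → C} ⇒ C, that is provable although the left premise obtained by expanding A → B, namely {A → B, (A → B) → C} ⇒ A, is not: the rule is sound but not invertible, which is why a failed premise cannot be turned into a counter-model for the conclusion without the bookkeeping the paper introduces.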

The Sequent Calculus LMT→
In this section we present a sound and complete sequent calculus for M→, which we call LMT→. We can prove for each rule that if all premises are valid then the conclusion is also valid, and that if at least one premise is invalid then so is the conclusion. Moreover, this proof is constructive in the sense that for any sequent we have an effective way to produce either a proof or a counter-model of it.
We start by defining the concept of sequent used in the proposed calculus. A sequent in our system has the general form shown in (1), where ϕ is a formula in L and Δ, Υ_1^{p_1}, Υ_2^{p_2}, ..., Υ_n^{p_n} are bags (multisets, i.e., sets that take repetitions into account) of formulae. Each Υ_i^{p_i} represents formulae associated with an atomic formula p_i. A sequent has two focus areas, one on the left side (curly brackets) and another on the right (square brackets). Curly brackets are used to control the application of the →-left rule and square brackets are used to keep track of formulae that are related to a particular counter-model definition. Δ is a set of formulae and p_1, p_2, ..., p_n is a sequence that does not allow repetition. We call a context of the sequent a pair (α, q), where α ∈ Δ and ϕ = q, q being an atomic formula on the right side of the sequent.
The axioms and rules of LMT→ are presented in Figure 2. In each rule, Δ′ ⊆ Δ. The rules are designed with their backward application in mind. In a →-left rule application, the atomic formula q on the right side of the conclusion goes into the []-area of the left premise. The Δ formulae of the conclusion are copied to the left premise and marked with a label relating each of them to q; the left premise also keeps a copy of the Δ formulae without the q-label. This is the mechanism used to keep track of proving attempts. The form of the restart rule is better understood from the completeness proof in Section 6. A forward reading of the rules can be obtained through the notion of validity, as described in Section 5.

A Termination Strategy for LMT→
The following is a general strategy to be applied with the rules of LMT→ to generate proofs from an input sequent (a sequent that is a candidate to be the conclusion of a proof); it is based on bottom-up application of the rules. From the proposed strategy we can then state a proposition about termination of the proving process.
A goal sequent is a new sequent of the form (1), premise of one of the system's rules, generated by the application of that rule during the proving process. If the goal sequent is an axiom, the branch stops. If it is not and the goal cannot be expanded any further in this branch, then halt and empty the bag of goals. A goal cannot be expanded any further in a branch when the restart rule has already been applied for every atomic formula that appears on the right side along that branch. Otherwise, apply the first applicable rule in the following order:
(i) Apply the →-right rule if possible, i.e., if the formula on the right side of the sequent, outside the []-area, is not atomic. The premise generated by this application is the new goal of this branch.
(ii) Choose the leftmost formula of highest degree on the left side of the sequent that is not yet labeled, i.e., a formula α ∈ Δ that does not occur in Δ′, and apply the focus rule. The premise generated by this application is the new goal of this branch.
(iii) If all formulae on the left side have already been focused, choose the first formula α ∈ Δ such that the context (α, q) has not yet been tried since the last application of a restart rule, and apply the →-left rule. We say that a context (α, q) has already been tried when the formula α on the left was expanded (by an application of →-left) with q as the formula outside the []-area on the right side of the sequent. The premises generated by this application become the new goals of the respective new branches.
(iv) Choose the leftmost formula inside the []-area that was not chosen before in this branch and apply the restart rule. The premise generated by this application is the new goal of this branch.
Figure 3 shows a proof-attempt tree generated by the application of this strategy.

Proposition 4.1 Given that the bag of goals contains only one copy of the input sequent (with ϕ on its right side), then, following the strategy above, LMT→ eventually stops.

Proof.
• The →-right rule is applied until we obtain an atomic formula on the right side.
• The focus rule is applied until every non-labeled formula has been focused. The same formula cannot be focused twice unless a restart rule is applied.
• The →-left rule cannot be applied more than once to the same formula unless a restart rule is applied.
• Between two applications of the restart rule in a branch there is only one possible application of the →-left rule for a context (α, q).
• The restart rule is applied only once for each atomic formula that appears on the right side of sequents in a branch. This implies a finite number of applications of the restart rule.
Since the number of applications of each rule in a branch is bounded, the process stops. □
The proof of completeness of LMT→ is closely related to this strategy and to the way the proof tree is labeled during the proving process. Section 5 presents the soundness proof of LMT→ and Section 6 the completeness proof.

Soundness of LMT→
In this section we prove the soundness of LMT→. A few basic facts and definitions used in the proof follow.
Definition 5.2 We say that a rule is sound if and only if, whenever the premises of the rule are valid sequents, its conclusion is also valid.
A calculus is sound if and only if each of its rules is sound. We prove the soundness of LMT→ by showing that this is the case for each one of its rules.

Proposition 5.3 Considering validity of a sequent as defined in Definition 5.1, LMT→ is sound.
Proof. We show that, supposing the premises of a rule are valid, the validity of the conclusion follows. In the sequel we analyze each rule of LMT→.
→-left We need to analyze both premises together, thus we have the combinations described below.
• Suppose the left premise is valid because α → β, Δ′, Δ |= α and the right premise is valid because α → β, Δ′, Δ, β |= q. We also know that α → β ∈ Δ and Δ′ ⊆ Δ. In this case the conclusion holds: from Δ′, Δ |= α and α → β ∈ Δ we get Δ′, Δ |= β, and then Δ′, Δ, β |= q yields Δ′, Δ |= q.
• Suppose the left premise is valid because Δ^q |= q (the q-labeled copy of Δ); the conclusion also holds, as Δ^q consists of the same formulae as Δ.
• Suppose the right premise is valid because the []-area condition ∃i(…) holds; then the conclusion also holds.
restart Here we have three cases to evaluate.
• Suppose the premise is valid because ∃j(…) holds; then the conclusion also holds.
• Suppose the premise is valid because of the component for some i = 1, …, n; this is also valid in the conclusion.
focus Suppose the premise is valid because Δ′, α, Δ, α |= β; then the conclusion also holds, as Δ′, Δ, α |= β. □

Completeness of LMT→
The counter-model for a failed proof attempt is built from the labeled tree, adding worlds to a model M. Definition 6.1 gives the construction; its clauses (ii) and (iii), for a world w of M, are the following.
(ii) Consider a world w0 in M such that w ≤ w0. By the definition of an invalid sequent, Δ′, Δ ⊭ q; w0 will be used to guarantee this. We set q false in w0, i.e., M, w0 ⊭ q, which implies that M, w ⊭ q. We also set every atomic formula that is in Δ (remember that Δ′ ⊆ Δ) as true, i.e., for every atomic p ∈ Δ, M, w0 |= p. This is consistent with the values of the same atomic formulae in w.
(iii) By the definition of an invalid sequent, we also need that ∀i(…).
Lemma 6.2 In the model so constructed, every formula in Δ is true in w0 and every formula in Υ_i^{p_i} is true in w_i, for i = 1, …, n.
Proof. By induction on the degree of the formulae in Δ and in Υ_i^{p_i}, for i = 1, …, n. From Definition 6.1 (ii) we know that every atomic formula in Δ is true in w0 and that w0 ⊭ q. From Definition 6.1 (iii) we know that every atomic formula in Υ_i^{p_i} is true in w_i and that w_i ⊭ p_i. The inductive hypothesis is that every formula of lower degree in Δ is true in w0 and that every such formula in Υ_i^{p_i} is true in w_i. Thus, we have two cases:
(i) Let α → β be a formula in Δ. We show that M, w0 |= α → β. Consider that α ≡ (γ1 → (γ2 → ... → (γm → q))). By the proof strategy, γ1, γ2, ..., γm are also in Δ. The degree of each of these formulae is less than the degree of α → β and, by the induction hypothesis, all of them are true in w0. Since q is false in w0, this makes w0 ⊭ α and hence w0 |= α → β.
(ii) Let α → β be a formula in M→ that is in Υ_i^{p_i}, for i = 1, …, n. We show that M, w_i |= α → β. Consider that α ≡ (γ1 → (γ2 → ... → (γm → q))). By the proof strategy, γ1, γ2, ..., γm are also in Υ_i^{p_i}. The degree of each of these formulae is less than the degree of α → β and, by the induction hypothesis, all of them are true in w_i. This makes w_i ⊭ α and hence w_i |= α → β. □
Definition 6.3 A rule is said to be invertible or double-sound iff the validity of its conclusion implies the validity of its premises.
In other words, by Definition 6.3 we know that a counter-model for a top sequent of a proof tree which cannot be expanded any further can be used to construct a counter-model for every sequent in the same branch of the tree down to the conclusion (root sequent). In the case of the →-right rule in our system, not only does the conclusion have a counter-model whenever a premise of the rule has one, but the same counter-model will do. Weich called rules with this property counter-model preserving rules [19]. Dyckhoff proposed calling them strongly invertible rules (personal communication).

Lemma 6.4 The rules of LMT→ are invertible.
Proof. We show that the rules of LMT→ are invertible when considering a proof tree labeled according to the schema presented in Section 3. We prove that, from the existence of a Kripke model that makes a premise of the rule invalid, the conclusion is also invalid.
→-right · A counter-model for the premise is also a counter-model for the conclusion, as remarked after Definition 6.3. Thus, the conclusion is invalid too.
→-left · We also know from M that there is a world v_q, with u ≤ v_q, where v_q |= Δ^q and v_q ⊭ q. We also have that Δ′ ⊆ Δ and that α → β ∈ Δ. Therefore v_q |= Δ′, Δ and, in particular, v_q |= α → β, while v_q ⊭ q. · Thus, the conclusion cannot be valid.
focus If we have a model that invalidates the premise, this model also invalidates the conclusion, as the sequents in the premise and in the conclusion are the same apart from the repetition of the focused formula α.
restart · We also have that Δ′ ⊆ Δ. Therefore v_q |= Δ′. · Thus, the conclusion is invalid. □
Now we can state a proposition about the completeness of LMT→:
Proposition 6.5 LMT→ is complete with respect to the proof strategy presented in Section 3.
Proof. It follows directly from Proposition 4.1 (the process always terminates) and Lemmas 6.4 and 6.2 above. □

An Automatic Theorem Prover for M→
Based on the aforementioned system, we developed a theorem prover for M→ (its source code can be found at https://github.com/jeffsantos/sequent-prover). Figure 5 shows a fragment of the proof tree generated by this prover for the formula discussed in [2], which is shown there to require the assumption (((A → C) → A) → A) → C to be used at least twice in any M→ proof. As presented in [6], this formula is used as the base to define a family of formulae in M→ with no bound on the number of uses of assumptions. Figure 5 shows the expansion of the left branch of the final proof.

Related Work
A common way to control the proof search procedure in M→ (and in IPL) is the definition of routines for loop verification, as proposed in [17]. Loop checkers are very expensive procedures, although they are effective in guaranteeing termination of automatic provers for M→ (and other logics with the same characteristic). The works in [9] and [10] are examples of techniques that can be used to minimize the performance problems that arise from the use of such procedures.
To avoid the use of loop checkers, Dyckhoff [3] proposed a terminating contraction-free sequent calculus for IPL, named LJT, using a technique based on the work of Vorob'ev [18] in the 1950s. Pinto and Dyckhoff [13] extended this work, showing a method to generate counter-examples in this system. They proposed two calculi, one for proof search and another for counter-model generation, which together decide the validity of formulae in IPL. A characteristic of their systems is that the sub-formula property does not hold for them. In [5], a similar approach is presented using systems in which the sub-formula property holds; a single decision procedure for IPL that guarantees counter-models of minimal depth is also proposed there.
Focused sequent calculi first appeared in Andreoli's work on linear logic [1]. The author identified a subset of the proofs of a Gentzen-style sequent calculus which is complete and tractable. Liang and Miller [12] proposed the focused sequent calculus LJF, where they used a mapping of IPL into linear logic and adapted Andreoli's system to work with the image. Dyckhoff and Lengrand [4] presented the focused system LJQ, which works directly in IPL. Focusing is used in their system as a way to implement the restrictions on the →-left rule proposed in [18] and [11]. The work of Dyckhoff and Lengrand follows from the calculus with the same name presented in [8]. In our approach, focusing is used as a technique to guarantee the completeness of the system and to produce the counter-model from a failed proof search.

Conclusion and Future Work
We presented here the definition of a unified procedure (the LMT→ system) to decide provability in M→ and to generate Kripke counter-models from the trees produced by unsuccessful proof attempts.
Regarding the LMT→ system, we know that the size of the generated counter-model still takes into account every possible combination of sub-formulae, yielding Kripke models with quite a lot of worlds. There is still work to be done in order to produce smaller models.
On the theorem prover side, much work remains. Further work includes the implementation of user strategies that can be combined with the built-in prover strategy to customize the way the prover conducts the proving process. The interface and user interaction with the system are other options for improvement.