A Direct Version of Veldman’s Proof of Open Induction on Cantor Space via Delimited Control Operators

First, we reconstruct Wim Veldman’s result that Open Induction on Cantor space can be derived from Double-negation Shift and Markov’s Principle. In doing this, we notice that one has to use a countable choice axiom in the proof and that Markov’s Principle is replaceable by slightly strengthening the Double-negation Shift schema. We show that this strengthened version of Double-negation Shift can nonetheless be derived in a constructive intermediate logic based on delimited control operators, extended with axioms for higher-type Heyting Arithmetic. We formalize the argument and thus obtain a proof term that directly derives Open Induction on Cantor space by the shift and reset delimited control operators of Danvy and Filinski.

1998 ACM Subject Classification: F.4.1 Mathematical Logic, F.3.3 Studies of Program Constructs


1 Introduction
Let X be a set with an equality relation =_X and a binary relation <_X. We denote by X^ω and X^* the set of infinite sequences, or streams, over X and the set of finite sequences over X, respectively. Let elements of X^ω be denoted by Greek letters α, β, γ, let natural numbers be denoted by n, k, l, m, and let αn denote the finite sequence α(0), α(1), ..., α(n − 1), i.e., the initial segment of length n of the sequence α. The lexicographic extension <_{X^ω} of <_X is a binary relation on streams, defined in terms of <_X and =_{X^*}, where =_{X^*} denotes the equality relation induced from =_X by element-wise comparison, i.e., p =_{X^*} q iff p and q are of the same length and element-wise equal with respect to =_X.
A non-empty subset U of X^ω is called open if there is an enumeration π : N → X^* which can approximate U, in the sense that membership in U can be defined by α ∈ U iff ∃n∃k(αn =_{X^*} π(k)).
The Principle of Open Induction on X^ω (equipped with <_X and =_X) is the following statement, for U open: (OI-X). One immediately sees that OI-X has the form of a well-founded induction principle. However, one should note that, even for the simple choice of X = {0, 1} equipped with the usual decidable order and equality relation, an open set U is generally uncountable, and the lexicographic ordering <_{X^ω} is not well-founded!
The utility of this principle has been recognized by Raoult [15], who gave, using OI-X, a new version of Nash-Williams' proof of Kruskal's theorem that does not explicitly use the Axiom of Dependent Choice.
OI-X was introduced in the context of Constructive Mathematics by Coquand [4]. He proved OI-X by relativized Bar Induction, and also first considered separately the version for X^ω being the Cantor space [5].
Berger [3] showed that OI-X in higher-type Arithmetic, where X can be any type ρ, is classically equivalent to the Axiom of Dependent Choice (DC) for the type ρ. He also gave a modified realizability interpretation of OI-X by a schema of Open Recursion, and showed that, unlike DC, OI-X is closed under double-negation and A-translation; this means that there is a simple way to extract open-recursive programs from classical proofs of Π^0_2-statements that use DC or OI-X.
In the context of Constructive Reverse Mathematics, in a series of lectures [18], Veldman showed that Open Induction for Cantor space is equivalent to Double-negation Shift, ∀n¬¬A(n) → ¬¬∀nA(n) (for any formula A(n)), (DNS) in the presence of Markov's Principle (MP). Given that it is possible to obtain proofs for both MP [9] and DNS [11] using constructive logical systems based on delimited control operators, it is a natural next step to attempt to provide a direct constructive proof of OI for Cantor space based on delimited control operators. This is what we do in this paper.
The remainder of the paper is organized as follows. In Section 2, we reconstruct in detail Veldman's argument that proves OI on Cantor space from DNS and MP via the principle EnDec. In Section 3, we recall the logical system MQC+(S) from [11] that is able to prove a strengthened version DNS_S of DNS using delimited control operators. DNS_S allows us to prove (a minimal logic version of) EnDec without explicitly using MP. In Section 4, we give a formalized proof term for OI on Cantor space in a variant of HA^ω based on the logical system MQC+(S). In the concluding Section 5, we explain the current limitation of our approach for extracting programs from proofs and we mention directly related works.

2 From DNS and MP to Open Induction for Cantor Space

We will consider the case X = B, where B = {0, 1} with 0 <_B 1 and 0 =_B 0, 1 =_B 1, that is, Open Induction on Cantor space, OI-B. We will show that OI-B is provable from DNS, MP, and AC!_{0,B}, which is a restriction of the Axiom of Unique Countable Choice (also known as Countable Comprehension). All the arguments of this section take place in plain intuitionistic logic; if a principle that is not intuitionistically derivable is used, that is explicitly noted.
In addition to the already introduced notational conventions, let p, q, r, s denote finite binary sequences (bit-strings), B^*, and let p * q denote the concatenation of p and q. For a natural number k, B^k denotes the set of bit-strings of length k. Concrete bit-strings are constructed using the notation ⟨•⟩, e.g. ⟨⟩ denotes an empty sequence, ⟨0⟩ the bit-string of length 1 that contains a 0, ⟨1, 1, 1, 1⟩ the bit-string that contains four 1's, etc. Thus p * ⟨0⟩ means that a zero bit is appended at the end of p. The function len(p) computes the length of p. Analogously to the initial segment function αn on infinite sequences, we denote by pn the initial segment function on finite sequences, with default value pn := p when n > len(p). Instead of writing <_{B^ω} and =_{B^*}, we simply write < and =. We abbreviate (S_1 → S_2) ∧ (S_2 → S_1) to (S_1 ↔ S_2). We may write n ∉ A to mean ¬(n ∈ A).
By a Σ-formula, we mean a formula built only from existential quantifiers (over the set N), disjunction, conjunction, and the equality symbol "=" for N. This definition is equivalent to the usual definition of Σ^0_1-formula if the language has all the primitive recursive symbols, as is the case for the system from Section 4.
We say that a set B ⊆ N is enumerable when membership in B is a Σ-formula, i.e., n ∈ B is defined as S(n) for a Σ-formula S. Equivalently, B is enumerable when B is given by a function f : N → N such that n ∈ B is a notation for ∃m(f(m) = n + 1). A set B ⊆ N is decidable when we have that ∀n(n ∈ B ∨ n ∉ B).
Veldman introduced the following principle, EnDec (Axiom 1).
Note that EnDec holds classically, since classically any B is decidable, so we may set C := B to obtain N ⊆ B. Our interest in EnDec here is because it is a stepping stone to proving OI-B.
Proof. Let A be a non-empty open subset of Cantor space, i.e., there exists π : N → B^* such that "α ∈ A" is a notation for ∃l, m(αl = π(m)). Let also A be progressive (the premise of OI-B). We want to show that ∀α(α ∈ A). Define B ⊆ B^* by: p is in B if p is "uniformly barred" by π. That is, p ∈ B if there exists k such that any extension of p by a finite bit-string of length k is covered by π(m) for some m.
It suffices to show ⟨⟩ ∈ B for the empty bit-string ⟨⟩, since we then know that π covers the entire Cantor space. We show that B is actually equal to B^*, using EnDec. Notice that B^* is bijective to N by primitive recursive functions and B is enumerable, hence we may transport EnDec from N to B^*. It is left to show that, for any decidable subset C ⊆ B, if ∃q(q ∉ C), then ∃r(r ∉ C ∧ r ∈ B).
Suppose that such C and q are given. If ⟨⟩ ∈ C ⊆ B, then we have that q ∈ B, so we are done. We assume ⟨⟩ ∉ C. Since C is decidable, we can construct α, using AC!_{0,B}, such that α(n) is determined by the prefix αn as follows. The sequence α tries to stay outside of C for as long as possible and tries to be minimal. It first tries to "turn left" (value 0). If that is not possible, i.e., αn * ⟨0⟩ ∈ C, then it tries to "turn right" (value 1). If neither is possible, then it defaults to "turning left". One may notice that if α fails to stay outside of C at n + 1, i.e., αn * ⟨0⟩ ∈ C and αn * ⟨1⟩ ∈ C, then we have αn ∈ B. This fact, a manifestation of the compactness of Cantor space, will be used later in the proof. Now, we can find a prefix of α that is in B but not in C, by following α up to the first point where it enters B. Let us first prove that α is in A, which guarantees that α has a prefix in B, hence that α will enter B. We use progressiveness of A. Let β < α, i.e., ∃n(βn …). We conclude that β ∈ A, which was to be shown. From α ∈ A, we obtain l, m such that αl = π(m). We finish the proof by proving the following more general statement by induction. Indeed, since we have ⟨⟩ ∉ C, by instantiating the above statement with n := l, we obtain p such that p ∉ C and p ∈ B.
In the base case, n = 0, we have that αl ∉ C by the hypothesis and that αl ∈ B (from α ∈ A); so we set l′ := l. In the induction case for n + 1 we consider three possibilities: in the first, we close the case by the induction hypothesis; in the second, we again close the case by the induction hypothesis; in the third, α(l − (n + 1)) ∈ B, as we noted earlier. Recalling that we also have α(l − (n + 1)) ∉ C by hypothesis, we can set l′ := l − (n + 1). The first two cases could be merged into one, verifying only whether α(l − (n + 1) + 1) ∈ C. ◭

◮ Remark 2. In the previous proof, we used AC!_{0,B} when constructing the sequence α by course-of-values recursion using the choice function extracted from the decidability of C. Since the principle EnDec is classically valid, not using a choice axiom would mean that one can reduce OI-B (and, using Berger's results [3], also Dependent Choice for B) to plain classical logic without choice.
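As an added illustration, not taken from the paper, the following Python carries out the computational content of the proof above on a constructed finite enumeration π and a constructed decidable C ⊆ B: it builds the sequence α (turn left if that stays outside C, else turn right, else default left), checks the compactness fact that a failure to stay outside C at n + 1 forces αn ∈ B, and follows α to the first prefix that enters B. All names (PI, in_B, next_bit, witness, in_C_sample) are ours; for a finite π, uniform barring is decided by one bounded check, as explained in the comments.

```python
from itertools import product

# Constructed sample enumeration pi of basic opens (not from the paper).  A bit-string is
# "covered" when some pi(m) is a prefix of it.  This pi deliberately does NOT cover the
# stream 1,0,0,..., so the empty string is not uniformly barred and the walk is non-trivial.
PI = ["00", "01", "11"]
KMAX = max(len(b) for b in PI)


def covered(p: str) -> bool:
    """Some basic open pi(m) is an initial segment of p."""
    return any(p.startswith(b) for b in PI)


def in_B(p: str) -> bool:
    """p in B ("uniformly barred"): every extension of p of length KMAX is covered.
    If some k works then so does KMAX: for k <= KMAX, extensions of covered strings
    stay covered; for k > KMAX, every length-KMAX extension already contains the
    basic open that covers any of its longer extensions.  So one check decides it."""
    return all(covered(p + "".join(e)) for e in product("01", repeat=KMAX))


def next_bit(prefix: str, in_C) -> str:
    """The choice rule defining alpha: 0 if that stays outside C, else 1, else 0."""
    if not in_C(prefix + "0"):
        return "0"
    if not in_C(prefix + "1"):
        return "1"
    return "0"


def build_alpha(in_C, n: int) -> str:
    """Initial segment alpha-bar-n, built by course-of-values recursion from in_C."""
    prefix = ""
    for _ in range(n):
        prefix += next_bit(prefix, in_C)
    return prefix


def fails_at(prefix: str, in_C) -> bool:
    """alpha 'fails to stay outside C' right after prefix: both extensions lie in C."""
    return in_C(prefix + "0") and in_C(prefix + "1")


def witness(in_C, max_steps: int = KMAX + 1):
    """Follow alpha to the first prefix that enters B.  Because C is a subset of B and
    alpha only enters C when both extensions are in C (which puts the previous prefix in
    B), that first prefix is in B but not in C.  Assumes the empty string is not in C."""
    assert not in_C("")
    prefix = ""
    for _ in range(max_steps):
        if in_B(prefix):
            return prefix
        prefix += next_bit(prefix, in_C)
    return None  # alpha has not entered B within the bound


def in_C_sample(p: str) -> bool:
    """Constructed decidable subset of B: the barred strings of length at least 2."""
    return in_B(p) and len(p) >= 2


if __name__ == "__main__":
    print("alpha-bar-4 =", build_alpha(in_C_sample, 4))
    print("first prefix of alpha in B but not in C:", repr(witness(in_C_sample)))
```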
We now consider the principle of Double-negation Shift (DNS), which is independently important because it allows one to interpret the double-negation translation of the Axiom of Countable Choice [16]. Following Veldman, we find it useful to consider the following variant of DNS.
◮ Remark. The proof of equivalence between DNS and DNS_V is analogous to the proof of equivalence between the law of double-negation elimination (DNE) and the law of excluded middle (EM). In minimal logic, which is intuitionistic logic without the rule of ⊥-elimination (ex falso quodlibet), EM is weaker than DNE [1]. We expect a similar result for DNS, i.e., that DNS_V is weaker than DNS in minimal logic.
When quantifier-free formulas and decidable formulas coincide, as in Arithmetic, we may state Markov's Principle using Σ-formulas.
We can now prove EnDec from DNS_V and MP.
Proof. Let the premises of EnDec hold. Given n ∈ N, we have to prove n ∈ B, which is a Σ-formula. We are entitled to apply MP. Now, we have to show that ¬¬(n ∈ B). Suppose ¬(n ∈ B). Thanks to DNS_V, it suffices to prove ⊥ assuming moreover that B is decidable, i.e., ∀n(n ∈ B ∨ ¬(n ∈ B)). We use the premise of EnDec by taking C := B and recalling that we have ¬(n ∈ B). This gives us ∃m(m ∈ B ∧ ¬(m ∈ B)), from which we derive ⊥. ◭

3 A Constructive Logic Proving EnDec
In this section, we recall the logical system MQC+(S) from [11], and show that EnDec is provable in MQC+(S) (with a suitably instantiated parameter S), without an explicit use of MP, thanks to the slightly stronger form of DNS that MQC+(S) proves. MQC+(S) is a pure predicate logic system, parameterized over a closed Σ-formula S, that, in addition to the usual rules of minimal intuitionistic predicate logic, adds two rules for proving the Σ-formula S. The rule "reset", with premise Γ ⊢_S S and conclusion Γ ⊢_⋄ S (proof term #), sets a marker (under the turnstile) meaning that one wants to prove S. Once the marker is set, one can use the "shift" rule, which proves by a principle related to double-negation elimination from classical logic. The idea is to internalize in the formal system the fact, known from Friedman-Dragalin's A-translation, that a classical proof of a Σ^0_1-formula can be translated to an intuitionistic proof of the same formula, showing that classical proofs of such formulas are in fact constructive. The first system built around this internalization idea was Herbelin's [9], with the power to derive Markov's Principle. It satisfies, like MQC+(S), the disjunction and existence properties, characteristic of plain intuitionistic logic.
The names "shift" and "reset" come from the computational intention behind the normalization of these proof rules, Danvy and Filinski's delimited control operators [6,7,8]. These operators were developed in the theory of programming languages with the aim of enabling one to write continuation-passing style (CPS) programs in so-called direct style. Since CPS transformations are known to be one and the same thing as double-negation translations [14], one can think of shift/reset in Logic as enabling one to prove directly theorems whose double-negation translation is intuitionistically provable. In order for this facility to remain constructive, we allow its use only for proving Σ-formulas.
The natural deduction system for MQC+(S) is given in Table 1 with proof term annotations. The diamond in the subscript of ⊢ is a wild-card: ⊢_⋄ denotes either ⊢ or ⊢_S, where in the latter the subscript S is the same formula as the parameter S. We mark ⊢ with the parameter to record that a reset has been set. The rules should be read bottom-up, so that the marker is propagated from below to above the line. The usual intuitionistic rules neither "read" nor "write" this marker, hence ⋄ denotes the same below and above the line. The reset rule is the one that sets the marker (if it is not already set). If the marker has already been set, then the marker is simply kept. This kind of use of reset would have no logical purpose, but it would affect the course of normalization, hence the computational behavior of the proof term. The rule shift can only be applied when the marker is set, hence it is assured that we are ultimately proving the Σ-formula S.
The following theorem shows a utility of proving with shift and reset.

◮ Theorem 3. Let S be a closed Σ-formula and A(x) an arbitrary formula. The following version of DNS
is provable in MQC+(S).
Proof. Use the proof term λh.#h λx.Sk.k. ◭

This version of DNS already has some form of MP built in, as can be seen from the proof of Theorem 4 below. We now state a version of EnDec which is suitable for use in minimal logic, where ⊥-elimination is absent.
◮ Axiom 4 (A minimal-logic version of Axiom 1). Assume that B ⊆ N is enumerable and n ∈ N. Let, for any s ∈ N and any C ⊆ B, such that
◮ Theorem 4. Assume that B ⊆ N is enumerable and n ∈ N. The instance of Axiom 4 with conclusion n ∈ B is derivable in the system MQC+(n ∈ B).

4 A Proof Term for Open Induction
In this section, we give a proof term for OI on Cantor space in the system HA^ω+(S) (by suitably instantiating the parameter S), which is the system of axioms HA^ω (from §1.6.15 of [17]) and AC!_{0,B} added on top of the predicate logic MQC+(S); the need for AC!_{0,B} is justified by Remark 2. Basic ingredients to construct the proof term are at hand: Theorem 1 and Theorem 4. We are to interpret them in HA^ω+(S) and combine the thus obtained proof terms for Theorem 1 and Theorem 4.

The system HA^ω+(S)
Let S be a closed Σ-formula. First, we take a multi-sorted version of MQC+(S), that is, given different sorts (denoted by σ, ρ, τ, δ), the language is extended with individual variables (denoted by x, y, z) of any sort, and quantifiers for all sorts. We will not annotate quantifiers with their sorts, since those will be clear from the context; we may annotate variables by their sorts when we want to avoid ambiguity. The sorts are built inductively, according to the following rules: there is a sort named 0; if ρ and σ are sorts, then there is a sort named ρ → σ. The intended interpretation is that the sort 0 stands for N, the sort 0 → 0 stands for functions N → N, the sort ((0 → 0) → 0) for functionals (N → N) → N, etc. We will employ the word 'type' instead of sort, henceforth, and we abbreviate the type 0 → 0 by 1. Now, we add to the language a binary predicate symbol = for individual terms of type 0, intended to be interpreted as (the decidable) equality on N. We emphasize that we only have decidable equality. The individual terms will be built from the function symbols 0^0 (zero), (•+1)^1 (successor), Π^{ρ→τ→ρ} and Σ^{(δ→ρ→τ)→(δ→ρ)→δ→τ} (combinators), and R^{0→ρ→(ρ→0→ρ)→ρ} (recursor of type ρ). There is also the function symbol of juxtaposition which is not explicitly denoted: for terms t^{σ→τ} and s^σ, t s is a term of type τ.
The axioms defining these symbols are (the universal closures of each of): We also add the axiom schema of induction, for arbitrary formula A(x), but only for variables x of type 0:

Since "=" is the only predicate symbol, all atomic (prime) formulas are of the form t = s. This allows us to show that x = y → A(x) → A(y), by induction on the complexity of the formula A.
It is known that using the combinators one may define an individual term for lambda abstraction, denoted λx.t, of type 1, which satisfies the usual β-reduction axiom. Using this and the recursor R, one can easily define all the usual primitive recursive functions. Using the thus defined predecessor function, and the induction axiom, one can derive the remaining Peano axioms, x + 1 = y + 1 → x = y, and (x + 1 = 0) → 1 = 0, where we took 1 = 0 instead of ⊥ because we are in minimal logic. In fact, in the presence of arithmetic, one can prove, again by induction, that the rule of ⊥-elimination (with ⊥ replaced by 1 = 0) is derivable, although we will not need it.
Some notational conventions follow. We shall need to speak of bits, finite sequences of bits (bit-strings), and infinite sequences of bits (bit-streams). Bits and bit-strings can be encoded by natural numbers, but, instead of using the type 0 for terms of that kind, to be more pragmatic, we will write bool (intended to interpret B) and bool^* (intended to interpret B^*). Bit-streams are represented by terms of type 0 → 0, but we will write 0 → bool instead. We will need the operations for concatenation and initial segments of both bit-strings and bit-streams, that we already introduced. In addition, the operator head(p) returns the first bit of p, while tail(p) returns the string that follows the first bit of p. Although p is not a function, we will use the notation p(n) to extract the (n + 1)-th bit of p. We will also use the fact that one can define by primitive recursion a term if. We will also need the usual operation min : 0 → 0 → 0 on numbers. All the mentioned operations can be defined by a restricted amount of primitive recursion at higher types; level 3 of the Grzegorczyk hierarchy would suffice. Hence we could work in a corresponding subsystem of HA^ω, like for example G_3A^ω_i from §3.5 of [12].
Finally, we shall also need the following choice axiom, a restriction of the usual Axiom of Countable Choice (AC_{0,0}): Neither AC_{0,0} nor AC!_{0,B} is provable in HA^ω. For arithmetical formulas, AC_{0,0} (and hence AC!_{0,B}) is an admissible rule for HA^ω [2].

Proof term for OI-B
We now formalize the concepts involved in the proof of OI-B. An open set A in Cantor space is given, as a parameter to the logical system, by a term π of type 0 → bool^*, an enumeration of basic opens. Each bit-string π(n) is a basic open and the union of them makes A. Membership in A, α ∈ A, means that α is covered by some basic open from the enumeration. Formally, we define α ∈ A as this covering condition, and we see that membership in A is a closed Σ-formula. (Recall that π is a parameter of the logical system.) The relation < on bit-streams is formalized accordingly. We use an instance of Axiom 4 for the enumerable set B given by a Σ-formula B(x), to be defined below, and n given by the natural number encoding an empty sequence. We define B(x) in terms of bounded quantification, where ∀q^{bool^k} denotes a bounded universal quantification over bit-strings of length k. Bounded quantification can be encoded away using primitive recursive symbols, hence B(x) is still a Σ-formula. We define p ∈ B by B(p). We have that, for any α, ∃n(αn ∈ B) iff α ∈ A. We instantiate the parameter S of HA^ω+(S) by ⟨⟩ ∈ B. Next, we give an interpretation of the instance of Axiom 4 in HA^ω+(⟨⟩ ∈ B). We cannot literally formalize Axiom 4 in HA^ω+(S), since HA^ω+(S) does not have higher-order quantification (but only quantification over higher types), hence we cannot quantify over subsets. We therefore "interpret" (the instance of) Axiom 4: the enumerable set B is represented by the Σ-formula B(x), and the decidable subset C by a characteristic function χ_C^{bool^*→bool}, replacing the premise ∀x … The characteristic function should intuitively read as χ_C(p) = 1 iff "p ∈ C", but we take B(s) for ⊥.
The proof term for OI-B is shown in Figure 1. We obtained it by formalizing the proofs of Theorems 1 and 4 in HA^ω+(⟨⟩ ∈ B), and then by normalizing and (hand-)optimizing the formalized proof term, to obtain a compact and direct program proving OI-B.
To ease the presentation, at certain places, we have put after a semicolon the type annotations for individual terms, and the formulas for proof terms. Some parts, being too long, have been put below the main proof term. We suppress the use of equality axioms, to keep the proof term simple without equality-rewriting terms. It is known that equality proofs have no computational content when extracting programs, as they are realized by singleton data types.

5 Conclusion
We gave a direct proof for OI-B in a constructive predicate logic incorporating delimited control operators. While a computational interpretation of MQC+(S) is available, namely the standard call-by-value weak-head reduction semantics for lambda calculus with shift and reset, we cannot directly analyze the computational behavior of the proof term for OI-B because, at the moment, we do not have a proof term for AC!_{0,B} used in the proof term for OI-B. The best way to overcome this limitation would be to extend MQC+(S) so that it can derive AC!_{0,B}, as is done in Martin-Löf Type Theory or constructive versions of Hilbert's epsilon calculus. Another way to overcome the limitation would be to use a realizability or functional interpretation that extracts programs from constructive proofs even in the presence of choice axioms. For example, by using Spector's extension of Gödel's functional interpretation with bar recursion, we could extract a program from our proof. However, replacing bar recursion is the point of using delimited control operators in the first place.
If and when our future work is successful, it would allow, at least for the case of the compact Cantor space, the replacement of Berger's general-recursive computation schema of open recursion by a terminating computation schema based on control operators.
The work of Krivine on Classical Realizability gives an interpretation of the Axiom of Dependent Choice [13] using control operators for classical logic. Herbelin recently gave a more direct version of that work [10], using classical control operators and coinduction.
Finally, we would like to mention Veldman's recent work in Constructive Reverse Mathematics [19,20] that has served as inspiration for our work. An article of Veldman on the equivalence of Open Induction with a number of other axioms is in preparation. In our paper, we showed one direction of this equivalence for the topology of Cantor space seen as the infinite binary tree rather than as the subset of the real line.

Proof (of Theorem 4). Let the premises of Axiom 4 hold. To show that n ∈ B, which is a Σ-formula, we use DNS^V_S for A(x) := x ∈ B and S := n ∈ B. Now, given ∀x(x ∈ B ∨ (x ∈ B → n ∈ B)), we have to show n ∈ B. We use the premise of Axiom 4 for s := n and C := B, and, using the trivial proof of ∃m(m ∈ B → n ∈ B) for m := n, the premise gives us a proof of ∃m(m ∈ B ∧ (m ∈ B → n ∈ B)), from which we derive n ∈ B. ◭

Table 1. Natural deduction system for MQC+(S), parameterized over a closed Σ-formula S, with proof terms annotating the rules.