Scholarly article on topic 'Layered map reasoning'

Layered map reasoning Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Keywords
{"Set Theory" / "relation algebras" / first-order / theorem-proving / "algebraic logic"}

Abstract of research paper on Computer and information sciences, author of scientific article — Andrea Formisano, Eugenio G. Omodeo, Marco Temperini

Abstract New successes in dealing with set-theories by means of state-of-the-art theorem-provers may ensue from terse and concise axiomatic systems, such as can be moulded in the framework of the (fully equational) Tarski-Givant formalism of dyadic relations, here named ‘maps’. This paper sets the ground for systematic experimentation based on such axiomatic systems. On top of a kernel axiomatization of map algebra, we develop a layered formalization of basic set-theoretic concepts. A number of concrete experiments have been carried out in this framework, as the paper reports, with the assistance of a first-order theorem-prover. The aim is to assess the potential usefulness of the proposed layered architecture and, to the extent it reveals promising, to best tune it.

Academic research paper on topic "Layered map reasoning"

Electronic Notes in Theoretical Computer Science 48 (2001)

URL: http://www.elsevier.nl/locate/entcs/volume48.html pp. 1—28

Layered map reasoning: An experimental approach put to trial on sets1

Andrea Formisano 2

Dipartimento di Matematica e Informatica, Universita di Perugia

Eugenio G. Omodeo 3

Dipartimento di Matematica Pura ed Applicata, Universita di L'Aquila

Marco Temperini4

Dipartimento di Informatica e Sistemistica, Universita 'La Sapienza' di Roma

Abstract

New successes in dealing with set-theories by means of state-of-the-art theoremprovers may ensue from terse and concise axiomatic systems, such as can be moulded in the framework of the (fully equational) Tarski-Givant formalism of dyadic relations, here named 'maps'. This paper sets the ground for systematic experimentation based on such axiomatic systems. On top of a kernel axiomatization of map algebra, we develop a layered formalization of basic set-theoretic concepts. A number of concrete experiments have been carried out in this framework, as the paper reports, with the assistance of a first-order theorem-prover. The aim is to assess the potential usefulness of the proposed layered architecture and, to the extent it reveals promising, to best tune it.

Key words: Set Theory, relation algebras, first-order

theorem-proving, algebraic logic.

1 This research was partially funded by the Italian IASI-CNR (coordinated project log(SETA)) and by MURST (PGR-2000—Automazione del ragionamento in teorie insie-mistiche).

2 Email:formis@dipmat.unipg.it

3 Email:omodeo@univaq.it

4 Email:marte@dis.uniroma1.it

©2001 Published by Elsevier Science B. V.

1 Introduction

In view of its pervasiveness in exact sciences, Set Theory deserves sustained efforts that bring to light richer and richer decidable fragments of it [7], general inference rules for reasoning in it [36,2], effective proof strategies based on its domain-knowledge [3], and so forth. While this specialized area of automated reasoning progresses and attains autonomous results and a larger horizon (cf. [9]), many experiments with set-theories have been carried out by means of standard theorem-proving systems. Still today such experiments pose considerable stress on state-of-the-art theorem provers, or demand the user to give much guidance to proof assistants; they therefore constitute ideal benchmarks. Even for those who are striving to develop something entirely ad hoc in the challenging arena of set-theories, it is important to assess what can today be achieved by unspecialized proof methods and where the context-specific bottlenecks of Set Theory precisely reside.

In its most popular first-order version, namely the Zermelo-Skolem-Fraenkel axiomatic system ZF, set theory (very much like Peano arithmetic) presents an immediate obstacle: it does not admit a finite axiomatization. This is why the von Neumann-Bernays-Godel theory GB of sets and classes is sometimes preferred to it as a basis for experimentation [5,35,30]. Various authors (e.g., [24,28,29]) have been able to retain the traits of ZF, by resorting to higher-order features of specific theorem-provers such as Isabelle.

In this paper —which continues a series inaugurated with [17]— we pursue a minimalist approach, relying on purely equational and most concise formulations of both ZF and the theory (first proposed in [33]) of finite sets. Such formulations are based on the logical system Cx deeply investigated in [34]: we designed them with the aim of offering a good starting point for experimentation—with Otter [23], say, or with a more markedly equational theorem-prover. Guidelines for our axiomatization task were drawn from [34] too: the outcome is equational and devoid of variables, and accordingly somewhat out of standards. Luckily, a theory stated in Cx can easily be emulated through a first-order system, simply by treating the meta-variables present in the schematic formulation of its axioms (both the logical axioms and the ones endowed with a genuinely set-theoretic content) as if they were first-order variables. In practice, this means treating ZF as if it were an extension of the theory of relation algebras [20,22,12,32,26,14,18], whose variables are not supposed to range over sets but over the dyadic (i.e. binary) relations on the universe of sets. Anyway, the exact relationship of our own formulation of ZF with ZF proper on the one hand, and with GB on the other, is a delicate theoretical issue which we intend to address in another paper of this series.

This paper consists of two parts:

• Sections 2-3 briefly recall —and, to a little extent, ameliorate w.r.t. [15], [17, Sec. 7.2]— our equational formulation of set-theoretic axioms. Taken in its

entirety, Set Theory offers a panorama of alternatives (cf. [31, p. x]); that is, it consists of axiomatic systems not equivalent (and sometimes antithetic, cf. [25]) to one another. This is why, rather than producing the axioms of just one theory, we indicate various options. Future work will expand the material of these sections into a toolkit for assembling class- and set-theories of all kinds—after we have singled out, through experiments, formulations of the axioms that work decidedly better than others.

• Sections 4-6 mainly report on experimental results based on the above formulation of the set-axioms.

Comparison with analogous results based on more traditional specifications of the set-axioms, which exploit in full the expressive means of first-order predicate languages, are deferred to another paper of this series.

2 Syntax, semantics, and logical axioms of Lx

Lx is a ground equational language where one can state properties of dyadic relations —maps, as we will call them— over an unspecified, yet fixed, domain U of discourse. The map whose properties we intend to specify is the membership relation e over the class U of all sets. The language Lx consists of map equalities Q = R, where Q and R are map expressions:

Definition 1 Map expressions are all terms of the signature shown at the top of Fig. 1—of whose symbols, n, A, o,\, U, f will be used as left-associative

infix operators, -1 as a postfix operator, and _ as a line topping its argument.

For an interpretation of Lx, one must fix, along with a nonempty U, a subset G® of U2 =Def U x U. Then each map expression P comes to designate a specific map P® (and, accordingly, any equality Q = R between map expressions turns out to be either true or false), on the basis of the following evaluation rules:

0® =Def l® =Def u2, I® =Def {[«,«] : a in U}]

(QnR)® =Def { [a, b] e Q® : [a, b] e R® }; (QAR)® =Def { [a, b] eU2 : [a, b] e Q® if and only if [a, b] E R® }; (QoR)® =Def { [a, b] eU2 : for some c in u, one has [a, c] e Q® and [c, b] e R® };

(Q-1)® =Def { [b, a] : [a, b] E Q® } .

Of the operators and constants in the signature of Lx, only a few deserve being regarded as primitive constructs; indeed, we choose to regard as derived constructs the ones for which we gave no evaluation rule, as well as others that we will tacitly add to the signature—see central part of Fig. 1.

The interpretation of Cx obviously extends to the new constructs; e.g.,

(P tQ)9 =Def { [a, b] eu2 : for all c in u, either [a, c] £ P9 or [c, b] £ Q9 }, funcPart( P)9 =Def {[a, b] e P9 : [a, c] £ P9 for any c = b},

so that funcPart( P) = P will mean "P is a partial function", very much like to be seen below.

Notice that we are also allowing ourselves to define, through abbreviating definitions, alternative notation for map equalities that follow certain patterns. This is, e.g., the case of the notation Func( P), which means the same as funcPart( P) = P; or the case of Total( P), which states that for all a in U there is at least one pair [a,b] in P9.

The logical axioms characterizing the derivability notion ^ for Cx are shown in the third frame of Fig. 1. These will be supplemented with proper axioms reflecting one's conception of U as being a hierarchy of nested sets over which e behaves as membership.

It must be said that there is no representation theorem that plays for map algebras a role analogous to the Stone theorem for Boolean algebras (cf. [4]). In other words, there exist equalities that are true in all algebras of dyadic relations over a fixed U but which are false in some structure which, though fulfilling the axioms of map algebra, does not consist of relations. This defect will presumably propagate to any set theory formulated as an extension of the map algebra; but anyway, even in first-order logic, a set theory never reflects the intended semantics univocally, and hence the map-algebraic formulation and the logical one can, with their limitations, be on a par. The results reported in [10], which we will briefly review in Sec. 5, constitute a verification of this fact.

3 Specifying set theories in Cx

One often strives to specify the class C of interpretations that are of interest in some application through a collection of equalities that must be true in every S of C. In [15] (cf. also [17, Sec. 7.2]) we undertook a task of this nature: our aim, there, was to capture through simple map equalities the interpretations of E complying with

• standard Zermelo-Fraenkel theory, on the one hand;

• a theory of finite sets ultimately based on individuals, on the other hand.

In this section we briefly recall the main points of [15], leaving momentarily individuals out of consideration.

In part, the game consists in expressing in Cx common set-theoretic notions. To start with something obvious,

symbol : 0 1 i € n A o -i — \ U t

degree : 0 0 0 0 2 2 2 1 1 2 2 2

priority : 5 3 6 7 2 2 4

P U Q =Def P A Q A P D Q P =Def P A 1 P t Q =Def funcPart( P) =Def P \ P o i lAbs( P ) =Def P = loP P \ Q =Def P A P D Q P o Q P C Q =Def P D Q = P Func( P ) =Def P-1oP C i Total(P) =Def Pol = 1

PnQ = Q D P

P D (Q A R) A P D Q = P D R

(P *i Q) *i R = P *i (Q *i R)

ioP =P

P-i-1 =P

(P*2 Q )-1 = Q-1 *2 P-1

((P A Q) A P D Q) o R = (QoR A PoR) A QoR D PoR

P-1o (R D( P oQAl ))D Q =0

1 D P =P

e {A, n, o} and G {D, o} Fig. 1. Operators, derived constructs, and axioms of map algebra

G -Def G , 3 -Def G 1 , 3 -Def 3 ;

'' ' £n — Def £oo£io ■ ■ ■ o£n,

where each ei stands for one of G, G, 3, 3, l, 1 To see something slightly more sophisticated:

Example 1 With respect to an interpretation S, one says that a intersects b if a and b have some element in common, i.e., there is a c for which cG®a and cG®b. A map expression P such that P® = { [a,b] eU2 : a intersects b } is 3G.

Likewise, one can define in Lx the relation a includes b (i.e., "no element of b fails to belong to a"), by the map expression 3G. The expression 3GUi translates the relation a is strictly included in b, and so on.

The property of a set a being transitive in the sense that every element of any element of a belongs to a can be designated by the following map

expression trans:

trans =Def i \$GG.

Here, by requiring trans9 to be contained in t9, we have made it represent a collection of sets; then, the further requirement that trans9 be disjoint from ( ^GG )9 amounts to the condition that cG9a holds when a, c, and d are .such that a trans9 a, dG9c, and cG9a hold. □

Secondly, the reconstruction of a set-theory within Cx consists in restating ordinary axioms (and, subsequently, theorems), through map equalities.

Example 2 The sum-set axiom and the power-set axiom respectively state, for every set a, that there is a set comprising as elements all elements of elements of a and that there is a set comprising as elements all .sets included in a. The former can be formulated in the map language as

(Un) 33&o 1 = 1

(or, more succinctly, as Total( 99fG )); the latter as (Pow) Total( ).

A customary strengthening of the sum-set axiom is the transitive embedding axiom, which states that every b belongs to a set a which is transitively closed w.r.t. membership:

(T) Total( Gotrans).

The foundation (or 'regularity') axiom ensures that the membership relation G9 is cycle-free—more generally, under infinity and replacement axioms (see below), it can be used to prove that G9 is well-founded on U (cf. [13, Ch.2, Sec.5]). Regularity is usually stated by saying that vjhen some b belongs to a, there is a c also belonging to a that does not intersect a:

(R) 1G = 1 o ( G\3G ). □

In the third place, we are to prove theorems about sets by equational reasoning, moving from the equational specification of the set-axioms. In this phase we must refer to the inferential apparatus of Cx, consisting of the logical axioms displayed in Fig. 1 and of the ordinary rules of equational reasoning.

Example 3 From the above-stated regularity axiom (R), one can deduce that any transitive non-void set has a void set among its elements:

UGH trans C 1GoG.

Extensionality and subset axioms

As was observed in [15], two derived constructs can be of great help in stating the properties of membership simply; they are the following d and F:

d ( P ) =Def P O G, F( P ) =Def d( P ) \ P OG.

Plainly, ad(Q )^b and aF( R )^b will hold in an interpretation S if and only if, respectively,

• all cs in U for which aQ9c holds are 'elements' of b (in the sense that cG^b);

• the elements of b are precisely those c in U for which aR9c holds.

First in the list of axioms postulated by Zermelo (cf. [37]), extensionality, states that sets whose elements are the same are identical:

(E) F( 9 ) = t.

A useful variant of this axiom is the scheme Func( F( P)), where P ranges over all map expressions.

The subset axioms enable one to extract from any given a the set b consisting of those elements of a that meet a condition specified by means of a map expression P. A more general form of this axiom scheme depends on a second map expression Q too: To every set a, there corresponds a set b which is null unless there is exactly one d fulfilling aQ9d, and which in the latter case consists of all elements c of d for which aP9c holds. Formally:

(S) Total( F( funcPart( Q )o3HP)).

Example 4 By taking Q = t and P = lo( t\G ) in (S), we obtain that to every set a there corresponds a b consisting of exactly those elements c of a for which cG^c is false. This subset b of a does not belong to a. Notice, in fact, that b cannot belong to itself (else a contradiction would ensue from the very characterization of the elements of b); then, since bG^'b, we have that bG^'a (the opposite assumption would in fact yield bG9b). In view of the genericity of a in the above argument, we conclude that every set has a subset not belonging to it: Total( 9G\9 ).

(When (R) is postulated, the same conclusion can be reached far more easily.) □

Pairing and finiteness axioms

Two maps A, q are said to be conjugated quasi-projections if they are (partial) functions and for any pair ao,ai of entities in U there is a b in U such that A(b) = a0, Q(b) = a1. We assume in what follows that X, p are map expressions designating two conjugated quasi-projections. It is immaterial whether they are added as primitive constants to Lx, or they are map expressions suitably chosen so as to reflect one of the various notions of ordered pair available around, and subject to axioms that are adequate to ensure that the desired conditions, namely

(Pair) X-1 o p = l, Func( X), Func( p), G9 = l, hold (cf. [34, pp. 127-135]).

Under the set-axioms (E), (Vow), (S), (Pair) introduced so far, it is

reasonable to characterize a set a as being finite if and only if every set b of which a is an element has an element which is minimal w.r.t. inclusion (cf. [33, p. 49]). Accordingly, in forming a theory concerned exclusively with finite sets, one can adopt the following finiteness axiom:

(F) finite = i, where finite —Def 1o( Gn((^U3G )tG ))t3).

On the one hand, this means that a finite® a holds for every set a; on the other hand, the requirement that finite® be contained in

(lo( Gn((tU3G )tG ))t?) ®

amounts to the condition that when both a finite® a and b3®a hold, there is a cG®b such that no dG®b other than c itself is included in c.

Single-element addition and removal

This section is a digression on techniques for forming pairs with sets.

One of the axioms in [37] states that "there exists a set ■ ■■ that contains no elements at all. If a is any object of the domain, there exists a set {a} containing a and only a as element; if a and b are any two objects of the domain, there always exists a set {a, b} containing as elements a and b but no object x distinct from both." As one easily sees, the axioms (E), (S), (Un), and (Pair) make the null set and the adjunction operation available; therefore they also enable singleton- and doubleton-formation, and hence they make the above Zermelo's axiom of elementary sets unnecessary.

Sometimes, though, one likes to work within a very weak membership theory, e.g. a theory whose only postulates are (E) and the axiom of elementary sets. These axioms have (Pair) as a consequence, because they enable the formation of {{a,b }, { a }} from given sets a, b, which is Kuratowski's classical encoding of the ordered pair with left component a and right component b. The components of such an entity can be retrieved by means of

A — funcPart( 3ofuncPart( 3 )),

p — 33n((33UA t )n( 3t31),

respectively, and it can indeed be shown that A and p, so defined, fulfill

(Pair)2,3,4.

An ordered pair can, alternatively, be conceived of as a set of the form {{b } \ {a }, { b } U {a }}. The ongoing is based on this idea. Instead of directly postulating doubleton formation (as Zermelo did), we postulate (E), null-set existence

(N) iieol = 1,

and single-element addition and removal, intended as the possibility of forming c U{a} and c \{a} out of given sets c, a. Stating that these two operations can

be performed singularly is almost certainly impossible (cf. [21]), and hence we resort to an axiom directly stating that {{b }\{ a }, { b }U{ a }} can always be constructed:

(WL) ( gen valvegg, gg)) o3 = 1,

valve(P,Q) =Def P \ I ◦ ( P \ Q).

This means: If c and a are any two objects in the domain, there always exists a sets d containing c as element, for which a is the sole object x fulfilling both xgg^d and xgg^d.

Conjugated quasi-projections associated with the pair

{{b }\ { a }, { b }U{ a }}

A =Def V-1 and p =Def valve-1(€€, v),

V =Def gg n valvegg, gg). As we will discuss later on, (Pair) is derivable from (E), (N), and (WL).

An infinity axiom, and the replacement axioms

We have collected in Fig. 2 all the axioms introduced so far, along with an additional clause of (Pair), a version (Repl) of the classical replacement axiom, and an axiom (I) which, presupposing (R), states the existence of infinite sets (cf. [27]). Of course this infinity axiom is antithetic to the axiom (F) seen earlier: one can adopt either one, but only one of the two.

The new axioms (Pair)5, (Repl), and (I) are not discussed here: the interested reader can find in [15] detailed comments.

4 Layers of experiments set up on Otter

To follow [34] orthodoxly, we should treat Lx as an autonomous formalism, on a par with first-order predicate calculus. This, however, would pose us two problems: we should develop from scratch a theorem-prover for Lx, and we should cope with the infinitely many instances of (S) and of (Repl). Luckily, this is unnecessary if we treat as first-order variables the meta-variables that occur in the logical axioms or in (S), (Repl) (as well as in induction schemes, should any enter into play either as additional axioms or as theses to be proved). Within the framework of first-order logic, the logical axioms lose their status and become just axioms on relation algebras, conceptually forming a chapter of axiomatic set theory interesting per se, richer than Boolean algebra and more fundamental and stable than the rest of the axiomatic system.

(E) F( 3 ) = i (N) Total(1G )

(WL)_(GGn ( GG\i o ( GGnGG ))) o3 = 1

(vow) Total (d (3G))

(un) Total(d( 33))

(T) Total ( Go (i n d( 33 ))

(S)_Total ( F( funcPart( Q )o3nP ) )_

(Pair)1)2)3 4 A-1 o p = 1, Func( A), Func( p), G3 = 1 (Pair)5 A o A-1 n p o p-1 \ i = 0

(F )_1 c 1 ^Gn((tu3g)tG^ t3_

(R) 1G = 1 o ( G\3G )

(I) Total ( 1o( d ( 33 ) n d ( 33 )-1\ G\3\i \3 oG))

(Repl) Tota^ d ((A o3o A~ 1n p o p~1) o funcPart( Q )) )

where d( P) —Def Pog, F( P) — Drf d( P) \ P oG

Fig. 2. Toolkit for axiomatizing set theories within map calculus

Any standard theorem-prover, e.g. Otter, can be exploited to experiment with axioms like the ones on relation algebras (cf. Fig. 1) and the ones on sets we have examined so far (condensed in Fig. 2).

Otter (Organized Techniques for Theorem-proving and Effective Research) is a resolution-style theorem prover developed at the Argonne National Laboratory (refer to [23] for a detailed description). It can manipulate statements written in full first-order logic with equality. The inference rules available in Otter are: binary resolution, (ordered) hyperresolution, UR-resolution, and binary paramodulation. Otter's main features are:

• the input may be in conjunctive normal form, or in full first-order logic;

• forward demodulation rewrites and simplifies any newly inferred clause with a set of equalities, and back demodulation uses newly inferred equalities to rewrite all existing clauses;

• forward subsumption deletes an inferred clause if it is subsumed by any existing clause, and back subsumption deletes all clauses subsumed by an inferred one;

• a variant of the Knuth-Bendix Method can search for a complete set of reductions;

• weight functions and lexical ordering decide the 'goodness' of clauses and terms;

• a set-of-support strategy is employed.

Otter offers a large number of parameters and options to help the user in guiding the inference process. In what follows we briefly illustrate those we found more useful in our experimentation. This will be done by giving the reader a description of the basic strategy we adopted in proving theorems with Otter. As we will see, in most cases this strategy worked well, whereas we needed some kind of tuning in order to successfully cope with a few theorems.

Since we are dealing with equality, we selected the Knuth-Bendix completion procedure; whenever non-unit clauses or non-equational predicates entered into play, we enabled hyperresolution and binary resolution. Paramodulation was employed. We usually exploited the default strategies for ordering, demodulation of clauses, and weighting. On the other hand, we made systematic use of the parameters devoted to limit the search space. To get into details, all theorems were proved imposing bounds on the maximum number of literals in a derived clause, and on the maximum number of distinct variables occurring in a derived clause. Moreover, we often imposed a threshold on the weight of derived clauses: the ones 'heavier' than this value were discarded. We also adopted Otter's default weighting strategy (cf. [23]); in some cases we found it useful to give extra weight to certain terms or literals in order to reduce the time spent for finding a proof. Here are the Otter settings we used in proving almost all theorems of map calculus (for the parameters and flags not mentioned here, we kept the values adopted by Otter's autonomous mode):

% Strategy:

set(knuth_bendix). set(back_demod).

set(para_from). set(hyper_res).

set(para_into). set(binary_res).

set(dynamic_demod_all).

% Limits on the search space:

assign(max_distinct_vars,3).

assign(max_literals,1).

assign(max_weight,18).

Notice that the value assigned to max_weight was usually 'guessed' by taking into account the syntactical structural complexity of the theorem to be proved.

Initial experimentation in map reasoning with Otter has been described in [1,17]; in [15] an equational re-engineering of set theories is presented. Automated set reasoning based on this equational formulation of ZF set theory was explored in [10,16]. In particular, in [10] the authors obtained a (semi-)automated proof of a fundamental result: under very weak set-axioms, namely (E), (N), and (WL), it was possible to derive the existence of a pair

of projections satisfying the pairing axiom (cf. Sec. 5, to be seen). This result, to be briefly surveyed in Sec. 5, guarantees the equipollence in means of proof of the equational formulation of ZF with its first-order version (cf. [34]).

The experimentation activity reported in [10] was carried out by relying completely on the autonomous mode supplied by Otter, and by always adopting the default settings. The explicit tuning of parameters and flags was avoided in order to obtain a higher independence of the approach from the specific theorem-prover. Since the syntactic complexity of the theorems tackled in [10] was quite low, this approach represented a viable choice.

The activity we are going to describe here is aimed at proving theorems that involve set-theoretical concepts whose syntactical and semantic complexity keep growing as experimentation proceeds. This fact can easily be grasped by considering the higher level of abstraction of notions such as totality or functionality w.r.t. the basic map constructs. To reflect this growth in complexity, we will develop a layered hierarchy of lemmas. Starting with a 'kernel' consisting of the constructs and axioms of Fig. 1, we will proceed systematically by defining new set-theoretical concepts and by proving groups of laws that characterize the new set-constructs. Each one of these extension steps will be a (potential) part of the basis for the next extension. Moreover, in proving a generic theorem, it will be possible to select a subset of the available constructs, together with their laws. This, actually, will help the search for the proof in two orthogonal ways: firstly, Otter will deal only with the part of the global environment that the user judges to be relevant and related to the theorem to be proved; and secondly, the inference activity will be better focused at the most suitable level of abstraction. For instance, in proving a law that infers the totality of the composition of maps from the totality of the components (cf. Fig. 11), a deep treatment of 'low level' concepts such as the intrinsic properties of symmetric difference should not be needed.

The first step in the development of our layers consists in proving a series of auxiliary laws for the kernel constructs (namely, A, n, o,-1). From the theoretical point of view, these laws are not necessary to prove any (provable) theorem of map calculus. Nevertheless, experimentation revealed that Otter was unable to prove several simple theorems in a reasonable amount of time, unless by employing these auxiliary laws. A conspicuous part of the laws regarding A and n are shown in Fig. 3, while the laws on map composition (group C1) and map inversion (group G1) are listed in Fig. 4.

The laws are divided into groups because each group usually corresponds to an input file that could be loaded into Otter; moreover, the laws in the same group were usually proved by adopting similar settings for parameters and search controls, and often by using the same groups of premises as hypotheses.

For each law in the tables, we indicated:

a) the groups of formulas given to Otter as input;

b) the length of the proof found by Otter;

law premises len. time gen. kept

II Pi"l 0 = 0 Ax 20 7 1120 185

P[~lP = P Ax 20 13 2304 382

Pn (P n Q) = PnQ Ax 27 13 2157 318

I2 PC\Q = P A QnP = Q ^ Q = P Ax, Ii 1 < 1 2 24

PC\Q = Q A QnR = Q ^ PnR = P Ax, Ii 2 3 162 62

Si P A Q = Q A P Ax 7 2 195 52

P (Q R) = Q (P R) Ax 8 4 258 54

0A P = P Ax 20 8 1124 190

PAP = 0 Ax 16 5 1110 180

P (P Q) = Q Ax 5 2 234 52

in (PAP-1) = 0 Ax, Si 199 5m 30s 6.4 • 106 13842

P (Q R) = (P Q) (P R) Ax, I1, S1 2 2 120 45

Fig. 3. Laws on n and A

law premises len. time gen. kept

Gi 0-1 = 0 Ax 22 8 1434 226

l-1 = l Ax 4 < 1 85 40

-1 = Ax 3 < 1 38 22

(P l)-1 = P-1 l Ax, Si 43 1.33s 24972 2033

(P Q)-1 = P-1 Q-1 Ax, Si, Gi 89 1.12s 17147 1554

Ci 00 P = 0 Ax 26 9 1447 231

Po 0 = 0 Ax 17 8 1378 219

POL = P Ax 4 2 38 23

l l = l Ax 29 20 3215 526

((P P-1) ) P =P Ax, Gi, Ci 66 18.53s 221080 8774

P ((P P-1) ) =P Ax, Gi, Ci 71 19.02s 227467 8844

P (P l) = P Ax 62 6.36s 68558 6734

P ( l P) = P Ax 61 6.08s 67926 6646

Fig. 4. Laws on 1 and o

c) the time spent (if not differently specified, it is expressed in hundredth of seconds);

d) the number of clauses generated during the inference process:

e) the number of clauses being kept (i.e., the generated clauses that fulfill all restrictions on weight, number of variables, number of literals, etc.).

In our experimentation we used Otter 3.0.6 running under Linux on a PC (Pentium III-450, with 128Mbyte of RAM).

Notice that sometimes there are more kept clauses than generated clauses. This is because the former include all clauses obtained by processing the input set of formulas. The writing 'Ax' reported for most of the laws, does not necessarily mean that all of the axioms of Fig. 1 have been fed into Otter; usually this is the case only when no other group of laws is employed in the

law premises len. time gen. kept

N1 P = P Ax 5 2 195 53

0 = 1 Ax 21 9 1229 318

1 = 0 Ax 17 9 1215 308

PnQ = QA (P n Q) Ax 11 4 361 77

PAQ=PAQ Ax 9 2 257 57

PAP = 1 Ax 2 < 1 40 24

PnP = 0 Ax 18 15 2210 496

N2 til 1 = 1 Ax, N1, S1,11, G1 1 2 0 40

PAP = 1 n 1 2 0 40

PnQ = P ^ PC\Q = 0 n 4 3 164 68

PC\Q = 0 ^ PnQ = P n 8 4 181 71

tnP-1 0 P = t n 20 17 2336 467

PAQ = PnQnPnQ n 18 37 5012 1435

PAQ = PnQnPnQ n 42 10m 36s 1.2 • 107 13860

PAQ = PnQnPnQ Ax, N1, S1,11, G1, N2.6 7 10 1645 385

P^n Q-1 = (Q n P)-1 --1 (PAQ)-1 = PnQnPnQ n 5 4 560 182

n 3 2 0 43

Fig. 5. Laws on map complementation

proof; otherwise, just (part of) the axioms regarding the constructs occurring in the theorem have been given in input. For instance, to prove the law

(1) ((P o P-1) n i) o P = P

of group Ci, we exploited the laws of Gi and those of Ci (meaning with this that Otter was allowed to use the laws listed before (1) in C1); moreover, we loaded the portion of Ax relative to o and to -1.

Figures 5 and 6 list the laws on map complementation and map union, respectively. The definitions of these constructs in terms of the primitive ones are listed in Fig. 1, together with the map formalization of other notions that will come into play in the sequel.

Other laws on map composition and expressing properties of i are listed in Fig. 8. In order to prove these laws, Otter needed to employ the defined map constructs of complementation and union, together with their laws. It should be noticed that Otter was not able to prove, in a reasonable amount of time, several of the laws of Fig. 8 without using the laws in I1, C1; G1; U^2,3,4.

Next come the laws on map inclusion and left-absoluteness. This extension of the signature can be considered as preparatory for the study on totality and functionality of maps. In turn, the laws on totality and functionality will play a crucial role in proving the set-theoretical theses we will report on in later sections.

A few remarks on the behavior of Otter confronted with map calculus are due. Firstly, experimentation revealed that, in general, proving a theorem/law

law premises len. time gen. kept

Ui P U Q = QUP Ax 8 < 1 107 46

0U P = P Ax 19 3 675 122

1 U P = 1 Ax 6 3 210 65

PUP = P Ax 24 13 1746 478

(P n Q) U (P n R) = Pn (Q U R) Ax 27 18 1939 597

(P n R) U (Q n R) = (^Q^ R Ax 42 38 4669 1046

Pn (PUQ) = P Ax 32 17 1920 567

Pn (Qn (PU R)) = PnQ Ax 37 17 1951 604

P (P Q) = P Ax 33 16 1916 559

PU (P n Q) = PUQ Ax 39 16 1986 648

PU (PnQ) = PUQ Ax 36 17 1981 622

(PnQ)U(PnQ) = Q Ax 35 18 1996 624

PUP =1 Ax, N1 9 2 0 28

PUQ = PnQ Ax 19 11 1298 448

PnQ = PUQ Ax 18 12 1275 435

U2 PU (PUQ) = PUQ Ax, Ui 6 2 101 68

(P Q) R = P (Q R) Ax, Ii, Ci, Ui 6 2.74s 69861 1047

P (Q R) = Q (P R) n 4 2.62s 68421 1035

(P Q) (P R) = P (Q R) n 13 1.41s 39504 709

(P R) (Q R) = (P Q) R n 30 1.44 39550 729

PU (QU (P n R)) = PUQ n 37 1.48 39872 735

(PUQ)u(PnR) = PU (Q U R) n 11 11 2232 300

Us PUQ = 0 ^ P = 0 Ax, U2 2 4 233 68

P A Q = (PnQ)U(PnQ) n 82 1.84s 26090 2116

(PUQ)n(PnQ) = Q) n 53 37 7033 792

P A Q = (PUQ)n(PDQ) n 43 1.44s 25517 1802

P-1 )) = 0 n 35 9.60s 101784 9462

P-1 )) = 0 Ax, U2, Us 6 5 0 94

U4 (PuQ)o R = (PoR)U(QoR) Ax 9 2 288 144

(Po (Q U R))-1 = R))-1 Ax, Gi 42 42 5959 1508

P (Q R) = (P Q) (P R) Ax, U4 2 4 377 141

Fig. 6. Laws on map union

law premises len. time gen. kept

Yi PoQnR = 0 ^ P-1 0 R n Q = 0 Ax 56 13 2104 328

Ti P = 0 v 1 0 Pol = 1 Simpl, Ax 13 22 6252 362

Pol =1 v lo P = 1 Simpl, Ax 2 2 240 62

Fig. 7. Cycle law and some consequences of simplicity

seems to be more challenging (with our inference machinery) when the map i or some of its properties are involved. Consider, for instance, the penultimate law in Fig. 3, and the laws involving i in Ci or C2. The same can be said for those laws that correspond to deep intrinsic characteristics of i, such as the

law premises len. time gen. kept

C2 Pn (P 0 (Q n «.)) = Po (Q n t) Ax, Ii, Ci, Gi, Uj, Yi 21 20.61s 236370 13644

Pn ((Q n t) 0 P) = (Q n t) 0 P n 21 40.52s 584457 15052

pru = P-1 m n 76 40.34s 568993 14885

(Pn t)-1 = P-1 ni n 3 7 946 160

(P )-1 = P n 74 43.47s 616878 15167

P-1 0 Pn t = t Ax, Ii, Ci,2, Gi, Uj, Yi 13 4.78s 59433 6707

C3 (P-1 0 ((PoQ) A l))n Q = 0 Ax 5 9 1217 241

(P-1 o (Pn ( lA (PoQ))))n Q = 0 Ax 34 15 2472 442

C'a (PPoQ)n Q = 0 Ax, Ii, Ci,a, Gi, Yi 2 2 204 46

(P-1 o (^n^Q)^ Q = 0 Ax, Ii, Ci,a, Gi, Yi 4 9 2335 192

Fig. 8. More laws on map composition and i

property:

(2) for each P C i, it holds that P-1 = P.

This phenomenon could be intuitively explained by observing that statements such as (2) assert properties that do not concern the map as a single object, but predicate on a relationship holding between the components of each pair belonging to the map. In a sense, this kind of statements can be thought of as having a 'deeper character', or, in other words, to model a sort of deep knowledge on the domain(s) of discourse.

Secondly, simple syntactical changes (preserving the semantics) in the thesis to be proved sometimes badly affect Otter's performances. Consider, for instance, the law

(3) P A Q = P n Q n PnQ

in Fig. 5. Its proof was relatively easy for Otter, if compared with the one of

(4) P A Q = PnQ n P n Q which is obtainable from (3) by just applying the rule

P = Q P P = Q

and by exploiting the double-negation law P = P.

To find a possible justification of this 'unstable' behavior, we have to consider that Otter adopts a default lexicographic ordering of terms (whenever the user does not supply his own criterion), in order to orient the rewriting rules (recall that Knuth-Bendix completion is employed), and to handle demodulation and weighting. In the above-mentioned case, the default ordering is the same for both theses, but it works better with the former of them. Changing the criterion for lexicographic ordering (in proving (4)) would have determined a better performance.

As a last remark on this phenomenon, notice that, as one expects, the proof of (4) turns out to be extremely easy (cf. Fig. 5) when (3) is included

law premises len. time gen. kept

Inci PCP Ax, I1, C1, G1, N1, U1 1 3 46 58

P Ç Q — (Q Ç R — PGR) ff 8 4 362 107

PC Q — P-1 C Q-1 ff 7 7 1582 229

PC Q — (R Ç S — (PC\RÇ Q n S)) ff 16 74 19377 1638

PC Q — PnQ = P ff 1 2 0 50

0 C P ff 1 3 32 50

Inc2 PC Q — (R Ç S — (PoRC QoS)) Ax, I1, C1, G1, N1, U1i4, Y1, Inc1 16 1m 16s 2 • 106 3425

Inc3 PnQ = P — PC Q Ax, I1, C1, G1, N1, U1,4, Y1, Inc1,2 1 3 1 54

P C Q — (Q C P — P = Q) ff 3 3 205 65

PP ff 4 5 413 90

P P-1 ff 24 2m 30s 3.3 • 106 25386

PC Q — Q C P ff 9 8 1641 268

PC Q — (R Ç S — (PrtSÇ QnR)) ff 10 11.46s 76721 28971

lo PoP-1 = 0 ff 19 37 8199 1002

P C l ff 2 3 210 65

lolo P = lo P ff 36 10.23s 166778 8485

PC Q — (PC R — (PC QnR)) ff 2 15 3381 730

PC Q — PoP-1 Ç QoQ-1 ff 2 25 6067 1586

Ax, I1, C1, G1, N1, U1,4, Y1

InC4 loP D P = 0 25 87 18861 1713

P l P Ax, I1,2, C1i2,3', G1, N1,2, Ui, Y1 1 4 201 104

P C Po l ff 1 6 164 99

P Q ( l P) Q Ax, Inc1,2,3 3 5 818 235

P (( l Q) R) = ( l Q) (P R) Ax, lAbs1.10 77 1.57s 17442 2695

InC5 (PnQ)o R C PoRnQoR Ax, Inc1,2,3 6 18 5199 281

P (Q R) P Q P R Ax, Inc1,2,3 6 18 5199 281

Fig. 9. Laws on map inclusion

among hypotheses.

There are also cases of laws whose proofs become easier if some additional lemmas are given in input (cf., for instance, U3 or lAbsi). This is a motivation for our choice of splitting in several groups the laws regarding a particular map construct.

Otter exhibited different behaviors even in proving the same thesis when formulated at different levels of our 'layered architecture'. For example, consider the two laws

l o P n P = 0 and P Ç l o P 17

law premises len. time gen. kept

lAbsi lAbs( l) Ax, I1, C1, G1, Ni, Ui,4, Yi 1 1 48 48

lAbs( 0) n 1 2 11 47

lAbs( l o P) n 3 6 958 188

lAbs( P) ^ lAbs( P) n 16 24.38s 257235 10844

lAbs( P) ^ lAbs( P ) Ax, I1, C1, G1, N1, U1>4, Y1, lAbs1 21 76 18640 1525

lAbs( P) ^ lAbs( PoQ) n 6 12 2831 314

lAbs( P) A lAbs( Q) ^ lAbs( PuQ) Ax, U4, lAbs1 5 99 8229 5234

lAbs( P) A lAbs( Q ) ^ lAbs( PnQ ) Ax, N4, U4, lAbs1 4 21 3114 2159

lo P = P ^ (RoQ)n P = Ro (Q n P) Ax, C1, G1, N1, U1>4, Y1, lAbs1 139 18.75s 172397 13368

lAbs( P) ^ (RoQ)n P = Ro (Q n P) n 6 65 7659 4056

lAbs( P) A lAbs( Q) ^ lo (PnQ) = PnQ Ax, lAbs1 2 32 4942 4733

Fig. 10. Laws on left absoluteness of maps

listed in Fig. 9, or the following two:

l o P = P ^ (R o Q) n P = R o (Q n P)

lAbs( P) ^ (R o Q) n P = R o (Q n P),

taken from Fig. 10. Experimentation revealed that, in general, the proof turns out to be easier when the thesis is expressed by employing the constructs of the higher layer (e.g. C instead of _ and n, or lAbs( •) instead of 'l o•'). Clearly, this is because the higher the layer, the greater is the expressiveness of the constructs/operators involved and, obviously, the larger is the set of previously proved laws that can be usefully exploited by Otter. This fact strongly supports our choice of developing experimentation in a 'layered' fashion.

It is sometimes convenient to add to the axioms of Fig. 1 one further axiom: (Simpl) R = 0 ^ 11 o R o l = l.

It can be shown that any theorem that is proved under this 'simplicity' assumption is also provable without it. Fig. 7 lists some of the consequences of simplicity, proved by Otter.

5 Set-reasoning in map calculus (case studies)

An alternative formulation of extensionality.

A useful variant of the extensionality axiom we stated in Sec. 3, is the scheme Func( F( P)), where P ranges over all map expressions.

law premises len. time gen. kept

Total(l) Ax, Ii, Ci, Gi, Yi 1 < 1 99 34

Total(t) Ax, Ii, Ci, Gi, Yi, Tot i 1 < 1 98 33

Total (!) Ax, N4, Ui>4, lAbsi 5 1.37s 21280 2311

Total(P n Q) ^ Total (Q) Ax, Ii, Ci, Gi, Yi, Ni, Ui, Toti 7 12 3530 133

Total(PoQ) ^ Total(P) ff 8 11 3530 128

Total(P U P o l) a 22 1.07s 25650 1791

Total(P A Po l) ff 53 85 9111 1277

Total (P-1) V Total(P) Ax, Ci, Gi, Ni, Toti, Simpl 4 2 275 92

Total (P ) V Total (P -1) ff 4 2 349 107

Total (P ) V Total ( l 0 P-1) ff 6 5 531 132

P n P-1 = 0 ^ Total(P) Ax, Ii, Ci, Gi, Yi, Ni, Ui, Toti 7 6 1148 225

Total (P ) A Total(Q) ^ Total(PoQ) ff 7 11 1584 419

Total (P ) A Total(Q) ^ Total ((Po l)n(Qo l)) ff 3 2 8 40

Total(P) A Total(Q) A Total(R) ^ Total((PoQ)n(Rol)) ff 5 13 1705 651

PoQ = l ^ Total(P) V Total(Q) ff 2 < 1 80 50

PoQ-1 = l ^ Total(P) A Total(Q) ff 5 56 3130 1718

PoQ = l ^ Total(P) A Total(Q-1) ff 5 5 334 114

P[~|Q = P A Total(P) ^ Total(Q) ff 2 4 89 76

PoQ-1 = l A Total (R) ^ Po(Q-1oR-1) = l ff 5 3 189 83

PoQ-1 = l ^ Total(PriQ) ff 2 1 11 8

PoQ-1 = l A Total(R) ^ Total (Pri(RoQ)) ff 7 31 10191 568

Total(P) A Qo (RoS) = l ^ Total (P o (Qo (RoS))) ff 2 1 8 23

PoQ-1 = l A Total (R) A Total(S) ^ Total((SoP)n(RoQ)) ff 45 9m 12s 6.6 • 106 30429

lAbs( P ) ^ (P = 0) V Total(P) Ax, Ci, lAbsi, Simpl 7 1.91 44040 1809

Func( 0 ) Ax, Ii, Ci, Gi 2 2 92 39

Func( t ) Ax, Ii, Ci, Gi 2 2 110 44

Func( P ) ^ Func( P[~|Q ) Ax, Ii, Inci,2,3 9 74 20065 913

Func( P ) A Func( Q ) A PÇQ A QC Po l ^ P = Q Ax, Ii,2, Ci,2, Si, Ni,2, Yi 288 51m 36s 3.4 • 107 24052

Fig. 11. Totality and functionality of maps

Our first task in automated set-reasoning consists in proving the equivalence of the two formulations of (E), i.e., that:

F( 9 ) = i H^ Func( F( P)) .

Otter was unable to prove this theorem in a single shot. Hence we had to

split the theorem into two. First, we got a proof of (5) Func( F( P)) F F( 9 ) = i,

via the sequence of intermediate results listed in Fig. 12.

law length timing note

i Q F( 9) 3 4 by using Ii, 01,3, Gi, Ni, Ui)2,3,4, Yi

Func( F( 9)) — -- immediately from the hypotheses

F( 9) Q iol 3 2 by Ax, Inci, Funci

F( 9) = i 0 < 1 immediately from Funci

Fig. 12. Automated proof of (5)

The converse, i.e. (6) F( 9 ) = i F Func( F( P)),

was proved as shown in Fig. 13.

law length timing note

F( P )-1oF( P) Q 9oP-1oPoE 10 12.29s by Ax, Gi, Ni

F( P )-1oF( P) Q 9oP-1 oPoE 9 12.38s by Ax, Gi, Ni

F( P )-1oF( P) Q F( 9 ) 3 2 by Incj

F( P)-1oF( P) Q i 1 < 1 by Inc^

Fig. 13. Automated proof of (6)

Designing pairs of conjugated projections.

In [10] it was shown that the axioms of a weak theory of sets —namely, the extensionality, null set, single-element addition, and single-element removal axioms recapitulated in Fig. 14—5 suffice to enable Otter to prove that two specific maps X, p satisfy (Pair)1 2 3. In that context, the approach to experimentation was aimed at 'miniaturizing' the obtained proofs, i.e., at developing the proofs by starting with the raw axiomatization of Fig. 1, without the explicit introduction of defined constructs, and by strictly interacting with and guiding Otter, to make it perform only the essential inference steps.

The main result of [10] consisted in proving within map algebra (under minimal assumptions on membership), that X and p designate conjugated

5 A first-order statement of the binomial (WL) is

(WL) 3 d(Y Ed AVu(u = X ^3 v 3 w (uEvEd A uEwEd)))

(where it goes without saying that X, Y are universally quantified). It turns out that in first-order logic this sentence yields —with the determinant contribution of (E), too— (N) as a derivable consequence.

(E) V v (vEX^vEY) ^ X = Y,

(N) 32VvvEz,

(W) 3 w vv (vEw ^ vEXvv = Y), (L) 3 £ v v (vEt ^ vEX a v = Y)

(E) Q i

(N) JLEol = l

(WL) ( EEn valve(EE, EE)) o 9 = l with valve(P, Q) =Def P\io( P\Q)

Fig. 14. Specification of a weak set theory in first-order logic and in map algebra

projections. As already mentioned, the important consequence is that the equational specification of our assumptions on membership has the same deductive power as its counterpart formulated in quantified first-order logic; this follows from results in [34].

The experimentation reported in [10] proceeded through a number of intermediate lemmas ultimately yielding the desired result. Most crucial, among them, is the following:

Lemma 1 (Functionality)

Q o Q-1 Q i entails valve(P, Q) o valve-1 (P, Q) Q i.

This lemma mainly relies on various elementary Boolean identities, and on some obvious consequences of the Peircean axioms (i.e., the logical axioms regarding o,-1, and i). The only non-obvious laws on maps needed are the so-called cycle law (cf. Fig. 7) and Dedekind law (cf. [32]):

P o Q n R Q (P n R o Q-1) o (Q n P-1o R).

A 'miniaturized' derivation of the Dedekind law was obtained from the bare axioms in Fig. 1. It consists in 25 verifications of the average CPU-time cost of 6 to 8 seconds (depending on the machine). 6 It is worth stressing that these 25 steps included the proofs of basic facts such as some of the laws on symmetric difference, intersection, and composition already seen in Figures 3 and 4.

While the functionality lemma easily allowed Otter to prove (Pair)23, in order to prove (Pair)i it was necessary to proceed as follows. First, the temporary assumption was added to (WL) that a singleton set {a} can be formed out of any given a. This assumption can be stated formally as follows:

(Sng) sng o l = l, where sng =Def E\iE.

Then the following lemma was obtained:

Lemma 2 Assume (Sng) and (WL). It follows that v o p = l. □

6 These verifications were run on a G3 Macintosh and under Linux.

It turned out that in order to prove this result Otter had to make extensive use of map-inclusion laws drawn from the ones listed in Fig. 9.

The next step consisted in proving that it is actually possible to do without a postulate of singleton formation. Verifying this claim amounted to getting an automated proof of the derivability of (Sng) from (WL) and (N). In this case, an analysis of Otter's proof showed that the most useful intermediate results (implicitly proved in the main proof) were the laws on totality.

Totality of some elementary relations on sets.

By using the laws of Sec. 4, Otter was able to prove the totality of a number of relations on sets. We give below an excerpt of the results we obtained. The laws of Fig. 11 intervene in these proofs crucially.

• Total(E9). Thanks to (Pair), this thesis reduces to proving that Total(l) holds. It was immediately derived from the laws on totality.

• Total(Gl) follows from the previous result and from the laws in Fig. 11. It was proved in 0.02 seconds; the proof-length is 3.

• Total(E) follows from the previous results and from the laws in Fig. 11. It was proved in 0.02 seconds; the proof-length is 1.

A general technique for proving totality of .set constructors.

The next task consists in obtaining the proof of a general law for deriving the totality of expressions of the form Total(F( R)). This law will give us the capability of defining a number of set-constructs (cf. [11, Sec. 5]). Let us start with two useful lemmas.

Lemma 3 For any P, Q such that

(7) P-1 o Q C3 and Func( p) it holds that:

(8) (P o X-1 n p-1) o F( A o3Hp o Q) C F( Q).

In the following we describe Otter's proof. The thesis (8) can be rewritten as

(9) (P o A"1 n p-1) o F( A o3Hp o Q) C Q ognQ o£

By assuming the hypothesis (7).1, Otter was able to prove the following intermediate result: (A o P-1 n p o Q ) C A o 3 n p o Q. Otter proved this result in 0.31 seconds; it generated 4162 clauses (the number of kept clauses was 915). The proof-length was 4. The proof was easily obtained by extensive use of the map-inclusion laws (cf. Fig. 9). The main settings used to drive Otter imposed any generated clause consisting of more than two literals, or having more than two distinct variables, to be discarded. From (9), by

exploiting the cycle law and the laws on inclusion, Otter easily proved that:

(10) (P o X-1 n p-1) o F( A o9np o Q) Q Q^E

The proof was found in 1.30 seconds (its length was 9), by generating 13729 unit clauses (max_literals=1 and max_distinct_vars=3) and keeping 2652 clauses.

On the other hand, the following map inclusion was proved by assuming the functionality of p (cf. hypothesis (7).2), in 0.81 seconds. The proof-length was 13, the numbers of generated and the kept clauses were 9848 and 2097, respectively:

(11) ( P o A-1 n p-1) o F( A o9np o Q ) Q Q oE

Putting together the two results (10) and (11), in order to obtain the thesis (8), took 0.08 seconds (two inference steps, by hyper-resolution).

Lemma 4 Assume (Pair)i 2 and (S). Then for any P,Q

Total(P) F Total( (PoA-1np-1) o F( Ao9npoQ)).

Otter proved this lemma (by proving two intermediate results) in a total time of 0.24 seconds. On this ground, the following proposition was proved.

Proposition 1 Assume (Pair)i 2 3 and (S). Then for any P, Q,

(12) Total(P), P-1oQ Q9 F Total(F( Q)).

This proposition was proved in two stages. We first drew from the hypotheses a series of intermediate lemmas yielding

(PoA-1np-1) o F( Ao9npoQ) Q F( Q).

The thesis then readily followed, with the help of the laws on totality. The overall time of this proof was 3.57 seconds.

By using this general tactic, Otter proved the totality of several map expressions, certifying in this way that these expressions characterize legal operations on sets:

• Total(F(i)). The expression F(i) defines the singleton operation a ^ {a}. Its totality was proved in 0.05 seconds (length:7, generated:768, kept: 108), by using the result previously obtained: Total(E) (Otter instantiated P = E and Q = i in proposition (12)).

• Total(F(0)). The expression F(0) characterizes the nullset construction: a ^ { }. As in the previous case, its totality was proved in 0.04 seconds (length:3, generated:335, kept:52). Notice that this thesis was proved also

without resorting to the above proposition, but in this case Otter's task was more difficult: the proof was produced in much more time: 1.15 seconds. Otter used the laws in C\, I1)2, Gi, N1>2 and in particular those in Tot1; it generated 21521 clauses, keeping 343 of them.

• Consider the two axioms Total( d( 3G)) and Total( d( 33)) in Fig. 2. Otter was able to prove their strengthened versions Total( F( 3G)) and Total(F( 33)) by using, among others, the law (12) and the cycle law. The first proof was generated in 0.11 seconds (length:4, generated:2616, kept:265). The strong version of the second axiom was proved in 17.88 seconds (length:6, generated:386130, kept:5070).

• A more general result was also proved. Namely, under the axioms (Pair) and (S), Otter proved this property of totality:

Total(d(P)) £ Total(F( P)).

The proof was found in 0.12 seconds (length:4, generated:2616, kept:265) by using the above proposition, the cycle law, and the laws of Fig. 11.

A lemma on transitive sets

The basic fact, stated in Example 3, that there is a void set in any non-void transitive set, ensues from the law

(13) R C P ^ l o R \ Q o P C Q o R,

which Otter was able to derive in 2 steps and 21.63 seconds from the two laws

R Ç P — Q o P Ç Q o R, R Ç P — l o R \ Qo P Ç l o R \ Qo R.

In turn, proving these required 19 steps and 15.44 seconds, and 5 steps and 4.94 seconds, respectively.

In consequence of (13), and since by virtue of the general law T \ S Ç T and of the monotonicity of o the inclusion

Go ( G\3G) Ç GG

holds (Otter proved it in 2 steps and 0.98 seconds), we get

lG o(G\G3)\^GG Ç 3Go(G\3G)

(1 step, 0.05 seconds); therefore

( lG o(G\3G)\^GG ) n i Ç 3Go(G\3G)ni

Ç i = 0 .

These intermediate lemmas have been obtained in different runs, in an overall time of 5.08 seconds.

On the basis of the definition of trans, of the law Rn( S\T ) = ( R\T )nS, and of (14), we then have

. . ieo( €\Э€) n trans = lGo( €\Э€) П ( i\$ee )

= ( lGo( €\Э€)\$ee ) n i = 0 .

The proof that the first member of this chain equals the null map 0 was obtained directly, in 1.43 seconds; it consists of 2 steps.

At this point we can easily obtain the desired thesis by means of the following chain of equalities and inclusions (making use of (R) to get the first equality, and exploiting (15) subsequently):

len trans = 11 o ( e\эe) П trans

= ( leuie ) o ( е\эе) n trans = ( ieo( е\эе) u îëo( е\эе)) n trans = ieo( е\эе) n trans u îëo( е\эе) n trans = 0 u Te o ( е\эе) n trans = Te o ( e\ эе) n trans ç ïëo(е\эе) ç Teo e,

These eight equalities and inclusions were proved by Otter with the following respective proof-lengths and times: 8 steps, 0.07 seconds; 4 steps, 0.09 seconds; 4 steps, 0.01 seconds; 24 steps, 3.57 seconds; 4 steps, 0.16 seconds; 3 steps, 0.04 seconds; 3 steps, 4.97 seconds; 3 steps, 9.03 seconds.

6 Conclusions

The language Lx may look distasteful to reading, but it ought to be clear that techniques for moving back and forth between first-order logic and map logic exist and are partly implemented (cf. [34,19,6,17,8]); moreover they can be ameliorated, and can easily be extended to meet the specific needs of settheories. Thanks to these, the automatic crunching of set-axioms of the kind discussed in this paper can be hidden inside the back-end of an automated reasoner.

Anyhow, we think that it is worthwhile to riddle through experiments our expectation that a few basic machine reasoning layers designed on top of Lx may significantly raise the degree of automatizability of set-theoretic proofs. This expectation relies on the merely equational character of Lx and on the

good properties of the map constructs; moreover, when the calculus of Cx gets emulated by means of first-order predicate calculus, we see an advantage in the finiteness of the axiomatization of the set-theoretic framework.

Acknowledgements

Annalisa Chiacchiaretta, and four students of an Artificial Intelligence class, contributed to the first phase of the experimentation with Otter reported above.

References

[1] Aureli, F., A. Formisano, E. G. Omodeo and M. Temperini, Map calculus: Initial application scenarios and experiments based on Otter, Technical Report 466, IASI-CNR (1998).

[2] Bailin, S. C. and D. Barker-Plummer, Z-match: An Inference Rule for Incrementally Elaborating Set Instantiations, Journal of Automated Reasoning 11 (1993), pp. 391-428, (Errata in 12(3):411-412 1994).

[3] Belinfante, J. G. F., On a modification of Godel's algorithm for class formation, AAR Newsletter 34 (1996), pp. 10-15.

[4] Bell, J. L. and A. B. Slomson, "Models and Ultraproducts: An Introduction (third revised printing)," North-Holland/American Elsevier, Amsterdam/New York, 1974.

[5] Boyer, R., E. Lusk, W. McCune, R. Overbeek, M. Stickel and L. Wos, Set theory in first-order logic: Clauses for Godel's axioms, Journal of Automated Reasoning 2 (1986), pp. 287-327.

[6] Cantone, D., A. Cavarra and E. G. Omodeo, On existentially quantified conjunctions of atomic formulae of L+, in: M. P. Bonacina and U. Furbach, editors, Proceedings of the FTP97 International workshop on first-order theorem proving, 1997, pp. 45-52, RISC-Linz Report Series No. 97-50.

[7] Cantone, D., A. Ferro and E. G. Omodeo, "Computable Set Theory. Vol. 1," Oxford University Press, 1989, Int. Series of Monographs on Computer Science.

[8] Cantone, D., A. Formisano, E. G. Omodeo and C. G. Zarba, Compiling dyadic first-order specifications into map algebra, in: Proceedings, of the 16th Twente Workshop on Language Technology—2nd AMAST Workshop Algebraic Methods in Language Processing (AMILP 2000), TWLT 16, University of Twente, 2000, pp. 35-54.

[9] Cantone, D., E. G. Omodeo and A. Policriti, "Set Theory for Computing — From decision procedures to declarative programming with sets," SpringerVerlag, 2001, Texts and Monographs in Computer Science.

[10] Chiacchiaretta, A., A. Formisano and E. G. Omodeo, Benchmark #1 for equational set theory, in: Giornata "Analisi Sperimentale di Algoritmi per I'Intelligenza Artificiale", Roma, 1999.

URL http://www.dis.uniroma1.it/~rcra/roma99

[11] Chiacchiaretta, A., A. Formisano and E. G. Omodeo, Map reasoning through existential multigraphs, Technical Report 05/00, Dipartimento di Matematica Pura ed Applicata, Universita di L'Aquila (2000).

[12] Chin, L. H. and A. Tarski, Distributive and modular laws in relation algebras, University of California Publications in Mathematics 1 (1951), pp. 341-384.

[13] Cohen, P. J., "Set Theory and the Continuum Hypothesis," Benjamin, New York, 1966.

[14] Diintsch, I., Rough relation algebras, Fundamenta Informaticae 21 (1994).

[15] Formisano, A. and E. G. Omodeo, An equational re-engineering of set theories, in: R. Caferra and G. Salzer, editors, Automated Deduction in Classical and Non-Classical Logics, LNCS 1761 (LNAI) (2000), pp. 175-190.

[16] Formisano, A. and E. G. Omodeo, Equational set-reasoning by automated map calculus, Technical Report 16/00, Dipartimento di Matematica Pura ed Applicata, Universita di L'Aquila (2000).

[17] Formisano, A., E. G. Omodeo and M. Temperini, Goals and benchmarks for automated map reasoning, Journal of Symbolic Computation 29 (2000).

[18] Frias, M. F., A. M. Haeberer and P. A. S. Veloso, A finite axiomatization for fork algebras, Journal of the IGPL 5 (1997), pp. 311-319.

[19] Haeberer., A. M., G. A. Baum and G. Schmidt, On the smooth calculation of relational recursive expressions out of first-order non-constructive specifications involving quantifiers, in: D. Bj0rner, M. Broy and I. Pottosin, editors, Formal Methods in Programming and Their Applications, LNCS 735 (1993), pp. 281298.

[20] Jonsson, B. and A. Tarski, Representation problems for relation algebras, Bull. Amer. Math. Soc. 54 (1948), pp. 80,1192.

[21] Kwatinetz, M. K., "Problems of expressibility in finite languages," Ph.D. thesis, University of California, Berkeley (1981).

[22] Lyndon, R. C., The representation of relational algebras, Ann. of Math., Ser 2 51 (1950), pp. 707-729.

[23] McCune, W. W., "OTTER 3.0 Reference Manual and Guide," Argonne National Laboratory/IL, USA (1994).

[24] Noel, P. A. J., Experimenting with Isabelle in ZF set theory, Journal of Automated Reasoning 10 (1993), pp. 15-58.

[25] Omodeo, E. G. and A. Policriti, Solvable set/hyperset contexts: I. Some decision procedures for the pure, finite case, Comm. Pure App. Math. 48 (1995), pp. 1123-1155, Special Issue in honor of J.T. Schwartz.

[26] Orlowska, E., Relational semantics for nonclassical logics: Formulas are relations, in: J. Wolenski, editor, Philosophical Logic in Polland, 1994 pp. 167186.

[27] Parlamento, F. and A. Policriti, Expressing Infinity without Foundation, Journal of Symbolic Logic 56 (1991), pp. 1230-1235.

[28] Paulson, L. C., Set Theory for Verification: I. From Foundations to Functions, Journal of Automated Reasoning 11 (1993), pp. 353-389.

[29] Paulson, L. C., Set Theory for Verification. II: Induction and Recursion, Journal of Automated Reasoning 15 (1995), pp. 167-215.

[30] Quaife, A., "Automates development of fundamental mathematical theories," Kluwer Academic Publishers, 1992.

[31] Quine, W. V., "Set theory and its logic." The Belknap Press of Harvard University Press, Cambridge, Massachussetts, 1971, revised edition, 3rd printing.

[32] Schmidt, G. and T. Ströhlein, Relation algebras: Concept of points and representability, Discrete Mathematics 54 (1985), pp. 83-92.

[33] Tarski, A., Sur les ensembles fini, Fundamenta Mathematicae VI (1924), pp. 45-95.

[34] Tarski, A. and S. Givant, "A formalization of Set Theory without variables," Colloquium Publications 41, American Mathematical Society, 1987.

[35] Wos, L., "Automated Reasoning. 33 basic research problems," Prentice Hall, 1988.

[36] Wos, L., The problem of finding an inference rule for set theory, Journal of Automated Reasoning 5 (1989), pp. 93-95.

[37] Zermelo, E., Untersuchungen über die Grundlagen der Mengenlehre I, in: From Frege to Godel - A source book in Mathematical Logic, 1879-1931, Harvard University Press, 1977 pp. 199-215, 3rd printing.