Cathoristic logic
A modal logic of incompatible propositions

Richard Prideaux Evans · Martin Berger

Keywords: Modal logic, Hennessy-Milner logic, transition systems, negation, exclusion, elementary equivalence, incompatibility semantics, knowledge representation, philosophy of language.

Richard Prideaux Evans, Imperial College. E-mail: richardprideauxevans@imperial.ac.uk
Martin Berger, University of Sussex. E-mail: M.F.Berger@sussex.ac.uk

Abstract

Cathoristic logic is a multi-modal logic where negation is replaced by a novel operator allowing the expression of incompatible sentences. We present the syntax and semantics of the logic including complete proof rules, and establish a number of results such as compactness, a semantic characterisation of elementary equivalence, the existence of a quadratic-time decision procedure, and Brandom's incompatibility semantics property. We demonstrate the usefulness of the logic as a language for knowledge representation.

Contents

1 Introduction
  1.1 Material incompatibility and negation
  1.2 Negation as the minimal incompatible
  1.3 Inferences between atomic sentences
  1.4 Wittgenstein's vision of a logic of elementary propositions
  1.5 Outline
2 Mathematical preliminaries
3 Cathoristic logic
  3.1 Syntax
  3.2 Semantics
4 Inferences between atomic sentences
  4.1 Intra-atomic inferences in cathoristic logic
  4.2 Intra-atomic inferences in first-order logic
5 Cathoristic logic as a language for knowledge representation
  5.1 Representing facts in cathoristic logic
  5.2 Simpler postconditions
  5.3 Using tantum ! to optimise preconditions
6 Semantics and Decision Procedure
  6.1 Semantic characterisation of elementary equivalence
  6.2 Quotienting models
  6.3 The bounded lattice of models
  6.4 Computing the least upper bound of the models that satisfy a formula
  6.5 A decision procedure for cathoristic logic
  6.6 Incompatibility semantics
7 Inference Rules
  7.1 Example inferences
  7.2 !-Left and !-Right
  7.3 Characteristic formulae
  7.4 Soundness and completeness
  7.5 Proofs of Lemmas 8, 9 and 10
8 Compactness and the standard translation to first-order logic
  8.1 Translating from cathoristic to first-order logic
  8.2 Compactness by translation
9 Cathoristic logic and negation
  9.1 Syntax and semantics
  9.2 Decision procedure
10 Quantified cathoristic logic
11 Related work
  11.1 Brandom's incompatibility semantics
  11.2 Peregrin on defining a negation operator
  11.3 Peregrin and Turbanti on defining a necessity operator
  11.4 Linear logic
  11.5 Process calculus
  11.6 Linguistics
12 Open problems
  12.1 Excluded middle
  12.2 Understanding the expressive strength of cathoristic logic
  12.3 Acknowledgements
A Alternative semantics for cathoristic logic
  A.1 Pure cathoristic models
  A.2 Relationship between pure and cathoristic models
  A.3 Non-determinism and cathoristic models
  A.4 Semantic characterisation of elementary equivalence
B Omitted proofs
  B.1 Proof of Lemma 5
  B.2 Proof of Lemma 6
  B.3 Proof of Lemma 7

1 Introduction

Natural language is full of incompatible alternatives. If Pierre is the current king of France, then nobody else can simultaneously fill that role. A traffic light can be green, amber or red but it cannot be more than one colour at a time. Mutual exclusion is a natural and ubiquitous concept.

First-order logic can represent mutually exclusive alternatives, of course. To say that Pierre is the only king of France, we can write, following Russell:

$king(france, pierre) \land \forall x.(king(france, x) \rightarrow x = pierre).$

To say that a particular traffic light, $tl$, is red and red is its only colour we could write:

$colour(tl, red) \land \forall x.colour(tl, x) \rightarrow x = red.$

In this approach, incompatibility is a derived concept, reduced to a combination of universal quantification and identity. First-order logic, in other words, uses relatively complex machinery to express a simple concept:

– Quantification's complexity comes from the rules governing the distinction between free and bound variables¹.
– Identity's complexity comes from the infinite collection of axioms required to formalise the indiscernibility of identicals.

The costs of quantification and identity, such as a larger proof search space, have to be borne every time one expresses a sentence that excludes others, even though incompatibility does not, prima facie, appear to have anything to do with the free/bound variable distinction, or require the full power of the identity relation.
This paper introduces an alternative approach, where exclusion is expressed directly, as a first-class concept. Cathoristic logic² is the simplest logic we could find in which incompatible statements can be expressed. It is a multi-modal logic, a variant of Hennessy-Milner logic, that replaces negation with a new logical primitive

$!A$

pronounced tantum³ $A$. Here $A$ is a finite set of alternatives, and $!A$ says that the alternatives in $A$ exhaust all possibilities. For example: $!\{green, amber, red\}$ states that nothing but green, amber or red is possible. Our logic uses modalities to state facts, for example $\langle amber \rangle$ expresses that amber is currently the case. The power of the logic comes from the conjunction of modalities and tantum. For example

$\langle amber \rangle \land\, !\{green, amber, red\}$

expresses that amber is currently the case and red as well as green are the only two possible alternatives to amber. Any statement that exceeds what tantum $A$ allows, like

$\langle blue \rangle \land\, !\{green, amber, red\},$

is necessarily false. When the only options are green, amber, or red, then blue is not permissible. Now to say that Pierre is the only king of France, we write:

$\langle king \rangle\langle france \rangle(\langle pierre \rangle \land\, !\{pierre\}).$

Crucially, cathoristic logic's representation involves no universal quantifier and no identity relation. It is a purely propositional formulation. To say that the traffic light is currently red, and red is its only colour, we write:

$\langle tl \rangle\langle colour \rangle(\langle red \rangle \land\, !\{red\}).$

¹ Efficient handling of free/bound variables is an active field of research, e.g. nominal approaches to logic [23]. The problem was put in focus in recent years with the rising interest in the computational cost of syntax manipulation in languages with binders.
² "Cathoristic" comes from the Greek καθορίζειν: to impose narrow boundaries. We are grateful to Tim Whitmarsh for suggesting this word.
³ "Tantum" is Latin for "only".
This is simpler, both in terms of representation length and computational complexity, than the formulation in first-order logic given on the previous page. Properties changing over time can be expressed by adding extra modalities that can be understood as time-stamps. To say that the traffic light was red at time $t_1$ and amber at time $t_2$, we can write:

$\langle tl \rangle\langle colour \rangle(\langle t_1 \rangle(\langle red \rangle \land\, !\{red\}) \land \langle t_2 \rangle(\langle amber \rangle \land\, !\{amber\}))$

Change over time can be expressed in first-order logic with bounded quantification, but modalities are succinct and avoid introducing bound variables.

Having claimed that incompatibility is a natural logical concept, not easily expressed in first-order logic⁴, we will now argue the following:

– Incompatibility is conceptually prior to negation.
– Negation arises as the weakest form of incompatibility.

⁴ We will precisify this claim in later sections; (1) first-order logic's representation of incompatibility is longer in terms of formula length than cathoristic logic's (see Section 4.2.1); and (2) logic programs in cathoristic logic can be optimised to run significantly faster than their equivalent in first-order logic (see Section 5.3).

1.1 Material incompatibility and negation

Every English speaker knows that

"Jack is male" is incompatible with "Jack is female".

But why are these sentences incompatible? The orthodox position is that these sentences are incompatible because of the following general law:

If someone is male, then it is not the case that they are female.

Recast in first-order logic:

$\forall x.(male(x) \rightarrow \neg female(x)).$

In other words, according to the orthodox position, the incompatibility between the two particular sentences depends on a general law involving universal quantification, implication and negation.

Brandom [6] follows Sellars in proposing an alternative explanation: "Jack is male" is incompatible with "Jack is female" because "is male" and "is female" are materially incompatible predicates.
They claim we can understand incompatible predicates even if we do not understand universal quantification or negation. Material incompatibility is conceptually prior to logical negation.

Imagine, to make this vivid, a primitive people speaking a primordial language of atomic sentences⁵. These people can express sentences that are incompatible. But they cannot express that they are incompatible. They recognise when atomic sentences are incompatible, and see that one sentence entails another, but their behaviour outreaches their ability to articulate it. Over time, these people may advance to a more sophisticated language where incompatibilities are made explicit, using a negation operator, but this is a later (and optional) development:

  [If negation is added to the language], it lets one say that two claims are materially incompatible: "If a monochromatic patch is red, then it is not blue." That is, negation lets one make explicit in the form of claims something that can be said and (so) thought a relation that otherwise remained implicit in what one practically did, namely treat two claims as materially incompatible⁶.

But before making this optional explicating step, our primitive people understand incompatibility without understanding negation. If this picture of our primordial language is coherent, then material incompatibility is conceptually independent of logical negation.

Now imagine a modification of our primitive linguistic practice in which no sentences are ever treated as incompatible. If one person says "Jack is male" and another says "Jack is female", nobody counts these claims as conflicting. The native speakers never disagree, back down, retract their claims, or justify them. They just say things. Without an understanding of incompatibility, and the variety of behaviour that it engenders, we submit (following Brandom) that there is insufficient richness in the linguistic practice for their sounds to count as assertions.
Without material incompatibility, their sounds are just barks.

  Suppose the reporter's differential responsive dispositions to call things red are matched by those of a parrot trained to utter the same noises under the same stimulation. What practical capacities of the human distinguish the reporter from the parrot? What, besides the exercise of regular differential responsive dispositions, must one be able to do, in order to count as having or grasping concepts? ... To grasp or understand a concept is, according to Sellars, to have practical mastery over the inferences it is involved in... The parrot does not treat "That's red" as incompatible with "That's green"⁷.

If this claim is also accepted, then material incompatibility is not just conceptually independent of logical negation, but conceptually prior.

⁵ In this paper, we define a sentence as atomic if it does not contain another sentence as a syntactic constituent.
⁶ [7] pp.47-48

1.2 Negation as the minimal incompatible

In [6] and [7], Brandom describes logical negation as a limiting form of material incompatibility:

  Incompatible sentences are Aristotelian contraries. A sentence and its negation are contradictories. What is the relation between these? Well, the contradictory is a contrary: any sentence is incompatible with its negation. What distinguishes the contradictory of a sentence from all the rest of its contraries? The contradictory is the minimal contrary: the one that is entailed by all the rest. Thus every contrary of "Plane figure f is a circle" – for instance "f is a triangle", "f is an octagon", and so on – entails "f is not a circle".

If someone asserts that it is not the case that Pierre is the (only) King of France, we have said very little. There are so many different ways in which it could be true:

– The King of France might be Jacques
– The King of France might be Louis
– ...
– There may be no King of France at all
– There may be no country denoted by the word "France"

Each of these concrete propositions is incompatible with Pierre being the King of France. To say "It is not the case that the King of France is Pierre" is just to claim that one of these indefinitely many concrete possibilities is true. Negation is just the logically weakest form of incompatibility.

In the rest of this paper, we assume without further argument that material incompatibility is conceptually prior to logical negation. We develop a simple modal logic to articulate Brandom's intuition: a language, without negation, in which we can nevertheless make incompatible claims.

⁷ [6] pp.88-89, our emphasis.

1.3 Inferences between atomic sentences

So far, we have justified the claim that incompatibility is a fundamental logical concept by arguing that incompatibility is conceptually prior to negation. Now incompatibility is an inferential relation between atomic sentences. In this subsection, we shall describe other inferential relations between atomic sentences, inferential relations that first-order logic cannot articulate (or can only do so awkwardly), but that cathoristic logic handles naturally.

The atomic sentences of a natural language can be characterised as the sentences which do not contain any other sentences as constituent parts⁸. According to this criterion, the following are atomic:

– Jack is male
– Jack loves Jill

The following is not atomic:

Jack is male and Jill is female

because it contains the complete sentence "Jack is male" as a syntactic constituent. Note that, according to this criterion, the following is atomic, despite using "and":

Jack loves Jill and Joan

Here, "Jack loves Jill" is not a syntactic constituent⁹.

There are many types of inferential relations between atomic sentences of a natural language.
For example:

– "Jack is male" is incompatible with "Jack is female"
– "Jack loves Jill" implies "Jack loves"
– "Jack walks slowly" implies "Jack walks"
– "Jack loves Jill and Joan" implies "Jack loves Jill"
– "Jack is wet and cold" implies "Jack is cold"

The first of these examples involves an incompatibility relation, while the others involve entailment relations. A key question this paper seeks to answer is: what is the simplest logic that can capture these inferential relations between atomic sentences?

⁸ Compare Russell [24] p.117: "A sentence is of atomic form when it contains no logical words and no subordinate sentence". We use a broader notion of atomicity by focusing solely on whether or not it contains a subordinate sentence, allowing logical words such as "and" as long as they are conjoining noun-phrases and not sentences.
⁹ To see that "Jack loves Jill" is not a constituent of "Jack loves Jill and Joan", observe that "and" conjoins constituents of the same syntactic type. But "Jack loves Jill" is a sentence, while "Joan" is a noun. Hence the correct parsing is "Jack (loves (Jill and Joan))", rather than "(Jack loves Jill) and Joan".

1.4 Wittgenstein's vision of a logic of elementary propositions

In the Tractatus [34], Wittgenstein claims that the world is a set of atomic sentences in an idealised logical language. Each atomic sentence was supposed to be logically independent of every other, so that they could be combined together in every possible permutation, without worrying about their mutual compatibility. But already there were doubts and problem cases. He was aware that certain statements seemed atomic, but did not seem logically independent:

  For two colours, e.g., to be at one place in the visual field is impossible, and indeed logically impossible, for it is excluded by the logical structure of colour.
  (6.3751)

At the time of writing the Tractatus, he hoped that further analysis would reveal that these statements were not really atomic. Later, in the Philosophical Remarks [33], he renounced the thesis of the logical independence of atomic propositions. In §76, talking about incompatible colour predicates, he writes:

  That makes it look as if a construction might be possible within the elementary proposition. That is to say, as if there were a construction in logic which didn't work by means of truth functions. What's more, it also seems that these constructions have an effect on one proposition's following logically from another. For, if different degrees exclude one another it follows from the presence of one that the other is not present. In that case, two elementary propositions can contradict one another.

Here, he is clearly imagining a logical language in which there are incompatibilities between atomic propositions. In §82:

  This is how it is, what I said in the Tractatus doesn't exhaust the grammatical rules for 'and', 'not', 'or', etc; there are rules for the truth functions which also deal with the elementary part of the proposition. The fact that one measurement is right automatically excludes all others.

Wittgenstein does not, unfortunately, show us what this language would look like. In this paper, we present cathoristic logic as one way of formalising inferences between atomic sentences.

1.5 Outline

The rest of this paper is organised as follows: The next section briefly recapitulates the mathematical background of our work. Section 3 introduces the syntax and semantics of cathoristic logic with examples. Section 4 discusses how cathoristic logic can be used to model inferences between atomic sentences. Section 5 describes informally how our logic is useful as a knowledge representation language.
Section 6 presents core results of the paper, in particular a semantic characterisation of elementary equivalence and a decision procedure with quadratic time-complexity. The decision procedure has been implemented in Haskell and is available for public use [11] under a liberal open-source license. This section also shows that Brandom's incompatibility semantics condition holds for cathoristic logic. Section 7 presents the proof rules for cathoristic logic and proves completeness. Section 8 provides two translations from cathoristic logic into first-order logic, and proves compactness using one of them. Section 9 investigates a variant of cathoristic logic with an additional negation operator, and provides a decision procedure for this extension that has an exponential time-complexity. Section 10 extends cathoristic logic with first-order quantifiers and sketches the translation of first-order formulae into first-order cathoristic logic. The conclusion surveys related work and lists open problems. Appendix A outlines a different approach to giving the semantics of cathoristic logic, including a characterisation of the corresponding elementary equivalence. The appendix also discusses the question of non-deterministic models. The remaining appendices present routine proofs of facts used in the main section.

2 Mathematical preliminaries

This section briefly surveys the mathematical background of our paper. A fuller account of order-theory can be found in [8]. Labelled transition systems are explored in [26,16] and bisimulations in [25]. Finally, [10] is one of many books on first-order logic.

Order-theory. A preorder is a pair $(S, \sqsubseteq)$ where $S$ is a set, and $\sqsubseteq$ is a binary relation on $S$ that is reflexive and transitive. Let $T \subseteq S$ and $x \in S$. We say $x$ is an upper bound of $T$ provided $t \sqsubseteq x$ for all $t \in T$. If in addition $x \sqsubseteq y$ for all upper bounds $y$ of $T$, we say that $x$ is the least upper bound of $T$.
The set of all least upper bounds of $T$ is denoted $\bigsqcup T$. Lower bounds, greatest lower bounds and $\bigsqcap T$ are defined mutatis mutandis. A partial order is a preorder $\sqsubseteq$ that is also anti-symmetric. A partial order $(S, \sqsubseteq)$ is a lattice if every pair of elements in $S$ has a least upper and a greatest lower bound. A lattice is a bounded lattice if it has top and bottom elements $\top$ and $\bot$ such that for all $x \in S$:

$x \sqcap \bot = \bot \qquad x \sqcup \bot = x \qquad x \sqcap \top = x \qquad x \sqcup \top = \top.$

If $(S, \sqsubseteq)$ is a preorder, we can turn it into a partial order by quotienting: let $a \simeq b$ iff $a \sqsubseteq b$ as well as $b \sqsubseteq a$. Clearly $\simeq$ is an equivalence. Let $E$ be the set of all $\simeq$-equivalence classes of $S$. We get a canonical partial order, denoted $\sqsubseteq_E$, on $E$ by setting: $[a]_\simeq \sqsubseteq_E [b]_\simeq$ whenever $a \sqsubseteq b$. If all relevant upper and lower bounds exist in $(S, \sqsubseteq)$, then $(E, \sqsubseteq_E)$ becomes a bounded lattice by setting

$[x]_\simeq \sqcap [y]_\simeq = [x \sqcap y]_\simeq \qquad [x]_\simeq \sqcup [y]_\simeq = [x \sqcup y]_\simeq \qquad \bot_E = [\bot]_\simeq \qquad \top_E = [\top]_\simeq.$

Transition systems. Let $\Sigma$ be a set of actions. A labelled transition system over $\Sigma$ is a pair $(S, \rightarrow)$ where $S$ is a set of states and $\rightarrow \subseteq S \times \Sigma \times S$ is the transition relation. We write $x \xrightarrow{a} y$ to abbreviate $(x, a, y) \in \rightarrow$. We let $s, t, w, w', x, y, z, \ldots$ range over states, $a, a', b, \ldots$ range over actions and $L, L', \ldots$ range over labelled transition systems. We usually speak of labelled transition systems when the set of actions is clear from the context. We say $L$ is deterministic if $x \xrightarrow{a} y$ and $x \xrightarrow{a} z$ imply that $y = z$. Otherwise $L$ is non-deterministic. A labelled transition system is finitely branching if for each state $s$, the set $\{t \mid s \xrightarrow{a} t\}$ is finite.

Simulations and bisimulations. Given two labelled transition systems $L_i = (S_i, \rightarrow_i)$ over $\Sigma$ for $i = 1, 2$, a simulation from $L_1$ to $L_2$ is a relation $R \subseteq S_1 \times S_2$ such that whenever $(s, t) \in R$: if $s \xrightarrow{a} s'$ then there exists a transition $t \xrightarrow{a} t'$ with $(s', t') \in R$. We write $s \preceq_{sim} t$ whenever $(s, t) \in R$ for some simulation $R$. We say $R$ is a bisimulation between $L_1$ and $L_2$ if both $R$ and $R^{-1}$ are simulations.
Here $R^{-1} = \{(y, x) \mid (x, y) \in R\}$. We say two states $s, s'$ are bisimilar, written $s \sim s'$, if there is a bisimulation $R$ with $(s, s') \in R$.

First-order logic. A many-sorted first-order signature is specified by the following data:

– a non-empty set of sorts;
– a set of function symbols with associated arities, i.e. a non-empty list of sorts $\#(f)$ for each function symbol $f$;
– a set of relation symbols with associated arities, i.e. a list of sorts $\#(R)$ for each relation symbol $R$;
– a set of constant symbols with associated arity, i.e. a sort $\#(c)$ for each constant symbol $c$.

Let $S$ be a signature. An $S$-model $M$ is an object with the following components:

– for each sort $\sigma$ a set $U_\sigma$ called universe of sort $\sigma$. The members of $U_\sigma$ are called $\sigma$-elements of $M$;
– an element $c^M$ of $U_\sigma$ for each constant $c$ of sort $\sigma$;
– a function $f^M : (U_{\sigma_1} \times \cdots \times U_{\sigma_n}) \rightarrow U_\sigma$ for each function symbol $f$ of arity $(\sigma_1, \ldots, \sigma_n, \sigma)$;
– a relation $R^M \subseteq U_{\sigma_1} \times \cdots \times U_{\sigma_n}$ for each relation symbol $R$ of arity $(\sigma_1, \ldots, \sigma_n)$.

Given an infinite set of variables for each sort $\sigma$, the terms and first-order formulae for $S$ are given by the following grammar

$t ::= x \mid c \mid f(t_1, \ldots, t_n)$
$\phi ::= t = t' \mid R(t_1, \ldots, t_n) \mid \neg\phi \mid \phi \land \psi \mid \forall x.\phi$

Here $x$ ranges over variables of all sorts, $c$ over constants, $R$ over $n$-ary relational symbols and $f$ over $n$-ary function symbols from $S$. Other logical constructs such as disjunction or existential quantification are given by de Morgan duality, and truth $\top$ is an abbreviation for $x = x$. If $S$ has just a single sort, we speak of single-sorted first-order logic or just first-order logic.

Given an $S$-model $M$, an environment, ranged over by $\sigma$, is a partial function from variables to $M$'s universe. We write $x \mapsto u$ for the environment that maps $x$ to $u$ and is undefined for all other variables. Moreover, $\sigma, x \mapsto u$ is the environment that is exactly like $\sigma$, except that it also maps $x$ to $u$, assuming that $x$ is not in the domain of $\sigma$. The interpretation $[\![t]\!]_{M,\sigma}$ of a term $t$ w.r.t.
$M$ and $\sigma$ is given by the following clauses, assuming that the domain of $\sigma$ contains all free variables of $t$:

– $[\![x]\!]_{M,\sigma} = \sigma(x)$.
– $[\![c]\!]_{M,\sigma} = c^M$.
– $[\![f(t_1, \ldots, t_n)]\!]_{M,\sigma} = f^M([\![t_1]\!]_{M,\sigma}, \ldots, [\![t_n]\!]_{M,\sigma})$.

The satisfaction relation $M \models_\sigma \phi$ is given by the following clauses, this time assuming that the domain of $\sigma$ contains all free variables of $\phi$:

– $M \models_\sigma t = t'$ iff $[\![t]\!]_{M,\sigma} = [\![t']\!]_{M,\sigma}$.
– $M \models_\sigma R(t_1, \ldots, t_n)$ iff $R^M([\![t_1]\!]_{M,\sigma}, \ldots, [\![t_n]\!]_{M,\sigma})$.
– $M \models_\sigma \neg\phi$ iff $M \not\models_\sigma \phi$.
– $M \models_\sigma \phi \land \psi$ iff $M \models_\sigma \phi$ and $M \models_\sigma \psi$.
– $M \models_\sigma \forall x.\phi$ iff for all $u$ in the universe of $M$ we have $M \models_{\sigma, x \mapsto u} \phi$.

Note that if $\sigma$ and $\sigma'$ agree on the free variables of $t$, then $[\![t]\!]_{M,\sigma} = [\![t]\!]_{M,\sigma'}$. Likewise $M \models_\sigma \phi$ if and only if $M \models_{\sigma'} \phi$, provided $\sigma$ and $\sigma'$ agree on the free variables of $\phi$.

The theory of a model $M$, written $Th(M)$, is the set of all formulae made true by $M$, i.e. $Th(M) = \{\phi \mid M \models \phi\}$. We say two models $M$ and $N$ are elementary equivalent if $Th(M) = Th(N)$. In first-order logic $Th(M) \subseteq Th(N)$ already implies that $M$ and $N$ are elementary equivalent.

3 Cathoristic logic

In this section we introduce the syntax and semantics of cathoristic logic.

3.1 Syntax

Syntactically, cathoristic logic is a multi-modal logic with one new operator.

Definition 1 Let $\Sigma$ be a non-empty set of actions. Actions are ranged over by $a, a', a_1, b, \ldots$, and $A$ ranges over finite subsets of $\Sigma$. The formulae of cathoristic logic, ranged over by $\phi, \psi, \xi, \ldots$, are given by the following grammar.

$\phi ::= \top \mid \phi \land \psi \mid \langle a \rangle\phi \mid\ !A$

The first three forms of $\phi$ are standard from Hennessy-Milner logic [17]: $\top$ is logical truth, $\land$ is conjunction, and $\langle a \rangle\phi$ means that the current state can transition via action $a$ to a new state at which $\phi$ holds. Tantum $A$, written $!A$, is the key novelty of cathoristic logic. Asserting $!A$ means: in the current state at most the modalities $\langle a \rangle$ that satisfy $a \in A$ are permissible.

We assume that $\langle a \rangle\phi$ binds more tightly than conjunction, so $\langle a \rangle\phi \land \psi$ is short for $(\langle a \rangle\phi) \land \psi$.
We often abbreviate $\langle a \rangle\top$ to $\langle a \rangle$. We define falsity $\bot$ as $!\emptyset \land \langle a \rangle$ where $a$ is an arbitrary action in $\Sigma$. Hence, $\Sigma$ must be non-empty. Note that, in the absence of negation, we cannot readily define disjunction, implication, or $[a]$ modalities by de Morgan duality.

Convention 1 From now on we assume a fixed set $\Sigma$ of actions, except where stated otherwise.

3.2 Semantics

The semantics of cathoristic logic is close to Hennessy-Milner logic, but uses deterministic transition systems augmented with labels on states.

Definition 2 A cathoristic transition system is a triple $L = (S, \rightarrow, \lambda)$, where $(S, \rightarrow)$ is a deterministic labelled transition system over $\Sigma$, and $\lambda$ is a function from states to sets of actions (not necessarily finite), subject to the following constraints:

– For all states $s \in S$ it is the case that $\{a \mid \exists t\ s \xrightarrow{a} t\} \subseteq \lambda(s)$. We call this condition admissibility.
– For all states $s \in S$, $\lambda(s)$ is either finite or $\Sigma$. We call this condition well-sizedness.

The intended interpretation is that $\lambda(w)$ is the set of allowed actions emanating from $w$. The $\lambda$ function is the semantic counterpart of the $!$ operator. The admissibility restriction is in place because transitions $s \xrightarrow{a} t$ where $a \notin \lambda(s)$ would be saying that an $a$ action is possible at $s$ but at the same time prohibited at $s$. Well-sizedness is not a fundamental restriction but rather a convenient trick. Cathoristic transition systems have two kinds of states:

– States $s$ without restrictions on outgoing transitions. Those are labelled with $\lambda(s) = \Sigma$.
– States $s$ with restriction on outgoing transitions. Those are labelled by a finite set $\lambda(s)$ of actions.

Defining $\lambda$ on all states and not just on those with restrictions makes some definitions and proofs slightly easier.

As with other modal logics, satisfaction of formulae is defined relative to a particular state in the transition system, giving rise to the following definition.
Definition 3 A cathoristic model, ranged over by $M, M', \ldots$, is a pair $(L, s)$, where $L$ is a cathoristic transition system $(S, \rightarrow, \lambda)$, and $s$ is a state from $S$. We call $s$ the start state of the model. A cathoristic model is a tree if the underlying transition system is a tree whose root is the start state.

Satisfaction of a formula is defined relative to a cathoristic model.

Definition 4 The satisfaction relation $M \models \phi$ is defined inductively by the following clauses, where we assume that $M = (L, s)$ and $L = (S, \rightarrow, \lambda)$.

$M \models \top$
$M \models \phi \land \psi$ iff $M \models \phi$ and $M \models \psi$
$M \models \langle a \rangle\phi$ iff there is a transition $s \xrightarrow{a} t$ such that $(L, t) \models \phi$
$M \models\ !A$ iff $\lambda(s) \subseteq A$

The first three clauses are standard. The last clause enforces the intended meaning of $!A$: the permissible modalities in the model are at least as constrained as required by $!A$. They may even be more constrained if the inclusion $\lambda(s) \subseteq A$ is proper. For infinite sets $\Sigma$ of actions, allowing $\lambda(s)$ to return arbitrary infinite sets in addition to $\Sigma$ does not make a difference because $A$ is finite by construction, so $\lambda(s) \subseteq A$ can never hold anyway for infinite $\lambda(s)$.

[Fig. 1: Example model. State labels: $\Sigma$, $\{b, c\}$, $\emptyset$, $\Sigma$; transition labels: $a$, $c$, $b$.]

We continue with concrete examples. The model in Figure 1 satisfies all the following formulae, amongst others.

$\langle a \rangle \qquad \langle a \rangle\langle b \rangle \qquad \langle a \rangle!\{b, c\} \qquad \langle a \rangle!\{b, c, d\} \qquad \langle c \rangle$
$\langle c \rangle!\emptyset \qquad \langle c \rangle!\{a\} \qquad \langle c \rangle!\{a, b\} \qquad \langle a \rangle \land \langle c \rangle \qquad \langle a \rangle(\langle b \rangle \land\, !\{b, c\})$

Here we assume, as we do with all subsequent figures, that the top state is the start state. The same model does not satisfy any of the following formulae.

$\langle b \rangle \qquad !\{a\} \qquad !\{a, c\} \qquad \langle a \rangle!\{b\} \qquad \langle a \rangle\langle c \rangle \qquad \langle a \rangle\langle b \rangle!\{c\}$

Figure 2 shows various models of $\langle a \rangle\langle b \rangle$ and Figure 3 shows one model that does, and one that does not, satisfy the formula $!\{a, b\}$. Both models validate $!\{a, b, c\}$.

Cathoristic logic does not have the operators $\neg$, $\lor$, or $\rightarrow$. This has the following two significant consequences. First, every satisfiable formula has a unique (up to isomorphism) simplest model.
In Figure 2, the left model is the unique simplest model satisfying ⟨a⟩⟨b⟩. We will clarify below that model simplicity is closely related to the process theoretic concept of similarity, and use the existence of unique simplest models in our quadratic-time decision procedure.

Fig. 2: Three models of ⟨a⟩⟨b⟩⊤

Fig. 3: The model on the left validates !{a, b} while the model on the right does not.

Secondly, cathoristic logic is different from other logics in that there is an asymmetry between tautologies and contradictories: logics with conventional negation have an infinite number of non-trivial tautologies, as well as an infinite number of contradictories. In contrast, because cathoristic logic has no negation or disjunction operator, it is expressively limited in the tautologies it can express: ⊤ and conjunctions of ⊤ are its sole tautologies. On the other hand, the tantum operator enables an infinite number of contradictories to be expressed. For example:

    ⟨a⟩ ∧ !∅    ⟨a⟩ ∧ !{b}    ⟨a⟩ ∧ !{b, c}    ⟨b⟩ ∧ !∅

Next, we present the semantic consequence relation.

Definition 5 We say the formula   semantically implies  , written   ⊨  , provided for all cathoristic models M if it is the case that M ⊨   then also M ⊨  . We sometimes write ⊨   as a shorthand for ⊤ ⊨  .

Cathoristic logic shares with other (multi)-modal logics the following implications:

    ⟨a⟩⟨b⟩ ⊨ ⟨a⟩
    ⟨a⟩(⟨b⟩ ∧ ⟨c⟩) ⊨ ⟨a⟩⟨b⟩

As cathoristic logic is restricted to deterministic models, it also validates the following formula:

    ⟨a⟩⟨b⟩ ∧ ⟨a⟩⟨c⟩ ⊨ ⟨a⟩(⟨b⟩ ∧ ⟨c⟩)

Cathoristic logic also validates all implications in which the set of constraints is relaxed from left to right.
For example:

    !{c} ⊨ !{a, b, c}
    !∅ ⊨ !{a, b}

4 Inferences between atomic sentences

Cathoristic logic arose in part as an attempt to answer the question: what is the simplest logic that can capture inferences between atomic sentences of natural language? In this section, we give examples of such inferences, and then show how cathoristic logic handles them. We also compare our approach with attempts at expressing the inferences in first-order logic.

4.1 Intra-atomic inferences in cathoristic logic

Natural language admits many types of inference between atomic sentences. First, exclusion: "Jack is male" is incompatible with "Jack is female". Second, entailment inferences from dyadic to monadic predicates: "Jack loves Jill" implies "Jack loves". Third, adverbial inferences: "Jack walks quickly" implies "Jack walks". Fourth, inferences from conjunctions of sentences to conjunctions of noun-phrases (and vice-versa): "Jack loves Jill" and "Jack loves Joan" together imply that "Jack loves Jill and Joan". Fifth, inferences from conjunctions of sentences to conjunction of predicates¹⁰ (and vice-versa): "Jack is bruised" and "Jack is humiliated" together imply that "Jack is bruised and humiliated". They all can be handled directly and naturally in cathoristic logic, as we shall now show.

¹⁰ See [28] p.282 for a spirited defence of predicate conjunction against Fregean regimentation.

Incompatibility, such as that between "Jack is male" and "Jack is female", is translated into cathoristic logic as the pair of incompatible sentences:

    ⟨jack⟩⟨sex⟩(⟨male⟩ ∧ !{male})
    ⟨jack⟩⟨sex⟩(⟨female⟩ ∧ !{female}).

Cathoristic logic handles entailments from dyadic to monadic predicates¹¹. "Jack loves Jill" is translated into cathoristic logic as:

    ⟨jack⟩⟨loves⟩⟨jill⟩.

The semantics of modalities ensures that this directly entails:

    ⟨jack⟩⟨loves⟩.
Similarly, cathoristic logic supports inferences from triadic to dyadic predicates: "Jack passed the biscuit to Mary" implies "Jack passed the biscuit". This can be expressed directly in cathoristic logic as:

    ⟨jack⟩⟨passed⟩⟨biscuit⟩⟨to⟩(⟨mary⟩ ∧ !{mary}) ⊨ ⟨jack⟩⟨passed⟩⟨biscuit⟩.

Adverbial inference is captured in cathoristic logic as follows.

    ⟨jack⟩⟨walks⟩⟨quickly⟩

entails:

    ⟨jack⟩⟨walks⟩.

Cathoristic logic directly supports inferences from conjunctions of sentences to conjunctions of noun-phrases. As our models are deterministic, we have the general rule that

    ⟨a⟩⟨b⟩ ∧ ⟨a⟩⟨c⟩ ⊨ ⟨a⟩(⟨b⟩ ∧ ⟨c⟩)

from which it follows that ⟨jack⟩⟨loves⟩⟨jill⟩ and ⟨jack⟩⟨loves⟩⟨joan⟩ together imply ⟨jack⟩⟨loves⟩(⟨jill⟩ ∧ ⟨joan⟩). Using the same rule, we can infer that ⟨jack⟩⟨bruised⟩ ∧ ⟨jack⟩⟨humiliated⟩ together imply ⟨jack⟩(⟨bruised⟩ ∧ ⟨humiliated⟩).

¹¹ Although natural languages are full of examples of inferences from dyadic to monadic predicates, there are certain supposed counterexamples to the general rule that a dyadic predicate always implies a monadic one. For example, "Jack explodes the device" does not, on its most natural reading, imply that "Jack explodes". Our response to cases like this is to distinguish between two distinct monadic predicates explodes₁ and explodes₂:
– X explodes₁ iff X is an object that undergoes an explosion
– X explodes₂ iff X is an agent that initiates an explosion
Now "Jack explodes the device" does imply that "Jack explodes₂" but does not imply that "Jack explodes₁". There is no deep problem here, just another case where natural language overloads the same word in different situations to have different meanings.

4.2 Intra-atomic inferences in first-order logic

Next, we look at how these inferences are handled in first-order logic.

4.2.1 Incompatible predicates in first-order logic

How are incompatible predicates represented in first-order logic?
Brachman and Levesque [5] introduce the topic by remarking:

    We would consider it quite "obvious" in this domain that if it were asserted that John were a Man, then we should answer "no" to the query Woman(John).

They propose adding an extra axiom to express the incompatibility:

    ∀x.(Man(x) → ¬Woman(x))

This proposal imposes a burden on the knowledge-representer: an extra axiom must be added for every pair of incompatible predicates. This is burdensome for large sets of incompatible predicates. For example, suppose there are 50 football teams, and a person can only support one team at a time. We would need to add (50 choose 2) axioms, which is unwieldy.

    ∀x.¬(SupportsArsenal(x) ∧ SupportsLiverpool(x))
    ∀x.¬(SupportsArsenal(x) ∧ SupportsManUtd(x))
    ∀x.¬(SupportsLiverpool(x) ∧ SupportsManUtd(x))
    ...

Or, if we treat the football-teams as objects, and have a two-place Supports relation between people and teams, we could have:

    ∀xyz.(Supports(x, y) ∧ y ≠ z → ¬Supports(x, z)).

If we also assume that each football team is distinct from all others, this certainly captures the desired uniqueness condition. But it does so by using relatively complex logical machinery.

4.2.2 Inferences from dyadic to monadic predicates in first-order logic

If we want to capture the inference from "Jack loves Jill" to "Jack loves" in first-order logic, we can use a non-logical axiom:

    ∀x.y.(Loves₂(x, y) → Loves₁(x))

We would have to add an extra axiom like this for every n-place predicate. This is cumbersome at best. In cathoristic logic, by contrast, we do not need to introduce any non-logical machinery to capture these inferences because they all follow from the general rule that ⟨a⟩⟨b⟩ ⊨ ⟨a⟩.

4.2.3 Adverbial inferences in first-order logic

How can we represent verbs in traditional first-order logic so as to support adverbial inference? Davidson [9] proposes that every n-place action verb be analysed as an n+1-place predicate, with an additional slot representing an event.
For example, he analyses "I flew my spaceship to the Morning Star" as

    ∃x.(Flew(I, MySpaceship, x) ∧ To(x, TheMorningStar))

This implies

    ∃x.Flew(I, MySpaceship, x)

This captures the inference from "I flew my spaceship to the Morning Star" to "I flew my spaceship".

First-order logic cannot support logical inferences between atomic sentences. If it is going to support inferences from adverbial sentences, it cannot treat them as atomic and must instead reinterpret them as logically complex propositions. The cost of Davidson's proposal is that a seemingly simple sentence such as "Jones walks" turns out, on closer inspection, not to be atomic at all but to involve existential quantification:

    ∃x.Walks(Jones, x)

First-order logic can handle such inferences but only by reinterpreting the sentences as logically-complex compound propositions.

5 Cathoristic logic as a language for knowledge representation

Cathoristic logic has been used as the representation language for a large, complex, dynamic multi-agent simulation [13]. This is an industrial-sized application, involving tens of thousands of rules and facts¹². In this simulation, the entire world state is stored as a cathoristic model.

We found that cathoristic logic has two distinct advantages as a language for knowledge representation. First, it is ergonomic: ubiquitous concepts (such as uniqueness) can be expressed directly. Second, it is efficient: the tantum operator allows certain sorts of optimisation that would not otherwise be available. We shall consider these in turn.
5.1 Representing facts in cathoristic logic

A sentence involving a one-place predicate of the form p(a) is expressed in cathoristic logic as

    ⟨a⟩⟨p⟩

A sentence involving a many-to-many two-place relation of the form r(a, b) is expressed in cathoristic logic as

    ⟨a⟩⟨r⟩⟨b⟩

But a sentence involving a many-to-one two-place relation of the form r(a, b) is expressed as:

    ⟨a⟩⟨r⟩(⟨b⟩ ∧ !{b})

So, for example, to say that "Jack likes Jill" (where "likes" is, of course, a many-many relation), we would write:

    ⟨jack⟩⟨likes⟩⟨jill⟩

But to say that "Jack is married to Joan" (where "is-married-to" is a many-one relation), we would write:

    ⟨jack⟩⟨married⟩(⟨joan⟩ ∧ !{joan})

Colloquially, we might say that "Jack is married to Joan and only Joan". Note that the relations are placed in infix position, so that the facts about an object are "contained" within the object. One reason for this particular way of structuring the data will be explained below.

Consider the following facts about a gentleman named Brown:

    ⟨brown⟩( ⟨sex⟩(⟨male⟩ ∧ !{male}) ∧ ⟨friends⟩(⟨lucy⟩ ∧ ⟨elizabeth⟩) )

All facts starting with the prefix ⟨brown⟩ form a sub-tree of the entire database. And all facts which start with the prefix ⟨brown⟩⟨friends⟩ form a sub-tree of that tree. A sub-tree can be treated as an individual via its prefix. A sub-tree of formulae is the cathoristic logic equivalent of an object in an object-oriented programming language.

¹² The application has thousands of paying users, and is available for download on the App Store for the iPad [12].

To model change over time, we assert and retract statements from the database, using a non-monotonic update mechanism. If a fact is inserted into the database that involves a state-labelling restricting the permissible transitions emanating from that state, then all transitions out of that state that are incompatible with the restriction are removed.
So, for example, if the database currently contains the fact that the traffic light is amber, and then we update the database to assert the traffic light is red:

    ⟨tl⟩⟨colour⟩(⟨red⟩ ∧ !{red})

Now the restriction on the state (that red is the only transition) means that the previous transition from that state (the transition labelled with amber) is automatically removed.

The tree-structure of formulae allows us to express the life-time of data in a natural way. If we wish a piece of data d to exist for just the duration of a proposition t, then we make t be a sub-expression of d. For example, if we want the friendships of an agent to exist just as long as the agent, then we place the relationships inside the agent:

    ⟨brown⟩⟨friends⟩

Now, when we remove ⟨brown⟩ all the sub-trees, including the data about who he is friends with, will be automatically deleted as well.

Another advantage of our representation is that we get a form of automatic currying which simplifies queries. So if, for example, Brown is married to Elizabeth, then the database would contain

    ⟨brown⟩⟨married⟩(⟨elizabeth⟩ ∧ !{elizabeth})

In cathoristic logic, if we want to find out whether Brown is married, we can query the sub-formula directly: we just ask if

    ⟨brown⟩⟨married⟩

In first-order logic, if married is a two-place predicate, then we need to fill in the extra argument place with a free variable: we would need to find out if there exists an x such that married(brown, x). This is more cumbersome to type and slower to compute.

5.2 Simpler postconditions

In this section, we contrast the representation in action languages based on first-order logic¹³, with our cathoristic logic-based representation. Action definitions are rendered in typewriter font.
When expressing the pre- and postconditions of an action, planners based on first-order logic have to explicitly describe the propositions that are removed when an action is performed:

    action move(A, X, Y)
        preconditions
            at(A, X)
        postconditions
            add: at(A, Y)
            remove: at(A, X)

Here, we need to explicitly state that when A moves from X to Y, A is no longer at X. It might seem obvious to us that if A is now at Y, he is no longer at X, but we need to explicitly tell the system this. This is unnecessary, cumbersome and error-prone. In cathoristic logic, by contrast, the exclusion operator means we do not need to specify the facts that are no longer true:

    action move (A, X, Y)
        preconditions
            <A><at>(<X> /\ !{X})
        postconditions
            add: <A><at>(<Y> /\ !{Y})

The tantum operator ! makes it clear that something can only be at one place at a time, and the non-monotonic update rule described above automatically removes the old invalid location data.

¹³ E.g. STRIPS [14]

5.3 Using tantum ! to optimise preconditions

Suppose, for example, we want to find all married couples who are both Welsh. In Prolog, we might write something like:

    welsh_married_couple(X, Y) :-
        welsh(X),
        welsh(Y),
        spouse(X,Y).

Rules like this create a large search-space because we need to find all instances of welsh(X) and all instances of welsh(Y) and take the cross-product [27]. If there are n Welsh people, then we will be searching n² instances of (X, Y) substitutions.

If we express the rule in cathoristic logic, the compiler is able to use the extra information expressed in the ! operator to reorder the literals to find the result significantly faster. Assuming someone can only have a single spouse at any moment, the rule is expressed in cathoristic logic as:

    welsh_married_couple(X, Y) :-
        <welsh> <X>,
        <welsh> <Y>,
        <spouse> <X> (<Y> /\ !{Y}).

Now the compiler is able to reorder these literals to minimise the search-space.
It can see that, once X is instantiated, the following literal can be instantiated without increasing the search-space:

    <spouse> <X> (<Y> /\ !{Y})

The tantum operator can be used by the compiler to see that there is at most one Y who is the spouse of X. So the compiler reorders the clauses to produce:

    welsh_married_couple (X, Y) :-
        <welsh> <X>,
        <spouse> <X> (<Y> /\ !{Y}),
        <welsh> <Y>.

Now it is able to find all results by just searching n instances, a significant optimisation. In our application, this optimisation has made a significant difference to the run-time cost of query evaluation.

6 Semantics and Decision Procedure

In this section we provide our key semantic results. We define a partial ordering   on models, and show how the partial ordering can be extended into a bounded lattice. We use the bounded lattice to construct a quadratic-time decision procedure.

6.1 Semantic characterisation of elementary equivalence

Elementary equivalence induces a notion of model equivalence: two models are elementarily equivalent exactly when they make the same formulae true. Elementary equivalence as a concept thus relies on cathoristic logic even for its definition. We now present an alternative characterisation that is purely semantic, using the concept of (mutual) simulation from process theory. Apart from its intrinsic interest, this characterisation will also be crucial for proving completeness of the proof rules.

We first define a pre-order   on models by extending the notion of simulation on labelled transition systems to cathoristic models. Then we prove an alternative characterisation of   in terms of set-inclusion of the theories induced by models. We then show that two models are elementarily equivalent exactly when they are related by   and by  ⁻¹.

Definition 6 Let Lᵢ = (Sᵢ, →ᵢ,  ᵢ) be cathoristic transition systems for i = 1, 2.
A relation R ⊆ S₁ × S₂ is a simulation from L₁ to L₂, provided:

– R is a simulation on the underlying transition systems.
– Whenever (x, y) ∈ R then also  ₁(x) ⊇  ₂(y).

If Mᵢ = (Lᵢ, xᵢ) are models, we say R is a simulation from M₁ to M₂, provided the following hold.

– R is a simulation from L₁ to L₂ as cathoristic transition systems.
– (x₁, x₂) ∈ R.

Note that the only difference from the usual definition of simulation is the additional requirement on the state labelling functions  ₁ and  ₂.

Definition 7 The largest simulation from M₁ to M₂ is denoted M₁  _sim M₂. It is easy to see that  _sim is itself a simulation from M₁ to M₂, and the union of all such simulations. If M₁  _sim M₂ we say M₂ simulates M₁. We write ≃ for  _sim ∩  ⁻¹_sim. We call ≃ the mutual simulation relation.

We briefly discuss the relationship of ≃ with bisimilarity, a notion of equality well-known from process theory and modal logic. For non-deterministic transition systems ≃ is a strictly coarser relation than bisimilarity.

Definition 8 We say R is a bisimulation if R is a simulation from M₁ to M₂ and R⁻¹ is a simulation from M₂ to M₁. By ∼ we denote the largest bisimulation, and we say that M₁ and M₂ are bisimilar whenever M₁ ∼ M₂.

Lemma 1 On cathoristic models, ∼ and ≃ coincide.

Proof: Straightforward from the definitions. □

Definition 9 Let Th(M) be the theory of M, i.e. the formulae made true by M, i.e. Th(M) = {  | M ⊨  }.

We give an alternative characterisation on  ⁻¹_sim using theories. In what follows, we will mostly be interested in  ⁻¹_sim, so we give it its own symbol.

Definition 10 Let   be short for  ⁻¹_sim.

Figure 4 gives some examples of models and how they are related by  .

Fig. 4: Examples of  

Theorem 1 (Characterisation of elementary equivalence)
1. M′   M if and only if Th(M) ⊆ Th(M′).
2. M′ ≃ M if and only if Th(M) = Th(M′).

Proof: For (1) assume M′   M and M ⊨  . We must show M′ ⊨  .
Let M = (L, w) and M′ = (L′, w′). The proof proceeds by induction on  . The cases for ⊤ and ∧ are trivial. Assume   = ⟨a⟩  and assume (L, w) ⊨ ⟨a⟩ . Then w –a→ x and (L, x) ⊨  . As M′ simulates M, there is an x′ such that (x, x′) ∈ R and w′ –a→ x′. By the induction hypothesis, (L′, x′) ⊨  . Therefore, by the semantic clause for ⟨⟩, (L′, w′) ⊨ ⟨a⟩ .

Assume now that   = !A, for some finite A ⊆ Σ, and that (L, w) ⊨ !A. By the semantic clause for !,  (w) ⊆ A. Since (L′, w′)   (L, w), by the definition of simulation of cathoristic transition systems,  (w) ⊇  ′(w′). Therefore,  ′(w′) ⊆  (w) ⊆ A. Therefore, by the semantic clause for !, (L′, w′) ⊨ !A.

For the other direction, let M = (L, w) and M′ = (L′, w′). Assume Th(M) ⊆ Th(M′). We need to show that M′ simulates M. In other words, we need to produce a relation R ⊆ S × S′ where S is the state set of L, S′ is the state set for L′ and (w, w′) ∈ R and R is a simulation from (L, w) to (L′, w′). Define R = {(x, x′) | Th((L, x)) ⊆ Th((L′, x′))}. Clearly, (w, w′) ∈ R, as Th((L, w)) ⊆ Th((L′, w′)).

To show that R is a simulation, assume x –a→ y in L and (x, x′) ∈ R. We need to provide a y′ such that x′ –a→ y′ in L′ and (y, y′) ∈ R. Consider the formula ⟨a⟩char((L, y)). Now x ⊨ ⟨a⟩char((L, y)), and since (x, x′) ∈ R, x′ ⊨ ⟨a⟩char((L, y)). By the semantic clause for ⟨a⟩, if x′ ⊨ ⟨a⟩char((L, y)) then there is a y′ such that y′ ⊨ char((L, y)). We need to show (y, y′) ∈ R, i.e. that y ⊨   implies y′ ⊨   for all  . Assume y ⊨  . Then by the definition of char(), char((L, y)) ⊨  . Since y′ ⊨ char((L, y)), y′ ⊨  . So (y, y′) ∈ R, as required.

Finally, we need to show that whenever (x, x′) ∈ R, then  (x) ⊇  ′(x′). Assume, first, that  (x) is finite. Then (L, x) ⊨ ! (x). But as (x, x′) ∈ R, Th((L, x)) ⊆ Th((L′, x′)), so (L′, x′) ⊨ ! (x). But, by the semantic clause for !, (L′, x′) ⊨ ! (x) iff  ′(x′) ⊆  (x). Therefore  (x) ⊇  ′(x′).
If, on the other hand,  (x) is infinite, then  (x) = Σ (because the only infinite state labelling that we allow is Σ). Every state labelling is a subset of Σ, so here too,  (x) = Σ ⊇  ′(x′). This establishes (1), and (2) is immediate from the definitions. □

Theorem 1.1 captures one way in which the model theory of classical and cathoristic logic differ. In classical logic the theory of each model is complete, and Th(M) ⊆ Th(N) already implies that Th(M) = Th(N), i.e. M and N are elementarily equivalent. Cathoristic logic's lack of negation changes this drastically, and gives   the structure of a non-trivial bounded lattice as we shall demonstrate below.

Theorem 1 has various consequences.

Corollary 1
1. If   has a model then it has a model whose underlying transition system is a tree, i.e. all states except for the start state have exactly one predecessor, and the start state has no predecessors.
2. If   has a model then it has a model where every state is reachable from the start state.

Proof: Both are straightforward because ≃ is closed under tree-unfolding as well as under removal of states not reachable from the start state. □

6.2 Quotienting models

The relation   is not a partial order, only a pre-order. For example

    M₁ = (({w}, ∅, {w ↦ Σ}), w)
    M₂ = (({v}, ∅, {v ↦ Σ}), v)

are two distinct models with M₁   M₂ and M₂   M₁. The difference between the two models, the name of the unique state, is trivial and not relevant for the formulae they make true: Th(M₁) = Th(M₂). As briefly mentioned in the mathematical preliminaries (Section 2), we obtain a proper partial-order by simply quotienting models:

    M ≃ M′ iff M   M′ and M′   M

and then ordering the ≃-equivalence classes as follows:

    [M]≃   [M′]≃ iff M   M′.

Greatest lower and least upper bounds can also be computed on representatives:

    ⊔{[M]≃ | M ∈ S} = [⊔S]≃

whenever ⊔S exists, and likewise for the greatest lower bound. We also define [M]≃ ⊨   iff M ⊨  .
It is easy to see that these definitions are independent of the chosen representatives.

In the rest of this text we will usually be sloppy and work with concrete models instead of ≃-equivalence classes of models because the quotienting process is straightforward and not especially interesting. We can do this because all relevant subsequent constructions are also representation independent.

6.3 The bounded lattice of models

It turns out that   on (≃-equivalence classes of) models is not just a partial order, but a bounded lattice, except that a bottom element is missing.

Definition 11 We extend the collection of models with a single bottom element ⊥, where ⊥ ⊨   for all  . We also write ⊥ for [⊥]≃. We extend the relation   and stipulate that ⊥   M for all models M.

Theorem 2 The collection of (equivalence classes of) models together with ⊥, and ordered by   is a bounded lattice.

Proof: The topmost element in the lattice is the model (({w}, ∅, {w ↦ Σ}), w) (for some state w): this is the model with no transitions and no transition restrictions. The bottom element is ⊥. Below, we shall define two functions glb and lub, and show that they satisfy the required properties of ⊓ and ⊔ respectively. □

Cathoristic logic is unusual in that every set of models has a unique (up to isomorphism) least upper bound. Logics with disjunction, negation or implication do not have this property. Consider propositional logic, for example. Define a model of propositional logic as a set of atomic formulae that are set to true. Then we have a natural ordering on propositional logic models:

    M   M′ iff M ⊇ M′

Consider all the possible models that satisfy   ∨  :

    { } { } { , } { , , ⇠} * * *

This set of satisfying models has no least upper bound, since { } ⇥ { } and { } ⇥ { }. Similarly, the set of models satisfying ¬(¬  ∧ ¬ ) has no least upper bound.
The fact that cathoristic logic models have unique least upper bounds is used in proving completeness of our inference rules, and implementing the quadratic-time decision procedure.

6.4 Computing the least upper bound of the models that satisfy a formula

In our decision procedure, we will see if   ⊨   by constructing the least upper bound of the models satisfying  , and checking whether it satisfies  . In this section, we define a function simpl( ) that satisfies the following condition:

    simpl( ) = ⊔{M | M ⊨  }

Define simpl( ) as:

    simpl(⊤) = (({v}, ∅, {v ↦ Σ}), v)
    simpl(!A) = (({v}, ∅, {v ↦ A}), v)
    simpl( ₁ ∧  ₂) = glb(simpl( ₁), simpl( ₂))
    simpl(⟨a⟩ ) = ((S ∪ {w′}, → ∪ (w′ –a→ w),  ∪ {w′ ↦ Σ}]), w′)
        where simpl( ) = ((S, →,  ), w) and w′ is a new state not appearing in S

Fig. 5: Example of ⊓.

Fig. 6: Example of ⊓.

Fig. 7: Example of ⊓.

Fig. 8: Example of ⊓.

Note that, by our conventions, simpl( ) really returns a ≃-equivalence class of models.

The only complex case is the clause for simpl( ₁ ∧  ₂), which uses the glb function, defined as follows, where we assume that the sets of states in the two models are disjoint and are trees. It is easy to see that simpl(·) always returns tree models.

    glb(⊥, M) = ⊥
    glb(M, ⊥) = ⊥
    glb(M, M′) = merge(L, L′, {(w, w′)})
        where M = (L, w) and M′ = (L′, w′)

The merge function returns ⊥ if either of its arguments are ⊥. Otherwise, it merges the two transition systems together, given a set of state-identification pairs (a set of pairs of states from the two transition systems that need to be identified). The state-identification pairs are used to make sure that the resulting model is deterministic.

    merge(L, L′, ids) =
        ⊥                     if inconsistent(L, L′, ids)
        join(L, L′)           if ids = ∅
        merge(L, L″, ids′)    else, where L″ = applyIds(ids, L′) and ids′ = getIds(L, L′, ids)

The inconsistent predicate is true if there is a pair of states in the state-identification set such that the out-transitions of one state are incompatible with the state-labelling on the other state:

    inconsistent(L, L′, ids) iff ∃(w, w′) ∈ ids with out(L, w) ⊈  ′(w′) or out(L′, w′) ⊈  (w).

Here the out function returns all the actions immediately available from the given state w.

    out(((S, →,  ), w)) = {a | ∃w′. w –a→ w′}

The join function takes the union of the two transition systems.

    join((S, →,  ), (S′, →′,  ′)) = (S ∪ S′, → ∪ →′,  ″)

Here  ″ takes the constraints arising from both   and  ′ into account:

     ″(s) = { (s) ∩  ′(s) | s ∈ S ∪ S′} ∪ { (s) | s ∈ S \ S′} ∪ { (s) | s ∈ S′ \ S}.

The applyIds function applies all the state-identification pairs as substitutions to the Labelled Transition System:

    applyIds(ids, (S, →,  )) = (S′, →′,  ′)
        where S′ = S [w/w′ | (w, w′) ∈ ids]
              →′ = → [w/w′ | (w, w′) ∈ ids]
               ′ =   [w/w′ | (w, w′) ∈ ids]

Here [w/w′ | (w, w′) ∈ ids] means the simultaneous substitution of w for w′ for all pairs (w, w′) in ids. The getIds function returns the set of extra state-identification pairs that need to be added to respect determinism:

    getIds(L, L′, ids) = {(x, x′) | (w, w′) ∈ ids, ∃a. w –a→ x, w′ –a→ x′}

The function simpl(·) has the expected properties, as the next lemma shows.

Lemma 2 simpl( ) ⊨  .

Proof: By induction on  . □

Lemma 3 glb as defined is the greatest lower bound

We will show that:

– glb(M, M′)   M and glb(M, M′)   M′
– If N   M and N   M′, then N   glb(M, M′)

If M, M′ or glb(M, M′) are equal to ⊥, then we just apply the rule that ⊥   m for all models m. So let us assume that consistent(M, M′) and that glb(M, M′) ≠ ⊥.

Proof: To show glb(M, M′)   M, we need to provide a simulation R from M to glb(M, M′).
If M = ((S,!, ), w), then define R as the identity relation on the states of S: R = {(x, x) | x 2 S} It is straightforward to show that R as defined is a simulation from M to glb(M,M0). If there is a transition x a  ! y in M, then by the construction of merge, there is also a transition x a  ! y in glb(M,M0). We also need to show that  M(x) ◆   glb(M,M0)(x) for all states x in M. This is immediate from the construction of merge. ut Proof: To show that N   M and N   M0 imply N   glb(M,M0), assume there is a simulation R from M to N and there is a simulation R0 from M0 to N. We need to provide a simulation R⇤ from glb(M,M0) to N. Assume the states of M and M0 are disjoint. Define: R⇤ = R [R0 We need to show that R⇤ as defined is a simulation from glb(M,M0) to N. Suppose x a  ! y in glb(M,M0) and that (x, x2) 2 R [ R0. We need to provide a y2 such that x2 a  ! y2 in N and (y, y2) 2 R [ R0. If x a  ! y in glb(M,M0), then, from the definition of merge, either x a  ! y in M or x a  ! y in M0. If the former, and given that R is a simulation from M to N, then there is a y2 such that (y, y2) 2 R and x2 a  ! y2 in N. But, if (y, y2) 2 R, then also (y, y2) 2 R [R0. Finally, we need to show that if (x, y) 2 R [R0 then   glb(M,M0)(x) ◆  N(y) If (x, y) 2 R [ R0 then either (x, y) 2 R or (x, y) 2 R0. Assume the former. Given that R is a simulation from M to N, we know that if (x, y) 2 R, then  M(x) ◆  N(y) Let M = ((S,!, ), w). If x 6= w (i.e. x is some state other than the start state), then, from the definition of merge,   glb(M,M0)(x) =  M(x). So, given 34 Richard Prideaux Evans, Martin Berger  M ◆  N(y),   glb(M,M0)(x) ◆  N(y). If, on the other hand, x = w (i.e. x is the start state of our cathoristic model M), then, from the definition of merge:   glb(M,M0)(w) =  M(w) \  M0(w 0) where w0 is the start state of M0. 
In this case, given  _M(w) ⊇  _N(y) and  _M′(w′) ⊇  _N(y), it follows that  _M(w) ∩  _M′(w′) ⊇  _N(y) and hence

     _glb(M,M′)(w) ⊇  _N(y) □

Next, define the least upper bound (lub) of two models as:

    lub(M, ⊥) = M
    lub(⊥, M) = M
    lub((L, w), (L′, w′)) = lub2(L, L′, (M_⊤, z), {(w, w′, z)})

where M_⊤ is the topmost model (W = {z}, → = ∅,   = {z ↦ Σ}) for some state z. lub2 takes four parameters: the two cathoristic transition systems L and L′, an accumulator representing the constructed result so far, and a list of state triples (each triple contains one state from each of the two input models plus the state of the accumulated result) to consider next. It is defined as:

    lub2(L, L′, M, ∅) = M
    lub2(L, L′, ((W, →,  ), y), {(w, w′, x)} ∪ R) = lub2(L, L′, ((W ∪ W′, → ∪ →′,  ′), y), R′ ∪ R)

where:

    {(aᵢ, wᵢ, w′ᵢ) | i = 1...n} = sharedT((L, w), (L′, w′))
    W′ = {xᵢ | i = 1...n}
    →′ = {(x, aᵢ, xᵢ) | i = 1...n}
     ′ =  [x ↦  (w) ∪  (w)′]
    R′ = {(wᵢ, w′ᵢ, xᵢ) | i = 1...n}

Here  [x ↦ S] is the state labelling function that is exactly like  , except that it maps x to S. Moreover, sharedT returns the shared transitions between two models, and is defined as:

    sharedT(((W, →,  ), w), ((W′, →′,  ′), w′)) = {(a, x, x′) | w –a→ x ∧ w′ –a→′ x′}

If ((S*, →*,  *), w*) = ((S, →,  ), w) ⊔ ((S′, →′,  ′), w′) then define the set triples_lub as the set of triples (x, x′, x*) | x ∈ S, x′ ∈ S′, x* ∈ S* that were used during the construction of lub above. So triples_lub stores the associations between states in M, M′ and M ⊔ M′.

Fig. 9: Example of ⊔

Fig. 10: Example of ⊔

Fig. 11: Example of ⊔

Lemma 4 lub as defined is the least upper bound

We will show that:

– M   lub(M, M′) and M′   lub(M, M′)
– If M   N and M′   N, then lub(M, M′)   N

If M or M′ are equal to ⊥, then we just apply the rule that ⊥   m for all models m. So let us assume that neither M nor M′ are ⊥.
Proof: To see that M   lub(M, M′), observe that, by construction of lub above, every transition in lub(M, M′) has a matching transition in M, and every state label in lub(M, M′) is a superset of the corresponding state label in M.

To show that M   N and M′   N together imply lub(M, M′)   N, assume a simulation R from N to M and a simulation R′ from N to M′. We need to produce a simulation relation R* from N to lub(M, M′). Define

R* = {(x, y*) | ∃y1.∃y2.(x, y1) ∈ R, (x, y2) ∈ R′, (y1, y2, y*) ∈ triples_lub}

In other words, R* contains the pairs corresponding to the pairs in both R and R′. We just need to show that R* as defined is a simulation from N to lub(M, M′). Assume (x, x*) ∈ R* and x -a→ y in N. We need to produce a y* such that (x*, y*) ∈ R* and x* -a→ y* in lub(M, M′). Given that R is a simulation from N to M, and that R′ is a simulation from N to M′, we know that there is a pair of states x1, y1 in M and a pair of states x2, y2 in M′ such that (x, x1) ∈ R and (x, x2) ∈ R′ and x1 -a→ y1 in M and x2 -a→ y2 in M′. Now, from the construction of lub above, there is a triple (y1, y2, y*) ∈ triples_lub. Now, from the construction of R* above, (x*, y*) ∈ R*.

Finally, we need to show that for all states x and y, if (x, y) ∈ R*, N(x) ⊇  lub(M,M′)(y). Given that R is a simulation from N to M, and that R′ is a simulation from N to M′, we know that if (x, y1) ∈ R, then  N(x) ⊇  M(y1). Similarly, if (x, y2) ∈ R, then  N(x) ⊇  ′M(y2). Now, from the construction of lub,  lub(M,M′)(y*) =  M(y1) ∪  M(y2) for all triples (y1, y2, y*) ∈ triples_lub. So  N(x) ⊇  lub(M,M′)(y), as required. □

6.5 A decision procedure for cathoristic logic

We use the semantic constructions above to provide a quadratic-time decision procedure. The complexity of the decision procedure is an indication that cathoristic logic is useful as a query language in knowledge representation.
Cathoristic logic's lack of connectives for negation, disjunction or implication is the key reason for the efficiency of the decision procedure. Although any satisfiable formula has an infinite number of models, we have shown that the satisfying models form a bounded lattice with a least upper bound. The simpl() function defined above gives us the least upper bound of all models satisfying an expression. Using this least upper bound, we can calculate entailment by checking a single model. To decide whether   ⊨ , we use the following algorithm.

1. Compute simpl( ).
2. Check if simpl( ) ⊨ .

The correctness of this algorithm is given by the following theorem.

Theorem 3 The following are equivalent:
1. For all cathoristic models M, M ⊨   implies M ⊨ .
2. simpl( ) ⊨ .

Proof: The implication from (1) to (2) is trivial because simpl( ) ⊨   by construction. For the reverse direction, we make use of the following lemma (proved in the Appendix):

Lemma 5 If M ⊨   then M   simpl( ).

With Lemma 5 in hand, the proof of Theorem 3 is straightforward. Assume M ⊨  . We need to show M ⊨ . Now if M ⊨   then M   simpl( ) (by Lemma 5). Further, if M′ ⊨ ξ and M   M′ then M ⊨ ξ by Theorem 1. So, substituting for ξ and simpl( ) for M′, it follows that M ⊨ . □

Construction of simpl( ) is quadratic in the size of  , and computing whether a model satisfies is of order | | × | |, so computing whether   ⊨ is quadratic time.

6.6 Incompatibility semantics

One of cathoristic logic's unusual features is that it satisfies Brandom's incompatibility semantics constraint, even though it has no negation operator. In this section, we formalise what this means, and prove it.
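The decision procedure of Section 6.5 in Python, as an added example that is not the authors' code: build the simplest model of one formula, then check the other formula against that single model. The tuple encoding of formulae, the `Node` class and all function names are assumptions of this example; `simpl` and `merge` are reconstructed for tree models from the way the text uses them, and the alphabet is assumed infinite, so an unrestricted state label never satisfies a tantum.

```python
from dataclasses import dataclass, field

SIGMA = None   # state label meaning "every action allowed" (the whole alphabet)
BOT = "BOT"    # the bottom model; it satisfies every formula

# Formula constructors (assumed encoding): top, conjunction, may-modality, tantum.
TOP = ("top",)
def AND(f, g): return ("and", f, g)
def MAY(a, f): return ("may", a, f)
def BANG(*actions): return ("bang", frozenset(actions))

@dataclass
class Node:
    """Rooted tree model: a state label plus at most one child per action."""
    label: object = SIGMA                      # frozenset of actions, or SIGMA
    kids: dict = field(default_factory=dict)   # action -> Node (determinism)

def meet_labels(l1, l2):
    """Intersection of two state labels, with SIGMA as the neutral element."""
    if l1 is SIGMA:
        return l2
    if l2 is SIGMA:
        return l1
    return l1 & l2

def merge(m1, m2):
    """Greatest lower bound of two tree models; BOT if they are incompatible."""
    if m1 is BOT or m2 is BOT:
        return BOT
    label = meet_labels(m1.label, m2.label)
    out = set(m1.kids) | set(m2.kids)
    # Incompatible when one model has a transition the other's label rules out.
    if label is not SIGMA and not out <= label:
        return BOT
    kids = {}
    for a in out:
        if a in m1.kids and a in m2.kids:      # shared action: one merged child
            child = merge(m1.kids[a], m2.kids[a])
            if child is BOT:
                return BOT
        else:
            child = m1.kids[a] if a in m1.kids else m2.kids[a]
        kids[a] = child
    return Node(label, kids)

def simpl(f):
    """Simplest tree model of formula f (BOT if f is unsatisfiable)."""
    tag = f[0]
    if tag == "top":
        return Node()
    if tag == "bang":
        return Node(f[1])
    if tag == "and":
        return merge(simpl(f[1]), simpl(f[2]))
    if tag == "may":
        sub = simpl(f[2])
        return BOT if sub is BOT else Node(SIGMA, {f[1]: sub})
    raise ValueError(f"unknown formula: {f!r}")

def sat(m, f):
    """Does model m satisfy formula f?"""
    if m is BOT:
        return True
    tag = f[0]
    if tag == "top":
        return True
    if tag == "and":
        return sat(m, f[1]) and sat(m, f[2])
    if tag == "may":
        return f[1] in m.kids and sat(m.kids[f[1]], f[2])
    if tag == "bang":
        return m.label is not SIGMA and m.label <= f[1]
    raise ValueError(f"unknown formula: {f!r}")

def entails(f, g):
    """Step 1: compute simpl(f). Step 2: check that single model against g."""
    return sat(simpl(f), g)
```

The two entailments derived in Figure 13 and the {male, female} / orange incompatibility used to explain [⊥-Right 1] make convenient inputs.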
Define the incompatibility set of   as:

I( ) = { | ∀M. M ⊭   ∧ }

The reason why Brandom introduces the incompatibility set¹⁴ is that he wants to use it to define semantic content:

Here is a semantic suggestion: represent the propositional content expressed by a sentence with the set of sentences that express propositions incompatible with it¹⁵.

Now if the propositional content of a claim determines its logical consequences, and the propositional content is identified with the incompatibility set, then the incompatibility set must determine the logical consequences. A logic satisfies Brandom's incompatibility semantics constraint if

  ⊨ iff I( ) ⊆ I( )

Not all logics satisfy this property. Brandom has shown that first-order logic and the modal logic S5 satisfy the incompatibility semantics property. Hennessy-Milner logic satisfies it, but Hennessy-Milner logic without negation does not. Cathoristic logic is the simplest logic we have found that satisfies the property.

¹⁴ Brandom [7] defines incompatibility slightly differently: he defines the set of sets of formulae which are incompatible with a set of formulae. But in cathoristic logic, if a set of formulae is incompatible, then there is an incompatible subset of that set with exactly two members. So we can work with the simpler definition in the text above.
¹⁵ [7] p.123.

To establish the incompatibility semantics constraint for cathoristic logic, we need to define a related incompatibility function on models. J(M) is the set of models that are incompatible with M:

J(M) = {M2 | M ⊓ M2 = ⊥}

We shall make use of two lemmas, proved in Appendix B:

Lemma 6 If   ⊨ then simpl( )   simpl( )

Lemma 7 I( ) ⊆ I( ) implies J(simpl( )) ⊆ J(simpl( ))

Theorem 4   ⊨ iff I( ) ⊆ I( )

Proof: Left to right: Assume   ⊨ and ξ ∈ I( ). We need to show ξ ∈ I( ). By the definition of I, if ξ ∈ I( ) then simpl(ξ) ⊓ simpl( ) = ⊥. If simpl(ξ) ⊓ simpl( ) = ⊥, then either
– simpl(ξ) = ⊥
– simpl( ) = ⊥
– Neither simpl(ξ) nor simpl( ) are ⊥, but simpl(ξ) ⊓ simpl( ) = ⊥.

If simpl(ξ) = ⊥, then simpl(ξ) ⊓ simpl( ) = ⊥ and we are done. If simpl( ) = ⊥, then as   ⊨ , by Lemma 6, simpl( )   simpl( ). Now the only model that is   ⊥ is ⊥ itself, so simpl( ) = ⊥. Hence simpl(ξ) ⊓ simpl( ) = ⊥, and we are done.

The interesting case is when neither simpl(ξ) nor simpl( ) are ⊥, but simpl(ξ) ⊓ simpl( ) = ⊥. Then (by the definition of consistent in Section 6.4), either out(simpl(ξ)) ⊈  (simpl( )) or out(simpl( )) ⊈  (simpl(ξ)). In the first sub-case, if out(simpl(ξ)) ⊈  (simpl( )), then there is some action a such that ξ ⊨ ⟨a⟩⊤ and a ∉  (simpl( )). If a ∉  (simpl( )) then ⊨ !A where a ∉ A. Now   ⊨ , so   ⊨ !A. In other words,   also entails the A-restriction that rules out the a transition. So simpl(ξ) ⊓ simpl( ) = ⊥ and ξ ∈ I( ). In the second sub-case, out(simpl( )) ⊈  (simpl(ξ)). Then there is some action a such that ⊨ ⟨a⟩⊤ and a ∉  (simpl(ξ)). If a ∉  (simpl(ξ)) then ξ ⊨ !A where a ∉ A. But if ⊨ ⟨a⟩⊤ and   ⊨ , then   ⊨ ⟨a⟩⊤ and   is also incompatible with ξ's A-restriction. So simpl(ξ) ⊓ simpl( ) = ⊥ and ξ ∈ I( ).

Right to left: assume, for reductio, that M ⊨   and M ⊭ . We will show that I( ) ⊈ I( ). Assume M ⊨   and M ⊭ . We will construct another model M2 such that M2 ∈ J(simpl( )) but M2 ∉ J(simpl( )). This will entail, via Lemma 7, that I( ) ⊈ I( ).

If M ⊭ , then there is a formula ′ that does not contain ∧ such that ⊨ ′ and M ⊭ ′. ′ must be either of the form (i) ⟨a1⟩...⟨an⟩⊤ (for n > 0) or (ii) of the form ⟨a1⟩...⟨an⟩!{A} where A ⊆ S and n >= 0.

In case (i), there must be an i between 0 and n such that M ⊨ ⟨a1⟩...⟨ai⟩⊤ but M ⊭ ⟨a1⟩...⟨ai+1⟩⊤. We need to construct another model M2 such that M2 ⊓ simpl( ) = ⊥, but M2 ⊓ simpl( ) ≠ ⊥. Letting M = ((W, →,  ), w), then M ⊨ ⟨a1⟩...⟨ai⟩⊤ implies that there is at least one sequence of states of the form w, w1, ..., wi such that w -a1→ w1 → ... -ai→ wi.
Now let M2 be just like M but with additional transition-restrictions on each wi so that it does not include ai+1. In other words,  M2(wi) =  M(wi)   {ai+1} for all wi in sequences of the form w -a1→ w1 → ... -ai→ wi. Now M2 ⊓ simpl( ) = ⊥ because of the additional transition restriction we added to M2, which rules out ⟨a1⟩...⟨ai+1⟩⊤, and a fortiori . But M2 ⊓ simpl( ) ≠ ⊥, because M ⊨   and M2   M together imply M2 ⊨  . So M2 is indeed the model we were looking for, that is incompatible with simpl( ) while being compatible with simpl( ).

In case (ii), M ⊨ ⟨a1⟩...⟨an⟩⊤ but M ⊭ ⟨a1⟩...⟨an⟩!A for some A ⊂ S. We need to produce a model M2 that is incompatible with simpl( ) but not with simpl( ). Given that M ⊨ ⟨a1⟩...⟨an⟩⊤, there is a sequence of states w, w1, ..., wn such that w -a1→ w1 → ... -ai→ wn. Let M2 be the model just like M except it has an additional transition from each such wn with an action a ∉ A. Clearly, M2 ⊓ simpl( ′) = ⊥ because of the additional a-transition, and given that ⊨ ′, it follows that M2 ⊓ simpl( ) = ⊥. Also, M2 ⊓ simpl( ) ≠ ⊥, because M2   M and M ⊨  . □

7 Inference Rules

─────── [Id]
  ⊢  

─────── [⊤-Right]
  ⊢ ⊤

─────── [⊥-Left]
⊥ ⊢  

  ⊢      ⊢ ξ
──────────────── [Trans]
  ⊢ ξ

  ⊢ 
─────────── [∧-Left 1]
  ∧ ξ ⊢ 

  ⊢ 
─────────── [∧-Left 2]
ξ ∧   ⊢ 

  ⊢       ⊢ ξ
──────────────── [∧-Right]
  ⊢  ∧ ξ

a ∉ A
──────────────── [⊥-Right 1]
!A ∧ ⟨a⟩  ⊢ ⊥

─────────── [⊥-Right 2]
⟨a⟩⊥ ⊢ ⊥

  ⊢ !A    A ⊆ A′
──────────────── [!-Right 1]
  ⊢ !A′

  ⊢ !A      ⊢ !B
──────────────── [!-Right 2]
  ⊢ !(A ∩ B)

  ⊢ 
──────────── [Normal]
⟨a⟩  ⊢ ⟨a⟩

  ⊢ ⟨a⟩ ∧ ⟨a⟩ξ
──────────────── [Det]
  ⊢ ⟨a⟩( ∧ ξ)

Fig. 12: Proof rules.

We now present the inference rules for cathoristic logic. There are no axioms.

Definition 12 Judgements are of the following form.

  ⊢ .

We also write ⊢   as a shorthand for ⊤ ⊢  . Figure 12 presents all proof rules. Note that   and are single formulae, not sequents. By using single formulae, we can avoid structural inference rules. The proof rules can be grouped in two parts: standard rules and rules unique to cathoristic logic.
Standard rules are [Id], [⊤-Right], [⊥-Left], [Trans], [∧-Left 1], [∧-Left 2] and [∧-Right]. They hardly need explanation as they are variants of familiar rules for propositional logic, see e.g. [30,32]. We now explain the rules that give cathoristic logic its distinctive properties.

The rule [⊥-Right 1] captures the core exclusion property of the tantum !: for example if A = {male, female} then ⟨orange⟩  is incompatible with !A. Thus !A ∧ ⟨orange⟩  must be false.

The rule [⊥-Right 2] expresses that falsity is 'global' and cannot be suppressed by the modalities. For example ⟨orange⟩⊥ is false, simply because ⊥ is already false.

[Normal] enables us to prefix an inference with a may-modality. This rule can also be stated in the following more general form:

 1 ∧ ... ∧  n ⊢ 
──────────────────────────── [Normal-Multi]
⟨a⟩ 1 ∧ ... ∧ ⟨a⟩ n ⊢ ⟨a⟩

But it is not necessary because [Normal-Multi] is derivable from [Normal] as we show in the examples below.

7.1 Example inferences

We prove that we can use   ∧ ⊢ ξ to derive ⟨a⟩  ∧ ⟨a⟩ ⊢ ⟨a⟩ξ:

  ∧ ⊢ ξ
⟨a⟩(  ∧ ) ⊢ ⟨a⟩ξ   [Normal]
⟨a⟩  ∧ ⟨a⟩ ⊢ ⟨a⟩  ∧ ⟨a⟩
⟨a⟩  ∧ ⟨a⟩ ⊢ ⟨a⟩(  ∧ )   [Det]
⟨a⟩  ∧ ⟨a⟩ ⊢ ⟨a⟩ξ   [Trans]

Figure 13 demonstrates how to infer ⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d} ⊢ ⟨a⟩!{c} and ⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨d⟩⊤.

7.2 !-Left and !-Right

The rules [!-Right 1, !-Right 2] jointly express how the subset relation ⊆ on sets of actions relates to provability. Why don't we need a corresponding rule !-Left for strengthening ! on the left hand side?

 ∧ !A ⊢     A′ ⊆ A
──────────────────── [!-Left]
 ∧ !A′ ⊢ 

The reason is that [!-Left] can be derived as follows.

 ∧ !A′ ⊢  ∧ !A′    A′ ⊆ A
 ∧ !A′ ⊢  ∧ !A   [!-Right 1]
 ∧ !A ⊢ 
 ∧ !A′ ⊢    [Trans]

Readers familiar with object-oriented programming will recognise [!-Left] as contravariant and [!-Right 1] as covariant subtyping. Honda [18] develops a full theory of subtyping based on similar ideas. All three rules embody the intuition that whenever A ⊆ A′ then asserting that !A′ is as strong as, or a stronger statement than !A.
[!-Left] simply states that we can always strengthen our premise, while [!-Right 1] allows us to weaken the conclusion.

7.3 Characteristic formulae

In order to prove completeness, below, we need the notion of a characteristic formula of a model. The function simpl(·) takes a formula as argument and returns the least upper bound of the satisfying models. Characteristic formulae go the other way: given a model M, char(M) is the logically weakest formula that describes that model.

Top derivation:
!{b, c} ⊢ !{b, c}
!{b, c} ∧ !{c, d} ⊢ !{b, c}   [∧-Left 1]
!{c, d} ⊢ !{c, d}
!{b, c} ∧ !{c, d} ⊢ !{c, d}   [∧-Left 2]
!{b, c} ∧ !{c, d} ⊢ !{c}   [!-Right 2]
⟨a⟩(!{b, c} ∧ !{c, d}) ⊢ ⟨a⟩!{c}   [Normal]
⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d} ⊢ ⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d}
⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d} ⊢ ⟨a⟩(!{b, c} ∧ !{c, d})   [Det]
⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d} ⊢ ⟨a⟩!{c}   [Trans]

Bottom derivation:
!{b} ∧ ⟨c⟩⊤ ⊢ ⊥
⟨a⟩(!{b} ∧ ⟨c⟩⊤) ⊢ ⟨a⟩⊥   [Normal]
⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤
⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨a⟩(!{b} ∧ ⟨c⟩⊤)   [Det]
⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨a⟩⊥   [Trans]
⟨a⟩⊥ ⊢ ⊥
⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⊥   [Trans]
⊥ ⊢ ⟨d⟩⊤
⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨d⟩⊤   [Trans]

Fig. 13: Derivations of ⟨a⟩!{b, c} ∧ ⟨a⟩!{c, d} ⊢ ⟨a⟩!{c} (top) and ⟨a⟩!{b} ∧ ⟨a⟩⟨c⟩⊤ ⊢ ⟨d⟩⊤ (bottom).

Definition 13 Let M be a cathoristic model that is a tree.

char(⊥) = ⟨a⟩⊤ ∧ !∅ for some fixed action a ∈ Σ
char(M, w) = bang(M, w) ∧ ⋀_{w -a→ w′} ⟨a⟩char(M, w′)

Note that ⊥ requires a particular action a ∈ Σ. This is why we required, in Section 3.1, that Σ is non-empty. The functions bang(·) on models are given by the following clauses.

bang((S, →,  ), w) = ⊤ if  (w) = Σ
                     !  (w) otherwise

Note that char(M) is finite if M contains no cycles and if  (x) is either Σ or finite for all states x.
We state without proof that simpl(·) and char(·) are inverses of each other (for tree models M) in that:
– simpl(char(M)) ≃ M.
– ⊨ char(simpl( )) iff ⊨  .

7.4 Soundness and completeness

Theorem 5 The rules in Figure 12 are sound and complete:
1. (Soundness)   ⊢ implies   ⊨ .
2. (Completeness)   ⊨ implies   ⊢ .

Soundness is immediate from the definitions. To prove completeness we will show that   ⊨ implies there is a derivation of   ⊢ . Our proof will make use of two key facts (proved in Sections 7.5.1 and 7.5.2 below):

Lemma 8 If M ⊨   then char(M) ⊢  .

Lemma 9 For all formulae  , we can derive   ⊢ char(simpl( )).

Lemma 8 states that, if   is satisfied by a model, then there is a proof that the characteristic formula describing that model entails  . In Lemma 9, simpl( ) is the simplest model satisfying  , and char(M) is the simplest formula describing M, so char(simpl( )) is a simplified form of  . This lemma states that cathoristic logic has the inferential capacity to transform any proposition into its simplified form.

With these two lemmas in hand, the proof of completeness is straightforward. Assume   ⊨ . Then all models which satisfy   also satisfy . In particular, simpl( ) ⊨ . Then char(simpl( )) ⊢ by Lemma 8. But we also have, by Lemma 9,   ⊢ char(simpl( )). So by transitivity, we have   ⊢ .

7.5 Proofs of Lemmas 8, 9 and 10

7.5.1 Proof of Lemma 8

If M ⊨   then char(M) ⊢  . We proceed by induction on  .

Case   is ⊤. Then we can prove char(M) ⊢   immediately using axiom [⊤ Right].

Case   is ∧ ′. By the induction hypothesis, char(M) ⊢ and char(M) ⊢ ′. The proof of char(M) ⊢ ∧ ′ follows immediately using [∧ Right].

Case   is ⟨a⟩ . If M ⊨ ⟨a⟩ , then either M = ⊥ or M is a model of the form (L, w).

Subcase M = ⊥. In this case, char(M) = char(⊥) = ⊥. (Recall, that we are overloading ⊥ to mean both the model at the bottom of our lattice and a formula (such as ⟨a⟩⊤ ∧ !∅) which is always false). In this case, char(⊥) ⊢ ⟨a⟩ using [⊥ Left].

Subcase M is a model of the form (L, w). Given M ⊨ ⟨a⟩ , and that M is a model of the form (L, w), we know that:

(L, w) ⊨ ⟨a⟩

From the satisfaction clause for ⟨a⟩, it follows that:

∃w′ such that w -a→ w′ and (L, w′) ⊨

By the induction hypothesis:

char((L, w′)) ⊢

Now by [Normal]:

⟨a⟩char((L, w′)) ⊢ ⟨a⟩

Using repeated application of [∧ Left], we can show:

char((L, w)) ⊢ ⟨a⟩char((L, w′))

Finally, using [Trans], we derive:

char((L, w)) ⊢ ⟨a⟩

Case   is ! . If (L, w) ⊨ !A, then  (w) ⊆ A. Then char((L, w)) = !  (w) ∧ . Now we can prove !  (w) ∧  ⊢ !A using [! Right 1] and repeated applications of [∧ Left].

7.5.2 Proof of Lemma 9

Now we prove Lemma 9: for all formulae  , we can derive   ⊢ char(simpl( )).

Proof: Induction on  .

Case   is ⊤. Then we can prove ⊤ ⊢ ⊤ using either [⊤ Right] or [Id].

Case   is ∧ ′. By the induction hypothesis, ⊢ char(simpl( )) and ′ ⊢ char(simpl( ′)). Using [∧ Left] and [∧ Right], we can show:

∧ ′ ⊢ char(simpl( )) ∧ char(simpl( ′))

In order to continue the proof, we need the following lemma, proven in the next subsection.

Lemma 10 For all cathoristic models M and M2 that are trees, char(M) ∧ char(M2) ⊢ char(M ⊓ M2).

From Lemma 10 (substituting simpl( ) for M and simpl( ′) for M2, and noting that simpl() always produces acyclic models), it follows that:

char(simpl( )) ∧ char(simpl( ′)) ⊢ char(simpl( ∧ ′))

Our desired result follows using [Trans].

Case   is ⟨a⟩ . By the induction hypothesis, ⊢ char(simpl( )). Now there are two sub-cases to consider, depending on whether or not char(simpl( )) = ⊥.

Subcase char(simpl( )) = ⊥. In this case, char(simpl(⟨a⟩ )) also equals ⊥. By the induction hypothesis:

⊢ ⊥

By [Normal]:

⟨a⟩ ⊢ ⟨a⟩⊥

By [⊥ Right 2]:

⟨a⟩⊥ ⊢ ⊥

The desired proof that:

⟨a⟩ ⊢ ⊥

follows by [Trans].

Subcase char(simpl( )) ≠ ⊥. By the induction hypothesis, ⊢ char(simpl( )).
So, by [Normal]:

⟨a⟩ ⊢ ⟨a⟩char(simpl( ))

The desired conclusion follows from noting that:

⟨a⟩char(simpl( )) = char(simpl(⟨a⟩ ))

Case   is !A. If   is !A, then char(simpl( )) is !A ∧ ⊤. We can prove !A ⊢ !A ∧ ⊤ using [∧ Right], [⊤ Right] and [Id]. □

7.5.3 Proof of Lemma 10

We can now finish the proof of Lemma 9 by giving the missing proof of Lemma 10.

Proof: There are two cases to consider, depending on whether or not (M ⊓ M2) = ⊥.

Case (M ⊓ M2) = ⊥. If (M ⊓ M2) = ⊥, there are three possibilities:
– M = ⊥
– M2 = ⊥
– Neither M nor M2 are ⊥, but together they are incompatible.

If either M or M2 is ⊥, then the proof is a simple application of [Id] followed by [∧ Left]. Next, let us consider the case where neither M nor M2 are ⊥, but together they are incompatible. Let M = (L, w1) and M′ = (L′, w′1). If M ⊓ M2 = ⊥, then there is a finite sequence of actions a1, ..., an 1 such that both M and M′ satisfy ⟨a1⟩...⟨an 1⟩⊤, but they disagree about the state-labelling on the final state of this chain. In other words, there is a b-transition from the final state in M which is ruled-out by the  ′ state-labelling in M′. So there is a set of states w1, ..., w′1, ... and a finite set X of actions such that:
– w1 -a1→ w2 -a2→ ... -an 1→ wn.
– w′1 -a1→ w′2 -a2→ ... -an 1→ w′n.
– wn -b→ wn+1.
–  ′(w′n) = X with b ∉ X.

Now it is easy to show, using [∧ Left], that

char(M) ⊢ ⟨a1⟩...⟨an 1⟩⟨b⟩⊤
char(M′) ⊢ ⟨a1⟩...⟨an 1⟩!X

Now using [∧ Left] and [∧ Right]:

char(M) ∧ char(M′) ⊢ ⟨a1⟩...⟨an 1⟩⟨b⟩⊤ ∧ ⊢ ⟨a1⟩...⟨an 1⟩!X

Now using [Det]:

char(M) ∧ char(M′) ⊢ ⟨a1⟩...⟨an 1⟩(⟨b⟩⊤ ∧ !X)

Now, using [⊥ Right 1]:

⟨b⟩⊤ ∧ !X ⊢ ⊥

Using n  1 applications of [⊥ Right 2]:

⟨a1⟩...⟨an 1⟩(⟨b⟩⊤ ∧ !X) ⊢ ⊥

Finally, using [Trans], we derive:

char(M) ∧ char(M′) ⊢ ⊥

Case (M ⊓ M2) ≠ ⊥. From the construction of merge, if M and M′ are acyclic, then M ⊓ M′ is also acyclic.
If M ⊓ M′ is acyclic, then char(M ⊓ M′) is equivalent to a set   of sentences of one of two forms:

⟨a1⟩...⟨an⟩⊤
⟨a1⟩...⟨an⟩!X

Fig. 14: Example of ⊓

For example, if M ⊓ M′ is as in Figure 14, then

char(M ⊓ M′) = ⟨a⟩(!{c, d} ∧ ⟨c⟩⊤) ∧ ⟨b⟩⊤

This is equivalent to the set   of sentences:

⟨a⟩⟨c⟩⊤
⟨b⟩⊤
⟨a⟩!{c, d}

Now using [∧ Right] and [Det] we can show that

⋀  ∈      ⊢ char(M ⊓ M′)

We know that for all   ∈  

M ⊓ M′ ⊨  

We just need to show that:

char(M) ∧ char(M′) ⊢  

Take any   ∈   of the form ⟨a1⟩...⟨an⟩!X for some finite X ⊆ Σ. (The case where   is of the form ⟨a1⟩...⟨an⟩⊤ is very similar, but simpler). If M ⊓ M′ ⊨ ⟨a1⟩...⟨an⟩!X then either:
1. M ⊨ ⟨a1⟩...⟨an⟩!X but M′ ⊭ ⟨a1⟩...⟨an⟩⊤
2. M′ ⊨ ⟨a1⟩...⟨an⟩!X but M ⊭ ⟨a1⟩...⟨an⟩⊤
3. M ⊨ ⟨a1⟩...⟨an⟩!X1 and M′ ⊨ ⟨a1⟩...⟨an⟩!X2 and X1 ∩ X2 ⊆ X

In the first two cases, showing char(M) ∧ char(M′) ⊢   is just a matter of repeated application of [∧ Left] and [∧ Right]. In the third case, let M = (L, w1) and M′ = (L′, w′1). If M ⊨ ⟨a1⟩...⟨an⟩!X1 and M′ ⊨ ⟨a1⟩...⟨an⟩!X2 then there exist sequences w1, ..., wn+1 and w′1, ..., w′n+1 of states such that
– w1 -a1→ ... -an→ wn+1.
– w′1 -a1→ ... -an→ w′n+1.
–  (wn+1) ⊆ X1.
–  ′(w′n+1) ⊆ X2.

Now from the definition of char():

char((L, wn1)) ⊢ !X1
char((L′, w′n1)) ⊢ !X2

Now using [!Right 2]:

char((L, wn1)) ∧ char((L′, w′n1)) ⊢ !(X1 ∩ X2)

Using [!Right 1]:

char((L, wn1)) ∧ char((L′, w′n1)) ⊢ !X

Using n applications of [Normal]:

⟨a1⟩...⟨an⟩(char((L, wn1)) ∧ char((L′, w′n1))) ⊢ ⟨a1⟩...⟨an⟩!X

Finally, using n applications of [Det]:

char((L, w1)) ∧ char((L′, w′1)) ⊢ ⟨a1⟩...⟨an⟩(char((L, wn1)) ∧ char((L′, w′n1)))

So, by [Trans]

char(M) ∧ char(M′) ⊢ ⟨a1⟩...⟨an⟩!X □

8 Compactness and the standard translation to first-order logic

This section studies two embeddings of cathoristic logic into first-order logic.
The second embedding is used to prove that cathoristic logic satisfies compactness.

8.1 Translating from cathoristic to first-order logic

The study of how a logic embeds into other logics is interesting in part because it casts a new light on the logic that is the target of the embedding. A good example is the standard translation of modal into first-order logic. The translation produces various fragments: the finite variable fragments, the fragment closed under bisimulation, guarded fragments. These fragments have been investigated deeply, and found to have unusual properties not shared by the whole of first-order logic. Translations also enable us to push techniques, constructions and results between logics. In this section, we translate cathoristic logic into first-order logic.

Definition 14 The first-order signature S has a nullary predicate ⊤, a family of unary predicates Restrict_A(·), one for each finite subset A ⊆ Σ, and a family of binary predicates Arrow_a(x, y), one for each action a ∈ Σ.

The intended interpretation is as follows.
– The universe is composed of states.
– The predicate ⊤ is true everywhere.
– For each finite A ⊆ Σ and each state s, Restrict_A(s) is true if  (x) ⊆ A.
– A set of two-place predicates Arrow_a(x, y), one for each a ∈ Σ, where x and y range over states. Arrow_a(x, y) is true if x -a→ y.

If Σ is infinite, then Restrict_A(·) and Arrow_a(·, ·) are infinite families of relations.

Definition 15 Choose two fixed variables x, y, let a range over actions in Σ, and A over finite subsets of Σ. Then the restricted fragment of first-order logic that is the target of our translation is given by the following grammar, where w, z range over x, y.

  ::= ⊤ | Arrow_a(w, z) | Restrict_A(z) |   ∧ | ∃x. 

This fragment has no negation, disjunction, implication, or universal quantification.

Definition 16 The translations [[ ]]_x and [[ ]]_y of cathoristic formula   are given relative to a state, denoted by either x or y.
[[⊤]]_x = ⊤                                      [[⊤]]_y = ⊤
[[  ∧ ]]_x = [[ ]]_x ∧ [[ ]]_x                   [[  ∧ ]]_y = [[ ]]_y ∧ [[ ]]_y
[[⟨a⟩ ]]_x = ∃y.(Arrow_a(x, y) ∧ [[ ]]_y)        [[⟨a⟩ ]]_y = ∃x.(Arrow_a(y, x) ∧ [[ ]]_x)
[[!A]]_x = Restrict_A(x)                         [[!A]]_y = Restrict_A(y)

The translations on the left and right are identical, except for switching x and y. Here is an example translation.

[[⟨a⟩⊤ ∧ !{a}]]_x = ∃y.(Arrow_a(x, y) ∧ ⊤) ∧ Restrict_{a}(x)

We now establish the correctness of the encoding. The key issue is that not every first-order model of our first-order signature corresponds to a cathoristic model because determinism, well-sizedness and admissibility are not enforced by our signature alone. In other words, models may contain 'junk'. We deal with this problem following ideas from modal logic [4]: we add a translation [[L]] for cathoristic transition systems, and then prove the following theorem.

Theorem 6 (correspondence theorem) Let   be a cathoristic logic formula and M = (L, s) a cathoristic model.

M ⊨   iff [[L]] ⊨_{x↦s} [[ ]]_x.

And likewise for [[ ]]_y.

The definition of [[L]] is simple.

Definition 17 Let L = (S, →,  ) be a cathoristic transition system. Clearly L gives rise to an S-model [[L]] as follows.
– The universe is the set S of states.
– The relation symbols are interpreted as follows.
  – ⊤^[[L]] always holds.
  – Restrict_A^[[L]] = {s ∈ S |  (s) ⊆ A}.
  – Arrow_a^[[L]] = {(s, t) ∈ S × S | s -a→ t}.

We are now ready to prove Theorem 6.

Proof: By induction on the structure of  . The cases ⊤ and  1 ∧  2 are straightforward. The case ⟨a⟩ is handled as follows.

[[L]] ⊨_{x↦s} [[⟨a⟩ ]]_x
iff [[L]] ⊨_{x↦s} ∃y.(Arrow_a(x, y) ∧ [[ ]]_y)
iff exists t ∈ S. [[L]] ⊨_{x↦s,y↦t} Arrow_a(x, y) ∧ [[ ]]_y
iff exists t ∈ S. [[L]] ⊨_{x↦s,y↦t} Arrow_a(x, y) and [[L]] ⊨_{x↦s,y↦t} [[ ]]_y
iff exists t ∈ S. s -a→ t and [[L]] ⊨_{x↦s,y↦t} [[ ]]_y
iff exists t ∈ S. s -a→ t and [[L]] ⊨_{y↦t} [[ ]]_y (as x is not free in )
iff exists t ∈ S. s -a→ t and M ⊨
iff M ⊨ ⟨a⟩

Finally, if   is !A the derivation comes straight from the definitions.

[[L]] ⊨_{x↦s} [[!A]]_x
iff [[L]] ⊨_{x↦s} Restrict_A(x)
iff  (s) ⊆ A
iff M ⊨ !A. □

8.2 Compactness by translation

First-order logic satisfies compactness: a set S of sentences has a model exactly when every finite subset of S does. What about cathoristic logic? We can prove compactness of modal logics using the standard translation from modal to first-order logic [4]: we start from a set of modal formulae such that each finite subset has a model. We translate the modal formulae and models to first-order logic, getting a set of first-order formulae such that each finite subset has a first-order model. By compactness of first-order logic, we obtain a first-order model of the translated modal formulae. Then we translate that first-order model back to modal logic, obtaining a model for the original modal formulae, as required. The last step proceeds without a hitch because the modal and the first-order notions of model are identical, save for details of presentation.

Unfortunately we cannot do the same with the translation from cathoristic logic to first-order logic presented in the previous section. The problem is the first-order models termed 'junk' above. The target language of the translation is not expressive enough to have formulae that can guarantee such constraints. As we have no reason to believe that the first-order model whose existence is guaranteed by compactness isn't 'junk', we cannot prove compactness with the translation. We solve this problem with a second translation, this time into a more expressive first-order fragment where we can constrain first-order models easily using formulae. The fragment we use now lives in two-sorted first-order logic (which can easily be reduced to first-order logic [10]).

Definition 18 The two-sorted first-order signature S′ is given as follows.
– S′ has two sorts, states and actions.
– The action constants are given by Σ. There are no state constants.
– S′ has a nullary predicate ⊤.
– A binary predicate Allow(·, ·). The intended meaning of Allow(x, a) is that at the state denoted by x we are allowed to do the action a.
– A ternary predicate Arrow(·, ·, ·) where Arrow(x, a, y) means that there is a transition from the state denoted by x to the state denoted by y, and that transition is labelled a.

So S′ is a relational signature, i.e. has no function symbols.

Definition 19 The encoding ⟨⟨ ⟩⟩_x of cathoristic logic formulae is given by the following clauses.

⟨⟨⊤⟩⟩_x = ⊤
⟨⟨  ∧ ⟩⟩_x = ⟨⟨ ⟩⟩_x ∧ ⟨⟨ ⟩⟩_x
⟨⟨⟨a⟩ ⟩⟩_x = ∃st y.(Arrow(x, a, y) ∧ ⟨⟨ ⟩⟩_y)
⟨⟨!A⟩⟩_x = ∀act a.(Allow(x, a) → a ∈ A)

Here we use ∃st to indicate that this existential quantifier ranges over the sort of states, and ∀act for the universal quantifier ranging over actions. The expression a ∈ A is a shorthand for the first-order formula

a = a1 ∨ a = a2 ∨ ··· ∨ a = an

assuming that A = {a1, ..., an}. Since by definition, A is always a finite set, this is well-defined. The translation could be restricted to a two-variable fragment. Moreover, the standard reduction from many-sorted to one-sorted first-order logic does not increase the number of variables used (although predicates are added, one per sort). We will not consider this matter further here.

We also translate cathoristic transition systems ⟨⟨L⟩⟩.

Definition 20 Let L = (S, →,  ) be a cathoristic transition system. L gives rise to an S′-model ⟨⟨L⟩⟩ as follows.
– The sort of states is interpreted by the set S.
– The sort of actions is interpreted by the set Σ.
– For each constant a ∈ Σ, a^⟨⟨L⟩⟩ is a itself.
– The relation symbols are interpreted as follows.
  – ⊤^⟨⟨L⟩⟩ always holds.
  – Allow^⟨⟨L⟩⟩(s, a) holds whenever a ∈  (s).
  – Arrow^⟨⟨L⟩⟩(s, a, t) holds whenever s -a→ t.

Theorem 7 (correspondence theorem) Let   be a cathoristic logic formula and M = (L, s) a cathoristic model.
M ⊨   iff ⟨⟨L⟩⟩ ⊨_{x↦s} ⟨⟨ ⟩⟩_x.

Proof: The proof proceeds by induction on the structure of   and is similar to that of Theorem 7. The case for the may modality proceeds as follows.

M ⊨ ⟨a⟩ 
iff exists state t with s -a→ t and (L, t) ⊨  
iff exists state t with s -a→ t and ⟨⟨L⟩⟩ ⊨_{y↦t} ⟨⟨ ⟩⟩_y by (IH)
iff ⟨⟨L⟩⟩ ⊨_{x↦s} ∃st y.(Arrow(x, a, y) ∧ ⟨⟨ ⟩⟩_y)
iff ⟨⟨L⟩⟩ ⊨_{x↦s} ⟨⟨⟨a⟩ ⟩⟩_x

Finally !A.

M ⊨ !A
iff  (s) ⊆ A
iff for all a ∈ Σ. a ∈ A
iff ⟨⟨L⟩⟩ ⊨_{x↦s} ∀act a.(Allow(x, a) → a ∈ A)
iff ⟨⟨L⟩⟩ ⊨_{x↦s} ⟨⟨!A⟩⟩_x □

We use the following steps in our compactness proof.
1. Choose a set   of cathoristic logic formulae such that each finite subset  ′ of   has a cathoristic model (L, s).
2. The translation gives a set ⟨⟨ ⟩⟩ = {⟨⟨ ⟩⟩ |   ∈  } of first-order formulae such that each finite subset has a first-order model ⟨⟨L⟩⟩.
3. By compactness of (two-sorted) first-order logic, we can find a first-order model M of ⟨⟨ ⟩⟩.
4. Convert M into a cathoristic transition system M♯ such that (M♯, s) ⊨  .

The problematic step is (4), for how would we know that the first-order model M can be converted back to a cathoristic transition system? What if it contains 'junk' in the sense described above? We solve this by adding formulae to ⟨⟨ ⟩⟩ that preserve finite satisfiability but force the first-order models to be convertible to cathoristic models. To ensure admissibility we use this formula.

 admis = ∀st s.∀act a.∀st t.(Arrow(s, a, t) → Allow(s, a))

The formula  det ensures model determinism.

 det = ∀st s.∀act a.∀st t.∀st t′.((Arrow(s, a, t) ∧ Arrow(s, a, t′)) → t = t′)

Lemma 11 If L is a cathoristic transition system then ⟨⟨L⟩⟩ ⊨  admis ∧  det.

Proof: Straightforward from the definitions. □

We can now add, without changing satisfiability,  admis ∧  det to any set of first-order formulae that has a model that is the translation of a cathoristic model.
We also need to deal with well-sizedness in first-order models, because nothing discussed so far prevents models whose state labels are infinite sets without being Σ. Moreover, a model may interpret the set of actions with a proper superset of Σ. This also prevents conversion to cathoristic models. We solve these problems by simply removing all actions that are not in Σ and all transitions involving such actions. We map all infinite state labels to Σ. It is easy to see that this does not change satisfiability of (translations of) cathoristic formulae.

Definition 21 Let L = (S, →,  ) be a cathoristic transition system and X a set, containing actions. The restriction of L to X, written L \ X, is the cathoristic model (S, →′,  ′) where →′ = {(s, a, t) ∈ → | a ∉ X}, and for all states s we set:

 ′(s) =  (s) \ X   whenever  (s) ≠ Σ
        Σ          otherwise

Lemma 12 Let   be a cathoristic logic formula and X be a set such that no action occurring in   is in X. Then:

(L, s) ⊨   iff (L \ X, s) ⊨  .

Proof: By straightforward induction on the structure of  , using the fact that by assumption X only contains actions not occurring in  . □

Definition 22 Let M be a first-order model for the signature S′. We construct a cathoristic transition system M♯ = (S, →,  ).
– The actions Σ are given by the M interpretation of actions.
– The states S are given by the M interpretation of states.
– The reduction relation s -a→ t holds exactly when Arrow^M(s, a, t).
– The function   is given by the following clause:

 (s) = X   whenever X = {a | Allow^M(s, a)} is finite
       Σ   otherwise

Lemma 13 Let M be a first-order model for S′ such that M ⊨  admis ∧  det. Then M♯ is a cathoristic transition system with actions Σ.

Proof: Immediate from the definitions. □

Theorem 8 (correspondence theorem) Let M be a first-order model for the signature S′ such that M ⊨  admis ∧  det.
Then we have for all cathoristic logic formulae   with actions from Σ: M |= x 7!s hh iix iff (M ] \X, s) |=  . Here X is the set of all elements in the universe of M interpreting actions that are not in Σ.

Proof: The proof proceeds by induction on the structure of  . ∎

Definition 23 Let   be a set of cathoristic formulae, and M a cathoristic model. We write M |= T provided M |=   for all   2 T . We say   is satisfiable provided M |= T .

Theorem 9 (Compactness of cathoristic logic) A set   of cathoristic logic formulae is satisfiable iff each finite subset of   is satisfiable.

Proof: For the non-trivial direction, let   be a set of cathoristic logic formulae such that any finite subset has a cathoristic model. Define

hh  ii = {hh ii |   2  }   ⇤ = hh  ii [ {  admis ^   det }

which are both sets of first-order formulae. Clearly each finite subset   0 of   ⇤ has a first-order model. Why? First consider the subset   0 CL of   0 which is given as follows.

  0 CL = {  2   | hh ii 2   0}

Since   0 CL is finite, by assumption there is a cathoristic model (L, s) |=   0 CL which means we can apply Theorem 8 to get hhLii |= x 7!s hh  0 CL ii. By construction   0 \ hh  0 CL ii ⊆ {  admis ^   det }, so all we have to show for   0 to have a model is that hhLii |= x 7!s { admis} [ { a | a 2 Σ}, but that is a direct consequence of Lemma 11. That means each finite subset of   ⇤ has a model and by appealing to compactness of first-order many-sorted logic (which is an immediate consequence of compactness of one-sorted first-order logic [10]), we know there must be a first-order model M of   ⇤, i.e. M |=   ⇤. Since M |=   admis ^   det we can apply Theorem 8 that also (M] \X, s) |=   where X is the set of all actions in M] that are not in Σ. Hence   is satisfiable. ∎

9 Cathoristic logic and negation

We have presented cathoristic logic as a language that can express incompatible claims without negation.
In this section, we briefly consider cathoristic logic enriched with negation.

9.1 Syntax and semantics

Definition 24 Given a set Σ of actions, the formulae of cathoristic logic with negation are given by the following grammar.

  ::= ... | ¬ 

We can now define disjunction   _ and implication   ! by de Morgan duality:   _ is short for ¬(¬  ^ ¬ ), and  ! abbreviates ¬  _ . The semantics of cathoristic logic with negation is just that of plain cathoristic logic except for the obvious clause for negation.

M |= ¬  iff M 2  

Negation is a core operation of classical logic, and its absence makes cathoristic logic unusual. In order to understand cathoristic logic better, we now investigate how negation can be seen as a definable abbreviation in cathoristic logic with disjunction. The key idea is to use the fact that ¬hai  can be false in two ways: either there is no a-labelled action at the current state or there is, but   is false. Both arms of this disjunction can be expressed in cathoristic logic, the former as !Σ \ {a}, the latter as hai¬ . Hence, we can see ¬hai  as a shorthand for

!(Σ \ {a}) _ hai¬ 

Negation still occurs in this term, but prefixing a formula of lower complexity. This leaves the question of negating the tantum. That's easy: when ¬!A, then clearly the current state can do an action a /2 A. In other words

_ a2Σ hai>

When Σ is infinite, then so is the disjunction. Note that both the negation of the modality and the negation of the tantum involve the set Σ of actions. So far, we have defined negation with respect to the whole (possibly infinite) set Σ. For technical reasons, we generalise negation and define it with respect to a finite subset S ⊆ Σ. We use this finitely-restricted version of negation in the decision procedure below.

Definition 25 The function ¬ S ( ) removes negation from   relative to a finite subset S ⊆ Σ: ¬ S (>) = ? ¬ S (?)
= > ¬ S (  ^ ) = ¬ S ( ) _ ¬ S ( ) ¬ S (  _ ) = ¬ S ( ) ^ ¬ S ( ) ¬ S (hai ) = !(S   {a}) _ hai¬ S ( ) ¬ S (!A) = _ a2S A hai>

9.2 Decision procedure

We can use the fact that cathoristic logic has a quadratic-time decision procedure to build a super-polynomial time decision procedure for cathoristic logic with negation. Given   |= , let S = actions( ) [ actions( ) [ {a}, where a is a fresh action. The function actions(·) returns all actions occurring in a formula, e.g. actions(hai ) = {a} [ actions( ) and actions(!A) = A. The decision procedure executes the following steps.

1. Inductively translate away all negations in   using ¬ S ( ) as defined above. Let the result be  0.
2. Reduce  0 to disjunctive normal form by repeated application of the rewrite rules:   ^ ( _ ⇠) ; (  ^ ) _ (  ^ ⇠) (  _ ) ^ ⇠ ; (  ^ ⇠) _ ( ^ ⇠).
3. Let the resulting disjuncts be  1, ..., n. Note that   |= iff   i |= for all i = 1, ..., n. For each disjunct   i do the following.
   – Notice that   i |= if and only if all S-extensions (defined below) of simpl(  i ) satisfy . So, to check whether   i |= , we enumerate the S-extensions of simpl(  i ) (there are a finite number of such extensions; the exact number is exponential in the size of simpl(  i )) and check for each such S-extension M whether M |= , using the algorithm of Section 6.5.

Here is the definition of S-extension.

Definition 26 Given a cathoristic transition system L = (W,!, ), and a set S of actions, then (W 0,!0, 0) is an S-extension of L if it is a valid cathoristic transition system (recall Definition 2) and for all (x, a, y) 2!0, either:

– (x, a, y) 2 !, or;
– x 2 W, a 2 S, a 2  (x), and y is a new state not appearing elsewhere in W or W 0.
The state-labelling  0 is:   0(x) =  (x) if x 2 W   0(x) = Σ if x /2 W

In other words, M0 is an extension of an annotated model M, if all its transitions are either from M or involve states of M transitioning via elements of S to new states not appearing in M or M0.

The number of extensions grows quickly. If the model M has n states, then the number of possible extensions is:

$(2^{|S|})^n$

But recall that we are computing these extensions in order to verify . So we can make a significant optimisation by restricting the height of each tree to | |. We state, without proof, that this optimisation preserves correctness.

A Haskell implementation of the decision procedure is available [11].

10 Quantified cathoristic logic

So far, we have presented cathoristic logic as a propositional modal logic. This section sketches quantified cathoristic logic, primarily to demonstrate that this extension works smoothly.

Definition 27 Let Σ be a non-empty set of actions, ranged over by a, a0, ... as before. Given a set V of variables, with x, x0, y, y0, ... ranging over V, the terms, ranged over by t, t0, ... and formulae of quantified cathoristic logic are given by the following grammar:

t ::= x | a   ::= > |   ^ | hti  | !A | 9x.  | 8x. 

Now A ranges over finite subsets of terms. The free variables of a  , denoted fv( ) is given as expected, e.g. fv(hti ) = fv(t)[ fv( ) and fv(!A) = S t2A fv(t) where fv(a) = ∅ and fv(x) = {x}.

Definition 28 The semantics of quantified cathoristic logic is constructed along conventional lines. An environment is a map   : V ! Σ with finite domain. We write  , x : a for the environment that is just like  , except it also maps x to a, implicitly assuming that x is not in  's domain. The denotation [[t]]   of a term t under an environment   is given as follows:

[[a]]   = a [[x]]   =  (x)

where we assume that fv(t) is a subset of the domain of  .
The satisfaction relation M |=     is defined whenever fv( ) is a subset of  's domain. It is given by the following clauses, where we assume that M = (L, s) and L = (S,!, ).

M |=   >
M |=     ^ iff M |=     and M |=  
M |=   hti  iff there is transition s [[t]]   ! s 0 such that (L, s0) |=    
M |=   !A iff  (s) ⊆ {[[t]] | t 2 A}
M |=   8x.  iff for all a 2 Σ we have M |=  ,x:a  
M |=   9x.  iff there exists a 2 Σ such that M |=  ,x:a  

In quantified cathoristic logic, we can say that there is exactly one king of France, and he is bald, as:

$\exists x.(\langle king\rangle\langle france\rangle {!}\{x\} \land \langle x\rangle\langle bald\rangle)$

Expressing this in first-order logic is more cumbersome:

$\exists x.(king(france, x) \land bald(x) \land \forall y.(king(france, y) \to y = x))$

The first-order logic version uses an extra universal quantifier, and also requires the identity relation with concomitant axioms.

To say that every person has exactly one sex, which is either male or female, we can write in quantified cathoristic logic:

$\forall x.(\langle x\rangle\langle person\rangle \to \langle x\rangle\langle sex\rangle {!}\{male, female\} \land \exists y.\langle x\rangle\langle sex\rangle(\langle y\rangle \land {!}\{y\}))$

This is more elegant than the equivalent in first-order logic:

$\forall x.(person(x) \to \exists y.(sex(x, y) \land (y = male \lor y = female) \land \forall z.sex(x, z) \to y = z))$

To say that every traffic light is coloured either green, amber or red, we can write in quantified cathoristic logic:

$\forall x.(\langle x\rangle\langle light\rangle \to \langle x\rangle\langle colour\rangle {!}\{green, amber, red\} \land \exists y.\langle x\rangle\langle colour\rangle(\langle y\rangle \land {!}\{y\}))$

Again, this is less verbose than the equivalent in first-order logic:

$\forall x.(light(x) \to \exists y.(colour(x, y) \land (y = green \lor y = amber \lor y = red) \land \forall z.colour(x, z) \to y = z))$

11 Related work

This section surveys cathoristic logic's intellectual background, and related approaches.

11.1 Brandom's incompatibility semantics

In [7], Chapter 5, Appendix I, Brandom developed a new type of semantics, incompatibility semantics, that takes material incompatibility rather than truth-assignment as the semantically primitive notion.
Incompatibility semantics applies to any language, L, given as a set of sentences. Given a predicate Inc(X) which is true of sets X ⊆ L that are incompatible, he defines an incompatibility function I from subsets of L to sets of subsets of L:

X ∈ I(Y) iff Inc(X ∪ Y).

We assume that I satisfies the monotonicity requirement (Brandom calls it "Persistence"):

If X ∈ I(Y) and X ⊆ X′ then X′ ∈ I(Y).

Now Brandom defines entailment in terms of the incompatibility function. Given a set X ⊆ L and an individual sentence   2 L:

X |=   iff I({ }) ⊆ I(X).

Now, given material incompatibility (as captured by the I function) and entailment, he introduces logical negation as a derived concept via the rule:

{¬ } 2 I(X) iff X |=  .

Brandom goes on to show that the ¬ operator, as defined, satisfies the laws of classical negation. He also introduces a modal operator, again defined in terms of material incompatibility, and shows that this operator satisfies the laws of S5.

Cathoristic logic was inspired by Brandom's vision that material incompatibility is conceptually prior to logical negation: in other words, it is possible for a community of language users to make incompatible claims, even if that language has no explicit logical operators such as negation. The language users of this simple language may go on to introduce logical operators, in order to make certain inferential properties explicit, but this is an optional further development. The language before that addition was already in order as it is.

The approach taken in this paper takes Brandom's original insight in a different direction. While Brandom defines an unusual (non truth-conditional) semantics that applies to any language, we have defined an unusual logic with a standard (truth-conditional) semantics, and then shown that this logic satisfies the Brandomian connection between incompatibility and entailment.
11.2 Peregrin on defining a negation operator

Peregrin [22] investigates the structural rules that any logic must satisfy if it is to connect incompatibility (Inc) and entailment (|=) via the Brandomian incompatibility semantics constraint:

X |=   iff I({ }) ⊆ I(X).

The general structural rules are:

(?) If Inc(X) and X ⊆ Y then Inc(Y ).
(|= 1)  , X |=  .
(|= 2) If X,  |= and Y |=   then X,Y |= .
(? |= 2) If X |=   for all  , then Inc(X).
(|= ?2) If Inc(Y [ { }) implies Inc(Y [X) for all Y, then X |=  .

Peregrin shows that if a logic satisfies the above laws, then incompatibility and entailment are mutually interdefinable, and the logic satisfies the Brandomian incompatibility semantics constraint. Next, Peregrin gives a pair of laws for defining negation in terms of Inc and |=¹⁶:

(¬1) Inc({ ,¬ }).
(¬2) If Inc(X, ) then X |= ¬ .

These laws characterise intuitionistic negation as the minimal incompatible¹⁷. Now, in [7], Brandom defines negation slightly differently. He uses the rule:

(¬B) Inc(X,¬ ) iff X |=  .

Using this stronger rule, we can infer the classical law of double-negation: ¬¬  |=  . Peregrin establishes that Brandom's rule for negation entails (¬1) and (¬2) above, but not conversely: Brandom's rule is stronger than Peregrin's minimal laws (¬1) and (¬2).

Peregrin concludes that the Brandomian constraint between incompatibility and entailment is satisfied by many different logics. Brandom happened to choose a particular rule for negation that led to classical logic, but the general connection between incompatibility and entailment is satisfied by many different logics, including intuitionistic logic. This paper supports Peregrin's conclusion: we have shown that cathoristic logic also satisfies the Brandomian constraint.

¹⁶ The converse of (¬2) follows from (¬1) and the general structural laws above.
¹⁷ is the minimal incompatible of   iff for all ⇠, if Inc({ } [ {⇠}) then ⇠ |= .
11.3 Peregrin and Turbanti on defining a necessity operator

In [7], Brandom gives a rule for defining necessity in terms of incompatibility and entailment:

X 2 I({2 }) iff Inc(X) _ 9Y. Y /2 I(X) ^ Y 2  .

In other words, X is incompatible with 2  if X is compatible with something that does not entail  . The trouble is, as Peregrin and Turbanti point out, if   is not tautological, then every set X ⊆ L is incompatible with 2 . To show this, take any set X ⊆ L. If Inc(X), then X 2 I(2 ) by definition. If, on the other hand, ¬Inc(X), then let Y = ∅. Now ¬Inc(X ∪ Y) as Y = ∅, and Y 2   as   is not tautological. Hence X 2 I(2 ) for all X ⊆ L.

Brandom's rule, then, is only capable of specifying a very specific form of necessity: logical necessity. In [22] and [31], Peregrin and Turbanti describe alternative ways of defining necessity. These alternative rule sets can be used to characterise modal logics other than S5. For example, Turbanti defines the accessibility relation between worlds in terms of a compossibility relation, and then argues that the S4 axiom of transitivity fails because compossibility is not transitive.

We draw two conclusions from this work. The first is, once again, that a commitment to connecting incompatibility and entailment via the Brandomian constraint:

X |=   iff I({ }) ⊆ I(X)

does not commit us to any particular logical system. There are a variety of logics that can satisfy this constraint. Second, questions about the structure of the accessibility relation in Kripke semantics (questions that can seem hopelessly abstract and difficult to answer) can be re-cast in terms of concrete questions about the incompatibility relation. Incompatibility semantics can shed light on possible-world semantics [31].

11.4 Linear logic

Linear logic [15], introduced by J.-Y. Girard, is a refinement of first-order logic that brings the symmetries of classical logic to constructive logic.
Linear logic splits conjunction into additive and multiplicative parts. The former, additive conjunction A&B, is especially interesting in the context of cathoristic logic. In the terminology of process calculus it can be interpreted as an external choice operation [1]. ('External', because the choice is offered to the environment.) This interpretation has been influential in the study of types for process calculus, e.g. [19,20,29]. Implicitly, additive conjunction gives an explicit upper bound on how many different options the environment can choose from. For example A&B&C has three options (assuming that none of A, B, C can be decomposed into further additive conjunctions). With this in mind, and simplifying a great deal, a key difference between !A and additive conjunction A&B is that the individual actions in !A have no continuation, while they do with A&B: the tantum !{l, r} says that the only permitted actions are l and r. What happens at later states is not constrained by !A. In contrast, A&B says not only that at this point the only permissible options are A and B, but also that if we choose A, then A holds 'for ever', and likewise for choosing B. To be sure, the alternatives in A&B may themselves contain further additive conjunctions, and in this way express how exclusion changes 'over time'.

In summary, cathoristic logic and linear logic offer operators that restrict the permissible options. How are they related? Linear logic has an explicit linear negation $(\cdot)^{\perp}$ which, unlike classical negation, is constructive. In contrast, cathoristic logic defines a restricted form of negation using !A. Can these two perspectives be fruitfully reconciled?

11.5 Process calculus

Process calculi are models of concurrent computation. They are based on the idea of message passing between actors running in parallel.
Labelled transition systems are often used as models for process calculi, and many concepts used in the development of cathoristic logic (for example, bisimulations and Hennessy-Milner logic) originated in process theory (although some, such as bisimulation, evolved independently in other contexts).

Process calculi typically feature a construct called sum, that is an explicit description of mutually exclusive options:

$\sum_{i \in I} P_i$

That is a process that can internally choose, or be chosen externally by the environment to evolve into the process $P_i$ for each i. Once the choice is made, all other options disappear. Sums also relate closely to linear logic's additive conjunction. Is this conceptual proximity a coincidence or indicative of deeper common structure?

11.6 Linguistics

Linguists have also investigated how mutually exclusive alternatives are expressed, often in the context of antonymy [2,3,21], but, to the best of our knowledge, have not proposed formal theories of linguistic exclusion.

12 Open problems

In this paper, we have introduced cathoristic logic and established key metalogical properties. However, many questions are left open.

12.1 Excluded middle

One area we would like to investigate further is what happens to the law of excluded middle in cathoristic logic. The logical law of excluded middle states that either a proposition or its negation must be true. In cathoristic logic

|=   _ ¬ S ( )

does not hold in general. (The negation operator ¬ S (·) was defined in Section 9.) For example, let   be hai> and S = Σ = {a, b}. Then

  _ ¬ S   = hai> _ !{b} _ hai?

Now this will not in general be valid: it will be false, for example, in the model (({x}, ∅, {(x, Σ)}), x), the model having just the start state (labelled Σ) and no transitions. Restricting S to be a proper subset of Σ = {a, b} is also not enough. For example with S = {a} we have

hai> _ ¬ S (hai>) = hai> _ !∅ _ hai?
This formula cannot hold in any cathoristic model which contains a b-labelled transition, but no a-transition from the start state.

Is it possible to identify classes of models that nevertheless verify excluded middle? The answer to this question appears to depend on the chosen notion of semantic model.

12.2 Understanding the expressive strength of cathoristic logic

12.2.1 Comparing cathoristic logic and Hennessy-Milner logic

Section 8.1 investigated the relationship between cathoristic logic and first-order logic. Now we compare cathoristic logic with a logic that is much closer in spirit: Hennessy-Milner logic [17], a multi-modal logic designed to reason about process calculi. Indeed, the present shape of cathoristic logic owes much to Hennessy-Milner logic. We contrast both by translation from the former into the latter. This will reveal, more clearly than the translation into first-order logic, the novelty of cathoristic logic.

Definition 29 Assume a set Σ of symbols, with s ranging over Σ, the formulae of Hennessy-Milner logic are given by the following grammar:

  ::= > | V i2I  i | hsi  | ¬ 

The index set I in the conjunction can be infinite, and needs to be so for applications in process theory.

Definition 30 Models of Hennessy-Milner logic are simply pairs (L, s) where L = (S,!) is a labelled transition system over Σ, and s 2 S. The satisfaction relation (L, s) |=   is given by the following inductive clauses.

(L, s) |= >
(L, s) |= V i2I  i iff for all i 2 I : (L, s) |=  i
(L, s) |= hai  iff there is a s a  ! s 0 such that (l, s0) |=  
(L, s) |= ¬  iff (L, s) 2  

There are two differences between cathoristic logic and Hennessy-Milner logic: one syntactic, the other semantic.

– Syntactically, cathoristic logic has the tantum operator (!) instead of logical negation (¬).
– Semantically, cathoristic models are deterministic, while (typically) models of Hennessy-Milner logic are non-deterministic (although the semantics makes perfect sense for deterministic transition systems, too). Moreover, models of Hennessy-Milner logic lack state labels.

Definition 31 We translate formulae of cathoristic logic into Hennessy-Milner logic using the function [[·]]:

[[>]] = > [[ 1 ^  2]] = [[ 1]] ^ [[ 2]] [[hai ]] = hai[[ ]] [[!A]] = ^ a2Σ\A ¬hai>

If Σ is an infinite set, then the translation of a !-formula will be an infinitary conjunction. If Σ is finite, then the size of the Hennessy-Milner logic formula will be of the order of n * |Σ| larger than the original cathoristic formula, where n is the number of tantum operators occurring in the cathoristic formula. In both logics we use the number of logical operators as a measure of size.

We can also translate cathoristic models by forgetting state-labelling:

[[((S,!, ), s)]] = ((S,!), s)

We continue with an obvious consequence of the translation.

Theorem 10 Let M be a (deterministic or non-deterministic) cathoristic model. Then M |=   implies [[M]] |= [[ ]].

Proof: Straightforward by induction on  . ∎

However, note that the following natural extension is not true under the translation above:

If   |= then [[ ]] |= [[ ]]

To see this, consider an entailment which relies on determinism, such as

$\langle a\rangle\langle b\rangle \land \langle a\rangle\langle c\rangle \models \langle a\rangle(\langle b\rangle \land \langle c\rangle)$

The first entailment is valid in cathoristic logic because of the restriction to deterministic models, but not in Hennessy-Milner logic, where it is invalidated by any model with two outgoing a transitions, one of which satisfies $\langle b\rangle$ and one of which satisfies $\langle c\rangle$.

We can restore the desired connection between cathoristic implication and Hennessy-Milner logic implication in two ways. First we can restrict our attention to deterministic models of Hennessy-Milner logic. The second solution is to add a determinism constraint to our translation.
Given a set   of cathoristic formulae, closed under subformulae, that contains actions from the set A ⊆ Σ, let the determinism constraint for   be:

^ a2A, 2 , 2  ¬ (hai  ^ hai ^ ¬hai(  ^ ))

If we add this sentence as part of our translation [[·]], we do get the desired result that

If   |= then [[ ]] |= [[ ]]

12.2.2 Comparing cathoristic logic with Hennessy-Milner logic and propositional logic

Consider the following six languages:

Language                      Description
PL[^]                         Propositional logic without negation
Hennessy-Milner logic[^]      Hennessy-Milner logic without negation
CL[^, !]                      Cathoristic logic
PL [^,¬]                      Full propositional logic
HML [^,¬]                     Full Hennessy-Milner logic
CL [^, !,¬]                   Cathoristic logic with negation

The top three languages are simple. In each case: there is no facility for expressing disjunction, every formula that is satisfiable has a simplest satisfying model, and there is a simple quadratic-time decision procedure. But there are two ways in which CL[^, !] is more expressive. Firstly, CL[^, !], unlike HML[^], is expressive enough to be able to distinguish between any two models that are not bisimilar, cf. Theorem 11. The second way in which CL[^, !] is significantly more expressive than both PL[^] and HML[^] is in its ability to express incompatibility. No two formulae of PL[^] or HML[^] are incompatible¹⁸ with each other. But many pairs of formulae of CL[^, !] are incompatible. (For example: hai> and !∅). Because CL[^, !] is expressive enough to be able to make incompatible claims, it satisfies Brandom's incompatibility semantics constraint.

¹⁸ The notion of incompatibility applies to all logics: two formulae are incompatible if there is no model which satisfies both.

[Figure: inclusion diagram over PL[^], PL [^,¬], HML[^], HML [^,¬], CL[^, !] and CL [^, !,¬]]
Fig. 15: Conjectured relationships of expressivity between logics. Here L1 ⊆ L2 means that the logic L2 is more expressive than L1. We leave the precise meaning of logical expressivity open.
CL[^, !] is the only logic (we are aware of) with a quadratic-time decision procedure that is expressive enough to respect this constraint.

The bottom three languages can all be decided in super-polynomial time. We claim that Hennessy-Milner logic is more expressive than PL, and CL[^, !,¬] is more expressive than full Hennessy-Milner logic. To see that full Hennessy-Milner logic is more expressive than full propositional logic, fix a propositional logic with the nullary operator > plus an infinite number of propositional atoms P(i,j), indexed by i and j. Now translate each formula of Hennessy-Milner logic via the rules:

[[>]] = > [[  ^ ]] = [[ ]] ^ [[ ]] [[¬ ]] = ¬[[ ]] [[ha i i  j ]] = P(i,j)

We claim Hennessy-Milner logic is more expressive because there are formulae   and of Hennessy-Milner logic such that

  |=HML but [[ ]] 2PL [[ ]]

For example, let   = haihbi> and = hai>. Clearly,   |=HML . But [[ ]] = P(i,j) and [[ ]] = P(i0,j0) for some i, j, i 0 , j 0, and there are no entailments in propositional logic between arbitrary propositional atoms.

We close by stating that CL[^, !,¬] is more expressive than full Hennessy-Milner logic. As mentioned above, the formula !A of cathoristic logic can be translated into Hennessy-Milner logic as:

^ a2Σ A ¬hai>

But if Σ is infinite, then this is an infinitary disjunction. Cathoristic logic can express the same proposition in a finite sentence.

12.3 Acknowledgements

We thank Tom Smith and Giacomo Turbanti for their thoughtful comments.

References

1. S. Abramsky. Computational interpretations of linear logic. TCS, 111, 1993.
2. K. Allan, editor. Concise Encyclopedia of Semantics. Elsevier, 2009.
3. M. Aronoff and J. Rees-Miller, editors. The Handbook of Linguistics. Wiley-Blackwell, 2003.
4. P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge University Press, 2001.
5. R. Brachman and H. Levesque. Knowledge Representation and Reasoning.
Morgan Kaufmann, 2004.
6. R. Brandom. Making It Explicit. Harvard University Press, 1998.
7. R. Brandom. Between Saying and Doing. Oxford University Press, 2008.
8. B. A. Davey and H. A. Priestley. Introduction to Lattices and Order. Cambridge University Press, Cambridge, 1990.
9. D. Davidson. Essays on Actions and Events. Oxford University Press, 1980.
10. H. B. Enderton. A Mathematical Introduction to Logic. Academic Press, 2001.
11. R. Evans. Haskell implementation of cathoristic logic. Available for download from https://github.com/RichardEvans/cathoristic-logic, 2014.
12. R. Evans and E. Short. Versu. http://www.versu.com, available at https://itunes.apple.com/us/app/blood-laurels/id882505676?mt=8.
13. R. Evans and E. Short. Versu: a simulationist storytelling system. IEEE Transactions on Computational Intelligence and AI in Games, 2014.
14. R. Fikes and N. Nilsson. Strips: a new approach to the application of theorem proving to problem solving. Artificial Intelligence, 2, 1971.
15. J.-Y. Girard. Linear logic. TCS, 50, 1987.
16. M. Hennessy. Algebraic theory of processes. MIT Press series in the foundations of computing. MIT Press, 1988.
17. M. Hennessy and R. Milner. Algebraic Laws for Non-Determinism and Concurrency. JACM, 32(1), 1985.
18. K. Honda. A Theory of Types for the π-Calculus. Available at: http://www.dcs.qmul.ac.uk/~kohei/logics, March 2001.
19. K. Honda, V. T. Vasconcelos, and M. Kubo. Language primitives and type disciplines for structured communication-based programming. In Proc. ESOP, volume 1381 of LNCS, pages 22–138, 1998.
20. K. Honda and N. Yoshida. A uniform type structure for secure information flow. SIGPLAN Not., 37:81–92, January 2002.
21. A. O'Keeffe and M. McCarthy, editors. The Routledge Handbook of Corpus Linguistics. Routledge, 2010.
22. J. Peregrin. Logic as based on incompatibility. Available from http://philpapers.org/rec/PERLAB-2, 2010.
23. A. M. Pitts. Nominal Sets: Names and Symmetry in Computer Science.
Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2013.
24. B. Russell. An Inquiry into Meaning and Truth. Norton and Co, 1940.
25. D. Sangiorgi. Introduction to Bisimulation and Coinduction. Cambridge University Press, 2012.
26. V. Sassone, M. Nielsen, and G. Winskel. Models for Concurrency: Towards a Classification. TCS, 170(1-2):297–348, 1996.
27. D. Smith and M. Genesereth. Ordering conjunctive queries. Artificial Intelligence, 26, 1985.
28. F. Sommers. The Logic of Natural Language. Clarendon Press, 1982.
29. K. Takeuchi, K. Honda, and M. Kubo. An Interaction-based Language and its Typing System. In Proc. PARLE, volume 817 of LNCS, pages 398–413, 1994.
30. H. Troelstra, A. S. and Schwichtenberg. Basic proof theory (2nd ed.). Cambridge University Press, 2000.
31. G. Turbanti. Modality in Brandom's Incompatibility Semantics. In Proceedings of the Amsterdam Graduate Conference Truth, Meaning, and Normativity, 2011.
32. D. van Dalen. Logic and Structure. Springer Verlag, 2004.
33. L. Wittgenstein. Philosophische Bemerkungen. Suhrkamp Verlag, 1981. Edited by R. Rhees.
34. L. Wittgenstein. Tractatus logico-philosophicus: Logisch-philosophische Abhandlung. Suhrkamp Verlag, 2003. Originally published: 1921.

A Alternative semantics for cathoristic logic

We use state-labelled transition systems as models for cathoristic logic. The purpose of the labels on states is to express constraints, if any, on outgoing actions. This concern is reflected in the semantics of !A.

((S,!, ), s) |= !A iff  (s) ⊆ A

There is an alternative, and in some sense even simpler approach to giving semantics to !A which does not require state-labelling: we simply check if all actions of all outgoing transitions at the current state are in A. As the semantics of other formula requires state-labelling in its satisfaction condition, this means we can use plain labelled transition systems (together with a current state) as models.
This gives rise to a subtly different theory that we now explore, albeit not in depth.

A.1 Pure cathoristic models

Definition 32 By a pure cathoristic model, ranged over by P,P0, ..., we mean a pair (L, s) where L = (S,!) is a deterministic labelled transition system and s 2 S a state.

Adapting the satisfaction relation to pure cathoristic models is straightforward.

Definition 33 Using pure cathoristic models, the satisfaction relation is defined inductively by the following clauses, where we assume that M = (L, s) and L = (S,!).

M |= >
M |=   ^ iff M |=   and M |=
M |= hai  iff there is a s a ! t such that (L, t) |=  
M |= A iff {a | 9t.s a ! t} ⊆ A

Note that all but the last clause are unchanged from Definition 4. In this interpretation, !A restricts the out-degree of the current state s, i.e. it constrains the 'width' of the graph. It is easy to see that all rules in Figure 12 are sound with respect to the new semantics. The key advantage pure cathoristic models have is their simplicity: they are unadorned labelled transition systems, the key model of concurrency theory [26]. The connection with concurrency theory is even stronger than that, because, as we show below (Theorem 11), the elementary equivalence on (finitely branching) pure cathoristic models is bisimilarity, one of the more widely used notions of process equivalence. This characterisation even holds if we remove the determinacy restriction in Definition 32.

A.2 Relationship between pure and cathoristic models

The obvious way of converting a cathoristic model into a pure cathoristic model is by forgetting about the state-labelling:

((S,!, ), s) 7! ((S,!), s)

Let this function be forget(·). For going the other way, we have two obvious choices:

– ((S,!), s) 7! ((S,!, ), s) where  (t) = Σ for all states t. Call this map max(·).
– ((S,!), s) 7! ((S,!, ), s) where  (t) = {a | 9t0.t a ! t0} for all states t. Call this map min(·).

Lemma 14 Let M be a cathoristic model, and P a pure cathoristic model. 1.
$M \models \phi$ implies $\mathrm{forget}(M) \models \phi$. The reverse implication does not hold.
2. $\max(P) \models \phi$ implies $P \models \phi$. The reverse implication does not hold.
3. $\min(P) \models \phi$ if and only if $P \models \phi$.

Proof: The implication in (1) is immediate by induction on $\phi$. A counterexample for the reverse implication is given by the formula $\phi = {!\{a\}}$ and the cathoristic model $M = ((\{s, t\}, s \xrightarrow{a} t, \lambda), s)$ where $\lambda(s) = \{a, b, c\}$: clearly $\mathrm{forget}(M) \models \phi$, but $M \not\models \phi$.

The implication in (2) is immediate by induction on $\phi$. To construct a counterexample for the reverse implication, assume that $\Sigma$ is a strict superset of $\{a\}$. The formula $\phi = {!\{a\}}$ and the pure cathoristic model $P = ((\{s, t\}, s \xrightarrow{a} t), s)$ satisfy $P \models \phi$, but clearly $\max(P) \not\models \phi$.

Finally, (3) is also straightforward by induction on $\phi$. $\Box$

A.3 Non-determinism and cathoristic models

Both cathoristic models and pure cathoristic models must be deterministic. That is important for the incompatibility semantics. However, formally, the definition of satisfaction makes sense for non-deterministic models as well, pure or otherwise. Such models are important in the theory of concurrent processes.

Many of the theorems of the previous section either hold directly, or with small modifications for non-deterministic models. The rules of inference in Figure 12 are sound except for [Determinism] which cannot hold in properly non-deterministic models. With this omission, they are also complete. Elementary equivalence on non-deterministic cathoristic models also coincides with mutual simulation, while elementary equivalence on non-deterministic pure cathoristic models is bisimilarity. The proofs of both facts follow those of Theorems 1 and 11, respectively. Compactness by translation can be shown following the proof in Section 8, except that the constraint $\phi_{det}$ is unnecessary.

We have experimented with a version of cathoristic logic in which the models are non-deterministic labelled-transition systems.
Although non-determinism makes some of the constructions simpler, non-deterministic cathoristic logic is unable to express incompatibility properly. Consider, for example, the claim that

Jack is married¹⁹ to Jill

In standard deterministic cathoristic logic this would be rendered as:

$$\langle jack \rangle \langle married \rangle (\langle jill \rangle \land {!\{jill\}})$$

There are three levels at which this claim can be denied. First, we can claim that Jack is married to someone else, Joan, say:

$$\langle jack \rangle \langle married \rangle (\langle joan \rangle \land {!\{joan\}})$$

Second, we can claim that Jack is unmarried (specifically, that being unmarried is Jack's only property):

$$\langle jack \rangle {!\{unmarried\}}$$

Third, we can claim that Jack does not exist at all. Bob and Jill, for example, are the only people in our domain:

$$!\{bob, jill\}$$

Now we can assert the same sentences in non-deterministic cathoristic logic, but they are no longer incompatible with our original sentence. In non-deterministic cathoristic logic, the following sentences are compatible (as long as there are two separate transitions labelled with married, or two separate transitions labelled with jack):

$$\langle jack \rangle \langle married \rangle (\langle jill \rangle \land {!\{jill\}})$$
$$\langle jack \rangle \langle married \rangle (\langle joan \rangle \land {!\{joan\}})$$

¹⁹ We assume, in this discussion, that married is a many-to-one predicate. We assume that polygamy is one person attempting to marry two people (but failing to marry the second).

Similarly, the following sentences are fully compatible as long as there are two separate transitions labelled with jack:

$$\langle jack \rangle \langle married \rangle$$
$$\langle jack \rangle {!\{unmarried\}}$$

Relatedly, non-deterministic cathoristic logic does not satisfy Brandom's incompatibility semantics property:

$$\phi \models \psi \quad \text{iff} \quad I(\psi) \subseteq I(\phi)$$

To take a simple counter-example, $\langle a \rangle \langle b \rangle$ implies $\langle a \rangle$, but not conversely. But in non-deterministic cathoristic logic, the set of sentences incompatible with $\langle a \rangle \langle b \rangle$ is identical with the set of sentences incompatible with $\langle a \rangle$.
A.4 Semantic characterisation of elementary equivalence

In Section 6.1 we presented a semantic analysis of elementary equivalence, culminating in Theorem 1 which showed that elementary equivalence coincides with $\simeq$, the relation of mutual simulation of models. We shall now carry out a similar analysis for pure cathoristic models, and show that elementary equivalence coincides with bisimilarity, an important concept in process theory and modal logics [25]. Bisimilarity is strictly finer on non-deterministic transition systems than $\simeq$, and more sensitive to branching structure. In the rest of this section, we allow non-deterministic pure models, because the characterisation is more interesting than in the deterministic case.

Definition 34 A pure cathoristic model $(L, s)$ is finitely branching if its underlying transition system $L$ is finitely branching.

Definition 35 A binary relation $R$ is a bisimulation between pure cathoristic models $P_i = (L_i, s_i)$ for $i = 1, 2$ provided (1) $R$ is a bisimulation between $L_1$ and $L_2$, and (2) $(s_1, s_2) \in R$. We say $P_1$ and $P_2$ are bisimilar, written $P_1 \sim P_2$, if there is a bisimulation between $P_1$ and $P_2$.

Definition 36 The theory of $P$, written $\mathrm{Th}(P)$, is the set $\{\phi \mid P \models \phi\}$.

Theorem 11 Let $P$ and $P'$ be two finitely branching pure cathoristic models. Then: $P \sim P'$ if and only if $\mathrm{Th}(P) = \mathrm{Th}(P')$.

Proof: Let $P = (L, w)$ and $P' = (L', w')$ be finitely branching, where $L = (W, \rightarrow)$ and $L' = (W', \rightarrow')$. We first show the left to right direction, so assume that $P \sim P'$. The proof is by induction on formulae. The only case which differs from the standard Hennessy-Milner theorem is the case for $!A$, so this is the only case we shall consider. Assume $w \sim w'$ and $w \models {!A}$. We need to show $w' \models {!A}$. From the semantic clause for $!$, $w \models {!A}$ implies $\lambda(w) \subseteq A$. If $w \sim w'$, then $\lambda(w) = \lambda'(w')$. Therefore $\lambda'(w') \subseteq A$, and hence $w' \models {!A}$.

The proof for the other direction is more involved. For states $x \in W$ and $x' \in W'$, we write $x \equiv x'$ iff $\mathrm{Th}((L, x)) = \mathrm{Th}((L', x'))$.
We define the bisimilarity relation:

$$Z = \{(x, x') \in W \times W' \mid x \equiv x'\}$$

To prove $w \sim w'$, we need to show:

– $(w, w') \in Z$. This is immediate from the definition of $Z$.
– The relation $Z$ respects the transition-restrictions: if $(x, x') \in Z$ then $\lambda(x) = \lambda'(x')$.
– The forth condition: if $(x, x') \in Z$ and $x \xrightarrow{a} y$, then there exists a $y'$ such that $x' \xrightarrow{a} y'$ and $(y, y') \in Z$.
– The back condition: if $(x, x') \in Z$ and $x' \xrightarrow{a} y'$, then there exists a $y$ such that $x \xrightarrow{a} y$ and $(y, y') \in Z$.

To show that $(x, x') \in Z$ implies $\lambda(x) = \lambda'(x')$, we will argue by contraposition. Assume $\lambda(x) \neq \lambda'(x')$. Then either $\lambda'(x') \nsubseteq \lambda(x)$ or $\lambda(x) \nsubseteq \lambda'(x')$. If $\lambda'(x') \nsubseteq \lambda(x)$, then $x' \not\models {!\lambda(x)}$. But $x \models {!\lambda(x)}$, so $x$ and $x'$ satisfy different sets of propositions and are not equivalent. Similarly, if $\lambda(x) \nsubseteq \lambda'(x')$ then $x \not\models {!\lambda'(x')}$. But $x' \models {!\lambda'(x')}$, so again $x$ and $x'$ satisfy different sets of propositions and are not equivalent.

We will show the forth condition in detail. The back condition is very similar. To show the forth condition, assume that $x \xrightarrow{a} y$ and that $(x, x') \in Z$ (i.e. $x \equiv x'$). We need to show that $\exists y'$ such that $x' \xrightarrow{a} y'$ and $(y, y') \in Z$ (i.e. $y \equiv y'$).

Consider the set of $y'_i$ such that $x' \xrightarrow{a} y'_i$. Since $x \xrightarrow{a} y$, $x \models \langle a \rangle \top$, and as $x \equiv x'$, $x' \models \langle a \rangle \top$, so we know this set is non-empty. Further, since $(W', \rightarrow')$ is finitely-branching, there is only a finite set of such $y'_i$, so we can list them $y'_1, \ldots, y'_n$, where $n \geq 1$.

Now, in the Hennessy-Milner theorem for Hennessy-Milner logic, the proof proceeds as follows: assume, for reductio, that of the $y'_1, \ldots, y'_n$, there is no $y'_i$ such that $y \equiv y'_i$. Then, by the definition of $\equiv$, there must be formulae $\phi_1, \ldots, \phi_n$ such that for all $i$ in 1 to $n$:

$$y'_i \models \phi_i \quad \text{and} \quad y \not\models \phi_i$$

Now consider the formula:

$$[a](\phi_1 \lor \ldots \lor \phi_n)$$

As each $y'_i \models \phi_i$, $x' \models [a](\phi_1 \lor \ldots \lor \phi_n)$, but $x$ does not satisfy this formula, as each $\phi_i$ is not satisfied at $y$.
Since there is a formula which $x$ and $x'$ do not agree on, $x$ and $x'$ are not equivalent, contradicting our initial assumption.

But this proof cannot be used in cathoristic logic because it relies on a formula $[a](\phi_1 \lor \ldots \lor \phi_n)$ which cannot be expressed in cathoristic logic: cathoristic logic does not include the box operator or disjunction, so this formula is ruled out on two accounts. But we can massage it into a form which is more amenable to cathoristic logic's expressive resources:

$$[a](\phi_1 \lor \ldots \lor \phi_n) = \neg \langle a \rangle \neg (\phi_1 \lor \ldots \lor \phi_n) = \neg \langle a \rangle (\neg \phi_1 \land \ldots \land \neg \phi_n)$$

Further, if the original formula $[a](\phi_1 \lor \ldots \lor \phi_n)$ is true in $x'$ but not in $x$, then its negation will be true in $x$ but not in $x'$. So we have the following formula, true in $x$ but not in $x'$:

$$\langle a \rangle (\neg \phi_1 \land \ldots \land \neg \phi_n)$$

The reason for massaging the formula in this way is so we can express it in cathoristic logic (which does not have the box operator or disjunction). At this moment, the revised formula is still outside cathoristic logic because it uses negation. But we are almost there: the remaining negation is in innermost scope, and innermost scope negation can be simulated in cathoristic logic by the $!$ operator.

We are assuming, for reductio, that of the $y'_1, \ldots, y'_n$, there is no $y'_i$ such that $y \equiv y'_i$. But in cathoristic logic without negation, we cannot assume that each $y'_i$ has a formula $\phi_i$ which is satisfied by $y'_i$ but not by $y$; it might instead be the other way round: $\phi_i$ may be satisfied by $y$ but not by $y'_i$. So, without loss of generality, assume that $y'_1, \ldots, y'_m$ fail to satisfy formulae $\phi_1, \ldots, \phi_m$ which $y$ does satisfy, and that $y'_{m+1}, \ldots, y'_n$ satisfy formulae $\phi_{m+1}, \ldots, \phi_n$ which $y$ does not:

$$\begin{array}{ll}
y \models \phi_i \text{ and } y'_i \not\models \phi_i & i = 1 \text{ to } m \\
y \not\models \phi_j \text{ and } y'_j \models \phi_j & j = m+1 \text{ to } n
\end{array}$$

The formula we will use to distinguish between $x$ and $x'$ is:

$$\langle a \rangle \Big( \bigwedge_{i=1}^{m} \phi_i \land \bigwedge_{j=m+1}^{n} \mathrm{neg}(y, \phi_j) \Big)$$

Here, $\mathrm{neg}$ is a meta-language function that, given a state $y$ and a formula $\phi_j$, returns a formula that is true in $y$ but incompatible with $\phi_j$.
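We will show that, since $y \not\models \phi_j$, it is always possible to construct $\mathrm{neg}(y, \phi_j)$ using the $!$ operator. Consider the possible forms of $\phi_j$:

– $\top$: this case cannot occur since all models satisfy $\top$.
– $\phi_1 \land \phi_2$: we know $y'_j \models \phi_1 \land \phi_2$ and $y \not\models \phi_1 \land \phi_2$. There are three possibilities:
  1. $y \not\models \phi_1$ and $y \models \phi_2$. In this case, $\mathrm{neg}(y, \phi_1 \land \phi_2) = \mathrm{neg}(y, \phi_1) \land \phi_2$.
  2. $y \models \phi_1$ and $y \not\models \phi_2$. In this case, $\mathrm{neg}(y, \phi_1 \land \phi_2) = \phi_1 \land \mathrm{neg}(y, \phi_2)$.
  3. $y \not\models \phi_1$ and $y \not\models \phi_2$. In this case, $\mathrm{neg}(y, \phi_1 \land \phi_2) = \mathrm{neg}(y, \phi_1) \land \mathrm{neg}(y, \phi_2)$.
– $!A$: if $y \not\models {!A}$ and $y'_j \models {!A}$, then there is an action $a \in \Sigma \setminus A$ such that $y \xrightarrow{a} z$ for some $z$ but there is no such $z$ such that $y'_j \xrightarrow{a} z$. In this case, let $\mathrm{neg}(y, \phi_j) = \langle a \rangle \top$.
– $\langle a \rangle \psi$. There are two possibilities:
  1. $y \models \langle a \rangle \top$. In this case, $\mathrm{neg}(y, \langle a \rangle \psi) = \bigwedge_{y \xrightarrow{a} z} \langle a \rangle \mathrm{neg}(z, \psi)$.
  2. $y \not\models \langle a \rangle \top$. In this case, $\mathrm{neg}(y, \langle a \rangle \psi) = {!\{b \mid \exists z.\ y \xrightarrow{b} z\}}$. This set of $b$s is finite since we are assuming the transition system is finitely-branching. $\Box$

Fig. 16: Worked example of neg. Left: $y \xrightarrow{a} z_1 \xrightarrow{b} w_1$ and $y \xrightarrow{a} z_2 \xrightarrow{c} w_2$. Right: $y'_j \xrightarrow{a} z'$ with $z' \xrightarrow{b} w'_1$ and $z' \xrightarrow{c} w'_2$. Note that the transition system on the left is non-deterministic.

We continue with a worked example of $\mathrm{neg}$. Consider $y$ and $y'_j$ as in Figure 16. One formula that is true in $y'_j$ but not in $y$ is

$$\langle a \rangle (\langle b \rangle \top \land \langle c \rangle \top)$$

Now:

$$\begin{array}{rl}
& \mathrm{neg}(y, \langle a \rangle (\langle b \rangle \top \land \langle c \rangle \top)) \\
= & \bigwedge_{y \xrightarrow{a} z} \langle a \rangle \mathrm{neg}(z, \langle b \rangle \top \land \langle c \rangle \top) \\
= & \langle a \rangle \mathrm{neg}(z_1, \langle b \rangle \top \land \langle c \rangle \top) \land \langle a \rangle \mathrm{neg}(z_2, \langle b \rangle \top \land \langle c \rangle \top) \\
= & \langle a \rangle (\langle b \rangle \top \land \mathrm{neg}(z_1, \langle c \rangle \top)) \land \langle a \rangle \mathrm{neg}(z_2, \langle b \rangle \top \land \langle c \rangle \top) \\
= & \langle a \rangle (\langle b \rangle \top \land \mathrm{neg}(z_1, \langle c \rangle \top)) \land \langle a \rangle (\mathrm{neg}(z_2, \langle b \rangle \top) \land \langle c \rangle \top) \\
= & \langle a \rangle (\langle b \rangle \top \land {!\{b\}}) \land \langle a \rangle (\mathrm{neg}(z_2, \langle b \rangle \top) \land \langle c \rangle \top) \\
= & \langle a \rangle (\langle b \rangle \top \land {!\{b\}}) \land \langle a \rangle ({!\{c\}} \land \langle c \rangle \top)
\end{array}$$

The resulting formula is true in $y$ but not in $y'_j$.

B Omitted proofs

B.1 Proof of Lemma 5

If $M \models \phi$ then $M \preceq \mathrm{simpl}(\phi)$.

Proof: We shall show $\mathrm{Th}(\mathrm{simpl}(\phi)) \subseteq \mathrm{Th}(M)$. The desired result will then follow by applying Theorem 1. We shall show that

If $M \models \phi$ then $\mathrm{Th}(\mathrm{simpl}(\phi)) \subseteq \mathrm{Th}(M)$

by induction on $\phi$. In all the cases below, let $\mathrm{simpl}(\phi) = (L, w)$ and let $M = (L', w')$. The case where $\phi = \top$ is trivial. Next, assume $\phi = \langle a \rangle \psi$.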
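We know $M \models \langle a \rangle \psi$ and need to show that $\mathrm{Th}(\mathrm{simpl}(\langle a \rangle \psi)) \subseteq \mathrm{Th}(M)$. Since $(L', w') \models \langle a \rangle \psi$, there is an $x'$ such that $w' \xrightarrow{a} x'$ and $(L', x') \models \psi$. Now from the definition of $\mathrm{simpl}()$, $\mathrm{simpl}(\langle a \rangle \psi)$ is a model combining $\mathrm{simpl}(\psi)$ with a new state $w$ not appearing in $\mathrm{simpl}(\psi)$ with an arrow $w \xrightarrow{a} x$ (where $x$ is the start state in $\mathrm{simpl}(\psi)$), and $\lambda(w) = \Sigma$. Consider any sentence $\xi$ such that $\mathrm{simpl}(\langle a \rangle \psi) \models \xi$. Given the construction of $\mathrm{simpl}(\langle a \rangle \psi)$, $\xi$ must be a conjunction of $\top$ and formulae of the form $\langle a \rangle \tau$. In the first case, $(L', x')$ satisfies $\top$; in the second case, $(L', x') \models \tau$ by the induction hypothesis and hence $(L', w') \models \langle a \rangle \tau$.

Next, consider the case where $\phi = {!A}$, for some finite set $A \subset \Sigma$. From the definition of $\mathrm{simpl}()$, $\mathrm{simpl}(!A)$ is a model with one state $s$, no transitions, with $\lambda(s) = A$. Now the only formulae that are true in $\mathrm{simpl}(!A)$ are conjunctions of $\top$ and $!B$, for supersets $B \supseteq A$. If $M \models {!A}$ then by the semantic clause for $!$, $\lambda'(w') \subseteq A$, hence $M$ models all the formulae that are true in $\mathrm{simpl}(!A)$.

Finally, consider the case where $\phi = \psi_1 \land \psi_2$. Assume $M \models \psi_1$ and $M \models \psi_2$. We assume, by the induction hypothesis, that $\mathrm{Th}(\mathrm{simpl}(\psi_1)) \subseteq \mathrm{Th}(M)$ and $\mathrm{Th}(\mathrm{simpl}(\psi_2)) \subseteq \mathrm{Th}(M)$. We need to show that $\mathrm{Th}(\mathrm{simpl}(\psi_1 \land \psi_2)) \subseteq \mathrm{Th}(M)$. By the definition of $\mathrm{simpl}()$, $\mathrm{simpl}(\psi_1 \land \psi_2) = \mathrm{simpl}(\psi_1) \sqcap \mathrm{simpl}(\psi_2)$. If $\mathrm{simpl}(\psi_1)$ and $\mathrm{simpl}(\psi_2)$ are inconsistent (see the definition of inconsistent in Section 6.4) then $M = \bot$. In this case, $\mathrm{Th}(\mathrm{simpl}(\psi_1) \land \mathrm{simpl}(\psi_2)) \subseteq \mathrm{Th}(\bot)$. If, on the other hand, $\mathrm{simpl}(\psi_1)$ and $\mathrm{simpl}(\psi_2)$ are not inconsistent, we shall show that $\mathrm{Th}(\mathrm{simpl}(\psi_1 \land \psi_2)) \subseteq \mathrm{Th}(M)$ by reductio. Assume a formula $\xi$ such that $\mathrm{simpl}(\psi_1 \land \psi_2) \models \xi$ but $M \not\models \xi$. Now $\xi \neq \top$ because all models satisfy $\top$. $\xi$ cannot be of the form $\langle a \rangle \tau$ because, by the construction of merge (see Section 6.4), all transitions in $\mathrm{simpl}(\psi_1 \land \psi_2)$ are transitions from $\mathrm{simpl}(\psi_1)$ or $\mathrm{simpl}(\psi_2)$ and we know from the inductive hypothesis that $\mathrm{Th}(\mathrm{simpl}(\psi_1)) \subseteq \mathrm{Th}(M)$ and $\mathrm{Th}(\mathrm{simpl}(\psi_2)) \subseteq \mathrm{Th}(M)$.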
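$\xi$ cannot be $!A$ for some $A \subset \Sigma$, because, from the construction of merge, all state-labellings in $\mathrm{simpl}(\psi_1 \land \psi_2)$ are no more specific than the corresponding state-labellings in $\mathrm{simpl}(\psi_1)$ and $\mathrm{simpl}(\psi_2)$, and we know from the inductive hypothesis that $\mathrm{Th}(\mathrm{simpl}(\psi_1)) \subseteq \mathrm{Th}(M)$ and $\mathrm{Th}(\mathrm{simpl}(\psi_2)) \subseteq \mathrm{Th}(M)$. Finally, $\xi$ cannot be $\xi_1 \land \xi_2$ because the same argument applies to $\xi_1$ and $\xi_2$ individually. We have exhausted the possible forms of $\xi$, so conclude that there is no formula $\xi$ such that $\mathrm{simpl}(\psi_1 \land \psi_2) \models \xi$ but $M \not\models \xi$. Hence $\mathrm{Th}(\mathrm{simpl}(\psi_1 \land \psi_2)) \subseteq \mathrm{Th}(M)$. $\Box$

B.2 Proof of Lemma 6

If $\phi \models \psi$ then $\mathrm{simpl}(\phi) \preceq \mathrm{simpl}(\psi)$.

Proof: By Theorem 1, $\mathrm{simpl}(\phi) \preceq \mathrm{simpl}(\psi)$ iff $\mathrm{Th}(\mathrm{simpl}(\psi)) \subseteq \mathrm{Th}(\mathrm{simpl}(\phi))$. Assume $\phi \models \psi$, and assume $\xi \in \mathrm{Th}(\mathrm{simpl}(\psi))$. We must show $\xi \in \mathrm{Th}(\mathrm{simpl}(\phi))$. Now $\mathrm{simpl}()$ is constructed so that:

$$\mathrm{simpl}(\psi) = \bigsqcup \{M \mid M \models \psi\}$$

So $\xi \in \mathrm{Th}(\mathrm{simpl}(\psi))$ iff for all models $M$, $M \models \psi$ implies $M \models \xi$. We must show that $M \models \phi$ implies $M \models \xi$ for all models $M$. Assume $M \models \phi$. Then since $\phi \models \psi$, $M \models \psi$. But since $\xi \in \mathrm{Th}(\mathrm{simpl}(\psi))$, $M \models \xi$ also. $\Box$

B.3 Proof of Lemma 7

If $I(\psi) \subseteq I(\phi)$ then $J(\mathrm{simpl}(\psi)) \subseteq J(\mathrm{simpl}(\phi))$.

Proof: Assume $I(\psi) \subseteq I(\phi)$ and $M \sqcap \mathrm{simpl}(\psi) = \bot$. We need to show $M \sqcap \mathrm{simpl}(\phi) = \bot$. If $I(\psi) \subseteq I(\phi)$ then for all formulae $\xi$, if $\mathrm{simpl}(\xi) \sqcap \mathrm{simpl}(\psi) = \bot$ then $\mathrm{simpl}(\xi) \sqcap \mathrm{simpl}(\phi) = \bot$. Let $\xi$ be $\mathrm{char}(M)$. Given that $M \sqcap \mathrm{simpl}(\psi) = \bot$ and $\mathrm{simpl}(\mathrm{char}(M)) \preceq M$, $\mathrm{simpl}(\mathrm{char}(M)) \sqcap \mathrm{simpl}(\psi) = \bot$. Then as $I(\psi) \subseteq I(\phi)$, $\mathrm{simpl}(\mathrm{char}(M)) \sqcap \mathrm{simpl}(\phi) = \bot$. Now as $M \preceq \mathrm{simpl}(\mathrm{char}(M))$, $M \sqcap \mathrm{simpl}(\phi) = \bot$. $\Box$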
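
The satisfaction relation of Definition 33 and the neg construction from the proof of Theorem 11 (Appendix A.4), run on the two transition systems of Figure 16, as an added example that is not part of the paper. The tuple encoding of formulae, the function names and the state names `yj` and `z` are assumptions of this sketch.

```python
# Formulae as tuples: ("top",), ("and", f, g), ("may", a, f) for <a>f, ("bang", A) for !A.
TOP = ("top",)

def succ(lts, s, a):
    """States reachable from s by one transition labelled a."""
    return [t for (b, t) in lts.get(s, []) if b == a]

def actions(lts, s):
    """Labels of all transitions leaving s."""
    return frozenset(b for (b, _) in lts.get(s, []))

def sat(lts, s, f):
    """Satisfaction on a pure model (lts, s), clause by clause as in Definition 33."""
    if f[0] == "top":
        return True
    if f[0] == "and":
        return sat(lts, s, f[1]) and sat(lts, s, f[2])
    if f[0] == "may":
        return any(sat(lts, t, f[2]) for t in succ(lts, s, f[1]))
    if f[0] == "bang":
        return actions(lts, s) <= f[1]
    raise ValueError(f"unknown formula: {f!r}")

def neg(lts, y, f):
    """Negation-free formula true at y, built by the case analysis of the proof."""
    if sat(lts, y, f):
        raise ValueError("neg(y, f) is only defined when y does not satisfy f")
    if f[0] == "and":  # keep the conjuncts y satisfies, recurse into the others
        left = f[1] if sat(lts, y, f[1]) else neg(lts, y, f[1])
        right = f[2] if sat(lts, y, f[2]) else neg(lts, y, f[2])
        return ("and", left, right)
    if f[0] == "bang":  # y has an action outside A; min() makes the choice deterministic
        return ("may", min(actions(lts, y) - f[1]), TOP)
    a, g = f[1], f[2]  # remaining case: f = <a>g
    zs = succ(lts, y, a)
    if not zs:  # y has no a-transition: state exactly which actions y does have
        return ("bang", actions(lts, y))
    out = ("may", a, neg(lts, zs[0], g))  # no a-successor satisfies g, so recurse on each
    for z in zs[1:]:
        out = ("and", out, ("may", a, neg(lts, z, g)))
    return out

def show(f):
    """Render a formula in the paper's notation."""
    if f[0] == "top":
        return "⊤"
    if f[0] == "and":
        return f"{show(f[1])} ∧ {show(f[2])}"
    if f[0] == "may":
        inner = show(f[2])
        return f"⟨{f[1]}⟩({inner})" if f[2][0] == "and" else f"⟨{f[1]}⟩{inner}"
    return "!{" + ", ".join(sorted(f[1])) + "}"

# Figure 16 transcribed as adjacency lists; LEFT is non-deterministic at y.
LEFT = {"y": [("a", "z1"), ("a", "z2")], "z1": [("b", "w1")], "z2": [("c", "w2")]}
RIGHT = {"yj": [("a", "z")], "z": [("b", "w1"), ("c", "w2")]}
F = ("may", "a", ("and", ("may", "b", TOP), ("may", "c", TOP)))
D = neg(LEFT, "y", F)
print(show(F), "holds at yj only;", show(D), "holds at y only")
```
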