Anselm's God in Isabelle/HOL Ben Blumson September 18, 2017 Contents 1 Introduction 1 2 Free Logic 2 3 Definite Descriptions 3 4 Anselm's Argument 4 5 The Prover9 Argument 6 6 Soundness 7 7 Conclusion 7 8 Acknowledgements 8 1 Introduction theory AnselmGod imports Main begin This paper presents an automated verification of Anselm's ontological argument, as reconstructed by Paul Oppenheimer and Edward Zalta [5], in Isabelle/HOL, an interactive theorem prover for higher-order logic. Previously, the argument has being automated by Oppenheimer and Zalta in Prover9 [6], an automated theorem prover for first-order logic, and by John Rushby in PVS [8], an automated theorem prover for higher-order logic. Automations of other versions of the argument include [1], [9] and [3]. My purpose here is to present a basis for comparison in the spirit of [10], which compares automated proofs of the irrationality of √ 2. Oppenheimer and Zalta's reconstruction is based on the idea of treating 'that than which nothing greater can be conceived' as a definite description, 1 and treating definite descriptions as singular terms. But in Isabelle/HOL all terms, including definite descriptions, are assumed to denote. So the main task is to embed a free logic for definite descriptions within Isabelle/HOL. (Previously, a free logic has been embedded into Isabelle/HOL by Christoph Benzmuller and Dana Scott [2]. But theirs differs from Zalta and Oppenheimer's in several ways). Once Isabelle/HOL is equipped with free definite descriptions, reconstructing the argument is straightforward. 2 Free Logic Isabelle treats definite descriptions as singular terms of the form THE x . φ x. However, all terms in Isabelle are assumed to denote, and so from universal elimination we have the validity of the argument form: lemma ∀ x . ψ x =⇒ ψ (THE x . φ x ) by (rule allE ) In the presence of definite descriptions which do not denote, this argument form is invalid; for example, from 'everyone has hair' we should not infer 'the present King of France has hair', since the present King of France does not exist. This problem can be avoided by introducing a null individual n to serve as the reference of non-denoting definite descriptions, as follows: typedecl i - the type of individuals consts n:: i (n) - the null individual Then the universal and particular quantifiers can be restricted to individuals excluding the null-individual as follows, where the new free quantifiers are distinguished from the classical quantifiers by bold type: abbreviation universal-quantifier :: (i ⇒ bool) ⇒ bool (∀ ) where ∀ φ ≡ ∀ x ::i . (¬ x = n −→ φ x ) abbreviation universal-syntax :: (i ⇒ bool) ⇒ bool (binder ∀ [8 ] 9 ) where ∀ x . φ x ≡ ∀ φ abbreviation particular-quantifier :: (i ⇒ bool) ⇒ bool (∃ ) where ∃ φ ≡ ∃ x ::i . (x 6= n ∧ φ x ) abbreviation particular-syntax :: (i ⇒ bool) ⇒ bool (binder ∃ [8 ] 9 ) where ∃ x . φ x ≡ ∃ φ Note that the quantifiers here range over both existent and non-existent individuals, whereas the quantifiers in [2] range only over existent individuals. In the free logic employed by Oppenheimer and Zalta, statements of identity in which terms do not denote are always false [5], p. 511. So the domain of the identity relation should be restricted to exclude the null-individual: abbreviation identity :: i ⇒ i ⇒ bool (is) 2 where is x y ≡ x 6= n ∧ x = y abbreviation identity-syntax :: i ⇒ i ⇒ bool (infix = 50 ) where x = y ≡ is x y Once identity is introduced, the uniqueness quantifier can then be defined in the usual way: abbreviation uniqueness-quantifier :: (i ⇒ bool) ⇒ bool (unique) where unique φ ≡ (∃ x ::i . φ x ∧ (∀ y ::i . φ y −→ x = y)) abbreviation uniqueness-syntax :: (i ⇒ bool) ⇒ bool (binder unique [8 ] 9 ) where unique x . φ x ≡ unique φ Finally, the logic employed by Oppenheimer and Zalta is a negative free logic, in that applications of atomic predicates to non-denoting terms are always false [5], p. 511. So it's necessary to introduce a higher-order predicate distinguishing between atomic and non-atomic predicates, and to introduce an axiom stipulating that no atomic predicate is true of the null individual: consts atomic-predicates:: (i ⇒ bool) ⇒ bool (atomic) axiomatization where negativity-constraint : atomic φ =⇒ ¬ φ n In addition, it has to be stated that identity is atomic: axiomatization where identity-atomic: ∧ x . atomic (is x ) One of the most controversial premises of the ontological argument is that 'exists' is a genuine or atomic predicate. But surprisingly, we shall see below that the argument does not require this premise. 3 Definite Descriptions The main idea of Oppenheimer and Zalta's reconstruction of the ontological argument is to treat definite descriptions as genuine singular terms, which leads to the following syntax in Isabelle/HOL: consts definite-description:: (i ⇒ bool) ⇒ i (τ ) abbreviation description-syntax :: (i ⇒ bool) ⇒ i (binder τ [8 ] 9 ) where τ x . φ x ≡ τ φ In Oppenheimer and Zalta's reconstruction of the argument, definite descriptions are governed by the Russellian axiom schema [5], p. 513: axiomatization where description-axiom: atomic ψ =⇒ ψ (τ x . φ x ) ≡ (∃ x . φ x ∧ (∀ y . φ y −→ x = y) ∧ ψ x ) From this axiom schema, Oppenheimer and Zalta derive two intermediary theorems to be used in the reconstruction of their argument [5], pp. 513-4. According to the first: theorem description-theorem-1 : unique x . φ x =⇒ ∃ y . y = (τ x . φ x ) using description-axiom identity-atomic by blast 3 The second theorem follows directly from the following lemma: lemma lemma-1 : a = (τ x . φ x ) =⇒ φ (τ x . φ x ) using description-axiom identity-atomic by blast theorem description-theorem-2 : ∃ x . x = (τ x . φ x ) =⇒ φ (τ x . φ x ) by (simp add : lemma-1 ) In the course of verifying the argument using Prover9, Oppenheimer and Zalta discovered a simplified proof which uses instead [6], p. 345: theorem description-theorem-3 : atomic ψ =⇒ ψ (τ x . φ x ) =⇒ ∃ y . y = (τ x . φ x ) using negativity-constraint by fastforce Notice that it is only this last theorem which presupposes the negativity constraint, whereas the first two theorems depend only on the atomicity of identity. 4 Anselm's Argument The argument proper employs the following non-logical vocabulary: consts existence:: i ⇒ bool (E ) - exists in reality consts greater-than:: i⇒i⇒bool (G) - is greater than consts conceivable:: i⇒bool (C ) - exists in the understanding Note that E a is not intended by Oppenheimer and Zalta to be equivalent to ∃ x . a = x since according to their reading of the argument, some things do not exist in reality [5], p. 514. Finally, the presentation of the argument is simplified by introducing the following abbreviation for the predicate 'is a being greater than which none can be conceived': abbreviation none-greater-than :: i⇒bool (Φ) where Φ x ≡ (C x ∧ ¬(∃ y . G y x ∧ C y)) With this vocabulary in place, a name for God can be introduced as an abbreviation for the description 'the being greater than which none can be conceived': definition g :: i where g ≡ (τ x . Φ x ) In Oppenheimer and Zalta's presentation every name is assumed to denote, so a name for God cannot be introduced until it is proved that the description τx . Φ x denotes [5], p, 520. But since it's not assumed in this presentation that every name denotes or, in other words, since it's not assumed that no names denote the null individual, it's not necessary to postpone this step. 4 The final quasi-logical premise in Oppenheimer and Zalta's reconstruction of the argument is the connectivity of 'is greater than', which is used in the proof of the following lemma [5], p. 518: lemma lemma-2 : assumes connectivity : ∀ x . ∀ y . G x y ∨ G y x ∨ x = y shows ∃ x . Φ x =⇒ unique x . Φ x using connectivity by blast Note that connectivity disallows any ties with respect to greatness. This is implausible, since you and I, for example, may be equally great, without being the same person. So connectivity should not be thought of as merely stipulative, and a weaker premise would be desirable. With this vocabulary in place, Anselm's ontological argument, as reconstructed by Oppenheimer and Zalta, can be stated as follows: theorem assumes premise-1 : ∃ x . Φ x - there exists in the understanding a being greater than which none can be conceived and premise-2 : ¬ E (τ x . Φ x ) −→ (∃ y . G y (τ x . Φ x ) ∧ C y) - if the being greater than which none can be conceived does not exist in reality, then a being exists in the understanding which is greater than the being greater than which none can be conceived and connectivity : ∀ x . ∀ y . G x y ∨ G y x ∨ x = y shows E g - God exists. Isabelle can verify the argument in one line with the command using premise-1 premise-2 connectivity lemma-1 g-def description-theorem-1 by smt. But since proofs in Isabelle using smt are currently considered impermanent, I instead give Zalta and Oppenheimer's handwritten proof [6], p. 337: proof (rule ccontr) assume atheism: ¬ E g from premise-1 and connectivity and lemma-2 have unique x . Φ x by simp with description-theorem-1 have ∃ y . y = (τ x . Φ x ) by simp with description-theorem-2 have Φ (τ x . Φ x ) by simp hence god-is-greatest : ¬(∃ y . G y (τ x . Φ x ) ∧ C y) by (rule conjE ) from atheism and premise-2 and g-def have (∃ y . G y (τ x . Φ x ) ∧ C y) by simp with god-is-greatest show False.. qed Note that neither Oppenheimer and Zalta's proof nor the one line smt proof depend on the negativity constraint or whether any of the non-logical vocabulary is atomic (though they do depend indirectly on the atomicity of identity). 5 5 The Prover9 Argument In the course of verifying the argument using Prover9, Oppenheimer and Zalta discovered a simplified version which employs only premise-2, but not premise-1 or the connectivity of 'greater than' [6]. theorem assumes premise-2 : ¬ E (τ x . Φ x ) −→ (∃ y . G y (τ x . Φ x ) ∧ C y) shows E g nitpick [user-axioms] oops However, Isabelle not only fails to verify this argument, but finds a counterexample using nitpick. The reason is that it needs to be specified that 'greater than' is atomic, in order for description-theorem-3 to be applicable: theorem Prover9Argument : assumes premise-2 : ¬ E (τ x . Φ x ) −→ (∃ y . G y (τ x . Φ x ) ∧ C y) and G-atomic: ∧ x . atomic (G x ) shows E g Once the atomicity of 'greater than' is added as a premise, a call to sledgehammer suggests the following two-step proof, which Isabelle verifies easily: proof − have C g ∧ (∀ i . i = n ∨ ¬ G i g ∨ ¬ C i) ∨ n = g by (metis (lifting , full-types) g-def lemma-1 ) then show ?thesis by (metis (lifting) G-atomic g-def negativity-constraint premise-2 ) qed If provided with all premises, sledgehammer still suggests a proof using only premise-2 : theorem assumes connectivity : ∀ x . ∀ y . G x y ∨ G y x ∨ x = y and premise-1 : ∃ x . Φ x and premise-2 : ¬ E (τ x . Φ x ) −→ (∃ y . G y (τ x . Φ x ) ∧ C y) and G-atomic: ∧ x . atomic (G x ) shows E g proof − have Φ g ∨ n = g by (metis (lifting , full-types) g-def lemma-1 ) then show ?thesis by (metis (lifting) G-atomic g-def negativity-constraint premise-2 ) qed Note that this version of the argument does employ the negativity-constraint, as well as the premise that identity is atomic via lemma-1. So although it has less non-logical premises than the original version of the argument, it has more, and more controversial, logical premises. 6 6 Soundness Since premise-1 and the connectivity of 'is greater than' are both dispensable, and the atomicity of 'is greater than' is not especially controversial, the main non-logical premise of the argument turns out to be premise-2. Note that premise-2 is entailed by God's existence: theorem assumes theism: E g shows ¬ E (τ x . Φ x ) −→ (∃ y . G y (τ x . Φ x ) ∧ C y) using g-def theism by auto So under the supposition that 'is greater than' is atomic, premise-2 is equivalent to God's existence, suggesting an atheist might wish to reject it as question-begging (see [6], pp. 348-9 and [4] for more detailed discussion of this point). However, Ted Parent has pointed out that premise-2 need not stand on its own, but may be further supported by the following argument [7], p. 478: lemma assumes premise-3 : ∀ y . ∀ z . ((E y ∧ ¬ E z ) −→ ((y = (τ x . Φ x ) ∨ z = (τ x . Φ x )) −→ y = (τ x . Φ x ))) and something-exists: ∃ x . E x and god-is-conceivable: C g and C-atomic: atomic C shows ¬ E (τ x . Φ x ) −→ (∃ y . C y ∧ G y (τ x . Φ x )) by (metis (no-types, lifting) C-atomic description-theorem-3 g-def god-is-conceivable premise-3 something-exists) But as Parent says, the premise that 'exists in the understanding' is atomic is particularly questionable. If 'exists in the understanding' is atomic, then it follows from description-theorem-3 that, for example, if the largest positive integer exists in the understanding, then something is the largest positive integer. But since 'the largest positive integer' is a grammatical description, there is a case to be made that the largest positive integer does exist in the understanding, even though nothing is the largest positive integer [7], p. 480-1. 7 Conclusion The main difference between Oppenheimer and Zalta's reconstruction of the argument in Prover9 and the reconstruction presented here in Isabelle/HOL is that whereas Prover9 employs first-order logic, Isabelle/HOL employs higher-order logic. That means that the Russellian description-axiom schema can be stated directly in Isabelle/HOL, whereas in Prover9 it has to be represented indirectly using first-order quantifiers ranging over predicates and relations [6], pp. 338-41. 7 Because of the way Oppenheimer and Zalta carry out this embedding, it is presupposed in their presentation that all the non-logical predicates which occur in their argument are atomic. In contrast, in the presentation in Isabelle/HOL, whenever the assumption that a certain predicate is atomic is needed, this has to be made explicit as a premise of the argument. This is not a merely practical matter since, as Parent points out, the question of whether 'exists in the understanding' is an atomic predicate turns out to be crucial. Abstracting from the peculiarities of different software, a surprising result is that whereas every version of the argument requires the premise that identity is atomic, and some versions require the additional premises that 'is greater than' is atomic and 'exists in the understanding' is atomic, no version of the argument requires the premises that 'exists in reality', or in other words 'exists' simpliciter, is atomic. This is in spite of the fact that the question of whether 'exists' is a genuine predicate has historically being one of the most controversial questions raised by Anselm's argument. end 8 Acknowledgements I thank Bob Beddor, Christoph Benzmuller, Dana Goswick, Frank Jackson, Paul Oppenheimer, Michael Pelczar, Abelard Podgorski, Hsueh Qu, Neil Sinhababu, Weng-Hong Tang, Jennifer Wang, Alastair Wilson and an audience at the University of Sydney for comments on this paper. References [1] C. Benzmuller and W. Paleo. Godel's God in Isabelle/HOL. Archive of Formal Proofs, 2013. [2] C. Benzmuller and D. Scott. Automating Free Logic in Isabelle/HOL. In Mathematical Software ICMS 2016, pages 43–50. Springer International Publishing, July 2016. DOI: 10.1007/978-3-319-42432-3 6. [3] D. Fuenmayor and C. Benzmuller. Types, Tableaus and Godel's God in Isabelle/HOL. Archive of Formal Proofs, 2017. [4] P. Garbacz. Prover9's Simplification Explained Away. Australasian Journal of Philosophy, 90(3):585–592, 2012. [5] P. E. Oppenheimer and E. N. Zalta. On the Logic of the Ontological Argument. Philosophical Perspectives, 5:509–529, 1991. 8 [6] P. E. Oppenheimer and E. N. Zalta. A Computationally-Discovered Simplification of the Ontological Argument. Australasian Journal of Philosophy, 89(2):333–349, 2011. [7] T. Parent. On the Prover9 Ontological Argument. Philosophia, 43(2):475–483, 2015. [8] J. Rushby. The Ontological Argument in PVS. Fun With Formal Methods, St Petersburg, Russia, 2013. [9] J. Rushby. Mechanized Analysis Of a Formalization of Anselms Ontological Argument by Eder and Ramharter. CSL technical note, SRI International, Menlo Park, CA, 2016. [10] F. Wiedijk. The Seventeen Provers of the World: Foreword by Dana S. Scott (Lecture Notes in Computer Science / Lecture Notes in Artificial Intelligence). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.