Hostname: page-component-586b7cd67f-gb8f7 Total loading time: 0 Render date: 2024-12-08T04:54:37.559Z Has data issue: false hasContentIssue false

PROOF SYSTEMS FOR TWO-WAY MODAL MU-CALCULUS

Published online by Cambridge University Press:  04 September 2023

BAHAREH AFSHARI*
Affiliation:
DEPARTMENT OF PHILOSOPHY, LINGUISTICS AND THEORY OF SCIENCE, UNIVERSITY OF GOTHENBURG, BOX 200, 40530 GOTHENBURG, SWEDEN
SEBASTIAN ENQVIST
Affiliation:
DEPARTMENT OF PHILOSOPHY, STOCKHOLM UNIVERSITY, UNIVERSITETSVÄGEN 10, 10691 STOCKHOLM, SWEDEN E-mail: sebastian.enqvist@philosophy.su.se
GRAHAM E. LEIGH
Affiliation:
DEPARTMENT OF PHILOSOPHY, LINGUISTICS AND THEORY OF SCIENCE, UNIVERSITY OF GOTHENBURG, BOX 200, 40530 GOTHENBURG, SWEDEN E-mail: graham.leigh@gu.se
JOHANNES MARTI
Affiliation:
DEPARTMENT OF INFORMATICS, UNIVERSITY OF ZURICH, BINZMÜHLESTRASSE 14, CH-8050 ZURICH, SWITZERLAND E-mail: marti@ifi.uzh.ch URL: http://johannesmarti.com
YDE VENEMA
Affiliation:
INSTITUTE FOR LOGIC, LANGUAGE AND COMPUTATION, UNIVERSITY OF AMSTERDAM, P.O. BOX 94242, 1098 XG AMSTERDAM, NETHERLANDS E-mail: y.venema@uva.nl
Rights & Permissions [Opens in a new window]

Abstract

We present sound and complete sequent calculi for the modal mu-calculus with converse modalities, aka two-way modal mu-calculus. Notably, we introduce a cyclic proof system wherein proofs can be represented as finite trees with back-edges, i.e., finite graphs. The sequent calculi incorporate ordinal annotations and structural rules for managing them. Soundness is proved with relative ease as is the case for the modal mu-calculus with explicit ordinals. The main ingredients in the proof of completeness are isolating a class of non-wellfounded proofs with sequents of bounded size, called slim proofs, and a counter-model construction that shows slimness suffices to capture all validities. Slim proofs are further transformed into cyclic proofs by means of re-assigning ordinal annotations.

Type
Article
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
© The Author(s), 2023. Published by Cambridge University Press on behalf of The Association for Symbolic Logic

1 Introduction

The modal $\mu $ -calculus is an extension of basic modal logic with least and greatest fixpoint operators. The additional operators are given an interpretation that breaks the locality of modal logic. Notably, the calculus can express all bisimulation-invariant monadic second-order properties [Reference Janin and Walukiewicz11]. As a consequence, well-studied modal logics such as the temporal logics $\mathsf {LTL}$ , $\mathsf {CTL}$ , and $\mathsf {CTL}^*$ and the program logic $\mathsf {PDL}$ can be translated into the $\mu $ -calculus. Many theoretical results on the modal $\mu $ -calculus have been established through its connection with automata theory and the theory of infinite games [Reference Grädel, Thomas and Wilke8], the central observation being that every formula can be represented as an alternating tree automaton, and vice versa, such that the automaton accepts an infinite tree if and only if the tree is a model of the formula [Reference Janin and Walukiewicz10, Reference Wilke22].

The two-way modal $\mu $ -calculus, also known as the full $\mu $ -calculus, is an extension of the $\mu $ -calculus with modal operators for converses of accessibility relations. Thus, in addition to the standard modalities $[a]$ and ${\langle {a}\rangle }$ that quantify over a-successors (states reachable via a single a-labeled transition), the two-way $\mu $ -calculus includes modalities $[\breve {a}]$ and ${\langle {\breve {a}}\rangle }$ quantifying over a-predecessors. A central result, due to Vardi [Reference Vardi21], is that the satisfiablity problem for the two-way $\mu $ -calculus is decidable in exponential time. To prove this result, Vardi introduces a notion of (alternating) two-way automaton and shows that for every formula of the two-way $\mu $ -calculus there is a two-way automaton that accepts an infinite tree if and only if the tree encodes a model of the formula. The decidability result then follows with a construction that provides for every two-way automaton an equivalent nondeterministic parity tree automaton. Vardi’s construction does not induce a translation of two-way $\mu $ -calculus formulas into equivalent $\mu $ -calculus formulas. The translation merely preserves satisfiability and validity. Indeed, two-way $\mu $ -calculus is strictly more expressive than its “one-way” fragment, for instance, it lacks the finite model property [Reference Streett20].

We present a sound and complete sequent calculus for the two-way $\mu $ -calculus. The proof theory of the logic has not been extensively explored. It is still an open question whether the calculus is complete with respect to a Hilbert-style axiomatisation that includes Kozen’s induction rule for the fixpoint operators. A complete finitary Hilbert-style axiomatisation of “flat” fragments is given in [Reference Enqvist7] and a cyclic system for the alternation-free fragment in [Reference Rooduijn, Venema, Hansen, Scedrov and de Queiroz15]. A sound and complete infinitary proof system for the full calculus is provided in [Reference Afshari, Jäger and Leigh2]. The system we present here is finitary. More precisely, proofs are represented as finite (cyclic) graphs with a local correctness criterion on simple cycles.

The proof system we introduce is a variant of systems developed for the modal $\mu $ -calculus by Dam and Gurov [Reference Dam and Gurov5] and for the first-order $\mu $ -calculus by Dam and Sprenger [Reference Sprenger and Dam18]. It further incorporates ideas developed by Jungteerapanich [Reference Jungteerapanich12] and Stirling [Reference Stirling19], using a derivation rule influenced by the Safra-construction for $\omega $ -automata to formulate the correctness criterion on cycles. This approach has been utilised in [Reference Afshari, Enqvist and Leigh1] to introduce a path-based cyclic proof system for first-order $\mu $ -calculus that is complete for the fragment corresponding to the one-way $\mu $ -calculus.

The distinguishing feature of the proof systems developed by Dam and Gurov is to work in an extended syntax with explicit variables referring to ordinal approximants of least fixed-points, permitting the expression of propositions like “the least fixed point of the map $x\mapsto \varphi (x)$ is reached at a smaller ordinal than the least fixed point of $x \mapsto \psi (x)$ .” This added expressive power plays a crucial role in our completeness proof, allowing us to build small saturated sets of formulas, called tiles, from which a tree-like counter-model for an unprovable formula is constructed step by step. The added difficulty in the counter-model construction (compared to the modal $\mu $ -calculus) is that what is true at a vertex in the tree-model depends on both successors and predecessors of the vetex, a condition that needs to be taken into account in the saturation process.

The heart of Vardi’s decision procedure for the two-way $\mu $ -calculus is the use of auxiliary second-order variables as part of an extended alphabet for simulating non-determinism, allowing the simulating automaton to guess partial information about “loops” that can occur as a result of an alternating two-way automaton traversing the tree in both directions, i.e., ancestor to descendant or descendant to ancestor. These variables can then be projected away. In our setting, the “guessing” happens in the form of cuts on formulas that encode (via ordinal variables) information about fixpoint unfoldings. We do not know whether our system is complete without the cut rule. A crucial part of our completeness argument, however, shows that the cut formulas can be chosen to belong to a relatively small finite set. Therefore, although the proof system is not cut-free, it does support automatic proof search.

Outline

The structure of this paper is as follows: In Section 2 we discuss the necessary preliminaries related to the two-way $\mu $ -calculus and annotated formulas. Section 3 contains the definition of our cyclic proof system. In Section 4 we prove that this system is sound. The completeness proof consists of two parts: In Section 5 we first show completeness for a particular class of non-wellfounded proofs, which we call slim proofs. In Section 6 we then show that every slim proof can be transformed into a cyclic proof in our system.

2 Two-way $\mu $ -calculus

The syntax of the two-way $\mu $ -calculus makes use of the following non-logical symbols: a countably infinite set $\mathrm {Prop}$ of propositional constants or proposition letters (denoted $p, q, p_0, \ldots $ ), with an involution $p \mapsto \overline {p}$ ; a countably infinite set $\mathrm {Act}$ of action symbols (denoted $a, b, a_0, \dotsc $ ), with an involution $a \mapsto \breve {a}$ ; and a countably infinite set $\mathrm {FV}$ of fixed point variable symbols (denoted $x, y, z, \dotsc $ ).

It will be convenient for us to work with formulas that are in negation normal form. That is, the set of (plain) two-way $\mu $ -calculus formulas is given by the following grammar:

We will need the following basic syntactic definitions. The set $\mathit {Sfor}(\varphi )$ of subformulas of $\varphi $ is defined as usual. The set of variables that occur in $\varphi $ is denoted by $\mathrm {Var}(\varphi )$ . Since the fixpoint operators $\mu $ and $\nu $ bind the variables that they occur with, we can define in a standard way the notions of free and bound variables; a sentence is a formula without free variables. The unfolding of a fixpoint formula $\sigma x\, \varphi $ is the formula $\varphi [\sigma x\, \varphi /x]$ that we obtain by substituting $\sigma x\, \varphi $ for x in $\varphi $ ; here we ensure that this substitution never causes variable capture (so that no renaming of variables is needed). The closure $\mathrm {Clos}(\Gamma )$ of a set $\Gamma $ of formulas is defined as the smallest set of formulas that is closed under taking Boolean subformulas, modal subformulas, unfoldings of fixpoint formulas, and single negations. It is well-known that for every formula $\varphi $ the closure $\mathrm {Clos}(\{\varphi \})$ is a finite set.

The semantics of formulas is given in terms of models $M = (W,R,V)$ , where W is any set, R provides for every $a \in \mathrm {Act}$ a relation $R_{a} \subseteq W \times W$ such that $R_{\breve {a}}$ is the converse $R_{\breve {a}} = \{(v,w) \mid (w,v) \in R_{a} \}$ of $R_{a}$ for all $a \in \mathrm {Act}$ , and $V : \mathrm {Prop} \to \mathcal {P} W$ is any function. The elements of W are called worlds, the relation $R_{a}$ is the accessibility relation for a, and the function V is the valuation function.

The semantic clauses for the two-way $\mu $ -calculus are completely standard. The Boolean and modal connectives are interpreted as in modal logic, where the relation $R_{a}$ is used for the modality $\langle a \rangle $ . The semantic value of the fixpoint formulas $\mu x \, \varphi $ and $\nu x \, \varphi $ are the least and greatest fixpoints of the monotone map that describes the interpretation of $\varphi $ as depending on an interpretation of the variable x. A precise formulation of the semantic clauses is given in the following subsection. The two-way $\mu $ -calculus introduced here is a fragment of the language of annotated formulas that is discussed in the following subsection.

2.1 Annotated formulas

The proof systems that we shall introduce here admit formulas with quantified versions of the fixpoint operators, involving a countable set $\mathrm {OV}$ of ordinal variables (denoted $\kappa , \lambda , \kappa _0, \ldots $ ). Since we will also allow quantifiers over these ordinal variables, the formulas that we work with will be of the following form:

A formula which does not contain any ordinal variables, i.e., a formula of the two-way modal $\mu $ -calculus, is called plain. The underlying plain formula of a formula $\varphi $ , denoted $\mathsf {u}(\varphi )$ , is the plain formula obtained from erasing all ordinal annotations and quantifiers from $\varphi $ :

$$ \begin{gather*} \begin{aligned} \mathsf{u}(x) &= x & \mathsf{u}(\varphi \wedge \psi ) &= \mathsf{u}(\varphi ) \wedge \mathsf{u}(\psi) & \mathsf{u}( [a] \varphi ) &= [a] \mathsf{u}(\varphi ), \\ \mathsf{u}(p) &= p & \mathsf{u}(\varphi \vee \psi ) &= \mathsf{u}(\varphi ) \vee \mathsf{u}(\psi) & \mathsf{u}( {\langle{a}\rangle} \varphi ) &= {\langle{a}\rangle} \mathsf{u}(\varphi ), \end{aligned} \\ \begin{aligned} \mathsf{u}( \eta x^{\kappa} \varphi ) &= \eta x \, \mathsf{u}(\varphi ) & \mathsf{u}( \forall \lambda < \kappa \, \varphi ) &= \mathsf{u}(\varphi ), \\ \mathsf{u}( \eta x \varphi ) &= \eta x \, \mathsf{u}(\varphi ) & \mathsf{u}( \exists \lambda < \kappa \, \varphi ) &= \mathsf{u}(\varphi ). \end{aligned} \end{gather*} $$

The semantics of this language can be defined as follows. If $f \colon \mathcal {P} W \rightarrow \mathcal {P} W$ is a monotone function on the powerset of W we identify two ways of iterating f along ordinals: $f^{\kappa }_{\top } \in \mathcal {P} W$ denotes the result of iterating $f \ \kappa $ -many times on the starting from W, and $f^{\kappa } _{\bot } \in \mathcal {P} W$ the $\kappa $ -th iterant of f starting from $\emptyset $ :

$$\begin{align*}f^{\kappa} _{\top} = \bigcap_{\xi < \kappa } f( f^{\xi}_{\top} ) \qquad\qquad f^{\kappa} _{\bot} = \bigcup_{\xi < \kappa } f( f^{\xi}_{\bot} ). \end{align*}$$

Note that $f^0_{\top } = W$ and $f^0_{\bot } = \emptyset $ . Given a model $M = (W,R,V)$ , an ordinal assignment is a map o assigning an ordinal $o(\kappa )$ to each ordinal variable $\kappa $ . Then the meaning $[\![\varphi ]\!]^o_M$ of a formula $\varphi $ in this model and under this assignment is inductively defined as follows. We write $[\![\lambda x. \varphi ]\!]$ to express the monotone map $Z \mapsto [\![\varphi ]\!]^o_{M[x\mapsto Z]}$ on $\mathcal {P} W$ .

  • For a propositional variable p, $[\![p]\!]^o_M = V(p)$ .

  • Standard clauses for Booleans and modalities.

  • $[\![\mu x^{\kappa }.\varphi ]\!]^o_M $ is the $o(\kappa )$ -th iterant of $[\![\lambda x. \varphi ]\!]$ on $\emptyset $ , i.e., $[\![\mu x^{\kappa }.\varphi ]\!]^o_M = [\![\lambda x. \varphi ]\!]_{\bot }^{o(\kappa )}$ .

  • $[\![\nu x.\varphi ^{\kappa }]\!]^o_M $ is the $o(\kappa )$ -th iterant of $[\![\lambda x. \varphi ]\!]$ on W, i.e., $[\![\nu x^{\kappa }.\varphi ]\!]^o_M = [\![\lambda x. \varphi ]\!]_{\top }^{o(\kappa )}$ .

  • $[\![\mu x.\varphi ]\!]^o_M$ is the least fixpoint $[\![\lambda x. \varphi ]\!]$ , namely $ [\![\mu x.\varphi ]\!]^o_M = \bigcup _{\xi } [\![ \lambda x. \varphi ]\!]^{\xi }_{\bot }$ .

  • $[\![\nu x.\varphi ]\!]^o_M$ is the greatest fixpoint of $[\![\lambda x. \varphi ]\!]$ , namely $ [\![\nu x.\varphi ]\!]^o_M = \bigcap _{\xi } [\![ \lambda x. \varphi ]\!]^{\xi }_{\top }$ .

  • $[\![\exists \lambda < \kappa .\varphi ]\!]^o_M = \{u \in W \mid \exists \xi < o(\kappa ) : u \in [\![\varphi ]\!]^{o[\lambda \mapsto \xi ]} _M \}$ .

  • $[\![\forall \lambda < \kappa .\varphi ]\!]^o_M = \{u \in W \mid \forall \xi < o(\kappa ) : u \in [\![\varphi ]\!]^{o[\lambda \mapsto \xi ]} _M \}$ .

We write $M,u \vDash _o \varphi $ if $u \in [\![\varphi ]\!]^o_M$ . If $\varphi $ is a plain formula we may write simply $M,u\vDash \varphi $ .

We think of negation as an operation on sentences, extending the involution on proposition letters, and determined by connective duality. Inductively we define the operation $\varphi \mapsto \overline {\varphi }$ for all formulas:

$$ \begin{align*} \overline{x} &= x & \overline{\varphi \wedge \psi} &= \overline{\varphi } \lor \overline{\psi} & \overline{[a] \varphi } &= {\langle{a}\rangle} \overline{\varphi } & \overline{\mu x^{\kappa} \varphi } &= \nu x^{\kappa} \, \overline{\varphi } & \overline{\forall \lambda < \kappa \, \varphi } &= \exists \lambda < \kappa \, \overline{\varphi } \\ & & \overline{\varphi \lor \psi} &= \overline{\varphi } \land \overline{\psi} & \overline{{\langle{a}\rangle} \varphi } &= [a] \overline{\varphi } & \overline{\nu x^{\kappa} \varphi } &= \mu x^{\kappa} \, \overline{\varphi } & \overline{\exists \lambda < \kappa \, \varphi } &= \forall \lambda < \kappa \, \overline{\varphi }. \end{align*} $$

It is routine to show that on the set of sentences this operation indeed behaves as classical negation. Furthermore, observe that this operation is an involution on the set of formulas, and that the negation of a plain formula is plain.

2.2 Subsumption, well-annotated formulas, and active variables

In this subsection we define some notions that are not needed in the definition of the proof systems but play a key role in our reasoning about the properties of the proof system.

The subsumption order $<_{\rho }$ associated with a formula $\rho $ is defined as the smallest preorder on $\mathrm {Var}(\rho )$ such that $x <_{\rho } y$ if $\rho $ has a subformula $\sigma y \psi $ of which x is a free variable. Observe that the subsumption order of a fixpoint formula is identical to that of its unfolding. By taking, if needed, alphabetic variants (i.e., renaming the bound variables in $\rho $ ) we may always assume that the subsumption order of a given formula is a strict partial order. It may occasionally be convenient to make the following assumption which is possible without loss of generality.

Convention 2.1. In some parts of this paper we will restrict attention to a fixed finite set $\Gamma _0$ of plain formulas in which distinct occurrences of fixed point quantifiers are associated with distinct variables, and its closure. We then may assume a strict partial order $<$ on the set of fixpoint variables occurring in $\Gamma _0$ which is such that $\mathord {<} \supseteq \mathord {<_{\varphi }} \cap (\mathrm {Var}(\varphi ) \times \mathrm {Var}(\varphi ))$ , for all $\varphi \in \mathrm {Clos}(\Gamma _0)$ . The order $<$ will be referred to as the subsumption order. If $x < y$ we refer to x as being higher ranked than y.

Definition 2.2. An annotation is a partial function from fixed point variables to ordinal variables. Let $x_0 , x_1 , \dotsc $ enumerate the fixed point variables in decreasing order with respect to subsumption. Given an annotation o and $n \in \omega $ , $o \upharpoonright n$ is the restriction of o to the domain $\{ x_i \mid i < n \}$ . Given a plain formula $\varphi $ and annotation $o \colon \mathrm {FV} \to \mathrm {OV}$ define a (nonplain) formula $\varphi ^o$ as follows:

$$ \begin{gather*} \begin{aligned} x^o &= x &\qquad ( \psi \wedge \theta )^o &= \psi^o \wedge \theta^o &\qquad ([a] \varphi )^o &= [a] \varphi ^o, \\ p^o &= p & ( \psi \vee \theta )^o &= \psi^o \vee \theta^o & ( {\langle{a}\rangle} \varphi )^o &= {\langle{a}\rangle} \varphi ^o, \end{aligned} \\ ( \eta x_i \psi )^o = \begin{cases} \eta x_i^{o(x_i)} \psi^{o \upharpoonright i }, & \text{if } x_i \in \mathop{dom} o, \\ \eta x_i \psi^{o \upharpoonright i }, & \text{otherwise.} \end{cases} \end{gather*} $$

Definition 2.3. A formula $ \varphi $ is well-annotated if there exists an annotation o such that $ \varphi = \mathsf {u}(\varphi )^{o}$ . The annotation o satisfying this equation with smallest domain is named $\mathsf {o}_{\varphi } $ . $\varphi $ is positively annotated if it is well-annotated and $\mathop {dom} ( \mathsf {o}_{\varphi } )$ consists only of $\nu $ -fixed point variables of $\varphi $ . The negation of a positively annotated formula is said to be negatively annotated.

Note that plain formulas are positively annotated, and that well-annotated formulas do not contain quantifiers.

Definition 2.4. Given a set of formulas $\Gamma $ , we say that an ordinal variable $ \kappa $ is active in $\Gamma $ if $\kappa $ occurs free in some positively annotated formula in $ \Gamma $ . The set of active variables in $\Gamma $ is denoted by $\mathrm {Act}(\Gamma )$ .

2.3 Game semantics

In this section we briefly review the game-theoretic semantics for the two-way $\mu $ -calculus; this will prove to be a useful approach in the completeness argument further on.

The evaluation game $\mathcal {E}(M,\varphi )$ of a formula $\varphi $ on a model $M = (W,R,V)$ is an infinite board game, the players of which we shall call Verifier and Falsifier. The positions of the game are all pairs of the form $(w,\psi )$ , where $w \in W$ and $\psi \in \mathrm {Clos}(\varphi )$ . The player to move at a given position and the moves at his or her disposal are listed in Table 1.

Table 1 The evaluation game $\mathcal {E}(M,\varphi )$ .

Any match or play of this game consists of a (finite or infinite) sequence $(w_n,\varphi _n)_{n<\kappa }$ of positions (with $\kappa \leq \omega $ ). A finite match, i.e., with $\kappa < \omega $ , is won by a player if it is their opponent who is supposed to move at the last position $(w_{\kappa -1}, \varphi _{\kappa -1})$ , while there is no move available.

To determine the winner of an infinite match $(w_n,\varphi _n)_{n<\omega }$ we observe that the induced sequence $(\varphi _n)_{n<\omega }$ of formulas is an infinite trace, that is: for every $i<\omega $ , either $\varphi _i$ is a fixpoint formula and $\varphi _{i+1}$ is its unfolding, or else $\varphi _{i+1}$ is a direct (modal or Boolean) subformula of $\varphi _i$ . It is well known that for every infinite trace $\tau = (\varphi _n)_{n<\omega }$ there is a unique formula that occurs infinitely often on $\tau $ and is a subformula of $\varphi _n$ for cofinitely many n. We will call this formula, which must be a fixpoint formula, the most significant formula of $\tau $ , and we declare Verifier (Falsifier) to be the winner of an infinite match $(w_n,\varphi _n)_{n<\omega }$ if the most significant formula of the induced trace $(\varphi _n)_{n<\omega }$ is a $\nu $ -formula (a $\mu $ -formula, respectively). It is well known that this winning condition can be formulated as a parity condition and that consequently the game $\mathcal {E}(M,\varphi )$ has positional determinacy.

Theorem 2.5 (Adequacy of evaluation games).

For any plain formula $\varphi $ , model M, and world w, we have $M,w \vDash \varphi $ if and only if the position $(w,\varphi )$ is winning for Verifier in $\mathcal {E}(M,\varphi )$ .

For a proof of the theorem see, e.g., [Reference Demri, Goranko and Lange6].

3 Proof systems

In this section we first define the finitary, cyclic proof system that is the subject of this paper and then discuss infinitary, non-wellfounded proofs that are needed for our completeness argument.

3.1 Sequents and constraints

The sequents in our proof system contain a constraint that describes the relative size of ordinal variables and keeps track of the order in which they are introduced.

Definition 3.1. A constraint is a tuple $\mathcal {O} = ( O , < , \triangleleft )$ where:

  1. 1. O is a finite set of ordinal variable symbols, called the domain,

  2. 2. $<$ is an irreflexive, transitive and upwards linear ordering $< $ (so $(O ,> )$ is a finite forest), called the descendant relation,

  3. 3. $\triangleleft $ is a total linear order on $\mathcal {O}$ , called the age relation, consistent with the ancestor relation: $\kappa < \lambda $ implies $ \lambda \triangleleft \kappa $ for all $\kappa , \lambda \in O$ .

Given a constraint $\mathcal {O} = ( O , <_{\mathcal {O}} , \triangleleft _{\mathcal {O}} )$ , we write $\mathrm {OV}(\mathcal {O})$ for O, the set of ordinal variables appearing in $\mathcal {O}$ . When there is no risk of confusion, we identify the constraint $\mathcal {O}$ with the set $\mathrm {OV}(\mathcal {O})$ , writing $\kappa \in \mathcal {O}$ rather than the formally precise $\kappa \in \mathrm {OV}(\mathcal {O})$ . The reflexive closure of $<_{\mathcal {O}}$ is denoted $\le _{\mathcal {O}}$ .

Definition 3.2. A sequent is an expression $\mathcal {O} : \Gamma $ where $\mathcal {O}$ is a constraint and $\Gamma $ is a finite set of formulas whose free ordinal variables are elements of $\mathcal {O}$ . We sometimes write a sequent $\mathcal {O} : \Gamma $ as just $ \Gamma $ , denoting $\mathcal {O}$ by $\mathcal {O}( \Gamma )$ .

Given a constraint $\mathcal {O}$ and $\kappa \in \mathcal {O}$ , a descendant of $\kappa $ is any $\lambda \in \mathcal {O}$ such that $\lambda <_{\mathcal {O}} \kappa $ , in which case $\kappa $ is called an ancestor of $\lambda $ (in $\mathcal {O}$ ). We say $\lambda $ is a child of $\kappa $ , or that $\kappa $ is the parent of $\lambda $ , if $\lambda <_{\mathcal {O}} \kappa $ and there is no $\rho \in \mathcal {O}$ such that $\lambda <_{\mathcal {O}} \rho $ and $\rho <_{\mathcal {O}} \kappa $ . Every $\kappa \in \mathcal {O}$ has at most one parent, but may have multiple children. If $\kappa \triangleleft _{\mathcal {O}} \lambda $ we say that $\kappa $ is older than $\lambda $ (relative to $\mathcal {O}$ ).

A substitution on ordinal variables is simply a map $\sigma : \mathrm {OV} \to \mathrm {OV}$ . With respect to a constraint $\mathcal {O}$ we call a substitution $\sigma $ increasing if $\lambda \le _{\mathcal {O}} \sigma (\lambda )$ for all $\lambda $ , and decreasing if $\sigma (\lambda ) \le _{\mathcal {O}} \lambda $ for all $\lambda $ .

For later use we introduce two auxiliary relations on a constraint $\mathcal {O}$ . First of all, we say that $\lambda $ is to the left of $\rho $ if $\lambda $ and $\rho $ are incomparable with respect to $\leq _{\mathcal {O}}$ and $\lambda ' \triangleleft _{\mathcal {O}} \rho '$ , where $\lambda '$ is the $<$ -greatest ancestor of $ \lambda $ that is not an ancestor of $ \rho $ and $ \rho ' $ is the $<$ -greatest ancestor of $ \rho $ that is not an ancestor of $ \lambda $ . We then define $\lambda \prec _{\mathcal {O}} \rho $ if $\lambda <_{\mathcal {O}} \rho $ or $ \lambda $ is to the left of $ \rho $ , and we sometimes denote $\lambda \prec _{\mathcal {O}} \rho $ as $\lambda \prec _{\mathcal {O}} \rho $ . As we will see later, $\prec _{\mathcal {O}}$ is in fact a strict linear order.

Here is an example to illustrate the different orders on ordinal variables and how they are related. Consider a constraint $\mathcal {O}$ containing seven ordinal variables , where $\kappa _0 \triangleleft _{\mathcal {O}} \dotsm \triangleleft _{\mathcal {O}} \kappa _{6}$ and $<_{\mathcal {O}}$ is the transitive closure of

$$\begin{align*}\{(\kappa_3,\kappa_1),(\kappa_4,\kappa_1),(\kappa_5,\kappa_2),(\kappa_6,\kappa_2),(\kappa_1,\kappa_0),(\kappa_2,\kappa_0)\}.\end{align*}$$

Represented as a tree the $<_{\mathcal {O}}$ -relation is shown in Figure 1. The figure is drawn so that, with the age relation as specified, the “left-of” relation between ${<_{\mathcal {O}}}$ -incomparable variables can be read off directly from the diagram. So $\kappa _3$ is to the left of $\kappa _2,\kappa _4,\kappa _5,\kappa _6$ , while $\kappa _1$ is to the left of $\kappa _2,\kappa _5,\kappa _6$ , etc. The $\prec _{\mathcal {O}}$ relation is thus the strict linear order given by

$$\begin{align*}\kappa_3 \prec_{\mathcal{O}} \kappa_4 \prec_{\mathcal{O}} \kappa_1 \prec_{\mathcal{O}} \kappa_5 \prec_{\mathcal{O}} \kappa_6 \prec_{\mathcal{O}} \kappa_2 \prec_{\mathcal{O}} \kappa_0.\end{align*}$$

To simplify notation we introduce a special symbol $\star $ and write $o(x) = \star $ for an annotation o if $x \notin \mathop {dom} (o)$ . Given an ordinal constraint $\mathcal {O}$ , we extend the order $<_{\mathcal {O}}$ to $\mathcal {O} \cup \{\star \}$ by setting $\kappa <_{\mathcal {O}} \star $ for every ordinal variable $\kappa $ in $\mathcal {O}$ . Note that $\prec _{\mathcal {O}}$ , with its definition extended to incorporate $\star $ , is still a linear order over $\mathcal {O} \cup \{\star \}$ and $\kappa \prec _{\mathcal {O}} \star $ for every ordinal variable $\kappa $ in $\mathcal {O}$ .

Figure 1 A sample constraint.

The semantics of sequents is given as follows.

Definition 3.3. Let $M = (W,R,V)$ be a model. A sequent $\mathcal {O} : \Gamma $ holds in M if for all ordinal assignments o such that $o(\kappa ) < o(\lambda )$ whenever $\kappa <_{\mathcal {O}} \lambda $ we have that $\bigcup \{[\![\varphi ]\!]^o_M \mid \varphi \in \Gamma \} = W$ . We say that an ordinal assignment o refutes $\mathcal {O} : \Gamma $ in M if $o(\kappa ) < o(\lambda )$ whenever $\kappa <_{\mathcal {O}} \lambda $ , but $\bigcup \{[\![\varphi ]\!]^o_M \mid \varphi \in \Gamma \} \neq W$ .

3.2 Rules and derivations

The sequent calculus we introduce makes use of three operations on constraints: The operation denoted $ \mathcal {O} + \lambda $ extends $\mathcal {O}$ by a fresh variable $ \lambda $ as the youngest element and makes no change to the descendant relation. As a variation, in $ \mathcal {O}+_{\kappa } \lambda $ the variable $ \lambda $ is also added as a child of $\kappa $ . That is, for $\mathcal {O} = ( O , < , \triangleleft )$ , $\lambda \in O$ and $\kappa \in O$ :

$$ \begin{align*} \mathcal{O} + \lambda &= ( O \cup \{ \lambda \} , \mathord< , \mathord \triangleleft \cup \{ ( \rho , \lambda ) \mid \rho \in O \} ), \\ \mathcal{O} +_{\kappa} \lambda &= ( O \cup \{ \lambda \} , \mathord< \cup \{ ( \lambda , \kappa ' ) \mid \kappa \leq \kappa' \} , \mathord \triangleleft \cup \{ ( \rho , \lambda ) \mid \rho \in O \} ). \end{align*} $$

In both the above constructions it is a requirement that $\lambda $ does not occur already in $\mathcal {O}$ .

The third construction is the restriction of a constraint to a set of ordinal variables. Given $\mathcal {O}$ as above and $V \subseteq O$ , we define $\mathcal {O} \setminus V$ to be the constraint

$$\begin{align*}\mathcal{O} \setminus V = ( O' , \mathord < \cap ( O' \times O' ) , \mathord \triangleleft \cap ( O' \times O ') ) \qquad\text{where } O' = O \setminus V. \end{align*}$$

Using these operations we can define the inference rules of our sequent calculus. These are presented in Table 2, where we use the expression $\mathcal {O}(\lambda < \kappa )$ to refer to a constraint $\mathcal {O}$ such that $\lambda <_{\mathcal {O}} \kappa $ . A tree constructed by applications of these rules, and labelled with sequents and names of the rules applied, will be called a derivation. We shall reserve the term proof for derivations satisfying one of several syntactic criteria guaranteeing validity, defined in the following sections. Given a derivation $\Pi $ and a vertex m in $\Pi $ , the sequent labelling m is denoted $\Pi (m)$ .

Table 2 Rules of sequent calculus.

Note that these rules feature no side conditions, besides the obvious constraint that all sequents involved in a rule instance must be bona fide sequents. This means that the $\forall $ -rule satisfies the usual eigenvariable condition: the variable $\lambda $ appearing in the premise cannot occur in the conclusion. If it had occurred in some formula, then by definition of a sequent it should also appear in the constraint, meaning that the constraint $\mathcal {O}+_{\kappa } \lambda $ appearing in the premise would not be well-defined. A similar eigenvariable constraint holds for the rule $\nu (\kappa )$ , and for the same reason. In the same vein, observe that in an application of $\mathsf {lw}$ , for the premise to be a well-formed sequent, no ordinal variable in the set V may occur free in $\Gamma $ .

The reader may have noticed that the cut rule also has a hidden restriction due to the definition of a sequent: the cut formula will never contain an ordinal variable that does not occur in the conclusion. This is not as restrictive as it may at first seem. Cuts can still be used to introduce new ordinal variables in proof search, since the cut formulas may contain quantifiers which can then be instantiated, such as in the following:

The calculus does not feature a rule for introducing an unapproximated least fixed point from an approximant, for instance,

Although sound, the above rule is not necessary for a complete sequent calculus. Without such a rule, derivations have the property that explicitly approximated least fixed points only arise from premises of the cut rule.

Proposition 3.4. Let R be an instance of any of the derivation rules except cut, with conclusion $\mathcal {O}:\Gamma $ . If every formula in $\Gamma $ is well-annotated, then every formula appearing in a premise of R is well-annotated.

Proof By inspection of the proof rules.

Further on we shall frequently need to employ the following minimisation rule:

This rule is easily derived via a cut:

Intuitively, we can view the minimisation rule as expressing a case distinction for how we may construct a counter-model to $\Gamma $ , in particular when $\Gamma $ contains the formula $\varphi [\nu x^{\kappa }\psi /z]$ : either we decide that $\kappa $ is the smallest ordinal approximant of the fixpoint $\nu x \psi $ for which the formula fails to hold, or we introduce a name $\kappa _0$ for smaller ordinal approximant such that $\varphi [\nu x^{\kappa _0}\psi /z]$ fails to hold. In the sequel we shall assume that the minimisation rule is a rule of our proof systems.

3.3 Cyclic proofs

We now present our main notion of a valid proof, which is based on “cyclic” derivations, which can be seen as finite representations of infinite but regular, non-wellfounded proof trees. It is straightforward to show that having no restrictions on allowed cycles trivialises the calculus, allowing any sequent to be derived by a cyclic proof. The notion of cyclic proof therefore comes equipped with a condition on cycles, called the correctness criterion, ensuring only valid sequents are derivable. First, we define more precisely what is meant by a “cycle.”

Definition 3.5. A derivation with back-edges is a pair $( \Pi , c )$ where $\Pi $ is a derivation and c is a partial function from the leaves of $\Pi $ to inner nodes of $\Pi $ , called the companion function, such that for every leaf $l \in \mathop {dom} c$ ,

  • l and $c(l)$ are labelled by the same sequent, i.e., $\Pi (l) = \Pi (c(l))$ , and

  • l is an ancestor of $c(l)$ .

We call $c(l)$ the companion of l.

Note that our requirement that a leaf l is labelled by the same sequent as its companion $c(l)$ entails more than just the same formulas occurring in the leaf and companion. It also implies that the constraints are identical, which means in particular that the relative ages of ordinal variables in leaf and companion are the same. This plays a dual role. On one hand, it facilitates proof search, and will be used extensively in our completeness argument. For this purpose, however, it is not clear that the age ordering needs to be incorporated directly into the definition of a valid proof. We shall see that, in fact, the age ordering also plays a crucial role in ensuring that the proof system is sound. It is for this reason that it is explicitly part of the proof system, rather than just an auxiliary technical device used to prove completeness.

It remains to formulate a criterion for distinguishing valid cyclic proofs from invalid derivations. For our purposes, the correctness criterion can be formulated as a particular instance of the structural rule $\mathsf {lw}$ occurring on the path between companion and leaf. We thus begin with isolating these special instances of weakening, henceforth called resets.

Definition 3.6. The reset rule is any instance of constraint weakening of the form

such that:

  1. 1. $\kappa \in \mathcal {O}$ and $\kappa $ does not occur in $\Gamma $ .

  2. 2. K is the set of children of $\kappa $ in $\mathcal {O}$ .

Note that, since derivations are assumed to be well formed, the children of $\kappa $ , namely the variables in K above, do not occur in $\Gamma $ .

Definition 3.7. Let $( \Pi , c )$ be a derivation with back-edges and let $l \in \mathop {dom} c$ be labelled by a sequent $\mathcal {O} : \Gamma $ . An ordinal variable $\kappa \in \mathcal {O}$ is a reset variable for l if::

  1. 1. $\kappa $ occurs in the constraint at every vertex on the path from $c(l)$ to l.

  2. 2. An instance of $\mathsf {reset}(\kappa )$ occurs on this path.

A leaf of $\Pi $ is successful if some variable is a reset variable for the leaf.

We can now stipulate the correctness criterion for cyclic proofs.

Definition 3.8. A cyclic proof is a finite derivation with back-edges $( \Pi , c )$ such that $\mathop {dom} c$ contains all non-axiomatic leaves of $\Pi $ and every leaf in $\mathop {dom} c$ is successful. We write $\vdash \mathcal {O} : \Gamma $ to express the existence of a cyclic proof with root labelled by $\mathcal {O} : \Gamma $ .

Given a plain formula $\rho $ , a cyclic proof of $\rho $ is a cyclic proof with end sequent $\emptyset : \rho $ , where $\emptyset $ denotes the empty constraint, i.e., the unique constraint in which the underlying set of ordinal variables is empty. We write $\vdash \rho $ to say there exists a cyclic proof of $\rho $ .

Examples of cyclic proofs are given in Figures 2 and 3. The former presents a simple case of excluded middle for the formula $\mu y.\, p \vee {\langle {a}\rangle } y$ . The proof involves a single non-axiomatic leaf, denoted by $\ast $ . Along the path from this leaf to its companion (also marked $\ast $ ), the variable $\kappa $ appears in every constraint and is reset. Hence, this path is successful. A cyclic proof of the formula $p \rightarrow \nu x.\, [\breve {a}] x \wedge \mu y.\, p \vee {\langle {a}\rangle } y$ is given in Figure 3. This formula expresses the property that for every $\breve {a}$ -path there is a “returning” a-path. The proof in Figure 3 also displays a single non-axiomatic leaf whose companion is the inner sequent marked as †, though each of the five omitted subproofs of $\overline Y , Y$ also involves an internal leaf-companion pair as per Figure 2. As the variable $\kappa $ occurs in the constraint of every sequent along the connecting path, this leaf is successful. Note that in both examples, the repeating cycles require two applications of the reset rule. The reason for this is that we require leaves and companions to be identical as sequents. This is just a technical convenience; one could instead formulate a weaker condition on leaf-companion pairs, requiring identity only up to a renaming of ordinal variables. Some care is needed to ensure soundness however; the precise formulation of such a condition was worked out in [Reference Afshari, Enqvist and Leigh1].

Figure 2 Cyclic proof of the sequent $\overline {\mu y.\, p \vee {\langle {a}\rangle } y} , \mu y.\, p \vee {\langle {a}\rangle } y$ . The relation of non-axiomatic leaves to companions is denoted by $\ast $ . The proof employs the following abbreviations: Y and $Y^{\kappa }$ denote the formulas $\mu y.\, p \vee {\langle {a}\rangle } y$ and $\mu y^{\kappa }.\, p \vee {\langle {a}\rangle } y$ respectively; constraints are abbreviated to $\kappa $ for $( \{ \kappa \} , \emptyset , \emptyset )$ , $\kappa \kappa '$ for $\kappa +_{\kappa } \kappa '$ and $\kappa \kappa ' \kappa "$ for $(\kappa \kappa ') +_{\kappa '} \kappa "$ .

Figure 3 Cyclic proof of the formula $\overline p \vee \nu x.\, [\breve {a}] x \wedge \mu y.\, p \vee {\langle {a}\rangle } y$ . Subproofs of the sequent $\emptyset : \overline Y , Y$ are as in Figure 2 and omitted. The relation of non-axiomatic leaves to companions is denoted by †. The proof employs the same abbreviations as Figure 2 with, in addition, X and $X^{\kappa }$ denoting formulas $\nu x.\, [\breve {a}] x \wedge Y$ and $\nu x^{\kappa }.\, [\breve {a}] x \wedge Y$ respectively.

For certain proofs in the following, it will be convenient to consider a conditional notion of cyclic proof, i.e., cyclic proofs from assumptions. For this notion of proof it is important to restrict the application of structural rules on paths from the conclusion to assumptions.

Definition 3.9. Let $\mathcal S \cup \{ \mathcal {O} : \Gamma \}$ be a set of sequents. A (cyclic) proof of $\mathcal {O} : \Gamma $ from assumptions $\mathcal S$ is a finite derivation with back-edges $( \Pi , c )$ such that every leaf $l \in \mathop {dom} c$ is successful and every leaf $l \in \mathop {dom} c$ is either an axiom, or else (i) it is labelled by a sequent in $\mathcal S$ , and (ii) there is no application of $\mathsf {lw}$ (including reset rules) on the path from the root of $\Pi $ to l.

We are now ready to state our main result:

Theorem 3.10 (Soundness and completeness).

Let $\rho $ be any plain formula of the two-way $\mu $ -calculus. Then $\rho $ is valid if, and only if, it has a cyclic proof.

The remainder of the paper is devoted to proving Theorem 3.10. Section 4 culminates in the proof of soundness. Completeness is the subject of Sections 5 and 6.

The proof of completeness of the cyclic proof system relies on completeness of non-wellfounded proofs, where the correctness condition on infinite branches is stipulated in terms of infinite descending chains of ordinal variables in the controls of sequents along infinite paths. In their most general formulation, completeness for such proofs is easy to prove, but not very helpful towards proving the main theorem since non-wellfounded proofs can be highly non-regular without any bound on the size of sequents in a proof tree.

Therefore, we isolate a sub-class of non-wellfounded proofs, called slim proofs, which, although not finitely presentable in general, are in an important sense closer to the finitary notion of provability: in slim proofs, the number of formulas that can appear in sequents is bounded. Constraints, however, can grow without bound. Finitising the constraints is the second step towards obtaining a cyclic proof for a valid sequent. Completeness with respect to slim proofs is established via a two-player game that we call the mosaic game, in which one player (Prover) tries to construct a proof of the root formula, and the opposing player (Refuter) attempts to build a counter-model by selecting certain “saturated” sequents called tiles.

With completeness of slim proofs in place, the next step is to insert uses of the reset rule in order to bound the size of constraints. This transformation alters the correctness condition on infinite paths from an infinite descent condition to an infinitary version of the reset condition from cyclic proofs: every infinite branch features some ordinal variable that is reset infinitely often. The final step of the completeness argument is to show that any non-wellfounded slim derivation satisfying the infinite reset condition can be pruned to a finite, cyclic proof.

3.4 Non-wellfounded proofs

In the proof of completeness for cyclic derivations we will make extensive use of an intermediate notion of proof based on infinite, or non-wellfounded, derivations. In analogy with the case of cyclic proofs, an infinite derivation will be considered a proof provided every infinite path in the derivation fulfils a syntactic criterion. Later we will consider infinite proofs where correctness is based on an (infinitary) notion of reset variable. For now we introduce the concept of an infinite descent proof where the requirement on infinite paths is that the sequence of constraints in the path induces an infinite descending sequence of ordinal variables.

Definition 3.11. Let $P =( \mathcal {O}_i )_{ i < \omega }$ be an infinite sequence of constraints.

We say that P has an infinite $<$ -descending chain of ordinals if there are an infinite sequence $(\kappa _i)_{i < \omega }$ of ordinal variables and an increasing function $\sigma : \omega \to \omega $ such that for every i it holds that $\kappa _{i + 1} <_{\mathcal {O}_{\sigma (i)}} \kappa _i$ and $\kappa _{i + 1} \in \mathrm {OV}(\mathcal {O}_l)$ for all $l \in \{\sigma (i),\sigma (i) + 1,\dots ,\sigma (i + 1)\}$ . An infinite $\prec $ -descending chain of ordinals is defined analogously.

An infinite derivation is said to be an infinite descent proof if every leaf is an axiom, and every infinite path is such that the sequence of constraints through this path has an infinite $<$ -descending chain of ordinal variables.

Definition 3.12. A finite proof tree is said to be a wellfounded proof if every leaf is labelled by a sequent of the form $\mathcal {O} : \varphi , \overline {\varphi }$ .

4 Soundness

In this section we show how to prove soundness for the cyclic and non-wellfounded variants of the proof system that is defined in the previous section. We start with the soundness proof for the cyclic proof system.

Definition 4.1. A strongly connected component, abbreviated SCC, in a cyclic proof tree is a set X of nodes which is connected, seen as a subgraph of the proof tree, where the (directed) edge relation is given as the union of the parent–child and the back-edge relation.

It is clear that every strongly connected component X of a cyclic proof tree has a lowest element, i.e., a unique element with the shortest path to the root of the proof tree, which must be the companion node of some leaf. We call this the root of X. (Note that we imagine trees as growing upwards, with the root at the bottom, in line with the way that we depict proof trees.)

The following characterization of cyclic proofs will be useful:

Proposition 4.2. Let $\Pi $ be a cyclic proof tree. Then $\Pi $ is a valid cyclic proof if, and only if, for every SCC X of $\Pi $ there is some ordinal variable $\kappa _X$ that appears in the constraint of each sequent in X, and is reset in at least one vertex of X.

Proof For right to left, it suffices to note that for every leaf l, the path from the companion of l to l is a strongly connected component of $\Pi $ .

For left to right, let $\Pi $ be a valid cyclic proof.

Claim 1. Let X be any SCC of $\Pi $ . Then there exists an ordinal variable $\kappa _X$ that belongs to the constraint of every vertex in X, and is equal to the variable $\kappa _l$ associated with some leaf l.

Proof of Claim

We prove this by induction on the number of non-axiom leaves in X. The base case consists of the case where X is a single cycle (comprising all nodes on the path to a leaf l from its companion), and in this case we just take $\kappa _X = \kappa _l$ .

Now, suppose that X has more than one non-axiom leaf. Consider the set S of vertices in X that are ancestors of all non-axiom leaves in X. It is clear that any two vertices in this set are comparable with respect to the descendant relation, so we can pick the maximum element s of the set, i.e., $s \in S$ and s is a descendant of every member of S. We call s the splitting point of X. Because all proof rules have at most two premises it follows that s has exactly two children, a left child and a right child. Every non-axiom leaf is a descendant of either the left child of s or the right child of s. In the first case we speak of a left leaf and in the second case a right leaf. Note that some leaf of X must have the root of X as companion, and this leaf must be either a left or right leaf. We may assume without loss of generality that it is a left leaf, the other case is symmetrical. Note that some right leaf must have a companion that is an ancestor of s, since X is strongly connected. Let c denote the lowest ancestor of s (closest to the root of X) that is the companion of some right leaf. Let $X_0$ be the set of vertices that lie on a path from the root of X to some left leaf, and let $X_1$ be the set of vertices that lie on a path from c to some right leaf. Then $X_0 \cup X_1 = X$ , and both $X_0$ and $X_1$ are SCCs with fewer non-axiom leaves than X (note that c is the root of $X_1$ ). So by the induction hypothesis, there are variables $\lambda _0,\lambda _1$ such that $\lambda _0$ appears in the constraint of every vertex in $X_0$ and $\lambda _1$ appears in the constraint of every vertex in $X_1$ . In particular, since $c \in X_0\cap X_1$ , both $\lambda _0$ and $\lambda _1$ appear in the constraint of c. We now consider two cases.

Case 1: $\lambda _0$ is older than $\lambda _1$ in the constraint of c. By assumption $\lambda _0$ appears in the constraint of every vertex in $X_0$ . We define the depth of a right leaf l as the number of leaves passed on the shortest path from the leaf to c. More precisely, if the companion of l is c then l has depth $0$ . Otherwise the depth of l is the smallest number $k+1$ such that the companion of l belongs to the path from the companion of $l'$ to $l'$ , where $l'$ is some right leaf of depth k. We prove by induction on the depth of a leaf l that $\lambda _0$ belongs to the constraint of every vertex on the path from the companion of l to l, and furthermore is older than $\lambda _1$ in every such constraint.

For depth $= 0$ , suppose l has c as companion. If there is some u on the path from c to l in which $\lambda _0$ does not appear in the constraint, then it has to be re-introduced later since the label of l is equal to that of c. But since $\lambda _1$ is on the constraint of every vertex on the path from c to l, $\lambda _0$ can only be re-introduced as a younger variable than $\lambda _1$ , and remain so. So the label of l cannot equal that of c after all, contradiction.

For depth $= k + 1$ , suppose l has companion v that is on the path from the companion of $l'$ to $l'$ , where $l'$ has depth k. Then again, $\lambda _0$ is introduced as a younger variable than $\lambda _1$ in the companion v, and we can repeat the same argument.

Case 2: $\lambda _1$ is older than $\lambda _0$ in c. Then in fact, $\lambda _1$ must appear in the constraint of the root of X, since $\lambda _0$ belongs to the constraint of every vertex on the path from the root of X to c, and so if $\lambda _1$ were introduced on this path it would have to be younger than $\lambda _0$ . With this observation in place we can repeat the whole argument from the previous case, but with the root of X in place of c.

To finish the proof, take any connected component X of $\Pi $ , and let $\kappa _X$ be the variable provided by the Claim. Then $\kappa _X = \kappa _l$ for some leaf l. By definition of a valid cyclic proof, $\kappa _l$ is reset at least once on the path from the companion of l to l. But this path is contained in X, so $\kappa _X = \kappa _l$ is reset in some vertex in X.

Proposition 4.3. If $\rho $ has a cyclic proof then $\rho $ is valid.

Proof Let $\Pi $ be a cyclic proof of $\rho $ .

Assume for a contradiction that there are some model M, a world w in M, and an ordinal assignment o such that $M, w \nvDash _o \rho $ . Our strategy is to find an infinite walk through the cyclic proof $\Pi $ , inducing a series of ordinal assignments, from which we can read off an infinitely descending sequence of ordinals. This contradiction then gives the proposition. We construct the walk by induction as follows. We define a vertex $v_n$ of $\Pi $ , an element $w_n$ of W, and an ordinal assignment $o_n$ by induction on n. We shall maintain the invariant that for each n, $o_n$ refutes the label of $v_n$ (henceforth denoted $\Gamma _n$ ) at $w_n$ . Note that this means that we never reach a leaf labelled by an axiom. For the base case, we define $v_0$ to be the root of the proof tree labelled $\vdash \rho $ , set $w_0 = w$ , and set $o_0 = o$ . Note that o can be taken to be the empty assignment if $\rho $ does not contain any ordinal variables. The assignment $o_0$ refutes the sequent $\vdash \rho $ at $w_0$ by the assumption that $M,w\nvDash _o \rho $ . The inductive step is by case distinction depending on the rule applied at the vertex $v_n$ . We distinguish between applications of the left weakening rule that correspond to the reset of a variable from other applications of left weakening. These need to be treated separately as they allow us to build the decreasing chain of ordinals.

Case $v_n$ is the conclusion of an application of $\kappa : x$ . Here, $\kappa $ is a fresh variable and the principal formula of the rule is of the form $\nu x\,\varphi $ , which is replaced by $ \nu x^{\kappa }\varphi $ . We define $o_{n+1}$ to be the extension of $o_n$ obtained by mapping $\kappa $ to the closure ordinal of the map $\varphi ^{o_n}_M$ , and set $v_{n+1}$ to be the premise of $v_n$ and $w_{n+1} = w_n$ .

Case $v_n$ is the conclusion of an application of the modal rule. Let the principal formula be $[a] \varphi $ . Since $o_n$ refutes the label of $\Gamma _n$ at $w_n$ , it is clear that there is some ${a}$ -successor $w'$ at which $o_n$ refutes the premise. So we set $w_{n+1} = w'$ , $v_{n+1}$ to be the premise of the rule application and $o_{n+1} = o_{n}$ .

Case $v_n$ is the conclusion of an application of the cut rule. Since $o_n$ refutes $\Gamma _n$ at $w_n$ , it has to refute one of the premises at $w_n$ also. We pick $v_{n+1}$ to be this premise, and set $w_{n+1} = w_n$ , $o_{n+1} = o_n$ .

Case $v_n$ is the conclusion of an application of the $\wedge $ -rule. Since $o_n$ refutes $\Gamma _n$ at $w_n$ , it has to refute one of the premises at $w_n$ also. We pick $v_{n+1}$ to be this premise, and set $w_{n+1} = w_n$ , $o_{n+1} = o_n$ .

Case $v_n$ is the conclusion of an application of the $\vee $ -rule, $\eta $ -rule, or $\exists $ -rule. We set $v_{n+1}$ to be the premise, and set $w_{n + 1} = w_n$ and $o_{n+1} = o_n$ . The invariant is easily seen to be maintained.

Case $v_n$ is the conclusion of an application of $\mu (\kappa )$ . We define $w_{n + 1} = w_n$ and $o_{n + 1} = o_n$ . By assumption we have that $w_n \notin [\![\mu x^{\kappa } \varphi ]\!]^{o_n} = f^{o_n(\kappa )}(\emptyset )$ , where f is the monotone map with $f(Z) = [\![\varphi ]\!]^{o_n}_{M[x \mapsto Z]}$ . If we now consider any $\lambda $ such that $o_n(\lambda ) < o_n(\kappa )$ we have that $f^{o_n(\lambda ) + 1}(\emptyset ) \subseteq f^{o_n(\kappa )}(\emptyset )$ , because $o_n(\lambda ) + 1 \leq o_n(\kappa )$ . Thus it follows that $w_{n + 1} = w_n \notin f^{o_n(\lambda ) + 1}(\emptyset ) = f(f^{o_n(\lambda )}(\emptyset )) = [\![\varphi [\mu x^{\lambda }. \varphi / x]]\!]^{o_n}$ . Thus the invariant is maintained.

Case $v_n$ is the conclusion of an application of the $\forall $ -rule. Let $\lambda < \kappa $ be the fresh variable introduced. Since $o_n$ refutes $\Gamma _n$ at $w_n$ there must be some $\xi < o_n(\kappa )$ such that $o_n[\lambda \mapsto \xi ]$ refutes the premise at $w_n$ . So we set $v_{n+1}$ to be the premise of $v_n$ , $w_{n+1} = w_n$ , and $o_{n+1} = o_n[\lambda \mapsto \xi ]$ .

Case $v_n$ is the conclusion of an application of the $\nu (\kappa )$ -rule. Let $\lambda < \kappa $ be the fresh variable introduced. Since $o_n$ refutes $\Gamma _n$ at $w_n$ we have that $w_n \notin [\![\nu x^{\kappa }. \varphi ]\!]^{o_n}$ . If we write f for the monotone map with $f(Z) = [\![\varphi ]\!]^{o_n}_{M[x \mapsto Z]}$ this means that $w_n \notin f^{o_n(\kappa )}(W)$ . By the definition of $f^{o_n(\kappa )}$ we have that

$$\begin{align*}f^{o_n(\kappa)}(W) = \bigcap_{\zeta < \kappa} f(f^{o_n(\zeta)}(W)).\end{align*}$$

Thus there exists some ordinal $\zeta < o_n(\kappa )$ such that $w_n \notin f(f^{\zeta }(W))$ . We set $w_{n + 1} = w_n$ and $o_{n + 1} = o_n[\lambda \mapsto \zeta ]$ . This refutes the premise because $w_{n + 1} = w_n \notin f(f^{\zeta }(W)) = [\![\varphi [\nu x^{\lambda }. \varphi / x]]\!]^{o_{n + 1}}$ .

Case $v_n$ is a leaf with companion $v'$ . We set $o_{n + 1} = o_n$ , and set $w_{n+1} = w_{n}$ and $v_{n+1} = v'$ . The invariant is obviously maintained.

Case $v_n$ is the conclusion of an application of left weakening in which the variable $\kappa $ is reset. This means that neither $\kappa $ nor any of its children appear on the right-hand side of $\Gamma _n$ , and all children of $\kappa $ are removed. List the children of $\kappa $ as $\lambda _1,...,\lambda _m$ . We define the new assignment $o_{n+1}$ by setting

$$ \begin{align*}o_{n+1}(\kappa) = \mathsf{max}(o_n(\lambda_1),...,o_n(\lambda_m)), \end{align*} $$

and $o_{n+1}(\lambda ) = o_{n}(\lambda )$ for $\lambda \neq \kappa $ . We set $w_{n+1} = w_n$ and we set $v_{n+1}$ to be the premise of the rule application. We need to check that the new assignment $o_{n+1}$ refutes $\Gamma _{n+1}$ at $w_{n+1}$ . Since none of the variables $\kappa ,\lambda _1,...,\lambda _m$ appear on the right-hand side of $\Gamma _n$ or $\Gamma _{n+1}$ , it suffices to show that the new assignment is consistent with the constraint $\mathcal {O}_{n+1}$ of $\Gamma _{n+1}$ .

First, note that $o_{n+1}(\kappa ) < o_{n}(\kappa )$ , since we have $o_n(\lambda _i) < o_{n}(\kappa )$ for each $i \in \{1,...,m\}$ and since $o_{n+1}(\kappa )$ was defined as $\mathsf {max}(o_n(\lambda _1),...,o_n(\lambda _m))$ (this observation will be important later!). Hence if $\kappa '$ is the parent of $\kappa $ in $\mathcal {O}_{n+1}$ then

$$ \begin{align*}o_{n+1}(\kappa) < o_{n}(\kappa) < o_{n}(\kappa') = o_{n+1}(\kappa'),\end{align*} $$

as required. Now, suppose $\xi $ is a child of $\kappa $ in $\mathcal {O}_{n+1}$ . Then there must be some $\lambda _i$ , $i \in \{1,...,m\}$ , such that $\xi $ was a descendant of $\lambda _i$ in the constraint of $\Gamma _n$ . Hence we get

$$ \begin{align*} o_{n+1}(\xi) & = o_{n}(\xi) \\ & < o_n(\lambda_i) \\ & \leq \mathsf{max}(o_n(\lambda_1),...,o_n(\lambda_m)) \\ & = o_{n+1}(\kappa), \end{align*} $$

so $o_{n+1}(\xi ) < o_{n+1}(\kappa )$ as required.

Other cases. The other cases of left or right weakening are trivial.

With this construction in place, consider the infinite walk $v_0v_1v_2\ldots $ through $\Pi $ that we obtain in the limit. Let X be the set of all vertices that are visited infinitely many times on $\Pi $ . This is obviously a strongly connected component, so since $\Pi $ was a valid cyclic proof, by Proposition 4.2 there is some $\kappa $ that appears in the constraint of every vertex in X, and is reset on the path from the root of X to one of its leaves. Hence, it is clear that the value assigned to $\kappa $ by the ordinal assignments $o_i$ never increases, and decreases every time the walk passes through the vertex at which $\kappa $ is reset. So the successive values that these ordinal assignments give to $\kappa $ produce an infinite descending series of ordinals, which is impossible. This contradiction concludes the proof.

We now briefly sketch to adapt the soundness proof for the cyclic system to non-wellfounded proofs.

Proposition 4.4. If $\rho $ has a non-wellfounded proof then $\rho $ is valid.

Proof sketch

The argument is similar to the proof of Proposition 4.3: Let $\Pi $ be a non-wellfounded proof of $\rho $ . We assume for contradiction that there are some model M, world w in M, and an ordinal assignment o such that $M,w \not \models _o \rho $ . We find an infinite path $v_0,v_1$ through $\Pi $ and ordinal assignments $o_0,o_1,\dots $ such that $o_i$ refutes $\mathcal {O}_i : \Gamma _i$ , where $\mathcal {O}_i : \Gamma _i$ is the sequent at $v_i$ . The construction of this infinite path is similar as in the proof of Proposition 4.3. We can omit the case for leafs with companions and treat all instances of left weakening as left weakenings that do not correspond to a reset. In the end a contradiction arises from an infinite descending chain of ordinals that can be read of from the sequence $o_1,o_2,\dots $ using the condition from Definition 3.11.

5 Completeness for infinite proofs

In this section we will prove completeness for infinite non-wellfounded proofs, as the first step towards our main result, i.e., completeness for cyclic proofs. More precisely, we introduce a special class of non-wellfounded proofs that we call slim proofs and prove that any valid formula has a slim proof. Slim proofs are genuinely infinite (non-regular), and can contain infinitely many different sequents. However, they do have the property that there is a fixed bound on the number of formulas occurring in any sequent, although the constraints can grow without bound. This property will be important later when we transform slim proofs into finite, cyclic proofs.

5.1 Slim proofs

We start by defining the notion of a slim proof.

Definition 5.1. Let $\mathcal {O} : \Gamma $ be any sequent and let $o_0$ and $o_1$ be any annotations that have their range is in $\mathrm {OV}(\mathcal {O})$ . We write $o_0 \prec ^x_{\mathcal {O}} o_1$ if $o_0(x) \prec _{\mathcal {O}} o_1(x)$ while, for all y higher ranking than x, we have $o_0(y) = o_1(y)$ . We write $o_0 \prec _{\mathcal {O}} o_1$ if there is some ordinal variable x such that $o_0 \prec ^x_{\mathcal {O}} o_1$ .

Definition 5.2. Let $\mathcal {O} : \Gamma $ be any sequent, and let $ \varphi , \psi \in \Gamma $ be positively annotated formulas. We write $ \varphi \prec _{\mathcal {O}} \psi $ , or just $ \varphi \prec \psi $ when $\mathcal {O}$ is clear from context, if $\mathsf {u}( \varphi ) = \mathsf {u}( \psi )$ and, $\mathsf {o}_{\varphi } \prec \mathsf {o}_{\psi }$ .

We write $\preceq _{\mathcal {O}}$ as shorthand for “ $\prec _{\mathcal {O}}$ or $=$ .” A positively annotated formula $\varphi $ is minimal with respect to a constraint $\mathcal {O}$ if there is no formula $\psi $ such that $\psi \prec _{\mathcal {O}} \varphi $ . A sequent $\mathcal {O} : \Gamma $ is said to be minimal if every positively annotated formula occurring in $\Gamma $ is minimal with respect to $\mathcal {O}$ .

Definition 5.3. Let $\Gamma $ be a set of plain formulas. The set $OC(\Gamma )$ consists of all positively or negatively annotated formulas $\varphi $ such that $\mathsf {u}(\varphi ) \in \mathrm {Clos}(\Gamma )$ . The set $QC(\Gamma )$ consists of $OC(\Gamma )$ , together with all formulas of the form $Q\kappa < \lambda : \varphi $ , where $Q \in \{ \forall , \exists \}$ and $\varphi \in OC(\Gamma )$ . The extended closure $EC(\Gamma )$ of $\Gamma $ consists of $QC(\Gamma )$ , together with all formulas of the form $[a]\bigvee \Delta $ or $\bigvee \Delta $ , where $\Delta $ is a subset of $QC(\Gamma )$ .

A proof tree $\Pi $ is said to be slim if:

  1. 1. All formulas in $\Pi $ belong to the extended closure of the root formula.

  2. 2. For any formula $\varphi $ that occurs in some sequent $\Gamma $ in $\Pi $ , all free ordinal variables of $\varphi $ are active in $\Gamma $ . Equivalently, for any sequent $\Gamma $ in $\Pi $ , any ordinal variable that occurs freely in some formula in $\Gamma $ also occurs freely in some positively annotated formula in $\Gamma $ .

  3. 3. Any sequent in $ \Pi $ which is not minimal with respect to its constraint is the conclusion of an application of right weakening.

  4. 4. There is no application of left weakening in $\Pi $ .

  5. 5. In any application of the cut rule, $\mu (\kappa )$ or $\exists $ , all ordinal variables occurring free in the cut formula or minor formula of the rule application are active variables in the conclusion.

Observe that because infinite branches in slim proofs do not contain applications of $\mathsf {lw}$ the set of ordinal variables in the constraint only grows as we move along the branch. We can thus define the following notion of the limit constraint of a branch:

Definition 5.4. Fix an infinite branch $\beta = v_0,v_1,\dots $ of a slim proof and let $\mathcal {O}_i = (O_i,<_i,\triangleleft _i)$ be the constraint at $v_i$ for all $i \in \omega $ . Define the infinite set $O_{\beta } = \bigcup _{i \in \omega } O_i$ , and the orders $<_{\beta }$ , $\triangleleft _{\beta }$ , and $\prec _{\beta }$ over $O_i$ such that ${\ll _{\beta }} = \bigcup _i {\ll _i}$ for ${\ll } \in \{ <, \le , \triangleleft \}$ .

It is clear that in slim proofs an infinite $<$ -descending chain of ordinals in a branch $\beta $ , according to Definition 3.11 is the same as an infinite descending chain in the order $<_{\beta }$ , according to the usual definition of an infinite descending chain in some order. The same holds for infinite $\prec $ -descending chains.

Proposition 5.5. If $\beta = v_0,v_1,\dots $ is an infinite branch in a slim proof, then:

  1. 1. $<_{\beta }$ is irreflexive, transitive, and upwards linear.

  2. 2. $\triangleleft _{\beta }$ is a linear order.

  3. 3. $\prec _{\beta }$ is a linear order.

  4. 4. $<_{\beta }$ is conversely well-founded and $\triangleleft _{\beta }$ is well-founded.

  5. 5. $\lambda \prec _{\beta } \kappa $ iff $\lambda <_{\beta } \kappa $ or $\lambda $ is to the left of $\kappa $ with respect to the orders $<_{\beta }$ and $\triangleleft _{\beta }$ .

Proof First observe that left weakening is never applied on $\beta $ because by assumption it is a branch in a slim proof. It follows then from an inspection of the proof rules that for all $i \in \omega $ it holds that either $\mathcal {O}_{i + 1} = \mathcal {O}_i$ , $\mathcal {O}_{i + 1} = \mathcal {O}_i + \lambda $ , or $\mathcal {O}_{i + 1} = \mathcal {O}_i +_{\kappa } \lambda $ , for some ordinal variable $\lambda $ . Thus, in every step there is at most one variable $\lambda $ added; this $\lambda $ is made maximal in $\triangleleft _{i + 1}$ , and it is either a new leaf in $<_{i + 1}$ or $<_{i + 1}$ -incomparable to all existing variables. Using this observation it is relatively straightforward to verify items 1–4.

For item 5 first recall that $\lambda $ is to the left of $\kappa $ with respect to the orders $<_{\beta }$ and $\triangleleft _{\beta }$ if $\lambda $ and $\kappa $ are $<_{\beta }$ -incomparable and $\lambda ' \triangleleft _{\beta } \kappa '$ holds, where $\lambda '$ is the $<_{\beta }$ -greatest $<_{\beta }$ -ancestor of $\lambda $ that is not a $<_{\beta }$ -ancestor of $\kappa $ and $\kappa '$ is the $<_{\beta }$ -greatest $<_{\beta }$ -ancestor of $\kappa $ that is not a $<_{\beta }$ -ancestor of $\lambda $ . Note that the $<_{\beta }$ -greatest node with some property is well-defined because $<_{\beta }$ is conversely well-founded.

The details of the proof of item 5 are left to the reader. The crucial step in the argument is to show that the following are equivalent:

  1. 1. $\lambda '$ is the $<_{\beta }$ -greatest $<_{\beta }$ -ancestor of $\lambda $ that is not a $<_{\beta }$ -ancestor of $\kappa $ .

  2. 2. For some i, $\lambda ', \lambda , \kappa $ exist and $\lambda '$ is the $<_i$ -greatest $<_i$ -ancestor of $\lambda $ that is not a $<_i$ -ancestor of $\kappa $ .

The proof of this equivalence relies on the observation that when moving from $\mathcal {O}_i$ to $\mathcal {O}_{i + 1}$ only new leafs or new roots are added to the order $<_{i + 1}$ . Thus, variables that are comparable at stage i stay comparable at stage $i + 1$ , and variables that exist in $\mathcal {O}_i$ and are incomparable stay incomparable.

Proposition 5.6. Let $\beta $ be an infinite branch of a slim proof tree $\Pi $ . Then it contains an infinite $\prec $ -descending chain of ordinal variables if, and only if, it contains an infinite $<$ -descending chain of ordinal variables.

Proof It is clear that it suffices to prove this result for the orders $\prec _{\beta }$ and $<_{\beta }$ from Definition 5.4. We write $\mathcal {O}, \prec , <$ , and $\triangleleft $ for $\mathcal {O}_{\beta }, \prec _{\beta }, <_{\beta }$ , and $\triangleleft _{\beta }$ , respectively. The direction from right to left follows directly from the definitions of $<_{\beta }$ and $\prec _{\beta }$ and the relation between $<_i$ and $\prec _i$ at any finite $i \in \omega $ .

For the direction from left to right assume that we have an infinite descending chain $\kappa _0 \succ \kappa _1 \succ \cdots $ of ordinal variables in $\mathcal {O}$ . The aim is to use König’s lemma to prove that there is an infinite descending chain in $<_{\mathcal {O}_{\beta }}$ .

Consider the following set of variables from $\mathcal {O}$ :

$$\begin{align*}F = \{ \lambda \in \mathcal{O} \mid \lambda \geq \kappa_i \mbox{ for some } i \in \omega\}. \end{align*}$$

Because by Proposition 5.5 $<$ is upwards linear and conversely well-founded we can consider F to be a forest under the order $<$ . The set F is infinite because it contains the infinitely many distinct