A Hybrid Intuitionistic Logic: Semantics and Decidability

A Hybrid Intuitionistic Logic: Semantics and Decidability Rohit Chadha Damiano Macedonio Vladimiro Sassone February 12, 2005 Abstract An intuitionistic, hybrid modal logic suitable for reasoning about distribution of resources was introduced in [14, 15]. The modalities of the logic allow us to validate properties in a particular place, in some place and in all places. We give a sound and complete Kripke semantics for the logic extended with disjunctive connectives. The extended logic can be seen as an instance of Hybrid IS5. We also give a sound and complete birelational semantics , and show that the semantics satisfies the finite model property: if a judgement is not valid in the logic, then there is a finite birelational countermodel. Hence we prove that the logic is decidable. 1 Introduction In current computing paradigm distributed resources spread over and shared amongst di erent nodes of a computer system are very common. For example, printers may be shared in local area networks, or distributed data may store documents in parts at di erent locations. The traditional reasoning methodologies are not easily scalable to these systems as they may lack implicitly trust-able objects such as a central control. This has resulted in the innovation of several reasoning techniques. A popular approach in the literature has been the use of algebraic systems such as process algebra [18, 13, 9]. These algebras have rich theories in terms of semantics [18], logics [12, 20, 8, 7], and types [13]. Another approach is logic-oriented [14, 15, 30, 19]: intuitionistic modal logics are used as foundations of type systems by exploiting the propositions-as-types, proofs-as-programs paradigm [11]. An instance of this was introduced in [14, 15]. The logic introduced there is the focus of our study. The formulae in this logic include names, called places. Assertions in the logic are associated with places, and are validated in places. In addition to considering ✁ ✁ Research partially supported by ‘MIKADO: Mobile Calculi based on Domains’, EU FET-GC IST-2001-32222, and ‘MyThS: Models and Types for Security in Mobile Distributed Systems’, EU FET-GC IST-2001-32617. ✂ 1 whether a formula is true, we are also interested in where a formula is true. In order to achieve this, the logic has three modalities. The modalities allow us to infer whether a property is validated in a specific place of the system (@p), or in an unspecified place of the system ( ), or in any part of the system ( ). The modality @p internalises the model in the logic, and hence can be classified as a hybrid logic [1, 2, 3, 4, 5, 24, 25, 6]. An intuitionistic natural deduction for the logic without the disjunctive connectives is given in [14, 15]. The judgements in the logic mention the places under consideration. The natural deduction rules for and resemble those for existential and universal quantification of first-order intuitionistic logic. We extend the logic with disjunctive connectives, and extend the natural deduction system to account for these. As noted in [14, 15], the logic can also be used to reason about distribution of resources in addition to serving as the foundation of a type system. The papers [14, 15], however, lack a model to match the usage of the logic as a tool to reason about distributed resources. In this paper, we bridge the gap by presenting a Kripke-style semantics [17] for the logic extended with disjunctive connectives. In Kripkestyle semantics, formulae are considered valid if they remain valid when the atoms mentioned in the formulae change their value from false to true. This is achieved by using a partially ordered set of possible states. Informally, more atoms are true in larger states. We extend the Kripke semantics of the intuitionistic logic [17], enriching each possible state with a set of places. The set of places in Kripke states are not fixed, and di erent possible Kripke states may have di erent set of places. However, the set of places vary in a conservative way: larger Kripke states contain larger set of places. In each possible state, di erent places satisfy di erent formulae. In the model, we interpret atomic formulae as resources of a distributed system, and placement of atoms in a possible state corresponds to the distribution of resources. The enrichment of the model with places reveals the true meaning of the modalities in the logic. The modality @p expresses a property in a named place. The modality corresponds to a weak form of spatial universal quantification and expresses a property common to all places, and the modality corresponds to a weak form of spatial existential quantification and expresses a property valid somewhere in the system. For the intuitionistic connectives, the satisfaction of formulae at a place in a possible state follows the standard definition [17]. In order to give semantics to a logical judgement, we allow models with more places than those mentioned in the judgement. This admits the possibility that a user may be aware of only a certain subset of names in a distributed system. This is crucial in the proof of soundness and completeness as it allows us to create witnesses for the existential ( ) and the universal ( ) modalities. The Kripke semantics reveals that the extended logic can be seen as the hybridisation of the well-known intuitionistic modal system IS5 [21, 26, 10, 28, 23, 29]. Following [10, 28, 23, 29], we also introduce a sound and complete birelational semantics for the logic. The reason for introducing birelational semantics is that it ✄ ☎ ✄ ☎ ✁ ✆ ✁ ✁ ☎ ✄ ✄ ☎ 2 allows us to prove decidability. As in Kripke models, birelational models have a partially ordered set. The elements of this set are called worlds. In addition to the partial order, birelational models also have an equivalence relation amongst worlds, called the accessibility or reachability relation. Unlike the Kripke semantics, we do not enrich each world with a set of places. Instead, we have a partial function, the evaluation function, which attaches a name to a world in its domain. As we shall see, the partiality of the function is crucial to the proof of decidability. The partial evaluation function must satisfy two important properties. One, coherence, states that if the function associates a name to a world then it also associates the same name to all larger states. The other, uniqueness, states that two di erent worlds accessible from one another do not evaluate to the same name. Coherence is essential for ensuring monotonicity of the logical connective @p, and uniqueness is essential for the ensuring soundness of introduction of conjunction and implication. Following [29], we also introduce an encoding of the Kripke models into birelational models. The encoding maps a place in a Kripke state into a world of a birelational model. The encoding ensures that if a formula is validated at a place in a state of the Kripke model, then it is also validated at the corresponding world. The encoding allows us to conclude soundness of Kripke semantics from soundness of birelational semantics. It also allows us to conclude completeness of the birelational models from completeness of Kripke semantics. Surprisingly, the soundness of the birelational models was not straightforward. The problematic cases are the inference rules for introduction of and the elimination of . In Kripke semantics, soundness is usually proved by duplicating places in a conservative way [6, 29]. The partiality of the evaluation function, along with the coherence and uniqueness conditions however impeded in obtaining such a result. It has been noted in [29] that the soundness is also non-trivial in the case of birelational models for intuitionistic modal logic. However, the problems with soundness here arise purely because of the hybrid nature of the logic. Soundness is obtained by using a mathematical construction that creates a new birelational model from a given one. In the new model, the set of worlds consist of the reachability relation of the old model, and we add new worlds to witness the existential and universal properties. The proof of completeness follows standard techniques from intuitionistic logics, and given a judgement that is not provable in the logic we construct a canonical Kripke model that invalidates the judgement. However, following [29], the construction of this model is done in a careful way so that it assists in the proof of decidability. The encoding of Kripke models into birelational models gives us a canonical birelational model. The worlds of canonical birelational models consists of triples: a finite set of places Q, a finite set of sentences , and a special place q which is the evaluation of the world. The set of worlds in the canonical birelational models may be infinite. We show that by identifying the worlds in the birelational model up-to renaming of places, we can construct an equivalent finite model, called the quotient model. This allows ✁ ☎ ✄ ✝ 3 us to deduce the finite model property for the birelational semantics: if a judgement is not provable in the logic, then we can construct a finite birelational model which invalidates the judgement. The proof is adapted from the case of intuitionistic modal logic [29]. The partiality of the evaluation function is crucial in the proof. The finite model property allows us to conclude the decidability of the logic. The rest of the paper is organised as follows. In Section 2, we introduce the logic and the Kripke semantics. In Section 3, we introduce the birelational semantics, and prove the soundness of the logic with respect to birelational models. The encoding of Kripke models into birelational models is also given which allows us to conclude soundness of Kripke semantics. The construction of canonical models and completeness is discussed in Section 4. In Section 5, we construct the quotient model and prove the finite model property for birelational models. Related work is discussed in Section 6, and our results are summarised in Section 7. We anticipate collecting some of the proofs to an Appendix in the final version. 2 Logic We now introduce, through examples, the logic presented in [14, 15] extended with disjunctive connectives. The reason for adding disjunctive connectives is that it provides us with full expressiveness of intuitionistic logic. The logic can be used to reason about heterogeneous distributed systems. To gain some intuition, consider a distributed peer to peer database where the information is partitioned over multiple communicating nodes (peers). Informally, the database has a set of nodes, or places, and a set of resources (data) distributed amongst these places. The nodes are chosen from the elements of a fixed set, denoted by p✞ q✞ r✞ s✞✠✟✡✟✠✟ . Resources are represented by atomic formulae A✞ B✞✡✟✡✟✠✟☞☛ Atoms. Intuitively, an atom A is valid in a place p if that place can access the resource identified by A. Were we reasoning about a particular place, the logical connectives of the intuitionistic framework would be su✌ cient. For example, assume that a particular document, doc, is partitioned in two parts, doc1 and doc2 , and in order to gain access to the document a place has to access both of its parts. This can be formally expressed as the logical formula: (doc1 ✍ doc2 ) ✎ doc, where ✍ and ✎ are the logical conjunction and implication. If doc1 and doc2 are stored in a particular place, then the usual intuitionistic rules allow to infer that the place can access the entire document. The intuitionistic framework is extended in [15] in order to reason about different places. An assertion in such a logic takes the form “✏ at p”, meaning that formula ✏ is valid at place p. The construct “at” is a meta-linguistic symbol and points to the place where the reasoning is located. For example, doc1 at p and doc2 at p formalises the notion that the parts doc1 and doc2 are located at the node p. If, in addition, the assertion ((doc1 ✍ doc2 ) ✎ doc) at p is valid, we can conclude that the document doc is available at p. 4 Please note that in the formula ✏ at p, ✏ does not contain any occurrences of the construct at. Instead, ✏ uses the modality @p, one for each place in the system, to cast the meta-linguistic at at the language level. The modality @p internalises resources at the location p, and the modal formula ✏ @p means that the property ✏ is valid at p, and not necessarily anywhere else. Indeed both ✏ at p and ✏ @p will have the same semantics, and it is possible to define an equivalent logic in which the construct at is not needed. However, we will prefer to keep the distinction in the logic as this was the case in [14, 15]. Also, the introduction and elimination rules for the modality @ is more elegant if we maintain this distinction. An assertion of the form ✏ @p at p✑ means that in the place p✑ we are reasoning about the property ✏ valid at the place p. For example, suppose that the place p has got the first half of the document, i.e., doc1 at p, and p✑ has got the second one, i.e., doc2 at p✑ . In the logic we can formalise the fact that p✑ can send the part doc2 to p by using the assertion (doc2 ✎ (doc2 @p)) at p✑ . The rules of the logic will conclude doc2 at p and so doc at p. The logic also has two other modalities ✁ to accommodate reasoning about the properties valid at di erent locations, which we discuss briefly. Knowing exactly where a property holds is a strong ability, and we may only know that the property holds somewhere without knowing the specific location where it holds. In order to deal with this, the logic has the modality ✄ : ✄☞✏ means that the formula ✏ holds in some place. In the example above, the location of doc2 is not important as long as we know that this document is located in some place from where it can sent to p. Formally, this can be expressed by the logical formula ✄ (doc2 ✍ (doc2 ✎ (doc2 @p))) at p✑ . By assuming this formula, we can infer doc2 at p, and hence the document doc is available at p. Even if we deal with resources distributed in heterogeneous places, certain properties are valid everywhere. For this purpose, the logic has the modality ☎ : ☎✒✏ means that the formula ✏ is valid everywhere. In the example above, p can access the document doc, if there is a place that has the part doc2 and can send it everywhere. This can be expressed by the formula ✄ (doc2 ✍ (doc2 ✎✓☎ doc2 )) at p✑ . The rules of the logic would allow us to conclude that doc2 is available at p. Therefore the document doc is also available at p. We now define formally the logic. As mentioned above, it is essentially the logic introduced in [15] enriched with the disjunctive connectives ✔ and ✕ , thus achieving the full set of intuitionistic connectives. This allows us to express properties such as: the document doc2 is located either at p itself or at q (n which case p has to fetch it). This can be expressed by the formula (doc2 ✔ ((doc2 @q) ✎ doc2 )) at p. For the rest of the paper, we shall assume a fixed countable set of atomic formulae Atoms, and we vary the set of places. Given a countable set of places Pl, let Frm(Pl) be the set of formulae built from the following grammar: ✏ ::✖ A ✗✙✘✚✗✛✕✚✗✜✏ ✍ ✏✢✗✣✏✤✔✥✏✦✗✜✏✦✎✓✏✦✗✣✏ @p ✗✣☎✧✏✦✗✜✄☞✏★✟ Here the syntactic category p stands for elements from Pl, and the syntactic cat5 egory A stands for elements from Atoms. The elements in Frm(Pl) are said to be pure formulae, and are denoted by small Greek letters ✏★✞✡✩✪✞✬✫✭✟✠✟✡✟ An assertion of the form ✏ at p is called sentence. We denote by capital Greek letters ✮✯✞✰✮ 1 ✞✠✟✡✟✡✟ (possibly empty) finite sets of pure formulae, and by capital Greek letters ✝✱✞✲✝ 1 ✞✠✟✡✟✡✟ (possibly empty) finite sets of sentences. Each judgement in this logic is of the form ✮ ; ✝✴✳ P ✏ at p✟ where ✵ ✵ the global context ✮ is a (possibly empty) finite set of pure formulae, and represents the properties assumed to hold at every place of the system; ✵ the local context ✝ is a (possibly empty) finite set of sentences; since a sentence is a pure formula associated to a place, ✝ represents what we assume to be valid in any particular place. ✵ the sentence ✏ at p says that ✏ is derived to be valid in the place p by assuming ✮ ; ✝ . P is a set of places. It represents the part of the system we are focusing on. In the judgement, it is assumed that the places mentioned in ✮ and ✝ are drawn from the set P. More formally, if PL(X) denotes the set of places that appear in a syntactic object X, then it must be the case that PL(✮ ) ✶ PL(✝ ) ✶ PL(✏ at p) ✷ P. Any judgement not satisfying this condition is assumed to be undefined. A natural deduction system without disjunctive connectives is given in [14, 15]. The natural deduction system with disjunctive connectives is given in Figure 1. The most interesting rules are ✄ E, the elimination of ✄ , and ☎ I, the introduction of ☎ . In these rules, P ✸ p denotes the disjoint union P ✶✺✹ p ✻ , and witnesses the fact that the place p does not occur in both ✮ and ✝ . If p ☛ P, then P ✸ p, and any judgement containing such notation, is assumed to be undefined in order to avoid a side condition stating this requirement. The rule ✄ E explains how we can use formulae valid at some unspecified location: we introduce a new place and extend the local context by assuming that the formula is valid there. If any assertion that does not mention the new place is validated thus, then it is also validated using the old local context. The rule ☎ I says that if a formula is validated in some new place, without any local assumption on that new place, then that formula must be valid everywhere. The rules ✄ I and ☎ E are reminiscent of the introduction of the existential quantification, and the elimination of universal quantification in first-order intuitionistic logic. This analogy, however has to be taken carefully. For example, if ✮ ; ✝✼✳ P ✄☞✩ at p, then we can show using the rules of the logic that ✮ ; ✝✽✳ P ☎✒✄☞✩ at p. In other words, if a formula ✩ is true in some unspecified place, then every place can deduce that there is some place where ✩ is true. 6 L G ✮ ; ✝✱✞✡✏ at p ✳ P ✏ at p ✮✯✞✡✏ ; ✝✾✳ P ✏ at p ✿ I ❀ E ✮ ; ✝✾✳ P ✕ ✮ ; ✝✾✳ P ✘ ✮ ; ✝✾✳ at p ❁ I ✮ ; ✝✾✳ P ✏ 1 at p ✮ ; ✝✾✳ P ✏ 2 at p ✮ ; ✝✾✳ P ✏ 1✍ ❁ E (i❂ 1❃ 2) i ✮ ; ✝✾✳ P ✏ 1 ✍ ✏ 2 at p ✮ ; ✝✾✳ P ✏ i at p ✏ 2 at p ❄ E ✮ ; ✝✾✳ P ✏ 1 ✔✥✏ 2 at p ✮ ; ✝✱✞✡✏ 2 at p ✳ P ✩ at p ✮ ; ✝✱✞✡✏ 1 at p ✳ P ✩ at p ❄ I (i❂ 1❃ 2) ✮ ; ✝✾✳ P ✏ i at p ✮ ; ✝✾✳ P ✏ 1 ✔✥✏ 2 at p ✮ ; ✝✾✳ P ✩ ❅ I ✮ ; ✝✱✞✡✏ at p ✳ P ✩ ✮ ; ✝✾✳ P ✢ ✏ ✎❆✩ ❈ at p at p ✮ ; ✝✾✳❇✩ at p @E ✮ ; ✝✾✳ P ✏ @p at p✑ at p @p at p✑ ✮ ; ✝✾✳ P ✏ at p ❈ I ✮ ; ✝✾✳ P ✏ ✮ ; ✝✾✳ P ✄☞✏ at p ❅ E ✮ ; ✝✾✳ P ✢ ✏ ✎❆✩ at p P ✮ ; ✝✾✳ ✏ at p @I ✮ ; ✝✾✳ P ✏ ✮ ; ✝✾✳ P ✏ at p ✩ at p P E ✮ ; ✝✾✳ P ☞ ✄ ✏ at p✑ ✮ ; ✝✱✞✡✏ at q ✳ P❉ q ✩ at p at p✑ ✮ ; ✝✾✳ P ✩ at p✑❋✑ ● I ● E ✮ ; ✝✾✳ P❉ q ✏ at q ✮ ; ✝✾✳ P ☎✒✏ at p ✮✯✞✡✏ ; ✝✾✳ P ✩ at p✑ ✮ ; ✝✾✳ P ☎✒✏ at p ✮ ; ✝✾✳ P ✩ at p✑ Figure 1: Natural deduction. 7 at p✑❊✑ Also note that the rule ✕ E as stated has a local flavour: from ✕ at p, we can infer any other property in the same place, p. However, the rule has a ”global” consequence. If we have ✕ at p, then we can infer ✕ @q at p. Using @E, we can then infer ✕ at q. Hence, if a set of assumptions makes a place inconsistent, then it will make all places inconsistent. As we shall see in section 2.1, the Kripke semantics of this logic would be similar to the one given for intuitionistic system IS5 [21, 26, 29]. Hence this logic can be seen as an instance of Hybrid IS5 [6]. 2.1 Kripke Semantics There are a number of semantics for intuitionistic logic and intuitionistic modal logics that allow for a completeness theorem [6, 16, 29, 10, 28, 21, 23]. In this Section, we concentrate on the semantics introduced by Kripke [17, 31], as it is convenient for applications and fairly simple. This would provide a formalisation of the intuitive concepts introduced above. In Kripke semantics for intuitionistic propositional logic, logical assertions are interpreted over Kripke models. The validity of an assertion depends on its behaviour as the truth values of its atoms change from false to true according to a Kripke model. A Kripke model consists of a partially ordered set of Kripke states, and an interpretation, I, that maps atoms into states. The interpretation tells which atoms are true in a state. It is required that if an atom is true in a state, then it must remain true in all larger states. Hence, in a larger state more atoms may become true. Consider a logical assertion built from the atoms A1 ✞✡✟✡✟✠✟✯✞ An . The assertion is said to be valid in a state if it continues to remain valid in all larger states. In order to express the full power of the logic introduced in above, we need to enrich the model by introducing places. We achieve this by associating a set of places Pk to each Kripke state k. The formulae of the logic are validated in these places. The interpretation is indexed by the Kripke states, and the interpretation Ik maps atoms into the set Pk . Since we consider atoms to be resources, the map Ik tells how resources are distributed in the Kripke state k. In the case of intuitionistic propositional logic, an atom validated in a Kripke state is validated in all larger states. In order to achieve the corresponding thing, we shall require that all places appearing in a Kripke state appear in every larger state. Furthermore, we require that if Ik maps an atom into a place, then Il should map the atom in the same place for all states l larger than k. In terms of resources, it means that places in larger states have possibly more resources. The Kripke models that we shall define now are similar to the Kripke models defined for the intuitionistic modal system IS5 [10, 28, 21, 23, 6, 29]. In the definition, the K is the set of Kripke states, whose elements are denoted by k ✞ l✞✡✟✠✟✡✟ . The relation ❍ is the partial order on the set of states. Definition 1 (Distributed Kripke Model) A quadruple ■❏✖ (K✞✣❍✪✞✜✹ Pk ✻ k❑ ✹ Ik ✻ k❑ K ) is called a distributed Kripke model if 8 K✞ ✵ K is a (non empty) set; ✵ ❍ is a partial order on K; ✵ P is a non-empty set of places for all k ☛ K; k ✵ P ✷ P if k ❍ l; k l ✵ I : Atoms ✎ k Let Pls ✖ Pow(Pk ) is such that if Ik (A) ✷ Il (A) for all k ❍ l. Pk . We shall say that Pls is the set of places of ■ . k❑ K The definition tells only how resources, i.e. atoms, are distributed in the system. In order to give semantics to the whole set of formulae Frm(Pls), we need to extend Ik . The interpretation of a formula depends on its composite parts, and if it is valid in a place in a given state, then it remains valid at the same place in all larger states. For example, the formula ✏ ✍ ✩ is valid in a state k at place p ☛ Pk , if both ✏ and ✩ are true at place p in all states l ▲ k. The introduction of places in the model allows the interpretation of the spatial modalities of the logic. Formula ✏ @p is satisfied at a place in a state k, if it is true at p in all states l ▲ k; ✄☞✏ and ☎✧✏ are satisfied at a place in state k, if ✏ is true respectively at some or at every place in all states l ▲ k. We extend now the interpretation of atoms to interpretation of formulae by using induction on the structure of the formulae. The interpretation of formulae is similar to that used for modal intuitionistic logic [10, 28, 21, 23, 6, 29]. Definition 2 (Semantics) Let ■❆✖ (K✞✜❍✪✞✣✹ Pk ✻ k❑ K ✞✣✹ Ik ✻ k❑ K ) be a distributed Kripke model with set of places Pls. Given k ☛ K, p ☛ Pk , and a pure formula ✏ with PL(✏ ) ✷ Pls, we define (k ✞ p) ✗✖▼✏ inductively as: (k ✞ (k ✞ (k ✞ (k ✞ (k ✞ (k ✞ (k ✞ (k ✞ (k ✞ p) p) p) p) p) p) p) p) p) ✗✖ A ✗✖ ✕ ✏ ✍ ✩ ✏ ✔✥✩ ❖ ✏✢✎✓✩ ✗✖ ✗✖ ✗✖ ✗✖ ✗✖ ✗✖ ✗✖ ✁ ✘ i ✁ i ✏ @q ☎✒✏ ✄☞✏ i ✁ i ✁ i ✁ i ✁ i ✁ i ✁ p ☛ Ik (A); p ☛ Pk ; never; (k ✞ p) ✗✖◆✏ and (k ✞ p) ✗✖◆✩ ; (k ✞ p) ✗✖◆✏ or (k ✞ p) ✗✖▼✩ ; (l ▲ k and (l✞ p) ✗✖◆✏ ) implies ✗✖◆✩ ; q ☛ Pk and (k ✞ q) ✗✖▼✏ ; (l ▲ k and q ☛ Pl ) implies (l✞ q) ✗✖P✩ ; there exists q ☛ Pk such that (q✞ k) ✗✖▼✏ . We pronounce (k ✞ p) ✗✖▼✏ as (k ✞ p) forces ✏ , or (k ✞ p) satisfies ✏ . We write k ✗✖▼✏ at p if (k ✞ p) ✗✖◆✏ . It is clear from the definition that if k ✗✖◗✏ at p, then PL(✏ at p) ✷ Pk . Please note that in this extension, except for logical implication and the modality ☎ , we have not considered larger states in order to interpret a modality or a connective. It turns out that the satisfaction of a formula in a state implies the satisfaction in all larger states. 9 Proposition 1 (Kripke Monotonicity) Let ■❘✖ (K✞✣❍❙✞✣✹ Pk ✻ k❑ K ✞✣✹ Ik ✻ k❑ K ) be a distributed Kripke model with set of places Pls. The relation ✗✖ preserves the partial order on K, i.e., for each k ✞ l ☛ K, p ☛ Pk , and ✏✢☛ Frm(Pk ), if l ▲ k then (k ✞ p) ✗✖▼✏ implies (l✞ p) ✗✖P✏ . ❚ Proof: Standard, by induction on the structure of formulae. Consider now the distributed database described before. We can express the same properties that we inferred in Section 2 by using a distributed Kripke model. Fix a Kripke state k. The assumption that the two parts, doc1 ✞ doc2 , can be combined in p in a state k to give the document doc can be expressed as (k ✞ p) ✗✖ (doc1 ✍ doc2 ) ✎ doc. If the resources doc1 and doc2 are assigned to the place p, i.e., (k ✞ p) ✗✖ doc1 and (k ✞ p) ✗✖ doc2 , then, since (k ✞ p) ✗✖ doc1 ✍ doc2 , it follows that (k ✞ p) ✗✖ doc. Let us consider a slightly more complex situation. Suppose that k ✗✖✺✄ ( doc2 ✍ (doc2 ✎ ☎ doc2 ) ) at p✑ . According to the semantics of ✄ , there is some place r such that (k ✞ r) ✗✖ doc2 ✍ (doc2 ✎ ☎ doc2 ). The semantics of ✍ tells us that (k ✞ r) ✗✖ doc2 and (k ✞ r) ✗✖ (doc2 ✎❆☎ doc2 ). Since (k ✞ r) ✗✖ doc2 , we know from the semantics of ✎ that (k ✞ r) ✗✖P☎ doc2 , and from the semantics of ☎ that (k ✞ p) ✗✖ doc2 . Therefore, if doc1 is placed at p in the state k, then the whole document doc would becomes available at place p in state k. In order to give semantics to the judgements of the logic, we need to extend the definition of forcing relation to judgements. We begin by extending the definition to contexts. Definition 3 (Forcing on Contexts) Let ■❯✖ (K✞✣❍❙✞✣✹ Pk ✻ k❑ K ✞✣✹ Ik ✻ k❑ K ) be a distributed Kripke model. Given a state k in K, a finite set of pure formulae ✮ , and a finite set of sentences ✝ such that PL(✮ ; ✝ ) ✷ Pk ; we say that k forces the context ✮ ; ✝ (and we write k ✗✖❱✮ ; ✝ ) if 1. for every ✏✢☛❲✮ and every p 2. for every ✩ at q ☛❲✝ : (k ✞ q) ☛ ✗✖P✩ Pk : (k ✞ p) ✗✖P☎✒✏ ; . Finally, we extend the definition of forcing to judgements. Definition 4 (Satisfaction for a Judgment) Let ■❳✖ (K✞✣❍✪✞✜✹ Pk ✻ k❑ K ✞✜✹ Ik ✻ k❑ K ) be a distributed Kripke model. The judgement ✮ ; ✝✴✳ P ✫ at p is said to be valid in ■ if ✵ ✵ PL(✮ ) ✶ PL(✝ ) ✶ PL(✫ ) ✶✦✹ p ✻❙✷ P; for every k ☛ K such that P ✷ Pk , if k ✗✖❨✮ ; ✝ then (k ✞ p) ✗✖❩✫ . Moreover, we say that ✮ ; ✝❬✳ P ✫ at p is valid (and we write ✮ ; ✝❬✗✖◆✫ at p) if it is valid in every distributed Kripke model. 10 Although, it is possible to obtain soundness and completeness of distributed Kripke semantics directly, we shall not do so in this paper. Instead, they will be derived as corollaries. Soundness will follow from the soundness of birelational semantics and encoding of distributed Kripke models into birelational models. Completeness will emerge as a corollary in the proof of construction of finite counter-model. 3 Birelational Models One other semantics given for modal intuitionistic logics in literature is birelational semantics [10, 28, 23, 29]. The advantage of using birelational models is that they usually enjoy the finite model property, which then immediately gives the decidability of the logic. Kripke semantics for intuitionistic modal logics usually does not enjoy this property [22, 29], as would be the case with our Kripke semantics also. Birelational models, like Kripke models, have a set of partially ordered states. The partially ordered states will be called worlds, and we use u✞ v✞ w✞✠✟✡✟✠✟ to range over them. Formulae will be validated in worlds, and if a formula is validated in a world, then it will be validated in all larger worlds. In order to validate atoms we have the interpretation I, which maps atoms into a subset of worlds. If I maps an atom into a world, then it will map the atom in all larger worlds. In addition to the partial order, however, there is also a second binary relation on the set of states which is called reachability or accessibility relation. Intuitively, uRw means that w will be reachable from u. As our logic is a hybridisation for S5, the relation R will be an equivalence relation. The relation R will also satisfy a technical requirement, reachability condition, that is necessary for ensuring the monotonicity and soundness of the logic. Unlike the distributed Kripke semantics, the states will not have a set of places associated to them. Instead, we have a partial function Eval, which maps a world to a single place. In a sense which we will make precise in Section 3.2, a world in a birelational model corresponds to a place in a specific Kripke state. As we shall see later, the partiality of the function Eval is crucial in the proof of finite model property. In the case Eval(w) is defined and is p, we shall say that w evaluates to p. In addition to partiality, Eval will also satisfy two other properties: coherence and uniqueness. Coherence says that if a world evaluates to p, then all larger worlds evaluate to p. Together with the reachability condition, coherence will ensure the monotonicity of the modality @. Uniqueness will say that no two worlds reachable from each other can evaluate to t he same place. Uniqueness will be essential for the soundness of introduction of conjunction ( ✍ I), and of implication ( ✎ I). We are now ready to formally define birelational models. 11 Definition 5 (Birelational Model) Given a set of places Pls, a birelational model on Pls is a quintuple ❭ Pls ✖ (W✞✣❍✪✞ R ✞ I ✞ Eval), where 1. W is a (non empty) set, ranged over by v✞ v✑ ✞ w✞ w✑ ✞✡✟✡✟✠✟ . 2. ❍ is a partial order on W. 3. R ✷ W ❪ W is an equivalence relation and satisfies the reachability condition: if w✑ ▲ w R v then there exists v✑ such that w✑ R v✑ ▲ v; 4. I : Atoms ✎ Pow(W) is such that if w ☛ I(A) then w✑✒☛ I(A) for all w✑✧▲ w. 5. Eval : W ✎ Pls is a partial function. We write v ❫ if Eval(v) is not defined, v ❴ if Eval(v) is defined, and v ❴ p if Eval(v) is defined and equal to p. Moreover, the following properties hold: (a) coherence: for any v ☛ W, if v ❴ p then w ❴ p for every w ▲ v; (b) uniqueness: for every v ☛ W such that v ❴ p, if v R v✑ and v✑❵❴ p, then v ✖ v✑ . In addition to the reachability condition, usually there is another similar condition in birelational models for intuitionistic modal logics [10, 28, 23, 29]: if w R v ❍ v✑ then there exists w✑ such that w ❍ w✑ R v✑ Please note that in our case, since R is an equivalence relation, this follows immediately from the reachability condition. We are now ready to extend the interpretation of atoms to formulae. The formula ✏ @p is true in a world w, if there is a reachable world which evaluates to p and where ✏ is valid. The formula ✄☞✏ is validated in a world w, if there is a reachable world (not necessary in the domain of Eval) where ✏ is valid. The formula ☎✒✏ is valid in a world w if ✏ is valid in all worlds reachable from worlds w✑ larger than w. Definition 6 (Bi-forcing Semantics) Let ❭ Pls ✖ (W✞✜❍✪✞ R✞ I ✞ Eval) be a birelational model on Pls. Given w ☛ W, and a pure formula ✏✦☛ Frm(Pls), we define the forcing relation w ✗✖P✏ inductively as follows: w w w w w w w w w ✗✖ A ✗✖✾✘ ✗✖✾✕ ✗✖▼✏ ✍ ✩ ✗✖▼✏✤✔✥✩ ✗✖▼✏✢✎❆✩ ✗✖▼✏ @q ✗✖▼☎✧✏ ✗✖▼✄❛✏ ✁ i ✁ i ✁ i ✁ i ✁ i ✁ i ✁ i w ☛ I(A); for all w ☛ W; never; w ✗✖▼✏ and w ✗✖▼✩ ; w ✗✖▼✏ or w ✗✖P✩ ; (v ▲ w and v ✗✖▼✏ ) implies v ✗✖◆✩ ; there exists v such that w R v, v ❴ q and v ✗✖◆✏ ; (v ▲ w and v R v✑ ) implies ✗✖▼✏ ; there exists v ☛ W such that wRv and v ✗✖◆✏ . 12 We pronounce w ✗✖▼✏ as w forces ✏ , or w satisfies ✏ . We have the monotonicity of the logic. Proposition 2 (Monotonicity) Let ❭ Pls be a birelational model on Pls. The relation ✗✖ preserves the partial order in W, namely, for every world w in W and ✏✦☛ Frm(Pls), if v ▲ w then w ✗✖▼✏ implies v ✗✖▼✏ . Proof: The proof is straightforward, and proceeds by induction on the structure of formulae. Here, we just consider the induction step in which ✏ is of the form ✏ 1 @p. Suppose that w ✗✖❜✏ 1 @p. Then there is a w✑ such that w R w✑ , w✑❝❴ p and w✑ ✗✖▼✏ 1 . Consider now v ▲ w. Since w R w✑ , we obtain by the reachability condition that there is a world v✑ such that v R v✑ and v✑ ▲ w✑ . Using induction hypothesis, since w✑❞✗✖❡✏ 1 , we obtain v✑❇✗✖❢✏ 1 . Now, since v✑❇▲ w✑ and w✑❵❴ p, we get by coherence ❚ property, v✑ ❴ p. Finally, since v✑ R v, we get v ✗✖◆✏ 1 @p by definition. As an example, consider the birelational model ❭ exam with two worlds, say w1 and w2 . We take w1 ❍ w2 , and both worlds are reachable from each other. The world w2 evaluates to p, while the evaluation of w1 is undefined. Let A be an atom. We define I(A) to be the singleton ✹ w2 ✻ . For any formula ✏ , we abbreviate ✏❨✎❣✕ as ❤✪✏ . Consider the pure formula ❤ A. Now, by definition, w2 ✗✖ A and therefore w2 ✗✖❥ ✐ ❤ A. Also, as w1 ❍ w2 , we get w1 ✗✖❜ ✐ ❤ A. This means that w2 ✗✖❜❤✧❤ A, and w1 ✗✖✾❤✧❤ A. Hence, we get w1 ✞ w2 ✗✖◆☎❦❤✒❤ A. On the other hand, consider the formula ❤✒❤✪☎ A. We have by definition that w1 ✗✖ ✐ A. As w1 is reachable from both w1 and w2 , we deduce that w1 ✞ w2 ✗✖❬ ✐ ☎ A. Using the semantics of ✎ , we get that w1 ✞ w2 ✗✖✾ ✐ ❤✧❤✪☎ A. We now extend the semantics to the judgements of the logic. We begin by extending the semantics to contexts. Definition 7 (Bi-forcing on Contexts) Let ❭ Pls ✖ (W✞✣❍❙✞ R ✞ I ✞ Eval) be a birelational model on Pls. Given a finite set of pure formulae ✮ , and a finite set of sentences ✝ , such that PL(✮ ; ✝ ) ✷ Pls; we say that w ☛ W forces the context ✮ ; ✝ (and we write w ✗✖P✮ ; ✝ ) if 1. for every ✏✢☛❲✮ : w 2. for every ✩ at q ☛❲✝ ✗✖◆☎✧✏ :w , and ✗✖P✩ @q. In order to extend the semantics to judgements, we need one more definition. We say that a place p is reachable from a world v, if there is a world which evaluates to p and is reachable from v. The set of all places reachable from a world v will be denoted by Reach(v). More formally, Reach(v) ✖✺✹ p : w ❴ p for some w v ❍ ☛ W✞ v R w ✻ It can be easily shown using the reachability condition and coherence that if w, then every place reachable from v is also reachable from w: 13 Proposition 3 (Reachability) Given any birelational model, then: 1. If v ❍ w, then Reach(v) ✷ Reach(w). 2. If v R w, then Reach(v) ✖ Reach(w). We are now ready to extend the satisfaction to judgements. Definition 8 (Bi-satisfaction for Judgments) The sequent ✮ ; ✝❧✳ to be valid in the birelational model ❭ Pls ✖ (W✞✣❍❙✞ R ✞ I ✞ Eval) if: ✵ ✵ P ✏ at p is said PL(✮ ) ✶ PL(✝ ) ✶✦✹ p ✻❙✷ P; for any w ☛ W such that P ✷ Reach(w): w ✗✖P✮ ; ✝ implies w ✗✖P✏ Moreover, we say that ✮ ; ✝♠✳ P ✫ at p is bi-valid (and we write ✮ ; ✝✥✗✖ is valid in every birelational model. @p. P ✫ at p) if it For example, consider the birelational model ❭ exam on two worlds w1 and w2 discussed before. We had w1 ✞ w2 ✗✖✽☎❦❤✒❤ A and w1 ✞ w2 ✗✖♥ ✐ ❤✧❤✪☎ A. Therefore, the ♣ p judgement ; ✳✰♦ ☎❦❤✒❤ A at p is bi-valid in the model ❭ exam , while the judgement ; ☎❦❤✒❤ A at p ✳✰♦ p♣ ❤✒❤✪☎ A at p is not bi-valid in ❭ exam . In fact, we will later on show that the judgement ; ☎✱❤✒❤ A at p ✳ ♦ p♣ ❤✒❤❙☎ A at p is valid in every finite Kripke model. Therefore, this example will demonstrate that the finite model property does not hold in the case of Kripke semantics. This example is adapted from the examples in [22, 29]. We shall now prove the soundness of the birelational semantics. 3.1 Soundness The proof of soundness of birelational models has several subtleties, that arise as a consequence of the inference rules for the introduction of ☎ (☎ I), and elimination of ✄ (✄ E). Let us illustrate this for the case of ☎ I. Recall the inference rule of ☎ I from Figure1: ✮ ;✺ ✝ ✳ P❉ q ✏ ✮ ; ✝✺✳ P ☎✒✏ at q at p In order to show the soundness of this rule, we have to show that the judgement P ☎✧✏ at p is bi-valid whenever the judgement ✮ ; ✝♥✳ P❉ q ✏ at q is bi-valid. Now, to show that the judgement ✮ ; ✝❬✳ P ☎✒✏ at p is bi-valid, we have to consider an arbitrary world, say w, in an arbitrary birelational model, say ❭ Pls , such that P ✷ Reach(w) and w ✗✖▼✮ ; ✝ . We need to prove that w ✗✖✴☎✒✏ @p also. For this, we need to show that for any world v in ❭ Pls such that w ❍ w✑ R v for some w✑ , it is the case that v ✗✖◆✏ . Pick one such v and fix it. ✮ ;♥ ✝ ✳ 14 Please note that without loss of generality, we can assume that Pls does not contain q (otherwise, we can always rename q in the model). In order to use the P q at q is bi-valid, we have to consider a modification hypothesis that ; of Pls . One strategy, that is adopted in the case of Kripke semantics [6], is to v. The new worlds vq duplicate v add new worlds vq , one for each world v in all respects except that they evaluate to q. If the resulting construction yields a birelational model, then Reach(vq ) would contain P as well as q. The next step would be to show that any formula , that does not refer to the place q, is satisfied by vq if and only if it is satisfied by v . Using this, the next step would be to show that vq forces the context ; in the new model also. Then, we can use the hypothesis to obtain that vq satisfies @q. Since vq evaluates to q, we will get that vq forces . As does not refer to q, we will get that v forces . We can then conclude the proof by observing that v v, and choosing v to be v. In fact, if the world v was in the domain of Eval, then the above outline would have worked. However, this breaks down in case v . To illustrate this, suppose that there is a world v such that v v , v and v R v . In the construction of the extension, we would thus have two worlds vq and vq reachable from each other, that evaluate to the same place q, which would violate the uniqueness condition. This breakdown is fatal for the proof and cannot be fixed. Coherence demands that vq q if vq q. So, we cannot fiddle with the evaluation. We cannot even relax uniqueness as this will be needed for soundness of introduction of conjunction ( I) and of implication ( I). Furthermore, we cannot require that the evaluation is a total function: it is the partiality of this function that gives us the finite model property. Indeed, if the function was total, the class of birelational models would be equivalent to the class of Kripke models, and we would have not gained anything by using birelational models. Our strategy to prove soundness is to construct a birelational model from Pls , called q-extension, whose worlds are the union of two sets. The first one of these sets is the reachability relation R of Pls . The second one will be the Cartesian product q W, where W is the set of worlds of Pls . Hence, the worlds of the q-extension are ordered pairs. A world (w w) will evaluate to the same place as w , and (q w) will evaluate to q. Two worlds will be reachable from each other only if they agree in the second entry. The construction would guarantee (see Lemma 2) that given Frm(Pls), the world (w w) satisfies if and only if w does, and the world (q w) satisfies if and only if w does. The proof of soundness of I would work as follows. Let v be a fixed world. Consider the world (q v) in the q-extension. We will show that v satisfies ; , and hence (q v) satisfies ; . The set of reachable places from (q v) contain P as well as q , and we can thus conclude that (q v) satisfies @q. Since (q v) evaluates to q, we conclude that (q v) satisfies @q. As mentioned above, this is equivalent to saying that v satisfies . We are ready to carry out this proof formally. We begin by constructing the q-extension, and showing that this is a birelational model. ✮ ✝q✳ ❉ ✏ ❭ ✑ ✑✤▲ ✑ ✑ ✑ ✑ ✑ ✏ ✮ ✝ ✑ ✏ ✑ ✏ ✑ ✑ ▲ ❫ ❍ ✑ ✑❫ ✑ ✑❴ ✩ ✑ ✏ ✑ ✑ ✑ ❴ ✍ ✎ ❭ ❭ ✹ ✻✯❪ ✑ ✞ ✑✞ ✞ ✮ ✝ ❭ ✑r✞ ✩ ✞ ✑ ✩❱☛ ✞ ☎ ✞ ✮ ✝ ✞ ✏ 15 ✏ ✞ ✏ ✩ ✞ Lemma 1 (q-Extension) Let ❭ Pls ✖ (W✞✜❍✪✞ R ✞ I ✞ Eval) be a birelational model on Pls. Given a new place q s Pls, we define the q-extension ❭✉t q ✈ Pls✇ to be the quintuple (W ✑①✞✜❍✯✑r✞ R ✑r✞ I✑①✞ Eval✑ ), where 1. Pls✑ 2. W ✑ 3. ✖ def ✖ def ❍ ✑✷ Pls ✶❩✹ q ✻ . ✶ ( ✹ q ✻②❪ R W✑ ❪ W). W ✑ is defined as: - (w✑r✞ w) 4. R ✑ - ✯❍ ✑ (v✑①✞ v) if and only if w✑✒❍ v✑ (q✞ w) ❍★✑ (q✞ v) if and only if w ❍ v; ✷ W✑ ❪ and w ❍ v, W ✑ is defined as: - (w✑r✞ w) R ✑ (v✑①✞ w), - (w✑ ✞ w) R ✑ (q✞ w), - (q✞ w) R ✑ (w✑ ✞ w), and - (q✞ w) R ✑ (q✞ w). 5. I ✑ : Atoms - I ✑ (A) ✎ Pow(W ✑ ) is defined as: ✖③✹ def 6. Eval✑ : W ✑✒✎ (w✑r✞ w) ✗ w✑✧☛ I(A)✞ w✑ R w ✻④✶✦✹ (q✞ w) ✗ w ☛ I(A) ✻ ; Pls✑ is defined as - Eval✑ ((w✑ ✞ w)) - Eval✑ ((q✞ w)) ✖ ✖ def def Eval(w✑ ) for every (w✑ ✞ w) q for every w ☛ ☛ R ,1 W. The q-extension is a birelational model. Proof: We need to show the five properties of Definition 5. 1. Clearly W ✑ is a non empty set if W is. 2. Since ❍ is a partial order, then ❍ ✑ is a partial order too. 3. The relation R ✑ is an equivalence by definition. We show that R ✑ satisfies the reachability condition by cases. There are four possible cases. Case a. Assume that (v✑①✞ v) ▲✯✑ (w✑①✞ w) R ✑ (w✑❊✑r✞ w). The hypothesis says that v ▲ w, v✑✤▲ w✑ , v✑ R v, w✑ R w and w✑⑤✑ R w. Since R is an equivalence, we get v✑ ▲ w✑ R w✑⑤✑ . Using reachability condition for R , there exists v✑⑤✑⑥☛ W such that v✑ R v✑⑤✑⑦▲ w✑⑤✑ . Hence, we conclude (v✑ ✞ v) R ✑ (v✑❊✑ ✞ v) ▲ (w✑ ✞ w). 1 In the equality, left hand side is defined only if the right hand side is. 16 Case b. Assume that (q✞ v) ▲★✑ (q✞ w) R ✑ (w✑①✞ w). This means that v ▲ w and w R w✑ . By reachability condition for R , there is a v✑ such that v R v✑⑦▲ w✑ , and we conclude (q✞ v) R ✑ (v✑r✞ v) ▲✯✑ (w✑r✞ w). Case c. Assume that (v✑①✞ v) ▲✯✑ (w✑①✞ w) R ✑ (q✞ w). This means v ▲ w, and we conclude (v✑✬✞ v) R ✑ (q✞ v) ▲✯✑ (q✞ w). Case d. Assume that (q✞ v) ▲★✑ (q✞ w) R ✑ (q✞ w). We have v ▲ w, and we conclude (q✞ v) R ✑ (q✞ v) ▲✯✑ (q✞ w). 4. In order to check monotonicity for I ✑ , we consider two cases: Case a. Assume that (w✑r✞ w) ☛ I✑ (A). This means that w✑⑧☛ I(A). If (v✑✬✞ v) ▲✯✑ (w✑①✞ w), then v✑⑥▲ w✑ . By the monotonicity of I, we get v✑ ☛ I(A). Hence (v✑ ✞ v) ☛ I ✑ (A). Case b. Assume that (q✞ w) ☛ I(A). This means that w ☛ I(A). If (q✞ v) ▲★✑ (q✞ w), then v ▲ monotonicity of I, we get v ☛ I(A). Hence (q✞ v) ☛ I ✑ (A). w. By the 5. According to the definition, Eval✑ is a partial function. We need to verify the two properties required for a birelational model. Coherence. We have to show that if a world in the new model evaluates to some place, then all the higher worlds evaluate to the same place. There are two possible cases. Case a. Assume that (v✑ ✞ v) ▲ ✑ (w✑ ✞ w), and (w✑ ✞ w) ❴ p We get by definition, v✑❩▲ w✑ and w✑❝❴ p. By coherence on the model ❭ Pls , we get v✑ ❴ p. Hence (v✑ ✞ v) ❴ p. Case b. Assume that (q✞ v) ▲ ✑ (q✞ w). We have by definition, (q✞ v) ❴ q and (q✞ w) ❴ q. ✁ Uniqueness. We have to show that two di erent worlds reachable from each other cannot evaluate to the same place. As (q✞ v) always evaluates to q, two worlds (w✞ v) and (q✞ w) cannot evaluate to the same place. There are two other possible cases. Case a. Suppose (v✑✬✞ v) R ✑ (w✑r✞ w), (w✑r✞ w) ❴ p and (v✑①✞ v) ❴ p. We have by definition v✑ R v, w✑ R w, v ✖ w, w✑ ❴ p and v✑ ❴ p. Since R is an equivalence and v ✖ w, we get v✑ R w✑ . By uniqueness on ❭ Pls , we get v✑ ✖ w✑ . Therefore (v✑ ✞ v) ✖ ✑ (w✑ ✞ w) Case b. Suppose that (q✞ v) R ✑ (q✞ w), (q✞ w) ❴ q and (q✞ v) ❴ q. ❚ We have by definition v ✖ w, and hence (q✞ v) ✖ (q✞ w). We will now show that if a pure formula, say ✩ , does not mention q, then (w✑r✞ w) satisfies ✩ only if w✑ does. Furthermore, (q✞ w) satisfies ✩ only if w does. 17 Lemma 2 (❭✉t u✞ q ✈ Pls✇ is conservative) Let ❭ Pls ✖ (W✞✣❍✪✞ R ✞ I ✞ Eval) be a birelational model, and let ❭✉t q ✈ Pls✇ ✖ (W ✑ ✞✣❍ ✑ ✞ R ✑ ✞ I ✑ ✞ Eval✑ ) be its q-extension. Let ✗✖ and ✗✖❙✑ extend the interpretation of atoms in ❭ Pls and ❭✉t q ✈ Pls✇ respectively. For every ✏✢☛ Frm(Pls) and w ☛ W, we have: 1. for every w✑ R w, (w✑①✞ w) 2. (q✞ w) ✗✖ ✑ ✏ ✗✖②✑✬✏ if and only if w if and only if w✑✧✗✖▼✏ ; and ✗✖◆✏ . Proof: We prove both the points simultaneously by induction on the structure of formulae in Frm(Pls). Base of induction. The two points are verified on atoms, on ✘ , and on ✕ by definition. Inductive hypothesis. We consider a formula ✏◗☛ Frm(Pls), and assume that the two points hold for all sub-formulae ✏ i of ✏ . In particular, we assume that for every w ☛ W: 1. for every w✑ R w, (w✑①✞ w) 2. (q✞ w) ✗✖ ✑ ✏ i ✗✖②✑✬✏ if and only if w i ✗✖▼✏ if and only if w✑✒✗✖P✏ i ; and i. We shall prove the Lemma only for the modal connectives and for the logical connective ✎ . The other cases can be treated similarly. We shall also only consider point 1, as the treatment of point 2 is analogous. We pick w ☛ W and w✑ R w, and fix them. ✵ Case ✏⑨✖◆✏ 1 ✎✓✏ 2. for every (v✑ ✞ v) Suppose (w✑ ✞ w) ▲ ✑ ✗✖ ✑ ✏ 1 ✎✓✏ (w✑ ✞ w), we have (v✑ ✞ v) We need to show that w✑ ✗✖◗✏ . Pick v✑ su✌ ces to show that v✑✒✗✖◆✏ 2 . ▲ 2. ✗✖ ✑ ✏ Then 1 implies (v✑ ✞ v) w✑ such that v✑ ✗✖✚✏ 1, ✗✖ ✑ ✏ 2 ✟ (1) and fix it. It We have v✑❦▲ w✑ R w. By the reachability condition, there exists v that v✑ R v ▲ w. Hence, (v✑r✞ v) ▲✯✑ (w✑✬✞ w). ☛ W such The induction hypothesis says that (v✑✬✞ v) ✗✖✪✑r✏ 1 . We have (v✑①✞ v) ✗✖❙✑✬✏ 2 by (1) above. Hence v✑ ✗✖▼✏ 2 , by applying induction hypothesis one more time. For the other direction, assume that w✑ for every v✑ ▲ ✗✖▼✏ w✑ , we have v✑ 1 ✎✓✏ ✗✖P✏ 1 2. Then implies v✑ ✗✖▼✏ 2 ✟ (2) Now consider (v✑ ✞ v) ▲ ✑ (w✑ ✞ w), and assume (v✑ ✞ v) ✗✖ ✑ ✏ 1 . From (v✑ ✞ v) ▲ ✑ (w✑r✞ w), we have v✑✭▲ w✑ . From (v✑①✞ v) ✗✖⑩✑r✏ 1 and induction hypothesis, we have v✑❶✗✖❷✏ 1 . Since v✑❶▲ w✑ , we get from (2) above, v✑❶✗✖❷✏ 2 . Therefore (v✑ ✞ v) ✗✖ ✑ ✏ 2 , by induction hypothesis once again. We conclude by definition that (v✑①✞ v) ✗✖★✑r✏ 1 ✎❆✏ 2 . 18 ✵ Case ✏⑨✖◆✏ @p. Since ✏ @p ☛ Frm(Pls), we have p ❸ q. 1 1 (w✑r✞ w) ✗✖⑧✑r✏ 1 @p is equivalent to saying that there is a world (v✑✬✞ w) ☛ W ✑ such that: (v✑ ✞ w) R ✑ (w✑ ✞ w), (v✑ ✞ w) ❴ p, and (v✑ ✞ w) ✗✖ ✑ ✏ 1 . By induction hypothesis and definition of q-extension, this is equivalent to saying that there exists v✑❞☛ W such that: v R w✑ , v✑❝❴ p, and v✑⑩✗✖❹✏ 1 . This is equivalent to saying that w ✗✖◆✏ 1 @p by definition. ✵ Case ✏⑨✖◆✄❛✏ . 1 Suppose (w✑r✞ w) ✗✖✒✑✬✄☞✏ 1 . Then there is a world in W ✑ such that this world is reachable from (w✑r✞ w), and which satisfies ✏ 1 . There are two possibilities for this world: it can be of the form (v✞ w), or of the form (q✞ w). If it is of the form (v✞ w), then by definition we have v R w. Since R is an equivalence and w R w✑ , we have v R w✑ . Furthermore, since (v✞ w) ✗✖❺✑①✏ , we get by induction hypothesis v ✗✖◆✏ 1 . Therefore, w✑ ✗✖▼✄❛✏ 1 by definition. If the world is of the form (q✞ w), then by induction hypothesis, w ✗✖❻✏ 1 . Since w✑ R w, we get w✑✒✗✖▼✄❛✏ 1 . For the other direction, if w✑✒✗✖▼✄❛✏ 1 then there exists v R w✑ such that v ✗✖▼✏ 1 . Since R is an equivalence, we have v R w. Hence (v✞ w) is a world of the q-extension, and (v✞ w) ✗✖ ✑ ✏ 1 by induction hypothesis. Since (v✞ w) R (v✞ w✑ ), we conclude (w✑r✞ w) ✗✖★✑r✄☞✏ 1 . ✵ Case ✏✥✖◆☎✒✏ . Suppose that (w✑ ✞ w) ✗✖ ✑ ☎✧✏ . This means that ✏ is forced by 1 1 1 every world reachable from some world larger that (w✑r✞ w). In particular, we have that for every (v✑ ✞ v) ▲ (w✑ ✞ w)✞ , if (v✑❋✑ ✞ v) R ✑ (v✑ ✞ v) then (v✑❊✑ ✞ v) ✗✖ ✑ ✏ 1 ✟ (3) We need to show that w✑❼✗✖❢☎✧✏ 1 . Pick v✑①✞ v✑❊✑ such that v✑❇▲ w✑ , and v✑⑤✑ R v✑ , and fix them. It su✌ ces to show that v✑⑤✑ ✗✖◆✏ 1 . Since v✑ ▲ w✑ and w✑ R w, reachability condition for R says that there exists v ☛ W such that v✑ R v ▲ w. By transitivity, we have v✑❊✑ R v too. Hence (v✑ ✞ v) ▲ ✑ (w✑ ✞ w) and (v✑❊✑ ✞ v) R ✑ (v✑ ✞ v). Property (3) says that (v✑❊✑ ✞ v) ✗✖ ✑ ✏ 1 , and so v✑❊✑❺✗✖P✏ 1 by induction hypothesis. For the other direction, assume w✑ ✗✖▼☎✒✏ 1 . Then for every v✑ ▲ w✑ , if v✑❊✑ R v✑ then v✑❊✑ ✗✖◆✏✯✟ (4) We need to show that (w✑①✞ w) ✗✖★✑✬☎✧✏ 1 . Consider a world (v✑①✞ v) ▲✯✑ (w✑①✞ w), and fix it. We have v✑ R v, v✑❽▲ w✑ and v ▲ w. Now, consider any world reachable from (v✑ ✞ v). We need to show that this world satisfies ✏ 1 . There are two possible cases. 19 This world is of the form (v✑❋✑r✞ v). In this case, we have that v✑❋✑ R v. Since v✑ R v, we get v✑❊✑ R v✑ . Since v✑ ▲ w✑ , we get v✑❋✑ ✗✖▼✏ 1 by Property (4). Hence, (v✑❋✑r✞ v) ✗✖✪✑❾✏ 1 , by induction hypothesis. In the other case, the world is of the form (q✞ v). Since v R v✑ and v✑❺▲ w✑ , we ❚ have v ✗✖▼✏ 1 by (4). Therefore, (q✞ v) ✗✖ ✑ ✏ 1 by induction hypothesis. We need one more proposition which says that if a world satisfies a context then any world reachable from and❿ or greater than it also satisfies the context. Proposition 4 (Forcing in Reachable Places) Let ❭ Pls ✖ (W✞✜❍✪✞ R ✞ V✞ Eval) be a birelational model on Pls. Let ✮ be a finite set of pure formulae, ✝ be a finite set of sentences ✝ , and w be a world in W such that w ✗✖❨✮ ; ✝ . Then 1. v ✗✖❱✮ ; ✝ for every v R w, and 2. v ✗✖❱✮ ; ✝ for every v ▲ w. Proof: The second part of the Proposition is an easy consequence of monotonicity of the logic. For the first part, pick v R w and fix it. We need to show that if ✩ is a formula in ✮ then v ✗✖▼✩ , and that if ✏ at p is a sentence in ✝ then v ✗✖▼✏ @p. Now, if ✩✚☛➀✮ , then we have that w ✗✖◗☎✒✩ . Let v✑ ✞ v✑⑤✑ be two worlds such that v✑❊✑ R v✑✧▲ v. We will show that v✑⑤✑❺✗✖P✩ . As v✑⑤✑ is arbitrary, we will get that v ✗✖P☎✒✩ . We have v✑❦▲ v and v R w. By reachability condition, we get there is a w✑ such that v✑ R w✑ ▲ w. Since, v✑❋✑ R v✑ , and R is an equivalence, we get v✑⑤✑ R w✑ ▲ w. Finally, since w ✗✖◆☎✧✩ , we get v✑❊✑✒✗✖▼✩ as required. If ✏ at p ☛✭✝ , then we have that w ✗✖▼✏ @p. Therefore, there is a world w✑ such that w✑❵❴ p, w R w✑ and w✑✧✗✖▼✏ . Since R is an equivalence, we get v R w✑ . Therefore v ✗✖P✏ @p, and we are done. ❚ We are ready to prove soundness, which depends on Lemmas 1 and 2. Theorem 1 (Bi-soundness) If the judgement ✮ ; ✝✓✳ logic, then it is bi-valid. P ✫ at p is derivable in the Proof: The proof proceeds by induction on n, the number of inference rules, applied in the derivation of the judgement ✮ ; ✝③✳ P ✫ at p. The inference rules are given in Figure 1. The base case, where only one inference rule is used to derive the judgement follows easily from the definition. We discuss the induction step. Inductive hypothesis (n ➁ 1). We assume that the theorem holds for any judgement that is deducible by applying less than n instances of inference rules, and consider a judgement ✮ ; ✝✽✳ P ✫ at p derivable in the logic by using exactly n instances. We fix a model ❭ Pls ✖ (W✞✣❍❙✞ R ✞ V✞ Eval) on Pls, and let ✗✖ be the forcing relation in this model. Let w ☛ W be such that P ✷ Reach(w) and w ✗✖♠✮ ; ✝ . Fix w for the rest of the proof. We have to show w ✗✖✺✫ @p. We proceed by cases by 20 considering the last rule applied to obtain ✮ ; ✝✾✳ P ✫ at p. For the sake of clarity, we consider only the cases in which the last rule is introduction of implication(✎ I), introduction of ☎ (☎ I), and elimination of ✄ (✄ E). ✵ Case ✎ I. If the last inference rule used was ✎ I then ✫ is of the form , and PL(✮ ; ✝ ) ✶ PL(✏ ) ✶ PL(✩ ) ✶⑧✹ p ✻❾✷ P. Furthermore, ✮ ; ✝✱✞✠✏ at p ✳ P ✩ at p by using less than n instances of the inference rules. By induction hypothesis, ✮ ; ✝✱✞✠✏ at p ✳ P ✩ at p is bi-valid. We have to prove that there exists v R w such that v ❴ p, and v ✗✖▼✏❩✎✓✩ . ✏✢✎❆✩ Since P ✷ Reach(w), there exists v ☛ R (w) such that v ❴ p. We will prove ✏ ✎✉✩ . Pick v✑ ▲ v and fix it. We need show that if v✑ ✗✖❡✏ , then that v ✗✖❢✴ v✑✒✗✖▼✩ also. We have v✑ ❴ p by coherence property, and v✑ ✗✖✾✮ ; ✝ by Proposition 4. Also as R is reflexive, we have v✑ R v✑ . If we assume that v✑✤✗✖➂✏ , then we get by definition that v✑ ✗✖❹✏ @p. Hence, we get v✑ ✗✖✺✮ ; ✝✱✞✡✏ at p. By induction hypothesis ✮ ; ✝✱✞✠✏ at p ✳ P ✩ at p is bi-valid, and therefore v✑✧✗✖▼✩ @p. ✵ Therefore, there is a world reachable from v✑ which evaluates to p and which forces ✩ . Since v✑➃❴ p and v✑ R v✑ , uniqueness says that this world must be v✑ itself. Therefore v✑✒✗✖◆✩ , as required. Case ☎ I. Then ✫ is of the form ☎✒✏ . Moreover, PL(✮ ; ✝ ) ✶ PL(✏ ) ✶➄✹ p ✻❾✷ P, and ✮ ; ✝➅✳ P❉ q ✏ at q for some q s P by using less that n instances of the rules. By induction hypothesis, ✮ ; ✝♠✳ P❉ q ✏ at q is bi-valid. Without loss of generality, we can assume that q s Pls (otherwise, we can rename q in Pls). We have that w ✗✖❥✮ ; ✝ , and we need to show that w ✗✖✽☎✒✏ @p. Note that p ☛ P, and P ✷ Reach(w). Therefore there is a w✑ ☛ Reach(w) such that w✑❵❴ p. Pick such a w✑ , and fix it. By Proposition 4, w✑✧✗✖❱✮ ; ✝ . We shall show that w✑✧✗✖▼☎✒✏ , and we will be done. In order to show that w✑❇✗✖❢☎✒✏ , we have to show that v✑⑧✗✖❡✏ for every v✞ v✑ such that v✑ R v ▲ w. Pick such v✞ v✑ and fix them. We have v✑❖✗✖❜✮ ; ✝ by Proposition 4. Since P ✷ Reach(w) and v✑ R v ▲ w, we get P ✷ Reach(v✑ ) by Proposition 3. Let Pls✑ ✖ Pls ✶➄✹ q ✻ , and let ❭✉t q ✈ Pls✇ be the q-extension of the birelational model. Let ✗✖❖✑ be the forcing relation on ❭✉t u✞ q ✈ . From the hypothesis v✑ ✗✖P✮ ; ✝ and Lemma 2, we get (v✑ ✞ v✑ ) ✗✖ ✑ ✮ ; ✝ . ✵ From definition of q-extension, it is clear that Reach((v✑✬✞ v✑ )) ✖ Reach(v✑ ) ✶ ✹ q ✻ . Hence P ✸ q ✷ Reach((v✑ ✞ v✑ )). We can now apply the induction hypothesis on the world (v✑r✞ v✑ ), and obtain (v✑①✞ v✑ ) ✗✖★✑r✏ @q. By the definition of the q-extension, this is equivalent to (q✞ v✑ ) ✗✖ ✑ ✏ . Lemma 2 then implies that v✑✒✗✖▼✏ , as required. Case ✄ E. Then for some p✑➀☛ P and ✏❥☛ Frm(P) we can derive ✮ ; ✝➆✳ P ✄❛✏ at p✑ and ✮ ; ✝❺✞✡✏ at q ✳ P ❉ q ✫ at p by using less than n instances of the 21 rules. By induction hypothesis, ✮ ; ✝❹✳ are bi-valid. P ✄☞✏ at p✑ and ✮ ; ✝✱✞✡✏ at q ✳ P❉ q ✫ at p As is the case of ☎ I, we can assume that q s Pls. We need to show that w ✗✖❨✫ @p. Since w ✗✖✾✮ ; ✝ , the induction hypothesis says that w ✗✖✚✄☞✏ @p✑ . Therefore using the definition of forcing and equivalence of the relation R , there is a world w✑ such that w R w✑ and w✑❺✗✖✺✏ . Since w R w✑ , Proposition 4 implies that w✑✧✗✖❱✮ ; ✝ . Consider now the q-extension ❭✉t q ✈ of ❭ , with ✗✖➇✑ as forcing relation on the q-extension. Since w✑ ✗✖▼✏ and w✑ ✗✖P✮ ; ✝ , Lemma 2 says that (q✞ w✑ ) ✗✖ ✑ ✏ and (q✞ w✑ ) ✗✖⑩✑➈✮ ; ✝ . As (q✞ w✑ ) ❴ q, we get (q✞ w✑ ) ✗✖⑩✑r✮ ; ✝✱✞✠✏ at q. Finally, as P ✸ q ✷ Reach(w✑ ) ✶✺✹ q ✻⑥✖ Reach((q✞ w✑ )), induction hypothesis gives us (q✞ w✑ ) ✗✖★✑❋✫ @p. By Lemma 2, we get that w✑✧✗✖❩✫ @p. Hence, there is a w✑⑤✑ such that w✑ R w✑⑤✑ such that w✑➉✑❼✗✖▼✫ and w✑⑤✑❝❴ p. Since w R w✑ and R is an equivalence, we get w R w✑➉✑ . Therefore w ✗✖❬✫ @p, as ❚ required. 3.2 Relating Kripke and Birelational Models In this Section, we shall present an encoding of Kripke models in birelational models that preserves the forcing relation. This will allow us to prove the soundness of the logic for Kripke models. In particular, given a Kripke model with a set of states K, we construct a birelational model whose worlds are pairs (k ✞ p) where k ☛ K and p is a place in the Kripke state k. Two worlds will be related if they come from the same Kripke state. The world (l✞ p) will be greater that (k ✞ q) only if l ▲ k and p ✖ q. The world (k ✞ p) will evaluate to p, and an atom will be interpreted in the world (k ✞ p) only if it is placed in p in the Kripke state k. The construction will guarantee that the world (k ✞ p) forces a formula ✩ if and only if the Kripke state k forces the formula ✩ @p. One thing that is worth pointing out is that in the resulting birelational model, the evaluation is total. This is no accident, and as we had pointed out before, partiality of the evaluation in birelational models is essential for the proof of finite model property. This is because the partiality allows worlds reachable from each other to be ordered: a situation that will be ruled out if the evaluation was total as a consequence of coherence and uniqueness. This was illustrated by the model ❭ exam when we defined birelational semantics. In ❭ exam , it is the case that w1 ❍ w2 , w1 R w2 , w1 ❫ and w2 ❴ p. As discussed there, this model allows us to refute the judgement ; ☎✱❤✒❤ A at p ✳ ♦ p♣ ❤✒❤❙☎ A at p. As we will see later, the judgement will be valid in every finite distributed Kripke model. Indeed, if the evaluation in birelational models was total and not partial, the encoding that we will give could be reversed giving an encoding of birelational models in Kripke models. We would have not gained anything by using birelational models. 22 Proposition 5 (Encoding) Given a distributed Kripke model, ■➊✖ (K✞✣❍✪✞✜✹ Pk ✻ k❑ K ✞ ✹ Ik ✻ k❑ K ) with set of places Pls, we define its ■ -birelational model ❭➌Pls ➋ to be the quintuple (W ✑①✞✜❍✯✑r✞ R ✑r✞ I✑①✞ Eval✑ ), where 1. W ✑ 2. ✖ ❑ ✹ (k✞ p) : p ☛ Pk ✻ ; ❍ ✑ ✷ W ✑ ❪ W ✑ is defined as: (k✞ def k K p) ❍ ✑ (l✞ ❍ q) if and only if k l and p ✖ q; 3. R ✑ : ✷ W ✑✯❪ W ✑ is defined as: (k ✞ p) R ✑ (l✞ q) if and only if k ✖ l; 4. I ✑ : Atoms ✎ Pow(W ✑ ) is defined as: I(A) 5. Eval✑ : W ✑✒✎ ✖➅✹ def Pls✑ is defined as: Eval(k ✞ p) ✖ def (k ✞ p) ✗ p ☛ Ik (A) ✻ ; p. ❭➌Pls ➋ is a birelational model. Proof: We need to check that the construction satisfies the properties of a birelational model. The proof is straightforward, and we just illustrate the proof of reachability condition here. Assume that (k✑ ✞ p✑ ) ▲ ✑ (k ✞ p) R ✑ (l✞ q). Then it must be the case that k✑ ▲ k, k ✖ l and q ☛ Pl . Since k ✖ l, we get q ☛ Pk . Furthermore, as k✑❽▲ k, we have Pk ✷ Pk✇ . Therefore q ☛ Pk✇ . Consider the world (k✑ ✞ q). We get by definition (k✑ ✞ p✑ ) R ✑ (k✑ ✞ q) ▲ ✑ (k ✞ q). ❚ We now show that the encoding preserves the forcing relation. Proposition 6 (Forcing Preservation) Let ■➍✖ (K✞✜❍✪✞✜✹ Pk ✻ k❑ K ✞✜✹ Ik ✻ k❑ K ) be a distributed Kripke model with set of places Pls. Let ❭➎Pls ➋ ✖ (W ✑①✞✜❍✯✑r✞ R ✑r✞ I✑①✞ Eval✑ ) be and ✗✖❾➏ extend the interpretation of atoms in ■ the ■ -birelational model. Let ✗✖ ➋ and ❭ ➋Pls respectively. For every ✏✦☛ Frm(Pls), k ☛ K, and p ☛ Pk , we have: (k ✞ p) ✗✖ ➋ ✏ if and only if (k ✞ p) ✗✖❾➏➐✏★✟ Proof: We proceed by induction on the formula ✏✾☛ Frm(Pls). The statement of the Proposition is easily verified on ✘ , ✕ and on atoms. Inductive hypothesis. We consider a formula ✏✢☛ Frm(Pls), and assume that the Proposition holds for each of its sub-formulae. For sake of clarity, we just illustrate the cases of logical implication, and of modalities @p and ☎ . ✵ Case ✏⑨✖◆✏ ✎✓✏ 2 . Suppose (k ✞ p) ✗✖ ➋ ✏ 1 ✎➑✏ 2 . We need to show that (k✞ p) ✗✖❾➏ ✏ 1 ✎➒✏ 2 . Pick (l✞ q) ▲✯✑ (k ✞ p) such that (l✞ q) ✗✖✪➏❣✏ 1 , and fix it. It su✌ ces to show that (l✞ q) ✗✖✪➏➐✏ 2 also. Since (l✞ q) ▲ ✑ (k ✞ p), we have q ✖ p and l ▲ k. Also, as (l✞ q) ✗✖✪➏➓✏ 1 and q ✖ p, we get (l✞ p) ✗✖ ➋ ✏ 1 by induction hypothesis. Since (k✞ p) ✗✖ ➋ ✏ 1 ✎ 1 23 ✏ and l ▲ k, we get (l✞ p) ✗✖ ➋ ✏ 2 . By induction hypothesis once again, we get (l✞ q) ✖ (l✞ p) ✗✖❾➏❳✏ 2 , and we are done. 2 For the other direction, suppose that (k ✞ p) ✗✖❾➏➔✏ 1 ✎➐✏ 2 . We need to show that (k ✞ p) ✗✖ ➋ ✏ 1 ✎➓✏ 2 . Pick l ▲ k such that (l✞ p) ✗✖ ➋ ✏ 1 , and fix it. It ✏ 2. su✌ ces to show that (l✞ p) ✗✖ ➋ ✵ As (l✞ p) ✗✖ ➋ ✏ 1 , we have by induction hypothesis that (l✞ p) ✗✖✪➏➍✏ 1 . Since l ▲ k, we get p ☛ Pl and (l✞ p) ▲★✑ (k ✞ p). Therefore, as (k ✞ p) ✗✖❾➏➔✏ 1 ✎❣✏ 2 , ✏ 2. we get that (l✞ p) ✗✖❾➏❳✏ 2 . By induction hypothesis, we get (l✞ p) ✗✖ ➋ ✵ Case ✏⑨✖◆✏ 1 @q. Then (k ✞ p) ✗✖ ➋ ✏ means that q ☛ Pk and (k✞ q) ✗✖ ➋ ✏ 1 . By induction hypothesis and definition of q-extension, this is equivalent to saying that there exists (k ✞ q) R ✑ (k ✞ p) such that (k ✞ q) ❴ q, and (k ✞ q) ✗✖✪➏→✏ 1 . This is equivalent to saying that (k ✞ p) ✗✖❾➏❳✏ 1 @q. Case ✏⑨✖◆☎✧✏ 1 . Then (k ✞ p) ✗✖ ➋ ✏ means that for every l ▲ k and every q ☛ Pl , we have ✏ (l✞ q) ✗✖ 1 . By induction hypothesis and definition of q-extension, this is ➋ equivalent to: for every (l✞ p) ▲★✑ (k ✞ p) and (l✞ q) R ✑ (l✞ p), it is the case that ❚ (l✞ q) ✗✖✪➏➐✏ 1 . This is equivalent to saying that (k ✞ p) ✗✖✪➏❳☎✒✏ 1 . We shall now use the encoding and soundness of logic with respect to birelational models to show soundness of Kripke semantics. Corollary 1 (Soundness) If ✮ ; ✝✴✳ in every distributed Kripke model. P ✫ at p is derivable in the logic, then it is valid Proof: Suppose that the judgement ✮ ; ✝✾✳ P ✫ at p is derivable. Then it must be the case that PL(✮ ) ✶ PL(✝ ) ✶ PL(✫ ) ✶➄✹ p ✻✱✷ P. Let ■❳✖ (K✞✜❍✪✞✜✹ Pk ✻ k❑ K ✞✜✹ Ik ✻ k❑ K ) be a distributed Kripke model with set of places Pls. Let ✗✖ ➋ extend the interpretation of atoms to formulae on this Kripke model. Let k be a Kripke state of this model such that P ☛ Pk and k ✗✖ ➋ ✮ ; ✝ . We need to show that (k✞ p) ✗✖ ➋ ✫ at p. Consider the encoding of the Kripke model ■ into a birelational model. Let ❭➌Pls ➋ ✖ (W ✑r✞✜❍✯✑r✞ R ✑r✞ I✑①✞ Eval✑ ) be the ■ -birelational model, and consider the world (k ✞ p) ☛ W ✑ . If ✗✖❾➏ is the extension of interpretation of atoms in this model, we claim that (k ✞ p) ✗✖✪➏❯✮ ; ✝ . If ✩◆☛✭✮ then as k ✗✖ ➋ ✮ ; ✝ , we get by definition (k✞ p) ✗✖ ➋ ☎✒✩ . Using Proposition 6, we get that (k ✞ p) ✗✖❾➏➐☎✒✩ . If ✩ at q ☛❱✮ , then we have by definition (k ✞ q) ✗✖ ➋ ✩ . Using Proposition 6, we get that (k ✞ q) ✗✖❾➏ ✩ . Now, by construction (k ✞ p) R ✑ (k ✞ q), and hence we get (k ✞ p) ✗✖❾➏❳✩ @q. Therefore, we get that (k ✞ p) ✗✖✪➏➣✮ ; ✝ . As the logic is sound over birelational models, we get (k ✞ p) ✗✖❾➏➎✫ @p. This implies using Proposition 6 once again that (k ✞ p) ✗✖ ✫ @p. By definition, this is the same as (k✞ p) ✗✖ ✫ , and we are done. ❚ ➋ ➋ 24 4 Bounded contexts and Completeness In this Section, we shall prove completeness of the logic with respect to both Kripke and birelational semantics. The proof will follow a modification of standard proofs of completeness of intuitionistic logics[17, 29, 6, 31], and we will construct a particular distributed Kripke model: the canonical bounded Kripke model. The reason for term “bounded” shall become clear later on. We will prove that a judgement ✮ ; ✝➆✳ P ✫ at p is valid in the canonical bounded model if and only if it is derivable in the logic. Then we will use the encoding of the Kripke models into birelational models (see Section 3.2), which will allow us to prove completeness of birelational models. The resulting model will be used to prove the finite model property in Section 5.3. We also point out that we shall prove the completeness results in the case where P is finite. We shall indicate later how this can be extended to the case where P is infinite. The construction of the model is adapted from [29]. We begin by defining sub-formulae of a pure formula. A sub-formula of a pure formula ✏ is inductively generated as: ✵ ✏ is a sub-formula of itself; ✵ if any of ✏ 1 ✍ ✏ 2, ✏ and ✏ 2 ; and 1 ✔✤✏ 2 , and ✏ 1 ✎✓✏ 2 is a sub-formula of ✏ , then so are ✏ 1 ✵ if any of ☎✧✏ , ✄☞✏ , and ✏ @p is a sub-formula of ✏ , then so is ✏ . 1 1 1 1 Given any set of pure formulae ↔ , the sub-formula closure ↔❞↕ , is the set of subformulae of each of its members. Using sub-formulae closure, we define bounded contexts: Definition 9 (Bounded Contexts) Given a finite set of places P and a finite set of pure formulae ↔❥☛ Frm(P), a pair (Q✞✲✝ ) is a (P✞✲↔ ) ➙ bounded context if ✵ Q is a finite set of places that contains P, i.e., P ✷ Q; and ✵ ✝ is a finite set of sentences of the form ✏ at q, where ✏✢☛❲↔ ↕ and q ☛ Q. The bounded contexts will be used as Kripke states in the canonical model. However, we will need particular kinds of bounded contexts. Definition 10 (Prime Bounded Contexts) Let P be a finite set of places, and ↔⑦✞✰✮ ✷ Frm(P) be two finite sets of pure formulae. A (P✞✲↔ ) ➙ bounded context (Q✞✰✝ ) is said to be ✮❙➙ prime if ✵ ✮ ; ✝➛✳ Q ✏ at q for ✏✴☛✥↔❞↕ and q ☛ Q, implies that ✏ at q ☛➜✝ (↔ -deductive closure); ✵ ✮ ; ✝✦➝ Q ✕ at q for every q ☛ Q (Consistency); ✵ ✮ ; ✝❢✳ Q ✏⑨✔❩✩ at q for ✏➜✔❩✩✴☛➞↔ ↕ and q ☛ Q, implies that either ✏ at q ☛➞✝ or ✩ at q ☛❲✝ (↔ -disjunction property); and 25 ✵ ✮ ; ✝✾✳ Q ✄☞✏ at q for ✄☞✏✢☛✭↔ ↕ and q ☛ Q, implies that there exists q✑✱☛ Q such that ✏ at q✑ ☛❲✝ (↔ -diamond property). As an example, let A be an atom. Let P ✖❷✹ p ✻ , ↔➅✖✽✹ A@p ✻ and Q ✖❷✹ p✞ q ✻ . Consider the following sets of sentences: ✵ ✝ 1 ✖✴✹ A at p✞ A at q✞ A@p at p ✻ ; ✵ ✝ 2 ✖✴✹ A at p✞ A at q✞ A@p at p✞ A@p at q ✻ ; and ✵ ✝ 3 ✖✴✹ A at p✞ A at q✞ A@p at p✞ A@p at q✞❦✄ A at q ✻ . Clearly, we have that P ✷ Q. If ✩ at r is a sentence in ✝ 1 or ✝ 2 , then ✩ is a sub-formula of ↔ and r ☛ Q. Therefore, (Q✞✰✝ 1 ) and (Q✞✰✝ 2 ) are (P✞✲↔ ) ➙ bounded contexts. On the other hand, (Q✞✲✝ 3 ) is not a (P✞✲↔ ) ➙ bounded context as ✄ A is not a sub-formula of A@p. If, we let ✮ to be the list A, then it follows easily that ✮ ; ✝ 1 ✳ Q A at p. Using the inference rule of introduction of @, we get ✮ ; ✝ 1 ✳ Q A@p at q. However, we have that A@p at q s➜✝ 1 . Therefore, (Q✞✲✝ 1 ) is not ✮❙➙ prime. On the other hand, (Q✞✲✝ 2 ) is ✮❙➙ prime. The canonical model will be built by choosing the Kripke states to be prime bounded contexts. We will first show that bounded contexts can be extended to prime bounded contexts. Before we proceed, we state a proposition that says that the cut-rule is admissible in the logic. In [14], this has been proved for the logic without the disjunctive connectives. The proof can be extended for the logic with disjunctive connectives: Proposition 7 If ✮ ; ✝✺✳ P ✫ at p1 and ✮ ; ✝❺✞✬✫ at p1 ✳ P ✩ at p, then ✮ ; ✝✴✳ P ✩ at p. Proof: The proof is by induction on the number of inference rules used in derivation of ✮ ; ✝✱✞①✫ at p1 ✳ P ✩ at p. ❚ We now show the existence of prime extensions: Lemma 3 (Prime Bounded Extension) Let (Q✞✰✝ ) be a (P✞✰↔ ) ➙ bounded context, and ✩ be a pure formula in Frm(P). Given a finite subset ✮✺✷ Frm(P) and q ☛ Q such that ✮ ; ✝✦➝ Q ✩ at q, there exists a (P✞✰↔ ) ➙ bounded context (Q✑r✞✲✝✪✑ ) such that 1. (Q✑ ✞✲✝ ✑ ) is ✮❙➙ prime, 2. (Q✑ ✞✲✝ ✑ ) extends (Q✞✰✝ ), i.e., Q ✷ Q✑ , and ✝✺✷✢✝ ✑ , and 3. ✮ ; ✝❾✑④➝ Q✇ ✩ at q. Proof: Please note that by definition P,↔ and ↔ ↕ are finite sets. Pick new places q❈①➟ , one for each formula ✄❛✏➄☛✭↔❞↕ . Let Q ❈ be the set of all such places. As the set ↔ ↕ is finite, Q❈ is also a finite set. Finally, let ➠ be the set of sentences ✏ at q such that ✏✦☛❽↔ ↕ and q ☛ Q ✶ Q ❈ . As ↔ ↕ ✞ Q and Q❈ are finite sets, ➠ is also finite. 26 The set ✝✪✑ required in the Lemma would be a subset of ➠ , and the set Q✑ would be a subset of Q ✶ Q ❈ . These sets would be obtained by a series of extensions ✝ n ✞ Qn which will satisfy certain properties: Property 1 For every n ▲ 0 1. Qn ✷ Q ✶ Q ❈ , and ✝ 2. Qn ✷ Qn❉ 1 , ✝ 3. (Qn ✞✲✝ n) ; n ✷✢✝ n❉ 1 ; is (P✞✰↔ )-bounded context; and Qn ✩ n➝ 4. ✮ ; ➠ n ✷❩➠ at q. The series is constructed inductively. In the induction, at an odd step we will create a witness for a formula of the type ✄❛✏ . At an even step we deal with disjunction property. We shall also construct two sets: ❈ ✵ ✵ treated n , that will be the set of the formulae ✄☞✏❜☛✺↔❞↕ for which we have already created a witness. ❄ treated n , that will be the set of the formulae ✩ the disjunction property. 1 ✔❩✩ 2 at q ☛✤➠ which satisfy ✁ ❈ We❄ pick an enumeration of ↔❼↕ , and fix it. We start o by defining treated 0 ✖➢➡ , treated 0 ✖▼➡ , Q0 ✖ Q, and ✝ 0 ✖❹✝ . It is clear from the hypothesis of the Lemma that Q0 and P0 satisfy the four points of Property1. Then we proceed inductively, and assume that Qn ✞✰✝ n (n ▲ 0) have been constructed satisfying Property 1. In step n ✸ 1, we consider two cases: 1. If n ✸ 1 is odd, then pick the first formula ✩ of ↔ ↕ , such that ✵ ✵ 1 ✔❩✩ 2 ☛✤↔❞↕ in the enumeration ✮ ; ✝ n ✳ Qn ✩ 1 ✔✥✩ 2 at r, for some r ☛ Qn ; ❄ ✩ 1 ✔➀✩ 2 at r s treatedn . If no such formula exists, then let Qn❉ 1 ✖ Qn and ✝ n❉ 1 ✖❡✝ n . In this case Qn❉ 1 and ✝ n❉ 1 satisfy the four points of Property 1 by induction. Otherwise, if both ✮ ; ✝ n ✞✡✩ 1 at r ✳ Qn ✩ at q and ✮ ; ✝ n ✞✡✩ 2 at r ✳ Qn ✩ at q, then we can deduce ✮ ; ✝ n ✳ Qn ✩ at q. However, we have that ✝ n ✞ Qn satisfy Property 1. Hence, it must be the case that either ✮ ; ✝ n ✞✡✩ 1 at r ➝ Qn ✩ at q or ✮ ; ✝ n ✞✡✩ 2 at r ➝ Qn ✩ at q. We define ✝ n❉ 1 ✖♥✝ n ✶✺✹➤✩ 1 at r ✻ if ✮ ; ✝ n ✡✞ ✩ 1 at r ➝ Qn ✩ at p, and ✝ n❉ 1 ✖ ✝ n ✶P✹➤✩ 2 at r ✻ otherwise. We define Qn❉ 1 ✖ Qn . We have by construction Qn ✷ Qn❉ 1 , Qn❉ 1 ✷ Q ✶ Q ❈ and ✝ n ✷✢✝ n❉ 1 . We have r ☛ Qn . By definition, the set ↔❞↕ is closed under sub-formulae. Therefore as ✩ 1 ✔❩✩ 2 ☛❶↔ ↕ , we have both ✩ 1 and ✩ 2 are in ↔ ↕ . This implies that ✩ 1 at r and ✩ 1 at r are in ➠ , and (Qn❉ 1 ✞✰✝ n ) is (P✞✲↔ ) ➙ bounded context. 27 Also by construction ✮ ; ✝ n❉ 1 ➝ nQ❉ 1 ✩ ❄ at q. Therefore, Qn❉ 1 ✞✰✝ n❉ 1 satisfies ❄ treated n ✶❢➤✹ ✩ 1 ✔✚✩ 2 at r ✻ and Property ❈ 1. Finally,❈ we let treated n❉ 1 ✖ treated n❉ 1 ✖ treated n . 2. If n ✸ 1 is even, pick the first formula ✄❛✏ in the enumeration of ↔ ↕ such that ✵ ✵ ✮ ;✝ Qn ☞ ✄ ✏ n ✳ ✄❛✏➄s ❈ at r, for some r ☛ Qn ; treated n . Let Qn❉ ❄ 1 ✖ Qn ✸ q❈①➟ ,❄ ✝ n❉ 1 ✖❱✝ n ✶❼✹➤✏ at q❈①➟ ✻ , treatedn❉ 1 ✖ treatedn ✶❼✹➤✄☞✏➥✻ and treated n❉ 1 ✖ treatedn . We have by construction that Qn❉ 1 and ✝ n❉ 1 satisfy the first three points of Property1. We claim that ✮ ; ✝ n❉ 1 ➝ Qn ➦ 1 ✩ at q also. Suppose that ✮ ; ✝ n❉ 1 ✳ Qn➦ 1 ✩ at q, i.e., ✮ ; ✝ n ✞✡✏ at q❈①➟ ✳ Q❉ q➧①➨ ✩ at q. We also have that ✮ ; ✝ n ✳ Qn ☞ ✄ ✏ at r. In fact, by the inference rule ✄ E: ✮ ;✝ Qn ☞ ✄ ✏ n ✳ at r ✮ ✮ ; ✝ n ✳ Qn ✩ ;✝ n ✞✠✏ at q❈①➟ ✳ Q❉ q①➧ ➨ ✩ at q at q This contradicts the hypothesis on Qn ✞✲✝ n . Hence ✮ ; ✝ Therefore, Qn❉ 1 and ✝ n❉ 1 satisfy Property1. ➩ E Qn ➦ n❉ 1 ➝ 1 ✩ at q. Therefore, we get by construction that Qn ✞✲✝ n satisfy Property 1. We define ❈ n➫ 0 Qn , and ✝❾✑⑤✑❶✖ n➫ 0 ✝ n . Now, using Property 1, Q✑⑨✷ Q ✶ Q and ✝ ✑❊✑ ✷➢➠ . This implies that Q✑ and ✝ ✑❊✑ are finite sets. (Note that this means that the series (Qn ✞✲✝ n ) is eventually constant). Using Property 1, we can easily show that (Q✑r✞✲✝❾✑❊✑ ) is a (P✞✲↔ ) ➙ bounded context, and ✮ ; ✝✪✑❋✑➭➝ Q✇ ✩ at q. Finally, we define ✝ ✑ to be the set of all sentences ✏ at s ☛❲➠ such that ✮ ; ✝ ✑❋✑ ✳ Q✇ ✏ at s. As a consequence of Proposition 7, we get that Q✑✭✖ ✮ ; ✝ ✑ ✳ Q✇ ✫ at r if and only if ✮ ; ✝ ✑⑤✑ ✳ Q✇ ✫ at r (5) Clearly, ✝❾✑ extends ✝❾✑⑤✑ and hence ✝ . Furthermore, by construction (Q✑①✞✰✝❾✑ ) is (P✞✲↔ ) ➙ bounded. Also we get ✮ ; ✝✪✑✒➝ Q✇ ✩ at q, thanks to the equivalence (5). We only need to show that (Q✑ ✞✲✝ ✑ ) is ✮ -prime. 1. (Deductive Closure) The set ✝ ✑ is deductively closed, by construction. 2. (Disjunction Property) Assume that ✮ ; ✝ ✑ ✳ Q✇ ✩ 1 ✔➜✩ 2 at r, for ✩ 1 ✔➀✩ 2 ☛❲↔❞↕ and q ☛ Q✑ . Then let n be the least number such that ✮ ; ✝ n ✳ Qn ✩ 1 ✔✥✩ 2 at r. ❄ Clearly, ✩ 1 ✔✴✩ 2 at q s treatedn , and ✮ ; ✝ m ✳ Qm ✩ 1 ✔✴✩ 2 at q for every m ▲ n. Eventually ✩ 1 ✔➄✩ 2 at q has to be treated at some odd stage h ▲ n. Hence, either ✩ 1 at r ☛✢✝ h❉ 1 or ✩ 2 at r ☛✦✝ h❉ 1 . Therefore, ✩ 1 at q ☛✢✝ ✑ or ✩ 2 at q ☛❽✝✪✑ . 3. (Diamond Property) Assume that ✮ ; ✝✪✑❦✳ Q✇ ✄☞✏ at r, for ✄☞✏❨☛❶↔ ↕ and r ☛ Q✑ . Then let n be the least number such that ✮ ; ✝ n ✳ Qn ✄☞✏ at r. As in the previous case, we assert that ✄❛✏ at q is treated for some even number h ▲ n. We get ✏ at q❈①➟ ☛❲✝✪✑ by construction. 28 4. (Consistency) If ✮ ; ✝❾✑⑥✳ Q✇ ✕ at r, then ✮ ; ✝❾✑⑥✳ Q✇ ✩ @q at r by the inference rule ✕ E. Therefore, ✮ ; ✝ ✑ ✳ Q✇ ✩ at q by @E, which contradicts our construction. Hence, ✮ ; ✝❾✑④➝ Q✇ ✕ at q. We conclude that (Q✑r✞✲✝✪✑ ) is a ✮ -prime and (P✞✰↔ ) ➙ bounded context extending ❚ (Q✞✲✝ ) such that ✮ ; ✝✦➝ Q✇ ✏ at p. We finally construct the bounded canonical model. In the model, the set of Kripke states is the set of prime bounded contexts (Q✞✲✝ ) ordered by inclusion. A place belongs to the state (Q✞✲✝ ) only if it is in Q, and an atom A is placed in a place r in the state (Q✞✲✝ ) only if A at r ☛❲✝ . More formally, we have Definition 11 (Bounded Canonical Model) Given a finite set of places P and two finite sets of pure formulae ↔⑥✞✰✮➎✷ Frm(P), the ✮ -prime and (P✞✲↔ ) ➙ bounded def canonical model is the quadruple ■ can ✖ (K✞✣❍❙✞✣✹ Pk ✻ k❑ K ✞✣✹ Ik ✻ k❑ K ), where ✵ the set K is the set of all (P✞✰↔ ) ➙ bounded contexts that are ✮ -prime; ✵ (Q1 ✞✲✝ ✵ ✵ P(Q❃➲➯ ❍ 1) ✖ def ) (Q2 ✞✰✝ 2) if and only if Q1 ✷ Q2 and ✝ 1 ✷✢✝ 2; and Q; for k ✖ (Q✞✲✝ ), the function Ik : Atoms I(Q❃➳➯ ) (A) ✖➅✹ q ☛ def ✎ Pow(Pk ) is defined as Q : A at q ☛❲✝➇✻➤✟ Given a finite set of places P and a finite set of formulae ✮▼☛ Frm(P), we say that ✮ is consistent if ✮ ; ➝ P ✕ at p for any p ☛ P. If ✮ is consistent, then Lemma 3 guarantees that the set of states in the canonical model is non-empty. This ensures that the bounded canonical model is a Kripke model. Lemma 4 (Canonical Evaluation) Given a finite set places P, and two finite sets of pure formulae ↔⑥✞✲✮❨☛ Frm(P) such that ✮ is consistent, let ■ can be the ✮❙➙ prime and (P✞✰↔ ) ➙ bounded canonical model. Then 1. ■ can is a distributed Kripke model; and 2. if ✗✖ ➋ is the forcing relation on ■ can , then for all (Q✞✲✝ ) ✗✖ ✏ at q if and only if ✏ at q ☛❲✝ . ✏✴☛❩↔ ↕ , and (Q✞✲✝ ) ☛ K: ➋ Proof: Clearly, all the properties required for a distributed Kripke model are verified. All we have to prove is the part 2 of the Lemma. The proof is standard, and we proceed by induction on the structure of the formula ✏✺☛➀↔❞↕ . In the inductive hypothesis, we assume that part 2 of the Lemma is valid on all sub-formulae of ✏ that are in ↔❞↕ . Please note that if ✏❨☛➞↔❞↕ , then of the sub-formulae of ✏ are in ↔❼↕ . Hence, we can apply the induction hypothesis on all the sub-formulae of ✏ . Here, we just illustrate the inductive case in which ✏ is ☎✒✏ 1 . 29 Case ☎✒✏ 1 . Assume that (Q✞✲✝ ) ✗✖ ➋ ☎✒✏ 1 at q, where ☎✧✏ 1 ☛✚↔ ↕ . By definition, this means that for every (Q✑ ✞✰✝ ✑ ) ▲ (Q✞✲✝ ) and every r ☛ Q✑ , it is the case that (Q✑r✞✲✝❾✑ ) ✗✖ ➋ ✏ 1 at r (and therefore ✏ 1 at r ☛❲✝❾✑ by inductive hypothesis). Chose a new place s s Q and fix it. We claim that ✮ ; ✝◗✳ Q❉ s ✏ 1 at s. Suppose ✮ ; ✝✺➝ Q❉ s ✏ 1 at s. Then by Lemma 3, there is a set of places Q✑ extending Q ✸ s and, a ✮ -prime and (P✞✰↔ ) ➙ bounded context (Q✑ ✞✲✝ ✑ ) extending (Q✞✲✝ ) such that ✮ ; ✝✪✑②➝ Q✇ ✏ 1 at s. This means ✏ 1 at s s❲✝✪✑ . Since (Q✑✬✞✰✝❾✑ ) is greater than (Q✞✰✝ ), we obtain a contradiction. Therefore, we conclude that ✮ ; ✝➛✳ P❉ q ✏ 1 at s. By using the inference rule of introduction of ☎ (☎ I), we get that ✮ ; ✝❬✳ Q ☎✒✏ 1 at q. Since (Q✞✲✝ ) is ✮ -prime and (P✞✲↔ )-bounded, ☎✧✏ 1 at q ☛❲✝ . For the other direction, let ☎✧✏ 1 at q ☛✭✝ . Pick a Kripke state (Q✑✬✞✰✝❾✑ ) ▲ (Q✞✲✝ ), and fix it. We need to show that (Q✑①✞✲✝✪✑ ) ✗✖ ➋ ✏ 1 at q. Now ✝❬✷◆✝❾✑ , and therefore ☎✒✏ 1 at q ☛➀✝ ✑ . We can apply the inference rule of elimination of ☎ (☎ E) to prove that ✮✯✞✲✝❾✑✧✳ Q✇ ✏ 1 at s for every s ☛ Q✑ . By definition of the canonical model, (Q✑ ✞✰✝ ✑ ) is ✮ -prime. Therefore, ✏ 1 at s ☛ ✝❾✑ for every s ☛ Q✑ . Hence by inductive hypothesis, (Q✑✬✞✲✝✪✑ ) ✗✖ ➋ ✏ 1 at s for every s ☛ Q✑ . As (Q✑ ✞✲✝ ✑ ) is an arbitrary Kripke state larger than (Q✞✰✝ ), we get that ☎✧✏ 1 at q. ❚ (Q✞✲✝ ) ✗✖ ➋ We are now ready to prove completeness. It will imply the completeness theorem for birelational models as a corollary. We will later on recall the proof of this theorem when we deal with finite model property. Theorem 2 (Completeness) If P is finite and the judgement ✮ ; ✝✴✳ in every Kripke model, then it is provable in the logic. Proof: Assume that ✮ ; ✝✴✗✖ P ✏ P ✏ at p is valid at p is valid. We have: 1. PL(✮ ) ✶ PL(✝ ) ✶ PL(✏ ) ✶✦✹ p ✻❙✷ P. 2. If ■➐✖ (K✞✣❍❙✞✣✹ Pk ✻ k❑ K ✞✣✹ Ik ✻ k❑ K ) is a distributed Kripke model, then for every k ☛ K such that P ✷ Pk , k ✗✖◆✏ at p whenever k ✗✖P✮ ; ✝ . We need to show that ✮ ; ✝✺✳ P ✏ at p. def Assume that ✮ ; ✝✦➝ P ✏ at p. We fix ↔ ✖③✹➤☎✒✩ : ✩◆☛❽✮✪✻④✶✦✹➳✫ : ✫ at q ☛❲✝➵✻②✶✦✹➤✏❙✻ . Please note that ↔❜☛ Frm(P) and (P✞✰✝ ) is a (P✞✲↔ )-bounded context. By Lemma 3, there is a ✮ -prime and (P✞✲↔ ) ➙ bounded context (Q✞✰➠ ) extending (P✞✰✝ ) such that ✮ ; ➠❖➝ Q ✏ at p. We get ✏ at p s❲➠ . Fix (Q✞✰➠ ). Now consider the ✮ -prime and (P✞✰↔ )-bounded canonical model ■ can as constructed in Definition 11, and let ✗✖ ➋ be the forcing relation in ■ can . Consider the Kripke state (Q✞✰➠ ). We claim that (Q✞✰➠ ) ✗✖ ➋ ✮ ;✝ . Pick ✩❜☛➢✮ , r ☛ Q and fix them. We first show that ✮ ; ➠❬✳ Q ☎✒✩ at r. In the proof, we first choose a new place m s Q, and then use the inference rule G to 30 conclude that ✩ at r is derivable from ✮➸✞✰➠ . We then use the inference rule ☎ I to obtain ✮ ; ➠➢✳ Q ☎✒✩ at r. More formally, ✮ ;➢ ➠ ✳ Q❉ m ✩ at m ✮ ; ➠❨✳ Q ☎✒✩ at r G ➺ I As ✩P☛❲✮ , we have that ☎✧✩◆☛⑦↔ . As r ☛ Q, we have by definition of prime contexts, ☎✒✩ at r ☛❲➠ . Using Lemma 4, we get that (Q✞✰➠ ) ✗✖ ➋ ☎✒✩ at r. Furthermore, ✝ is contained in ➠ . Therefore, by Lemma 4, (Q✞✲➠ ) ✗✖ ➋ ✫ at q whenever ✫ at q ☛❲✝ . Hence, we get that the Kripke state (Q✞✲➠ ) ✗✖✾✮ ; ✝ . By our assumption, we get (Q✞✲➠ ) ✗✖ ➋ ✏ at p also. By Lemma 4, we get ✏ at p ☛❩➠ . However our choice of Q✞✲➠ was such that ✏ at p s❩➠ . We have just reach a contradiction, and hence we ❚ can conclude that ✮ ; ✝✴✳ P ✏ at p. Now, by the encoding of Kripke models into birelational models (see Proposition 6), if a judgement is valid in all birelational models then it is valid in all Kripke models. As the class of Kripke models is complete, we get that the class of birelational models is also complete for the logic: Corollary 2 If P is finite and the judgement ✮ ; ✝➻✳ birelational model, then it is provable in the logic. P ✏ at p is bi-valid in every Proof: Suppose that the judgement ✮ ; ✝✴✳ P ✏ at p that is not provable in the logic. Then by Theorem 2, there is a Kripke model ■ with a state k such that k forces ✮ ; ✝ but does not force ✏ at p. Let ❭ Pls ➋ be the ■ -birelational model obtained by the encoding of ■ as defined in Proposition 5, and consider the world (k ✞ p). It can be shown using Proposition 6 that the world (k ✞ p) forces ✮ ; ✝ but not ✏ at p. ❚ Hence, the judgement ✮ ; ✝✾✳ P ✏ at p is not bi-valid. Now, if P is infinite then the proofs in this Section can be modified. The proofs actually do not require the sets in contexts to be finite. The requirement for finiteness is actually for the proof of finite model property, and not for completeness. There is another way in which we can deduce the completeness results when P is infinite. For this, we take recourse to the following Proposition which states that for provability, it is su✌ cient to just consider the set of places appearing in the formulae of the judgement. This was proved for the logic without disjunctive connectives in [14], and the proof can be extended for the whole logic. Proposition 8 Let P0 ✖ PL(✮ ) ✶ PL(✝ ) ✶ PL(✏ ) ✶✦✹ p ✻ , and P0 ✏ at p if and only if ✮ ; ✝✴✳ P0 ✏ at p. Proof: The proof is by induction on the length of derivations. 31 ✷ P. Then ✮ ; ✝✚✳ ❚ P Now, we extend the completeness result for Kripke semantics to the infinite P case as follows. Suppose that ✮ ; ✝◆➝ P ✏ at p. Then by the above Proposition, it must be the case ✮ ; ✝✢➝ P0 ✏ at p, where P0 ✖ PL(✮ ) ✶ PL(✝ ) ✶ PL(✏ ) ✶❞✹ p ✻ . Theorem 2 says that there is a Kripke model ■ with a Kripke state k such that k forces ✮ ; ✝ but not ✏ at p. Without loss of generality, we can assume that ■ does not contain any place in the set P ➼ P0 (otherwise we can rename them). Now pick p0 ☛ P, and fix it. In each Kripke state of ■ add new places P ➼ P0 , each duplicating p0 . It can be shown that in the resulting model the Kripke state k still forces ✮ ; ✝ but not ✏ at p. Hence, we obtain completeness for Kripke semantics when P is infinite. For the birelational models, we can once again use the encoding of Kripke models into birelational models. 5 Finite Model Property In this Section, we will show that if a judgement ✮ ; ✝③✳ P ✏ at p is not provable in the logic, then there is a finite birelational model that invalidates it. The proof will use the counter-model from the proof of completeness in Section 4. The birelational model constructed in the proof of completeness consists of worlds of the form (Q✞✲✝❺✞ q), where (Q✞✰✝ ) are prime bounded contexts and q ☛ Q. The model constructed may be infinite as it may contain infinite worlds. However, by using techniques similar to those used in [29], we will be able to construct a finite model that is equivalent to the counter-model. The key technique in the construction is the ✁ identification of triples (Q✞✰✝✱✞ q) that di er only in renaming of places other than those in P. We start the proof by discussing renaming functions. 5.1 Renaming functions In this Section, we shall discuss renaming of places in formulae and judgements. Given any two sets of places Q1 ✞ Q2 , a renaming function is a function f : Q1 ✎ Q2 . Intuitively, f renames a place q in Q1 as f (q). Given a renaming function f : Q1 ✎ Q2 , we can extend f to a function from the set Frm(Q1 ) into the set Frm(Q2 ) by replacing all occurrences of places q by f (q). More formally, ✵ f (A) ✖ ✵ f (✏ ✵ f (✏ @q) ✖ ✵ f (✄☞✏ ) ✖♥✄ f (✏ ) and f (☎✒✏ ) ✖❧☎ f (✏ ). def A for all atoms A; def 1 ➽ ✏ 2) ✖ def def f (✏ 1 ) ➽ f (✏ 2 ) for ➽ ☛✤✹r✔❾✞ ✍ ✞✣✎✴✻ ; f (✏ )@ f (q); def def Furthermore, we can extend f to sentences by defining f (✏ at q) ✖ f (✏ ) at f (q). f can then be extended to any context ✮ ; ✝ by applying f to all the formulae and sentence. 32 If f is a renaming function, then we can transform a proof of a judgement ✮ ; ✝✴✳ Q1 ✏ at q to a proof of the judgement f (✮ ; ✝ ) ✳ Q2 f (✏ ) at f (q): Lemma 5 (Provability Preservation Under Renaming) Let f : Q1 ✎ Q2 be a renaming function. Then for any set of pure formulae ✮ , any set of sentences ✝ , any formula ✏ and any place q such that PL(✮ ) ✶ PL(✝ ) ✶ PL(✏ ) ✶❨✹ q ✻⑩✷ Q1 , we have: ✮ ; ✝✾✳ Q1 ✏ at q implies f (✮ ; ✝ ) ✳ Q2 f (✏ ) at f (q)✟ Proof: Intuitively, in order to obtain a proof of f (✮ ; ✝ ) ✳ Q2 f (✏ ) at f (q), replace all occurrences of places r in the proof of ✮ ; ✝✾✳ Q1 ✏ at q by f (r). More formally, we prove the Lemma by induction on n, the number of inference rules applied to derive the judgement ✮ ; ✝③✳ Q1 ✏ at q. Please note that the induction is on the number of inference rules applied, and we will vary the sets Qi ✞✰✝ , and the formula ✏ in the proof. Please recall that the inference rules are given in Figure 1. Base Case (n ✖ 1). Then the rule applied is one amongst L, G, and ✘ I. If the applied rule is L, then ✏ at q ☛➀✝ . Hence f (✏ ) at f (q) ☛ f (✝ ). An application of the rule L gives us f (✮ ; ✝ ) ✳ Q2 f (✏ ) at f (q). The cases of G and ✘ I follow immediately. Inductive hypothesis (n ➁ 1). We proceed by cases, and consider the last rule applied to obtain ✮ ; ✝❬✳ Q1 ✏ at q. The treatment of the rules involving the logical connectives is fairly straightforward, and we show the three most interesting cases: @I, ☎ I, and ✄ E. @I: Assume that the last rule applied is @I. Then ✏❥✖➆✩ @r, for some pure formula ✩✺☛ Frm(Q1 ) and some place r ☛ Q1 . Furthermore, ✮ ; ✝♠✳ Q1 ✩ at p is derivable by using less than n instances of the rules. The induction hypothesis says that f (✮ ; ✝ ) ✳ Q2 f (✩ ) at f (r). Using the rule @I, we get ✮ ; ✝➊✳ Q2 f (✩ )@ f (r) at f (q). We conclude by observing that f (✩ )@ f (r) is f (✏ ) by definition. ☎ I: Assume that the last rule applied is ☎ I. Then ✏⑨✖◆☎✧✩ for some pure formula ✩❜☛ Frm(Q1 ). Moreover, there is a q✑1 s Q1 such that ✮ ; ✝♥✳ Q1 ❉ q✇1 ✩ at q✑1 is derivable by using less than n instances of the inference rules. Let Q1✑ ✖ Q1 ✶❩✹ q1✑❝✻ . Choose q✑2 s Q2 , and let Q2 ✑ ✖ Q2 ✶❩✹ q2✑❝✻ . We define f ✑ : Q1 ✑ ✎ Q2 ✑ as f ✑ (r) ✖ f (r) for r ☛ Q1 , and f ✑ (q✑1 ) ✖ q✑2 . The induction hypothesis says that f ✑ (✮ ; ✝ ) ✳ Q2 ❉ q✇2 f ✑ (✩ ) at q✑2 . As ✮➸✞✰✝ and ✩ do not contain q✑1 , we have f ✑ (✮ ; ✝ ) ✖ f (✮ ; ✝ ) and f ✑ (✩ ) ✖ f (✩ ). Therefore, by using the inference rule ☎ I, we get f (✮ ; ✝ ) ✳ Q2 ☎ f (✩ ) at f (q). We conclude by observing that f (☎✒✩ ) ✖◆☎ f (✩ ). ✄ E: Assume that the last rule applied is ✄ E. Then ✏⑨✖◆✄☞✩ for some pure formula ✩P☛ Frm(Q1 ). Moreover, there exist q✑1 s Q1 , q✑⑤1✑ ☛ Q1 , and ✫❨☛ Frm(P) such that: 33 – – ✮ ;✽ ✝ ✳ at q✑❊1✑ is derivable by using less than n instances of inference rules; and Q1 ✄✣✫ at q✑1 ✳ Q1 ❉ inference rules. ✇ ✩ ✮ ;✱ ✝ ✞①✫ q1 at q is derivable by using less than n instances of Applying the induction hypothesis on the first judgement, we get f (✮ ; ✝ ) ✄ f (✫ ) at f (q✑❋1✑ ). Now, let Q1✑ ✖ Q1 ✶➄✹ q1 ✑❝✻ and ✝❾✑✒✖✺✝P✶➢✹➳✫ at q✑1 ✻ . We choose q✑2 define f ✑ : Q✑1 ✎ Q✑2 as f ✑ (r) ✖ f (r) for r ☛ Q1 , and f ✑ (q✑1 ) ✖ q✑2 . s ✳ Q2 Q2 . We Applying the induction hypothesis on the second judgement, we obtain that f ✑ (✮ ; ✝✱✞①✫ at q✑1 ) ✳ Q2 ❉ q✇2 f ✑ (✩ ) at f ✑ (q). Now, f ✑ is the same as f on Q1 , and therefore by definition f ✑ (✮ ; ✝❺✞✬✫ at q✑1 ) ✖ f (✮ ; ✝ )✞ f (✫ ) at q✑2 . Hence, we get that f (✮ ; ✝ )✞ f (✫ ) at q✑2 ✳ Q2 ❉ q✇2 f (✩ ) at q. We conclude f (✮ ; ✝ ) ✳ Q2 f (✩ ) at f (q), by using the inference rule ✄ E. ❚ For example, let us consider Q1 ✖✺✹ p✞ q ✻ and let Q2 ✖✾✹ r ✻ . Let f : Q1 ✎ Q2 be the function f (p) ✖ r✞ f (q) ✖ r. Let A be an atom, and let ✮ to be the empty list. We have ✮ ; A at p ✳ Q1 A@p at q. Then by the Lemma 5, ✮ ; A at r ✳ Q2 A@r at r. 5.2 Pointed Contexts and Morphisms Let P✞ Q be finite sets of places such that P ✷ Q. Let ↔❜✷ Frm(P) be a finite set of pure formulae with sub-formula closure ↔ ↕ . Please recall that given a finite set of sentences ✝ , we say that (Q✞✲✝ ) is a (P✞✰↔ ) ➙ bounded context if for every sentence ✏ at r it is the case that ✏✢☛❲↔ ↕ and r ☛ Q. Given a (P✞✲↔ ) ➙ bounded context (Q✞✲✝ ), we will say that (Q✞✲✝❺✞ q) is a pointed (P✞✰↔ ) ➙ bounded context if q ☛ Q. Henceforth, we refer to such triples as (P✞✰↔ ) ➙ pcontexts. The element q is said to be the point of the pcontext (Q✞✲✝✱✞ q). Following [29], we lift the notion of renaming functions to morphisms between pcontexts: Definition 12 (Morphism) Let w1 and w2 be two (P✞✰↔ ) ➙ pcontexts, and let wi ✖ (Qi ✞✰✝ i ✞ qi ) for i ✖ 1✞ 2. A morphism from w1 to w2 is a renaming function f : Q1 ✎ Q2 such that 1. f (p) ✖ p for every p 2. if ✏ at q ☛❲✝ 1 ☛ P; then ✏ at f (q) ☛❲✝ 2; and 3. f (q1 ) ✖ q2 . We write w1 ➾ w2 whenever there is a morphism from w1 to w2 . Furthermore, we write w1 ➚ w2 if w1 ➾ w2 and w2 ➾ w1 . The first part of the definition says that the renaming function does not change the places in P. Now for every sentence ✏ at q ☛❲✝ 1 , it is the case that ✏✦☛ Frm(P). 34 ✝ ✷♠✝ Therefore, the second condition is equivalent to saying that f ( 1 ) 2 . Hence, (Q1 1 q1 ) (Q2 2 q2 ) intuitively means that 2 has ”more” sentences than 1 up-to renaming. Finally, the third part says that a morphism preserves the point of a pcontext. p A , and Q1 Q2 p q r . Let f : Q1 Q2 For example, let P be the renaming function defined as f (p) p f (q) r and f (r) q. Consider the three sets of sentences: ✞✰✝ ✞ ➾ ✞✰✝ ✞ ✝ ✖❹✹ ✻➤✞❦↔◗✖✚✹ ✻ ✖ ✞ ✖ ✖❹✹ ✞ ✞ ✻ ✖ ✖ ✝ ✎ ✵ ✝ ❱✖ ✝ ✖✺✹ A at q✞ A at p✻ , and ✵ ✝ ✑ ✖✴✹ A at p✞ A at r ✻ . We have f (A at q) ✖ A at r. Now, we have that A at r s✢✝ and A at r ☛❩✝ ✑ . Therefore, f is not a morphism from (Q ✞✲✝ ) to (Q ✞✲✝ ). On the other hand, f is a morphism from (Q ✞✲✝ ) to (Q ✞✲✝❾✑ ). Clearly, ➾ is a preorder. The identity function gives reflexivity, and function composition gives transitivity. This makes the relation ➚ an equivalence relation. If w is a pcontext, then we shall use [w] to denote the class of the pcontexts equivalent to w with respect to the relation ➚ . We shall use these equivalence classes as the worlds of the finite counter-model, and the order amongst the worlds will be given by the preorder ➾ . We will now show that the relation ➚ partitions the set of 1 2 2 1 1 1 1 2 2 2 pcontexts into finite number of classes: ✞✰↔ ➙ Lemma 6 (Finite Partition) The set of (P ) pcontexts is partitioned into a finite number of equivalence classes by the equivalence . ✞✲↔ ➙ ➚ Proof: We will show that every (P ) pcontext is equivalent to a canonical pcontext. The set of canonical pcontexts will be finite. Before we proceed, please note that P and are finite sets by definition. Hence, the sub-formula closure and the powerset Pow( ) must be finite sets. We will now define the set of canonical pcontexts. For each we choose def a new place r P such that r 1 r 2 if 1 r : . 2 . Let R The cardinality of R is the same as the cardinality of Pow( ), and hence R is finite. A canonical pcontext will have places amongst P R. Furthermore, the canonical pcontext will contain the sentence at r if and only if r is a place in the . More formally, we say that the triple (Q q) is a canonical pcontext and (P )-pcontext if ↔ ➶✚s ✞✲↔ ➶ ❸ ➶ ✏ ✏❱☛⑨➪ ✵ ↔↕ ↔↕ ➶ ➪ ❸❱➪ ↔↕ ✶ ➪ ✷✢↔❞↕ ➛ ✖➻✹ ➶ ➪❧✷❨↔❼↕✣✻ ➶ ✲✞ ➠➥✞ ✷ Q ✷ P ✶ R. ✵ ✝ is the union of two sets ✝ and ✝ , where 1. ✝ is a set of sentences such that ✏ at s ☛❩✝ means that ✏✴☛❩↔❞↕ and s ☛ P; and 2. ✝ is the set of all sentences ✏ at r ➶ , where ✏❱☛✤➪ and r ➶ ☛ Q ➹ R. In other words, ✝ ✖③✹➤✏ at r ➶ : ✏✦☛❲➪⑥✞ r ➶ ☛ Q ➹ R✻ . Q is a set of places such that P P R P P R def R 35 ✵ q ☛ Q. ✞✲↔ ➙ Clearly, a triple that satisfies the above points is a (P ) pcontext. Furthermore, as the sets P R are finite, the set of canonical pcontexts must be finite also. (Q q) there is a canoniWe will now show that for every pcontext w cal pcontext equivalent to it. This would immediately give us that the number of equivalence classes induced by is finite. be Let w (Q q) be a (P ) pcontext, and fix it. For s Q, let H(s) the set of formulae such that at s . (Q q ), the canonical pcontext equivalent to w as We now define w follows. P will be contained in Q . For each s Q P, we add the place r H(s) only if it is in . A sentence to Q . For p P, a sentence at p will be in at r H(s) will be in Q only if H(s). Finally, the point q will be q if q P. Otherwise the point q will be r H(q) . More formally, we define: ✞ ✞✲↔ ↕ ✖ ✞✰✝✱✞ ✏ ➚ ✞✲↔ ➙ ✏ ☛❲✝ ✑ ✞✲✝ ✑ ✞ ✑ ✑ ✏ ✏◆☛ ✑ ✖ ☛ ✑ ✏ ✖ ✑ ✑ ✞✲✝✱✞ ✷➄↔ ↕ ☛ ☛ ✝✑ ➼ ✑ ✵ Q✑ def✖ P ✶✦✹ r H(s) : s ☛ Q ➼ P ✻ ✵ ✝ ✑ def✖❷✝ P ✶⑨✝ R, where def – ✝ P ✖③✹➤✏ at p : ✏ at p ☛❲✝ and p ☛ P ✻ def – ✝ R ✖✼✹➤✏ at r H(s) : s ☛ Q ➼ P and ✏✢☛ r H(s) ✻ if q ☛ P; ✵ q✑ def✖ q r H(q) if q ☛ Q ➼ P✟ Clearly, (Q✑ ✞✰✝ ✑ ✞ q✑ ) is a canonical (P✞✲↔ ) ➙ pcontext. ✝ ☛ Moreover, the renaming functions f :Q ➙➘✎ ✑ ➙➘✎ g:Q ✑ Q Q ✖ def f (s) g(t) ☛ s if s P; r H(s) otherwise ✟ ☛ t if t P; q if t q ; l otherwise, where l t r H(l) ✖ ✑ ✖ def ✖ ✑ ✑ ✟ ☛ ➼ Q P is chosen s.t. are morphisms from w to w and from w to w, respectively. We conclude that w w. ➚ ✑ ❚ 5.3 The Finite Counter-Model ✮✯✞✲↔❳✷ Given a finite set of places P, two finite sets of pure formulae Frm(P), prime and (P ) bounded canonical Kripke model as defined let can be the in Section 4 (see Definition 11). Now, let can (W R I Eval) be the can birelational model obtained by using the encoding of can into a birelational model ■ ✮❙➙ ✞✰↔ ➙ ❭ 36 ✖ ■ ✞✣❍❙✞ ✞ ✞ ■ ➙ (see Section 3.2). We call ❭ can the ✮❙➙ prime and (P✞✲↔ ) ➙ bounded canonical birelational model. Please recall from the proof of completeness (see Section 4) that if a judgement ✮ ; ➠✺✳ P ✏ at p is not provable, then ❭ can provides the birelational counter-model for the judgement for an appropriate choice of ↔ . The worlds of ❭ can are pcontexts (Q✞✲✝❺✞ q) where (Q✞✲✝ ) are ✮❙➙ prime and (P✞✲↔ ) ➙ bounded. Two worlds w1 ✖ (Q1 ✞✲✝ 1 ✞ q1 ) and w2 ✖ (Q2 ✞✲✝ 2 ✞ q2 ) are reachable from each other if Q1 ✖ Q2 and ✝ 1 ✖◆✝ 2 . Furthermore, (Q1 ✞✲✝ 1 ✞ q1 ) ❍ (Q2 ✞✲✝ 2 ✞ q2 ) if Q1 ✷ Q2 , ✝ 1 ✷❩✝ 2 and q1 ✖ q2 . A world w ✖ (Q✞✲✝❺✞ q) ☛ I(A) for some atom A if A at q ☛⑨✝ . The evaluation is a total function, and E((Q✞✲✝❺✞ q)) ✖ q. Furthermore, as a consequence of definition of canonical models, a world w ✖ (Q✞✲✝❺✞ q) forces a formula ✏✦☛❲↔❞↕ if and only if ✏ at q ☛❲✝ . Even though the worlds in canonical birelational are composed of bounded pcontexts, the set of the worlds may itself be finite. Following [29], we shall construct a model, called the quotient model, equivalent to the canonical model. For this model, we will use morphisms between pcontexts. Please recall that given pcontexts w1 and w2 , w1 ➾ w2 if there is a morphism from w1 into w2 , and w1 ➚ w2 if w1 ➾ w2 and w2 ➾ w1 . The relation ➾ is a preorder and ➚ is an equivalence. The set of equivalence classes generated by ➚ is finite by Lemma 6. We write [w] for the equivalence class of w. In the quotient canonical model, the set of worlds will be W➴❝➷ , the set of equivalence classes generated by ➚ on W. We have that W➴❝➷ is finite. Our construction will ensure that w in the canonical birelational model forces a formula ✏✦☛❽↔ ↕ only if [w] forces ✏ . In the quotient model, [w1 ] will be less than [w2 ] only if w1 ➾ w2 . As ➾ is a preorder, it follows easily that this ordering is well-defined. If R is the reachability relation on the canonical model, then [w1 ] is reachable from [w2 ] in the quotient model only if there is some w✑1 ☛ [w1 ] and w✑2 ☛ [w2 ] such that w✑1 R w✑2 . The equivalence of ➚ ensures that reachability relation is well-defined. If I is the interpretation of atoms in the canonical model and w ✖ (Q✞✲✝❺✞ q), then an atom A will be placed in a world [w] only if A at q ☛✤✝ . Since a morphism between pcontexts always preserves points, the interpretation function is also well-defined. Finally, the evaluation of a world [w] in the canonical model will be partial. It is defined only if the point of w is in P, and in that case the evaluation of [w] is the point of w. Please note that as morphisms between pcontexts always fixes elements in P, and therefore the evaluation is also well-defined. The other thing to note is that it is in the well-definedness of the evaluation that we need partiality (a morphism of pcontexts does not need to preserve places other than the set P). We start by defining the quotient model formally, and then we will prove that this is indeed a birelational model. Definition 13 (Quotient Canonical Model) Given a finite set of places P, two finite sets of pure formulae ✮✯✞✲↔➌✷ Frm(P), let ❭ can ✖ (W✞✣❍❙✞ R ✞ I ✞ Eval) be the ✮✪➙ prime and (P✞✰↔ ) ➙ bounded canonical birelational model with set of places Pls. The quotient model of ❭ can has set of places P, and is defined to be the quintuple 37 (W➴❵➷➬✞✜❍✯✑➮✞ R ✑➮✞ I✑✬✞ Eval✑ ), where 1. The set W➴❝➷ is the set of the equivalence classes generated by the relation ➚ on W. 2. The binary relation ❍ ✑ is defined as: [w1 ] ❍ ✑ [w2 ] if and only if w1 ➾ w2 . 3. The binary relation R ✑ is defined as: [w1 ] R ✑ [w2 ] if and only if there exists w✑1 ☛ [w1 ] and w✑2 ☛ [w2 ] such that w✑1 R w✑2 . 4. The function I ✑ : Atoms ✎ Pow(W➴❝➷ ) is defined as: def I ✑ (A) ✖③✹ [w] : w ☛ I(A) ✻ 5. The partial function Eval✑ : W➴❝➷➞✎ def Eval✑ ([w]) ✖ P is defined as: p if w ✖ (Q✞✲✝❺✞ p) and p ☛ P; not defined otherwise. As we discussed before, ❍★✑ , R ✑ , I ✑ and Eval✑ in the quotient model are welldefined. We will show that the quotient model that we just constructed is a birelational model. In order to show this, we first show that the relation R ✑ is an equivalence: Lemma 7 (Reachability is an Equivalence) Given a finite set of places P, two finite sets of pure formulae ✮✯✞✲↔➱✷ Frm(P), let ❭ can ✖ (W✞✣❍❙✞ R ✞ I ✞ Eval) be the ✮✪➙ prime and (P✞✲↔ ) ➙ bounded canonical birelational model. Let ❭ ➴❝➷ ✖ (W➴❝➷ ✞✣❍ ✑ ✞ R ✑r✞ I ✑r✞ Eval✑ ) be the quotient model of ❭ can . Then R ✑ is an equivalence. Proof: The reflexivity and symmetry of R ✑ follow from the reflexivity and symmetry of R in the model ❭ can . We need to show that R ✑ is transitive. Pick [w1 ]✞ [w2 ]✞ [w3 ] ☛ W➴❵➷ such that [w1 ] R ✑ [w2 ] R ✑ [w3 ], and fix them. By definition, the assumption [w1 ] R ✑ [w2 ] R ✑ [w3 ] is equivalent to saying that there are w✑1 ✞ w✑2 ✞ w✑➉2✑ ✞ w✑3 ☛ W such that w1 ➚ w✑1 R w✑2 ➚ w2 and w2 ➚ w✑➉2✑ R w✑3 ➚ w3 . As ➚ is an equivalence, we get w✑1 R w✑2 ➚ w✑➉2✑ R w✑3 ✟ (6) In order to prove transitivity, we will first show that there are two worlds v1 and v3 in W such that w✑1 ➚ v1 R v3 ➚ w✑3 . This will give us by definition [w✑1 ] R ✑ [w✑3 ], and hence [w1 ] R ✑ [w3 ]. Now, the assumptions in (6) and the definition of R say that 1. w✑1 ✖ (Q1 ✞✲✝ 1 ✞ q1 ) and w✑2 ✖ (Q1 ✞✲✝ 1 ✞ q2 ), where (Q1 ✞✰✝ (P✞✲↔ ) ➙ bounded context, and q1 ✞ q2 ☛ Q1 . 1) is a ✮ -prime and 2. w✑❊2✑ ✖ (Q2 ✞✰✝ 2 ✞ q✑2 ) and w✑➉3✑ ✖ (Q2 ✞✲✝ 2 ✞ q3 ), where (Q2 ✞✲✝ (P✞✲↔ ) ➙ bounded context, and q✑2 ✞ q3 ☛ Q2 . 2) is a ✮ -prime and 38 ✞✲✝ ✞ ✎ ➚ ✞✰✝ ✞ ✑ 3. (Q1 1 q2 ) (Q2 2 q2 ), i.e., there exist two morphisms f : Q1 Q1 such that f (q2 ) q2 and g(q2 ) q2 . g : Q2 ✖ ✑ ✎ Q2 and ✑ ✖ Without loss of generality, we can assume that Q1 ✖ P ✶ R1 and Q2 ✖ P ✶ R2 with R1 ➹ R2 ✖✦➡ (otherwise, we can rename the places in ✝ 2 and R2 ). (Q1 ✶ Q2 ✞✲✝ 1 ✶➢✝ 2 ) is (P✞✰↔ ) ➙ bounded as (Q1 ✞✲✝ 1 ) and (Q2 ✞✲✝ 2 ) are bounded def def contexts. We let v1 ✖ (Q1 ✶ Q2 ✞✲✝ 1 ✶⑨✝ 2 ✞ q1 ) and v3 ✖ (Q1 ✶ Q2 ✞✲✝ 1 ✶➀✝ 2 ✞ q3 ). Now, consider the triple v1 ✖ (Q1 ✶ Q2 ✞✰✝ 1 ✶➀✝ 2 ✞ q1 ). We have (Q1 ✶ Q2 ✞✲✝ 1 ✶ ✝ 2 ✞ q1) ➚ (Q1 ✞✰✝ 1 ✞ q1 ), by considering the two renaming functions G1 : Q1 ✶ Q2 ➙➘✎ Q1 G2 : Q1 ➙➘✎ Q1 ✶ Q2 q if q ☛ Q1 ; def def G1 (q) ✖ G2 (q) ✖ q g(q) if q ☛ Q2 Please note that as g is a morphism, g(q) ✖ q if q ☛ Q1 ➹ Q2 ✖ P. Therefore, G1 is well-defined and G1 (q1 ) ✖ q1 . Now, suppose that ✏ at q ☛♠✝ 1 ✶P✝ 2 . If ✏ at q ☛✥✝ 1 , then ✏ at G1(q) ☛✢✝ 1 as G1(q) ✖ q in that case. If ✏ at q ☛✥✝ 2 , then ✏ at G1(q) ☛❲✝ 1 because in this case G1(q) ✖ g(q) and g is a morphism. Therefore, G1 is a morphism of pcontexts. G2 is a morphism between pcontexts trivially, and hence we get w✑1 ➚ v1 . Similarly, (Q1 ✶ Q2 ✞✲✝ 1 ✶⑨✝ 2 ✞ q3 ) ➚ (Q2 ✞✲✝ 2 ✞ q3 ) by considering the morphisms F2 : Q2 ➙➘✎ Q1 ✶ Q2 F1 : Q1 ✶ Q2 ➙➘✎ Q2 f (q) if q ☛ Q1 ; def def F1 (q) ✖ F2 (q) ✖ q q if q ☛ Q2 We get that v3 ➚ w✑3 . If v1 and v3 are worlds in ❭ can , then v1 R v3 by definition. In that case v1 and v3 are the worlds we are looking for. In order to show that v1 and v3 are indeed worlds in ❭ can we need to show that the (P✞✰↔ ) ➙ bounded context (Q1 ✶ Q2 ✞✲✝ 1 ✶❩✝ 2 ) is ✮ -prime. In order to show that (Q1 ✶ Q2 ✞✰✝ 1 ✶➀✝ 2 ) is ✮❙➙ prime we need to show the four properties required by Definition 10. We will prove here only the ↔ -deductive closure property. The treatment of other properties is similar. Assume that ✮ ; ✝ 1 ✶◆✝ 2 ✳ Q ✃ Q ✏ at q for some ✏➅☛❡↔ . We consider two cases. If q ☛ Q1 , then consider the renaming function G1 defined above. Now G1 fixes Q1 and applies g to Q2 . Therefore, G1 (✮ ) ✖◗✮ , G1 (✝ 1 ✶✢✝ 2 ) ✖❢✝ 1 ✶ g(✝ 2 ), G1 (✏ ) ✖➆✏ and G1 (q) ✖ q. Now, as g is a morphism we get that g(✝ 2 ) ✷❜✝ 1 . Therefore, using Lemma 5 and applying the renaming function G1 to the judgement ✮ ; ✝ 1 ✶➜✝ 2 ✳ Q ✃ Q ✏ at q, we get that ✮ ; ✝ 1 ✳ Q ✏ at q. As ✝ 1 is ✮ -prime, ✏ at q ☛ ✝ 1 ✷❩✝ 1 ✶➀✝ 2 . Likewise, if q ☛ Q2, we conclude that ✏ at q ☛❲✝ 2 ✷✢✝ 1 ✶➀✝ 2 . ❚ 1 1 2 2 1 We now show that the quotient model is a birelational model. ❭ ✖ ✞✣❍❙✞ ✞ ✞ (W R I Eval) be the Proposition 9 (Birelational Preservation) Let can prime and (P ) bounded canonical birelational model with set of places Pls. ✮✪➙ ✞✲↔ ➙ 39 ❭✓➴❝➷❶✖ ➴❵➷➬✞✜❍✯✑r✞ ✑①✞ r✑ ✞ ✑ ❭ . Then ❭➊➴❝➷ is a Proof: The finiteness of ❭ ➴❝➷ follows from Lemma 6. We need to verify all the properties listed in Definition 5. 1. Clearly W➴❝➷ is a non empty set. 2. The relation ❍ ✑ is a partial order since ➾ is a preorder, and ➚ is the equivalence induced by ➾ . 3. R ✑ is an equivalence by Lemma 7. We prove the reachability condition. Consider [w ]✞ [w✑ ]✞ [w ] ☛ W➴❵➷ such that [w ] ▲★✑ [w ] R ✑ [w✑ ]. We need to prove that there exists [w✑ ] ☛ W➴❝➷ such that [w ] R ✑ [w✑ ] ▲ ✑ [w✑ ]. Now, the hypothesis [w ] ▲ ✑ [w ] R ✑ [w✑ ] means: ✵ w ✖ (Q ✞✲✝ ✞ q ) and w✑ ✖ (Q ✞✰✝ ✞ q✑ ) where (Q ✞✲✝ ) is a ✮❙➙ prime (P✞✲↔ ) ➙ bounded context, and q ✞ q✑ ☛ Q ; ✵ and w ✖ (Q ✞✲✝ ✞ q ) where (Q ✞✲✝ ) is a ✮❙➙ prime and (P✞✲↔ ) ➙ bounded and q ☛ Q ; and ✵ context, there is a morphism f : Q ✎ Q from w to w . We define w✑ ✖ (Q ✞✰✝ ✞ f (q✑ )). Clearly w ☛ W, w R w✑ , and f is also a morphism from w✑ to w✑ . Therefore [w ] R ✑ [w✑ ] ▲ ✑ [w✑ ], as required. 4. In order to check the monotonicity of I ✑ , consider [w ]✞ [w ] ☛ W➴❝➷ such that [w ] ❍✯✑ [w ]. Then w ✖ (Q ✞✲✝ ✞ q ), w ✖ (Q ✞✲✝ ✞ q ), and there exists a morphism f from w to w such that f (q ) ✖ q . We need to prove that if [w ] ☛ I ✑ (A), then [w ] ☛ I ✑ (A) also. Now assume that [w ] ☛ I ✑ (A). By definition, this means that A at q ☛◗✝ . As f is a morphism, we get A at f (q ) ☛✺✝ , and hence A at q ☛✺✝ . Therefore [w ] ☛ I ✑ (A) as required. 5. According to the definition, Eval✑ is a partial function. We need to verify coherence and uniqueness. Coherence. Consider [w ]✞ [w ] ☛ W➴❝➷ such that [w ] ❍ ✑ [w ], and assume that [w ] ❴ q. Then q ☛ P, and w ✖ (Q ✞✲✝ ✞ q) for some Q ✞✰✝ . [w ] ❍✯✑ [w ] means that is a morphism from w to w that fixes q. Therefore, w ✖ (Q ✞✲✝ ✞ q) for some Q and ✝ . By definition, we conclude that [w ] ❴ q. Uniqueness Consider [w ]✞ [w ] ☛ W➴❝➷ such that [w ] R ✑ [w ]. This means that there exist w✑ ✞ w✑ ☛ W such that w ➚ w✑ R w✑ ➚ w . Assume that [w ] ❴ q and [w ] ❴ q. Then w✑ ❴ q and w✑ ❴ q in ❭ . The uniqueness says that w✑ ✖ w✑ . Hence w ➚ w✑ ➚ w . We property in ❭ conclude [w ] ✖ [w ] as required. ❚ Let (W R I Eval ) be the quotient model of finite birelational model with set of places P. 1 2 1 2 1 2 1 1 1 2 1 1 1 2 2 2 2 1 2 1 1 1 2 1 2 2 1 can 1 1 1 1 1 2 2 1 2 1 2 def 2 2 2 1 2 2 1 2 2 2 2 1 1 2 1 1 1 1 1 1 2 2 2 2 1 2 2 2 2 1 1 1 1 2 1 2 2 2 2 1 1 1 1 2 1 1 2 1 2 2 2 1 1 1 2 2 2 2 1 1 1 2 1 1 2 2 1 can 1 2 1 2 40 2 1 2 2 can 1 2 1 2 ↔ ↕ We will show that a world w forces a formula in in the canonical birelational model if and only if [w] forces the formula in the quotient model. For this, we will need the following proposition which states that given worlds w1 w2 in the canonical model, if w1 forces a formula in then so does w2 : ➾ ↔❼↕ Proposition 10 (Forcing Preservation Under Morphisms) Given a finite set of places P, two finite sets of pure formulae Frm(P), let can (W R I Eval) be the prime and (P ) bounded canonical birelational model. Let be the extension of interpretation I to formulae. Then for every w1 w2 W, and : ✮❙➙ ✏✦☛❲↔❞↕ ✗✖❾➏❳✏ 2. If w1 ➚ w2 , then w1 ✗✖❾➏❳✏ 1. If w1 ➾ ✮✯✞✰↔❥✷ ✞✲↔ ➙ w2 , then w1 implies w2 ❭ ✗✖❾➏❳✏ if and only if w2 ✖ ✞✣❍❙✞ ✞ ✞ ✗✖❾➏ ✞ ☛ . ✗✖❾➏❳✏ . Proof: We prove the first point as the second one is straightforward consequence of the first one. Consider w1 w2 W, such that w1 w2 . This means that w1 (Q1 1 q1 ) and w2 (Q2 2 q2 ) where (Qi i ) are -prime and (P )-bounded contexts for i 1 2. Moreover, there is a morphism f : Q1 Q2 such that f (q1 ) q2 . for some . This means from the definition of Assume that w1 canonical birelational model that at q1 1 . Since f is a morphism from w1 to . Once again, we get from the definition of canonical w2 , we get that at q2 2 . birelational model that w2 ✞✰✝ ✞ ✖ ✖ ✞ ✏ ✞ ☛ ✞✰✝ ✞ ✖ ✗✖❾➏ ✏ ☛⑨✝ ✏ ➾ ✞✰✝ ✮ ✎ ✖ ✞✰↔ ✏◗☛➢↔ ↕ ☛⑨✝ ✗✖❾➏❳✏ ❚ We are now ready to prove that if the world w in the canonical birelational model forces , then the world [w] in the quotient model also forces , and vice-versa. ✏◆☛✥↔❞↕ ✏ Lemma 8 (Quotient Forcing Preservation) Given a finite set of places P, two fiFrm(P), let (W R I Eval) be the nite sets of pure formulae can prime and (P ) bounded canonical birelational model. Let (W R I Eval ) be the quotient model of can . Let and extend the interpreand w W: tations I and I to formulae respectively. Then, for every ✮✯✞✲↔➎✷ ❭ ✖ ✣✞ ❍❙✞ ✞ ✞ ✮✪➙ ✞✲↔ ➙ ❭ ❝➴ ➷ ✖ ❝➴ ➷ ✞✣❍★✑①✞ ❭ ✗✖❾➏ ✗✖ ➴❝➷ ✑✞ ✑✞ ✑ ✑ ✏✢☛❲↔ ↕ ☛ w ✗✖❾➏❳✏ if and only if [w] ✗✖ ❝➴ ➷ ✏✯✟ Proof: The proof proceeds by induction on the structure of the formula ✏✦☛❽↔❼↕ . Base case. The Lemma is verified on ✘ , and on ✕ by definition. Consider now the case when ✏❢✖ A ☛ Atoms. Then w ✗✖✪➏ A means w ✖ (Q✞✰✝✱✞ q) for some Q✞✲✝❺✞ q and A at q ☛❲✝ . Hence, [w] ☛ I ✑ (A), and therefore [w] ✗✖ ➴❝➷ A. Inductive hypothesis. We consider a formula ✏➅☛❢↔ ↕ , and we assume that the Lemma holds for each sub-formula of ✏ that is in ↔❼↕ . We will proceed by cases on the structure of ✏ . For the sake of clarity, we will just consider the case of implication and the modalities. The other cases can be dealt with similarly. 41 Please note that as ↔ ↕ is closed under sub-formulae, the induction hypothesis can be applied to all sub-formulae of ✏ . Before we proceed with the cases, we observe that if w1 ✖ (Q1 ✞✰✝ 1 ✞ q1 ) and w2 ✖ (Q2 ✞✰✝ 2 ✞ q2 ) are two worlds in W such w1 ❍ w2 , then w1 ➾ w2 . This is because by definition w1 ❍ w2 means that Q1 ✷ Q2 , ✝ 1 ✷❹✝ 2 and q1 ✖ q2 . The morphism between w1 and w2 is given by the injection of Q1 into Q2 . Case ✏➀✖P✏ 1 ✎❆✏ 2 . Let w ✗✖✪➏ ✏ . We need to show that [w] ✗✖ ➴❝➷ ✏ . Consider [w✑ ] ✯ ▲ ✑ [w]. Then w✑✤❐ w. By Proposition 10, we have w✑✥✗✖✪➏ ✏ . As ✏⑨✖◆✏ 1 ✎➊✏ 2 , we get that w✑ ✗✖❾➏❳✏ 2 whenever w✑ ✗✖❾➏➐✏ 1 . If we assume [w✑ ] ✗✖ ➴❝➷ ✏ 1 then w✑ ✗✖✪➏➒✏ 1 by induction hypothesis. Hence w✑⑥✗✖❾➏❒✏ 2 . The induction hypothesis says that [w✑ ] ✗✖ ➴❝➷ ✏ 2 . As [w✑ ] is an arbitrary world larger that [w], we can conclude that [w] ✗✖ ➴❝➷ ✏ 1 ✎❆✏ 2 . For the other direction, let [w] ✗✖ ➴❝➷ ✏ . This means that for every [w✑ ] ▲ ✑ [w]: if [w✑ ] ✗✖ ➴❝➷ ✏ 1 , then [w✑ ] ✗✖ ➴❝➷ ✏ 2 . Consider now w✑➇▲✯✑ w. We have [w✑ ] ❐ [w] also. If we assume w✑➇✗✖❾➏➔✏ 1 , then the induction hypothesis says that [w✑ ] ✗✖✪➴❝➷⑨✏ 1 . Then [w✑ ] ✗✖✪➴❝➷⑨✏ 2 , and so w✑ ✗✖❾➏❳✏ 2 by induction hypothesis. We conclude that w ✗✖✪➏➐✏ 1 ✎❆✏ 2 . Case ✏➀✖P☎✒✏ 1 . Let w ✗✖❾➏ ✏ . We need to show that [w] ✗✖ ➴❵➷ ☎✧✏ 1 . Consider [w1 ] ▲ ✑ [w] and [w2 ] R ✑ [w1 ]. It su✌ ces to show that [w2 ] ✗✖ ➴❝➷ ✏ 1 . The hypothesis [w2 ] R ✑ [w1 ] ▲★✑ [w] means that w1 ❐ w and w2 ➚ w3 R w4 ➚ w1 for some worlds w3 ✞ w4 ☛ W. We get that w4 ❐ w as ➾ is a preorder . We have w4 ❐ w, and hence w4 ✗✖❾➏➐☎✒✏ 1 by Proposition 10. By definition of forcing, w3 ✗✖✪➏→✏ 1 . Therefore w2 ✗✖❾➏→✏ 1 by Proposition 10. The induction hypothesis says that [w2 ] ✗✖ ➴❝➷ ✏ 1 , and so we conclude [w] ✗✖ ➴❵➷ ☎✧✏ 1 . For the other direction, let [w] ✗✖ ➴❵➷ ☎✒✏ 1 . Consider w1 ▲ w and w2 R w1 . We have to show that w2 ✗✖P✏ 1 . We have w1 ❐ w, and hence [w1 ] ▲ [w]. We also have by the definition of the quotient model that [w2 ] R ✑ [w1 ]. Therefore, as [w] ✗✖ ➴❝➷ ☎✒✏ 1 , we get that [w2 ] ✗✖✪➴❝➷✥✏ 1 . Hence w2 ✗✖❾➏❮✏ 1 by induction hypothesis. We conclude that w ✗✖❾➏❳☎✧✏ 1 . Case ✏➀✖P✄☞✏ 1 . Let w ✗✖❾➏➐✏ . Then there exists w1 R w such that w1 ✗✖✪➏➐✏ 1 . So we have [w1 ] R ✑ [w] by the definition of quotient model. Also [w1 ] ✗✖ ➴❝➷ ✏ 1 by induction hypothesis. Hence [w] ✗✖ ➴❝➷ ✄☞✏ 1 . For the other direction, let [w] ✗✖ ➴❵➷ ✏ . Then there exists [w1 ] R ✑ [w] such that [w1 ] ✗✖ ➴❝➷ ✏ 1 . This means that there are w✑1 and w✑ such that w1 ➚ w✑1 R w✑ ➚ w, and w1 ✗✖✪➏➒✏ 1 by induction hypothesis. By Proposition 6, we get that w✑1 ✗✖✪➏❣✏ 1 . Therefore, by definition of forcing, w✑✒✗✖✪➏❣✄❛✏ 1 . By Proposition 6 once again, w ✗✖❾➏❳✄❛✏ 1 . 42 Case ✏✦☛❲↔ ↕ and ↔ ↕ ✷ Frm(P), we get that q ☛ P. Now, if w ✗✖✪➏ ✏ then there exists w R w such that w ✗✖❾➏ ✏ and w ❴ q. We have [w ] R ✑ [w] by definition of quotient model. As q ☛ P, we also have [w ] ❴ q. Therefore, [w] ✗✖ ➴❵➷ ✏ @q. For the other direction, let [w] ✗✖ ➴❵➷ ✏ . Then there exists [w ] R ✑ [w] such that [w ] ✗✖ ➴❝➷ ✏ , and [w ] ❴ q. This means that there are w✑ and w✑ such that w ➚ w✑ R w✑ ➚ w, and w ✗✖✪➏➓✏ by induction hypothesis. Furthermore, w ❴ q and w✑ ❴ q. By Proposition 6, we get that w✑ ✗✖❾➏➍✏ . Hence, by definition ❚ of forcing, w✑ ✗✖✪➏➐✏ @q. By Proposition 6 once again, w ✗✖❾➏❳✏ @q. ✏➀✖P✏ 1 @q. As 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Finally, we have the finite model property: ✮ ✝◗✳ ✏ Theorem 3 (Finite Model Property) Assume that P is a finite set of places. If P at p is not provable, then there exists a finite birelational the judgement ; P model with set of places P, such that ; at p is not valid in . ❭ ✮ ✾✝ ✳ ✏ ❭ (✏ ) ✶➀✹ p ✻ . Consider the Proof: We fix ↔ ✖➅✹➤☎✧✩ ; ✩◆☛❲✮❙✻❰✶❶✮➞✶➀✹➤✩ : ✩ at q ☛❲✝➵✻❛✶ ✮ -prime and (P✞✰↔ )➙ bounded canonical birelational model ❭ . From the proof of completeness in Section 4 there is a world of ❭ , say w, such that w evaluates to P and w forces ✮ ; ✝ but not ✏ . . ❭✓➴❵➷ is a finite birelational model and Consider the quotient ❭✓➴❵➷ of ❭ has set of places P. The world [w] evaluates to p. Furthermore, as a consequence of Lemma 8, we can easily show that [w] forces ✮ ; ✝ but not ✏ . Therefore, ❭ ➴❝➷ is ❚ the required finite counter-model. def PL can can can Please recall from Section 4 that for the provability of a judgement, we just need to consider the places appearing in the formulae of the judgement (see Proposition 8). Using this fact and the finite model property, we get that the logic is decidable: ✮ ✝✴✳ ✏ at p is deProof: Let P✑ be (✮ ) ✶ (✝ ) ✶ (✏ ) ✶➢✹ p ✻ . By Proposition 8, ✮ ; ✝❬✳ ✏ at p ✁ can be e ectively computed, we if and only if ✮ ; ✝✚✳ ✇ ✏ at p. As the function just need to consider the judgement ✮ ; ✝✾✳ ✇ ✏ at p for the decidability result. We can enumerate all proofs in the logic in which the set of places considered ✁ is finite. Hence, we obtain an e ective enumeration of all provable judgements. We ✁ ✁ can also e ectively enumerate all finite birelational models, and e ectively check whether the judgement ✮ ; ✝❏✳ ✇ ✏ at p is refutable in a given finite birelational model. As a consequence of finite model property proved above, ✮ ; ✝✽✳ ✇ ✏ at p is refutable only if it is refutable in some finite birelational model. By perform✁ ing these enumerations and checks simultaneously, we obtain an e ective test for ❚ provability of ✮ ; ✝✾✳ ✇ ✏ at p. Corollary 3 (Decidability) The provability of the judgement ; cidable in the logic. PL PL P P PL P PL P P P P 43 The procedure detailed in the Corollary above would not have worked if we had used Kripke models instead of birelational models. This is because the finite model property fails for Kripke models. For example, consider the judgement ; ☎❦❤✒❤ A at p ✳ ♦ p♣ ❤✒❤❙☎ A at p. We claim that this judgement is valid for every finite distributed Kripke model. Indeed, let k be a Kripke state in some finite distributed Kripke model ■ such that (k ✞ p) ✗✖❷☎❦❤✒❤ A. Pick l ▲ k in ■ such that l is maximal with respect to the ordering of Kripke states. As (k ✞ p) ✗✖◆☎❦❤✧❤ A, we get by definition that (l✞ r) ✗✖✴❤✒❤ A for every place r in the state l. From the semantics of implication and the fact that l is a maximal state, it must be the case that (l✞ r) ✗✖ A for every place r in the state l. Again, as l is maximal, we get (l✞ p) ✗✖❹☎ A. As l ▲ k, we get that (l✞ p) ✗✖◗❤✧❤✪☎ A from the semantics of implication. On the other hand, we showed that the judgement is not valid in the finite model ❭ exam in Section 3. The model ❭ exam has two worlds w1 and w2 such that w1 ❍ w2 ✞ w1 R w2 ✞ I(A) ✖➊✹ w2 ✻➤✞ w1 ❫ and w2 ❴ p. As we discussed there, w2 ✗✖❡☎❦❤✧❤ A and w2 ✗✖❥ ✐ ❤✒❤❙☎ A. As we mentioned before, this example is adapted from [22, 29]. 6 Related Work The logic we studied is an extension of the logic introduced in [14, 15]. In [14, 15], it was used as the foundation of a type system for a distributed Ï -calculus by exploiting the proofs-as-terms and propositions-as-types paradigm. The proof terms corresponding to modalities have computational interpretation in terms of remote procedure calls (@p), commands to broadcast computations (☎ ), and commands to use portable code (✄ ). The authors also introduce a sequent calculus for the logic without disjunctive connectives, and prove that it enjoys cut elimination. Although the authors demonstrate the usefulness of logic in reasoning about the distribution of resources, they do not have a corresponding model. From a logical point of view, this logic can be viewed as a hybrid modal logic [1, 2, 3, 4, 5, 24, 25]. A hybrid logic internalises the model in the logic by using modalities built from pure names. The original idea of internalising the model into formulae was proposed in [24, 25], and has been further investigated in [1, 2, 3, 4, 5]. This work has been mostly carried out in the classical setting. More recently, intuitionistic versions of hybrid logics were investigated in [6, 14, 15]. There are several intuitionistic modal logics in the literature, and [29] is a good source on them. The modalities in [29] have a temporal flavour, and the spatial interpretation was not recognised then. The work in [6] extends the modal systems in [29], and creates hybrid versions of the modal systems by introducing nominals. A natural deduction system for these hybrid systems along with a normalisation result is also given in [6]. A Kripke semantics along with a proof of soundness and completeness is also introduced. The extension we gave to the logic in [14, 15] is a hybrid version of the intu- 44 itionistic modal system IS5 [21, 26, 29]. The modality @p internalises the model in the logic. In the modal system IS5, first introduced in [26], the accessibility relation among places is total. The main di erence in the logic presented in [6] and the logic in [14, 15] is that names in [14, 15] only occur in the modality @p. In [6], names also occur as propositions. From the point of view of semantics, Kripke semantics were first introduced in [17] for intuitionistic first-order logic. Kripke semantics for intuitionistic modal systems were developed in [10, 21, 23, 28, 29]. Birelational models for intuitionistic modal logic were introduced independently in [10, 28, 23]. They are in general useful to prove finite model property as demonstrated in [22, 29]. The finite model property fails for Kripke semantics [29, 22], and the example for this was adapted to our distributed Kripke semantics. Some other examples of work on logics of resources are separation logics [27] and logic of bunched implications [20]. In [20], the authors give a Kripke model based on monoids. The formulae of the logic are the resources, and are interpreted as elements of the monoid. The focus of this work is the sharing of resources, and not their distribution. There is no notion of places, and the logic has no modalities. In the classical setting, there are a number of logics used to study spatial properties. In [7, 8], for example, the authors use process calculi as their models. They have a classical modal logic to study spatial and temporal properties of processes. ✁ 7 Conclusions and Future Work We studied the hybrid modal logic presented in [14, 15], and extended the logic with disjunctive connectives. Formulae in the logic contain names, also called places. The logic is useful to reason about placement of resources in a distributed system. We gave two sound and complete semantics for the logic. In one semantics, we interpreted the judgements of the logic over Kripke-style models [17]. Typically, Kripke models [17] consist of partially ordered Kripke states. In our case, each Kripke state has a set of places, and di erent places satisfy di erent formulae. Larger Kripke states have larger sets of places, and the satisfaction of atoms corresponds to the placement of resources. The modalities of the logic allow formulae to be satisfied in a named place (@p), some place ( ) and every place ( ). The Kripke semantics can be seen as an instance of hybrid IS5 [21, 26, 6, 29]. In the second semantics, we interpreted the judgements over birelational models [10, 28, 23, 29]. Typically, birelational models have a set of partially ordered worlds. In addition to the partial order, there is also a reachability relation amongst worlds. In order to interpret the modality @p in the system, we also introduced a partial evaluation function on the set of worlds. The hybrid nature of the logic presented di culties in the proof of soundness. The di culties are addressed using a mathematical construction that creates a new model from a given one. The set of world in the constructed model is the union of two sets. One of these sets is the ✁ ✁ ✄ ☎ ✌ ✌ 45 reachability relation, and the worlds in the second set witness the existential and universal properties. As in the case of intuitionistic modal systems [10, 28, 21, 23, 29], we demonstrated that the birelational models introduced here enjoy the finite model property: a judgement is not provable in the logic if and only if it is refutable in some finite model. The finite model property allowed us to conclude decidability. The partiality of the evaluation function was essential in the proof of finite model property. As future work, we are considering other extensions of the logic. A major limitation of the logic presented in [14, 15] is that if a formula ✏ is validated at some named place, say p, then the formula ✏ @p can be inferred at every other place. Similarly, if ✄❛✏ or ☎✧✏ can be inferred at one place, then they can be inferred at any other place. In a large distributed system, we may want to restrict the rights of accessing information in a place. This can be done by adding an accessibility relation as is done in the case of other intuitionistic modal systems [29, 6]. We are currently investigating if the proof of finite model property can be adapted to the hybrid versions of other intuitionistic modal systems. We are also investigating the computational interpretation of these extensions. This would result in extensions of Ï -calculus presented in [14, 15]. Acknowledgements. We thank Annalisa Bossi, Giovanni Conforti, Valeria de Paiva, Matthew Hennessy, and Bernhard Reus for interesting and useful discussions. References [1] C. Areces and P. Blackburn. Bringing them all together. Journal of Logic and Computation, 11(5):657–669, 2001. [2] C. Areces, P. Blackburn, and M. Marx. Hybrid logics: Characterization, interpolation and complexity. Journal of Symbolic Logic, 66:997–1010, 2001. [3] P. Blackburn. Internalizing labelled deduction. Journal of Logic and Computation, 10:137–168, 2000. [4] P. Blackburn. Representation, reasoning, and relational structures: a hybrid logic manifesto. Logic Journal of the IGPL, 8:339–365, 2000. [5] P. Blackburn and J. Seligman. What are hybrid languages? In M. Kracht, M. de Rijke, H. Wansing, and M. Zakharyaschev, editors, Advances in modal logic, volume 1, pages 41–62. CSLI, 1996. [6] T. Braüner and V. de Paiva. Towards constructive hybrid logic (extended abstract). In Elec. Proc. of Methods for Modalities 3, 2003. [7] L. Caires and L. Cardelli. A spatial logic for concurrency (part I). In TACS’01, volume 2215 of LNCS, pages 1–37. Springer Verlag, 2001. 46 [8] L. Cardelli and A.D. Gordon. Anytime, anywhere. Modal logics for mobile ambients. In POPL’00, pages 365–377. ACM Press, 2000. [9] L. Cardelli and A.D. Gordon. Mobile ambients. Theoretical Computer Science, Special Issue on Coordination, 240(1):177–213, 2000. [10] W. B. Ewald. Time, Modality and Intuitionism. PhD thesis, University of Oxford, 1978. [11] J.-Y. Girard. Proofs and Types. Cambridge University Press, 1989. [12] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the ACM, 32(1):137–161, 1985. [13] M. Hennessy and J. Riely. Resource access control in systems of mobile agents. Information and Computation, 173:82–120, 2002. [14] L. Jia and D. Walker. Modal proofs as distributed programs. Technical Report TR-671-03, Princeton University, 2003. [15] L. Jia and D. Walker. Modal proofs as distributed programs (extended abstract). In ESOP’04, volume 2986 of LNCS, pages 219–233. Springer Verlag, 2004. [16] S.A. Kripke. Semantical analysis of modal logic I: Normal modal propositional calculi. In Zeitschrift für Mathematische Logik und Grundlagen der Mathematik, volume 9, pages 67–96, 1963. [17] S.A. Kripke. Semantical analysis of intuitionistic logic, I. In Proc. of Logic Colloquium, Oxford, 1963, pages 92–130. North-Holland Publishing Company, 1965. [18] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, parts I and II. Information and Computation, 100(1):1–77, 1992. [19] J. Moody. Modal logic as a basis for distributed computation. Technical Report CMU-CS-03-194, Carnegie Mellon University, 2003. [20] P.W. O’Hearn and D. Pym. The logic of bunched implications. Bulletin of Symbolic Logic, 5(2):215–244, 1999. [21] H. Ono. On Some Intuitionistic Modal Logics, volume 13, pages 687–722. Publications of RIMS, Kyoto University, 1977. [22] H. Ono and N.-Y. Suzuki. Relations between intuitionistic modal logics and intermediate predicate logics. Reports on Mathematical Logic, 22:65–87, 1988. 47 [23] G. D Plotkin and C. P Stirling. Theoretical Aspects of Reasoning About Knowledge, chapter A Framework for Intuititionistic Modal Logic. J. Y. Halpern, 1986. [24] A. Prior. Past, Present and Future. Oxford University Press, 1967. [25] A. Prior. Papers on Time and Tense. Oxford University Press, 1968. [26] A. N. Prior. Time and Modality. Oxford University Press, 1957. [27] J. Reynolds. Separation logic: a logic for shared mutable data structures. In LICS’02, pages 55–74. IEEE Computer Society Press, 2002. [28] G. Fisher Servi. Semantics for a class of intuitionistic modal calculi. In M. L. dalla Chiara, editor, Italian Studies in the Philosophy of Science, pages 59–72. Reidel Publishing Company, 1981. [29] A.K. Simpson. The Proof Theory and Semantics of Intuitionistic Modal Logic. PhD thesis, University of Edinburgh, 1994. [30] K. Crary T. Murphy, R. Harper, and F. Pfenning. A symmetric modal lambda calculus for distributed computing. In LICS’04, 2004. To appear. [31] D. van Dalen. Logic and Structure. Springer Verlag, 4th extended edition, 2004. 48