
Lecture Notes in Computer Science 4136

Commenced Publication in 1973


Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
University of Dortmund, Germany
Madhu Sudan
Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Moshe Y. Vardi
Rice University, Houston, TX, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Renate A. Schmidt (Ed.)

Relations and Kleene Algebra in Computer Science

9th International Conference on Relational Methods in Computer Science
and 4th International Workshop on Applications of Kleene Algebra, RelMiCS/AKA 2006
Manchester, UK, August/September, 2006
Proceedings
Volume Editor

Renate A. Schmidt
University of Manchester
School of Computer Science
Oxford Rd, Manchester M13 9PL, UK
E-mail: [email protected]

Library of Congress Control Number: 2006931478

CR Subject Classification (1998): F.4, I.1, I.2.3, D.2.4

LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

ISSN 0302-9743
ISBN-10 3-540-37873-1 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-37873-0 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
Springer is a part of Springer Science+Business Media
springer.com
© Springer-Verlag Berlin Heidelberg 2006
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper SPIN: 11828563 06/3142 543210
Preface

This volume contains the joint proceedings of the 9th International Conference on Relational Methods in Computer Science (RelMiCS-9) and the 4th International Workshop on Applications of Kleene Algebra (AKA 2006). The joint event was hosted by the School of Computer Science at the University of Manchester, UK, from August 29 to September 2, 2006. RelMiCS/AKA is the main forum for the relational calculus as a conceptual and methodological tool and for topics related to Kleene algebras. Within this general theme, the conference series is devoted to the theory of relation algebras, Kleene algebras and related formalisms as well as to their diverse applications in software engineering, databases and artificial intelligence. This year, special focus was on formal methods, logics of programs and links with neighboring disciplines. This diversity is reflected by the contributions to this volume.

The Programme Committee selected 25 technical contributions out of 44 initial submissions from 14 countries. Each paper was refereed by at least three reviewers on its originality, technical soundness, quality of presentation and relevance to the conference. The programme included three invited lectures by distinguished experts in the area: “Weak Kleene Algebra and Computation Trees” by Ernie Cohen (Microsoft, USA), “Finite Symmetric Integral Relation Algebras with no 3-Cycles” by Roger Maddux (Iowa State University, USA), and “Computations and Relational Bundles” by Jeff Sanders (Oxford, UK). In addition, for the first time, a PhD programme was co-organized by Georg Struth. It included the invited tutorials “Foundations of Relation Algebra and Kleene Algebra” by Peter Jipsen (Chapman University, USA), and “Relational Methods for Program Refinement” by John Derrick (Sheffield University, UK).

As in previous years, the RelMiCS Conference and the AKA Workshop were co-organized because of their considerable overlap. Previous RelMiCS meetings were held in 1994 at Dagstuhl, Germany, in 1995 at Parati, Brazil, in 1997 at Hammamet, Tunisia, in 1998 at Warsaw, Poland, in 1999 at Québec, Canada, in 2001 at Oisterwijk, The Netherlands, in 2003 at Malente, Germany and in 2005 at St. Catharines, Canada. The AKA Workshop has been held jointly with RelMiCS since 2003, after an initial Dagstuhl Seminar in 2001.

I would like to thank the many people without whom the meeting would not have been possible. First, I would like to thank all authors who submitted papers, all participants of the conference as well as the invited keynote speakers and the invited tutorial speakers for their contributions. I am very grateful to the members of the Programme Committee and the external referees for carefully reviewing and selecting the papers. I thank my colleagues on the Steering Committee for their advice and the support for the changes introduced for this year’s event. Special thanks go to the members of the local organization team in the School of Computer Science at the University of Manchester for all their help: the staff in the ACSO office, especially Bryony Quick and Iain Hart, the staff of the finance office, and the technical staff, as well as Zhen Li and David Robinson. Moreover, I am extremely grateful to Georg Struth for his tremendous amount of effort—as Programme Chair he helped with every aspect of the planning and organization of RelMiCS/AKA 2006 and the PhD Programme. Finally, it is my pleasure to acknowledge the generous support by: the UK Engineering and Physical Sciences Research Council (grant EP/D079926/1), the London Mathematical Society, the British Logic Colloquium, the University of Manchester (President’s Fund), and the School of Computer Science, University of Manchester.

Manchester, June 2006
Renate Schmidt
General Chair, RelMiCS/AKA 2006
Organization

Conference Chairs
Renate Schmidt (UK, General Chair)
Georg Struth (UK, Program Chair)

Steering Committee
Rudolf Berghammer (Germany, Chair)
Jules Desharnais (Canada)
Ali Jaoua (Qatar)
Bernhard Möller (Germany)
Ewa Orlowska (Poland)
Gunther Schmidt (Germany)
Renate Schmidt (UK)
Harrie de Swart (Netherlands)
Michael Winter (Canada)

Program Committee
Roland Backhouse (UK)
Rudolf Berghammer (Germany)
Stéphane Demri (France)
Jules Desharnais (Canada)
Zoltán Ésik (Hungary, Spain)
Marcelo Frías (Argentina)
Hitoshi Furusawa (Japan)
Stéphane Gaubert (France)
Steven Givant (USA)
Valentin Goranko (South Africa)
Martin Henson (UK)
Ali Jaoua (Qatar)
Peter Jipsen (USA)
Wolfram Kahl (Canada)
Yasuo Kawahara (Japan)
Zhiming Liu (China)
Bernhard Möller (Germany)
Damian Niwinski (Poland)
Ewa Orlowska (Poland)
Alban Ponse (Netherlands)
Ingrid Rewitzky (South Africa)
Ildikó Sain (Hungary)
Holger Schlingloff (Germany)
Gunther Schmidt (Germany)
Renate Schmidt (UK)
Giuseppe Scollo (Italy)
Georg Struth (UK)
Michael Winter (Canada)
Harrie de Swart (Netherlands)

External Referees
Balder ten Cate
Alexander Fronk
Marian Gheorghe
Sun Meng
Szabolcs Mikulas
Venkat Murali
Ian Pratt-Hartmann
Wim Hesselink
Peter Höfner
Britta Kehden
Andrea Schalk
Nikolay V. Shilov
Kim Solin
Dmitry Tishkovsky
Zhao Liang
Kamal Lodaya
Maarten Marx
Thomas Triebsees
Jeff Sanders
Liang Zhao

Local Organization
Renate Schmidt (Local Organization Chair)
Bryony Cook, Iain Hart (Registration, Secretarial Support)
Zhen Li (Webpages)
David Robinson (Local Organization)

Sponsoring Institutions
British Logic Colloquium
Engineering and Physical Sciences Research Council
London Mathematical Society
University of Manchester
Table of Contents

Weak Kleene Algebra and Computation Trees . . . 1
Ernie Cohen

Finite Symmetric Integral Relation Algebras with No 3-Cycles . . . 2
Roger D. Maddux

Computations and Relational Bundles . . . 30
J.W. Sanders

An Axiomatization of Arrays for Kleene Algebra with Tests . . . 63
Kamal Aboul-Hosn

Local Variable Scoping and Kleene Algebra with Tests . . . 78
Kamal Aboul-Hosn, Dexter Kozen

Computing and Visualizing Lattices of Subgroups Using Relation Algebra and RelView . . . 91
Rudolf Berghammer

On the Complexity of the Equational Theory of Relational Action Algebras . . . 106
Wojciech Buszkowski

Demonic Algebra with Domain . . . 120
Jean-Lou De Carufel, Jules Desharnais

Topological Representation of Contact Lattices . . . 135
Ivo Düntsch, Wendy MacCaull, Dimiter Vakarelov, Michael Winter

Betweenness and Comparability Obtained from Binary Relations . . . 148
Ivo Düntsch, Alasdair Urquhart

Relational Representation Theorems for General Lattices with Negations . . . 162
Wojciech Dzik, Ewa Orlowska, Clint van Alten

Monotonicity Analysis Can Speed Up Verification . . . 177
Marcelo F. Frias, Rodolfo Gamarra, Gabriela Steren, Lorena Bourg

Max-Plus Convex Geometry . . . 192
Stéphane Gaubert, Ricardo Katz

Lazy Semiring Neighbours and Some Applications . . . 207
Peter Höfner, Bernhard Möller

Omega Algebra, Demonic Refinement Algebra and Commands . . . 222
Peter Höfner, Bernhard Möller, Kim Solin

Semigroupoid Interfaces for Relation-Algebraic Programming in Haskell . . . 235
Wolfram Kahl

On the Cardinality of Relations . . . 251
Yasuo Kawahara

Evaluating Sets of Search Points Using Relational Algebra . . . 266
Britta Kehden

Algebraization of Hybrid Logic with Binders . . . 281
Tadeusz Litak

Using Probabilistic Kleene Algebra for Protocol Verification . . . 296
A.K. McIver, E. Cohen, C.C. Morgan

Monotone Predicate Transformers as Up-Closed Multirelations . . . 311
Ingrid Rewitzky, Chris Brink

Homomorphism and Isomorphism Theorems Generalized from a Relational Perspective . . . 328
Gunther Schmidt

Relational Measures and Integration . . . 343
Gunther Schmidt

A Relational View of Recurrence and Attractors in State Transition Dynamics . . . 358
Giuseppe Scollo, Giuditta Franco, Vincenzo Manca

On Two Dually Nondeterministic Refinement Algebras . . . 373
Kim Solin

On the Fixpoint Theory of Equality and Its Applications . . . 388
Andrzej Szalas, Jerzy Tyszkiewicz

Monodic Tree Kleene Algebra . . . 402
Toshinori Takai, Hitoshi Furusawa

Weak Relational Products . . . 417
Michael Winter

Author Index . . . 433


Weak Kleene Algebra and Computation Trees

Ernie Cohen

Microsoft, US
[email protected]

Abstract. The Kleene algebra axioms are too strong for some program models of interest (e.g. models that mix demonic choice with angelic or probabilistic choice). This has led to proposals that weaken the right distributivity axiom to monotonicity, and possibly weaken or eliminate the right induction and left annihilation axioms (e.g. lazy Kleene algebra, probabilistic Kleene algebra, monodic tree Kleene algebra, etc.). We’ll address some of the basic metatheoretic properties of these theories using rational trees modulo simulation equivalence.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, p. 1, 2006.
© Springer-Verlag Berlin Heidelberg 2006
Finite Symmetric Integral Relation Algebras with No 3-Cycles

Roger D. Maddux

Department of Mathematics, 396 Carver Hall, Iowa State University, Ames, Iowa 50011, U.S.A.
[email protected]

Abstract. The class of finite symmetric integral relation algebras with no 3-cycles is a particularly interesting and easily analyzable class of finite relation algebras. For example, it contains algebras that are not representable, algebras that are representable only on finite sets, algebras that are representable only on infinite sets, algebras that are representable on both finite and infinite sets, and there is an algorithm for determining which case holds.

Some questions raised in a preprint by Jipsen [1] are addressed in this paper. Most of the results in this paper date from 1983, but some were found and published independently by Comer [2], Jipsen [1], and Tuza [3]. The first four sections contain background material.

1 Relation Algebras and Their Relatives

A relation algebra is an algebraic structure

$\mathfrak{A} = \langle A, +, \overline{\ }, ;, \breve{\ }, 1' \rangle$, (1)

where A is a nonempty set, + and ; are binary operations on A, $\overline{\ }$ and $\breve{\ }$ are unary operations on A, and 1' ∈ A is a distinguished element, which satisfies these equational axioms:

R1 $x + y = y + x$, (+-commutativity)
R2 $x + (y + z) = (x + y) + z$, (+-associativity)
R3 $\overline{\overline{x} + y} + \overline{\overline{x} + \overline{y}} = x$, (Huntington’s axiom)
R4 $x;(y;z) = (x;y);z$, (;-associativity)
R5 $(x + y);z = x;z + y;z$, (right ;-distributivity)
R6 $x;1' = x$, (right identity law)
R7 $\breve{\breve{x}} = x$, (˘-involution)
R8 $(x + y)\breve{} = \breve{x} + \breve{y}$, (˘-distributivity)
R9 $(x;y)\breve{} = \breve{y};\breve{x}$, (˘-involutive distributivity)
R10 $\breve{x};\overline{x;y} + \overline{y} = \overline{y}$. (Tarski/De Morgan axiom)

RA is the class of relation algebras, and NA is the class of nonassociative relation algebras, algebras of the form (1) which satisfy all the RA axioms except ;-associativity. For every A ∈ NA, $\langle A, +, \overline{\ }\rangle$ is a Boolean algebra by axioms R1–R3 (this fact is due to E. V. Huntington [4,5,6]). Because of this, $\langle A, +, \overline{\ }\rangle$ is called the Boolean part of A, and standard concepts from the theory of Boolean algebras may be applied to nonassociative relation algebras by referring to the Boolean part. BA is the class of Boolean algebras. For any algebra A ∈ NA, the identity element of A is 1', and other operations and elements, which correspond to intersection, difference, empty relation, diversity relation, and universal relation, are defined by

$x \cdot y := \overline{\overline{x} + \overline{y}}$, (2)
$x - y := \overline{\overline{x} + y}$, (3)
$0 := \overline{1' + \overline{1'}}$, (4)
$0' := \overline{1'}$, (5)
$1 := 1' + \overline{1'}$. (6)

The zero element is 0, the diversity element is 0', and the unit element is 1. Every algebra A ∈ NA satisfies the cycle law:

$\breve{x};z \cdot y = 0$ iff $x;y \cdot z = 0$ iff $z;\breve{y} \cdot x = 0$ iff $y;\breve{z} \cdot \breve{x} = 0$ iff $\breve{y};\breve{x} \cdot \breve{z} = 0$ iff $\breve{z};x \cdot \breve{y} = 0$ (7)

and many other laws, a few of which we gather here:

$\breve{1'} = 1'$, $\breve{0'} = 0'$, (8)
$1';x = x$, (9)
$0;x = x;0 = 0$, (10)
$1;1 = 1$. (11)

An algebra A ∈ NA is symmetric if it satisfies the equation

$\breve{x} = x$. (12)

If A ∈ NA is symmetric then A is also commutative, i.e., it satisfies the equation

$x;y = y;x$. (13)

WA is the class of weakly associative relation algebras, those algebras in NA which satisfy the weak associative law

$((x \cdot 1');1);1 = (x \cdot 1');(1;1)$. (14)

Finally, SA is the class of semiassociative relation algebras, those algebras in NA which satisfy the semiassociative law

$(x;1);1 = x;(1;1)$. (15)

Clearly NA ⊇ WA ⊇ SA ⊇ RA. Since every NA satisfies 1;1 = 1, the weak associative law and semiassociative law can be simplified by replacing 1;1 with 1.

The set of atoms of an algebra A ∈ NA is AtA. An atom x ∈ AtA is an identity atom if x ≤ 1' and a diversity atom if x ≤ 0'. An algebra A ∈ NA is integral if 0 ≠ 1 (A is nontrivial) and x;y = 0 implies x = 0 or y = 0. If A ∈ NA and 1' ∈ AtA then A is integral. The converse holds if A ∈ SA. However, it fails for some A ∈ WA. Around 1940 J. C. C. McKinsey invented a nontrivial WA with zero-divisors in which 1' is an atom. This algebra shows that WA ⊃ SA. In fact, all the inclusions are proper (see [7, Cor. 2.6, Th. 3.7] or [8, Th. 450]), so we have

NA ⊃ WA ⊃ SA ⊃ RA.

2 Representable Relation Algebras

For every set U, let Sb(U) be the set of subsets of U, and let

$\mathfrak{Bl}(U) := \langle \mathrm{Sb}(U), \cup, \overline{\ } \rangle$,

where ∪ is the binary operation on Sb(U) of forming the union of any two subsets of U, and $\overline{\ }$ is the unary operation of complementation with respect to U (so $\overline{X} = U \sim X$, where ∼ is the operation of forming the set-theoretic difference of two sets). Bl(U) is the Boolean algebra of subsets of U. For every equivalence relation E, let

$\mathfrak{Sb}(E) := \langle \mathrm{Sb}(E), \cup, \overline{\ }, |, {}^{-1}, \mathrm{Id} \cap E \rangle$, (16)

where | is relative multiplication of binary relations, defined for binary relations R and S by

$R|S := \{\langle a, c\rangle : \exists b\,(\langle a, b\rangle \in R,\ \langle b, c\rangle \in S)\}$, (17)

$^{-1}$ is conversion of binary relations, defined for any binary relation R by

$R^{-1} := \{\langle b, a\rangle : \langle a, b\rangle \in R\}$, (18)

and Id ∩ E is the identity relation on the field Fd(E) = {x : ∃y (xEy)} of E (Id is the class of pairs of sets of the form ⟨x, x⟩). Sb(E) is the relation algebra of subrelations of E, and we refer to Sb(E) as an equivalence relation algebra. It is necessary to assume that E is an equivalence relation in order to ensure that Sb(E) is closed under relative multiplication and conversion. Sb(U²), the powerset of U², is the set of binary relations on U. For every set U, Re(U) is the square relation algebra on U, defined by

$\mathfrak{Re}(U) := \mathfrak{Sb}(U^2)$. (19)

Every square relation algebra is an equivalence relation algebra, but not every equivalence relation algebra is a square relation algebra (or even isomorphic to one). In fact, Sb(E) is not isomorphic to a square relation algebra whenever E is an equivalence relation with two or more equivalence classes. For example, if U and V are nonempty disjoint sets and E = U² ∪ V², then Sb(E) is an equivalence relation algebra which is isomorphic to the direct product of the two square relation algebras Re(U) and Re(V). The projection functions from Sb(E) onto the two factor algebras are nontrivial homomorphisms since U and V are not empty. However, nontrivial square relation algebras are simple and have no nontrivial homomorphisms. Consequently Sb(E) is not isomorphic to any square relation algebra.

We say A is a proper relation algebra if there is an equivalence relation E such that A is a subalgebra of Sb(E). An algebra A is a representable relation algebra if it is isomorphic to a proper relation algebra. RRA is the class of representable relation algebras. We say that ρ is a representation of A over E and that the field of E is the base set of ρ if E is an equivalence relation and ρ is an embedding of A into Sb(E). Thus A ∈ RRA iff there is a representation of A over some equivalence relation. We say that ρ is a square representation of A on U (and that U is the base set of ρ) if ρ is a representation of A over U². Let fRRA be the class of finitely representable relation algebras, those algebras in RRA which have a representation with a finite base set.

It is easy to see that RRA is closed under the formation of subalgebras and direct products. For subalgebras this is immediate from the relevant definitions. As part of the proof for direct products, note that if E is an I-indexed system of nonempty pairwise disjoint equivalence relations then they also have disjoint fields, $\bigcup_{i \in I} E_i$ is an equivalence relation, and

$\mathfrak{Sb}\Big(\bigcup_{i \in I} E_i\Big) \cong \prod_{i \in I} \mathfrak{Sb}(E_i)$

via the isomorphism which sends each $R \in \mathrm{Sb}\big(\bigcup_{i \in I} E_i\big)$ to $\langle R \cap E_i : i \in I \rangle$. A special case of this observation is that if E is a nonempty equivalence relation then, letting Fd(E)/E be the set of E-equivalence classes of elements in the field Fd(E) of E, we have

$\mathfrak{Sb}(E) \cong \prod_{U \in \mathrm{Fd}(E)/E} \mathfrak{Re}(U)$

via the isomorphism which sends each R ∈ Sb(E) to ⟨R ∩ U² : U ∈ Fd(E)/E⟩. Suppose ρ is a square representation of A on a finite set U. Create a system of pairwise disjoint sets $V_i$ and bijections $\sigma_i : U \to V_i$ for every i ∈ ω. For every a ∈ A, let

$\tau(a) := \bigcup_{i \in \omega} \{\langle \sigma_i(x), \sigma_i(y)\rangle : \langle x, y\rangle \in \rho(a)\}$,

and set $E := \bigcup_{i \in \omega} V_i \times V_i$. Then E is an equivalence relation and τ is a representation of A over E. Since τ has an infinite base set, this shows that if a representable relation algebra has a square representation (or, in fact, any representation) with a finite base set, then it also has a representation with an infinite base set (but not necessarily a square representation with an infinite base set).

It is much harder to show that RRA is closed under the formation of homomorphic images. This was first proved by Tarski [9], and it has been reproved in several different ways; see [8,10], Jónsson [11,12], and Hirsch-Hodkinson [13]. It follows by Birkhoff’s HSP-Theorem [14] that RRA has an equational axiomatization. However, Monk [15] proved that RRA does not have a finite equational (nor even first-order) axiomatization, and Jónsson [12] proved that RRA does not have an equational basis containing only finitely many variables (see [8, Th. 466–7]).

If ρ is a representation of A over an equivalence relation E, then, for all a, b ∈ A, we have

$\rho(a + b) = \rho(a) \cup \rho(b)$, (20)
$\rho(\overline{a}) = E \sim \rho(a)$, (21)
$\rho(a \cdot b) = \rho(a) \cap \rho(b)$, (22)
$\rho(0) = \emptyset$, (23)
$\rho(a;b) = \rho(a)|\rho(b)$, (24)
$\rho(\breve{a}) = (\rho(a))^{-1}$, (25)
$\rho(1') = \mathrm{Id} \cap E$. (26)

The concept of weak representation introduced by Jónsson [16] is obtained by dropping conditions (20) and (21). We say that ρ is a weak representation of A over E if (22)–(26) hold for all a, b ∈ A. An algebra A ∈ NA is weakly representable if it has a weak representation over some equivalence relation, and wRRA is the class of algebras in NA that have a weak representation.

3 5-Dimensional Relation Algebras

Let A ∈ NA and assume 3 ≤ n ≤ ω. A function that maps n² into the universe A of A is called an n-by-n matrix of A. Let $B_n A$ be the set of those n-by-n matrices of atoms of A such that, for all i, j, k < n, $a_{ii} \le 1'$, $\breve{a}_{ij} = a_{ji}$, and $a_{ik} \le a_{ij};a_{jk}$. Let k, l < n. We say that two matrices a, b ∈ $B_n A$ agree up to k if $a_{ij} = b_{ij}$ whenever k ≠ i, j < n, and we say that they agree up to k, l if $a_{ij} = b_{ij}$ whenever k, l ≠ i, j < n. We say that N is an n-dimensional relational basis for A ∈ NA if

1. ∅ ≠ N ⊆ $B_n A$,
2. for every atom x ∈ AtA there is some a ∈ N such that $a_{01} = x$,
3. if a ∈ N, i, j, k < n, i, j ≠ k, x, y ∈ AtA, and $a_{ij} \le x;y$, then for some b ∈ N, a and b agree up to i, $b_{ik} = x$, and $b_{kj} = y$.

For example, if U is any set then $B_n \mathfrak{Re}(U)$ is a relational basis for Re(U). An algebra A ∈ NA is a relation algebra of dimension n if A is a subalgebra of a complete atomic NA that has an n-dimensional relational basis. $RA_n$ is the class of relation algebras of dimension n. It happens (see [8]) that

SA = $RA_3$ ⊃ RA = $RA_4$ ⊃ $RA_5$ ⊃ $RA_\omega$ = RRA. (27)

The following equation (called (M) in [8]) is true in every $RA_5$. The notational convention in this equation is that $x_{ij} = (x_{ji})\breve{}$.

$x_{01} \cdot (x_{02} \cdot x_{03};x_{32});(x_{21} \cdot x_{24};x_{41}) \le x_{03};\Big[(x_{30};x_{01} \cdot x_{32};x_{21});x_{14} \cdot x_{32};x_{24} \cdot x_{30};(x_{01};x_{14} \cdot x_{02};x_{24})\Big];x_{41}$. (28)

Equation (28) is part of the axiom set in Jónsson [16] and it is an equational form of a condition on atoms given by Lyndon [17]. For a relation algebra A ∈ RA, failure of (28) is a simple test for nonrepresentability that implies something stronger, namely, nonmembership in $RA_5$.

4 Cycle Structures and Complex Algebras

The cycle structure of A ∈ NA is the ternary relation

$\mathrm{Cy}(A) := \{\langle x, y, z\rangle : x, y, z \in \mathrm{At}A,\ x;y \ge z\}$.

For any atoms x, y, z ∈ AtA, let

$[x, y, z] := \{\langle x, y, z\rangle, \langle \breve{x}, z, y\rangle, \langle y, \breve{z}, \breve{x}\rangle, \langle \breve{y}, \breve{x}, \breve{z}\rangle, \langle \breve{z}, x, \breve{y}\rangle, \langle z, \breve{y}, x\rangle\}$. (29)

The set [x, y, z] of triples of atoms is called a cycle. By the cycle law (7), the cycle structure of A is a disjoint union of cycles. We say that [x, y, z] is a forbidden cycle of A if [x, y, z] ∩ Cy(A) = ∅, that [x, y, z] is a cycle of A if [x, y, z] ⊆ Cy(A), that [x, y, z] is an identity cycle if one (or, equivalently, all) of its triples contains an identity atom, and that [x, y, z] is a diversity cycle if all of the elements in its triples are diversity atoms. In case A is symmetric, we say that [x, y, z] is a 3-cycle (or 2-cycle or 1-cycle) of A if [x, y, z] ⊆ Cy(A) and |{x, y, z}| = 3 (or 2 or 1, respectively). In case A ∈ NA is symmetric and 1' is an atom of A, we say that A has no 3-cycles if every 3-cycle is forbidden.

Suppose that T is a ternary relation and U is the field of T, i.e.,

$U := \{x : \exists y\,\exists z\,(Txyz \text{ or } Tyxz \text{ or } Tyzx)\}$. (30)

We will use T to construct an algebra whose universe is Sb(U). First, define a binary operation ; on the powerset of U, by letting, for any X, Y ⊆ U,

$X;Y := \{c : \exists x\,\exists y\,(x \in X,\ y \in Y,\ Txyc)\}$.

Define the binary relation S ⊆ U² by

$S := \{\langle a, b\rangle : a, b \in U,\ \forall x\,\forall y\,((Taxy \iff Tbyx),\ (Txay \iff Tybx))\}$. (31)

Note that S must be a symmetric relation because of the form of its definition. Use S to define $\breve{X} \subseteq U$ for every subset X ⊆ U by

$\breve{X} := \{b : \exists x\,(Sxb,\ x \in X)\}$.

Finally, define the subset I ⊆ U by

$I := \{a : a \in U,\ \forall x\,\forall y\,((Taxy \text{ or } Txay) \implies x = y)\}$. (32)

The operations ; and ˘ along with the distinguished subset I are enough to define, starting from the Boolean algebra of all subsets of U, an algebra called the complex algebra of T, namely,

$\mathfrak{Cm}(T) := \langle \mathrm{Sb}(U), \cup, \overline{\ }, ;, \breve{\ }, I\rangle$.

The Boolean part of Cm(T) is Bl(U), the complete atomic Boolean algebra of all subsets of the field of T. The complex algebra Cm(T) is a relation algebra when certain elementary conditions are satisfied by T, as stated in the next theorem.

Theorem 1 ([7, Th. 2.2, 2.6]). Suppose T is a ternary relation. Define U, S, and I by (30), (31), and (32). Consider the following six statements.

∀a (a ∈ U ⟹ ∃b Sab), (33)
∀a (a ∈ U ⟹ ∃i (i ∈ I, Tiaa)), (34)
∀x ∀y ∀z ∀a ∀b (Txyz, Tzab ⟹ ∃c (Txcb, Tyac)), (35)
∀x ∀y ∀z ∀a ∀b (Txyz, Tzab ⟹ ∃c Txcb), (36)
∀x ∀y ∀z ∀a ∀b (Txyz, Tzab, Ix ⟹ ∃c Txcb), (37)
∀x ∀z ∀a ∀b (Txzz, Tzab, Ix ⟹ Txbb). (38)

1. If (33) and (34) then S is an involution, i.e., S : U → U and S(S(x)) = x for all x ∈ U.
2. Cm(T) ∈ NA iff (33) and (34).
3. Cm(T) ∈ RA iff (33), (34), and (35).
4. Cm(T) ∈ SA iff (33), (34), and (36).
5. Cm(T) ∈ WA iff (33), (34), and either (37) or (38).

Statement (33) says that every atom has a converse and statement (34) says that every atom has a left identity element. Statement (35) expresses ;-associativity for atoms (and has the same form as Pasch’s Axiom). Statement (36), which expresses the semiassociative law applied to atoms, is a strict weakening of (35), obtained by deleting one of the conclusions. Statements (37) and (38) are obtained from (36) by weakening the hypotheses, and each of them expresses the weak associative law applied to atoms.

The identity element of the complex algebra of T is an atom just in case I = {e} for some e ∈ U. Whenever this is the case, (34) takes on the following simpler form,

∀a (a ∈ U ⟹ Teaa).

Every square relation algebra on a set is a complex algebra, for if U is an arbitrary set and T = {⟨⟨a, b⟩, ⟨b, c⟩, ⟨a, c⟩⟩ : a, b, c ∈ U}, then the complex algebra Cm(T) is the square relation algebra on U:

$\mathfrak{Re}(U) = \mathfrak{Cm}(\{\langle\langle a, b\rangle, \langle b, c\rangle, \langle a, c\rangle\rangle : a, b, c \in U\})$.

Let G = ⟨G, ∘⟩ be a group. Treat the group multiplication ∘ as a ternary relation, i.e.,

$\circ = \{\langle x, y, z\rangle : x, y, z \in G,\ x \circ y = z\}$,

and define Cm(G) to be Cm(∘). GRA is the class of group relation algebras, the class of algebras that are isomorphic to a subalgebra of Cm(G) for some group G. If, for every X ⊆ G, we let

$\sigma(X) := \{\langle g, g \circ x\rangle : g \in G,\ x \in X\}$

then σ is a square representation of Cm(G) on G. Thus every group relation algebra is representable:

GRA ⊆ RRA. (39)
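The construction of Cm(T) and the tests of Theorem 1 are entirely mechanical for a finite T, so here is an added Python example (not code from the paper) that carries them out. It assumes T is handed over as a Python set of triples (x, y, z), read as x;y ≥ z on atoms; it builds U, S and I from (30)–(32), the operations ; and ˘ on subsets of U, and evaluates (33)–(36) to place Cm(T) in NA, SA or RA according to Theorem 1 (the WA conditions (37) and (38) are not tested). The sample relations Z3, RE2 and NO_CONVERSE are constructed here: the cyclic group Z_3 turned into a ternary relation as in the group construction above, the square relation algebra on {0, 1}, and a one-triple relation in which no atom has a converse.

```python
# Added example (not from the paper): the complex algebra Cm(T) of a finite
# ternary relation T, following (30)-(32), and the Theorem 1 tests (33)-(36).
# A triple (x, y, z) in T is read as "x ; y >= z" on atoms.  The sample
# relations at the bottom are constructed here.
from itertools import product


def field(T):
    """U, the field of T, as in (30)."""
    return frozenset(a for triple in T for a in triple)


def compose(T, X, Y):
    """X ; Y on subsets of U: every c with T x y c for some x in X, y in Y."""
    return frozenset(c for (x, y, c) in T if x in X and y in Y)


def converse_relation(T):
    """S from (31): a S b iff Taxy <=> Tbyx and Txay <=> Tybx for all x, y."""
    U = field(T)
    return frozenset(
        (a, b) for a, b in product(U, repeat=2)
        if all(((a, x, y) in T) == ((b, y, x) in T) and
               ((x, a, y) in T) == ((y, b, x) in T)
               for x, y in product(U, repeat=2)))


def converse(T, X):
    """X-breve: the S-image of the subset X."""
    S = converse_relation(T)
    return frozenset(b for (x, b) in S if x in X)


def identity_set(T):
    """I from (32): atoms a such that Taxy or Txay forces x = y."""
    U = field(T)
    return frozenset(
        a for a in U
        if all(x == y for x, y in product(U, repeat=2)
               if (a, x, y) in T or (x, a, y) in T))


def theorem1_conditions(T):
    """Truth values of (33)-(36) for T."""
    U, S, I = field(T), converse_relation(T), identity_set(T)
    c33 = all(any((a, b) in S for b in U) for a in U)
    c34 = all(any((i, a, a) in T for i in I) for a in U)
    c35 = c36 = True
    # Every pair Txyz, Tzab must be completable: (36) needs some Txcb,
    # (35) needs a c that also satisfies Tyac.
    for (x, y, z) in T:
        for (z2, a, b) in T:
            if z2 != z:
                continue
            c36 = c36 and any((x, c, b) in T for c in U)
            c35 = c35 and any((x, c, b) in T and (y, a, c) in T for c in U)
    return {33: c33, 34: c34, 35: c35, 36: c36}


def classify(T):
    """The class Theorem 1 assigns to Cm(T); WA via (37)/(38) is not tested."""
    c = theorem1_conditions(T)
    if not (c[33] and c[34]):
        return "not NA"
    if c[35]:
        return "RA"
    if c[36]:
        return "SA"
    return "NA"


def group_relation(elements, op):
    """Group multiplication as a ternary relation {<x, y, x o y>}, as in Section 4."""
    return frozenset((x, y, op(x, y)) for x, y in product(elements, repeat=2))


def square_relation(U):
    """T for the square relation algebra Re(U): triples <<a,b>,<b,c>,<a,c>>."""
    return frozenset(((a, b), (b, c), (a, c)) for a, b, c in product(U, repeat=3))


# Constructed samples (this example's own names).
Z3 = group_relation(range(3), lambda x, y: (x + y) % 3)   # Z_3 under + mod 3
RE2 = square_relation({0, 1})                              # Re({0, 1})
NO_CONVERSE = frozenset({("a", "a", "b")})                 # (33) fails here

if __name__ == "__main__":
    for name, T in [("Z3", Z3), ("Re(2)", RE2), ("no converse", NO_CONVERSE)]:
        print(name, classify(T), theorem1_conditions(T))
    print(sorted(compose(Z3, {1}, {2})), sorted(converse(Z3, {1})), sorted(identity_set(Z3)))
```

Running it reports RA for both Z3 and RE2 and "not NA" for NO_CONVERSE, whose single atom a has no b with aSb. In Z3 the converse of {1} is {2}, the identity set is {0}, and {1};{2} = {0}, which is what the representation σ of a group complex algebra predicts.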

5 Cycle Structures of Algebras Without 3-Cycles

Let A ∈ RA. Define binary relations →, ⇒, and ⇔, on diversity atoms x, y ∈ AtA as follows:

1. x → y iff x ≠ y and x ≤ y;y,
2. x ⇒ y iff x = y or x → y,
3. x ⇔ y iff x ⇒ y and y ⇒ x.

For every diversity atom x, let

$[x] = \{y : 0' \ge y \in \mathrm{At}A,\ x \Leftrightarrow y\}$,
$D = \{[x] : 0' \ge x \in \mathrm{At}A\}$,
$[\Rightarrow] = \{\langle [x], [y]\rangle : 0' \ge x, y \in \mathrm{At}A,\ x \Rightarrow y\}$.

The following theorem includes some elementary facts about cycle structures of finite symmetric integral relation algebras, noticed by those attempting to enumerate small finite relation algebras, such as Lyndon [17, fn. 13], Backer [18], McKenzie [19], Wostner [20], Maddux [7,21], Comer [22,23], Jipsen [24], Jipsen-Lukács [25,26], and Andréka-Maddux [27], and explicitly mentioned in at least Jipsen [1, Th. 1] and Tuza [3, Th. 2.1].

Theorem 2. Assume A ∈ RA, A is symmetric, atomic, integral, and has no 3-cycles. Then, for all diversity atoms x, y, z ∈ AtA ∼ {1'}, we have

1. if x → y, y → z, and x ≠ z, then x → z,
2. ⇒ is reflexive and transitive,
3. either x ⇒ y or y ⇒ x,
4. ⇔ is an equivalence relation,
5. [⇒] is a linear ordering of D.

Proof. For part 1, assume x → y, y → z, and x ≠ z. Then x ≠ y, x ≤ y;y, y ≠ z, and y ≤ z;z. Note that y · z = 0 because y and z are distinct atoms and y;z ≤ y + z because A has no 3-cycles. Hence

x ≤ y;y (x → y)
  ≤ y;(z;z) (y → z)
  = (y;z);z (R4)
  ≤ (y + z);z
  = y;z + z;z (R5)
  ≤ y + z + z;z,

but x · y = 0 = x · z, so x ≤ z;z. From this and x ≠ z we get x → z.

Part 2 is trivial.

For part 3, first note that if x = y then both y ⇒ x and x ⇒ y, so we may assume x ≠ y. Then x · y = 0 since distinct atoms are disjoint and x;y ≤ x + y since A has no 3-cycles. We must therefore have either x;y · x ≠ 0 or x;y · y ≠ 0, since otherwise we would have x;y = 0, which implies since A is integral that either x = 0 or y = 0, contrary to the assumption that x and y are (nonzero) atoms. If x;y · x ≠ 0, then x̆;x · y ≠ 0 by the cycle law, hence y ≤ x̆;x = x;x by symmetry and y ∈ AtA. In this case, y → x. On the other hand, if x;y · y ≠ 0 then x ≤ y;y and x → y.

For part 4, notice that the relation ⇔ is transitive and reflexive by its definition and part 1, and that ⇔ is symmetric just by its definition.

Part 5 follows from parts 3 and 4. □

Assume A ∈ RA and A is symmetric, integral, and finite. By Th. 2, D is linearly ordered by ⇒. D is finite since A is finite. Let n = |D|. We may choose representatives $a_1, \ldots, a_n \in \mathrm{At}A$ from the equivalence classes of diversity atoms so that

$a_1 \to a_2 \to a_3 \to \cdots \to a_{n-2} \to a_{n-1} \to a_n$,
$[a_1] \cup \cdots \cup [a_n] = \mathrm{At}A \sim \{1'\}$.

For each i ∈ {1, …, n}, let $s_i$ be the number of atoms in $[a_i]$ that appear in a 1-cycle of A, and let $t_i$ be the number of atoms in $[a_i]$ that do not appear in a 1-cycle of A, i.e.,

$s_i = |[a_i] \cap \{a : a \le a;a\}|$, (40)
$t_i = |[a_i] \cap \{a : 0 = a \cdot a;a\}|$. (41)

We refer to these numbers as the cycle parameters of A, and define

$\mathrm{Cp}(A) := \begin{pmatrix} s_1 & \cdots & s_n \\ t_1 & \cdots & t_n \end{pmatrix}$.

Notice that $\sum_{i=1}^{n} t_i$ is the number of 1-cycles other than [1', 1', 1'], and the number of diversity atoms of A is $\sum_{i=1}^{n} (s_i + t_i)$. In case A has no diversity atoms, we set $\mathrm{Cp}(A) := \begin{pmatrix} 0 \\ 0 \end{pmatrix}$.

Two basic observations, included in the following theorem, are that the isomorphism type of A is determined by Cp(A), and that (almost) any two sequences of nonnegative integers with the same length determine a finite symmetric integral relation algebra with no 3-cycles.

Theorem 3.

1. If A and B are finite symmetric integral relation algebras with no 3-cycles and Cp(A) = Cp(B) then A ≅ B.
2. If n ∈ ω, $s_1, \ldots, s_n \in \omega$, $t_1, \ldots, t_n \in \omega$, and $0 < s_1 + t_1, \ldots, s_n + t_n$, then there is some finite symmetric integral relation algebra A with no 3-cycles such that

$\mathrm{Cp}(A) = \begin{pmatrix} s_1 & \cdots & s_n \\ t_1 & \cdots & t_n \end{pmatrix}$.

6 2-Cycle Products of Algebras

Next we describe a special kind of product A[B] of two finite algebras A, B ∈ NA in which the identity element is an atom and both algebras have at least one diversity atom. Since we only need to describe this product up to isomorphism, we make the convenient assumption that 1' is the same atom in both A and B, and that otherwise the sets of atoms of these algebras are disjoint, that is, {1'} = AtA ∩ AtB. We may then define the 2-cycle product A[B] of A and B as the complex algebra of the ternary relation T, where

$$T := \mathrm{Cy}(A) \cup \mathrm{Cy}(B) \cup \{[a, b, b] : a \in \mathrm{At}A \sim \{1'\},\ b \in \mathrm{At}B \sim \{1'\}\}. \qquad (42)$$

(The name comes from the symmetric case, in which the cycles added to those of A and B are all 2-cycles.) Comer [2] proved that A[B] ∈ RRA iff A, B ∈ RRA, and A[B] ∈ GRA iff A, B ∈ GRA. This is proved below, but first we note the connection between this operation and the cycle parameters introduced above.

Theorem 4. Assume A, B ∈ NA, A and B are finite, 1' ∈ AtA, 1' ∈ AtB, {1'} = AtA ∩ AtB, AtA ∼ {1'} ≠ ∅ ≠ AtB ∼ {1'}, and A[B] := Cm(T) where T is defined in (42). If A and B are symmetric, have no 3-cycles, and

$$\mathrm{Cp}(A) = \begin{pmatrix} s_1 & \cdots & s_n \\ t_1 & \cdots & t_n \end{pmatrix}, \qquad \mathrm{Cp}(B) = \begin{pmatrix} s'_1 & \cdots & s'_n \\ t'_1 & \cdots & t'_n \end{pmatrix},$$

where 0 < s_1 + t_1, ..., s_n + t_n, s'_1 + t'_1, ..., s'_n + t'_n, then

$$\mathrm{Cp}(A[B]) = \begin{pmatrix} s_1 & \cdots & s_n & s'_1 & \cdots & s'_n \\ t_1 & \cdots & t_n & t'_1 & \cdots & t'_n \end{pmatrix}.$$
Next is the part of Comer's theorem that we need later.

Theorem 5 (Comer [2]). Suppose A, B ∈ NA, A and B are finite, 1' ∈ AtA, 1' ∈ AtB, {1'} = AtA ∩ AtB, and AtA ∼ {1'} ≠ ∅ ≠ AtB ∼ {1'}.
1. If σ is a square representation of A on U and τ is a square representation of B on V, then there is a square representation ϕ of A[B] on U × V such that, for all a ∈ AtA ∼ {1'} and all b ∈ AtB ∼ {1'},

$$\begin{aligned}
\phi(1') &= \{\langle\langle u_0, v_0\rangle, \langle u_1, v_1\rangle\rangle : u_0 = u_1,\ v_0 = v_1\},\\
\phi(a) &= \{\langle\langle u_0, v_0\rangle, \langle u_1, v_1\rangle\rangle : \langle u_0, u_1\rangle \in \sigma(a),\ v_0 = v_1\},\\
\phi(b) &= \{\langle\langle u_0, v_0\rangle, \langle u_1, v_1\rangle\rangle : \langle v_0, v_1\rangle \in \tau(b)\}.
\end{aligned}$$

2. If G and H are groups with identity elements e_G and e_H, respectively, σ is an embedding of A into Cm(G), and τ is an embedding of B into Cm(H), then there is an embedding ϕ of A[B] into Cm(G × H) such that, for all a ∈ AtA ∼ {1'} and all b ∈ AtB ∼ {1'},

$$\begin{aligned}
\phi(1') &= \{\langle e_G, e_H\rangle\},\\
\phi(a) &= \sigma(a) \times \{e_H\},\\
\phi(b) &= G \times \tau(b).
\end{aligned}$$

Proof. The statement of part 1 describes the action of ϕ on the atoms of A[B]. What remains is to extend ϕ to all elements of A[B] by setting

$$\phi(x) = \bigcup_{x \ge c \in \mathrm{At}A[B]} \phi(c),$$

and check that the extended ϕ really is a square representation as claimed. Part 2 is handled similarly. ∎

The 2-cycle product can also be defined for linearly ordered sets of algebras. Suppose that A_i ∈ NA and A_i is atomic for every i ∈ I, that there is a single fixed element 1' which is the identity element and also an atom of A_i for every i ∈ I, that the sets of diversity atoms of algebras in {A_i : i ∈ I} are pairwise disjoint, and that < is a strict linear ordering of I. Let

$$T := \bigcup_{i \in I} \mathrm{Cy}(A_i) \cup \big\{[a_i, a_j, a_j] : i, j \in I,\ i < j,\ a_i \in \mathrm{At}A_i \sim \{1'\},\ a_j \in \mathrm{At}A_j \sim \{1'\}\big\}.$$

Then the 2-cycle product of the <-ordered system ⟨A_i : i ∈ I⟩ is Cm(T).

7 Algebras with Parameters $\begin{pmatrix} \alpha \\ 0 \end{pmatrix}$

The next theorem shows that A is group representable if Cp(A) is $\begin{pmatrix} 1 \\ 0 \end{pmatrix}, \begin{pmatrix} 2 \\ 0 \end{pmatrix}, \begin{pmatrix} 3 \\ 0 \end{pmatrix}, \begin{pmatrix} 4 \\ 0 \end{pmatrix}, \ldots$. The proof shows that A can be embedded in the complex algebra of an infinite group in every such case. As we shall see, A can be embedded in the complex algebra of a finite group in the first two cases, but not in any of the remaining cases.

Theorem 6. Assume A ∈ RA, A is complete, atomic, and Cp(A) = $\begin{pmatrix} \alpha \\ 0 \end{pmatrix}$ for some nonzero cardinal α > 0. Then A ∈ GRA.

Proof. Let Z = {..., −1, 0, 1, ...} be the integers and let ≤* be a lexicographical ordering of Z × α such that, for all a, b ∈ Z and all κ, λ < α, ⟨a, κ⟩ ≤* ⟨b, λ⟩ iff a < b or else a = b and κ ≤ λ. Also, ⟨a, κ⟩ <* ⟨b, λ⟩ iff ⟨a, κ⟩ ≤* ⟨b, λ⟩ and ⟨a, κ⟩ ≠ ⟨b, λ⟩. Let G be the set of functions f : Z × α → {0, 1} such that f(a, κ) = 0 for all but finitely many pairs ⟨a, κ⟩ ∈ Z × α. Let 0 be the function in G which maps every pair ⟨a, κ⟩ to 0. The functions in G form a group G under addition modulo 2: if f, g ∈ G then, for all ⟨a, κ⟩ ∈ Z × α, (f + g)(a, κ) = f(a, κ) +₂ g(a, κ), where +₂ is addition modulo 2. Thus G is isomorphic to the direct sum of Z × α copies of Z_2 (the cyclic group of order 2, with elements {0, 1} and operation +₂ of addition modulo 2). The cardinality of G is α if α ≥ ω and it is ω if α ≤ ω.
Suppose f ∈ G. Let supp(f) = {⟨a, κ⟩ : f(a, κ) = 1}. Note that supp(f) is finite, so if supp(f) is nonempty, then there is some pair ⟨a, κ⟩ ∈ supp(f) which is smallest with respect to the ordering ≤*. Let L(f) be this smallest pair. For every κ < α, let G_κ = {f : f ∈ G, L(f) = κ}. This yields a partition of G into the sets {0} and G_κ for κ < α. Note that L(f + g) = L(f) if L(f) ≤* L(g), and L(f + g) = L(g) if L(g) ≤* L(f).
We show next that the partition of G is the set of atoms of a subalgebra of Cm(G) isomorphic to A. First, {0} is the identity element in Cm(G) since

$$G_\kappa ; \{0\} = \{f + 0 : f \in G_\kappa\} = G_\kappa,$$

so we need only show, for distinct κ, λ < α, that

$$G_\kappa ; G_\lambda = G_\kappa \cup G_\lambda, \qquad (43)$$
$$G_\kappa ; G_\kappa = G. \qquad (44)$$

Suppose f ∈ G_κ, g ∈ G_λ, L(f) = ⟨a, κ⟩, and L(g) = ⟨b, λ⟩. Then L(f) ≠ L(g) since κ ≠ λ. If L(f) <* L(g), then L(f) = L(f + g), so f + g ∈ G_κ, and if L(g) <* L(f), then L(g) = L(f + g), so f + g ∈ G_λ. This shows G_κ;G_λ ⊆ G_κ ∪ G_λ.
To show G_κ ⊆ G_κ;G_λ when κ ≠ λ, suppose f ∈ G_κ and L(f) = ⟨a, κ⟩. Let g be the function in G whose output is 0 at every value with one exception, namely g(a + 1, λ) = 1. Let h = f + g. Clearly g ∈ G_λ. Also, L(h) = L(f + g) = L(f) since L(f) = ⟨a, κ⟩ <* ⟨a + 1, λ⟩ = L(g), so h ∈ G_κ. Finally, g + h = g + (f + g) = f. Similarly, G_λ ⊆ G_κ;G_λ. This completes the proof of (43).
To show G ⊆ G_κ;G_κ, consider any g ∈ G with L(g) = ⟨a, λ⟩. Let f be the function in G whose output is 0 at every value with one exception, namely f(a − 1, κ) = 1. Let h = g + f. Then f ∈ G_κ, L(h) = L(g + f) = L(f) since ⟨a − 1, κ⟩ = L(f) <* L(g) = ⟨a, λ⟩, hence h ∈ G_κ, and g = f + h. ∎

14 R.D. Maddux

There is exactly one relation algebra with a single atom. In the numbering system
,
of [8], this is the algebra 11 . Its sole atom is 1 . It has a single cycle, the identity
, , ,
cycle [1 , 1 , 1 ]. The cycle parameters of this algebra are

0
Cp(11 ) = .
0

The algebra 11 is group representable. In fact, it is isomorphic to the complex


algebra Cm (Z1 ) of the one-element group Z1 :

11 ∼
= Cm (Z1 ).

The two relation algebras with two atoms are called 12 and 22 in the numbering
, , , , , ,
system of [8]. The cycles of 12 are just the identity cycles [1 , 1 , 1 ] and [1 , 0 , 0 ],
, , , , , ,
while the cycles of 22 are the identity cycles [1 , 1 , 1 ], [1 , 0 , 0 ], and also the
, , ,
diversity cycle [0 , 0 , 0 ]. The multiplication tables for the atoms of these two
algebras are
, , , ,
12 1 0 22 1 0
, , , , , ,
1 1 0 1 1 0
, , , , , , ,
0 0 1 0 0 10

The second table illustrates our notational convention of omitting + signs and
avoiding abbreviations by listing all the atoms in a given product, so that, for
, , , ,
example, we put “1 0 ” instead of “1 + 0 ” or simply “1”. This notational con-
vention is followed in the tables below. The cycle parameters of 12 and 22 are

0 1
Cp(12 ) = , Cp(22 ) = .
1 0

The algebras 12 and 22 are group representable. In fact, 12 is already the complex
algebra of a group since 12 ∼ = Cm (Z2 ). Thus 12 has a square representation
on a 2-element set, but it does not have a square representation on a set of
any other cardinality. Th. 6 applies to 22 , but we may also embed 22 into the
complex algebra of the cyclic group Zn of order n ≥ 3 (whose elements are
{0, 1, 2, . . . , n − 1} and whose operation is +n , addition modulo n) by mapping
, ,
1 to {0} and 0 to {1, 2, . . . , n − 1}. Thus, using “∼=|⊆” to mean, “is isomorphic
to a subalgebra of”, we have

22 ∼
=|⊆ Cm (Zn ) for all n ≥ 3.

Thus 22 has square representations on sets of every cardinality from 3 on up.


There are seven symmetric integral relation algebras with exactly three atoms. The three atoms are 1', a, and b, and the algebras are 1_7–7_7 in the notational system of [8]. The cycles of these seven algebras are given in the following table (in which we write, for example, simply "aaa" instead of "[a, a, a]"):

       1'1'1'  1'aa  1'bb  aaa  bbb  abb  baa
1_7    1'1'1'  1'aa  1'bb  ···  ···  abb  ···
2_7    1'1'1'  1'aa  1'bb  aaa  ···  abb  ···
3_7    1'1'1'  1'aa  1'bb  ···  bbb  abb  ···
4_7    1'1'1'  1'aa  1'bb  aaa  bbb  abb  ···
5_7    1'1'1'  1'aa  1'bb  ···  ···  abb  baa
6_7    1'1'1'  1'aa  1'bb  aaa  ···  abb  baa
7_7    1'1'1'  1'aa  1'bb  aaa  bbb  abb  baa

Here are the multiplication tables for the atoms of the seven algebras 1_7–7_7.

1_7   1'    a     b         2_7   1'    a     b         3_7   1'    a     b         4_7   1'    a     b
1'    1'    a     b         1'    1'    a     b         1'    1'    a     b         1'    1'    a     b
a     a     1'    b         a     a     1'a   b         a     a     1'    b         a     a     1'a   b
b     b     b     1'a       b     b     b     1'a       b     b     b     1'ab      b     b     b     1'ab

5_7   1'    a     b         6_7   1'    a     b         7_7   1'    a     b
1'    1'    a     b         1'    1'    a     b         1'    1'    a     b
a     a     1'b   ab        a     a     1'ab  ab        a     a     1'ab  ab
b     b     ab    1'a       b     b     ab    1'a       b     b     ab    1'ab

The cycle parameters of algebras 1_7–7_7 are

$$\mathrm{Cp}(1_7) = \begin{pmatrix} 0 & 0 \\ 1 & 1 \end{pmatrix}, \quad \mathrm{Cp}(2_7) = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \mathrm{Cp}(3_7) = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \mathrm{Cp}(4_7) = \begin{pmatrix} 1 & 1 \\ 0 & 0 \end{pmatrix},$$
$$\mathrm{Cp}(5_7) = \begin{pmatrix} 0 \\ 2 \end{pmatrix}, \quad \mathrm{Cp}(6_7) = \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad \mathrm{Cp}(7_7) = \begin{pmatrix} 2 \\ 0 \end{pmatrix}.$$
From Th. 4 and Th. 5 we get

$$\begin{aligned}
1_7 &\cong|\subseteq \mathrm{Cm}(Z_2^2),\\
2_7 &\cong|\subseteq \mathrm{Cm}(Z_3 \times Z_2) \cong \mathrm{Cm}(Z_6),\\
3_7 &\cong|\subseteq \mathrm{Cm}(Z_2 \times Z_3) \cong \mathrm{Cm}(Z_6),\\
4_7 &\cong|\subseteq \mathrm{Cm}(Z_3^2).
\end{aligned}$$

Next we show that 5_7, 6_7, and 7_7 can be embedded in the complex algebras of the finite groups Z_5, Z_8, and Z_3^2, respectively. We have 5_7 ≅|⊆ Cm(Z_5) via ρ if

$$\begin{aligned}
\rho(1') &= \{\langle i, i\rangle : i \in 5\},\\
\rho(a) &= \{\langle i, i +_5 j\rangle : i \in 5,\ j \in \{1, 4\}\},\\
\rho(b) &= \{\langle i, i +_5 j\rangle : i \in 5,\ j \in \{2, 3\}\},
\end{aligned}$$

6_7 ≅|⊆ Cm(Z_8) via ρ if

$$\begin{aligned}
\rho(1') &= \{\langle i, i\rangle : i \in 8\},\\
\rho(a) &= \{\langle i, i +_8 j\rangle : i \in 8,\ j \in \{2, 3, 5, 6\}\},\\
\rho(b) &= \{\langle i, i +_8 j\rangle : i \in 8,\ j \in \{1, 4, 7\}\},
\end{aligned}$$

and 7_7 ≅|⊆ Cm(Z_3^2) via ρ if

$$\begin{aligned}
\rho(1') &= \{\langle\langle i, j\rangle, \langle i, j\rangle\rangle : i \in 3,\ j \in 3\},\\
\rho(a) &= \{\langle\langle i, j\rangle, \langle i +_3 k, j\rangle\rangle : i, j \in 3,\ k \in \{1, 2\}\} \cup \{\langle\langle i, j\rangle, \langle i, j +_3 k\rangle\rangle : i, j \in 3,\ k \in \{1, 2\}\},\\
\rho(b) &= 9^2 \sim \rho(a) \sim \rho(1').
\end{aligned}$$
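The representations ρ just given can be checked mechanically, because in Cm(Z_n) the relative product of two subsets is their sumset and converse is negation. The following added example (not code from the paper) builds the atom table of the subalgebra of Cm(Z_n) spanned by {0} and a negation-closed partition of Z_n ∼ {0}, prints it in the paper's notation, and recovers the cycle structure; the inputs for 5_7 and 6_7 are the ρ maps above, while the function names (atom_table, cycles, render, check_partition) are constructed here.

```python
"""Atom tables of subalgebras of Cm(Z_n) spanned by a partition of Z_n.

Added example (not from the paper).  In Cm(Z_n) the relative product of
two subsets X, Y is the sumset {x + y mod n}, converse is negation, and
the identity element is {0}.  A partition of Z_n ~ {0} into classes that
are each closed under negation therefore yields a symmetric integral
subalgebra whose atoms are {0} (the atom 1') and the classes.
"""
from itertools import product


def sumset(x, y, n):
    """Relative product X;Y in Cm(Z_n): the sumset of X and Y modulo n."""
    return {(u + v) % n for u in x for v in y}


def check_partition(n, classes):
    """Raise ValueError unless the classes (sets) partition Z_n ~ {0} and
    each class is closed under negation, so that every atom is symmetric."""
    seen = set()
    for name, cls in classes.items():
        if not cls or cls & seen or any(e % n == 0 for e in cls):
            raise ValueError("class %s is empty, overlaps, or contains 0" % name)
        if {(-e) % n for e in cls} != set(cls):
            raise ValueError("class %s is not closed under negation" % name)
        seen |= cls
    if seen != set(range(1, n)):
        raise ValueError("classes do not cover Z_%d ~ {0}" % n)


def atom_table(n, classes):
    """Multiplication table of the atoms {1'} ∪ classes, in the paper's
    notation: table[(x, y)] is the set of atom names contained in x;y."""
    check_partition(n, classes)
    atoms = {"1'": {0}}
    atoms.update(classes)
    table = {}
    for x, y in product(atoms, repeat=2):
        s = sumset(atoms[x], atoms[y], n)
        # an atom z lies below x;y exactly when z meets the sumset
        table[(x, y)] = frozenset(z for z in atoms if atoms[z] & s)
    return table


def cycle_name(x, y, z):
    """Name a cycle as the paper's tables do: the odd atom first, then the
    pair ('baa' for [b, a, a], '1'aa' for [1', a, a]); else sorted."""
    for single in (x, y, z):
        pair = [e for e in (x, y, z) if e != single]
        if len(pair) == 2 and pair[0] == pair[1]:
            return single + pair[0] + pair[1]
    return "".join(sorted((x, y, z)))


def cycles(table):
    """Cycle structure of the algebra: [x, y, z] is a cycle iff z ≤ x;y.
    The identity cycles [1', x, x] are included."""
    return {cycle_name(x, y, z) for (x, y), prod in table.items() for z in prod}


def render(name, table, order):
    """Format the table the way the paper prints it (atoms listed, no +)."""
    lines = [name.ljust(6) + "".join(a.ljust(6) for a in order)]
    for x in order:
        row = ["".join(sorted(table[(x, y)], key=order.index)) for y in order]
        lines.append(x.ljust(6) + "".join(c.ljust(6) for c in row))
    return "\n".join(lines)


if __name__ == "__main__":
    # 5_7 via rho: a = {1, 4}, b = {2, 3} in Z_5 (the map given above)
    t57 = atom_table(5, {"a": {1, 4}, "b": {2, 3}})
    print(render("5_7", t57, ["1'", "a", "b"]))
    print(sorted(cycles(t57)))
    # 6_7 via rho: a = {2, 3, 5, 6}, b = {1, 4, 7} in Z_8 (the map given above)
    t67 = atom_table(8, {"a": {2, 3, 5, 6}, "b": {1, 4, 7}})
    print(render("6_7", t67, ["1'", "a", "b"]))
    print(sorted(cycles(t67)))
```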

All these representations of algebras 1_1–7_7 have been known to many mathematicians, beginning with Lyndon [17]. (However, the representations of 6_7 and 7_7 given in Tuza [3, p. 680] are incorrect.) We have supplemented Th. 6 by showing that A is embeddable in the complex algebra of a finite group whenever the cycle parameters of A are $\begin{pmatrix} 0 \\ 0 \end{pmatrix}$, $\begin{pmatrix} 1 \\ 0 \end{pmatrix}$, or $\begin{pmatrix} 2 \\ 0 \end{pmatrix}$. On the other hand, Th. 7 below shows that A has no square representation (and no representation) on a finite set if n ≥ 3 and Cp(A) = $\begin{pmatrix} n \\ 0 \end{pmatrix}$. This was first proved in [21, pp. 65–66] (see [8, Th. 453] or Tuza [3, Th. 2.3]), and is generalized here to cover weak representations of a larger class of (not necessarily atomic) algebras.
Theorem 7. Let A ∈ NA. Suppose there are distinct nonzero elements a, b, c ∈ A such that

$$\begin{aligned}
0 &= a \cdot 1' = b \cdot 1' = c \cdot 1', && (45)\\
c;b \cdot a;b &\le b \le c;\breve{c}, && (46)\\
a;c \cdot b;c &\le c \le a;\breve{a}, && (47)\\
b;a \cdot c;a &\le a \le b;\breve{b}. && (48)
\end{aligned}$$

Then every weak representation of A must have an infinite base set.

Proof. Suppose ρ is a weak representation with base set U = Fd(E). Then ρ(a) ≠ ∅ since ∅ = ρ(0), a ≠ 0, and ρ is one-to-one. Consequently we may choose some v, w ∈ U such that ⟨v, w⟩ ∈ ρ(a). If v = w then ⟨v, w⟩ ∈ Id ∩ E = ρ(1'), so ⟨v, w⟩ ∈ ρ(1') ∩ ρ(a) = ρ(1' · a) = ρ(0) = ∅, a contradiction. Hence v ≠ w. Let V_1 = {v}. Then w ∉ V_1 and

$$V_1 \times \{w\} \subseteq \rho(a). \qquad (49)$$

Next, from our assumption that a ≤ b;b̆ we conclude that ⟨v, w⟩ ∈ ρ(a) ⊆ ρ(b)|(ρ(b))^{-1}, so there is some x ∈ U such that ⟨v, x⟩ ∈ ρ(b) and ⟨w, x⟩ ∈ ρ(b). We therefore have v ≠ x and w ≠ x since b · 1' = 0, and

$$(V_1 \cup \{w\}) \times \{x\} \subseteq \rho(b). \qquad (50)$$

Note that |V_1| = 1. Assume that we have constructed a set V_i ⊆ U such that |V_i| = i ≥ 1 and that we have found distinct elements w, x ∈ U ∼ V_i such that

$$V_i \times \{w\} \subseteq \rho(a), \qquad (51)$$
$$(V_i \cup \{w\}) \times \{x\} \subseteq \rho(b). \qquad (52)$$

From (52) and the assumption that b ≤ c;c̆, we get ⟨w, x⟩ ∈ ρ(b) ⊆ ρ(c)|(ρ(c))^{-1}, so there is some y ∈ U such that ⟨w, y⟩ ∈ ρ(c) and ⟨x, y⟩ ∈ ρ(c). Note that w ≠ y and x ≠ y since c · 1' = 0. For every v ∈ V_i, we have ⟨v, w⟩ ∈ ρ(a) by (51) and ⟨v, x⟩ ∈ ρ(b) by (52), so

$$\langle v, y\rangle \in \rho(a)|\rho(c) \cap \rho(b)|\rho(c) = \rho(a;c \cdot b;c).$$

By the assumption that a;c · b;c ≤ c, this gives us ⟨v, y⟩ ∈ ρ(c), hence v ≠ y since c · 1' = 0. We have therefore proved that y ∉ V_i and

$$(V_i \cup \{w, x\}) \times \{y\} \subseteq \rho(c). \qquad (53)$$

Letting V_{i+1} = V_i ∪ {w}, we have |V_{i+1}| = |V_i| + 1 = i + 1, x, y ∈ U ∼ V_{i+1}, x ≠ y, and we may restate (52) and (53) as

$$V_{i+1} \times \{x\} \subseteq \rho(b), \qquad (54)$$
$$(V_{i+1} \cup \{x\}) \times \{y\} \subseteq \rho(c). \qquad (55)$$

By a similar argument, starting from (54) and (55) and using the assumptions c ≤ a;ă, b;a · c;a ≤ a, and a · 1' = 0, we conclude that there is some z ∈ U ∼ (V_{i+1} ∪ {x, y}) such that

$$(V_{i+1} \cup \{x, y\}) \times \{z\} \subseteq \rho(a). \qquad (56)$$

Let V_{i+2} = V_{i+1} ∪ {x}. Then |V_{i+2}| = i + 2, y, z ∈ U ∼ V_{i+2}, y ≠ z, and from (55) and (56) we have

$$V_{i+2} \times \{y\} \subseteq \rho(c), \qquad (57)$$
$$(V_{i+2} \cup \{y\}) \times \{z\} \subseteq \rho(a). \qquad (58)$$

By repeating the argument once more, using assumptions a ≤ b;b̆, c;b · a;b ≤ b, and a · 1' = 0, we conclude that there is some u ∈ U ∼ V_{i+2} such that if V_{i+3} = V_{i+2} ∪ {y} then z, u ∈ U ∼ V_{i+3}, z ≠ u, and

$$V_{i+3} \times \{z\} \subseteq \rho(a), \qquad (59)$$
$$(V_{i+3} \cup \{z\}) \times \{u\} \subseteq \rho(b). \qquad (60)$$

We have now completed a cycle consisting of three similar steps and have used all the assumptions. Starting from (51) and (52), we found that there are three distinct y, z, u ∈ U ∼ V_i such that (59) and (60) hold with V_{i+3} = V_i ∪ {y, z, u} and |V_{i+3}| = i + 3. This cycle may be repeated indefinitely, so it follows that U must be infinite. ∎

8 A Subvariety of RA

In this section we define a variety whose finite algebras are symmetric integral relation algebras with no 3-cycles.

Theorem 8. Let A ∈ NA. Then A satisfies all or none of the following conditions.

$$x;(\bar{x} \cdot y) \le x + y, \qquad (61)$$
$$x;y \le x;(x \cdot y) + x + y, \qquad (62)$$
$$x \cdot y = 0 \implies x;y \le x + y. \qquad (63)$$

Proof. Assume A satisfies (61). We show that A also satisfies (62). By elementary laws from the theory of Boolean algebras we have

$$x;y = x;(x \cdot y + \bar{x} \cdot y).$$

By applying left ;-distributivity, which is easily derived from axioms R_5, R_7–R_9, we obtain

$$x;y = x;(x \cdot y) + x;(\bar{x} \cdot y).$$

To this we apply (61) and some elementary Boolean algebraic laws to get

$$x;y \le x;(x \cdot y) + x + y,$$

as desired. Next we assume A satisfies (62) and show that A also satisfies (63). Assume x · y = 0. Then

$$\begin{aligned}
x;y &\le x;(x \cdot y) + x + y && (62)\\
&= x;0 + x + y && \text{hypothesis}\\
&= x + y && (10)
\end{aligned}$$

Finally, we assume A satisfies (63) and show that A satisfies (61). By Boolean algebra we have x · x̄ · y = 0, so from (63) we obtain

$$x;(\bar{x} \cdot y) \le x + \bar{x} \cdot y.$$

But the absorption law of Boolean algebra states that x + x̄ · y = x + y, so we have

$$x;(\bar{x} \cdot y) \le x + y,$$

as desired. ∎

Following Jipsen [1], we say an algebra A ∈ NA is subadditive if it satisfies any (or all) of the conditions (61)–(63). Let V be the variety generated by the symmetric subadditive integral relation algebras. We proceed to obtain an equational basis for V.

Theorem 9. Assume A ∈ SA and A satisfies

$$(x \cdot 1');1;(y \cdot 1') = (x \cdot y \cdot 1');1;(x \cdot y \cdot 1'). \qquad (64)$$

Then A is trivial or is a subdirect product of integral algebras in SA.

Proof. Suppose A is nontrivial. By Birkhoff's Theorem [28], A is a subdirect product of a system ⟨B_i : i ∈ I⟩, where each B_i ∈ SA is a subdirectly indecomposable homomorphic image of A that satisfies (64) because A does so. Every subdirectly indecomposable algebra in SA is simple (see [8, Th. 386]). Thus, for every i ∈ I, B_i is a simple homomorphic image of A that satisfies (64). A simple algebra in SA is integral iff 1' is an atom (see [8, Th. 353]). Therefore, if B_i is not integral, there must be some x, y ∈ B_i such that x · 1' ≠ 0, y · 1' ≠ 0, and x · y = 0. In a simple SA, u ≠ 0 iff 1;u;1 = 1 (see [8, Th. 379]), so, by the simplicity of B_i, we have

$$1 = 1;(x \cdot 1');1, \qquad 1 = 1;(y \cdot 1');1. \qquad (65)$$

Many special cases of the associative law hold in every SA (see [29, Th. 25] or [8, Th. 365]). Associativity may be freely applied to any relative product in which one of the factors is 1. We therefore get

$$\begin{aligned}
1 &= 1;1\\
&= (1;(x \cdot 1');1);(1;(y \cdot 1');1) && (65)\\
&= 1;((x \cdot 1');1;(y \cdot 1'));1 && \text{semiassociativity}\\
&= 1;((x \cdot y \cdot 1');1;(x \cdot y \cdot 1'));1 && (64)\\
&= 1;(0;1;0);1 && x \cdot y = 0\\
&= 0,
\end{aligned}$$

contradicting the simplicity of B_i (simple algebras have at least two elements). It follows that B_i is actually integral. ∎

Corollary 1. The subvariety of SA generated by the integral algebras in SA has the following equational basis: R_1–R_3, (15), R_5–R_10, (64).

Proof. If an algebra satisfies the equations, then by Th. 9 it is in the variety generated by the integral algebras in SA. For the converse, suppose A ∈ SA is integral. Then 1' is an atom of A, so for all x, y ∈ A, either x · 1' = 0 or x · 1' = 1', and either y · 1' = 0 or y · 1' = 1'. In all these cases, (64) is satisfied. ∎

Corollary 2. V has the following equational basis: R_1–R_10, (12), (62), (64).

9 Classifying Finite Algebras

Now we take up the problem of classifying finite algebras in V. The next theorem says that several otherwise distinct classes coincide on finite algebras in V. A finite algebra A ∈ V is the direct product of finite simple algebras in V, each of which is integral and has no 3-cycles because of subadditivity. The next theorem shows that such an algebra is either very representable (in GRA) or very non-representable (not in RA_5). The equivalence of (b) and (f) in part 1 appears in Tuza [3, Th. 2.2], while part 2 is in Tuza [3, Th. 2.3].

Theorem 10. Let A be a finite symmetric integral RA with no 3-cycles. Suppose

$$\mathrm{Cp}(A) = \begin{pmatrix} s_1 & \cdots & s_n \\ t_1 & \cdots & t_n \end{pmatrix}.$$

1. The following statements are equivalent:
(a) A ∈ GRA,
(b) A ∈ RRA,
(c) A ∈ wRRA,
(d) A ∈ RA_5,
(e) A satisfies (28),
(f) for every i ∈ {1, ..., n}, if t_i > 0 then s_i + t_i ≤ 2.
2. If (a)–(f) hold, then the following statements are equivalent:
(g) A is representable over a finite set,
(h) for every i ∈ {1, ..., n}, if s_i = 0 then t_i ≤ 2.

Proof. Part 1: (a) implies (b) by (39).
(b) implies (c) since RRA ⊆ wRRA (every representation is a weak representation).
(b) also implies (d) by (27). To prove that RRA ⊆ RA_5, the key step is to check that if E is an equivalence relation, then B_5 Sb(E) is a 5-dimensional relational basis for Sb(E).
(c) and (d) imply part (e), and the proofs are closely related. First, one should check that (28) holds in every equivalence relation algebra Sb(E). If (c) holds then A has a weak representation mapping A into some Sb(E). A weak representation preserves all the operations involved in (28), so (28) holds in A. If (d) holds then A is a subalgebra of a complete atomic algebra that has a 5-dimensional basis. The proof that (28) holds in every RRA can be translated into a proof that (28) holds in every algebra with a 5-dimensional relational basis. For details, see [8, Th. 341].
To show that (e) implies (f), assume that (f) fails, that is, there is some i ∈ {1, ..., n} such that t_i > 0 and s_i + t_i ≥ 3. These hypotheses imply there are distinct diversity atoms a, b, c ∈ AtA ∼ {1'} such that a · a;a = 0 and a ⇔ b ⇔ c. We will show that (28) fails when x_{01} = c, x_{02} = b, x_{03} = b, x_{32} = a, x_{21} = c, x_{24} = a, and x_{41} = a. First, we have b · b;a = b, c · a;a = c, and c · b;c = c since a → b, c → a, and b → c, so

$$x_{01} \cdot (x_{02} \cdot x_{03};x_{32});(x_{21} \cdot x_{24};x_{41}) = c \cdot (b \cdot b;a);(c \cdot a;a) = c \cdot b;c = c.$$

By subadditivity we have

$$b;c \cdot a;c \le (b + c) \cdot (a + c) = c,$$
$$c;a \cdot b;a \le (c + a) \cdot (b + a) = a,$$

so

$$\begin{aligned}
&x_{03};\big((x_{30};x_{01} \cdot x_{32};x_{21});x_{14} \cdot x_{32};x_{24} \cdot x_{30};(x_{01};x_{14} \cdot x_{02};x_{24})\big);x_{41}\\
&= b;\big((b;c \cdot a;c);a \cdot a;a \cdot b;(c;a \cdot b;a)\big);a\\
&\le b;\big(c;a \cdot a;a \cdot b;a\big);a\\
&\le b;\big(a \cdot a;a\big);a\\
&= b;0;a\\
&= 0.
\end{aligned}$$

Thus the left side of (28) evaluates to c, while the right side is 0. But c ≰ 0, so (28) fails. This shows that (e) implies (f).
Finally, we show that (f) implies (a). By Th. 4, A is the 2-cycle product of algebras B_i where Cp(B_i) = $\begin{pmatrix} s_i \\ t_i \end{pmatrix}$ for 1 ≤ i ≤ n. By (f), Cp(B_i) appears in the following list.

$$\begin{pmatrix} 0 \\ 0 \end{pmatrix}, \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \begin{pmatrix} 0 \\ 2 \end{pmatrix}, \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \begin{pmatrix} 2 \\ 0 \end{pmatrix}, \begin{pmatrix} 3 \\ 0 \end{pmatrix}, \begin{pmatrix} 4 \\ 0 \end{pmatrix}, \cdots \qquad (66)$$

From Th. 6 and the remarks that follow Th. 6 we know that B_i ∈ GRA for 1 ≤ i ≤ n. By Th. 5, we may conclude that A ∈ GRA.
For part 2, note that if Cp(B_i) is one of the first six cases in (66), then B_i can be embedded in the complex algebra of one of the finite groups Z_1, Z_2, Z_3, Z_5, Z_8, or Z_3^2, and hence B_i has a square representation on a set of cardinality 1, 2, 3, 5, 8, or 9. Since (h) rules out all but the first six cases of (66), it follows that (h) implies (g) whenever (a)–(f) hold. Finally, if (a)–(g) hold then by Th. 7 Cp(B_i) must be one of the first six cases in (66), i.e., (h) must also hold. ∎

Theorem 11. There is an algorithm for classifying each finite algebra in V as either in fRRA, in RRA ∼ fRRA, or in SA ∼ RA_5.

Proof. Let A be a finite algebra in V, specified by its cycle structure T = Cy(A) in the sense that Cm(T) ≅ A. Divide the atoms of A (the field of T) into equivalence classes with respect to the equivalence relation

$$E := \{\langle x, y\rangle : \exists z\,(z \in \mathrm{Fd}(T),\ \langle x, y, z\rangle \in T)\}.$$

(That E is an equivalence relation follows from A ∈ SA.) Then the complex algebra Cm(T) is isomorphic to the direct product of the complex algebras of the E-equivalence classes, each of which is a simple homomorphic image of A, i.e.,

$$\mathrm{Cm}(T) \cong \prod_{C \in \mathrm{Fd}(T)/E} \mathrm{Cm}\big(T \cap C^{2}\big). \qquad (67)$$

Each factor in (67) is integral by Th. 9 because it satisfies the equation (64), is symmetric by (12), and is subadditive by (62). Therefore each factor in (67) has no 3-cycles and it has a list of cycle parameters. Compute this list of parameters, and proceed as follows.
1. Provisionally classify A as representable on a finite set:

$$A \in \mathrm{fRRA}. \qquad (68)$$

In some order, check each column that appears in the list of cycle parameters of a factor in (67). There are two things to check, and they can be done in either order.
2. If the column indicates 3 or more atoms with all their 1-cycles, i.e., the column is one of these: $\begin{pmatrix} 3 \\ 0 \end{pmatrix}, \begin{pmatrix} 4 \\ 0 \end{pmatrix}, \ldots$, then the factor in (67) (and A itself) cannot have a representation on a finite set. Change the provisional classification of A to representable but not on finite sets,

$$A \in \mathrm{RRA} \sim \mathrm{fRRA}, \qquad (69)$$

and CONTINUE.
3. If the column indicates at least 3 atoms and at least one missing 1-cycle, i.e., it is one of

$$\begin{pmatrix} 2 \\ 1 \end{pmatrix}, \begin{pmatrix} 3 \\ 1 \end{pmatrix}, \begin{pmatrix} 4 \\ 1 \end{pmatrix}, \cdots, \quad \begin{pmatrix} 1 \\ 2 \end{pmatrix}, \begin{pmatrix} 2 \\ 2 \end{pmatrix}, \begin{pmatrix} 3 \\ 2 \end{pmatrix}, \cdots, \quad \begin{pmatrix} 0 \\ 3 \end{pmatrix}, \begin{pmatrix} 1 \\ 3 \end{pmatrix}, \begin{pmatrix} 2 \\ 3 \end{pmatrix}, \cdots,$$

then the factor in (67) does not satisfy (28), and A is not in RA_5 (nor in RRA, GRA, or wRRA). Change the classification of A to

$$A \in \mathrm{SA} \sim \mathrm{RA}_5, \qquad (70)$$

and STOP.
If no column summing to 3 or more is met, then (68) remains in force at the end. The algorithm stops and the classification of A is changed to (70) if (28) fails at some column. If that does not happen, then the ultimate classification is one of two types of representability. (68) holds unless a column is found that shifts the classification to (69). ∎
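The algorithm of Th. 11, preceded by the computation of cycle parameters from a cycle structure as defined in (40)–(41), as an added example that is not code from the paper. It takes one integral factor (its diversity atoms and its diversity cycles in the "abb" notation of the cycle tables), verifies the no-3-cycle and comparability hypotheses of Th. 2, builds the ⇔-classes in ⇒-order, and then runs steps 1–3 over the columns; for a direct product one concatenates the columns of its factors. The function names and the labels "fRRA", "RRA ~ fRRA" and "SA ~ RA5" are constructed here.

```python
"""Cycle parameters and the Th. 11 classification for finite symmetric
integral algebras with no 3-cycles.  Added example; not the paper's code.

A cycle structure is given by its diversity atoms and its diversity
cycles, written as in the tables: 'aaa' is the 1-cycle [a, a, a],
'abb' is [a, b, b] (so a ≤ b;b, i.e. a → b), 'baa' is [b, a, a].
The identity cycles [1', x, x] are present in every algebra and omitted.
"""
from itertools import combinations


def _key(x, y, z):
    """Canonical form of a cycle: the multiset of its three atoms."""
    return tuple(sorted((x, y, z)))


def _arrow(x, y, cyc):
    """x → y  iff  x ≠ y and x ≤ y;y, i.e. the cycle [x, y, y] is present."""
    return x != y and _key(x, y, y) in cyc


def cycle_parameters(atoms, cycles):
    """Return the columns (s_i, t_i) of Cp(A), ordered by ⇒ as in (40)-(41).

    Raises ValueError if a 3-cycle is present or if two atoms are
    incomparable under ⇒; Th. 2 rules both out for a symmetric integral
    RA without 3-cycles, so an error means the input is not such an algebra."""
    cyc = {_key(*c) for c in cycles}
    for c in cyc:
        if len(set(c)) == 3:
            raise ValueError("3-cycle present: %s" % "".join(c))
        if any(a not in atoms for a in c):
            raise ValueError("cycle %s uses an unknown atom" % "".join(c))
    for x, y in combinations(atoms, 2):
        if not (_arrow(x, y, cyc) or _arrow(y, x, cyc)):
            raise ValueError("%s and %s are incomparable under ⇒" % (x, y))
    # ⇔-classes: x ⇔ y iff x = y or both x → y and y → x
    classes = []
    for x in atoms:
        for cls in classes:
            r = cls[0]
            if _arrow(x, r, cyc) and _arrow(r, x, cyc):
                cls.append(x)
                break
        else:
            classes.append([x])
    # [⇒] is linear (Th. 2, part 5): rank a class by the number of classes below it
    reps = [cls[0] for cls in classes]
    rank = {r: sum(_arrow(q, r, cyc) for q in reps if q != r) for r in reps}
    if sorted(rank.values()) != list(range(len(reps))):
        raise ValueError("⇒ does not order the classes linearly")
    classes.sort(key=lambda cls: rank[cls[0]])
    columns = []
    for cls in classes:
        s = sum(1 for a in cls if _key(a, a, a) in cyc)  # atoms in a 1-cycle, (40)
        columns.append((s, len(cls) - s))                  # atoms in none, (41)
    return columns


def classify(columns):
    """Steps 1-3 of Th. 11 applied to the columns of all factors of A."""
    verdict = "fRRA"                              # (68), provisional
    for s, t in columns:
        if t == 0 and s >= 3:                     # step 2: (3;0), (4;0), ...
            verdict = "RRA ~ fRRA"                # (69), and CONTINUE
        elif t >= 1 and s + t >= 3:               # step 3: (28) fails
            return "SA ~ RA5"                     # (70), and STOP
    return verdict


if __name__ == "__main__":
    # constructed inputs, copied from the cycle tables for 9_65, 21_65, 24_65
    for name, cycles in [("9_65", ["abb", "baa", "acc", "bcc"]),
                         ("21_65", ["abb", "baa", "acc", "caa", "bcc", "cbb"]),
                         ("24_65", ["aaa", "bbb", "ccc", "abb", "baa",
                                    "acc", "caa", "bcc", "cbb"])]:
        cols = cycle_parameters("abc", cycles)
        print(name, cols, classify(cols))
```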


Now we apply the algorithm to the symmetric integral relation algebras that have no 3-cycles and either four or five atoms. (The data on finite algebras in this paper and in [8] have been checked or obtained with [30].) There are 65 symmetric integral relation algebras that have four atoms. They are the algebras 1_65–65_65 in the numbering system of [8]. The atoms of these algebras are 1', a, b, and c. The algebras in this set of 65 which have no 3-cycles are 1_65–24_65. Here are their cycles.

        aaa  bbb  ccc  abb  baa  acc  caa  bcc  cbb
1_65    ···  ···  ···  abb  ···  acc  ···  bcc  ···
2_65    aaa  ···  ···  abb  ···  acc  ···  bcc  ···
3_65    ···  bbb  ···  abb  ···  acc  ···  bcc  ···
4_65    aaa  bbb  ···  abb  ···  acc  ···  bcc  ···
5_65    ···  ···  ccc  abb  ···  acc  ···  bcc  ···
6_65    aaa  ···  ccc  abb  ···  acc  ···  bcc  ···
7_65    ···  bbb  ccc  abb  ···  acc  ···  bcc  ···
8_65    aaa  bbb  ccc  abb  ···  acc  ···  bcc  ···
9_65    ···  ···  ···  abb  baa  acc  ···  bcc  ···
10_65   aaa  ···  ···  abb  baa  acc  ···  bcc  ···
11_65   aaa  bbb  ···  abb  baa  acc  ···  bcc  ···
12_65   ···  ···  ccc  abb  baa  acc  ···  bcc  ···
13_65   aaa  ···  ccc  abb  baa  acc  ···  bcc  ···
14_65   aaa  bbb  ccc  abb  baa  acc  ···  bcc  ···
15_65   ···  ···  ···  ···  baa  acc  caa  bcc  ···
16_65   aaa  ···  ···  ···  baa  acc  caa  bcc  ···
17_65   ···  bbb  ···  ···  baa  acc  caa  bcc  ···
18_65   aaa  bbb  ···  ···  baa  acc  caa  bcc  ···
19_65   aaa  ···  ccc  ···  baa  acc  caa  bcc  ···
20_65   aaa  bbb  ccc  ···  baa  acc  caa  bcc  ···
21_65   ···  ···  ···  abb  baa  acc  caa  bcc  cbb
22_65   aaa  ···  ···  abb  baa  acc  caa  bcc  cbb
23_65   aaa  bbb  ···  abb  baa  acc  caa  bcc  cbb
24_65   aaa  bbb  ccc  abb  baa  acc  caa  bcc  cbb

Next are the multiplication tables for the atoms of algebras 1_65–24_65. (By the way, the table for the nonrepresentable relation algebra 21_65 given in Tuza [3, p. 683] is incorrect; it is instead the table for an algebra in SA ∼ RA.)
1_65  1'    a     b     c         2_65  1'    a     b     c         3_65  1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'    b     c         a     a     1'a   b     c         a     a     1'    b     c
b     b     b     1'a   c         b     b     b     1'a   c         b     b     b     1'ab  c
c     c     c     c     1'ab      c     c     c     c     1'ab      c     c     c     c     1'ab

4_65  1'    a     b     c         5_65  1'    a     b     c         6_65  1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'a   b     c         a     a     1'    b     c         a     a     1'a   b     c
b     b     b     1'ab  c         b     b     b     1'a   c         b     b     b     1'a   c
c     c     c     c     1'ab      c     c     c     c     1'abc     c     c     c     c     1'abc

7_65  1'    a     b     c         8_65  1'    a     b     c         9_65  1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'    b     c         a     a     1'a   b     c         a     a     1'b   ab    c
b     b     b     1'ab  c         b     b     b     1'ab  c         b     b     ab    1'a   c
c     c     c     c     1'abc     c     c     c     c     1'abc     c     c     c     c     1'ab

10_65 1'    a     b     c         11_65 1'    a     b     c         12_65 1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'ab  ab    c         a     a     1'ab  ab    c         a     a     1'b   ab    c
b     b     ab    1'a   c         b     b     ab    1'ab  c         b     b     ab    1'a   c
c     c     c     c     1'ab      c     c     c     c     1'ab      c     c     c     c     1'abc

13_65 1'    a     b     c         14_65 1'    a     b     c         15_65 1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'ab  ab    c         a     a     1'ab  ab    c         a     a     1'bc  a     ac
b     b     ab    1'a   c         b     b     ab    1'ab  c         b     b     a     1'    c
c     c     c     c     1'abc     c     c     c     c     1'abc     c     c     ac    c     1'ab

16_65 1'    a     b     c         17_65 1'    a     b     c         18_65 1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'abc a     ac        a     a     1'bc  a     ac        a     a     1'abc a     ac
b     b     a     1'    c         b     b     a     1'b   c         b     b     a     1'b   c
c     c     ac    c     1'ab      c     c     ac    c     1'ab      c     c     ac    c     1'ab

19_65 1'    a     b     c         20_65 1'    a     b     c         21_65 1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'abc a     ac        a     a     1'abc a     ac        a     a     1'bc  ab    ac
b     b     a     1'    c         b     b     a     1'b   c         b     b     ab    1'ac  bc
c     c     ac    c     1'abc     c     c     ac    c     1'abc     c     c     ac    bc    1'ab

22_65 1'    a     b     c         23_65 1'    a     b     c         24_65 1'    a     b     c
1'    1'    a     b     c         1'    1'    a     b     c         1'    1'    a     b     c
a     a     1'abc ab    ac        a     a     1'abc ab    ac        a     a     1'abc ab    ac
b     b     ab    1'ac  bc        b     b     ab    1'abc bc        b     b     ab    1'abc bc
c     c     ac    bc    1'ab      c     c     ac    bc    1'ab      c     c     ac    bc    1'abc



The cycle parameters of algebras 1_65–24_65 are

$$\mathrm{Cp}(1_{65}) = \begin{pmatrix} 0 & 0 & 0 \\ 1 & 1 & 1 \end{pmatrix}, \quad \mathrm{Cp}(2_{65}) = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 1 \end{pmatrix}, \quad \mathrm{Cp}(3_{65}) = \begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 1 \end{pmatrix}, \quad \mathrm{Cp}(4_{65}) = \begin{pmatrix} 1 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix},$$
$$\mathrm{Cp}(5_{65}) = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 1 & 0 \end{pmatrix}, \quad \mathrm{Cp}(6_{65}) = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}, \quad \mathrm{Cp}(7_{65}) = \begin{pmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \end{pmatrix}, \quad \mathrm{Cp}(8_{65}) = \begin{pmatrix} 1 & 1 & 1 \\ 0 & 0 & 0 \end{pmatrix},$$
$$\mathrm{Cp}(9_{65}) = \begin{pmatrix} 0 & 0 \\ 2 & 1 \end{pmatrix}, \quad \mathrm{Cp}(10_{65}) = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}, \quad \mathrm{Cp}(11_{65}) = \begin{pmatrix} 2 & 0 \\ 0 & 1 \end{pmatrix}, \quad \mathrm{Cp}(12_{65}) = \begin{pmatrix} 0 & 1 \\ 2 & 0 \end{pmatrix},$$
$$\mathrm{Cp}(13_{65}) = \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}, \quad \mathrm{Cp}(14_{65}) = \begin{pmatrix} 2 & 1 \\ 0 & 0 \end{pmatrix}, \quad \mathrm{Cp}(15_{65}) = \begin{pmatrix} 0 & 0 \\ 1 & 2 \end{pmatrix}, \quad \mathrm{Cp}(16_{65}) = \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix},$$
$$\mathrm{Cp}(17_{65}) = \begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}, \quad \mathrm{Cp}(18_{65}) = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \quad \mathrm{Cp}(19_{65}) = \begin{pmatrix} 0 & 2 \\ 1 & 0 \end{pmatrix}, \quad \mathrm{Cp}(20_{65}) = \begin{pmatrix} 1 & 2 \\ 0 & 0 \end{pmatrix},$$
$$\mathrm{Cp}(21_{65}) = \begin{pmatrix} 0 \\ 3 \end{pmatrix}, \quad \mathrm{Cp}(22_{65}) = \begin{pmatrix} 1 \\ 2 \end{pmatrix}, \quad \mathrm{Cp}(23_{65}) = \begin{pmatrix} 2 \\ 1 \end{pmatrix}, \quad \mathrm{Cp}(24_{65}) = \begin{pmatrix} 3 \\ 0 \end{pmatrix}.$$

Applying the algorithm of Th. 11 to algebras 1_65–24_65 produces the following results.
1. Algebras 1_65–20_65 are group representable relation algebras that have square representations on finite sets.
2. Algebras 21_65–23_65 fail to satisfy equation (28), and hence are nonrepresentable relation algebras that are also not in RA_5 and are not weakly representable.
3. The algebra 24_65 is a representable relation algebra that has no square representation on a finite set.
There are 3013 symmetric integral relation algebras that have five atoms. They are the algebras 1_3013–82_3013 in the numbering system of [8]. The atoms of these algebras are 1', a, b, c, and d. Among these algebras, the ones that have no 3-cycles are 1_3013–82_3013. Their cycles and cycle parameters are given in the following tables.
Finite Symmetric Integral Relation Algebras with No 3-Cycles 25

aaa bbb ccc ddd abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
13013 ··· ··· ··· ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
23013 aaa ··· ··· ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
33013 ··· bbb ··· ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
43013 aaa bbb ··· ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
53013 ··· ··· ccc ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
63013 aaa ··· ccc ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
73013 ··· bbb ccc ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
83013 aaa bbb ccc ··· abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
93013 ··· ··· ··· ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
103013 aaa ··· ··· ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
113013 ··· bbb ··· ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
123013 aaa bbb ··· ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
133013 ··· ··· ccc ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
143013 aaa ··· ccc ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
153013 ··· bbb ccc ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
163013 aaa bbb ccc ddd abb ··· acc ··· add ··· bcc ··· bdd ··· cdd ···
173013 ··· ··· ··· ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
183013 aaa ··· ··· ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
193013 aaa bbb ··· ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
203013 ··· ··· ccc ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
213013 aaa ··· ccc ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
223013 aaa bbb ccc ··· abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
233013 ··· ··· ··· ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
243013 aaa ··· ··· ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
253013 aaa bbb ··· ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
263013 ··· ··· ccc ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
273013 aaa ··· ccc ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
283013 aaa bbb ccc ddd abb baa acc ··· add ··· bcc ··· bdd ··· cdd ···
293013 ··· ··· ··· ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
303013 aaa ··· ··· ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
313013 ··· bbb ··· ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
323013 aaa bbb ··· ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
333013 aaa ··· ccc ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
343013 aaa bbb ccc ··· ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
353013 ··· ··· ··· ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
363013 aaa ··· ··· ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
373013 ··· bbb ··· ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
383013 aaa bbb ··· ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
393013 aaa ··· ccc ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
403013 aaa bbb ccc ddd ··· baa acc caa add ··· bcc ··· bdd ··· cdd ···
413013 ··· ··· ··· ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
423013 aaa ··· ··· ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
433013 ··· bbb ··· ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
443013 aaa bbb ··· ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
aaa bbb ccc ddd abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
453013 ··· ··· ccc ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
463013 aaa ··· ccc ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
473013 ··· bbb ccc ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
483013 aaa bbb ccc ··· ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
493013 aaa ··· ··· ddd ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
503013 aaa bbb ··· ddd ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
513013 aaa ··· ccc ddd ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
523013 aaa bbb ccc ddd ··· baa ··· caa add daa bcc ··· bdd ··· cdd ···
533013 ··· ··· ··· ··· abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
543013 aaa ··· ··· ··· abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
553013 aaa bbb ··· ··· abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
563013 aaa bbb ccc ··· abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
573013 ··· ··· ··· ddd abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
583013 aaa ··· ··· ddd abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
593013 aaa bbb ··· ddd abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
603013 aaa bbb ccc ddd abb baa acc caa add ··· bcc cbb bdd ··· cdd ···
613013 ··· ··· ··· ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
623013 aaa ··· ··· ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
633013 ··· bbb ··· ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
643013 aaa bbb ··· ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
653013 ··· bbb ccc ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
663013 aaa bbb ccc ··· ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
673013 aaa ··· ··· ddd ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
683013 aaa bbb ··· ddd ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
693013 aaa bbb ccc ddd ··· baa ··· caa add daa bcc cbb bdd ··· cdd ···
703013 ··· ··· ··· ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
713013 aaa ··· ··· ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
723013 aaa bbb ··· ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
733013 ··· ··· ccc ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
743013 aaa ··· ccc ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
753013 aaa bbb ccc ··· abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
763013 aaa bbb ··· ddd abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
773013 aaa bbb ccc ddd abb baa ··· caa add daa ··· cbb bdd dbb cdd ···
783013 ··· ··· ··· ··· abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
793013 aaa ··· ··· ··· abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
803013 aaa bbb ··· ··· abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
813013 aaa bbb ccc ··· abb baa acc caa add daa bcc cbb bdd dbb cdd dcc
823013 aaa bbb ccc ddd abb baa acc caa add daa bcc cbb bdd dbb cdd dcc

[Displayed here in the original: the matrices Cp(1_{3013}), Cp(2_{3013}), ..., Cp(82_{3013}), three to a row; their entries are not recoverable from this extraction.]

Applying the algorithm of Th. 11 to algebras 1_{3013}–82_{3013} gives the following results.
1. Algebras 1_{3013}–52_{3013} and 61_{3013}–69_{3013} are group representable relation algebras that have square representations on finite sets.
2. Algebras 53_{3013}–55_{3013}, 57_{3013}–59_{3013}, 70_{3013}–75_{3013}, and 78_{3013}–81_{3013} fail to satisfy equation (28), and hence are nonrepresentable relation algebras that are also not in RA5 and are not weakly representable.
3. Algebras 56_{3013}, 60_{3013}, 76_{3013}, 77_{3013}, and 82_{3013} are representable relation algebras that have no square representation on a finite set.

Computations and Relational Bundles

J.W. Sanders

Programming Research Group


Oxford University Computing Laboratory
Wolfson Building, Parks Road, Oxford, OX1 3QD
[email protected]

Abstract. We explore the view of a computation as a relational section of a (trivial) fibre bundle: initial states lie in the base of the bundle and final states lie in the fibres located at their initial states. This leads us to represent a computation in ‘fibre-form’ as the angelic choice of its behaviours from each initial state. That view is shown to have the advantage also of permitting final states to be of different types, as might be used for example in a semantics of probabilistic computations, and of providing a natural setting for refinement of computations.
However we apply that view in a different direction. On computations more general than code the two standard models, the relational and the predicate-transformer models, obey different laws. One way to understand that difference is to study the laws of more refined models, like the semantics of probabilistic computations. Another is to characterise each model by its laws. In spite of their differences, the relational model is embedded in the transformer model by a Galois connection which can be used to transfer much of the structure on transformers to the relational model. We investigate the extent to which the conjugate on predicate transformers translates to relations and use the result to motivate a characterisation of relational computations, achieved by using fibre-forms.

1 Introduction
The binary-relation and predicate-transformer models of (sequential) programs have different flavours and different properties but each satisfies all the laws required of programs. Indeed consistency of the two models is maintained by the wp-based Galois connection between them. But the extension from programs to more general commands, specifications, or ‘computations’ as we shall call them, includes arbitrary (not merely finite) demonic nondeterminism and its ‘dual’, angelic nondeterminism. Thus whilst programs may not terminate, computations may (dually) not be enabled. In this extension the equivalence of the two semantic models is lost: the Galois connection does not preserve angelic nondeterminism.
Differences in the way sequential composition interacts with the two forms of nondeterminism (demonic and angelic) are, for arbitrary computations, summarised in Fig. 1. Recall that in the relational model demonic nondeterminism ⊓ is given by union, angelic nondeterminism ⊔ by intersection and refinement ⊑ by containment ⊇, whilst in the transformer model demonic nondeterminism is given by pointwise conjunction ∧, angelic nondeterminism by pointwise disjunction ∨ and refinement by pointwise implication ≤. In the following we translate the laws of Fig. 1 from semantic to algebraic (i.e. ⊓, ⊔, ⊑) notation.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 30–62, 2006.
© Springer-Verlag Berlin Heidelberg 2006

(∪𝓡) ⨾ S = ∪{R ⨾ S | R ∈ 𝓡} (1)
S ⨾ (∪𝓡) = ∪{S ⨾ R | R ∈ 𝓡} if 𝓡 nonempty (2)
(∩𝓡) ⨾ S ⊆ ∩{R ⨾ S | R ∈ 𝓡}, = if S is injective (3)
S ⨾ (∩𝓡) ⊆ ∩{S ⨾ R | R ∈ 𝓡}, = if S is predeterministic (4)

(∧𝓣) ∘ u = ∧{t ∘ u | t ∈ 𝓣} (5)
u ∘ (∧𝓣) ≤ ∧{u ∘ t | t ∈ 𝓣}, = if u is positively conjunctive (6)
(∨𝓣) ∘ u = ∨{t ∘ u | t ∈ 𝓣} (7)
u ∘ (∨𝓣) ≥ ∨{u ∘ t | t ∈ 𝓣}, = if u is disjunctive. (8)

Fig. 1. Differences between the relational model—Laws (1) to (4)—and the transformer model—Laws (5) to (8)—for arbitrary computations. In the former, demonic choice, angelic choice and refinement are respectively ∪, ∩ and ⊇, whilst in the latter they are ∧, ∨ and ≤. Only the first Laws ((1) and (5)) and last ((4) and (8)) coincide.
Thus the two models agree, for general computations, on only two of the four laws. Firstly, by Laws (1) and (5), sequential composition distributes initial demonic nondeterminism

(⊓𝓐) ⨾ B = ⊓{A ⨾ B | A ∈ 𝓐}.

Operationally it might be reasoned that the demon resolving the nondeterminism (having memory but not prescience) does so initially on both sides hence, confronted with the same choices, produces the same behaviours.
Distribution of final demonic nondeterminism is valid in the relational model (Law (2)) but in the transformer model is valid in only one direction (Law (6))

B ⨾ (⊓𝓐) ⊑ ⊓{B ⨾ A | A ∈ 𝓐}.

Operationally, the demon has more choice the later it acts. Thus on the right, where the choice is made initially, there are fewer choices and so fewer behaviours than on the left. However the choices coincide if execution of B results in no further choices for the demon: if B is free of angelic choice or, in other words, forms a program (i.e. lies in the range of the Galois embedding wp and is thus positively conjunctive as a transformer).
And secondly the two models agree, by Laws (4) and (8), on the refinement in which sequential composition distributes final angelic nondeterminism

B ⨾ (⊔𝓐) ⊒ ⊔{B ⨾ A | A ∈ 𝓐}.

Operationally, angelic choice is dual to demonic choice: the angel resolving the choice has prescience but not memory. Thus on the right the angel has an initial choice, and hence the entire computation of B in which to make it; but on the left it makes a choice after B, with fewer alternatives and so fewer resulting behaviours. Equality holds if execution of B offers no further demonic choice by which the angel might profit: from each initial state computation B is either unenabled, aborts or is deterministic (i.e. is predeterministic and is thus disjunctive as a transformer).
Distribution of initial angelic choice is valid in the transformer model (Law (7)) (operationally, the angel has the same choices on each side) but in the relational model is valid in only one direction (Law (3)) unless computation B terminates from distinct initial states in distinct final states.
For theoretical purposes, a richer model is better and for that reason most semantic study has taken place inside the transformer model. For instance the operational justification of the laws just outlined comes from the angel/demon game interpretation supported by the transformer model [BvW98]. One vital feature of that model has been its involution underlying the duality mentioned above, which conflates the two simulation rules for data refinement which in the relational model are distinct, with the result that one rule alone is complete in the transformer model though two are required in the relational model.
But what of the system designer who is committed to formal methods only to be confronted by an inconsistency in the laws satisfied by what he might regard as the most intuitive model (binary relations) and the more studied model (transformers)? The distinction may become apparent as soon as a refinement is attempted from specification to code. Or what of the implementor who wishes to document her clever implementation more abstractly for comparison with others; does she allow demonic choice to ‘look ahead’? It would be perverse of specialists in formal methods to confront practitioners of their subject with an inconsistent array of techniques. And the laws of computations become important as soon as derivation of code from specification is practiced. How should a software engineer be expected to express a preference between the relational and transformer laws? And what exactly are the consequences of that distinction, anyway?
One way to understand better the difference between those models of computations more general than programs is to investigate stronger paradigms of computation. For example inclusion of a binary combinator p⊕ for probabilistic choice leads to more subtle behaviours, even of the standard combinators, and so to more detailed relational and transformer models. It provides, for example, insight into memory and prescience of demon and angel.
But in this paper we take an alternative approach and characterise what it means for a model of computation to ‘look relational’. By starting with the laws satisfied by the binary-relation model we adopt a fibre-wise approach that enables us to express a computation in terms of its fibres and hence to construct an isomorphism—that preserves computational structure—between a model of those laws and the relational model itself. A model that looks relational actually is relational; given a state space, the laws of relational computations are categorical.
The underlying ingredient in our approach is the fibre-wise view of computations. To express it, we recall the definition of a (discrete) bundle from differential geometry and topology, and consider the structure it offers for a theory of computation. But first we need to recall the relational and transformer models of computations and the Galois connection between them (Section 3); and before that we must recall the notion of computation itself and the special case of programs (Section 2).

skip  no op
abort  divergent computation
x := e  assignment
A ◁ b ▷ B  binary conditional
A ⨾ B  sequential composition
μF  recursion
A ⊓ B  demonic choice
A ⊑ B  refinement: A ⊓ B = A

Fig. 2. Syntax for the space (gcl.X, ⊑) of programs over state space X

Notation
This paper uses the following general notation.
If f is a function then f .x denotes its application to argument x . Function
application binds to the left.
For any set X , the set of all subsets of X is denoted P.X , the set of all finite
subsets of X is denoted F.X and the set of all predicates on X is denoted Pr.X .
The cardinality of a set E is denoted #E .
The set of all relations between sets X and Y is denoted X ↔ Y . If its field
is evident from the context we write id for the identity relation; when the field A
requires emphasis we write id .A. The converse of relation r is written r ∼ . The
image of set E by relation r is written r .(| E |). To express a relation r pointwise
we use infix notation: x r y.

2 Programs and Computations


2.1 The Space of Programs
As space of programs we adopt a commonly-used mild extension gcl.X of Dijkstra’s guarded-command language,¹ that is closed under nonempty finite infima (representing demonic nondeterminism) and suprema of directed sets (representing common refinement). Since it also contains a least element, abort, it forms a complete partial order: Law (9). The compact elements are those programs that abort off some finite set of initial states, and each program is the supremum of the directed set of its approximating compacts (cf. Law (10), which states a special case in which the approximations from any initial state reflect the full behaviour of the computation there).

¹ Extended to contain recursion rather than merely iteration; and syntactically different by replacing general conditional with binary conditional and explicit binary demonic choice.

(gcl.X, ⊑) is a complete partial order with min abort (9)
A = ⊔{A ◁ x ∈ F ▷ abort | F ∈ F.X} (10)
A ⨾ (B ⨾ C) = (A ⨾ B) ⨾ C (11)
A ⨾ skip = A = skip ⨾ A (12)
abort ⨾ A = abort = A ⨾ abort (13)
(⊓𝓐) ⨾ B = ⊓{A ⨾ B | A ∈ 𝓐} if 𝓐 nonempty finite (14)
B ⨾ (⊓𝓐) = ⊓{B ⨾ A | A ∈ 𝓐} if 𝓐 nonempty finite (15)

Fig. 3. Laws concerning order and sequential composition for the space gcl.X of (relational) programs with state space X
Each assignment x := e is assumed to be terminating and deterministic; in other words the expression e provides a total function on state space X. A demonically-nondeterministic assignment (like x := ±√y) is expressed using demonic choice (i.e. (x := √y) ⊓ (x := −√y)). Nondefinedness (like x := 1/y) is achieved using conditional (e.g. 1/y ◁ y ≠ 0 ▷ abort).
Sequential composition is associative, Law (11), with skip a left unit and a right unit (Law (12)) and abort a left zero and a right zero (Law (13)). However sequential composition is distributed, on either side, only by the ⊓ of nonempty (finite, of course) sets: Laws (14) and (15). Indeed an empty ⊓ would be a greatest element of (gcl.X, ⊑), a program refining every program, and no such program exists. (In fact, it is the more general computation magic of Laws (31) and (32). It provides an alternative description of nondefinedness: 1/y ◁ y ≠ 0 ▷ magic.)
Laws for conditional and assignment appear in Fig. 4. In this paper we suppress the treatment of recursion (least fixed point) and local block (var y : Y · A rav).

2.2 The Space of Computations

The more comprehensive space Gcl.X of computations includes that of programs (i.e. gcl.X); see Fig. 5. It is closed under the combinators of gcl.X but also under arbitrary infima and hence also (by a standard general result) under arbitrary suprema. It thus forms a complete lattice: Law (27).

A ◁ true ▷ B = A (16)
A ◁ b ▷ B = B ◁ ¬b ▷ A (17)
A ◁ b ▷ A = A (18)
(A ◁ b ▷ B) ◁ c ▷ C = A ◁ b ∧ c ▷ (B ◁ c ▷ C) (19)
A ◁ b ▷ (B ◁ c ▷ C) = (A ◁ b ▷ B) ◁ c ▷ (A ◁ b ▷ C) (20)
(A ◁ b ▷ B) ⨾ C = (A ⨾ C) ◁ b ▷ (B ⨾ C) (21)
A ⊓ (B ◁ b ▷ C) = (A ⊓ B) ◁ b ▷ (A ⊓ C) (22)
x := x = skip (23)
(x := e) ⨾ (x := f) = x := (e ; f) (24)
(x := e) ◁ b ▷ (x := f) = x := (e ◁ b ▷ f) (25)
(x := e) ⨾ (A ◁ b ▷ B) = ((x := e) ⨾ A) ◁ e ; b ▷ ((x := e) ⨾ B) (26)

Fig. 4. Laws concerning conditional and (terminating deterministic) assignment for the space gcl.X of (relational) programs over X

gcl.X  programs and their combinators
magic  always-unenabled computation
⊓𝓐  arbitrary demonic choice
⊔𝓐  arbitrary angelic choice

Fig. 5. Syntax for the space Gcl.X of (general) computations over state space X

The empty ⊓, the greatest element of Gcl.X, is called magic. The least element of (Gcl.X, ⊑) remains the least element, abort, of (gcl.X, ⊑); it is the empty ⊔. A computation is compact iff there is some finite set of states off which it aborts (and on which—state by state—it is either unenabled or exhibits arbitrary behaviour). Again, each computation is the ⊔ of the directed set of its compact approximations (cf. Law (28)). The difference between Laws (10) and (28) is that the latter may display unenabled behaviour at some initial states.
The following shorthand is standard and convenient. For any subset E of state space, x :∈ E denotes the demonic choice ⊓{x := e | e ∈ E}. If E is nonempty and finite it is a program; otherwise it is just a computation, which if E is empty is magic.

2.3 Termination, Enabledness and Determinism


The important computational concepts of termination, enabledness and determinism are expressed algebraically (using conditionals) as follows. More succinct equivalents will be available after introduction of the fibre notation in Sec. 4.1.

(Gcl.X, ⊑) is a complete lattice with min abort and max magic (27)
A = ⊔{A ◁ x ∈ F ▷ abort | F ∈ F.X} (28)
abort ⨾ A = abort (29)
A ⨾ abort = abort if A always enabled (30)
magic ⨾ A = magic (31)
A ⨾ magic = magic if A terminating (32)
A ⊔ (B ◁ b ▷ C) = (A ⊔ B) ◁ b ▷ (A ⊔ C) (33)
(⊓𝓐) ⨾ B = ⊓{A ⨾ B | A ∈ 𝓐} (34)
B ⨾ (⊓𝓐) = ⊓{B ⨾ A | A ∈ 𝓐} if 𝓐 nonempty (35)
(⊔𝓐) ⨾ B ⊒ ⊔{A ⨾ B | A ∈ 𝓐}, (36)
 = ⊔{A ⨾ B | A ∈ 𝓐} if B is injective (37)
B ⨾ (⊔𝓐) ⊒ ⊔{B ⨾ A | A ∈ 𝓐}, (38)
 = ⊔{B ⨾ A | A ∈ 𝓐} if B is predeterministic (39)

Fig. 6. Laws concerning order and sequential composition for the space Gcl.X of relational computations over X
Suppose that A is a computation and x0 : X is a state. Then A is said to abort at x0 iff it might not (equivalently ‘will not’ in the standard (Hoare/Dijkstra) model we adopt) terminate there:

(A ◁ x = x0 ▷ abort) = abort.

Computation A is said to be enabled at x0 iff it may (equivalently ‘does’) begin there

(A ◁ x = x0 ▷ magic) ≠ magic.

That inequality is equivalent (in view of Laws (30) and (31)) to the identity

(A ◁ x = x0 ▷ magic) ⨾ abort = (abort ◁ x = x0 ▷ magic).

And computation A is said to terminate at x0 iff it does not abort whenever it is enabled there. In defining termination to permit non-enabledness, the concern has been foremost to ensure Law (4) holds and secondarily to maintain consistency with the transformer characterisation of termination.
Computation A is ‘deterministic’ at x0 iff it is enabled there and ‘terminates in only a single final state’. To define that term: computation A is co-atomic at x0 iff the computation (A ◁ x = x0 ▷ magic) is co-atomic: namely magic is the only computation that strictly refines it:

(A ◁ x = x0 ▷ magic) ≠ magic ∧
∀ B : Gcl.X · (A ◁ x = x0 ▷ magic) ⊏ B ⇒ B = magic.

Then A is defined to be deterministic at x0 iff (A ◁ x = x0 ▷ magic) is co-atomic. Finally A is predeterministic at x0 iff either it does not terminate or is deterministic at x0, whenever it is enabled at x0.
A computation is terminating [always-enabled, deterministic, predeterministic] means that it is terminating [enabled, deterministic, predeterministic] at each initial state x0. Code is always enabled; and the celebrated loop rule ensures termination of code in the form of an iteration. But magic, for example, is not enabled and (hence is) terminating.
Laws for sequential composition are more subtle for Gcl.X than gcl.X, because of partially-enabled computations like coercions; see Laws (30), (31) and (32).

2.4 Assertions and Coercions


For any predicate b on state space the assertion at b is the program that skips at initial states satisfying b and otherwise aborts. Its definition and basic properties are summarised as follows; the proof is routine from the axioms above.

Lemma (assertions). The assertion function from predicates to assertions

ass : (Pr.X, ≤) → (gcl.X, ⊑)
ass.b = skip ◁ b ▷ abort

is injective and satisfies
1. ass.true = skip;
2. ass.(b ∧ c) = (ass.b) ⨾ (ass.c) and, in particular, assertions commute;
3. for any finite nonempty set B of predicates, ass.(∧B) = ⊓{ass.b | b ∈ B} and, in particular, ass is monotone;
4. for any finite set B of predicates, ass.(∨B) = ⊔{ass.b | b ∈ B} and, in particular, ass.false = abort.

Conditional is regained from assertions using angelic choice:

(ass.b ⨾ A) ⊔ (ass.¬b ⨾ B) = A ◁ b ▷ B. (40)

For any predicate b on state space the coercion at b is the computation, coer.b, that skips at initial states satisfying b and otherwise is magic. In the transformer model (see Sec. 3.2) assertions and coercions are dual. In the current context, that duality manifests itself in the following analogue of the ‘assertions’ Lemma.

Lemma (coercions). The coercion function from predicates to coercions

coer : (Pr.X, ≤) → (Gcl.X, ⊑)
coer.b = skip ◁ b ▷ magic

is injective and satisfies
1. coer.true = skip;
2. coer.(b ∧ c) = (coer.b) ⨾ (coer.c) and, in particular, coercions commute;
3. for any finite nonempty set B of predicates, coer.(∧B) = ⊔{coer.b | b ∈ B} and, in particular, coer is antitone;
4. for any finite set B of predicates, coer.(∨B) = ⊓{coer.b | b ∈ B} and, in particular, coer.false = magic.

Conditional is regained from coercions by the dual of (40):

(coer.b ⨾ A) ⊓ (coer.¬b ⨾ B) = A ◁ b ▷ B. (41)

Moreover the two are dually interdefinable using the laws above:

coer.b = skip ⊔ (ass.¬b ⨾ magic)
ass.b = skip ⊓ (coer.¬b ⨾ magic).

We must be careful not to allow such simple duality to raise our hopes concerning the degree to which there is a transformer-like dual on the space of (relational) computations.

3 Models
In this section we recall the relational and transformer models of computations
(and programs in particular) and the Galois connection between them. In the
remainder of the paper, our interest will be primarily relational. That is why
when, in the previous section, we have had to choose between laws satisfied by
the relational and transformer models, we have opted for the former.

Definition (computation structure). A (relational) computation structure is a model satisfying the laws of Gcl.X, namely those of Fig. 3, without Law (13), and those of Figs. 4 and 6. (Note that Law (14) is superseded by Law (34) and so need not be explicitly suppressed.) A (relational) program structure is a model of the laws of gcl.X, namely those of Figs. 3 and 4.

3.1 Relational Semantics


In the presence of both demonic nondeterminism and divergence, the relational model of computation employs a virtual state ⊥, distinct from each (actual) state in X, to encode divergence. Thus state space becomes X⊥ = X ∪ {⊥}. If A is a computation then its relational semantics [A]R is a binary relation on X⊥ that relates: the virtual state ⊥ to each state in X⊥; an initial state x : X to ⊥ if computation A may diverge from x; and initial x to a final state y : X if execution of A from x may terminate in y. For convenience, if s is a relation on X, we let s⊥ denote the relation on X⊥ that relates ⊥ to everything but on X behaves just like s (i.e. x s⊥ y = (x = ⊥ ∨ x s y)).

[abort]R = ω⊥
[magic]R = { }⊥
[skip]R = id⊥
[x := e]R = {(x, e.x) : X⊥ × X⊥ | e.x terminates}⊥, e finitary
[A ⨾ B]R = [A]R ⨾ [B]R
[A ◁ b ▷ B]R = {(x, y) | x [A]R y ◁ b.x ▷ x [B]R y}
[A ⊓ B]R = [A]R ∪ [B]R
[A ⊔ B]R = [A]R ∩ [B]R
[μF]R = ∪{r : Rel.X | F.r = r}, F monotone on (Rel.X, ⊇)
A ⊑ B = ([A]R ⊇ [B]R)

Fig. 7. Relational semantics [A]R of computation A : Gcl.X

Definition (relational model). The relational model of computations is the (relational) computation structure Rel.X whose elements are the binary relations on X⊥ that are strict (i.e. ⊥ r ⊥) and upclosed with the flat order on X (i.e. x r ⊥ ⇒ r.(|x|) = X⊥), and with the computations and combinators identified in Fig. 7. The relational model of programs is the (relational) program substructure rel.X of Rel.X consisting of the set of relations r on X⊥ that are also finitary: r.(|x|) ≠ X⊥ ⇒ 0 < #r.(|x|) < ∞.

The fact that those really are computation structures, i.e. satisfy the appropriate laws, seems largely to be folklore [H87]:

Theorem (relational model). The semantic function [−]R : Gcl.X → Rel.X of Fig. 7 is a bijection, confirming that Rel.X is a (relational) computation structure and rel.X is a (relational) program structure.

3.2 Transformer Semantics


If A is a computation then its predicate-transformer semantics is a function [A]T
on predicates over X that maps a postcondition q to the weakest precondition
at which termination of A is sure to hold in a state satisfying q.

Definition (transformer model). The transformer model of computations is the space T.X of monotone functions on the space of predicates over X with implication ordering, and with the computations and combinators identified in Fig. 8. The transformer model of programs is the subspace consisting of strict, positively conjunctive and continuous transformers.

40 J.W. Sanders

[abort]T = false
[magic]T = true
[skip]T = {(q, q) | q ∈ Pr.X}
[x := e]T.q.x = q.(e.x) (= q[e/x])
[A ; B]T = [A]T ∘ [B]T
[A ◁ b ▷ B]T = [A]T ◁ b ▷ [B]T
[A ⊓ B]T = [A]T ∧ [B]T
[A ⊔ B]T = [A]T ∨ [B]T
[μ F]T = ∧{t : T.X | F.t = t}, F monotone on T.X
A ⊑ B ≙ [A]T ≤ [B]T

Fig. 8. Transformer semantics [A]T of computation A : Gcl.X

The fact that T.X models the appropriate laws is of course standard and well documented [D76, H92, N89]. The transformer semantics is given in Fig. 8. But for implicit consistency with the relational semantics we prefer to deduce it, as much as is possible, from the Galois connection between the relational and transformer models (in the next section). For now, we record:

Theorem (transformer model). The semantic function [−]T : Gcl.X → T.X of Fig. 8 is a bijection, confirming that T.X satisfies the laws of Fig. 3 without the last three ((13), (14), (15)), the laws of Fig. 4 and the laws of Fig. 6 with Laws (35), (36), (37) replaced by Laws (6) and (7). Furthermore the subspace corresponding to programs satisfies the laws of Figs. 3 and 4.

Perhaps the most important distinction between the relational and transformer models is that the latter has a notion of dual, whilst the former does not.

Definition (transformer duality). Duality is defined on predicate transformers by t*.q ≙ ¬t.¬q, and is readily shown to be well-defined on the subspace T.X of monotone transformers.

The fundamental properties of transformer duality [BvW98] are established by straightforward calculation:

Theorem (transformer duality). The duality function on predicate transformers is a bijection satisfying

u ≤ t* ≡ t ≤ u* (42)
(t ∘ u)* = t* ∘ u* (43)
t** = t (44)
[skip]T* = [skip]T (45)
[abort]T* = [magic]T (46)
(t ∧ u)* = t* ∨ u* (47)
(t ∨ u)* = t* ∧ u* (48)
(t ◁ b ▷ u)* = t* ◁ b ▷ u* (49)
[ass.b]T* = [coer.b]T (50)

It is easily shown that there is no dual on relations having those properties. For example the best-behaved candidate, the translation of * using the Galois connection (see Sec. 3.3) between relations and transformers (i.e. r† ≙ rp.((wp.r)*)), satisfies (42), (43), (45), (46), (47), (49), (50) although it fails to be bijective and satisfies merely r†† ⊇ r and (∩R)† ⊇ ∪R†.

3.3 Galois Connection

Recall that the function wp : Rel.X → T.X is defined, for relational computation r : Rel.X, postcondition q : Pr.X and state x : X:

wp.r.q.x ≙ ∀y : X⊥ · x r y ⇒ (y ≠ ⊥ ∧ q.y).

With the relational and transformer interpretations already given, that says: wp.r.q holds at just those states from which termination is ensured, and in a state satisfying q.

Since wp is universally (∪, ≥)-junctive (i.e. from (Rel.X, ⊆) to (T.X, ≥)), it has an adjoint which we call the relational projection, rp. For t : T.X, rp.t is the binary relation on X⊥ defined to be strict and to satisfy, for x : X and y : X⊥,

x (rp.t) y ≙ ∀q : Pr.X · t.q.x ⇒ q.y

(where, by definition, ¬q.⊥). Adjunction means

t ≤ wp.r ≡ r ⊆ rp.t (51)

so that the functions wp and rp form a Galois connection between the relational and transformer spaces with their orders reversed: from (Rel.X, ⊆) to (T.X, ≥). Standard theory [O44] shows that the Galois connection preserves much of the structure on the two semantic models, except for angelic nondeterminism. Gathering the (elementary) properties we need:

Theorem (Galois connection). The Galois connection (51) satisfies

wp.(r ; s) = (wp.r) ∘ (wp.s) (52)
wp.(id.X)⊥ = id.(T.X) (53)
rp.(t ∘ u) = (rp.t) ; (rp.u) (54)
rp.id.(T.X) = (id.X)⊥ (55)
∀U ⊆ T.X · rp.∨U = ∩ rp.(|U|) (56)
∀U ⊆ T.X · rp.∧U = ∪ rp.(|U|) (57)
∀S ⊆ Rel.X · wp.(∪S) = ∧ wp.(|S|) (58)
∀S ⊆ Rel.X · wp.(∩S) ≥ ∨ wp.(|S|). (59)

Trivial consequences, which it is helpful to have stated explicitly, are:

Corollary (Galois connection). The Galois connection (51) also satisfies

r ⊆ s ⇒ wp.r ≥ wp.s (60)
t ≥ u ⇒ rp.t ⊆ rp.u (61)
rp ∘ wp = id.(Rel.X) (62)
id.(T.X) ≤ wp ∘ rp (63)
rp.true = { }⊥ (64)
rp.false = X⊥ × X⊥ (65)
wp.ω⊥ = false (66)
wp.{ }⊥ = true. (67)

The fact that inequality (59) may be strict indicates why the embedding wp cannot be used to lift angelic nondeterminism from relations to transformers. (For example, with r ≙ [x := 0 ⊓ x := 1]R and s ≙ [x := 1 ⊓ x := 2]R we have r ∩ s = [x := 1]R and wp.(r ∩ s) > (wp.r) ∨ (wp.s), as can be seen by evaluating each side at the postcondition x = 1: the left-hand side holds in every state, whilst neither wp.r nor wp.s holds in any.) Otherwise, the transformer semantics is obtained from the relational semantics (Fig. 7) under the Galois embedding wp, as summarised in Fig. 8:

Theorem (Semantics). With the exception of angelic choice, the denotations in Fig. 8 equal those obtained from lifting the R-semantics from Fig. 7 via the Galois embedding wp: for every computation A : Gcl.X not containing angelic choice,

[A]T = wp.[A]R.

In particular the semantics of code A : gcl.X is given by that formula.

Proof. To indicate the nature of the calculations involved, consider the cases of skip and demonic choice. For the former, we reason with postcondition q and (proper) state x : X,

wp.[skip]R.q.x
≡ definition of wp
∀y : X⊥ · x [skip]R y ⇒ (y ≠ ⊥ ∧ q.y)
≡ Fig. 7
∀y : X⊥ · x = y ⇒ (y ≠ ⊥ ∧ q.y)
≡ calculus
q.x
≡ definition of id
id.(Pr.X).q.x,

as claimed in Fig. 8. For demonic choice, we reason:

wp.[A ⊓ B]R
≡ Fig. 7
wp.([A]R ∪ [B]R)
≡ Law (58)
wp.[A]R ∧ wp.[B]R
≡ induction
[A]T ∧ [B]T,

as required by Fig. 8. □
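The Galois connection (51) and the strict instance of (59) discussed above can be examined mechanically on a small state space. The following Python script is an added example and not part of the original paper: it encodes relations on X⊥ for the constructed state space X = {0, 1, 2} as rows of final states, tabulates wp and rp exactly as they are defined in Sec. 3.3, checks (62) for every healthy relation and (51), (58), (59) for a seeded sample of pairs, and then evaluates the page's witness r = [x := 0 ⊓ x := 1]R, s = [x := 1 ⊓ x := 2]R at the postcondition x = 1. The function names (healthy, wp, rp, galois_checks, strict_example) and the sample size are the example's own choices.

```python
from itertools import combinations, product
import random

BOT = "⊥"                      # virtual state encoding divergence (added example, constructed data)
X = (0, 1, 2)                  # constructed finite state space
X_BOT = X + (BOT,)
TOP_ROW = frozenset(X_BOT)     # row of an initial state from which the computation may abort
PREDS = [frozenset(s) for n in range(len(X) + 1) for s in combinations(X, n)]   # Pr.X

# A relation on X⊥ is a dict: initial state -> frozenset of final states (its "row").
def healthy(r):
    """Strict (⊥ relates to everything) and upclosed (x r ⊥ ⇒ r.(|x|) = X⊥)."""
    return r[BOT] == TOP_ROW and all(BOT not in r[x] or r[x] == TOP_ROW for x in X)

def all_healthy():
    """Every healthy relation: each proper row is X⊥ (abort) or a set of proper states."""
    for rows in product([TOP_ROW] + PREDS, repeat=len(X)):
        yield {**dict(zip(X, rows)), BOT: TOP_ROW}

def assign(e):
    """[x := e]_R for a terminating expression e, given as a Python function of the state."""
    return {**{x: frozenset({e(x)}) for x in X}, BOT: TOP_ROW}

def demonic(r, s):   # [A ⊓ B]_R = [A]_R ∪ [B]_R
    return {x: r[x] | s[x] for x in X_BOT}

def angelic(r, s):   # [A ⊔ B]_R = [A]_R ∩ [B]_R
    return {x: r[x] & s[x] for x in X_BOT}

def subrel(r, s):    # r ⊆ s
    return all(r[x] <= s[x] for x in X_BOT)

# A predicate transformer is tabulated as a dict: postcondition -> weakest precondition.
def wp(r):
    """wp.r.q.x ≡ ∀y : X⊥ · x r y ⇒ (y ≠ ⊥ ∧ q.y)."""
    return {q: frozenset(x for x in X if all(y != BOT and y in q for y in r[x])) for q in PREDS}

def rp(t):
    """x (rp.t) y ≡ ∀q : Pr.X · t.q.x ⇒ q.y, with q.⊥ false by definition; rp.t is strict."""
    rel = {BOT: TOP_ROW}
    for x in X:
        rel[x] = frozenset(y for y in X_BOT
                           if all(y != BOT and y in q for q in PREDS if x in t[q]))
    return rel

def leq(t, u):       # implication ordering on transformers, pointwise in the postcondition
    return all(t[q] <= u[q] for q in PREDS)

def meet(t, u): return {q: t[q] & u[q] for q in PREDS}    # t ∧ u
def join(t, u): return {q: t[q] | u[q] for q in PREDS}    # t ∨ u

def galois_checks(sample_size=40, seed=0):
    """(62) for every healthy r; (51), (58) and (59) for sampled r against every s."""
    rels = list(all_healthy())
    assert all(healthy(r) for r in rels)
    wps = [wp(r) for r in rels]
    rps = [rp(t) for t in wps]
    for r, back in zip(rels, rps):
        assert back == r                                    # (62): rp ∘ wp = id
    pairs = 0
    for i in random.Random(seed).sample(range(len(rels)), sample_size):
        r, t = rels[i], wps[i]
        for s, u, back in zip(rels, wps, rps):
            assert leq(u, t) == subrel(r, back)             # (51): t ≤ wp.r ≡ r ⊆ rp.t, at t = wp.s
            assert wp(demonic(r, s)) == meet(t, u)          # (58): wp.(r ∪ s) = wp.r ∧ wp.s
            assert leq(join(t, u), wp(angelic(r, s)))       # (59): wp.(r ∩ s) ≥ wp.r ∨ wp.s
            pairs += 1
    return len(rels), pairs

def strict_example():
    """The page's witness that (59) can be strict, evaluated at the postcondition x = 1."""
    r = demonic(assign(lambda x: 0), assign(lambda x: 1))   # [x := 0 ⊓ x := 1]_R
    s = demonic(assign(lambda x: 1), assign(lambda x: 2))   # [x := 1 ⊓ x := 2]_R
    q = frozenset({1})
    lhs = wp(angelic(r, s))[q]                              # wp.(r ∩ s)
    rhs = join(wp(r), wp(s))[q]                             # wp.r ∨ wp.s
    return angelic(r, s) == assign(lambda x: 1), lhs, rhs
```

galois_checks() returns (729, 29160): 729 healthy relations on X⊥, with rp ∘ wp the identity on each, and 29,160 pairs on which the adjunction and (58) hold exactly while (59) holds as an inequality. strict_example() returns (True, {0, 1, 2}, ∅): r ∩ s is indeed [x := 1]R, its weakest precondition for x = 1 holds in every state, and the join of the two separate weakest preconditions holds in none, which is the gap that stops wp from lifting ⊔.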

4 Fibre Bundles
In this section we adapt the standard concept of a ‘fibre bundle’ [S51] to the
context of computations. It enables us to consider a computation initial-state
by initial-state without the need for a homogeneous model in which initial and
final states have the same type.

4.1 Bundles and Sections


Definition (fibre bundle). Let X and E be sets. Then E forms a fibre bundle over base X with projection π : E → X if π is a surjection. For each x : X the inverse-image set π∼.(|x|) is called the fibre at x. Note that the composition π∼ followed by π equals the identity relation on X whilst in the reverse order it equals the universal relation on each fibre:

π∼ ; π = id.X (68)
e (π ; π∼) e′ ≡ (π.e = π.e′). (69)

Definition (section). By a (relational) section of a fibre bundle we mean a relation s : X ↔ E that relates a base point x only to members of the fibre at x, namely

s ; π ⊆ id.X.

See Fig. 9. In the standard theory of fibre bundles s is required to be a function; we consider relations in order to represent nondeterministic computations from initial states in X to final states in the fibre at x. The standard definition also requires the previous inclusion to be an equality; we allow inclusion to permit unenabled computations: sections that are only partial. If the base and fibres are the same then the result is a homogeneous model of computation. One of the strengths of the bundle setting is its appropriateness also for nonhomogeneous models.

[Figure 9 (diagram omitted): base element x : X, projection π : E → X, section s : X ↔ E, and the fibre π∼.(|x|) above x.]

Fig. 9. The fibre bundle E over X with projection π and (relational) section s. The fibre at base element x : X consists of the set of bundle elements π∼.(|x|).

In this setting, the concept of fibre bundle is merely a notational convenience since with no structure on the base (traditionally either topological, differential or geometric) its local structure is identical to its global structure. Instead we derive from the spirit of the definition.

4.2 Examples
Examples of bundles E are obtained by instantiating fibres π∼.(|x|) and imposing healthiness conditions on sections s : X ↔ E as follows.

1. In the relational model (Sec. 3.1), the base and fibres both consist of the extended state space X⊥ so that π∼.(|x|) = X⊥. A section is interpreted as taking an element of the base, an initial state, to an element of its fibre, a final state; thus it is required to be strict and pointwise upclosed (unenabled initial states lie outside its domain). This example is homogeneous; the simpler nonhomogeneous alternative in which the base is simplified to just X is not viable because initial ⊥ is required to ensure Law (29).
2. In the predicate-transformer model (Sec. 3.2), the base and fibres consist
of predicates over state space X so that π ∼ .(| x |) = Pr.X . A section is
interpreted as taking a postcondition [resp. precondition] to a weakest pre-
condition [resp. strongest postcondition]. Thus a section representing a com-
putation is required to be a monotone function, and a section representing a
program is required also to be strict, positively conjunctive and continuous.
This model is, like the relational model, homogeneous.
3. In the probabilistic relational model [HSM97, MM05], the base consists of state space X but fibres are sets of sub-distributions (i.e. probability distributions that sum to at most 1 over X) so that

∀x : X · π∼.(|x|) = {f : X → [0, 1] | Σ_X f ≤ 1}.

Divergence from initial x is represented as f.x = 0 so that no virtual state is needed in this model. Sub-distributions are ordered pointwise (i.e. f ≤ g ≙ ∀x : X · f.x ≤ g.x). A section is interpreted as taking an initial state to a demonic choice of sub-distributions. Thus a section s is required, pointwise, to be convex:

f, g ∈ s.(|x|) ∧ p ∈ [0, 1] ⇒ p×f + (1−p)×g ∈ s.(|x|);

≤-upclosed:

f ∈ s.(|x|) ∧ f ≤ g ⇒ g ∈ s.(|x|);

and, if state space X is infinite,² topologically closed: each s.(|x|) is a topologically-closed subset of the product space [0, 1]^#X. This model is not homogeneous (and requires the obvious (Kleisli/linearity) construction to make it so).
4. In the multirelational model [R06], the base consists of state space X and fibres are sets of states: π∼.(|x|) = P.X. A section s is interpreted as relating an initial state to an angelic choice of sets of possible (demonically chosen) final states; it is thus required to be ⊆-upclosed pointwise:

∀x : X · Q ∈ s.(|x|) ∧ Q ⊆ Q′ ⇒ Q′ ∈ s.(|x|).

Under its angelic refinement ordering, this model might be embedded in the previous model, by identifying a subset Q of a finite state space with the characteristic function of Q scaled by the number of states (which results in a uniform demonic choice of final state in Q). A Galois embedding ε is

ε.R.x ≙ {(#X)⁻¹ ξ_Q | x R Q}

where ξ_Q denotes the characteristic function of Q (upclosure is not required on the right-hand side since it follows from that of R).
5. The expectation-transformer model [MM05] is a simple extension of the predicate-transformer model in which predicate transformers are replaced by expectations (i.e. non-negative-real-valued functions on state space) with the lifted ordering. (A predicate, like a pre- or post-condition, may be viewed as a {0, 1}-valued expectation.) Thus base and fibres consist of expectations over X, so that π∼.(|x|) = X → ℝ≥0. A section s is interpreted as taking a post-expectation (i.e. a state-dependent expected profit) to a greatest pre-expectation (i.e. state-dependent least expected profit) and is required to be sublinear: for all expectations f, g and all non-negative reals a, b, c,

(a(s.f) + b(s.g)) ⊖ c ≤ s.((af + bg) ⊖ c)

where x ⊖ y ≙ (x − y) max 0 and c is the constant function λx : X · c.
² If X is finite this property follows automatically; indeed s.(|x|) is then the (closed) convex hull of its (finitely many) extreme points.

6. The quantum model [SZ00] is a simple restriction of the expectation-transformer model in which state space consists of the space of quantum registers over the standard space X of the problem

{χ : X → ℂ | Σ_{x ∈ X} |χ.x|² = 1}.

A section is required to be the result of only unitary state transformations (which in particular maintain the sum-square invariant).
Further examples appear in Sec. 5.1; more may be drawn from the various
computing paradigms, like process algebra, or from particular semantic for-
malisms, like [HH98].

4.3 Morphisms and Refinement


Definition (morphism). We define a morphism of fibre bundles π : E → X and π′ : E′ → X′ to consist of a pair (χ, ε) in which χ is a relation from X to X′ and ε is a relation from E to E′ which together maintain consistency of fibre:

χ : X ↔ X′
ε : E ↔ E′
ε ; π′ ⊆ π ; χ.

By (68) and (69), the fibre-consistency condition is equivalent to

π∼ ; ε ⊆ χ ; π′∼.

Definition (refinement). Given sections s : X ↔ E and s′ : X′ ↔ E′ we define a refinement to be a morphism (χ, ε) of fibre bundles that acts as a simulation

χ ; s′ ⊆ s ; ε. (70)

(The alternative condition, s′ ; ε∼ ⊆ χ∼ ; s, is equivalent to (70) if both χ and ε are injective, which is not often the case.) The advantage of this definition over the standard definitions of simulation [dRE98] is that it permits non-homogeneous semantics of computations, of the kind demonstrated by the previous examples.

4.4 Examples
1. The special case of operational, or algorithmic, refinement in the relational model (in which the state space is unaltered but each result of the concrete computation is a result of the abstract) is captured by taking X′ = X, E′ = E, χ = id.X and ε = id.E so that inclusion (70) becomes:

s′ ⊆ s.

The same holds in the probabilistic relational model. In the predicate-transformer model the rôles of s and s′ are reversed (so that at each postcondition the refining computation has weaker precondition).

2. The important case of data refinement in the relational model, by a downwards simulation relation between abstract and concrete states, is captured by taking χ : X ↔ X′ to be the simulation and ε : E ↔ E′ its fibre-wise lifting: ε ≙ π ; χ ; π′∼. Then inclusion (70) becomes:

χ ; s′ ⊆ s ; π ; χ ; π′∼ or χ ; s′ ; π′ ⊆ s ; π ; χ

as expected.

5 Computations Fibrewise
Reasoning about computations is by tradition a curious blend of algebraic rea-
soning (using refinement laws) and semantic reasoning (using validity in a se-
mantic model). In this section we promote to the level of algebra the kind of
semantic reasoning that enables a computation to be investigated initial-state
by initial-state or, as we shall say, fibre-wise.
We introduce another interpretation of fibre bundles as computations, focus-
ing on the fibre as a collection of computations rather than a set of final states
(the view of Sec. 4.2). It is this interpretation that we use in the remainder of
the paper.

5.1 Computation Fibres


Motivated by that diversion into fibre bundles we now consider a computation
A, an initial state x0 and define the fibre [co-fibre] of A at x0 to be the compu-
tation that is magic [aborts] off x0 , where it behaves like A. In other words the
fibre [co-fibre] of A at x0 consists of the coercion [assertion] x = x0 followed by A.

Definition (fibre and co-fibre). For A : gcl.X and E ⊆ X, the fibre of A at E is

A ∗ E ≙ (A ◁ x ∈ E ▷ magic)

and the co-fibre of A at E is

A • E ≙ (A ◁ x ∈ E ▷ abort).

For simplicity, A ∗ {x0} and A • {x0} are written A ∗ x0 and A • x0 respectively. Also, if b is a predicate on state space we abuse notation by writing A ∗ b and A • b for the fibre and co-fibre at the set {x : X | b.x}.

Fibres and co-fibres are distributed by the computation combinators. The proofs
follow directly from the laws of Gcl .

Lemma (fibre distribution). For A, B : Gcl.X, x0, x1 : X and predicate b on X,

magic ∗ x0 = magic (71)
(A ◁ b ▷ B) ∗ x0 = (A ∗ x0) ◁ b ▷ (B ∗ x0) (72)
(A ; B) ∗ x0 = (A ∗ x0) ; B (73)
(A ⊓ B) ∗ x0 = (A ∗ x0) ⊓ (B ∗ x0) (74)
(A ⊔ B) ∗ x0 = (A ∗ x0) ⊔ (B ∗ x0) (75)
(A ∗ x0) ∗ x1 = (A ∗ x0) ◁ x0 = x1 ▷ magic (76)
= (A ∗ x1) ∗ x0. (77)

Proof.
Law (71):
magic ∗ x0
= definition of ∗
magic ◁ x = x0 ▷ magic
= Law (18)
magic.

Law (72):
(A ◁ b ▷ B) ∗ x0
= definition of ∗
(A ◁ b ▷ B) ◁ x = x0 ▷ magic
= Laws (17) and (20)
(A ◁ x = x0 ▷ magic) ◁ b ▷ (B ◁ x = x0 ▷ magic)
= definition of ∗
(A ∗ x0) ◁ b ▷ (B ∗ x0).

Law (73):
(A ; B) ∗ x0
= definition of ∗
(A ; B) ◁ x = x0 ▷ magic
= Laws (31) and (21)
(A ◁ x = x0 ▷ magic) ; B
= definition of ∗
(A ∗ x0) ; B.

Law (74):
(A ⊓ B) ∗ x0
= definition of ∗
(A ⊓ B) ◁ x = x0 ▷ magic
= Laws (21), (12) and (31)
(skip ◁ x = x0 ▷ magic) ; (A ⊓ B)
= Law (15)
((skip ◁ x = x0 ▷ magic) ; A) ⊓ ((skip ◁ x = x0 ▷ magic) ; B)
= Laws (21), (12) and (31) again
(A ◁ x = x0 ▷ magic) ⊓ (B ◁ x = x0 ▷ magic)
= definition of ∗
(A ∗ x0) ⊓ (B ∗ x0).

Law (75):
(A ⊔ B) ∗ x0
= definition of ∗
(A ⊔ B) ◁ x = x0 ▷ magic
= Laws (21), (12) and (31)
(skip ◁ x = x0 ▷ magic) ; (A ⊔ B)
= Law (39)
((skip ◁ x = x0 ▷ magic) ; A) ⊔ ((skip ◁ x = x0 ▷ magic) ; B)
= Laws (21), (12) and (31) yet again
(A ◁ x = x0 ▷ magic) ⊔ (B ◁ x = x0 ▷ magic)
= definition of ∗
(A ∗ x0) ⊔ (B ∗ x0).

Law (76):
(A ∗ x0) ∗ x1
= definition of ∗
(A ◁ x = x0 ▷ magic) ◁ x = x1 ▷ magic
= Law (19)
A ◁ x = x0 = x1 ▷ (magic ◁ x = x1 ▷ magic)
= Law (18)
A ◁ x = x0 = x1 ▷ magic
= Law (18)
A ◁ x = x0 = x1 ▷ (magic ◁ x0 = x1 ▷ magic)
= Law (19)
(A ◁ x = x0 ▷ magic) ◁ x0 = x1 ▷ magic
= definition of ∗
(A ∗ x0) ◁ x0 = x1 ▷ magic.

Law (77) is immediate from Law (76). □

The ‘co-fibre distribution’ lemma is proved analogously.

Lemma (co-fibre distribution). For A, B : Gcl.X, x0, x1 : X and predicate b on X,

abort • x0 = abort (78)
(A ◁ b ▷ B) • x0 = (A • x0) ◁ b ▷ (B • x0) (79)
(A ; B) • x0 = (A • x0) ; B (80)
(A ⊓ B) • x0 = (A • x0) ⊓ (B • x0) (81)
(A ⊔ B) • x0 = (A • x0) ⊔ (B • x0) (82)
(A • x0) • x1 = (A • x0) ◁ x0 = x1 ▷ abort (83)
= (A • x1) • x0. (84)

The means for constructing fibres and co-fibres from point fibres and point co-fibres are established similarly:

A ∗ E = ⊓{A ∗ e | e ∈ E} (85)
A • E = ⊔{A • e | e ∈ E}. (86)

In the transformer model with duality available, ‘co-fibre distribution’ follows from ‘fibre distribution’ by duality:

(A ∗ E)* = (A*) • E. (87)

5.2 Fibre Representation

Theorem (fibre representation). A computation is both the demonic choice of its fibres and the angelic choice of its co-fibres: for each A : Gcl.X,

A = ⊓{A ∗ x0 | x0 ∈ X} (88)
= ⊔{A • x0 | x0 ∈ X} (89)

(in spite of the fact that the right-hand side of (89) does not form a directed set).

In particular refinement is decided fibre-wise and co-fibre-wise:

A ⊑ B ≡ ∀x0 : X · A ∗ x0 ⊑ B ∗ x0 (90)
≡ ∀x0 : X · A • x0 ⊑ B • x0. (91)

A powerful property of (singleton) fibres is this. If a predeterministic computation refines the point fibre of a demonic choice then it refines (at least) one of the point fibres: if D is predeterministic then

(A ⊓ B) • x0 ⊑ D ⇒ (A • x0 ⊑ D) ∨ (B • x0 ⊑ D). (92)

Soundness is immediate (in either the relational or transformer model). Property (92) fails for larger fibres and for computations D that are not predeterministic, as simple examples demonstrate.
1. Suppose that x0 and x1 are distinct states. With

A ≙ (x := 0 • x0) ⊔ (x := 1 • x1) and B ≙ (x := 2 • x0) ⊔ (x := 3 • x1)

we find A ⊓ B ⊑ D where D ≙ (x := 0 • x0) ⊔ (x := 3 • x1), although D is predeterministic but refines neither A nor B. Thus the result does not extend to larger fibres.

2. With

A ≙ (x := 0 ⊓ x := 1) • x0 and B ≙ (x := 1 ⊓ x := 2) • x0

we find A ⊓ B ⊑ D where D ≙ (x := 0 ⊓ x := 2), although D refines neither A nor B. Thus the result does not extend to non-predeterministic D.

We also use (in Sec. 6) a special case of property (92): if the demonic choice of two computations at the same fibre aborts, then (at least) one of the fibres aborts.

(A ⊓ B) • x0 = abort ⇒ (A • x0 = abort) ∨ (B • x0 = abort) (93)
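The fibre and co-fibre operations, the representation (88)/(89), the fibre-wise decision of refinement (90)/(91), property (92) and the two counterexamples above can all be run on a finite relational model. The script below is an added example and not the paper's own code. It uses the constructed state space X = {0, 1, 2, 3} so that the four assignments of the first counterexample are distinct, reads ‘predeterministic’ as ‘at each initial state: abort, magic, or a single final state’ (an assumption of the example), checks (88)/(89) on every fifth relation of the enumeration, and checks (90)/(91) on a seeded random sample of pairs. The function names are the example's own.

```python
from functools import reduce
from itertools import combinations, islice, product
import random

BOT = "⊥"                                  # virtual state for divergence (added example)
X = (0, 1, 2, 3)                           # constructed finite state space
X_BOT = X + (BOT,)
TOP_ROW = frozenset(X_BOT)                 # row of an initial state that may abort
SUBSETS = [frozenset(s) for n in range(len(X) + 1) for s in combinations(X, n)]
ROWS = [TOP_ROW] + SUBSETS                 # every healthy row: abort, or a set of proper states

def all_healthy():
    """Every strict, upclosed relation on X⊥, as a dict: initial state -> row of final states."""
    for rows in product(ROWS, repeat=len(X)):
        yield {**dict(zip(X, rows)), BOT: TOP_ROW}

def assign(v):                             # the constant assignment x := v
    return {**{x: frozenset({v}) for x in X}, BOT: TOP_ROW}

def demonic(r, s): return {x: r[x] | s[x] for x in X_BOT}    # A ⊓ B is ∪ (Fig. 7)
def angelic(r, s): return {x: r[x] & s[x] for x in X_BOT}    # A ⊔ B is ∩ (Fig. 7)
def refines(a, b): return all(a[x] >= b[x] for x in X_BOT)   # A ⊑ B is [A]_R ⊇ [B]_R

def fibre(r, E):       # A ∗ E = A ◁ x ∈ E ▷ magic: empty row off E
    return {x: r[x] if (x == BOT or x in E) else frozenset() for x in X_BOT}

def co_fibre(r, E):    # A • E = A ◁ x ∈ E ▷ abort: full row off E
    return {x: r[x] if (x == BOT or x in E) else TOP_ROW for x in X_BOT}

def predeterministic(r):   # assumption: abort, magic, or one final state at every initial state
    return all(r[x] == TOP_ROW or len(r[x]) <= 1 for x in X)

def fibre_representation(stride=5):
    """(88) A = ⊓{A ∗ x0} and (89) A = ⊔{A • x0}, on every stride-th healthy relation."""
    checked = 0
    for r in islice(all_healthy(), 0, None, stride):
        by_fibres = reduce(demonic, (fibre(r, {x0}) for x0 in X))
        by_cofibres = reduce(angelic, (co_fibre(r, {x0}) for x0 in X))
        assert by_fibres == r == by_cofibres
        checked += 1
    return checked

def refinement_fibrewise(n=2000, seed=0):
    """(90) and (91): A ⊑ B iff it holds at every point fibre, iff at every point co-fibre."""
    rng = random.Random(seed)
    rels = [{**{x: rng.choice(ROWS) for x in X}, BOT: TOP_ROW} for _ in range(n)]
    for a, b in zip(rels, reversed(rels)):
        fibrewise = all(refines(fibre(a, {x0}), fibre(b, {x0})) for x0 in X)
        cofibrewise = all(refines(co_fibre(a, {x0}), co_fibre(b, {x0})) for x0 in X)
        assert refines(a, b) == fibrewise == cofibrewise
    return n

def point_cofibre_property():
    """(92) depends only on the rows at x0: a ∪ b ⊇ d ⇒ a ⊇ d ∨ b ⊇ d for predeterministic d."""
    det_rows = [TOP_ROW, frozenset()] + [frozenset({v}) for v in X]
    for a, b, d in product(ROWS, ROWS, det_rows):
        if a | b >= d:
            assert a >= d or b >= d
    return True

def counterexamples():
    """The page's two witnesses; each tuple is (A ⊓ B ⊑ D, D predeterministic, A ⊑ D, B ⊑ D)."""
    x0, x1 = 0, 1
    # 1. a two-point fibre: D is predeterministic yet refines neither A nor B
    A = angelic(co_fibre(assign(0), {x0}), co_fibre(assign(1), {x1}))
    B = angelic(co_fibre(assign(2), {x0}), co_fibre(assign(3), {x1}))
    D = angelic(co_fibre(assign(0), {x0}), co_fibre(assign(3), {x1}))
    larger_fibre = (refines(demonic(A, B), D), predeterministic(D), refines(A, D), refines(B, D))
    # 2. a point co-fibre, but D = x := 0 ⊓ x := 2 is not predeterministic
    A2 = co_fibre(demonic(assign(0), assign(1)), {x0})
    B2 = co_fibre(demonic(assign(1), assign(2)), {x0})
    D2 = demonic(assign(0), assign(2))
    non_predet = (refines(demonic(A2, B2), D2), predeterministic(D2), refines(A2, D2), refines(B2, D2))
    return larger_fibre, non_predet
```

fibre_representation() returns 16705, the number of relations on which (88) and (89) were checked; point_cofibre_property() exhausts every pair of rows against every predeterministic row, which is all that (92) depends on; counterexamples() returns ((True, True, False, False), (True, False, False, False)), matching the two witnesses in the text.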

5.3 Fibre Normal Forms


In the transformer model, the operational angel-versus-demon view of a computation results in a normal form in which any monotone predicate transformer is the sequential composition of an angelic choice (of ‘intermediate postcondition’ which the computation is certain to achieve from its initial state) followed by a demonic choice (of state satisfying that condition); see [BvW98], Theorem 13.10. Since relational computations are embedded by wp as the positively conjunctive predicate transformers, that normal form specialises to relations, loc. cit., Theorem 26.4, to show that any relational computation is the sequential composition of an assertion (with predicate equal to the domain of the relation) followed by a demonic choice (of related state). Thus relational computations are ‘generated’ by assertions, assignments, demonic choice and sequential composition. In our setting, with emphasis on point fibres, the relevant normal form is this (in which X \ E denotes the complement of a set E ⊆ X).

Theorem (fibre normal form). In the relational model any computation is the demonic choice of point fibres, each of which is a demonic choice: for any computation A there is a partial function α : X ⇸ P.X whose domain consists of those states from which A does not diverge and for which

A = ⊓{(x :∈ α.x0) ∗ x0 | x0 ∈ dom.α} ⊓ abort ∗ (X \ dom.α). (94)

Proof. We forego a brief proof in the relational semantics (by explicit construction for an arbitrary healthy relation) because we wish the form to hold in any (relational) computation structure and to use the extra information provided by an algebraic proof by structural induction over computations. In each case the required partial function is defined as follows.

abort: { } (95)
magic: λx : X · { } (96)
x := e: λx : X · {e.x} (97)
A ⊓ B: λx : dom.αA ∩ dom.αB · αA.x ∪ αB.x (98)
A ⊔ B: λx : dom.αA ∪ dom.αB · αA.x ∩ αB.x (99)
A ; B: λx : {x ∈ dom.αA | αA.x ⊆ dom.αB} · {t : X | ∃u : X · u ∈ αA.x ∧ t ∈ αB.u} (100)
□

Observe that α.x0 = { } for those states x0 at which A is unenabled; and if A is a program then the range of α consists of only nonempty finite sets.

The dual of the ‘fibre normal form’ Theorem expresses each computation as the angelic choice of point co-fibres of a demonic assignment; it thus requires both forms of nondeterminism. However it does not require the ‘correction’ term for divergence.

Corollary (co-fibre normal form). In the relational model any computation is the angelic choice of point co-fibres, each of which is a demonic choice:

A = ⊔{(x :∈ α.x0) • x0 | x0 ∈ dom.α}. (101)

Those normal forms refine Laws (10) and (28) and the ‘fibre representation’ Theorem by showing that all computations are ‘generated’ by demonically nondeterministic assignments and either point coercions and demonic choice, or point assertions and angelic choice.

Corollary (basis). The space (Gcl.X, ⊑) of relational computations is ‘generated’ by the set of (total deterministic) assignments, demonic choice and either point coercions, or point assertions and angelic choice.

6 Assertions Algebraically
In view of the importance placed on assertions and coercions by the fibre-wise
approach to computations, the purpose of this section is to characterise them
algebraically. But we wish to use this algebraic characterisation in any relational
computational structure, so we prove it using the relational laws of Gcl .X , since
a semantic proof would apply to just Rel .X . (For an elegant characterisation in
the context of Kleene Algebra see [vW04].)

6.1 An Algebraic Property


We begin by formalising the observation that if ass.b refines a computation B then B aborts off b and so the assertion followed by B equals B:

ass.b ; B = B ◁ b ▷ abort = B.
Theorem (assertions). If A : Gcl.X is an assertion then

∀B : Gcl.X · B ⊑ A ⇒ A ; B = B. (102)

Proof. Suppose that for some predicate b on state space, A ≙ ass.b, and that B : Gcl.X. We begin by proving that if the antecedent of (102) holds then B aborts off b.

B ⊑ A
⇒ Law (81) (as monotonicity of − • b) and definition of A
B • ¬b ⊑ (skip ◁ b ▷ abort) • ¬b
⇒ Laws (79), (19), (16), (17) and (18)
B • ¬b ⊑ abort
⇒ Law (27)
B • ¬b = abort
⇒ Leibniz
(B • b ⊔ B • ¬b) = (B • b ⊔ abort)
⇒ Laws (40) and (27)
B ◁ b ▷ B = B • b
⇒ Law (18) and definition of •
B = B ◁ b ▷ abort.

So we reason

A ; B
= definition of A
(skip ◁ b ▷ abort) ; B
= Law (21)
(skip ; B) ◁ b ▷ (abort ; B)
= Laws (12) and (13)
B ◁ b ▷ abort
= above
B. □

6.2 Algebraic Characterisation


The previous result is interesting because the condition it embodies is strong
enough to characterise assertions algebraically.

Theorem (assertions algebraically). If A : Gcl.X satisfies condition (102) then A is an assertion.

Proof. We define a predicate b on X pointwise: b holds at a point iff computation A skips there:

b.x0 ≙ (A • x0 = skip • x0).

To show that A is the assertion ass.b, however, we must show that if it does not skip at a point then it aborts there:

A • x0 ≠ skip • x0 ⇒ A • x0 = abort. (103)

We use a succession of lemmas each of which inherits the assumptions to date. The first lemma shows that A is always enabled.

Lemma (A). If A : Gcl.X satisfies (102) then

∀x0 : X · A • x0 ≠ magic • x0.

Proof.
true
= Implication (102) with B = abort, by Law (27)
A ; abort = abort
= Laws (91) and (80)
∀x0 : X · (A • x0) ; abort = abort • x0
= Law (78)
∀x0 : X · (A • x0) ; abort = abort
⇒ otherwise contradicts Law (31)
∀x0 : X · A • x0 ≠ magic • x0.
□

The second lemma shows that there is some assignment which refines A at x0.

Lemma (B). If A : Gcl.X satisfies both (102) and the antecedent of implication (103) then

∃x1 : X \ {x0} · A • x0 ⊑ (x := x1) • x0.

Proof. Since A is enabled at x0 (Lemma A) either A aborts from x0 or it terminates, taking some value (perhaps demonically). We write x :∈ E for the demonic choice of x to a member of E ⊆ X (i.e. ⊓{x := e | e ∈ E}). Thus if E is empty it is magic; if E is finite and nonempty it is a program; and if E is infinite it is a computation more general than code. Writing A in co-fibre representation (with the dependence of E on x0 made explicit)

A = ⊔{(x :∈ E(x0)) • x0 | x0 ∈ X},

we infer that the two cases of divergence and termination are, respectively,

A • x0 = abort • x0 or A • x0 = (x :∈ E(x0)) • x0

where, by assumption, { } ≠ E(x0) ≠ {x0}. But in the first case the result holds for any x1 ≠ x0 whilst in the second it holds for any x1 ∈ E(x0) \ {x0}, a choice possible by the antecedent of (103). □

Now we introduce an artifact,

Y ≙ abort ∗ x1 (= abort ◁ x = x1 ▷ magic),

whose use will become apparent in the final step of the proof. For the moment we observe that Y does not abort at x0:

Y • x0 ≠ abort. (104)

That is indeed evident since

Y • x0
= definition of •
Y ◁ x = x0 ▷ abort
= definition of Y
(abort ◁ x = x1 ▷ magic) ◁ x = x0 ▷ abort
= calculus, since x0 ≠ x1 by Lemma B
magic ◁ x = x0 ▷ abort
≠
abort.

What we really want of Y is this:

Lemma (C).

(A • x0) ; (A ⊓ Y) = abort. (105)

Proof. We reason

(A • x0) ; (A ⊓ Y)
⊑ Law (35) (as monotonicity of ; −)
(A • x0) ; Y
⊑ Lemma B and Law (34) (as monotonicity of − ;)
(x := x1) • x0 ; Y
= definition of Y
(x := x1) • x0 ; (abort ◁ x = x1 ▷ magic)
= definition of •, Laws (21), (13), (26), (16) and (27)
abort • x0
= Law (78)
abort,

from which equality follows by Law (27). □
For the final step of the proof we recall that we are trying to establish the consequent of (103). To do so we set B ≙ A ⊓ Y and observe that A ⊓ Y ⊑ A. Hence by (102)

A ; (A ⊓ Y) = A ⊓ Y. (106)

Thus

true
= Lemma C and Law (80)
(A ; (A ⊓ Y)) • x0 = abort
⇒ by (106)
(A ⊓ Y) • x0 = abort
⇒ Law (81)
(A • x0) ⊓ (Y • x0) = abort
⇒ Law (93)
(A • x0) = abort ∨ (Y • x0) = abort
⇒ Law (104)
A • x0 = abort

and so the proof of the theorem is complete. □

6.3 Coercions
The analogous result for coercions is this; we omit the proof, which mimics that above.

Theorem (coercions). Computation C : Gcl.X is a coercion iff

∀B : Gcl.X · C ⊑ B ⇒ C ; B = B. (107)

Note. A proof of the ‘coercions’ Theorem from the ‘assertions’ Theorem is available in the transformer model simply by taking duals, using the ‘transformer duality’ Theorem. It goes like this.

∀B : Gcl.X · C ⊑ B ⇒ C ; B = B
= T semantics and * bijective (‘transformer duality’ Theorem)
∀t : T.X · [C]T ≤ t* ⇒ [C]T ∘ t* = t*
= Laws (42), (43) and (44)
∀t : T.X · t ≤ [C]T* ⇒ [C]T* ∘ t = t
= ‘assertions’ Theorem
∃b : Pr.X · [C]T* = [ass.b]T
= Law (44)
∃b : Pr.X · [C]T = [skip ◁ b ▷ abort]T*
= T semantics and Law (49)
∃b : Pr.X · [C]T = [skip]T* ◁ b ▷ [abort]T*
= T semantics, Laws (45) and (46)
∃b : Pr.X · [C]T = [skip]T ◁ b ▷ [magic]T
= definition of coercion
∃b : Pr.X · [C]T = [coer.b]T.
□

Unfortunately the discussion in Sec. 3.2 shows that a similar proof, using a relational dual in place of *, is not possible in the relational model.
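Condition (102) for assertions and condition (107) for coercions can be checked exhaustively in Rel.X for a small state space. The script below is an added example, not from the paper, over the constructed state space X = {0, 1, 2} (729 healthy relations): it enumerates the relations, implements sequential composition and refinement as in Fig. 7, compares the set of relations satisfying (102) with the set of assertions ass.b, and compares the set satisfying (107) with the set of coercions coer.b. Function names are the example's own.

```python
from itertools import combinations, product

BOT = "⊥"                                  # virtual state for divergence (added example)
X = (0, 1, 2)                              # constructed finite state space
X_BOT = X + (BOT,)
TOP_ROW = frozenset(X_BOT)                 # row of an initial state that may abort
PREDS = [frozenset(s) for n in range(len(X) + 1) for s in combinations(X, n)]   # Pr.X
ROWS = [TOP_ROW] + PREDS                   # every healthy row

def healthy_with(row_ok):
    """Healthy relations (dict: initial state -> row) whose row at each proper x passes row_ok."""
    choices = [[row for row in ROWS if row_ok(x, row)] for x in X]
    for rows in product(*choices):
        yield {**dict(zip(X, rows)), BOT: TOP_ROW}

def all_healthy():
    return healthy_with(lambda x, row: True)

def compose(r, s):
    """[A ; B]_R: x reaches whatever an intermediate y reaches; ⊥ propagates since s[⊥] = X⊥."""
    return {x: frozenset().union(*(s[y] for y in r[x])) for x in X_BOT}

def refines(a, b):                         # A ⊑ B ≙ [A]_R ⊇ [B]_R
    return all(a[x] >= b[x] for x in X_BOT)

def assertion(b):                          # ass.b = skip ◁ b ▷ abort
    return {**{x: frozenset({x}) if x in b else TOP_ROW for x in X}, BOT: TOP_ROW}

def coercion(b):                           # coer.b = skip ◁ b ▷ magic
    return {**{x: frozenset({x}) if x in b else frozenset() for x in X}, BOT: TOP_ROW}

def key(r):                                # hashable form of a relation
    return tuple(r[x] for x in X_BOT)

def satisfies_102(A):
    """∀B · B ⊑ A ⇒ A ; B = B, with B ranging over the relations whose rows include A's."""
    return all(compose(A, B) == B for B in healthy_with(lambda x, row: row >= A[x]))

def satisfies_107(C):
    """∀B · C ⊑ B ⇒ C ; B = B, with B ranging over the relations whose rows lie inside C's."""
    return all(compose(C, B) == B for B in healthy_with(lambda x, row: row <= C[x]))

def characterise():
    """Compare the solution sets of (102) and (107) with the assertions and coercions."""
    assertions = {key(assertion(b)) for b in PREDS}
    coercions = {key(coercion(b)) for b in PREDS}
    found_102 = {key(A) for A in all_healthy() if satisfies_102(A)}
    found_107 = {key(C) for C in all_healthy() if satisfies_107(C)}
    # (x := 0 ⊓ x := 1) ∗ 0: two final states at 0, magic elsewhere; not a coercion
    fibre_of_choice = key({0: frozenset({0, 1}), 1: frozenset(), 2: frozenset(), BOT: TOP_ROW})
    return (found_102 == assertions,
            coercions <= found_107,
            fibre_of_choice in found_107 - coercions,
            len(found_107 - coercions))
```

characterise() returns (True, True, True, n). The first entry confirms the ‘assertions algebraically’ Theorem on this state space: exactly the eight assertions satisfy (102). The second confirms that every coercion satisfies (107). The third shows that the converse half of the ‘coercions’ Theorem does not carry over to Rel.X by the mirror-image argument: the point fibre (x := 0 ⊓ x := 1) ∗ 0, with two final states at 0 and magic elsewhere, also satisfies (107), because every B with C ⊑ B is magic off 0 and so C ; B = B whatever C's second final state is. The dual of (93) that such a proof would need, (A ⊔ B) ∗ x0 = magic ⇒ (A ∗ x0 = magic) ∨ (B ∗ x0 = magic), fails for ∩ (two distinct singleton rows intersect to the empty set), which is the same relational obstacle to duality noted above; n counts the extra solutions.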

7 Representing Computation Structures


The purpose of this section is to prove that a structure satisfying the relational
laws of Gcl .X is actually isomorphic to the space of relational computations over
X , and similarly for the program substructure gcl .X and relational programs.
But first we need the appropriate notion of isomorphism.

7.1 Morphisms of Computation Structures


Definition (computation morphism). If X and X′ are (relational) computation structures (i.e. models of (relational) computation space Gcl.X) then a function T from the ‘programs’ of X to those of X′ is a computation morphism iff it preserves sequential compositions, infima and suprema:

T.(A ; B) = (T.A) ; (T.B) (108)
T.∧A = ∧ T.(|A|) (109)
T.∨A = ∨ T.(|A|). (110)

Function T is a program morphism iff it preserves sequential compositions and finite nonempty infima. A computation [resp. program] isomorphism is a bijective computation [resp. program] morphism.

Recall that the Galois embedding wp is not (∩, ∨)-junctive (Law (59)) and so wp does not preserve angelic choice (suprema). Indeed, in view of Fig. 1, the relational and transformer models of computation are not isomorphic.

Evaluation of the trivial cases shows:

Lemma (morphed structures). A program morphism preserves the identity for sequential composition (T.1 = 1) and is monotone (A ≤ B ⇒ T.A ≤ T.B), and a computation morphism also preserves minimum, maximum and atomic elements (T.⊤ = ⊤ and T.⊥ = ⊥) and is isotone (A ≤ B ⇔ T.A ≤ T.B).

It is vital that the definition of isomorphism, although it focuses on only sequential composition and order, preserves also assertions and coercions as a result. For by the ‘basis’ Corollary, preservation of other computations follows.

Lemma (morphed assertions). A program isomorphism preserves assertions, point assertions, coercions and point coercions.

Proof. Suppose that T : X → X′ is an isomorphism, where X and X′ are as above. Since the proof of the ‘assertions algebraically’ Theorem used only properties of relational computation structures, we use it to reason:

a is an assertion in X
= ‘assertions algebraically’ Theorem
∀y : X · y ≤ a ⇒ a ; y = y
⇒ ‘morphed structures’ Lemma
∀y : X · T.y ≤ T.a ⇒ T.a ; T.y = T.y
= T bijective
∀y : X′ · y ≤ T.a ⇒ T.a ; y = y
= ‘assertions algebraically’ Theorem
T.a is an assertion in X′.

Preservation of point assertions now follows (by the ‘morphed structures’ Lemma) since an assertion is a point assertion iff it is atomic, by the ‘assertions’ Lemma. The proof for coercions is similar. □

7.2 Representing Computation Structures


As an axiom system, Gcl has models of each infinite cardinality, one for each
choice of state space. Thus there are computation structures which are not iso-
morphic. Considering first models with a given state space X , we have:

Theorem (computation representation). Any (relational) computation structure with state space X is isomorphic to Rel.X.

Proof. Suppose that the computation structure is R.X and define a putative isomorphism T fibrewise:

T : R.X → Rel.X
T.A.(| x0 |) ≙ {y : X | A • x0 ⊑ x := y},

provided A • x0 ≠ abort; if A • x0 = abort then T.A.(| x0 |) = X⊥. (Observe that if the defining set is empty, for example because A is not enabled at x0, then T.A is not enabled at x0.) We must show that T is a bijective computation morphism. The definition has two cases, depending on abortion or not. Verification of the former case is routine; we focus on the latter.
Firstly T is injective, since
T .A = T .B
= relational calculus
∀ x0 : X · T .A.(| x0 |) = T .B .(| x0 |)
=   definition of T
∀ x0, y : X · A • x0 ⊑ x := y ⇔ B • x0 ⊑ x := y
=   definition of co-fibre and Law (28)
∀ x0 : X · A • x0 = B • x0
=   Law (91)
A = B.

Secondly T is surjective, since if R : Rel.X with R.(| x0 |) = Y_x0 for some x0-dependent Y_x0 ⊆ X⊥, then defining A : R.X fibrewise by

∀ x0 : X · A • x0 ≙ (x :∈ Y_x0) • x0,

we find by definition that T.A = R.


Thirdly T preserves sequential composition, since

T.(A ⨟ B).(| x0 |)
=   definition of T
{y : X | (A ⨟ B) • x0 ⊑ x := y}
=   Law (73)
{y : X | (A • x0) ⨟ B ⊑ x := y}
=   hypothesis, ‘co-fibre normal form’ Corollary and (100)
T.B.(| {y : X | A • x0 ⊑ x := y} |)
=   definition of T
T.B.(| T.A.(| x0 |) |)
=   relational calculus
((T.A) ⨟ (T.B)).(| x0 |).

Fourthly T preserves demonic nondeterminism, since

T.(A ⊓ B).(| x0 |)
=   definition of T
{y : X | (A ⊓ B) • x0 ⊑ x := y}
=   Law (92)
{y : X | (A • x0 ⊑ x := y) ∨ (B • x0 ⊑ x := y)}
=   set theory
{y : X | A • x0 ⊑ x := y} ∪ {y : X | B • x0 ⊑ x := y}
=   definition of T
(T.A • x0) ⊓ (T.B • x0)
=   Law (81)
(T.A ⊓ T.B) • x0.

Finally T preserves angelic nondeterminism, since

T.(A ⊔ B).(| x0 |)
=   definition of T
{y : X | (A ⊔ B) • x0 ⊑ x := y}
=   Law (82)
{y : X | (A • x0) ⊔ (B • x0) ⊑ x := y}
=   definition of supremum
{y : X | (A • x0 ⊑ x := y) ∧ (B • x0 ⊑ x := y)}
=   set theory
{y : X | A • x0 ⊑ x := y} ∩ {y : X | B • x0 ⊑ x := y}
=   semantics, Fig. 7
(T.A ⊔ T.B).(| x0 |).   □

Corollary (program representation). Any (relational) program structure with state space X is isomorphic to rel.X.

Considering next models with different state spaces, we have:

Theorem (state-space representation). Two models of (relational) computations with possibly different state spaces are isomorphic iff there is a bijection between their state spaces.

Proof. The proof establishes a bijective correspondence between isomorphisms T : R.X → S.Y and bijections t : X → Y. For the forward direction, given T we define a relation t : X ↔ Y by

x0 t y0 ≙ T.(ass.x0) = ass.y0.   (111)

Relation t is well defined because, by the ‘morphed assertions’ Lemma, T preserves point assertions. It is surjective by similar reasoning and the fact that T is surjective. It is readily shown to be a function (because if two point assertions are equal then their points coincide) and injective (because T is injective).
Conversely, given a bijection t : X → Y, define T from R.X to S.Y firstly on assertions by (111), then to preserve ⊓ and ⊔, and finally on assignments by

T.(x := e) ≙ y := t.e

where t maps expressions (recall our assignments are total and deterministic) over X to expressions over Y by ‘translation’ (or trivial simulation):

t.e.y ≙ t.(| e.(t∼.y) |).

Thus T.(x :∈ E) = y :∈ t.(| E |) and in co-fibre normal form we find

T.({(x :∈ α.x0) • x0 | x0 ∈ dom.α}) = {(y :∈ t.α.y0) • y0 | y0 ∈ dom.(t.α)}

wherein t acts on fibre-form functions α as it does on expressions.


Then T is well defined and injective by existence and uniqueness of co-fibre normal form. It is surjective since if

B = {(y :∈ t.β.y0) • y0 | y0 ∈ dom.β}

then by the definition of T we find

T.({(x :∈ α.x0) • x0 | x0 ∈ dom.α}) = B.

Finally, since T preserves ⊓ and ⊔ by definition, it remains to show that it preserves ⨟. But that follows from a routine calculation using (100).   □

8 Conclusion

By taking the slightly unusual view that computations are sections of fibre bundles we have emphasised the fibre-wise nature of a computation. That has enabled us to treat assignment initial-state-by-initial-state and to use powerful refinement laws like Law (92) that fail more generally. The result has been the fibre normal form for a (relational) computation and the isomorphism of any (relational) computation structure with the binary-relation model of computation.
Although that isomorphism is based on the order and sequential composition
combinators of the structure, by characterising assertions and coercions in those
terms we have shown that the isomorphism also preserves them, and hence by
the ‘fibre normal form’ Theorem truly is an isomorphism of computations. The
laws of (relational) computation are categorical to within cardinality of state
space.
Further work consists of capturing the transformer model similarly and of
clarifying the extent to which, as remarked only in passing here, the transformer
dual may be lifted to relations via the Galois connection between relations and
transformers. It would also be of some interest to pursue the bundle approach
to refinement, particularly in the non-homogeneous setting.

Acknowledgements

The author is grateful to the organisers of RelMiCS 2006 for the opportunity
to explore, in this paper, the fibre-wise approach to computation and, at the
conference, its connections with other approaches. He is grateful to Georg Struth
and Renate Schmidt for super-editorial corrections and clarifications and for
bringing to his attention several references.
This exposition has benefitted from drafts of joint work with Annabelle McIver
and Carroll Morgan on the application of Galois connections to the study of
various relational and transformer models of computation. Some of the work re-
ported here, and some results mentioned in passing, have been supported by the
University of Stellenbosch and the South African National Research Foundation
under the auspices of Ingrid Rewitzky.

An Axiomatization of Arrays for
Kleene Algebra with Tests

Kamal Aboul-Hosn
Department of Computer Science, Cornell University, Ithaca, NY 14853-7501, USA
[email protected]

Abstract. The formal analysis of programs with arrays is a notoriously difficult problem due largely to aliasing considerations. In this paper we augment the rules of Kleene algebra with tests (KAT) with rules for the equational manipulation of arrays in the style of schematic KAT. These rules capture and make explicit the essence of subscript aliasing, where two array accesses can be to the same element. We prove the soundness of our rules, as well as illustrate their usefulness with several examples, including a complete proof of the correctness of heapsort.

1 Introduction

Much work has been done in reasoning about programs with arrays. Arrays re-
quire more complex modeling than regular variables because of issues of subscript
aliasing, where two array accesses can be to the same element, for example, A(x)
and A(y) when x = y. Proving equivalence of programs with arrays often in-
volves intricate read/write arguments based on program semantics or complex
program transformations.
Reasoning about arrays dates back to seminal work of More [1] and Downey
and Sethi [2]. Much research has also been based on early work by McCarthy on
an extensional theory of arrays based on read/write operators [3]. A standard
approach is to treat an array as a single variable that maps indices to values
[4,5,6]. When an array entry is updated, say A(i) := s, a subsequent access A(j)
is treated as the program if (i = j) then s else A(j). Several other approaches
of this nature are summarized in [7], where Bornat presents Hoare Logic rules
for reasoning about programs with aliasing considerations.
More recently, there have been many attempts to find good theories of ar-
rays in an effort to provide methods for the formal verification of programs
with arrays. Recent work, including that of Stump et al. [8], focuses on deci-
sion procedures and NP-completeness outside the context of any formal system.
Additionally, the theorem prover HOL has an applicable theory for finite maps
[9].
R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 63–77, 2006.
© Springer-Verlag Berlin Heidelberg 2006

In this paper we augment the rules of Kleene algebra with tests (KAT) with rules for the equational manipulation of arrays in the style of KAT. Introduced in [10], KAT is an equational system for program verification that combines Kleene algebra (KA), the algebra of regular expressions, with Boolean algebra.
KAT has been applied successfully in various low-level verification tasks involv-
ing communication protocols, basic safety analysis, source-to-source program
transformation, concurrency control, compiler optimization, and dataflow analy-
sis [10,11,12,13,14,15,16]. This system subsumes Hoare logic and is deductively
complete for partial correctness over relational models [17].
Schematic KAT (SKAT), introduced in [11], is a specialization of KAT involving
an augmented syntax to handle first-order constructs and restricted semantic
actions. Rules for array manipulation in the context of SKAT were given in [12],
but these rules were (admittedly) severely restricted; for instance, no nesting of
array references in expressions was allowed. The paper [12] attempted to provide
only enough structure to handle the application at hand, with no attempt to
develop a more generally applicable system.
We extend the rules of [12] in two significant ways: (i) we provide commuta-
tivity and composition rules for sequences of array assignments; and (ii) we allow
nested array references; that is, array references that can appear as subexpres-
sions of array indices on both the left- and right-hand sides of assignments. The
rules are schematic in the sense that they hold independent of the first-order
interpretation.
In Section 2, we provide a brief introduction to KAT and SKAT. In Section 3,
we give a set of rules for the equational manipulation of such expressions and
illustrate their use with several interesting examples. These rules capture and
make explicit the essence of subscript aliasing. Our main results are (i) a sound-
ness theorem that generalizes the soundness theorem of [12] to this extended
system; and (ii) a proof of the correctness of heapsort, presented in Section 5.

2 Preliminary Definitions
2.1 Kleene Algebra with Tests
Kleene algebra (KA) is the algebra of regular expressions [18,19]. The axiomatization used here is from [20]. A Kleene algebra is an algebraic structure (K, +, ·, ∗, 0, 1) that satisfies the following axioms:

(p + q) + r = p + (q + r)   (1)
(pq)r = p(qr)   (2)
p + q = q + p   (3)
p1 = 1p = p   (4)
p + 0 = p + p = p   (5)
0p = p0 = 0   (6)
p(q + r) = pq + pr   (7)
(p + q)r = pr + qr   (8)
1 + pp∗ ≤ p∗   (9)
q + pr ≤ r → p∗q ≤ r   (10)
1 + p∗p ≤ p∗   (11)
q + rp ≤ r → qp∗ ≤ r   (12)

This is a universal Horn axiomatization. Axioms (1)–(8) say that K is an idempotent semiring under +, ·, 0, 1. The adjective idempotent refers to (5). Axioms (9)–(12) say that p∗q is the ≤-least solution to q + px ≤ x and qp∗ is the ≤-least solution to q + xp ≤ x, where ≤ refers to the natural partial order on K defined by p ≤ q ⇔ p + q = q.

Standard models include the family of regular sets over a finite alphabet, the
family of binary relations on a set, and the family of n × n matrices over another
Kleene algebra. Other more unusual interpretations include the min,+ algebra,
also known as the tropical semiring, used in shortest path algorithms, and models
consisting of convex polyhedra used in computational geometry.
A Kleene algebra with tests (KAT) [10] is a Kleene algebra with an embedded Boolean subalgebra. That is, it is a two-sorted structure (K, B, +, ·, ∗, ¬, 0, 1) such that
– (K, +, ·, ∗, 0, 1) is a Kleene algebra,
– (B, +, ·, ¬, 0, 1) is a Boolean algebra, and
– B ⊆ K.
Elements of B are called tests. The Boolean complementation operator ¬ (written as an overbar in the original typesetting) is defined only on tests.
The axioms of Boolean algebra are purely equational. In addition to the Kleene algebra axioms above, tests satisfy the equations

BC = CB   BB = B
B + CD = (B + C)(B + D)   B + 1 = 1
¬(B + C) = ¬B ¬C   ¬(BC) = ¬B + ¬C
B + ¬B = 1   B ¬B = 0
¬¬B = B

2.2 Schematic KAT


Schematic KAT (SKAT) is a specialization of KAT involving an augmented syntax
to handle first-order constructs and restricted semantic actions whose intended
semantics coincides with the semantics of flowchart schemes over a ranked alpha-
bet Σ [11]. Atomic propositions represent assignment operations, x := t, where
x is a variable and t is a Σ-term.
Four identities are paramount in proofs using SKAT:

x := s; y := t = y := t[x/s]; x := s   (y ∉ FV(s))   (13)
x := s; y := t = x := s; y := t[x/s]   (x ∉ FV(s))   (14)
x := s; x := t = x := t[x/s]   (15)
ϕ[x/t]; x := t = x := t; ϕ   (16)

where x and y are distinct variables and FV(s) is the set of free variables occurring in s in (13) and (14). The notation s[x/t] denotes the result of substituting t for all occurrences of x in s. Here ϕ is an atomic first-order formula. When x is not a free variable in t or in ϕ, we get the commutativity conditions

x := s; y := t = y := t; x := s   (y ∉ FV(s), x ∉ FV(t))   (17)
ϕ; x := t = x := t; ϕ   (x ∉ FV(ϕ))   (18)

Additional axioms include:

x := x = 1   (19)
x := s; x = s = x = s[x/s]   (20)
s = t; x := s = s = t; x := t   (21)
Using these axioms, one can also reason about imperative programs by translating them to propositional formulas [21]. One can translate program constructs as follows:

x := s ≡ a
x = s ≡ A
if B then p else q ≡ Bp + ¬B q
while B do p ≡ (Bp)∗ ¬B

where a is an atomic proposition and A is a Boolean test. With this translation, we can use propositional KAT to do most of the reasoning about a program independent of its meaning. We use the first-order axioms only to verify premises we need at the propositional level.

3 Arrays in SKAT

Arrays have special properties that create problems when trying to reason about
program equivalence. The axioms (13)-(21) do not hold without some precondi-
tions. We want to identify the conditions under which we can apply these axioms
to assignments with arrays.
Consider the statement

A(A(2)) := 3; A(4) := A(2)

We would like to use an array-equivalent version of (13) to show that

A(A(2)) := 3; A(4) := A(2) = A(4) := A(2); A(A(2)) := 3 (22)

With simple variables, this sort of equivalence holds. However, in (22), if A(2) =
2, the two sides are not equal. The left-hand side sets both A(2) and A(4) to
3, while the right-hand side sets A(2) to 3 and A(4) to 2. The problem is that
A(2) = A(A(2)).
One solution is to limit array indices to simple expressions that contain no array symbols, the approach taken by Barth and Kozen [12]. Let i and j be expressions containing no array symbols. For an expression e, let e_x, e_y and e_xy denote e[x/A(i)], e[y/A(j)] and e[x/A(i), y/A(j)], respectively. The following axioms hold when expressions s and t contain no array symbols and i ≠ j:

A(i) := s_x; A(j) := t_xy = A(j) := t_y[x/s_x]; A(i) := s_x   (23)
A(i) := s_x; A(j) := t_xy = A(i) := s_x; A(j) := t_y[x/s_x]   (24)
A(i) := s_x; A(i) := t_x = A(i) := t[x/s_x]   (25)
ϕ[y/t_y]; A(j) := t_y = A(j) := t_y; ϕ   (26)

where y ∉ FV(s) in (23) and x ∉ FV(s) in (24).


These rules place some strong limitations on the programs that one can reason about, although these limitations were acceptable in the context of reasoning in Barth and Kozen’s paper. These axioms allow no more than two array references (in most cases, only one) in a sequence of two assignment statements, which eliminates many simple program equivalences such as

A(3) := A(4); A(3) := A(5) = A(3) := A(5)

Our goal is to generalize these rules so we can have more than one array reference
in a sequence of assignments and so we can allow nested array references.
In attempting to adapt (13) to arrays in a general way, we first note that an
array index contains an expression that must be evaluated, which could contain
another array variable. Therefore, we need to perform a substitution in that
subterm as well:

A(i) := s; A(j) := t = A(j[A(i)/s]) := t[A(i)/s]; A(i) := s (27)

This rule poses several questions. First of all, what is meant by t[A(i)/s]? We
want this to mean “replace all occurrences of A(i) by s in the term t.” However,
this statement is somewhat ambiguous in a case such as

t = A(3) + A(2 + 1)

where i is 3. We could either replace A(i) (i) syntactically, only substituting s for
A(3) in t, or (ii) semantically, replacing both A(3) and A(2 + 1). Besides being
undecidable, (ii) is somewhat contrary to the sort of static analysis for which
we use SKAT. Moreover, implementing these sorts of rules in a system such
as KAT-ML [22] could be difficult and costly, requiring the system to perform
evaluation.
However, (i) is unsound. For example,

A(2) := 4; A(3) := A(2) + A(1 + 1) = A(3) := 4 + A(1 + 1); A(2) := 4   (28)

is not true if A(2) ≠ 4 before execution.


Our solution is to identify the preconditions that ensure that this sort of sit-
uation does not occur. The preconditions would appear as tests in the equation
to which the axiom is being applied. While it is true that establishing these
preconditions is as difficult as replacing occurrences of array references semanti-
cally, it is more true to the style of SKAT, separating out reasoning that requires
interpreting expressions in the underlying domain.
Let Arr(e) be the set of all array references (array variable and index) that appear in the term e and let e′ = e[A(i)/s]. We also define

Arrs(e, A, i, s) ≙ Arr(e′) − ((Arr(s) − ((Arr(e) − {A(i)}) ∩ Arr(s))) ∩ Arr(e′))

The appropriate precondition for (27) is

∀k, A(k) ∈ (Arrs(j, A, i, s) ∪ Arrs(t, A, i, s)) ⇒ k ≠ i

The condition looks complex, but what it states is relatively straightforward: any array reference that occurs in j′ or t′ must either not be equal to A(i) or it must have been introduced when the substitution of s for A(i) occurred.
For example, the transformation in (28) would be illegal, because Arrs(A(2)+
A(1 + 1), A, 2, 4) is {A(1 + 1)}, and 1 + 1 = 2. However,
A(2) := A(2) + 1; A(3) := A(2) + 4 = A(3) := A(2) + 1 + 4; A(2) := A(2) + 1
would be legal, since Arrs(A(2) + 4, A, 2, A(2) + 1) is the empty set.
With this and a couple of additional preconditions, we can use the syntactic notion of replacement as we do in all other axioms. The complete set of axioms corresponding to (13)–(16) is:

A(i) := s; A(j) := t = A(j′) := t′; A(i) := s   (29)
  if i ≠ j′,
     ∀k, A(k) ∈ Arr(s) ∪ Arr(i) ⇒ k ≠ j′,
     ∀k, A(k) ∈ Arrs(j) ∪ Arrs(t) ⇒ k ≠ i

A(i) := s; A(j) := t = A(i) := s; A(j′) := t′   (30)
  if ∀k, A(k) ∈ Arr(s) ∪ Arr(i) ⇒ k ≠ i,
     ∀k, A(k) ∈ Arrs(j) ∪ Arrs(t) ⇒ k ≠ i

A(i) := s; A(j) := t = A(j′) := t′   (31)
  if i = j′,
     ∀k, A(k) ∈ Arrs(j) ∪ Arrs(t) ⇒ k ≠ i

ϕ′; A(i) := s = A(i) := s; ϕ   (32)
  if ∀k, A(k) ∈ Arr(ϕ) ⇒ k ≠ i

We also have axioms for the interaction between assignments to array variables and to regular variables.

x := s; A(j) := t = A(j[x/s]) := t[x/s]; x := s   (33)
  if ∀k, A(k) ∈ Arr(s) ⇒ k ≠ j[x/s]

A(i) := s; y := t = y := t′; A(i) := s   (34)
  if y ∉ FV(s) ∪ FV(i),
     ∀k, A(k) ∈ Arrs(t) ⇒ k ≠ i

x := s; A(j) := t = x := s; A(j[x/s]) := t[x/s]   (35)
  if x ∉ FV(s)

A(i) := s; y := t = A(i) := s; y := t′   (36)
  if ∀k, A(k) ∈ Arr(s) ∪ Arr(i) ⇒ k ≠ i,
     ∀k, A(k) ∈ Arrs(t) ⇒ k ≠ i

In contrast to many other treatments of arrays, we prevent aliasing through preconditions instead of using updated arrays for subsequent accesses. In approaches such as those found in [3,6,7], a program A(i) := s; A(j) := t is translated to A(i) := s; [A(i)/s](j) := t, where [A(i)/s] represents the array A with element i assigned the value of s. Additionally, all occurrences of A in j and t must be replaced by [A(i)/s]. The replacement amounts to changing all array accesses A(j) into the program if (i = j) then s else A(j).
Such a translation is not well suited to SKAT, where we want assignment
statements to be atomic propositions. Using the if-then-else construct still re-
quires checking all of the preconditions we have; they are captured in the test for
equality of i and j. However, our precondition approach allows one to test these
conditions only when doing program transformations using the axioms. Array
accesses outside these transformations need not be changed at all. Since consid-
erations of subscript aliasing primarily come up in the context of reasoning about
program equivalence, it makes sense to consider aliasing through preconditions
within that reasoning.
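To make the side conditions of rule (29) and the aliasing failures in (22) and (28) concrete, here is an added example (not code from the paper): a small Python interpreter for straight-line array programs over Tarskian valuations, with syntactic substitution t[A(i)/s], the sets Arr and Arrs, and the three conditions of (29) evaluated as a test on the initial state. The tuple encoding of terms, the single array A modelled as an int-to-int map defaulting to 0, and the random state generator are assumptions of the example, not part of the paper. Running both sides of (29) on random states shows that they differ only on states where the precondition fails.

```python
"""Added example (not from the paper): rule (29) and its side conditions run
on concrete valuations, reproducing the aliasing failures in (22) and (28).
Assumptions: one array A modelled as a map int -> int defaulting to 0,
integer scalar variables, and terms encoded as the tuples described below."""
import random

# Terms: ('c', n) constant, ('v', name) variable, ('A', idx) array reference,
# ('+', a, b) sum.  Assignments: ('A', idx, rhs) is A(idx) := rhs and
# ('v', name, rhs) is name := rhs.  A program is a list of assignments.

def ev(t, var, arr):
    """Value of term t in the valuation (var, arr)."""
    if t[0] == 'c':
        return t[1]
    if t[0] == 'v':
        return var[t[1]]
    if t[0] == 'A':
        return arr.get(ev(t[1], var, arr), 0)
    return ev(t[1], var, arr) + ev(t[2], var, arr)

def run(prog, var, arr):
    """Execute assignments left to right on a copy of the valuation; index
    and right-hand side are both read in the current state."""
    var, arr = dict(var), dict(arr)
    for a in prog:
        if a[0] == 'A':
            arr[ev(a[1], var, arr)] = ev(a[2], var, arr)
        else:
            var[a[1]] = ev(a[2], var, arr)
    return var, arr

def subst(t, ref, s):
    """Syntactic t[ref/s]: replace each subterm equal to ref by s.  Pre-order,
    so references that s itself introduces are not substituted again."""
    if t == ref:
        return s
    if t[0] in ('c', 'v'):
        return t
    if t[0] == 'A':
        return ('A', subst(t[1], ref, s))
    return ('+', subst(t[1], ref, s), subst(t[2], ref, s))

def Arr(t):
    """Set of array references (as subterms) occurring in t."""
    if t[0] in ('c', 'v'):
        return set()
    if t[0] == 'A':
        return {t} | Arr(t[1])
    return Arr(t[1]) | Arr(t[2])

def Arrs(e, ref, s):
    """Arrs(e, A, i, s): references in e' = e[A(i)/s] not introduced by s."""
    return Arr(subst(e, ref, s)) - (Arr(s) - (Arr(e) - {ref}))

def rule29(i, s, j, t):
    """Both sides of (29) and its side conditions as a test on the initial
    valuation: i != j', every A(k) in Arr(s) u Arr(i) has k != j', and every
    A(k) in Arrs(j) u Arrs(t) has k != i."""
    ref = ('A', i)
    j1, t1 = subst(j, ref, s), subst(t, ref, s)
    lhs = [('A', i, s), ('A', j, t)]
    rhs = [('A', j1, t1), ('A', i, s)]

    def pre(var, arr):
        vi, vj1 = ev(i, var, arr), ev(j1, var, arr)
        if vi == vj1:
            return False
        if any(ev(k, var, arr) == vj1 for _, k in Arr(s) | Arr(i)):
            return False
        return not any(ev(k, var, arr) == vi
                       for _, k in Arrs(j, ref, s) | Arrs(t, ref, s))
    return lhs, rhs, pre

def check(lhs, rhs, pre, trials=1000, seed=1):
    """Random initial states over A(0..5): the number of states on which the
    two sides differ, and how many of those satisfy the precondition (which
    must be 0 if the rule is sound)."""
    rng = random.Random(seed)
    differ = unsound = 0
    for _ in range(trials):
        arr = {k: rng.randint(0, 5) for k in range(6)}
        if run(lhs, {}, arr) != run(rhs, {}, arr):
            differ += 1
            unsound += pre({}, arr)
    return differ, unsound

C = lambda n: ('c', n)   # constant
A = lambda t: ('A', t)   # array reference A(t)

# (22): A(A(2)) := 3; A(4) := A(2).  The precondition works out to
# A(2) != 4 and A(2) != 2, the second being exactly the alias noted in the text.
EX22 = rule29(A(C(2)), C(3), C(4), A(C(2)))
# (28): A(2) := 4; A(3) := A(2) + A(1+1).  Arrs gives {A(1+1)} with 1+1 = 2,
# so the precondition never holds: the rewrite is never licensed.
EX28 = rule29(C(2), C(4), C(3), ('+', A(C(2)), A(('+', C(1), C(1)))))
# A(2) := A(2) + 1; A(3) := A(2) + 4.  Arrs is empty; always licensed.
EX_OK = rule29(C(2), ('+', A(C(2)), C(1)), C(3), ('+', A(C(2)), C(4)))
```

check(*EX22) and check(*EX28) report a positive number of separating states and zero states on which the sides differ while the precondition holds; check(*EX_OK) reports no separating states at all. The first count reproduces the counterexamples in the text, the second is the soundness claim of Theorem 1 observed on concrete states.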
These same axioms can be extended to multidimensional arrays. Consider an array B with n indices. Each condition requiring array references to be different in the one-dimensional case must be true in the multidimensional case as well. In order for two accesses of the same array to be different, they must differ on at least one of the indices. Formally, we can state the axiom corresponding to (29) as

B(i1, …, in) := s; B(j1, …, jn) := t = B(j1′, …, jn′) := t′; B(i1, …, in) := s

if (i1, …, in) ≠ (j1′, …, jn′) and:

∀k1, …, kn, B(k1, …, kn) ∈ Arr(s) ∪ ⋃_{a=1}^{n} Arr(ia) ⇒ ∃ℓ. 1 ≤ ℓ ≤ n ∧ jℓ′ ≠ kℓ
∀k1, …, kn, B(k1, …, kn) ∈ ⋃_{a=1}^{n} Arrs(ja) ⇒ ∃ℓ. 1 ≤ ℓ ≤ n ∧ kℓ ≠ iℓ
∀k1, …, kn, B(k1, …, kn) ∈ Arrs(t) ⇒ ∃ℓ. 1 ≤ ℓ ≤ n ∧ kℓ ≠ iℓ

4 Soundness of Axioms
We have proven soundness for all these rules using a technique similar to the one used in [11]. We highlight the technique for the proof in this paper. For a more complete proof, see [23]. We consider interpretations over special Kripke frames called Tarskian, defined with respect to a first-order structure D of signature Σ. States are valuations, assigning values in D to variables, denoted with Greek letters θ and η. For a valuation θ, θ[x/s] is the state that agrees with θ on all variables except possibly x, which takes the value s. An array variable is interpreted as a map D → D, as defined in [12]. We use θ(A(i)) to represent θ(A)(θ(i)).
First, we need to relate substitution in the valuation and substitution in a term. This relation corresponds to the relation between the substitution model of evaluation and the environment model of evaluation. For simple terms, this is easy:

θ(t[x/s]) = θ[x/θ(s)](t)

which was shown in [11]. For arrays, we have the same difficulties of aliasing we have in the definition of our rules. The corresponding lemma for array references requires a precondition:

Lemma 1. θ(t[A(i)/s]) = θ[A(θ(i))/θ(s)](t) if ∀A(k) ∈ Arrs(t, A, i, s), i ≠ k,

where θ[A(i)/s] is the valuation that agrees with θ on all variables except possibly the array variable A, where A(i) now maps to s. The proof is by induction on t.
With this lemma, we can prove the soundness of (29)–(36). We show the proofs for (29)–(32), as (33)–(36) are just special cases of these. For example, for axiom (29), we prove

Theorem 1. A(i) := s; A(j) := t = A(j[A(i)/s]) := t[A(i)/s]; A(i) := s if

i ≠ j′   (37)
∀k, A(k) ∈ Arr(s) ∪ Arr(i) ⇒ k ≠ j[A(i)/s]   (38)
∀k, A(k) ∈ Arrs(j, A, i, s) ∪ Arrs(t, A, i, s) ⇒ k ≠ i   (39)

Proof. We need to show that for any Tarskian frame D,

[A(i) := s; A(j) := t]_D = [A(j[A(i)/s]) := t[A(i)/s]; A(i) := s]_D.

Write θ[A(e)/v] for the valuation that agrees with θ except that cell A(e) holds v. From the left-hand side, with θ′ = θ[A(θ(i))/θ(s)],

[A(i) := s; A(j) := t]_D
= [A(i) := s]_D ∘ [A(j) := t]_D
= {(θ, θ[A(θ(i))/θ(s)]) | θ ∈ Val_D} ∘ {(η, η[A(η(j))/η(t)]) | η ∈ Val_D}
= {(θ, θ′[A(θ′(j))/θ′(t)]) | θ ∈ Val_D}.

Now consider the right-hand side, with θ″ = θ[A(θ(j[A(i)/s]))/θ(t[A(i)/s])]:

[A(j[A(i)/s]) := t[A(i)/s]; A(i) := s]_D
= [A(j[A(i)/s]) := t[A(i)/s]]_D ∘ [A(i) := s]_D
= {(θ, θ[A(θ(j[A(i)/s]))/θ(t[A(i)/s])]) | θ ∈ Val_D} ∘ {(η, η[A(η(i))/η(s)]) | η ∈ Val_D}
= {(θ, θ″[A(θ″(i))/θ″(s)]) | θ ∈ Val_D}.

Therefore, it suffices to show that for all θ ∈ Val_D,

θ′[A(θ′(j))/θ′(t)] = θ″[A(θ″(i))/θ″(s)].

We start with the right-hand side:

θ″[A(θ″(i))/θ″(s)]
= θ″[A(θ(i))/θ(s)]   by (38): no reference in i or s names the cell updated in θ″
= θ[A(θ(i))/θ(s)][A(θ(j[A(i)/s]))/θ(t[A(i)/s])]   by (37): the two cells are distinct, so the updates commute
= θ′[A(θ′(j))/θ′(t)]   by Lemma 1 and (39).   □

The proofs for the remaining rules are similar.


With these new axioms, we can prove programs equivalent that contain arrays. In all examples, fragments of the statements that changed from one step to the next are in bold.
The following two programs for swapping array variables are equivalent, assuming that the domain of computation is the integers, x ≠ y, and ⊕ is the bitwise xor operator:

Left:   t := A(y); A(y) := A(x); A(x) := t; t := 0
Right:  A(x) := A(x) ⊕ A(y); A(y) := A(x) ⊕ A(y); A(x) := A(x) ⊕ A(y); t := 0

The program on the left uses a temporary variable to perform the swap while
the program on the right uses properties of xor and the domain of computation
to swap without a temporary variable. We set the variable t to 0 so that the two
programs end in the same state, though we could set t to any value at the end.
By (15), we know that the right-hand side is equivalent to

A(x) := A(x) ⊕ A(y); A(y) := A(x) ⊕ A(y); A(x) := A(x) ⊕ A(y); t := A(x); t := 0

By (34), this is equivalent to

A(x) := A(x) ⊕ A(y); A(y) := A(x) ⊕ A(y); t := A(x) ⊕ A(y); A(x) := A(x) ⊕ A(y); t := 0

We then use (35) to show that this is equal to

A(x) := A(x) ⊕ A(y); A(y) := A(x) ⊕ A(y); t := A(x) ⊕ A(y); A(x) := t; t := 0

Using (34) and (35), this is equivalent to

A(x) := A(x) ⊕ A(y); t := A(y); A(y) := A(x) ⊕ t; A(x) := t; t := 0

By (33), this is equivalent to

t := A(y); A(x) := A(x) ⊕ t; A(y) := A(x) ⊕ t; A(x) := t; t := 0

By (29), where we need the condition that x ≠ y, commutativity of xor, and the fact that x ⊕ x ⊕ y = y, this is equal to

t := A(y); A(y) := A(x); A(x) := A(x) ⊕ t; A(x) := t; t := 0

Finally, by (31), we end up with the left-hand side,

t := A(y); A(y) := A(x); A(x) := t; t := 0

5 Proving Heapsort Correct

We can prove heapsort on an array correct using these new axioms and the axioms
of SKAT to get some basic assumptions so that we can reason at the propositional
level of KAT. The proof is completely formal, relying only on the axioms of KAT
and some basic facts of number theory. Most proofs of this algorithm are somewhat
informal, appealing to a general examination of the code. An exception is a formal
proof of heapsort’s correctness in Coq [24]. In this section, we provide an outline
of the major steps of the proof. For the proof in its entirety, see [23].
We adapt the algorithm given in [25, Ch. 7]. Consider the function heapify(A,i), which alters the array A such that the tree rooted at index i obeys the heap property: for every node i other than the root,

A(par(i)) ≥ A(i)

where par(i) = ⌊i/2⌋. We have the following property for these operators

i ≥ 1 ⇒ (i = par(j) ⇒ rt(i) = j ∨ lt(i) = j)   (40)

which states that a node is a child of its parent, where

lt(i) = 2i
rt(i) = 2i + 1

The code for the function is as follows, where the letters to the left represent
the names given to the assignments and tests at the propositional level of KAT:

heapify(A,root)
{
a: i := root;
B: while(i != size(A) + 1)
{
b: l := lt(i);
c: r := rt(i);
C: if(l <= size(A) && A(l) > A(i))
d: lgst := l
else
e: lgst := i
D: if(r <= size(A) && A(r) > A(lgst))
f: lgst := r
E: if(lgst != i)
{
g: swap(A,i,lgst);
h: i := lgst
}
else
j: i := size(A) + 1
}
}
where
swap(A,i,j)
{
t := A[i];
A[i] := A[j];
A[j] := t
}
The variable size(A) denotes the size of the heap rooted at A(1) while length(A) is the size of the entire array.
We wish to prove that the heapify function does in fact create the heap property for the tree rooted at index root. First, we express the property that the tree rooted at r is a heap, except for the trees under node i and greater:

H_{A,r,i} ≙ 1 ≤ r < i ⇒ (lt(r) ≤ size(A) ⇒ (A(r) ≥ A(lt(r)) ∧ H_{A,lt(r),i})) ∧ (rt(r) ≤ size(A) ⇒ (A(r) ≥ A(rt(r)) ∧ H_{A,rt(r),i}))

Now, we can easily define what it means to be a heap rooted at node r:

H_{A,r} ≙ H_{A,r,size(A)}

We also define the test

P_{A,r,i} ≙ i ≥ 1 ⇒ (lt(i) ≤ size(A) ⇒ A(par(i)) ≥ A(lt(i))) ∧ (rt(i) ≤ size(A) ⇒ A(par(i)) ≥ A(rt(i)))

We wish to prove that

root ≥ 1; HA,lt(root) ; HA,rt(root); heapify (A, root ) = heapify (A, root); HA,root

First, we need a couple of lemmas. We show that swapping two values in


an array reverses the relationship between them and that swapping two values
maintains the heap property.
The majority of the proof is spent showing the loop invariant of the while
loop in the heapify function.
Lemma 2.

(i ≥ 1); PA,root,i; HA,root,i; HA,lt(i); HA,rt(i); (B; b; c; (C; d + C̄; e)(D; f + D̄)(E; g; h + Ē; j))∗
= (B; b; c; (C; d + C̄; e)(D; f + D̄)(E; g; h + Ē; j))∗; (i ≥ 1); PA,root,i; HA,root,i; HA,lt(i); HA,rt(i)

Proof. The proof proceeds by commuting our invariants through the program and citing distributivity and congruence. □
Now, we can prove the original theorem.
Theorem 2.

(root ≥ 1); HA,lt(root); HA,rt(root); heapify(A, root) = heapify(A, root); HA,root

Proof. The proof proceeds by commuting the tests through the heapify function. □
Now that we have properties for the heapify function, we can show that the
function build-heap(A), which creates a heap from the array A, works correctly.
The program is
build-heap(A)
{
a: size(A) := length(A);
b: root := floor(size(A)/2);
B: while(root >= 1)
{
c: heapify(A,root);
d: root := root - 1
}
}
We show that the invariant of the loop (B; c; d)∗ is ∀j > root, HA,j . It suffices
to show that it is true for one iteration of the loop, i.e.
Lemma 3.

(∀j > root, HA,j ); B; c; d = B; c; d; (∀j > root, HA,j )



Proof. We define a predicate to represent the ancestor relationship:

ch(i, j) ⇔ i = par(j) ∨ ch(i, par(j))

We then define our other properties in terms of this one and use Theorem 2, Boolean algebra rules, and (16) to prove the lemma. □

Now we need to show

Theorem 3.

a; b; (B; c; d)∗; B̄ = a; b; (B; c; d)∗; B̄; HA,1

Proof. We use the definition of HA,root and reflexivity. □

Finally, we can prove that the function heapsort works. The function is defined
as:
heapsort(A)
{
a: build-heap(A);
B: while(size(A) != 1)
{
b: swap(A,1,size(A));
c: size(A) := size(A) - 1;
d: heapify(A,1);
}
}

Theorem 4.

heapsort(A) = heapsort(A); (∀j, k, 1 ≤ j < k ≤ length(A) ⇒ A(j) ≤ A(k))

Proof. To prove this, we prove that the invariant of the loop is

(size(A) ≤ length(A) ⇒ A(size(A) + 1) ≥ A(size(A))); (∀j, k, size(A) < j < k ≤ length(A) ⇒ A(k) ≥ A(j)); HA,1

We use commutativity and Theorem 2. □

Therefore, we know that the heapsort function sorts an array A.
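As an added example (not code from the paper), the three programs above rendered in Python with the predicates HA,r,i, HA,r and PA,r,i evaluated at run time, so that the invariants of Lemma 2, Lemma 3 and Theorem 4 can be exercised on sample arrays. It assumes a 1-indexed A with A[0] unused, lt(i) = 2i, rt(i) = 2i + 1, par(i) = i // 2, and size(A) tracked separately from length(A); the names Heap, lemma2_invariant and theorem4_invariant are this example's own.

```python
class Heap:
    """Array A plus the separate heap size of the text: size(A) <= length(A)."""

    def __init__(self, values):
        self.A = [None] + list(values)   # A(1..length(A)); A[0] is unused padding
        self.size = len(values)          # size(A); the whole array to begin with

    def length(self):
        return len(self.A) - 1

    def swap(self, i, j):                # swap(A, i, j) from the text
        self.A[i], self.A[j] = self.A[j], self.A[i]


def lt(i): return 2 * i
def rt(i): return 2 * i + 1
def par(i): return i // 2


def H(h, r, i):
    """H_{A,r,i}: the tree at r is a heap, except for nodes i and greater."""
    if not (1 <= r < i):
        return True
    for c in (lt(r), rt(r)):
        if c <= h.size and not (h.A[r] >= h.A[c] and H(h, c, i)):
            return False
    return True


def is_heap(h, r):
    """H_{A,r}, defined in the text as H_{A,r,size(A)}."""
    return H(h, r, h.size)


def P(h, i):
    """P_{A,r,i}: A(par(i)) dominates both children of i. Assumption: par(1) = 0
    is outside the array, so P is taken to be true at i = 1."""
    if i < 1 or par(i) < 1:
        return True
    return all(h.A[par(i)] >= h.A[c] for c in (lt(i), rt(i)) if c <= h.size)


def lemma2_invariant(h, root, i):
    """(i >= 1); P_{A,root,i}; H_{A,root,i}; H_{A,lt(i)}; H_{A,rt(i)}."""
    return (i >= 1 and P(h, i) and H(h, root, i)
            and is_heap(h, lt(i)) and is_heap(h, rt(i)))


def heapify(h, root):
    """heapify(A, root) from the text; every iteration checks that the Lemma 2
    invariant is preserved (if it holds before the body, it holds after)."""
    i = root
    while i != h.size + 1:
        before = lemma2_invariant(h, root, i)
        l, r = lt(i), rt(i)
        lgst = l if (l <= h.size and h.A[l] > h.A[i]) else i
        if r <= h.size and h.A[r] > h.A[lgst]:
            lgst = r
        if lgst != i:
            h.swap(i, lgst)
            i = lgst
        else:
            i = h.size + 1
        assert not before or lemma2_invariant(h, root, i), "Lemma 2 invariant broken"


def build_heap(h):
    """build-heap(A) from the text, checking the Lemma 3 invariant after each
    iteration: every index j > root roots a heap."""
    h.size = h.length()
    root = h.size // 2                   # floor(size(A)/2)
    while root >= 1:
        heapify(h, root)
        root -= 1
        assert all(is_heap(h, j) for j in range(root + 1, h.size + 1)), "Lemma 3"
    assert is_heap(h, 1), "Theorem 3: H_{A,1} holds after build-heap"


def theorem4_invariant(h):
    """(size(A) < length(A) => A(size(A)+1) >= A(size(A))); the suffix above size(A)
    is sorted; H_{A,1}. The text writes <=; < is assumed since A(length(A)+1) is absent."""
    A, s, n = h.A, h.size, h.length()
    boundary = s >= n or A[s + 1] >= A[s]
    suffix = all(A[k] >= A[j] for j in range(s + 1, n + 1) for k in range(j + 1, n + 1))
    return boundary and suffix and is_heap(h, 1)


def heapsort(h):
    """heapsort(A) from the text; needs a non-empty array, since the loop test
    size(A) != 1 never fails on an empty one. Returns A(1), ..., A(length(A))."""
    build_heap(h)
    while h.size != 1:
        h.swap(1, h.size)
        h.size -= 1
        heapify(h, 1)
        assert theorem4_invariant(h), "Theorem 4 invariant broken"
    return h.A[1:]
```

The assertions inside heapify only check preservation (invariant before the body implies invariant after it), which is what Lemma 2 claims; on a run that starts from the preconditions of Theorem 2 they never fire.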

6 Conclusions and Future Work


We have presented an axiomatization of arrays for use with KAT. Through the
use of preconditions, we are able to capture the essence of aliasing considerations
and consider them only where they are needed: when reasoning about program
transformation. The axiomatization presented here applies to arrays. However,
we believe it could be extended to pointers, since pointer analysis suffers from

many of the same complications with aliasing as arrays. Providing a framework such as KAT for reasoning about pointers could be very valuable.
We would also like to implement these axioms in KAT-ML [26]. These extensions would be helpful in proving and verifying properties about everyday programs in an easily-transferable way. Arrays being so ubiquitous in programming today makes such an extension necessary to make the system useful. Inevitably, KAT and its implementation KAT-ML could provide an apparatus for verifying properties of programs written in a variety of languages.

Acknowledgments
This work was supported in part by NSF grant CCR-0105586 and ONR Grant
N00014-01-1-0968. The views and conclusions contained herein are those of the
authors and should not be interpreted as necessarily representing the official
policies or endorsements, either expressed or implied, of these organizations or
the US Government.

References
1. More, T.: Axioms and theorems for a theory of arrays. IBM J. Res. Dev. 17(2)
(1973) 135–175
2. Downey, P.J., Sethi, R.: Assignment commands with array references. J. ACM
25(4) (1978) 652–666
3. McCarthy, J.: Towards a mathematical science of computation. In: IFIP Congress.
(1962) 21–28
4. McCarthy, J., Painter, J.: Correctness of a compiler for arithmetic expressions.
In Schwartz, J.T., ed.: Proceedings Symposium in Applied Mathematics, Vol. 19,
Mathematical Aspects of Computer Science. American Mathematical Society,
Providence, RI (1967) 33–41
5. Hoare, C.A.R., Wirth, N.: An axiomatic definition of the programming language
PASCAL. Acta Informatica 2(4) (1973) 335–355
6. Power, A.J., Shkaravska, O.: From comodels to coalgebras: State and arrays. Electr.
Notes Theor. Comput. Sci. 106 (2004) 297–314
7. Bornat, R.: Proving pointer programs in Hoare logic. In: MPC ’00: Proceedings
of the 5th International Conference on Mathematics of Program Construction,
London, UK, Springer-Verlag (2000) 102–126
8. Stump, A., Barrett, C.W., Dill, D.L., Levitt, J.R.: A decision procedure for an
extensional theory of arrays. In: Logic in Computer Science. (2001) 29–37
9. Collins, G., Syme, D.: A theory of finite maps. In Schubert, E.T., Windley, P.J.,
Alves-Foss, J., eds.: Higher Order Logic Theorem Proving and Its Applications.
Springer, Berlin, (1995) 122–137
10. Kozen, D.: Kleene algebra with tests. Transactions on Programming Languages
and Systems 19(3) (1997) 427–443
11. Angus, A., Kozen, D.: Kleene algebra with tests and program schematology. Tech-
nical Report 2001-1844, Computer Science Department, Cornell University (2001)
12. Barth, A., Kozen, D.: Equational verification of cache blocking in LU decompo-
sition using Kleene algebra with tests. Technical Report 2002-1865, Computer
Science Department, Cornell University (2002)

13. Cohen, E.: Lazy caching in Kleene algebra (1994) http://citeseer.nj.nec.com/22581.html.
14. Cohen, E.: Hypotheses in Kleene algebra. Technical Report TM-ARH-023814,
Bellcore (1993)
15. Cohen, E.: Using Kleene algebra to reason about concurrency control. Technical
report, Telcordia, Morristown, N.J. (1994)
16. Kozen, D., Patron, M.C.: Certification of compiler optimizations using Kleene
algebra with tests. In Lloyd, J., Dahl, V., Furbach, U., Kerber, M., Lau, K.K.,
Palamidessi, C., Pereira, L.M., Sagiv, Y., Stuckey, P.J., eds.: Proc. 1st Int. Conf.
Computational Logic (CL2000). Volume 1861 of Lecture Notes in Artificial Intel-
ligence., London, Springer-Verlag (2000) 568–582
17. Kozen, D.: On Hoare logic and Kleene algebra with tests. Trans. Computational
Logic 1(1) (2000) 60–76
18. Kleene, S.C.: Representation of events in nerve nets and finite automata. In
Shannon, C.E., McCarthy, J., eds.: Automata Studies. Princeton University Press,
Princeton, N.J. (1956) 3–41
19. Conway, J.H.: Regular Algebra and Finite Machines. Chapman and Hall, London
(1971)
20. Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular
events. Infor. and Comput. 110(2) (1994) 366–390
21. Fischer, M.J., Ladner, R.E.: Propositional modal logic of programs. In: Proc. 9th
Symp. Theory of Comput., ACM (1977) 286–294
22. Aboul-Hosn, K., Kozen, D.: KAT-ML: An interactive theorem prover for Kleene
algebra with tests. In: Proc. 4th Int. Workshop on the Implementation of Logics,
University of Manchester (2003) 2–12
23. Aboul-Hosn, K.: An axiomatization of arrays for Kleene algebra with tests. Tech-
nical report, Cornell University (2006)
24. Filliâtre, J.C., Magaud, N.: Certification of sorting algorithms in the Coq system.
In: Theorem Proving in Higher Order Logics: Emerging Trends. (1999)
25. Cormen, T.H., Leiserson, C.E., Rivest, R.L.: Introduction to Algorithms. The
MIT Electrical Engineering and Computer Science Series. MIT Press/McGraw
Hill (1990)
26. Aboul-Hosn, K., Kozen, D.: KAT-ML: An interactive theorem prover for Kleene
algebra with tests. Journal of Applied Non-Classical Logics 16(1) (2006)
Local Variable Scoping and
Kleene Algebra with Tests

Kamal Aboul-Hosn and Dexter Kozen

Department of Computer Science
Cornell University
Ithaca, New York 14853-7501, USA
{kamal, kozen}@cs.cornell.edu

Abstract. Most previous work on the semantics of programs with local state involves complex storage modeling with pointers and memory cells, complicated categorical constructions, or reasoning in the presence of context. In this paper, we explore the extent to which relational semantics and axiomatic reasoning in the style of Kleene algebra can be used to avoid these complications. We provide (i) a fully compositional relational semantics for a first-order programming language with a construct for local variable scoping; and (ii) an equational proof system based on Kleene algebra with tests for proving equivalence of programs in this language. We show that the proof system is sound and complete relative to the underlying equational theory without local scoping. We illustrate the use of the system with several examples.

1 Introduction

Reasoning about programs with local state is an important and difficult problem that has attracted much attention over the years. Most previous work involves complex storage modeling with pointers and memory cells or complicated categorical constructions to capture the intricacies of programming with state. Reasoning about the equality of such programs typically involves the notion of contextual or observable equivalence, where two programs are considered equivalent if either can be put in the context of a larger program and yield the same value. Pitts [1] explains that these notions are difficult to define formally, because there is no clear agreement on the meaning of program context and observable behavior. A common goal is to design a semantics that is fully abstract, where observable equivalence implies semantic equivalence, although this notion makes the most sense in a purely functional context (see for example [2,3]).

Seminal work by Meyer and Sieber [4] introduced a framework for proving the equivalence of ALGOL procedures with no parameters. Much attention has focused on the use of denotational semantics to model a set of storage locations [5,6,7,8]. The inability to prove some simple program equivalences using traditional techniques led several researchers to take a categorical approach [9,10,11]. See [12] for more information regarding the history of these approaches.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 78–90, 2006.

© Springer-Verlag Berlin Heidelberg 2006

More recently, several researchers have investigated the use of operational semantics to reason about ML programs with references. While operational semantics can be easier to understand, their use makes reasoning about programs more complex. Mason and Talcott [13,14,15] considered a λ-calculus extended with state operations. By defining axioms in the form of contextual assertions, Mason and Talcott were able to prove the equivalence in several examples of Meyer and Sieber. Pitts and Stark [1,16,17,18] also use operational semantics. Others have looked at using game semantics to reason about programs with local state [19,20,21,22]. Several full abstraction results have come from using game semantics to represent languages with state.

In [23], we presented a fully compositional relational semantics for higher-order programs, and showed how it could be used to avoid intricate memory modeling and the explicit use of context in program equivalence proofs. We showed how to handle several examples of Meyer and Sieber [4] in our framework. However, in that paper, we did not attempt to formulate an equational axiomatization; all arguments were based on semantic reasoning.
In this paper we consider a restricted language without higher-order programs
but with a let construct for declaring local variables with limited scope:

let x = t in p end. (1)

In the presence of higher-order programs, this construct can be encoded as a λ-term (λx.p)t, but here we take (1) as primitive. The standard relational semantics used in first-order KAT and Dynamic Logic involving valuations of program variables is extended to accommodate the let construct: instead of a valuation, a state consists of a stack of such valuations. The formal semantics captures the operational intuition that local variables declared in a let statement push a new valuation with finite domain, which is then popped upon exiting the scope.

This semantics is a restriction of the relational semantics of [23] for interpreting higher-order programs. There, instead of a stack, we used a more complicated tree-like structure called a closure structure. Nevertheless, it is worthwhile giving an explicit treatment of this important special case. The let construct interacts relatively seamlessly with the usual regular and Boolean operators of KAT, which have a well-defined and well-studied relational semantics and deductive theory. We are able to build on this theory to provide a deductive system for program equivalence in the presence of let that is complete relative to the underlying equational theory without let.
This paper is organized as follows. In Section 2, we define a compositional relational semantics of programs with let. In Section 3, we give a set of proof rules that allow let statements to be systematically eliminated. In Section 4, we show that the proof system is sound and complete relative to the underlying equational theory without local scoping, and provide a procedure for eliminating variable scoping expressions. By “eliminating variable scoping expressions,” we do not mean that every program is equivalent to one without scoping expressions—that is not true, and a counterexample is given in Section 5—but rather that the equivalence of two programs with scoping expressions can be reduced to the equivalence of two programs without scoping expressions. We demonstrate the use of the proof system through several examples in Section 5.

2 Relational Semantics
The domain of computation is a first-order structure A of some signature Σ. A
partial valuation is a partial map f : Var → |A|, where Var is a set of program
variables. The domain of f is denoted dom f . A stack of partial valuations is called
an environment. Let σ, τ, . . . denote environments. The notation f :: σ denotes an
environment with head f and tail σ; thus environments grow from right to left.
The empty environment is denoted ε. The shape of an environment f1 :: · · · :: fn is dom f1 :: · · · :: dom fn. The domain of the environment f1 :: · · · :: fn is $\bigcup_{i=1}^{n} \mathrm{dom}\, f_i$. The shape of ε is ε and the domain of ε is ∅. The set of environments is denoted Env. A state of the computation is an environment, and programs will be interpreted as binary relations on environments.
In Dynamic Logic and KAT, programs are built inductively from atomic programs and tests using the regular program operators +, ;, and ∗. In the first-order versions of these languages, atomic programs are simple assignments x := t, where x is a variable and t is a Σ-term. Atomic tests are atomic first-order formulas R(t1, . . . , tn) over the signature Σ.
To accommodate local variable scoping, we also include let expressions in the
inductive definition of programs. A let expression is an expression

let x1 = t1 , . . . , xn = tn in p end (2)

where p is a program, the xi are program variables, and the ti are terms.
Operationally, when entering the scope (2), a new partial valuation is created and pushed onto the stack. The domain of this new partial valuation is {x1, . . . , xn}, and the initial values of x1, . . . , xn are the values of t1, . . . , tn, respectively, evaluated in the old environment. This partial valuation will be popped when leaving the scope. The locals in this partial valuation shadow any other occurrences of the same variables further down in the stack. When evaluating a variable in an environment, we search down through the stack for the first occurrence of the variable and take that value. When modifying a variable, we search down through the stack for the first occurrence of the variable and modify that occurrence. In reality, any attempt to evaluate or modify an undefined variable (one that is not in the domain of the current environment) would result in a runtime error. In the relational semantics, there would be no input-output pair corresponding to this computation.
To capture this formally in relational semantics, we use a rebinding operator [x/a] defined on partial valuations and environments, where x is a variable and a is a value. For a partial valuation f : Var → |A|,

$$f[x/a](y) = \begin{cases} f(y), & \text{if } y \in \mathrm{dom}\, f \text{ and } y \neq x, \\ a, & \text{if } y \in \mathrm{dom}\, f \text{ and } y = x, \\ \text{undefined}, & \text{if } y \notin \mathrm{dom}\, f. \end{cases}$$

For an environment σ,

$$\sigma[x/a] = \begin{cases} f[x/a] :: \tau, & \text{if } \sigma = f :: \tau \text{ and } x \in \mathrm{dom}\, f, \\ f :: \tau[x/a], & \text{if } \sigma = f :: \tau \text{ and } x \notin \mathrm{dom}\, f, \\ \varepsilon, & \text{if } \sigma = \varepsilon. \end{cases}$$

Note that rebinding does not change the shape of the environment. In particular,
ε[x/a] = ε.
The value of a variable x in an environment σ is

$$\sigma(x) = \begin{cases} f(x), & \text{if } \sigma = f :: \tau \text{ and } x \in \mathrm{dom}\, f, \\ \tau(x), & \text{if } \sigma = f :: \tau \text{ and } x \notin \mathrm{dom}\, f, \\ \text{undefined}, & \text{if } \sigma = \varepsilon. \end{cases}$$

The value of a term t in an environment σ is defined inductively on t in the usual way. Note that σ(t) is defined iff x ∈ dom σ for all x occurring in t.
A program is interpreted as a binary relation on environments. The binary
relation associated with p is denoted [[p]]. The semantics of assignment is

[[x := t]] = {(σ, σ[x/σ(t)]) | σ(t) and σ(x) are defined}.

Note that both x and t must be defined by σ for there to exist an input-output
pair with first component σ.
The semantics of scoping is

[[let x1 = t1 , . . . , xn = tn in p end]]
= {(σ, tail(τ )) | σ(ti ) is defined, 1 ≤ i ≤ n, and (f :: σ, τ ) ∈ [[p]]}, (3)

where f is the environment such that f (xi ) = σ(ti ), 1 ≤ i ≤ n.


As usual with binary relation semantics, the semantics of the regular program operators +, ;, and ∗ are union, relational composition, and reflexive transitive closure, respectively. For an atomic test R(t1, . . . , tn),

[[R(t1, . . . , tn)]] = {(σ, σ) | σ(ti) is defined, 1 ≤ i ≤ n, and A, σ ⊨ R(t1, . . . , tn)},

where ⊨ is satisfaction in the usual sense of first-order logic. The Boolean operator ! (weak negation) is defined on atomic formulas by

[[!R(t1, . . . , tn)]] = {(σ, σ) | σ(ti) is defined, 1 ≤ i ≤ n, and A, σ ⊨ ¬R(t1, . . . , tn)}.

This is not the same as classical negation ¬, which we need in order to use
the axioms of Kleene algebra with tests. However, in the presence of !, classical
negation is tantamount to the ability to check whether a variable is undefined.
That is, we must have a test undefined(x) with semantics

[[undefined(x)]] = {(σ, σ) | σ(x) is undefined}.



Example 1. Consider the program

let x = 1
in x := y + z;
   let y = x + 2 in y := y + z; z := y + 1 end;
   y := x
end

Say we start in state (y = 5, z = 20). Here are the successive states of the computation:

After . . .                       the state is . . .
entering the outer scope          (x = 1) :: (y = 5, z = 20)
executing the first assignment    (x = 25) :: (y = 5, z = 20)
entering the inner scope          (y = 27) :: (x = 25) :: (y = 5, z = 20)
executing the next assignment     (y = 47) :: (x = 25) :: (y = 5, z = 20)
executing the next assignment     (y = 47) :: (x = 25) :: (y = 5, z = 48)
exiting the inner scope           (x = 25) :: (y = 5, z = 48)
executing the last assignment     (x = 25) :: (y = 25, z = 48)
exiting the outer scope           (y = 25, z = 48)
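As an added example (not the paper's code), an executable model of the environment-stack semantics of this section for the deterministic fragment (assignment, sequencing and let), enough to replay the trace of Example 1 and to see where the semantics has no input-output pair at all. It assumes that an environment is a tuple of dicts with the head first (so f :: σ is (f,) + σ and ε is ()), and that terms and programs are tagged tuples built by the small constructors below; all of those names are this example's own.

```python
UNDEFINED = object()      # marker for "the value is undefined"


def lookup(env, x):
    """sigma(x): the first valuation down the stack whose domain contains x."""
    for f in env:
        if x in f:
            return f[x]
    return UNDEFINED


def rebind(env, x, a):
    """sigma[x/a]: modify the first occurrence of x. The shape is unchanged,
    and epsilon[x/a] = epsilon; an x absent from every frame leaves env as is."""
    for k, f in enumerate(env):
        if x in f:
            return env[:k] + ({**f, x: a},) + env[k + 1:]
    return env


def shape(env):
    """dom f1 :: ... :: dom fn; Lemma 1 says programs preserve this."""
    return tuple(frozenset(f) for f in env)


# terms: ('const', c) | ('var', x) | ('add', t1, t2)
def const(c): return ('const', c)
def var(x): return ('var', x)
def add(t1, t2): return ('add', t1, t2)


def eval_term(t, env):
    """sigma(t): defined iff every variable occurring in t is in dom sigma."""
    if t[0] == 'const':
        return t[1]
    if t[0] == 'var':
        return lookup(env, t[1])
    a, b = eval_term(t[1], env), eval_term(t[2], env)
    return UNDEFINED if a is UNDEFINED or b is UNDEFINED else a + b


# programs: ('assign', x, t) | ('seq', p1, ..., pk) | ('let', [(x, t), ...], p)
def assign(x, t): return ('assign', x, t)
def seq(*ps): return ('seq',) + ps
def let(bindings, p): return ('let', bindings, p)


def run(p, env, trace=None):
    """Run p from env. Returns the output environment, or None when [[p]] has
    no pair with first component env (an undefined variable or term). If
    trace is a list, every intermediate state is appended to it."""
    if p[0] == 'assign':
        x, t = p[1], p[2]
        v = eval_term(t, env)
        if v is UNDEFINED or lookup(env, x) is UNDEFINED:
            return None                     # [[x := t]] needs sigma(t), sigma(x)
        env = rebind(env, x,  v)
    elif p[0] == 'seq':
        for q in p[1:]:
            env = run(q, env, trace)        # relational composition, step by step
            if env is None:
                return None
        return env                          # sub-steps were traced already
    elif p[0] == 'let':
        f = {}
        for x, t in p[1]:
            v = eval_term(t, env)           # initial values use the OLD environment
            if v is UNDEFINED:
                return None
            f[x] = v
        inner = (f,) + env                  # push the new partial valuation f
        if trace is not None:
            trace.append(inner)
        out = run(p[2], inner, trace)
        if out is None:
            return None
        env = out[1:]                       # tail(tau): pop the scope on exit
    else:
        raise ValueError(p[0])
    if trace is not None:
        trace.append(env)
    return env


# Example 1 from the text:
#   let x = 1 in x := y + z; let y = x + 2 in y := y + z; z := y + 1 end; y := x end
EXAMPLE_1 = let([('x', const(1))],
                seq(assign('x', add(var('y'), var('z'))),
                    let([('y', add(var('x'), const(2)))],
                        seq(assign('y', add(var('y'), var('z'))),
                            assign('z', add(var('y'), const(1))))),
                    assign('y', var('x'))))


def replay_example_1():
    """Start in state (y = 5, z = 20); returns (final state, list of states)."""
    start = ({'y': 5, 'z': 20},)
    trace = []
    final = run(EXAMPLE_1, start, trace)
    assert shape(final) == shape(start)     # Lemma 1: the shape is preserved
    return final, trace
```

The eight states collected in the trace are exactly the rows of the table above.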
Lemma 1. If (σ, τ ) ∈ [[p]], then σ and τ have the same shape.
Proof. This is true of the assignment statement and preserved by all program operators. □
The goal of presenting a semantics for a language with local state is to allow
reasoning about programs without the need for context. A context C[-] is just
a program expression with a distinguished free program variable. Relational
semantics captures all contextual information in the state, thus making contexts
superfluous in program equivalence arguments. This is reflected in the following
theorem.
Theorem 1. For program expressions p and q, [[C[p]]] = [[C[q]]] for all contexts C[-] iff [[p]] = [[q]].
This is a special case of a result proved in more generality in [23]. The direction
(→) is immediate by taking C[-] to be the trivial context consisting of a single
program variable. The reverse direction follows from an inductive argument,
observing that the semantics is fully compositional, the semantics of a compound
expression being completely determined by the semantics of its subexpressions.

3 Axioms and Basic Properties


In this section we present a set of axioms that can be used to systematically eliminate all local scopes, allowing us to reduce the equivalence problem to equivalence in the traditional “flat” semantics in which all variables are global. Although the relational semantics presented in Section 2 is a special case of the semantics presented in [23] for higher-order programs, an axiomatization was not considered in that work.

Axioms

A. If the yi are distinct and do not occur in p, 1 ≤ i ≤ n, then the following two programs are equivalent:

let x1 = t1, . . . , xn = tn in p end
let y1 = t1, . . . , yn = tn in p[xi/yi | 1 ≤ i ≤ n] end

where p[xi/yi | 1 ≤ i ≤ n] refers to the simultaneous substitution of yi for all occurrences of xi in p, 1 ≤ i ≤ n, including bound occurrences and those on the left-hand sides of assignments. This transformation is known as α-conversion.
B. If y does not occur in s and y and x are distinct, then the following two programs are equivalent:

let x = s in let y = t in p end end
let y = t[x/s] in let x = s in p end end

In particular, the following two programs are equivalent, provided x and y are distinct, x does not occur in t, and y does not occur in s:

let x = s in let y = t in p end end
let y = t in let x = s in p end end

C. If x does not occur in s, then the following two programs are equivalent:

let x = s in let y = t in p end end
let x = s in let y = t[x/s] in p end end

This holds even if x and y are the same variable.


D. If x1 does not occur in t2, . . . , tn, then the following two programs are equivalent:

let x1 = t1 , . . . , xn = tn in p end
let x1 = t1 in let x2 = t2 , . . . , xn = tn in p end end

E. If t is a closed term (no occurrences of variables), then the following two programs are equivalent:

skip
let x = t in skip end

where skip is the identity function on states.


F. If x does not occur in pr, then the following two programs are equivalent:

p; let x = t in q end; r
let x = t in pqr end



G. If x does not occur in p and t is closed, then the following two programs are equivalent:

p + let x = t in q end
let x = t in p + q end

The proviso “t is closed” is necessary: if the value of t is initially undefined, then the program on the left may halt, whereas the program on the right never does.
H. If x does not occur in t, then the following two programs are equivalent:

(let x = t in p end)∗
let x = a in (x := t; p)∗ end

where a is any closed term. The proviso that x not occur in t is necessary, as the following counterexample shows. Take t = x and p the assignment y := a. The program on the right contains the pair (y = b, y = a) for b ≠ a, whereas the program on the left does not, since x must be defined in the environment in order for the starred program to be executed once.
I. If x does not occur in t and a is a closed term, then the following two programs are equivalent:

let x = t in p end
let x = a in x := t; p end

J. If x does not occur in t, then the following two programs are equivalent:

let x = s in p end; x := t
x := s; p; x := t

Theorem 2. Axioms A–J are sound with respect to the binary relation semantics of Section 2.
Proof. Most of the arguments are straightforward relational reasoning. Perhaps
the least obvious is Axiom H, which we argue explicitly. Suppose that x does
not occur in t. Let a be any closed term. We wish to show that the following two
programs are equivalent:

(let x = t in p end)∗
let x = a in (x := t; p)∗ end

Extending the nondeterministic choice operator to infinite sets in the obvious way, we have

(let x = t in p end)∗ = Σ_n (let x = t in p end)^n

let x = a in (x := t; p)∗ end = let x = a in Σ_n (x := t; p)^n end
                             = Σ_n let x = a in (x := t; p)^n end

the last by a straightforward infinitary generalization of Axiom G. It therefore suffices to prove that for any n,

(let x = t in p end)^n = let x = a in (x := t; p)^n end


This is true for n = 0 by Axiom E. Now suppose it is true for n. Then

(let x = t in p end)^(n+1)
= (let x = t in p end)^n; let x = t in p end
= let x = a in (x := t; p)^n end; let x = t in p end      (4)
= let x = a in (x := t; p)^n; x := t; p end              (5)
= let x = a in (x := t; p)^(n+1) end

where (4) follows from the induction hypothesis and (5) follows from the identity

let x = a in q end; let x = t in p end = let x = a in q; x := t; p end      (6)

To justify (6), observe that since x does not occur in t by assumption, p is executed in exactly the same environment on both sides of the equation.
When proving programs equivalent, it is helpful to know we can permute local variable declarations and remove unnecessary ones.
Lemma 2.
(i) For any permutation π : {1, . . . , n} → {1, . . . , n}, the following two programs
are equivalent:

let x1 = t1 , . . . , xn = tn in p end
let xπ(1) = tπ(1) , . . . , xπ(n) = tπ(n) in p end.

(ii) If x does not occur in p, and if t is a closed term, then the following two
programs are equivalent:

p
let x = t in p end.

The second part of Lemma 2 is similar to the first example of Meyer and Sieber
[4] in which a local variable unused in a procedure call can be eliminated.

4 Flattening
To prove equivalence of two programs p, q with scoping, we transform the programs so as to remove all scoping expressions, then prove the equivalence of the two resulting programs. The transformed programs are equivalent to the original ones except for the last step. The two transformed programs are equivalent in the “flat” semantics iff the original ones were equivalent in the semantics of Section 2. Thus the process is complete modulo the theory of programs without scope. The transformations are applied in the following stages.

Step 1. Apply α-conversion (Axiom A) to both programs to make all bound variables unique. This is done from the innermost scopes outward. In particular, no bound variable in the first program appears in the second program and vice-versa. The resulting programs are equivalent to the originals.

Step 2. Let x1, . . . , xn be any list of variables containing all bound variables that occur in either program after Step 1. Use the transformation rules of Axioms A–J to convert the programs to the form let x1 = a, . . . , xn = a in p end and let x1 = a, . . . , xn = a in q end, where p and q do not have any scoping expressions and a is a closed term. The scoping expressions can be moved outward using Axioms F–H. Adjacent scoping expressions can be combined using Axioms C and D. Finally, all bindings can be put into the form x = a using Axiom I.

Step 3. Now for p, q with no scoping and a a closed term, the two programs

let x1 = a, . . . , xn = a in p end
let x1 = a, . . . , xn = a in q end

are equivalent iff the two programs

x1 := a; · · · ; xn := a; p; x1 := a; · · · ; xn := a
x1 := a; · · · ; xn := a; q; x1 := a; · · · ; xn := a

are equivalent with respect to the “flat” binary relation semantics in which states
are just partial valuations. We have shown

Theorem 3. Axioms A–J of Section 3 are sound and complete for program
equivalence relative to the underlying equational theory without local scoping.

5 Examples

We demonstrate the use of the axiom system through several examples. The
first example proves that two versions of a program to swap the values of two
variables are equivalent when the domain of computation is the integers.

Example 2. The following two programs are equivalent:

let t = x
in x := y;
   y := t
end

x := x ⊕ y;
y := x ⊕ y;
x := x ⊕ y

where ⊕ is the bitwise xor operator. The first program uses a local variable to
store the value of x temporarily. The second program does not need a temporary
value; it uses xor to switch the bits in place. Without the ability to handle local
variables, it would be impossible to prove these two programs equivalent, because
the first program includes an additional variable t. In general, without specific
information about the domain of computation and without an operator like ⊕,
it would be impossible to prove the left-hand program equivalent to any let-free
program.

Proof. We apply Lemma 2 to convert the second program to

let t = a
in x := x ⊕ y;
y := x ⊕ y;
x := x ⊕ y
end
where a is a closed term. Next, we apply Axiom I to the first program to get

let t = a
in t := x;
x := y;
y := t
end
From Theorem 3, it suffices to show the following programs are equivalent:

t := a;              t := a;
t := x;              x := x ⊕ y;
x := y;              y := x ⊕ y;
y := t;              x := x ⊕ y;
t := a               t := a

We have reduced the problem to an equation between let-free programs. The remainder of the argument is a straightforward application of the axioms of schematic KAT [24] and the properties of the domain of computation. □
The second example shows that a local variable in a loop need only be declared
once if the variable’s value is not changed by the body of the loop.
Example 3. If the final value of x after executing program p is always a, that is, if p is equivalent to p; (x = a) for closed term a, then the following two programs are equivalent:

(let x = a in p end)∗
let x = a in p∗ end.

Proof. First, we use Axiom H to convert the program on the left-hand side to

let x = a in (x := a; p)∗ end.

It suffices to show the following flattened programs are equivalent:

x := a; (x := a; p)∗; x := a
x := a; p∗; x := a.

The equivalence follows from basic theorems of KAT and our assumption p = p; (x = a). □
The next example is important in path-sensitive analysis for compilers. It shows
that a program with multiple conditionals all guarded by the same test needs
only one local variable for operations in both branches of the conditionals.

Example 4. If x and w do not occur in p and the program (y = a); p is equivalent to the program p; (y = a) (that is, the execution of p does not affect the truth of the test y = a), then the following two programs are equivalent:

let x = 0, w = 0
in (if y = a then x := 1 else w := 2); p; if y = a then y := x else y := w
end

let x = 0
in (if y = a then x := 1 else x := 2); p; y := x
end

Proof. First we note that it follows purely from reasoning in KAT that (y = a); p is equivalent to (y = a); p; (y = a) and that ¬(y = a); p is equivalent to p; ¬(y = a) and also to ¬(y = a); p; ¬(y = a).
We use laws of distributivity and Boolean tests from KAT and our assumptions to transform the first program into

let x = 0, w = 0
in (y = a; x := 1; p; y = a; y := x) + (¬(y = a); w := 2; p; ¬(y = a); y := w)
end

Axiom D allows us to transform this program into

let x = 0
in let w = 0
   in (y = a; x := 1; p; y = a; y := x) + (¬(y = a); w := 2; p; ¬(y = a); y := w)
   end
end

By two applications of Axiom G, we get

(let x = 0 in y = a; x := 1; p; y = a; y := x end) + (let w = 0 in ¬(y = a); w := 2; p; ¬(y = a); y := w end)

Using α-conversion (Axiom A) to replace w with x, this becomes

(let x = 0 in y = a; x := 1; p; y = a; y := x end) + (let x = 0 in ¬(y = a); x := 2; p; ¬(y = a); y := x end)

This program is equivalent to

let x = 0
in (y = a; x := 1; p; y = a; y := x) + (¬(y = a); x := 2; p; ¬(y = a); y := x)
end

by a simple identity

let x = a in p + q end = let x = a in p end + let x = a in q end



It is easy to see that this identity is true, as both p and q are executed in the
same state on both sides of the equation. It can also be justified axiomatically
using Axioms A, D, and G and a straightforward application of Theorem 3.
Finally, we use laws of distributivity and Booleans to get

let x = 0
in (if y = a then x := 1 else x := 2); p; y := x
end

which is what we wanted to prove. □

6 Conclusion
We have presented a relational semantics for first-order programs with a let con-
struct for local variable scoping and a set of equational axioms for reasoning
about program equivalence in this language. The axiom system allows the let
construct to be systematically eliminated, thereby reducing the equivalence ar-
guments to the let -free case. This system admits algebraic equivalence proofs for
programs with local variables in the equational style of schematic KAT. We have
given several examples that illustrate that in many cases, it is possible to rea-
son purely axiomatically about programs with local variables without resorting
to semantic arguments involving heaps, pointers, or other complicated semantic
constructs.

Acknowledgments
We would like to thank Matthew Fluet, Riccardo Pucella, Sigmund Cherem, and
the anonymous referees for their valuable input.

Computing and Visualizing Lattices of
Subgroups Using Relation Algebra and RelView

Rudolf Berghammer

Institut für Informatik und Praktische Mathematik
Christian-Albrechts-Universität Kiel
Olshausenstraße 40, D-24098 Kiel
[email protected]

Abstract. We model groups as relational systems and develop relation-
algebraic specifications for direct products of groups, quotient groups,
and the enumeration of all subgroups and normal subgroups. The lat-
ter two specifications immediately lead to specifications of the lattices
of subgroups and normal subgroups, respectively. All specifications are
algorithmic and can directly be translated into the language of the com-
puter system RelView. Hence, the system can be used for constructing
groups and for computing and visualizing their lattices of subgroups and
normal subgroups. This is demonstrated by some examples.

1 Introduction
A number of mathematical structures are generalizations of lattices. Especially
this holds for relation algebra [16,14], which additionally possesses operations
for forming complements, compositions, and transpositions. Its use in Computer
Science is mainly due to the fact that many structures/datatypes can be modeled
via relations, many problems on them can be specified naturally by relation-
algebraic expressions and formulae, and, therefore, many solutions reduce to
relation-algebraic reasoning and computations, respectively.
As demonstrated in [14], relation algebra is well suited for dealing with many
problems concerning order relations in a component-free (also called point-free)
manner. Taking ordered sets as a starting point for introducing lattices (instead
of algebras having two binary operations ⊓ and ⊔), lattices are nothing else
than partial order relations with the additional property that every pair x, y
of elements has a greatest lower bound x ⊓ y and a least upper bound x ⊔ y.
This suggests applying the formal apparatus of relation algebra and tools for
its mechanization to lattice-theoretical problems, too. A first example for this
approach is [4], where relation algebra and the computer system RelView [1,3]
are combined for computing and visualizing cut completions and concept lattices.
The material presented in this paper is a continuation of [4]. We combine again
relation algebra and RelView to compute and visualize the lattices of subgroups
and normal subgroups of groups by means of appropriate algorithmic relation-
algebraic specifications. These lattices are a powerful tool in group theory since
many group theoretical properties are determined by the lattice of (normal)
subgroups and vice versa. As an example we mention that a finite group is cyclic
iff its subgroup lattice is distributive. A lot of further results in this vein can
be found in the monograph [15]. Fundamental for our approach is the modeling
of groups as relational systems. As a consequence, construction principles on
groups should be conducted within this framework, too, since frequently groups
are presented as compositions of other ones. In this paper we treat two important
principles, viz. the construction of direct products of groups and of quotient
groups modulo normal subgroups. Again this is done by developing appropriate
algorithmic relation-algebraic specifications.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 91–105, 2006.
© Springer-Verlag Berlin Heidelberg 2006

2 Relational Preliminaries
We write R : X ↔ Y if R is a relation with domain X and range Y , i.e., a
subset of X × Y . If the sets X and Y of R's type X ↔ Y are finite and of size
m and n, respectively, we may consider R as a Boolean matrix with m rows
and n columns. Since this Boolean matrix interpretation is well suited for many
purposes and also used by RelView to depict relations, in the following we
often use matrix terminology and matrix notation. Especially we speak about
the rows and columns of R and write $R_{x,y}$ instead of ⟨x, y⟩ ∈ R or x R y. We
assume the reader to be familiar with the basic operations on relations, viz. $R^T$
(transposition), $\overline{R}$ (complementation), R ∪ S (union), R ∩ S (intersection), and
RS (composition), the predicate R ⊆ S (inclusion), and the special relations O
(empty relation), L (universal relation), and I (identity relation).
By $syq(R, S) := \overline{R^T\,\overline{S}} \cap \overline{\overline{R}^T S}$ the symmetric quotient syq(R, S) : Y ↔ Z of
two relations R : X ↔ Y and S : X ↔ Z is defined.
We also will use the pairing (or fork) [R, S] : Z ↔ X×Y of two relations
R : Z ↔ X and S : Z ↔ Y . Component-wisely it is defined by demanding for
all z ∈ Z and u = ⟨u1, u2⟩ ∈ X×Y that $[R, S]_{z,u}$ iff $R_{z,u_1}$ and $S_{z,u_2}$. (Throughout
this paper pairs u are assumed to be of the form ⟨u1, u2⟩.) Using identity and
universal relations of appropriate types, the pairing operation allows to define
the two projection relations π : X×Y ↔ X and ρ : X×Y ↔ Y of the direct
product X × Y as $\pi := [I, L]^T$ and $\rho := [L, I]^T$. Then the above definition implies
for all u ∈ X × Y , x ∈ X, and y ∈ Y that $\pi_{u,x}$ iff $u_1 = x$ and $\rho_{u,y}$ iff $u_2 = y$. Also
the parallel composition (or product) R ⊗ S : X×X' ↔ Y×Y' of two relations
R : X ↔ Y and S : X' ↔ Y', such that $(R \otimes S)_{u,v}$ is equivalent to $R_{u_1,v_1}$ and
$S_{u_2,v_2}$ for all u ∈ X × X' and v ∈ Y × Y', can be defined by means of pairing. We
get the desired property if we define R ⊗ S := [πR, ρS], where π : X×X' ↔ X
and ρ : X×X' ↔ X' are the projection relations on X × X'.
There are some relational possibilities to model sets. Our first modeling uses
vectors, which are relations v with v = vL. Since for a vector the range is
irrelevant we consider in the following mostly vectors v : X ↔ 1 with a specific
singleton set 1 = {⊥} as range and omit in such cases the second subscript, i.e.,
write $v_x$ instead of $v_{x,\bot}$. Such a vector can be considered as a Boolean matrix
with exactly one column, i.e., as a Boolean column vector, and represents the
subset $\{x \in X \mid v_x\}$ of X. A non-empty vector v is said to be a point if $vv^T \subseteq I$,
i.e., v is injective. This means that it represents a singleton subset of its domain
or an element from it if we identify a singleton set with the only element it
contains. In the Boolean matrix model a point v : X ↔ 1 is a Boolean column
vector in which exactly one component is true.
As a second way to model sets we will apply the relation-level equivalents of
the set-theoretic symbol ∈, i.e., membership-relations $M : X ↔ 2^X$ on X and its
powerset $2^X$. These specific relations are defined by demanding for all x ∈ X and
$Y ∈ 2^X$ that $M_{x,Y}$ iff x ∈ Y . A Boolean matrix implementation of M requires
exponential space. However, in [12,5] an implementation of M using reduced
ordered binary decision diagrams (ROBDDs) is given, the number of nodes of
which is linear in the size of X.
Finally, we will use injective functions for modeling sets. Given an injective
function ı from Y to X, we may consider Y as a subset of X by identifying it
with its image under ı. If Y is actually a subset of X and ı is given as relation
of type Y ↔ X such that $\imath_{y,x}$ iff y = x for all y ∈ Y and x ∈ X, then the
vector $\imath^T L : X ↔ 1$ represents Y as subset of X in the sense above. Clearly, the
transition in the other direction is also possible, i.e., the generation of a relation
inj(v) : Y ↔ X from the vector representation v : X ↔ 1 of Y ⊆ X such that
for all y ∈ Y and x ∈ X we have $inj(v)_{y,x}$ iff y = x.
A combination of such relations with membership-relations allows a column-
wise enumeration of sets of subsets. More specifically, if $v : 2^X ↔ 1$ represents a
subset S of the powerset $2^X$ in the sense defined above, then for all x ∈ X and
Y ∈ S we get the equivalence of $(M\,inj(v)^T)_{x,Y}$ and x ∈ Y . This means that the
relation $\mathsf{S} := M\,inj(v)^T : X ↔ S$ is the relation-algebraic specification of membership
on S, or, using matrix terminology, the elements of S are represented precisely
by the columns of $\mathsf{S}$. Furthermore, a little reflection shows for all Y, Z ∈ S the
equivalence of Y ⊆ Z and $\overline{\mathsf{S}^T\,\overline{\mathsf{S}}}_{Y,Z}$. Therefore, $\overline{\mathsf{S}^T\,\overline{\mathsf{S}}} : S ↔ S$ is the relation-
algebraic specification of set inclusion on S.

3 Relational Modeling of Groups

Assuming that the reader is familiar with the fundamental notions of groups
(otherwise see e.g., [11]), in this section we introduce our relational model of
groups and show how to construct direct products and quotient groups within
this framework. As usual, we denote a group $(G, \cdot, {}^{-1}, 1)$ simply by its carrier set
G and write xy instead of x · y.

3.1 Basics of the Approach

Suppose G to be a group. Our relational modeling of G is rather simple. We use
a multiplication relation R : G×G ↔ G for the binary operation · : G × G → G,
an inversion relation I : G ↔ G for the unary operation ${}^{-1} : G → G$, and a
neutral point e : G ↔ 1 for the neutral element 1, i.e., demand for all u ∈ G × G
and x, y ∈ G the following equivalences to hold:

$R_{u,x} \iff u_1 u_2 = x$   $I_{x,y} \iff x^{-1} = y$   $e_x \iff x = 1$
Fig. 1. Relational Model of the Kleinian group V4

As a small example we consider the well-known Kleinian group V4 . Its carrier
set consists of four elements e, a, b, c and the group structure is completely
determined by demanding that e is the neutral element and that aa = bb = e.
The pictures of Fig. 1 show the multiplication relation and inversion relation of
V4 as depicted by RelView as Boolean matrices and the point for the neutral
element e as depicted by RelView as Boolean vector. For reasons of space, the
multiplication relation is shown in transposed form.
Instead of the relational system (R, I, e), the multiplication relation R on its
own can be used to model a group G. This is due to the fact that the inversion
relation I and the neutral point e relation-algebraically can be specified using
R. Let π, ρ : G×G ↔ G be the projection relations on G × G. Then we have:

$e = \overline{\rho^T\,\overline{(\pi \cap R)L}}$   $I = \pi^T(\rho \cap ReL)$

We only prove the first equation. For all x ∈ G we calculate as follows:

$\overline{\rho^T\,\overline{(\pi \cap R)L}}_x \iff \neg\exists u : \rho^T_{x,u} \wedge \overline{(\pi \cap R)L}_u$
$\iff \forall u : \rho_{u,x} \to ((\pi \cap R)L)_u$
$\iff \forall u : u_2 = x \to \exists y : \pi_{u,y} \wedge R_{u,y} \wedge L_y$
$\iff \forall u : u_2 = x \to \exists y : u_1 = y \wedge R_{u,y}$
$\iff \forall u : u_2 = x \to u_1 u_2 = u_1$

This shows that $\overline{\rho^T\,\overline{(\pi \cap R)L}}$ represents the (right) neutral element of G.


Furthermore, it should be mentioned that the usual first-order group axioms
can be translated into equivalent relational inclusions so that they can be checked
by means of RelView. But we do not want to go into details here.

3.2 Construction of Product Groups

Let G and G' be two groups. Then the direct product G × G' becomes a group
if we define the binary operation component-wisely. The inverse of a pair is the
pair of inverses and as neutral element we have the pair of neutral elements.
Now, suppose the relational systems (R, I, e) and (R', I', e') to be relational
models of G and G', respectively, as introduced in Section 3.1. In the following
we develop a relational model of the direct product of G and G'.
Due to the equations of Section 3.1 it suffices to develop a relation-algebraic
specification of the multiplication relation of G × G'. To this end we assume that
π : G×G' ↔ G and ρ : G×G' ↔ G' are the projection relations on G × G'. Then
we are able to calculate for all pairs u, v, w ∈ G × G' as follows:

$w = \langle u_1 v_1, u_2 v_2 \rangle$
$\iff w_1 = u_1 v_1 \wedge w_2 = u_2 v_2$
$\iff (\exists z : u_1 = z_1 \wedge v_1 = z_2 \wedge z_1 z_2 = w_1) \wedge (\exists z : u_2 = z_1 \wedge v_2 = z_2 \wedge z_1 z_2 = w_2)$
$\iff (\exists z : \pi_{u,z_1} \wedge \pi_{v,z_2} \wedge R_{z,w_1}) \wedge (\exists z : \rho_{u,z_1} \wedge \rho_{v,z_2} \wedge R'_{z,w_2})$
$\iff (\exists z : (\pi \otimes \pi)_{\langle u,v \rangle,z} \wedge R_{z,w_1}) \wedge (\exists z : (\rho \otimes \rho)_{\langle u,v \rangle,z} \wedge R'_{z,w_2})$
$\iff ((\pi \otimes \pi)R)_{\langle u,v \rangle,w_1} \wedge ((\rho \otimes \rho)R')_{\langle u,v \rangle,w_2}$
$\iff [(\pi \otimes \pi)R, (\rho \otimes \rho)R']_{\langle u,v \rangle,w}$

If we remove the two subscripts ⟨u, v⟩ and w from the last expression of this
calculation following the definition of relational equality, we arrive at the following
relation-algebraic specification of the multiplication relation of G × G':

$Pmrel(R, R') = [(\pi \otimes \pi)R, (\rho \otimes \rho)R'] : (G×G')×(G×G') ↔ G×G'$

Likewise but more easily, we are able to develop the relation-algebraic
specification $[\pi I, \rho I'] : G×G' ↔ G×G'$ of the inversion relation of G × G' from the fact
that $v = u^{-1}$ iff $v_1 = u_1^{-1}$ and $v_2 = u_2^{-1}$ for all u, v ∈ G × G'. Also the neutral
point of the product group G × G' can be computed from the neutral points of
G and G', respectively. Here we arrive at $\pi e \cap \rho e' : G×G' ↔ 1$. Compared with
the computations of the inversion relation and the neutral point of G × G' from
the multiplication relation of G × G' as shown in Section 3.1, the computations
using $[\pi I, \rho I']$ and $\pi e \cap \rho e'$ are much more efficient in that they use the
projection relations π, ρ of the direct product G × G' instead of the much larger direct
product (G×G') × (G×G') as the equations of Section 3.1 do.

3.3 Construction of Quotient Groups

Besides direct products, forming the quotient group (or factor group) G/N of a
group G modulo a normal subgroup N ⊆ G is a further important construction
on groups. Here G/N denotes the set of all equivalence classes (called right
cosets) of the equivalence relation E : G ↔ G, that is defined component-wisely
by the equivalence of $E_{x,y}$ and $xy^{-1} \in N$ for all x, y ∈ G. The set G/N becomes a
group if the binary operation is defined by means of the classes' representatives.
Then the inverse of an equivalence class [x] is the class $[x^{-1}]$ and the neutral
equivalence class is the class [1], which coincides with the normal subgroup N .
Again we assume that G is modeled by the relational system (R, I, e) and
π, ρ : G×G ↔ G are the projection relations on G× G. Furthermore, we suppose
that the normal subgroup N ⊆ G is represented by the vector n : G ↔ 1 in the
sense of Section 2. Fundamental for obtaining a relational model of G/N is the
following calculation, where x, y ∈ G are arbitrarily chosen group elements:
$xy^{-1} \in N \iff \exists u : u_1 = x \wedge u_2 = y^{-1} \wedge u_1 u_2 \in N$
$\iff \exists u : \pi_{u,x} \wedge (\rho I^T)_{u,y} \wedge \exists z : u_1 u_2 = z \wedge z \in N$
$\iff \exists u : \pi_{u,x} \wedge (\rho I)_{u,y} \wedge \exists z : R_{u,z} \wedge n_z$   (as $I = I^T$)
$\iff \exists u : \pi^T_{x,u} \wedge (\rho I)_{u,y} \wedge \exists z : R_{u,z} \wedge (nL)_{z,y}$
$\iff \exists u : \pi^T_{x,u} \wedge (\rho I \cap RnL)_{u,y}$
$\iff (\pi^T(\rho I \cap RnL))_{x,y}$

In combination with the definition of relational equality the last expression of
this calculation yields the relation-algebraic description $E = \pi^T(\rho I \cap RnL)$.
Next, we apply a result of [2] saying that the relation $M\,inj(syq(M, S)L)^T$ is a
column-wise enumeration¹ of the set of all equivalence classes of an equivalence
relation S in the sense of Section 2. If we replace in this expression the relation
S by $\pi^T(\rho I \cap RnL)$ and use the corresponding membership-relation M of type
$G ↔ 2^G$ we get a relation-algebraic specification of the canonical epimorphism
f : G → G/N , where f(x) = [x], as follows:

$Cepi(R, I, n) = M\,inj(syq(M, \pi^T(\rho I \cap RnL))L)^T : G ↔ G/N$

Now, we are almost done. Define C := Cepi(R, I, n). Then we have for all
equivalence classes a, b, c ∈ G/N the following property:

$ab = c \iff \exists v : [v_1] = a \wedge [v_2] = b \wedge c = [v_1 v_2]$
$\iff \exists v : [v_1] = a \wedge [v_2] = b \wedge \exists x : [x] = c \wedge v_1 v_2 = x$
$\iff \exists v : (\pi C)_{v,a} \wedge (\rho C)_{v,b} \wedge \exists x : C_{x,c} \wedge R_{v,x}$
$\iff \exists v : [\pi C, \rho C]_{v,\langle a,b \rangle} \wedge (RC)_{v,c}$
$\iff \exists v : [\pi C, \rho C]^T_{\langle a,b \rangle,v} \wedge (RC)_{v,c}$
$\iff ([\pi C, \rho C]^T RC)_{\langle a,b \rangle,c}$

A consequence is the following relation-algebraic specification of the
multiplication relation of the quotient group G/N :

$Qmrel(R, I, n) = [\pi C, \rho C]^T RC : (G/N)×(G/N) ↔ G/N$

As in the case of direct products, also the inversion relation and the neutral
point of the quotient group G/N can be specified relation-algebraically using
the relational model (R, I, e) of the group G only. Doing so, we obtain C T IC :
G/N ↔ G/N for the inversion relation of G/N and C T e : G/N ↔ 1 for the
neutral point of G/N . However, contrary to direct products, now these “direct”
specifications are less efficient than the specifications based on the multiplication
relation of G/N . The reason is that the direct product (G/N ) × (G/N ) usually
is much smaller than the direct product G × G.
¹ It should be mentioned that [2] also contains an efficient relational program for
the column-wise enumeration of the equivalence classes, which avoids the use of a
membership-relation. We only use $M\,inj(syq(M, S)L)^T$ here to simplify presentation.
4 Relation-Algebraic Specification of Subgroup Lattices

Having modeled groups and two construction principles on them via relation al-
gebra, in this section we develop vector representations of the sets of subgroups
and normal subgroups, respectively. They immediately lead to column-wise enu-
merations of these sets and to specifications of the corresponding lattices.

4.1 Lattice of Subgroups

In what follows, we assume a group G that is modeled by the relational system
(R, I, e). A non-empty subset of G is a subgroup if it is closed with respect to
both group operations. If $S_G$ denotes the set of all subgroups of G, then the
ordered set $(S_G, ⊆)$ constitutes a lattice, called the subgroup lattice of G. In this
lattice Y ⊓ Z corresponds to the intersection Y ∩ Z and Y ⊔ Z to the
least subgroup of G containing the union Y ∪ Z. See e.g., [9,6].
Now, suppose G to be finite. Then Y ⊆ G is closed with respect to both group
operations iff it is closed with respect to the binary group operation only. The
latter characterization is the starting point of the following calculation, where
M : G ↔ 2G is a membership relation and π, ρ : G×G ↔ G are the projection
relations on G × G:
Y is a subgroup
$\iff Y \neq \emptyset \wedge \forall u : u_1 \in Y \wedge u_2 \in Y \to u_1 u_2 \in Y$
$\iff (\exists x : x \in Y) \wedge \forall u : u_1 \in Y \wedge u_2 \in Y \to \exists z : u_1 u_2 = z \wedge z \in Y$
$\iff (\exists x : x \in Y) \wedge \forall u : u_1 \in Y \wedge u_2 \in Y \to \exists z : R_{u,z} \wedge z \in Y$
$\iff (\exists x : M_{x,Y} \wedge L_x) \wedge \forall u : (\pi M)_{u,Y} \wedge (\rho M)_{u,Y} \to \exists z : R_{u,z} \wedge M_{z,Y}$
$\iff (M^T L)_Y \wedge \forall u : (\pi M)_{u,Y} \wedge (\rho M)_{u,Y} \to (RM)_{u,Y}$
$\iff (M^T L)_Y \wedge \neg\exists u : (\pi M)_{u,Y} \wedge (\rho M)_{u,Y} \wedge \overline{RM}_{u,Y}$
$\iff (M^T L)_Y \wedge \neg\exists u : (\pi M \cap \rho M \cap \overline{RM})^T_{Y,u} \wedge L_u$
$\iff (M^T L \cap \overline{(\pi M \cap \rho M \cap \overline{RM})^T L})_Y$

If we remove the subscript Y from the last expression of this calculation
following the vector representation of sets as introduced in Section 2 and apply
after that some well-known relation-algebraic rules to transpose² only a "row
vector" instead of relations of types $G ↔ 2^G$ and $G×G ↔ 2^G$, we get

$SgVect(R) = (L^T M \cap \overline{L^T(\pi M \cap \rho M \cap \overline{RM})})^T : 2^G ↔ 1$

as relation-algebraic specification of the vector representing $S_G$ as subset of $2^G$.


The column-wise enumeration of the set $S_G$ by

$SgList(R) = M\,inj(SgVect(R))^T : G ↔ S_G$

and the relation-algebraic specification of set inclusion on the set $S_G$, i.e., the
partial order relation of the subgroup lattice $(S_G, ⊆)$, by

$SgLat(R) = \overline{SgList(R)^T\,\overline{SgList(R)}} : S_G ↔ S_G$

are immediate consequences of the technique shown at the end of Section 2.
Using $\overline{L^T(M \cap \overline{IM})}^T : 2^G ↔ 1$ as vector representation of the subsets of G
closed with respect to inversion, it is possible to refine SgVect(R) to a relation-
algebraic specification that works for general groups. In regard to computability
by a computer system like RelView, the restriction to finite groups in the devel-
opment of SgVect(R) is irrelevant. Its only reason is to simplify the calculation
and to obtain a more efficient solution.

² Using a ROBDD-implementation of relations, transposition of a relation with domain
or range 1 only means to exchange domain and range; the ROBDD remains unchanged.
See [13] for details.

4.2 Lattice of Normal Subgroups

A subgroup Y of a group G is a normal subgroup if for all x ∈ G and y ∈ Y
we have $xyx^{-1} \in Y$. Also the set $N_G$ of normal subgroups of G can be made into
a lattice. In this lattice of normal subgroups $(N_G, ⊆)$ of G again greatest lower
bounds Y ⊓ Z correspond to intersections Y ∩ Z. Compared with the subgroup
lattice $(S_G, ⊆)$ of G, however, the description of the least upper bound of two
normal subgroups Y and Z is simpler. We have Y ⊔ Z = {yz | y ∈ Y, z ∈ Z}.
The lattice of normal subgroups is modular; for more details see e.g., [9,6].
Making again the assumptions that the (finite) group G is modeled by the
relational system (R, I, e), the above standard definition of normal subgroups is
our starting point for developing relation-algebraic specifications of the vector
description of NG , the column-wise enumeration of NG , and the partial order
relation of the lattice (NG , ⊆). Here is the decisive part of the development,
where Y ∈ SG is an arbitrarily chosen subgroup of G:

Y is a normal subgroup
$\iff \forall u : u_2 \in Y \to u_1 u_2 u_1^{-1} \in Y$
$\iff \forall u : (\rho M)_{u,Y} \to \exists v : u_1 u_2 = v_1 \wedge u_1^{-1} = v_2 \wedge v_1 v_2 \in Y$
$\iff \forall u : (\rho M)_{u,Y} \to \exists v : R_{u,v_1} \wedge (\pi I)_{u,v_2} \wedge v_1 v_2 \in Y$
$\iff \forall u : (\rho M)_{u,Y} \to \exists v : R_{u,v_1} \wedge (\pi I)_{u,v_2} \wedge \exists z : v_1 v_2 = z \wedge z \in Y$
$\iff \forall u : (\rho M)_{u,Y} \to \exists v : R_{u,v_1} \wedge (\pi I)_{u,v_2} \wedge \exists z : R_{v,z} \wedge M_{z,Y}$
$\iff \forall u : (\rho M)_{u,Y} \to \exists v : [R, \pi I]_{u,v} \wedge (RM)_{v,Y}$
$\iff \forall u : (\rho M)_{u,Y} \to ([R, \pi I]RM)_{u,Y}$
$\iff \neg\exists u : (\rho M)^T_{Y,u} \wedge \overline{[R, \pi I]RM}^T_{Y,u}$
$\iff \neg\exists u : (\rho M \cap \overline{[R, \pi I]RM})^T_{Y,u} \wedge L_u$
$\iff \overline{(\rho M \cap \overline{[R, \pi I]RM})^T L}_Y$

If we remove the subscript Y from the last expression, apply after that, as
in Section 4.1, some simple transformations to improve efficiency in view of
an implementation of relations via ROBDDs, and intersect the result with the
vector representation of the set of all subgroups of G, this leads to

$NsgVect(R, I) = SgVect(R) \cap \overline{L^T(\rho M \cap \overline{[R, \pi I]RM})}^T : 2^G ↔ 1$

as vector representing $N_G$ as subset of $2^G$. Immediate consequences are

$NsgList(R, I) = M\,inj(NsgVect(R, I))^T : G ↔ N_G$

as relation-algebraic specification of the column-wise enumeration of $N_G$ and

$NsgLat(R, I) = \overline{NsgList(R, I)^T\,\overline{NsgList(R, I)}} : N_G ↔ N_G$

as relation-algebraic specification of the partial order relation of the lattice of
normal subgroups $(N_G, ⊆)$.

5 Implementation and Examples

In order to illustrate our approach, in the following we give a short description
of the RelView system and show afterwards by means of three simple examples
some possibilities and special features of this tool.

5.1 The RelView-System


Relational algebra has a fixed and surprisingly small set of constants and op-
erations which – in the case of finite carrier sets – can be implemented very
efficiently. At Kiel University we have developed a visual computer system for
the visualization and manipulation of relations and for relational prototyping
and programming, called RelView. The tool is written in the C programming
language, uses ROBDDs for very efficiently implementing relations [12,13], and
makes full use of the X-windows graphical user interface. Details and applications
can be found, for instance, in [1,2,3,4,5].
One of the main purposes of the RelView tool is the evaluation of relation-
algebraic expressions. These are constructed from the relations of its workspace
using pre-defined operations (including the basic ones, symmetric quotient, and
pairing) and tests and user-defined relational functions and programs.
A relational program in RelView is much like a function procedure in the
programming languages Pascal or Modula 2, except that it only uses relations
as datatype. It starts with a head line containing the program name and the for-
mal parameters. Then the declaration of the local relational domains, functions,
and variables follows. Domain declarations can be used to introduce projection
relations. The third part of a RelView-program is the body, a while-program
over relations. Recursive calls of programs are allowed. As a RelView-program
computes a value, finally, its last part consists of a RETURN-clause, which essen-
tially is a relation-algebraic expression whose value after the execution of the
body is the result.
All relation-algebraic specifications we have developed so far immediately can
be translated into RelView-code. For example, the following relational pro-
gram SgVect is a RelView-implementation of the relation-algebraic specifica-
tion SgVect(R) of Section 4.1:
SgVect(R)
DECL PP = PROD(R^*R,R^*R);
pi, rho, M, L1, L2
BEG pi = p-1(PP);
rho = p-2(PP);
M = epsi(O1n(R)^);
L1 = L1n(R);
L2 = Ln1(R)^
RETURN (L1*M & -(L2 * (pi*M & rho*M & -(R*M))))^
END.
The first declaration introduces PP as a name for the direct product G×G. Using
PP, the projection relations are then computed by the first two assignments of
the body and stored as pi and rho. The next three assignments compute the
membership relation M : G ↔ 2G and two universal relations of type 1 ↔ G and
G×G ↔ 1, respectively. Finally, the RETURN-clause consists of a direct transla-
tion of the right-hand side of SgVect(R) into RelView-syntax.
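As an added example (not code from the paper or from RelView), the following Python script is a counterpart of the RelView program above: it represents relations as typed sets of pairs (the Boolean-matrix view of Section 2) and evaluates the specifications of Section 3.1 (neutral point and inversion relation from R alone) and of Sections 4.1 and 4.2 (SgVect and NsgVect) literally, on the multiplication table of the dihedral group D3 given in Section 5.3. The class `Rel` and the function names (`fork`, `sg_vect`, `nsg_vect`, ...) are my own; `&` is intersection, `*` is composition, `.T()` transposition and `.neg()` complementation.

```python
# Added example (not code from the paper or from RelView): relations as typed sets of pairs.
from itertools import combinations, product

ONE = ("⊥",)  # the singleton set 1 = {⊥} used as range of vectors v : X <-> 1

class Rel:
    """A relation R : X <-> Y, i.e. a subset of X x Y with its type recorded."""
    def __init__(self, dom, ran, pairs):
        self.dom, self.ran, self.pairs = tuple(dom), tuple(ran), frozenset(pairs)
    def __and__(self, other):  # intersection R ∩ S
        return Rel(self.dom, self.ran, self.pairs & other.pairs)
    def T(self):  # transposition R^T
        return Rel(self.ran, self.dom, {(y, x) for x, y in self.pairs})
    def neg(self):  # complementation (the overline of the paper)
        return Rel(self.dom, self.ran, set(product(self.dom, self.ran)) - self.pairs)
    def __mul__(self, other):  # composition R S
        succ = {}
        for y, z in other.pairs:
            succ.setdefault(y, set()).add(z)
        return Rel(self.dom, other.ran,
                   {(x, z) for x, y in self.pairs for z in succ.get(y, ())})
    def elems(self):  # the subset {x | v_x} represented by a vector v : X <-> 1
        return {x for x, _ in self.pairs}

def L(X, Y):  # universal relation L : X <-> Y
    return Rel(X, Y, product(X, Y))

def Id(X):  # identity relation I : X <-> X
    return Rel(X, X, {(x, x) for x in X})

def fork(R, S):  # pairing [R, S] : Z <-> X x Y with [R, S]_{z,<x,y>} iff R_{z,x} and S_{z,y}
    right = {}
    for z, y in S.pairs:
        right.setdefault(z, set()).add(y)
    return Rel(R.dom, tuple(product(R.ran, S.ran)),
               {(z, (x, y)) for z, x in R.pairs for y in right.get(z, ())})

def pi(X, Y):  # first projection pi := [I, L]^T : X x Y <-> X
    return fork(Id(X), L(X, Y)).T()

def rho(X, Y):  # second projection rho := [L, I]^T : X x Y <-> Y
    return fork(L(Y, X), Id(Y)).T()

def membership(X):  # M : X <-> 2^X with M_{x,Y} iff x in Y
    powerset = tuple(frozenset(c) for n in range(len(X) + 1) for c in combinations(X, n))
    return Rel(X, powerset, {(x, Y) for Y in powerset for x in Y})

def mult_relation(table):
    """Multiplication relation R : G x G <-> G of a group given by its Cayley table (Section 3.1)."""
    G, GG = tuple(table), tuple(product(table, table))
    return Rel(GG, G, {((a, b), table[a][b]) for a, b in GG})

def neutral_point(R):
    """e = neg(rho^T neg((pi ∩ R) L)) : G <-> 1, the neutral point computed from R alone."""
    G = R.ran
    return (rho(G, G).T() * ((pi(G, G) & R) * L(G, ONE)).neg()).neg()

def inversion_relation(R, e):
    """I = pi^T (rho ∩ R e L) : G <-> G, the inversion relation computed from R and e."""
    G = R.ran
    return pi(G, G).T() * (rho(G, G) & (R * e * L(ONE, G)))

def sg_vect(R):
    """SgVect(R) = (L^T M ∩ neg(L^T (pi M ∩ rho M ∩ neg(R M))))^T : 2^G <-> 1 (Section 4.1)."""
    G, GG = R.ran, R.dom
    M = membership(G)
    # pairs u with u1, u2 in Y but u1 u2 not in Y, i.e. witnesses that Y is not closed
    not_closed = pi(G, G) * M & rho(G, G) * M & (R * M).neg()
    return (L(G, ONE).T() * M & (L(GG, ONE).T() * not_closed).neg()).T()

def nsg_vect(R, I):
    """NsgVect(R, I) = SgVect(R) ∩ neg(L^T (rho M ∩ neg([R, pi I] R M)))^T : 2^G <-> 1 (Section 4.2)."""
    G, GG = R.ran, R.dom
    M = membership(G)
    # pairs u with u2 in Y but u1 u2 u1^-1 not in Y, i.e. witnesses that Y is not normal
    not_normal = rho(G, G) * M & (fork(R, pi(G, G) * I) * R * M).neg()
    return sg_vect(R) & (L(GG, ONE).T() * not_normal).neg().T()

def listed(vect):
    """Subsets selected by a vector over 2^G as sorted tuples (the columns of SgList/NsgList)."""
    return sorted((tuple(sorted(Y)) for Y in vect.elems()), key=lambda t: (len(t), t))

# Constructed input: the dihedral group D3 with the multiplication table of Section 5.3.
D3 = ("1", "r", "rr", "s", "sr", "srr")
D3_ROWS = (("1", "r", "rr", "s", "sr", "srr"), ("r", "rr", "1", "srr", "s", "sr"),
           ("rr", "1", "r", "sr", "srr", "s"), ("s", "sr", "srr", "1", "r", "rr"),
           ("sr", "srr", "s", "rr", "1", "r"), ("srr", "s", "sr", "r", "rr", "1"))
D3_TABLE = {a: dict(zip(D3, row)) for a, row in zip(D3, D3_ROWS)}

if __name__ == "__main__":
    R = mult_relation(D3_TABLE)
    e = neutral_point(R)
    I = inversion_relation(R, e)
    print("neutral:", e.elems(), "inverses:", sorted(I.pairs))
    print("subgroups:", listed(sg_vect(R)), "normal:", listed(nsg_vect(R, I)))
```

For D3 the script finds the six subgroups and the three normal subgroups ({1}, {1, r, rr} and D3 itself), the same sets RelView's SgList and NsgList would enumerate column-wise.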

5.2 A First Example

As already mentioned, the lattices of normal subgroups are modular. The same
is not true for subgroup lattices. This is e.g., shown in [9] by the subgroup
lattice of the alternating group A4 of the even permutations p1 , . . . , p12 on the
set {1, 2, 3, 4}. We have verified this example with the aid of RelView.
In doing so, we started with the following multiplication table of A4 , where the
number i, 1 ≤ i ≤ 12, abbreviates the permutation pi on the set {1, 2, 3, 4}. Using
cycle-notation these are specified as p1 = (), p2 = (1 2)(3 4), p3 = (1 3)(2 4),
p4 = (1 4)(2 3), p5 = (1 2 3), p6 = (1 3 2), p7 = (1 2 4), p8 = (1 4 2), p9 = (1 3 4),
p10 = (1 4 3), p11 = (2 3 4), and p12 = (2 4 3).
      1  2  3  4  5  6  7  8  9 10 11 12
  1   1  2  3  4  5  6  7  8  9 10 11 12
  2   2  1  4  3 12 10 11  9  8  6  7  5
  3   3  4  1  2  8 11 10  5 12  7  6  9
  4   4  3  2  1  9  7  6 12  5 11 10  8
  5   5  9 12  8  6  1  3 10 11  4  2  7
  6   6 11  7 10  1  5 12  4  2  8  9  3
  7   7 10  6 11  4  9  8  1  3 12  5  2
  8   8 12  9  5 11  3  1  7  6  2  4 10
  9   9  5  8 12  7  4  2 11 10  1  3  6
 10  10  7 11  6  2 12  5  3  1  9  8  4
 11  11  6 10  7  3  8  9  2  4  5 12  1
 12  12  8  5  9 10  2  4  6  7  3  1 11
Fig. 2. Enumeration of Subgroups and Subgroup Lattice of A4

In the next step we transformed the above table into the relational model of
A4 . Loading the relations of this model (which are too large to be presented
here) from an ASCII-file into RelView we then computed the subgroups of
A4 and the partial order relation of the subgroup lattice. In the two pictures of
Fig. 2 the results of these computations are shown. The 12 × 10 Boolean matrix
on the left-hand side column-wisely enumerates the 10 subgroups of A4 and
the directed graph on the right-hand side depicts the inclusion order on them
by means of the Hasse diagram. Additionally we have labeled three columns
of the enumeration matrix, where the labels indicate the permutations forming
the respective subgroup, drawn the corresponding nodes of the graph as black
circles, and emphasized the subgraph generated by the black nodes and the nodes
1, 10 by boldface arrows. From the relationships drawn as boldface arrows we
immediately see that the subgroup lattice of A4 contains a "pentagon sublattice"
N5 . Hence, the so-called M3 -N5 -theorem [6] implies that it is not modular.
We also have used RelView to compute the three normal subgroups of A4 and
the corresponding lattice. The latter forms a chain of length two, with a normal
subgroup N isomorphic to the Kleinian group V4 as element in the middle. The
three pictures of Fig. 3 concern the quotient group of A4 modulo this specific
normal subgroup N , i.e., the quotient group A4 /V4 . On the left-hand side the
equivalence relation E of Section 3.3 is shown, the columns of the matrix in the
middle enumerate the set A4/V4, and the matrix on the right-hand side is the
multiplication relation of the quotient group A4/V4 (which, obviously, coincides
with the multiplication relation of the cyclic group Z3).

Fig. 3. Quotient Construction A4/V4

Fig. 4. Column-wise Enumeration of the Normal Subgroups of V4 × D3

5.3 A Second Example


In the following, we treat a product construction. Assume D3 to be the dihedral
group of order 6. This group is generated by two elements, r and s say, such that
the equations r3 = 1 = s2 and rsr = s hold. From this description we obtain
D3 = {1, r, rr, s, sr, srr} and the following multiplication table:
1 r rr s sr srr
1 1 r rr s sr srr
r r rr 1 srr s sr
rr rr 1 r sr srr s
s s sr srr 1 r rr
sr sr srr s rr 1 r
srr srr s sr r rr 1
We have computed a relational model of the dihedral group D3 and combined
it with that of the Kleinian group V4 to get a relational model of the product
group V4 × D3 with RelView’s help. Again the latter model is too large to be
presented here; its multiplication relation has 576 rows and 24 columns.
Then we used the system to compute all normal subgroups of this product
group and the lattice of normal subgroups, too. The picture of Fig. 4 shows the
column-wise enumeration of the 21 normal subgroups of the group V4 × D3 by
a 24 × 21 Boolean matrix. A graphical representation of the lattice of normal
subgroups of V4 × D3 by means of the Hasse diagram is depicted in Fig. 5. From
it and again the M3-N5-theorem we obtain that the lattice of normal subgroups
of V4 × D3 is not distributive since it contains a “diamond sublattice” M3.

Fig. 5. The Lattice of Normal Subgroups of V4 × D3

To give an impression of the potential of RelView and the positive effects of
the ROBDD-implementation of relations, we want to mention that (on a Sun
Fire 880 workstation running Solaris 9 at 750 MHz) the system required 0.5
sec. to filter out from the 15 777 216 subsets of V4 × D3 those 21 subsets which
form normal subgroups and to compute the partial order relation of the lattice
of normal subgroups. We have also determined the 54 subgroups of V4 × D3 and
the relation/graph of the subgroup lattice. Here RelView required 0.4 sec. For
reasons of space we omit the corresponding RelView pictures.

5.4 A Third Example


When one is interested in the generation of a group G, the Frattini subgroup of G
[15] plays an important role. It is defined as the intersection of all maximal
(proper) subgroups of G and consists of the non-generating elements of G, i.e.,
of all elements x ∈ G such that whenever G = ⟨X⟩ then G = ⟨X \ {x}⟩.

Fig. 6. Maximal Subgroups and Frattini Subgroup of Z4 × Z4



The RelView-picture of Fig. 6 visualizes the computation of the Frattini
subgroup for the product group Z4 × Z4. It shows the Hasse diagram of the
subgroup lattice of Z4 × Z4 , where the three maximal subgroups are drawn as
squares, the Frattini subgroup is drawn as a black circle, and the intersection
relationships are emphasized as boldface arrows. The vector representing the
maximal subgroups is m := max (Q, gre(Q, L) ) and the point representing the
Frattini subgroup is glb(Q, m), where Q is the partial order relation of the sub-
group lattice and the relational functions max , gre, and glb specify maximal
elements, greatest elements, and greatest lower bounds following [14].
We have also used RelView to column-wisely enumerate the 15 subgroups
of Z4 × Z4 as a 16 × 15 Boolean matrix. From its 10th column we obtained (0, 0),
(0, 2), (2, 0), and (2, 2) as the elements of the Frattini subgroup of Z4 × Z4. This
is what we expected, as 0 and 2 are the non-generating elements of Z4. In
contrast with this example, the Frattini subgroups of all our former examples
V4, A4, A4/V4, D3, and V4 × D3 are trivial.
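As an added illustration of the three examples above (plain Python written for this page, not the RelView programs the paper describes; RelView works on ROBDD-represented relations, whereas this brute-forces small sets), the following computes subgroups, normal subgroups, the quotient A4/V4 and Frattini subgroups directly from multiplication tables, and checks the lattice laws the M3-N5-theorem is invoked for. Encoding A4 as the even permutations of four points and D3 as S3, and the product and quotient helpers, are my own choices.

```python
"""Subgroups, normal subgroups, quotients and Frattini subgroups of the small
groups of Sections 5.2-5.4, computed from multiplication tables by plain set
enumeration. Added example for this page; not the RelView code of the paper."""
from itertools import permutations, product


class Group:
    """Finite group as a Cayley table: indices 0..n-1, mul[i][j] = index of elems[i]*elems[j]."""

    def __init__(self, elems, op):
        self.elems = list(elems)
        index = {e: i for i, e in enumerate(self.elems)}
        self.n = n = len(self.elems)
        self.mul = [[index[op(a, b)] for b in self.elems] for a in self.elems]
        self.e = next(i for i in range(n) if self.mul[i] == list(range(n)))  # identity row
        self.inv = [self.mul[i].index(self.e) for i in range(n)]
        self._subs = None

    def closure(self, gens):
        """Subgroup generated by gens (inverses are positive powers in a finite group)."""
        sub = set(gens) | {self.e}
        while True:
            new = {self.mul[x][y] for x in sub for y in sub} - sub
            if not new:
                return frozenset(sub)
            sub |= new

    def subgroups(self):
        """All subgroups: join the cyclic subgroups repeatedly until nothing new appears."""
        if self._subs is None:
            subs = {self.closure([x]) for x in range(self.n)}
            frontier = set(subs)
            while frontier:
                new = {self.closure(h | k) for h in frontier for k in subs} - subs
                subs |= new
                frontier = new
            self._subs = subs
        return self._subs

    def is_normal(self, h):
        """h is normal iff x * y * x^-1 stays in h for all x in G and y in h."""
        return all(self.mul[self.mul[x][y]][self.inv[x]] in h
                   for x in range(self.n) for y in h)

    def normal_subgroups(self):
        return {h for h in self.subgroups() if self.is_normal(h)}

    def maximal_subgroups(self):
        proper = [h for h in self.subgroups() if len(h) < self.n]
        return {h for h in proper if not any(h < k for k in proper)}

    def frattini(self):
        """Intersection of all maximal subgroups (Section 5.4); G itself if there are none."""
        maxs = self.maximal_subgroups()
        return frozenset.intersection(*maxs) if maxs else frozenset(range(self.n))


def lattice_laws(g, subs):
    """(modular, distributive) for a family of subgroups closed under intersection
    (meet) and generated subgroup (join), e.g. all subgroups or all normal subgroups."""
    subs = list(subs)
    join = {(a, b): g.closure(a | b) for a in subs for b in subs}
    modular = all(join[a, c & b] == join[a, c] & b
                  for a in subs for b in subs if a <= b for c in subs)
    distributive = all(a & join[b, c] == join[a & b, a & c]
                       for a in subs for b in subs for c in subs)
    return modular, distributive


def cyclic_product(*mods):
    """Z_m1 x ... x Z_mk under componentwise addition (V4 = Z2 x Z2, Z4 x Z4)."""
    elems = product(*(range(m) for m in mods))
    return Group(elems, lambda a, b: tuple((x + y) % m for x, y, m in zip(a, b, mods)))


def perm_group(n, even_only=False):
    """S_n as tuples under composition, or A_n when even_only (D3 is S_3)."""
    def odd(p):
        return sum(p[j] > p[i] for i in range(n) for j in range(i)) % 2
    elems = [p for p in permutations(range(n)) if not (even_only and odd(p))]
    return Group(elems, lambda p, q: tuple(p[q[i]] for i in range(n)))


def direct_product(g, h):
    """G x H on pairs of indices (the paper's V4 x D3 of Section 5.3)."""
    return Group(product(range(g.n), range(h.n)),
                 lambda a, b: (g.mul[a[0]][b[0]], h.mul[a[1]][b[1]]))


def quotient(g, n):
    """G/N for a normal subgroup N: elements are the cosets xN (the classes of the
    equivalence relation E of Fig. 3), multiplied through representatives."""
    cosets = {frozenset(g.mul[x][y] for y in n) for x in range(g.n)}
    return Group(cosets, lambda a, b: frozenset(g.mul[g.mul[min(a)][min(b)]][y] for y in n))


if __name__ == "__main__":
    A4 = perm_group(4, even_only=True)
    print(len(A4.subgroups()), len(A4.normal_subgroups()))       # 10 3
    print(lattice_laws(A4, A4.subgroups()))                     # (False, False): N5 sublattice
    V4D3 = direct_product(cyclic_product(2, 2), perm_group(3))
    print(len(V4D3.subgroups()), len(V4D3.normal_subgroups()))  # 54 21
    print(lattice_laws(V4D3, V4D3.normal_subgroups()))          # (True, False): M3 sublattice
    Z4Z4 = cyclic_product(4, 4)
    print(sorted(Z4Z4.elems[i] for i in Z4Z4.frattini()))       # [(0, 0), (0, 2), (2, 0), (2, 2)]
```

The counts reproduce those reported in the text (10 and 3 for A4, 54 and 21 for V4 × D3, 15 for Z4 × Z4), and the law checks confirm the N5 and M3 sublattices the text reads off the Hasse diagrams.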

6 Conclusion
Besides the examples of Section 5 we have applied the RelView-programs resulting
from the relational specifications of Section 4 to other groups. Most
of them have been constructed as products of small groups (using RelView-
programs obtained from the specifications of Section 3.2), like D3 × D3 (26 subgroups;
10 are normal subgroups) and V4 × D3 × Z2 (236 subgroups; 83 are normal
subgroups). Due to the use of membership-relations, for groups with |G| ≥ 50
the computations can take a very long time or be completely infeasible, despite
the very efficient ROBDD-implementation of relations in RelView. Therefore,
we cannot compete with algorithms specifically tailored to the problems we
have treated (cf. e.g., the times of [10] for computing all normal subgroups).
Nowadays, systematic experiments are accepted as a way for obtaining new
mathematical insights. Hence, tools for experimental computations and visualizations
become increasingly important in many areas as one proceeds in the
investigation of new and more complex notions. We believe that the real attraction
of RelView in this respect lies in its flexibility, its manifold visualization
possibilities, and the concise form of its programs. RelView proved to be an
ideal tool for experimenting while avoiding unnecessary overhead. Programs are
built very quickly and their correctness is guaranteed by the completely formal
developments. For example, using Inf(R) = [R, R]ᵀ ∩ [R, R]ᵀ R : L×L ↔ L as
relation-algebraic specification of the lattice operation (infimum) in terms of the lattice’s
partial order relation R : L ↔ L, the program SgVect of Section 5.1 can immediately
be used for computing all sublattices of L. Thus, we have been able
to find out that, e.g., the 32-element Boolean lattice possesses exactly 12 084
sublattices, whereas only 52 of them are Boolean sublattices.
The advantages of the system when using it in teaching should also be mentioned
here. We found it very attractive to use RelView for producing
good examples. These have frequently proven to be the key for students
to fully understand an advanced concept. We have further recognized that
it is sometimes very helpful to demonstrate how a certain algorithm works. In
RelView this is possible by executing computations in a stepwise fashion.
Relation algebra easily allows one to specify the conjugacy relation on a group G
with multiplication relation R : G×G ↔ G as ρᵀ(RRᵀ ∩ πρᵀ)π : G ↔ G, where
π, ρ : G×G ↔ G are the projection relations on G × G. Based on this fact, we
presently investigate a procedure to get the normal subgroups of a group without
using a membership-relation, viz. as normal closures of the conjugacy classes.
We also combine relation algebra and RelView to solve many other problems
on orders and lattices and to visualize their solutions, like the test of order and
lattice properties, the enumeration of specific elements and subsets, questions
concerning concept lattices [8], and the construction of free lattices from partial
order relations on the generator set following [7]. Our ultimate aim is a library
of RelView-programs for order- and lattice-theoretical tasks that hides most of
the relational notions and notation and, therefore, facilitates the use of the tool
and its manifold possibilities for people who are not specialists in relation algebra.

References
1. Behnke R., et al.: RelView – A system for calculation with relations and relational
programming. In: Astesiano E. (ed.): Proc. 1st Conf. Fundamental Approaches to
Software Engineering, LNCS 1382, Springer, 318-321 (1998).
2. Berghammer R., Hoffmann T.: Modelling sequences within the RelView system.
J. Universal Comput. Sci. 7, 107-13 (2001).
3. Berghammer R., Neumann F.: RelView – An OBDD-based computer algebra sys-
tem for relations. In: Ganzha V.G. et al. (eds.): Proc. 8th Int. Workshop Computer
Algebra in Scientific Computing, LNCS 3718, Springer, 40-51 (2005).
4. Berghammer R.: Computation of cut completions and concept lattices using rela-
tional algebra and RelView. J. Rel. Meth. in Comput. Sci. 1, 50-72 (2004).
5. Berghammer R., Leoniuk B., Milanese U.: Implementation of relation algebra using
binary decision diagrams. In: de Swart H. (ed.): Proc. 6th Int. Workshop Relational
Methods in Computer Science, LNCS 2561, Springer, 241-257 (2002).
6. Davey B.A., Priestley H.A.: Introduction to lattices and order. Cambridge Univ.
Press (1990).
7. Freese R., Jezek J., Nation J.B.: Free lattices. Mathematical Surveys and Mono-
graphs, Vol. 42, American Math. Society (1995).
8. Ganter B., Wille R.: Formal concept analysis. Springer (1999).
9. Hermes H.: Introduction to lattice theory (in German). Springer, 2nd ed. (1967).
10. Hulpke A.: Computing normal subgroups. In: Proc. Int. Symposium on Symbolic
and Algebraic Computation, ACM Press, 194-198 (1998).
11. Lang S.: Algebra. Springer, rev. 3rd ed. (2002).
12. Leoniuk B.: ROBDD-based implementation of relational algebra with applications
(in German). Ph.D. thesis, Inst. für Informatik und Prak. Math., Univ. Kiel (2001).
13. Milanese U.: On the implementation of a ROBDD-based tool for the manipulation
and visualization of relations (in German). Ph.D. thesis, Inst. für Informatik und
Prak. Math., Univ. Kiel (2003).
14. Schmidt G., Ströhlein T.: Relations and graphs. Springer (1993).
15. Schmidt R.: Subgroup lattices of groups, de Gruyter (1994).
16. Tarski A.: On the calculus of relations. J. Symb. Logic 6, 73-89 (1941).
On the Complexity of the Equational Theory of
Relational Action Algebras

Wojciech Buszkowski

Faculty of Mathematics and Computer Science, Adam Mickiewicz University in Poznań
Faculty of Mathematics and Computer Science, University of Warmia and Mazury in Olsztyn
[email protected]

Abstract. Pratt [22] defines action algebras as Kleene algebras with
residuals. In [9] it is shown that the equational theory of *-continuous
action algebras (lattices) is Π⁰₁-complete. Here we show that the equational
theory of relational action algebras (lattices) is Π⁰₁-hard, and
some of its fragments are Π⁰₁-complete. We also show that the equational
theory of action algebras (lattices) of regular languages is Π⁰₁-complete.

1 Introduction

A Kleene algebra is an algebra A = (A, ∨, ·, ∗, 0, 1) such that (A, ∨, 0) is a join
semilattice with the least element 0, (A, ·, 1) is a monoid, product · distributes
over join ∨, 0 is an annihilator for product, and ∗ is a unary operation on A,
fulfilling the conditions:

1 ∨ aa∗ ≤ a∗ , 1 ∨ a∗a ≤ a∗ , (1)

ab ≤ b ⇒ a∗b ≤ b , ba ≤ b ⇒ ba∗ ≤ b , (2)

for all a, b ∈ A. One defines: a ≤ b iff a ∨ b = b. The notion of a Kleene algebra
has been introduced by Kozen [15,16] to provide an algebraic axiomatization
of the algebra of regular expressions. Regular expressions on an alphabet Σ
can be defined as terms of the first-order language of Kleene algebras whose
variables are replaced by symbols from Σ (treated as individual constants). Each
regular expression α on Σ denotes a regular language L(α) ⊆ Σ∗. The Kozen
completeness theorem states that L(α) = L(β) if and only if α = β is valid in
Kleene algebras.
The class of Kleene algebras is a quasi-variety, but not a variety. Redko [23]
shows that the equations true for regular expressions cannot be axiomatized
by any finite set of equations. Pratt [22] shows that the situation is different
for Kleene algebras with residuals, called action algebras. An action algebra

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 106–119, 2006.
© Springer-Verlag Berlin Heidelberg 2006

is a Kleene algebra A supplied with two binary operations /, \, fulfilling the
equivalences:

ab ≤ c ⇔ a ≤ c/b ⇔ b ≤ a\c , (3)

for all a, b, c ∈ A. Operations /, \ are called the left and right residual, respec-
tively, with respect to product. Pratt writes a → b for a\b and a ← b for a/b;
we use the slash notation of Lambek [18]. Pratt [22] proves that the class of
action algebras is a finitely based variety. Furthermore, in the language without
residuals, the equations true in all action algebras are the same as those true in
all Kleene algebras. Consequently, in the language with residuals, one obtains a
finite, equational axiomatization of the algebra of regular expressions.
On the other hand, the logic of action algebras differs in many essential aspects
from the logic of Kleene algebras. Although regular languages are (effectively)
closed under residuals, the Kozen completeness theorem is not true for terms
with residuals. For instance, since L(a) = {a}, L(a/a) = {ε}, while a/a = 1
is not true in action algebras (one only gets 1 ≤ a/a). It is known that L(α) =
L(β) iff α = β is valid in relational algebras (α, β do not contain residuals).
Consequently, the equational theory of Kleene algebras equals the equational
theory of relational Kleene algebras. This is not true for action algebras (see
below).
A Kleene algebra is said to be *-continuous, if xa∗y = sup{xaⁿy : n ∈ ω}, for
all elements x, a, y. Relational algebras with operations defined in the standard
way and algebras of (regular) languages are *-continuous. The equational theory
of Kleene algebras equals the equational theory of *-continuous Kleene algebras.
Again, it is not the case for action algebras. The equational theory of all action
algebras is recursively enumerable (it is not known if it is decidable), while
the equational theory of *-continuous action algebras is Π10 −complete [9], and
consequently, it possesses no recursive axiomatization.
In this paper we study the complexity of relational action algebras and lat-
tices. An action lattice is an action algebra A supplied with meet ∧ such that
(A, ∨, ∧) is a lattice; Kleene lattices are defined in a similar way. If K is a class of
algebras, then Eq(K) denotes the equational theory of K, this means, the set of
all equations valid in K. KA, KL, ACTA, ACTL will denote the classes of Kleene
algebras, Kleene lattices, action algebras, and action lattices, respectively. KA*
denotes the class of *-continuous Kleene algebras, and similarly for the other
classes.
Let U be a set. P(U²) (the powerset of U²) is the set of all binary relations
on U. For R, S ⊆ U², one defines: R ∨ S = R ∪ S, R ∧ S = R ∩ S, R · S = R ◦ S,
1 = I_U = {(x, x) : x ∈ U}, 0 = ∅, R⁰ = I_U, Rⁿ⁺¹ = Rⁿ ◦ R, R∗ = ⋃_{n∈ω} Rⁿ,
and:

R/S = {(x, y) ∈ U² : {(x, y)} ◦ S ⊆ R} , (4)

R\S = {(x, y) ∈ U² : R ◦ {(x, y)} ⊆ S} , (5)



P(U²) with so-defined operations and designated elements is an action lattice
(it is a complete lattice). Algebras of this form will be called relational action
lattices; without meet, they will be called relational action algebras. Omitting
residuals, one gets relational Kleene lattices and algebras, respectively. RKA,
RKL, RACTA, RACTL will denote the classes of relational Kleene algebras,
relational Kleene lattices, relational action algebras and relational action lattices,
respectively.
All relational algebras and lattices, mentioned above, are *-continuous. Consequently,
Eq(KA) ⊆ Eq(KA*) ⊆ Eq(RKA), and similar inclusions are true for
classes KL, KL*, RKL, classes ACTA, ACTA*, RACTA, and classes ACTL,
ACTL*, RACTL. It is known that Eq(KA) = Eq(KA*) = Eq(RKA) (this follows
from the Kozen completeness theorem and the fact mentioned in the third
paragraph of this section). We do not know if Eq(KL) = Eq(KL*). All relational
Kleene lattices are distributive lattices, but there exist nondistributive *-
continuous Kleene lattices, which yields Eq(KL*) ≠ Eq(RKL). Since Eq(ACTA)
is Σ⁰₁, and Eq(ACTA*) is Π⁰₁-complete, then Eq(ACTA) ≠ Eq(ACTA*); also,
Eq(ACTL) ≠ Eq(ACTL*), for similar reasons [9].
It is easy to show that Eq(ACTA*) (resp. Eq(ACTL*)) is strictly contained
in Eq(RACTA) (resp. Eq(RACTL)); see section 2. Then, Π⁰₁-completeness of
the former theory does not directly provide any information on the complexity
of the latter. In section 3, we prove that Eq(RACTA) and Eq(RACTL) are
Π⁰₁-hard. The argument is similar to that in [9] which yields Π⁰₁-hardness
of Eq(ACTA*) and Eq(ACTL*): we show that the total language problem for
context-free grammars is reducible to Eq(RACTL) and Eq(RACTA).
We do not know whether Eq(RACTA) and Eq(RACTL) are Π⁰₁. In [21], it
has been shown that Eq(ACTA*) and Eq(ACTL*) are Π⁰₁, using an infinitary
logic for ACTL* [9], which satisfies the cut-elimination theorem and a theorem
on elimination of negative occurrences of *. The elimination procedure replaces
each negative occurrence of α∗ by the disjunction 1 ∨ α ∨ . . . ∨ αⁿ, for some n ∈ ω.
As a result, one obtains expressions which contain 1. Unfortunately, the exact
complexity of Eq(RACTA), Eq(RACTL) is not known; without * they are Σ⁰₁.
Andréka and Mikulás [1] prove a representation theorem for residuated meet
semilattices which implies that, in language with ∧, ·, /, \ only, order formulas
α ≤ β valid in RACTL possess a cut-free, finitary axiomatization (the Lambek
calculus admitting meet and empty antecedents of sequents), and consequently,
the validity problem for such formulas is decidable (other results and proofs
can be found in [10,8]). We use this fact in section 3 (lemma 2) to prove the
results mentioned in the above paragraph and to prove Π⁰₁-completeness of
some fragments of Eq(RACTL).
In section 4, we consider analogous questions for the equational theory of
action algebras (lattices) of regular languages, and we show that this theory is
Π⁰₁-complete. We use the completeness of the product-free fragment L (with ∧)
with respect to algebras of regular languages; the proof is a modification of the
proof of finite model property for this system [5,7].

Our results show that there exists no finitary dynamic logic (like PDL), com-
plete with respect to standard relational frames, which handles programs formed
by residuals and regular operations. Programs with residuals can express the
weakest prespecification and postspecification of a program and related condi-
tions; see Hoare and Jifeng [13].

2 Sequent Systems
To provide a cut-free axiom system for the logic of *-continuous action algebras
(lattices) it is expedient to consider sequents of the form Γ ⇒ α such that Γ is
a finite sequence of terms (of the first-order language of these algebras), and α
is a term. (Terms are often called formulas.) Given an algebra A, an assignment
is a homomorphism f from the term algebra to A; one defines f(Γ) by setting:
f(ε) = 1, f(α1, . . . , αn) = f(α1) · · · · · f(αn). One says that Γ ⇒ α is true in
A under f , if f (Γ ) ≤ f (α). Clearly, f (α) = f (β) iff both f (α) ≤ f (β) and
f (β) ≤ f (α). A sequent is said to be true in A, if it is true in A under any
assignment, and valid in a class K, if it is true in all algebras from K. Since
Eq(K) and the set of sequents valid in K are simply interpretable in each other,
then the complexity of one of these sets equals the complexity of the other.
The sequents valid in ACTL* can be axiomatized by the following system.
The axioms are:

(I) α ⇒ α ,   (1) ⇒ 1 ,   (0) α, 0, β ⇒ γ , (6)

and the inference rules are (premises above the line, conclusion below):

Γ, α, Δ ⇒ γ ;  Γ, β, Δ ⇒ γ            Γ ⇒ αᵢ
―――――――――――――――――――――――――――            ――――――――――――――   (7)
    Γ, α ∨ β, Δ ⇒ γ                    Γ ⇒ α₁ ∨ α₂

   Γ, αᵢ, Δ ⇒ γ                    Γ ⇒ α ;  Γ ⇒ β
――――――――――――――――――――――            ――――――――――――――――――   (8)
 Γ, α₁ ∧ α₂, Δ ⇒ γ                   Γ ⇒ α ∧ β

 Γ, α, β, Δ ⇒ γ                    Γ ⇒ α ;  Δ ⇒ β
――――――――――――――――――――――            ――――――――――――――――――   (9)
 Γ, α · β, Δ ⇒ γ                     Γ, Δ ⇒ α · β

Γ, α, Δ ⇒ γ ;  Φ ⇒ β                 Γ, β ⇒ α
――――――――――――――――――――――――            ――――――――――――――   (10)
 Γ, α/β, Φ, Δ ⇒ γ                    Γ ⇒ α/β

Γ, β, Δ ⇒ γ ;  Φ ⇒ α                 α, Γ ⇒ β
――――――――――――――――――――――――            ――――――――――――――   (11)
 Γ, Φ, α\β, Δ ⇒ γ                    Γ ⇒ α\β

   Γ, Δ ⇒ α
――――――――――――――――   (12)
 Γ, 1, Δ ⇒ α

(Γ, αⁿ, Δ ⇒ β)_{n∈ω}                Γ₁ ⇒ α ; . . . ; Γₙ ⇒ α
―――――――――――――――――――――――            ――――――――――――――――――――――――――   (13)
  Γ, α∗, Δ ⇒ β                       Γ₁, . . . , Γₙ ⇒ α∗
These rules are typical left- and right-introduction rules for Gentzen-style
sequent systems. For each pair of rules, the left-hand rule will be denoted by
(operation-L), and the right-hand rule by (operation-R). For instance, rules (7)

will be denoted (∨-L) and (∨-R), respectively. Rule (12) will be denoted (1-L).
Rule (*-L) is an infinitary rule (a kind of ω-rule); here αⁿ stands for the
sequence of n copies of α. (*-R) denotes an infinite set of finitary rules: one for
any fixed n ∈ ω. For n = 0, (*-R) has the empty set of premises, so it is, actually,
an axiom ⇒ α∗; this yields 1 ⇒ α∗, by (1-L).
Without * and rules (13), the system is known as Full Lambek Calculus (FL);
see Ono [19], Jipsen [14]. The rule (CUT):
Γ, α, Δ ⇒ β ;  Φ ⇒ α
――――――――――――――――――――――   (14)
  Γ, Φ, Δ ⇒ β
is admissible in FL, this means: if both premises are provable in FL, then the
conclusion is provable in FL [19]. The (·, /, \)−fragment of FL is the Lambek
calculus L (admitting empty antecedents of sequents), introduced by Lambek [18]
(in a form not admitting empty antecedents) who has proved the cut-elimination
theorem for L.
A residuated lattice is an algebra A = (A, ∨, ∧, ·, /, \, 0, 1) such that (A, ∨, ∧)
is a lattice with the least element 0, (A, ·, 1) is a monoid, and /, \ are residuals
for product (they fulfill (3)). It is known that FL is complete with respect to
residuated lattices: a sequent is provable in FL iff it is valid in the class of
residuated lattices. A residuated monoid is a structure A = (A, ≤, ·, /, \, 1) such
that (A, ≤) is a poset, (A, ·, 1) is a monoid, and /, \ are residuals for product.
L is complete with respect to residuated monoids. These completeness theorems
can be proved in a standard way: soundness is obvious, and completeness can
be shown by the construction of a Lindenbaum algebra. Residuated monoids
and lattices are applied in different areas of logic and computer science; see e.g.
[19,20,6].
The following monotonicity conditions are true in all residuated monoids: if
a ≤ c and b ≤ d, then ab ≤ cd, a/d ≤ c/b, d\a ≤ b\c (in lattices also: a∨b ≤ c∨d,
a ∧ b ≤ c ∧ d, in action algebras also: a∗ ≤ c∗ ).
FL with * and rules (13) has been introduced in [9] and denoted by ACTω.
The set of provable sequents can be defined in the following way. For a set X, of
sequents, C(X) is defined as the set of all sequents derivable from sequents from
X by a single application of some inference rule (axioms are treated as inference
rules with the empty set of premises). Then, C(∅) is the set of all axioms. One
defines a transfinite chain Cζ, for ordinals ζ, by setting: C0 = ∅, Cζ+1 = C(Cζ),
Cλ = ⋃_{ζ<λ} Cζ. Since C is a monotone operator and C0 ⊆ C1, then Cζ ⊆ Cζ+1,
for all ζ, and consequently, Cζ ⊆ Cη whenever ζ < η. The join of this chain
equals the set of sequents provable in ACTω. The rank of a provable sequent
equals the least ζ such that this sequent belongs to Cζ .
The cut-elimination theorem for ACTω is proved in [21] by a triple induction:
(1) on the complexity of formula α in (CUT), (2) on the rank of Γ, α, Δ ⇒ β,
(3) on the rank of Φ ⇒ α (following an analogous proof for L in [4]). Let us
show one case of induction (1): α = γ ∗ . Assume that Γ, α, Δ ⇒ β and Φ ⇒ α
are provable. We start induction (2). If the left premise is an axiom (I), then
the conclusion of (CUT) is the right premise. If the left premise is an axiom (0),
then the conclusion of (CUT) is also an axiom (0). Assume that the left premise

gets its rank on the basis of an inference rule R; then, each premise of R is of
a smaller rank. If R is any rule, not introducing the designated occurrence of
α, then we directly apply the hypothesis of induction (2). If R introduces the
designated occurrence of α, then R is (*-L) with premises Γ, γ n , Δ ⇒ β, for all
n ∈ ω. We start induction (3). If Φ ⇒ α is an axiom (I), then the conclusion
of (CUT) is the left premise of (CUT). If Φ ⇒ α is an axiom (0), then the
conclusion of (CUT) is also an axiom (0). If Φ ⇒ α is a conclusion of (*-R), then
the premises are Φ1 ⇒ γ, . . ., Φn ⇒ γ, for some n ∈ ω. For n = 0, we get Φ = ε,
and the conclusion of (CUT) is the premise of (*-L) for n = 0. For n > 0, one
of the premises of (*-L) is Γ, γ n , Δ ⇒ β, and we use n times the hypothesis of
induction (1). If Φ ⇒ α is a conclusion of a rule different from (*-R), then we
directly apply the hypothesis of induction (3).
Since the rule (CUT) is admissible in ACTω, then a standard argument yields
the completeness of ACTω with respect to *-continuous action lattices [21].
Soundness is obvious, and completeness can be shown by the construction of a
Lindenbaum algebra. Using (1-L),(*-L) and (*-R), one easily proves 1 ⇒ α∗ ,
α, α∗ ⇒ α∗ and, using (CUT), derives the following rules:
 α, β ⇒ β              β, α ⇒ β
――――――――――――――        ――――――――――――――   (15)
 α∗, β ⇒ β             β, α∗ ⇒ β
and consequently, the Lindenbaum algebra is an action lattice. By (*-L), it is
*-continuous.
Since ACTω is cut-free, then it possesses the subformula property: every prov-
able sequent admits a proof in which all sequents consist of subformulas of for-
mulas appearing in this sequent. In particular, ACTω is a conservative extension
of all its fragments, obtained by a restriction of the language, e.g. L, FL, the
∨−free fragment, the ∧−free fragment, and so on. All *-free fragments are fini-
tary cut-free systems, admitting a standard proof-search decision procedure. So,
they are decidable.
Now, we show that Eq(ACTA*) ≠ Eq(RACTA). In relational algebras, for
R, S ⊆ I_U, we have R ◦ S = R ∩ S. Fix a variable p. In L, from p ⇒ p, one
infers ⇒ p/p, by (/-R). Then, 1 ⇒ 1 yields 1/(p/p) ⇒ 1, by (/-L). So, the
sequent 1/(p/p) ⇒ (1/(p/p)) · (1/(p/p)) is valid in RACTA. It is not valid in
ACTA*, since it is not provable in L. (Use the proof-search procedure; notice
that ⇒ p, p/p ⇒ 1, ⇒ 1/(p/p) are not provable.) The same example shows
Eq(ACTL*) ≠ Eq(RACTL) (another proof: the distribution of ∧ over ∨ is not
valid in ACTL*, since it is not provable in FL).
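The relational facts this paragraph relies on, R ◦ S = R ∩ S for R, S ⊆ I_U and hence the validity of 1/(p/p) ⇒ (1/(p/p))·(1/(p/p)) in RACTA, together with the failure of a/a = 1 noted in Section 1, can be checked mechanically on a small carrier. The following is an added example written for this page (not code from the paper) that implements P(U²) with the operations (4) and (5) and brute-forces these checks, as well as the residuation law (3) and the Kleene axioms (1), (2), over all relations on U = {0, 1}.

```python
"""The relational action lattice P(U^2) of Section 1, eqs. (4) and (5), on a
small carrier U, with brute-force checks of the laws the text appeals to.
Added example written for this page in plain Python, not code from the paper."""
from itertools import product


def identity(u):
    """1 = I_U = {(x, x) : x in U}."""
    return frozenset((x, x) for x in u)


def all_relations(u):
    """Every R ⊆ U^2 as a frozenset of pairs; there are 2^(|U|^2) of them."""
    pairs = list(product(u, repeat=2))
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, b in zip(pairs, bits) if b)


def compose(r, s):
    """R ∘ S = {(x, z) : (x, y) ∈ R and (y, z) ∈ S for some y}."""
    return frozenset((x, z) for (x, y) in r for (y2, z) in s if y == y2)


def star(r, u):
    """R* = union of R^n over n ∈ ω; on a finite U the powers stop adding pairs."""
    acc = power = identity(u)
    while True:
        power = compose(power, r)
        if power <= acc:
            return acc
        acc |= power


def left_residual(r, s, u):
    """R/S = {(x, y) ∈ U^2 : {(x, y)} ∘ S ⊆ R}   (eq. (4))."""
    return frozenset((x, y) for x in u for y in u
                     if compose(frozenset([(x, y)]), s) <= r)


def right_residual(r, s, u):
    """R\\S = {(x, y) ∈ U^2 : R ∘ {(x, y)} ⊆ S}   (eq. (5))."""
    return frozenset((x, y) for x in u for y in u
                     if compose(r, frozenset([(x, y)])) <= s)


def residuation_holds(u):
    """Eq. (3): ab ≤ c iff a ≤ c/b iff b ≤ a\\c, checked over all triples."""
    rels = list(all_relations(u))
    return all((compose(a, b) <= c)
               == (a <= left_residual(c, b, u))
               == (b <= right_residual(a, c, u))
               for a in rels for b in rels for c in rels)


def kleene_axioms_hold(u):
    """Eqs. (1) and (2) for all a, b ⊆ U^2."""
    rels, one = list(all_relations(u)), identity(u)
    unfold = all(one | compose(a, star(a, u)) <= star(a, u)
                 and one | compose(star(a, u), a) <= star(a, u) for a in rels)
    induct = all((not compose(a, b) <= b or compose(star(a, u), b) <= b)
                 and (not compose(b, a) <= b or compose(b, star(a, u)) <= b)
                 for a in rels for b in rels)
    return unfold and induct


def subidentity_sequent_valid(u):
    """Section 2's argument: for R, S ⊆ I_U we have R ∘ S = R ∩ S, and
    t = 1/(p/p) lies below 1, so t ≤ t·t for every p, i.e. the sequent
    1/(p/p) ⇒ (1/(p/p))·(1/(p/p)) is valid in every relational action algebra."""
    one = identity(u)
    subids = [r for r in all_relations(u) if r <= one]
    if not all(compose(r, s) == r & s for r in subids for s in subids):
        return False
    for p in all_relations(u):
        t = left_residual(one, left_residual(p, p, u), u)
        if not (t <= one and t <= compose(t, t)):
            return False
    return True


def a_over_a_witness(u):
    """1 ≤ a/a holds for every relation a, yet a/a = 1 does not: the first
    relation found with a/a ≠ I_U is returned (it is ∅, since ∅/∅ = U^2)."""
    one = identity(u)
    for p in all_relations(u):
        q = left_residual(p, p, u)
        if not one <= q:
            raise AssertionError("1 ≤ a/a must hold in P(U^2)")
        if q != one:
            return p
    return None


if __name__ == "__main__":
    U = (0, 1)
    print(residuation_holds(U), kleene_axioms_hold(U), subidentity_sequent_valid(U))  # True True True
    print(sorted(a_over_a_witness(U)))  # []  (the empty relation)
```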
We define positive and negative occurrences of subterms in terms: α is positive
in α; if γ is positive (resp. negative) in α or β, then it is positive (resp. negative)
in α ∨ β, α ∧ β, α · β, α∗ ; if γ is positive (resp. negative) in β, then it is positive
(resp. negative) in β/α, α\β; if γ is positive (resp. negative) in α, then it is
negative (resp. positive) in β/α, α\β.
For n ∈ ω, let α≤n denote α0 ∨ . . . ∨ αn ; here αi stands for the product of i
copies of α and α0 is the constant 1. We define two term transformations Pn ,
Nn , for any n ∈ ω [9]. Roughly, Pn (γ) (resp. Nn (γ)) arises from γ by replacing
any positive (resp. negative) subterm of the form α∗ by α≤n .

Pn(α) = Nn(α) = α ,  if α is a variable or a constant, (16)
Pn(α ◦ β) = Pn(α) ◦ Pn(β) ,  for ◦ = ∨, ∧, · , (17)
Nn(α ◦ β) = Nn(α) ◦ Nn(β) ,  for ◦ = ∨, ∧, · , (18)
Pn(α/β) = Pn(α)/Nn(β) ,  Pn(α\β) = Nn(α)\Pn(β) , (19)
Nn(α/β) = Nn(α)/Pn(β) ,  Nn(α\β) = Pn(α)\Nn(β) , (20)
Pn(α∗) = (Pn(α))^{≤n} ,  Nn(α∗) = (Nn(α))∗ . (21)
For a sequent Γ ⇒ α, we set Nn(Γ ⇒ α) = Pn(Γ) ⇒ Nn(α), where:

Pn(ε) = ε ,  Pn(α1, . . . , αk) = Pn(α1), . . . , Pn(αk) . (22)

A term occurs positively (resp. negatively) in Γ ⇒ α if it occurs positively (resp.
negatively) in α or negatively (resp. positively) in Γ.
Palka [21] proves the following theorem on elimination of negative occurrences
of *: for any sequent Γ ⇒ α, this sequent is provable in ACTω iff, for all n ∈ ω,
the sequent Nn (Γ ⇒ α) is provable in ACTω.
As a consequence of this theorem, the set of sequents provable in ACTω is
Π⁰₁. Indeed, the condition

Nn(Γ ⇒ α) is provable in ACTω (23)

is recursive, since Nn(Γ ⇒ α) contains no negative occurrences of *, whence it
is provable in ACTω iff it is provable in ACTω⁻, i.e. ACTω without rule (*-L),
and the latter system is finitary and admits an effective proof-search procedure.
Actually, no result of the present paper relies upon Palka’s theorem except for
some remark at the end of section 3.

3 Eq(RACTL) and Eq(RACTA) Are Π⁰₁-Hard

A context-free grammar is a quadruple G = (Σ, N, s, P) such that Σ, N are
disjoint, finite alphabets, s ∈ N, and P is a finite set of production rules of the
form p → x such that p ∈ N, x ∈ (Σ ∪ N)∗. Symbols in Σ are called terminal
symbols and symbols in N are called nonterminal symbols. The relation ⇒G
is defined as follows: x ⇒G y iff, for some z, u, v ∈ (Σ ∪ N)∗, p ∈ N, we have
x = upv, y = uzv and (p → z) ∈ P. The relation ⇒∗G is the reflexive and
transitive closure of ⇒G. The language of G is the set:

L(G) = {x ∈ Σ∗ : s ⇒∗G x} . (24)

A context-free grammar G is said to be ε-free, if x ≠ ε, for any rule p → x in
P. If G is ε-free, then ε ∉ L(G). The following problem is Π⁰₁-complete [12]: for
any context-free grammar G, decide if L(G) = Σ∗. Since the problem if ε ∈ L(G)
is decidable, and every grammar G can be effectively transformed into an ε-free
grammar G′ such that L(G′) = L(G) − {ε}, then also the following problem is
Π⁰₁-complete: for any ε-free context-free grammar G, decide if L(G) = Σ⁺ [9].
Types will be identified with (/)−terms of the language of ACTω, this means,
terms formed out of variables by means of / only. A Lambek categorial grammar
is a tuple G = (Σ, I, s) such that Σ is a finite alphabet, I is a finite relation
between symbols from Σ and types, and s is a designated variable. For a ∈ Σ,
I(a) denotes the set of all types α such that aIα. (The relation I is called the
initial type assignment of G.) For a string a1 . . . an ∈ Σ + , ai ∈ Σ, and a type
α, we write a1 . . . an →G α if there are α1 ∈ I(a1 ), . . ., αn ∈ I(an ) such that
α1 , . . . , αn ⇒ α is provable in L. We define the language of G as the set of all
x ∈ Σ + such that x →G s. (Notice that we omit commas between symbols in
strings on Σ, but we write them in sequences of terms appearing in sequents.) In
general, Lambek categorial grammars admit types containing ·, \ and, possibly,
other operations [6], but we do not employ such grammars in this paper.
It is well-known that, for any ε-free context-free grammar G, one can effectively
construct a Lambek categorial grammar G′ with the same alphabet Σ
and such that L(G) = L(G′); furthermore, the relation I of G′ employs very
restricted types only: of the form p, p/q, (p/q)/r, where p, q, r are variables.
This fact has been proved in [2] for classical categorial grammars and extended
to Lambek categorial grammars by several authors; see e.g. [4,9]. One uses the
fact that, for sequents Γ ⇒ s such that Γ is a finite sequence of types of the
above form and s is a variable, Γ reduces to s in the sense of classical categorial
grammars iff Γ ⇒ s is provable in L.
Consequently, the problem if L(G) = Σ⁺, for Lambek categorial grammars G,
is Π⁰₁-complete. In [9] it is shown that this problem is reducible to the decision
problem for ACTω. Then, Eq(ACTL*) is Π⁰₁-hard, and the same holds for
Eq(ACTA*). Below we show that this reduction also yields the Π⁰₁-hardness of
Eq(RACTL) and Eq(RACTA).
Let G = (Σ, I, s) be a Lambek categorial grammar. We can assume I(a) ≠ ∅,
for any a ∈ Σ; otherwise L(G) ≠ Σ⁺ immediately. We can also assume that all
types involved in I are of one of the forms: p, p/q, (p/q)/r, where p, q, r are
variables. Fix Σ = {a1, . . . , ak}, where ai ≠ aj for i ≠ j. Let α^i_1, . . . , α^i_{n_i} be all
distinct types α ∈ I(ai). For any i = 1, . . . , k, we form a term βi = α^i_1 ∧ . . . ∧ α^i_{n_i}.
We also define a term γ(G) = β1 ∨ . . . ∨ βk. The following lemma has been proved
in [9].

Lemma 1. L(G) = Σ + iff (γ(G))∗ , γ(G) ⇒ s is provable in ACTω.

Proof. For the sake of completeness, we sketch the proof. L(G) = Σ + iff, for
all n ≥ 1 and all sequences (i1 , . . . , in ) of integers from the set [k] = {1, . . . , k},
ai1 . . . ain →G s. The latter condition is equivalent to the following: for any
j = 1, . . . , n, there exists α^{i_j}_{l_j} ∈ I(a_{i_j}) such that α^{i_1}_{l_1}, . . . , α^{i_n}_{l_n} ⇒ s is provable in
L. The latter condition is equivalent to the following: βi1, . . . , βin ⇒ s is provable
in FL. One uses the following fact: if Γ ⇒ α is a (∧, /)-sequent in which all
occurrences of ∧ are negative, and γ1 ∧ γ2 occurs in this sequent (as a subterm of a
term), then Γ ⇒ α is provable in FL iff both Γ′ ⇒ α and Γ″ ⇒ α are provable
in FL, where Γ′ ⇒ α (resp. Γ″ ⇒ α) arises from Γ ⇒ α by replacing the
designated occurrence of γ1 ∧ γ2 by γ1 (resp. γ2). Now, for n ≥ 1, βi1, . . . , βin ⇒ s
is provable in FL, for all sequences (i1, . . . , in) ∈ [k]ⁿ, iff (γ(G))ⁿ ⇒ s is provable
in FL (here we use the distribution of product over join). By (*-L), (*-R), the
latter condition is equivalent to the following: (γ(G))∗ , γ(G) ⇒ s is provable in
ACTω. 

Andréka and Mikulás [1] prove that every residuated meet semilattice is embeddable
into a relational algebra. The embedding h does not preserve 1; one only
gets: 1 ≤ a iff I_U ⊆ h(a). It follows that the (∧, ·, /, \)-fragment of FL is (even
strongly) complete with respect to relational algebras, which is precisely stated
by the following lemma (from [1]; also see [10,8] for different proofs).
Lemma 2. Let Γ ⇒ α be a (∧, ·, /, \)−sequent of the language of FL. Then,
Γ ⇒ α is provable in FL iff it is valid in RACTL.
We use lemmas 1 and 2 to prove the following theorem.
Theorem 1. Eq(RACTL) is Π⁰₁-hard.
Proof. We show that (γ(G))*, γ(G) ⇒ s is provable in ACTω iff the sequent is
valid in RACTL. The implication (⇒) is obvious. Assume that (γ(G))*, γ(G) ⇒
s is not provable in ACTω. Then, for some n ∈ ω, (γ(G))ⁿ, γ(G) ⇒ s is not
provable in ACTω, whence it is not provable in FL (it is *-free). By (CUT) and
(·-R), (γ(G))ⁿ · γ(G) ⇒ s is not provable in FL. The term (γ(G))ⁿ · γ(G) is equivalent
in FL to the disjunction of all terms β_{i₁} · … · β_{i_{n+1}} such that (i₁, …, i_{n+1}) ∈
[k]^{n+1}. By (∨-L), (∨-R) and (CUT), a sequent γ₁ ∨ … ∨ γ_m ⇒ γ is provable
in FL iff all sequents γ_i ⇒ γ, for i = 1, …, m, are provable in FL. Consequently,
there exists a sequence (i₁, …, i_{n+1}) ∈ [k]^{n+1} such that β_{i₁} · … · β_{i_{n+1}} ⇒ s
is not provable in FL. The latter sequent does not contain operation symbols
other than ∧, ·, /, \, so it is not valid in RACTL, by lemma 2. Consequently,
(γ(G))ⁿ, γ(G) ⇒ s is not valid in RACTL. Then, (γ(G))*, γ(G) ⇒ s is not valid
in RACTL (we use the fact that f(αⁿ) ⊆ f(α*), for any assignment f and any
formula α). Using lemma 1, we obtain: L(G) = Σ⁺ iff (γ(G))*, γ(G) ⇒ s is
valid in RACTL. □

For RACTA, we need a modified reduction. We use a lemma, first proved in [4].
Lemma 3. Let α₁, …, α_n be types, and let s be a variable. Then, α₁, …, α_n ⇒
s is provable in L iff s/(s/α₁), …, s/(s/α_n) ⇒ s is provable in L.
Proof. We outline the proof. A type α/Γ is defined by induction on the length
of Γ: α/ε = α, α/(Γβ) = (α/β)/Γ. So, p/(qr) = (p/r)/q. We consider the
(/)-fragment of L. One shows: if s/(α₁ … α_k), Δ ⇒ s is provable in this system,
then there exist Δ₁, …, Δ_k such that Δ = Δ₁ … Δ_k and, for each i = 1, …, k,
Δ_i ⇒ α_i is provable (use induction on cut-free proofs; the converse implication
also holds, by (I), (/-L)).
The ‘only if’ part of the lemma holds, by applying (/-R), (I), (/-L) n times.
Now, assume that the right-hand sequent is provable. Denote β_i = s/(s/α_i).
By the above paragraph, β₂, …, β_n ⇒ s/α₁ is provable, so β₂, …, β_n, α₁ ⇒ s
is provable (the rule (/-R) is reversible, by (CUT) and the provable sequent
α/β, β ⇒ α). Repeat this step n − 1 times. □


Let G = (Σ, I, s) be a Lambek categorial grammar. We construct a Lambek
categorial grammar G′ = (Σ, I′, s) such that I′ assigns s/(s/α) to a_i ∈ Σ iff G
assigns α to a_i. By lemma 3, L(G′) = L(G). For G′, we construct terms (α^i_j)′,
(β_i)′ and γ(G′) in a way fully analogous to the construction of α^i_j, β_i and γ(G).
Now, the term (β_i)′ is of the form:

(s/(s/α^i_1)) ∧ … ∧ (s/(s/α^i_{n_i})) . (25)

Using the equation (a/b) ∧ (a/c) = a/(b ∨ c), valid in residuated lattices, we can
transform the above term into an equivalent (in FL) ∧-free term:

s/[(s/α^i_1) ∨ … ∨ (s/α^i_{n_i})]. (26)

Let δ(G′) be the term arising from γ(G′) by transforming each constituent
(β_i)′ as above. Then, f(δ(G′)) = f(γ(G′)), for any assignment f.

Theorem 2. Eq(RACTA) is Π⁰₁-hard.

Proof. L(G) = Σ⁺ iff L(G′) = Σ⁺. As in the proofs of lemma 1 and theorem
1, one shows that the second condition is equivalent to: (γ(G′))*, γ(G′) ⇒ s is
valid in RACTL. The latter condition is equivalent to: (δ(G′))*, δ(G′) ⇒ s is
valid in RACTL. But the latter sequent is ∧-free, whence it is valid in RACTL
iff it is valid in RACTA. □


We can also eliminate ∨ (preserving ∧). Using the equation (a ∨ b)* = (a* b)* a*,
valid in all Kleene algebras, we can transform (γ(G))* into an equivalent (in
ACTω) term φ(G), containing *, ∧, ·, / only. Then, (γ(G))*, γ(G) ⇒ s is valid
in RACTL iff φ(G), γ(G) ⇒ s is valid in RACTL iff φ(G) ⇒ s/γ(G) is valid in
RACTL, and s/γ(G) is equivalent to a ∨-free term (see the equation between
(25) and (26)). Since a ≤ b iff a ∧ b = a, we can reduce L(G) = Σ⁺ to a
∨-free equation.

Corollary 1. The ∨-free fragment of Eq(RACTL) is Π⁰₁-hard.

We have found a lower bound for the complexity of Eq(RACTL): it is at least Π⁰₁.
We did not succeed in determining the upper bound. Both 1 and ∨ cause troubles.
In section 2, we have shown a sequent with 1 which is valid in RACTL, but not
valid in ACTL*. According to the author’s knowledge, the precise complexity
of the equational theory of relational residuated lattices (upper semilattices) is
not known; it must be Σ⁰₁, since valid equations can be faithfully interpreted as
valid formulas of first-order logic.
We can show some Π⁰₁-complete fragments of Eq(RACTL). For instance, the
set of all sequents of the form α, γ*, β ⇒ p, with α, β, γ being finite disjunctions
of (/, \, ∧)-terms, valid in RACTL is Π⁰₁-complete. This sequent is valid iff,
for all n ∈ ω, α, γⁿ, β ⇒ p is valid, and the latter sequents are valid iff they are
provable in FL (see the proof of theorem 1). Consequently, this set of sequents is
Π⁰₁. It is Π⁰₁-hard, again by the proof of theorem 1. This set can be extended
as follows.
A term is said to be good if it is formed out of (∧, /, \)-terms by · and *
only. A sequent Γ ⇒ α is said to be nice if it is a (∧, ·, *, /, \)-sequent, and any
negatively occurring term of the form β* occurs in this sequent within a good
term γ, which appears either as an element of Γ, or in a context δ/γ or γ\δ.
Using the *-elimination theorem [21], one can prove that the set of nice sequents
valid in RACTL is Π⁰₁-complete.

4 Algebras of Regular Languages

A language on Σ is a set L ⊆ Σ*. P(Σ*) is the set of all languages on Σ; it
is a complete action lattice with operations and designated elements, defined as
follows: L₁ ∨ L₂ = L₁ ∪ L₂, L₁ ∧ L₂ = L₁ ∩ L₂, L₁ · L₂ = {xy : x ∈ L₁, y ∈ L₂},
1 = {ε}, 0 = ∅, L⁰ = {ε}, L^{n+1} = Lⁿ · L, L* = ⋃_{n∈ω} Lⁿ, and:

L₁/L₂ = {x ∈ Σ* : {x} · L₂ ⊆ L₁} , (27)

L₁\L₂ = {x ∈ Σ* : L₁ · {x} ⊆ L₂} . (28)

By LAN we denote the class of all action lattices of the form P(Σ*), for
finite alphabets Σ. We add symbols from Σ to the language of ACTω as new
individual constants. Regular expressions on Σ can be defined as variable-free
terms without meet and residuals. An assignment L(a) = {a}, for a ∈ Σ, is
uniquely extended to all regular expressions; it is a homomorphism from the
term algebra to P(Σ*). Languages of the form L(α), α a regular expression
on Σ, are called regular languages on Σ. By REGL(Σ) we denote the set of all
regular languages on Σ. It is well-known that REGL(Σ) is a subalgebra of the
action lattice P(Σ*), whence it is a *-continuous action lattice. By REGLAN
we denote the class of all action lattices REGL(Σ), for finite alphabets Σ.
We will show that Eq(REGLAN) is Π⁰₁-complete. It is quite easy to show
that Eq(REGLAN) is Π⁰₁. Since regular languages are effectively closed under
meet and residuals, L(α) can be computed for all variable-free terms α
with individual constants from Σ. An equation α = β is valid in REGLAN iff
L(σ(α)) = L(σ(β)), for all finite alphabets Σ and all substitutions σ assigning
regular expressions on Σ to variables.
We note that Eq(RACTL) is different from Eq(REGLAN) and Eq(LAN). The
sequent p, 1/p ⇒ 1 is valid in LAN, and consequently, in REGLAN. Let f be an
assignment of terms in P(Σ*). If f(p) = ∅, then f(p, 1/p) = ∅. If f(p) = {ε}, then
f(1/p) = {ε} and f(p, 1/p) = {ε} = f(1). Otherwise f(1/p) = ∅ and f(p, 1/p) =
∅. This sequent is not valid in RACTL. Let U = {a, b}, a ≠ b, and f(p) =
{(a, b)}. Then, f(1/p) = {(a, b), (b, a), (b, b)}, so f(p, 1/p) = {(a, a), (a, b)} is not
contained in I_U.
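The two computations just made, as an added example that is not part of the paper: the residuals (27) and (28) on finite languages, the relational residual behind the U = {a, b} counterexample, and the sequent p, 1/p ⇒ 1 evaluated in both models. The functions, the sample languages and relations, and the bounded-search argument in the docstrings (a word longer than every word of L₁ cannot lie in L₁/L₂ once L₂ ≠ ∅) are the editor's, not the author's.

```python
"""Residuals in two concrete models of the sequent calculus: languages over a
finite alphabet (equations (27) and (28), the class LAN) and binary relations
on a finite set U (the class RACTL).  The sequent p, 1/p => 1 from the text is
evaluated in both.  Sample languages and relations are constructed here."""
from itertools import product


def words(sigma, max_len):
    """All words over the alphabet sigma of length <= max_len ('' is epsilon)."""
    return {''.join(w) for n in range(max_len + 1)
            for w in product(sigma, repeat=n)}


def lang_concat(l1, l2):
    """L1 . L2 = {xy : x in L1, y in L2}."""
    return {x + y for x in l1 for y in l2}


def lang_right_residual(l1, l2, sigma):
    """L1/L2 = {x in Sigma* : {x}.L2 ⊆ L1}, equation (27), for finite L1 and
    finite non-empty L2.  A word x longer than every word of L1 cannot satisfy
    x.L2 ⊆ L1 (xy is even longer), so searching words up to the length of the
    longest word of L1 is exhaustive.  For L2 = ∅ the residual is Sigma*."""
    if not l2:
        raise ValueError('L1/∅ = Sigma* is infinite; not representable here')
    bound = max((len(w) for w in l1), default=0)
    return {x for x in words(sigma, bound) if lang_concat({x}, l2) <= l1}


def lang_left_residual(l1, l2, sigma):
    """L1\\L2 = {x in Sigma* : L1.{x} ⊆ L2}, equation (28), for finite non-empty L1."""
    if not l1:
        raise ValueError('∅\\L2 = Sigma* is infinite; not representable here')
    bound = max((len(w) for w in l2), default=0)
    return {x for x in words(sigma, bound) if lang_concat(l1, {x}) <= l2}


def rel_comp(r1, r2):
    """Relational composition R1;R2 (the product of RACTL)."""
    return {(a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2}


def rel_right_residual(r1, r2, u):
    """R1/R2 = {(a, b) : {(a, b)};R2 ⊆ R1}, the largest R with R;R2 ⊆ R1."""
    return {(a, b) for a in u for b in u if rel_comp({(a, b)}, r2) <= r1}


def sequent_holds_in_languages(p, sigma):
    """f(p, 1/p) ⊆ f(1) = {ε} in P(Sigma*), for a finite f(p) = p."""
    one = {''}
    if not p:                      # f(p) = ∅ gives f(p, 1/p) = ∅ ⊆ {ε}
        return True
    return lang_concat(p, lang_right_residual(one, p, sigma)) <= one


def sequent_holds_in_relations(p, u):
    """f(p, 1/p) ⊆ f(1) = I_U in the relation algebra on u, for f(p) = p."""
    ident = {(a, a) for a in u}
    return rel_comp(p, rel_right_residual(ident, p, u)) <= ident


if __name__ == '__main__':
    sigma = ('a', 'b')
    print(lang_right_residual({'a', 'ab', 'abb'}, {'b'}, sigma))
    for p in ({''}, {'a', 'ab'}, set()):
        print('p, 1/p => 1 in LAN for p =', p, ':', sequent_holds_in_languages(p, sigma))
    u = ('a', 'b')
    p = {('a', 'b')}
    print('1/p in relations:', rel_right_residual({('a', 'a'), ('b', 'b')}, p, u))
    print('p, 1/p => 1 in RACTL for p =', p, ':', sequent_holds_in_relations(p, u))
```

The relational residual is computed by brute force over all pairs, which is exact on a finite U; the language residual is exact only because both arguments are finite, which is all the text's argument needs.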
In [5], it has been shown that the (∧, /, \)-fragment of FL possesses the finite
model property. The proof yields, actually, the completeness of this fragment
with respect to so-called co-finite models (P(Σ*), f) such that f(p) is a co-finite
subset of Σ*, for any variable p. Then, f(p) is a regular language on Σ. We
obtain the following lemma. The proof is a modification of the proof of the finite
model property of this fragment, given in [7].

Lemma 4. Let Γ ⇒ α be a (∧, /, \)-sequent. Then, Γ ⇒ α is provable in FL
iff it is valid in REGLAN.

Proof. The ‘only if’ part is obvious. For the ‘if’ part, assume that Γ ⇒ α is
not provable. Let T be the set of all subterms appearing in this sequent. We
consider languages on the alphabet T. An assignment f_n, n ∈ ω, is defined as
follows: for any variable p, f_n(p) equals the set of all Δ ∈ T* such that either
v(Δ) > n, or Δ ⇒ p is provable (v(Δ) denotes the total number of occurrences
of variables in Δ). As usual, f_n is extended to a homomorphism from the term
algebra to P(T*). Since all languages f_n(p) are co-finite, all languages f_n(β)
are regular. If Δ ∈ T*, v(Δ) > n, then Δ ∈ f_n(β), for all terms β (easy induction
on β).
By induction on β ∈ T, we prove: (i) if v(Δ) ≤ n − v(β) and Δ ∈ f_n(β), then
Δ ⇒ β is provable, (ii) if v(β) ≤ v(Δ) and Δ ⇒ β is provable, then Δ ∈ f_n(β).
For β = p, (i) and (ii) follow from the definition of f_n.
Let β = γ/δ. Assume v(Δ) ≤ n − v(β) and Δ ∈ f_n(β). Since v(δ) ≤ v(δ),
δ ∈ f_n(δ), by (I) and the induction hypothesis (use (ii)). So, (Δδ) ∈ f_n(γ),
by the definition of residuals in P(T*). Since v(Δδ) ≤ n − v(γ), Δ, δ ⇒ γ
is provable (use (i)). By (/-R), Δ ⇒ β is provable. Assume that v(β) ≤ v(Δ)
and Δ ⇒ β is provable. By the reversibility of (/-R), Δ, δ ⇒ γ is provable. Let
Φ ∈ f_n(δ). Case 1: v(Φ) > n − v(δ). Then, v(ΔΦ) > n, whence (ΔΦ) ∈ f_n(γ).
Case 2: v(Φ) ≤ n − v(δ). Then, Φ ⇒ δ is provable, by the induction hypothesis
(use (i)), and consequently, Δ, Φ ⇒ γ is provable, by (CUT). Since v(γ) ≤ v(ΔΦ),
(ΔΦ) ∈ f_n(γ), by the induction hypothesis (use (ii)). So, Δ ∈ f_n(β). The
case β = δ\γ is dual.
Let β = γ ∧ δ. Assume v(Δ) ≤ n − v(β) and Δ ∈ f_n(β). Then, v(Δ) ≤
n − v(γ) and Δ ∈ f_n(γ). Also v(Δ) ≤ n − v(δ) and Δ ∈ f_n(δ). By the induction
hypothesis, Δ ⇒ γ and Δ ⇒ δ are provable, and consequently, Δ ⇒ β is
provable, by (∧-R). Assume that v(β) ≤ v(Δ) and Δ ⇒ β is provable. Since
β ⇒ γ and β ⇒ δ are provable, by (I) and (∧-L), Δ ⇒ γ and Δ ⇒ δ are
provable, by (CUT). We have v(γ) ≤ v(Δ) and v(δ) ≤ v(Δ), and consequently,
Δ ∈ f_n(γ) and Δ ∈ f_n(δ), by the induction hypothesis, which yields Δ ∈ f_n(β).
Take n = v(Γ ⇒ α). Let Γ = α₁ … α_k. Since v(α_i) ≤ v(α_i), α_i ∈ f_n(α_i),
by (I) and (ii). Consequently, Γ ∈ f_n(Γ). Since v(Γ) = n − v(α), Γ ∉ f_n(α),
by the assumption and (i) (this also holds for Γ = ε). Consequently, Γ ⇒ α is
not valid in REGLAN. □


Theorem 3. Eq(REGLAN) is Π⁰₁-complete.

Proof. We know that this set is Π⁰₁. We show that it is Π⁰₁-hard. We return to
lemma 1 in section 3. We show that (γ(G))*, γ(G) ⇒ s is provable in ACTω
iff this sequent is valid in REGLAN. The implication (⇒) is obvious. To prove
(⇐) assume that (γ(G))*, γ(G) ⇒ s is not provable in ACTω. As in the proof
of theorem 1, we show that there exists a sequence (i₁, …, i_n) ∈ [k]ⁿ, n ≥ 1,
such that β_{i₁} · … · β_{i_n} ⇒ s is not provable in FL. By (·-L), β_{i₁}, …, β_{i_n} ⇒ s is
not provable in FL. By lemma 4, the latter sequent is not valid in REGLAN.
As in the proof of theorem 1, we show that (γ(G))*, γ(G) ⇒ s is not valid in
REGLAN. So, L(G) = Σ⁺ iff (γ(G))*, γ(G) ⇒ s is valid in REGLAN. □

We note that Eq(LAN) belongs to a higher complexity class. The Horn formulas
valid in LAN can be expressed by equations valid in LAN. Notice that α ≤
β is true iff 1 ≤ β/α is true. Also the conjunction of formulas 1 ≤ α_i, i = 1, …, n,
is true iff 1 ≤ α₁ ∧ ⋯ ∧ α_n is true. Finally, the implication ‘if 1 ≤ α then 1 ≤
β’ is true iff 1 ∧ α ≤ β is true.
The Horn theory of LAN, restricted to (/, \)-terms, is Σ⁰₁-complete [3]. The
proof of theorem 3 yields the Π⁰₁-hardness of Eq(LAN); so, it is not Σ⁰₁. If
it were Π⁰₁, then this restricted Horn theory of LAN would be recursive. So,
Eq(LAN) is neither Π⁰₁, nor Σ⁰₁.
In [17,11] the Horn theory of KA* and the Horn theory of RKA are shown to
be Π¹₁-complete. This yields a lower bound for the complexity of Horn theories
of ACTA* and RACTA (every *-continuous Kleene algebra is embeddable into
a complete, whence *-continuous, action lattice [9]).

References
1. H. Andréka and S. Mikulás, Lambek calculus and its relational semantics: completeness and incompleteness, Journal of Logic, Language and Information 3 (1994), 1-37.
2. Y. Bar-Hillel, C. Gaifman and E. Shamir, On categorial and phrase structure grammars, Bulletin Res. Council Israel F9 (1960), 155-166.
3. W. Buszkowski, Some decision problems in the theory of syntactic categories, Zeitschrift f. math. Logik und Grundlagen der Mathematik 28 (1982), 539-548.
4. W. Buszkowski, The equivalence of unidirectional Lambek categorial grammars and context-free grammars, Zeitschrift f. math. Logik und Grundlagen der Mathematik 31 (1985), 369-384.
5. W. Buszkowski, The finite model property for BCI and related systems, Studia Logica 57 (1996), 303-323.
6. W. Buszkowski, Mathematical Linguistics and Proof Theory, in [24], 683-736.
7. W. Buszkowski, Finite models of some substructural logics, Mathematical Logic Quarterly 48 (2002), 63-72.
8. W. Buszkowski, Relational models of Lambek logics, in: Theory and Applications of Relational Structures as Knowledge Instruments, Lecture Notes in Comp. Science 2929, 2003, 196-213.
9. W. Buszkowski, On action logic: Equational theories of action algebras, to appear in Journal of Logic and Computation.
10. W. Buszkowski and M. Kolowska-Gawiejnowicz, Representation of residuated semigroups in some algebras of relations. (The method of canonical models.), Fundamenta Informaticae 31 (1997), 1-12.
11. C. Hardin and D. Kozen, On the complexity of the Horn theory of REL, manuscript, 2003.
12. J.E. Hopcroft and J.D. Ullman, Introduction to Automata Theory, Languages and Computation, Addison-Wesley, Reading, 1979.
13. C. Hoare and H. Jifeng, The weakest prespecification, Fundamenta Informaticae 9 (1986), 51-84, 217-252.
14. P. Jipsen, From semirings to residuated Kleene algebras, Studia Logica 76 (2004), 291-303.
15. D. Kozen, On Kleene algebras and closed semirings, in: Proc. MFCS 1990, Lecture Notes in Comp. Science 452, 1990, 26-47.
16. D. Kozen, A completeness theorem for Kleene algebras and the algebra of regular events, Information and Computation 110:2 (1994), 366-390.
17. D. Kozen, On the complexity of reasoning in Kleene algebras, Information and Computation 179 (2002), 152-162.
18. J. Lambek, The mathematics of sentence structure, American Mathematical Monthly 65 (1958), 154-170.
19. H. Ono, Semantics for Substructural Logics, in: Substructural Logics, (P. Schroeder-Heister and K. Dosen, eds.), Clarendon Press, Oxford, 1993, 259-291.
20. E. Orlowska and A.M. Radzikowska, Double residuated lattices and their applications, in: Relational Methods in Computer Science, Lecture Notes in Comp. Science 2561, 2002, 171-189.
21. E. Palka, An infinitary sequent system for the equational theory of *-continuous action lattices, to appear in Fundamenta Informaticae.
22. V. Pratt, Action logic and pure induction, in: Logics in AI. Proc. JELIA’90, Lecture Notes in Artif. Intelligence 478, 1990, 97-120.
23. V.N. Redko, On defining relations for the algebra of regular events, Ukrain. Mat. Z. 16 (1964), 120-126. In Russian.
24. J. van Benthem and A. ter Meulen (eds.), Handbook of Logic and Language, Elsevier, Amsterdam, The MIT Press, Cambridge Mass., 1997.
Demonic Algebra with Domain

Jean-Lou De Carufel and Jules Desharnais

Département d’informatique et de génie logiciel


Université Laval, Québec, QC, G1K 7P4, Canada
[email protected], [email protected]

Abstract. We first recall the concept of Kleene algebra with domain
(KAD). Then we explain how to use the operators of KAD to define
a demonic refinement ordering and demonic operators (many of these
definitions come from the literature). Then, taking the properties of the
KAD-based demonic operators as a guideline, we axiomatise an algebra
that we call Demonic algebra with domain (DAD). The laws of DAD
not concerning the domain operator agree with those given in the 1987
CACM paper Laws of programming by Hoare et al. Finally, we investigate
the relationship between demonic algebras with domain and KAD-based
demonic algebras. The question is whether every DAD is isomorphic to a
KAD-based demonic algebra. We show that it is not the case in general.
However, if a DAD D is isomorphic to a demonic algebra based on a
KAD K, then it is possible to construct a KAD isomorphic to K using
the operators of D. We also describe a few open problems.

1 Introduction

The basic operators of Kleene algebra (KA) or relation algebra (RA) can directly
be used to give an abstract angelic semantics of while programs. For instance,
a + b corresponds to an angelic non-deterministic choice between programs a
and b, and (t · b)∗ · ¬t is the angelic semantics of a loop with condition t and
body b. One way to express demonic semantics in KA or RA is to define demonic
operators in terms of the basic operators; these demonic operators can then be
used in the semantic definitions. In RA, this has been done frequently (see for
instance [1,2,6,7,16,19,23]); in KA, much less [11,12].
In recent years, various algebras for program refinement have appeared
[3,13,14,15,21,22,24]. The refinement algebra of von Wright is an abstraction
of predicate transformers, while the laws of programming of Hoare et al. have
an underlying relational model. Möller’s lazy Kleene algebra has weaker axioms
than von Wright’s and can handle systems in which infinite sequences of states
may occur.
Our goal is also to design a refinement algebra, which we call a Demonic algebra
(DA). Rather than designing it with a concrete model in mind, our first goal is
to come as close as possible to the kind of algebras that one gets by defining
demonic operators in KA with domain (KAD) [8,9,10], as is done in [11,12],
and then forgetting the basic angelic operators of KAD. Starting from KAD

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 120–134, 2006.
© Springer-Verlag Berlin Heidelberg 2006

means that DA abstracts many concrete models, just like KA does. We hope
that the closeness to KA will eventually lead to decision procedures like those of
KA. A second longer term goal, not pursued here, is to precisely determine the
relationship of DA with the other refinement algebras; we will say a few words
about that in the conclusion.
In Section 2, we recall the definitions of Kleene algebra and its extensions,
Kleene algebra with tests (KAT) and Kleene algebra with domain (KAD). This
section also contains the definitions of demonic operators in terms of the KAD
operators. Section 3 presents the axiomatisation of DA and its extensions, DA
with tests (DAT) and DA with domain (DAD), as well as derived laws. It
turns out that the laws of DAT closely correspond to the laws of programming
of [13,14]. In Section 4, we begin to investigate the relationship between KAD
and DAD by first defining angelic operators in terms of the demonic operators
(call this transformation G). Then we investigate whether the angelic operators
thus defined by G induce a KAD. Not all answers are known there and we state
a conjecture that we believe holds and from which the conditions that force G to
induce a KAD can be determined. It is stated in Section 5 that the conjecture
holds in those DADs obtained from a KAD by defining demonic operators in
terms of the angelic operators (call this transformation F ). The good thing is
that F followed by G is the identity. Section 6 simply describes the main un-
solved problem. We conclude in Section 7 with a description of future research
and a quick comparison with other refinement algebras.
Due to restricted space, we cannot include proofs. They are published in a
research report available on the web [5].

2 Kleene Algebra with Domain and KAD-Based Demonic Operators

In this section, we recall basic definitions about KA and its extensions, KAT
and KAD. Then we present the KAD-based definition of the demonic operators.

Definition 1 (Kleene algebra). A Kleene algebra (KA) [4,17] is a structure
(K, +, ·, *, 0, 1) such that the following properties hold for all x, y, z ∈ K.

(x + y) + z = x + (y + z) (1)
x + y = y + x (2)
x + x = x (3)
0 + x = x (4)
(x · y) · z = x · (y · z) (5)
0 · x = x · 0 = 0 (6)
1 · x = x · 1 = x (7)
x · (y + z) = x · y + x · z (8)
(x + y) · z = x · z + y · z (9)
x* = x · x* + 1 (10)
x* = x* · x + 1 (11)

Addition induces a partial order ≤ such that, for all x, y ∈ K,

x ≤ y ⟺ x + y = y . (12)

Finally, the following properties must be satisfied for all x, y, z ∈ K.

z · x + y ≤ z ⟹ y · x* ≤ z (13)
x · z + y ≤ z ⟹ x* · y ≤ z (14)

To reason about programs, it is useful to have a concept of condition, or test.
It is provided by Kleene algebra with tests, which is further extended by Kleene
algebra with domain.

Definition 2 (Kleene algebra with tests). A KA with tests (KAT) [18] is
a structure (K, test(K), +, ·, *, 0, 1, ¬) such that test(K) ⊆ {t | t ∈ K ∧ t ≤ 1},
(K, +, ·, *, 0, 1) is a KA and (test(K), +, ·, ¬, 0, 1) is a Boolean algebra.

In the sequel, we use the letters s, t, u, v for tests and w, x, y, z for programs.

Definition 3 (Kleene algebra with domain). A KA with domain (KAD)
[8,9,12,10] is a structure (K, test(K), +, ·, *, 0, 1, ¬, ⌜) such that (K, test(K), +,
·, *, 0, 1, ¬) is a KAT and, for all x, y ∈ K and t ∈ test(K),

x ≤ ⌜x · x , (15)
⌜(t · x) ≤ t , (16)
⌜(x · ⌜y) ≤ ⌜(x · y) . (17)

These axioms force the test algebra test(K) to be the maximal Boolean algebra
included in {x | x ≤ 1} [10]. Property (17) is called locality. There are many other
properties about KAT and KAD and we present some of the most important
ones concerning the domain operator. See [8,10,12] for proofs.

Proposition 4. The following hold for all t ∈ test(K) and all x, y ∈ K.

1. t · t = t
2. ⌜x = min_≤ {t | t ∈ test(K) ∧ t · x = x}
3. ⌜x · x = x
4. ⌜t = t
5. ⌜(t · x) = t · ⌜x
6. ⌜(x + y) = ⌜x + ⌜y

The following operator characterises the set of points from which no computation
as described by x may lead outside the domain of y.

Definition 5 (KA-Implication). Let x and y be two elements of a KAD. The
KA-implication x → y is defined by x → y = ¬⌜(x · ¬⌜y).
We are now ready to introduce the demonic operators. Most of the proofs can
be found in [12].

Definition 6 (Demonic refinement). Let x and y be two elements of a KAD.
We say that x refines y, noted x ⊑_A y, when ⌜y ≤ ⌜x and ⌜y · x ≤ y.

The subscript A in ⊑_A indicates that the demonic refinement is defined with
the operators of the angelic world. An analogous notation will be introduced
when we define angelic operators in the demonic world. It is easy to show that
⊑_A is a partial order. Note that for all tests s and t, s ⊑_A t ⟺ t ≤ s. This
definition can be simply illustrated with relations. Let Q = {(1, 2), (2, 4)} and
R = {(1, 2), (1, 3)}. Then ⌜R = {(1, 1)} ⊆ {(1, 1), (2, 2)} = ⌜Q. Since in addition
⌜R ; Q = {(1, 2)} ⊆ R, we have Q ⊑_A R (“;” is the usual relational composition).

Proposition 7 (Demonic upper semilattice).
1. The partial order ⊑_A induces an upper semilattice with demonic join ⊔_A:
x ⊑_A y ⟺ x ⊔_A y = y.
2. Demonic join satisfies the following two properties.
x ⊔_A y = ⌜x · ⌜y · (x + y)
⌜(x ⊔_A y) = ⌜x ⊔_A ⌜y = ⌜x · ⌜y

Definition 8 (Demonic composition). The demonic composition of two elements
x and y of a KAD, written x ◦_A y, is defined by x ◦_A y = (x → y) · x · y.

Definition 9 (Demonic star). Let x ∈ K, where K is a KAD. The unary
iteration operator ×_A is defined by x^{×_A} = x* ◦_A ⌜x.

Definition 10 (Conditional). For each t ∈ test(K) and x, y ∈ K, the t-conditional
is defined by x ▷_{A,t} y = t · x + ¬t · y. The family of t-conditionals
corresponds to a single ternary operator ▷_{A,•} taking as arguments a test t and
two arbitrary elements x and y.

The demonic join operator ⊔_A is used to give the semantics of demonic non-deterministic
choices and ◦_A is used for sequences. Among the interesting properties
of ◦_A, we cite t ◦_A x = t · x, which says that composing a test t with
an arbitrary element x is the same in the angelic and demonic worlds, and
x ◦_A y = x · y if ⌜y = 1, which says that if the second element of a composition
is total, then again the angelic and demonic compositions coincide. The ternary
operator ▷_{A,•} is similar to the conditional choice operator ◁ ▷ of Hoare et
al. [13,14]. It corresponds to a guarded choice with disjoint alternatives. The iteration
operator ×_A rejects the finite computations that go through a state from
which it is possible to reach a state where no computation is defined (e.g., due
to blocking or abnormal termination).

As usual, unary operators have the highest precedence, and demonic composition
◦_A binds stronger than ⊔_A and ▷_{A,•}, which have the same precedence.

Proposition 11 (KA-based demonic operators). The demonic operators
⊔_A, ◦_A, ▷_{A,•}, ×_A and ⌜ satisfy the axioms of demonic algebra with domain presented
in Section 3 (Definitions 12, 13, 16).

3 Axiomatisation of Demonic Algebra with Domain

The demonic operators introduced at the end of the last section satisfy many
properties. We choose some of them to become axioms of a new structure called
demonic algebra with domain. For this definition, we follow the same path as for
the definition of KAD. That is, we first define demonic algebra, then demonic
algebra with tests and, finally, demonic algebra with domain.

3.1 Demonic Algebra

Demonic algebra, like KA, has a sum, a composition and an iteration operator.
Here is its definition.

Definition 12 (Demonic algebra). A demonic algebra (DA) is a structure
(A_D, ⊔, ◦, ×, 0, 1) such that the following properties are satisfied for x, y, z ∈ A_D.

x ⊔ (y ⊔ z) = (x ⊔ y) ⊔ z (18)
x ⊔ y = y ⊔ x (19)
x ⊔ x = x (20)
0 ⊔ x = 0 (21)
x ◦ (y ◦ z) = (x ◦ y) ◦ z (22)
0 ◦ x = x ◦ 0 = 0 (23)
1 ◦ x = x ◦ 1 = x (24)
x ◦ (y ⊔ z) = x ◦ y ⊔ x ◦ z (25)
(x ⊔ y) ◦ z = x ◦ z ⊔ y ◦ z (26)
x^× = x ◦ x^× ⊔ 1 (27)
x^× = x^× ◦ x ⊔ 1 (28)

There is a partial order ⊑ induced by ⊔ such that for all x, y ∈ A_D,

x ⊑ y ⟺ x ⊔ y = y . (29)

The next two properties are also satisfied for all x, y, z ∈ A_D.

z ◦ x ⊔ y ⊑ z ⟹ y ◦ x^× ⊑ z (30)
x ◦ z ⊔ y ⊑ z ⟹ x^× ◦ y ⊑ z (31)

When comparing Definitions 1 and 12, one observes the obvious correspondences
+ ↔ ⊔, · ↔ ◦, * ↔ ×, 0 ↔ 0, 1 ↔ 1. The only difference in the axiomatisation
between KA and DA is that 0 is the left and right identity of addition
in KA (+), while it is a left and right zero of addition in DA (⊔). However, this
minor difference has a rather important impact. While KAs and DAs are upper
semilattices with + as the join operator for KAs and ⊔ for DAs, the element 0
is the bottom of the semilattice for KAs and the top of the semilattice for DAs.
Indeed, by (21) and (29), x ⊑ 0 for all x ∈ A_D.

All operators are isotone with respect to the refinement ordering ⊑. That is,
for all x, y, z ∈ A_D,

x ⊑ y ⟹ z ⊔ x ⊑ z ⊔ y ∧ z ◦ x ⊑ z ◦ y ∧ x ◦ z ⊑ y ◦ z ∧ x^× ⊑ y^× .

This can easily be derived from (19), (20), (24), (25), (26), (27), (29) and (31).

3.2 Demonic Algebra with Tests

Now comes the first extension of DA, demonic algebra with tests. This extension
has a concept of tests like the one in KAT and it also adds the conditional
operator ▷_t. In KAT, + and · are respectively the join and meet operators of the
Boolean lattice of tests. But in DAT, it will turn out that for any tests s and t,
s ⊔ t = s ◦ t, and that ⊔ and ◦ both act as the join operator on tests (this is also
the case for the KAD-based definition of these operators given in Section 2, as
can be checked). Introducing ▷_t provides a way to express the meet of tests, as
will be shown below. Here is how we deal with tests in a demonic world.

Definition 13 (Demonic algebra with tests). A demonic algebra with tests
(DAT) is a structure (A_D, B_D, ⊔, ◦, ×, 0, 1, ▷_•) such that
1. (A_D, ⊔, ◦, ×, 0, 1) is a DA;
2. {1, 0} ⊆ B_D ⊆ A_D;
3. for all t ∈ B_D, 1 ⊑ t;
4. ▷_• is a ternary operator of type B_D × A_D × A_D → A_D that can be thought of
as a family of binary operators. For each t ∈ B_D, ▷_t is an operator of type
A_D × A_D → A_D, and of type B_D × B_D → B_D if its two arguments belong to
B_D;
5. ▷_• satisfies the following properties for all s, t ∈ B_D and all x, y, z ∈ A_D. In
these axioms, we use the negation operator ¬, defined by

¬t = 0 ▷_t 1. (32)

x ▷_t y = y ▷_{¬t} x (33)
t ◦ x ▷_t y = x ▷_t y (34)
x ▷_t x = x (35)
x ▷_t 0 = t ◦ x (36)
(x ▷_t y) ◦ z = x ◦ z ▷_t y ◦ z (37)
s ◦ (x ▷_t y) = (s ◦ x) ▷_t (s ◦ y) (38)
x ▷_t (y ⊔ z) = (x ▷_t y) ⊔ (x ▷_t z) (39)
x ⊔ (y ▷_t z) = (x ⊔ y) ▷_t (x ⊔ z) (40)
t ⊔ ¬t = 0 (41)
¬(1 ▷_t s) = ¬t ⊔ ¬s (42)

The elements in B_D are called (demonic) tests.


The axioms for ▷_t given in the definition of DAT are all satisfied by the choice
operator ◁ t ▷ of Hoare et al. [13,14]. The conditional operator satisfies a lot of
additional laws, as shown by the following proposition, and more can be found
in the precursor paper [20] (with a different syntax).

Proposition 14. The following properties are true for all s, t ∈ B_D and all
x, x₁, x₂, y, y₁, y₂, z ∈ A_D.

1. ¬¬t = t
2. x ⊑ y ⟹ x ▷_t z ⊑ y ▷_t z
3. 0 ▷_t x = ¬t ◦ x
4. x ▷_t ¬t ◦ y = x ▷_t y
5. t ◦ t = t
6. s ⊔ t = s ◦ t
7. t ◦ ¬t = 0
8. s ◦ t = t ◦ s
9. ¬1 = 0
10. ¬0 = 1
11. t ◦ x ⊑ x ⟺ 0 ⊑ ¬t ◦ x
12. s ⊑ t ⟹ ¬t ⊑ ¬s
13. x ⊑ y ⟺ t ◦ x ⊑ t ◦ y ∧ ¬t ◦ x ⊑ ¬t ◦ y
14. x = y ⟺ t ◦ x = t ◦ y ∧ ¬t ◦ x = ¬t ◦ y
15. t ◦ (x ▷_t y) = t ◦ x
16. x ⊑ y ▷_t z ⟺ x ⊑ t ◦ y ∧ x ⊑ ¬t ◦ z
17. x ▷_t y ⊑ z ⟺ x ⊑ t ◦ z ∧ y ⊑ ¬t ◦ z
18. (x₁ ▷_s x₂) ▷_t (y₁ ▷_s y₂) = (x₁ ▷_t y₁) ▷_s (x₂ ▷_t y₂)

As a direct consequence, one can deduce the next corollary.

Corollary 15. The set B_D of demonic tests forms a Boolean algebra with bottom
1 and top 0. The supremum of s and t is s ⊔ t, their infimum is 1 ▷_s t and
the negation of t is ¬t = 0 ▷_t 1 (see (32)).

Thus, tests have quite similar properties in KAT and DAT. But there are important
differences. The first one is that ⊔ and ◦ behave the same way on tests
(Proposition 14-6). The second one concerns Laws 13 and 14 of Proposition 14,
which show how a proof of refinement or equality can be done by case analysis
by decomposing it with cases t and ¬t. The same is true in KAT. However, in
KAT, this decomposition can also be done on the right side, since for instance
the law x = y ⟺ x · t = y · t ∧ x · ¬t = y · ¬t holds, while the corresponding
law does not hold in DAT. For example, {(0, 0), (0, 1), (1, 0), (1, 1)} ◦ {(0, 0)} =
{(0, 0), (0, 1), (1, 0), (1, 1)} ◦ {(1, 1)} = {}, while {(0, 0), (0, 1), (1, 0), (1, 1)} ≠ {}.
In DAT, there is an asymmetry between left and right that can be traced back
to laws (37) and (38). In (37), right distributivity holds for arbitrary elements,
while left distributivity in (38) holds only for tests. Another law worth noting is
Proposition 14-11. On the left of the equivalence, t acts as a left preserver of x
and on the right, ¬t acts as a left annihilator.
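The relational examples of this section and of Section 2 (Q ⊑_A R, and the failure of right-hand case analysis for ◦), as an added example that is not taken from the paper: binary relations on a finite set form a KAD, and the KAD-based demonic operators of Definitions 6, 7, 8 and 10 are computed on them below (the demonic star is left out). The code also checks, exhaustively over the 16 relations on a two-element set, the DA laws (21)–(26) and the two properties of ◦_A quoted after Definition 10, and searches for a witness of the failing right-hand decomposition. Function names, the universes and the sample relations are the editor's choices, not the authors'.

```python
"""Binary relations on a finite set U form a KAD (join = union, product =
composition, tests = sub-identities, domain = set of first components).  The
functions below compute the KAD-based demonic operators of Definitions 6-10 on
such relations; relations are frozensets of pairs.  Example relations and the
universe U are constructed for illustration."""
from itertools import combinations, product


def ident(u):
    """The identity relation 1 on u."""
    return frozenset((a, a) for a in u)


def comp(x, y):
    """Relational composition x;y, the KAD product x . y."""
    return frozenset((a, c) for (a, b) in x for (b2, c) in y if b == b2)


def dom(x):
    """Domain ⌜x as a test: the sub-identity on the first components of x."""
    return frozenset((a, a) for (a, _) in x)


def neg(t, u):
    """Complement ¬t of a test t inside the identity on u."""
    return ident(u) - t


def kad_impl(x, y, u):
    """KA-implication x -> y = ¬⌜(x . ¬⌜y): points from which no x-step leaves ⌜y."""
    return neg(dom(comp(x, neg(dom(y), u))), u)


def refines(x, y):
    """Demonic refinement x ⊑A y: ⌜y ≤ ⌜x and ⌜y . x ≤ y (Definition 6)."""
    return dom(y) <= dom(x) and comp(dom(y), x) <= y


def djoin(x, y):
    """Demonic join x ⊔A y = ⌜x . ⌜y . (x + y) (Proposition 7)."""
    return comp(comp(dom(x), dom(y)), x | y)


def dcomp(x, y, u):
    """Demonic composition x ∘A y = (x -> y) . x . y (Definition 8)."""
    return comp(comp(kad_impl(x, y, u), x), y)


def cond(t, x, y, u):
    """t-conditional x ▷t y = t . x + ¬t . y (Definition 10)."""
    return comp(t, x) | comp(neg(t, u), y)


def all_relations(u):
    """Every relation on u (2^(|u|^2) of them; 16 for a two-element u)."""
    pairs = list(product(u, u))
    return [frozenset(c) for n in range(len(pairs) + 1)
            for c in combinations(pairs, n)]


def check_da_laws(u):
    """Exhaustively check DA axioms (21)-(26) and the two properties of ∘A
    quoted after Definition 10 for the operators above; returns the set of
    labels of laws that fail (expected: empty)."""
    rels, zero, one = all_relations(u), frozenset(), ident(u)
    tests = [t for t in rels if t <= one]
    failed = set()
    for x in rels:
        if djoin(zero, x) != zero:
            failed.add('(21)')
        if dcomp(zero, x, u) != zero or dcomp(x, zero, u) != zero:
            failed.add('(23)')
        if dcomp(one, x, u) != x or dcomp(x, one, u) != x:
            failed.add('(24)')
        if any(dcomp(t, x, u) != comp(t, x) for t in tests):
            failed.add('t ∘A x = t . x')
        if any(dcomp(x, y, u) != comp(x, y) for y in rels if dom(y) == one):
            failed.add('x ∘A y = x . y when ⌜y = 1')
    for x, y, z in product(rels, repeat=3):
        if dcomp(dcomp(x, y, u), z, u) != dcomp(x, dcomp(y, z, u), u):
            failed.add('(22)')
        if dcomp(x, djoin(y, z), u) != djoin(dcomp(x, y, u), dcomp(x, z, u)):
            failed.add('(25)')
        if dcomp(djoin(x, y), z, u) != djoin(dcomp(x, z, u), dcomp(y, z, u)):
            failed.add('(26)')
    return failed


def right_case_analysis_counterexample(u):
    """Find a test t and x != y with x ∘A t = y ∘A t and x ∘A ¬t = y ∘A ¬t,
    i.e. a witness that the KAT law x = y <=> x.t = y.t ∧ x.¬t = y.¬t has no
    right-hand counterpart in DAT.  Returns (t, x, y) or None."""
    rels, one = all_relations(u), ident(u)
    for t in (s for s in rels if s <= one):
        nt = neg(t, u)
        for x, y in combinations(rels, 2):
            if dcomp(x, t, u) == dcomp(y, t, u) and dcomp(x, nt, u) == dcomp(y, nt, u):
                return t, x, y
    return None


if __name__ == '__main__':
    # Q ⊑A R from Section 2 (constructed sample relations on U = {1, 2, 3, 4}).
    u4 = (1, 2, 3, 4)
    q, r = frozenset({(1, 2), (2, 4)}), frozenset({(1, 2), (1, 3)})
    print('dom R =', set(dom(r)), ' dom Q =', set(dom(q)))
    print('Q refines R:', refines(q, r), ' R refines Q:', refines(r, q))
    print('Q join R == R:', djoin(q, r) == r)
    # The right-hand case analysis failure of Section 3.2 on U = {0, 1}.
    u2 = (0, 1)
    print('failing DA laws on two points:', check_da_laws(u2) or 'none')
    print('counterexample (t, x, y):', right_case_analysis_counterexample(u2))
```

Each law is checked by enumeration rather than proved, so the check only says what holds on a two-element universe; Proposition 11 is the general statement. The exhaustive search is cheap here (16 relations, 4096 triples) and grows as 2^(|U|²), so it is a sanity check for small models, not a decision procedure.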
Demonic Algebra with Domain 127

3.3 Demonic Algebra with Domain

The next extension consists in adding a domain operator to DAT. It is denoted
by the symbol ⌜.

Definition 16 (Demonic algebra with domain). A demonic algebra with
domain (DAD) is a structure (AD, BD, ⊔, □, ×, 0, 1, ⊔_•, ⌜), where (AD, BD, ⊔, □,
×, 0, 1, ⊔_•) is a DAT, and the following properties hold for all t ∈ BD and all
x, y ∈ AD.

⌜(x □ t) □ x = x □ t (43)
⌜(x ⊔ y) = ⌜x ⊔ ⌜y (44)
⌜(x □ y) = ⌜(x □ ⌜y) (45)

As noted above, the axiomatisation of DA is very similar to that of KA, so one
might expect the resemblance to continue between DAD and KAD. In particular,
looking at the angelic version of Definition 16, namely Definition 3, one might
expect to find axioms like ⌜x □ x ⊑ x and t ⊑ ⌜(t □ x), or equivalently, t ⊑ ⌜x ⇐⇒
t □ x ⊑ x. These three properties can be derived from the chosen axioms (see
Propositions 17-2, 17-3 and 17-4) but (43) cannot be derived from them, even
when assuming (44) and (45). But (43) holds in KAD-based demonic algebras.
Since our goal is to come as close as possible to these, we include (43) as an
axiom.
In KAD, it is not necessary to have an axiom like (44), because additivity
of ⌜ (Proposition 4-6) follows from the axioms of KAD (Definition 3) and the
laws of KAT. The proof that works for KAD does not work here. In fact, (43),
(44) and (45) are independent.
Law (45) is locality in a demonic world.
By Proposition 17-2 below, ⌜x is a left preserver of x. By Proposition 17-4, it is
the greatest left preserver. Similarly, by Proposition 17-6, ¬⌜x is a left annihilator
of x. By Proposition 17-5, it is the least left annihilator (since Proposition 17-5
can be rewritten as ¬⌜x ⊑ t ⇐⇒ 0 ⊑ t □ x).

Proposition 17. In a DAD, the demonic domain operator satisfies the follow-
ing properties. Take x, y ∈ AD and t ∈ BD.
1. ⌜x = max {t | t ∈ BD ∧ t □ x = x}
2. ⌜x □ x = x
3. t ⊑ ⌜(t □ x)
4. t ⊑ ⌜x ⇐⇒ t □ x ⊑ x
5. t ⊑ ⌜x ⇐⇒ 0 ⊑ ¬t □ x
6. ¬⌜x □ x = 0
7. x ⊑ y =⇒ ⌜x ⊑ ⌜y
8. ⌜x ⊑ ⌜(x □ y)
9. ⌜t = t
10. ⌜(t □ x) = t □ ⌜x
128 J.-L. De Carufel and J. Desharnais

11. ⌜x = 0 ⇐⇒ x = 0
12. ⌜(x ⊔_t y) = ⌜x ⊔_t ⌜y
All the above laws except 12 are identical to laws of ⌜ in KAD, after compensating
for the reverse ordering of the Boolean lattice (on tests, ⊑ corresponds to ≥).
To simplify the notation when possible, we will use the abbreviation

x ⊓ y = x ⊔_{⌜x} y . (46)

Under special conditions, ⊓ has easy to use properties, as shown by the next
corollary.
Corollary 18. Let x, y, z be arbitrary elements and s, t be tests of a DAD. Then
s ⊓ t is the meet of s and t in the Boolean lattice of tests. Furthermore, the
following properties hold.

⌜x □ y = ⌜y □ x =⇒ x ⊓ y = y ⊓ x (47)
⌜x □ ⌜y = 0 =⇒ ⌜x □ y = ⌜y □ x (48)
0 ⊓ x = x ⊓ 0 = x (49)
x ⊓ x = x (50)
t □ (x ⊓ y) = t □ x ⊓ t □ y (51)
(x ⊓ y) ⊓ z = x ⊓ (y ⊓ z) (52)
x ⊔ (y ⊓ z) = (x ⊔ y) ⊓ (x ⊔ z) (53)
x ⊓ y ⊑ x (54)
⌜(x ⊓ y) = ⌜x ⊓ ⌜y (55)

The two most useful cases of the previous corollary are when ⊓ is used on tests
and when ⌜x □ ⌜y = 0.

4 Definition of Angelic Operators in DAD


Our goal in this section is to define angelic operators from demonic ones, as
was done when going from the angelic to the demonic universe (Section 2). This
is done in order to study transformations between KAD and DAD (Sections 5
and 6). We add a subscript D to the angelic operators defined here, to denote
that they are defined by demonic expressions. We start with the angelic partial
order ≤D .
Definition 19 (Angelic refinement). Let x, y be elements of a DAD. We say
that x ≤D y when the following two properties are satisfied.

⌜y ⊑ ⌜x (56)
x ⊑ ⌜x □ y (57)
Theorem 21 below states that ≤D is a partial order. Moreover, it gives a formula
using demonic operators for the angelic supremum with respect to this partial
order. In order to prove this theorem, we need the following lemma.

Lemma 20. The function

f : AD × AD → AD
(x, y) ↦ (x ⊔ y) ⊓ ¬⌜y □ x ⊓ ¬⌜x □ y

satisfies the following four properties for all x, y, z ∈ AD.

1. ⌜f(x, y) = ⌜x ⊓ ⌜y
2. f(x, x) = x
3. f(x, y) = f(y, x)
4. f(x, f(y, z)) = f(f(x, y), z)

Theorem 21 (Angelic choice). The angelic refinement of Definition 19 sat-
isfies the following three properties.

1. For all x, 0 ≤D x.
2. For all x, y,
x ≤D y ⇐⇒ f (x, y) = y ,
where f is the function defined in Lemma 20.
3. ≤D is a partial order. Letting x +D y denote the supremum of x and y with
respect to ≤D , we have
x +D y = f (x, y) .

The following expected properties are a direct consequence of Lemma 20 and
Theorem 21.

(x +D y) +D z = x +D (y +D z) (58)
x +D y = y +D x (59)
x +D x = x (60)
0 +D x = x (61)

We now turn to the definition of angelic composition. But things are not as
simple as for ≤D or +D . The difficulty is due to the asymmetry between left and
right caused by the difference between axioms (37) and (38), and by the absence
of a codomain operator for “testing” the right-hand side of elements as can be
done with the domain operator on the left. Consider the two relations

Q = {(0, 0), (0, 1), (1, 2), (2, 3)} and R = {(0, 0), (2, 2)} .

The angelic composition of Q and R is Q · R = {(0, 0), (1, 2)}, while their demonic
composition is Q □ R = {(1, 2)}. There is no way to express Q · R only in terms of
Q □ R. What we could try to do is to decompose Q as follows using the demonic
meet

Q = Q □ R ⊓ Q □ ¬R ⊓ (Q1 ⊔ Q2) ,

where Q1 = {(0, 0)} and Q2 = {(0, 1)}. Note that Q □ R = {(1, 2)} and Q □ ¬R =
{(2, 3)} so that the domains of the three operands of ⊓ are disjoint. The effect

of ⊓ is then just union. With these relations, it is possible to express the angelic
composition as Q · R = Q □ R ⊓ Q1 □ R. Now, it is possible to extract Q1 ⊔ Q2
from Q, since Q1 ⊔ Q2 = ¬⌜(Q □ R) □ ¬⌜(Q □ ¬R) □ Q. The problem is that it is
not possible to extract Q1 from Q1 ⊔ Q2. On the one hand, Q1 and Q2 have the
same domain; on the other hand, there is no test t such that Q1 = (Q1 ⊔ Q2) □ t.
Note that Q1 □ R = Q1 and Q2 □ ¬R = Q2. This is what leads us to the following
definition.
Definition 22. Let t be a test. An element x of a DAD is said to be t-decom-
posable iff there are unique elements x_t and x_¬t such that

x = x □ t ⊓ x □ ¬t ⊓ (x_t ⊔ x_¬t) ,
⌜x_t = ⌜x_¬t = ¬⌜(x □ t) □ ¬⌜(x □ ¬t) □ ⌜x ,
x_t = x_t □ t ,
x_¬t = x_¬t □ ¬t .

And x is said to be decomposable iff it is t-decomposable for all tests t.
It is easy to see that all tests are decomposable. Indeed, the (unique) t-decom-
position of a test s is

s = s □ t ⊓ s □ ¬t ⊓ (0 ⊔ 0) .
One may wonder whether there exists a DAD with non-decomposable ele-
ments. The answer is yes. The following nine relations constitute such a DAD,
with the operations given (they are the standard demonic operations on rela-
tions), omitting ⊔_•. The set of tests is {0, s, t, 1}. Each relation on {0, 1} is
written as a 2 × 2 Boolean matrix (rows are sources, columns are targets).

  0 = [0 0]   s = [1 0]   t = [0 0]   1 = [1 0]
      [0 0]       [0 0]       [0 1]       [0 1]

  a = [1 0]   b = [1 1]   c = [1 1]   d = [1 1]   e = [0 0]
      [1 1]       [0 1]       [1 1]       [0 0]       [1 1]

  ⊔ | 0 s t 1 a b c d e     □ | 0 s t 1 a b c d e       | × ⌜ ¬
  --+------------------     --+------------------     --+------
  0 | 0 0 0 0 0 0 0 0 0     0 | 0 0 0 0 0 0 0 0 0     0 | 0 0 1
  s | 0 s 0 s s d d d 0     s | 0 s 0 s s d d d 0     s | s s t
  t | 0 0 t t e t e 0 e     t | 0 0 t t e t e 0 e     t | t t s
  1 | 0 s t 1 a b c d e     1 | 0 s t 1 a b c d e     1 | 1 1 0
  a | 0 s e a a c c d e     a | 0 s 0 a a c c d 0     a | a 1
  b | 0 d t b c b c d e     b | 0 0 t b c b c 0 e     b | b 1
  c | 0 d e c c c c d e     c | 0 0 0 c c c c 0 0     c | c 1
  d | 0 d 0 d d d d d 0     d | 0 0 0 d d d d 0 0     d | 0 s
  e | 0 0 e e e e e 0 e     e | 0 0 0 e e e e 0 0     e | 0 t

The elements a, b, c, d and e are not decomposable. For instance, to decompose
c with respect to s would require the existence of the relations

  [1 0]       [0 1]
  [1 0]  and  [0 1] ,

which are not there.

Definition 23 (Angelic composition). Let x and y be elements of a DAD
such that x is decomposable. Then the angelic composition ·D is defined by

x ·D y = x □ y ⊓ x_{⌜y} □ y .
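As an added example (not code from the paper), the following Python script implements the demonic operators on finite relations, the demonic meet (46), the t-decomposition of Definition 22 and the composition ·D of Definition 23, and recomputes the Q/R example above and the non-decomposable element c of the nine-element DAD. The function names (`dcomp`, `leftover_domain`, `t_witnesses`, …) are my own; the set of points is passed in explicitly because the negation of a test depends on it.

```python
# Added example (not from the paper): the demonic operators on finite relations,
# used to recompute the Q/R example, the t-decomposition of Definition 22, the
# composition ·D of Definition 23 and the non-decomposable c of the nine-element
# DAD. A relation is a frozenset of pairs, a test a sub-identity {(p, p), ...}.
from itertools import product

def points(x):
    """The start points of x, i.e. its domain as a set of points."""
    return {p for p, _ in x}

def dom(x):
    """The domain test ⌜x = {(p, p) : p a start point of x}."""
    return frozenset((p, p) for p in points(x))

def neg(t, universe):
    """Negation ¬t of a test t inside the given universe."""
    return frozenset((p, p) for p in universe if p not in points(t))

def djoin(x, y):
    """Demonic join x ⊔ y: the union restricted to the common domain."""
    common = points(x) & points(y)
    return frozenset((p, q) for p, q in x | y if p in common)

def acomp(x, y):
    """Angelic (ordinary) composition x · y."""
    return frozenset((p, r) for p, q in x for q2, r in y if q == q2)

def dcomp(x, y):
    """Demonic composition x □ y: keep only the start points all of whose
    x-successors lie in the domain of y, then compose angelically."""
    ydom = points(y)
    ok = {p for p in points(x) if all(q in ydom for p2, q in x if p2 == p)}
    return frozenset((p, r) for p, r in acomp(x, y) if p in ok)

def refines(x, y):
    """Demonic refinement x ⊑ y, defined as x ⊔ y = y (so 0 is the top)."""
    return djoin(x, y) == y

def dmeet(x, y):
    """Demonic meet (46): x ⊓ y = x ⊔_{⌜x} y, i.e. x plus y outside dom(x)."""
    return x | frozenset((p, q) for p, q in y if p not in points(x))

def leftover_domain(x, t, universe):
    """The test ¬⌜(x □ t) □ ¬⌜(x □ ¬t) □ ⌜x of Definition 22: the start points
    of x that have both a t-successor and a ¬t-successor."""
    nt = neg(t, universe)
    return dcomp(dcomp(neg(dom(dcomp(x, t)), universe),
                       neg(dom(dcomp(x, nt)), universe)), dom(x))

def t_witnesses(x, t, universe):
    """The only candidates (x_t, x_¬t) for the t-decomposition of x: the three
    ⊓-operands of Definition 22 have disjoint domains, so x_t ⊔ x_¬t must be
    x restricted to the leftover domain, and x_t = x_t □ t, x_¬t = x_¬t □ ¬t
    then fix each component."""
    rest = acomp(leftover_domain(x, t, universe), x)
    return acomp(rest, t), acomp(rest, neg(t, universe))

def is_t_decomposable(x, t, universe, carrier):
    """x is t-decomposable in the DAD with this carrier iff both witnesses
    belong to the carrier and satisfy the four equations of Definition 22."""
    nt = neg(t, universe)
    a, b = t_witnesses(x, t, universe)
    d = leftover_domain(x, t, universe)
    return (a in carrier and b in carrier and dom(a) == d == dom(b)
            and dcomp(a, t) == a and dcomp(b, nt) == b
            and dmeet(dmeet(dcomp(x, t), dcomp(x, nt)), djoin(a, b)) == x)

def angelic_comp_D(x, y, universe):
    """Definition 23: x ·D y = x □ y ⊓ x_{⌜y} □ y (x assumed decomposable)."""
    x_t, _ = t_witnesses(x, dom(y), universe)
    return dmeet(dcomp(x, y), dcomp(x_t, y))

def all_relations(universe):
    """Carrier of the full relation algebra over a (tiny) universe."""
    pairs = list(product(sorted(universe), repeat=2))
    return {frozenset(p for p, keep in zip(pairs, bits) if keep)
            for bits in product((0, 1), repeat=len(pairs))}

# The paper's Q and R over the points {0, 1, 2, 3}.
U4 = {0, 1, 2, 3}
Q = frozenset({(0, 0), (0, 1), (1, 2), (2, 3)})
R = frozenset({(0, 0), (2, 2)})

# The paper's nine-element DAD over {0, 1}, read off its 2x2 matrices.
U2 = {0, 1}
ZERO, S, T = frozenset(), frozenset({(0, 0)}), frozenset({(1, 1)})
ONE = frozenset({(0, 0), (1, 1)})
A = frozenset({(0, 0), (1, 0), (1, 1)})
B = frozenset({(0, 0), (0, 1), (1, 1)})
C = frozenset({(0, 0), (0, 1), (1, 0), (1, 1)})
D = frozenset({(0, 0), (0, 1)})
E = frozenset({(1, 0), (1, 1)})
NINE = {ZERO, S, T, ONE, A, B, C, D, E}

if __name__ == "__main__":
    print("Q·R =", sorted(acomp(Q, R)), "Q□R =", sorted(dcomp(Q, R)))
    print("Q_R, Q_¬R =", [sorted(w) for w in t_witnesses(Q, R, U4)])
    print("c s-decomposable in NINE:", is_t_decomposable(C, S, U2, NINE))
```

Over the full relation algebra on {0, 1} every element is decomposable (as Theorem 28-2 predicts for F(K)), while a, b, c, d, e fail inside the nine-element carrier only because their witnesses are missing from it.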

Proposition 24. Let x, y, z be decomposable elements of a KAD. Then,

1. 1 ·D x = x ·D 1 = x,
2. 0 ·D x = x ·D 0 = 0,
3. (x ·D (y ·D z)) = ((x ·D y) ·D z).

We have not yet been able to show the associativity of ·D nor its distributivity
over +D .
The last angelic operator that we define here is the iteration operator that
corresponds to the Kleene star.

Definition 25 (Angelic iteration). Let x be an element of a DAD. The an-
gelic finite iteration operator ∗D is defined by

x∗D = (x ⊓ 1)× ⊔ 1 .

Although we are still struggling to ascertain the properties of ·D (and, as a side
effect, those of ∗D), we have a conjecture that most probably holds. At least, it
holds for a very important case (see Section 5).

Conjecture 26 (Subalgebra of decomposable elements).

1. The set of decomposable elements of a DAD AD is a subalgebra of AD.
2. For the subalgebra of decomposable elements of AD, the composition ·D is
associative and distributes over +D (properties (5), (8) and (9)).
3. For the subalgebra of decomposable elements of AD , the iteration operator ∗D
satisfies the unfolding and induction laws of the Kleene star (properties (10),
(11), (13) and (14)).

5 From KAD to DAD and Back

In this section, we introduce two transformations between the angelic and de-
monic worlds. The ultimate goal is to show how KAD and DAD are related one
to the other.

Definition 27. Let (K, test(K), +, ·, ∗, 0, 1, ¬, ⌜) be a KAD. Let F denote the
transformation that sends it to

(K, test(K), ⊔_A, □_A, ×_A, 0, 1, ⊔_{A•}, ⌜) ,

where ⊔_A, □_A, ×_A and ⊔_{A•} are the operators defined in Proposition 7 and Defini-
tions 8, 9 and 10, respectively.

Similarly, let (AD, BD, ⊔, □, ×, 0, 1, ⊔_•, ⌜) be a DAD. Let G denote the trans-
formation that sends it to

(AD, BD, +D, ·D, ∗D, 0, 1, ¬D, ⌜) ,

where +D, ·D, ∗D and ¬D are the operators defined in Theorem 21, Definitions 23
and 25, and (32), respectively (since no special notation was introduced in De-
finition 13 to distinguish DAT negation from KAT negation, we have added a
subscript D to ¬ in order to avoid confusion in Theorem 28).

By this definition, the transformations F and G transport the domain operator
unchanged between the angelic and demonic worlds. Indeed, it turns out that
keeping ⌜x unchanged is the right transformation.
Having defined F and G, we can now state the following theorem.

Theorem 28. Let K = (K, test(K), +, ·, ∗, 0, 1, ¬, ⌜) be a KAD and let F and
G be the transformations introduced in Definition 27.
1. F(K) is a DAD.
2. All elements of F(K) are decomposable.
3. G ◦ F is the identity on K and test(K), i.e., the algebra (K, test(K), +D, ·D,
∗D, 0, 1, ¬D, ⌜) derived from the DAD F(K) is isomorphic to K (only the
symbols denoting the operators differ).
4. If a DAD D is isomorphic to F(K), then K is isomorphic to G(D).

Saying that F(K) is a DAD is just a compact restatement of Proposition 11.
Due to this theorem, the conjecture stated in the previous section holds for
the DAD F(K). This is a very important case. Since the elements of F(K) are
decomposable, this result gives much weight to the conjecture.

6 From DAD to KAD and Back

Let D = (AD, BD, ⊔, □, ×, 0, 1, ⊔_•, ⌜) be a DAD. If AD has non-decomposable
elements, then D cannot be the image F (K) of a KAD K, by Theorem 28-2. The
question that is still not settled is whether the subalgebra Dd of decomposable
elements of D is the image F (K) of some KAD K. If Conjecture 26 holds, then
this is the case and the composition of transformations F ◦ G is the identity on
Dd . This problem will be the subject of our future research.

7 Conclusion
The work on demonic algebra presented in this paper is just a beginning. Many
avenues for future research are open. First and foremost, Conjecture 26 must
be solved. In relation to this conjecture, the properties of non-decomposable
elements are also intriguing. Are there concrete models useful for Computer
Science where these elements play a rôle?

Another line of research is the precise relationship of DAD with the other
refinement algebras and most particularly those of [15,21,22,24]. DAD has
stronger axioms than these algebras, and thus these contain a DAD as a sub-
structure. Some basic comparisons can already be done. For instance, DADs
can be related to the command algebras of [15] as follows. Suppose a KAD
K = (K, test(K), +, ·, ∗, 0, 1, ¬, ⌜). A command on K is an ordered pair (x, s),
where x ∈ K and s ∈ test(K). The test s denotes the “domain of termina-
tion” of x. If s ≤ ⌜x, the command (x, s) is said to be feasible; otherwise, it is
miraculous. The set of non-miraculous commands of the form (x, ⌜x), with the
appropriate definition of the operators, is isomorphic to the KAD-based demonic
algebra D obtained from K. If K is the set of all relations over a set S, then
D is isomorphic to the non-miraculous conjunctive predicate transformers on S;
this establishes a relationship with the refinement algebras of [22,24], which have
predicate transformers as their main models. The algebras in [22,24] have two
kinds of tests, guards and assertions. Assertions correspond to the tests of DAD
and the termination operator τ of [22] corresponds to the domain operator of
DAD.
Finally, let us mention the problem of infinite iteration. In DAD, there is no
infinite iteration operator. One cannot be added by simply requiring it to be the
greatest fixed point of λ(z :: x □_A z ⊔_A 1), since this greatest fixed point is always 0.
In [12], tests denoting the starting points of infinite iterations for an element x
are obtained by using the greatest fixed point (in a KAD) of λ(t :: ⌜(x · t)). We
intend to determine whether a similar technique can be used in DAD.

Acknowledgements

The authors thank Bernhard Möller and the anonymous referees for helpful
comments. This research was partially supported by NSERC (Natural Sciences
and Engineering Research Council of Canada) and FQRNT (Fond québécois de
la recherche sur la nature et les technologies).

References

1. Backhouse, R.C., van der Woude, J.: Demonic operators and monotype factors.
Mathematical Structures in Computer Science 3 (1993) 417–433
2. Berghammer, R., Zierer, H.: Relational algebraic semantics of deterministic and
nondeterministic programs. Theoretical Computer Science 43 (1986) 123–147
3. Cohen, E.: Separation and reduction. In: Mathematics of Program Construction.
Volume 1837 of Lecture Notes in Computer Science, Springer (2000) 45–59
4. Conway, J.: Regular Algebra and Finite Machines. Chapman and Hall, London
(1971)
5. De Carufel, J.L., Desharnais, J.: Demonic algebra with domain. Research re-
port DIUL-RR-0601, Département d’informatique et de génie logiciel, Université
Laval, Canada (2006). Available at
http://www.ift.ulaval.ca/~Desharnais/Recherche/RR/DIUL-RR-0601.pdf

6. Desharnais, J., Belkhiter, N., Sghaier, S., Tchier, F., Jaoua, A., Mili, A., Zaguia,
N.: Embedding a demonic semilattice in a relation algebra. Theoretical Computer
Science 149 (1995) 333–360
7. Desharnais, J., Mili, A., Nguyen, T.: Refinement and demonic semantics. In Brink,
C., Kahl, W., Schmidt, G., eds.: Relational Methods in Computer Science, Springer
(1997) 166–183
8. Desharnais, J., Möller, B., Struth, G.: Kleene algebra with domain. Technical
Report 2003-7, Institut für Informatik, Augsburg, Germany (2003)
9. Desharnais, J., Möller, B., Struth, G.: Modal Kleene algebra and applications — a
survey. JoRMiCS — Journal on Relational Methods in Computer Science 1 (2004)
93–131
10. Desharnais, J., Möller, B., Struth, G.: Kleene algebra with domain. To appear in
ACM Transactions on Computational Logic (2006)
11. Desharnais, J., Möller, B., Tchier, F.: Kleene under a demonic star. In: AMAST
2000. Volume 1816 of Lecture Notes in Computer Science, Springer (2000) 355–370
12. Desharnais, J., Möller, B., Tchier, F.: Kleene under a modal demonic star. Journal
of Logic and Algebraic Programming, Special issue on Relation Algebra and Kleene
Algebra 66 (2006) 127–160
13. Hoare, C.A.R., Hayes, I.J., Jifeng, H., Morgan, C.C., Roscoe, A.W., Sanders, J.W.,
Sorensen, I.H., Spivey, J.M., Sufrin, B.A.: Laws of programming. Communications
of the ACM 30 (1987) 672–686
14. Hoare, C.A.R., Jifeng, H.: Unifying Theories of Programming. International Series
in Computer Science. Prentice Hall (1998)
15. Höfner, P., Möller, B., Solin, K.: Omega algebra, demonic refinement algebra and
commands. These proceedings
16. Kahl, W.: Parallel composition and decomposition of specifications. Information
Sciences 139 (2001) 197–220
17. Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular
events. Information and Computation 110 (1994) 366–390
18. Kozen, D.: Kleene algebra with tests. ACM Transactions on Programming Lan-
guages and Systems 19 (1997) 427–443
19. Maddux, R.: Relation-algebraic semantics. Theoretical Computer Science 160
(1996) 1–85
20. McCarthy, J.: A basis for a mathematical theory of computation. In
Braffort, P., Hirschberg, D., eds.: Computer Programming and For-
mal Systems, North-Holland, Amsterdam (1963) 33–70. Available at
http://www-formal.stanford.edu/jmc/basis/basis.html
21. Möller, B.: Lazy Kleene algebra. In Kozen, D., Shankland, C., eds.: Mathematics
of Program Construction. Volume 3125 of Lecture Notes in Computer Science,
Springer (2004) 252–273
22. Solin, K., von Wright, J.: Refinement algebra with operators for enabledness and
termination. In: Mathematics of Program Construction. Lecture Notes in Computer
Science, Springer-Verlag (2006). In press
23. Tchier, F., Desharnais, J.: Applying a generalisation of a theorem of Mills to gener-
alised looping structures. In: Colloquium on Science and Engineering for Software
Development, organised in the memory of Dr. Harlan D. Mills, and affiliated to the
21st International Conference on Software Engineering, Los Angeles (1999) 31–38
24. von Wright, J.: Towards a refinement algebra. Science of Computer Programming
51 (2004) 23–45
Topological Representation of Contact Lattices

Ivo Düntsch¹, Wendy MacCaull², Dimiter Vakarelov³, and Michael Winter¹

¹ Department of Computer Science, Brock University, St. Catharines, ON, Canada
{duentsch, mwinter}@brocku.ca
² Department of Mathematics, Statistics and Computer Science, St. Francis Xavier
University, Antigonish, NS, Canada
[email protected]
³ Department of Mathematical Logic, Sofia University, Sofia, Bulgaria
[email protected]

Abstract. The theory of Boolean contact algebras has been used to rep-
resent a region based theory of space. Some of the primitives of Boolean
algebras are not well motivated in that context. One possible generaliza-
tion is to drop the notion of complement, thereby weakening the algebraic
structure from Boolean algebra to distributive lattice. The main goal of
this paper is to investigate the representation theory of that weaker no-
tion, i.e., whether it is still possible to represent each abstract algebra by
a substructure of the regular closed sets of a suitable topological space
with the standard Whiteheadean contact relation.

1 Introduction

In the classical approach to space the basic primitive is the notion of a point, and
geometric figures are considered to be sets of points. Contrary to this, the region-
based approach to space adopts as its primitives more realistic spatial notions.
In this theory, regions, as abstractions of “solid” spatial bodies, and several basic
relations and operations between regions are considered. Some of the relations
have their origin in mereology, e.g. “part-of” (x ≤ y), “overlap” (xOy), its
dual “underlap” (xU y) and others definable by them. A region based theory
of space extends classical mereology by considering some new relations between

The author gratefully acknowledges support from the Natural Sciences and
Engineering Research Council of Canada.
This author was supported by the project NIP-1510 by the Bulgarian Ministry of
Science and Education.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 135–147, 2006.
© Springer-Verlag Berlin Heidelberg 2006
136 I. Düntsch et al.

regions, topological in nature, such as “contact” (xCy), “non-tangential part-
of” (x ≪ y) and many others definable mainly by means of the contact and the
part-of relations. This motivates some authors to call the new direction “mereo-
topology”. The most simple algebraic counterparts of mereotopology are contact
algebras. They appear in different papers under various names (see for instance
[4,5,6,7,8,9,13,14]). Contact algebras are Boolean algebras extended with the
contact relation C satisfying some axioms. The elements of the Boolean algebra
represent regions and the Boolean operations – join x + y, meet x · y and the
Boolean complement x∗ – allow the construction of new regions from given ones
(such as the “universal” region 1, having all other regions as its parts, and the
zero region 0, which is part of all regions). Part-of, underlap and overlap are
definable by the Boolean part of the algebra, i.e., x ≤ y is the lattice ordering,
xOy ↔ x · y ≠ 0 (motivating the name “overlap”) and xUy ↔ x + y ≠ 1
(motivating the name “underlap”). So, the Boolean part of a contact algebra
incorporates the mereological aspect of the theory, while the contact relation C
corresponds to the “topological” part of the formalism. The word “topology”
in this context is well motivated, because standard models of contact algebras
are the Boolean algebras of regular closed (or regular open) sets of a given
topological space. We recall that a is regular closed if a = Cl(Int(a)), and,
dually, c is regular open if c = Int(Cl(c)), where Cl and Int are the topological
operations of closure and interior in the topological space. Note that in either
case the Boolean operations are not the standard set-theoretic operations, i.e.,
we have a · b = Cl(Int(a ∩ b)), a + b = a ∪ b, and a∗ = Cl(−a) for regular closed
sets a and b, and c · d = c ∩ d, c + d = Int(Cl(c ∪ d)), and c∗ = Int(−c) for
regular open sets c and d. The contact relation between regular closed regions
is given by aCb ↔ a ∩ b ≠ ∅ and for open regions by cCd ↔ Cl(c) ∩ Cl(d) ≠ ∅.
Topological contact algebras correspond to the point-based aspect of the theory.
A major current stream in the theory of contact algebras is their topological
representation theory, i.e., the construction of an embedding of the contact alge-
bra into a suitable topological space. In addition, one usually requires that the
embedding generates/determines the topology. For Boolean contact algebras it
is natural to require that the image of the embedding is a basis for the topology
(similar to the Stone representation theory for Boolean algebras). In the case
of distributive lattices this approach works if and only if underlap satisfies an
additional property (Corollary 2 and Theorem 5). By relaxing that strict inter-
pretation of “generate the topology” we get a general representation theorem for
distributive contact algebras (Theorem 7). Once such a theorem is established, it
shows that, although the notion of point is not a primitive notion of the theory,
it can be defined within the algebra via its isomorphic copy in the topological
contact algebra provided by the representation theorem. This shows that the
“pointless” abstraction is adequate and corresponds to the classical point-based
approach. Recent results in this direction can be found in [4,5,8,14]. For instance,
in [4] several versions of abstract points for contact algebras are discussed such
as clans, E-filters etc. All versions generalize the notion of an ultrafilter, which
is the abstract point suitable for representing Boolean algebras as ordinary sets.
Topological Representation of Contact Lattices 137

Let us note that ordinary sets can also be considered as regions in a topological
space endowed with the discrete topology, but such regions are “bad” regions in
the sense that they do not have nice topological properties such as a boundary,
a non-tangential part etc.
One of the main goals of this paper is to generalize the notion of contact
algebras by weakening the algebraic structure from Boolean algebras to distrib-
utive lattices, but to keep the intended semantics of regions to be regular sets in
topological spaces. In other words, we simply remove the operation of Boolean
complement ∗ . From a philosophical point of view, the complement of a region
is not well motivated. If the region a represents a solid body what is then rep-
resented by a∗ ? (One can formulate similar criticisms for (certain aspects) of
some of the other Boolean primitives, which are not discussed here.) Notice that
the definitions of the mereological relations part-of, overlap and underlap do
not depend on the existence of complements. Moreover, in all known definitions
and variations of Boolean contact algebras, the axioms for contact do not rely
on complements. So, studying a theory based on weaker assumptions will re-
veal more deeply the nature of the mereological and mereotopological relations.
The mereo-topological relations usually considered, such as “non-tangential part”
a ≪ b ↔ a(−C)b∗ and dual contact aČb ↔ a∗Cb∗, are definable from contact using
complements. In the case of distributive lattices these relations must be
primitives. Using this approach a deeper insight into the separate roles of the different
mereological relations and their interactions may be achieved. For instance, in
the Boolean case a certain mereological relation may possess some properties,
which must be postulated separately for distributive lattices. An example is the
property, “U is extensional”, which implies that part-of is definable by U in the
sense that a ≤ b if and only if (∀c)(bU c → aU c). It turns out (Corollary 2) that
this property is exactly the necessary and sufficient property for representing
the contact structure in the strict sense. On the other hand, for Boolean contact
algebras such a representation is always possible, because in that case underlap
is extensional.
The paper is organized as follows. Section 2 introduces the algebraic notions
such as distributive lattices, overlap and underlap, distributive contact alge-
bras, filters and clans. Section 3 provides the topological background and a pure
topological theorem relating extensionality of underlap to the generation of the
topology by means of regular closed sets. It also shows the necessity of the dis-
tributivity of the lattice. In Section 4 we show how to represent U-extensional
distributive contact lattices in a lattice of regular closed sets of some topological
space. As a side result we obtain Cornish’s theorem [3] for U-extensional distrib-
utive lattices. Here we prove also that every distributive contact lattice can be
embedded in a lattice of regular closed sets, so that the image of the lattice gen-
erates the topology in a weaker sense. This is done in two steps. First we show
that every distributive contact lattice can be embedded into a U-extensional con-
tact lattice; then, we simply apply the representation theorem for U -extensional
contact lattices. The last section contains some conclusions and future work.
A standard reference for distributive lattices is [2] and for topology [10].

2 Notation and First Observations

For any set X and Y ⊆ X we denote by −Y the complement of Y in X,
if no confusion can arise. If R is a binary relation on D, and x ∈ D, we let
R(x) = {y : xRy}, which is called the range of x with respect to R.

Distributive Lattices
Throughout this paper, (D, 0, 1, +, ·) is a bounded distributive lattice; we usu-
ally denote algebras by their base set. The dual lattice Dop of D is the lattice
(D, 1, 0, ·, +) based on the reversed order of D. A sublattice D′ of D is called
dense (in D) iff for each element 0 ≠ a ∈ D there is an element 0 ≠ b ∈ D′ with
b ≤ a. A dually dense sublattice of D is a dense sublattice of Dop. We call an
embedding h : D → D′ dense iff the image h(D) = {h(a) : a ∈ D} of D is
dense in D′. Finally, an element d ∈ D is called meet(join)-irreducible if d = a · b
(d = a + b) implies d = a or d = b for all a, b ∈ D.
We define two relations on D, which are of importance in the sequel:

(2.1) xOy ⇐⇒ x · y ≠ 0, “overlap”,
(2.2) xUy ⇐⇒ x + y ≠ 1, “underlap”.

The proof of the following is straightforward:

Lemma 1. If a ≤ b, then O(a) ⊆ O(b) and U (b) ⊆ U (a).

O is called extensional if

(2.3) (∀x, y)[O(x) = O(y) ⇒ x = y].

Analogously, we say that U is extensional if

(2.4) (∀a, b)[U (a) = U (b) ⇒ a = b].

In [15] distributive lattices which satisfy (2.3) are called disjunctive lattices. If D
is a Boolean algebra, then, clearly, both O and U are extensional. Extensionality
of O and U has been considered earlier in the literature, and these results show
that such extensionalities can influence the underlying algebraic structure; in
particular, the following holds for a bounded distributive pseudocomplemented
lattice (i.e., a bounded distributive lattice equipped with an operation ∗ satisfy-
ing a ≤ b∗ iff a · b = 0):

Theorem 1. 1. Suppose that D is a bounded distributive pseudocomplemented
lattice. Then, D is a Boolean algebra if and only if O is extensional.
2. Suppose that D is a bounded distributive dually pseudocomplemented lattice.
Then, D is a Boolean algebra if and only if U is extensional.

Proof. 1. was shown in [9], and 2. follows by duality. 




In particular, if D is finite and not a Boolean algebra, or if D is a chain, then
neither O nor U is extensional. Furthermore, if 0 is meet irreducible then O
is not extensional, and if 1 is join irreducible, then U is not extensional. For
example, the lattice of all cofinite subsets of ω together with ∅ is U -extensional,
but not O-extensional; dually, the set of all finite subsets of ω together with ω
is O-extensional, but not U -extensional.
In [3] further characterizations of disjunctive and dually disjunctive lattices
were given; these relate to dense sublattices of Boolean algebras:

Theorem 2. 1. O is extensional if and only if D is isomorphic to a dense
sublattice of a complete Boolean algebra.
2. U is extensional if and only if D is isomorphic to a dually dense sublattice
of a complete Boolean algebra.
3. O and U are both extensional if and only if the Dedekind completion of D is
a complete Boolean algebra.

Below, we will give additional conditions for O, respectively U, to be extensional.
It is worthy of mention that each of these is strictly stronger than extensionality
in the case that D is not distributive [9].

Lemma 2. 1. O is extensional if and only if (∀a, b)[O(a) ⊆ O(b) ⇒ a ≤ b].
2. U is extensional if and only if (∀a, b)[U(b) ⊆ U(a) ⇒ a ≤ b].

Proof. 1. “⇒”: Suppose that O(a) ⊆ O(b). Then, O(b) = O(a) ∪ O(b) =
O(a + b). Extensionality of O implies that b = a + b, i.e. a ≤ b.
“⇐”: Let O(a) = O(b); then O(a) ⊆ O(b) and O(b) ⊆ O(a), and, by the
hypothesis, a ≤ b and b ≤ a, i.e., a = b.
2. is proved dually. 


Later, we use extensionality in the equivalent form given by Lemma 2. If, for
instance, U is extensional then we will say that the lattice is U-extensional.
A subset F of a lattice D is called a filter if x, y ∈ F and z ∈ D implies
x · y ∈ F and x + z ∈ F. We call a filter F of D prime if x + y ∈ F implies x ∈ F
or y ∈ F. Prime(D) is the set of prime filters of D. For each x ∈ D we denote
by h_Prime(x) = {F ∈ Prime(D) : x ∈ F} the set of all prime filters containing
x. Stone’s well known representation theorem now states:

Theorem 3. [2,12]

1. The mapping h_Prime is a lattice embedding of D into the lattice 2^Prime(D) of
all subsets of Prime(D).
2. The collection {h_Prime(a) : a ∈ D} forms a basis for the closed sets of a
compact T0 topology τ on Prime(D) for which each set (Prime(D) \ h_Prime(a)) is
compact open. Furthermore, τ is a T1 topology if and only if D is relatively
complemented, and a T2 topology if and only if D is a Boolean algebra.

For later use we observe that h_Prime(a) is not necessarily regular closed.

Contact Relations and Distributive Contact Lattices


A binary relation C on D is called a contact relation (CR) if it satisfies:

C0. (∀a)0(−C)a;
C1. (∀a)[a ≠ 0 ⇒ aCa];
C2. (∀a)(∀b)[aCb ⇒ bCa];
C3. (∀a)(∀b)(∀c)[aCb and b ≤ c ⇒ aCc];
C4. (∀a)(∀b)(∀c)[aC(b + c) ⇒ (aCb or aCc)].

The pair ⟨D, C⟩ is called a distributive contact lattice (DCL). If D is a Boolean
algebra, then ⟨D, C⟩ is a Boolean contact algebra (BCA). Let 𝒞 denote the set
of contact relations on D. The next lemma shows that 𝒞 is not empty.

Lemma 3. O is the smallest contact relation on D.

Proof. Suppose that C ∈ C. If x · y ≠ 0, then (x · y)C(x · y) by C1, and C3 now implies that xCy. □


An extensive investigation of lattices of contact relations on a Boolean algebra is provided by [7].
In the next lemma we relate a contact relation to products of prime filters:

Lemma 4. If C ∈ C, then C = ⋃{F × G : F, G ∈ Prime(D), F × G ⊆ C}.

Proof. This was proved in [6] for Boolean contact lattices, and an analysis of the proof shows that it also holds for distributive contact lattices. □


A clan is a nonempty subset Γ of D which satisfies:

CL1. If x, y ∈ Γ then xCy;
CL2. If x + y ∈ Γ then x ∈ Γ or y ∈ Γ;
CL3. If x ∈ Γ and x ≤ y, then y ∈ Γ.

Note that each proper prime filter is a clan. The set of all clans of D will be
denoted by Clan(D).

Corollary 1. aCb iff there exists a clan Γ such that {a, b} ⊆ Γ.

Proof. Suppose that aCb; by the previous Lemma, there are F, G ∈ Prime(D) such that a ∈ F, b ∈ G, and F × G ⊆ C. Clearly, F ∪ G is a clan containing both a and b. The converse follows from the definition of clan. □


3 Topological Models

First we want to recall some notions from topology. By a topological space (X, C(X)) we mean a set X provided with a family C(X) of subsets, called closed sets, which contains the empty set ∅ and the whole set X, and is closed with respect to finite unions and arbitrary intersections. The system (C(X), ∅, X, ∩, ∪)

is a distributive lattice, called the lattice of closed sets of X: ∅ is the zero element and X is the unit element of the lattice, and set inclusion is the lattice ordering. Fixing C(X) we say that X is endowed with a topology. A subset a ⊆ X is called open if it is the complement of a closed set. The family Op(X) of open sets of X is also a lattice with respect to the same operations. A family of closed sets B(X) is called a closed basis of the topology if every closed set can be represented as an intersection of sets from B(X). Consequently, X ∈ B(X) and B(X) is closed under finite unions; hence, (B(X), X, ∪) is an upper semi-lattice. Finally, a family of closed sets B is called a (closed) sub-basis of the topology if the set of finite unions of elements of B is a closed basis.
In every topological space one can define the following operations on subsets
a ⊆ X:

1. Cl(a) = ⋂{c ∈ C(X) : a ⊆ c} (the closure of a), i.e., the intersection of all closed sets containing a.
2. Int(a) = ⋃{o ∈ Op(X) : o ⊆ a} (the interior of a), i.e., the union of all open sets contained in a.

Cl and Int are interdefinable, i.e. Cl(a) = −Int(−a) and Int(a) = −Cl(−a). If B(X) is a closed base of X, then obviously:

Cl(a) = ⋂{b ∈ B(X) : a ⊆ b}.

The next two facts follow from the above:
x ∈ Cl(a) iff (∀b ∈ B(X))(a ⊆ b → x ∈ b);
x ∈ Int(a) iff (∃b ∈ B(X))(−a ⊆ b and x ∉ b).
A subset a of X is called regular closed if Cl(Int(a)) = a, and, dually, regular open if Int(Cl(a)) = a (in this paper we will mainly work with regular closed sets). We denote by RC(X) the family of regular closed sets of X. It is a well-known fact that RC(X) is a Boolean algebra with respect to the following operations and constants:

0 = ∅, 1 = X, a + b = a ∪ b and a · b = Cl(Int(a ∩ b)).

RC(X) naturally provides a contact relation C defined by aCb iff a ∩ b ≠ ∅. C is called the standard (or Whiteheadean) contact relation on RC(X).
A topological space is called semi-regular if it has a closed base of regular
closed sets.
Every topological space X can be made semi-regular by defining a new topology taking the set RC(X) as a base. It is a well-known fact that this new topology generates the same set of regular closed sets.
The following topological theorem gives necessary and sufficient conditions
for a closed base of a topology to be semi-regular.
Theorem 4. [Characterization theorem for semi-regularity]
Let X be a topological space and B(X) be a closed base for X. Suppose that · is a binary operation defined on the set B(X) so that (B(X), ∅, X, ∪, ·) is a lattice (not necessarily distributive). Then we have:

1. The following conditions are equivalent:
(a) B(X) is U-extensional.
(b) B(X) ⊆ RC(X).
(c) For all a, b ∈ B(X), a · b = Cl(Int(a ∩ b)).
(d) (B(X), ∅, X, ∪, ·) is a dually dense sublattice of the Boolean algebra RC(X).
2. If any of the (equivalent) conditions (a), (b), (c) or (d) of 1. is fulfilled then:
(a) (B(X), ∅, X, ∪, ·) is a U-extensional distributive lattice.
(b) X is a semi-regular space.

Proof. 1. (a) → (b). Let B(X) be U-extensional, i.e., for all a, b ∈ B(X) the following holds:

(∀c ∈ B(X))(a ∪ c = X → b ∪ c = X) → a ⊆ b.

We must show that for every a ∈ B(X), a = Cl(Int(a)). This follows from the following chain of equivalences (the hypothesis of U-extensionality is used in the second-to-last step):

x ∈ Cl(Int(a))
⇐⇒ (∀b ∈ B(X))(Int(a) ⊆ b → x ∈ b)
⇐⇒ (∀b ∈ B(X))((∀y)(y ∈ Int(a) → y ∈ b) → x ∈ b)
⇐⇒ (∀b ∈ B(X))((∀y)((∃c ∈ B(X))(a ∪ c = X ∧ y ∉ c) → y ∈ b) → x ∈ b)
⇐⇒ (∀b ∈ B(X))((∀y)(∀c ∈ B(X))(a ∪ c = X → y ∈ c ∨ y ∈ b) → x ∈ b)
⇐⇒ (∀b ∈ B(X))((∀c ∈ B(X))(a ∪ c = X → (∀y)(y ∈ c ∨ y ∈ b)) → x ∈ b)
⇐⇒ (∀b ∈ B(X))((∀c ∈ B(X))(a ∪ c = X → b ∪ c = X) → x ∈ b)
⇐⇒ (∀b ∈ B(X))(a ⊆ b → x ∈ b)
⇐⇒ x ∈ Cl(a) = a.

(b) → (a). Let B(X) ⊆ RC(X). In order to show that B(X) is U-extensional let a, b ∈ B(X) with a ⊈ b. We must show that there is a c ∈ B(X) with a ∪ c = X and b ∪ c ≠ X. The assumption (b) shows Cl(Int(a)) ⊈ b, which implies that there is an x ∈ Cl(Int(a)) with x ∉ b. We obtain that Int(a) ⊆ c implies x ∈ c for all c ∈ B(X), and, hence, Int(a) ⊈ b. This implies the existence of a y ∈ X such that y ∈ Int(a) and y ∉ b. Again, we obtain that there is c ∈ B(X) such that a ∪ c = X and y ∉ c, and, hence, b ∪ c ≠ X.
(b) → (c). Let B(X) ⊆ RC(X). Then for any a · b ∈ B(X) we have a · b =
Cl(Int(a · b)). Since · is a lattice meet we obtain that a · b ⊆ a, a · b ⊆ b,
and, hence, a · b ⊆ a ∩ b. We conclude a · b = Cl(Int(a · b)) ⊆ Cl(Int(a ∩ b)).
For the converse inclusion, we have Cl(Int(a ∩ b)) ⊆ Cl(Int(a)) = a and
Cl(Int(a ∩ b)) ⊆ Cl(Int(b)) = b, and, hence, Cl(Int(a ∩ b)) ⊆ a · b.
(c) → (b). Let Cl(Int(a ∩ b)) = a · b. Then a = a · a = Cl(Int(a ∩ a)) =
Cl(Int(a)), which shows that B(X) ⊆ RC(X).
(b) → (d). Since (b) implies (c) we conclude that (B(X), ∅, X, ∪, ·) is in fact a sublattice of the Boolean algebra RC(X). In order to show that B(X) is dually dense in RC(X), let a ∈ RC(X) where a ≠ X. Since a = Cl(Int(a))

and B(X) is a basis of the closed sets, there exists c ∈ B(X) such that Int(a) ⊆ c. Furthermore, a ≠ X implies that there is an x ∉ Cl(Int(a)), and, hence, such a c can be chosen with x ∉ c, which implies c ≠ X. We conclude a = Cl(Int(a)) ⊆ Cl(c) = c, which proves the assertion.
(d) → (b). Obvious.
2. This follows immediately since all properties in 1. are equivalent and imply (a) and (b). □


We get the following corollary.

Corollary 2. Let X be a topological space, L = (L, 0, 1, +, ·) be a lattice and let h be an embedding of the upper semi-lattice (L, 0, 1, +) into the lattice C(X) of closed sets of X. Suppose that the set B = {h(a) : a ∈ L} forms a closed base for the topology of X. Then we have:

1. The following conditions are equivalent:
(a) L is U-extensional.
(b) B ⊆ RC(X).
(c) For all a, b ∈ L, h(a · b) = Cl(Int(h(a) ∩ h(b))).
(d) h is a dually dense embedding of L into the Boolean algebra RC(X).
2. If any of the (equivalent) conditions (a), (b), (c) or (d) of 1. is fulfilled then:
(a) L is a U-extensional distributive lattice.
(b) X is a semi-regular space.

This corollary shows that if we require that a lattice L be embeddable into the Boolean algebra RC(X) of some topological space X with the properties of Corollary 2, then the lattice must be both distributive and U-extensional. In the next section we will show that this can be extended to U-extensional distributive contact lattices.

4 Topological Representation of Distributive Contact Lattices

The next theorem is the first main result of the paper.

Theorem 5. [Topological representation theorem for U-extensional distributive contact lattices]
Let D = (D, 0, 1, +, ·, C) be a U-extensional distributive contact lattice. Then there exists a semi-regular T0-space X and a dually dense embedding h of D into the Boolean contact algebra RC(X) of the regular closed sets of X.

Proof. Let X = Clan(D) be the set of all clans of D and for a ∈ D, suppose
h(a) = {Γ ∈ X : a ∈ Γ }. Using the properties of clans one can easily check
that h(0) = ∅, h(1) = X and that h(a + b) = h(a) ∪ h(b). This shows that the
set B(X) = {h(a) : a ∈ D} is closed under finite unions and can be taken as a
closed basis for a topology of X.

In order to show that h is an embedding we must show that a ≤ b iff h(a) ⊆ h(b). From the left to the right this follows directly by the properties of clans. Suppose that a ≰ b. Then there exists a prime filter F such that a ∈ F and b ∉ F. Since prime filters are clans this shows that h(a) ⊈ h(b). Consequently, h is an embedding of the upper semi-lattice (D, 0, 1, +) into the lattice of closed sets C(X) of the space X. By Corollary 2, X is a semi-regular space and h is a dually dense embedding of D into the Boolean algebra RC(X).
Now, we want to show that X is a T0-space. Let Γ ≠ Δ be two different points (clans) of X; we will show that there exists a closed set A containing exactly one of them. Suppose Γ ⊈ Δ. Then there exists a ∈ Γ with a ∉ Δ, and, hence, Γ ∈ h(a) and Δ ∉ h(a), so that A = h(a) will work. In the case Δ ⊈ Γ the assertion is shown analogously.
It remains to show that h preserves the contact relation C. But this is a direct consequence of Corollary 1. □


Notice that Theorem 5 generalizes Theorem 5.1 from [4] to the distributive case.
As a consequence of Theorem 5 we obtain the following corollary, which has
Theorem 2(2) as a special case. Recall that this theorem was already proved in
[3].

Corollary 3. [Topological representation theorem for U-extensional distributive lattices]
Let D = (D, 0, 1, +, ·) be a U-extensional distributive lattice. Then there exists a semi-regular T0-space X and a dually dense embedding h of D into the Boolean contact algebra RC(X) of the regular closed sets of X.

Proof. Since the overlap O is a contact relation on D the assertion follows immediately from Theorem 5. □


Due to Corollary 2 we already know that a representation in the sense of Theorem 5 for distributive contact lattices that are not U-extensional is not possible. As mentioned in the introduction we have to use a weaker version of the property that the image h(D) of the embedding h generates (or determines) the topology.
In order to prove such a representation theorem we consider “discrete” Boolean contact algebras defined in [6] as follows. Let (W, R) be a relational system where W ≠ ∅, and R is a reflexive and symmetric relation on W. Subsets of W are considered as (discrete) regions and contact between two subsets a, b ⊆ W is defined by aĈb iff there is x ∈ a and y ∈ b such that xRy. Let D(W, R) denote the distributive lattice of all subsets of W (which is, in fact, a Boolean algebra) with the contact Ĉ defined by R. It was shown in [6] that D(W, R) is indeed a Boolean and, hence, a distributive contact lattice. Since Boolean algebras are always U-extensional (and in addition, O-extensional), D(W, R) is a U-extensional distributive contact lattice. It is proved in [6] (using another terminology) that every Boolean contact algebra can be isomorphically embedded into an algebra of the above type. Inspecting the proof given in [6] one can see that it can be transferred easily to the distributive case.
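The discrete contact algebra D(W, R) above, worked through on a small constructed relational system, with a checker for the axioms C0–C4 and for Lemma 3 (O ⊆ Ĉ). This is an added example, not code from the paper; the set W and relation R are constructed inputs.

```python
# Added example (not from the paper): the discrete contact algebra D(W, R) on a
# constructed relational system, with a checker for the contact axioms C0-C4.
from itertools import combinations


def powerset(W):
    """All subsets of W as frozensets: the elements of the Boolean algebra D(W, R)."""
    elems = sorted(W)
    return [frozenset(c) for r in range(len(elems) + 1) for c in combinations(elems, r)]


def reflexive_symmetric_closure(W, pairs):
    """Smallest reflexive and symmetric relation on W containing `pairs`."""
    R = {(x, x) for x in W}
    for x, y in pairs:
        R.add((x, y))
        R.add((y, x))
    return R


def discrete_contact(W, R):
    """a Ĉ b iff some x in a and some y in b satisfy xRy (the paper's definition)."""
    regions = powerset(W)
    return {(a, b) for a in regions for b in regions
            if any((x, y) in R for x in a for y in b)}


def overlap(W):
    """The overlap relation O: a O b iff a · b ≠ 0, i.e. a ∩ b ≠ ∅ for subsets."""
    regions = powerset(W)
    return {(a, b) for a in regions for b in regions if a & b}


def contact_violations(W, C):
    """Names of the axioms among C0-C4 violated by a relation C on subsets of W.
    The lattice order is inclusion, + is union and 0 is the empty set."""
    regions = powerset(W)
    zero = frozenset()
    bad = []
    if any((zero, a) in C for a in regions):                      # C0: 0 (-C) a
        bad.append("C0")
    if any(a != zero and (a, a) not in C for a in regions):       # C1: a ≠ 0 ⇒ aCa
        bad.append("C1")
    if any((b, a) not in C for (a, b) in C):                      # C2: symmetry
        bad.append("C2")
    if any((a, c) not in C for (a, b) in C for c in regions if b <= c):  # C3
        bad.append("C3")
    if any((a, b | c) in C and (a, b) not in C and (a, c) not in C    # C4
           for a in regions for b in regions for c in regions):
        bad.append("C4")
    return bad


if __name__ == "__main__":
    # Constructed sample: four points on a path 0 - 1 - 2 - 3.
    W = {0, 1, 2, 3}
    R = reflexive_symmetric_closure(W, [(0, 1), (1, 2), (2, 3)])
    C = discrete_contact(W, R)
    print("violations:", contact_violations(W, C))                 # []
    print("O ⊆ Ĉ (Lemma 3):", overlap(W) <= C)                     # True
    print("{0} Ĉ {1}:", (frozenset({0}), frozenset({1})) in C)      # True
    print("{0} Ĉ {2}:", (frozenset({0}), frozenset({2})) in C)      # False
    # Dropping reflexivity at one point breaks C1 for the region {2}.
    print("without (2,2):", contact_violations(W, discrete_contact(W, R - {(2, 2)})))  # ['C1']
```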

Theorem 6. Each distributive contact lattice D = (D, 0, 1, +, ·, C) can be isomorphically embedded into a Boolean contact algebra of the form D(W, R).

Proof. Let W = Prime(D) be the set of prime filters of D, let F, G ∈ Prime(D) and define R by F R G iff F × G ⊆ C. Consider the Stone embedding hPrime : D → 2^Prime(D). It remains to show that hPrime preserves the contact relation. We observe that

hPrime(x) Ĉ hPrime(y)
⇐⇒ (∃F, G ∈ Prime(D))[x ∈ F, y ∈ G, and F × G ⊆ C]
⇐⇒ xCy (by Lemma 4).

This completes the proof. □




The following corollary is a direct consequence of the last theorem.

Corollary 4. [Extension lemma for distributive contact lattices]
Each distributive contact lattice can be embedded into a (U-extensional) Boolean contact algebra.

Now, we are ready to prove the second main result of this paper.

Theorem 7. [Topological representation theorem for distributive contact lattices]
Let D = (D, 0, 1, +, ·, C) be a distributive contact lattice. Then there exists a semi-regular T0-space X, an embedding h of D into the Boolean contact algebra RC(X) of the regular closed sets of X and an embedding k of D into the Boolean algebra RC(X)^op so that {h(a) : a ∈ D} ∪ {k(a) : a ∈ D} is a sub-basis of the regular closed sets of X.

Proof. The proof can be realized in two steps. First, by Corollary 4, D can be embedded into a (U-extensional) Boolean contact algebra B. Let e1 be the corresponding embedding. In the second step, we apply Theorem 5 to B. Consequently, we get a semi-regular T0-space X and a dually dense embedding e2 of B into RC(X). Now, let h = e2 ∘ e1, i.e. h(a) = e2(e1(a)), and k(a) = e2(e1(a)*) (e1(a)* is the complement in B of the embedding of a). Then h is as required. Since the set {e1(a) : a ∈ D} ∪ {e1(a)* : a ∈ D} generates the Boolean algebra B we get the last assertion. □


Next, we want to discuss the two representation theorems proved in this paper
in more detail.
Discussion. 1. Notice that there is a difference in the usage of topologies in
the topological representation Theorems 5 and 7, and in the Stone topological
representation theorems for distributive lattices and Boolean algebras. In Stone’s
theorem, topology is used to describe the image of the representation up to
isomorphism. In our case, the topology is used to obtain good images of the
elements of the lattice as regions, e.g., they should have a boundary, etc. For
that reason Theorems 5 and 7 are just embedding theorems. In this respect they

correspond much more to the embedding theorems for distributive lattices and
Boolean algebras in algebras of sets. In our case, sets are replaced by regular
closed sets.
2. If we consider contact structures as abstract “pointless” geometries, the question is which notion of points is suitable. In distributive contact lattices we may define two different kinds of points, i.e., prime filters and clans. Prime filters are in some sense “bad” points with respect to the contact structure. They correspond to the lattice part of the structure and can provide a representation by ordinary sets. It is possible to define a contact relation between those sets by means of the contact relation between points. Such a representation is constructed, for instance, in Theorem 6. Clans are “good points” with respect to the contact structure. They guarantee that the image h(a) of each element of the lattice is a region, i.e., has a boundary, interior part, etc. The representation constructed in the proof of Theorem 7 can be interpreted as follows. In a first step we use “bad” points (prime filters) to represent the lattice as a lattice of sets (“bad” regions) and lift the contact relation to that structure. As a positive side-effect we end up with the property of U-extensionality. In the second step, the “good points” (clans) and U-extensionality are used to construct a representation with the intended topological properties. Since prime filters are clans they are among the “good points” of the second step, but they just appear in the interior part of the regions.
These informal explanations are reminiscent of considering prime filters and clans as atoms and molecules – the real points of the real spatial bodies. Similar ideas have been used in [5] for obtaining topological representation theorems for discrete versions of region-based theories of space.

5 Conclusion and Outlook

In this paper we have generalized the notion of Boolean contact algebras by weakening the algebraic part to distributive lattices. This provided a deeper insight into the interaction of several notions used in the representation theory. As a result we obtained a characterization theorem for semi-regularity in topological spaces, which appeared as one of the main tools in the representation theory. We have given two representation theorems of such lattices in algebras of regular closed sets of some topological spaces, considered as standard models for a region-based theory of space. These theorems are direct generalizations of some results from [6] and [4]. Because of the full duality of Boolean algebras, representations in algebras of regular closed sets and regular open sets are dual in that case. In fact, one can construct one representation in terms of the other by duality. In the distributive case duality is preserved only for the lattice part. Consequently, representations in algebras of regular open sets will need different techniques, which we plan to investigate in the future. Kripke semantics and associated reasoning mechanisms may also be developed (as in [1,11]). Another direction of research is to extend the vocabulary of distributive contact lattices with other mereotopological relations such as the non-tangential part-of and

dual contact, Č. Last but not least, an open problem is the representation theory
of a further generalization to non-distributive contact structures. First results of
this direction can be found in [9]. Some non-topological representation theorems
for non-distributive lattices may be found in [11]. The main problem here is that
it is not obvious what kind of structure we want to consider as a standard model
of a non-distributive contact lattice. Obviously, this question has to be resolved
before the corresponding representation theory can be developed.

References
1. Allwein, G. and MacCaull, W. (2001). A Kripke semantics for the logic of Gelfand quantales. Studia Logica, 61:1-56.
2. Balbes, R. and Dwinger, P. (1974). Distributive Lattices. University of Missouri Press, Columbia.
3. Cornish, W. H. (1974). Crawley’s completion of a conditionally upper continuous lattice. Pacific Journal of Mathematics, 51(2):397-405.
4. Dimov, G. and Vakarelov, D. (2006). Contact algebras and region-based theory of space: A proximity approach. Fundamenta Informaticae. To appear.
5. Dimov, G. and Vakarelov, D. (2006). Topological representation of precontact algebras. In: MacCaull, W., Winter, M. and Düntsch, I. (Eds.), Relational Methods in Computer Science, LNCS 3929. To appear.
6. Düntsch, I. and Vakarelov, D. (2006). Region-based theory of discrete spaces: A proximity approach. Discrete Applied Mathematics. To appear.
7. Düntsch, I. and Winter, M. (2005). Lattices of contact relations. Preprint.
8. Düntsch, I. and Winter, M. (2005). A representation theorem for Boolean contact algebras. Theoretical Computer Science (B), 347:498-512.
9. Düntsch, I. and Winter, M. (2006). Weak contact structures. In: MacCaull, W., Winter, M. and Düntsch, I. (Eds.), Relational Methods in Computer Science, LNCS 3929:73-82.
10. Engelking, R. (1977). General Topology. PWN.
11. MacCaull, W. and Vakarelov, D. (2001). Lattice-based paraconsistent logic. In: MacCaull, W., Winter, M. and Düntsch, I. (Eds.), Relational Methods in Computer Science, LNCS 3929:178-189.
12. Stone, M. (1937). Topological representations of distributive lattices and Brouwerian logics. Časopis Pěst. Mat., 67:1-25.
13. Vakarelov, D., Düntsch, I. and Bennett, B. (2001). A note on proximity spaces and connection based mereology. In: Welty, C. and Smith, B. (Eds.), Proceedings of the 2nd International Conference on Formal Ontology in Information Systems (FOIS’01), pages 139-150. ACM.
14. Vakarelov, D., Dimov, G., Düntsch, I. and Bennett, B. (2002). A proximity approach to some region-based theory of space. Journal of Applied Non-Classical Logics, 12(3-4):527-559.
15. Wallman, H. (1938). Lattices and topological spaces. Math. Ann., 39:112-136.
Betweenness and Comparability Obtained
from Binary Relations

Ivo Düntsch (1) and Alasdair Urquhart (2)

(1) Department of Computer Science, Brock University, St. Catharines, Ontario, Canada, L2S 3A1
[email protected]
(2) Department of Philosophy, University of Toronto, Toronto, Ontario, Canada, M5S 1A2
[email protected]

Abstract. We give a brief overview of the axiomatic development of betweenness relations, and investigate the connections between these and comparability graphs. Furthermore, we characterize betweenness relations induced by reflexive and antisymmetric binary relations, thus generalizing earlier results on partial orders. We conclude with a sketch of the algorithmic aspects of recognizing induced betweenness relations.

1 Introduction

The study of betweenness relations goes back to at least 1917, when Huntington and
Kline [10] published “Sets of independent postulates for betweenness.” The concept of
betweenness can have rather different meanings – we quote from [10]:

– K is the class of points on a line; AXB means that point X lies between the points
A and B.
– K is the class of natural numbers, AXB means that number X is the product of the
numbers A and B.
– K is the class of human beings; AXB means that X is a descendant of A and an
ancestor of B.
– K is the class of points on the circumference of a circle; AXB means that the arc
A − X − B is less than 180◦.

In the sequel they concentrate on the geometric case. Throughout, B is a ternary relation on a suitable set, and B(x, y, z) is read as “y lies between x and z.” Quantifier free axioms are assumed to be universally quantified. The notation #M means that all elements of M are different.

Both authors gratefully acknowledge support from the Natural Sciences and Engineering Research Council of Canada.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 148–161, 2006.
© Springer-Verlag Berlin Heidelberg 2006

Their first set of four postulates is concerned with three elements:

HK A. B(a, b, c) =⇒ B(c, b, a).
HK B. #{a, b, c} =⇒ B(b, a, c) ∨ B(c, a, b) ∨ B(a, b, c) ∨ B(c, b, a) ∨ B(a, c, b) ∨ B(b, c, a).
HK C. #{a, b, c} =⇒ ¬(B(a, b, c) ∧ B(a, c, b)).
HK D. B(a, b, c) =⇒ #{a, b, c}.
They proceed by adding another eight universal postulates which describe the configu-
rations with four distinct elements, and state “If we think of a and b as two given points
on a line, the hypotheses of these postulates state all the possible relations in which two
other distinct points x and y of the line can stand in regard to a and b.” For later use, we
mention
HK 1. #{b, c} ∧ B(a, b, c) ∧ B(b, c, d) =⇒ B(a, b, d).
HK 2. B(a, b, c) ∧ B(b, d, c) =⇒ B(a, b, d).
While HK A is widely accepted in many contexts (unless one requires one-way streets),
the other postulates make very strong assumptions: HK B says that for any three differ-
ent elements, one is between the other two, and HK D rules out what one might call de-
generate triples. Postulate HK C prohibits “nesting.” Their set of postulates completely
axiomatizes betweenness if we restrict the domain to linear orders. The postulates HK 1
and HK 2 subsequently became known as “outer transitivity” and “inner transitivity”,
respectively. Some years later, Huntington [9] proposed a ninth postulate,
H 9. #{a, b, c, x} ∧ B(a, b, c) =⇒ B(a, b, x) ∨ B(x, b, c),
and showed that the axiom system {HK A–HK D, H 9} is equivalent to the one given in [10].
Betweenness in metric spaces was investigated by Karl Menger [12], and, in a further development, Pitcher and Smiley [14] direct their interest to betweenness relations in lattices, and define B(a, b, c) ⇐⇒ a · b + b · c = b = (a + b) · (b + c); see Figure 1. Observe that a ≤ b ≤ c implies B(a, b, c).

[Fig. 1: lattice diagram with nodes a, b, c, a + b, b + c, a · b, b · c, illustrating B(a, b, c)]
Fig. 1. Betweenness in lattices

The main difference from the system of [9] is the omission of HK B, which is geared
to linear orders, and the introduction of “degenerate triples” which contain at most two
distinct variables. Thus, their basic system consists only of the symmetry axiom HK A,
and

PS β. B(a, b, c) ∧ B(a, c, b) ⇐⇒ b = c.

They continue to explore various transitivity conditions and their connection to lattice properties. For example,
Theorem 1. [14] A lattice L is modular if and only if its betweenness relation satisfies HK 2.
In a parallel development, Tarski proposed an axiom system for first order Euclidean
plane geometry based on two relations: equidistance and betweenness. An overview
of the system and its history can be found in [16], and axiom numbers below refer to
this exposition. His axioms for betweenness are of course very much tailored for the
purpose that he had in mind, and many of these are specific to the geometric context.
We mention those which are of a more general nature:

Ax 6. B(a, b, a) ⇒ a = b. (Identity)
Ax 12. B(a, b, b). (Reflexivity)
Ax 13. a = b ⇒ B(a, b, a). (Equality)
Ax 14. B(a, b, c) ⇒ B(c, b, a). (Symmetry)
Ax 15. B(a, b, c) and B(b, d, c) ⇒ B(a, b, d). (Inner transitivity)
Ax 16. B(a, b, c) and B(b, c, d) and b ≠ c ⇒ B(a, b, d). (Outer transitivity)

In a further generalization, Birkhoff [2] defines a betweenness relation on U by the condition B(a, b, c) ⇐⇒ a ≤ b ≤ c or c ≤ b ≤ a, where ≤ is a partial order. The reader is then invited to prove the following:
Birk 0. B(a, b, c) ⇒ B(c, b, a).
Birk 1. B(a, b, c) and B(a, c, b) ⇒ b = c.
Birk 2. B(a, b, c) and B(a, d, b) ⇒ B(a, d, c).
Birk 3. B(a, b, c) and B(b, c, d) and b ≠ c ⇒ B(a, b, d).
Birk 4. B(a, b, c) and B(a, c, d) ⇒ B(b, c, d).
It turns out that Birk 1 and Birk 2 follow from Birk 0, Birk 3, and Birk 4. Furthermore, these properties are not sufficient to characterize those betweenness relations which are induced by a partial order. In a fundamental article in 1950, Martin Altwegg [1] obtained an axiom system for such betweenness relations:
Z1. B(a, a, a).
Z2. B(a, b, c) ⇒ B(c, b, a).
Z3. B(a, b, c) ⇒ B(a, a, b).
Z4. B(a, b, a) ⇒ a = b.
Z5. B(a, b, c) and B(b, c, d) and b ≠ c ⇒ B(a, b, d).
Z6. Suppose that a0, a1, . . . , a2n, a2n+1 and a0 = a2n+1. If B(ai−1, ai−1, ai) for all 0 < i ≤ 2n + 1, and not B(ai−1, ai, ai+1) for all 0 < i < 2n + 1, then B(a2n, a0, a1).
Shortly after Altwegg’s paper, Sholander [15] investigated betweenness for various kinds of orderings, and derived Altwegg’s characterization as a corollary. His system, however, is somewhat shorter. In addition to Z6, he only supposes

Sho B. B(a, b, a) ⇐⇒ a = b.
Sho C. B(a, b, c) ∧ B(b, d, e) =⇒ B(c, b, d) ∨ B(e, b, a).
Altwegg’s work seems to have been largely forgotten – a notable exception being [3] –,
and a search on the Science Citation Index reveals only three citations since 1965. A
case in point is the widely studied area of comparability graphs that are closely con-
nected to betweenness relations; as far as we know, researchers in this area were not
aware of the earlier results. It is one of the aims of this paper to draw attention to
Altwegg’s work, and point out some connections between betweenness relations and
comparability graphs.

2 Notation
The universe of our relations is a non-empty set U. The identity relation on U is denoted
by 1U , or just 1 , if U is understood. For each n ∈ ω , n denotes the set of all k < n. For
M ⊆ U, we abbreviate by #M the statement that all elements of M are different.
A partial order ≤ is called connected if there is a path in ≤ ∪ ≥ from a to b for all
a, b ∈ U. A component of ≤ is a maximally connected subset of <.
Graphs are assumed to be undirected, without loops or multiple edges. In other
words, a graph is just a symmetric irreflexive binary relation on U. A cycle C in G of
length n is a sequence of elements a0 , . . . , an−1 of U such that a0 Ga1 . . . an−2 Gan−1Ga0 ;
repetitions are allowed. A cycle is sometimes called a closed path in G. A cycle is strict,
if #{a0, . . . , an−1 }, and we denote by Cn the strict cycle of length n. A triangular chord
of the cycle C is an edge {ai , ai+2 } of G; here, addition is modulo n. For example, the
graph of Figure 2 contains the cycle d, a, b, e, b, c, f , c, a, d of length 9, which has no
triangular chords [5].

[Fig. 2: graph on the vertices a, b, c, d, e, f]
Fig. 2. A graph with a 9-cycle without triangular chords

3 Comparability Graphs
If P is a partial order on U, its comparability graph GP is the set of all comparable
proper pairs, i.e. GP = (P ∪ P˘) \ 1 ; here, P˘ is the relational converse of P. A graph G

is called a comparability graph, if G = GP for some partial order P. We denote the class of comparability graphs by G≤.
Two partial orders P, Q on the same set U are called equivalent if for all components MP of P, P↾MP = Q↾MP or P↾MP = Q˘↾MP.

Example 1. Consider the partial orderings P, Q shown in Figure 3; obviously, these are not equivalent. In both cases, the only non-comparable elements are b and c, so that GP = GQ. □

[Fig. 3: Hasse diagrams of P and Q on {a, b, c, d}, and the common graph G_P = G_Q]
Fig. 3. Non-equivalent partial orders with the same comparability graph

Comparability graphs have been investigated since the early 1960s, and we invite the
reader to consult the overview by Kelly [11] for more information. A characterization
of comparability graphs is as follows:

Theorem 2. [4,5]

GH. G is a comparability graph if and only if every odd cycle of G contains a triangular chord.

For example, the graph of Figure 2 is not a comparability graph. It is instructive, and will be useful later on, to consider the strict partial orders < obtained from strict cycles of even length n. As these cycles have no triangles, each path in < has length 2, and, consequently, a0 < a1 > a2 < a3 > . . . > an−2 < an−1 > a0, or its converse; see Figure 4. Conversely, each crown induces a cycle of even length.
In the sequel, let J be the set of all odd natural numbers greater than 3.

[Fig. 4: crown with upper elements a_1, a_3, ..., a_(n-1) and lower elements a_0, a_2, a_4, ..., a_(n-2)]
Fig. 4. A crown ordering induced by a strict cycle of even length



If G is a graph and n ∈ J, let σn express that each cycle of G of length n has a triangular chord:

σn : (∀x0, . . . , xn−1)[x0 G x1 G . . . G xn−1 G x0 =⇒ x0 G x2 ∨ x1 G x3 ∨ . . . ∨ xn−2 G x0 ∨ xn−1 G x1].

By Theorem 2, G is a comparability graph if and only if it satisfies σn for each n ∈ J, and thus, G≤ has a universal first order axiomatization. Hence, G≤ is closed with respect to substructures.
The following comes as no surprise:

Theorem 3. G≤ is not axiomatizable with a finite number of variables.

Proof. Assume that Σ is a set of sentences with altogether n variables which axiomatizes G≤; we can assume w.l.o.g. that n = 2r ≥ 4. Let U = n + 1, and G be the cycle on U of length n + 1, say, 0, 1, 2, 3, . . . , n, 0. Then, since G is an odd cycle without triangular chord, it is not in G≤.
Suppose that U′ ⊆ U with |U′| = n, w.l.o.g. U′ = {0, 1, . . . , n − 1}, and H is the restriction of G to U′. Then, H = G \ {⟨n − 1, n⟩, ⟨n, 0⟩}, and H is the comparability graph of the crown of Figure 4 with a0, an−1 removed.
Now, since the satisfaction in ⟨U, G⟩ of sentences with at most n variables depends only on its satisfaction in the n-generated substructures of ⟨U, G⟩, we have ⟨U, G⟩ ⊨ Σ. This contradicts the fact that G ∉ G≤.

4 Betweenness Relations

Considering the plethora of proposed axiomatizations of betweenness relations, we need to decide which axioms to use. Our strategy will be to start with those postulates that are most common, present the least restrictions and still let us obtain a sensible theory. We will allow “degenerate triples”, as it enables us to go from triples to pairs and vice versa.
A ternary relation on a set U is called a betweenness relation if it satisfies

BT 0. B(a, a, a).
BT 1. B(a, b, c) ⇒ B(c, b, a).
BT 2. B(a, b, c) ⇒ B(a, a, b).
BT 3. B(a, b, c) and B(a, c, b) ⇒ b = c.

We denote the class of all betweenness relations by B. Observe that at this stage we do
not include any transitivity conditions. Since B is a universal Horn class, it is closed un-
der substructures, and thus, under unions of chains, and also under direct products; note
that for any set M of triples consistent with the axioms, there is a smallest betweenness
relation B containing M, and that B is finite just when M is finite.
With BT 1, BT 2, and BT 3 one can easily prove

Lemma 1. 1. B(a, b, c) implies B(a, b, b), B(b, b, c), and B(b, c, c).
2. B(a, b, a) ⇒ a = b.
154 I. Düntsch and A. Urquhart

[Figure 5: the relation of Example 2 on a, b, c, d, e with triples B(a, b, c) and B(d, b, e). Figure 6: the pentagon on a, b, c, d, e with triples B(a, b, c), B(b, c, d), B(c, d, e), B(d, e, a).]

Fig. 5. A betweenness relation not induced by a binary relation

Fig. 6. A betweenness relation based on a pentagon

However, in the absence of transitivity axioms, B(a, a, c) does not follow.


A triple ⟨a, b, c⟩ is called proper, if #{a, b, c}. We say that a, b are comparable, if B(a, a, b), and let CB be the set of all comparable pairs. By BT 0, CB is reflexive, and by Lemma 1 it is symmetric. If aCB b, and a ≠ b we call a and b strictly comparable, and denote the graph of all strictly comparable pairs by CB+. Note that CB+ does not necessarily determine B, as Example 1 shows.
Conversely, if R is a reflexive antisymmetric binary relation on U we let BR = {⟨a, b, c⟩ : aRbRc or cRbRa}, and say that B is induced by R, if B = BR; it is straightforward to see that BR ∈ B. The question arises whether every betweenness relation is induced by a binary relation. The following two examples show that the answer is “no.”

Example 2. Let U = {a, . . . , e} and B be the smallest betweenness relation on U containing ⟨a, b, c⟩ and ⟨d, b, e⟩, see Figure 5; inspection shows that these are the only nontrivial triples of B.
Assume that B is induced by the binary relation R. Then, B(a, b, c) implies aRbRc or cRbRa, and B(d, b, e) implies dRbRe or eRbRd. If, for example, aRbRc and dRbRe, then dRbRc, implying B(d, b, c), which is not the case. The other cases are similar. □
Another instructive example is the pentagon shown in Figure 6. We let B be the smallest betweenness relation containing ⟨a, a, b⟩, ⟨b, b, c⟩, ⟨c, c, d⟩, ⟨d, d, e⟩, and ⟨e, e, a⟩; then, CB is the pentagon, and each triple in B contains at most two different entries. Assume that B = BR for some reflexive and antisymmetric relation R. Then, aRb or bRa; suppose w.l.o.g. that aRb. Since B contains no proper triples, we then must have cRb, cRd, eRd, eRa. But then, B(e, a, b), a contradiction. On the other hand, if B is generated by {⟨a, b, c⟩, ⟨b, c, d⟩, . . . , ⟨e, a, b⟩}, then B is induced by the reflexive and antisymmetric relation aRbRcRdReRa enhanced by 1′. This shows that CB can have cycles of odd length without a triangular chord.

5 Axiomatizing Betweenness Relations


In this section, we generalize Altwegg’s theorem characterizing betweenness relations
arising from partially ordered sets. It turns out that the basic ideas of his proof go
through even in the absence of transitivity. Our main theorem in this section charac-
terizes the betweenness relations arising from reflexive, antisymmetric orderings, from
which we obtain Altwegg’s result as a corollary.

The construction R −→ BR , as defined in §4, produces a structure satisfying the ax-
ioms of a betweenness relation, defined on the same universe, if R is reflexive and
antisymmetric. The main idea of the present section is to show that there is an inverse
map B −→ RB ; however, the map is not unique, rather it depends on an arbitrary choice
of orientation for each component of the strict comparability graph CB+ . If we produce
a new relation R′ from a reflexive, antisymmetric relation R by reversing the direction of all pairs in R within a fixed component of its comparability graph, then R and R′ generate the same betweenness relation. However, if we regard two such relations
as equivalent if they differ from one another only with respect to an arbitrary choice
of orientation for a set of components, then the map B −→ RB determines a relation
that is unique up to equivalence. This notion generalizes the concept of equivalence for
partially ordered sets defined in §3.
We begin by recalling some terminology from Altwegg’s paper [1]. Suppose that B is a betweenness relation on U. A sequence a0, a1, a2, . . . , an−1, an is called a C–path in B, if a0 CB a1 CB . . . CB an, i.e. every two consecutive entries are comparable. It is called a B–path, if B(ai, ai+1, ai+2) for all i ≤ n − 2. Every C–path can be made into a B–path by doubling ai for each 0 < i < n.
Having derived a B–path a0, a1, . . . , an from a C–path, it can be reduced in the following way:
1. If ai0 = ai1 = . . . = aik, then remove ai2, . . . , aik.
2. If ai, ai+1, ai+2, ai+3, ai+1 = ai+2, and B(ai, ai+1, ai+3), then remove ai+2.
A completely reduced path is called a chain. Note that by the construction of a chain a0, a1, . . . , an from a B–path, for 0 ≤ i, i + 1, i + 2, i + 3 ≤ n,
(5.1) #{ai, ai+1, ai+2} ⇒ B(ai, ai+1, ai+2),
(5.2) ai+1 = ai+2 ⇒ ¬B(ai, ai+1, ai+3).
A chain is called simple, if consecutive entries are different. We also call a, b a simple chain, if a ≠ b and B(a, a, b). Clearly, for each 0 ≤ k < m ≤ n, ak, ak+1, . . . , am is again a simple chain, and the inverse an, . . . , a0 of a (simple) chain a0, . . . , an is also a (simple) chain.
Definition 1. We define the notion of a B-walk of size n by induction on n:
1. A simple chain is a B-walk of size 1;
2. If W = a, . . . , p, q is a B-walk of size n, and C = q, r, . . . , z a simple chain where
¬B(p, q, r), then the sequence a, . . . , p, q, r, . . . , z obtained by identifying the last
element of W with the first element of C is a B-walk of size n + 1.
In other words, a B-walk consists of a sequence obtained by gluing together simple
chains; the gluing consists of identifying their endpoints. If W = a, b, . . . , c, d is a B-
walk, then we say that it is a B-walk from a, b to c, d. A B-walk is even or odd depending
on whether its size is even or odd. The length of a B-walk is its length, considered as a
sequence, so, for example, the B-walk a, b, a, b has length 4. Note that length and size
may differ; indeed, it is the definition of size in the various scenarios that causes GH, Z6 ,
and BT 4 below to look so similar. A B-cycle is a B-walk a0, a1, . . . , an−1, an, in which
the first and last two elements are the same (a0 = an ), and ¬B(an−1 , a0 , a1 ).

Lemma 2. Let R be a reflexive, antisymmetric relation, and BR the betweenness relation generated by R. Assume that aRb and that W = a, b, . . . , c, d is a BR-walk from a, b to c, d. If W is odd, then cRd, while if W is even, then dRc.

Proof. The proof is by induction on the length of W. For a BR-walk of length 2, it holds by assumption. Assuming for walks of length n > 1, let a, b, . . . , c, d, e be an odd BR-walk of length n + 1. If a, b, . . . , c, d is also odd, then BR(c, d, e), and cRd, hence dRe. On the other hand, if a, b, . . . , c, d is even, then ¬BR(c, d, e), and dRc by inductive assumption, showing that dRe. The proof for even walks is symmetrical. □

The main theorem of this section is:

Theorem 4. The theory BR of betweenness relations generated by a reflexive, antisymmetric relation is axiomatized by the following postulates:

BT 0. B(a, a, a).
BT 1. B(a, b, c) ⇒ B(c, b, a).
BT 2. B(a, b, c) ⇒ B(a, a, b).
BT 3. B(a, b, c) and B(a, c, b) ⇒ b = c.
BT 4. There are no odd B-cycles.

The fact that BT 4 holds for a betweenness relation BR generated by a reflexive, anti-
symmetric relation R follows easily from Lemma 2. Note that Altwegg’s postulate Z6
is a special case of our BT 4. The more general formulation is needed here because
the transitivity axioms are not available. To illustrate the axiom BT 4, let us consider
two of the betweenness relations from the previous section. In Example 2, the sequence
a, b, e, b, d, b, a is an odd B-cycle. The five simple chains making up the cycle are

a, b | b, e | e, b, d | d, b | b, a.

In the next example (the pentagon of Figure 6), the sequence a, b, c, d, e, a is an odd B-
cycle. For any betweenness relation that is not generated by a reflexive, antisymmetric
relation, there is an odd B-cycle that is a witness to this fact.

Lemma 3. Let B be a betweenness relation satisfying the axiom BT 4 whose strict com-
parability graph CB+ is connected. If {a, b}, {c, d} are distinct edges in this strict graph,
then there is an odd B-walk from a, b to c, d or an odd B-walk from a, b to d, c, but not
both.

Proof. Since the strict comparability graph of B is connected, there is a C-path, and hence a B-path joining the edges {a, b} and {c, d}. This path (or its inverse) must have one of the four forms: a, b, . . . , c, d; b, a, . . . , c, d; b, a, . . . , d, c; or a, b, . . . , d, c. By successive reductions, we can assume that this B-path is in fact a chain. Simplify this chain by removing immediate repetitions from it. Then the result is a B-walk from a, b to c, d, or from b, a to c, d, or from b, a to d, c, or from a, b to d, c.
For any e, f, g, h ∈ U, there is an even B-walk from e, f to g, h if and only if there is an odd B-walk from e, f to h, g, since if e, f, . . . , g, h is an even B-walk from e, f to g, h, then e, f, . . . , g, h, g is an odd B-walk from e, f to h, g, and conversely. If the B-walk

joining the edges {a, b} and {c, d} starts with a, b, then we are through. If on the other
hand, it starts with b, a, then there is a B-walk of opposite parity starting with a, b, by
the same argument as above. Hence, there is an odd B-walk from a, b to c, d or an odd
B-walk from a, b to d, c.
It remains to be shown that there cannot be odd walks from a, b to both e, f and f, e, for any distinct comparable elements e, f. Suppose that W1 = a, b, . . . , e, f and W2 = a, b, . . . , f, e are both odd B-walks. Then the inverse of W2, W3 = e, f, . . . , b, a is odd. Let W4 be the walk a, b, . . . , e, f, . . . , b, a resulting from the identification of the last two elements of W1 and the first two elements of W3. Then W4 is an odd B-cycle, contradicting BT 4. □
If U is a fixed universe, and R a reflexive, antisymmetric relation defined on U, then we write B(R) = ⟨U, BR⟩ for the betweenness relation defined from R. In the next definition, we describe the inverse construction.
Definition 2. Let B be a betweenness relation defined on the set U, satisfying the axiom BT 4, and whose strict comparability graph CB+ is connected. In addition, let {a, b} be an edge in CB+. Then R(B, a, b) is the relational structure ⟨U, R⟩ defined on U as follows. For c, d ∈ U, cRd holds if and only if c = d, or {c, d} is an edge in CB+, and there is an odd B-walk from a, b to c, d.
It follows from Lemma 3 that R(B, a, b) is reflexive and antisymmetric.
Theorem 5. Let R be a reflexive, antisymmetric relation on U, and let aRb, where a ≠ b. In addition, assume that the strict comparability graph of B(R) is connected. Then R(B(R), a, b) = ⟨U, R⟩.
Proof. This follows from Lemmas 2 and 3. □
Theorem 6. Let B be a betweenness relation defined on the set U, satisfying the axiom BT 4, and whose strict comparability graph CB+ is connected. In addition, let {a, b} be any edge in CB+. Then B(R(B, a, b)) = ⟨U, B⟩.

Proof. Let R be the relation defined from B in R(B, a, b). We need to show for any c, d, e in U, that B(c, d, e) holds if and only if BR(c, d, e).
First, let us assume that B(c, c, d), c ≠ d. Then the edge {c, d} belongs to the comparability graph CB+, so that cRd or dRc holds by Lemma 3, hence BR(c, c, d). Second, assume that B(c, d, e) holds, where #{c, d, e}. Then {c, d} and {d, e} are edges in CB+, and so cRd or dRc holds, and similarly dRe or eRd. Let us suppose that {c, d} and {d, e} are not consistently oriented, so that (say) cRd, but eRd. By construction, there are odd B-walks W1 = a, b, . . . , c, d and W2 = a, b, . . . , e, d. Now consider the B-walk a, b, . . . , c, d, e, . . . , b, a obtained by identifying the last element of W1 with the first element of the inverse of W2. This walk is an odd B-cycle, contradicting BT 4. It follows that BR(c, d, e).
For the converse, let us assume that BR(c, d, e), where #{c, d, e}, but not B(c, d, e). By construction, there are odd B-walks W1 = a, b, . . . , c, d and W2 = a, b, . . . , d, e, hence there is an even B-walk W3 = a, b, . . . , e, d. The B-cycle a, b, . . . , c, d, e, . . . , b, a obtained by identifying the last element of W1 with the first element of W3 is odd, contradicting BT 4. Hence, B(c, d, e) must hold, completing the proof. □

We can now use the previous results to prove the main theorem.
Proof of Theorem 4: We have already observed that Lemma 2 implies that betweenness relations generated from reflexive, antisymmetric relations satisfy BT 4. Conversely, let B be a betweenness relation satisfying BT 4. Then B = ⋃i∈I Bi, where each Bi is the restriction of B to one of the connected components Ci of CB+. Each such Bi also satisfies BT 4. If Ci contains no edges, then the universe Ui of this component is a unit set, and we can set Ri to be the identity relation on Ui. If Ci contains at least one edge {ai, bi}, then choose an orientation ⟨ai, bi⟩ for this edge. By Theorem 6, Bi(R(Bi, ai, bi)) = ⟨Ui, Bi⟩. Hence, setting R(B) = ⋃i∈I R(Bi, ai, bi), B(R(B)) = ⟨U, B⟩, showing that the class of betweenness structures satisfying BT 4 is identical with those betweenness structures arising from reflexive, antisymmetric relations. □
Theorem 4 is quite powerful, and we can deduce results for restricted classes of relations
with its help. The next theorem is equivalent to Altwegg’s result of 1950; it shows that
it is sufficient to add the outer transitivity axiom to our basic set of postulates.

Theorem 7. The theory B≤ of betweenness relations generated by a partial order is axiomatized by the following postulates:

BT 0. B(a, a, a).
BT 1. B(a, b, c) ⇒ B(c, b, a).
BT 2. B(a, b, c) ⇒ B(a, a, b).
BT 3. B(a, b, a) ⇒ a = b.
BT 4. There are no odd B-cycles.
BT 5. B(a, b, c) and B(b, c, d) and b ≠ c ⇒ B(a, b, d).

Proof. In view of Theorem 6, it is sufficient to prove that if a betweenness relation B satisfies BT 5, that the relation R(B) is transitive. Suppose that aRb and bRc hold in R(B), where #{a, b, c}. Then by Theorem 6, B(a, b, c) holds. By BT 2 and BT 5, we have B(a, a, c), so that a and c are comparable, hence aRc or cRa. Now if cRa holds, then we have B(b, c, a), so by BT 2, B(a, b, a), a contradiction. Hence, aRc, showing that R is transitive.
To prove Altwegg’s theorem, that his axiom system Z1 to Z6 also characterizes
this set of betweenness relations, it is sufficient to show that BT 4 can be deduced
from BT 0, BT 1, BT 2, BT 3 and BT 5, together with Z6 . Now Altwegg’s postulate
Z6 asserts, using our earlier terminology, that there is no odd B-cycle in which the
simple chains that compose it are of length 2 (that is to say, of minimum length).
However, in the presence of the outer transitivity axiom, it is not hard to show that
if a, b, . . . , c, d, e, . . . , f , g is a simple chain, then so is a, b, . . . , c, e, . . . , f , g; that is to say,
the intermediate elements in a simple chain can be removed, and the result is still a
simple chain. Consequently, if we postulate outer transitivity, then Z6 implies the more
general version BT 4. □

The following can be proved using basically the same construction as in Theorem 3:

Theorem 8. The theories B≤ and BR are not axiomatizable with a finite number of
variables.

6 Algorithmic Aspects

In this section, we give a brief sketch of the algorithmic aspects of betweenness re-
lations. In the case of comparability graphs arising from partially ordered sets, very
efficient algorithms are known for both the recognition problem and colouring prob-
lems. The reader is referred to the work of Golumbic [6,7,8] for descriptions of these
algorithms, and to the article by Möhring [13] for an informative survey of this area.
The characterization given in §5 rests on the fact that if we have assigned orientations
to some edges in the comparability graph of a betweenness relation, then other orien-
tations are forced by the betweenness structure. If we use the notation a → b, a ← b to
symbolize the fact that we have assigned the orientation (a, b) (respectively (b, a)) to
the unordered edge {a, b}, then the following implications hold:

Imp 0. [B(a, b, c) ∧ (a ≠ b) ∧ (b ≠ c) ∧ (a → b)] ⇒ (b → c);
Imp 1. [B(a, b, c) ∧ (a ≠ b) ∧ (b ≠ c) ∧ (a ← b)] ⇒ (b ← c);
Imp 2. [¬B(a, b, c) ∧ (a ≠ b) ∧ (b ≠ c) ∧ (a → b)] ⇒ (b ← c);
Imp 3. [¬B(a, b, c) ∧ (a ≠ b) ∧ (b ≠ c) ∧ (a ← b)] ⇒ (b → c).

Let us say that a set S of ordered pairs (a, b), a ≠ b, where a, b belong to the universe of a betweenness relation ⟨U, B⟩, is implicationally closed if it is closed under these implications (interpreting “a → b” as “(a, b) ∈ S” and “a ← b” as “(b, a) ∈ S”) and that it is an implicational class of B if it is a minimal non-empty implicationally closed subset of U. If A is an implicational class, then Ă is the implicational class representing the result of reversing the orientation of all edges in A. Using this terminology, we can give an alternative characterization of betweenness relations arising from reflexive, antisymmetric relations; this is the analogue of a corresponding theorem of Golumbic for comparability graphs [6].

Theorem 9. A betweenness relation B is generated by a reflexive antisymmetric relation if and only if A ∩ Ă = ∅ for all implicational classes A of B.

Proof. If B is a betweenness relation that is not generated by such a relation, then by Theorem 4, there must be an odd B-cycle. Choose any edge (a, b) in this cycle, and consider the smallest implicational class A containing it. By the argument of Lemma 2, the oriented edge (b, a) must also belong to this class, showing that A = Ă.
For the converse, let us assume that A ∩ Ă ≠ ∅ for some implicational class A, and let (a, b), (b, a) ∈ A. Since A is the smallest implicational class containing (a, b), it follows that there is a sequence of elements of U, a0, . . . , ak, and a sequence of statements S1, . . . , Si, . . . , Sk, where each statement Si is of the form (ai−1 → ai) or (ai−1 ← ai), S1 = (a0 → a1) = (a → b), Sk = (b → a), and every statement in the sequence, except for the first, is derived from the preceding statement by one of the implicational rules Imp 0 – Imp 3. In Example 2 of §4, such a sequence of statements is given by: (a → b), (b ← e), (e → b), (b → d), (d ← b), (b → a). Then it is straightforward to check that the sequence of elements a0, . . . , ak is an odd B-cycle. □

Theorem 9 immediately suggests an algorithm to determine whether or not a betweenness relation is generated by a reflexive, antisymmetric relation. The algorithm consists of generating all of the implicational classes generated by directed edges in the comparability graph of the relation, while checking to see whether any overlap ever occurs between an implication class A and its converse Ă. If we succeed in generating all such classes without an overlap, then they can be used to orient the edges appropriately, while if an overlap occurs, then Theorem 9 tells us that the betweenness relation cannot be generated by a reflexive, antisymmetric relation.
If ⟨U, B⟩ is a betweenness relation, and b ∈ U, then the betweenness degree of b is the number of proper triples (a, b, c) in B; the betweenness degree Δ(B) of the relation B is the maximum betweenness degree of any element in U. The comparability degree δ(B) of the relation B is the maximum degree of any vertex of the comparability graph of B.

Theorem 10. There is an algorithm to determine whether a given betweenness relation B is generated by a reflexive, antisymmetric relation that runs in O((Δ(B) + δ(B))|B|) time and O(|B|) space.

Proof. We provide only a brief sketch of this result. The basic ideas of the algorithm
are all to be found in the original paper of Golumbic [6], and the reader can consult this
paper for the details of the implementation.
We initialize the data structures for the algorithm by setting up two arrays of linked
lists, one for the proper triples in B, the other for the edges in the comparability graph.
This takes space O(|B|). Then we start from an arbitrarily selected edge {a, b} in the
comparability graph, and generate the smallest implicational class A containing (a, b),
simultaneously with its converse Ă. The time complexity of the algorithm can be esti-
mated through an upper bound on the time taken to look up the appropriate implication,
when extending the implication classes. Suppose that (a, b) belongs to our class, and
that we wish to see if there is an edge (b, c) or (c, b) that should be added because of
some implication. First, we search for such an edge in the array representing the compa-
rability graph; this takes time O(δ (B)). Second, if we have found such an edge, we look
for an appropriate proper triple with the middle element b; this takes time O(Δ (B)), as-
suming that we have indexed such triples by their middle elements. Consequently, the
entire procedure takes time O((Δ(B) + δ(B))|B|). □
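The construction R ↦ BR of §4, the generation of the smallest betweenness relation from a set of triples, and the implicational-class test of Theorem 9 as sketched above, worked in Python; this is an added example and not code from the paper. Following the proof sketch of Theorem 10, the rules Imp 0–3 are applied only across edges of CB+; the sample relations are Example 2 and the two pentagon relations of §4, constructed inline.

```python
"""Betweenness relations from binary relations and the implicational-class test
of Theorems 9 and 10 (added example, not code from the paper). Points are
strings, a betweenness relation is a set of triples, R is a set of pairs, and
#{a, b, c} of the paper means 'pairwise distinct'."""
from itertools import product


def betweenness_from_relation(universe, rel):
    """B_R = {(a, b, c) : aRbRc or cRbRa}, the construction of section 4.
    R must be reflexive and antisymmetric on the universe."""
    assert all((x, x) in rel for x in universe), "R must be reflexive"
    assert not any((y, x) in rel for (x, y) in rel if x != y), "R not antisymmetric"
    return {(a, b, c) for a, b, c in product(universe, repeat=3)
            if ((a, b) in rel and (b, c) in rel) or ((c, b) in rel and (b, a) in rel)}


def generated_betweenness(universe, triples):
    """Smallest betweenness relation containing the given triples: the closure
    under BT 0, BT 1 (reversal) and BT 2 (B(a,b,c) => B(a,a,b)).  BT 3 is only
    checked, so the input must be consistent with it.  No transitivity is
    assumed, e.g. B(a,a,c) is not added for B(a,b,c)."""
    closed = {(x, x, x) for x in universe} | set(triples)
    todo = list(closed)
    while todo:
        a, b, c = todo.pop()
        for t in ((c, b, a), (a, a, b)):          # BT 1, BT 2
            if t not in closed:
                closed.add(t)
                todo.append(t)
    for a, b, c in closed:                        # BT 3
        assert b == c or (a, c, b) not in closed, "BT 3 violated"
    return closed


def strict_comparability_edges(bet):
    """Edges {a, b} with a != b and B(a, a, b): the graph C_B^+."""
    return {frozenset((x, z)) for (x, y, z) in bet if x == y and x != z}


def implicational_class(bet, edges, start):
    """Smallest implicationally closed set containing the oriented edge start.
    Imp 0-3 propagate the orientation of {a, b} to every edge {b, c} of C_B^+
    (a -> b gives b -> c if B(a,b,c), else b <- c); the edge {z, x} sharing the
    other endpoint of (x, y) is handled by the same rules applied to (y, x)."""
    adj = {}
    for e in edges:
        x, y = tuple(e)
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    cls, todo = {start}, [start]
    while todo:
        x, y = todo.pop()
        forced = [((y, z) if (x, y, z) in bet else (z, y)) for z in adj[y]]
        forced += [((z, x) if (y, x, z) in bet else (x, z)) for z in adj[x]]
        for pair in forced:
            if pair not in cls:
                cls.add(pair)
                todo.append(pair)
    return cls


def orient(universe, bet):
    """Theorem 9 / 10: return a reflexive, antisymmetric R with B_R = B, or None
    if some implicational class A meets its converse (an odd B-cycle exists)."""
    edges = strict_comparability_edges(bet)
    rel = {(x, x) for x in universe}
    done = set()
    for e in sorted(edges, key=sorted):
        if e in done:
            continue
        cls = implicational_class(bet, edges, tuple(sorted(e)))
        if any((y, x) in cls for (x, y) in cls):
            return None                           # A and its converse overlap
        rel |= cls
        done |= {frozenset(p) for p in cls}
    return rel


# Constructed sample data: Example 2 and the two pentagon relations of section 4.
U = ["a", "b", "c", "d", "e"]
EXAMPLE_2 = generated_betweenness(U, [("a", "b", "c"), ("d", "b", "e")])
PENTAGON_DEGENERATE = generated_betweenness(
    U, [("a", "a", "b"), ("b", "b", "c"), ("c", "c", "d"), ("d", "d", "e"), ("e", "e", "a")])
PENTAGON_CYCLE = generated_betweenness(
    U, [("a", "b", "c"), ("b", "c", "d"), ("c", "d", "e"), ("d", "e", "a"), ("e", "a", "b")])

if __name__ == "__main__":
    for name, bet in [("Example 2", EXAMPLE_2),
                      ("pentagon, degenerate triples", PENTAGON_DEGENERATE),
                      ("pentagon, oriented cycle", PENTAGON_CYCLE)]:
        r = orient(U, bet)
        print(name, "->", "not generated by any R" if r is None
              else sorted(p for p in r if p[0] != p[1]))
```

For the oriented pentagon the class of (a, b) is exactly aRbRcRdReRa, and B_R of the result is the original relation, as Theorem 6 predicts; for the other two relations the class of (a, b) meets its converse.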

7 Summary and Outlook


We have given an outline of the history of axiomatizations of betweenness relations,
and have shown that the class of betweenness relations generated by a reflexive and an-
tisymmetric binary relation is first order axiomatizable, albeit with an infinite number
of variables. Furthermore, we have pointed out the connection of betweenness relations
to comparability graphs. Such a graph may be generated by essentially different partial
orders; in contrast, betweenness relations carry, in some sense, total information: If B
is generated by a reflexive and antisymmetric binary relation, then this relation is deter-
mined up to taking converse on its components. In further work, we plan to investigate
more deeply the relation between comparability graphs and betweenness relations, and
also to give characterizations of induced betweenness relations in terms of forbidden
substructures.

References
1. Martin Altwegg. Zur Axiomatik der teilweise geordneten Mengen. Commentarii Mathematici Helvetici, 24:149–155, 1950.
2. Garrett Birkhoff. Lattice Theory. American Mathematical Society, 1948. Second revised edition.
3. Nico Düvelmeyer and Walter Wenzel. A characterization of ordered sets and lattices via betweenness relations. Resultate der Mathematik, 46:237–250, 2004.
4. Alain Ghouila-Houri. Caractérisation des graphes non orientés dont on peut orienter les arêtes de manière à obtenir le graphe d’une relation d’ordre. C.R. Acad. Sci. Paris, pages 1370–1371, 1962.
5. Paul C. Gilmore and Alan J. Hoffman. A characterization of comparability graphs and of interval graphs. Canadian Journal of Mathematics, 16:539–548, 1964.
6. Martin Charles Golumbic. Comparability graphs and a new matroid. Journal of Combinatorial Theory, 22:68–90, 1977.
7. Martin Charles Golumbic. The complexity of comparability graph recognition and coloring. Computing, 18:199–208, 1977.
8. Martin Charles Golumbic. Algorithmic graph theory and perfect graphs. Academic Press, New York, 1980.
9. Edward V. Huntington. A new set of postulates for betweenness, with proof of complete independence. Trans. Am. Math. Soc., 26:257–282, 1924.
10. Edward V. Huntington and J. Robert Kline. Set of independent postulates for betweenness. Trans. Am. Math. Soc., 18:301–325, 1917.
11. David Kelly. Comparability graphs. In Ivan Rival, editor, Graphs and Order, pages 3–40. D. Reidel Publishing Company, 1985.
12. Karl Menger. Untersuchungen über die allgemeine Metrik. Mathematische Annalen, 100:75–163, 1928.
13. Rolf H. Möhring. Algorithmic aspects of comparability graphs and interval graphs. In Ivan Rival, editor, Graphs and Order, pages 41–101. D. Reidel Publishing Company, 1985.
14. Everett Pitcher and M.F. Smiley. Transitivities of betweenness. Trans. Am. Math. Soc., 52:95–114, 1942.
15. Marlow Sholander. Trees, lattices, order and betweenness. Proc. Am. Math. Soc., 3(3):369–381, 1952.
16. Alfred Tarski and Steven Givant. Tarski’s system of geometry. The Bulletin of Symbolic Logic, 5(2):175–214, 1998.
Relational Representation Theorems for General
Lattices with Negations

Wojciech Dzik¹, Ewa Orlowska², and Clint van Alten³

¹ Institute of Mathematics, Silesian University, Bankowa 12, 40–007 Katowice, Poland, [email protected]
² National Institute of Telecommunications, Szachowa 1, 04–894 Warsaw, Poland, [email protected]
³ School of Mathematics, University of the Witwatersrand, Private Bag 3, Wits 2050, Johannesburg, South Africa, [email protected]

Abstract. Relational representation theorems are presented for general (i.e., non-distributive) lattices with the following types of negations: De Morgan, ortho, Heyting and pseudo-complement. The representation is built on Urquhart’s representation for lattices where the associated relational structures are doubly ordered sets and the canonical frame of a lattice consists of its maximal disjoint filter-ideal pairs. For lattices with negation, the relational structures require an additional binary relation satisfying certain conditions which derive from the properties of the negation. In each case, these conditions are sufficient to ensure that the lattice with negation is embeddable into the complex algebra of its canonical frame.

1 Introduction
A relational semantics for the class of lattices was developed by Urquhart in [9]. These semantics were extended by Allwein and Dunn in [1] to include other operations on lattices such as negation, fusion and implication. In particular, they obtained a relational semantics for lattices with a De Morgan negation. In this paper we shall develop relational semantics for lattices with other negations, namely, Heyting negation, pseudo-complement and ortho-negation. The relational structures are extensions of Urquhart’s relational structures for lattices, which are of the type ⟨X, ≤1, ≤2⟩ where ≤1 and ≤2 are quasi-orders on X satisfying: x ≤1 y and x ≤2 y ⇒ x = y. The complex algebra of such a relational structure is a bounded lattice with universe consisting of ‘ℓ-closed’ subsets of X

Supported by the NRF-funded bilateral Poland/RSA research project GUN 2068034:
Logical and Algebraic Methods in Formal Information Systems.

E.O. acknowledges a partial support from the INTAS project 04-77-7080 Algebraic
and Deduction Methods in Non-classical Logic and their Applications to Computer
Science.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 162–176, 2006.
© Springer-Verlag Berlin Heidelberg 2006
Relational Representation Theorems for General Lattices with Negations 163

ordered by inclusion. To extend this to De Morgan negations, Allwein and Dunn introduce a relation N on X which is a function with some order-preserving properties. The complex algebra of such a relational structure is a bounded lattice with a definable negation that is De Morgan. We find suitable conditions on N that further ensure that the definable negation is, in fact, an ortho-negation (i.e., also satisfies the Heyting property: a ∧ (¬a) = 0).
The other negations we consider are derived from Dunn’s ‘kite of negations’. We consider a ‘quasi-minimal’ Heyting negation. In this case, a binary relation C is added to Urquhart’s relational structures, together with some conditions on C, ≤1 and ≤2 that ensure that the complex algebra has a definable negation that is also quasi-minimal and Heyting. A ‘pseudo-complemented’ lattice is a lattice with negation satisfying: a ∧ b = 0 ⇔ a ≤ ¬b. Such algebras form a subclass of the class just considered and their relational structures require an additional condition to ensure that a complex algebra is a pseudo-complemented lattice.
For each type of lattice with negation considered, a canonical frame may
be constructed that is a relational structure of the correct type and satisfies the
required conditions. Thus, we may consider the complex algebra of the canonical
frame of each lattice with negation. The main result stated in each case is that the
lattice with negation may be embedded into the complex algebra of its canonical
frame.
The framework described above serves, on the one hand, as a tool for inves-
tigation of classes of lattices with negation operations and, on the other hand,
as a means for developing Kripke-style semantics for the logics whose algebraic
semantics is given. The representation theorems play an essential role in proving
completeness of the logics with respect to a Kripke-style semantics determined
by a class of frames associated with a given class of algebras. In this paper we
deal with the algebraic aspects of lattices with negation. The framework pre-
sented above has been used in [8] and [5] in the context of lattice-based modal
logics. It has been applied to lattice-based relation algebras in [4] and to double
residuated lattices in [6] and [7].

2 Negations

We follow J. M. Dunn’s analysis of negations, also known as “Dunn’s Kite of Negations”. Dunn’s study of negation in non-classical logics as a negative modal operator is an application of his gaggle theory, cf. [3], which is a generalization of the Jonsson-Tarski Theorem. In gaggle theory, negation ¬ is treated as a Galois connective on an underlying poset or bounded lattice. This treatment requires the condition:

(N2) a ≤ ¬b ⇔ b ≤ ¬a (Quasi-minimal)

and leads to the following conditions for ¬:

(N1) a ≤ b ⇒ ¬b ≤ ¬a (Preminimal)
164 W. Dzik, E. Orlowska, and C. van Alten

(N2’) a ≤ ¬¬a
(Int) a ≤ b and a ≤ ¬b ⇒ a ≤ x for all x (Intuitionistic)
(DeM) ¬¬a ≤ a (De Morgan).

Note that from (N2) one may derive (N2’) and (N1) as follows. From ¬a ≤ ¬a
we get a ≤ ¬¬a. If a ≤ b, then a ≤ ¬¬b hence ¬b ≤ ¬a. Conversely, (N2) is
derivable from (N1) and (N2’) as follows. If a ≤ ¬b, then ¬¬b ≤ ¬a hence b ≤ ¬a.
Thus, in any partially ordered set with ¬ the following implications hold:

(N1) & (N2’) ⇔ (N2)

In the presence of a lattice meet operation ∧, (Int) can be restated as

(Int) a ∧ (¬a) = 0.

We shall consider bounded, not necessarily distributive, lattices with negation. We assume that 1 is the greatest element and 0 the smallest. From 0 ≤ ¬1 and (N2) we get 1 ≤ ¬0 hence ¬0 = 1. In the presence of the (Int) identity, we also have ¬1 = 0 since then 0 = 1 ∧ ¬1 = ¬1. One may also derive this from (DeM) and (N2’) since then ¬1 = ¬¬0 = 0.
In particular, we consider the following four classes of bounded (not necessarily distributive) lattices with negations: M, W, O and P.

1) M denotes the variety of all De Morgan lattices, i.e., bounded lattices with
De Morgan negation, that is, negation satisfying (N2) and (DeM).
2) W denotes the variety of all weakly pseudo-complemented lattices, that is,
bounded lattices with Heyting negation, that is, satisfying (N1), (N2’) and
(Int) (weak intuitionistic negation). The quasi-identity

x ≤ ¬y ⇒ x ∧ y = 0

is satisfied but the converse is not; see Example 2.3 below.
3) O denotes the variety of all ortholattices, i.e., bounded lattices with ortho-
negation, that is, negation satisfying (N2), (DeM) and (Int);
4) P denotes the class of all pseudo-complemented lattices, i.e., bounded lat-
tices with pseudo-complement (intuitionistic negation), that is, satisfying
the quasi-identities
x ∧ y = 0 ⇔ x ≤ ¬y.

Both (N2) and (Int) are derivable from the above quasi-identities. Thus, each of
the four classes we consider satisfies (N1), (N2), (N2’), ¬0 = 1 and ¬1 = 0.

Corollary 2.1. The following connections hold between M, W, O and P:

(a) O ⊂ M
(b) O ⊂ W
(c) O = M ∩ W ≠ P
(d) P ⊂ W, P ⊂ M.

The proper inclusions are shown by examples below. In each case, 1 is the top
element and 0 is the bottom element with ¬1 = 0 and ¬0 = 1.
Example 2.1. Let Ł3 be a lattice of 3-valued Łukasiewicz logic with 1, 0, a, where
¬a = a. Then Ł3 is in M, but (Int) is false: ¬a ∧ a = a ≠ 0, so Ł3 is neither in
W nor in P nor in O.
Example 2.2. Let N5 be the “pentagon”, a lattice with 5 elements 1, 0, a, b, c,
where a < b and c is incomparable with a, b. Let ¬a = ¬b = c and ¬c = b. Then
N5 is in W and in P, but, since (DeM) is false: a < b = ¬¬a, it is neither in M
nor in O.
Example 2.3. Let M02 be a lattice with 6 elements 1, 0, a, b, c, d, where a, b, c, d
are incomparable. Let ¬a = b, ¬b = a, ¬c = d and ¬d = c. Then M02 is in M,
in O and in W but not in P as the quasi-identity x ∧ y = 0 ⇒ x ≤ ¬y fails.
This shows that a weakly pseudo-complemented lattice need not be pseudo-
complemented.
We shall need the following lemma. We use (X] to denote the downward closure
of a subset X of a lattice and [X) for the upward closure.
Lemma 2.1. Let W = ⟨W, ∧, ∨, ¬, 0, 1⟩ be a lattice with negation satisfying
(N2) (equivalently, (N1) and (N2’)) and let F be a proper filter of W. Then
(a) (¬F] is an ideal of W,
(b) ¬a ∈ F iff a ∈ (¬F], for all a ∈ W.
If, in addition, W satisfies (Int), then
(c) F ∩ (¬F] = ∅.
Proof. (a) By definition, (¬F ] is downward closed. Suppose that a, b ∈ (¬F ].
Then a ≤ ¬c and b ≤ ¬d for some c, d ∈ F . Since F is a filter, c ∧ d ∈ F
so ¬(c ∧ d) ∈ ¬F . From (N1) one easily derives (¬c) ∨ (¬d) ≤ ¬(c ∧ d) hence
a ∨ b ≤ ¬(c ∧ d) so a ∨ b ∈ (¬F ]. Thus, (¬F ] is an ideal.
(b) If ¬a ∈ F then ¬¬a ∈ (¬F ] hence a ∈ (¬F ] by (N2’). If a ∈ (¬F ] then
a ≤ ¬b for some b ∈ F , so b ≤ ¬a by (N2) hence ¬a ∈ F .
(c) Suppose there is some a ∈ F ∩ (¬F ]. Then a ≤ ¬b for some b ∈ F , so
b ≤ ¬a. Thus, ¬a ∈ F hence 0 = a ∧ (¬a) ∈ F which is a contradiction.

3 Preliminaries
We give here the necessary background on the relational representation of non-
distributive lattices in the style of Urquhart [9] (see also [4] and [8]). The rep-
resentations of non-distributive lattices with negations are built on top of this
framework following the methods of Allwein and Dunn [1].
Let X be a non-empty set and let ≤1 and ≤2 be two quasi-orders on X. The
structure ⟨X, ≤1, ≤2⟩ is called a doubly ordered set iff it satisfies:
(∀x, y)((x ≤1 y and x ≤2 y) ⇒ x = y). (1)
For a doubly ordered set X = ⟨X, ≤1, ≤2⟩, A ⊆ X is ≤1–increasing (resp.,
≤2–increasing) iff, for all x, y ∈ X, x ∈ A and x ≤1 y (resp., x ≤2 y) imply
y ∈ A. We define two mappings l, r : 2^X → 2^X by

l(A) = {x ∈ X : (∀y ∈ X) x ≤1 y ⇒ y ∉ A} (2)
r(A) = {x ∈ X : (∀y ∈ X) x ≤2 y ⇒ y ∉ A}. (3)

Then A ⊆ X is called l–stable (resp., r–stable) iff l(r(A)) = A (resp., r(l(A)) =
A). The family of all l-stable subsets of X will be denoted by L(X).

Lemma 3.1. [4],[8] Let ⟨X, ≤1, ≤2⟩ be a doubly ordered set. Then, for A ⊆ X,
(a) l(A) is ≤1–increasing and r(A) is ≤2–increasing,
(b) if A is ≤1–increasing, then A ⊆ l(r(A)),
(c) if A is ≤2–increasing, then A ⊆ r(l(A)).

Lemma 3.2. [9] Let ⟨X, ≤1, ≤2⟩ be a doubly ordered set. Then the mappings l
and r form a Galois connection between the lattice of ≤1–increasing subsets of
X and the lattice of ≤2–increasing subsets of X. In particular, for every ≤1–
increasing set A and ≤2–increasing set B,

A ⊆ l(B) iff B ⊆ r(A).

Let X = ⟨X, ≤1, ≤2⟩ be a doubly ordered set. Define two binary operations ∧C
and ∨C on 2^X and two constants 0C and 1C as follows: for all A, B ⊆ X,

A ∧C B = A ∩ B (4)
A ∨C B = l(r(A) ∩ r(B)) (5)
0C = ∅ (6)
1C = X. (7)

Observe that the definition of ∨C in terms of ∧C resembles a De Morgan law with
two different negations. In [9] it was shown that L(X) = ⟨L(X), ∧C, ∨C, 0C, 1C⟩
is a bounded lattice; it is called the complex algebra of X.
Let W = ⟨W, ∧, ∨, 0, 1⟩ be a bounded lattice. By a filter-ideal pair of W we
mean a pair (x1, x2) such that x1 is a filter of W, x2 is an ideal of W and
x1 ∩ x2 = ∅. Define the following three quasi-ordering relations on filter-ideal
pairs:

(x1, x2) ≤1 (y1, y2) iff x1 ⊆ y1
(x1, x2) ≤2 (y1, y2) iff x2 ⊆ y2
(x1, x2) ≤ (y1, y2) iff (x1, x2) ≤1 (y1, y2) and (x1, x2) ≤2 (y1, y2).

We say that a filter-ideal pair (x1, x2) is maximal iff it is maximal with respect
to ≤. The set of all maximal filter-ideal pairs of W will be denoted by X(W).
We shall use x, y, z, etc. to denote maximal disjoint filter-ideal pairs and, if
x ∈ X(W), then we use the convention that the filter part of x is x1 and the
ideal part of x is x2, so that x = (x1, x2). The same convention holds for y, z,
etc.
Note that X(W) is a binary relation on 2^W. It was shown in [9] that for
any filter-ideal pair (x1, x2) there exists (y1, y2) ∈ X(W) such that (x1, x2) ≤
(y1, y2); in this case, we say that (x1, x2) has been extended to (y1, y2).
If W = ⟨W, ∧, ∨, 0, 1⟩ is a bounded lattice then the canonical frame of W
is defined as the relational structure X(W) = ⟨X(W), ≤1, ≤2⟩.
Consider the complex algebra L(X(W)) of the canonical frame of a bounded
lattice W. Note that L(X(W)) is an algebra of subrelations of X(W). Define
a mapping h : W → 2^{X(W)} by
h(a) = {x ∈ X(W) : a ∈ x1}.
Then h is in fact a map from W to L(X(W)) and, moreover, we have the
following result.
Proposition 3.1. [9] For every bounded lattice W, h is a lattice embedding of
W into L(X(W)).
The following theorem is a weak version of the Urquhart result.
Theorem 3.1 (Representation theorem for lattices). Every bounded lattice
is embeddable into the complex algebra of its canonical frame.

4 Lattices with De Morgan Negation


Recall that M denotes the variety of all De Morgan lattices, which are bounded
lattices W = ⟨W, ∧, ∨, ¬, 0, 1⟩ with a unary operation ¬ satisfying (N2) and
(DeM). Recall that from (N2) and (DeM) one may derive (N1), (N2’), ¬1 = 0
and ¬0 = 1. The following are also derivable in M:
¬¬a = a
¬(a ∨ b) = (¬a) ∧ (¬b)
¬(a ∧ b) = (¬a) ∨ (¬b)
¬a = ¬b ⇒ a = b.
We will denote by RM the class of all relational structures of type X =
⟨X, ≤1, ≤2, N⟩, where ⟨X, ≤1, ≤2⟩ is a doubly ordered set (i.e., ≤1 and ≤2 are
quasi-orders satisfying (1)), N : X → X is a function and the following hold:
(M1) (∀x)(N(N(x)) = x),
(M2) (∀x, y)(x ≤1 y ⇒ N(x) ≤2 N(y)),
(M3) (∀x, y)(x ≤2 y ⇒ N(x) ≤1 N(y)).
The representation in this section essentially comes from [1], where the func-
tion N is called a ‘generalized Routley-Meyer star operator’. We give full details
here and in the next section extend the method to ortholattices.
For each W ∈ M, the canonical frame of W is defined as the relational
structure X(W) = ⟨X(W), ≤1, ≤2, N⟩, where X(W) is the set of all maximal
disjoint filter-ideal pairs of W and, for x = (x1, x2), y = (y1, y2) ∈ X(W),

x ≤1 y iff x1 ⊆ y1,
x ≤2 y iff x2 ⊆ y2,
N(x) = (¬x2, ¬x1), where ¬A = {¬a : a ∈ A} for any A ⊆ W.
Lemma 4.1. If W ∈ M then X(W) ∈ RM.
Proof. We have already observed that ⟨X(W), ≤1, ≤2⟩ is a doubly ordered set.
Condition (M1) follows from (DeM) and conditions (M2) and (M3) are imme-
diate. Thus, we need only show that N is a function from X(W) to X(W).
That is, if x = (x1, x2) ∈ X(W), we must show that N(x) = (¬x2, ¬x1) is a
maximal disjoint filter-ideal pair. Let a1, a2 ∈ x2 hence ¬a1, ¬a2 ∈ ¬x2. Then
(¬a1) ∧ (¬a2) = ¬(a1 ∨ a2) and a1 ∨ a2 ∈ x2, hence ¬x2 is closed under ∧. If
¬a1 ≤ b then ¬b ≤ ¬¬a1 = a1, so ¬b ∈ x2. Then b = ¬¬b ∈ ¬x2, so ¬x2 is
upward closed. Thus, ¬x2 is a filter. Similarly, ¬x1 is an ideal. Also, ¬x1 and ¬x2
can be shown disjoint using the implication: ¬b = ¬c ⇒ b = c and the fact that
x1 and x2 are disjoint. To show maximality, suppose y ∈ X(W) and ¬x1 ⊆ y2
and ¬x2 ⊆ y1. Then ¬¬x1 ⊆ ¬y2, i.e., x1 ⊆ ¬y2 and also x2 ⊆ ¬y1. Since
(¬y2, ¬y1) is a disjoint filter-ideal pair, the maximality of x implies x1 = ¬y2
and x2 = ¬y1. Thus, ¬x1 = y2 and ¬x2 = y1 so N(x) is maximal.
If X = ⟨X, ≤1, ≤2, N⟩ ∈ RM, then ⟨X, ≤1, ≤2⟩ is a doubly ordered set, so we
may consider its complex algebra ⟨L(X), ∧C, ∨C, 0C, 1C⟩, where L(X) is the set
of l-stable sets and the operations are as in (4–7). We extend this definition
to define the complex algebra of X as L(X) = ⟨L(X), ∧C, ∨C, ¬C, 0C, 1C⟩,
where for A ∈ L(X),
¬C A = {x ∈ X : N(x) ∈ r(A)}.
Lemma 4.2. If X ∈ RM then L(X) ∈ M.
Proof. We need to show that ¬C A is l-stable, i.e., lr(¬C A) = ¬C A, and that
L(X) satisfies (N2) and (DeM). Since l and r form a Galois connection, by
Lemma 3.2, we have ¬C A ⊆ lr(¬C A) iff r(¬C A) ⊆ r(¬C A). For the converse,
suppose that for every y, if x ≤1 y then y ∉ r(¬C A) and assume, to the contrary,
that x ∉ ¬C A. Then N(x) ∉ r(A) and there is z such that N(x) ≤2 z and
z ∈ A. It follows by (M3) and (M1) that x ≤1 N(z) and hence, by the above
assumption, N(z) ∉ r(¬C A). Thus, there is t such that N(z) ≤2 t and t ∈ ¬C A.
By application of N and (M3) and (M1), we have that z ≤1 N(t) and N(t) ∈
r(A), in particular N(t) ∉ A. But z ∈ A and A is ≤1–increasing, as A = lr(A),
hence N(t) ∈ A, a contradiction.
To prove (N2), suppose that A ⊆ ¬C B. Then, for every x, if x ∈ A then
N(x) ∈ r(B). Suppose that x ∈ B and, to the contrary, that x ∉ ¬C A, i.e.,
N(x) ∉ r(A), in which case N(x) ≤2 y and y ∈ A, for some y. By (M3) and (M1),
x ≤1 N(y) hence N(y) ∈ B since B = lr(B) is ≤1–increasing. But also y ∈ ¬C B,
by the assumption, and N(y) ∈ r(B), a contradiction since B ∩ r(B) = ∅.
To prove (DeM), let x ∈ ¬C ¬C A, hence N(x) ∈ r(¬C A). We show that
x ∈ l(r(A)) which equals A since A is l-closed. Let x ≤1 w. Then N(x) ≤2
N(w), by (M2), hence N(w) ∈ r(¬C A) since r(¬C A) is ≤2–increasing. Thus,
N(w) ∉ ¬C A, i.e., w = N(N(w)) ∉ r(A). Thus, x ∈ l(r(A)) = A.

The above lemmas imply that if W ∈ M, then the complex algebra of the
canonical frame of W , namely L(X(W )), is in M as well.

Theorem 4.1. Each W ∈ M is embeddable into L(X(W )).

Proof. Recall that the function h : W → L(X(W)) defined by

h(a) = {x ∈ X(W) : a ∈ x1}

is an embedding of the lattice part of W into L(X(W)). We need only show
that h(¬a) = ¬C h(a) for all a ∈ W, where

h(¬a) = {x : ¬a ∈ x1}

and

¬C h(a) = {x : N(x) ∈ r(h(a))}
        = {x : ¬x1 ⊆ y2 ⇒ a ∉ y1, for all y}.

First, let x ∈ h(¬a). Then ¬a ∈ x1, hence a = ¬¬a ∈ ¬x1. Suppose that
¬x1 ⊆ y2. Then a ∉ y1, since y1 and y2 are disjoint.
Next, let x ∈ ¬C h(a). Suppose, to the contrary, that ¬a ∉ x1. By Lemma 2.1
it follows that a ∉ (¬x1] and hence that ⟨[a), (¬x1]⟩ is a disjoint filter-ideal
pair, which may be extended to a maximal one, say y. Thus, ¬x1 ⊆ y2, so a ∉ y1,
but [a) ⊆ y1, a contradiction.

5 Lattices with Ortho-negation (Ortholattices)

Recall that O denotes the variety of all ortholattices, which are bounded lattices
W = ⟨W, ∧, ∨, ¬, 0, 1⟩ with a unary operation ¬ which satisfies (N2), (DeM)
and (Int) (hence also (N1) and (N2’)). That is, the negation in an ortholattice
is both De Morgan and Heyting. We extend the relational representation for De
Morgan lattices to ortholattices.
We will denote by RO the class of all relational structures of type X = ⟨X, ≤1,
≤2, N⟩, where ⟨X, ≤1, ≤2⟩ is a doubly ordered set and N : X → X is a function
such that (M1), (M2) and (M3) hold, as well as

(O) (∀x)(∃y)(x ≤1 y & N(x) ≤2 y).

That is, RO is the subclass of RM defined by (O).


If W ∈ O, then W ∈ M hence its canonical frame is the relational structure
X(W) = ⟨X(W), ≤1, ≤2, N⟩, where X(W) is the set of all maximal disjoint
filter-ideal pairs of W and, for x, y ∈ X(W),

x ≤1 y iff x1 ⊆ y1
x ≤2 y iff x2 ⊆ y2
N(x) = (¬x2, ¬x1), where ¬A = {¬a : a ∈ A}.

Lemma 5.1. If W ∈ O then X(W) ∈ RO.

Proof. We must show that X(W) satisfies (O). Let x ∈ X(W). By Lemma 2.1,
(x1, ¬x1) is a disjoint filter-ideal pair, so we may extend it to a maximal disjoint
filter-ideal pair, say y. Then x1 ⊆ y1 and ¬x1 ⊆ y2, so we have found a y that
satisfies the required conditions of (O).
If X = ⟨X, ≤1, ≤2, N⟩ ∈ RO, then X ∈ RM so it has a canonical algebra
L(X) = ⟨L(X), ∧C, ∨C, ¬C, 0C, 1C⟩ defined as in the De Morgan negation case.
Lemma 5.2. If X ∈ RO then L(X) ∈ O.
Proof. We need only show that L(X) satisfies A ∧C (¬C A) = 0C. Suppose, to
the contrary, that there exists A ∈ L(X) such that A ∩ (¬C A) ≠ ∅, and let
x ∈ A ∩ (¬C A). By (O), there exists y such that x ≤1 y and N(x) ≤2 y. Since
A is ≤1–increasing, y ∈ A. Since x ∈ ¬C A, N(x) ∈ r(A). But then N(x) ≤2 y
implies y ∉ A, a contradiction.
Thus, the above lemmas imply that if W ∈ O, then L(X(W)) ∈ O as well.
Since the map h is an embedding of De Morgan lattices, we have the following
result.
Theorem 5.1. Each W ∈ O is embeddable into L(X(W)).

6 Lattices with Heyting Negation


Recall that W denotes the variety of all weakly pseudo-complemented lattices,
which are bounded lattices W = ⟨W, ∧, ∨, ¬, 0, 1⟩ with a unary operation ¬
satisfying (N1), (N2’) and (Int) (hence also (N2), ¬0 = 1 and ¬1 = 0).
We will denote by RW the class of all relational structures of type X =
⟨X, ≤1, ≤2, C⟩, where ⟨X, ≤1, ≤2⟩ is a doubly ordered set and C is a binary
relation on X such that the following hold:
(FC1) (∀x, y, z)((xCy and z ≤1 x) ⇒ zCy)
(FC2) (∀x, y, z)((xCy and y ≤2 z) ⇒ xCz)
(FC3) (∀x)(∃y)(xCy and x ≤1 y)
(FC4) (∀x, y)(xCy ⇒ (∃z)(yCz and x ≤1 z))
(FC5) (∀s, t, y)[(yCs and s ≤2 t) ⇒ (∃z)(y ≤1 z and (∀u)(z ≤2 u ⇒ tCu))].
The relation C is intended to capture the negation in the relational structure
in a similar manner that N was used in the De Morgan negation case.
For each W ∈ W we define the canonical frame of W as the relational
structure X(W) = ⟨X(W), ≤1, ≤2, C⟩, where X(W) is the set of all maximal
disjoint filter-ideal pairs of W and, for all x, y ∈ X(W),

x ≤1 y iff x1 ⊆ y1
x ≤2 y iff x2 ⊆ y2
xCy iff (∀a)(¬a ∈ x1 ⇒ a ∈ y2).

Lemma 6.1. If W ∈ W then X(W ) ∈ RW .

Proof. We know that ⟨X(W), ≤1, ≤2⟩ is a doubly ordered set. Properties (FC1)
and (FC2) are straightforward to prove. For (FC3), suppose x ∈ X(W). By
Lemma 2.1, ⟨x1, (¬x1]⟩ is a disjoint filter-ideal pair, so we can extend it to a
maximal one, say y. If ¬a ∈ x1 then a ∈ (¬x1] (by Lemma 2.1(b)) hence a ∈ y2.
Thus, xCy. Also, x1 ⊆ y1, i.e., x ≤1 y, so we have found the required y.
For (FC4), suppose x, y ∈ X(W) and xCy. By Lemma 2.1(a), (¬y1] is an
ideal. If a ∈ x1 ∩ (¬y1] then a ∈ x1 implies ¬¬a ∈ x1, which implies ¬a ∈ y2.
But a ∈ (¬y1] implies ¬a ∈ y1 (by Lemma 2.1(b)), which contradicts the fact
that y1 ∩ y2 = ∅. Thus, x1 ∩ (¬y1] = ∅. Thus, we can extend ⟨x1, (¬y1]⟩ to a
maximal disjoint filter-ideal pair, say z. If ¬a ∈ y1 then a ∈ (¬y1] hence a ∈ z2,
so yCz. Also, x ≤1 z, so we have proved (FC4).
For (FC5), suppose that s, t, y ∈ X(W) such that yCs and s ≤2 t. First, we
show that y1 ∩ (¬t1] = ∅. Suppose a ∈ y1 ∩ (¬t1]. Then, ¬¬a ∈ y1 hence ¬a ∈ s2.
Since s ≤2 t we have ¬a ∈ t2. Also, a ≤ ¬b for some b ∈ t1, so ¬a ≥ ¬¬b ≥ b
hence ¬a ∈ t1. This contradicts the fact that t1 and t2 are disjoint.
We therefore have that ⟨y1, (¬t1]⟩ is a disjoint filter-ideal pair, so we may
extend it to a maximal one, say z. Then, y1 ⊆ z1, i.e., y ≤1 z. Suppose z ≤2 w
and ¬a ∈ t1. Then ¬¬a ∈ ¬t1 so a ∈ (¬t1] ⊆ z2 ⊆ w2 hence a ∈ w2. Thus, we
have proved (FC5).

Let X = ⟨X, ≤1, ≤2, C⟩ ∈ RW. Then ⟨X, ≤1, ≤2⟩ is a doubly ordered set hence
we may consider its complex algebra ⟨L(X), ∧C, ∨C, 0C, 1C⟩, where L(X) is the
set of l-stable sets and the operations are defined as in (4–7). The complex
algebra of X is defined as L(X) = ⟨L(X), ∧C, ∨C, ¬C, 0C, 1C⟩, where

¬C A = {x ∈ X : ∀y(xCy ⇒ y ∉ A)}.

Lemma 6.2. If A is l-stable then so is ¬C A.

Proof. We have ¬C A = {x : ∀y(xCy ⇒ y ∉ A)} and

lr(¬C A) = {x : x ≤1 s ⇒ (∃t)(s ≤2 t and (∀u)(tCu ⇒ u ∉ A))}.

Let x ∈ ¬C A and suppose that x ≤1 s for some s. We claim that t = s satisfies
the required properties. Clearly, s ≤2 s. If sCu, then xCu since x ≤1 s, by (FC1)
hence u ∉ A. Thus, x ∈ lr(¬C A) so ¬C A ⊆ lr(¬C A).
For the reverse inclusion, note that, since A is l-stable, we have

¬C A = ¬C lr(A) = {x : xCy ⇒ (∃z)(y ≤1 z and (∀u)(z ≤2 u ⇒ u ∉ A))}.

Let x ∈ lr(¬C A) and suppose that xCy for some y. By (FC4), there exists s
such that
x ≤1 s and yCs.
Then, since x ∈ lr(¬C A) and x ≤1 s, there exists t such that

s ≤2 t and (∀u)(tCu ⇒ u ∉ A).

Since yCs and s ≤2 t, by (FC5) there exists z such that

y ≤1 z and (∀u)(z ≤2 u ⇒ tCu).

Thus, (∀u)(z ≤2 u ⇒ u ∉ A), so we have found the required z, so x ∈
¬C lr(A) = ¬C A.

Lemma 6.3. If X ∈ RW then L(X) ∈ W.

Proof. To see that (N1) holds, suppose A, B are l-stable sets and A ⊆ B. Let
x ∈ ¬C B. Then, xCy implies y ∉ B hence also y ∉ A, so x ∈ ¬C A.
To see that (N2’) holds, note that

¬C ¬C A = {x : xCy ⇒ (∃z)(yCz and z ∈ A)}.

Let x ∈ A and suppose that xCy for some y. By (FC4), there exists z such that
yCz and x ≤1 z. Since A is ≤1–increasing and x ∈ A, we have z ∈ A. Thus, the
required z exists, showing that x ∈ ¬C ¬C A.
To see that (Int) holds, let A be an l-stable set and suppose there exists
x ∈ A ∩ ¬C A. By (FC3), there exists a y such that xCy and x ≤1 y. Since
x ∈ ¬C A and xCy we have y ∉ A. But x ∈ A and A is l-stable, hence ≤1–
increasing, so x ≤1 y implies y ∈ A, a contradiction.

The above lemmas show that if W ∈ W then so is L(X(W )).

Theorem 6.1. Each W ∈ W is embeddable into L(X(W )).

Proof. Recall that the function h : W → L(X(W)) defined by

h(a) = {x ∈ X(W) : a ∈ x1}

is an embedding of the lattice part of W into L(X(W)). We need only show
that h(¬a) = ¬C h(a) for all a ∈ W, where

h(¬a) = {x : ¬a ∈ x1}

and
¬C h(a) = {x : xCy ⇒ a ∉ y1}.
First, let x ∈ h(¬a) and suppose that xCy. Then, ¬a ∈ x1 so a ∈ y2 hence
a ∉ y1, as required.
Next, let x ∈ ¬C h(a) and suppose that ¬a ∉ x1. Then a ∉ (¬x1] (by
Lemma 2.1(b)) so ⟨[a), (¬x1]⟩ forms a disjoint filter-ideal pair which we can
extend to a maximal one, say y. If ¬c ∈ x1 then c ∈ (¬x1] so xCy hence a ∉ y1,
a contradiction since [a) ⊆ y1.

Remark 6.1. The class of ortholattices is the intersection of De Morgan lattices
and weakly pseudo-complemented lattices. In Section 5 we obtained a relational
representation for ortholattices by extending the relational representation for De
Morgan lattices to include the condition (O) to deal with the identity (Int). How-
ever, since ortholattices may also be considered as extensions of weakly pseudo-
complemented lattices by the identity (DeM), one would expect a connection
between the two representations.
Let X = ⟨X, ≤1, ≤2, N⟩ be a relational structure in RO, i.e., X satisfies (M1),
(M2), (M3) and (O). We shall show that X is equivalent to a relational structure
⟨X, ≤1, ≤2, C⟩ in RW. For this we need to define a relation C in terms of N, ≤1
and ≤2. To find the connection, consider the canonical frame of an ortholattice
W. This is ⟨X(W), ≤1, ≤2, N⟩, where
x ≤1 y iff x1 ⊆ y1,
x ≤2 y iff x2 ⊆ y2,
N(x) = (¬x2, ¬x1).
Since W is also a weakly pseudo-complemented lattice it also has a canonical
frame in RW, which is ⟨X(W), ≤1, ≤2, C⟩ where ≤1 and ≤2 are as above and

xCy iff (∀a)(¬a ∈ x1 ⇒ a ∈ y2).

In the presence of both (Int) and (DeM) we claim that the following relationship
holds between N and C:

xCy ⇔ N(x) ≤2 y.

To see this, suppose x, y ∈ X(W). If xCy, then

¬a ∈ ¬x1 ⇔ a ∈ x1 ⇔ ¬¬a ∈ x1 ⇒ ¬a ∈ y2,

so ¬x1 ⊆ y2, i.e., N(x) ≤2 y. Conversely, suppose N(x) ≤2 y and let ¬a ∈ x1.
Then a = ¬¬a ∈ ¬x1, so a ∈ y2, hence xCy.
Starting with the relational structure ⟨X, ≤1, ≤2, N⟩ ∈ RO, define a binary
relation C on X by:

xCy iff N(x) ≤2 y.

Then one may check that the conditions (FC1–FC5) all hold for this C. In
particular, (FC1) and (FC2) are straightforward and (FC3) is just (O). For
(FC4), take z = N(y) and, for (FC5), take z = N(t). Thus, ⟨X, ≤1, ≤2, N⟩ is
equivalent to a relational structure ⟨X, ≤1, ≤2, C⟩ ∈ RW. Moreover, the complex
algebra obtained from either of these relational structures is the same. To see
this we need only check that the two definitions of ¬C coincide:

{x ∈ X : N(x) ∈ r(A)}
= {x ∈ X : N(x) ≤2 y ⇒ y ∉ A}
= {x ∈ X : xCy ⇒ y ∉ A}.

Thus, the definition of ¬C in the De Morgan case coincides with the definition
of ¬C in the Heyting case.
174 W. Dzik, E. Orlowska, and C. van Alten

A natural question arising from the above remark is whether a relational se-
mantics for ortholattices can be obtained in the style of the relational structures
in RW . That is, what conditions should be added to (FC1–FC5) in order to
ensure that the complex algebra of such a structure also satisfies (DeM), i.e., so
that it’s an ortholattice.
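The following is an added example written for this section, not code from the paper: it builds the three lattices of Examples 2.1–2.3 in Python, checks the axioms of Section 2 to place each lattice in M, W, O and P, then computes the canonical frame X(W) of Sections 3, 4 and 6 by brute force (maximal disjoint filter-ideal pairs, the maps l and r, the De Morgan negation via N and the Heyting negation via C) and verifies that h is an embedding preserving negation, and that xCy ⇔ N(x) ≤2 y on the ortholattice M02 as claimed in Remark 6.1. The class and method names (Lattice, canonical_frame, embeds, ...) and the covering-relation input format are the example's own conventions.

```python
from itertools import combinations


def upward_closure(elems, covers):
    """Reflexive-transitive closure of 'x is strictly below y' given by a covering map."""
    up = {x: {x} | set(covers.get(x, ())) for x in elems}
    changed = True
    while changed:
        changed = False
        for x in elems:
            bigger = set().union(*(up[y] for y in up[x]))
            if not bigger <= up[x]:
                up[x] |= bigger
                changed = True
    return up


class Lattice:
    """Finite bounded lattice with a negation map, plus its canonical frame X(W)."""
    def __init__(self, elems, covers, neg):
        self.E, self.up, self.neg = list(elems), upward_closure(list(elems), covers), neg
        self.bot = next(x for x in self.E if all(self.leq(x, y) for y in self.E))
        self.X = self.canonical_frame()

    def leq(self, a, b):
        return b in self.up[a]

    def meet(self, a, b):
        lb = [x for x in self.E if self.leq(x, a) and self.leq(x, b)]
        return next(x for x in lb if all(self.leq(y, x) for y in lb))

    def join(self, a, b):
        ub = [x for x in self.E if self.leq(a, x) and self.leq(b, x)]
        return next(x for x in ub if all(self.leq(x, y) for y in ub))

    def classes(self):
        """Which of M, W, O, P (Section 2) the lattice belongs to, by checking the axioms."""
        E, n, leq, meet, bot = self.E, self.neg, self.leq, self.meet, self.bot
        n1 = all(leq(n[b], n[a]) for a in E for b in E if leq(a, b))           # (N1)
        n2 = all(leq(a, n[b]) == leq(b, n[a]) for a in E for b in E)          # (N2)
        n2p = all(leq(a, n[n[a]]) for a in E)                                 # (N2')
        dem = all(leq(n[n[a]], a) for a in E)                                 # (DeM)
        intu = all(meet(a, n[a]) == bot for a in E)                           # (Int)
        pc = all((meet(a, b) == bot) == leq(a, n[b]) for a in E for b in E)   # pseudo-complement
        found = {"M": n2 and dem, "W": n1 and n2p and intu, "O": n2 and dem and intu, "P": pc}
        return {name for name, ok in found.items() if ok}

    def canonical_frame(self):
        """X(W) of Section 3: all disjoint filter-ideal pairs (as frozenset pairs) that are
        maximal under componentwise inclusion, i.e. under the relation <= of Section 3."""
        subsets = [frozenset(s) for k in range(1, len(self.E) + 1)
                   for s in combinations(self.E, k)]
        filters = [S for S in subsets if all(b in S for a in S for b in self.E if self.leq(a, b))
                   and all(self.meet(a, b) in S for a in S for b in S)]
        ideals = [S for S in subsets if all(b in S for a in S for b in self.E if self.leq(b, a))
                  and all(self.join(a, b) in S for a in S for b in S)]
        pairs = [(F, I) for F in filters for I in ideals if not (F & I)]
        return [p for p in pairs if not any(q != p and p[0] <= q[0] and p[1] <= q[1] for q in pairs)]

    def l(self, A):   # (2): l(A) = {x : x <=1 y implies y not in A}
        return frozenset(x for x in self.X if all(y not in A for y in self.X if x[0] <= y[0]))
    def r(self, A):   # (3): r(A) = {x : x <=2 y implies y not in A}
        return frozenset(x for x in self.X if all(y not in A for y in self.X if x[1] <= y[1]))
    def h(self, a):   # the representation map h(a) = {x in X(W) : a in x1}
        return frozenset(x for x in self.X if a in x[0])
    def N(self, x):   # Section 4: N(x) = (not x2, not x1), negation applied elementwise
        return (frozenset(self.neg[e] for e in x[1]), frozenset(self.neg[e] for e in x[0]))
    def negC_demorgan(self, A):   # Section 4: not_C A = {x : N(x) in r(A)}
        rA = self.r(A)
        return frozenset(x for x in self.X if self.N(x) in rA)
    def C(self, x, y):   # Section 6: xCy iff for all a, (not a in x1) implies (a in y2)
        return all(a in y[1] for a in self.E if self.neg[a] in x[0])
    def negC_heyting(self, A):   # Section 6: not_C A = {x : xCy implies y not in A}
        return frozenset(x for x in self.X if all(y not in A for y in self.X if self.C(x, y)))

    def embeds(self, negC):
        """h is injective, lands in l-stable sets, preserves meet, join (5) and negation."""
        E, hs = self.E, {a: self.h(a) for a in self.E}
        return (len(set(hs.values())) == len(E)
                and all(self.l(self.r(hs[a])) == hs[a] for a in E)
                and all(hs[self.meet(a, b)] == hs[a] & hs[b] for a in E for b in E)
                and all(hs[self.join(a, b)] == self.l(self.r(hs[a]) & self.r(hs[b]))
                        for a in E for b in E)
                and all(hs[self.neg[a]] == negC(hs[a]) for a in E))

    def remark_6_1(self):
        """xCy iff N(x) <=2 y, i.e. not x1 is contained in y2 (Remark 6.1 on ortholattices)."""
        return all(self.C(x, y) == (self.N(x)[1] <= y[1]) for x in self.X for y in self.X)


# Constructed instances of Examples 2.1-2.3; covers maps x to the elements just above x.
L3 = Lattice("0a1", {"0": "a", "a": "1"}, {"0": "1", "a": "a", "1": "0"})
N5 = Lattice("0abc1", {"0": "ac", "a": "b", "b": "1", "c": "1"},
             {"0": "1", "a": "c", "b": "c", "c": "b", "1": "0"})
M02 = Lattice("0abcd1", {"0": "abcd", "a": "1", "b": "1", "c": "1", "d": "1"},
              {"0": "1", "a": "b", "b": "a", "c": "d", "d": "c", "1": "0"})
```

For N5 the frame has three points and the Heyting negation ¬C must be used, since N(x) need not be a point of X(W) when (DeM) fails; for M02 both definitions of ¬C give the same sets, as Remark 6.1 states.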

7 Pseudo-complemented Lattices

Recall that P denotes the class of all pseudo-complemented lattices, which
are bounded lattices W = ⟨W, ∧, ∨, ¬, 0, 1⟩ with a unary operation ¬ satisfying:

a ∧ b = 0 ⇔ a ≤ ¬b.

Note that (N2) is derivable by

a ≤ ¬b ⇔ a ∧ b = 0 ⇔ b ∧ a = 0 ⇔ b ≤ ¬a.

Thus, (N1), (N2’) and ¬0 = 1 are also derivable and, from a ≤ ¬¬a, we get
a ∧ ¬a = 0, i.e., (Int) is derivable. So we also have ¬1 = 0. The class W of
weakly pseudo-complemented lattices is easily seen to satisfy the quasi-identity

a ≤ ¬b ⇒ a ∧ b = 0,

hence P is the subclass of W defined by the quasi-identity

a ∧ b = 0 ⇒ a ≤ ¬b. (8)

P is a proper subclass of W (see Example 2.3).


We will denote by RP the class of all relational structures of type X = ⟨X, ≤1,
≤2, C⟩, where ⟨X, ≤1, ≤2⟩ is a doubly ordered set and C is a binary relation on
X such that (FC1–FC5) hold, as well as

(FC6) (∀x, y)(xCy ⇒ (∃z)(x ≤1 z and y ≤1 z)).

That is, RP is the subclass of RW defined by (FC6).
If W ∈ P then W ∈ W as well hence its canonical frame is the relational
structure X(W) = ⟨X(W), ≤1, ≤2, C⟩, where X(W) is the set of all maximal
disjoint filter-ideal pairs of W and, for all x, y ∈ X(W),

x ≤1 y iff x1 ⊆ y1
x ≤2 y iff x2 ⊆ y2
xCy iff (∀a)(¬a ∈ x1 ⇒ a ∈ y2).

Lemma 7.1. If W ∈ P then X(W ) ∈ RP .

Proof. We need only show that (FC6) holds. So, let x, y ∈ X(W) such that
xCy. Consider the filter generated by x1 ∪ y1, denoted Fi(x1 ∪ y1). We claim
that 0 ∉ Fi(x1 ∪ y1). If we suppose otherwise, then there exist a1, ..., an ∈ x1
and b1, ..., bm ∈ y1 such that

(⋀_{i=1}^{n} ai) ∧ (⋀_{j=1}^{m} bj) = 0.

If we set a = ⋀_{i=1}^{n} ai and b = ⋀_{j=1}^{m} bj, then a ∈ x1 and b ∈ y1 such that
a ∧ b = 0. But this implies that a ≤ ¬b by (8) hence ¬b ∈ x1. Finally, since xCy
and ¬b ∈ x1, we have b ∈ y2. Thus, b ∈ y1 ∩ y2, a contradiction.
This shows that 0 ∉ Fi(x1 ∪ y1) so ⟨Fi(x1 ∪ y1), {0}⟩ is a disjoint filter-ideal
pair. This can be extended to a maximal disjoint filter-ideal pair, say z. Clearly,
x ≤1 z and y ≤1 z, as required.
Let X = ⟨X, ≤1, ≤2, C⟩ ∈ RP (so X satisfies (FC1–FC6)). Then X is also in
RW hence we may consider its complex algebra L = ⟨L(X), ∧C, ∨C, ¬C, 0C, 1C⟩,
where L(X) is the set of l-stable sets, the lattice operations are defined as in
(4–7) and
¬C A = {x ∈ X : xCy ⇒ y ∉ A}.
Lemma 7.2. If X ∈ RP then L(X) ∈ P.
Proof. We need only show that L(X) satisfies the quasi-identity (8), i.e., for
A, B ∈ L(X),

A ∩ B = ∅ ⇒ A ⊆ ¬C B = {x ∈ X : xCy ⇒ y ∉ B}.

Suppose that A ∩ B = ∅ and let x ∈ A. Let y ∈ X such that xCy. By (FC6),
there exists z ∈ X such that x ≤1 z and y ≤1 z. Since x ∈ A and A is ≤1–
increasing, we have z ∈ A as well. If y ∈ B then, since B is ≤1–increasing, it
would follow that z ∈ B and hence that z ∈ A ∩ B, contradicting our assumption
that A ∩ B = ∅. Thus, y ∉ B hence x ∈ ¬C B, as required.
Thus, we have shown that if W ∈ P then so is L(X(W)). Moreover, from the
previous section we know that h is an embedding of W into L(X(W)), hence
we have the following result.
Theorem 7.1. Each W ∈ P is embeddable into L(X(W)).

References
1. Allwein, G., Dunn, J.M.: Kripke models for linear logic. J. Symb. Logic 58 (1993)
514–545.
2. Dunn, J.M.: Star and Perp: Two Treatments of Negation. In J. Tomberlin (ed.),
Philosophical Perspectives (Philosophy of Language and Logic) 7 (1993) 331–357.
3. Dunn, J.M., Hardegree, G.M.: Algebraic Methods in Philosophical Logic. Clarendon
Press, Oxford (2001).
4. Düntsch, I., Orlowska, E., Radzikowska, A.M.: Lattice–based relation algebras and
their representability. In: de Swart, C.C.M. et al (eds), Theory and Applications
of Relational Structures as Knowledge Instruments, Lecture Notes in Computer
Science 2929 Springer–Verlag (2003) 234–258.

5. Düntsch, I., Orlowska, E., Radzikowska, A.M., Vakarelov, D.: Relational represen-
tation theorems for some lattice-based structures. Journal of Relation Methods in
Computer Science JoRMiCS vol.1, Special Volume, ISSN 1439-2275 (2004) 132–160.
6. Orlowska, E., Radzikowska, A.M.: Information relations and operators based on
double residuated lattices. In de Swart, H.C.M. (ed), Proceedings of the 6th Seminar
on Relational Methods in Computer Science RelMiCS’2001 (2001) 185–199.
7. Orlowska, E., Radzikowska, A.M.: Double residuated lattices and their applications.
In: de Swart, H.C.M. (ed), Relational Methods in Computer Science, Lecture Notes
in Computer Science 2561 Springer–Verlag, Heidelberg (2002) 171–189.
8. Orlowska, E., Vakarelov, D.: Lattice-based modal algebras and modal logics. In:
Hajek, P., Valdes, L., Westerstahl, D. (eds), Proceedings of the 12th International
Congress of Logic, Methodology and Philosophy of Science, Oviedo, August 2003,
Elsevier, King’s College London Publication (2005) 147–170.
9. Urquhart, A.: A topological representation theorem for lattices. Algebra Universalis
8 (1978) 45–58.
Monotonicity Analysis Can Speed Up
Verification

Marcelo F. Frias*, Rodolfo Gamarra, Gabriela Steren, and Lorena Bourg

Department of Computer Science
School of Exact and Natural Sciences
Universidad de Buenos Aires
Argentina
{mfrias, rgamarra, gsteren, lbourg}@dc.uba.ar

Abstract. We introduce a strategy for the verification of relational spec-
ifications based on the analysis of monotonicity of variables within formu-
las. By comparing with the Alloy Analyzer, we show that for a relevant
class of problems this technique outperforms analysis of the same prob-
lems using SAT-solvers, while consuming a fraction of the memory SAT-
solvers require.

1 Introduction
The analysis of relational specifications has gained a lot of acceptance with the
growing interest in the Alloy specification language [6]. Alloy’s syntax and se-
mantics are based on a first-order relational logic. Due to the automatic analysis
capabilities offered by the Alloy tool [8], Alloy has become widely accepted by
the community interested in automatic software engineering. The Alloy Ana-
lyzer wisely transforms Alloy specifications in which domains are bounded to a
fixed scope into propositions that are later fed to SAT-solvers such as Berkmin [3],
MChaff [10], or Relsat [1]. A different approach was followed in the definition of
the language NP [4], where the supporting automatic analysis tool (Nitpick [4])
searched for relation instances for the variables that would violate a provided
assertion.
In this paper we depart from the SAT-solving techniques of Alloy, and go back
to generation of instances for the relational variables as in Nitpick. We show
in this paper that for a class of problems that frequently arise when writing
relational specifications, a strategy based on monotonicity analysis outperforms
the analysis performed by Alloy using SAT-solving. This shows that the SAT-
solvers employed in Alloy do not profit from monotonicity information after the
original model is transformed by Alloy to a SAT problem.
In order to show how well this strategy performs when compared to SAT-
solving in Alloy, we will introduce a relational specification language (called
REL) and present ReMo, a tool that implements the strategy. Nevertheless,
this paper is not about relational specification language design, and it is quite

* And CONICET.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 177–191, 2006.
© Springer-Verlag Berlin Heidelberg 2006

possible that a reader might have her own preferences about how to define such
a language. Similarly, the paper is not about tool design, ReMo being a prototype
tool that implements the pruning strategy that is the subject of this paper.
The paper is organized as follows. In Section 2 we give a brief description of
the Alloy language, as well as of REL, the relational language we will analyze.
In Section 3 we discuss the analysis strategy. In Section 4 we present ReMo,
the tool that implements our strategy, and compare ReMo’s performance with
that of Alloy. Finally, in Section 5 we present our conclusions and proposals for
further work.

2 On Alloy and REL

2.1 The Alloy Modeling Language

Alloy is a modeling language designed with (fully automated) analyzability of
specifications as a priority. Alloy has its roots in the Z formal specification
language, and its few constructs and simple semantics are the result of putting
together some valuable features of Z and some constructs that are normally
found in informal notations. This is done while avoiding incorporation of other
features that would increase Alloy’s complexity more than necessary.
Alloy is defined on top of what is called relational logic, a logic with a clear
semantics based on relations. This logic provides a powerful yet simple formalism
for interpreting Alloy’s modeling constructs. The simplicity of both the relational
logic and the language as a whole makes Alloy suitable for automatic analysis.
The main analysis technique associated with Alloy is essentially a counterex-
ample extraction mechanism, based on SAT solving. Basically, given a system
specification and a statement about it, a counterexample of this statement (un-
der the assumptions of the system description) is exhaustively searched for. Since
first-order logic is not decidable (and the relational logic is a proper extension
of first-order logic), SAT solving cannot be used in general to guarantee the
consistency of (or, equivalently, the absence of counterexamples for) a theory;
then, the exhaustive search for counterexamples has to be performed up to cer-
tain bound k in the number of elements in the universe of the interpretations.
Thus, this analysis procedure can be regarded as a validation mechanism, rather
than a verification procedure. Its usefulness for validation is justified by the in-
teresting idea that, in practice, if a statement is not true, there often exists a
counterexample of it of small size:

“First-order logic is undecidable, so our analysis cannot be a decision
procedure: if no model is found, the formula may still have a model in
a larger scope. Nevertheless, the analysis is useful, since many formulas
that have models have small ones.” (cf. [5, p. 1])

The above described analysis has been implemented by the Alloy Analyzer
[8], a tool that incorporates state-of-the-art SAT solvers in order to search for
counterexamples of specifications.

In Fig. 1, we describe the grammar and semantics of Alloy’s relational logic,
which is based on relations of arbitrary rank. Composition of binary relations is
well understood; but for relations of different rank, the following definition for
the composition of relations has to be considered:

R;S = {⟨a1, ..., ai−1, b2, ..., bj⟩ :
       ∃b (⟨a1, ..., ai−1, b⟩ ∈ R ∧ ⟨b, b2, ..., bj⟩ ∈ S)}.

Operations for transitive closure and transposition are only defined for binary
relations.

expr ::= iden (identity)
       | expr + expr (union)
       | expr & expr (intersection)
       | expr − expr (difference)
       | ∼expr (transpose)
       | expr.expr (composition)
       | +expr (transitive closure)
       | {v : t | form} (set former)
       | Var

form ::= expr in expr (inclusion)
       | !form (neg)
       | form && form (conj)
       | form || form (disj)
       | all v : type | form (univ)
       | some v : type | form (exist)

Fig. 1. Grammar and semantics of Alloy

The Alloy language provides, on top of the kernel, different idioms that greatly simplify writing models. Let us consider, as a means to introduce notation, a simple example based on memories. In order to specify a data type for memories, data types for data and addresses are needed first. We can then start by indicating the existence of disjoint sets (of atoms) for data and addresses, which in Alloy are specified using signatures.

sig Addr { }
sig Data { }

These are basic signatures. We do not assume any special properties regarding the structure of data and addresses.
With data and addresses already defined, we can now specify what constitutes a memory. A possible way of defining memories is by saying that a memory consists of a partial mapping from addresses to data values:

sig Memory {
  map: Addr -> lone Data }

The multiplicity marking lone in signature Memory establishes that for each address a there must be zero or one data values related to it.
Once data is defined, it is possible to define predicates and operations, or constrain models by adding facts (axioms), as follows.

pred NotFull (m : Memory) {
  -- some address has no data value in m's map
  some a : Addr | no (m.map & (a -> Data)) }

In predicate NotFull, expression “no R” means that R is empty. Also, for unary relations (sets) S1 and S2, S1 -> S2 = { ⟨a, b⟩ : a ∈ S1 ∧ b ∈ S2 }.
180 M.F. Frias et al.

fun Write (m : Memory, a : Addr, d : Data) : Memory {
  (m.map - (a -> Data)) + (a -> d) }

fact WriteTwice {
  all m : Memory, a : Addr, d : Data |
    Write(m,a,d) = Write(Write(m,a,d),a,d) }

Once the model is specified, assertions about the model can be written down and then be analyzed with the Alloy tool. The following flawed assertion (flawed in the sense that there exist counterexamples) asserts that writing twice in a memory address does not modify the memory.

assert ClearVsTwice {
  all m : Memory, a : Addr, d : Data |
    m = Write(Write(m,a,d),a,d)
}

More syntactic sugar is available in order to provide idioms ubiquitous in object orientation that greatly simplify writing models [6].
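The bounded counterexample search that the Alloy Analyzer performs on this memory model, as an added Python example that is neither Alloy's nor the paper's code: Memory.map is modelled as a set of (address, data) pairs, Write as the relational expression above, and ClearVsTwice is checked exhaustively at a small scope (the atom names are constructed).

```python
"""Bounded counterexample search for the memory model above (added example, not
the Alloy Analyzer's code). A Memory is its map: a frozenset of (addr, data)
pairs with at most one datum per address (Addr -> lone Data)."""
from itertools import product


def write(mem, a, d, data):
    """Alloy's Write(m, a, d): (m.map - (a -> Data)) + (a -> d)."""
    a_to_data = {(a, x) for x in data}
    return (mem - a_to_data) | {(a, d)}


def memories(addrs, data):
    """Every partial function Addr -> lone Data, i.e. every Memory in the scope."""
    for values in product([None] + list(data), repeat=len(addrs)):
        yield frozenset((a, v) for a, v in zip(addrs, values) if v is not None)


def write_twice_holds(addrs, data):
    """fact WriteTwice: Write(m,a,d) = Write(Write(m,a,d),a,d) for all m, a, d."""
    return all(write(m, a, d, data) == write(write(m, a, d, data), a, d, data)
               for m in memories(addrs, data) for a in addrs for d in data)


def counterexample_clear_vs_twice(addrs, data):
    """assert ClearVsTwice: m = Write(Write(m,a,d),a,d). Returns the first
    (m, a, d) violating it within the scope, or None if the scope has none."""
    for m in memories(addrs, data):
        for a in addrs:
            for d in data:
                if m != write(write(m, a, d, data), a, d, data):
                    return m, a, d
    return None


if __name__ == '__main__':
    # Constructed atoms: scope 2 for both signatures.
    ADDRS, DATA = ('a0', 'a1'), ('d0', 'd1')
    print('WriteTwice holds:', write_twice_holds(ADDRS, DATA))
    print('ClearVsTwice counterexample:', counterexample_clear_vs_twice(ADDRS, DATA))
```

The counterexample (an empty memory, any address, any datum) already appears at scope 1, which is the small-scope observation quoted above.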

2.2 The REL Modeling Language


In this section we introduce REL, a purely relational specification language. REL’s syntax is introduced in Fig. 2. Notice that there are minor differences between REL and Alloy’s relational logic. Because of the way the semantics of variables is defined, variables in REL are binary relations. Also, REL does not allow quantification. Actually, these two shortcomings of REL are overcome with the use of fork [2] (fork is not present in Alloy’s relational logic).

expr ::= 1t (universal with type t)
       | idt (identity with type t)
       | expr + expr (union)
       | expr & expr (intersection)
       | [expr, expr] (fork)
       | −expr (complement)
       | ∼expr (transpose)
       | expr · expr (composition)
       | +expr (transitive closure)
       | Var (variable)

form ::= expr <= expr (inclusion)
       | !form (neg)
       | form && form (conj)
       | form || form (disj)

Fig. 2. Grammar and semantics of REL

Notice that REL formulas are Boolean combinations of equations. In the forthcoming sections, we will need the following result proved in [11, p. 26].

Theorem 1. Every REL formula is equivalent to a REL formula of the form T = 1, for an appropriate term T.

In particular, we will use the property T1 <= T2 ⇔ (−T1) + T2 = 1.



3 Monotonicity Analysis for Verification of Relational Specifications

Let us consider a relational specification Spec in a suitable relational language (as for instance Alloy or REL). In order to validate this specification, we want to automatically analyze whether a given property α follows from Spec. Expressive enough relational languages are undecidable. Thus, in order to make automatic analysis feasible we will impose bounds on the size of domains. The analysis procedure then reduces to finding instances (concrete relations among elements from the bounded domains) for the relational variables that satisfy Spec, yet falsify α.
Notice that given a family of domains D1, . . . , Dk with bounds b1, . . . , bk, respectively, and a relational variable R, there are 2^(b1 × · · · × bk) possible values (relations) for R on D1 × · · · × Dk. Even for small values of b1, . . . , bk, exhaustive search of appropriate instances is in general infeasible (even more so if we consider that the previous number scales up exponentially when more relational variables R1, . . . , Rk are considered). Therefore, strategies that allow us to prune the state space are mandatory in order to make automatic analysis feasible.
Some strategies are general, in the sense that they are either specification independent, or improve analysis performance in general. An example of such a technique is automorphism elimination [7], which avoids generating those models obtained by permutations of the underlying domains. Other strategies, such as the one we present in this paper, work for certain specifications.

Definition 1. Given a relational variable R and a term t(R), we say that R is positive (in t) if all the occurrences of R lie under an even number of complement symbols. It is negative (in t) if all the occurrences of R lie under an odd number of complement symbols. If R is neither positive nor negative in t, it is then said to be undefined in t.

As an example, let us consider the terms

(a) −((−R) · S) , (b) −((∼R) · R) , (c) (R · R) & (−R) .

In term (a), variable R is positive, while variable S is negative. In (b), R is negative. Finally, in (c), R is undefined.

Definition 2. Given a relational variable R and a term t(R), t is isotonic with respect to R if for all concrete relations r, s, r ⊆ s ⇒ t(r) ⊆ t(s). Similarly, t is antitonic with respect to R if for all concrete relations r, s, r ⊆ s ⇒ t(r) ⊇ t(s).

Definition 2 is similar to the notion of syntactic monotonicity from the modal μ-calculus and other logics.

Proposition 1. Let t(R) be a relational term on the variable R. If R is positive in t, then t is isotonic with respect to R. Similarly, if R is negative in t, then t is antitonic with respect to R.

Proof. The (easy) proof proceeds by induction on the structure of relational terms.

In order to introduce our strategy, we will assume that the specification Spec consists of a sequence of formulas on a single variable R. We will later drop this assumption and generalize to variables R1, . . . , Rn. Moreover, we will assume that formulas are equations of the form T = 1. Notice that from Thm. 1, there is no loss of generality in adopting this assumption. We will also assume that variable R ranges over binary relations. Since fork allows us to simulate relations of arity greater than 2 [2], there is no loss of generality in this assumption either.
The set of all relations on the domain A × B, ordered by inclusion, is a lattice. Since in the worst case it will be necessary (according to our strategy) to explore the whole lattice, it is essential to explore it in a way such that each relation is visited (at most) once.
We will traverse the lattice in a depth-first search (DFS) manner. Actually, we will present two DFS traversals of the lattice: one from the bottom, and one from the top. If A contains elements a1, . . . , an and B contains elements b1, . . . , bm, we can impose on A and B the total orderings a1 < · · · < an and b1 < · · · < bm. Then, the relation on A × B defined by

⟨a1, b1⟩ < ⟨a2, b2⟩ ⇐⇒ a1 < a2 ∨ (a1 = a2 ∧ b1 < b2)

is a total ordering, called the lexicographic ordering. For the traversal from the bottom, notice that any given relation R has, as immediate successors, relations of the form R ∪ { ⟨a, b⟩ } (a ∈ A, b ∈ B), where for every ⟨a′, b′⟩ ∈ R, ⟨a, b⟩ > ⟨a′, b′⟩.
Once the successors of a given relation are defined, if we are given two different successors of R, namely R ∪ { ⟨a, b⟩ } and R ∪ { ⟨c, d⟩ }, an ordering between them is induced by the ordering between ⟨a, b⟩ and ⟨c, d⟩. Therefore, in order to traverse the lattice, the successors of R will be visited according to this ordering. Figure 3 shows an example. Each matrix represents a relation contained in the set { 0, 1 } × { 0, 1 }. A dark square in position ⟨i, j⟩ means pair ⟨i, j⟩ belongs to the relation modeled by the matrix. The number attached to each matrix gives the traversal ordering.
In order to traverse the lattice in descending order, we define the predecessors of a relation R as the set { −P : P is a successor of −R }. Notice that since P is a successor of −R, −R ⊆ P, and therefore, −P ⊆ R. Also, predecessors differ from the parent relation in that the latter has one extra pair. The ordering in which relations are visited in the descending traversal follows from the ordering in the ascending traversal. Figure 3 shows an example of a descending traversal.
Let us consider now an equation of the form t(R) = 1 in which variable R is negative in t. As a running example, consider the following equations stating that R is a total (cf. (2)) functional (cf. (1)) relation. Notice that R is negative in (1).

− ((∼ R) · R) + Id = 1 (1)
R·1=1 (2)

[Figure 3: the sixteen relations on { 0, 1 } × { 0, 1 } drawn as matrices and numbered 1 to 16 by their position in the traversal; the upper rows show the ascending traversal and the lower rows the descending one. The image itself is not reproduced here.]

Fig. 3. Ascending and descending traversal

Since we want to satisfy an equation of the form t(R) = 1, we want to maximize the value of t(R) (notice that we are strongly using the assumption on the shape of the equation). Since R is negative in t, t(R) reaches a maximum when R = 0. Notice that in the example, while (1) is satisfied, (2) is not. Therefore, it is necessary to search for another model. It is clear at this point that values of R near the bottom of the lattice are more likely to satisfy (1).

Proposition 2. Let t(R) = 1 be an equation on the variable R. Assume R is negative in t. Let r be a concrete relation such that t(r) = 1, and for a successor r′ of r, t(r′) ≠ 1. Then, for every relation x ⊇ r′, t(x) ≠ 1.

Proof. Since R is negative in t, by Prop. 1 t is antitonic with respect to R. Then, x ⊇ r′ ⇒ t(x) ⊆ t(r′) ≠ 1.

Proposition 2 provides us with a sufficient criterion for pruning part of the lattice. If in an ascending traversal of the lattice we reach a relation r′ for which t(r′) ≠ 1, the branch with origin in r′ does not need to be traversed because it cannot produce a model.
Thus, we can conclude that:
1. if we are given an equation of the form t(R) = 1,
2. variable R is negative in t,
3. we are performing an ascending traversal of the lattice,
4. we have reached a relation r′ in the lattice for which t(r′) ≠ 1,
then the branch of the lattice with origin in r′ can be pruned.
Similarly,
1. if we are given an equation of the form t(R) = 1,
2. variable R is positive in t,
3. we are performing a descending traversal of the lattice,
4. we have reached a relation r′ in the lattice for which t(r′) ≠ 1,
then the branch of the lattice with origin in r′ can be pruned.


Let us analyze now how general or restrictive the hypotheses we are assuming are. Notice that so far we have only discussed the situation where a single equation is being analyzed. If we are given equations E1, . . . , Ek, from Thm. 1 we can assume they are all of the form Ti(R) = 1 (1 ≤ i ≤ k). At this point we are still considering the case in which there is a single relational variable R. In each equation, R may be positive, negative or undefined. Let us assume, without loss of generality, that there are more equations in which R is negative. Then, an ascending traversal of the lattice will allow us to prune a branch when one of the negative equations fails. Notice that the traversal ordering is chosen upon establishing what the prevailing monotonicity is. Therefore, the only real assumption we are making is that variable R has a defined monotonicity in some of the equations. Thus, this is the context in which our pruning strategy can be applied.
Let us remove now the remaining assumption, namely, the restriction to a single variable R. Let us consider now relational variables R1, . . . , Rn, and equations E1, . . . , Ek, which, from Thm. 1, we can assume are all of the form Ti(R1, . . . , Rn) = 1 (1 ≤ i ≤ k). We compute for each variable Ri (1 ≤ i ≤ n) the number of equations in which it is positive or negative, and call Ri positive (negative) if it appears positive (negative) in more equations. We now define for each variable a traversal ordering of the lattice as follows: if Ri is positive then the lattice is traversed from the top, and if it is negative the lattice is traversed from the bottom. Under these conditions we can prove the following theorem.

Theorem 2. Let Ti(R1, . . . , Rn) = 1 (1 ≤ i ≤ k) be an equation from Spec. Let the sign of each variable in Ti agree with the sign in the specification (that is, if Rj is positive (negative) in more equations, then it is also positive (negative) in Ti). If r1, . . . , rn are concrete relations such that Ti(r1, . . . , rn) ≠ 1, and r′1, . . . , r′n are concrete relations such that r′j ⊇ rj (r′j ⊆ rj) if Rj is negative (positive), then Ti(r′1, . . . , r′n) ≠ 1.

Proof. A simple proof by induction on the structure of term Ti allows us to show that Ti(r′1, . . . , r′n) ⊆ Ti(r1, . . . , rn). Since Ti(r1, . . . , rn) ≠ 1, it follows that Ti(r′1, . . . , r′n) ≠ 1.

Theorem 2 allows us to prune the lattice as soon as a configuration like the one described in the hypotheses is reached. In Section 4 we present ReMo, a tool implementing this strategy, and evaluate its performance.

4 ReMo: RElational Verification Through MOnotonicity Analysis

ReMo is an application that implements the analysis strategy described in Section 3. The structure of the relational specifications that ReMo analyzes is shown in Fig. 4.

\domains
D1 [m1:n1]
 :
Dk [mk:nk]

\constants
C1 < D1*D2
 :
Cr < Dk*D1

\identities
Id1 D1
 :
Ids Dk

\empties
Zero1 D1*D2
 :
Zerot Dk*Dk

\universals
Unit1 D1*D1
 :
Unitu Dk*D3

\axioms
Formula
 :
Formula

\properties
Formula
 :
Formula

Fig. 4. Structure of a ReMo Specification

After the \domains keyword, we list the domains in the specification, as well as a range (lower and upper bound) for their size. After the \constants keyword, we list the relational variables in the specification, as well as their type (in Fig. 4 all the relational variables are to be interpreted as binary relations on the corresponding domains). Under the \identities keyword, we list those identity relations that will be required in the specification, together with their type. Similarly, we declare empty and universal relations under the appropriate keywords. Finally, the specification contains the axioms and the assertions to be verified.
ReMo receives a specification as input and transforms, using the translation defined by Thm. 1, each axiom and assertion to an equation of the form T = 1. It then computes the monotonicity of each relational variable, and determines a traversal order for each one. Values are then generated for the variables according to the traversal order, and the pruning strategy is applied whenever possible. ReMo deals with binary relations. These were implemented using Reduced Ordered Binary Decision Diagrams (ROBDDs) [12].
In the remaining part of this section we present several problems for which we provide Alloy and REL specifications. We then analyze running times for different domain sizes. In order to obtain the running times we have used a personal computer with an AMD 3200, 64 bits processor; 2GB, dual channel memory, and Linux Mandriva 10.2, 64 bits. We compared ReMo with the Alloy Analyzer, Version 3.0 Beta, March 5, 2005.

4.1 First Example: Total Injective Functions

Notice that functions play an important role in specification. This is why Alloy, for instance, provides idioms for declaring relations as being functional. Using multiplicity idioms it is possible to define a relation as being a total injective function (cf. (3)).

TotInjFun : A lone -> one B (3)

In Fig. 5 we present, side by side, specifications in Alloy and REL for this problem. Despite the fact that Alloy can use multiplicity markings in order to specify a relation as being a total function (cf. (3)), in order to have a fair comparison between the SAT-solvers and ReMo we will use the very same axioms. Notice that the assertion in the Alloy specification is always false because iden is the identity on all the domains (untyped). Therefore, the Alloy tool will look for some total injective function. Similarly, the property we use in ReMo is also false. While this looks like a simple problem, it is worthwhile to mention that total injective functions lie somewhere in the middle of the lattice. That is, they are neither close to the top of the lattice (those relations tend not to be functional or injective) nor close to the bottom of the lattice (where relations tend not to be total). Therefore, there is a real challenge in efficiently getting to them.

Alloy:

module InjTotFun
sig elem { }
sig function {
  F: elem -> elem
}
{
  ((∼F).F) in elem<:iden
  (F.(∼F)) in elem<:iden
  (F.(elem<:univ))=(elem<:univ)
}
assert funInyTotal {
  all f:function | f.F=iden }
check funInyTotal for 1
  but exactly [scope] elem

REL:

\domains
A[scope:scope]
\constants
F < A*A
\identities
id A*A
\empties
0 A*A
\universals
1 A*A
\axioms
((∼F).F)<=id
(F.(∼F))<=id
F.1 = 1
\properties
0 = 1

Fig. 5. Specification of total injective functions in Alloy and REL

After translating the axioms according to Thm. 1, we obtain the following equations:

−((∼F).F) + id = 1 (4)
−(F.(∼F)) + id = 1 (5)
F.1 = 1 (6)

Since in equations (4) and (5) F is negative, ReMo will traverse the lattice from the bottom for this variable. In Table 1 we present the running times for various scopes for ReMo, and for the same scopes for Alloy using the SAT-solvers it provides.

Table 1. Running times for Alloy and ReMo

scope   Berkmin   MChaff   RelSat   ReMo
30      00:23     11:56    00:45    00:09
35      00:42     52:48    01:26    00:33
40      01:32     > 60’    02:46    00:54
45      02:36     > 60’    04:59    01:37
50      02:42     > 60’    08:37    02:14
55      06:52     > 60’    14:26    03:40
60      08:18     > 60’    23:17    04:45
65      Crash     Crash    Crash    13:02

Regarding memory consumption, for a scope of 60 in the case of Berkmin and RelSat, 35 for MChaff (the largest for which each SAT-solver found a model within 60’), and 65 for ReMo we obtained the following data:

        Berkmin    MChaff     RelSat   ReMo
Memory  444.5 MB   163.8 MB   469 MB   10.24 MB

4.2 Second Example: Total Orderings

Total orderings are frequently used in specifications. For instance, they come within the library of standard modules for Alloy, and are commonly used when specifying properties of executions of operations [9].
In this section we will deal with two different problems involving total orderings.

Finding a Total Ordering. Total orderings are binary relations O that are reflexive (id ⊆ O), antisymmetric (O & ∼O = id), transitive (O.O ⊆ O) and total (O + ∼O = 1). This is an interesting problem because, as in the case of functions, these orderings lie somewhere in the middle of the lattice (relations near the top of the lattice are not antisymmetric, and those near the bottom are not total). Given a total ordering, there is a relation next that relates each element to its successor. Given a total order O, next (known as the Hasse diagram of O) is defined by the equation

next = O & (−id) & (−((O & (−id)) . (O & (−id)))) .

Is it true that this relation is functional, injective and total? The answer, confirmed by both Alloy and ReMo, is “No”. While next is functional and injective, it is not total: the last element in the ordering does not belong to the domain of next.
The specifications in Alloy and ReMo are given in Figs. 6 and 7.
After applying the translation from Thm. 1 to the axioms not involving next (because those involving next will always be undefined), we obtain the following equations:

−id + O = 1 (7)
−(O & (∼O)) + id = 1 (8)
−(O.O) + O = 1 (9)
O + (∼O) = 1 (10)

Since O is positive in (7) and (10), negative in (8) and undefined in (9), a descending traversal of the lattice is chosen for variable O.
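The pruned lattice traversal of Section 3, run on the equation sets of Section 3, Section 4.1 and this section, as an added Python example that is not ReMo's code: relations are frozensets of pairs over a small domain, terms use a constructed tuple syntax, and the search reports how many relations it visited with and without pruning. It handles a single variable R; Theorem 2's per-variable choice of traversal is not implemented.

```python
"""Monotonicity-pruned search for a model of equations t(R) = 1 (added example,
not ReMo's code). Relations on dom are frozensets of pairs, 1 is dom x dom, and
terms use a constructed syntax: 'R', ('id',), ('one',), ('neg', t), ('conv', t),
('plus', s, t), ('and', s, t), ('comp', s, t)."""
from itertools import product


def evaluate(term, r, dom):
    """Value of term when R := r, on the square domain dom x dom."""
    one = frozenset(product(dom, dom))
    if term == 'R':
        return r
    op = term[0]
    if op == 'id':
        return frozenset((a, a) for a in dom)
    if op == 'one':
        return one
    if op == 'neg':
        return one - evaluate(term[1], r, dom)
    if op == 'conv':
        return frozenset((b, a) for a, b in evaluate(term[1], r, dom))
    s, t = evaluate(term[1], r, dom), evaluate(term[2], r, dom)
    if op == 'plus':
        return s | t
    if op == 'and':
        return s & t
    if op == 'comp':
        return frozenset((a, c) for a, b in s for b2, c in t if b == b2)
    raise ValueError(op)


def polarity(term):
    """Definition 1: 'positive', 'negative', 'undefined', or None if R is absent."""
    parities = set()

    def walk(t, under):  # under = number of complement symbols enclosing t
        if t == 'R':
            parities.add(under % 2)
        elif t[0] == 'neg':
            walk(t[1], under + 1)
        elif t[0] == 'conv':
            walk(t[1], under)
        elif t[0] in ('plus', 'and', 'comp'):
            walk(t[1], under)
            walk(t[2], under)
    walk(term, 0)
    return {frozenset(): None, frozenset({0}): 'positive',
            frozenset({1}): 'negative'}.get(frozenset(parities), 'undefined')


def successors(c, dom):
    """Ascending successors: add one pair lexicographically above every pair of c."""
    last = max(c) if c else None
    return [c | {p} for p in product(dom, dom) if last is None or p > last]


def choose_traversal(equations):
    """Descending if R is positive in more equations than it is negative, else ascending."""
    signs = [polarity(t) for t in equations]
    return 'descending' if signs.count('positive') > signs.count('negative') else 'ascending'


def search(equations, dom, traversal=None, prune=True):
    """DFS over the lattice of relations; returns (model or None, relations visited).
    Ascending: R grows from 0 and a failing negative equation prunes (Prop. 2).
    Descending: the complement c grows from 0 (R = 1 - c shrinks from 1) and a
    failing positive equation prunes. Each relation is visited at most once."""
    one = frozenset(product(dom, dom))
    traversal = traversal or choose_traversal(equations)
    pruning_sign = 'negative' if traversal == 'ascending' else 'positive'
    pruners = [t for t in equations if polarity(t) == pruning_sign]
    rest = [t for t in equations if polarity(t) != pruning_sign]
    visited, stack = 0, [frozenset()]
    while stack:
        c = stack.pop()
        r = c if traversal == 'ascending' else one - c
        visited += 1
        if any(evaluate(t, r, dom) != one for t in pruners):
            if prune:
                continue  # every relation on this branch fails the same equation
        elif all(evaluate(t, r, dom) == one for t in rest):
            return r, visited
        stack.extend(reversed(successors(c, dom)))  # smallest successor on top
    return None, visited


# Equations (1)/(4), (5) and (2)/(6): R is a total (injective) function.
FUNCTIONAL = ('plus', ('neg', ('comp', ('conv', 'R'), 'R')), ('id',))
INJECTIVE = ('plus', ('neg', ('comp', 'R', ('conv', 'R'))), ('id',))
TOTAL = ('comp', 'R', ('one',))
# Equations (7)-(10): R is a total ordering (R is undefined in (9)).
REFLEXIVE = ('plus', ('neg', ('id',)), 'R')
ANTISYMMETRIC = ('plus', ('neg', ('and', 'R', ('conv', 'R'))), ('id',))
TRANSITIVE = ('plus', ('neg', ('comp', 'R', 'R')), 'R')
CONNEX = ('plus', 'R', ('conv', 'R'))

if __name__ == '__main__':
    DOM = (0, 1, 2)  # 2 ** 9 = 512 relations in the lattice
    for eqs in ([FUNCTIONAL, TOTAL], [FUNCTIONAL, INJECTIVE, TOTAL],
                [REFLEXIVE, ANTISYMMETRIC, TRANSITIVE, CONNEX]):
        model, seen = search(eqs, DOM)
        print(choose_traversal(eqs), sorted(model), 'visited', seen,
              'vs', search(eqs, DOM, prune=False)[1], 'without pruning')
```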
In Table 2 we show that, for this problem, ReMo outperforms the Alloy An-
alyzer both in running time and memory consumption.

module totalOrder
sig elem{ }
sig order {
  O : elem -> elem,
  next : elem -> elem
}{
  elem<:iden in O
  O&(∼O) in iden
  O.O in O
  O+(∼O) = elem->elem
  next = (O - (elem<:iden)) -
    ((O - (elem<:iden)).(O - (elem<:iden)))
}
assert nextTotInjFun {
  all o:order |
    ∼(o.next).(o.next) in elem<:iden &&
    (o.next).∼(o.next) in elem<:iden &&
    (o.next).(elem<:univ) = elem<:univ
}

check nextTotInjFun for 1
  but exactly [scope] elem

Fig. 6. Specification in Alloy of Total Ordering

\domains
elem[scope:scope]
\constants
O < elem*elem
next < elem*elem
\identities
id elem*elem
\universals
1 elem*elem
\axioms
id <= O
O&(∼O) <= id
O.O <= O
O+(∼O) = 1
next = O & (-id) & (-((O&(-id)).(O&(-id))))
\properties
∼next.next <= id
next.∼next <= id
next.1 = 1

Fig. 7. Specification in REL of Total Ordering

Table 2. Running times and memory consumption for total orderings in Alloy and
ReMo
scope Berkmin MChaff RelSat ReMo
10 00:02 00:03 00:03 00:00
15 00:03 00:05 00:13 00:00
20 00:09 00:11 00:45 00:01
25 00:25 00:21 02:07 00:04
30 01:16 01:37 05:37 00:07
35 01:44 02:54 10:11 00:19
40 02:46 05:38 19:20 00:32
45 06:31 04:05 34:51 00:55
50 10:50 16:02 crashed 01:23
Memory 481.3 MB 231.4 MB 307.2 MB 81.9 MB

Testing a Valid Property. Since testing a valid property will not produce any counterexamples, all total orderings will be visited. Notice that there are n! different total orderings on an n-element set. Notice also that given a total ordering O on the set elem, any other total ordering O′ can be obtained from O via a permutation of elem. For instance, for elem = { 1, 2, 3, 4, 5 }, let

O = 1 < 2 < 3 < 4 < 5, and O′ = 4 < 3 < 5 < 1 < 2 .

If p is the permutation 1 → 4, 2 → 3, 3 → 5, 4 → 1, 5 → 2, then O′ = { ⟨p(x), p(y)⟩ : ⟨x, y⟩ ∈ O } = p(O).
Since all relational operators from REL are algebraic¹ [11, p. 57], i.e., invariant under permutations of the atomic domains, testing the equations on a single linear ordering suffices.
Since Alloy eliminates many of the models obtained by permutations, it is not surprising that for these problems Alloy outperforms ReMo considerably.
We will come back to this problem in Section 5 when discussing further work.

4.3 Third Example: A Specification with Two Relational Variables

The examples we have presented so far all deal with a single relational variable. Even in Example 4.2, where variables O and next are declared, next is introduced as an abbreviation for a complex term and replaced by its definition in both tools. Thus, this will be the first example where two meaningful variables appear.
The problem we will deal with is the following:
Let us consider a system in which n processes and m resources are available. Every process has either requested a resource, or a resource has already been allocated to the process. Every resource has already been allocated to a process, or is being requested by one. Resources can be allocated to exactly one process. Finally, the system is deadlock free (no cycles in the relation reqs.allocs).
We want to analyze whether it is true that every process is requesting a resource, and every resource has been allocated to a process.
In Fig. 8 we present the Alloy and REL specifications.
If we translate the axioms according to Thm. 1, the axioms become:

−idP + (reqs.∼reqs) + (∼allocs.allocs) = 1 (11)
−idR + (∼reqs.reqs) + (allocs.∼allocs) = 1 (12)
−(+(reqs.allocs)) + −idP = 1 (13)
−(∼allocs.allocs) + idP = 1 (14)

Similarly, since the assertions must be falsified, we translate the negation of the equations. We then obtain:

1.(idP & −(reqs.∼reqs)).1 = 1 (15)
1.(idR & −(allocs.∼allocs)).1 = 1 (16)

Variable reqs appears positive in (11) and (12), and negative in (13) and (15). Variable allocs appears positive in (11) and (12), and negative in (13), (14) and (16). Therefore, variable allocs is assigned an ascending traversal. Since the number of times reqs is positive (or negative) is greater than zero, it is reasonable

¹ Even fork is invariant under permutations of the atomic domains. It is not invariant under arbitrary permutations of the field of a fork algebra.

Alloy:

module System
sig Process{ }
sig Resource{ }
sig System {
  reqs: Process->Resource,
  allocs: Resource->Process
}{
  Process<:iden in (reqs.∼reqs)+(∼allocs.allocs)
  Resource<:iden in (∼reqs.reqs)+(allocs.∼allocs)
  ∼allocs.allocs in Process<:iden
  (Process<:iden).^(reqs.allocs) in (Process->Process)-(Process<:iden)
}
assert allWaiting{
  all s:System |
    iden & (Process->Process) in (s.reqs).(∼(s.reqs)) &&
    iden & (Resource->Resource) in (s.allocs).(∼(s.allocs))
}
check allWaiting for 1 but
  exactly [scope] Process,
  exactly [scope] Resource

REL:

\domains
Process [scope:scope]
Resource [scope:scope]
\constants
reqs < Process*Resource
allocs < Resource*Process
\identities
idP Process*Process
idR Resource*Resource
\empties
zeroP Process*Process
zeroR Resource*Resource
\axioms
idP <= (reqs.∼reqs) + (∼allocs.allocs)
idR <= (∼reqs.reqs) + (allocs.∼allocs)
+(reqs.allocs) & idP = zeroP
∼allocs.allocs <= idP
\properties
idP <= reqs.∼reqs
idR <= allocs.∼allocs

Fig. 8. Specification in Alloy and ReMo

to use one of the proposed traversals. Since in this case there is a tie between the
number of times reqs is positive and the number of times it is negative, ReMo
chooses (by default) an ascending traversal.
In Table 3 we present the running times and memory consumption for Alloy
and ReMo.

Table 3. Running times and memory consumption

scope   Berkmin    MChaff     RelSat     ReMo
10      00.17      01.12      05.36      00.03
15      00.23      03.38      48.88      00.06
20      01.42      17.51      >60 min    00.12
25      03.51      44.75                 00.27
30      07.73      49.98                 00.52
Memory (scope 15)   73.73 MB   49.15 MB   61.5 MB   10.24 MB

5 Conclusions and Further Work

In this paper we have presented a pruning strategy that allows us to considerably reduce the time and memory required in order to find a counterexample in a relational specification. We conclude that the strategy is very efficient in those cases where it can be applied. At the same time, this paper leaves open the following problems.
1. It is essential to combine this strategy with another that allows us to handle specifications where our strategy cannot be applied. We are currently combining our strategy with isomorph-free model enumeration [7].
2. Since Alloy does not profit so far from monotonicity information as ReMo does, it seems necessary to improve the analysis capabilities of Alloy in this direction.

References
1. Bayardo Jr, R. J. and Schrag R. C., Using CSP look-back techniques to solve real
world SAT instances. In Proc. of the 14th National Conf. on Artificial Intelligence,
pp. 203–208, 1997.
2. Frias M. F., Lopez Pombo C. G., Baum G. A., Aguirre N. and Maibaum T. S. E.,
Reasoning About Static and Dynamic Properties in Alloy: A Purely Relational
Approach, to appear in ACM TOSEM, in press.
3. Goldberg E. and Novikov Y., BerkMin: a Fast and Robust SAT-Solver, in proceed-
ings of DATE-2002, 2002, pp. 142–149.
4. Jackson, D. Nitpick: A checkable specification language. In Proceedings of the Work-
shop on Formal Methods in Software Practice (San Diego, Calif., Jan. 1996).
5. Jackson D., Automating First-Order Relational Logic, in Proceedings of SIGSOFT
FSE 2000, pp. 130-139, Proc. ACM SIGSOFT Conf. Foundations of Software En-
gineering. San Diego, November 2000.
6. Jackson D., Alloy: A Lightweight Object Modelling Notation, ACM Transactions
on Software Engineering and Methodology (TOSEM), Volume 11, Issue 2 (April
2002), pp. 256-290.
7. Jackson D., Jha S. and Damon C. A., Isomorph-Free Model Enumeration: A New
Method for Checking Relational Specifications, ACM TOPLAS, Vol. 20, No. 2, 1998,
pp. 302–343.
8. Jackson D., Schechter I. and Shlyakhter I., Alcoa: the Alloy Constraint Analyzer,
Proceedings of the International Conference on Software Engineering, Limerick,
Ireland, June 2000.
9. Jackson, D., Shlyakhter, I., and Sridharan, M., A Micromodularity Mechanism.
Proc. ACM SIGSOFT Conf. Foundations of Software Engineering/European Soft-
ware Engineering Conference (FSE/ESEC ’01), Vienna, September 2001.
10. Moskewicz M., Madigan C., Zhao Y., Zhang L. and Malik S., Chaff: Engineering
an Efficient SAT Solver, 39th Design Automation Conference (DAC 2001), Las
Vegas, June 2001.
11. Tarski, A. and Givant, S., A Formalization of Set Theory without Variables, A.M.S.
Coll. Pub., vol. 41, 1987.
12. Wegener I., Branching Programs and Binary Decision Diagrams, SIAM Discrete
Mathematics and Applications, SIAM, 2000.
Max-Plus Convex Geometry

Stéphane Gaubert¹ and Ricardo Katz²

¹ INRIA, Domaine de Voluceau, 78153 Le Chesnay Cédex, France
  [email protected]
² CONICET, Instituto de Matemática “Beppo Levi”, Universidad Nacional de Rosario, Av. Pellegrini 250, 2000 Rosario, Argentina
  [email protected]

Abstract. Max-plus analogues of linear spaces, convex sets, and polyhedra have appeared in several works. We survey their main geometrical properties, including max-plus versions of the separation theorem, existence of linear and non-linear projectors, max-plus analogues of the Minkowski-Weyl theorem, and the characterization of the analogues of “simplicial” cones in terms of distributive lattices.

1 Introduction

The max-plus semiring, Rmax, is the set R ∪ {−∞} equipped with the addition (a, b) ↦ max(a, b) and the multiplication (a, b) ↦ a + b. To emphasize the semiring structure,  we write a ⊕ b := max(a, b), ab := a + b, 𝟘 := −∞ and 𝟙 := 0.
Many classical notions have interesting max-plus analogues. In particular, semimodules over the max-plus semiring can be defined essentially like linear spaces over a field. The most basic examples consist of subsemimodules of functions from a set X to Rmax, which are subsets V of Rmax^X that are stable by max-plus linear combinations, meaning that:

λu ⊕ μv ∈ V (1)

for all u, v ∈ V and for all λ, μ ∈ Rmax. Here, for all scalars λ and functions u, λu denotes the function sending x to the max-plus product λu(x), and the max-plus sum of two functions is defined entrywise. Max-plus semimodules have many common features with convex cones. This analogy leads one to define max-plus convex subsets V of Rmax^X by the requirement that (1) holds for all u, v ∈ V and for all λ, μ ∈ Rmax such that λ ⊕ μ = 𝟙. The finite dimensional case, in which X = {1, . . . , n}, is already interesting.
Semimodules over the max-plus semiring have received much attention [1], [2], [3], [4], [5]. They are of an intrinsic interest, due to their relation with lattice and Boolean matrix theory, and also with abstract convex analysis [6]. They arise in the geometric approach to discrete event systems [7], and in the study of solutions of Hamilton-Jacobi equations associated with deterministic optimal control problems [8,4,9,10]. Recently, relations with phylogenetic analysis have been pointed out [11].

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 192–206, 2006.
© Springer-Verlag Berlin Heidelberg 2006
Max-Plus Convex Geometry 193

In this paper, we survey the basic properties of max-plus linear spaces, convex sets, and polyhedra, emphasizing the analogies with classical convex geometry. We shall present a synopsis of the results of [5,12], including separation theorems, as well as new results, mostly taken from the recent works [13,14]. Some motivations are sketched in the next section. The reader interested specifically in applications to computer science might look at the work on fixed point problems in static analysis of programs by abstract interpretation [28], which is briefly discussed at the end of Section 2.3.

2 Motivations
2.1 Preliminary Definitions
Before pointing out some motivations, we give preliminary definitions. We re-
fer the reader to [5] for background on semirings with an idempotent addition
(idempotent semirings) and semimodules over idempotent semirings. In partic-
ular, the standard notions concerning modules, like linear maps, are naturally
adapted to the setting of semimodules.
Although the results of [5] are developed in a more general setting, we shall
here only consider semimodules of functions. A semimodule of functions from a set X to a semiring K is a subset V ⊂ K^X satisfying (1), for all u, v ∈ V and λ, μ ∈ K. When X = {1, . . . , n}, we write K^n instead of K^X, and we denote by u_i the i-th coordinate of a vector u ∈ K^n.
We shall mostly restrict our attention to the case where K is the max-plus semiring, Rmax, already defined in the introduction, or the completed max-plus semiring, R̄max, which is obtained by adjoining to Rmax a +∞ element, with the convention that (−∞) + (+∞) = −∞. Some of the results can be stated in a simpler way in the completed max-plus semiring.
The semirings Rmax and R̄max are equipped with the usual order relation. Semimodules of functions with values in one of these semirings are equipped with the product order.
We say that a set of functions with values in R̄max is complete if the supremum of an arbitrary family of elements of this set belongs to it. A convex subset V of R̄^X_max is defined like a convex subset of R^X_max, by requiring that (1) holds for all u, v ∈ V and λ, μ ∈ R̄max such that λ ⊕ μ = ½.
If 𝒳 is a set of functions from X to Rmax, we define the semimodule that it generates, span 𝒳, to be the set of max-plus linear combinations of a finite number of functions of 𝒳. In other words, every function f of span 𝒳 can be written as

$$ f(x) = \max_{i \in I} \bigl( \lambda_i + g_i(x) \bigr) , \qquad (2) $$

where I is a finite set, g_i belongs to 𝒳, and λ_i belongs to R ∪ {−∞}.


If 𝒳 is a set of functions from X to R̄max, we define the complete semimodule that it generates, $\overline{\mathrm{span}}\,\mathcal{X}$, to be the set of arbitrary max-plus linear combinations of functions of 𝒳, or equivalently, the set of arbitrary suprema of elements of span 𝒳. Thus, every function of $\overline{\mathrm{span}}\,\mathcal{X}$ can be written in the form (2), if we allow I to be infinite, with λ_i ∈ R ∪ {±∞}, and if we replace the “max” by a “sup”. Then, we say that f is an infinite linear combination of the functions g_i.

2.2 Solution Spaces of Max-Plus Linear Equations


An obvious motivation to introduce semimodules over Rmax or R̄max is to study
the spaces of solutions of max-plus linear equations. Such equations arise natu-
rally in relation with discrete event systems and dynamic programming.
For instance, let A = (Aij ) denote a p × q matrix with entries in Rmax , and
consider the relation
y = Ax .
Here, Ax denotes the max-plus product, so that y_i = max_{1≤k≤q} (A_ik + x_k). This
can be interpreted as follows. Imagine a system with q initial events (arrival of
a part in a workshop, entrance of a customer in a network, etc.), and p terminal
events (completion of a task, exit of a customer, etc.). Assume that the terminal
event i cannot be completed earlier than Aij time units after the initial event j
has occurred. Then, the vector y = Ax represents the earliest completion times of
the terminal events, as a function of the vector x of occurrence times of the initial
events. The image of the max-plus linear operator A, V := {Ax | x ∈ R^q_max}, is a
semimodule representing all the possible completion times. More sophisticated
examples, relative to the dynamical behavior of discrete event systems, can be
found in [7,15].
Other interesting semimodules arise as eigenspaces. Consider the eigenproblem

Ax = λx ,

that is, max_{1≤j≤q} (A_ij + x_j) = λ + x_i. We assume here that A is square. We look for the eigenvectors x ∈ R^q_max and the eigenvalues λ ∈ Rmax. The eigenspace of
λ, which is the set of all x such that Ax = λx, is obviously a semimodule. In
dynamic programming, Aij represents the reward received when moving from
state i to state j. If Ax = λx for some vector x with finite entries, it can
be checked that the eigenvalue λ gives the maximal mean reward per move,
taken over all infinite trajectories. The eigenvector x can be interpreted as a fair
relative price vector for the different states. See [16,10,17] for more details on
the eigenproblem. The extreme generators of the eigenspace (to be defined in
Section 5) correspond to optimal stationary strategies or infinite “geodesics” [10].
The infinite dimensional version of the equation y = Ax and of the spectral
equation Ax = λx respectively arise in large deviations theory [18] and in optimal
control [10]. When the state space is non-compact, the representation of max-
plus eigenvectors is intimately related with the compactification of metric spaces
in terms of horofunctions [10,19].

2.3 From Classical Convexity to Max-Plus Convexity


The most familiar examples of semimodules over the max-plus semiring arise in classical convex analysis. In this section, unlike in the rest of the paper, the words “convex”, “linear”, “affine”, and “polyhedra”, and the notation “·” for the scalar product of R^n, have their usual meaning.
Recall that the Legendre-Fenchel transform of a map f from R^n to R ∪ {±∞} is the map f* from R^n to R ∪ {±∞} defined by:

$$ f^*(p) = \sup_{x \in \mathbb{R}^n} \bigl( p \cdot x - f(x) \bigr) . \qquad (3) $$

Legendre-Fenchel duality [20, Cor. 12.2.1] tells that (f*)* = f if f is convex, lower semicontinuous and if f(x) ∈ R ∪ {+∞} for all x ∈ R^n. Making explicit the identity (f*)* = f, we get f(x) = sup_{p∈R^n} (p · x − f*(p)). This classical result can be restated as follows, in max-plus terms.

Property 1 (Semimodule of convex functions). The set of lower semicontinuous convex functions from R^n to R ∪ {+∞} is precisely the set of infinite max-plus linear combinations of (conventional) linear forms on R^n.

The numbers −f*(p), for p ∈ R^n, may be thought of as the “coefficients”, in the max-plus sense, of f with respect to the “basis” of linear forms x ↦ p · x. These coefficients are not unique, since there may be several functions g such that f = g*. However, the map g giving the “coefficients” is unique if it is required to be lower semicontinuous and if f is essentially smooth, see [21, Cor. 6.4]. The semimodule of finite max-plus linear combinations of linear forms is also familiar: it consists of the convex functions from R^n to R that are polyhedral [20], together with the identically −∞ map.
By changing the set of generating functions, one obtains other spaces of functions. In particular, a useful space consists of the maps f from R^n to R that are order preserving, meaning that x ≤ y =⇒ f(x) ≤ f(y), where ≤ denotes the standard product ordering of R^n, and commute with the addition with a constant, meaning that f(λ + x_1, . . . , λ + x_n) = λ + f(x_1, . . . , x_n). These maps play a fundamental role in the theory of Markov decision processes and games: they arise as the coordinate maps of dynamic programming operators. They are sometimes called topical maps [22]. Topical maps include min-plus linear maps sending R^n to R, which can be written as

$$ x \mapsto \min_{1 \le j \le n} ( a_j + x_j ) , \qquad (4) $$

where a_1, . . . , a_n are numbers in R ∪ {+∞} that are not all equal to +∞. Of course, topical maps also include max-plus linear maps sending R^n to R, which can be represented in a dual way. The following observation was made by Rubinov and Singer [23], and, independently, by Gunawardena and Sparrow (personal communication).

Property 2 (Semimodule of topical functions). The set of order preserving maps from R^n to R that commute with the addition of a constant coincides, up to the functions identically equal to −∞ or +∞, with the set of infinite max-plus linear combinations of the maps of the form (4).
A map from R^n to R^n is called a min-max function if each of its coordinates is a finite max-plus linear combination of maps of the form (4). Min-max functions arise as dynamic operators of zero-sum deterministic two-player games with finite state and action spaces, and also in the performance analysis of discrete event systems [24,25]. The decomposition of a min-max function as a supremum of min-plus linear maps (or dually, as an infimum of max-plus linear maps) is used in [26,27,25] to design policy iteration algorithms, allowing one to solve fixed point problems related to min-max functions. These techniques are applied in [28] to the static analysis of programs by abstract interpretation.
Another application of semimodules of functions, to the discretization of
Hamilton-Jacobi equations associated with optimal control problems, can be
found in [29].

3 Projection on Complete Semimodules


We now survey some of the main properties of the max-plus analogues of modules
(or cones) and convex sets. In the case of Hilbert spaces, a possible approach
is to define first the projection on a closed convex set, and then to show the
separation theorem. We shall follow here a similar path.
Definition 1 (Projector on a complete semimodule). If V is a complete semimodule of functions from X to R̄max, for all functions u from X to R̄max, we define:

P_V(u) := sup{v ∈ V | v ≤ u} .

Since V is complete, P_V(u) ∈ V, and obviously, P_V has all elements of V as fixed points. It follows that

P_V ∘ P_V = P_V .

The projector P_V can be computed from a generating family of V. Assume first that V is generated only by one function v ∈ R̄^X_max, meaning that V = R̄max v := {λv | λ ∈ R̄max}. Define, for u ∈ R̄^X_max,

$$ u/v := \sup\{ \lambda \in \overline{\mathbb{R}}_{\max} \mid u \ge \lambda v \} . $$

One can easily check that

$$ u/v = \inf\{ u(x) - v(x) \mid x \in X \} , $$

with the convention that (+∞) − (+∞) = (−∞) − (−∞) = +∞. Of course, P_V(u) = (u/v)v. More generally, we have the following elementary result.
Proposition 1 ([5]). If V is a complete subsemimodule of R̄^X_max generated by a subset 𝒳 ⊂ R̄^X_max, we have

$$ P_V(u) = \sup_{v \in \mathcal{X}} (u/v)\, v . $$

When 𝒳 is finite and X = {1, . . . , n}, this provides an algorithm to decide whether a function u belongs to V: it suffices to check whether P_V(u) = u.
Example 1. We use here the notation of Section 2.3. When V is the complete semimodule generated by the set of conventional linear maps x ↦ p · x, P_V(u) can be written as

$$ [P_V(u)](x) = \sup_{p \in \mathbb{R}^n} \Bigl( \inf_{y \in \mathbb{R}^n} \bigl( u(y) - p \cdot y \bigr) + p \cdot x \Bigr) = (u^*)^*(x) , $$

where u* is the Legendre-Fenchel transform of u. Hence, P_V(u) is the lower-semicontinuous convex hull of u ([20, Th. 12.2]).
When V is the complete semimodule generated by the set of functions of the form x ↦ −‖x − a‖_∞, with a ∈ R^n, it can be checked that

$$ [P_V(u)](x) = \sup_{a \in \mathbb{R}^n} \Bigl( \inf_{y \in \mathbb{R}^n} \bigl( u(y) + \|y - a\|_\infty \bigr) - \|x - a\|_\infty \Bigr) = \inf_{a \in \mathbb{R}^n} \bigl( u(a) + \|x - a\|_\infty \bigr) . $$

This is the “1-Lipschitz regularization” of u. More generally, one may consider semimodules of maps with a prescribed continuity modulus, like Hölder continuous maps, see [21].
The projection of a vector of a Hilbert space on a (conventional) closed convex
set minimizes the Euclidean distance of this vector to it. A similar property
holds in the max-plus case, but the Euclidean norm must be replaced by the
Hilbert seminorm (the additive version of Hilbert’s projective metric). For any scalar λ ∈ R̄max, define λ^− := −λ. For all vectors u, v ∈ R̄^X_max, we define

$$ \delta_H(u, v) := \bigl( (u/v)(v/u) \bigr)^- , $$

where the product is understood in the max-plus sense. When X = {1, . . . , n} and u, v take finite values, δ_H(u, v) can be written as

$$ \delta_H(u, v) = \sup_{1 \le i, j \le n} ( u_i - v_i + v_j - u_j ) , $$

with the usual notation.


Theorem 1 (The projection minimizes Hilbert’s seminorm, [5]). If V is a complete semimodule of functions from a set X to R̄max, then, for all functions u from X to R̄max, and for all v ∈ V,

δ_H(u, P_V(u)) ≤ δ_H(u, v) .

This property does not uniquely define PV (u), even up to an additive constant,
because the balls in Hilbert’s projective metric are not “strictly convex”.
Example 2. Consider

$$ A = \begin{bmatrix} 0 & 0 & 0 & -\infty & 0.5 \\ 1 & -2 & 0 & 0 & 1.5 \\ 0 & 3 & 2 & 0 & 3 \end{bmatrix} , \qquad u = \begin{bmatrix} 1 \\ 0 \\ 0.5 \end{bmatrix} . \qquad (5) $$

The semimodule V generated by the columns of the matrix A is represented in Figure 1 (left). A non-zero vector v ∈ R^3_max is represented by the point that is the barycenter with weights (exp(βv_i))_{1≤i≤3} of the vertices of the simplex, where β > 0 is a fixed scaling parameter. Observe that vectors that are proportional in the max-plus sense are represented by the same point. Every vertex of the simplex represents one basis vector e_i. The point p_i corresponds to the i-th column of A. The semimodule V is represented by the closed region in dark grey and by the bold segments joining the points p_1, p_2, p_4 to it.
We deduce from Proposition 1 that

$$ P_V(u) = (-1) \begin{bmatrix} 0 \\ 1 \\ 0 \end{bmatrix} \oplus (-2.5) \begin{bmatrix} 0 \\ -2 \\ 3 \end{bmatrix} \oplus (-1.5) \begin{bmatrix} 0 \\ 0 \\ 2 \end{bmatrix} \oplus (0) \begin{bmatrix} -\infty \\ 0 \\ 0 \end{bmatrix} \oplus (-2.5) \begin{bmatrix} 0.5 \\ 1.5 \\ 3 \end{bmatrix} = \begin{bmatrix} -1 \\ 0 \\ 0.5 \end{bmatrix} . $$

Since P_V(u) < u, u does not belong to V. The vector u and its projection P_V(u) are represented in Figure 1 (right). The ball in Hilbert’s metric centered at u whose boundary contains P_V(u) is represented in light grey. The fact that P_V(u) is one of the points of V that are the closest to u (Theorem 1) is clear from the figure.

Fig. 1. A max-plus semimodule (left). A point u, its projection P_V(u), and the corresponding ball in Hilbert’s projective metric (right). (Figure not reproduced; it shows the simplex with vertices e_1, e_2, e_3 and the points p_1, . . . , p_5, u and P_V(u).)

4 Separation Theorems
We first state separation theorems for complete subsemimodules and complete convex subsets of R̄^X_max, since the results are simpler in this setting. Then, we shall see how the completeness assumptions can be dispensed with.
Several max-plus separation theorems have appeared in the literature: the first one is due to Zimmermann [2]. Other separation theorems appeared in [30], in [5,12], and, in the polyhedral case, in [11,31]. We follow here the approach of [5,12], in which the geometrical interpretation is apparent.
We call half-space of R̄^X_max a set of the form

$$ H = \{ v \in \overline{\mathbb{R}}_{\max}^X \mid a \cdot v \le b \cdot v \} , \qquad (6) $$

where a, b ∈ R̄^X_max and · denotes here the max-plus scalar product:

$$ a \cdot v := \sup_{x \in X} \bigl( a(x) + v(x) \bigr) . $$

We extend the notation ·^− to functions v ∈ R̄^X_max, so that v^− denotes the function sending x ∈ X to −v(x). The following theorem is proved using residuation (or Galois correspondence) techniques.
Theorem 2 (Universal Separation Theorem, [5, Th. 8]). Let V ⊂ R̄^X_max denote a complete subsemimodule, and let u ∈ R̄^X_max \ V. Then, the half-space

$$ H = \{ v \in \overline{\mathbb{R}}_{\max}^X \mid (P_V(u))^- \cdot v \le u^- \cdot v \} \qquad (7) $$

contains V and not u.


Since P_V(u) ≤ u, the inequality can be replaced by an equality in (7). A way to remember Theorem 2 is to interpret the equality

$$ (P_V(u))^- \cdot v = u^- \cdot v $$

as the “orthogonality” of v to the direction (u, P_V(u)). This is analogous to the Hilbert space case, where the difference between a vector and its projection gives the direction of a separating hyperplane.
Example 3. Let V, A, and u be as in Example 2. The half-space separating u from V is readily obtained from the value of u and P_V(u):

$$ H = \{ v \in \overline{\mathbb{R}}_{\max}^3 \mid 1 v_1 \oplus v_2 \oplus (-0.5) v_3 \le (-1) v_1 \oplus v_2 \oplus (-0.5) v_3 \} . $$

This half-space is represented by the zone in medium gray in Figure 2.


An affine half-space of R̄^X_max is by definition a set of the form

$$ H = \{ v \in \overline{\mathbb{R}}_{\max}^X \mid a \cdot v \oplus c \le b \cdot v \oplus d \} , \qquad (8) $$

where a, b ∈ R̄^X_max and c, d ∈ R̄max. For any complete convex subset C of R̄^X_max and u ∈ R̄^X_max, we define

$$ \nu_C(u) := \sup_{v \in C} (u/v \wedge ½) , \qquad Q_C(u) := \sup_{v \in C} (u/v \wedge ½)\, v , $$

where ∧ denotes the pointwise minimum of vectors.


Fig. 2. Separating half-space. (Figure not reproduced; it shows the simplex with vertices e_1, e_2, e_3, the points u and P_V(u), and the half-space H.)

Corollary 1 ([5, Cor. 15]). If C is a complete convex subset of R̄^X_max, and if u ∈ R̄^X_max \ C, then the affine half-space

$$ H = \{ v \in \overline{\mathbb{R}}_{\max}^X \mid (Q_C(u))^- \cdot v \oplus (\nu_C(u))^- \le u^- \cdot v \oplus ½ \} \qquad (9) $$

contains C and not u.


This corollary is obtained by projecting the vector (u, ½) on the complete subsemimodule of R̄^X_max × R̄max generated by the vectors (vλ, λ), where v ∈ C and λ ∈ R̄max. The projection of this vector is precisely (Q_C(u), ν_C(u)). The operator u ↦ (ν_C(u))^− Q_C(u) defines a projection on the convex set C [12]. (We note that the scalar ν_C(u) is invertible, except in the degenerate case where u cannot be bounded from below by a non-zero scalar multiple of an element of C.)
We deduce the following as an immediate corollary of Theorem 2 and Corollary 1.
Corollary 2. A complete subsemimodule (resp. complete convex subset) of R̄^X_max is the intersection of the half-spaces (resp. affine half-spaces) of R̄^X_max in which it is contained. □

We now consider subsemimodules and convex subsets arising from the max-plus semiring Rmax, rather than from the completed max-plus semiring R̄max. Results of the best generality are perhaps still missing, so we shall restrict our attention to subsemimodules and convex subsets of R^n_max. By analogy with convex analysis, we call cone a subsemimodule of R^n_max.
We equip R^n_max with the usual topology, which can be defined by the metric

$$ d(u, v) := \max_{1 \le i \le n} \lvert \exp(u_i) - \exp(v_i) \rvert , \qquad \forall u, v \in (\mathbb{R} \cup \{-\infty\})^n . $$

A half-space of R^n_max is a set of the form H = {v ∈ R^n_max | a · v ≤ b · v}, where a, b ∈ R^n_max. An affine half-space of R^n_max is a set of the form H = {v ∈ R^n_max | a · v ⊕ c ≤ b · v ⊕ d}, where a, b ∈ R^n_max and c, d ∈ Rmax. Note that the restriction to R^n_max of an (affine) half-space of R̄^n_max need not be an (affine) half-space of R^n_max, because the vectors a, b in (6) and (8) can have entries equal to +∞, and the scalars c, d in (8) can be equal to +∞. However, we have the following refinement of Theorem 2 in the case of closed cones of R^n_max, which is slightly more precise than the result stated in [12], and can be proved along the same lines.
Theorem 3. Let V be a closed cone of R^n_max and let u ∈ R^n_max \ V. Then, there exist a ∈ R^n_max and disjoint subsets I and J of {1, . . . , n} such that the half-space of R^n_max

$$ H = \{ v \in \mathbb{R}_{\max}^n \mid \textstyle\bigoplus_{i \in I} a_i v_i \le \bigoplus_{j \in J} a_j v_j \} \qquad (10) $$

contains V and not u.
Further information on half-spaces can be found in [31].
Example 4. The restriction to R^3_max of the separating half-space constructed in Example 3 can be rewritten as:

$$ H = \{ v \in \mathbb{R}_{\max}^3 \mid 1 v_1 \le v_2 \oplus (-0.5) v_3 \} , $$

which is clearly of the form (10). To illustrate the technical difficulty concerning supports, which is solved in [12] and in Theorem 3 above, let us separate the point u = [−∞, 1, 0]^T from the semimodule V of Example 2. We have P_V(u) = [−∞, 0, 0]^T, and the half-space of R̄^3_max defined in Theorem 2 is

$$ \{ v \in \overline{\mathbb{R}}_{\max}^3 \mid (+\infty) v_1 \oplus v_2 \oplus v_3 \le (+\infty) v_1 \oplus (-1) v_2 \oplus v_3 \} . $$

Note that due to the presence of the +∞ coefficient, the restriction of this half-space to R^3_max is not closed. The proof of [12] and of Theorem 3 introduces a finite perturbation of u, for instance, w = [ε, 1, 0]^T, where ε is a finite number sufficiently close to −∞ (here, any ε < 0 will do), and shows that the restriction to R^n_max of the half-space of R̄^n_max constructed in the universal separation theorem (Theorem 2), which is a half-space of R^n_max, separates u from V. For instance, when ε = −1, we obtain P_V(w) = [−1, 0, 0]^T, which gives the half-space of R^3_max

$$ H = \{ v \in \mathbb{R}_{\max}^3 \mid 1 v_1 \oplus v_3 \ge v_2 \} $$

containing V and not u.
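The computations of Examples 2, 3 and 4 (the projector of Proposition 1, Hilbert's seminorm of Theorem 1 and the separating half-space of Theorem 2, including the +∞ coefficient that makes the restriction to R^3_max non-closed and the finite perturbation w that repairs it) can be checked mechanically; the following Python is an added example, not code from the paper. The function in_polyhedron, which tests membership in co(X) ⊕ cone(Y) by lifting to the cone of vectors (vλ, λ) used in the proof of Corollary 3 with the extra generators (y, −∞) for the recession directions, is our own reduction, tried here on the set C of Figure 3.

```python
from math import inf

NEG = -inf  # the max-plus zero, written -∞ (¼ in the paper's notation)


def mp_mul(a, b):
    """Max-plus product ab = a + b, with (-∞) + (+∞) = -∞ (completed semiring)."""
    if a == NEG or b == NEG:
        return NEG
    return a + b


def residual(a, b):
    """a - b with the convention (+∞) - (+∞) = (-∞) - (-∞) = +∞ used for u/v."""
    if a == b and a in (inf, NEG):
        return inf
    return a - b


def quotient(u, v):
    """u/v = sup{λ | u ≥ λv} = inf_x (u(x) - v(x))."""
    return min(residual(ui, vi) for ui, vi in zip(u, v))


def project(generators, u):
    """P_V(u) = sup over generators v of (u/v) v, V = cone(generators) (Proposition 1)."""
    result = [NEG] * len(u)
    for v in generators:
        lam = quotient(u, v)
        result = [max(r, mp_mul(lam, vi)) for r, vi in zip(result, v)]
    return result


def in_cone(generators, u):
    """u belongs to the complete semimodule V iff P_V(u) = u."""
    return project(generators, u) == list(u)


def hilbert_seminorm(u, v):
    """δ_H(u, v) = ((u/v)(v/u))^-, the product taken in the max-plus sense."""
    return -mp_mul(quotient(u, v), quotient(v, u))


def scalar_product(a, v):
    """Max-plus scalar product a · v = sup_x (a(x) + v(x))."""
    return max(mp_mul(ai, vi) for ai, vi in zip(a, v))


def separating_half_space(generators, u):
    """Theorem 2: H = {v | (P_V(u))^- · v <= u^- · v} contains V and not u.
    Returns (a, b) with H = {v | a · v <= b · v}; entries of a, b may be +∞."""
    p = project(generators, u)
    return [-x for x in p], [-x for x in u]


def in_half_space(a, b, v):
    return scalar_product(a, v) <= scalar_product(b, v)


def in_polyhedron(X, Y, u):
    """Membership in co(X) ⊕ cone(Y) (Theorem 6).  Homogenization as in the
    proof of Corollary 3: (u, 0) must lie in the cone generated by (x, 0) for
    x in X and (y, -∞) for y in Y.  (Our reduction, not stated in the paper.)"""
    lifted = [list(x) + [0] for x in X] + [list(y) + [NEG] for y in Y]
    return in_cone(lifted, list(u) + [0])


def columns(A):
    return [list(col) for col in zip(*A)]


# Matrix A and point u of Example 2, equation (5).
A_EXAMPLE = [[0, 0, 0, NEG, 0.5], [1, -2, 0, 0, 1.5], [0, 3, 2, 0, 3]]
U_EXAMPLE = [1, 0, 0.5]
# Extreme points and recession directions of the set C of Figure 3.
X_FIG3 = [[5, 2], [4, 0], [3, 2], [1, 3], [2, 5]]
Y_FIG3 = [[0, 1], [2, 0]]

if __name__ == "__main__":
    gens = columns(A_EXAMPLE)
    p = project(gens, U_EXAMPLE)
    print("P_V(u) =", p)                                              # [-1, 0, 0.5]
    print("delta_H(u, P_V(u)) =", hilbert_seminorm(U_EXAMPLE, p))    # 2
    a, b = separating_half_space(gens, U_EXAMPLE)                     # Example 3
    print("u in H:", in_half_space(a, b, U_EXAMPLE),
          "| V in H:", all(in_half_space(a, b, g) for g in gens))
    # Example 4: u4 has a -∞ entry, so the Theorem 2 half-space gets a +∞
    # coefficient and its restriction to R^3_max is not closed; the finite
    # perturbation w = [-1, 1, 0] gives a half-space of R^3_max separating u4.
    u4, w = [NEG, 1, 0], [-1, 1, 0]
    a4, b4 = separating_half_space(gens, u4)
    print("[-100, 1, 0] in H_u4:", in_half_space(a4, b4, [-100, 1, 0]),
          "| its limit u4 in H_u4:", in_half_space(a4, b4, u4))
    aw, bw = separating_half_space(gens, w)            # a = [1, 0, 0], b = [1, -1, 0]
    print("u4 in H_w:", in_half_space(aw, bw, u4),
          "| V in H_w:", all(in_half_space(aw, bw, g) for g in gens))
    print("[4, 1] in C:", in_polyhedron(X_FIG3, Y_FIG3, [4, 1]),
          "| [0, 0] in C:", in_polyhedron(X_FIG3, Y_FIG3, [0, 0]))
```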
Corollary 3. Let C ⊂ R^n_max be a closed convex set and let u ∈ R^n_max \ C. Then, there exist a ∈ R^n_max, disjoint subsets I and J of {1, . . . , n} and c, d ∈ Rmax, with cd = ¼, such that the affine half-space of R^n_max

$$ H = \{ v \in \mathbb{R}_{\max}^n \mid \textstyle\bigoplus_{i \in I} a_i v_i \oplus c \le \bigoplus_{j \in J} a_j v_j \oplus d \} $$

contains C and not u.
This is proved by applying the previous theorem to the point (u, ½) ∈ R^{n+1}_max and to the following closed cone:

$$ V := \operatorname{clo}(\{ (v\lambda, \lambda) \mid v \in C, \ \lambda \in \mathbb{R}_{\max} \}) \subset \mathbb{R}_{\max}^{n+1} . $$

We deduce the following as an immediate corollary of Theorem 3 and Corollary 3.

Corollary 4. A closed cone of R^n_max is the intersection of the half-spaces of R^n_max in which it is contained. A closed convex subset of R^n_max is the intersection of the affine half-spaces of R^n_max in which it is contained.

5 Extreme Points of Max-Plus Convex Sets


Definition 2. Let C be a convex subset of R^n_max. An element v ∈ C is an extreme point of C, if for all u, w ∈ C and λ, μ ∈ Rmax such that λ ⊕ μ = ½, the following property is satisfied

v = λu ⊕ μw =⇒ v = u or v = w .

The set of extreme points of C will be denoted by ext(C).

Definition 3. Let V ⊂ R^n_max be a cone. An element v ∈ V is an extreme generator of V if the following property is satisfied

v = u ⊕ w, u, w ∈ V =⇒ v = u or v = w .

We define an extreme ray of V to be a set of the form Rmax v = {λv | λ ∈ Rmax} where v is an extreme generator of V. The set of extreme generators of V will be denoted by ext-g(V).

Note that extreme generators correspond to join irreducible elements in the lattice theory literature.
We denote by cone(𝒳) the smallest cone containing a subset 𝒳 of R^n_max, and by co(𝒳) the smallest convex set containing it. So cone(𝒳) coincides with span 𝒳, if the operator “span” is interpreted over the semiring Rmax.
Theorem 4. Let V ⊂ R^n_max be a non-empty closed cone. Then V is the cone generated by the set of its extreme generators, that is,

V = cone(ext-g(V)) .

The proof of Theorem 4, and of Corollary 5 and Theorem 5 below, can be found in [13]. After the submission of the present paper, a preprint of Butkovič, Schneider, and Sergeev has appeared [32], in which Theorem 4 is established independently. Their approach also yields information on non-closed cones.

Corollary 5 (Max-Plus Minkowski’s Theorem). Let C be a non-empty compact convex subset of R^n_max. Then C is the convex hull of the set of its extreme points, that is,

C = co(ext(C)) .

This is more precise than Helbig’s max-plus analogue of Krein-Milman’s theorem [33], which only shows that a non-empty compact convex subset of R^n_max is the closure of the convex hull of its set of extreme points. Unlike Helbig’s proof, our proof of Theorem 4 and Corollary 5 does not use the separation theorem.
If v is a point in a convex set C, we define the recession cone of C at point v to be the set:

rec(C) = {u ∈ R^n_max | v ⊕ λu ∈ C for all λ ∈ Rmax} .

If C is a closed convex subset of R^n_max, it can be checked that the recession cone is independent of the choice of v ∈ C, and that it is closed.

Theorem 5. Let C ⊂ R^n_max be a closed convex set. Then,

C = co(ext(C)) ⊕ rec(C) .

Corollary 4 suggests the following definition.

Definition 4. A max-plus polyhedron is an intersection of finitely many affine half-spaces of R^n_max.

Theorem 6 (Max-Plus Minkowski-Weyl Theorem). The max-plus polyhedra are precisely the sets of the form

co(𝒳) ⊕ cone(𝒴)

where 𝒳, 𝒴 are finite subsets of R^n_max.

Note that our notion of max-plus polyhedra is more general than the notion of tropical polyhedra which is considered in [11]: tropical polyhedra can be identified with sets of the form cone(𝒴) where 𝒴 is a finite set of vectors with only finite entries.
Finally, we shall consider the max-plus analogues of simplicial convex cones, which are related to the important notion of regular matrix. We need to work again in the completed max-plus semiring, R̄max, rather than in Rmax. We say that a matrix A ∈ R̄^{n×p}_max is regular if it has a generalized inverse, meaning that there exists a matrix X ∈ R̄^{p×n}_max such that A = AXA. Regularity is equivalent to the existence of a linear projector onto the cone generated by the columns (or the rows) of A, see [34,35].
A finitely generated subsemimodule V of R̄^n_max is a complete lattice, in which the supremum coincides with the supremum in R̄^n_max, and the infimum of any subset of V is the greatest lower bound of this subset that belongs to V. The following result extends a theorem proved by Zaretski [36] (see [37, Th. 2.1.29] for a proof in English) in the case of the Boolean semiring.
Theorem 7 ([14]). A matrix A ∈ R̄^{n×p}_max is regular if and only if the subsemimodule of R̄^n_max generated by its columns is a completely distributive lattice.
Of course, a dual statement holds for the rows of A. In fact, we know that the semimodule generated by the rows of A is anti-isomorphic to the semimodule generated by its columns [5].
As an illustration of Theorem 5, consider the closed convex set C ⊂ R^2_max depicted in Figure 3. We have ext(C) = {a, b, c, d, e}, where a = [5, 2]^T, b =
Fig. 3. An unbounded max-plus convex set. (Figure not reproduced; it shows the region C in the (x_1, x_2) plane, axes graduated from 1 to 6, with the extreme points a, b, c, d, e.)

Fig. 4. The sets co(ext(C)) and rec(C) of Theorem 5 for the unbounded convex set depicted in Figure 3. (Figure not reproduced; the two panels show co(ext(C)) with the points a, b, c, d, e, and rec(C), in the (x_1, x_2) plane.)



[4, 0]^T, c = [3, 2]^T, d = [1, 3]^T, e = [2, 5]^T, and rec(C) = cone({[0, 1]^T, [2, 0]^T}). Then,

C = co({a, b, c, d, e}) ⊕ cone({[0, 1]^T, [2, 0]^T})

by Theorem 5. The sets co(ext(C)) and rec(C) are depicted in Figure 4. The cone rec(C) is a distributive lattice, since the infimum and supremum laws coincide with those of R̄^2_max. Note that any n × 2 or 2 × n matrix is regular; in particular, finitely generated cones which are not distributive lattices cannot be found in dimension smaller than 3, see [34].

Acknowledgment. We thank the referees for their careful reading and for their
suggestions.

References

1. Korbut, A.A.: Extremal spaces. Dokl. Akad. Nauk SSSR 164 (1965) 1229–1231
2. Zimmermann, K.: A general separation theorem in extremal algebras. Ekonom.-
Mat. Obzor 13(2) (1977) 179–201
3. Maslov, V.P., Samborskiĭ, S.N.: Idempotent analysis. Volume 13 of Advances in
Soviet Mathematics. Amer. Math. Soc., Providence (1992)
4. Litvinov, G., Maslov, V., Shpiz, G.: Idempotent functional analysis: an algebraic
approach. Math. Notes 69(5) (2001) 696–729
5. Cohen, G., Gaubert, S., Quadrat, J.P.: Duality and separation theorems
in idempotent semimodules. Linear Algebra and Appl. 379 (2004) 395–422
arXiv:math.FA/0212294.
6. Rubinov, A.M.: Abstract convexity and global optimization. Kluwer (2000)
7. Cohen, G., Gaubert, S., Quadrat, J.: Max-plus algebra and system theory: where
we are and where to go now. Annual Reviews in Control 23 (1999) 207–219
8. Kolokoltsov, V.N., Maslov, V.P.: Idempotent analysis and applications. Kluwer
Acad. Publisher (1997)
9. Fathi, A.: Weak KAM theorem in Lagrangian dynamics. Lecture notes, preliminary
version (Cambridge University Press, to appear.) (2005)
10. Akian, M., Gaubert, S., Walsh, C.: The max-plus Martin boundary.
arXiv:math.MG/0412408 (2004)
11. Develin, M., Sturmfels, B.: Tropical convexity. Doc. Math. 9 (2004) 1–27 (Erratum
pp. 205–206).
12. Cohen, G., Gaubert, S., Quadrat, J., Singer, I.: Max-plus convex sets and functions.
In Litvinov, G.L., Maslov, V.P., eds.: Idempotent Mathematics and Mathematical
Physics. Contemporary Mathematics. American Mathematical Society (2005) 105–
129. Also ESI Preprint 1341, arXiv:math.FA/0308166.
13. Gaubert, S., Katz, R.: The Minkowski theorem for max-plus convex sets.
arXiv:math.GM/0605078 (2006)
14. Cohen, G., Gaubert, S., Quadrat, J.P.: Regular matrices in max-plus algebra.
Preprint (2006)
15. Katz, R.D.: Max-plus (A,B)-invariant spaces and control of timed discrete event
systems. (2005) E-print arXiv:math.OC/0503448, to appear in IEEE-TAC.
16. Akian, M., Gaubert, S., Walsh, C.: Discrete max-plus spectral theory. In Litvi-
nov, G.L., Maslov, V.P., eds.: Idempotent Mathematics and Mathematical Physics.
Contemporary Mathematics. American Mathematical Society (2005) 19–51. Also
ESI Preprint 1485, arXiv:math.SP/0405225.
17. Akian, M., Bapat, R., Gaubert, S.: Max-plus algebras. In Hogben, L., Brualdi, R.,
Greenbaum, A., Mathias, R., eds.: Handbook of Linear Algebra. Chapman & Hall
(2006)
18. Akian, M., Gaubert, S., Kolokoltsov, V.: Solutions of max-plus linear equations and
large deviations. In: Proceedings of the joint 44th IEEE Conference on Decision
and Control and European Control Conference ECC 2005 (CDC-ECC’05), Seville,
Espagne (2005) arXiv:math.PR/0509279.
19. Walsh, C.: The horofunction boundary of finite-dimensional normed spaces. To
appear in the Math. Proc. of the Cambridge. Phil. Soc., arXiv:math.GT/0510105
(2005)
20. Rockafellar, R.T.: Convex analysis. Princeton University Press Princeton, N.J.
(1970)

21. Akian, M., Gaubert, S., Kolokoltsov, V.N.: Set coverings and invertibility of func-
tional Galois connections. In Litvinov, G.L., Maslov, V.P., eds.: Idempotent Math-
ematics and Mathematical Physics. Contemporary Mathematics. American Math-
ematical Society (2005) 19–51 Also ESI Preprint 1447, arXiv:math.FA/0403441.
22. Gaubert, S., Gunawardena, J.: The Perron-Frobenius theorem for homogeneous,
monotone functions. Trans. of AMS 356(12) (2004) 4931–4950
23. Rubinov, A.M., Singer, I.: Topical and sub-topical functions, downward sets and
abstract convexity. Optimization 50(5-6) (2001) 307–351
24. Gunawardena, J.: From max-plus algebra to nonexpansive maps: a nonlinear theory
for discrete event systems. Theoretical Computer Science 293 (2003) 141–167
25. Dhingra, V., Gaubert, S., Gunawardena, J.: Policy iteration algorithm for large
scale deterministic games with mean payoff. Preprint (2006)
26. Cochet-Terrasson, J., Gaubert, S., Gunawardena, J.: A constructive fixed point
theorem for min-max functions. Dynamics and Stability of Systems 14(4) (1999)
407–433
27. Gaubert, S., Gunawardena, J.: The duality theorem for min-max functions. C. R.
Acad. Sci. Paris. 326, Série I (1998) 43–48
28. Costan, A., Gaubert, S., Goubault, E., Martel, M., Putot, S.: A policy iteration
algorithm for computing fixed points in static analysis of programs. In: Proceedings
of the 17th International Conference on Computer Aided Verification (CAV’05).
Number 3576 in LNCS, Edinburgh, Springer (2005) 462–475
29. Akian, M., Gaubert, S., Lakhoua, A.: The max-plus finite element method for
solving deterministic optimal control problems: basic properties and convergence
analysis. arXiv:math.OC/0603619 (2006)
30. Samborskiĭ, S.N., Shpiz, G.B.: Convex sets in the semimodule of bounded functions.
In: Idempotent analysis. Amer. Math. Soc., Providence, RI (1992) 135–137
31. Joswig, M.: Tropical halfspaces. In: Combinatorial and computational geometry.
Volume 52 of Math. Sci. Res. Inst. Publ. Cambridge Univ. Press, Cambridge (2005)
409–431
32. Butkovic, P., Schneider, H., Sergeev, S.: Generators, extremals and bases of max
cones. arXiv:math.RA/0604454 (2006)
33. Helbig, S.: On Caratheodory's and Kreĭn-Milman's theorems in fully ordered
groups. Comment. Math. Univ. Carolin. 29(1) (1988) 157–167
34. Cohen, G., Gaubert, S., Quadrat, J.: Linear projectors in the max-plus algebra.
In: Proceedings of the IEEE Mediterranean Conference, Cyprus, IEEE (1997)
35. Cohen, G., Gaubert, S., Quadrat, J.P.: Projection and aggregation in maxplus
algebra. In Menini, L., Zaccarian, L., Abdallah, C.T., eds.: Current Trends in
Nonlinear Systems and Control, in Honor of Petar Kokotovic and Turi Nicosia.
Systems & Control: Foundations & Applications. Birkhauser (2006)
36. Zaretski, K.: Regular elements in the semigroup of binary relations. Uspeki Mat.
Nauk 17(3) (1962) 105–108
37. Kim, K.: Boolean Matrix Theory and Applications. Marcel Dekker, New York
(1982)
Lazy Semiring Neighbours and Some
Applications

Peter Höfner and Bernhard Möller

Institut für Informatik, Universität Augsburg


D-86135 Augsburg, Germany
{hoefner, moeller}@informatik.uni-augsburg.de

Abstract. We extend an earlier algebraic approach to Neighbourhood Logic (NL) from domain semirings to lazy semirings yielding lazy semiring neighbours. Furthermore we show three important applications for these. The first one extends NL to intervals with infinite length. The second one applies lazy semiring neighbours in an algebraic semantics of the branching time temporal logic CTL∗. The third one sets up a connection between hybrid systems and lazy semiring neighbours.

1 Introduction
Chop-based interval temporal logics like ITL [5] and IL [3] are useful for spec-
ification and verification of safety properties of real-time systems. However, as
it is shown in [15], these logics cannot express all desired properties, like (un-
bounded) liveness properties. Hence Zhou and Hansen proposed Neighbourhood
Logic (NL) [14], a first-order interval logic with extra atomic formulas. In [7]
NL has been embedded and extended into the algebraic framework of semirings.
But neither NL nor the algebraic version handle intervals with infinite length.
Therefore we transfer the neighbour concept to lazy semirings [10]. This pro-
vides a combination of NL and interval logic with infinite intervals on a uniform
algebraic basis. Surprisingly, lazy semiring neighbours are not only useful for the
extension of NL; they occur in different situations and structures.
The paper is structured into two main parts. The first one presents the alge-
braic theory. Therefore we recapitulate the basic notions, like lazy semirings, in
Section 2. In Section 3 we define domain and codomain and give some important
properties. In the next section we introduce and discuss lazy semiring neighbours
and boundaries. That section contains the main contribution from a theoretical
point of view. The second part presents three different applications for the the-
ory. It starts by extending Neighbourhood Logic to intervals with infinite length
in Section 5. Afterwards, in Section 6, we show that in the algebraic character-
isation of the branching time temporal logic CTL∗ of [11], the existential and
universal path quantifiers E and A correspond to lazy semiring neighbours. The
last application is presented in Section 7 and shows how to transfer lazy semiring
neighbours to the algebraic model of hybrid systems presented in [8]; some of
them guarantee liveness, others non-reachability, i.e., a form of safety.

This research was supported by DFG (German Research Foundation).

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 207–221, 2006.

© Springer-Verlag Berlin Heidelberg 2006
208 P. Höfner and B. Möller

2 Algebraic Foundations
A lazy semiring (L-semiring or left semiring) is a quintuple (S, +, ·, 0, 1) where
(S, +, 0) is a commutative monoid and (S, ·, 1) is a monoid such that · is left-
distributive over + and left-strict , i.e., 0·a = 0. A lazy semiring structure is also
at the core of process algebra frameworks. The lazy semiring is idempotent if +
is idempotent and · is right-isotone, i.e., b ≤ c ⇒ a · b ≤ a · c, where the natural
order ≤ on S is given by a ≤ b ⇔df a + b = b. Left-isotony of · follows from its
left-distributivity. Moreover, 0 is the ≤-least element and a + b is the join of a
and b. Hence every idempotent L-semiring is a join semilattice. A semiring (for
clarity sometimes also called full semiring) is a lazy semiring in which · is also
right-distributive and right-strict. An L-semiring is Boolean if it is idempotent
and its underlying semilattice is a Boolean algebra. Every Boolean L-semiring
has a greatest element .
A lazy quantale is an idempotent L-semiring that is also a complete lattice
under the natural order with · being universally disjunctive in its left argument.
A quantale is a lazy quantale in which · is universally disjunctive also in its right
argument. Following [1], one might also call a quantale a standard Kleene algebra.
A lazy quantale is Boolean if it is right-distributive and a Boolean L-semiring.
An important lazy semiring (that is even a Boolean quantale) is REL, the
algebra of binary relations over a set under relational composition.
To model assertions in semirings we use the idea of tests as introduced into
Kleene algebras by Kozen [9]. In REL a set of elements can be modelled as a
subset of the identity relation; meet and join of such partial identities coincide
with their composition and union. Generalising this, one defines a test in a (left)
quantale to be an element p ≤ 1 that has a complement q relative to 1, i.e.,
p + q = 1 and p · q = 0 = q · p. The set of all tests of a quantale S is denoted
by test(S). It is not hard to show that test(S) is closed under + and · and has
0 and 1 as its least and greatest elements. Moreover, the complement ¬p of a
test p is uniquely determined by the definition. Hence test(S) forms a Boolean
algebra. If S itself is Boolean then test(S) coincides with the set of all elements
below 1. We will consistently write a, b, c . . . for arbitrary semiring elements and
p, q, r, . . . for tests.
With the above definition of tests we deviate slightly from [9], in that we do
not allow an arbitrary Boolean algebra of sub identities as test(S) but only the
maximal complemented one. The reason is that the axiomatisation of domain to
be presented below forces this maximality anyway (see [2]).
In the remainder we give another important example of an L-semiring (espe-
cially with regard to temporal logics like CTL∗ and hybrid systems). It is based
on trajectories (cf. e.g. [12]) that reflect the values of the variables over time and
was introduced in [8].
Let V be a set of values and D a set of durations (e.g. IN, Q, IR, . . .). We
assume a cancellative addition + on D and an element 0 ∈ D such that (D, +, 0)
is a commutative monoid and the relation x ≤ y ⇔df ∃ z . x + z = y is a linear
order on D. Then 0 is the least element and + is isotone w.r.t. ≤. Moreover, 0
is indivisible, i.e., x + y = 0 ⇔ x = y = 0. D may include the special value ∞.

It is required to be an annihilator w.r.t. + and hence the greatest element of D (and cancellativity of + is restricted to elements in D − {∞}). For d ∈ D we define the interval intv d of admissible times as

$$\mathrm{intv}\,d =_{df} \begin{cases} [0, d] & \text{if } d \neq \infty \\ [0, d[ & \text{otherwise.} \end{cases}$$
A trajectory t is a pair (d, g), where d ∈ D and g : intv d → V . Then d is the
duration of the trajectory. This view models oblivious systems in which the
evolution of a trajectory is independent of the history before the starting time.
The set of all trajectories is denoted by TRA. Composition of trajectories (d1, g1) and (d2, g2) is defined by

$$(d_1, g_1) \cdot (d_2, g_2) =_{df} \begin{cases} (d_1 + d_2, g) & \text{if } d_1 \neq \infty \wedge g_1(d_1) = g_2(0) \\ (d_1, g_1) & \text{if } d_1 = \infty \\ \text{undefined} & \text{otherwise} \end{cases}$$

with g(x) = g1(x) for all x ∈ [0, d1] and g(x + d1) = g2(x) for all x ∈ intv d2.
For a value v ∈ V , let v =df (0, g) with g(0) = v be the corresponding
zero-length trajectory. Moreover, set I =df {v | v ∈ V }.
A process is a set of trajectories. The infinite and finite parts of a process
A are the processes inf A =df {(d, g) ∈ A | d = ∞} and fin A =df A − inf A.
Composition is lifted to processes as follows:
A · B =df inf A ∪ {a · b | a ∈ fin A, b ∈ B} .
Then we obtain the lazy Boolean quantale
PRO =df (P(TRA), ∪, ·, ∅, I) ,
which can be extended to a test quantale by setting test(PRO) =df P(I).
For a discrete infinite set D, e.g. D = IN, trajectories are isomorphic to
nonempty finite or infinite words over the value set V . If V consists of states of
computations, then the elements of PRO can be viewed as sets of computation
streams; therefore we also write STR(V ) instead of PRO in this case.
Note that A ∈ PRO consists of infinite trajectories only, i.e., A = inf A, iff
A · B = A for all B ∈ PRO. We call such a process infinite, too. Contrarily, A
consists of finite trajectories only, i.e., A = fin A, iff A · ∅ = ∅. We call such a
process finite, too.
We now generalise these notions from PRO to an arbitrary L-semiring S. An
element a ∈ S is called infinite if it is a left zero, i.e., a · b = a for all b ∈ S,
which is equivalent to a · 0 = a. By this property, a · 0 may be considered as the
infinite part of a, i.e., the part consisting just of infinite computations (if any).
We assume that there exists a largest infinite element N, i.e.,
a ≤ N ⇔df a · 0 = a .
Dually, we call an element a finite if its infinite part is trivial, i.e., if a · 0 = 0.
We also assume that there is a largest finite element F, i.e.,
a ≤ F ⇔df a · 0 = 0 .

In Boolean quantales N and F always exist¹ and satisfy N =  · 0 and F = N, where denotes complementation. Moreover, every element can be split into its finite and infinite parts: a = fin a + inf a, where fin a =df a ⊓ F and inf a =df a ⊓ N. In particular,  = N + F.

3 Domain and Codomain in L-Semirings


Domain and codomain abstractly characterise, in the form of tests, the sets of
initial and final states of a set of computations. In contrast to the domain and
codomain operators of full semirings and Kleene algebras [2] the operators for
L-semirings are not symmetric. Therefore we recapitulate their definitions [10]
and establish some properties which we need afterwards.
Definition 3.1. A lazy semiring with domain (-L-semiring) is a structure
(S,  ), where S is an idempotent lazy test semiring and the domain operation
: S → test(S) satisfies for all a, b ∈ S and p ∈ test(S)

a ≤ a · a (d1), (p · a) ≤ p (d2), (a · b) ≤ (a · b) (d3).


The axioms are the same as in [2]. Since the domain describes all possible starting
states of an element, it is easy to see that “laziness” of the underlying semiring
doesn’t matter. Most properties of [2,10] can still be proved in L-semirings with
domain. We only give some properties which we need in the following sections.
First, the conjunction of (d1) and (d2) is equivalent to each of
a ≤ p ⇔ a ≤ p · a (llp), a ≤ p ⇔ ¬p · a ≤ 0 (gla).
(llp) says that a is the least left preserver of a; (gla) that ¬a is the greatest left
annihilator of a. By Boolean algebra, (gla) is equivalent to
p · a ≤ 0 ⇔ p · a ≤ 0 . (1)

Lemma 3.2. [10] Let S be a -L-semiring.


(a)  is isotone.
(b)  is universally disjunctive;
in particular 0 = 0 and (a + b) = a + b.

(c) a ≤ 0 ⇔ a ≤ 0. (Full Strictness)
(d) p = p. (Stability)
(e) (p · a) = p · a. (Import/Export)
(f) (a · b) ≤ a.
We now turn to the dual case of the domain operation. In the case where we
have (as in full semirings) right-distributivity and right-strictness, a codomain
operation  is easily defined as a domain operation in the opposite L-semiring
(i.e., the one that swaps the order of composition). But due to the absence of
right-distributivity and right-strictness we need an additional axiom.
¹ In general N and F need not exist. In [10] lazy semirings where these elements exist are called separated.

Definition 3.3. A lazy semiring with codomain ( -L-semiring) is a structure


(S,  ), where S is an idempotent lazy test semiring and the codomain operation
 : S → test(S) satisfies for all a, b ∈ S and p ∈ test(S)

a ≤ a · a (cd1), (a · p) ≤ p (cd2),


(a · b) ≤ (a · b) (cd3), (a + b) ≥ a + b (cd4).

(cd4) guarantees isotony of the codomain operator. As for domain, the conjunc-
tion of (cd1) and (cd2) is equivalent to
a ≤ p ⇔ a ≤ a · p , (lrp)
i.e., a is the least right preserver of a. However, due to lack of right-strictness ¬a
need not be the greatest right annihilator; we only have the weaker equivalence
a ≤ p ⇔ a · ¬p ≤ a · 0 . (wgra)

Lemma 3.4. Let S be a  -L-semiring.


(a)  is isotone.
(b)  is universally disjunctive;
in particular 0 = 0 and (a + b) = a + b .
(c) a ≤ 0 ⇔ a ≤ N.
(d) p = p. (Stability)
(e) (a · p) = a · p. (Import/Export)
(f) (a · b) ≤ b .
Lemma 3.2(c) and Lemma 3.4(c) show the asymmetry of domain and codomain.
As in [10], a modal lazy semiring (ML-semiring) is an L-semiring with domain
and codomain. The following lemma has some important consequences for the
next sections, and illustrates again the asymmetry of L-semirings.
Lemma 3.5. In an ML-semiring with a greatest element , we have
(a) ¬p · a ≤ 0 ⇔ a ≤ p ⇔ a ≤ p · a ⇔ a ≤ p · .
(b) a · ¬p ≤ a · 0 ⇔ a ≤ p ⇔ a ≤ a · p ⇔ a ≤  · p.
(c) a ≤ F ⇔ (a ≤ a · p ⇔ a · ¬p ≤ 0) ⇔ (a ≤  · p ⇔ a · ¬p ≤ 0).
Therefore, in general, a ≤ a · p ⇒ a · ¬p ≤ 0 and a ≤  · p ⇒ a · ¬p ≤ 0.
Proof.
(a) The first equivalence is (gla), the second (llp). a ≤ p · a ⇒ a ≤ p ·  holds by isotony of · and a ≤ p ·  ⇒ a ≤ p by isotony of domain and (p · ) = p ·  = p by Lemma 3.2(e), since  ≥ 1 = 1 by Lemma 3.2(d).
(b) Symmetrically to (a).
(c) a ≤ F ⇒ (a ≤ a · p ⇔ a · ¬p ≤ 0) holds by (b) and a · 0 ≤ 0 ⇔ a ≤ F.
The converse implication is shown by setting p = 1, Boolean algebra and
definition of F: a ≤ a ⇒ a · ¬1 ≤ 0 ⇔ a · 0 ≤ 0 ⇔ a ≤ F.
The second equivalence follows from a ≤ a · p ⇔ a ≤  · p (see (b)). 

(c) says that we do not have a law for codomain that is symmetric to (a).
Further properties of (co)domain and ML-semirings can be found in [2,10].

4 Neighbours — Definitions and Basic Properties


In [7] semiring neighbours and semiring boundaries are motivated by Neighbour-
hood Logic [14,15]. The definitions there require full semirings as the underlying
algebraic structure. In this section we use the same axiomatisation as in [7] to de-
fine neighbours and boundaries in L-semirings. Since the domain and codomain
operators are not symmetric we also discuss some properties and consequences of
the lack of right-distributivity and right-strictness. Note that in [7] the semiring
neighbours and boundaries work on predomain and precodomain, i.e., assumed
only (d1)–(d2) and (cd1)–(cd2), resp. Here we assume (d3)/(cd3) as well.
In the remainder some proofs are done only for one of a series of similar cases.

Definition 4.1. Let S be an ML-semiring and a, b ∈ S. Then


(a) a is a left neighbour of b (or a ≤ n l b for short) iff a ≤ b     ,
(b) a is a right neighbour of b (or a ≤ n r b for short) iff a ≤ b ,
(c) a is a left boundary of b (or a ≤ b l b for short) iff a ≤ b ,
(d) a is a right boundary of b (or a ≤ b r b for short) iff a ≤ b .
We will see below that the notation using ≤ is justified. By lazy semiring neigh-
bours we mean both, left/right neighbours and boundaries. Most of the proper-
ties given in [7] use Lemma 3.5(a) in their proofs and a symmetric version of it
for codomain which holds in full semirings. Unfortunately, by Lemma 3.5(b) and
3.5(c), we do not have this symmetry. Hence we have to check all properties in
the setting of L-semirings again. Definition 4.1 works for all ML-semirings. How-
ever, most of the interesting properties postulate a greatest element . Therefore
we assume the existence of such an element in the remainder.

Lemma 4.2. Neighbours and boundaries can be expressed explicitly as
n l b =  · b , n r b = b ·  , b l b = b ·  , b r b =  · b .

Proof. We use the principle of indirect (in)equality. By definition and Lemma 3.5(b) we get
a ≤ n l b ⇔ a ≤ b ⇔ a ≤  · b . 



For nested neighbours we have the following cancellation properties.


Lemma 4.3.
(a) n l n r b = b r b and n r n l b = b l b,
(b) b l n r b = n r b and b r n l b = n l b,
(c) b l b l b = b l b and b r b r b = b r b,
(d) n l b l b = n l b and n r b r b = n r b.

Proof. The proof of [7] can immediately be adopted, since it only uses the explicit representations of neighbours and boundaries, which are identical for L-semirings and full semirings. E.g., by definition (twice), p ·  = p and definition again,
n l n r b = n l (b · ) =  · (b · ) =  · b = b r b . 

Now we draw some conclusions when S is Boolean.



Lemma 4.4. For a Boolean ML-semiring S, we have


(a) ¬a ≤ a and ¬a ≤ a .
(b) p ·  = ¬p · 
(c) If S is right-distributive,  · p = F · ¬p

Proof.
(a) By Boolean algebra and additivity of domain, 1 =  = (a + a) = a + a,
and the first claim follows by shunting. The second inequality can be shown
symmetrically.
(b) By Boolean algebra we only have to show that ¬p ·  + p ·  =  and ¬p ·  ⊓ p ·  = 0. The first equation follows by left-distributivity, the second one by Boolean algebra and the law [10]
p · a ⊓ q · a = p · q · a . (2)
(c) By left and right distributivity, Boolean algebra and N being a left zero,
F · ¬p +  · p = F · ¬p + (F + N) · p = F · ¬p + F · p + N · p = F · (¬p + p) + N = F + N =  .
Next, again by distributivity,
F · ¬p ⊓  · p = F · ¬p ⊓ (F + N) · p = F · ¬p ⊓ (F · p + N · p) = (F · ¬p ⊓ F · p) + (F · ¬p ⊓ N · p) .
The first summand is 0, since the law symmetric to (2) holds for finite a and hence for F. The second summand is, by p, ¬p ≤ 1 and isotony, below F ⊓ N = 0 and thus 0, too. 


Similarly to [7], we now define perfect neighbours and boundaries.

Definition 4.5. Let S be a Boolean ML-semiring and a, b ∈ S.
(a) a is a perfect left neighbour of b (or a ≤  n l b for short) iff a · b ≤ 0,
(b) a is a perfect right neighbour of b (or a ≤  n r b for short) iff b · a ≤ 0,
(c) a is a perfect left boundary of b (or a ≤  b l b for short) iff a · b ≤ 0,
(d) a is a perfect right boundary of b (or a ≤  b r b for short) iff a · b ≤ 0.

From this definition, we get the following exchange rule for perfect neighbours.

a ≤  n l b ⇔ b ≤  n r a . (3)

Lemma 4.6. Perfect neighbours and perfect boundaries have the following explicit forms:
 n l b =  · ¬b ,  n r b = ¬b ·  ,  b l b = ¬b ·  ,  b r b =  · ¬b .

Proof. By definition, shunting and Lemma 3.5(b)
a ≤  n l b ⇔ a · b ≤ 0 ⇔ a ≤ ¬b ⇔ a ≤  · ¬b . 

Lemma 4.7. Each perfect neighbour (boundary) is a neighbour (boundary):
 n l b ≤ n l b ,  n r b ≤ n r b ,  b l b ≤ b l b ,  b r b ≤ b r b .

Proof. The claim follows by definition, shunting, Lemma 4.4(a), Boolean algebra and definition again:
a ≤  n l b ⇔ a · b ≤ 0 ⇔ a ≤ ¬b ⇒ a ≤ b ⇔ a ≤ n l b . 

Similarly to Lemma 4.3, we have cancellative laws for all box-operators. By a = a for all kinds of perfect lazy semiring neighbours, we have

Corollary 4.8.
(a)  n l  n r b = b r b and  n r  n l b =  b l b,
(b)  b l n r b = n r b and  b r n l b =  n l b,
(c)  b l b l b = b l b and  b r b r b =  b r b,
(d)  n l  b l b = n l b and  n r  b r b =  n r b.

There are also cancellation rules for mixed diamond/box expressions, e.g.,
b l  b l b =  b l b and  b l b l b = b l b . (4)


By straightforward calculations we get the de Morgan duals of right neighbours and left boundaries, respectively.
n r b =  n r b and  n r b = n r b ,
b l b =  b l b and  b l b = b l b . (5)


Furthermore, we have the following Galois connections.

Lemma 4.9. We have n r a ≤ b ⇔ a ≤  n l b and b l a ≤ b ⇔ a ≤  b r b .

Proof. By de Morgan duality, Boolean algebra and the exchange rule (3)
n r a ≤ b ⇔  n r a ≤ b ⇔ b ≤  n r a ⇔ a ≤  n l b . 

Since Galois connections are useful as theorem generators and dualities as theo-
rem transformers we get many properties of (perfect) neighbours and (perfect)
boundaries for free. For example we have
Corollary 4.10.
(a) n r , b l and  n l ,  b r are isotone.
(b) n r , b l are disjunctive and  n l ,  b r are conjunctive.
(c) We also have cancellative laws:
n r  n l a ≤ a ≤  n l n r a and b l  b r a ≤ a ≤  b r b l a.


But, because of Lemma 4.4(c), we do not have the full semiring de Morgan
dualities of left neighbours and right boundaries, respectively. We only obtain
Lemma 4.11. Let S be right-distributive.
(a) n l b ≤  n l b and  n l b ≤ n l b ,
(b) b r b ≤  b r b and  b r b ≤ b r b .




Proof. (a) By Lemma 4.2, 4.4(c), isotony and Lemma 4.6,
n l b =  · b = F · ¬b ≤  · ¬b =  n l b.
The equation  n l b ≤ n l b then follows by shunting. 

The converse inequations do not hold. For example, setting b =  implies n l  =  · 0 =  · 0 = N = F and  n l  =  · ¬0 = . But in general,  ≤ F is false (if there is at least one infinite element a ≠ 0). Also, the Galois connections of [7] are not valid for left neighbours and right boundaries, but one implication can still be proved.
Lemma 4.12. Let S be right-distributive, then
n l a ≤ b ⇒ a ≤  n r b , b r a ≤ b ⇒ a ≤  b r b .

Proof. By Lemma 4.11(a), Boolean algebra and the exchange rule (3)
n l a ≤ b ⇒ n l a ≤ b ⇔ b ≤ n l a ⇔ a ≤ n r b . 



By lack of Galois connections, we do not have a full analogue to Corollary 4.10.


Lemma 4.13.
(a) n l , b r ,  n r and b l are isotone.
(b) If S is right-distributive, then n l , b r are disjunctive and  n r ,  b l are conjunctive.

Proof.
(a) The claim follows directly by the explicit representation of (perfect) neighbours and boundaries (Lemma 4.2 and Lemma 4.6).
(b) By Lemma 4.2, additivity of domain and right-distributivity we get
n l (a + b) =  · (a + b) =  · (a + b) =  · a +  · b = n l a + n l b .  

Until now, we have shown that most of the properties of [7] hold in L-semirings,
too. At some points, we need additional assumptions like right-distributivity.
Many more properties, like b ≤ n r b, can be shown. Most proofs use the explicit


forms for lazy semiring neighbours or the Galois connections (Lemma 4.9) and
Lemma 4.12. However, since L-semirings reflect some aspects of infinity, we get
some useful properties, which are different from all properties given in [7]. Some
are summarised in the following lemma.

Lemma 4.14.
(a) n l F = n r F = b l F = b r F =  .
(b) b ≤ N ⇔ n r b ≤ 0 ⇔ b r b ≤ N .
(c) n l N =  b r N = N and  n r N =  b l N = 0 .
(d) b ≤ N ⇔ F ≤ b ⇔  n r b =  ⇔  b r b =  .

Proof. First we note that by straightforward calculations using Lemma 3.2 and 3.4, we get
 · p ≤  · q ⇔ p ≤ q ⇔ p ·  ≤ q ·  . (6)

(a) Directly by Lemma 4.2 and F = F = 1, since 1 ≤ F:
n l F =  · F =  · 1 =  .
(b) By Lemma 3.4, (6), left-strictness and definition of n r
b ≤ N ⇔ b ≤ 0 ⇔ b ·  ≤ 0 ·  ⇔ n r b ≤ 0 .
(c) By Lemma 4.6 and F = 1 we get
 n l N =  · ¬N =  · ¬F =  · 0 = N.
(d) Similar to (b). 

Note that (a) implies n l  = n r  = b l  = b r  =  using isotony. (c) shows again that the inequations of Lemma 4.11 cannot be strengthened to equations.
Since the above theory concerning lazy semiring neighbours is based on lazy
semirings, it is obvious that one can use it also in the framework of lazy Kleene
algebra and lazy omega algebra [10]. The former one provides, next to the L-semi-
ring operators, an operator for finite iteration. The latter one has an additional
operator for infinite iteration.

5 Neighbourhood Logic with Infinite Durations


Using the theory of the previous section, we can now formulate a generalisation
of NL, which includes infinite elements (intervals with infinite duration). Those
intervals are not included in the original Neighbourhood Logic of [14,15], i.e., if
we compose two intervals [a, b] and [b, c] (where intervals are defined, as usual,
as [a, b] =df {x | a ≤ x ≤ b, a ≤ b}), it is assumed that the points of [b, c] are
reached after finite duration b−a. However, for many applications, e.g. for hybrid
systems, as we will see in Section 7, a time point ∞ of infinity is reasonable. But
then the composition of the intervals [a, ∞[ and [b, c] never reaches the second
interval. This gives rise to an L-semiring.

Neighbourhood Logic and Its Embedding. In this paragraph the Neighbourhood Logic [14,15] and its embedding [7] are briefly recapitulated.
Chop-based interval temporal logics, such as ITL [5] and IL [3] are useful for
the specification and verification of safety properties of real-time systems. In
these logics, one can easily express a lot of properties such as “if φ holds for
an interval, then there is a subinterval where ψ holds”. As shown in [15], these
logics cannot express all desired properties. E.g., (unbounded) liveness properties
such as “eventually there is an interval where φ holds” are not expressible in
these logics. As it is shown in [15] the reason is that the modality chop  is
a contracting modality, in the sense that the truth value of φ ψ on [a, b] only
depends on subintervals of [a, b]:
φ ψ holds on [a, b] iff
there exists c ∈ [a, b] such that φ holds on [a, c] and ψ holds on [c, b].
Hence Zhou and Hansen proposed a first-order interval logic called Neighbour-
hood Logic (NL) in 1996 [14]. In this logic they introduce left and right neigh-
bourhoods as new primitive intervals to define other unary and binary modalities

of intervals in a first-order logic. The two proposed simple expanding modalities l φ and r φ are defined as follows:

l φ holds on [a, b] iff there exists δ ≥ 0 such that φ holds on [a − δ, a], (7)
r φ holds on [a, b] iff there exists δ ≥ 0 such that φ holds on [b, b + δ], (8)


where φ is a formula² of NL. These modalities can be illustrated by
[Figure: the interval [a, b] with its left neighbourhood [c, a], where c = a − δ, on which φ holds for l φ, and its right neighbourhood [b, d], where d = b + δ, on which φ holds for r φ.]

With r ( l ) one can reach the left (right) neighbourhood of the beginning (ending) point of an interval. In contrast to the chop operator, the neighbourhood modalities are expanding modalities, i.e., l and r depend not only on subintervals of an interval [a, b], but also on intervals "outside". In [14] it is shown that the modalities of [6] and [13] as well as the chop operator can be expressed by the neighbourhood modalities.
In [7] we present an embedding and extension of NL into the framework of
full semirings. There, (perfect) neighbours and boundaries are defined on full
semirings in the same way as we have done this for L-semirings in Section 4.
Consider the structure

INT =df (P(Int), ∪, ;, ∅, 1l) ,

where 1l =df {[a, a]} denotes the set of all intervals consisting of one single point
and Int is the set of all intervals [a, b] with a, b ∈ Time and Time is a totally
ordered poset, e.g. IR. Further we assume that there is an operation − on Time,
which gives us the duration of an interval [a, b] by b − a. By this operation 1l
consists of all 0-length intervals.
For the moment we exclude intervals with infinite duration. The symbol ; denotes the pointwise lifted composition of intervals which is defined by

$$[a, b] ; [c, d] =_{df} \begin{cases} [a, d] & \text{if } b = c \\ \text{undefined} & \text{otherwise.} \end{cases}$$

It can easily be checked that INT forms a full semiring. In [7] we have shown

l φ holds on [a, b] ⇔ {[a, b]} ≤ n r Iφ ,
r φ holds on [a, b] ⇔ {[a, b]} ≤ n l Iφ ,

where Iφ =df {i | i ∈ Int, φ holds on i}. This embedding gives us the possibility
to use the structure of a semiring to describe NL. Many simplifications of NL
and properties concerning the algebraic structure are given in [7].
2
The exact definition of the syntax of formulas can be found e.g. in [14].

Adding Infinite Durations. Now, we assume a point of infinity ∞ ∈ Time, e.g. Time = ℝ ∪ {∞}. If there is such an element, it has to be the greatest element. Consider the slightly changed structure

INTi =df (P(Int), ∪, ;, ∅, 𝟙) ,

where ; is now the pointwise lifted composition defined as

[a, b] ; [c, d] =df [a, d] if b = c and b ≠ ∞, [a, ∞[ if b = ∞, and undefined otherwise.

Again, it is easy to check that INTi forms an L-semiring, which even becomes an ML-semiring by setting, for A ∈ P(Int),

⌜A =df {[a, a] | [a, b] ∈ A} and A⌝ =df {[b, b] | [a, b] ∈ A, b ≠ ∞} .

Note that INTi is right-distributive, so that all Lemmas and Corollaries of Sec-
tion 4 hold in this model.
Thereby we have defined a new version NLi of NL which handles intervals with
infinite durations. NLi also subsumes the theory presented in [16]. In particular,
it builds a bridge between NL and a duration calculus for infinite intervals.

6 Lazy Semiring Neighbours and CTL∗

The branching time temporal logic CTL∗ (see e.g. [4]) is a well-known tool for
analysing and describing parallel as well as reactive and hybrid systems. In CTL∗
one distinguishes state formulas and path formulas, the former ones denoting sets
of states, the latter ones sets of computation traces.
The language Ψ of CTL∗ formulas over a set Φ of atomic propositions is defined by the grammar

Ψ ::= ⊥ | Φ | Ψ → Ψ | X Ψ | Ψ U Ψ | EΨ ,

where X and U are the next-time and until operators and E is the existential quantifier on paths. As usual,

¬ϕ =df ϕ → ⊥ , ϕ ∧ ψ =df ¬(ϕ → ¬ψ) , ϕ ∨ ψ =df ¬ϕ → ψ , Aϕ =df ¬E¬ϕ .

In [11] a connection between CTL∗ and Boolean modal quantales is presented. Since these are right-distributive, again all the lemmas of the previous sections are available. If A is a set of states one could, e.g., use the algebra STR(A) (cf. Section 2) of finite and infinite streams of A-states as a basis. For an arbitrary Boolean modal quantale S, the concrete standard semantics for CTL∗ is generalised to a function [[ ]] : Ψ → S as follows, where [[ϕ]] abstractly represents the set of paths satisfying formula ϕ. One fixes an element n (n standing for “next”) as representing the transition system underlying the logic and sets

[[⊥]] = 0 ,
[[p]] = p · ⊤ ,
[[ϕ → ψ]] = ¬[[ϕ]] + [[ψ]] ,
[[X ϕ]] = n · [[ϕ]] ,
[[ϕ U ψ]] = Σ_{j≥0} (n^j · [[ψ]] ⊓ ⊓_{k<j} n^k · [[ϕ]]) ,
[[Eϕ]] = [[ϕ]] · ⊤ .

Using these definitions, it is straightforward to check that [[ϕ ∨ ψ]] = [[ϕ]] + [[ψ]], [[ϕ ∧ ψ]] = [[ϕ]] ⊓ [[ψ]] and [[¬ϕ]] = ¬[[ϕ]].
By simple calculations we get the following result.

Lemma 6.1. [11] Let ϕ be a state formula of CTL∗. Then

[[Aϕ]] = ¬(¬[[ϕ]] · ⊤) .

Hence we see that [[Eϕ]] corresponds to a left boundary and [[Aϕ]] to a perfect left boundary, i.e.,

[[Eϕ]] = b_l [[ϕ]] and [[Aϕ]] = b̄_l [[ϕ]] .


With these equations we have connected lazy neighbours with CTL∗ . From
Lemma 4.3, Corollary 4.8 and equations (4) we obtain immediately
[[EEϕ]] = [[Eϕ]] , [[AAϕ]] = [[Aϕ]] ,
[[EAϕ]] = [[Aϕ]] , [[AEϕ]] = [[Eϕ]] .

The other two boundaries as well as all variants of (perfect) neighbours do not
occur in CTL∗ itself.
A connection to hybrid systems will be set up in the next section.

7 Lazy Semiring Neighbours and Hybrid Systems


Hybrid systems are dynamical heterogeneous systems characterised by the inter-
action of discrete and continuous dynamics. In [8] we use the L-semiring PRO
of processes from Section 2 for the description of hybrid systems.

Hybrid systems and NL. In PRO the left/right neighbours describe a kind of composability, i.e., for processes A, B,

A ≤ n_l B iff ∀ a ∈ A : ∃ b ∈ B : a · b is defined, (9)

A ≤ n_r B iff ∀ a ∈ A : ∃ b ∈ fin(B) : b · a is defined. (10)

These equivalences are closely related to (7) and (8), respectively. n_r and n_l each guarantee existence of a composable element. Especially, n_r ≠ 0 guarantees that there exists a process, and therefore a trajectory, that can continue the current process (trajectory). Therefore it is a form of liveness assertion. In particular, the process n_r B contains all trajectories that are composable with the “running” one. If n_r B = ∅, we know that the system will terminate if all trajectories of the running process have finite durations. Note that in the above characterisation of n_l the composition a · b is defined if either f(d1) = g(0) (assuming a = (d1, f) and b = (d2, g)) or a has infinite duration, i.e., d1 = ∞.
The next paragraph will show that left and right boundaries of lazy semirings are closely connected to temporal logics for hybrid systems. But, by Lemma 4.3, they are also useful as operators that simplify nestings of semiring neighbours.
The situation for right/left perfect neighbours is more complicated. As shown in [7], n̄_r B is the set of those trajectories which can be reached only from B, not from B̄. Hence it describes a situation of guaranteed non-reachability from B̄. The situation with n̄_l is similar for finite processes, because of the symmetry between left and right perfect neighbours.

Hybrid Systems and CTL∗ . Above we have shown how lazy semiring neigh-
bours are characterised in PRO. Although a next-time operator is not meaningful
in continuous time models, the other operators of CTL∗ still make sense. Since
PRO is a Boolean modal quantale, we simply re-use the above semantic equa-
tions (except those for X and U) and obtain a semantics of a fragment of CTL∗
for hybrid systems. In particular, the existential quantifier E is a left boundary
also in hybrid systems. The operators F, G and U can be realised as
[[Fϕ]] =df F · [[ϕ]]³ , Gϕ =df ¬F¬ϕ , [[ϕ U ψ]] =df (fin [[Gϕ]]) · [[ψ]] .
Of course all other kinds of left and right (perfect) neighbours and boundaries
have their own interpretation in PRO and in (the extended) CTL∗ , respectively.
A detailed discussion of all these interpretations is part of our future work (cf.
Section 8).

8 Conclusion and Outlook


In the paper we have presented a second extension of Neighbourhood Logic. Now
this logic is able to handle intervals which either have finite or infinite length.
For this we have established semiring neighbours over lazy semirings. During the
development of lazy semiring neighbours it turned out that they are not only
useful and necessary for NL but also in other areas of computer science; we have
sketched connections to temporal logics and to hybrid systems.
We have only given a short overview over the connections between lazy semi-
ring neighbours, CTL∗ and hybrid systems. One of our aims for further work is
a more elaborate treatment of this. Further, it will be interesting to see if there
are even more applications for semiring neighbours.

Acknowledgement. We are grateful to Kim Solin and the anonymous referees for helpful discussions and remarks.

³ On the right hand side F is the largest finite element.

References
1. J. H. Conway: Regular Algebra and Finite State Machines. Chapman & Hall, 1971
2. J. Desharnais, B. Möller, G. Struth: Kleene Algebra with Domain. ACM Trans.
Computational Logic (to appear 2006). Preliminary version: Universität Augsburg,
Institut für Informatik, Report No. 2003-07, June 2003
3. B. Dutertre: Complete Proof Systems for First-Order Interval Temporal Logic.
In IEEE Press, editor, Tenth Annual IEEE Symb. on Logic in Computer Science,
1995, 36–43
4. E.A. Emerson: Temporal and Modal Logic. In J. van Leeuwen (ed.): Handbook
of Theoretical Computer Science. Vol. B: Formal Models and Semantics. Elsevier
1991, 995–1072
5. J.Y. Halpern, B. Moszkowski, Z. Manna: A Hardware Semantics Based on Tempo-
ral Intervals. In J. Diaz (ed.) Proc. ICALP’83. LNCS 154. Springer 1983, 278–291
6. J.Y. Halpern, Y. Shoham: A Propositional Modal Logic of Time Intervals. Pro-
ceedings of the First IEEE Symposium on Logic in Computer Science. IEEE Press,
Piscataway, NJ, 279–292.
7. P. Höfner: Semiring Neighbours — An Algebraic Embedding and Extension of
Neighbourhood Logic. In J. van de Pol, J. Romijn, G. Smith (eds.): IFM 2005
Doctoral Symposium on Integrated Formal Methods, 6–13, 2005. Extended version:
P. Höfner: Semiring Neighbours. Technical Report 2005-19, Universität Augsburg,
2005
8. P. Höfner, B. Möller: Towards an Algebra of Hybrid Systems. In W. MacCaull,
M. Winter and I. Düntsch (eds.): Relational Methods in Computer Science. LNCS
3929. Springer 2006, 121–133
9. D. Kozen: Kleene Algebra with Tests. ACM Trans. Programming Languages and
Systems 19(3), 427–443 (1997)
10. B. Möller: Kleene Getting Lazy. Science of Computer Programming, Special issue
on MPC 2004 (to appear). Previous version: B. Möller: Lazy Kleene algebra. In
D. Kozen (ed.): Mathematics of program construction. LNCS 3125. Springer 2004,
252–273
11. B. Möller, P. Höfner, G. Struth: Quantales and Temporal Logics. In M. Johnson,
V. Vene (eds.): AMAST 2006. LNCS 4019. Springer 2006, 263–277
12. M. Sintzoff: Iterative Synthesis of Control Guards Ensuring Invariance and In-
evitability in Discrete-Decision Games. In O. Owe, S. Krogdahl, T. Lyche (eds.):
From Object-Orientation to Formal Methods — Essays in Memory of Ole-Johan
Dahl. LNCS 2635. Springer 2004, 272–301
13. Y. Venema: A Modal Logic for Chopping Intervals. J. of Logic and Computation
1(4):453–476, 1990
14. C. Zhou, M.R. Hansen: An Adequate First Order Interval Logic. In W.-P. de
Roever, H. Langmaack, A. Pnueli (eds.): Compositionality: The Significant Differ-
ence: International Symposium, COMPOS’97. LNCS 1536. Springer 1998, 584–608
15. C. Zhou, M.R. Hansen: Duration Calculus – A Formal Approach to Real-Time
Systems. Monographs in Theoretical Computer Science. Springer 2004
16. C. Zhou, D. Van Hung, L. Xiaoshan: Duration Calculus with Infinite Intervals. In
H. Reichel (ed.): Fundamentals of Computation Theory. LNCS 965. Springer 1995,
16–41
Omega Algebra, Demonic Refinement Algebra and Commands

Peter Höfner¹*, Bernhard Möller¹, and Kim Solin¹,²

¹ Institut für Informatik, Universität Augsburg, D-86135 Augsburg, Germany
{hoefner, moeller}@informatik.uni-augsburg.de
² Turku Centre for Computer Science
Lemminkäinengatan 14 A, FIN-20520 Åbo, Finland
[email protected]

Abstract. Weak omega algebra and demonic refinement algebra are


two ways of describing systems with finite and infinite iteration. We
show that these independently introduced kinds of algebras can actually
be defined in terms of each other. By defining modal operators on the
underlying weak semiring, that result directly gives a demonic refinement
algebra of commands. This yields models in which extensionality does
not hold. Since in predicate-transformer models extensionality always
holds, this means that the axioms of demonic refinement algebra do not
characterise predicate-transformer models uniquely. The omega and the
demonic refinement algebra of commands both utilise the convergence
operator that is analogous to the halting predicate of modal μ-calculus.
We show that the convergence operator can be defined explicitly in terms
of infinite iteration and domain if and only if domain coinduction for
infinite iteration holds.

1 Introduction

An omega algebra [2] is an extension of Kleene algebra [10] adding an infinite iteration operator to the signature. Demonic refinement algebra is an extension of a relaxed version of Kleene algebra (right-strictness, a · 0 = 0, does not hold in general) adding a strong iteration operator to the signature. Demonic refinement algebra was devised in [20] for reasoning about total-correctness preserving program transformations. A structure satisfying all the axioms of omega algebra except right strictness (called a weak omega algebra [14]) always has a greatest element ⊤. As one of the main contributions of this paper, we show that weak omega algebra with the extra axiom ⊤x = ⊤ is equivalent to demonic refinement algebra in the sense that they can be defined in terms of each other.
We then consider commands, that is, pairs (a, p) such that a describes the state
transition behaviour and p characterises the states with guaranteed termination.
Möller and Struth have already shown how the addition of modal operators on
the underlying semiring facilitates definitions of operators on commands such

* This research was supported by DFG (German Research Foundation).

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 222–234, 2006.
© Springer-Verlag Berlin Heidelberg 2006

that they form a weak Kleene and a weak omega algebra, respectively [14]. The
definitions of these operators use modal operators, defined from the domain
operator of Kleene algebra with domain [4]. To define a demonic refinement
algebra of commands, we need a strong iteration operator on commands [19].
We define this operator with the aid of the above-mentioned result. The demonic
refinement algebra of commands gives rise to a model that is not extensional,
thus showing that the axioms of demonic refinement algebra do not characterise
predicate-transformer models uniquely.
The definition of infinite iteration and strong iteration on commands both
utilise the convergence operator of [13], that is, the underlying structure is actu-
ally assumed to be a convergence algebra. The convergence operator is analogous
to the halting predicate of modal μ-calculus [8]. As the third result in this pa-
per, we show that the convergence operator can be explicitly defined in terms of
infinite iteration and domain if and only if domain coinduction for the infinite
iteration operator is assumed to hold in general.
The historic development of this paper has its starting point in Kozen’s axioma-
tisation of Kleene algebra and his injection of tests into the algebra [11], render-
ing reasoning about control structures possible. As mentioned earlier, Cohen [2]
conservatively extends Kleene algebra with an infinite iteration operator. Von
Wright’s demonic refinement algebra, introducing the strong iteration operator,
was the first algebra that was genuinely an algebra intended for total-correctness
reasoning about programs. Desharnais, Möller and Struth’s domain-operator ex-
tension [4] was the seminal work for modal operators in Kleene algebra. The
domain operator was investigated in the context of refinement algebra in [18].
Möller later weakened the axiomatisation to form left semirings and left Kleene
algebras [12]. The former is one of the most foundational structures found in
this paper.
The paper is organised as follows. We begin in Sect. 2 by the result concerning
the equivalence of top-left-strict weak omega algebra and demonic refinement
algebra, upon which in Sect. 3 we construct the demonic refinement algebra
of commands and relate it to the demonic algebras with domain of de Carufel
and Desharnais [3]. In Sect. 4 we give some remarks on refinement algebra in
the light of Sect. 3. Before concluding, we consider the explicit definition of the
convergence operator in Sect. 5.

2 Omega and Demonic Refinement Algebra

We begin by recapitulating some basic definitions. By a left semiring we shall


understand a structure (+, 0, ·, 1) such that the reduct (+, 0) is a commutative
and idempotent monoid, and the reduct structure (·, 1) is a monoid such that
· distributes over + in its left argument and is left-strict, i.e., 0 · a = 0. A
weak semiring is a left semiring that is also right-distributive. A weak semiring
with right-strictness is called a full semiring or simply semiring. When no risk
for confusion arises · is left implicit. We define the natural order ≤ on a left
semiring by a ≤ b ⇔df a + b = b for all a and b in the carrier set. With respect
to that order, 0 is the least element and multiplication as well as addition are isotone. Moreover, a + b is the join of a and b.
A (weak) Kleene algebra is a structure (+, 0, ·, 1, ∗) such that the reduct (+, 0, ·, 1) is a (weak) semiring and the star ∗ satisfies the axioms

1 + aa∗ ≤ a∗ , 1 + a∗a ≤ a∗ , (∗ unfold)
b + ac ≤ c ⇒ a∗b ≤ c , b + ca ≤ c ⇒ ba∗ ≤ c , (∗ induction)

for a, b and c in the carrier set of the structure. A (weak) omega algebra [14] is a structure (+, 0, ·, 1, ∗, ω) such that the reduct (+, 0, ·, 1, ∗) is a (weak) Kleene algebra and the infinite iteration ω satisfies the axioms

aω = aaω , (ω unfold)
c ≤ b + ac ⇒ c ≤ aω + a∗b , (ω coinduction)

for a, b and c in the carrier set of the structure. In particular, aω is the greatest fixpoint of the function f(x) = ax. The element 1ω is the greatest element and we denote it by ⊤. Since, by the ω unfold law, aω⊤ is a fixpoint of f, we have aω = aω⊤ for all a. We call a weak omega algebra top-left-strict iff the equation ⊤a = ⊤ holds for all a. In that case we get

aω b = aω⊤b = aω⊤ = aω . (1)

In general omega algebra only the inequation aω b ≤ aω holds. The above derivation (1) strengthens it to an equation. In fact we have the following result.

Proposition 2.1. Top-left-strictness is equivalent to left ω annihilation, i.e.,

⊤b = ⊤ ⇔ (∀ a • aω ≤ aω b) .

Proof. The implication (⇒) follows from (1), whereas (⇐) can be calculated by

(∀ a • aω ≤ aω b)
⇒ {[ set a = 1 ]}
1ω ≤ 1ω b
⇔ {[ 1ω = ⊤ ]}
⊤ ≤ ⊤b .

The other inequation (⊤b ≤ ⊤) holds since ⊤ is the greatest element.

A demonic refinement algebra [19] is a structure (+, 0, ·, 1, ∗, ω̄) such that the reduct (+, 0, ·, 1, ∗) is a weak Kleene algebra and the strong iteration operator ω̄ (written with a bar to keep it apart from the infinite iteration ω of omega algebra) satisfies the axioms

aω̄ = aaω̄ + 1 , (ω̄ unfold)
aω̄ = a∗ + aω̄ 0 , (ω̄ isolation)
c ≤ ac + b ⇒ c ≤ aω̄ b , (ω̄ coinduction)

for a, b and c in the carrier set of the structure. It is easily shown that 1ω̄ is the greatest element and satisfies 1ω̄ a = 1ω̄ for all a in the carrier set [20]. This element is again denoted by ⊤.
In the remainder of this section we present one of our main contributions,
namely that top-left-strict weak omega algebra is equivalent to demonic refine-
ment algebra in the sense that they can be defined in terms of each other. This
is done in two steps: First we show that weak omega algebra subsumes demonic
refinement algebra, then we show the converse subsumption.

Lemma 2.2. Top-left-strict weak omega algebra subsumes demonic refinement algebra.

Proof. Given a top-left-strict weak omega algebra, the strong iteration is defined by aω̄ =df a∗ + aω. It is sufficient to show that this definition satisfies the axioms of strong iteration; the other axioms of demonic refinement algebra are immediate from the axioms of top-left-strict weak omega algebra.

1. ω̄ unfold:
aω̄
= {[ definition ]}
a∗ + aω
= {[ ∗ and ω unfold ]}
aa∗ + 1 + aaω
= {[ commutativity ]}
aa∗ + aaω + 1
= {[ distributivity ]}
a(a∗ + aω) + 1
= {[ definition ]}
aaω̄ + 1

2. isolation:
aω̄
= {[ definition ]}
a∗ + aω
= {[ neutrality of 0 and (1) ]}
a∗(1 + 0) + aω 0
= {[ right-distributivity ]}
a∗ + a∗0 + aω 0
= {[ left-distributivity ]}
a∗ + (a∗ + aω)0
= {[ definition ]}
a∗ + aω̄ 0

3. ω̄ coinduction:
c ≤ aω̄ b
⇔ {[ definition ]}
c ≤ (a∗ + aω)b
⇔ {[ left-distributivity ]}
c ≤ a∗b + aω b
⇔ {[ (1) ]}
c ≤ a∗b + aω
⇐ {[ ω coinduction ]}
c ≤ ac + b

In a concrete predicate-transformer algebra, the same definition of ω is made


by Back and von Wright [1]. In the present paper the definition is given in
an abstract setting for which (conjunctive) predicate transformers constitute a
model.

Lemma 2.3. Demonic refinement algebra subsumes top-left-strict weak omega algebra.

Proof. Given a demonic refinement algebra, infinite iteration is defined as aω =df aω̄ 0. It is sufficient to show that this definition satisfies the axioms for infinite iteration; the other axioms of the top-left-strict weak omega algebra are immediate from demonic refinement algebra.

1. ω unfold:
aω
= {[ definition ]}
aω̄ 0
= {[ ω̄ unfold ]}
(aaω̄ + 1)0
= {[ left-distributivity and neutrality of 1 ]}
aaω̄ 0 + 0
= {[ neutrality of 0 ]}
aaω̄ 0
= {[ definition ]}
aaω

2. top-left-strictness:
⊤ ≤ ⊤a
⇔ {[ ⊤ = 1ω̄ ]}
⊤ ≤ 1ω̄ a
⇐ {[ ω̄ coinduction ]}
⊤ ≤ ⊤ + a
⇔ {[ join ]}
true
⊤a ≤ ⊤ holds since ⊤ is the greatest element.

3. ω coinduction:
c ≤ a∗b + aω
⇔ {[ definition ]}
c ≤ a∗b + aω̄ 0
⇔ {[ annihilation ]}
c ≤ a∗b + aω̄ 0b
⇔ {[ distributivity ]}
c ≤ (a∗ + aω̄ 0)b
⇔ {[ isolation ]}
c ≤ aω̄ b
⇐ {[ ω̄ coinduction ]}
c ≤ ac + b


The above lemmas directly yield the following theorem.
Theorem 2.4. Top-left-strict weak omega algebra and demonic refinement al-
gebra are equivalent in the sense that they can be defined in terms of each other.

3 The Demonic Refinement Algebra of Commands


So far, our semiring elements could be viewed as abstract representations of
state transition systems. We now want to introduce a way of dealing with sets
of states in an abstract algebraic way. This is done using tests. A test semiring
is a structure (S, test(S)), where S = (S, +, 0, ·, 1) is a semiring and test(S) is
a Boolean subalgebra of the interval [0, 1] ⊆ S with 0, 1 ∈ test(S). Join and
meet in test(S) coincide with + and ·, the complement is denoted by ¬, 0 is the
least and 1 is the greatest element. Furthermore, this definition of test semiring
coincides with the definition on Kleene algebras given in [11]. We use a, b, . . . for
general semiring elements and p, q, . . . for tests.
On a test semiring we axiomatise a domain operator ⌜ : S → test(S) by

a ≤ ⌜a · a , (d1)
⌜(pa) ≤ p , (d2)
⌜(a⌜b) ≤ ⌜(ab) , (d3)

for all a ∈ S and p ∈ test(S). Inequations (d1) and (d3) can be strengthened to equations. Many properties of domain can be found in [4]. For example, we have stability of tests and additivity of domain, i.e.,

⌜p = p , (2)
⌜(a + b) = ⌜a + ⌜b . (3)

With the aid of this operator, we can define modal operators by

|a⟩p =df ⌜(ap) and |a]p =df ¬|a⟩¬p .

This is the reason why we shall call a test semiring with a domain operator modal.
All the structures above extending a weak semiring are called modal when the
underlying weak semiring is modal.
Given a modal semiring S = (S, +, 0, ·, 1) we define the set of commands (over
S) as COM(S) =df S × test(S). Three basic non-iterative commands and two
basic operators on commands are defined by

fail =df (0, 1)
skip =df (1, 1)
loop =df (0, 0)
(a, p) [] (b, q) =df (a + b, pq)
(a, p) ; (b, q) =df (ab, p · [a]q)

As noted by Möller and Struth in [14] the structure (COM(S), [] , fail, ; , skip)
forms a weak semiring. The natural order on the command weak semiring is
given by (a, p) ≤ (b, q) ⇔ a ≤ b ∧ q ≤ p. We will discuss below how it connects
to the usual refinement relation.
If S is even a weak Kleene algebra, a star operator can be defined by

(a, p)∗ =df (a∗, |a∗]p)

and then (COM(S), [] , fail, ; , skip,∗ ) forms a weak Kleene algebra [14].
Defining an omega operator over the set of commands does not work as simply as for star. To do this, we also need to assume that the underlying modal omega algebra (S, +, 0, ·, 1, ∗, ω) comes equipped with a convergence operator [14] Δ : S → test(S) satisfying

|a]Δa ≤ Δa , (Δ unfold)
q · |a]p ≤ p ⇒ Δa · |a∗]q ≤ p . (Δ induction)

In [14] it is shown that Δa is the least (pre-)fixed point of |a]. The test Δa characterises the states from which no infinite transition paths emanate. It corresponds to the halting predicate of the modal μ-calculus [8].
The infinite iteration operator on commands can then be defined by

(a, p)ω =df (aω, Δa · [a∗]p) .

The greatest command is chaos =df skipω = (⊤, 0).


The semiring of commands reflects the view of general correctness as introduced in [17]. Therefore it is not to be expected that it forms a demonic refinement algebra which was designed for reasoning about total correctness. Indeed, top-left-strictness fails unless it is already satisfied in the underlying semiring S, since chaos ; (a, p) = (⊤a, 0) = chaos iff ⊤a = ⊤.
There is, however, another possibility. One can define a refinement preorder on commands by

(a, p) ⊑ (b, q) ⇔df q ≤ p ∧ qa ≤ b .

This is the converse of the usual refinement relation: k ⊑ l for any two commands k, l means that k refines l. We have chosen this direction, since by straightforward calculation we get the implication k ≤ l ⇒ k ⊑ l. The associated equivalence relation ≡ is defined by

k ≡ l ⇔df k ⊑ l ∧ l ⊑ k .

Componentwise, it works out to (a, p) ≡ (b, q) ⇔ p = q ∧ pa = pb. The equivalence classes correspond to the designs of the Unifying Theories of Programming of [9] and hence represent a total correctness view.
It has been shown in [7] (in the setting of condition semirings that is iso-
morphic to that of test semirings) that the set of these classes forms again a
left semiring and can be made into a weak Kleene and omega algebra by using
exactly the same definitions as above (as class representatives).
Now top-left-strictness holds, since chaos ≡ loop and loop is a left zero by the
definition of command composition. Therefore the set of ≡-classes of commands
can be made into a demonic refinement algebra. Let CCOM(S) be the set of all
these classes.
By Lemma 2.2 the strong iteration of commands is

(a, p)ω̄ = (a, p)∗ [] (a, p)ω ,

and thus (CCOM(S), [], fail, ;, skip, ∗, ω̄) constitutes a demonic refinement algebra of commands. The above expression can be simplified by

(a, p)∗ [] (a, p)ω
= {[ definition of ∗ and ω on commands ]}
(a∗, [a∗]p) [] (aω, Δa · [a∗]p)
= {[ definition of [] ]}
(a∗ + aω, [a∗]p · Δa · [a∗]p)
= {[ definition of ω̄, commutativity and idempotence of tests ]}
(aω̄, Δa · [a∗]p) .

Thus strong iteration of commands can also be expressed as

(a, p)ω̄ = (aω̄, Δa · [a∗]p) .

We conclude this section by relating the command algebra to the demonic algebras (DA) of [3]. These are intended to capture the notion of total correctness in an algebraic fashion. Since their axiomatisation is extensive, we do not want to repeat it here. We only want to point out that a subalgebra of the command algebra yields a model of DA. This is formed by the ≡-classes of feasible commands which are pairs (a, p) with p ≤ ⌜a. So these model programs where no miraculous termination can occur; they correspond to the feasible designs of [9].
In [7] it is shown that the set F(S) of classes of feasible commands can isomorphically be represented by simple semiring elements. The mediating functions are

E : F(S) → S , D : S → F(S) ,
E((a, p)) =df pa , D(a) =df (a, ⌜a) .

Then one has E(D(a)) = a and D(E(a, p)) ≡ (a, p). Moreover, the demonic refinement ordering of [3] is induced on S by

a ⊑ b ⇔df D(a) ⊑ D(b) ⇔ ⌜b ≤ ⌜a ∧ ⌜b · a ≤ b

and demonic join and composition by

a ⊔ b =df E(D(a) [] D(b)) = ⌜a · ⌜b · (a + b) ,
a □ b =df E(D(a) ; D(b)) = |a]⌜b · a · b .

Using pairs (p, p) as demonic tests in F(S) one even obtains a DA with domain. Further details are left to a future publication.

4 Two Remarks on Refinement Algebra


In this section we remark that demonic refinement algebra does not characterise
predicate transformer models uniquely. We also remark that an equivalence sim-
ilar to that of Theorem 2.4 cannot be established between general refinement
algebra [20] and a top-left-strict strong left omega algebra.

Characterisation of the predicate transformer models. To connect the algebra of commands to predicate transformer models we first define

wp.(a, p).q =df p · [a]q

and get

wp.fail.q = 1 and wp.chaos.q = 0 .

Hence fail can be interpreted as magic in the refinement calculus tradition and chaos as abort. Indeed, chaos is refined by every command and every command is refined by fail. Furthermore, we have the implications, for commands k, l,

k ≤ l ⇒ k ⊑ l ⇒ (∀p ∈ test(S) • wp.k.p ≥ wp.l.p) .

However, the command model of demonic refinement algebra is, unlike predicate transformer models as presented in [19,20], in general not extensional in that we do not necessarily have the converse implications. In particular,

(∀p ∈ test(S) • wp.k.p = wp.l.p) ⇒ k = l

holds iff already the underlying semiring S is extensional, i.e., satisfies, for a, b ∈ S,

[a] = [b] ⇒ a = b .
Contrarily, in concrete predicate transformer models the elements are mappings
T, U : ℘(Σ) → ℘(Σ), where Σ is any set. They can be seen as semantic values
that arise by applying the wp operator to concrete programming constructs.
Their equality is defined by
T = U ⇔df (∀p ∈ ℘(Σ) • T.p = U.p) .
Hence in concrete predicate transformer models extensionality always holds.
Since the command model of DRA is non-extensional, this observation shows
that the DRA axioms do not restrict their models to algebras isomorphic to
predicate transformer algebras and hence do not uniquely capture this type of
algebras.

A similar move for general refinement algebra? A left Kleene algebra is a left semiring extended with two axioms for ∗

1 + aa∗ ≤ a∗ and b + ac ≤ c ⇒ a∗b ≤ c ,

laid down in Sect. 2. A left omega algebra is a left Kleene algebra extended with an infinite iteration operator ω axiomatised as in Sect. 2. Clearly, every left omega algebra has a greatest element ⊤, and along the lines above we call a left omega algebra top-left-strict when ⊤ satisfies ⊤a = ⊤. A general refinement algebra [20] is a left Kleene algebra extended with the axioms for ω̄ found in Sect. 2, except the isolation axiom, i.e., aω̄ = a∗ + aω̄ 0 does not hold in general. A general refinement algebra becomes a demonic refinement algebra by adding the other two axioms for ∗ of Sect. 2, right-distributivity and isolation.
It is tempting to try to show that top-left-strict left omega algebra corresponds
to general refinement algebra in a similar way as top-left-strict weak omega
algebra corresponds to demonic refinement algebra (Theorem 2.4). However,
this is not possible as the following argument shows.
Let Σ be any set and let T : ℘(Σ) → ℘(Σ) be any predicate transformer. If p, q ∈ ℘(Σ) and T satisfies p ⊆ q ⇒ T.p ⊆ T.q then T is isotone¹. If T satisfies T.(⋂_{i∈I} p_i) = ⋂_{i∈I} (T.p_i), for any index set I, it is conjunctive. The isotone predicate transformers constitute a model for general refinement algebra [20]. The reason why isolation is dropped is that it does not hold for isotone predicate transformers in general [1,20]. Since isolation is an essential property needed for proving ω coinduction under the interpretation aω =df aω̄ 0, it is not possible to prove that demonic refinement algebra subsumes top-left-strict strong left omega algebra. For the same reason, one cannot define strong iteration as aω̄ =df a∗ + aω since this is valid only for conjunctive predicate transformers [1]. I.e., one cannot prove that top-left-strict strong left omega algebra subsumes general refinement algebra in an analogous way to the proof of Lemma 2.3.

¹ In the literature these predicate transformers are usually called monotone [1]. However, in other contexts the term monotone can mean isotone or antitone.

5 Making Convergence Explicit

In this section, we prove a result concerning the convergence operator of Sect. 3: having a convergence operator such that Δa = ¬⌜aω is equivalent to having ω coinduction for the domain operator. Since Δa = ¬⌜aω does not hold in all models of weak omega algebra [5], we also know that ω coinduction for domain does not follow from the axioms of omega algebra.

Proposition 5.1. Omega coinduction for the domain operator, i.e.,

p ≤ ⌜(q + ap) ⇒ p ≤ ⌜(aω + a∗q) ,

holds if and only if Δa = ¬⌜aω does.

Proof. The convergence operator is given by the implicit axiomatisation of


Sect. 2. It is unique by the fact that it is a least fixpoint. We show that ¬aω
always satisfies the  unfold axiom and that it satisfies the  induction axiom
if and only if ω coinduction for the domain operator holds:

1. |a]¬aω ≤ ¬aω
⇔ {[ definition of | ] and Boolean algebra ]}
¬|aaω ≤ ¬aω
⇔ {[ shunting ]}
a ≤ aaω
ω

⇔ {[ definition of |  ]}
aω ≤ (aaω )
⇔ {[ (d3) ]}
aω ≤ (aaω )
⇔ {[ ω unfold ]}
aω ≤ aω
⇔ {[ reflexivity ]}
true

2. q · |a]p ≤ p ⇒ ¬aω · [a∗ ]q ≤ p


⇔ {[ Boolean algebra ]}
¬p ≤ ¬|a]p + ¬q ⇒ ¬p ≤ aω + ¬|a∗ ]q
⇔ {[ definition of | ] and Boolean algebra ]}
¬p ≤ |a¬p + ¬q ⇒ ¬p ≤ aω + |a∗ ¬q
⇔ {[ definition of |  ]}
¬p ≤ (a¬p) + ¬q ⇒ ¬p ≤ aω + (a∗ ¬q)
⇔ {[ set ¬p = r and ¬q = s ]}
r ≤ (ar) + s ⇒ r ≤ aω + (a∗ s)
⇔ {[ (2) and (3) ]}
r ≤ (ar + s) ⇒ r ≤ (aω + a∗ s)
Omega Algebra, Demonic Refinement Algebra and Commands 233

Assume now that $\omega$ coinduction for the domain operator holds. By the above calculations $\neg\ulcorner a^{\omega}$ then satisfies both $\triangle$ unfold and $\triangle$ induction. Since these axioms impose uniqueness, we have that $a^{\triangle} = \neg\ulcorner a^{\omega}$. If, conversely, $a^{\triangle} = \neg\ulcorner a^{\omega}$ is assumed then the implication in the first line of the above calculation for 2. is true by $\triangle$ induction and hence $\omega$ coinduction for domain holds.

This means that in a command omega or demonic refinement algebra based on an omega algebra where $\omega$ coinduction for the domain operator holds, infinite and strong iteration can be defined as

$(a, p)^{\omega} =_{df} (a^{\omega},\ \neg\ulcorner a^{\omega} \cdot |a^{*}]p)$ and $(a, p)^{\omega} =_{df} (a^{\omega},\ \neg\ulcorner a^{\omega} \cdot |a^{*}]p)$,

respectively.
We finally note that the special case q = 0 of the ω coinduction rule for domain
(Prop. 5.1) has been termed cycle rule and used as an additional postulate in
the computation calculus of R. Dijkstra [6].

6 Conclusion

Top-left-strict omega algebra and demonic refinement algebra are equivalent in


the sense that they can be defined in terms of each other. In particular, results
from one of these frameworks can now be reused in the other. The equivalence
also facilitates the definition of a demonic refinement algebra of commands, yielding a model in which extensionality does not hold. Since extensionality always holds in predicate-transformer models, it can be concluded that demonic refinement algebra does not characterise predicate transformers uniquely. A similar equivalence between general refinement algebra and top-left-strict left omega algebra as between demonic refinement algebra and top-left-strict weak omega algebra cannot be shown. The demonic refinement algebra and the omega algebra of commands are based on the convergence operator. In a modal demonic refinement or omega algebra that satisfies domain coinduction for infinite iteration, the convergence operator can be defined explicitly in terms of infinite iteration and domain.
Having set up the connections between various algebraic structures allows
mutual re-use of the large existing body of results about Kleene/ω algebra with
tests and modal Kleene/ω algebra as well as demonic refinement algebra and
action systems. Having embedded the command algebras we can also apply the
general algebraic results to UTP and related systems.

References
1. R.J. Back, J. von Wright: Refinement calculus: a systematic introduction. Springer 1998
2. E. Cohen: Separation and reduction. In R. Backhouse, J. Oliveira (eds.): Mathematics of Program Construction. LNCS 1837. Springer 2000, 45–59
3. J.-L. de Carufel, J. Desharnais: Demonic algebra with domain. In R. Schmidt, G. Struth (eds.): Relations and Kleene Algebra in Computer Science. LNCS (this volume). Springer 2006 (to appear)
4. J. Desharnais, B. Möller, G. Struth: Kleene algebra with domain. Technical Report 2003-7, Universität Augsburg, Institut für Informatik, 2003. Revised version to appear in ACM TOCL
5. J. Desharnais, B. Möller, G. Struth: Termination in modal Kleene algebra. In J.-J. Lévy, E. Mayr, J. Mitchell (eds.): Exploring new frontiers of theoretical informatics. IFIP International Federation for Information Processing Series 155. Kluwer 2004, 653–666
6. R.M. Dijkstra: Computation calculus bridging a formalisation gap. Science of Computer Programming 37, 3–36 (2000)
7. W. Guttmann, B. Möller: Modal design algebra. In S. Dunne, B. Stoddart (eds.): Proc. First International Symposium on Unifying Theories of Programming. LNCS 4010. Springer 2006, 236–256
8. D. Harel, D. Kozen, J. Tiuryn: Dynamic Logic. MIT Press 2000
9. C.A.R. Hoare, J. He: Unifying theories of programming. Prentice Hall 1998
10. D. Kozen: A completeness theorem for Kleene algebras and the algebra of regular events. Inf. Comput. 110, 366–390 (1994)
11. D. Kozen: Kleene algebra with tests. ACM Transactions on Programming Languages and Systems 19, 427–443 (1997)
12. B. Möller: Lazy Kleene algebra. In D. Kozen (ed.): Mathematics of Program Construction. LNCS 3125. Springer 2004, 252–273. Revised version: B. Möller: Kleene getting lazy. Sci. Comput. Prog. (to appear)
13. B. Möller, G. Struth: Modal Kleene algebra and partial correctness. In C. Rattray, S. Maharaj, C. Shankland (eds.): Algebraic methodology and software technology. LNCS 3116. Springer 2004, 379–393. Revised and extended version: B. Möller, G. Struth: Algebras of modal operators and partial correctness. Theoretical Computer Science 351, 221–239 (2006)
14. B. Möller, G. Struth: wp is wlp. In W. MacCaull, M. Winter, I. Düntsch (eds.): Relational methods in computer science. LNCS 3929. Springer 2006, 200–211
15. C. Morgan: Data refinement by miracles. Inf. Process. Lett. 26, 243–246 (1988)
16. J.M. Morris: Laws of data refinement. Acta Informatica 26, 287–308 (1989)
17. G. Nelson: A generalization of Dijkstra's calculus. ACM TOPLAS 11, 517–561 (1989)
18. K. Solin, J. von Wright: Refinement algebra with operators for enabledness and termination. In T. Uustalu (ed.): Mathematics of Program Construction. LNCS 4014. Springer 2006, 397–415
19. J. von Wright: From Kleene algebra to refinement algebra. In E. Boiten, B. Möller (eds.): Mathematics of Program Construction. LNCS 2386. Springer 2002, 233–262
20. J. von Wright: Towards a refinement algebra. Sci. Comput. Prog. 51, 23–45 (2004)
Semigroupoid Interfaces for
Relation-Algebraic Programming in Haskell

Wolfram Kahl

McMaster University, Hamilton, Ontario, Canada


[email protected]

Abstract. We present a Haskell interface for manipulating finite bi-


nary relations as data in a point-free relation-algebraic programming
style that integrates naturally with the current Haskell collection types.
This approach enables seamless integration of relation-algebraic formu-
lations to provide elegant solutions of problems that, with different data
organisation, are awkward to tackle.
Perhaps surprisingly, the mathematical foundations for dealing with
finite relations in such a context are not well-established, so we provide
an appropriate generalisation of relational categories to semigroupoids
to serve as specification for our interface.
After having established an appropriate interface for relation-algebraic programming, we also need an efficient implementation; we find this in the BDD-based kernel library KURE of recent versions of the Kiel RelView system. We show how this combination enables high-level declarative and efficient relational programming in Haskell.

1 Introduction
After a small demonstration of relation-algebraic programming in Haskell, we give a quick overview of the programmer's interface to our relation library in Sect. 1.2. We then show in Sect. 1.3 how standard relation-algebraic theories are not an appropriate specification for this kind of relation library; as a
solution to these problems, we define in Sect. 2 an appropriate generalisation
of the relation-algebraic framework. In Sect. 3 we explain the options we offer
concerning support from the Haskell type system for relational programming;
we summarise our current implementation in Sect. 4.

1.1 Motivating Example: Dependency Graphs


One particularly useful visualisation aid when exploring software products is
a tool that produces a module dependency graph. This is, as such, not very
complex — most compilers can produce dependency output in a format that
can be used by the make utility; it is easy to parse this and then produce the
input format of a graph layout tool such as dot [9].
For extracting the dependency graph of the theorem prover Agda [5], which
is implemented in the pure functional programming language Haskell [23], my
tool HsDep [14] (also implemented in Haskell) takes 0.850 seconds (including the
dependency-generating call to the Glasgow Haskell compiler); dot then takes an
additional 45 seconds to produce a layout for this graph:

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 235–250, 2006.
© Springer-Verlag Berlin Heidelberg 2006
[Figure: dot layout of the full module dependency graph of Agda, with emacsagda at the top and utility modules such as Util, Position, PPrint, AgdaTrace and AgdaPretty at the bottom; the dense crossing edges make the drawing unreadable, and only the node labels survived extraction.]

Even at considerable magnification, the usefulness of this graph drawing is rather


limited. One naturally would like to see only the transitively irreducible kernel
of this graph — the latest version of HsDep supports an additional flag, with
which it produces that kernel in 0.952 seconds; dot then produces the following
layout in less than half a second:
[Figure: dot layout of the transitively irreducible kernel of the same dependency graph, again from emacsagda down to AgdaPretty and AgdaTrace, now a readable layered drawing; only the node labels survived extraction.]

This new drawing is immediately useful (at appropriate magnification); obvi-


ously, reduction to the transitively irreducible kernel makes a real qualitative
difference, and altogether even has negative run-time cost.
Most experienced Haskell programmers would find producing a tool like HsDep
without kernel calculation to be a fairly straight-forward exercise, but would
probably consider adding the kernel calculation to be quite a challenge.
In this paper, we show how to add an appropriate relation datatype to the
libraries so that this challenge completely disappears.
For an example of the resulting programming style, let us look at the source
of HsDep, which is a two-page literate Haskell document. It uses lists of pairs of
strings to represent the dependency graph as parsed from the compiler-generated
dependency file; this is completely natural in Haskell. Although calculating the transitively irreducible kernel of a finite relation is a simple relation-algebraic operation, it is rather non-trivial to implement this directly on the association list representation of the relation. Using conversion to an abstract datatype of finite relations, we achieve full realisation of the relation-algebraic simplicity in the Haskell source. The following is the central part of the HsDep source code, a literate Haskell document in which prose and code alternate:

Then we parse the file contents into dependency pairs:

    deps <- fmap parseDepFile $ readFile depfile

If "-k" was given, we have to calculate for the dependency relation $D$ the intransitive kernel $D \cap \overline{D;D^{+}}$:

    let deps' = if null kernel then deps
                else let d :: Rel String String
                         d = fromList deps
                     in toList (d -=- (d *** transClos d))

The dependencies are then output as dot graph:

    writeFile dotfile . show . dotOfDeps name $ deps'

Only the second code block here is concerned with the calculation of the intransitive part of the dependency graph; after seeing the mathematical formula for this, it should be easy to follow the corresponding Haskell expressions.
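To make the kernel calculation concrete, the following is an added, self-contained Haskell example of my own; it is not code from HsDep or from Kahl's Data.Rel library. It assumes a toy Rel type built on Data.Set (the real library uses a BDD-based kernel, Sect. 4), reuses the page's operator names (***), (-=-) and transClos with the meanings given in Sect. 1.2, computes transitive closure as a least fixpoint (termination is guaranteed by finiteness), and applies the formula $D \cap \overline{D;D^{+}}$ to a constructed module list sampleDeps.

```haskell
-- Added example, not part of the paper or of Data.Rel: a minimal finite-relation
-- type over Data.Set, sufficient to compute the transitively irreducible kernel
-- D - D;D^+ that HsDep computes when "-k" is given.
import qualified Data.Set as S
import Data.List (sort)

-- A finite relation between a and b is a finite set of pairs.
newtype Rel a b = Rel (S.Set (a, b)) deriving (Eq, Show)

fromList :: (Ord a, Ord b) => [(a, b)] -> Rel a b
fromList = Rel . S.fromList

toList :: Rel a b -> [(a, b)]
toList (Rel s) = S.toList s

-- Relational composition r ; s (the page's (***)): (x,z) whenever x r y and y s z.
(***) :: (Ord a, Ord b, Ord c) => Rel a b -> Rel b c -> Rel a c
Rel r *** Rel s =
  Rel (S.fromList [ (x, z) | (x, y) <- S.toList r, (y', z) <- S.toList s, y == y' ])

-- Relative complement r - s (the page's (-=-)). Finite relations over an
-- infinite type have no absolute complement, so difference is primitive here.
(-=-) :: (Ord a, Ord b) => Rel a b -> Rel a b -> Rel a b
Rel r -=- Rel s = Rel (S.difference r s)

-- Join (union) of two relations of the same type.
(|||) :: (Ord a, Ord b) => Rel a b -> Rel a b -> Rel a b
Rel r ||| Rel s = Rel (S.union r s)

-- Transitive closure R^+: iterate cur := cur ∪ cur;R until nothing changes.
-- Each step adds paths one edge longer; on a finite relation this terminates.
transClos :: Ord a => Rel a a -> Rel a a
transClos r = go r
  where
    go cur =
      let next = cur ||| (cur *** r)
      in if next == cur then cur else go next

-- Transitively irreducible kernel D ∩ complement(D ; D^+): an edge survives
-- only if it is not already implied by a path of length two or more.
kernel :: Ord a => Rel a a -> Rel a a
kernel d = d -=- (d *** transClos d)

-- Constructed sample dependency list (assumed data, not a real module graph);
-- three of its six edges are implied by longer paths.
sampleDeps :: [(String, String)]
sampleDeps =
  [ ("Main", "Parser"), ("Main", "Lexer"), ("Main", "Util")
  , ("Parser", "Lexer"), ("Parser", "Util"), ("Lexer", "Util") ]

-- Round trip through the abstract type, as HsDep does with fromList/toList.
kernelOf :: [(String, String)] -> [(String, String)]
kernelOf = sort . toList . kernel . fromList

main :: IO ()
main = mapM_ print (kernelOf sampleDeps)
```

On sampleDeps the kernel keeps exactly the chain Main -> Parser -> Lexer -> Util: the edges Main -> Lexer, Main -> Util and Parser -> Util are each reachable through a longer path, so they are removed. Feeding the reduced list to dot is what produced the readable second layout in Sect. 1.1.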

1.2 Overview of the Haskell Relation Library Data.Rel


The type Rel a b implements finite relations between a and b, where a relation
can be understood as a set of pairs, and pair components are restricted to those
elements on which the equality and ordering functions provided by the Ord
interface terminate. This means roughly that Rel a b is intended to be used to
establish relationships only between finite, fully defined elements of a and b, but
no relationships with the (partially) undefined (and infinite) elements that also
inhabit most Haskell datatypes.
The relation-algebraic part of HsDep in Sect. 1.1 is connected with the list
part via the following conversion functions (a constraint “Ord a” expresses that
a linear ordering needs to be available on type a):

    fromList :: (Ord a, Ord b) => [(a, b)] -> Rel a b
    toList   :: (Ord a, Ord b) => Rel a b -> [(a, b)]

Besides these, the data type constructor Rel exposes a relation-algebraic interface, part of which is listed here (omitting the Ord constraints for readability):

    (<==)           :: Rel a b -> Rel a b -> Bool      inclusion ⊆
    (&&&)           :: Rel a b -> Rel a b -> Rel a b   meet (intersection)
    (|||)           :: Rel a b -> Rel a b -> Rel a b   join (union)
    (-=-)           :: Rel a b -> Rel a b -> Rel a b   difference
    (***)           :: Rel a b -> Rel b c -> Rel a c   composition ;
    (/*/)           :: Rel a c -> Rel b c -> Rel a b   restricted left residual
    (\*\)           :: Rel a b -> Rel a c -> Rel b c   restricted right residual
    (\*/)           :: Rel a b -> Rel a c -> Rel b c   restricted symmetric quotient
    converse        :: Rel a b -> Rel b a              converse $R^{\smile}$
    symClos         :: Rel a a -> Rel a a              symmetric closure $R \cup R^{\smile}$
    transClos       :: Rel a a -> Rel a a              transitive closure $R^{+}$
    dom             :: Rel a b -> Rel a a              domain dom
    ran             :: Rel a b -> Rel b b              range ran
    isUnivalent     :: Rel a b -> Bool                 univalence predicate
    isInjective     :: Rel a b -> Bool                 injectivity predicate
    isTransitive    :: Rel a a -> Bool                 transitivity predicate
    isSymmetric     :: Rel a a -> Bool                 symmetry predicate
    isAntisymmetric :: Rel a a -> Bool                 antisymmetry predicate

Besides these, we also provide some point-level functions following the naming
and argument order conventions of Data.Set and Data.Map:

empty :: Rel a b
member :: a → b → Rel a b → Bool
insert :: a → b → Rel a b → Rel a b

1.3 Finite Relations Between Infinite Types


From the HsDep fragment in the previous sections, one naturally gains the im-
pression that the formal foundations for this style of programming should be
sought in relation algebra, with its tradition of concise, point-free formulations
based on abstractly axiomatised operations on binary relations. We are obvi-
ously in the heterogeneous setting, which has partial composition in the same
way as category theory. However, the finite relations accommodated by the type
constructor Rel do not form a heterogeneous relation algebra, not even any kind
of allegory [8] or category.
The problem lies deeper, and already occurs with finite sets and finite maps.
All these finite collections are, in most programming languages, set in the con-
text of infinite types. For example, even in strict object-oriented or functional
languages, list types have infinitely many fully defined elements. In Haskell,
also types like Integer are infinite. If the types a and b are infinite, then the types¹ Set a, Map a b, and Rel a b together with their algebraic interfaces do not satisfy the "standard" specifications of their unrestricted counterparts. In
order to provide a background for the choices made in the rather complex case
of relations, we first consider the simpler cases of sets and partial functions.
Finite subsets of an infinite set do not form a Boolean algebra: there is no largest finite set, and therefore the concept of complement does not make sense. Only relative complements exist; the function Data.Set.difference, which calculates $A - B = A \cap \overline{B}$, can be defined in several ways without recourse to complement, most typically as the pseudo-complement of $B$ in the sub-lattice of finite sets contained in $A$, i.e., the largest finite set $X \subseteq A$ for which $X \cap B = \emptyset$ holds. The problem of missing universal and complement sets of course immediately applies to sets of pairs, i.e., relations, too.

¹ Set a implements finite sets of elements of type a, and Map a b implements finite partial functions from type a to type b. Both require the key type a to have a linear ordering, specified via Ord a constraints. Both are provided, in the modules Data.Set respectively Data.Map, by the "hierarchical libraries" currently included in the distributions of most Haskell implementations.
Turning our attention to finite maps, i.e., finite partial functions, we notice
that, when infinite types are considered, these do not form a category, because
identity functions on infinite types are not finite. Composition is still associa-
tive, so the appropriate algebraic structure is that of semi-groupoids (see for
example [26, 27], and Def. 2.1.1 below), which are related to categories in the
same way as semigroups are related to monoids, that is, identities are omitted.²
It is interesting to note that most libraries of finite maps, including Data.Map,
do not even provide map composition in their interface.
A (heterogeneous) relation algebra, which is a category where every homset is a Boolean algebra and some additional laws hold [24], can be obtained from any collection of sets by taking these sets as objects and arbitrary relations between them as morphisms. If we move to finite relations, then we again lose complements, largest elements, and identities, so where infinite sets are involved, we have no category of finite relations, only a semigroupoid.
Finiteness is also not preserved by the residuals of composition; this is obvious from the complement expressions that calculate these residuals in full relation algebras (shown in the right-most column):

    $X \subseteq (Q\backslash S)$ iff $Q;X \subseteq S$     right residual     $Q\backslash S = \overline{Q^{\smile};\overline{S}}$
    $X \subseteq (S/R)$ iff $X;R \subseteq S$               left residual      $S/R = \overline{\overline{S};R^{\smile}}$

[Figure: two commuting triangles giving the typing of the residuals. For $Q : A \to B$, $S : A \to C$ and $R : B \to C$, the right residual $Q\backslash S : B \to C$ completes the triangle over $Q$ and $S$, and the left residual $S/R : A \to B$ completes the triangle over $R$ and $S$.]

Residuals are important since they provide the standard means to translate predicate logic formulae involving universal quantification into complement-free relational formalisms:

    $(x, y) \in S/R$ iff $\forall z.\ (y, z) \in R \Rightarrow (x, z) \in S$
    $(y, z) \in Q\backslash S$ iff $\forall x.\ (x, y) \in Q \Rightarrow (x, z) \in S$

Although to the newcomer to relational algebra, residuals may appear to be a rather strange construction, the fact that they are the tool to translate universal quantifications into relation-algebraic formulae frequently makes them indispensable for point-free formulations.
In the next section, we show how most relational formalisations can be adapted
into a generalised framework that avoids these problems.
² I would have much preferred to use the name "semicategory", but this is already used for "categories with identities, but with only partial composition" [25], and the name "semi-groupoid" seems to be reasonably well-established in the mathematical literature.

2 Relational Semigroupoids

Above, we showed how set difference can be defined in a point-free way, without
reference to the complement operation available only in the superstructure of
arbitrary sets, only in terms of the theory of finite sets. This way of directly
defining concepts that are better-known as derived in more general settings has
the advantage that it guarantees a certain “inherent conceptual coherence”.
In order to achieve this coherence also for the interface to our finite relation
library, we now step back from concrete finite relations and consider instead a
hierarchy of semigroupoid theories geared towards relational concepts in a similar
way as Freyd and Scedrov’s hierarchy of allegories [8] does this for category
theory. Our exposition will, however, be structured more as a generalisation of
the theory organisation of [13] from categories to semigroupoids.
This section serves simultaneously as formal specification for the point-free
aspects of our interface to the relation datatypes in Haskell, and as (rather
concise) introduction to reasoning using these tools.

2.1 Semigroupoids, Identities, and Categories


Definition 2.1.1. A semi-groupoid $(Obj, Mor, src, trg, ;)$ is a graph with a set $Obj$ of objects as vertices, a set $Mor$ of morphisms as edges, with $src, trg : Mor \to Obj$ assigning source and target object to each morphism (we write "$f : A \to B$" instead of "$f \in Mor$ and $src\,f = A$ and $trg\,f = B$"), and an additional partial operation of composition such that the following hold:
– For $f : A \to B$ and $g : B' \to C$, the composition $f;g$ is defined iff $B = B'$, and if it is defined, then $(f;g) : A \to C$.
– Composition is associative, i.e., if one of $(f;g);h$ and $f;(g;h)$ is defined, then so is the other and they are equal.
For two objects $A$ and $B$, the collection of morphisms $f : A \to B$ is also called the homset from $A$ to $B$, and written $Hom(A, B)$.

A morphism is called an endomorphism iff its source and target objects coincide.


In typed relation algebras, such morphisms are often called homogeneous. An
endomorphism R : A → A is called idempotent if R;R = R.

Definition 2.1.2. In a semigroupoid, a morphism $I : A \to A$ is called an identity on $A$ (or just an identity) iff it is a local left- and right-identity for composition, i.e., iff for all objects $B$ and for all morphisms $F : A \to B$ and $G : B \to A$ we have $I;F = F$ and $G;I = G$.
If there is an identity on $A$, we write it $I_A$.
A category is a semigroupoid where each object has an identity.

As in semigroups, identities are unique where they exist, and whenever we write $I_A$ without further comment, we imply the assumption that it exists.

2.2 Ordered Semigroupoids, Subidentities


A hallmark of the relational flavour of reasoning is the use of inclusion; the
abstract variant of this directly corresponds to the categorical version:

Definition 2.2.1. A locally ordered semigroupoid, or just ordered semigroupoid, is a semigroupoid in which on each homset $Hom(A, B)$ there is an ordering $\sqsubseteq_{A,B}$, and composition is monotonic in both arguments.

Some familiar concepts are available unchanged: In an ordered semigroupoid, a morphism $R : A \to A$ is called transitive iff $R;R \sqsubseteq R$, and co-transitive iff $R \sqsubseteq R;R$. The usual definitions of reflexivity and co-reflexivity, however, involve an identity; we work around this by essentially defining the concept "included in an identity" without actually referring to identity morphisms:

Definition 2.2.2. In an ordered semigroupoid, if for a morphism $p : A \to A$, and for all objects $B$ and all morphisms $R : A \to B$ and $S : B \to A$, we have
– $p;R \sqsubseteq R$ and $S;p \sqsubseteq S$, then $p$ is called a subidentity, and if we have
– $R \sqsubseteq p;R$ and $S \sqsubseteq S;p$, then $p$ is called a superidentity.

In ordered categories (or monoids), subidentities are normally defined as elements included in identities, see e.g. [6]. If an object $A$ in an ordered semigroupoid does have an identity $I_A$, then each subidentity $p : A \to A$ is indeed contained in the identity, since $p = p;I_A \sqsubseteq I_A$. Therefore, we also call subidentities co-reflexive, and, dually, we call superidentities reflexive.
If the homset $Hom(A, B)$ has a least element, then this will be denoted $\bot_{A,B}$. Existence of least morphisms is usually assumed together with the zero law:

Definition 2.2.3. An ordered semigroupoid with zero morphisms is an ordered semigroupoid such that each homset $Hom(A, B)$ has a least element $\bot_{A,B}$, and each least element $\bot_{A,B}$ is a left- and right-zero for composition.

In contexts where the inclusion ordering is not primitive, but defined using meet, the meet-subdistributivity of composition is usually listed as an axiom; here it follows from monotonicity of composition:

Definition 2.2.4. A lower semilattice semigroupoid is an ordered semigroupoid such that each homset is a lower semilattice with binary meet $\sqcap$.

By demanding strict distributivity of composition over join, upper semilattice semigroupoids are not completely dual to lower semilattice semigroupoids:

Definition 2.2.5. An upper semilattice semigroupoid is an ordered semigroupoid such that each homset is an upper semilattice with binary join $\sqcup$, and composition distributes over joins from both sides.

If we consider upper or lower semilattice semigroupoids with converse, then the involution law for join respectively meet follows from isotony of converse.

2.3 Ordered Semigroupoids with Converse (OSGCs)


We now introduce converse into ordered semigroupoids before we consider join or
meet, and we shall see that, even with only the basic axiomatisation of converse
as an involution, the resulting theory is quite expressive.
Definition 2.3.1. An ordered semigroupoid with converse (OSGC) is an ordered semigroupoid such that each morphism $R : A \to B$ has a converse $R^{\smile} : B \to A$; conversion is monotonic with respect to $\sqsubseteq$, and for all $R : A \to B$ and $S : B \to C$, the involution equations $(R^{\smile})^{\smile} = R$ and $(R;S)^{\smile} = S^{\smile};R^{\smile}$ hold.
Many standard properties of relations can be characterised in the context of
OSGCs — not significantly hindered by the absence of identities. Those relying
on superidentities are, of course, only of limited use in semigroupoids of finite
relations between potentially infinite sets.
Definition 2.3.2. For a morphism $R : A \to B$ in an OSGC we define:
– $R$ is univalent iff $R^{\smile};R$ is a subidentity,
– $R$ is injective iff $R;R^{\smile}$ is a subidentity,
– $R$ is difunctional iff $R;R^{\smile};R \sqsubseteq R$,
– $R$ is co-difunctional iff $R \sqsubseteq R;R^{\smile};R$,
– $R$ is total iff $R;R^{\smile}$ is a superidentity,
– $R$ is surjective iff $R^{\smile};R$ is a superidentity,
– $R$ is a mapping iff $R$ is univalent and total,
– $R$ is bijective iff $R$ is injective and surjective.
All concrete relations, including all finite relations, are co-difunctional.
For endomorphisms, there are a few additional properties of interest:
Definition 2.3.3. For a morphism $R : A \to A$ in an OSGC we define:
– $R$ is symmetric iff $R \sqsubseteq R^{\smile}$,
– $R$ is a partial equivalence iff $R$ is symmetric and idempotent,
– $R$ is an equivalence iff $R$ is reflexive, transitive, and symmetric.
In the categorical context, a number of connections between the properties introduced above have been shown in [13, Sect. 3.4]; it is easy to see that these all carry over directly to the semigroupoid-based definitions presented here.

2.4 Domain
Related to the introduction of "Kleene algebras with tests" [16], which allow the study of pre- and postconditions in a Kleene algebra setting, domain (and range) operators have been studied in the Kleene algebra setting [21, 6].³ Much of the material there can be transferred into our much weaker setting of ordered semigroupoids by replacing preservation of joins with monotonicity and using our subidentity concept of Def. 2.2.2. The definition of "predomain" is given as a special residual of composition with respect to the ordering $\sqsubseteq$:

³ It is important not to confuse these domain and range operations, which only make sense in ordered semigroupoids, with the semigroupoid (or categorical) concepts of source and target of a morphism!

Definition 2.4.1. An ordered semigroupoid with predomain is an ordered semigroupoid where for every $R : A \to B$ there is a subidentity $dom\,R : A \to A$ such that for every $X : A \to A$, we have $X;R \sqsubseteq R$ iff $X \sqsubseteq dom\,R$.
In an ordered semigroupoid with domain, additionally the "locality" condition $dom\,(R;S) = dom\,(R;dom\,S)$ has to hold.

Already in ordered semigroupoids with predomain, we have $(dom\,R);R = R$.

Range can be defined analogously; an OSGC with domain also has range, and range is then related with domain via converse: $ran\,R = (dom\,(R^{\smile}))^{\smile}$. (Without co-difunctionality, subidentities need not be symmetric.)

2.5 Kleene Semigroupoids


Kleene algebras are a generalisation of the algebra of regular languages; the typed
version [17] is an extension of upper semilattice categories with zero morphisms.
Since the reflexive aspect of the Kleene star is undesirable in semigroupoids, we
adapt the axiomatisation by Kozen [15] to only the transitive aspect:

Definition 2.5.1. A Kleene semigroupoid is an upper semilattice semigroupoid with zero morphisms such that on homsets of endomorphisms there is an additional unary operation $^{+}$ which satisfies the following axioms for all $R : A \to A$, $Q : B \to A$, and $S : A \to C$:

    $R \sqcup R^{+};R^{+} = R^{+}$                                   recursive definition
    $Q;R \sqsubseteq Q \;\Rightarrow\; Q;R^{+} \sqsubseteq Q$       right induction
    $R;S \sqsubseteq S \;\Rightarrow\; R^{+};S \sqsubseteq S$       left induction

It is interesting to note that the only change from Kozen's definition is the omission of the join with the identity from the left-hand side of the recursive definition; Kozen also states the induction laws with inclusions in the conclusion, although for reflexive transitive closure, equality immediately ensues. This is not the case here, so this definition of transitive closure is in some sense more "satisfactory" than the reflexive transitive variant.
While transitive closure of concrete relations does preserve finiteness, this is not the case for language-based models, so the usefulness of Kleene semigroupoids as such may be limited.

Definition 2.5.2. A Kleene semigroupoid with converse is a Kleene semigroupoid that is at the same time an OSGC, and the involution law for transitive closure holds: $(R^{+})^{\smile} = (R^{\smile})^{+}$.

In Kleene semigroupoids with converse, difunctional closures always exist, and can be calculated as $R \sqcup (R;R^{\smile})^{+};R$.

2.6 Semi-allegories
In direct analogy with allegories and distributive allegories, we define:

Definition 2.6.1. A semi-allegory is a lower semilattice semigroupoid with converse and domain such that for all $Q : A \to B$, $R : B \to C$, and $S : A \to C$, the Dedekind rule $Q;R \sqcap S \sqsubseteq (Q \sqcap S;R^{\smile});(R \sqcap Q^{\smile};S)$ holds.
A distributive semi-allegory is a semi-allegory that is also an upper semilattice semigroupoid with zero morphisms.

The inclusion of domain is inspired by Gutiérrez' graphical calculus for allegories [7]; a contributing factor is that besides the Dedekind formula, in the absence of identities we also need domain to be able to show that, in semi-allegories, all morphisms are co-difunctional:

    $R = dom\,R;R \sqcap R \sqsubseteq (dom\,R \sqcap R;R^{\smile});R \sqsubseteq R;R^{\smile};R$.

(The first step is $(dom\,R);R = R$ from Sect. 2.4; the second is the Dedekind rule with $Q := dom\,R$ and $S := R$, dropping the meet in the second factor by monotonicity; the third drops the meet in the first factor.)
In a semi-allegory we can define $R : A \to A$ to be antisymmetric iff $R \sqcap R^{\smile}$ is a subidentity.

2.7 Division Semi-allegories


We have seen in Sect. 1.3 that, in the interesting semigroupoid of finite relations
between arbitrary sets, residuals do not in general exist. But we can define a set
of restricted residuals that do exist for finite relations:

Definition 2.7.1. For morphisms $S : A \to C$ and $Q : A \to B$ and $R : B \to C$ in an OSGC with domain, we define:
– the restricted right-residual $Q\backslash{*}\backslash S$ and the restricted left-residual $S/{*}/R$:

    $Y \sqsubseteq (Q\backslash{*}\backslash S)$ iff $Q;Y \sqsubseteq S$ and $dom\,Y \sqsubseteq ran\,Q$,
    $X \sqsubseteq (S/{*}/R)$ iff $X;R \sqsubseteq S$ and $ran\,X \sqsubseteq dom\,R$,

– and the restricted symmetric quotient $Q\backslash{*}/S := (Q\backslash{*}\backslash S) \sqcap (Q^{\smile}/{*}/S^{\smile})$.

For concrete relations, we then have (using infix notation for relations):

    $y\,(Q\backslash{*}\backslash S)\,z$ iff $\forall x.\ xQy \Rightarrow xSz$ and $\exists x.\ xQy$
    $x\,(S/{*}/R)\,y$ iff $\forall z.\ yRz \Rightarrow xSz$ and $\exists z.\ yRz$

For finite relations between (potentially) infinite types, this definition chooses the largest domain, respectively range, on which each residual is still guaranteed to be finite if its arguments are both finite. Where residuals exist, the restricted residuals can be defined using the unrestricted residuals:

    $Q\backslash{*}\backslash S = ran\,Q;(Q\backslash S)$,    $S/{*}/R = (S/R);dom\,R$.
This “definedness restriction” essentially takes away from the standard residuals
only the “uninteresting part”, where the corresponding universally quantified
formula is trivially true, and therefore is still useful in relational formalisations in
essentially the same way as the “full” residuals. Therefore, we use these restricted
residuals now for division semi-allegories:

Definition 2.7.2. A division semi-allegory is a distributive semi-allegory in
which all restricted residuals exist.
Semigroupoid Interfaces for Relation-Algebraic Programming in Haskell 245

We then complete the hierarchy of semigroupoids by joining the semi-allegory
branch with the Kleene branch, adding pseudo-complements, and a “finite re-
placement” for largest elements in homsets:

Definition 2.7.3. A Dedekind semigroupoid is a division semi-allegory that is
also a Kleene semigroupoid and has pseudo-complements, and where for any two
subidentities $p : A \to A$ and $q : B \to B$ there is a largest morphism $p \top q : A \to B$
such that $p = \mathrm{dom}(p \top q)$ and $q = \mathrm{ran}(p \top q)$.

2.8 Direct Products, Direct Sums, Direct Powers

For product and sum types we have the problem that the natural access rela-
tions, namely the projection respectively injection mappings, will be infinite for
infinite types. Therefore, a formalisation that is useful in the context of finite
relations between infinite types has to work without projections and injections.
The natural starting point for such a formalisation are monoidal categories [19],
which easily generalise to monoidal semigroupoids.
Since the details are beyond the scope of this paper, we only shortly indicate
how we deal with product types. Since duplication and termination can again be
infinite, we axiomatise finiteness-preserving “usage patterns” of the potentially
infinite projection functions $\pi : A \times B \to A$ and $\rho : A \times B \to B$:
– The fork operation as introduced in the context of relation algebras by Hae-
berer et al. [10] can be defined by $R \nabla S := R;\pi^{\smile} \sqcap S;\rho^{\smile}$.
– The “target projection” operations $P^{\pi} := P;\pi$ and $P^{\rho} := P;\rho$ also preserve
finiteness.
– These can be axiomatised without projections by $(R \nabla S)^{\pi} = (\mathrm{dom}\,S);R$ and
$(R \nabla S)^{\rho} = (\mathrm{dom}\,R);S$ and $(P \nabla Q);(R \nabla S)^{\smile} = P;R^{\smile} \sqcap Q;S^{\smile}$.
In a Dedekind semigroupoid with the monoidal product bifunctor and these opera-
tions, most product-related relational programming can be adequately expressed.
Direct sums with injections and direct powers with element relations are dealt
with similarly; for the latter, the use of restricted residuals implies that set
comprehension is typically restricted to non-empty sets.
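The restricted residuals of Sect. 2.7 and the projection-free fork axioms of Sect. 2.8, checked on small finite relations. This is an added example in Python, not code from the paper or from Data.Rel: relations are frozensets of pairs, the sample relations Q, S, S_PARTIAL, R_B, R_D, S_D are constructed for the example, and the helper names are its own. It shows the point of the “definedness restriction”: the unrestricted residual has to be computed over explicit carriers and grows with them, while the restricted one is determined by the arguments alone and agrees with ran Q;(Q\S).

```python
"""Restricted residuals (Sect. 2.7) and forks (Sect. 2.8) on finite relations.

A relation is a frozenset of (x, y) pairs; the carrier types are never
materialised, which is the situation the restricted residuals are made for.
Added example, not code from the paper or from Data.Rel.
"""


def compose(q, r):
    """Q;R, composition in diagrammatic order (Q first, then R)."""
    preds = {}
    for a, b in q:
        preds.setdefault(b, set()).add(a)
    return frozenset((a, c) for b, c in r for a in preds.get(b, ()))


def converse(r):
    return frozenset((b, a) for a, b in r)


def dom(r):
    """dom R as a subidentity on the source: {(a, a) | a R b for some b}."""
    return frozenset((a, a) for a, _ in r)


def ran(r):
    """ran R as a subidentity on the target."""
    return frozenset((b, b) for _, b in r)


def right_residual(q, s, carrier_b, carrier_c):
    """Unrestricted Q\\S; it only exists once finite carriers B and C are fixed:
    y (Q\\S) z  iff  for all x: x Q y implies x S z."""
    return frozenset((y, z) for y in carrier_b for z in carrier_c
                     if all((x, z) in s for x, y2 in q if y2 == y))


def restricted_right_residual(q, s):
    """Q\\*\\S of Definition 2.7.1: additionally some x with x Q y must exist.
    That forces y into ran Q and z into ran S, so no carriers are needed."""
    return frozenset((y, z) for y, _ in ran(q) for z, _ in ran(s)
                     if all((x, z) in s for x, y2 in q if y2 == y))


def restricted_left_residual(s, r):
    """S/*/R: x (S/*/R) y  iff  (for all z: y R z implies x S z) and some y R z."""
    return frozenset((x, y) for x, _ in dom(s) for y, _ in dom(r)
                     if all((x, z) in s for y2, z in r if y2 == y))


def fork(r, s):
    """R∇S : A -> B×C as a concrete relation: a (R∇S) (b, c) iff a R b and a S c."""
    return frozenset((a, (b, c)) for a, b in r for a2, c in s if a == a2)


def pi_target(p):
    """P^π = P;π for P : A -> B×C, computed without materialising π."""
    return frozenset((a, bc[0]) for a, bc in p)


def rho_target(p):
    """P^ρ = P;ρ."""
    return frozenset((a, bc[1]) for a, bc in p)


# Constructed sample relations (this example's own, not from the paper).
Q = frozenset({("a1", 1), ("a2", 1), ("a2", 2)})          # Q : A -> B
S = frozenset({("a1", "p"), ("a2", "p"), ("a2", "q")})    # S : A -> C
S_PARTIAL = frozenset({("a2", "p"), ("a2", "q")})         # a1 not in dom
R_B = frozenset({(1, "p"), (2, "q")})                     # R : B -> C
R_D = frozenset({("d1", 1), ("d2", 2)})                   # R : D -> B
S_D = frozenset({("d1", "p"), ("d1", "q"), ("d2", "q")})  # S : D -> C


def residual_checks():
    """The restricted residual ignores the carrier and equals ran Q;(Q\\S)."""
    small = right_residual(Q, S, {1, 2, 3}, {"p", "q", "r"})
    large = right_residual(Q, S, {1, 2, 3, 4}, {"p", "q", "r"})
    restricted = restricted_right_residual(Q, S)
    return {
        "unrestricted_sizes": (len(small), len(large)),  # grow with the carrier
        "restricted_size": len(restricted),
        "equals_ranQ_residual": restricted == compose(ran(Q), large),
        "left_restricted_size": len(restricted_left_residual(S, R_B)),
    }


def fork_checks():
    """The projection-free fork axioms of Sect. 2.8 on the sample relations."""
    f = fork(Q, S_PARTIAL)
    sharp_lhs = compose(fork(Q, S), converse(fork(R_D, S_D)))
    sharp_rhs = compose(Q, converse(R_D)) & compose(S, converse(S_D))
    return {
        "pi_axiom": pi_target(f) == compose(dom(S_PARTIAL), Q),
        "rho_axiom": rho_target(f) == compose(dom(Q), S_PARTIAL),
        "sharpness": sharp_lhs == sharp_rhs,
        "fork_size": len(f),
    }
```

Enlarging the carrier from {1, 2, 3} to {1, 2, 3, 4} adds three vacuous pairs to Q\S, while Q\*\S stays the same three pairs; the fork checks confirm both target-projection axioms and the sharpness law on relations where dom S is a proper subidentity.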

3 Programming in Different Semigroupoids

There are three ways to situate the objects of the relation semigroupoid un-
derlying a relation datatype with respect to the host language (Haskell) type
system:
“Types as objects” guarantees full type safety.
“Sets as objects” offers finer granularity at the expense of dynamic compati-
bility checks for relations on possibly different subsets of the same types.
“Elements as objects” uses elements of a single datatype as objects, with no
support from the type system for relation compatibility.
The last approach has been taken by the relation-algebraic experimentation
toolkit RATH [11], and is motivated by a point of view that considers whole
relation algebras as data items.
Here we are concerned with concrete relation algebraic operations on finite
relations as a programming tool in a polymorphically typed programming lan-
guage. In this context, both of the first two views have natural applications, so we
support both, and we support a uniform programming style across the two views
by organising all relational operations, including those listed in Sect. 1.2, into a
wide range of Haskell type classes exported by Data.Rel, with even finer granu-
larity than the hierarchy of definitions in Sect. 2, and supplemented by classes
for the corresponding structures with identities, including categories, allegories,
and relation algebras.
Exporting all relational operations as class members first of all makes re-
lational programming implementation independent: Applications written only
against these class interfaces can be used without change on any new implemen-
tation.
Providing a class hierarchy with very fine granularity in addition extends
the scope of possible models that can be implemented; currently we only have
implementations of concrete relations, but the machinery can easily be extended
to, for example, relational graph homomorphisms [12], or fuzzy relations.

3.1 Types as Objects

It is quite obvious from the presentation of the Data.Rel interface that the choice
of relation semigroupoid here is essentially the same as in the specification nota-
tions Z and B, where only certain sets are types: If different subsets A1 , A2 : P A
and B1 , B2 : P B of two types A and B are given, the relations in A1 ↔ B1 are
still considered as having the same type as the relations in A2 ↔ B2 , namely the
type A ↔ B . Therefore, if R : A1 ↔ B1 and S : A2 ↔ B2 , writing for example
R ∩ S is perfectly legal and well-defined.
This means that in this view we are operating in a relation semigroupoid that
has only types as objects — we realise this in the Rel relation type constructor.
This has the advantage that Haskell type checking implements semigroupoid
morphism compatibility checking, so relation-algebraic Rel expressions are com-
pletely semigroupoid-type-safe. Since some Haskell types are infinite, Rel can
implement only semigroupoid interfaces, up to Dedekind semigroupoids, but no
category interfaces. Also, Rel can only provide pseudo-complements (difference),
not complements, just like the de-facto-standard library module Data.Set.

3.2 Sets as Objects

The situation described above is different from the point of view taken by the
category Rel which has all sets as objects. If an implementation wants to realise
this point of view, then the empty relation ∅ : {0, 1} ↔ {0, 1, 2}, for example,
must be different from the empty relation ∅ : {0, 1, 2, 3} ↔ {0}, since in a cate-
gory or semigroupoid, source and target objects need to be accessible for every
morphism, and operations on incompatible morphisms should not be defined.

Realising static morphism compatibility checking for this view would normally
involve dependent types. One could also use Haskell type system extensions as
implemented in GHC, the most popular compiler, to achieve most of this type
safety, but the interface would definitely become less intuitive.
Realising this “arbitrary sets as objects” view in Haskell naturally uses finite
subsets of types as objects; we provide this in the SetRel type constructor. This
still has to resort to dynamic relation compatibility checking. This forces pro-
grammers either to move all relational computations into an appropriate monad,
or to employ the common semigroupoid interface, where the operations provided
by the SetRel implementation become partial, with possible run-time failures in
the case of morphism incompatibility errors.
The “sets as objects” view has the advantage that the full relation algebra
interface becomes available, and, in the BDD-based implementations, an im-
plementation with partial operations can be realised with much lower overhead
than the total operations of the “types as objects” view.
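One way to see what the “sets as objects” view costs and buys, as an added Python sketch that is not the paper's SetRel or KURE code: every morphism carries its finite source and target, composition compares them at run time (either failing, the partial-operation route, or returning None, the route a monad would take), and identities and full complements become available because every object is a finite set. The class, its method names and the sample relation r are this example's own; the two empty relations are the text's example.

```python
"""'Sets as objects': relations that carry their finite source and target.

Added example, not code from the paper or its SetRel implementation.
"""


class SetRel:
    def __init__(self, source, target, pairs=()):
        self.source = frozenset(source)
        self.target = frozenset(target)
        self.pairs = frozenset(pairs)
        stray = [p for p in self.pairs
                 if p[0] not in self.source or p[1] not in self.target]
        if stray:
            raise ValueError(f"pairs outside the carriers: {stray}")

    # Morphisms are equal only if source, target and graph all agree, so the
    # empty relation {0,1} -> {0,1,2} differs from the empty {0,1,2,3} -> {0}.
    def __eq__(self, other):
        return (isinstance(other, SetRel) and self.source == other.source
                and self.target == other.target and self.pairs == other.pairs)

    def __hash__(self):
        return hash((self.source, self.target, self.pairs))

    @staticmethod
    def identity(carrier):
        """Identities exist here because every object is a finite set."""
        return SetRel(carrier, carrier, ((a, a) for a in carrier))

    @staticmethod
    def top(source, target):
        return SetRel(source, target, ((a, b) for a in source for b in target))

    def converse(self):
        return SetRel(self.target, self.source, ((b, a) for a, b in self.pairs))

    def complement(self):
        """A full complement, not only a pseudo-complement: top is finite."""
        return SetRel(self.source, self.target,
                      SetRel.top(self.source, self.target).pairs - self.pairs)

    def compose(self, other):
        """Partial operation: raises on morphism incompatibility."""
        if self.target != other.source:
            raise TypeError(f"incompatible morphisms: target {set(self.target)} "
                            f"is not source {set(other.source)}")
        preds = {}
        for a, b in self.pairs:
            preds.setdefault(b, set()).add(a)
        pairs = ((a, c) for b, c in other.pairs for a in preds.get(b, ()))
        return SetRel(self.source, other.target, pairs)

    def try_compose(self, other):
        """Total variant: None instead of a run-time failure."""
        try:
            return self.compose(other)
        except TypeError:
            return None


def demo():
    """The two empties are the text's example; r is a constructed relation."""
    empty1 = SetRel({0, 1}, {0, 1, 2})
    empty2 = SetRel({0, 1, 2, 3}, {0})
    r = SetRel({0, 1}, {0, 1, 2}, {(0, 1), (1, 2)})
    return {
        "empties_distinct": empty1 != empty2,
        "incompatible_is_none": r.try_compose(empty2) is None,
        "identity_law": (r.compose(SetRel.identity(r.target)) == r
                         and SetRel.identity(r.source).compose(r) == r),
        "complement_size": len(r.complement().pairs),   # 2*3 - 2
        "converse_twice": r.converse().converse() == r,
    }
```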

4 Implementation
The main reason why previously no significant relation library existed for Haskell
is, in my opinion, that all “obvious” implementation choices inside the language
are unsatisfactory.
More space- and time-efficient representations that also can make use of cer-
tain regularities in the structure to achieve more compact representations are
based on binary decision diagrams (BDDs) [4]. Several BDD packages are freely
available, but the only known Haskell implementations are still rather inefficient
and incomplete. Even with a Haskell BDD library, or with a complete Haskell
binding to an external BDD library, there still would be considerable way to
go to implement relation algebraic operations; we are aware of two BDD-based
implementations of relational operations: gbdd [22] is a C++ library providing
relational operations using a choice of underlying BDD C libraries, and KURE
[20] is the BDD-based kernel library of the RelView system [1]; KURE is written
in C, and provides many special-purpose functions such as producing element
relations between sets and their powersets [18]. Since C++ is notoriously hard
to interface with Haskell, KURE remains as the natural choice for implementing
Data.Rel with reasonable effort.
However, it turned out that producing a Haskell binding KureRel to KURE
still was a non-trivial task, mainly because of heavily imperative APIs motivated
by the graphical user interaction with RelView. In addition, RelView and KURE
do not support relations where at least one dimension is zero; we take care of
this entirely on the Haskell side.
On top of KureRel, we have implemented instances for (the appropriate parts
of) the semigroupoid class hierarchy for three datatype constructors.
CRel is used for the relation algebra of finite relations between finite sets. For
this, all provided interfaces have been implemented. A CRel is implemented as a
triple consisting of two Carriers representing the source and target sets (together
with eventual sum, product, or powerset structure), and one KureRel with the
dimensions of the two carriers. SetRel is a special case of this, where both source
and target are plain set carriers.
TypeRel is used for the Dedekind semigroupoid of finite relations between
Haskell types. Carriers provide support for choices of sum and product, and Rel
is the special case of TypeRel for unstructured carriers. The implementation of
TypeRel is just a wrapper around CRel, and the implementations of the relational
operations automatically generate adaptation injections as necessary.
NRel is used for finite relations between the sets n for n ∈ N, where 0 = ∅
and n + 1 = {0, . . . , n}. This gives rise to a relation algebra, but since no choice
of products or sums is injective, the product- and sum-related classes cannot be
implemented. NRel is a simple wrapper around KureRel that is necessary only
for typing reasons.
FinMap, finally, is a first example of an implementation that is not based on
KureRel; it is used for finite partial functions between Haskell types, which form
a lower semilattice semigroupoid with domain, range, zero-morphisms, pseudo-
complements, and a large part of the product and sum interface. FinMap uses
Data.Map.Map for its implementation; since it uses (,) and Either as choice for
product and sum, some of the product and sum interfaces currently apparently
cannot be implemented in Haskell for constraint propagation reasons.
Our library can be used interactively from the Haskell interpreter GHCi, which
provides a very flexible environment for experimentation. For example, using
a small utility function classGraph written using the Haskell syntax datatypes
and parsing functions included with the GHC distribution, we can extract the
subclass relation for the semigroupoid classes of our library by passing it the
relevant source file location, and then find out about the type of the produced
relation, its numbers of nodes and edges, and, just as an example, display those
edges that are the only incoming edges at their target and the only outgoing
edges at their source, once producing a RelView-style bit matrix drawing, and
once using dot to layout the produced subgraph; finally use a 3D graph layout
algorithm to present relation g1 in an OpenGL viewing window:
> cg <- classGraph ["Data/Rel/Classes.lhs"]
> :t cg
cg :: SetRel HsId HsId
> Carrier.size $ source cg
81
> length $ Data.Rel.toList cg
144
> gv $ tighten $ injectivePart cg &&& univalentPart cg
> dot $ tightenEndo $ injectivePart cg &&& univalentPart cg
> gl' g1

[Figure: the subgraph displayed by gv and by dot; its nodes are the classes
HasDifference, NESetCompr, Edge, HasComplement, LocPreOrd and Power.]

5 Conclusion
Starting from the insight that, with relations as data, the usual model is one of
finite relations between both finite and infinite types, we showed that a hierarchy
of relational theories based on semigroupoids instead of categories still captures
essentially all expressivity of relation algebraic formalisations at only minimal
cost of working around the absence of identities. We believe that, in this context,
our axiomatisations of subidentities, restricted residuals, restricted top elements,
and transitive closure are interesting contributions.
We used this hierarchy of theories to guide the design of a collection of Haskell
type class interfaces, and provided implementations both for the rather intuitive
“types as objects” view where we have to live with the absence of identities, and
for a “finite sets as objects” view, where we have the full theory and interface
of relation algebras at our disposal. These implementations of concrete relations
are based on the efficient BDD routines of the RelView kernel library KURE.
To Haskell programmers, this offers a standard data type for finite relations
that had been sorely missing, with an implementation that is so efficient that
for many uses it will now be perfectly feasible to just write down a point-free
relation-algebraic formulation, without spending any effort on selecting or devel-
oping a non-point-free algorithm which usually would be much less perspicuous.
Even for hard problems this can be a viable method; Berghammer and Milanese
describe how to implement a direct SAT solver in RelView, and report that this
performs quite competitively for satisfiable problems [2]. It is straightforward to
translate such RelView algorithms into Haskell using our library; this essentially
preserves performance, and in many cases also adds type safety.
To those interested in programming with relations, we offer an interface to
the state-of-the-art BDD-based relation-algebraic toolkit KURE in the state-
of-the-art pure functional programming language Haskell. In comparison with
for example the imperative special-purpose programming language of RelView,
this has obvious advantages in flexibility, interoperability, and accessibility. Es-
pecially those who are mathematically inclined will feel more at home in Haskell
than in the RelView programming language or in C or Java, which are the other
alternatives for access to KURE.
Acknowledgements. I am grateful to Scott West for his collaboration in the
implementation of the KURE Haskell binding, supported by an NSERC USRA
and a McMaster Workstudy position, and to Shiqi Cao for his work on the
OpenGL visualisation and 3D graph layout, supported by McMaster Engineering
UROP and Workstudy positions, and to NSERC for additional funding.

References
[1] R. Berghammer, T. Hoffmann, B. Leoniuk, U. Milanese. Prototyping and
Programming with Relations. ENTCS 44(3) 3.1–3.24, 2003.
[2] R. Berghammer, U. Milanese. Relational Approach to Boolean Logic Prob-
lems. In I. Düntsch, W. McCaull, M. Winter, eds., 8th Intl. Conf. Relational
Methods in Computer Science, RelMiCS 8, LNCS 3929. Springer, 2006.
[3] C. Brink, W. Kahl, G. Schmidt, eds. Relational Methods in Computer Science.
Advances in Computing Science. Springer, Wien, New York, 1997.
[4] R. E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation.
IEEE Transactions on Computers C-35(8) 677–691, 1986.
[5] C. Coquand. Agda, 2000. http://www.cs.chalmers.se/~catarina/agda/.
[6] J. Desharnais, B. Möller, G. Struth. Kleene Algebra with Domain. ACM
Transactions on Computational Logic, 2006.
[7] D. Dougherty, C. Gutiérrez. Normal Forms and Reduction for Theories of
Binary Relations. In L. Bachmair, ed., Rewriting Techniques and Applications,
Proc. RTA 2000, LNCS 1833, pp. 95–109. Springer, 2000.
[8] P. J. Freyd, A. Scedrov. Categories, Allegories, North-Holland Mathematical
Library 39. North-Holland, Amsterdam, 1990.
[9] E. R. Gansner, E. Koutsofios, S. C. North, K.-P. Vo. A Technique for
Drawing Directed Graphs. IEEE-TSE 19 214–230, 1993.
[10] A. Haeberer et al. Fork Algebras. In [3], Chapt. 4, pp. 54–69.
[11] W. Kahl, G. Schmidt. Exploring (Finite) Relation Algebras Using Tools Written
in Haskell. Technical Report 2000-02, Fakultät für Informatik, Universität der
Bundeswehr München, 2000. http://ist.unibw-muenchen.de/relmics/tools/RATH/.
[12] W. Kahl. A Relation-Algebraic Approach to Graph Structure Transformation,
2001. Habil. Thesis, Fakultät für Informatik, Univ. der Bundeswehr München,
Techn. Bericht 2002-03.
[13] W. Kahl. Refactoring Heterogeneous Relation Algebras around Ordered Cate-
gories and Converse. J. Relational Methods in Comp. Sci. 1 277–313, 2004.
[14] W. Kahl. HsDep: Dependency Graph Generator for Haskell. Available at
http://www.cas.mcmaster.ca/~kahl/Haskell/, 2004.
[15] D. Kozen. A Completeness Theorem for Kleene Algebras and the Algebra of
Regular Events. Inform. and Comput. 110(2) 366–390, 1991.
[16] D. Kozen. Kleene Algebra with Tests. ACM Transactions on Programming Lan-
guages and Systems pp. 427–443, 1997.
[17] D. Kozen. Typed Kleene Algebra. Technical Report 98-1669, Computer Science
Department, Cornell University, 1998.
[18] B. Leoniuk. ROBDD-basierte Implementierung von Relationen und relationalen
Operationen mit Anwendungen. PhD thesis, Institut für Informatik und Praktis-
che Mathematik, Christian-Albrechts-Universität Kiel, 2001.
[19] S. Mac Lane. Categories for the Working Mathematician. Springer-Verlag, 1971.
[20] U. Milanese. KURE: Kiel University Relation Package, Release 1.0.
http://www.informatik.uni-kiel.de/~progsys/relview/kure, 2004.
[21] B. Möller. Typed Kleene algebras. Technical Report 1999-8, Institut für Infor-
matik, Universität Augsburg, 1999.
[22] M. Nilsson. GBDD — A package for representing relations with BDDs. Available
from http://www.regularmodelchecking.com/, 2004.
[23] S. Peyton Jones et al. The Revised Haskell 98 Report. Cambridge Univ. Press,
2003. Also on http://haskell.org/.
[24] G. Schmidt, C. Hattensperger, M. Winter. Heterogeneous Relation Algebra.
In [3], Chapt. 3, pp. 39–53.
[25] L. Schröder. Isomorphisms and splitting of idempotents in semicategories.
Cahiers de Topologie et Géométrie Différentielle catégoriques 41 143–153, 2000.
[26] B. Tilson. Categories as algebra: an essential ingredient in the theory of monoids.
Journal of Pure and Applied Algebra 48 83–198, 1987.
[27] P. Weil. Profinite methods in semigroup theory. Intl. J. Algebra Comput. 12
137–178, 2002.
On the Cardinality of Relations

Yasuo Kawahara

Department of Informatics, Kyushu University 33, Fukuoka 812-8581, Japan

Abstract. This paper will discuss and characterise the cardinality of
boolean (crisp) and fuzzy relations. The main result is a Dedekind in-
equality for the cardinality, which enables us to manipulate the cardinal-
ity of the composites of relations. As applications a few relational proofs
for the basic theorems on graph matchings, and fundamentals about net-
work flows will be given.

1 Introduction
The obvious relationship between relations and graphs has been recognised by
many researchers. Given a graph, the numbers of its nodes and edges, that is, the
cardinalities of the sets of nodes and edges respectively, are fundamental data to
analyse and characterise it. Since graphs are one of the important data structures
in computer science, their formal or computational study from a relational point
of view is interesting for computer science. The book “Relations and Graphs” [4]
by Schmidt and Ströhlein is an excellent exposition of the subject for computer
science and applied mathematics. Unfortunately, the cardinality of relations is
treated rather implicitly or intuitively in the book. The aim of this paper
is to find a law on the cardinality of relations, which enables us to solve problems
on graphs and algorithms by relational methods. To achieve this the
author recalls the Dedekind formula (or the law of modularity [2]), namely the most
significant law of relations, and has found that an inequality, which we will
call the Dedekind inequality, effectively dominates the behaviour of cardinalities of
fuzzy relations as well as boolean (crisp) relations. The soundness of the formulation
of cardinalities in the paper will be seen in the characterisation Theorems 2 and 6.
The paper is organised as follows. In Section 2 we prove the Dedekind in-
equality and some basic properties of the cardinality as consequences of the Dedekind
inequality. Also a characterisation of the cardinality of relations between finite
sets will be given. In Section 3, the Dedekind inequality will be applied to basic
graph theory. That is, Hall’s theorem and König’s theorem will be demonstrated
using the relational calculus. In Section 4 we recall some fundamentals on fuzzy
relations. In Section 5 the cardinality of fuzzy relations between finite sets will
be defined and a Dedekind inequality will be shown for fuzzy relations. Also we
will show a characterisation of the cardinality of fuzzy relations between finite
sets. In Section 6 we will try to give a relational framework for network flows.
Finally another proof of Hall’s theorem is given as an application of the relational
theory of network flows.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 251–265, 2006.
© Springer-Verlag Berlin Heidelberg 2006
252 Y. Kawahara

2 Cardinality of Boolean Relations

In this section we intend to define and discuss the cardinality of relations. First
we recall the elements on the cardinality of sets. For two sets A and B the
notation |A| = |B| means that there is a bijection from A onto B, and |A| ≤ |B|
means that there is an injection from A into B. It is a basic fact that (1) |A| ≤ |A|,
(2) if |A| ≤ |B| and |B| ≤ |C| then |A| ≤ |C|, (3) |A| = |B| iff |A| ≤ |B| and
|B| ≤ |A| (Bernstein and Schröder’s Theorem). On the other hand the cardinality
of a finite set may be regarded as a natural number.
We now review some relational notations and terminology used in this paper.
A (boolean) relation $\alpha : X \rightharpoonup Y$ of a set X into a set Y is usually defined to
be a subset of the cartesian product $X \times Y$. Let $\alpha, \alpha' : X \rightharpoonup Y$ and $\beta : Y \rightharpoonup Z$
be relations. The composite of α followed by β will be written as $\alpha\beta$. The join
and the meet of α and α' are denoted by $\alpha \sqcup \alpha'$ and $\alpha \sqcap \alpha'$, respectively. The
converse and the complement of α are presented by $\alpha^{\sharp}$ and $\alpha^{-}$, respectively. Also
$\mathrm{id}_X : X \rightharpoonup X$, $0_{XY} : X \rightharpoonup Y$ and $\nabla_{XY} : X \rightharpoonup Y$ denote the identity relation, the
least (or zero) relation and the greatest (or universal) relation, respectively. α is
univalent if $\alpha^{\sharp}\alpha \sqsubseteq \mathrm{id}_Y$, and it is total if $\mathrm{id}_X \sqsubseteq \alpha\alpha^{\sharp}$. A function is a univalent and
total relation. It will be introduced as $f : X \to Y$. (Univalent relations are often
called partial functions. In this view a partial function is not always a function,
unless it is total.) A function $f : X \to Y$ is called a surjection if $f^{\sharp}f = \mathrm{id}_Y$,
and an injection if $ff^{\sharp} = \mathrm{id}_X$. In what follows, the word boolean relation is a
synonym for relation on sets.
As a relation $\alpha : X \rightharpoonup Y$ is a subset of $X \times Y$, the cardinality |α| of α is
defined to be its cardinality as a set. For relations $\alpha, \alpha' : X \rightharpoonup Y$ it trivially holds
that (i) $|\alpha^{\sharp}| = |\alpha|$ and (ii) if $\alpha \sqsubseteq \alpha'$ then $|\alpha| \le |\alpha'|$.
It is the most fundamental question to find out how the cardinality of rela-
tions behaves under the composition of relations. The next theorem answers the
question by establishing an inequality for the cardinality of relations that we will
call Dedekind inequality. The proof of Theorem 1 is the only non-calculational
argument in the paper.
Theorem 1. Let $\alpha : X \rightharpoonup Y$, $\beta : Y \rightharpoonup Z$ and $\gamma : X \rightharpoonup Z$ be relations. If α is
univalent, i.e. if $\alpha^{\sharp}\alpha \sqsubseteq \mathrm{id}_Y$, then the following inequalities hold:
$$|\beta \sqcap \alpha^{\sharp}\gamma| \le |\alpha\beta \sqcap \gamma| \quad\text{and}\quad |\alpha \sqcap \gamma\beta^{\sharp}| \le |\alpha\beta \sqcap \gamma|.$$

Proof. Let $(x, z) \in \alpha\beta \sqcap \gamma$. Then by the definition of composition of relations
and the univalency of α, there exists a unique element $y \in Y$ such that $(x, y) \in \alpha$
and $(y, z) \in \beta$. Hence we have the following two mappings
$$\varphi : \alpha\beta \sqcap \gamma \to \alpha \sqcap \gamma\beta^{\sharp} \quad\text{and}\quad \psi : \alpha\beta \sqcap \gamma \to \alpha^{\sharp}\gamma \sqcap \beta$$
by $\varphi(x, z) = (x, y)$ and $\psi(x, z) = (y, z)$, respectively. It is clear that both φ
and ψ are surjective, which shows the desired inequalities. □

A relation $\alpha : X \rightharpoonup Y$ is called a matching (or partial bijection) if $\alpha^{\sharp}\alpha \sqsubseteq \mathrm{id}_Y$ and
$\alpha\alpha^{\sharp} \sqsubseteq \mathrm{id}_X$. Matchings are closed under composition and converse. Let I denote
On the Cardinality of Relations 253

the singleton set {∗}. It is readily seen that $\mathrm{id}_I = \nabla_{II}$ and $\nabla_{XI}\nabla_{IX} = \nabla_{XX}$ for
all sets X.
The Dedekind inequality is very fruitful as we will see below:
Corollary 1. Let $\alpha : X \rightharpoonup Y$, $\beta : Y \rightharpoonup Z$ and $\gamma : X \rightharpoonup Z$ be relations. Then
the following holds:
(a) If α and β are univalent, then $|\alpha\beta \sqcap \gamma| = |\alpha \sqcap \gamma\beta^{\sharp}|$.
(b) If α is a matching, then $|\alpha\beta \sqcap \gamma| = |\beta \sqcap \alpha^{\sharp}\gamma|$.
(c) If α is univalent and β is a function, then $|\alpha\beta| = |\alpha|$.
(d) If α is a matching, then $|\alpha^{\sharp}\alpha\beta| = |\alpha\beta|$.
(e) If α is a matching, then $|\nabla_{IX}\alpha| = |\alpha|$.
(f) If $u \sqsubseteq \mathrm{id}_X$, then $|\nabla_{IX}u| = |u|$. In particular $|\nabla_{IX}| = |\mathrm{id}_X|$ (= |X|).
(g) If β is an injection, then $|\alpha| = |\alpha\beta|$.
(h) If α is an injection, then $|\nabla_{IX}| \le |\nabla_{IY}|$.
Proof. (a) Let α and β be univalent. Then we have
  $|\alpha \sqcap \gamma\beta^{\sharp}| \le |\alpha\beta \sqcap \gamma|$  { Theorem 1, α : univalent }
  $= |\gamma^{\sharp} \sqcap \beta^{\sharp}\alpha^{\sharp}|$  { (i), $(\alpha\beta \sqcap \gamma)^{\sharp} = \gamma^{\sharp} \sqcap \beta^{\sharp}\alpha^{\sharp}$ }
  $\le |\beta\gamma^{\sharp} \sqcap \alpha^{\sharp}|$  { Theorem 1, β : univalent }
  $= |\alpha \sqcap \gamma\beta^{\sharp}|$.  { (i), $(\beta\gamma^{\sharp} \sqcap \alpha^{\sharp})^{\sharp} = \alpha \sqcap \gamma\beta^{\sharp}$ }
(b) Let α be a matching. Then it follows that
  $|\beta \sqcap \alpha^{\sharp}\gamma| \le |\alpha\beta \sqcap \gamma|$  { Theorem 1, α : univalent }
  $\le |\alpha^{\sharp}\gamma \sqcap \beta|$.  { Theorem 1, $\alpha^{\sharp}$ : univalent }
(c) Let α be univalent and β a function. It follows from the totality of β that
$\nabla_{XZ}\beta^{\sharp} = \nabla_{XY}$. Hence we have
  $|\alpha\beta| = |\alpha \sqcap \nabla_{XZ}\beta^{\sharp}|$  { (a) }
  $= |\alpha|$.  { $\nabla_{XZ}\beta^{\sharp} = \nabla_{XY}$ }
(d) Assume α is a matching. Then $\alpha^{\sharp}$ is a matching too and so
  $|\alpha^{\sharp}\alpha\beta| = |\alpha\beta \sqcap \alpha\nabla_{YZ}|$  { (b), $\alpha^{\sharp}$ : matching }
  $= |\alpha\beta|$.  { $\alpha\beta \sqsubseteq \alpha\nabla_{YZ}$ }
(e) Assume α is a matching. Then we have
  $|\nabla_{IX}\alpha| = |\alpha^{\sharp}\nabla_{XI}|$  { (i) }
  $= |\alpha^{\sharp}|$  { (c), $\alpha^{\sharp}$ : univalent, $\nabla_{XI}$ : function }
  $= |\alpha|$.  { (i) }
(f) Every subidentity $u \sqsubseteq \mathrm{id}_X$ is a matching. Hence it holds by (e).
(g) Assume β is an injection. Then it follows that
  $|\alpha| = |\alpha\beta\beta^{\sharp}|$  { $\mathrm{id}_Y = \beta\beta^{\sharp}$ }
  $= |\alpha\beta|$.  { (d) and (i), β : matching }
(h) Assume α is an injection. Noticing that $\nabla_{XI}$ is a function, we have
  $|\nabla_{IX}| = |\nabla_{IX}\alpha|$  { (c) and (i), using $\alpha\nabla_{YI} = \nabla_{XI}$ since α is total }
  $\le |\nabla_{IY}|$.  { (ii), $\nabla_{IX}\alpha \sqsubseteq \nabla_{IY}$ } □



Now recall an interesting example given by Tarski [5]. Let $\alpha, \beta : X \rightharpoonup X$ be a
pair of univalent relations with $\alpha^{\sharp}\beta = \nabla_{XX}$. Then it follows that
  $|\nabla_{XX}| = |\alpha^{\sharp}\beta \sqcap \nabla_{XX}|$  { $\alpha^{\sharp}\beta = \nabla_{XX}$ }
  $\le |\beta \sqcap \alpha\nabla_{XX}|$  { Dedekind inequality, α : univalent }
  $= |\beta \sqcap \mathrm{id}_X(\nabla_{XX}\alpha^{\sharp})^{\sharp}|$
  $\le |\mathrm{id}_X \sqcap \beta\nabla_{XX}\alpha^{\sharp}|$  { Dedekind inequality, β : univalent }
  $\le |\mathrm{id}_X|$,
which means $|X \times X| \le |X|$. But it is obvious that the last inequality holds only
if X is the empty set, a singleton set or an infinite set. The example suggests
that the validity of a relational formula
$$\alpha^{\sharp}\beta \sqcup [(\alpha^{\sharp}\alpha)^{-} \sqcap \mathrm{id}] \sqcup [(\beta^{\sharp}\beta)^{-} \sqcap \mathrm{id}] = \nabla$$
depends on the interpretation set X of relations.


Throughout the rest of the paper we assume that symbols X, Y, Z and V
denote finite sets. Thus all relations $\alpha : X \rightharpoonup Y$ are finite sets and so the
cardinality |α| can be represented by a natural number. For finite sets X and
Y the set of all relations from X into Y will be denoted by Rel(X, Y). The
cardinalities of relations on finite sets are characterised as follows.
Theorem 2. A family of mappings $|\cdot| : \mathrm{Rel}(X, Y) \to \mathbb{N}$ defined for all pairs
(X, Y) of finite sets coincides with the cardinality of relations iff it satisfies the
following four conditions:
(a) $|\alpha| = 0$ iff $\alpha = 0_{XY}$.
(b) $|\mathrm{id}_I| = 1$ and $|\alpha^{\sharp}| = |\alpha|$.
(c) $|\alpha \sqcup \alpha'| = |\alpha| + |\alpha'| - |\alpha \sqcap \alpha'|$. In particular $\alpha \sqsubseteq \alpha'$ implies $|\alpha| \le |\alpha'|$.
(d) (Dedekind inequality) If α is univalent, then $|\beta \sqcap \alpha^{\sharp}\gamma| \le |\alpha\beta \sqcap \gamma|$ and
$|\alpha \sqcap \gamma\beta^{\sharp}| \le |\alpha\beta \sqcap \gamma|$ hold. □

For the proof of the last theorem we note that every element of X can be
identified with a point relation $\hat{x} : I \rightharpoonup X$ defined by $\hat{x} = \{(\ast, x)\}$. Note that
all point relations $x = \hat{x} : I \rightharpoonup X$ are injections. And the so-called point axioms
hold: (PA1) $x \sqcap x' = 0_{IX}$ iff $x \ne x'$, and (PA2) for all relations $\rho : I \rightharpoonup X$
an identity $\rho = \bigsqcup_{x \sqsubseteq \rho} x$ holds. In particular $\bigsqcup_{x \in X} x = \nabla_{IX}$. (Remark that the
subscript $x \sqsubseteq \rho$ in (PA2) is an abbreviation of $x \in X$ and $x \sqsubseteq \rho$.) Note that by
the point axiom a relation $\rho : I \rightharpoonup X$ bijectively corresponds to a subset S of X
such that $S = \{x \in X \mid x \sqsubseteq \rho\}$.
The following proposition gives an expansion formula for the cardinality
of relations and thereby a proof of Theorem 2. (Cf. Proof of Theorem 6 in Section 4.)

Proposition 1. Assume a family of mappings $|\cdot| : \mathrm{Rel}(X, Y) \to \mathbb{N}$ defined for
all pairs (X, Y) of finite sets satisfies all the conditions in Theorem 2. Then for
relations $\alpha : X \rightharpoonup Y$, $\rho, \rho_0, \rho_1 : I \rightharpoonup X$ and $\mu : I \rightharpoonup Y$ the following holds:
(a) $0 \le |\alpha| \le |\nabla_{XY}| = |X||Y|$.
(b) $|\alpha \sqcap x^{\sharp}\mu| = |x\alpha \sqcap \mu|$.
(c) $|\alpha \sqcap (\rho_0 \sqcup \rho_1)^{\sharp}\mu| = |\alpha \sqcap \rho_0^{\sharp}\mu| + |\alpha \sqcap \rho_1^{\sharp}\mu| - |\alpha \sqcap (\rho_0 \sqcap \rho_1)^{\sharp}\mu|$.
(d) $|\alpha \sqcap \rho^{\sharp}\mu| = \sum_{x \sqsubseteq \rho} |x\alpha \sqcap \mu| = \sum_{x \sqsubseteq \rho}\sum_{y \sqsubseteq \mu} |x\alpha y^{\sharp}|$.
(e) $|\alpha| = \sum_{x \in X}\sum_{y \in Y} |x\alpha y^{\sharp}|$. □

Remark. (1) Let $\alpha : X \rightharpoonup Y$ be a relation. Then $(x, y) \in \alpha$ iff $x\alpha y^{\sharp} = \mathrm{id}_I$.
(2) There are exactly two relations on I, namely $0_{II}$ and $\mathrm{id}_I$ (= $\nabla_{II}$).

3 Application to Graphs
Let $\alpha : X \rightharpoonup Y$ be a relation. A matching $f : X \rightharpoonup Y$ is called a matching of α
if $f \sqsubseteq \alpha$. The following proposition shows a simple inequality deduced from the
condition (c) in Theorem 2 and the fact that a matching is a partial bijection.
Proposition 2. Let $\alpha : X \rightharpoonup Y$ be a relation and $f : X \rightharpoonup Y$ a matching of α.
Then an inequality $|f| \le |\nabla_{IX}| - (|\rho| - |\rho\alpha|)$ holds for all relations $\rho : I \rightharpoonup X$.
Proof. It follows from the Dedekind formula that $\rho \sqcap \nabla_{IY}f^{\sharp} = \rho ff^{\sharp}$. Hence we have
  $|\rho \sqcap \nabla_{IY}f^{\sharp}| = |\rho ff^{\sharp}|$  { $\rho \sqcap \nabla_{IY}f^{\sharp} = \rho ff^{\sharp}$ }
  $= |\rho f|$.  { Corollary 1(d) }
and
  $|\nabla_{IY}f^{\sharp}| = |f^{\sharp}|$  { Corollary 1(e) }
  $= |f|$.  { (i) }
Therefore we have an inequality
  $|\nabla_{IX}| \ge |\rho \sqcup \nabla_{IY}f^{\sharp}|$  { $\rho \sqcup \nabla_{IY}f^{\sharp} \sqsubseteq \nabla_{IX}$ }
  $= |\rho| + |\nabla_{IY}f^{\sharp}| - |\rho \sqcap \nabla_{IY}f^{\sharp}|$  { Theorem 2(c) }
  $= |\rho| + |f| - |\rho f|$
  $\ge |\rho| + |f| - |\rho\alpha|$.  { $f \sqsubseteq \alpha$ } □

Corollary 2. Let $\alpha : X \rightharpoonup Y$ be a relation. For all matchings $f : X \rightharpoonup Y$ of α
an inequality
$$|f| \le |\nabla_{IX}| - \delta(\alpha)$$
holds, where $\delta(\alpha) = \max\{|\rho| - |\rho\alpha| \mid \rho : I \rightharpoonup X\}$. □

The number δ(α) is an integer with $0 \le \delta(\alpha) \le |\nabla_{IX}|$ (because $|\rho| - |\rho\alpha| = 0$
when $\rho = 0_{IX}$). For example, $\delta(0_{XY}) = |\nabla_{IX}|$ and if α is a matching then
$\delta(\alpha) = 0$.
Theorem 3 (Hall’s Theorem). Let $\alpha : X \rightharpoonup Y$ be a relation and X a non-
empty set. Then there exists an injection (or total matching) $f : X \to Y$ with
$f \sqsubseteq \alpha$ iff for all relations $\rho : I \rightharpoonup X$ an inequality $|\rho| \le |\rho\alpha|$ holds.

Proof. (Necessity) Let f be an injection with $f \sqsubseteq \alpha$. Then it simply holds that
  $|\rho| = |\rho f|$  { Corollary 1(g) }
  $\le |\rho\alpha|$.  { $f \sqsubseteq \alpha$ }
(Sufficiency) A few traditional graph theoretic proofs are known. However, in this
paper we will give another proof using the existence of maximal flows at the end
of Section 6. □

The following theorem shows a relational version of the so-called König’s


theorem.

Theorem 4. Let α : X  Y be a relation. If δ(α) > 0, then there exists a


maximal matching f : X → Y of α such that |f | = |∇XI | − δ(α).

Proof. Choose a set Z with |∇IZ | = δ(α) and construct a coproduct Y + Z of Y and Z together with injections i : Y → Y + Z and j : Z → Y + Z. (Recall that i i  j  j = idY +Z , ii = idY , jj  = idZ and ij  = 0Y Z .) Define a relation α̂ : X  Y + Z by α̂ = αi  ∇XZ j. Then for all relations ρ : I  X we have
|ρα̂| = |ρ(αi  ∇XZ j)|      { α̂ = αi  ∇XZ j }
= |ρα| + |ρ∇XZ |      { |ραi| = |ραii | = |ρα| }
= |ρα| + |∇IZ |      { ρ = 0IX implies ρ∇XZ = ∇IZ }
= |ρα| + δ(α)      { |∇IZ | = δ(α) }
≥ |ρα| + (|ρ| − |ρα|)
= |ρ|.
By Hall's theorem there is an injection g : X → Y + Z with g  α̂. Now we set f = gi : X  Y . Then f is a matching, because
f  f = (gi ) (gi ) = ig  gi  ii = idY ,
f f  = (gi )(gi ) = gi ig   gg  = idX .
Also we have
|∇IX | = |g| = |g(i i  j  j)| = |gi | + |gj  |
and so
|f | = |gi | = |∇IX | − |gj  | ≥ |∇IX | − |∇IZ | = |∇IX | − δ(α).
On the other hand |f | ≤ |∇IX | − δ(α) holds by Corollary 2. Therefore |f | = |∇IX | − δ(α) and f is maximal. 
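To make Theorem 3, Corollary 2 and Theorem 4 concrete on small instances, here is an added worked example in Python; it is constructed for this page and is not the paper's own code. Boolean relations are sets of pairs, δ(α) is computed by exhaustive search over all ρ : I ⇝ X, and a maximal matching is found with the ordinary augmenting-path method, which is an assumption of the example rather than the paper's flow-based construction. The instance relations ALPHA1 and ALPHA2 are constructed.

```python
from itertools import combinations

# Constructed example, not code from the paper: boolean relations α : X ⇝ Y as
# sets of pairs, the deficiency δ(α) of Corollary 2 by exhaustive search over
# all ρ : I ⇝ X, and a maximum matching (found here with the standard
# augmenting-path method, which the paper does not use) to check Theorem 3
# and Theorem 4 on small instances.

def image(rho, alpha):
    """ρα for a subset ρ of X: the set of y related to some x ∈ ρ."""
    return {y for (x, y) in alpha if x in rho}

def deficiency(X, alpha):
    """δ(α) = max{|ρ| − |ρα| : ρ ⊆ X}; the empty ρ contributes 0, so δ(α) ≥ 0."""
    return max(len(rho) - len(image(rho, alpha))
               for r in range(len(X) + 1) for rho in combinations(X, r))

def hall_condition(X, alpha):
    """Hypothesis of Theorem 3: |ρ| ≤ |ρα| for all ρ ⊆ X, i.e. δ(α) = 0."""
    return deficiency(X, alpha) == 0

def is_matching(f):
    """f is univalent (no x matched twice) and injective (no y matched twice)."""
    xs = [x for x, _ in f]
    ys = [y for _, y in f]
    return len(set(xs)) == len(xs) and len(set(ys)) == len(ys)

def maximum_matching(X, alpha):
    """A maximal matching f ⊑ α via augmenting paths (Kuhn's algorithm)."""
    match_y = {}                           # y -> x currently matched to y

    def try_match(x, seen):
        for (a, y) in alpha:
            if a == x and y not in seen:
                seen.add(y)
                if y not in match_y or try_match(match_y[y], seen):
                    match_y[y] = x
                    return True
        return False

    for x in X:
        try_match(x, set())
    return {(x, y) for y, x in match_y.items()}

def check_theorems(X, alpha):
    """Returns (|f|, |∇IX| − δ(α), Hall's condition holds, f is total) for a
    maximal matching f; Theorem 4 says the first two coincide, Theorem 3 says
    the last two do."""
    f = maximum_matching(X, alpha)
    assert is_matching(f) and f <= alpha
    total = {x for x, _ in f} == set(X)
    return len(f), len(X) - deficiency(X, alpha), hall_condition(X, alpha), total

# Constructed instances.  ALPHA1 violates Hall's condition on ρ = {x1, x2}
# (two elements with a single common neighbour); ALPHA2 satisfies it.
X1, ALPHA1 = ("x1", "x2", "x3"), {("x1", "y1"), ("x2", "y1"), ("x3", "y2")}
X2, ALPHA2 = ("x1", "x2"), {("x1", "y1"), ("x1", "y2"), ("x2", "y2")}

if __name__ == "__main__":
    print(check_theorems(X1, ALPHA1))   # (2, 2, False, False)
    print(check_theorems(X2, ALPHA2))   # (2, 2, True, True)
```

For ALPHA1 the deficiency is 1, so by Theorem 4 every maximal matching has exactly |X| − 1 = 2 pairs; for ALPHA2 the deficiency is 0 and Theorem 3 yields a total matching.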


4 Fuzzy Relations
First we recall some binary operations on the unit interval that are useful for defining operations on fuzzy relations. The unit interval [0, 1] is a set whose elements are all reals r with 0 ≤ r ≤ 1. We use four binary operations “ ∨ ”, “ ∧ ”, “  ” and “ ⊕ ” on [0, 1] defined by a• = 0 if a = 0 and a• = 1 otherwise, a∨b = max{a, b}, a∧b = min{a, b}, ab = max{0, a−b} and a⊕b = min{1, a+b} for all a, b ∈ [0, 1]. A real a ∈ [0, 1] is called boolean if a = 0 or a = 1. It is easy to see the following basic facts:

Proposition 3. For reals a, b, c ∈ [0, 1] the following holds:
(a) a ≤ a• = a• • and (a  b) ∧ (b  a) = 0.
(b) a  b = (a ∨ b) − b. In particular, a  b = a − b if b ≤ a.
(c) a = (a  b) ⊕ (a ∧ b).
(d) If a ≤ c and b ≤ c  a, then a ⊕ b = a + b ≤ c.
(e) If a is boolean, then a ∧ (b  c) = (a ∧ b)  (a ∧ c).
(f) If a is boolean, then a ∧ (b ⊕ c) = (a ∧ b) ⊕ (a ∧ c). 


Note that 1  a = 1 − a, a ⊕ b = 1  ((1  a)  (1  b)), a ∧ b = a  (a  b) and a ∨ b = 1  ((1  a)  ((1  a)  (1  b))) hold.
A fuzzy relation from X into Y , denoted by α : X  Y , is a function α :
X × Y → [0, 1]. Algebraic properties of fuzzy relations have been discussed in
[3] and we prefer to use the same notations as in [3]. Now we define operations
which have not been defined in [3] yet. For fuzzy relations α, β : X  Y the
following three relations α  β, α ⊕ β, α• : X  Y are obtained by point-wise
lifting as a standard construction:
(a) ∀x ∈ X∀y ∈ Y. (α  β)(x, y) = α(x, y)  β(x, y),
(b) ∀x ∈ X∀y ∈ Y. (α ⊕ β)(x, y) = α(x, y) ⊕ β(x, y),
(c) ∀x ∈ X∀y ∈ Y. α• (x, y) = α(x, y)• .
A fuzzy relation α : X  Y is called boolean (or crisp) if α(x, y) is boolean
for all x ∈ X and y ∈ Y . Remark that boolean relations are just relations as
discussed in Section 2, because a function α : X × Y → {0, 1} can be identified
with a subset of X × Y .

Proposition 4. Let α, β, γ : X  Y and μ : V  X be fuzzy relations. Then the following holds:
(a) α  β  α, α  0XY = α and (α  β)  (β  α) = 0XY .
(b) If α  γ and β  γ  α, then α ⊕ β  γ.
(c) If γ is boolean, then (α  β)  γ = (α  γ)  (β  γ) and (α ⊕ β)  γ =
(α  γ) ⊕ (β  γ).
(d) If μ is boolean and univalent, then μ(α  β) = (μα)  (μβ) and μ(α ⊕ β) =
(μα) ⊕ (μβ).
(e) α  α• = α• • , 0XY • = 0XY , ∇XY • = ∇XY and idX • = idX .
(f) α • = α•  , (α  β)• = α•  β • , (α  β)• = α•  β • and (αβ)• = α• β • . 


Let M be a natural number with M ≥ 2. The set {j/(M − 1) | j = 0, 1, · · · , M − 1} with M elements will be denoted by BM . A fuzzy relation α : X  Y is called
M -valued if α(x, y) ∈ BM for all x ∈ X and y ∈ Y . It is trivial that a fuzzy
relation is 2-valued iff it is boolean. The following proposition is immediate from
the definition of M -valued fuzzy relations.
Proposition 5. (a) M -valued fuzzy relations are closed under the join , the
meet , the composition and the converse of fuzzy relations.
(b) For all reals k ∈ BM and boolean relations ξ : X  Y the semi-scalar
multiplication k · ξ is an M -valued fuzzy relation. 


5 The Cardinality of Fuzzy Relations

In this section the cardinality of fuzzy relations is defined and its fundamental properties are discussed.
Definition 1. The cardinality |α| of a fuzzy relation α : X  Y is defined by
|α| = Σx∈X Σy∈Y α(x, y). (finite sum)
Of course the cardinality |α| of a fuzzy relation α is given by a nonnegative real. 

The following are the basic properties of the cardinality of fuzzy relations.
Proposition 6. Let α, β, γ : X  Y be fuzzy relations and x ∈ X and y ∈ Y .
Then the following holds:
(a) |xαy  | = α(x, y) and xαy  = α(x, y) · idI .
(b) |α  β| = |α  β| − |β|. In particular, if β  α then |α  β| = |α| − |β|.
(c) If α  γ and β  γ  α, then |α ⊕ β| = |α| + |β|.
As the Dedekind inequality also holds for fuzzy relations, Proposition 1 is also valid for fuzzy relations.
Theorem 5. Let α : X  Y , β : Y  Z and γ : X  Z be fuzzy relations. If α is univalent, i.e. if α α  idY , then the Dedekind inequality holds:
|β  α γ| ≤ |αβ  γ| and |α  γβ  | ≤ |αβ  γ|.

Proof. Let α be univalent. Then it follows from the univalency α α  idY that
(α α)(y, y ) = ∨x∈X [α(x, y) ∧ α(x, y )] ≤ idY (y, y ).
Hence for each x ∈ X there exists at most one y ∈ Y such that α(x, y) > 0, and so we have
|αβ  γ| = Σx∈X,z∈Z ∨y∈Y [α(x, y) ∧ β(y, z) ∧ γ(x, z)]
= Σx∈X,y∈Y,z∈Z [α(x, y) ∧ β(y, z) ∧ γ(x, z)].
Remark that the inequality |αβ  γ| ≤ Σx∈X,y∈Y,z∈Z [α(x, y) ∧ β(y, z) ∧ γ(x, z)] always holds. Therefore we have
|α  γβ  | ≤ Σx∈X,y∈Y,z∈Z [α(x, y) ∧ β(y, z) ∧ γ(x, z)]
= |αβ  γ|,
and
|β  α γ| ≤ Σx∈X,y∈Y,z∈Z [α(x, y) ∧ β(y, z) ∧ γ(x, z)]
= |αβ  γ|.
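As an added example that is not code from the paper, the following Python checks Proposition 3 exhaustively over B_M, implements fuzzy relations with the operations of Section 4 and max-min composition, and evaluates both sides of the Dedekind inequality of Theorem 5 and of Proposition 6(b). It also shows, on a constructed boolean α that is not univalent, that the univalence hypothesis of Theorem 5 cannot simply be dropped. The dict representation, the helper names and the instance relations ALPHA, BETA, GAMMA, BETA_XY and the *_BAD relations are assumptions of the example.

```python
from fractions import Fraction as F
from itertools import product

# Constructed example (not code from the paper): the operations of Section 4 on
# [0, 1], fuzzy relations as dicts {(x, y): value} with absent keys read as 0,
# the cardinality of Definition 1 and the Dedekind inequality of Theorem 5.
# Fractions keep every value of B_M exact.

def ominus(a, b):
    return max(F(0), a - b)            # a ⊖ b = max{0, a − b}

def oplus(a, b):
    return min(F(1), a + b)            # a ⊕ b = min{1, a + b}

def bullet(a):
    return F(0) if a == 0 else F(1)    # a• = 0 if a = 0, else 1

def check_proposition_3(M=5):
    """Checks Proposition 3 (a)-(f) and the note after it for all a, b, c ∈ B_M."""
    one, B = F(1), [F(j, M - 1) for j in range(M)]
    for a, b, c in product(B, repeat=3):
        assert a <= bullet(a) == bullet(bullet(a))                         # (a)
        assert min(ominus(a, b), ominus(b, a)) == 0
        assert ominus(a, b) == max(a, b) - b                               # (b)
        assert a == oplus(ominus(a, b), min(a, b))                         # (c)
        if a <= c and b <= ominus(c, a):
            assert oplus(a, b) == a + b <= c                               # (d)
        if a in (F(0), one):
            assert min(a, ominus(b, c)) == ominus(min(a, b), min(a, c))    # (e)
            assert min(a, oplus(b, c)) == oplus(min(a, b), min(a, c))      # (f)
        assert min(a, b) == ominus(a, ominus(a, b))                        # note
        assert max(a, b) == ominus(one, ominus(ominus(one, a),
                                              ominus(ominus(one, a), ominus(one, b))))
    return True

def card(alpha):
    return sum(alpha.values(), F(0))   # |α| = Σ_x Σ_y α(x, y)

def meet(a, b):
    return {k: min(a[k], b[k]) for k in a.keys() & b.keys()}

def join(a, b):
    return {k: max(a.get(k, F(0)), b.get(k, F(0))) for k in a.keys() | b.keys()}

def minus(a, b):
    return {k: ominus(v, b.get(k, F(0))) for k, v in a.items()}   # pointwise ⊖

def converse(a):
    return {(y, x): v for (x, y), v in a.items()}

def compose(a, b):
    """Max-min composition: (αβ)(x, z) = ∨_y [α(x, y) ∧ β(y, z)]."""
    out = {}
    for (x, y), u in a.items():
        for (y2, z), v in b.items():
            if y == y2:
                out[(x, z)] = max(out.get((x, z), F(0)), min(u, v))
    return out

def is_univalent(a):
    """α♯α ⊑ id_Y: no x carries a positive value to two different y."""
    seen = {}
    return all(seen.setdefault(x, y) == y for (x, y), v in a.items() if v > 0)

def dedekind(alpha, beta, gamma):
    """Returns (|β ⊓ α♯γ|, |α ⊓ γβ♯|, |αβ ⊓ γ|); Theorem 5 bounds the first two
    by the third whenever α is univalent."""
    return (card(meet(beta, compose(converse(alpha), gamma))),
            card(meet(alpha, compose(gamma, converse(beta)))),
            card(meet(compose(alpha, beta), gamma)))

def proposition_6b(alpha, beta):
    """Returns (|α ⊖ β|, |α ⊔ β| − |β|), which Proposition 6(b) says coincide."""
    return card(minus(alpha, beta)), card(join(alpha, beta)) - card(beta)

# Constructed instances.  ALPHA is univalent; ALPHA_BAD is boolean but relates
# x1 to both y1 and y2, and both Dedekind inequalities fail for it.
ALPHA = {("x1", "y1"): F(3, 4), ("x2", "y2"): F(1, 2)}
BETA = {("y1", "z1"): F(1, 2), ("y1", "z2"): F(1), ("y2", "z1"): F(1, 4)}
GAMMA = {("x1", "z1"): F(1), ("x1", "z2"): F(1, 2), ("x2", "z1"): F(1)}
BETA_XY = {("x1", "y1"): F(1, 4), ("x1", "y2"): F(1, 2), ("x2", "y2"): F(1)}
ALPHA_BAD = {("x1", "y1"): F(1), ("x1", "y2"): F(1)}
BETA_BAD = {("y1", "z"): F(1), ("y2", "z"): F(1)}
GAMMA_BAD = {("x1", "z"): F(1)}

if __name__ == "__main__":
    print(check_proposition_3(), dedekind(ALPHA, BETA, GAMMA),
          dedekind(ALPHA_BAD, BETA_BAD, GAMMA_BAD), proposition_6b(ALPHA, BETA_XY))
```

For the univalent ALPHA the three cardinalities are 5/4, 3/4 and 5/4, so both inequalities hold (the first with equality); for ALPHA_BAD they are 2, 2 and 1, which is exactly the double counting that univalence rules out in the proof above.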



It is immediate that Theorem 1 and Corollary 1 also hold for fuzzy relations.
Similarly we characterise the cardinality of fuzzy relations as follows.

Theorem 6. Let R+ be the set of all nonnegative reals. A family of mappings | · | : Rel(X, Y ) → R+ defined for all pairs (X, Y ) of finite sets gives the cardinality iff it satisfies the following five conditions:
(a) |α| = 0 iff α = 0XY .
(b) |idI | = 1 and |α | = |α|.
(c) |α  α | = |α| + |α | − |α  α |.
(d) If α is univalent, then the Dedekind inequalities |β  α γ| ≤ |αβ  γ| and
|α  γβ  | ≤ |αβ  γ| hold.
(e) |k · α| = k|α| for all k ∈ [0, 1].

Proof. It is trivial that the cardinality satisfies the above five conditions. Conversely assume that a family of mappings | · | satisfies the five conditions. Then one easily sees that the family of mappings | · | has all the properties proved in Proposition 1 as well as Theorem 1 and Corollary 1. Hence for all fuzzy relations α : X  Y we have
|α| = Σx∈X Σy∈Y |xαy  |      { Proposition 1(e) }
= Σx∈X Σy∈Y |α(x, y) · idI |      { Proposition 6(a) }
= Σx∈X Σy∈Y α(x, y).      { (e) and (b) }
This completes the proof. 




For a fuzzy relation α : X  X the reflexive transitive closure α∗ : X  X of α is defined by
α∗ = n≥0 αn ,
where α0 = idX and αn+1 = αn α for all natural numbers n.
The next lemma shows a basic relationship between the reflexive transitive
closure and paths (or flows) of relations.

Lemma 1. Let α : X  X be a fuzzy relation, and s, t ∈ X two distinct elements of X. Then there exists a fuzzy relation ξ : X  X satisfying the following conditions:

(a) ξ  α, sξ  = tξ = 0IX and |sξ| = |sα∗ t |.
(b) |ξ  ρ0 ∇IX | = |ξ   ρ0 ∇IX | for all boolean relations ρ0 : I  X such that ρ0  (s  t)− .
(c) ξ  ξ  = 0XX .

Proof. Assume X has n elements. Then the fundamental argument shows that αn  0≤j≤n−1 αj and hence α∗ = 0≤j≤n−1 αj . Set k = |sα∗ t | = α∗ (s, t) (Cf. Proposition 6(a)). Then there is a sequence s = v0 , v1 , · · · , vp = t of distinct elements of X such that k = ∧_{j=1}^{p} α(vj−1 , vj ). We now define a fuzzy relation ξ : X  X by ξ = k · (_{j=1}^{p} vj−1 vj ). Then (b) is clear and (a) follows from a computation:
k · (vj−1 vj )  α(vj−1 , vj ) · (vj−1 idI vj )      { k ≤ α(vj−1 , vj ) }
= vj−1 [α(vj−1 , vj ) · idI ]vj
= vj−1 vj−1 α vj vj
 α.
Condition (c) can be similarly obtained. 




6 Network Flows

Network flows are usually defined as directed graphs with edges labelled by reals [1]. But their labels can be restricted to [0,1] without loss of generality. This idea enables us to regard networks and flows as fuzzy relations, and to develop a relational method for the theory of network flows. It should be noticed that networks treated here are just simple graphs.

Definition 2. A network N is a triple (α : X  X, s, t) consisting of a fuzzy relation α : X  X and two distinct elements s and t of X such that
sα = 0XI , tα = 0IX and α  α = 0XX .
The relation α is the capacity relation of N , s is the source of N , and t the exit of N . 


In the above definition the conditions sα = 0XI and tα = 0IX intuitively mean that the network has no capacity into a source and no capacity out of a target. On the other hand the last condition α  α = 0XX may look too strong. However, for an arbitrary relation α : X  X we can construct a relation α̂ = α  α satisfying α̂  α̂ = 0XX and α = α̂ ⊕ (α  α ). (Cf. Proposition 3 (a) and (c).) Flows of the network are defined as assignments of amounts of flow that satisfy global conservation within the capacity.

Definition 3. A flow ϕ of a network N = (α : X  X, s, t) is a fuzzy relation ϕ : X  X such that ϕ  α and |ϕ  ρ0 ∇IX | = |ϕ  ρ0 ∇IX | for all boolean relations ρ0 : I  X such that ρ0  (s  t)− . 


The following proposition shows the basic property of network flows.

Proposition 7. Let N = (α : X  X, s, t) be a network. For each flow ϕ : X  X of N the identity |sϕ| = |tϕ | holds.
Proof. Set ρ0 = (s  t)− . Then we have s  t  ρ0 = ∇IX and
|ϕ| = |ϕ  (s  t  ρ0 ) ∇IX |      { ∇XX = ∇XI ∇IX }
= |sϕ| + |tϕ| + |ϕ  ρ0 ∇IX |      { Proposition 1(c) }
= |sϕ| + |ϕ  ρ0 ∇IX |.      { tϕ = 0IX }
Dually |ϕ | = |tϕ | + |ϕ  ρ0 ∇IX | is valid. Hence |sϕ| = |tϕ | holds, because |ϕ| = |ϕ | and |ϕ  ρ0 ∇IX | = |ϕ  ρ0 ∇IX |. 


Next we review several fundamental notions on network flows.

Definition 4. Let N = (α : X  X, s, t) be a network.
(a) The value val(ϕ) of a flow ϕ of N is defined by val(ϕ) = |sϕ| = |tϕ |.
(b) A flow ϕ of N is maximal if val(ψ) ≤ val(ϕ) holds for all flows ψ of N .
(c) A cut ρ of N is a boolean relation ρ : I  X such that s  ρ  t− .
(d) A cut ρ of N is minimal if |α  ρ ρ− | ≤ |α  μ μ− | for all cuts μ of N .
(e) A fuzzy relation ϕα : X  X is defined by ϕα = (α  ϕ)  ϕ . 


Proposition 8. Let N = (α : X  X, s, t) be a network. For all flows ϕ : X  X of N and all cuts ρ : I  X of N the identity
val(ϕ) = |α  ρ ρ− | − |ϕα  ρ ρ− |
holds.
Proof. First note that ϕ  α and (α  ϕ)ϕ  α α = 0XX . Since ρ is boolean it follows from Proposition 4(c) that
ϕα  ρ ρ− = [(α  ρ ρ− )  (ϕ  ρ ρ− )]  (ϕ  ρ ρ− ),
and so from Proposition 6(b) that
|ϕα  ρ ρ− | = |α  ρ ρ− | − |ϕ  ρ ρ− | + |ϕ  ρ ρ− |.
Set ρ0 = s−  ρ. Then we have
val(ϕ) = |sϕ| − |sϕ |      { sϕ  sα = 0IX }
= |ϕ  (s  ρ0 ) ∇IX | − |ϕ  (s  ρ0 ) ∇IX |      { Proposition 1(c), |ϕ  ρ0 ∇IX | = |ϕ  ρ0 ∇IX | }
= |ϕ  ρ ∇IX | − |ϕ  ρ ∇IX |      { s  ρ0 = ρ }
= |ϕ  ρ ρ| + |ϕ  ρ ρ− | − |ϕ  ρ ρ| − |ϕ  ρ ρ− |
= |ϕ  ρ ρ− | − |ϕ  ρ ρ− |      { |ϕ  ρ ρ| = |ϕ  ρ ρ| }
= |α  ρ ρ− | − (|α  ρ ρ− | − |ϕ  ρ ρ− | + |ϕ  ρ ρ− |)
= |α  ρ ρ− | − |ϕα  ρ ρ− |. 


Remark. ϕα  ρ ρ− = 0XX iff ρϕα  ρ− = 0IX iff ρϕα  ρ.

For a network N there exist finitely many cuts ρ : I  X, because X is finite, and
consequently a minimal cut exists. The following lemma indicates a construction
of a new greater flow when ϕα contains a flow.
Lemma 2. Let N = (α : X  X, s, t) be a network and ϕ a flow of N . If
ξ : X  X is a fuzzy relation satisfying ξ  ϕα , sξ  = 0IX and |ξ  ρ0 ∇IX | =
|ξ   ρ0 ∇IX | for all boolean relations ρ0 : I  X such that ρ0  (s  t)− , then a
fuzzy relation
ψ = [ϕ  (α  ξ  )] ⊕ (α  ξ)
is a flow of N such that val(ψ) = val(ϕ) + |sξ|.
Proof. First note that
ξ   α  (α  ϕ)  α { ξ  ϕα  α  ϕ }
= ϕ, { α  α = 0XX }
and
ξ  α  [(α  ϕ)  ϕ ]  α { ξ  ϕα }
= α  ϕ. { ϕ  α  α  α = 0XX }
Thus, since ϕ  α and ξ  α  α  ϕ, it follows from Proposition 4(b) that
ψ  ϕ ⊕ (ξ  α)  α.

Let ρ0 : I  X be a boolean relation such that ρ0  (st)− and set ρ̂0 = ρ0 ∇IX .
Next we will see that |ψ  ρ̂0 | = |ψ   ρ̂0 |. As ρ̂0 is boolean, an equation
ψ  ρ̂0 = [(ϕ  ρ̂0 )  (α  ξ   ρ̂0 )] ⊕ (α  ξ  ρ̂0 )
holds by Proposition 4(c), and so
|ψ  ρ̂0 | = |ϕ  ρ̂0 | − |α  ξ  ρ̂0 | + |α  ξ   ρ̂0 |
applying Proposition 4(e), since ϕ  (α  ξ  )  α, α  ξ  α  [ϕ  (α  ξ  )] and
α  ξ   ϕ. Hence by using ξ  α  α we have
|ψ  ρ̂0 | − |ξ  ρ̂0 | = |ϕ  ρ̂0 | − |α  ξ   ρ̂0 | − |α  ξ  ρ̂0 |.
Dually |ψ   ρ̂0 | − |ξ   ρ̂0 | = |ϕ  ρ̂0 | − |α  ξ  ρ̂0 | − |α  ξ   ρ̂0 | holds. Therefore
|ψ  ρ̂0 | = |ψ   ρ̂0 | follows from |ϕ  ρ̂0 | = |ϕ  ρ̂0 | and |ξ  ρ̂0 | = |ξ   ρ̂0 |.
Finally we obtain
val(ψ) = |sϕ| − |s(α  ξ  )| + |s(α  ξ)| { val(ψ) = |sψ| }
= |sϕ| + |s(α  ξ)| { sξ  = 0IX }
= |sϕ| + |s[(α  α )  ξ]| { sα = 0IX }
= val(ϕ) + |sξ|. { ξ  α  α }


The next theorem, essentially due to Ford and Fulkerson (1956) [1], characterises the maximality of network flows.

Theorem 7. Let N = (α : X  X, s, t) be a network and ϕ a flow of N . Then the following three statements are equivalent:
(a) ϕ is maximal,
(b) t  sϕ∗α = 0IX (or equivalently |sϕ∗α t | = 0),
(c) There exists a cut ρ such that val(ϕ) = |α  ρ ρ− |.

Proof. (a)⇒(b) Assume ϕ is maximal and set k = |sϕ∗α t | (0 ≤ k ≤ 1). From Lemma 1 there is a fuzzy relation ξ : X  X such that ξ  ϕα , sξ  = 0IX , |sξ| = k and |ξ  ρ0 ∇IX | = |ξ   ρ0 ∇IX | for all boolean relations ρ0 : I  X such that ρ0  (s  t)− . By the last Lemma 2 a fuzzy relation
ψ = [ϕ  (ξ   α)] ⊕ (ξ  α)
is a flow of N with val(ψ) = val(ϕ) + k. As ϕ is maximal we have k = 0.
(b)⇒(c) Assume t  sϕ∗α = 0IX . Then a boolean relation ρ = (sϕ∗α )• is a cut of N , since s  sϕ∗α  ρ and t  ρ = (t  sϕ∗α )• = 0IX . Also it is easy to verify ϕα  ρ ρ− = 0IX from
ρϕα  (sϕ∗α )• ϕ•α = (sϕ∗α ϕα )•  (sϕ∗α )• = ρ
Therefore val(ϕ) = |α  ρ ρ− | holds by Proposition 8. (In fact ρ is minimal.)
(c)⇒(a) Assume a cut ρ satisfies val(ϕ) = |α  ρ ρ− | and let ψ be a flow. Then we have
val(ψ) = |α  ρ ρ− | − |ψα  ρ ρ− |      { Proposition 8 }
≤ |α  ρ ρ− |      { |ψα  ρ ρ− | ≥ 0 }
= val(ϕ),
which means that ϕ is maximal. 


The following theorem is the so-called integral flow theorem.

Theorem 8. A network N = (α : X  X, s, t) over M -valued relations has an M -valued maximal flow ϕ.

Proof. Construct a sequence of M -valued flows of N by the following algorithm: (I) Set ϕ0 = 0XX . It is trivial that ϕ0 is an M -valued flow of N . (II) Suppose ϕi has already been defined. Set ki = |s[(α  ϕi )  ϕi ]∗ t |. If ki = 0 then ϕi is maximal by Theorem 7. If ki > 0 then by the same construction as in the proof (a)⇒(b) in Theorem 7 we have the next flow ϕi+1 such that val(ϕi+1 ) = val(ϕi ) + ki . As ki ≥ 1/M this algorithm terminates within M |X|2 steps. 
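The augmenting construction of Lemma 2, the relation ϕα of Definition 4(e), the cut of Theorem 7 (b)⇒(c) and the algorithm in the proof of Theorem 8, as an added Python example that is not part of the paper. The widest-path search used to find the path of Lemma 1, the helper names and the constructed network CAP are assumptions of the example; capacities are Fractions so that M-valuedness of every intermediate flow can be checked exactly.

```python
from fractions import Fraction as F

# Constructed example, not code from the paper.  A network (α, s, t) over
# M-valued fuzzy relations is a square list of Fractions; the augmenting step
# is Lemma 2, the residual relation is φ_α of Definition 4(e), and the loop
# is the algorithm in the proof of Theorem 8.  The widest-path search that
# finds the path of Lemma 1 is this example's own choice.

def ominus(a, b):
    return max(F(0), a - b)                    # a ⊖ b

def oplus(a, b):
    return min(F(1), a + b)                    # a ⊕ b

def zero(n):
    return [[F(0)] * n for _ in range(n)]

def is_network(alpha, s, t):
    """Definition 2: no capacity into s, none out of t, no antiparallel pair."""
    n = len(alpha)
    return (all(alpha[x][s] == 0 for x in range(n))
            and all(alpha[t][y] == 0 for y in range(n))
            and all(min(alpha[x][y], alpha[y][x]) == 0
                    for x in range(n) for y in range(n)))

def is_flow(alpha, phi, s, t):
    """Definition 3: φ ⊑ α and conservation at every node other than s and t."""
    n = len(alpha)
    return (all(phi[x][y] <= alpha[x][y] for x in range(n) for y in range(n))
            and all(sum(phi[v]) == sum(phi[x][v] for x in range(n))
                    for v in range(n) if v not in (s, t)))

def residual(alpha, phi):
    """φ_α = (α ⊖ φ) ⊔ φ♯, the join taken pointwise as max."""
    n = len(alpha)
    return [[max(ominus(alpha[x][y], phi[x][y]), phi[y][x])
             for y in range(n)] for x in range(n)]

def widest_path(rel, s, t):
    """k = rel*(s, t) under max-min composition together with one simple path
    realising it (Lemma 1); returns (0, []) if no positive path exists."""
    n = len(rel)
    best, parent, done = [F(0)] * n, [None] * n, [False] * n
    best[s] = F(1)
    while True:
        u = max((v for v in range(n) if not done[v]), key=best.__getitem__, default=None)
        if u is None or best[u] == 0:
            break
        done[u] = True
        for v in range(n):
            w = min(best[u], rel[u][v])
            if w > best[v]:
                best[v], parent[v] = w, u
    if best[t] == 0:
        return F(0), []
    path = [t]
    while path[-1] != s:
        path.append(parent[path[-1]])
    return best[t], path[::-1]

def augment(alpha, phi, xi):
    """ψ = [φ ⊖ (α ⊓ ξ♯)] ⊕ (α ⊓ ξ) of Lemma 2, computed pointwise."""
    n = len(alpha)
    return [[oplus(ominus(phi[x][y], min(alpha[x][y], xi[y][x])),
                   min(alpha[x][y], xi[x][y]))
             for y in range(n)] for x in range(n)]

def max_flow(alpha, s, t):
    """Theorem 8: start from φ0 = 0 and augment while k_i = φ_α*(s, t) > 0."""
    n = len(alpha)
    phi, steps = zero(n), 0
    while True:
        k, path = widest_path(residual(alpha, phi), s, t)
        if k == 0:
            return phi, steps
        xi = zero(n)                           # ξ = k · ⊔_j v_{j-1}♯ v_j
        for u, v in zip(path, path[1:]):
            xi[u][v] = k
        phi, steps = augment(alpha, phi, xi), steps + 1

def val(phi, s):
    return sum(phi[s])                         # val(φ) = |sφ|

def min_cut(alpha, phi, s):
    """The cut ρ = (s φ_α*)• of Theorem 7 (b)⇒(c) and its capacity |α ⊓ ρ♯ρ⁻|."""
    n, res = len(alpha), residual(alpha, phi)
    reach, todo = {s}, [s]
    while todo:
        u = todo.pop()
        for v in range(n):
            if res[u][v] > 0 and v not in reach:
                reach.add(v)
                todo.append(v)
    return reach, sum(alpha[x][y] for x in reach for y in range(n) if y not in reach)

# Constructed network with M = 5, so all capacities lie in B_5 = {0, 1/4, 1/2, 3/4, 1}.
S, A, B, T = range(4)
CAP = zero(4)
CAP[S][A], CAP[S][B], CAP[A][B], CAP[A][T], CAP[B][T] = F(3, 4), F(1, 2), F(1, 4), F(1, 2), F(3, 4)

def demo():
    """Returns (φ, augmentations, val(φ), capacity of the cut of Theorem 7)."""
    assert is_network(CAP, S, T)
    phi, steps = max_flow(CAP, S, T)
    return phi, steps, val(phi, S), min_cut(CAP, phi, S)[1]

if __name__ == "__main__":
    phi, steps, v, cut = demo()
    print("val =", v, "min cut =", cut, "augmentations =", steps)
```

On the constructed network the loop augments three times (by 1/2, 1/2 and 1/4), ends with val(ϕ) = 5/4, and the cut {s} found from the residual relation has the same capacity, as Theorem 7 (c) predicts; every entry of the final flow is a multiple of 1/4, which is the integrality statement of Theorem 8.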


As promised in Section 3 we now give a sufficiency proof for Hall’s Theorem.

[Proof of Hall's theorem] Let α : X  Y be a boolean relation such that |ρ0 | ≤ |ρ0 α| for all boolean relations ρ0 : I  X. First construct the coproduct X̂ = I + X + Y + I together with injections s : I → X̂, i : X → X̂, j : Y → X̂ and t : I → X̂ such that ss = tt = idI , ii = idX , jj  = idY , s s  i i  j  j  t t = idX̂ , si = 0IX , sj  = 0IY , st = 0II , ij  = 0XY , it = 0XI , jt = 0Y I . Set α̂ = s ∇IX i  i αj  j  ∇Y I t. Then it is trivial that sα̂ = 0I X̂ , tα̂ = 0I X̂ and α̂  α̂ = 0X̂ X̂ . Hence we have a network N = (α̂ : X̂  X̂, s, t). By Theorem 8 there is a maximal flow ϕ of N which is boolean. On the other hand, s : I → X̂ is a minimal cut of N with |α̂  s s− | = |∇IX |. For an arbitrary cut ρ = s  ρ0 i  ρ1 j : I  X̂ of N with boolean relations ρ0 : I  X and ρ1 : I  Y , we have ρ− = ρ0− i  ρ1− j  t and

α̂  ρ ρ− = s ρ0− i  i (α  ρ0 ρ1− )j  j ρ1− t,
and so
|α̂  ρ ρ− | = |s ρ0− i| + |i (α  ρ0 ρ1− )j| + |j ρ1− t|
= |ρ0− | + |α  ρ0 ρ1− | + |ρ1− |      { s, i, j, t : injections }
≥ |ρ0− | + |ρ0 α  ρ1− | + |ρ1− |      { Dedekind inequality }
= |ρ0− | + |(ρ0 α  ρ1− )  ρ1 |      { Theorem 6(c) }
≥ |ρ0− | + |ρ0 α|      { (ρ0 α  ρ1− )  ρ1  ρ0 α }
≥ |ρ0− | + |ρ0 |      { |ρ0 | ≤ |ρ0 α| }
= |∇IX |
= |∇IX i|      { i : injection }
= |sα̂  s− |      { ∇IX i = sα̂  s− }
= |α̂  s s− |.      { s : injection }

Thus s is a minimal cut and val(ϕ) = |α̂  s s− | = |∇IX | by Theorem 7. Set f = iϕj  : X  Y . It is clear that f  α. Also one can easily see that |xf | = 1 for all x ∈ X and |yf  | ≤ 1 for all y ∈ Y , as follows:

(1) ϕ(s, xi) = 1; |∇IX | = val(ϕ)
= |sϕ|      { val(ϕ) = |sϕ| }
= |sϕ  ∇IX i|      { sϕ  sα̂  ∇IX i }
= |sϕi |      { i : matching }
= Σx∈X ϕ(s, xi).      { ϕ(s, xi) = 0 or 1 }
(2) f j = iϕ; iϕ = iϕ  αj  (iϕj   α)j  iϕj  j  iϕ.
(3) |xf | = 1; |xf | = |xf j|      { j : injection }
= |xiϕ|      { f j = iϕ }
= |ϕ(xi) |      { ϕ : flow }
= |(s s  i i  j  j  t t)ϕ(xi) |      { idX̂ = s s  i i  j  j  t t }
= |sϕ(xi) |      { ϕi  s ∇IX }
= ϕ(s, xi)
= 1.

(4) |yf  | ≤ 1; |f y  | = |f jj  y  |      { j : injection }
= |iϕj  y  |      { (2) }
= |i iϕ(yj) |      { i : injection }
≤ |ϕ(yj) |      { i i  idX̂ }
= |yjϕ|      { ϕ : flow }
≤ |t|      { yjϕ  yj α̂ = y∇Y I t  t }
= 1.
This completes the proof. 


7 Conclusion
This paper proposed Dedekind inequalities for the cardinality of boolean and fuzzy relations, and illustrated applications to graphs and network flows. We also reviewed Tarski's example for the decision problem on relational formulas. Future work is to study proof mechanisms for the cardinality of relations and to look for more applications in mathematics and computer science, for example to greedoids and electrical circuits.

Acknowledgements. The author is grateful to Georg Struth and anonymous referees for helpful discussions and comments.

References
1. R. Diestel, Graph theory, Graduate texts in mathematics 173, Third Edition,
Springer, Berlin, 2005.
2. P. Freyd and A. Scedrov, Categories, allegories, North-Holland, Amsterdam, 1990.
3. Y. Kawahara and H. Furusawa, An algebraic formalization of fuzzy relations. Fuzzy Sets and Systems 101 (1999), 125–135.
4. G. Schmidt and T. Ströhlein, Relations and graphs – Discrete Mathematics for
Computer Science – (Springer-Verlag, Berlin, 1993).
5. A. Tarski, Some metalogical results concerning the calculus of relations, Journal of
Symbolic Logic, 18 (2) (1953) 188–189.
Evaluating Sets of Search Points Using
Relational Algebra

Britta Kehden

Christian-Albrechts-Univ. of Kiel, 24098 Kiel, Germany


[email protected]

Abstract. We model a set of search points as a relation and use relational algebra to evaluate all elements of the set in one step in order to select search points with certain properties. Therefore we transform relations into vectors and prove a formula to translate properties of relations into properties of the corresponding vectors. This approach is applied to timetable problems.

1 Introduction

Randomized search heuristics have found many applications in solving combinatorial optimization problems in recent years. This class of heuristics contains well-known approaches such as Randomized Local Search, the Metropolis Algorithm, Simulated Annealing and Evolutionary Algorithms. Such heuristics are often applied to problems whose structure is not known or when there are not enough resources such as time and money to obtain good specific algorithms. Particularly evolutionary computation has become quite popular in the last years.
Especially in the case of discrete structures, relational algebra has been successfully applied for algorithm development. Relational algebra has a small set of operations that can be implemented efficiently. On the other hand it allows a formal development of algorithms and expressions, usually starting with a predicate logic description of the problem, as is demonstrated for example in [1] and [2].
We think it is worth combining relational methods with evolutionary computation. First steps in this direction have been made in [3] and [4]. By having a relational view on problems of discrete structures, search points are represented as relations, so that parts of the search process can be carried out using relation algebraic expressions. In [4] that approach is applied to well-known graph problems and it is demonstrated that relational methods can reduce the computation time of evolutionary algorithms.
Evolutionary algorithms work with sets of search points, called populations, that have to be evaluated. This means, as a first step, one has to determine the subset of individuals in the population satisfying the desired properties. By modeling single search points as vectors and populations as relations we can use relational expressions to carry out this evaluation. The aim of this paper is to extend this approach and have a more general view on it. On the one hand, we want to take a closer look at the relational expressions we can use in such an evaluation process. Therefore we define in Section 3 a set of predicates for vectors. These are mappings modeling properties of vectors and are represented by certain relational expressions. Each vector predicate can be transformed into a test mapping that can be applied to a population in order to determine the individuals fulfilling the property modeled by the predicate.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 266–280, 2006.
© Springer-Verlag Berlin Heidelberg 2006
On the other hand we want to extend the combination of evolutionary al-
gorithms and relational methods to a larger problem domain. Up to now, this
approach has been applied to problems from combinatorial optimization, where
the search points are sets of vertices or edges of a given graph or hypergraph.
In our relational model, sets are represented as vectors in a natural way. In
this work, we extend our considerations to problems, where the search points
are binary relations. Typical examples are coloring problems for graphs or hy-
pergraphs, where edges or vertices have to be assigned to colors, and timetable
problems, where meetings have to be assigned to time slots. To be able to apply
our methods to the search for such relations, it is necessary to model relations
as vectors. Hence, the desired properties of the relations have to be transformed
into properties of the corresponding vectors. In Section 4 we prove a formula
that is helpful in doing this transformation and apply it to several relational
properties.
In the last part of the paper, the results are used to discuss timetable problems. In our model, a solution of a timetable problem is a relation assigning meetings to time slots and fulfilling certain properties. By using the results of Section 4, these conditions are transformed into vector properties. So we get a simple criterion in the form of a predicate to test whether a vector represents a solution of a given timetable. With the results of Section 3 we can derive a test mapping, which is applied to a set of vectors to select the solutions for the timetable problem.

2 Relation-Algebraic Preliminaries
In the sequel we introduce the basics of abstract and concrete relation algebra.
Starting with a definition of an abstract relation algebra, we state a selection
of relational properties and specify the classes of relations that are used in the
remainder of the paper. In the second part of this section we give a brief intro-
duction to the algebra of set-theoretic relations.

2.1 Abstract Relational Algebra

A relational algebra is a structure (R, ∩, ∪, , ⊆, ·) over a non-empty set R of elements called relations. Every R ∈ R belongs to a subset RR ⊆ R, so that the following conditions are fulfilled.
• (RR , ∩, ∪, , ⊆) is a complete atomistic Boolean algebra. The null element and the universal element of RR are denoted by O and L.
• For every R ∈ R there exists a transposed relation R and the products R R and RR .

• The multiplication is associative and the existence of RS implies the existence of QS for every Q ∈ RR .
• For every RR , there exist left and right identities, which are denoted by I.
• The Tarski-rule holds, which means
R = O ⇐⇒ LRL = L.
• The Schröder-rule holds, which means
RS ⊆ Q ⇐⇒ R Q ⊆ S ⇐⇒ QS  ⊆ R,
assuming the existence of RS.


A relation R is called unique if R R ⊆ I. If R fulfills one of the equivalent
conditions RL = L or I ⊆ RR , it is called total. A function is a total and unique
relation. We call R injective if R is unique, and surjective if R is total.
In [5] several properties of abstract relation algebra are shown. The following selection of them is used in Sections 3 and 4:
1. (Q ∪ R) = Q ∪ R and (Q ∩ R) = Q ∩ R
2. (SR) = R S 
3. Dedekind-rule: QR ∩ S ⊆ (Q ∩ SR )(R ∩ Q S)
4. (Q ∪ R)S = QS ∪ RS and S(Q ∪ R) = SQ ∪ SR
5. (Q ∩ R)S ⊆ QS ∩ RS and S(Q ∩ R) ⊆ SQ ∩ SR
6. If S is unique, even S(Q ∩ R) = SQ ∩ SR holds.
If S is injective, even (Q ∩ R)S = QS ∩ RS holds.
7. If S is injective and surjective, RS = RS holds.
In Section 4 we also use direct products. A pair (π, ρ) of relations is called a
direct product if it fulfills the following conditions:
1. π  π = I and ρ ρ = I
2. ππ  ∩ ρρ = I
3. π  ρ = L and ρ π = L
Obviously π and ρ are surjective functions.

2.2 Concrete Relational Algebra

We write R : X ↔ Y if R is a (concrete) relation with domain X and range Y , i.e. a subset of X × Y . The set of all relations of the type X ↔ Y is denoted by [X ↔ Y ]. In the case of finite carrier sets, we may consider a relation as a Boolean matrix. Since this Boolean matrix interpretation is well suited for many purposes, we often use matrix terminology and matrix notation in the following. Especially, we speak of the rows, columns and entries of R and write Rij instead of (i, j) ∈ R. We assume the reader to be familiar with the basic operations on relations, viz. R (transposition), R (negation), R ∪ S (union), R ∩ S (intersection), RS (composition), R ⊆ S (inclusion), and the special relations O (empty relation), L (universal relation), and I (identity relation).

A relation R is called a vector if RL = R holds. Since the range of a vector is therefore irrelevant, we consider in the following vectors v : X ↔ 1 with a specific singleton set 1 = {⊥} as range and omit in such cases the second subscript, i.e. write vi instead of vi⊥ . Such a vector can be considered as a Boolean matrix with exactly one column, i.e., as a Boolean column vector, and describes the subset {x ∈ X : vx } of X. A vector v is called a point if it is injective and surjective. For v : X ↔ 1 these properties mean that it describes a singleton set, i.e., an element of X. In the matrix model, a point is a Boolean column vector in which exactly one component is true. The set [1 ↔ 1] only contains the elements L and O, which can be regarded as boolean values true and false.
A pair (π, ρ) of natural projections of X × Y , i.e.,
π : X × Y ↔ X and ρ : X × Y ↔ Y
with
π<x,y>x ⇐⇒ x = x and ρ<x,y>y ⇐⇒ y = y 
is a direct product in the concrete relation algebra.

3 Predicates of Vectors
We define a set of vector predicates as a special set of mappings which can be
applied to vectors and return a boolean value represented by the relations L
and O of the type 1 ↔ 1. As a first step we introduce a more general set Φ of
mappings, that is a generalization of the set of relational functions that model
column-wise, described in [6]. The set of vector predicates we are interested in is
then a special subset of Φ. In detail, given a set X and a set of sets U, we define a set of mappings
Φ ⊆ Y∈U [[X ↔ 1] → [Y ↔ 1]]
so that for each element ϕ ∈ Φ of the type [X ↔ 1] → [Y ↔ 1] and every set Z there exists a mapping ϕ : [X ↔ Z] → [Y ↔ Z] with the property, that for every point p : Z ↔ 1 and every relation M : X ↔ Z the equation
ϕ(M p) = ϕ (M )p
holds. Assuming Z as the set of the first n numbers [1..n] we can regard the relation M as a set of n vectors v(1) , . . . , v(n) (e.g. a population of an evolutionary algorithm) of type X ↔ 1 so that v(i)x if and only if Mxi for i ∈ [1..n] and x ∈ X. Then the relation ϕ (M ) is of type Y ↔ Z and consists of the vectors ϕ(v(1) ), . . . , ϕ(v(n) ) ∈ [Y ↔ 1].
First, we define the set Φ inductively and clarify how to construct a suitable ϕ
from a given ϕ. After that we prove the equation given above for every ϕ ∈ Φ. For
the definition of the set Φ we need the following two notations concerning certain
mappings. Given four sets X, Y, Z, W and a relation C : Z ↔ W we denote by
χC the constant mapping of type [X ↔ Y ] → [Z ↔ W ] with χC (R) = C for
every R : X ↔ Y . Furthermore, let id[X↔Y ] be the identity mapping of type
[X ↔ Y ] → [X ↔ Y ].

Definition 1. Let U be a set of sets and X ∈ U. We define the set Φ of mappings inductively:
1. Identity:
id[X↔1] ∈ Φ

2. Constant mappings: For each set Y ∈ U and every c : Y ↔ 1 it is
χc ∈ Φ
with χc : [X ↔ 1] → [Y ↔ 1].
3. Cut, union, complement: For every two mappings ϕ1 , ϕ2 ∈ Φ with the same
type [X ↔ 1] → [Y ↔ 1] there are also
ϕ1 ∩ ϕ2 ∈ Φ,
ϕ1 ∪ ϕ2 ∈ Φ,
ϕ1 ∈ Φ,
whereas ϕ1 ∩ ϕ2 , ϕ1 ∪ ϕ2 and ϕ1 have the type [X ↔ 1] → [Y ↔ 1] and are
defined by (ϕ1 ∩ ϕ2 )(v) = ϕ1 (v) ∩ ϕ2 (v), (ϕ1 ∪ ϕ2 )(v) = ϕ1 (v) ∪ ϕ2 (v) and
ϕ1 (v) = ϕ1 (v) for each vector v : [X ↔ 1].
4. Left-multiplication: Given sets W , Y ∈ U, for every R : W ↔ Y and every
ϕ ∈ Φ with the type [X ↔ 1] → [Y ↔ 1] it is
Rϕ ∈ Φ,
whereas Rϕ : [X ↔ 1] → [W ↔ 1] is defined by (Rϕ)(v) = R(ϕ(v)).
In the following we use this inductive definition to assign to each mapping ϕ ∈ Φ
of the type [X ↔ 1] → [Y ↔ 1] a related mapping ϕ that can be applied to a
relation of the type [X ↔ Z], representing a population of size |Z|.
Definition 2. Let Z be a set. For every ϕ ∈ Φ we define a mapping ϕ ∈ Y∈U [[X ↔ Z] → [Y ↔ Z]] inductively.

1. Identity:
id[X↔1] := id[X↔Z]

2. Constant mappings: For each Y ∈ U and every vector c : Y ↔ 1 we define
χc := χcL ,
where the universal relation L has the type 1 ↔ Z.
3. Cut, union, complement: For Y ∈ U and ϕ1 , ϕ2 ∈ Φ with the same type
[X ↔ 1] → [Y ↔ 1] we define
(ϕ1 ∩ ϕ2 ) := ϕ1 ∩ ϕ2 ,
(ϕ1 ∪ ϕ2 ) := ϕ1 ∪ ϕ2 ,
ϕ := ϕ .

4. Left-multiplication: For sets W, Y ∈ U, relations R : W ↔ Y and mappings ϕ ∈ Φ with the type [X ↔ 1] → [Y ↔ 1] we define
(Rϕ) := Rϕ .
For every Y ∈ U and ϕ ∈ Φ with ϕ : [X ↔ 1] → [Y ↔ 1] the type of the
corresponding mapping ϕ is [X ↔ Z] → [Y ↔ Z]. There is a close correlation
between the two mappings ϕ and ϕ , stated in the following theorem. The proof
has been moved to the appendix.
Theorem 1. For every mapping ϕ ∈ Φ, every point p : Z ↔ 1 and every
relation M : X ↔ Z the equation
ϕ(M p) = ϕ (M )p
holds.
For every set Y and every ϕ ∈ Φ we get the following commutative diagram, where the mapping μp denotes the right-multiplication with a point p : Z ↔ 1.
[Diagram: the lifted mapping of type [X ↔ Z] → [Y ↔ Z] along the top, ϕ : [X ↔ 1] → [Y ↔ 1] along the bottom, and μp on both vertical arrows, from [X ↔ Z] down to [X ↔ 1] and from [Y ↔ Z] down to [Y ↔ 1].]
Denoting the composition of mappings as ◦, the statement of Theorem 1 can
also be expressed by the equation
ϕ ◦ μp = μp ◦ ϕ .
In this work, we are especially interested in the subset of Φ that consists of the
mappings with range [1 ↔ 1]. We call
Ψ := Φ ∩ [[X ↔ 1] → [1 ↔ 1]]
the set of vector predicates. Considering the elements L and O of [1 ↔ 1] as the
boolean values ’true’ and ’false’, each ψ ∈ Ψ represents a property of vectors in
the following way. A vector v : X ↔ 1 has a certain property - modeled by ψ -
if and only if ψ(v) = L holds.
Given a ψ ∈ Ψ , the related mapping ψ  has the type [X ↔ Z] → [1 ↔ Z].
Modeling a population of |Z| vectors as a relation M : X ↔ Z, the mapping
ψ  determines the subset of individuals in the population fulfilling ψ, which
means that for every point p ⊆ ψ  (M ) the vector M p satisfies the property
modeled by ψ. In other words, with Z = [1..n] and k ∈ Z we have the following
connection between ψ and ψ  . The k th column of M fulfills the predicate ψ if and only if ψ  (M )k holds. Hence, ψ  is a kind of test mapping, testing the
columns of a relation M (representing the individuals in a population) whether
they satisfy the predicate ψ. As demonstrated in [3] and [4], the stated approach
can be applied to graph theoretical problems where the search points are sets
of vertices or edges, for example covering problems. In the next section we will
focus on the issue of relations as search points.
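The following added Python example (not the author's code) implements Definitions 1 and 2 with Boolean matrices and checks Theorem 1 column by column on a constructed population. The tagged-tuple encoding of Φ, the predicate "nonempty subset of c" built from the four constructors, the helper names and the population POP are assumptions of the example.

```python
# Constructed example, not the author's code: relations as Boolean matrices
# (lists of lists of bool), the inductive set Φ of Definition 1 as tagged
# tuples, its lifting ϕ' of Definition 2, and a column-wise check of
# Theorem 1, ϕ(Mp) = ϕ'(M)p, on a constructed population.

def compose(R, S):
    """Product RS: (RS)_ij holds iff R_ik and S_kj for some k."""
    return [[any(R[i][k] and S[k][j] for k in range(len(S)))
             for j in range(len(S[0]))] for i in range(len(R))]

def transpose(R):
    return [list(col) for col in zip(*R)]

def meet(R, S):
    return [[a and b for a, b in zip(r, s)] for r, s in zip(R, S)]

def join(R, S):
    return [[a or b for a, b in zip(r, s)] for r, s in zip(R, S)]

def neg(R):
    return [[not a for a in r] for r in R]

def universal(m, n):
    return [[True] * n for _ in range(m)]       # L : m ↔ n

def point(k, n):
    """Point p : Z ↔ 1 with |Z| = n whose only true component is k."""
    return [[i == k] for i in range(n)]

# The mappings of Φ (Definition 1) encoded as tagged tuples.
ID = ("id",)
def const(c):    return ("const", c)            # χ_c with c : Y ↔ 1
def cut(f, g):   return ("cut", f, g)           # ϕ1 ∩ ϕ2
def union(f, g): return ("union", f, g)         # ϕ1 ∪ ϕ2
def comp(f):     return ("comp", f)             # complement of ϕ1
def lmul(R, f):  return ("lmul", R, f)          # Rϕ with R : W ↔ Y

def apply(f, v):
    """ϕ(v) for a single vector v : X ↔ 1."""
    tag = f[0]
    if tag == "id":    return v
    if tag == "const": return f[1]
    if tag == "cut":   return meet(apply(f[1], v), apply(f[2], v))
    if tag == "union": return join(apply(f[1], v), apply(f[2], v))
    if tag == "comp":  return neg(apply(f[1], v))
    return compose(f[1], apply(f[2], v))

def lift(f, M):
    """ϕ'(M) for a population M : X ↔ Z (Definition 2); χ_c becomes χ_{cL}."""
    tag = f[0]
    if tag == "id":    return M
    if tag == "const": return compose(f[1], universal(1, len(M[0])))
    if tag == "cut":   return meet(lift(f[1], M), lift(f[2], M))
    if tag == "union": return join(lift(f[1], M), lift(f[2], M))
    if tag == "comp":  return neg(lift(f[1], M))
    return compose(f[1], lift(f[2], M))

def theorem1_holds(f, M):
    """ϕ(Mp) = ϕ'(M)p for every point p : Z ↔ 1."""
    n = len(M[0])
    return all(apply(f, compose(M, point(k, n))) == compose(lift(f, M), point(k, n))
               for k in range(n))

def nonempty_subset_of(c):
    """Vector predicate ψ ∈ Ψ with ψ(v) = L iff O ≠ v ⊆ c.  The predicate is the
    example's own; L is the universal relation 1 ↔ X."""
    L = universal(1, len(c))
    subset = comp(lmul(L, cut(ID, comp(const(c)))))   # v ⊆ c  iff  L(v ∩ ¬c) = O
    nonempty = lmul(L, ID)                            # v ≠ O  iff  Lv = L
    return cut(subset, nonempty)

def evaluate(pred, M):
    """ψ'(M) : 1 ↔ Z as a list with one Boolean per column (individual) of M."""
    return lift(pred, M)[0]

# Constructed population over X = {1, 2, 3, 4}: one individual per row here,
# transposed into M : X ↔ Z with one column per individual.
C = [[True], [True], [True], [False]]             # c describes {1, 2, 3}
INDIVIDUALS = [[True, True, False, False],        # {1, 2}: nonempty subset of c
               [False, False, True, False],       # {3}:    nonempty subset of c
               [False, False, False, False],      # empty
               [True, False, False, True]]        # {1, 4}: not a subset of c
POP = transpose(INDIVIDUALS)

if __name__ == "__main__":
    print(evaluate(nonempty_subset_of(C), POP))   # [True, True, False, False]
    print(theorem1_holds(nonempty_subset_of(C), POP))
```

The lifted predicate evaluates all four individuals with one relational expression and returns the row [True, True, False, False], i.e. exactly the columns k for which ψ'(M)_k holds; theorem1_holds confirms that this agrees with applying ψ to each column Mp separately.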

4 Vectors and Relations

Some problems in combinatorial optimization (like graph coloring and timetable problems) deal with binary relations that have certain properties. In the case that the search points are relations of the type X ↔ Y , it is useful to encode them as vectors of the type X × Y ↔ 1, so that sets of n search points can be represented as relations of type X × Y ↔ [1..n] to be evaluated as described in Section 3. Hence, the desired properties of a relation have to be translated into properties of the corresponding vector, so that it can be decided whether the relation R has a certain property knowing only the vector representation r (and without computing R). In the case that the vector property can be expressed as a vector predicate in the sense of Section 3, we obtain a test mapping that can be applied to a population in order to select the suitable individuals. Theorem 3 states a formula that is helpful for the transformation of relation properties into vector properties. We carry out all proofs in abstract relation algebra so that we don't have to argue with components of concrete relations and achieve more readable and elegant proofs. First, we use direct products to define two constructions on relations, called parallel composition and tupling.

Definition 3. For every two relations A and B there exist two direct products
(π1, ρ1) and (π2, ρ2), so that $\pi_1 A \pi_2^T \cap \rho_1 B \rho_2^T$ is defined. In the following, let

$A \parallel B := \pi_1 A \pi_2^T \cap \rho_1 B \rho_2^T$

be the parallel composition of A and B. If $AB^T$ exists, there is a direct product
(π, ρ), so that πA ∩ ρB is defined. In the following, let

$[A, B] := \pi A \cap \rho B$

be the tupling of A and B.

Obviously, it holds $A \parallel B = [A\pi_2^T, B\rho_2^T]$. In the concrete relation algebra the two
constructions have the following meaning. Given concrete relations A : X ↔ Y
and B : Z ↔ W, we use the natural projections (π1, ρ1) and (π2, ρ2) of X × Z
and Y × W respectively. Then the relation $A \parallel B$ has the type X × Z ↔ Y × W
and it holds
$(A \parallel B)_{\langle x,z\rangle\langle y,w\rangle} \iff A_{xy} \text{ and } B_{zw}$.
For the tupling, we need the existence of $AB^T$. In the case of concrete relations
that means A and B have the same range, i.e. A : X ↔ Y and B : Z ↔ Y.
With (π, ρ) as the natural projections of X × Z, the relation [A, B] has the type
X × Z ↔ Y and
$[A, B]_{\langle x,z\rangle y} \iff A_{xy} \text{ and } B_{zy}$
holds.
In the following, we prove several properties concerning parallel composition
and tupling. Some similar - but not as general as ours - results can be found in
[7]. The first lemma follows immediately from the Dedekind rule.
Lemma 1. Let A, B, C and D be relations so that AB ∩ C is defined. Then
from $A^T C \subseteq D$ it follows $AB \cap C \subseteq A(B \cap D)$.

The next lemma states a few properties of the parallel composition.

Lemma 2. Let Q and R be relations and (π, ρ) and (τ, σ) direct products, so
that $\pi Q \tau^T \cap \rho R \sigma^T$ exists. Then the following statements hold.
1. $(Q \parallel R)^T = Q^T \parallel R^T$
2. $(Q \parallel R)\tau \subseteq \pi Q$. If R is total, even $(Q \parallel R)\tau = \pi Q$ holds.
3. $(Q \parallel R)\sigma \subseteq \rho R$. If Q is total, even $(Q \parallel R)\sigma = \rho R$ holds.

Proof. The first equation follows immediately from the definition of the parallel
composition. To show the second statement, we use the properties of direct
products stated in Section 2.1. With $\tau^T \tau = I$ we achieve

$(Q \parallel R)\tau = (\pi Q \tau^T \cap \rho R \sigma^T)\tau \subseteq \pi Q \tau^T \tau = \pi Q$

for arbitrary relations Q and R. Now let R be total. Because ρ is also total and
$\sigma^T \tau = L$, it follows
$\rho R \sigma^T \tau = \rho R L = \rho L = L$,
and therefore
$\pi Q = L \cap \pi Q$
$\quad = \rho R \sigma^T \tau \cap \pi Q$
$\quad \subseteq (\rho R \sigma^T \cap \pi Q \tau^T)(\tau \cap (\rho R \sigma^T)^T \pi Q)$ (Dedekind rule)
$\quad \subseteq (Q \parallel R)\tau$.
The remaining statement can be proven in the same way. □

In particular, we obtain the special cases

$(Q \parallel I)\tau = \pi Q$ and $(I \parallel R)\sigma = \rho R$,

since the identity relations are total. Using these equations and Lemma 1, we
are able to prove multiplication formulas for parallel composition and tupling
for the special cases, where one of the relations in the parallel composition is the
identity relation. Later we will prove a formula for arbitrary relations.
Lemma 3. Let Q, R, (π, ρ) and (τ, σ) be as in Lemma 2 and S, T relations so
that τS ∩ σT exists.
1. If $\rho\sigma^T$ exists, $(Q \parallel I)[S, T] = [QS, T]$ holds.
2. If $\pi\tau^T$ exists, $(I \parallel R)[S, T] = [S, RT]$ holds.

Proof. We only prove the first equation, because the second statement can be
shown in a similar way. The proof of the first inclusion basically uses Lemma 2:

$(Q \parallel I)[S, T] = (Q \parallel I)(\tau S \cap \sigma T)$
$\quad \subseteq (Q \parallel I)\tau S \cap (Q \parallel I)\sigma T$
$\quad \subseteq \pi Q S \cap \rho I T$ (Lemma 2)
$\quad = [QS, T]$.
To show the second inclusion we use the fact that

$(\ast)\quad (Q \parallel I)^T \rho T \subseteq \sigma T$

holds, which follows immediately from Lemma 2. With the inclusion (∗), we can
apply Lemma 1.
$[QS, T] = \pi Q S \cap \rho T$
$\quad = (Q \parallel I)\tau S \cap \rho T$ (Lemma 2)
$\quad \subseteq (Q \parallel I)(\tau S \cap \sigma T)$ (with (∗), Lemma 1 can be used)
$\quad = (Q \parallel I)[S, T]$. □

Lemma 3 enables us to prove a formula concerning a special case of the multi-
plication of parallel compositions.
Lemma 4. For arbitrary relations Q and R the following equation holds.

$(Q \parallel I)(I \parallel R) = (I \parallel R)(Q \parallel I) = (Q \parallel R)$

Proof. Since $(I \parallel R) = [\tau^T, R\sigma^T]$ holds, we can apply Lemma 3:

$(Q \parallel I)(I \parallel R) = (Q \parallel I)[\tau^T, R\sigma^T] = [Q\tau^T, R\sigma^T] = (Q \parallel R)$.

The second equation can be shown in the same way. □

In the following, Lemma 3 and Lemma 4 are used to prove a multiplication
formula for parallel composition and tupling. The theorem is a generalization of
a statement given in [7], where the formula is shown for injective S and R.
Theorem 2. Let Q, R, S and T be relations such that [S, T], QS and RT exist.
Then the following equation holds:

$(Q \parallel R)[S, T] = [QS, RT]$.

Proof. The proof is a simple application of Lemma 3 and Lemma 4:

$(Q \parallel R)[S, T] = (Q \parallel I)(I \parallel R)[S, T] = (Q \parallel I)[S, RT] = [QS, RT]$. □

In the following, we use the tupling to define the vector-representation of
relations. We examine the mapping vec, that transforms relations into vectors.
After stating several basic properties of vec, we use Theorem 2 to prove a
formula concerning the vector-representation of the composition of relations, stated
in Theorem 3.
Definition 4. For every relation A there exists an identity relation I and a
universal relation L so that [A, I]L is defined. In the following, let

$vec(A) := [A, I]L$

be the vector-representation of A.
Given a concrete relation A : X ↔ Y and the universal vector L : Y ↔ 1
the calculation of vec(A) transforms A into a vector a : X × Y ↔ 1, so that
$a_{\langle x,y\rangle} \iff A_{xy}$. In [5] it is shown that the mapping

$rel : [X \times Y \leftrightarrow 1] \to [X \leftrightarrow Y]$

defined by
$rel(a) = \pi^T(\rho \cap aL)$
is the inverse mapping of

$vec : [X \leftrightarrow Y] \to [X \times Y \leftrightarrow 1]$.

The properties of vec stated in the following lemma obviously hold in the concrete
relation algebra. Their proofs for the abstract relation algebra can be found
in [5].
Lemma 5. For relations A and B with B ∈ RA the following properties hold.

1. $vec(\overline{A}) = \overline{vec(A)}$
2. $A \subseteq B \iff vec(A) \subseteq vec(B)$
3. $vec(A \cap B) = vec(A) \cap vec(B)$
4. $vec(A \cup B) = vec(A) \cup vec(B)$
5. $vec(O) = O$
6. $vec(L) = L$.

We finally need the following lemma, that enables us to prove Theorem 3. It is
proven in [5] as well.
Lemma 6. The equation

$[AB, I]L = [A, B^T]L$

holds, if AB is defined.
The next theorem, which is the main result of this section, solves the following
problem. Given a vector s that is a vector-representation of a relation S, we want
to compute the vector-representation of the composition of S with other rela-
tions, for example vec(QS). Obviously, we can calculate vec(QS) = vec(Qrel(s))
but in this case, we have to do the transformations between vector- and relation-
representation. The formula stated in the following theorem enables us to
compute such expressions without calculating rel(s). The proof basically uses
Theorem 2.
Theorem 3. Let Q, S, R be relations so that QSR exists. Then it holds

$vec(QSR) = (Q \parallel R^T)\,vec(S)$.

Proof. The equation follows immediately from Theorem 2:

$vec(QSR) = [QSR, I]L$
$\quad = [QS, R^T]L$ (Lemma 6)
$\quad = (Q \parallel R^T)[S, I]L$ (Theorem 2)
$\quad = (Q \parallel R^T)\,vec(S)$. □

In the case of concrete relations, we can visualize the formula stated above with
the following diagram. Therefore, let Q : Z ↔ X, R : Y ↔ W and νQ the
left-multiplication with Q.

                  νQ                 μR
   [X ↔ Y] ------------> [Z ↔ Y] ------------> [Z ↔ W]
      |                                            |
  vec |                                            | vec
      v               ν_{Q ∥ R^T}                  v
   [X × Y ↔ 1] ------------------------------> [Z × W ↔ 1]

The statement of Theorem 3 can also be expressed as

$vec \circ \mu_R \circ \nu_Q = \nu_{Q \parallel R^T} \circ vec$.

Theorem 3 can be used to describe fundamental properties of relations, like
uniqueness, totality, injectivity and surjectivity as properties of their vector-
representation. The proof of the following corollary has been moved to the
appendix.
Corollary 1. Let S be a relation, (π, ρ) a direct product so that $\pi S \rho^T$ is defined
and s = vec(S) the vector-representation of S. Then the following equivalences
hold.
1. S is unique ⟺ $(I \parallel \overline{I})s \subseteq \overline{s}$
2. S is injective ⟺ $(\overline{I} \parallel I)s \subseteq \overline{s}$
3. S is total ⟺ $\overline{s} \subseteq (I \parallel \overline{I})s$ ⟺ $\pi^T s = L$
4. S is surjective ⟺ $\overline{s} \subseteq (\overline{I} \parallel I)s$ ⟺ $\rho^T s = L$

5 Application in Concrete Relational Algebra

In this section we use the formula of Theorem 3 to discuss a simple timetable
problem. In our relational model of timetables, which is similar to the model in
[8] and [9], meetings have to be assigned to time slots, so that specific conditions
are satisfied. This means that we search for relations with certain properties.
Timetable problems are typical applications for evolutionary algorithms. In each
step a population, which is a set of possible solutions, is created randomly and
then evaluated w.r.t. the desired properties. Modeling the possible solutions as
vectors enables us to represent a population as a relation that can be evaluated
by applying a test mapping in the sense of Section 3. We apply Theorem 3
to formulate the desired properties of a timetable as a vector predicate. Hence
we can derive a test mapping that can be applied to populations in order to
determine which of the individuals are suitable solutions for the given timetable
problem.
Definition 5. A timetable problem is a tuple
T = (M, P, H, A, P)
where
• M is a finite set of meetings,
• P is a finite set of participants,
• H is a finite set of hours,
• A : M ↔ H and
• P : M ↔ P are relations.
The relation A describes the availabilities of the meetings, i.e. $A_{mh}$ holds if the
meeting m can take place in time slot h. The relation P assigns participants
to meetings. The participant p takes part in meeting m, if $P_{mp}$ holds. We say
that two different meetings m and m′ are in conflict if they have a common
participant, i.e. there is a participant p so that $P_{mp}$ and $P_{m'p}$ hold, which
means that p attends both meetings m and m′. Defining the conflict relation
C : M ↔ M by $C = PP^T \cap \overline{I}$,
m and m′ are in conflict if and only if $C_{mm'}$ holds. Solving a timetable problem
means to assign a time slot to every meeting, so that the meeting is available
and two meetings that are in conflict don't take place at the same time.
Definition 6. A timetable (a solution for the timetable problem T) is a relation
S : M ↔ H
that satisfies the following four conditions.
1. $\forall m, h : S_{mh} \to A_{mh}$
2. $\forall m, m', h : (C_{mm'} \wedge S_{mh}) \to \neg S_{m'h}$
3. S is unique
4. S is total
The first property describes that each meeting is available in the time slot it is
assigned to, the second property ensures that no meetings in conflict are assigned
to the same time slot. The univalence and totality of S means that each meeting
takes place in exactly one time slot. Translated into relational expressions, S is
a timetable if and only if

1. $S \subseteq A$
2. $CS \subseteq \overline{S}$
3. $S\overline{I} \subseteq \overline{S}$
4. $SL = L$
A relation S fulfilling only the first three conditions is called a state or a partial
solution.
By assuming A to be the universal relation L : M ↔ H, we can ignore the first
condition. Then the problem to find a solution for T corresponds to the problem
of graph coloring in the following sense. With C being irreflexive and symmetric,
it can be interpreted as the adjacency relation of an undirected graph with the
vertex set M. Viewing H as a set of k = |H| colors, the task is to find a coloring
of the vertices with k colors, so that two vertices that are connected by an edge
don’t have the same color. This means we have to find a relation S : M ↔ H
with the properties (2) - (4) as given above. In [10] it is shown that the problem of
coloring a graph with k colors is NP-complete for k ≥ 3, therefore the timetable
problem is also NP-complete.
To simplify matters we call a vector s : M × H ↔ 1 a solution or a state of
a timetable problem T if and only if rel(s) is a solution or a state of T. In the
following, Theorem 3 will be used to translate the conditions 1 - 4 for a relation
S into conditions for the corresponding vector s = vec(S). Theorem 4 enables
us to decide whether a vector s is a solution or a state without computing rel(s).
Theorem 4. Let a := vec(A) and s := vec(S). Then s is a timetable if and
only if the following 4 conditions hold.
1. $\overline{a}\,\overline{a}^T s \subseteq \overline{s}$
2. $(C \parallel I)s \subseteq \overline{s}$
3. $(I \parallel \overline{I})s \subseteq \overline{s}$
4. $\pi^T s = L$
If s fulfills the first three conditions, it is a state.
Proof. It is easy to show that the four conditions correspond to the four proper-
ties of Definition 6. The equivalence $S \subseteq A \iff \overline{a}\,\overline{a}^T s \subseteq \overline{s}$ follows immediately
from Lemma 5 and the Schröder rule. As a consequence of Theorem 3 we achieve

$CS \subseteq \overline{S} \iff vec(CS) \subseteq vec(\overline{S}) \iff (C \parallel I)s \subseteq \overline{s}$.

The remaining conditions are already stated in Corollary 1. □

By combining the first three conditions we achieve a simple criterion to test
whether a vector is a state. Defining the verification relation

$V := \overline{a}\,\overline{a}^T \cup (C \parallel I) \cup (I \parallel \overline{I})$

of the type V : M × H ↔ M × H, the following equivalence holds:

s is a state ⟺ $Vs \subseteq \overline{s}$.
Note, that a similar result, but with a much more complicated proof, can be
found in [8].
The verification relation V enables us to model the timetable problem
T = (M, P, H, A, P) as a 3-tuple (M, H, V). For V being symmetric and ir-
reflexive, it can be regarded as an adjacency relation of an undirected graph G.
A vector s with $Vs \subseteq \overline{s}$ then represents an independent set of G. Hence, the
problem to find a state of T with a maximum number of assigned meetings can
be transformed into the problem to find an independent set of a graph with a
maximum number of vertices.
It is quite simple to derive a vector predicate in the sense of Section 3 from the
inclusion stated above. It holds

$Vs \subseteq \overline{s} \iff \overline{L(Vs \cap s)} = L$,

where the first universal relation is of the type 1 ↔ M × H and the second one
of the type 1 ↔ 1. We obtain the vector predicate ψst : [M × H ↔ 1] → [1 ↔ 1]
defined by
$\psi_{st}(s) = \overline{L(Vs \cap s)}$
to test whether a vector s is a state of the timetable problem T. Following
Section 3, we derive for an arbitrary n ∈ ℕ the corresponding test mapping

ψ′st : [M × H ↔ [1..n]] → [1 ↔ [1..n]] by

$\psi'_{st}(M) = \overline{L(VM \cap M)}$,

that enables us to filter all states of T out of a set of n vectors, modeled as a
relation M : M × H ↔ [1..n].
To select the complete solutions we determine a second test mapping to decide
whether a vector represents a total relation. From Corollary 1 we know that S
is total if and only if $\pi^T s = L$ holds for s = vec(S). This condition can easily be
transformed into the predicate ψto : [M × H ↔ 1] → [1 ↔ 1] defined by

$\psi_{to}(s) = \overline{L\,\overline{\pi^T s}}$

to test whether a vector corresponds to a total relation. We can immediately
derive the test mapping ψ′to : [M × H ↔ [1..n]] → [1 ↔ [1..n]] defined by

$\psi'_{to}(M) = \overline{L\,\overline{\pi^T M}}$,

that selects all columns of M representing total relations. Hence we achieve the
predicate ψsol = ψst ∩ ψto to decide whether a vector is a solution of the timetable
problem T. According to Section 3, the test mapping ψ′sol = ψ′st ∩ ψ′to can be
used to select timetables out of a set of possible solutions.

6 Conclusions
The combination of relational algebra and evolutionary algorithms is a promising
research direction. Sets of search points can be modeled and evaluated with
280 B. Kehden

relational algebra. We interpret relations columnwise as sets of vectors and use


relational expressions to evaluate all included vectors in one step. Therefore
we have defined a set of vector predicates that can be easily transformed into
test mappings for sets of search points, modeled as relations. By applying these
mappings to relations we can select the vectors fulfilling certain properties.
In this work we have extended this approach to a greater class of problems,
where the search points are binary relations. We have discussed the transfor-
mation of relations to vectors and have proven a formula to translate certain
properties of relations into properties of the corresponding vectors.
By applying our approach to a simple timetable problem we have given an
example of its usefulness. Our results lead to a simple criteria to decide whether
search points are solutions or partial solutions of a timetable problem.

References
1. Berghammer R.: A generic program for minimal subsets with applications. Leuschel
M. (ed.): Logic-based Program Development and Transformation (LOPSTR '02),
proceedings, LNCS 2664, Springer, 144-157, 2003.
2. Berghammer R., Milanese U.: Relational approach to Boolean logic problems.
W. MacCaull, M. Winter and I. Duentsch (eds.): Relational Methods in Computer Science,
LNCS 3929, Springer, 2006.
3. Kehden B., Neumann F., Berghammer R.: Relational implementation of simple
parallel evolutionary algorithms. W. MacCaull, M. Winter and I. Duentsch (eds.): Rela-
tional Methods in Computer Science, LNCS 3929, Springer, 2006.
4. Kehden B., Neumann F.: A Relation-Algebraic View on Evolutionary Algorithms
for Some Graph Problems. Gottlieb and Raidl (eds.): 6th European Conference on
Evolutionary Computation in Combinatorial Optimization, LNCS 3906, Springer,
147-158, 2006.
5. Schmidt G., Ströhlein T.: Relations and Graphs. Springer, 1993.
6. Berghammer R.: Relational-algebraic computation of fixed points with applica-
tions. The Journal of Logic and Algebraic Programming 66, 112-126, 2006.
7. Berghammer R., Zierer H.: Relational algebraic semantics of deterministic and
nondeterministic programs. Theoretical Computer Science 43, 1986.
8. Schmidt G., Ströhlein T.: Some aspects in the construction of timetables. Infor-
mation Processing 74, Proc. IFIP Congress, Stockholm, 516-520, North-Holland,
Amsterdam, 1974.
9. Schmidt G., Ströhlein T.: A Boolean matrix iteration in timetable construction.
Linear Algebra and Appl. 15, no. 1, 27-51, 1976.
10. Wegener I.: Complexity Theory. Springer, 2005.
Algebraization of Hybrid Logic with Binders

Tadeusz Litak

School of Information Science, JAIST
Asahidai 1–1, Nomi-shi, Ishikawa-ken
923-1292 Japan
[email protected]

Abstract. This paper introduces an algebraic semantics for hybrid logic
with binders H(↓, @). It is known that this formalism is a modal counter-
part of the bounded fragment of the first-order logic, studied by Feferman
in the 1960’s. The algebraization process leads to an interesting class of
boolean algebras with operators, called substitution-satisfaction algebras.
We provide a representation theorem for these algebras and thus provide
an algebraic proof of completeness of hybrid logic.

1 Introduction

1.1 Motivation

The aim of this paper is to provide an algebraic semantics for hybrid logic with
binders H(↓, @). This formalism is, as was proven in the 1990’s [1], the modal
counterpart of the bounded fragment of first-order logic. Hence, an algebraiza-
tion of H(↓, @) provides also an algebraic insight into the nature of bounded
quantification, i.e., quantification of the form ∀x(tRx → φ) and ∃x(tRx ∧ φ),
where t is a term not containing x. The fragment of first-order logic obtained by
allowing only such quantifiers was investigated in the 1960’s by Feferman and
Kreisel [2], [3]. A discovery they made is that formulas in this fragment are ex-
actly those which are preserved by formation of generated submodels, as modal
logicians would say, or — to use Feferman’s term — outer extensions.
The aim of this paper is to present a class of algebras which are hybrid (or
bounded) equivalent of cylindric algebras for first-order logic. These algebras are
substitution-satisfaction algebras (SSA’s), boolean algebras equipped with three
kinds of operators: ↓k corresponding to binding of variable ik to the present state,
@k saying that a formula is satisfied in the state named by ik and standard
modal operator ◇, corresponding to restricted quantification itself. The theory
of cylindric algebras proves to be an important source of insights and methods,
but not all techniques can be applied directly to SSA’s. For example, cylindric
algebras often happen to be simple. For locally finite dimensional ones, subdirect
irreducibility is equivalent to simplicity and in the finitely dimensional case, we
even have a discriminator term. SSA’s are not so well-behaved. Another example:
in cylindric algebras, the operation of substitution of one variable for another
is always definable in terms of quantifier operators. SSA’s do not allow such a

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 281–295, 2006.
© Springer-Verlag Berlin Heidelberg 2006
282 T. Litak

feat. And yet, it turns out that their representation theory is not much more
complicated than in the cylindric case.
Algebraic operators formalizing substitutions in first-order logic have been
studied since Halmos started working on polyadic algebras [4]. In particular,
they play a prominent role in formalisms developed by Pinter in the 1970’s, cf.,
e.g., [5]. Nevertheless, algebras studied in the present paper do not have full
substitution algebras as reducts — certain substitution operators are missing.
Besides, as Halmos himself observed, the most interesting thing about satisfac-
tion operators is their interplay with quantifiers — and bounded quantifiers do
not interact with substitution operators in the same way as standard quantifiers
do.
The structure of the present paper is as follows. In Section 1.2, we introduce
the bounded fragment and H(↓, @) as well as the truth preserving translation
that show they are expressively equivalent. In Section 2, we introduce concrete,
set-theoretical instantiation of SSA’s — our counterpart of cylindric set alge-
bras. In Section 3 we characterize SSA’s axiomatically. Also, we prove some
useful arithmetical facts and characterize basic algebraic notions, such as con-
gruence filters or subdirect irreducibility. Section 4 contains main results of the
paper. First, we identify Lindenbaum-Tarski algebras of hybrid theories as those
which are properly generated. It is a more restrictive notion than the notion of
local finiteness in the case of cylindric algebras. Then we show that every prop-
erly generated algebra of infinite (countable) dimension can be represented as a
subdirect product of set algebras. In other words, we provide a representation
theorem for SSA’s and thus an algebraic proof of completeness of H(↓, @). The
proof was inspired by a concise proof of representation theorem for cylindric
algebras by Andréka and Németi [6].
The author wishes to thank heartfully Ian Hodkinson for inspiration to begin
the present research and for invaluable suggestions how to tackle the issue. The
author can only hope that this advice was not entirely wasted. Thanks are also
due to Patrick Blackburn for his ability to seduce people into doing hybrid logic
and to the anonymous referee for suggestions and comments on the first version
of this paper.

1.2 H(↓, @) and the Bounded Fragment

This subsection briefly recalls some results of Areces et al. [1]; cf. also ten Cate
[7]. For any ordinal α, define α⁺ = α − {0}. It will become clear soon that
zero is going to play the role of a distinguished variable. Fix a countable supply
of propositional variables {pa}a∈PROP (the restriction on cardinality is of no
importance here) and nominal variables {ik}k∈α⁺; most of the time, we assume
α = ω. Formulas of the hybrid language are given by

$\phi ::= p_a \mid i_k \mid \neg\phi \mid \phi \wedge \psi \mid \Diamond\phi \mid @_{i_k}\phi \mid \downarrow i_k.\phi$

□, ∨ and → are introduced as usual. Some papers introduced one more kind
of syntactic objects: nominal constants, which cannot be bound by ↓. They do
not increase the expressive power of the language and for our present goal the
disadvantages of introducing such objects would outweigh the merits. They can
be replaced by free unquantified variables.
Hybrid formulas are interpreted in models. A model M := ⟨W, R, V⟩ consists
of an arbitrary non-empty set W, a binary accessibility relation R ⊆ W × W
and a (propositional) valuation V : pa ↦ A ∈ P(W) mapping propositional
variables to subsets of W. A (nominal) assignment in a model is any mapping
v : ik ↦ w ∈ W of nominal variables to elements of W. For an assignment
v, k ∈ α⁺ and w ∈ W, define $v^k_w$ to be the same assignment as v except for
$v^k_w(i_k) = w$. The notion of satisfaction of a formula at a point is defined inductively:

$w \models_{\mathcal{M},v} i_k$ iff $w = v(i_k)$;  $w \models_{\mathcal{M},v} p_a$ iff $w \in V(p_a)$;
$w \models_{\mathcal{M},v} \psi \wedge \phi$ iff $w \models_{\mathcal{M},v} \psi$ and $w \models_{\mathcal{M},v} \phi$;  $w \models_{\mathcal{M},v} \neg\psi$ iff not $w \models_{\mathcal{M},v} \psi$;
$w \models_{\mathcal{M},v} \Diamond\psi$ iff $\exists y.(wRy$ and $y \models_{\mathcal{M},v} \psi)$;
$w \models_{\mathcal{M},v} @_{i_k}\psi$ iff $v(i_k) \models_{\mathcal{M},v} \psi$;  $w \models_{\mathcal{M},v} \downarrow i_k.\psi$ iff $w \models_{\mathcal{M},v^k_w} \psi$.

Fix any first-order language with a fixed binary relation constant R, unary
predicate constants {Pa}a∈PROP and variables in VAR := {xk}k∈α⁺ ∪ {x, y}.
The bounded fragment is generated by the following grammar:

$\phi ::= P_a(v) \mid vRv' \mid v \approx v' \mid \neg\phi \mid \phi \wedge \psi \mid \exists v.(tRv \,\&\, \psi)$,

where v, v′ ∈ VAR and t is a term which does not contain v. The last require-
ment is crucial. Define the following mapping from the hybrid language to the first-order
language by mutual recursion between two functions STx and STy:

             STx                             STy
i_k          x ≈ x_k                         y ≈ x_k
p_a          P_a(x)                          P_a(y)
ψ ∧ φ        STx(ψ) ∧ STx(φ)                 STy(ψ) ∧ STy(φ)
¬ψ           ¬STx(ψ)                         ¬STy(ψ)
◇φ           ∃y.(xRy ∧ STy(φ))               ∃x.(yRx ∧ STx(φ))
@ik φ        ∃x.(x ≈ x_k ∧ STx(φ))           ∃y.(y ≈ x_k ∧ STy(φ))
↓ik.φ        ∃x_k.(x ≈ x_k ∧ STx(φ))         ∃x_k.(y ≈ x_k ∧ STy(φ))

This mapping is known as the standard translation.

Theorem 1. Let M := ⟨W, R, V⟩ be a hybrid model, v a nominal assignment.
Let also ν be a valuation of first-order individual variables satisfying ν(xk) =
v(ik), ν(x) and ν(y) being arbitrary; recall that unary predicate constants corre-
spond to propositional variables. For every w ∈ W and every hybrid formula φ,
$w \models_{\mathcal{M},v} \phi$ iff $\nu^x_w, w \models ST_x(\phi)$.

Proof: See, e.g., Section 3.1 of Areces et al. [1] or Section 9.1 of ten Cate [7]. □

The special role, then, is played by x: we sometimes call it the distinguished
variable and identify it with x0. The role of y is purely auxiliary. It is never used
as a non-bound variable.
The apparatus of binders and satisfaction operators makes also the reverse
translation possible. Let the supply of individual variables be {xk}k∈α⁺; no dis-
tinguished variables this time. Define

$HT(P_a(x_k)) := @_{i_k} p_a$, $HT(x_k \approx x_l) := @_{i_k} i_l$, $HT(x_k R x_l) := @_{i_k}\Diamond i_l$,
$HT(\neg\phi) := \neg HT(\phi)$, $HT(\phi \wedge \psi) := HT(\phi) \wedge HT(\psi)$,
$HT(\exists x_k.\, x_l R x_k \wedge \psi) := @_{i_l}\Diamond\downarrow i_k.HT(\psi)$.

Theorem 2. Let M be a first-order model in the signature {Pa} ∪ {R} and ν
be a valuation of first-order individual variables. Define a nominal assignment
v(ik) := ν(xk). For every formula ψ in the bounded fragment and every point
x ∈ M, $\nu, x \models \psi$ iff $x \models_{\mathcal{M},v} HT(\psi)$.

Proof: See Section 3.1 of Areces et al. [1] or Section 9.1 of ten Cate [7]. □

In short, H(↓, @) and the bounded fragment of first-order logic have the same
expressive power. There is a beautiful semantic characterization of first-order
formulas equivalent to those in the bounded fragment: these are exactly formulas
invariant for generated submodels. Unfortunately, we cannot enter into details
here: cf. Feferman [3] or Areces et al. [1].

2 Concrete Algebras

A set substitution-satisfaction algebra or a concrete substitution-satisfaction al-
gebra of dimension α (cssaα) with base ⟨W, R⟩, where R ⊆ W², is defined as
a structure A := ⟨A, ∨, ¬, ∅, A, @i, s^i_0, d_i, ◇⟩_{i∈α⁺}, where A is a field of subsets
of W^α closed under all operations defined below and for every i ∈ α⁺ and
X ∈ P(W^α):

– $d_i := \{x \mid x_0 = x_i\}$,
– $@_i X := \{y \mid \exists x \in X.\, x_0 = x_i \,\&\, \forall j \neq 0.\, x_j = y_j\}$,
– $\downarrow_i X := \{y \mid \exists x \in X.\, x_0 = x_i \,\&\, \forall j \neq i.\, x_j = y_j\}$,
– $\Diamond X := \{y \mid \exists x \in X.\, y_0 R x_0\}$.

d_i corresponds to d_{0i} in cylindric algebras, hence our present notation. ∅
is often denoted as ⊥ and P(W^α) as ⊤. The zero coordinate of an element
from W α is called the distinguished axis. Geometrically, @k X corresponds to the
effect of intersecting X with the hyperplane dk and moving the set thus obtained
parallel to the distinguished axis. Analogously, ↓k X corresponds to the effect of
intersecting X with the hyperplane dk and moving the set thus obtained parallel
to the k-axis. Logical counterparts of these operations will be made explicit
in the next section, but the notation should suggest the proper interpretation.
Those cssaα ’s whose universe consists of the whole W α form the class of full-
set substitution-satisfaction algebras of dimension α, denoted by fssaα . Thus,
cssaα = S(fssaα ). The class of representable substitution-satisfaction algebras
of dimension α is defined as rssaα = ISP (fssaα ).
2.1 Connection with Logic

With every model M = ⟨W, R, V⟩ we can associate the structure SsM. Namely,
with every formula φ whose nominal variables are in {ik}k∈α⁺ we can associate
the set $\phi^{\mathcal{M}} = \{v \in W^\alpha \mid v_0 \models_{\mathcal{M},\, v|_{\alpha^+}} \phi\}$; v|α⁺ is identified with the corresponding
assignment of nominal variables. Such sets form a field of sets closed under ↓k,
@k, ◇ and all diagonals. This is exactly the algebra SsM ∈ cssaα. Let us
record the following basic

Fact 1. For all hybrid formulas φ, ψ, every k ∈ α⁺, every hybrid model M,

$i_k^{\mathcal{M}} = d_k$, $(\psi \wedge \phi)^{\mathcal{M}} = \psi^{\mathcal{M}} \wedge \phi^{\mathcal{M}}$, $(\neg\psi)^{\mathcal{M}} = \neg\psi^{\mathcal{M}}$, $(\Diamond\psi)^{\mathcal{M}} = \Diamond\psi^{\mathcal{M}}$,
$(@_{i_k}\psi)^{\mathcal{M}} = @_k\psi^{\mathcal{M}}$, $(\downarrow i_k.\psi)^{\mathcal{M}} = \downarrow_k\psi^{\mathcal{M}}$.

In order to characterize those cssaα's which are of the form SsM for some
M, let us introduce the notion of a dimension set $\Delta a := \{k \in \alpha^+ \mid \downarrow_k a \neq a\}$.
An element a is zero-dimensional if Δa = ∅. The family of all zero-dimensional
elements of A is denoted by A^[0]. The algebra generated (as cssaα; of course, all
constant elements are also treated as generators) from A^[0] is denoted as [A0]. A
is called properly generated¹ if A = [A0]. A is called locally finitely dimensional
if #Δa < ω for every a. Finally, A ∈ cssaα with base ⟨W, R⟩ is called 0-regular
if for every a ∈ A, every v, w ∈ W^α, v ∈ a and v_0 = w_0 implies w ∈ a.

Lemma 2. Every algebra of the form SsM, where M = ⟨W, R, V⟩ is some
hybrid model, is properly generated and 0-regular.

Proof: The proof of proper generation consists of three straightforward claims.
First, every hybrid formula is by definition built from {pa}a∈PROP and {ik}k∈α⁺
by finitely many applications of ¬, ∧, ◇, @ik and ↓ik. Second, by Fact 1, the
connectives are interpreted by corresponding operations in the algebra. Third, for
every propositional variable p, p^M is zero-dimensional, as $v \in p^{\mathcal{M}}$ iff $v_0 \in V(p)$
iff $(v^k_{v_0})_0 \in V(p)$ iff $v \in \downarrow_k p^{\mathcal{M}}$.
For 0-regularity, for any 0-dimensional φ^M let us assume that var(φ) = {k ∈
α⁺ | ik occurs in φ}. If f ∈ φ^M, g|var(φ) = f|var(φ), then g ∈ φ^M, as it is irrelevant
what values g assigns to variables which do not occur in φ. Assume now g_0 = f_0.
In case var(φ) is non-empty, let i_{v(0)}, …, i_{v(n)} be an enumeration of it. Let f′
(g′) be a valuation obtained from f (g) by substituting f_0 (= g_0) for every i_{v(k)},
where k ∈ {0, …, n}. $f \in \phi^{\mathcal{M}} = \downarrow_{v(0)} \cdots \downarrow_{v(n)} \phi^{\mathcal{M}}$, hence $f' \in \phi^{\mathcal{M}}$; by the above
observation $g' \in \phi^{\mathcal{M}}$, thus $g \in \downarrow_{v(0)} \cdots \downarrow_{v(n)} \phi^{\mathcal{M}} = \phi^{\mathcal{M}}$. □

The above observation can be strengthened to an equivalence.

Theorem 3. A ∈ cssaα based on ⟨W, R⟩ is of the form SsM for some hybrid
model M with the same base iff it is properly generated and regular.

¹ We avoid the notion zero-generated as it could be misleading: algebraists usually call
this way the smallest subalgebra, i.e., the algebra generated from constants.
Proof: The left-to-right direction has already been proven. For the converse, let
A ∈ fssaα be a properly generated and regular algebra based on F = ⟨W, R⟩.
For any a ∈ A^[0], let V(pa) = {w ∈ W | ∃v ∈ a. w = v_0}. Let M = ⟨F, V⟩. We
want to show A = SsM. The bases of both algebras and hence the fundamental
operations on the intersection of both universes coincide. Thus, in order to show
the ⊆-direction, it is enough to show that for every a ∈ A^[0], a = p_a^M. For
every v ∈ W^α, v ∈ p_a^M iff v_0 ∈ V(pa) iff v_0 = w_0 for some w ∈ a iff (by 0-
regularity) v ∈ a. For the reverse inclusion, observe that the atomic formulas in
the language of M are always of the form pa or ik. The proof proceeds then by
standard induction on the complexity of formulas. □

3 Abstract Approach

3.1 Axioms and Basic Arithmetics

Let i, j, k, ... be arbitrary ordinals in α+. The class of substitution-satisfaction
algebras of dimension α, ssaα, is defined as the class of algebras satisfying the
following axioms:

Ax1. Axioms for boolean algebras
Ax2. Axioms for the modal operator
(a) ◇⊥ = ⊥
(b) ◇(p ∨ q) = ◇p ∨ ◇q
Ax3. Axioms governing @k
(a) ¬@k p = @k ¬p
(b) @k (p ∨ q) = @k p ∨ @k q
(c) @k dk = ⊤
(d) @k @j p = @j p
(e) dk ≤ p ↔ @k p
Ax4. Interaction of ◇ and @k: ◇@k p ≤ @k p
Ax5. Axioms governing ↓k
(a) ¬↓k p = ↓k ¬p
(b) ↓k (p ∨ q) = ↓k p ∨ ↓k q
(c) ↓k ↓j p = ↓j ↓k p
(d) ↓k ↓k p = ↓k p
(e) ↓j dk = dk for j ≠ k and ↓k dk = ⊤
Ax6. Interaction of ↓k and @j
(a) ↓k @j ↓k p = @j ↓k p
(b) ↓k @k p = ↓k p
(c) @k ↓k p = @k p
Ax7. Interaction of ↓k and ◇: ↓k ◇ ↓k p = ◇ ↓k p
Ax8. The Blackburn-ten Cate axiom BG: @k □ ↓j @k ◇dj = ⊤

Fact 3. fssaα ⊆ ssaα and thus rssaα ⊆ ssaα.



Lemma 4. The following are derivable:

Ar1. □(p → q) ≤ ◇p → ◇q
Ar2. @k (p → q) = @k p → @k q
Ar3. ↓k (p → q) = ↓k p → ↓k q
Ar4. @k dj ≤ @k p ↔ @j p
Ar5. @k dj ≤ @j dk
Ar6. dj ∧ p ≤ @j p
Ar7. @k ◇dj ∧ @j p ≤ @k ◇p.

Proof: The only one which requires some calculation is Ar7, and we will need
this one later. From Ax3e we get that @j p ≤ dj → p; by Ax4 this gives us
@j p ≤ □(dj → p). Using Ax3d, we get @j p ≤ @k □(dj → p). By Ar1, this gives
us @j p ≤ @k (◇dj → ◇p). By Ar2, we get the desired conclusion. ∎

3.2 Proper Generation and Finite Dimensionality

The notions of dimension of an element, locally finitely dimensional and properly
generated algebra are introduced in exactly the same way as in the concrete case.
The class of locally finite algebras of dimension α is denoted as Lfα, the properly
generated ones as Propα.

Fact 5. Δdk = {k}, Δ◇a ⊆ Δa, Δ¬a = Δa, Δ(a ∧ b) ⊆ Δa ∪ Δb, Δ@k a ⊆ Δa ∪ {k},
Δ↓k a ⊆ Δa − {k}.

Corollary 1. Propα ⊆ Lfα.

From now on, we use the fact that ↓k and @k distribute over all boolean connec-
tives without explicit reference to Ax3a, Ax3b, Ax5a, Ax5b and Ar2. A straight-
forward consequence of Ax6b is

Fact 6. For every k ∉ Δp, p ≠ ⊥ implies @k p ≠ ⊥. Consequently, for any
a ∈ A ∈ Lfα, a ≠ ⊥ iff there is k s.t. @k a ≠ ⊥.

The following result is an algebraic counterpart of an observation of ten Cate
and Blackburn [8], [7].

Lemma 7. Assume α ≥ ω, A ∈ Lfα, p ∈ A. Then

@j ◇p = ⋁_{l ∉ Δp} (@j ◇dl ∧ @l p)   (1)

Proof: @j ◇dl ∧ @l p ≤ @j ◇p by Ar7. Thus, in order to show (1), it is enough to
prove that for any z, if @j ◇dl ∧ @l p ≤ z for every l ∉ Δp, then @j ◇p ≤ z. Choose
some l, k ∉ Δp ∪ Δz (here is where we use the assumptions on A). By assumption and
by Ax3d, @j ◇dl ∧ @l p ≤ @k z. This in turn, by l ∉ Δz ∪ Δp and Lemma 5, implies
↓l (@j ◇dl ∧ p → @k z) = ⊤, from which we get @j □(↓l @j ◇dl → (p → @k z)) = ⊤.
Here is where we use Ax8 to obtain @j □(p → @k z) = ⊤. This implies @j ◇p =
@j ◇p ∧ @j □(p → @k z). By Ar1, we thus get @j ◇p ≤ @j ◇@k z, and by Ax4 and
Ax3d we obtain @j ◇p ≤ @k z. By k ∉ Δz ∪ Δp and Lemma 5, the conclusion
follows. ∎

3.3 Ideals, Homomorphisms, The Rasiowa-Sikorski Lemma

Let us introduce several standard algebraic notions concerning the structure of
ssaα's. An open ideal is a lattice-theoretical ideal closed under ◇, all @i and ↓i. It
is a standard observation that congruence ideals correspond to homomorphisms.
The ideal generated by p is the smallest open ideal containing p; it is denoted by
Gen(p). Let Modα be the set of words in the alphabet {◇, ↓i, @i | i ∈ α+}.

Fact 8. Gen(p) = {q | q ≤ ∇1 p ∨ ··· ∨ ∇n p, ∇1, ..., ∇n ∈ Modα}

A subdirectly irreducible algebra is one which contains a smallest nontrivial open
ideal. By the above observation, we can reformulate it as follows.

Corollary 2. A ∈ ssaα is subdirectly irreducible iff there exists o ≠ ⊥ s.t. for
every p ≠ ⊥ there are ∇1, ..., ∇n ∈ Modα s.t. o ≤ ∇1 p ∨ ··· ∨ ∇n p. o is called a
(dual) opremum element.

Of course, we don't really have to consider all members of Modα; it is possible to
restrict the set significantly. In particular, for zero-dimensional p we can restrict
attention to ∇1, ..., ∇n ∈ {◇^n, @i ◇^n | i ∈ α+, n ∈ ω}.
Combining Corollary 2 and Lemma 6 we arrive at the following:

Corollary 3. A ∈ Lfα is subdirectly irreducible iff there is o ∈ A and k ∈ α+
s.t. @k o ≠ ⊥ and for every p ≠ ⊥ there are ∇1, ..., ∇n ∈ Modα s.t. @k o ≤
@k ∇1 p ∨ ··· ∨ @k ∇n p. Of course, we can take @k o to be the opremum itself.

Definition 1. Let A ∈ ssaα. An ultrafilter H of A is elegant if for every i ∈ α+
and every p ∈ A, @i ◇p ∈ H iff there is j ∈ α+ s.t. @i ◇dj ∧ @j p ∈ H.

Lemma 9. Let α be countably infinite, A ∈ Lfα, #A ≤ ω. For every a ≠ ⊥,
there exists an elegant ultrafilter containing a.

Proof: Follows from Lemma 7 and the Rasiowa-Sikorski Lemma: cf. Koppel-
berg [9, Theorem 2.21]. We briefly sketch the proof here to make the paper
more self-contained. Let b0, b1, b2, ... be an enumeration of all elements of the
form @j ◇p for some j ∈ α+ and p ∈ A: here is where we use the fact that the
universe of A is countable. Define a0 := a. If an is defined, let an+1 := an if
an ∧ bn = ⊥. Otherwise, assume bn = @j ◇p. Lemma 7 implies there is k ∈ α+
s.t. an+1 := an ∧ @j ◇dk ∧ @k p ≠ ⊥. In this way we obtain an infinite descending
chain of nonzero points. Any ultrafilter containing {an}n∈ω is elegant. ∎

4 The Representation Theorem

This section proves the main result of the paper. We identify those SSA’s which
correspond to Lindenbaum-Tarski algebras of H(↓, @)-theories and prove a rep-
resentation theorem for them.

4.1 Transformations, Retractions, Replacements

Halmos [4] developed a general theory of transformations and used it as a foun-
dation for the theory of polyadic algebras. Let us recall some basic results. A trans-
formation of α+ is any mapping of α+ into itself. We call a transformation τ
finite if τ(i) = i for almost all i (i.e., cofinitely many). We will be interested
only in finite transformations. The intuitive reason is that transformations will
correspond to substitutions of variables — and, for a given formula, only fi-
nitely many variables are relevant. From now on, finiteness of transformations is
assumed tacitly.
A transformation τ is called a transposition if for some k and l, τ(k) = l,
τ(l) = k and for all other arguments τ is equal to the identity. Such mappings
are denoted as (k, l). A product of transpositions is called a permutation. τ is
called a replacement if τ is different from the identity for exactly one argument, say
τ(l) = k. τ is then written as (l/k). A transformation τ is called a retraction
if τ² = τ. It is a well-known mathematical fact that every bijection of α+ onto
itself is a permutation. Halmos generalized this fact as follows:

Lemma 10. Every retraction is a product of replacements and every transfor-
mation is a product of a permutation and a retraction.

In the case of locally finite algebras of infinite dimension, we can restrict our at-
tention to retractions only, i.e., products of replacements: this will be justified
further on. A similar observation for locally finite polyadic algebras was made
by Halmos [4]. Finally, a bit of notation. For τ a transformation, let τ_k^l be the sub-
stitution defined as τ_k^l(j) = τ(j) for j ≠ l and τ_k^l(l) = k. Also, let τ − l be the
transformation which is the same as τ except that it leaves l unchanged. Thus,
τ_k^l is the composition of τ − l and (l/k).

4.2 Axioms for H(↓, @)

We present an axiom system for H(↓, @) taken from Blackburn and ten Cate [8],
[7]. A nominal variable ik is called bound in a formula φ if it occurs within the
scope of some ↓ik and free otherwise.

Definition 2. Let τ : α+ → α+ be a transformation. The nominal substitution
associated with τ of formulas of the hybrid language is a function ψ ↦ ψ^τ which
replaces all free occurrences of ik and @ik with iτ(k) and @iτ(k), respectively, in
those places which are not in the scope of some ↓iτ(k).

A H(↓, @)-theory is any set of hybrid formulas T containing all instances of

H1. classical tautologies,
H2. □(ψ → φ) → (□ψ → □φ),
H3. @ik (ψ → φ) → (@ik ψ → @ik φ),
H4. @ik ψ ↔ ¬@ik ¬ψ,
H5. @ik ik,

H6. @ij @ik ψ ↔ @ik ψ,
H7. ik → (ψ ↔ @ik ψ),
H8. ◇@ik ψ → @ik ψ,
H9. @ik (↓il.ψ ↔ ψ^(l/k)),
H10. ↓ik.(ik → ψ) → ψ, if ik does not occur free in ψ,
H11. @ij □ ↓ik.@ij ◇ik

and closed under Modus Ponens, Substitution (i.e., if ψ ∈ T, then ψ^τ ∈ T for
every substitution τ), and Generalization for all operators (i.e., if ψ ∈ T, then
@ik ψ ∈ T, ↓ik ψ ∈ T and □ψ ∈ T). It is easy to see that our Ax1–Ax4 and Ax8
are direct translations of the corresponding H(↓, @) axioms. Those governing ↓ could
not be translated straightforwardly into equations. See the concluding section
for further comments on the relationship between these two axiomatizations.
Blackburn and ten Cate [8], [7] prove the following:

Theorem 4 (Hybrid Completeness). For every consistent H(↓, @)-theory
T, there is a hybrid model MT such that T is exactly the set of all formulas
whose value under all assignments is equal to the universe of MT.

In this work, we provide an algebraic counterpart of their result. First, let us
characterize Lindenbaum-Tarski algebras of H(↓, @)-theories.

4.3 Lindenbaum-Tarski Algebras

From now on, we always assume we work with a countably infinite α. Fix a
supply of propositional variables and denote the set of all hybrid formulas as
Form. With every H(↓, @)-theory T we can associate an equivalence relation on
the set of hybrid formulas: [ψ]T = {φ | ψ ↔ φ ∈ T}. With every connective, we
can associate a corresponding operator on equivalence classes, i.e., ◇[φ] = [◇φ],
@k [φ] = [@ik φ], ↓k [φ] = [↓ik φ] etc. It is a matter of routine verification that this
definition is correct, i.e., independent of the choice of representatives. We have
to show that Form/T with operators corresponding to logical connectives and
constants is an element of Propα. Such a structure is called the Lindenbaum-
Tarski algebra of T. Verification that Ax1–Ax4 and Ax8 hold does not pose any
problems by the remark above. Verification of the axioms governing ↓k can be done
in a uniform manner: first, use H9 and the axioms governing @ij to prove an instance
of the axiom preceded by an arbitrary @ij, e.g. @ij (¬↓ik φ ↔ ↓ik ¬φ) ∈ T. As ij can
be chosen such that ij does not appear in φ, we can use H7, the generalization rule
for ↓ij and H10 to get rid of the initial @ij. The same strategy can be used to show
that equivalence classes of propositional variables are zero-dimensional and thus
the algebra is properly generated.
In the reverse direction, we use the same strategy as in the proof of Theorem
3. With every element a ∈ A[0], associate a distinct propositional variable pa.
Hybrid formulas φ in the language whose propositional variables are pa's and
whose nominal variables are in α+ are in 1-1 correspondence with constant terms in
the language of ssaα's extended with a name for every a ∈ [A0]. And so, for every
such formula φ, let Φ be the corresponding term. The substitution associated

with τ for terms is defined in the same way as for hybrid formulas, with dk, ↓k and
@k replacing, respectively, ik, ↓ik and @ik. Define TA := {φ ∈ Form | Φ = ⊤}.
First, we show this is a H(↓, @)-theory. The only part which is not immediate is
showing that all instances of H9 belong to T.

Lemma 11. Ψ^(l/k) = ↓l Ψ^(l/k) for l ≠ k.

Proof: The only relevant information for the basic inductive step is that the pa's
correspond to a ∈ A[0]. The inductive steps are trivial for booleans and use Ax7,
Ax6a and Ax5c for modal, satisfaction and substitution operators. ∎

Lemma 12. For every retraction τ, @k Φ^{τ_k^l} = @k ↓l Φ^{τ−l}.

Proof: To prove the lemma, it is enough to show that

@l dk ≤ Ψ ↔ Ψ^(l/k).   (2)

For then we get that dk ≤ ↓l Ψ ↔ ↓l Ψ^(l/k). By Lemma 11, it is equivalent to
dk ≤ ↓l Ψ ↔ Ψ^(l/k). By the laws of boolean algebras, it is equivalent to dk ∧ ↓l Ψ =
dk ∧ Ψ^(l/k). But then

@k ↓l Ψ = @k (dk ∧ ↓l Ψ) = @k (dk ∧ Ψ^(l/k)) = @k Ψ^(l/k).

Thus, let us prove (2) by induction on the complexity of Ψ. For nominals, it is
a consequence of Ax3c and Ar5. For propositional variables, pa^(l/k) = pa. For
booleans, the inductive step is trivial. For ◇, it follows from Ax4 and Ar1. For
@j, it follows from Ax3d. Finally, for ↓j, we use the fact that either j ∉ Δ(@l dk)
or j ∈ {k, l}. If the latter is the case, then ↓j Ψ^(l/k) = ↓j Ψ, by definition of
nominal substitution. ∎

We have proven that T is indeed a H(↓, @)-theory, but before proceeding with
the proof that A is isomorphic to Form/TA let us record two useful consequences
of the Lemma just proven.

Corollary 4. If Ψ = ⊤, then for an arbitrary retraction τ and arbitrary k in the
range of τ, @k Ψ^τ = ⊤.

We can also justify the observation made before: that in locally finite algebras
of infinite dimension, the only kind of transformations which are relevant are
retractions, i.e., products of replacements. In view of Lemma 10, it is enough to
show the following.

Corollary 5. For an arbitrary transposition (k, l) and for every Φ, there exists a
retraction τ s.t. Φ^(k,l) = Φ^τ.

Proof: Choose any m ∉ ΔΦ ∪ {k, l} (here is where we use the fact that A
is locally finite and of infinite dimension). Define τ = (m/k)(k/l)(l/m). The
only argument where τ can possibly differ from (k, l) is m, for τ(m) = k and
(k, l)(m) = m. But then Ψ^τ = ↓m Ψ^τ = ↓m @m ↓m Ψ^τ = ↓m @m Ψ^(k,l) = ↓m Ψ^(k,l) =
Ψ^(k,l). ∎
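The transformations of Section 4.1 and the product τ = (m/k)(k/l)(l/m) from the proof of Corollary 5, worked out on concrete finite transformations. This is an added example, not code from the paper: it models α+ as the natural numbers, reads a product with the rightmost factor acting first (the reading under which τ(m) = k, as the proof states), and the fibre-representative construction in lemma10 is one way of realising the decomposition of Lemma 10, not Halmos' own text.

```python
"""Finite transformations of alpha+ (Section 4.1), modelled on the natural
numbers, with a constructive check of Lemma 10 (transformation = permutation
times retraction, retraction = product of replacements) and of the product
(m/k)(k/l)(l/m) used in the proof of Corollary 5.  Added example, not code
from the paper.  A transformation is stored as a dict holding only the
arguments on which it differs from the identity, so every dict is finite."""


def apply(t, i):
    """Value of the transformation t at argument i (identity off the dict)."""
    return t.get(i, i)


def replacement(l, k):
    """(l/k): sends l to k and leaves every other argument unchanged."""
    return {l: k} if l != k else {}


def transposition(k, l):
    """(k, l): swaps k and l."""
    return {k: l, l: k} if k != l else {}


def product(*ts):
    """Product t1 t2 ... tn, read as function composition with the rightmost
    factor acting first.  This is the reading under which (m/k)(k/l)(l/m)
    sends m to k, as the proof of Corollary 5 states."""
    result = {}
    support = set().union(*(t.keys() for t in ts))
    for i in support:
        j = i
        for t in reversed(ts):
            j = apply(t, j)
        if j != i:
            result[i] = j
    return result


def is_retraction(t):
    """tau is a retraction iff tau^2 = tau."""
    return product(t, t) == t


def is_permutation(t):
    """A finite transformation is a bijection iff it permutes its support."""
    return set(t.values()) == set(t.keys())


def lemma10(t):
    """Write t = pi . rho with pi a permutation and rho a retraction, and rho
    as a product of replacements.  rho sends each argument to a chosen
    representative of its fibre t^{-1}(t(x)); pi moves representatives to
    their images and pairs up the leftover moved points bijectively."""
    moved = sorted(t)                        # the finite set D on which t != id
    image = {apply(t, x) for x in moved}
    rep = {}                                 # image point -> representative
    for x in moved:
        rep.setdefault(apply(t, x), x)
    for y in image:
        if apply(t, y) == y:                 # a fixed point lies in its own fibre
            rep[y] = y
    rho = {x: rep[apply(t, x)] for x in moved if rep[apply(t, x)] != x}
    pi = {r: y for y, r in rep.items() if r != y}
    spare_src = [x for x in moved if x not in rep.values() and x not in pi]
    spare_dst = [x for x in moved if x not in image and x not in pi.values()]
    for s, d in zip(spare_src, spare_dst):
        if s != d:
            pi[s] = d
    replacements = [replacement(x, r) for x, r in rho.items()]
    return pi, rho, replacements


def corollary5_product(k, l, m):
    """tau = (m/k)(k/l)(l/m) from the proof of Corollary 5, for a fresh m."""
    return product(replacement(m, k), replacement(k, l), replacement(l, m))


def differs_only_at(t1, t2, m):
    """True iff t1 and t2 agree on every argument except possibly m."""
    support = set(t1) | set(t2)
    return all(apply(t1, i) == apply(t2, i) for i in support if i != m)


if __name__ == "__main__":
    t = {0: 1, 1: 0, 2: 0}                   # constructed sample transformation
    pi, rho, reps = lemma10(t)
    print(pi, rho, product(pi, rho) == t, product(*reps) == rho)
    tau = corollary5_product(0, 1, 7)        # k = 0, l = 1, fresh m = 7
    print(tau, differs_only_at(tau, transposition(0, 1), 7), apply(tau, 7))
```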

Now, an arbitrary a ∈ A is named by a certain term Ψ. Thus, for arbitrary a we can
arbitrarily choose one Ψa and define a mapping f(a) = [Ψa]. It is straightforward
to observe that this mapping is correctly defined, 1-1 and onto. Hence, we have
shown:

Theorem 5. For every H(↓, @)-theory T, Form/T with operators correspond-
ing to logical connectives and constants is an element of Propα. Conversely,
for every A ∈ Propα there is a H(↓, @)-theory TA s.t. Form/TA is isomorphic
to A.

4.4 The Main Result

In this section, we finally prove the main result of the paper: a representation
theorem for SSA's after the manner of Andréka and Németi [6].

Definition and Lemma 13. Let α be countably infinite, A ∈ ssaα and F be
any filter. Define ∼F on α+ as k ∼F l if @k dl ∈ F. This is a congruence
relation. Define also RF on α+/∼F as [k]F RF [l]F if @k ◇dl ∈ F. This is a
correct definition.

Proof: That ∼F is a congruence relation follows from Ax3c, Ar4 and Ar5.
Correctness of the definition of RF follows from Ar4 and Ar7. ∎

Theorem 6 (Countable Representation). Let α be countably infinite, A ∈
Propα be a subdirectly irreducible algebra, #A ≤ ω. A is embeddable in a fssaα.
More specifically, let H be an elegant ultrafilter containing an opremum element
of A. A is embeddable in the full set algebra with base FH := ⟨α+/H, RH⟩.

Proof: Just like in Section 4.3, associate with elements of A formulas of the
language whose propositional variables are {pa | a ∈ A[0]}, so that every formula
ψ corresponds to a term Ψ in the extended language and every element a ∈ A is
named by such a term. Define a valuation VH of propositional variables in FH
by

VH(pa) := {[k] | @k a ∈ H}.

Let M = ⟨FH, VH⟩. We are going to show that A is isomorphic to SsM. By
Corollary 5, we can restrict our attention only to those τ's which are retractions.
Thus, by Lemma 10 it is enough to formulate all claims and proofs only for
replacements. For a mapping τ : α → α+, let τ+ := τ|α+. For an arbitrary term Ψ,
define the auxiliary mapping g′ as

g′(Ψ) := {τ′ : α → α+ | @τ′(0) Ψ^{τ′+} ∈ H},

and then

g(Ψ) := {τ : α → α+/H | ∃τ′ ∈ g′(Ψ). ∀i ∈ α. τ′(i) ∈ τ(i)}.

Now, for arbitrary a choose ψa to be an arbitrary formula s.t. Ψa = a and define
f(a) := g(Ψa). We have to show that this is a correct definition, i.e., that f

is independent of the choice of ψ. It is enough to prove that for arbitrary Ψ,
Φ, Ψ → Φ = ⊤ implies g(Ψ) ≤ g(Φ). Assume g(Ψ) ≰ g(Φ). Let τ be such
that @τ(0) Ψ^{τ+} ∈ H and @τ(0) Φ^{τ+} ∉ H. It means that @τ(0) (Ψ ∧ ¬Φ)^{τ+} ∈ H, i.e.,
@τ(0) (Ψ ∧ ¬Φ)^{τ+} ≠ ⊥ and hence (Ψ ∧ ¬Φ)^{τ+} ≠ ⊥. Choose an arbitrary k ∉ Δ(Ψ ∧ ¬Φ)
in the range of τ. By Lemma 6, @k (Ψ ∧ ¬Φ)^{τ+} ≠ ⊥ and hence, by Corollary 4,
Ψ ≰ Φ.
Let us prove that f is a homomorphism. We don't need the assumption of sub-
direct irreducibility here, only the fact that H is an elegant ultrafilter. Subdirect
irreducibility will be used only to show that f is an embedding.
Given τ : α → α+, let [τ] : α → α+/H be the mapping defined as [τ](i) = [τ(i)].
Thus, g can be redefined as g(Ψ) = {[τ′] | τ′ ∈ g′(Ψ)}. With every σ : α+ → α+,
we can associate a nominal assignment v^σ in M defined as v^σ(ik) := [σ(k)].
v^σ(l/k)(il) := [k] and v^σ(l/k)(ij) := v^σ(ij) for j ≠ l. Sometimes, we denote by v
the mapping v(ik) = [k], i.e., v^id. As we are interested only in finitary retractions,
every v^σ is of the form v(l1/k1) ... (ln/kn) for some l1, ..., ln, k1, ..., kn. By
[k] ∈ v^σ(ψ) we mean that ψ holds at [k] in M under v^σ.

Claim 1: [k] ∈ v^σ(↓l ψ) iff [k] ∈ v^σ(l/k)(ψ). In fact, this is just a clause
from the definition of satisfaction, as v^σ(l/k) = (v^σ)^l_[k]. We just use more elegant
notation to avoid clumsiness.

Claim 2: v(l/k)(ψ) = v(ψ^(l/k)). Thus, for every σ, v^σ(ψ) = v(ψ^σ) and
v^σ(l/k)(ψ) = v(ψ^{σ_k^l}).

Claim 3: [j] ∈ v(ψ^σ) iff @j Ψ^σ ∈ H.

Proof of claim: For ψ = pa it follows from the definition of VH. For ψ = ik,
from the definition of ∼H. For booleans: from distributivity of @k over
boolean connectives and the fact that H is an ultrafilter. The clause for ◇ is
the one where we use the fact that H is elegant: [j] ∈ v(◇φ^σ) iff (by definition
of valuation in a hybrid model) there exists [k] s.t. [j] RH [k] and [k] ∈ v(φ^σ) iff (by
definition of RH and IH) there is [k] s.t. @j ◇dk ∈ H and @k Φ^σ ∈ H iff (by
assumption on H) @j ◇Φ^σ ∈ H.
Assume now ψ = @k φ. Then [j] ∈ v((@k φ)^σ) iff [j] ∈ v(@σ(k) φ^σ) iff [σ(k)] ∈
v(φ^σ) iff (by IH) @σ(k) Φ^σ ∈ H iff Ψ^σ ∈ H iff (by Ax3d) @j Ψ^σ ∈ H.
Finally, assume ψ = ↓k φ. Then [j] ∈ v((↓k φ)^σ) iff [j] ∈ v(↓k φ^{σ−k}) iff (by
Claim 1) [j] ∈ v(k/j)(φ^{σ−k}) iff (by Claim 2) [j] ∈ v(φ^{σ_j^k}) iff (by IH) @j Φ^{σ_j^k} ∈
H iff (by Lemma 12) @j ↓k Φ^{σ−k} ∈ H iff @j Ψ^σ ∈ H. ∎

Claim 3 immediately implies that f is a homomorphism: for every τ : α → α+
and every a ∈ A, τ ∈ f(a) iff [τ(0)] ∈ v^{τ+}(ψa).
In order to show that f is an embedding we finally use the assumption of subdirect
irreducibility and the fact that H contains the opremum. We want to show that a ≰ b
implies f(a) ≰ f(b). By Lemma 3, Ψa → Ψb ≠ ⊤ implies there are ∇1, ..., ∇n ∈
Modα s.t. @k ∇1 (Ψa ∧ ¬Ψb) ∨ ··· ∨ @k ∇n (Ψa ∧ ¬Ψb) ∈ H. By the fact that H is an
ultrafilter, we obtain that there is ∇ ∈ Modα s.t. @k ∇(Ψa ∧ ¬Ψb) ∈ H. Because

of Ax3d and the fact that H is elegant, if @k ∇(Ψa ∧ ¬Ψb) = @k ∇1 ∇2 (Ψa ∧ ¬Ψb)
for some ∇1 consisting only of diamonds and satisfaction operators, then for
some l ∈ α+, @l ∇2 (Ψa ∧ ¬Ψb) ∈ H. In other words, we can get rid of initial
diamonds and satisfaction operators. @l ↓m (∇2 (Ψa ∧ ¬Ψb)) ∈ H can be rewritten
as @l (∇2 (Ψa ∧ ¬Ψb))^(m/l) ∈ H. Proceeding in this way, we finally obtain that for
some j and some σ, @j (Ψa^σ ∧ ¬Ψb^σ) ∈ H. Reasoning the same way as in the proof
that f is correctly defined, we finally obtain that Ψa → Ψb ≠ ⊤, i.e., a ≰ b.
f is in fact an isomorphism onto SsM, cf. the proof of Theorem 3. ∎

Theorem 7 (Representation). For a countably infinite α, every subdirectly
irreducible A ∈ Propα is isomorphic to a fssaα. Consequently, Propα = rssaα.

Proof: For countable algebras, this already follows from Theorem 6. For un-
countable A, we can prove it very similarly to Lemma 3 in [6]. Namely, let
{Bl}l∈β be a directed system of s.i. algebras in I(cssaα) sharing a common
opremum element. Then ⋃_{l∈β} Bl ∈ I(cssaα). Lack of space (i.e., the LNCS 15-page
limit) prevents us from proving the theorem in detail. ∎

5 Open Problems and Further Developments

The algebraic axiomatization of Section 3 suggests there should exist a H(↓, @)
analogue of Tarski's axiomatization of first-order logic which uses neither the
notion of a free variable nor the notion of proper substitution of a variable in
a formula [10]. Also, our Andréka-Németi style proof of the Representation
Theorem employs a slightly different strategy from the one used by Henkin,
based on the notion of thin elements and rich algebras — cf. [11] or [12]. It
could be interesting to prove the representation theorem for SSA's also in this
way.
Another path open for exploration: Monk [13] shows that a significant part of
algebraic model theory can be presented by focusing on set-theoretical algebras,
without any axiomatic definition of abstract cylindric algebras. By analogy, it
could be tempting to develop a part of algebraic H(↓, @)-model theory or alge-
braic bounded model theory by means of set SSA's.
The referee of the present paper posed two interesting questions, which are
currently being investigated by the author. First, the bounded fragment is known
to be a conservative reduction class for first-order logic. That suggests that
known results about cylindric algebras may be derivable from theorems con-
cerning SSA's. Second, both the bounded fragment and hybrid logic with binders
are model-theoretically well-behaved: one example is the interpolation property.
This should translate into nice algebraic characteristics of SSA's (e.g., the amal-
gamation property).
Finally, the possible connection with computer science, which was in fact a
motivation to present these results to the computer science community. It is
known that cylindric algebras capture exactly those database queries which are
first-order expressible, cf. [14] for details. Is there a related interpretation for

SSA’s — for example, in terms of databases where the user is allowed to ask
questions concerning only accessible entries?

References
1. Areces, C., Blackburn, P., Marx, M.: Hybrid logic is the bounded fragment of first
order logic. In de Queiroz, R., Carnielli, W., eds.: Proceedings of 6th Workshop
on Logic, Language, Information and Computation, WOLLIC99, Rio de Janeiro,
Brazil (1999) 33–50
2. Feferman, S., Kreisel, G.: Persistent and invariant formulas relative to theories of
higher order. Bulletin of the American Mathematical Society 72 (1966) 480–485.
Research Announcement.
3. Feferman, S.: Persistent and invariant formulas for outer extensions. Compositio
Mathematica 20 (1968) 29–52
4. Halmos, P.: Algebraic Logic. Chelsea Publishing Company (1962)
5. Pinter, C.: A simple algebra of first order logic. Notre Dame Journal of Formal
Logic 1 (1973) 361–366
6. Andréka, H., Németi, I.: A simple, purely algebraic proof of the completeness of
some first order logics. Algebra Universalis 5 (1975) 8–15
7. ten Cate, B.: Model theory for extended modal languages. PhD thesis, University
of Amsterdam (2005) ILLC Dissertation Series DS-2005-01.
8. Blackburn, P., Cate, B.: Pure extensions, proof rules, and hybrid axiomatics. In
Schmidt, R., Pratt-Hartmann, I., Reynolds, M., Wansing, H., eds.: Preliminary
proceedings of Advances in Modal Logic (AiML 2004), Manchester (2004)
9. Koppelberg, S.: Handbook of boolean algebras. Volume I. Elsevier, North-Holland
(1989)
10. Tarski, A.: A simplified formalization of predicate logic with identity. Archiv für
Mathematische Logik und Grundlagenforschung 7 (1965)
11. Henkin, L., Monk, J., Tarski, A.: Cylindric algebras, Part II. North Holland,
Amsterdam (1985)
12. Andréka, H., Givant, S., Mikulás, S., Németi, I., Simon, A.: Notions of density
that imply representability in algebraic logic. Annals of Pure and Applied Logic
91 (1998) 93–190
13. Monk, D.: An introduction to cylindric set algebras (with an appendix by H.
Andréka). Logic Journal of the IGPL 8 (2000) 451–506
14. Van den Bussche, J.: Applications of Alfred Tarski’s ideas in database theory.
Lecture Notes in Computer Science 2142 (2001) 20–37
Using Probabilistic Kleene Algebra
for Protocol Verification

A.K. McIver¹, E. Cohen², and C.C. Morgan³

¹ Dept. Computer Science, Macquarie University, NSW 2109 Australia
[email protected]
² Microsoft, US
[email protected]
³ School of Engineering and Computer Science, University of New South Wales,
NSW 2052 Australia
[email protected]

Abstract. We describe pKA, a probabilistic Kleene-style algebra, based
on a well known model of probabilistic/demonic computation [3,16,10].
Our technical aim is to express probabilistic versions of Cohen's separa-
tion theorems [1].
Separation theorems simplify reasoning about distributed systems,
where with purely algebraic reasoning they can reduce complicated in-
terleaving behaviour to “separated” behaviours each of which can be
analysed on its own. Until now that has not been possible for probabilis-
tic distributed systems.
Algebraic reasoning in general is very robust, and easy to check: thus
an algebraic approach to probabilistic distributed systems is attractive
because in that “doubly hostile” environment (probability and interleav-
ing) the opportunities for subtle error abound. Especially tricky is the
interaction of probability and the demonic or “adversarial” scheduling
implied by concurrency.
Our case study — based on Rabin’s Mutual exclusion with bounded
waiting [6] — is one where just such problems have already occurred: the
original presentation was later shown to have subtle flaws [15]. It mo-
tivates our interest in algebras, where assumptions relating probability
and secrecy are clearly exposed and, in some cases, can be given simple
characterisations in spite of their intricacy.

Keywords: Kleene algebra, probabilistic systems, probabilistic verifica-
tion.

1 Introduction
The verification of probabilistic systems creates significant challenges for formal
proof techniques. The challenge is particularly severe in the distributed context
where quantitative system-wide effects must be assembled from a collection of
disparate localised behaviours. Here carefully prepared probabilities may become
inadvertently skewed by the interaction of so-called adversarial scheduling, the
well-known abstraction of unpredictable execution order.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 296–310, 2006.
© Springer-Verlag Berlin Heidelberg 2006
Using Probabilistic Kleene Algebra for Protocol Verification 297

One approach is probabilistic model checking, but it may quickly become over-
whelmed by state-space explosion, and so verification is often possible only for
small problem instances. On the other hand quantitative proof-based approaches
[10,4], though in principle independent of state-space issues, may similarly fail
due to the difficulties of calculating complicated probabilities, effectively “by
hand”.
In this paper we propose a third way, in which we apply proof as a “pre-
processing” stage that simplifies a distributed architecture without the need to
do any numerical calculations whatsoever, bringing the problem within range
of quantitative model-based analysis after all. It uses reduction, the well-known
technique allowing simplification of distributed algorithms, but applied in the
probabilistic context.
We describe a program algebra pKA introduced elsewhere [8] in which stan-
dard Kleene algebra [5] has been adapted to reflect the interaction of proba-
bilistic assignments with nondeterminism, a typical phenomenon in distributed
algorithms. Standard (i.e. non-probabilistic) Kleene algebra has been used ef-
fectively to verify some non-trivial distributed protocols [1], and we will argue
that the benefits carry over to the probabilistic setting as well. The main dif-
ference between pKA and standard Kleene Algebra is that pKA prevents cer-
tain distributions of nondeterminism +, just in those cases where whether that
nondeterminism can “see” probabilistic choices is important [16,3,10]. That dis-
tribution failure however removes some conventional axioms on which familiar
techniques depend: and so we must replace those axioms with adjusted (weaker)
probabilistic versions.
Our case study is inspired by Rabin’s solution to the mutual exclusion problem
with bounded waiting [14,6], whose original formulation was found to contain
some subtle flaws [15] due precisely to the combination of adversarial and prob-
abilistic choice we address. Later it became clear that the assumptions required
for the correctness of Rabin’s probabilistic protocol — that the outcome of some
probabilistic choices are invisible to the adversary — cannot be supported by
the usual model for probabilistic systems. We investigate the implications on the
model and algebra of adopting those assumptions which, we argue, have wider
applications for secrecy and probabilities.
Our specific contributions are as follows.
1. A summary of pKA’s characteristics (Sec. 2), including a generalisation of
Cohen’s work on separation [1] for probabilistic distributed systems using
pKA (Sec. 4);
2. Application of the general separation results to Rabin’s solution to distrib-
uted mutual exclusion with bounded waiting (Sec. 5);
3. Introduction of a model which supports the algebraic characterisation of
secrecy in a context of probability (Sec. 6).
The notational conventions used are as follows. Function application is repre-
sented by a dot, as in f.x. If K is a set then K̄ is the set of discrete probability
distributions over K, that is the normalised functions from K into the real in-
terval [0, 1]. A point distribution centered at a point k is denoted by δk. The

(p, 1−p)-weighted average of distributions d and d′ is denoted d p⊕ d′. If K is
a subset, and d a distribution, we write d.K for Σ_{s∈K} d.s. The power set of K
is denoted PK. We use early letters a, b, c for general Kleene expressions, late
letters x, y for variables, and t for tests.

2 Probabilistic Kleene Algebra


Given a (discrete) state space S, the set of functions S → PS, from (initial) states
to subsets of distributions over (final) states has now been thoroughly worked
out as a basis for the transition-system style model now generally accepted for
probabilistic systems [10] though, depending on the particular application, the
conditions imposed on the subsets of (final) probability distributions can vary
[12,3]. Briefly the idea is that probabilistic systems comprise both quantifiable
arbitrary behaviour (such as the chance of winning an automated lottery) to-
gether with un-quantifiable arbitrary behaviour (such as the precise order of
interleaved events in a distributed system). The functions S → PS model the
unquantifiable aspects with powersets (P(·)) and the quantifiable aspects with
distributions (S).
For example, a program that simulates a fair coin is modelled by a function
that maps an arbitrary state s to (the singleton set containing only) the
distribution weighted evenly between states 0 and 1; we write it

flip =̂ s := 0 1/2⊕ s := 1 . (1)

In contrast a program that simulates a possible bias favouring 0 of at most
2/3 is modelled by a nondeterministic choice delimiting a range of behaviours:

biasFlip =̂ (s := 0 1/2⊕ s := 1) ⊓ (s := 0 2/3⊕ s := 1) , (2)

and in the semantics (given below) its result set is represented by the set of
distributions defined by the two specified probabilistic choices at (2).
In setting out the details, we follow Morgan et al. [12] and take a domain-
theoretic approach, restricting the result sets of the semantic functions according
to an underlying order on the state space. We take a flat domain (S⊤, ⊑), where
S⊤ is S ∪ {⊤} (in which ⊤ is a special state used to model miraculous behaviour)
and the order ⊑ is constructed so that ⊤ dominates all (proper) states in S,
which are otherwise unrelated.

Definition 1. Our probabilistic power domain is a pair (S̄⊤, ⊑), where S̄⊤ is
the set of normalised functions from S⊤ into the real interval [0, 1], and ⊑ is
induced from the underlying ⊑ on S⊤ so that

d ⊑ d′ iff (∀K ⊆ S · d.K + d.⊤ ≤ d′.K + d′.⊤) .

Using Probabilistic Kleene Algebra for Protocol Verification 299

Probabilistic programs are now modelled as the set of functions from initial
state in S⊤ to sets of final distributions over S⊤, where the result sets are
restricted by so-called healthiness conditions characterising viable probabilistic
behaviour, motivated in detail elsewhere [10]. By doing so the semantics accounts
for specific features of probabilistic programs. In this case we impose up-closure
(the inclusion of all ⊑-dominating distributions), convex closure (the inclusion
of all convex combinations of distributions), and Cauchy closure (the inclusion
of all limits of distributions according to the standard Cauchy metric on real-
valued functions [12]). Thus, by construction, viable computations are those in
which miracles dominate (refine) all other behaviours (implied by up-closure),
nondeterministic choice is refined by probabilistic choice (implied by convex
closure), and classic limiting behaviour of probabilistic events (such as so-called
“zero-one laws”¹) is also accounted for (implied by Cauchy closure). A further
bonus is that (as usual) program refinement is simply defined as reverse set-
inclusion. We observe that probabilistic properties are preserved with increase
in this order.
Definition 2. The space of probabilistic programs is given by (LS, ⊑) where LS
is the set of functions from S⊤ to the power set of S̄⊤, restricted to subsets
which are Cauchy-, convex- and up-closed with respect to ⊑. All programs are
⊤-preserving (mapping ⊤ to {δ⊤}). The order between programs is defined

Prog ⊑ Prog′ iff (∀s : S · Prog.s ⊇ Prog′.s) .

For example the healthiness conditions mean that the semantics of the program
at (2) contains all mappings of the form

s → δ0 q⊕ δ1 , for 2/3 ≥ q ≥ 1/2 ,

where respectively δ0 and δ1 are the point distributions on the states s = 0 and
s = 1.
In Fig.1 we define some mathematical operators on the space of programs: they
will be used to interpret our language of Kleene terms. Informally composition
Prog; Prog′ corresponds to a program Prog being executed followed by Prog′, so
that from initial state s, any result distribution d of Prog.s can be followed by
an arbitrary distribution of Prog′. The probabilistic operator takes the weighted
average of the distributions of its operands, and the nondeterminism operator
takes their union (with closure).
Iteration is the most intricate of the operations — operationally Prog∗ rep-
resents the program that can execute Prog an arbitrary finite number of times.
In the probabilistic context, as well as generating the results of all “finite itera-
tions” of (Prog ⊓ skip) (viz, a finite number of compositions of (Prog ⊓ skip)),
imposition of Cauchy closure acts as usual on metric spaces, in that it also gen-
erates all limiting distributions — i.e. if d0, d1, . . . are distributions contained
in a result set U, and they converge to d, then d is contained in U as well. To
illustrate, we consider

halfFlip =̂ if (s = 0) then flip else skip , (3)
¹ An easy consequence of a zero-one law is that if a fair coin is flipped repeatedly,
then with probability 1 a head is observed eventually. See the program ‘flip’ inside
an iteration, which is discussed below.

Skip            skip.s =̂ {δs} ,
Miracle         magic.s =̂ {δ⊤} ,
Chaos           chaosK.s =̂ \overline{PK} ,
Composition     (Prog; Prog′).s =̂ { ∑_{u : S⊤} (d.u) × d_u | d ∈ Prog.s; d_u ∈ Prog′.u } ,
Choice          (if B then Prog else Prog′).s =̂ if B.s, then Prog.s, otherwise Prog′.s ,
Probability     (Prog p⊕ Prog′).s =̂ { d p⊕ d′ | d ∈ Prog.s; d′ ∈ Prog′.s } ,
Nondeterminism  (Prog ⊓ Prog′).s =̂ \overline{ { d | d ∈ (Prog.s ∪ Prog′.s) } } ,
Iteration       Prog∗ =̂ (νX · Prog; X ⊓ 1) .

In the above definitions s is a state in S and \overline{K} is the smallest up-, convex- and Cauchy-closed
subset of distributions containing K. Programs are denoted by Prog and Prog′, and the expression
(νX · f.X) denotes the greatest fixed point of the function f — in the case of iteration the function is
the monotone ⊑-program-to-program function λX · (Prog; X ⊓ 1). All programs map ⊤ to {δ⊤}.

Fig. 1. Mathematical operators on the space of programs [10]

where flip was defined at (1). It is easy to see that the iteration halfFlip∗ cor-
responds to a transition system which can (but does not have to) flip the state
from s = 0 an arbitrary number of times. Thus after n iterations of halfFlip,
the result set contains the distribution δ0/2ⁿ + (1−1/2ⁿ)δ1. Cauchy closure im-
plies the result set must contain δ1 as well, because δ0/2ⁿ + (1−1/2ⁿ)δ1
converges to that point distribution as n approaches infinity.
We shall repeatedly make use of tests, defined as follows. Given a predicate
B over the state s, we write [B] for the test

(if B then skip else magic) , (4)

viz. the program which skips if the initial state satisfies B, and behaves like a
miracle otherwise. We use [¬B] for the complement of [B]. Tests are standard
(non-probabilistic) programs which satisfy the following properties.

• skip ⊑ [B], meaning that the identity is refined by a test.
• Prog ; [B] determines the greatest probability that Prog may establish B. For
example if Prog is the program biasFlip at (2), then biasFlip ; [s = 0] is

(s := 0 1/2⊕ magic) ⊓ (s := 0 2/3⊕ magic) = s := 0 2/3⊕ magic ,

a program whose probability of not blocking (2/3) is the maximum proba-
bility that biasFlip establishes s = 0.
• Similarly, Prog ; [B] ; chaosK = magic p_s⊕ chaosK, where (1−p_s) is the
greatest probability that Prog may establish B from initial state s, because
chaosK masks all information except for the probability that the test is
successful.
• If Prog contains no probabilistic choice, then Prog distributes ⊓, i.e. for any
Prog′ and Prog′′, we have Prog; (Prog′ ⊓ Prog′′) = Prog; Prog′ ⊓ Prog; Prog′′.

Now we have introduced a model for general probabilistic contexts, our next
task is to investigate its program algebra. That is the topic of the next section.

2.1 Mapping pKA into LS


Kleene algebra consists of a sequential composition operator (with a distin-
guished identity (1) and zero (0)); a binary plus (+) and unary star (∗). Terms
are ordered by ≤ defined by + (see Fig.2), and both binary as well as the unary
operators are monotone with respect to it. Sequential composition is indicated
by the sequencing of terms in an expression so that ab means the program de-
noted by a is executed first, and then b. The expression a + b means that either
a or b is executed, and the Kleene star a∗ represents an arbitrary number of
executions of the program a.
In Fig.2 we set out the rules for the probabilistic Kleene algebra, pKA. We
shall also use tests, whose denotations are programs of the kind (4). We normally
denote a test by t, and for us its complement is ¬t.
The next definition gives an interpretation of pKA in LS.

Definition 3. Assume that for all simple variables x, the denotation |[x]| ∈ LS
as a program (including tests) is given explicitly. We interpret the Kleene oper-
ators over terms as follows:

|[1]| =̂ skip ,            |[0]| =̂ magic ,
|[ab]| =̂ |[a]|; |[b]| ,   |[a + b]| =̂ |[a]| ⊓ |[b]| ,   |[a∗]| =̂ |[a]|∗ .

Here a and b stand for other terms, including simple variables.

We use ≥ for the order in pKA, which we identify with ⊑ from Def. 2; the
next result shows that Def. 3 is a valid interpretation for the rules in Fig.2, in that
theorems in pKA apply in general to probabilistic programs.

Theorem 1. ([8]) Let |[·]| be an interpretation as set out at Def. 3. The rules
at Fig.2 are all satisfied, namely if a ≤ b is a theorem of pKA set out at Fig.2,
then |[b]|  |[a]|.

To see why we cannot have equality at (†) in Fig.2, consider the expressions
a(b + c) and ab + ac, and an interpretation where a is flip at (1), and b is skip
and c is s := 1−s. In this case in the interpretation of a(b + c), the demon (at +)
is free to make his selection after the probabilistic choice in a has been resolved,
and for example could arrange to set the final state to s = 0 with probability
1, since if a sets it to 0 then the demon chooses to execute b, and if a sets it
to 1, the demon may reverse it by executing c. On the other hand, in ab + ac,
the demon must choose which of ab or ac to execute before the probability in a
has been resolved, and either way there is a chance of at least 1/2 that the final
state is 1. (The fact that distribution fails says that there is more information
available to the demon after execution of a than before.)
Similarly the rule at Fig.2 (‡) is not the usual one for Kleene-algebra. Normally
this induction rule only requires a weaker hypothesis, but that rule, ab ≤ a ⇒
ab∗ = a, is unsound for the interpretation in LS, again due to the interaction
of probability and nondeterminism. Consider, for example, the interpretation
where each of a, b and c represent the flip defined at (1) above. We may prove

directly that flip ; flip∗ = s := 0 ⊓ s := 1, i.e. flip ; flip∗ ≠ flip in spite of the
fact that flip ; flip = flip. To see why, we note that from Def. 3 the Kleene-star
is interpreted as an iteration which may stop at any time. In this case, if a result
s = 1 is required, then flip executes for as long as necessary (probability theory
ensures that s = 1 will eventually be satisfied). On the other hand if s = 0 is
required then that result too may be guaranteed eventually by executing flip
long enough. To prevent an incorrect conclusion in this case, we use instead the
sound rule (‡) (for which the antecedent fails). Indeed the effect of the (1 + ·)
in rule (‡) is to capture explicitly the action of the demon, and the hypothesis
is satisfied only if the demon cannot skew the probabilistic results in the way
illustrated above.

(i)    0 + a = a                     (viii) ab + ac ≤ a(b + c) (†)
(ii)   a + b = b + a                 (ix)   (a + b)c = ac + bc
(iii)  a + a = a                     (x)    a ≤ b iff a + b = b
(iv)   a + (b + c) = (a + b) + c
(v)    a(bc) = (ab)c                 (xi)   a∗ = 1 + aa∗
(vi)   0a = a0 = 0                   (xii)  a(b + 1) ≤ a ⇒ ab∗ = a (‡)
(vii)  1a = a1 = a                   (xiii) ab ≤ b ⇒ a∗b = b

Fig. 2. Rules of probabilistic Kleene algebra, pKA [8]

pKA purposefully treats probabilistic choice implicitly, and it is only the fail-
ure of the equality at (†) which suggests that the interpretation may include
probability: in fact it is this property that characterises probabilistic-like mod-
els, separating them from those which contain only pure demonic nondetermin-
ism. Note in the case that the interpretation is standard — where probabilities
are not present in a — then the distribution goes through as usual. The use
of implicit probabilities fits in well with our applications, where probability is
usually confined to code residing at individual processors within a distributed
protocol and nondeterminism refers to the arbitrary sequencing of actions that
is controlled by a so-called adversarial scheduler [16]. For example, if a and b
correspond to atomic program fragments (containing probability), then the ex-
pression (a + b)∗ means that either a or b (possibly containing probability) is
executed an arbitrary number of times (according to the scheduler), and in any
order — in other words it corresponds to the concurrent execution of a and b.
Typically a two-stage verification of a probabilistic distributed protocol might
involve first the transformation of a distributed implementation architecture, such
as (a + b)∗, to a simple, separated specification architecture, such as a∗b∗ (first
a executes for an arbitrary number of times, and then b does), using general
hypotheses, such as ab = ba (program fragments a and b commute). The second
stage would then involve a model-based analysis in which the hypotheses pos-
tulated to make the separation go through would be individually validated by
examining the semantics in LS of the precise code for each. We do not deal with

that stage here: indeed our purpose is precisely to make that stage a separate
concern, not further complicated by the algorithm under study.
In the following sections we introduce our case study and illustrate how pKA
may be used to simplify the overall analysis.

3 Mutual Exclusion with Bounded Waiting

In this section we describe the mutual exclusion protocol, and discuss how to
apply the algebraic approach to it.

Let P1, . . . , PN be N processes that from time to time need to have
exclusive access to a shared resource.
The mutual exclusion problem is to define a protocol which will ensure
both the exclusive access, and the “lockout free” property, namely that
any process needing to access the shared resource will eventually be
allowed to access it.
A protocol is said to satisfy the bounded waiting condition if, when-
ever no more than k processes are actively competing for the resource,
each has probability at least α/k of obtaining it, for some fixed α (inde-
pendent of N).²

The randomised solution we consider is based on one proposed by Rabin


[6]. Processes can coordinate their activities by use of a shared “test-and-set”
variable, so that “testing and setting” is an atomic action. The solution as-
sumes an “adversarial scheduler”, the mechanism which controls the otherwise
autonomous executions of the individual Pi . The scheduler chooses nondeter-
ministically between the Pi , and the chosen process then may perform a single
atomic action, which might include the test and set of the shared variable to-
gether with some updates of its own local variables. Whilst the scheduler is not
restricted in its choice, it must treat the processes fairly in the sense that it must
always eventually schedule any particular process.
The broad outline of the protocol is as follows — more details are set out
at Fig.3. Each process executes a program which is split into two phases, one
voting, and one notifying. In the voting phase, processes participate in a lottery;
the current winner’s lottery number is recorded as part of the shared variable.
Processes draw at most once in a competition, and the winner is notified when
it executes its notification phase. The notification phase may only begin when
the critical section becomes free.
Our aim is to show that when processes follow the above protocol, the bounded
waiting condition is satisfied. Rabin observed [6] that in a lottery with k partic-
ipants in which tickets are drawn according to (independent) exponential distri-
butions, there is a probability of at least 1/3 of a unique winner. However that
model-based proof cannot be applied directly here, since it assumes (a) that
² Note that this is a much stronger condition than a probability α/N for some constant
α, since it is supposed that in practice k ≪ N.

there is no scheduler/probability interaction; (b) that the voting is unbiased be-
tween processes, and (c) that the voting may be separated from the notification.
In Rabin’s original solution, (c) was false (which led to the protocol’s overall in-
correctness); in fact both (a) and (b) are also not true, although the model-based
argument still applies provided that the voting may be (almost) separated. We
shall use an algebraic approach to do exactly that.

– Voting phase. Pi checks if it is eligible to vote, then draws a number randomly;
if that number is strictly greater than the largest value drawn so far, it sets the
shared variable to that value, and keeps a record. If Pi is ineligible to vote, it skips.
– Notification phase. Pi checks if it is eligible to test, and if it is, then checks whether
its recorded vote is the same as the maximum drawn (by examining the shared
variable); if it is, it sets itself to be the winner. If Pi is ineligible, then it just skips.
– Release of the critical section. When this is executed, the critical section becomes
free, and processes may begin notification.

These events occur in a single round of the protocol; the verifier of the protocol must
ensure that when these program fragments are implemented, they satisfy the algebraic
properties set out at Fig.4.

Fig. 3. The key events in a single round of the mutual exclusion protocol

4 Separation Theorems and Their Applications


In this section we extend some standard separation theorems of Cohen [1] to
the probabilistic context, so that we may apply them to the mutual exclusion
problem set out above. Although the lemmas are somewhat intricate we stress
their generality: proved once, they can be used in many applications.
Our first results at Lem. 1 consider a basic iteration, generalising loop-
invariant rules to allow the body of an iteration to be transformed by passage
of a program a.

Lemma 1.

a(b + 1) ≤ ca + d ⇒ ab∗ ≤ c∗ (a + db∗ ) (5)


ac ≤ cb ⇒ a∗ c ≤ cb∗ (6)

Proof. The proof of (5) is set out elsewhere [8]. For (6) we have the following
inequalities, justified by the hypothesis and monotonicity.

acb∗ ≤ cbb∗ ≤ cb∗ .

Now applying (xiii), we deduce that a∗ cb∗ = cb∗ , and the result now follows since
a∗ c ≤ a∗ cb∗ .

Note that the weaker commutativity condition ab ≤ ca + d will not do at (5),
as the example with a, b, c =̂ flip and d =̂ magic illustrates. In this case we see
that a∗ and b∗ both correspond to the program (s := 0 ⊓ s := 1), and this is
not the same as the corresponding interpretation for c∗a, which corresponds to
flip again.
Lem. 1 implies that with suitable commutativity between phases a and b of a
program, an iteration involving the interleaving of the phases may be thought of
as executing in two separated pieces. Note that again we need to use a hypothesis
b(1 + a) ≤ (1 + a)b, rather than a weaker ba ≤ ab.
Lemma 2. b(1 + a) ≤ (1 + a)b∗ ⇒ (a + b)∗ ≤ a∗b∗.

Proof. We reason as follows.

(a + b)∗
≤ (a + b)∗ a∗ b∗        1 ≤ a∗b∗
≤ a∗ b∗ .               (a + b)a∗b∗ ≤ a∗b∗, see below; (xiii)

For the “see below”, we argue

(a + b)a∗ b∗
= aa∗ b∗ + ba∗ b∗
≤ a∗ b∗ + b(1 + a)∗ b∗         aa∗ ≤ a∗; a∗ ≤ (1 + a)∗
≤ a∗ b∗ + (1 + a)∗ b∗ b∗       hyp; (5) ⇒ b(1 + a)∗ ≤ (1 + a)∗b∗
= a∗ b∗ .

5 The Probability That a Participating Process Loses


We now show how the lemmas of Sec. 4 can be applied to the example of Sec. 3:
we show how to compute the probability that a particular process P (one of the
Pi’s) participating in the lottery loses. Writing V and T for the two phases of
P, respectively vote and notify (recall Fig.3) and representing scheduler choice
by “+”, we see that the chance that P loses can be expressed as

(V + T + V̄ + T̄ + C)∗ A ,

where V̄ =̂ +_{Pi ≠ P} Vi and T̄ =̂ +_{Pi ≠ P} Ti are the two phases (overall) of the
remaining processes, and A tests for whether P has lost. Thus A is a test of
the form “skip if P has not drawn yet, or has lost, otherwise magic”, followed
by an abstraction function which forgets the values of all variables except those
required to decide whether P has lost or not.
The crucial algebraic properties of the program fragments are set out at Fig.4,
and as a separate analysis the verifier must ensure that the actual code fragments
implementing the various phases of the protocol satisfy them. This task how-
ever is considerably easier than analysing an explicit model of the distributed
architecture, because the code fragments can be treated one-by-one, in isolation.
The next lemma uses separation to show that we can separate the voting
from the notification within a single round, with the round effectively ending the
voting phase with the execution of the critical section.

1. Voting and notification commute: Vi Tj = Tj Vi.
2. Notification occurs when the critical section is free: Tj (C + 1) ≤ (C + 1) Tj.
3. Voting occurs when the critical section is busy: C (Vj + 1) ≤ (Vj + 1) C.
4. It’s more likely to lose, the later the vote: VA (V̄A + 1) ≤ (V̄A + 1) VA.

Here V corresponds to a distinguished process P’s voting phase, Vi to Pi’s voting phase,
and V̄ to the nondeterministic choice of all the voting phases (not P’s). Similarly T, T̄
and Tj are the various notification phases. A essentially tests for whether P has lost
or not.

Fig. 4. Algebraic properties of the system

Lemma 3. (V + T + V̄ + T̄ + C)∗ ≤ (V + V̄)∗ C∗ (T + T̄)∗ .

Proof. We use Lem. 2 twice, first to pull (T + T̄) to the right of everything else,
and then to pull (V + V̄) to the left of C. In detail, we can verify from Fig.4
that

(T + T̄)(V + V̄ + C + 1) ≤ (V + V̄ + C + 1)(T + T̄)∗ ,

(since T + T̄ has a standard denotation, so distributes +) to deduce from Lem. 2
that (V + T + V̄ + T̄ + C)∗ ≤ (V + V̄ + C)∗ (T + T̄)∗. Similarly C(V + V̄ +
1) ≤ (V + V̄ + 1)C∗, so that (V + V̄ + C)∗ ≤ (V + V̄)∗ C∗.

Next we may consider the voting to occur in an orderly manner in which the
selected processor P votes last, with the other processors effectively acting as a
“pool” of anonymous opponents who collectively “attempt” to lower the chance
that P will win — this is the fact allowing us to use the model-based observation
of Rabin to compute a lower bound on the chance that P wins.

Lemma 4. (V + V̄)∗ A ≤ V̄∗ (VA)∗ .

Proof. We reason as follows.

(V + V̄)∗ A
≤ A(V̄A + VA)∗            see below
≤ A(V̄A)∗ (VA)∗           Fig.4 (4); Lem. 2
≤ V̄∗ (VA)∗ .             P not voted implies AV̄A = V̄

For the “see below” we note that

(V + V̄)A(V̄A + VA)∗
= (VA + V̄A)(V̄A + VA)∗ A      A(V + V̄) = (V + V̄)A, then (6), (5)
≤ (V̄A + VA)∗ (V̄A + VA)∗ A
= A(V̄A + VA)∗ ,

so that (V + V̄)∗ A(V̄A + VA)∗ ≤ A(V̄A + VA)∗ by (xiii), and therefore that

(V + V̄)∗ A ≤ A(V̄A + VA)∗ .

The calculation above is based on the assumption that P is eligible to vote when
it is first scheduled in a round. The mechanism for testing eligibility uses a round
number as part of the shared variable, and after a process votes, it sets a local
variable to the same value as the round number recorded by the shared variable.
By this means the process is prevented from voting more than once in any round.
In the case that the round number is unbounded, P will indeed be eligible to
vote the first time it is scheduled. However one of Rabin’s intentions was to
restrict the size of the shared variable, and in particular the round number. His
observation was that round numbers may be reused provided they are chosen
randomly at the start of the round, and that the scheduler cannot see the result
when it decides which process to schedule. In the next section we discuss the
implications of this assumption on LS and pKA.

6 Secrecy and Its Algebraic Characterisation


The actual behaviour of Rabin’s protocol includes probabilistically setting the
round number, which we denote R and which makes the protocol in fact

R(V + T + V̄ + T̄ + C)∗ . (7)

The problem is that the interpretation in LS assumes that the value chosen by R
is observable by all, in particular by the adversarial scheduler, the latter imply-
ing that the scheduler can use the value during voting to determine whether to
schedule P. In a multi-round scenario, that would in turn allow the policy that P
is scheduled only when its just-selected round variable is (accidentally) the same
as the current global round: while satisfying fairness (since that equality happens
infinitely often with probability one), it would nevertheless allow P to be sched-
uled only when it cannot possibly win (in fact will not even be allowed to vote).
Clearly that strategy must be prevented (if the algorithm is to be correct!) —
and it is prevented provided the scheduler cannot see the value set by R. Thus
we need a model to support algebraic characterisations for “cannot see”.
The following (sketched) description of a model QS [9, Key QMSRM] —
necessarily more detailed than LS — is able to model cases where probabilistic
outcomes cannot be seen by subsequent demonic choice. The idea (based on
“non-interference” in security) is to separate the state into visible and hidden
parts, the latter not accessible directly by demonic choice. The state s is now a
pair (v, h) where v, like s, is given some conventional type but h now has type
distribution over some conventional type. The QS model is effectively the LS
model built over this more detailed foundation.³
For example, if a sets the hidden h probabilistically to 0 or 1 then (for some
p) in the QS model a denotes

Hidden resolution of probability.   a : (v, h) → { (v, (0 p⊕ 1)) } .⁴

³ Thus we have “distributions over values-and-distributions” so that the type of a
program in QS is (V × H̄) → P(\overline{V × H̄}), that is LS where S = V × H̄.
⁴ Strictly speaking we should write δ0 p⊕ δ1.

In contrast, if b sets the visible v similarly we’d have b denoting

Visible resolution of probability.   b : (v, h) → { (0, h) 1/2⊕ (1, h) } .

The crucial difference between a and b above is in their respective interactions
with subsequent nondeterminism; for we find

a(c + d) = ac + ad   but in general   b(c + d) ≠ bc + bd ,

because in the a case the nondeterminism between c and d “cannot see” the
probability hidden in h. In the b case, the probability (in v) is not hidden.
A second effect of hidden probability is that tests are no longer necessarily
“read-only”. For example if t denotes the test [h = 0] then we would have (after
a say)

t : (v, (0 p⊕ 1)) → { (v, 0) p⊕ magic }

where the test, by its access to h, has revealed the probability that was formerly
hidden and, in doing so, has changed the state (in what could be called a par-
ticularly subtle way — which is precisely the problem when dealing with these
issues informally!)
In fact this state-changing property gives us an algebraic characterisation of
observability.

Definition 4. Observability; resolution.
For any program a and test t we say that “t is known after a” just when

a(t + ¬t) = a . (8)

As a special case, we say that “t is known” just when t + ¬t = 1.
Say that program a “contains no visible probability” just when for all programs
b, c we have

a(b + c) = ab + ac .

Thus the distributivity through + in Def. 4 expresses the adversary’s ignorance
in the case that a contains hidden probabilistic choice. If instead the choice were
visible, then the +-distribution would fail: if occurring first it could not see the
probabilistic choice⁵ whereas, if occurring second, it could.

Secrecy for the Randomised Round Number


We illustrate the above by returning to mutual exclusion. Interpret R as the
random selection of a local round number (as suggested above), and consider the
probability that the adversarial scheduler can guess the outcome. For example, if
the adversary may guess the round number with probability 1 during the voting
phase, according to Def. 4 we would have

R (V + V̄)∗ ([rn = 0] + [rn = 1]) chaos = chaos ,

(because [rn = 0] + [rn = 1] would be skip).⁶ But since (V + V̄ + 1)([rn =
0] + [rn = 1]) = ([rn = 0] + [rn = 1])(V + V̄ + 1) we may reason otherwise:

R(V + V̄)∗ ([rn = 0] + [rn = 1]) chaos
= R([rn = 0] + [rn = 1])(V + V̄)∗ chaos       Lem. 1
= R[rn = 0] chaos + R[rn = 1] chaos ,         Def. 4 and (8)

which, now back in the model, we can compute easily to be magic 1/2⊕ chaos,
deducing that the chance that the scheduler may guess the round number is at
most 1/2, and not 1 at all.

⁵ Here it cannot see it because it has not yet happened, not because it is hidden.
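As an added illustration of the QS model and Def. 4 (this is example code, not the paper's own), the following Python fragment models states as pairs (v, h) with h a distribution over the hidden value, composes programs as in Sec. 2, and checks algebraically that a test on hidden state is not "known after" the hidden coin, while a test on visible state is. It also computes the bound of 1/2 on the scheduler's chance of guessing a hidden round number, matching the magic 1/2⊕ chaos calculation above, against the value 1 obtained when the same bit is visible. The names hidden_flip, visible_flip, hidden_test, visible_test, known_after and guess_bound are chosen for this example, the START state is constructed, and only up-closure is taken into account when comparing result sets.

```python
from fractions import Fraction as F
from itertools import product

# States are pairs (v, h): v is a visible value and h is a *distribution* over
# the hidden value, kept as a hashable frozenset of (value, probability) pairs.
# A program maps a state to the frozenset of its result distributions over
# states; mass missing from 1 is the probability of the miracle ⊤ (magic).
# Only finite sets are built, without the paper's closure conditions; for the
# comparisons below only up-closure matters and known_after applies it by hand.

def hdist(*pairs):
    return frozenset((x, F(p)) for x, p in pairs if F(p))

def point(state):
    return frozenset({(state, F(1))})

MAGIC_DIST = frozenset()

def seq(prog1, prog2):
    """Sequential composition: follow each result of prog1, state by state,
    by an independently chosen result of prog2."""
    def run(st):
        results = set()
        for d in prog1(st):
            items = list(d)
            for picks in product(*(prog2(u) for u, _ in items)):
                out = {}
                for (u, q), du in zip(items, picks):
                    for w, r in du:
                        out[w] = out.get(w, F(0)) + q * r
                results.add(frozenset((w, r) for w, r in out.items() if r))
        return frozenset(results)
    return run

def demonic(prog1, prog2):
    """prog1 + prog2: the demon (scheduler) picks either."""
    return lambda st: prog1(st) | prog2(st)

def hidden_flip(p):
    """a: h := 0 p⊕ 1 with the coin resolved *inside* h, so the outer result
    is a single point distribution and the demon learns nothing from it."""
    return lambda st: frozenset({point((st[0], hdist((0, p), (1, 1 - p))))})

def visible_flip(st):
    """b: v := 0 1/2⊕ 1, resolved in the outer distribution, hence visible."""
    v, h = st
    return frozenset({frozenset({((0, h), F(1, 2)), ((1, h), F(1, 2))})})

def hidden_test(x):
    """[h = x]: conditions h on x and sends the remaining mass to ⊤, which is
    how a test on hidden state reveals, and thereby changes, that state."""
    def run(st):
        v, h = st
        q = dict(h).get(x, F(0))
        if not q:
            return frozenset({MAGIC_DIST})
        return frozenset({frozenset({((v, hdist((x, 1))), q)})})
    return run

def visible_test(x):
    """[v = x]: an ordinary read-only test on the visible part."""
    return lambda st: frozenset({point(st)}) if st[0] == x else frozenset({MAGIC_DIST})

def dominated(d_weaker, d):
    """d ⊑ d_weaker in the sense of Def. 1 on a finite state space: d_weaker
    only moves probability from proper states to ⊤."""
    dd = dict(d)
    return all(q <= dd.get(s, F(0)) for s, q in d_weaker)

def known_after(a, t, not_t, st):
    """Def. 4: t is known after a iff a(t + ¬t) = a, compared modulo up-closure."""
    lhs, rhs = seq(a, demonic(t, not_t))(st), a(st)
    return (all(any(dominated(x, y) for y in rhs) for x in lhs)
            and all(any(dominated(y, x) for x in lhs) for y in rhs))

def guess_bound(setter, test_for, st):
    """Largest probability of not blocking in setter;([x = 0] + [x = 1]): the
    best chance a scheduler committing to one guess has of being right."""
    prog = seq(setter, demonic(test_for(0), test_for(1)))
    return max(sum(q for _, q in d) for d in prog(st))

START = (0, hdist((0, 1)))   # constructed initial state: v = 0, h known to be 0

def hidden_round_number():
    """Hidden coin: [h = 0] + [h = 1] is not skip, and a guess succeeds with
    probability at most 1/2 (the paper's magic 1/2⊕ chaos)."""
    a = hidden_flip(F(1, 2))
    return (known_after(a, hidden_test(0), hidden_test(1), START),
            guess_bound(a, hidden_test, START))

def visible_round_number():
    """Visible coin: [v = 0] + [v = 1] collapses to skip and the guess always succeeds."""
    return (known_after(visible_flip, visible_test(0), visible_test(1), START),
            guess_bound(visible_flip, visible_test, START))

if __name__ == "__main__":
    print(hidden_round_number(), visible_round_number())
```

The defender's reading is the one the section makes: the scheduler's guess is bounded by 1/2 only because the round number lives in h, where the demonic choice between the two tests has to be made before the probability is resolved; move the same bit into v and the bound collapses to 1.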

7 Conclusions and Other Work

Rabin’s probabilistic solution to the mutual exclusion problem with bounded
waiting is particularly apt for demonstrating the difficulties of verifying proba-
bilistic protocols, as the original solution contained a particularly subtle flaw [15].
The use of pKA makes it clear what assumptions need to be checked relating to
the individual process code and the interaction with the scheduler, and more-
over a model-based verification of a complex distributed architecture is reduced
to checking that the appropriate hypotheses are satisfied. Our decision to introduce
the models separately stems from the complexity of QSH relative to LS, and the
fact that in many protocols LS is enough. The nice algebraic characterisations of
hidden and visible state may suggest that QSH could support a logic for probabilities
and ignorance in the refinement context, though that remains an interesting topic
for research.
Others have investigated instances of Rabin’s algorithm using model checking
[13]; there are also logics for “probability-one properties” [7], and models for
investigating the interaction of probability, knowledge and adversaries [2].
There are other variations on Kleene Algebra which allow for the relaxation
of distributivity laws [11], including those which are equivalent to pKA, except
for the left 0-annihilation [17].

References

1. E. Cohen. Separation and reduction. In Mathematics of Program Construction,
5th Intern. Conference, volume 1837 of LNCS, pages 45–59. Springer, July 2000.
2. J. Halpern and M. Tuttle. Knowledge, probabilities and adversaries. J. ACM,
40(4):917–962, 1993.
3. Jifeng He, K. Seidel, and A.K. McIver. Probabilistic models for the guarded com-
mand language. Science of Computer Programming, 28:171–92, 1997. Earlier ap-
peared in Proc. FMTA ’95, Warsaw, May 1995. Available at [9, key HSM95].

⁶ Here we are abusing notation, by using program syntax directly in algebraic expres-
sions.


4. Joe Hurd. A formal approach to probabilistic termination. In Víctor A. Carreño,
César A. Muñoz, and Sofiène Tahar, editors, 15th International Conference on
Theorem Proving in Higher Order Logics: TPHOLs 2002, volume 2410 of LNCS,
pages 230–45, Hampton, VA., August 2002. Springer.
www.cl.cam.ac.uk/~jeh1004/research/papers.
5. D. Kozen. Kleene algebra with tests. ACM Transactions on Programming Lan-
guages and Systems (TOPLAS), 19(3):427–443, 1997.
6. Eyal Kushilevitz and M.O. Rabin. Randomized mutual exclusion algorithms revis-
ited. In Proc. 11th Annual ACM Symp. on Principles of Distributed Computing,
1992.
7. D. Lehmann and S. Shelah. Reasoning with time and chance. Information and
Control, 53(3):165–98, 1982.
8. A. McIver and T. Weber. Towards automated proof support for probabilistic
distributed systems. In Proceedings of Logic for Programming and Automated Rea-
soning, volume 3835 of LNAI, pages 534–548. Springer, 2005.
9. A.K. McIver, C.C. Morgan, J.W. Sanders, and K. Seidel. Probabilistic Systems
Group: Collected reports.
web.comlab.ox.ac.uk/oucl/research/areas/probs.
10. Annabelle McIver and Carroll Morgan. Abstraction, Refinement and Proof for
Probabilistic Systems. Technical Monographs in Computer Science. Springer, 2004.
11. B. Moeller. Lazy Kleene Algebra. In D. Kozen and C. Shankland, editors, MPC,
volume 3125 of Lecture Notes in Computer Science, pages 252–273. Springer, 2004.
12. C.C. Morgan, A.K. McIver, and K. Seidel. Probabilistic predicate transformers.
ACM Transactions on Programming Languages and Systems, 18(3):325–53, 1996.
doi.acm.org/10.1145/229542.229547.
13. PRISM. Probabilistic symbolic model checker.
www.cs.bham.ac.uk/~dxp/prism.
14. M.O. Rabin. N-process mutual exclusion with bounded waiting by 4 log 2n-valued
shared variable. Journal of Computer and System Sciences, 25(1):66–75, 1982.
15. I. Saias. Proving probabilistic correctness statements: the case of Rabin’s algorithm
for mutual exclusion. In Proc. 11th Annual ACM Symp. on Principles of Distributed
Computing, 1992.
16. Roberto Segala. Modeling and Verification of Randomized Distributed Real-Time
Systems. PhD thesis, MIT, 1995.
17. T. Takai and H. Furusawa. Monadic tree Kleene Algebra. This proceedings:
Relations and Kleene Algebras in Computer Science LNCS 4136.

A Equational Identities That Still Apply in pKA

a∗ a∗ = a∗ (9)
∗ ∗ ∗ ∗
a (b + c) = a (a b + a c) (10)
Monotone Predicate Transformers as Up-Closed Multirelations

Ingrid Rewitzky and Chris Brink

Department of Mathematical Sciences, University of Stellenbosch, South Africa

Abstract. In the study of semantic models for computations two independent
views predominate: relational models and predicate transformer semantics.
Recently the traditional relational view of computations as binary relations
between states has been generalised to multirelations between states and
properties allowing the simultaneous treatment of angelic and demonic
nondeterminism. In this paper the two-level nature of multirelations is
exploited to provide a factorisation of up-closed multirelations which clarifies
exactly how multirelations model nondeterminism. Moreover, monotone predicate
transformers are, in the precise sense of duality, up-closed multirelations. As
such they are shown to provide a notion of effectivity of a specification for
achieving a given postcondition.

1 Introduction
Until recently it was commonly accepted that if programs and specifications are
to be modelled in a single framework then a predicate transformer semantics
could be defined in terms of monotone predicate transformers but there is no
traditional relational model. However, game theoretic descriptions [16,3] of a
specification computation with both angelic and demonic nondeterminism have
suggested that there is indeed a relational representation in terms of binary
multirelations as introduced in [24]. The basic idea is that binary multirelations,
being relations from states to sets of states, specify computations at the level
of properties that an atomic step has to satisfy, while binary relations, being
relations between states, specify computations at the level of states that an
atomic step may reach.
Within the multirelational model we may still define the traditional relational
model capturing angelic- or demonic nondeterminism. But in addition multirela-
tions can model two kinds of nondeterminism: demonic nondeterminism in terms
of states at the level of the computations specified, and angelic nondeterminism
in terms of properties at the level of the specifications. This multirelational
model is more than just an empty generalisation of the traditional relational
model. It in fact corresponds, in the precise sense of a Jónsson/Tarski [17] du-
ality, to monotone predicate transformer semantics. This and lattice-theoretic
properties of families of multirelations have been studied in [24]. A subsequent
paper [18] demonstrates how multirelations can be used for the specification of
multi-agent systems involving human-information interactions including resource
sharing protocols and games.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 311–327, 2006.

c Springer-Verlag Berlin Heidelberg 2006
312 I. Rewitzky and C. Brink

This paper begins with a description of multirelations and their operations
and properties useful for modelling angelic and demonic nondeterminism. Here
the presentation differs from that in [24] in that it emphasises the two levels
at which nondeterminism is being modelled. In Section 3 monotone predicate
transformers are shown to correspond in the precise sense of duality to up-
closed multirelations. The topological perspective of multirelations introduced
in Section 4 leads to a new and illuminating topological characterisation of
strongest postconditions. Section 5 considers two factorisations: a factorisation
of binary multirelations which reveals exactly how multirelations can model two
kinds of nondeterminism, and a generalisation of the known [12] factorisation
of monotone predicate transformers which provides a notion of effectivity of a
computation for achieving a given postcondition.

2 Relations and Multirelations

In standard relational models for programs a binary relation specifies the input-
output behaviour of a program in terms of the states it may reach from a given
state. Lifting this description from the level of states to the level of properties,
and using an idea that goes back to Hoare’s [15] seminal paper of 1969, the
behaviour of a program α may be specified in terms of the postconditions (or
the properties) that it has to satisfy, that is, if α has demonic choice then

sRα Q iff every execution of program α, from state s, reaches a state in which Q is true,

or, if α has angelic choice then

sRα Q iff some execution of program α, from state s, reaches a state in which Q is true.

We now use these ideas to move towards a relational representation of specification
computations with demonic and angelic nondeterminism. One way to think
of such a specification α is as a two-player two-step game of choice. We may
refer colloquially to the players as ‘the user’ and ‘the machine’. The user makes
the first move by selecting a set of possible winning positions, and the machine
makes the second move by selecting the actual final position from this set. The
game is lost by the player who is faced with the choice from an empty set. It
is assumed that the user will take any available opportunity to win, while the
machine assumes the role of a devil’s advocate who is trying to make sure the
user loses. In this context the angelic choices are interpreted as those made by
the user, while the demonic choices are those made by the machine. A loss for
the user is the empty family, and the user has the opportunity of winning the
game whenever the family of choices contains the empty set. From each starting
position s the user may have the choice of more than one set of possible winning
positions. Therefore, the set
{ Q | sRα Q }
Monotone Predicate Transformers as Up-Closed Multirelations 313

captures the angelic choices available to the user (or angel). If this set includes
the empty set then it is a winning strategy for the angel. While for each Q with
sRα Q, the set
{t | t ∈ Q}
captures the choices available to the machine (or demon). Therefore, a specifica-
tion computation α may be represented as a relation Rα , the idea being that α,
when started in state s is guaranteed to achieve postcondition Q for some angelic
choice regardless of the demonic choices. We may formalise this representation
of a specification computation α in terms of a binary multirelation Rα relating
states and postconditions.
Definition 1. Let X and Y be sets. A binary multirelation is a subset of the
Cartesian product X × P(Y ), that is, a set of ordered pairs (x, Q) where x ∈ X
and Q ⊆ Y . The image under a multirelation R of any x ∈ X is denoted R(x)
and defined to be the set {Q ⊆ Y | xRQ}. Mostly we will deal with the case of
X = Y = S.
For any binary multirelations R, T ⊆ S ×P(S), their composition may be defined
as follows:

R ⨾ T = {(s, Q) | (∃Q')[sRQ' and Q' ⊆ {y | yTQ}]}.

So, given input value s, the angel can only guarantee that R ⨾ T will achieve
postcondition Q if s/he can ensure that R will establish some intermediate post-
condition Q' and if s/he can also guarantee that T will establish Q given any
value in Q'.
Multirelations model two kinds of nondeterminism: angelic nondeterminism
captured in terms of sets {Q | sRQ} of properties or postconditions at the level
of the specifications, and demonic nondeterminism in terms of sets {t | t ∈ Q} of
states at the level of the computations specified. So there are two levels at which
multirelations may be compared. At the level of specifications a comparison of
multirelations may be based on the number of sets Q each relates to a given
state s. That is, for multirelations R, T ⊆ S × P(S),

R ⊑a T iff R ⊇ T iff ∀s ∈ S, {Q | sRQ} ⊇ {Q | sTQ},

with the intuition that T is ‘better’ from the demon’s perspective than R if T
has less angelic choice (and possibly more demonic choice) than R. This provides
a notion of angelic refinement of R by T since the angelic nondeterminism is re-
duced. At the level of computations a comparison of multirelations may be based
on the size of the sets Q related to a given state s. That is, for multirelations
R, T ⊆ S × P(S),

R ⊑d T iff (∀s ∈ S)(∀Q' ∈ R(s))(∃Q ∈ T(s))[Q ⊆ Q']

with the intuition that T is ‘better’ from the angel’s perspective than R if T has
less demonic choice (and possibly more angelic choice) than R. This provides a
notion of demonic refinement of R by T since the demonic nondeterminism is
reduced.
We distinguish two extreme multirelations, namely the universal multirelation
defined by
⊤+ = {(s, Q) | s ∈ S and Q ⊆ S}
and the empty multirelation ⊥+ = ∅. Then for all multirelations R ⊆ S × P(S),

⊤+ ⊑a R and R ⊑d ⊤+,

that is, ⊤+ has the most angelic choice and the least demonic choice (since sR∅,
for each s ∈ S). Dually, for all multirelations R ⊆ S × P(S),

R ⊑a ⊥+ and ⊥+ ⊑d R,

that is, ⊥+ has the least angelic choice (since sR∅ fails for each s ∈ S) and the most
demonic choice.
With respect to the refinement orderings ⊑a and ⊑d, notions of lub and glb
may be defined: ⊔a and ⊓a are defined in terms of intersection and union of
subsets of P(S) respectively, and hence at the level of the specifications; while
⊔d and ⊓d are defined as union or intersection of subsets of S respectively, and
hence at the level of the computations specified.

Definition 2. Let R and T be binary multirelations over a set S.

Angelic intersection R ⊓a T = {(s, Q) | sRQ or sTQ}.
Angelic union R ⊔a T = {(s, Q) | sRQ and sTQ}.
Demonic intersection R ⊓d T = {(s, P1 ∩ P2) | sRP1 and sTP2}.
Demonic union R ⊔d T = {(s, P1 ∪ P2) | sRP1 and sTP2}.
Since the image set of any s ∈ S under any binary multirelation is an element
of P(P(S)) the demonic union and intersection may be viewed as pointwise
extensions of the power operations [7,8] of union and intersection on the powerset
Boolean algebra P(S) = (P(S), ∪, ∩, −, ∅, S). The order ⊑d is a pre-order given
by the upper power order, in the sense of [7], of set inclusion.
With these operations we may give a semantics of program and specification
constructs in extensions [19,21,2] of Dijkstra’s guarded command language [9,10].
For example,

Definition 3.
No op Rskip = {(s, Q) | s ∈ S and s ∈ Q}
divergence Rabort = ⊥+
miracle Rmagic = +
sequential composition Rα;β = Rα ⨾ Rβ
angelic choice Rαβ = Rα a Rβ
demonic choice Rαβ = Rα d Rβ .
Binary multirelations have many interesting and useful properties. Here are some
of them.

Definition 4. Let R ⊆ S × P(S) be a binary multirelation. Then

(a) R is proper if, for each s ∈ S, R(s) ≠ ∅.
(b) R is total if, for each s ∈ S, ∅ ∉ R(s).
(c) R is up-closed if, for each s ∈ S and any Q ⊆ S,

sRQ iff ∀Q' ⊆ S, Q ⊆ Q' ⇒ sRQ'.

(d) R is multiplicative if, for each s ∈ S and any non-empty set 𝒬 of subsets of S,

sR(∩𝒬) iff ∀Q ∈ 𝒬, sRQ.

(e) R is additive if, for each s ∈ S and any non-empty set 𝒬 of subsets of S,

sR(∪𝒬) iff ∃Q ∈ 𝒬, sRQ.

For the remainder of the paper we will consider only up-closed multirelations
since these are the multirelations that are, in the sense of the duality of Sec-
tion 3, monotone predicate transformers. As shown in [24], the family of up-
closed binary multirelations over S has a very rich lattice-theoretic structure
inherited from the lattice of up-closed sets of the powerset Boolean algebra
P(S) = (P(S), ∪, ∩,− , ∅, P(S)). Formally,

Theorem 1. The family of up-closed binary multirelations is a complete ring
of sets in which

⋀{Ri | i ∈ I} = ∩{Ri | i ∈ I} = ⊔d{Ri | i ∈ I}

⋁{Ri | i ∈ I} = ∪{Ri | i ∈ I} = ⊓a{Ri | i ∈ I}.

The bottom element is ⊥+ and the top element is ⊤+. The finite elements
are the finite joins of proper multiplicative multirelations. The completely join-
irreducible elements are the proper multiplicative multirelations and the com-
pletely meet-irreducible elements are the total additive multirelations.

Since a proper multiplicative multirelation is completely join-irreducible it can-
not be expressed as a union of distinct non-empty multirelations, that is, it
contains no angelic choice and hence will be referred to as a demonic multirela-
tion. Dually, a total additive multirelation contains no demonic choice and will
be referred to as an angelic multirelation.
The next theorem provides some distributivity properties of multirelational
composition; the proofs are easy and left for the reader.

Theorem 2. For any up-closed multirelations R, T1, T2 ⊆ S × P(S),

(a) ⊤+ ⨾ R = ⊤+
R ⨾ ⊤+ = ⊤+, if R is proper.
(b) ⊥+ ⨾ R = ⊥+
R ⨾ ⊥+ = ⊥+, if R is total.
(c) T1 ⊆ T2 implies T1 ∩ R ⊆ T2 ∩ R and T1 ∪ R ⊆ T2 ∪ R.
T1 ⊆ T2 implies T1 ⨾ R ⊆ T2 ⨾ R and R ⨾ T1 ⊆ R ⨾ T2.
(d) (T1 ∩ T2) ⨾ R ⊆ T1 ⨾ R ∩ T2 ⨾ R
R ⨾ (T1 ∩ T2) = R ⨾ T1 ∩ R ⨾ T2, if R is multiplicative.
(e) (T1 ∪ T2) ⨾ R = T1 ⨾ R ∪ T2 ⨾ R
R ⨾ (T1 ∪ T2) = R ⨾ T1 ∪ R ⨾ T2, if R is additive.

We conclude this description of multirelations with the correspondence between
demonic multirelations and binary relations, and between angelic multirelations
and binary relations. Any binary relation r over the state space S may be viewed
as a demonic multirelation R_r^d ⊆ S × P(S) given by:

sR_r^dQ iff (∀t)[srt ⇒ t ∈ Q], for any s ∈ S and any Q ⊆ S,

and as an angelic binary multirelation R_r^a ⊆ S × P(S) given by:

sR_r^aQ iff (∃t)[srt ∧ t ∈ Q], for any s ∈ S and any Q ⊆ S.

It is easy to check that R_r^d is a demonic multirelation and R_r^a an angelic mul-
tirelation. To each demonic multirelation R ⊆ S × P(S) there corresponds some
binary relation r_R ⊆ S × S given by r_R(s) = {Q | Q ∈ R(s)} for s ∈ S. Dually,
if R is an angelic multirelation then the corresponding binary relation r_R ⊆ S × S
is given by r_R(s) = {Q | Q ∈ R(s)} for s ∈ S. It is easy to check that for any
demonic multirelation R over S, R = R^d_{r_R}; for any angelic multirelation R over
S, R = R^a_{r_R}; and for any binary relation r over S, r = r_{R_r^a} = r_{R_r^d}.

3 Up-Closed Multirelations Are Monotone Predicate Transformers

In this section we establish a bijective correspondence between up-closed binary
multirelations and monotone predicate transformers which is a generalisation
of Jónsson/Tarski duality [17] for binary relations and certain monotone unary
operators. For monotone predicate transformers g : P(S) → P(S) the correspon-
dence is somewhat trivial, and involves finding the states from which a speci-
fication will achieve a given postcondition. The correspondence for monotone
predicate transformers g over a (not necessarily powerset) Boolean algebra B is
more interesting in that it invokes the canonical extension [13,14] of g.
For an up-closed binary multirelation R ⊆ S × P(S), a predicate transformer
gR over P(S) is defined by

gR (Q) = {s ∈ S | sRQ}, for any Q ⊆ S.

Since R is up-closed, gR is monotone. Conversely, for a monotone predicate
transformer g : P(S) → P(S), a multirelation Rg ⊆ S × P(S) is defined by

sRg Q iff s ∈ g(Q), for any s ∈ S and any Q ⊆ S.

Since g is monotone, Rg is up-closed. As a trivial consequence of these definitions,
we have
R_{g_R} = R and g_{R_g} = g.
Therefore, up-closed binary multirelations are monotone predicate transformers
over a powerset Boolean algebra. In what follows we show that the restriction
to powerset Boolean algebras can be dropped.
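The duality g_R / R_g of this section, together with the liftings R_r^d, R_r^a, Definition 4 and the composition of Section 2, worked on a small finite example. This is an added illustration, not code from the paper; the three-state set S and the step relation r are constructed for it.

```python
from itertools import combinations

# Constructed example (not from the paper): three states and a nondeterministic
# step relation r, where (s, t) in r means that t may follow s.
S = frozenset({0, 1, 2})
r = frozenset({(0, 1), (0, 2), (1, 2), (2, 2)})


def powerset(xs):
    """All subsets of the finite collection xs as frozensets (P(S) in the paper)."""
    xs = list(xs)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]


def successors(rel, s):
    return frozenset(t for (u, t) in rel if u == s)


def demonic_lifting(rel, S):
    """R^d_r of Section 2: s R Q iff every r-successor of s lies in Q."""
    return frozenset((s, Q) for s in S for Q in powerset(S) if successors(rel, s) <= Q)


def angelic_lifting(rel, S):
    """R^a_r of Section 2: s R Q iff some r-successor of s lies in Q."""
    return frozenset((s, Q) for s in S for Q in powerset(S) if successors(rel, s) & Q)


def image(R, s):
    """R(s) = {Q | s R Q}, the postconditions the angel can pick at s."""
    return frozenset(Q for (u, Q) in R if u == s)


def is_up_closed(R, S):  # Definition 4(c)
    return all((s, Q2) in R for (s, Q) in R for Q2 in powerset(S) if Q <= Q2)


def is_proper(R, S):  # Definition 4(a): R(s) is never empty
    return all(image(R, s) for s in S)


def is_total(R, S):  # Definition 4(b): the empty postcondition is never achievable
    return all(frozenset() not in image(R, s) for s in S)


def is_multiplicative(R, S):  # Definition 4(d), checked over every non-empty family
    return all(((s, frozenset.intersection(*fam)) in R) == all((s, Q) in R for Q in fam)
               for s in S for fam in powerset(powerset(S)) if fam)


def is_additive(R, S):  # Definition 4(e), checked over every non-empty family
    return all(((s, frozenset.union(*fam)) in R) == any((s, Q) in R for Q in fam)
               for s in S for fam in powerset(powerset(S)) if fam)


def compose(R, T, S):
    """R ; T = {(s, Q) | exists Q' with s R Q' and Q' ⊆ {y | y T Q}} (Section 2)."""
    def states_where_T_achieves(Q):
        return frozenset(y for y in S if (y, Q) in T)
    return frozenset((s, Q) for s in S for Q in powerset(S)
                     if any(Q1 <= states_where_T_achieves(Q) for Q1 in image(R, s)))


def transformer_of(R, S):
    """g_R(Q) = {s | s R Q}: the states from which R achieves postcondition Q."""
    return lambda Q: frozenset(s for s in S if (s, Q) in R)


def multirelation_of(g, S):
    """R_g: s R_g Q iff s in g(Q)."""
    return frozenset((s, Q) for Q in powerset(S) for s in g(Q))


def demo():
    """Run the checks on the constructed example; returns the facts established."""
    Rd, Ra = demonic_lifting(r, S), angelic_lifting(r, S)
    gd, ga = transformer_of(Rd, S), transformer_of(Ra, S)
    Q = frozenset({2})
    return {
        "both liftings are up-closed": is_up_closed(Rd, S) and is_up_closed(Ra, S),
        # a demonic multirelation: proper and multiplicative, no angelic choice
        "R^d_r proper, multiplicative, not additive":
            is_proper(Rd, S) and is_multiplicative(Rd, S) and not is_additive(Rd, S),
        # an angelic multirelation: total and additive, no demonic choice
        "R^a_r total, additive, not multiplicative":
            is_total(Ra, S) and is_additive(Ra, S) and not is_multiplicative(Ra, S),
        # g_R of the demonic lifting is the familiar weakest precondition:
        # the states all of whose successors satisfy Q
        "gd({2})": gd(Q),  # {1, 2}
        "ga({2})": ga(Q),  # {0, 1, 2}
        "R_{g_R} = R": multirelation_of(gd, S) == Rd and multirelation_of(ga, S) == Ra,
        # sequential composition of multirelations is composition of transformers
        "g_{Rd ; Rd} = gd o gd": all(transformer_of(compose(Rd, Rd, S), S)(X) == gd(gd(X))
                                     for X in powerset(S)),
    }


if __name__ == "__main__":
    for fact, value in demo().items():
        print(f"{fact}: {value}")
```

A relation with stuck states (no successor) gives a demonic lifting that relates those states to ∅, so it fails totality, matching the normality clause of Theorem 7.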

Definition 5. A binary multirelational structure S = (S, {Ri | i ∈ I}) is such
that S is a set and {Ri | i ∈ I} is a collection of up-closed binary multirelations
over S.

By translating each up-closed binary multirelation R in a binary multirelational
structure into a monotone predicate transformer gR we obtain a certain kind of
Boolean algebra with operators. Since we wish to establish a bijective correspon-
dence we define these in general.

Definition 6. A Boolean algebra with monotone predicate transformers

B = (B, ∨, ∧, −, 0, 1, {gi | i ∈ I})

is such that B = (B, ∨, ∧, −, 0, 1) is a Boolean algebra and {gi | i ∈ I} is a
collection of monotone predicate transformers over B.

In order to establish a bijective correspondence between Boolean algebras with
monotone predicate transformers and binary multirelational structures, we must
show how each gives rise to and can be recovered from the other. From above
we have,

Theorem 3. Given any binary multirelational structure S = (S, {Ri | i ∈ I})
its power algebra P(S) = (P(S), ∪, ∩, −, ∅, S, {gRi | i ∈ I}) is a Boolean algebra
with monotone predicate transformers.

Next we show that any Boolean algebra with monotone predicate transformers in
turn gives rise to a binary multirelational structure by invoking the basic Stone
representation [25]. That is, we represent the elements of the Boolean algebra as
subsets of some universal set, namely the set of all prime filters, and then define
binary multirelations over this universe.
Let B = (B, ∨, ∧, −, 0, 1, {gi | i ∈ I}) be a Boolean algebra with monotone
predicate transformers, and let F(B) be the set of all prime filters in B considered
as a Boolean algebra. For each monotone operator g : B → B, we may define a
mapping g^σ over P(F(B)), called the canonical extension [13,14] of g, by

g^σ(𝒴) = ∪{g^σ(N_Y) | N_Y ⊆ 𝒴}, for 𝒴 ⊆ F(B),

where N_Y = {F ∈ F(B) | Y ⊆ F} for Y ⊆ B,
g^σ(N_Y) = ∩{g^σ(N_y) | y ∈ Y} for Y ⊆ B,
g^σ(N_y) = {F ∈ F(B) | g(y) ∈ F} for y ∈ B.

Using these mappings we may define, for each monotone operator g : B → B, a
binary multirelation Rg ⊆ F(B) × P(F(B)) by
XRg𝒴 iff X ∈ g^σ(𝒴) iff ∃N_Y ⊆ 𝒴 ∀y ∈ Y g(y) ∈ X,
for any X ∈ F(B) and any 𝒴 ⊆ F(B).
If elements of B are viewed as properties then prime filters in F(B) may be
viewed as states. A subset 𝒴 of F(B) may then be viewed as an angelic/demonic
joint strategy, as follows. The demon chooses a postcondition N_Y from the set
{N_Y ⊆ F(B) | Y ⊆ B and N_Y ⊆ 𝒴}
of postconditions stronger than postcondition 𝒴, and the angel chooses from the
set
{g(y) | y ∈ Y and g(y) ∈ X}
of preconditions a property of the state X from which the chosen postcondition
N_Y will be achieved.
In the case of a complete atomic Boolean algebra with monotone predicate
transformers, g and g^σ coincide so the above translation reduces to
xRg Q iff x ∈ g(Q), for any x ∈ S and any Q ⊆ S.
If 𝒴 is a set {F ∈ F(B) | y ∈ F} (for y ∈ B), then
XRg𝒴 iff g(y) ∈ X.
If 𝒴 is a set {F ∈ F(B) | Y ⊆ F} (for Y ⊆ B), then
XRg𝒴 iff Y ⊆ g^{-1}(X).

Theorem 4. Given any Boolean algebra with monotone predicate transformers
B = (B, ∨, ∧, −, 0, 1, {gi | i ∈ I})
its prime filter structure (F(B), {Rgi | i ∈ I}) is a binary multirelational struc-
ture.
Proof. For each monotone operator g : B → B, the mapping g^σ over P(F(B)) is
monotone. Hence the binary multirelation Rg ⊆ F(B) × P(F(B)) is up-closed.


Thus every binary multirelational structure gives rise to a Boolean algebra with
monotone predicate transformers, and conversely. The next two theorems show
that each can also be recovered from the other. Let B = (B, ∨, ∧,− , 0, 1, {gi |
i ∈ I}) be a Boolean algebra with monotone predicate transformers. Then the
Stone [25] mapping h : B → P(F (B)), given by h(a) = {F ∈ F(B) | a ∈ F },
is an embedding of the Boolean algebra B = (B, ∨, ∧,− , 0, 1) into the powerset
Boolean algebra
P(F (B)) = (P(F (B)), ∪, ∩,− , ∅, F (B)).
Now we need to show that h preserves monotone predicate transformers over B.
Theorem 5. Any Boolean algebra with monotone predicate transformers is iso-
morphic to a subalgebra of the Boolean algebra with predicate transformers of its
underlying binary multirelational structure.

Proof. Given any monotone operator g : B → B and any a ∈ B, we have to
show that h(g(a)) = g_{Rg}(h(a)).
g_{Rg}(h(a))
= {F ∈ F(B) | F Rg h(a)}    by definition on page 316 of g_{Rg} from Rg
= {F ∈ F(B) | g(a) ∈ F}    by a special case of definition on page 318 of Rg from g
= h(g(a))    by definition of h.

Consider any binary multirelational structure S = (S, {Ri | i ∈ I}). The power-
set P(S) of S endowed with the mappings gR yields the Boolean algebra with
monotone predicate transformers P(S) = (P(S), ∪, ∩,− , ∅, S, {gRi | i ∈ I}).
Forming the prime filter structure of this yields a binary multirelational struc-
ture which contains an isomorphic copy of the original binary multirelational
structure. Each of the original up-closed binary multirelations R over S gives rise
to a monotone predicate transformer gR : P(S) → P(S), which in turn gives rise
to an up-closed binary multirelation RgR over F (P(S)). There is a bijective cor-
respondence between the elements of S and certain prime filters in P(S), namely
the principal prime filters under the mapping a → k(a) = {A ⊆ S | a ∈ A}. An
extension of this mapping provides a bijective correspondence between subsets
of S and principal filters, namely Y → k(Y ) = {A ⊆ S | Y ⊆ A}. We need to
show that this mapping preserves structure.

Theorem 6. Any binary multirelational structure is isomorphic to a substruc-
ture of the prime filter binary multirelational structure of its Boolean algebra
with monotone predicate transformers.

Proof. Consider any up-closed binary multirelation R ⊆ S × P(S). For x ∈ S
and Y ⊆ S, we show that

k(x) R_{gR} N_{k(Y)} iff xRY, where N_{k(Y)} = {Q ∈ F(P(S)) | k(Y) ⊆ Q}.

k(x) R_{gR} N_{k(Y)}
iff k(Y) ⊆ (gR)^{-1}(k(x))    by special case of definition on page 318 of R_{gR} from gR
iff {Z ⊆ S | Y ⊆ Z} ⊆ (gR)^{-1}(k(x))    by definition of k(Y)
iff (∀Z ⊆ S)[Y ⊆ Z ⇒ gR(Z) ∈ k(x)]    by definition of ⊆
iff (∀Z ⊆ S)[Y ⊆ Z ⇒ x ∈ gR(Z)]    by definition of k(x)
iff (∀Z ⊆ S)[Y ⊆ Z ⇒ xRZ]    by definition on page 316 of gR from R
iff xRY    since R(x) is up-closed

Therefore, the relational counterparts of monotone predicate transformers are
binary multirelations.
As a consequence of these bijective correspondences, there is a translation
between properties of up-closed binary multirelations and properties of monotone
predicate transformers.

Theorem 7. Let g : B → B be a monotone predicate transformer. Then prop-
erties of g translate into properties of Rg as (i) and (ii) below. Conversely, let
R ⊆ S × P(S) be an up-closed binary multirelation. Then the properties of R
translate into properties of gR as (ii) to (i) below.

(a) (i) g is normal (ii) R is total;
(b) (i) g is full (ii) R is proper;
(c) (i) g is multiplicative (ii) R is multiplicative;
(d) (i) g is additive (ii) R is additive.

It may also be shown (as in [24] p269) that sequential composition of up-closed
multirelations corresponds to composition of monotone predicate transformers.

4 Strongest Postconditions as Closed Sets

Up-closed multirelations R ⊆ S × P(S) satisfy the property that for any state
s ∈ S and postcondition Q ⊆ S,

sRQ iff ∀Q' ⊆ S, Q ⊂ Q' ⇒ sRQ'.

This suggests that it suffices to consider the strongest postconditions Q of R
with respect to s, that is, the postconditions Q ⊆ S, with the property that

sRQ and ∀Q' ⊆ S, sRQ' ⇒ Q ⊂ Q'.

However, the set of postconditions for an up-closed multirelation with respect
to a state s does not necessarily contain a strongest postcondition. For example,
consider the multirelational structure (R, ν) where R is the set of real numbers
and

ν(0) = ↑{(0, x0) | x0 > 0} = {X ⊆ R | {x | 0 < x < x0} ⊆ X for some x0 > 0}.


Then {Q | 0νQ ∧ ∀Q0 ⊂ Q, Q0 ∉ ν(0)} = ∅. This kind of descending chain of
postconditions does not occur in up-closed multirelations R ⊆ S × P(S) satisfying
the property that for any state s ∈ S and any postcondition Q ⊆ S,

sRQ iff ∃Q' ⊆ S, sRQ' ∧ Q' ⊂ Q.

In order to distinguish between postconditions and strongest postconditions, we
invoke some ideas from topology.
Definition 7. A general multirelational structure (S, {Ri | i ∈ I}, A) is a mul-
tirelational structure (S, {Ri | i ∈ I}) together with a set A of basic open sets
for a topology ΩS on S. In such a structure the interaction of the multirelations
R with the topology is captured by the following properties:
(a) For any set Q ⊆ S, sRQ iff ∃ closed set C ⊆ S, sRC ∧ C ⊆ Q.
(b) For any closed set C ⊆ S, sRC iff ∀Q ⊆ S, C ⊆ Q ⇒ sRQ.
As a consequence of the properties (a) and (b) of multirelations we have the
following characterisation of strongest postconditions as closed sets of the topo-
logical space (S, ΩS , {Ri }i∈I ).

Theorem 8. For any multirelation R ⊆ S × P(S) of a general multirelational
structure, the set {Q ⊆ S | sRQ ∧ ∀Q' ⊆ S, sRQ' ⇒ Q ⊂ Q'} of strongest
postconditions of R with respect to s is a set of closed sets.

Proof. For any s ∈ S and Q ⊆ S, assume sRQ and ∀Q', sRQ' ⇒ Q ⊂ Q'.
Then, by Definition 7 (a), for some closed set C ⊆ S, sRC and C ⊆ Q and
∀Q' ⊆ S, sRQ' ⇒ Q ⊂ Q'. Thus, by predicate calculus, Q = C and hence Q is
a closed set.

This result may be seen as the multirelational analogue of a result in [6] showing
that relations of a differentiated and compact general relational structure are
point closed, i.e. the image set of each point is closed.
It turns out that if a general multirelational structure (S, {Ri | i ∈ I}, A) is
(a) differentiated (i.e., w = v iff ∀A ∈ A, (w ∈ A ⇔ v ∈ A))
(b) compact (i.e., ∀A' ⊆ A, ∩A' ≠ ∅ if A' has the finite intersection property)
then the topology ΩS is the Stone topology on S with A as clopen basis.
In this context, we obtain alternative characterisations of the binary mul-
tirelation Rg defined from a monotone operator g : B → B. For this we note
that given a Boolean algebra with monotone predicate transformers (B, {gi }i∈I ),
the set F (B) of prime filters has a natural topology called the Stone topology
generated by a subbasis of sets of form

Na = {F ∈ F(B) | a ∈ F } for a ∈ B.

Then subsets of F(B) of the form

O_A = {F ∈ F(B) | A ∩ F ≠ ∅} for A ⊆ B

are called open sets while those of the form

C_A = {F ∈ F(B) | A ⊆ F} for A ⊆ B

are called closed sets. Let C(F(B)) denote the set of all closed sets. For any
X ∈ F(B) and any 𝒴 ⊆ F(B), if 𝒴 is a closed set C_Y then
XRg𝒴 iff Y ⊆ g^{-1}(X) iff ∀a ∈ B, a ∈ Y ⇒ g(a) ∈ X.
Also, for any X ∈ F(B) and any 𝒴 ⊆ F(B),
XRg𝒴 iff X ∈ g^σ(𝒴) iff ∃C_Y ∈ C(F(B)), C_Y ⊆ 𝒴 ∧ Y ⊆ g^{-1}(X).
Thus Rg satisfies property (a) of Definition 7. Since Rg is up-closed, property (b)
is satisfied. Hence (F(B), {Rgi}i∈I, {Na | a ∈ B}) is a general multirelational
structure. Moreover, the interpretation in Section 3 of a subset 𝒴 of F(B) as an
angelic/demonic joint strategy can be refined to one where the demon chooses a
strongest postcondition.
The topological perspective of this section may be used to establish a full topo-
logical duality between Boolean algebras with monotone predicate transformers
and general multirelational structures.

5 Angelic/Demonic Factorisation
It is known that the standard epi/monic factorisation [1] can be obtained uniquely
for meet- and join operators but for monotone operators in general there is no
unique such factorisation. However, in the case of monotone operators over a power
set Boolean algebra (as shown in [12]) we have a meet/join factorisation which was
used in [11] for proving the completeness of Morgan’s [20] refinement laws. In this
section we give a factorisation for up-closed multirelations and for monotone oper-
ators over a (not necessarily power set) Boolean algebra. The multirelational fac-
torisation will be used to justify the intuition of Section 2 that multirelations can
model both angelic and demonic nondeterminism; the monotone predicate trans-
former factorisation will be used to refine the notion of winning strategy for the
game theoretic interpretation of specifications with angelic and demonic nonde-
terminism.
First we recall a well-known fact from category theory used in [4] for a cat-
egorical description of the power construction [7] lifting structure from states
(or individuals) to postconditions (or sets of individuals). Namely, the power set
functor P induces a monad (P, η, μ) on the category SET of sets, where P(S) is
the set of all subsets of S, η : idSET → P is given by ηS : S → P(S) defined by
ηS (s) = {s} (for s ∈ S) and μ : P ◦ P → P is given by μS : P(P(S)) → P(S) de-
fined by μA (X) = ∪X (for X ⊂ P(S)). Any monotone map g : P(S) → P(S) gives
rise to a monotone map g + : P(P(S)) → P(P(S)) by g + (Q) = {g(Q) | Q ∈ Q}
(for Q ⊆ P(S)).
Given an up-closed multirelation R ⊆ S × P(S) it may be viewed as a
monotone map R : S → P(P(S)). Then, it is easy to show that
R = μP(S) ◦ R+ ◦ ηS .
Observe that, for any s ∈ S,

R(s) = ∪R+({s}) = ∪{𝒬 ⊆ P(S) | ∃Q ∈ 𝒬, sRQ}

and

Q ∈ ∪{𝒬 ⊆ P(S) | ∃Q ∈ 𝒬, sRQ} iff ∃𝒬 ⊆ P(S), Q ∈ 𝒬 ∧ 𝒬 ⊆ {Q | sRQ}.

Hence, for any s ∈ S and any Q ⊆ S,

sRQ iff ∃𝒬 ⊆ P(S), Q ∈ 𝒬 ∧ 𝒬 ⊆ {Q' ⊆ S | sRQ'}.

Thus a factorisation of an up-closed multirelation R ⊆ S × P(S) is given by

R = AR ⨾ DR,

where the relation AR ⊆ S × P(P(S)) defined by

sAR𝒬 iff 𝒬 ⊆ {Q' ⊆ S | sRQ'}, for any s ∈ S and any 𝒬 ⊆ P(S)

is an angelic multirelation, and the relation DR ⊆ P(P(S)) × P(S) defined by

𝒬DRQ iff Q ∈ 𝒬, for any 𝒬 ⊆ P(S) and any Q ⊆ S

is a demonic multirelation. Now suppose that there is another factorisation of R
given by R = A ⨾ D where A is an angelic multirelation and D is a demonic
multirelation. Then AR = A ⨾ A' for some angelic multirelation A'. Define
A' : P(P(S)) × P(P(S)) by

𝒬' A' 𝒬 iff 𝒬' D (∩𝒬), for any 𝒬', 𝒬 ⊆ P(S).

Then A' is angelic, and for any s ∈ S and any 𝒬 ⊆ P(S),

sAR𝒬 iff ∀Q ∈ 𝒬, sRQ    by definition of AR
iff ∀Q ∈ 𝒬, s(A ⨾ D)Q    since R = A ⨾ D
iff s(A ⨾ D)(∩𝒬)    since D is multiplicative
iff ∃𝒬', sA𝒬' ∧ 𝒬' D (∩𝒬)    by definition of ⨾
iff s(A ⨾ A')𝒬    by definition of A'

Therefore, the angelic/demonic factorisation of an up-closed multirelation has a
uniqueness property similar to that for the standard epi/monic factorisation.
This factorisation of an up-closed multirelation may seem one-sided with only
AR being dependent on R but it reflects how multirelations capture angelic and
demonic nondeterminism. If {Q | sRQ} is a singleton, then there is only one
computation starting from s and hence there is no angelic nondeterminism. If
each Q in {Q | sRQ} is a singleton, there may be more than one computation
starting from s but in each case the postcondition has a singleton and hence
there is no demonic nondeterminism. Thus demonic nondeterminism depends
on the size of the sets Q in {Q | sRQ} and is captured by the relation DR,
while angelic nondeterminism depends on the number of sets in {Q | sRQ} and
is captured by the relation AR.
Given a monotone predicate transformer g : P(S) → P(S),
g ∘ μS = μS ∘ g+.
So a factorisation of a monotone predicate transformer g : P(S) → P(S) is given
by
g = j ∘ m
where j : P(P(S)) → P(S) defined by

j(𝒬) = (μS ∘ g+)(𝒬) = ∪{g(Q) | Q ∈ 𝒬}, for any 𝒬 ⊆ P(S)

is an additive predicate transformer, and m : P(S) → P(P(S)) defined by

m(Q) = (μS)^{-1}(Q) = {Q' | Q' ⊆ Q}, for any Q ⊆ S

is a multiplicative predicate transformer. Now suppose that there is another
factorisation of g : P(S) → P(S) given by g = j' ∘ m' where j' is an additive
predicate transformer and m' is a multiplicative predicate transformer. Then
there is an additive predicate transformer j'' such that j = j' ∘ j''. Define
j'' : P(P(S)) → P(P(S)) by
j''(𝒬) = ∪{m'(Q) | Q ∈ 𝒬}, for any 𝒬 ⊆ P(S).
Then j'' is additive and
j(𝒬) = μS ∘ g+(𝒬)    by definition of j
= ∪{g(Q) | Q ∈ 𝒬}    by definition of μS, g+
= ∪{j' ∘ m'(Q) | Q ∈ 𝒬}    since g = j' ∘ m'
= j'(∪{m'(Q) | Q ∈ 𝒬})    since j' additive
= j' ∘ j''(𝒬)    by definition of j''
Therefore, the additive/multiplicative factorisation of a monotone predicate
transformer has a uniqueness property similar to that for the epi/monic fac-
torisation.
This factorisation may be viewed as providing an angelic/demonic joint strat-
egy for achieving a postcondition Q. Namely, the demon chooses a (strongest)
postcondition Q' ⊆ Q and the angel chooses a property g(Q') of states from
which the chosen (strongest) postcondition Q' can be achieved. Thus demonic
nondeterminism depends on the size of the postcondition Q and is captured by
predicate transformer m, while angelic nondeterminism depends on the number
of sets in {g(Q) | Q ∈ 𝒬} and is captured by predicate transformer j.
For a monotone predicate transformer g : B → B over a (not necessarily
power set) Boolean algebra B we combine the above unique factorisation (with
S = F (B)) and the fact that the Stone mapping h : B → P(F (B)) preserves
monotone operators g over B, that is, h ◦ g = gRg ◦ h. This yields a factorisation
of a monotone predicate transformer g : B → B given by
g = j ∘ m
Monotone Predicate Transformers as Up-Closed Multirelations 325

where j : P(P(F(B))) → B defined by
$j(\mathcal{A}) = h^{-1}(\bigcup\{g_{R_g}(Y) \mid Y \in \mathcal{A}\})$, for any $\mathcal{A} \subseteq P(F(B))$
$= \{b \in B \mid \exists Y \in \mathcal{A},\ \forall X \in F(B),\ b \in X \text{ iff } X \in g^{\sigma}(Y)\}$
is an additive predicate transformer and m : B → P(P(F(B))) defined by
$m(a) = (\mu_{F(B)})^{-1} \circ h = \{\mathcal{A} \subseteq P(F(B)) \mid a \in \bigcap_{F \in \mathcal{A}} F\}$, for any a ∈ B

is a multiplicative predicate transformer. Uniqueness of this factorisation follows
from the uniqueness of the factorisation of $g_{R_g}$. The factorisation may be viewed
as providing an angelic/demonic joint strategy for effectively achieving a post-
condition a. Namely, the demon chooses a (strongest) postcondition A from the
set
{A ⊆ F(B) | ∀F ∈ A a ∈ F }
of postconditions stronger than postcondition a, and the angel chooses from the
set
$\{b \in B \mid \exists Y \in \mathcal{A},\ \forall X \in F(B),\ b \in X \text{ iff } X \in g^{\sigma}(Y)\}$
of preconditions a property b of the states from which the chosen (strongest)
postcondition will be achieved. Thus demonic nondeterminism depends on the
postcondition a ∈ B and is captured by the predicate transformer m, while
angelic nondeterminism depends on the number of sets in {gRg (Y) | Y ∈ A} and
is captured by the predicate transformer j.

6 Conclusion

The aim of this paper has been to stimulate interest in multirelations as a model
for simultaneously reasoning about angelic and demonic nondeterminism, and
in duality as a tool for unifying semantic models.
Multirelations were introduced in [24] as an alternative to monotone predicate
transformers, and their expressivity for modelling nondeterminism has been ex-
plored in [18]. In the book [8], the classical dualities of Stone [25], Jónsson/Tarski
[17] and Priestley [22] are invoked to compare semantic models, notwithstand-
ing their differences in formulation, and provide a surprisingly uniform picture
of program semantics.
This paper builds on the earlier work in a number of ways. First, the fac-
torisation of up-closed multirelations is new and reveals the two levels at which
multirelations capture angelic and demonic nondeterminism. Second, the topo-
logical perspective of multirelations introduced here provides a natural char-
acterisation of strongest postconditions as closed sets. Third, the translation
between monotone predicate transformers and up-closed multirelations formu-
lated in terms of canonical extensions is equivalent to that in [24], but is more
useful since it suggests a natural interpretation of monotone predicate transform-
ers in terms of angelic/demonic joint strategies for effectively achieving given

postconditions. Fourth, the framework of [23,8] for program semantics has been
extended and applied to semantic models for specification computations.
A number of challenges remain. For example: to develop an approach based
on binary multirelations for deriving strategies of games, to extend the relational
calculus for program derivation of [5], and to use multirelations for proving com-
pleteness of data refinement in the relational model. Perhaps further questions
will occur to the reader.

References
1. Adámek, J., Herrlich, H., Strecker, G.E.: Abstract and Concrete Categories. John
Wiley and Sons, Inc (1991).
2. Back, R.J.R., von Wright, J.: Combining angels, demons and miracles in program
specifications. Theoretical Computer Science 100 (1992) 365–383.
3. Back, R.J.R., von Wright, J.: Refinement Calculus: A Systematic Introduction.
Graduate Texts in Computer Science. Springer-Verlag, New York (1998).
4. Bargenda, H.W., Brink, C., Vajner, V.: Categorical aspects of power algebras.
Quaestiones Mathematica 16 (1993) 133–147.
5. Bird, R., de Moor, O.: Algebra of Programming. Prentice Hall (1997).
6. Blackburn, P., De Rijke, M., Venema, Y.: Modal Logic. Cambridge Tracts in The-
oretical Computer Science 53. Cambridge University Press, Cambridge (2001).
7. Brink, C.: Power structures. Algebra Universalis 30 (1993) 177–216.
8. Brink, C., Rewitzky, I.: A Paradigm for Program Semantics: Power Structures and
Duality. CSLI Publications, Stanford (2001).
9. Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of pro-
grams. Communications of the ACM 18 (8) (1975) 453–458.
10. Dijkstra, E.W.: A Discipline of Programming. Englewood Cliffs, New Jersey:
Prentice-Hall (1976).
11. Gardiner, P.H., Morgan, C.C.: Data refinement of predicate transformers. Theo-
retical Computer Science 87 (1) (1991) 143–162.
12. Gardiner, P.H., Martin, C.E., de Moor, O.: An algebraic construction of predicate
transformers. Science of Computer Programming 22 (1-2) (1994) 21–44.
13. Gehrke, M., Jónsson, B.: Bounded distributive lattices with operators. Mathemat-
ica Japonica 40 (2) (1994) 207–215.
14. Gehrke, M., Jónsson, B.: Monotone bounded distributive lattice expansions. Math-
ematica Japonica 52 (2) (2000) 197–213.
15. Hoare, C.A.R.: An axiomatic basis for computer programming. Communications
of the ACM 12(10) (1969) 576–583.
16. Hoare, C.A.R.: An algebra of games of choice. Unpublished manuscript, 4 pages
(1996).
17. Jónsson, B., Tarski, A.: Boolean algebras with operators I. American Journal of
Mathematics 73 (1951) 891–939.
18. Martin, C., Curtis, S., Rewitzky, I.: Modelling nondeterminism. In Proceedings
of the 7th International Conference on Mathematics of Program Construction.
Lecture Notes in Computer Science Vol 3125. Springer-Verlag, Berlin Heidelberg
New York (2004) 228–251.
19. Morgan, C.C.: The specification statement. Transactions of Programming Lan-
guage Systems 10 (3) (1998) 403–491.

20. Morgan, C.C., Robertson, K.A.: Specification statements and refinement. IBM
Journal of Research and Development 31 (5) (1987) 546–555.
21. Nelson, G.: A generalisation of Dijkstra’s calculus. ACM Transactions on Program-
ming Languages and Systems 11 (4) (1989) 517–562.
22. Priestley, H.A.: Representation of distributive lattices by means of ordered Stone
spaces. Bulletin of the London Mathematical Society 2 (1970) 186–190.
23. Rewitzky, I., Brink, C.: Predicate transformers as power operations. Formal As-
pects of Computing 7 (1995) 169–182.
24. Rewitzky, I.: Binary multirelations. In Theory and Application of Relational Struc-
tures as Knowledge Instruments. (eds: H de Swart, E Orlowska, G Schmidt, M
Roubens). Lecture Notes in Computer Science Vol 2929. Springer-Verlag, Berlin
Heidelberg New York (2003) 259–274.
25. Stone, M.H.: Topological representations of distributive lattices and Brouwerian
logics. Časopis pro pěstování matematiky 67 (1937) 1–25.
Homomorphism and Isomorphism Theorems
Generalized from a Relational Perspective

Gunther Schmidt

Institute for Software Technology, Department of Computing Science
Universität der Bundeswehr München, 85577 Neubiberg, Germany
[email protected]

Abstract. The homomorphism and isomorphism theorems traditionally
taught to students in a group theory or linear algebra lecture are by no
means theorems of group theory. They have for a long time been seen as general
concepts of universal algebra. This article goes even further and identifies
them as relational properties whose study does not even require the
concept of an algebra. In addition it is shown how the homomorphism
and isomorphism theorems generalize to not necessarily algebraic and
thus relational structures.
Keywords: homomorphism theorem, isomorphism theorem, relation algebra, congruence, multi-covering.

1 Introduction
Relation algebra has received increasing interest during the last years. Many
areas have been reconsidered from the relational point of view, which often pro-
vided additional insight. Here, the classical homomorphism and isomorphism
theorems (see [1], e.g.) are reviewed from a relational perspective, thereby sim-
plifying and slightly generalizing them.
The paper is organized as follows. First we recall the notion of a heterogeneous
relation algebra and some of the very basic rules governing work with relations.
With these, function and equivalence properties may be formulated concisely.
The relational concept of homomorphism is defined, as well as the concept of a
congruence, which is related to the concept of a multi-covering; multi-coverings have
connections with topology, complex analysis, and the equivalence problem
for flow-chart programs. We deal with the relationship between mappings and
equivalence relations. The topics include the so-called substitution property and
the forming of quotients.
Homomorphisms may be used to give universal characterizations of domain
constructions. Starting from sets, further sets may be obtained by construc-
tion, as pair sets (direct product), as variant sets (direct sum), as power sets
(direct power), or as the quotient of a set modulo some equivalence. Another

Cooperation and communication around this research was partly sponsored by the
European Cost Action 274: Tarski (Theory and Applications of Relational Struc-
tures as Knowledge Instruments), which is gratefully acknowledged.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 328–342, 2006.

© Springer-Verlag Berlin Heidelberg 2006
Homomorphism and Isomorphism Theorems 329

construction that is not so easily identified as such is subset extrusion. It serves
to promote a subset of a set, which needs the larger one to exist, to a set in its
own right.
Using the so-called dependent types, quotient set and subset extrusion, we
then formulate the homomorphism and isomorphism theorems and prove them
in a fully algebraic style. The paper ends with hints on coverings with locally
univalent outgoing fans.

2 Homogeneous and Heterogeneous Relation Algebras

A homogeneous relation algebra (R, ∪, ∩, , ;, T ) consists of a set R ≠ ∅,
whose elements are called relations, such that (R, ∪, ∩, ) is a complete, atomic
boolean algebra with zero element , universal element , and ordering ⊆ , that
(R, ; ) is a semigroup with precisely one unit element , and, finally, the Schröder
equivalences Q; R ⊆ S ⇐⇒ QT ; S ⊆ R ⇐⇒ S ; RT ⊆ Q are satisfied.
One may switch to heterogeneous relation algebra, which has been proposed
in, e.g., [2,3]. A heterogeneous relation algebra is a category R consisting of
a set O of objects and sets Mor(A, B) of morphisms, where A, B ∈ O. Composi-
tion is denoted by ; while identities are denoted by A ∈ Mor(A, A). In addition,
there is a totally defined unary operation TA,B : Mor(A, B) −→ Mor(B, A) be-
tween morphism sets. Every set Mor(A, B) carries the structure of a complete,
atomic boolean algebra with operations ∪, ∩, , zero element A,B , universal el-
ement A,B (the latter two non-equal), and inclusion ordering ⊆ . The Schröder
equivalences—where the definedness of one of the three formulae implies that of
the other two—are postulated to hold.
Most of the indices of elements and operations are usually omitted for brevity
and can easily be reinvented. For the purpose of self-containedness, we recall the
following computational rules; see, e.g., [4,5].

2.1 Proposition.
i) ; R = R; = ;
ii) R ⊆ S =⇒ Q; R ⊆ Q; S, R; Q ⊆ S ; Q;
iii) Q; (R ∩ S) ⊆ Q; R ∩ Q; S, (R ∩ S); Q ⊆ R; Q ∩ S ; Q
Q; (R ∪ S) = Q; R ∪ Q; S, (R ∪ S); Q = R; Q ∪ S ; Q
iv) (RT )T = R;
v) (R; S)T = S T ;RT ;
vi) R ⊆ S ⇐⇒ RT ⊆ S T;
vii) $\overline{R}^{T} = \overline{R^{T}}$;

viii) (R ∪ S)T = RT ∪ S T;
(R ∩ S)T = RT ∩ S T;
ix) Q; R ∩ S ⊆ (Q ∩ S ; RT ); (R ∩ QT ; S). (Dedekind rule)

A relation R is called univalent (or a partial function) if RT ; R ⊆ . When
R satisfies ⊆ R ; RT (or equivalently if ⊆ R ; ), then R is said to be
total. If both these requirements are satisfied, i.e., if R resembles a total and
330 G. Schmidt

univalent function, we shall often speak of a mapping. A relation R is called
injective, surjective and bijective, if RT is univalent, total, or both, respectively.
Furthermore
R ⊆ Q, Q univalent, R; ⊇ Q; =⇒ R = Q (*)
The following basic properties are mainly recalled from [4,5].

2.2 Proposition (Row and column masks). The following formulae hold for
arbitrary relations P : V −→ W, Q : U −→ V, R : U −→ W, S : V −→ W ,
provided the constructs are defined.
i) (Q ∩ R; W V ); S = Q; S ∩ R; W W ;
ii) (Q ∩ (P ; W U )T ); S = Q; (S ∩ P ; W W ).

We now recall a rule which is useful for calculations involving equivalence rela-
tions; it deals with the effect of composition with an equivalence relation with
regard to intersection. For a proof see [4,5].

2.3 Proposition. Let Θ be an equivalence and let A, B be arbitrary relations.
(A; Θ ∩ B); Θ = A; Θ ∩ B ; Θ = (A ∩ B ; Θ); Θ

It is sometimes useful to consider a vector, which is what has on other occasions
been called a right ideal element. It is characterized by U = U ; and thus
corresponds to a subset or a predicate. One may, however, also use a partial
diagonal to characterize a subset. There is a one-to-one correspondence between
the two concepts. Of course, p ⊆ =⇒ p2 = pT = p. The symmetric
quotient has been applied in various applications:
$\mathrm{syq}(A, B) := \overline{A^{T}; \overline{B}} \cap \overline{\overline{A}^{T}; B}$

3 Homomorphisms

We recall the concept of homomorphism for relational structures with Fig. 3.1.
Structure and mappings shall commute, however, not as an equality but just as
containment.
Fig. 3.1. Relational homomorphism (diagram of R, S and the mapping Ψ; not reproduced)

3.1 Definition. Given two relations R, S, we call the pair (Φ, Ψ ) of relations a
homomorphism from R to S, if Φ, Ψ are mappings satisfying
R; Ψ ⊆ Φ; S.

The homomorphism condition has four variants
R; Ψ ⊆ Φ; S ⇐⇒ R ⊆ Φ; S ; ΨT ⇐⇒ ΦT ; R ⊆ S ; ΨT ⇐⇒ ΦT ; R; Ψ ⊆ S
which may be used interchangeably. This is easily recognized applying the map-
ping properties
ΦT ; Φ ⊆ , ⊆ Φ; ΦT , Ψ T ; Ψ ⊆ , ⊆ Ψ ;Ψ T
As usual, also isomorphisms are introduced.

3.2 Definition. We call (Φ, Ψ ) an isomorphism between the two relations
R, S, if it is a homomorphism from R to S and if (ΦT , ΨT ) is a homomorphism
from S to R.

The following lemma will sometimes help in identifying an isomorphism.

3.3 Lemma. Let relations R, S be given together with a homomorphism (Φ, Ψ )
from R to S such that
Φ, Ψ are bijective mappings and R; Ψ = Φ; S.
Then (Φ, Ψ ) is an isomorphism.

Proof . S ; Ψ T = ΦT ; Φ; S ; Ψ T = ΦT ; R; Ψ ; Ψ T = ΦT ; R.

4 Universal Characterizations
Given a mathematical structure, one is immediately interested in homomor-
phisms, substructures, and congruences. When handling these, there is a char-
acteristic difference between algebraic and relational structures.
Algebraic structures are defined by composition laws such as a binary mul-
tiplication mult: A × A −→ A or the unary operation of forming the inverse
inv: A −→ A. These operations can, of course, be interpreted as relations. The
first example furnishes a “ternary” relation Rmult : (A × A) −→ A, the second,
a binary relation Rinv : A −→ A, and both are univalent and total.
Relational structures are also defined by certain relations, but these need no
longer be univalent or total. Purely relational structures are orders, strictorders,
equivalences, and graphs. Typically, however, mixed structures with both, alge-
braic and relational, features occur, such as ordered fields, for example.

4.1 Standard Domain Constructions


The direct product resembling the pair set construction is given via two generic
relations π, ρ, the left and the right projection, satisfying
π T ; π = , ρT ; ρ = , π ; π T ∩ ρ ; ρT = , π T ; ρ =
Whenever a second pair π1 , ρ1 of relations with these properties should be pre-
sented, one may construct the isomorphism Φ := π; π1T ∩ ρ; ρT1 , thus showing that
the direct product is defined uniquely up to isomorphism.

The direct sum resembling variant set forming (disjoint union) is given via
two generic relations ι, κ, the left and the right injection, satisfying
ι; ιT = , κ ; κT = , ιT ; ι ∪ κT ; κ = , ι ; κT =
Whenever a second pair ι1 , κ1 of relations with these properties should be pre-
sented, one may construct the isomorphism Φ := ιT;ι1 ∪ κT;κ1 , thus showing that
the direct sum is defined uniquely up to isomorphism.
The direct power resembling powerset construction is given via a generic re-
lation ε, the membership relation, satisfying
syq (ε, ε) ⊆ and that syq (ε, X) is surjective for every relation X
Should a second membership relation ε1 with these properties be presented, one
may construct the isomorphism Φ := syq (ε, ε1 ), thus showing that the direct
power is defined uniquely up to isomorphism. These constructions are by now
standard; proofs may be found in [4,5].

4.2 Quotient Forming and Subset Extrusion

In addition to these, other domain constructions are possible which are usually
not handled as such. Although relatively simple, they need a bit of care. Known
as dependent types they do not just start with a domain or two, but with an
additional construct, namely an equivalence or a subset.

4.1 Proposition (Quotient set ). Given an equivalence Ξ on the set V , one
may generically define the quotient set VΞ together with the natural projection
η : V −→ VΞ postulating both to satisfy
Ξ = η ; ηT , ηT ; η = VΞ .
The natural projection η is uniquely determined up to isomorphism: should a
second natural projection η1 be presented, the isomorphism is ( , η T ; η1 ).
Proof. Assume two such projections $V_\Xi \xleftarrow{\eta} V \xrightarrow{\eta_1} W_\Xi$, for which therefore
Ξ = η1 ; η1T , η1T ; η1 = WΞ .

Looking at this setting, the only way to relate VΞ with WΞ is to define Φ := η T;η1
and proceed showing
ΦT ; Φ = (η1T ; η); (η T ; η1 ) by definition of Φ
= η1T ; (η ; η T ); η1 associative
= η1T ; Ξ ; η1 as Ξ = η ; η T
= η1T ; (η1 ; η1T ); η1 as Ξ = η1 ; η1T
= (η1T ; η1 ); (η1T ; η1 ) associative
= WΞ ; WΞ since η1T ; η1 = WΞ
= WΞ since WΞ ; WΞ = WΞ

Φ ; ΦT = VΞ is shown analogously. Furthermore, ( , Φ) satisfies the property of
an isomorphism between η and η1 following Lemma 3.3:
η ; Φ = η ; η T ; η1 = Ξ ; η1 = η1 ; η1T ; η1 = η1 ; WΞ = η1

Not least when working on a computer, one is interested in such quotients as the
quotient set is usually smaller and may be handled more efficiently. The same
reason leads us to consider subset extrusion in a very formal way.
A subset is assumed to exist relative to some other set, so that it is not a
first-class citizen in our realm of domains. With a bit of formalism, however, a
subset can be converted so as to have it as a set in its own right, a
process which one might call subset extrusion.

4.2 Proposition (Extruded subset ). Given a subset U of some set V , one may
generically define the extruded set DU together with the natural injection χ :
DU −→ V postulating both to satisfy
χ; χT = DU , χT ; χ = V ∩ U ; V,V .
The natural injection χ is uniquely determined up to isomorphism: should a
second natural injection χ1 be presented, the isomorphism is (χ; χT1 , ).
Proof. We have $D_U \xrightarrow{\chi} V \xleftarrow{\chi_1} D$ with the corresponding properties:
χ1 ; χT1 ⊆ D , χT1 ; χ1 = V ∩ U ; V,V
and show
ΦT ; Φ = χ1 ; χT ; χ; χT1 = χ1 ; ( V ∩ U ; ); χT1 = χ1 ; χT1 ; χ1 ; χT1 = D ; D = D
and analogously also Φ ; ΦT = DU . Furthermore, (Φ, ) satisfies the property of
an isomorphism between χ and χ1 using Lemma 3.3:
χ; V = χ = DU ; χ = χ; χT ; χ = χ; ( V ∩ U ; ) = χ; χT1 ; χ1 = Φ; χ1

A point to mention is that subset extrusion allows one to switch from a set-theoretic
consideration to an algebraic one. When using a computer and a formula ma-
nipulation system or a theorem prover, this means a considerable restriction in
expressivity which is repaid with much better efficiency.
An important application of extrusion is the concept of tabulation introduced
by Roger Maddux. It now turns out to be a composite construction; see [6,7],
e.g. An arbitrary relation R : X −→ Y is said to be tabulated by relations (due
to the following characterization, they turn out to be mappings) P, Q if
P T; Q = R, P T; P = X ∩ R; Y X , QT; Q = Y ∩ RT; XY , P ; P T ∩ Q;QT = X×Y
This may indeed be composed of extruding with χ : DU −→ X × Y the subset
of related pairs out of a direct product
U := (π ; R ∩ ρ); Y,X×Y = (π ; R ∩ ρ); Y X ; π T = (π ; R; ρT ∩ ); ρ; Y X ; π T
= (π ; R; ρT ∩ ); X×Y,X×Y = (ρ; RT ; π T ∩ ); X×Y,X×Y
= (ρ; RT ; π T ∩ ); π ; XY ; ρT = (ρ; RT ∩ π); XY ; ρT = (ρ; RT ∩ π); X,X×Y
and defining P := χ; π and Q := χ; ρ. This is proved quite easily as follows.
P T ; Q = π T ; χT ; χ; ρ = π T ; (π ; R; ρT ∩ ); ρ
= π T ; (π ; R ∩ ρ)
= R ∩ πT ; ρ
=R∩ =R
PT ; P = πT ; χT ; χ; π = πT ; ( ∩ (π ; R ∩ ρ); ρT ; π ; πT ); π

= π T ; (π ∩ (π ; R ∩ ρ); ρT ; π)
= ∩ π T ; (π ; R ∩ ρ); ρT ; π
= ∩ (R ∩ π T ; ρ); ρT ; π = ∩ R; Y X
QT ; Q is handled analogously
P ; P T ∩ Q; QT = χ; π ; π T ; χT ∩ χ; ρ; ρT ; χT = χ; (π ; π T ∩ ρ; ρT ); χT = χ; ; χT =

5 Congruences and Multi-coverings


Whenever equivalences behave well with regard to some other structure, we are
accustomed to call them congruences. This is well-known for algebraic structures,
i.e., those defined by mappings on some set. We define it correspondingly for
the non-algebraic case, including heterogeneous relations; i.e., possibly neither
univalent nor total. While the basic idea is known from many application fields,
the following general concepts may be a novel abstraction.

5.1 Definition. Let B be a relation and Ξ, Θ equivalences. The pair (Ξ, Θ) is
called a B-congruence if Ξ ; B ⊆ B ; Θ.

If B were an operation on a given set and we had Ξ = Θ, we would say that B
“has the substitution property with regard to Ξ”. The concept of congruence is
related to the concept of a multi-covering.

5.2 Definition. A homomorphism (Φ, Ψ ) from B to B′ is called a multi-
covering, provided the functions are surjective and satisfy Φ ; B′ ⊆ B ; Ψ in
addition to being a homomorphism.

The relationship between congruences and multi-coverings is close and seems not
to have been pointed out yet.

5.3 Theorem.
i) If (Φ, Ψ ) is a multi-covering from B to B′, then (Ξ, Θ) := (Φ; ΦT , Ψ ; ΨT ) is a
B-congruence.
ii) If the pair (Ξ, Θ) is a B-congruence, then there exists up to isomorphism at
most one multi-covering (Φ, Ψ ) satisfying Ξ = Φ; ΦT and Θ = Ψ ; Ψ T .

Proof. i) Ξ is certainly reflexive and transitive, as Φ is total and univalent. In
the same way, Θ is reflexive and transitive. The relation Ξ = Φ; ΦT is symmetric
by construction and so is Θ. Now we prove
Ξ ; B = Φ; ΦT ; B ⊆ Φ; B′ ; ΨT ⊆ B ; Ψ ; ΨT = B ; Θ
applying one after the other the definition of Ξ, one of the four homomorphism
definitions, the multi-covering condition, and the definition of Θ.
ii) Let (Φi , Ψi ) be a multi-covering from B to Bi , i = 1, 2. Then
Bi ⊆ ΦTi ; Φi ; Bi ⊆ ΦTi ; B ; Ψi ⊆ Bi , and therefore everywhere “=”,

applying surjectivity, the multi-covering property and one of the homomorphism
conditions. Now we indicate how to prove that (ξ, ϑ) := (ΦT1 ; Φ2 , Ψ1T ; Ψ2 ) is a
homomorphism from B1 onto B2, which is then of course also an isomorphism.
ξ T ; ξ = ΦT2 ; Φ1 ; ΦT1 ; Φ2 = ΦT2 ; Ξ ; Φ2 = ΦT2 ; Φ2 ; ΦT2 ; Φ2 = ; =
B1 ; ϑ = ΦT1 ; B ; Ψ1 ; Ψ1T ; Ψ2 = ΦT1 ; B ; Θ ; Ψ2 = ΦT1 ; B ; Ψ2 ; Ψ2T ; Ψ2
⊆ ΦT1 ; Φ2 ; B2 ; = ξ ; B2
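A constructed finite-relation check of the notions used in Section 3 (the four forms of the homomorphism condition) and in Theorem 5.3 i), added here and not part of the paper: relations are stored as typed sets of pairs, and the script verifies that a multi-covering induces a B-congruence while a mere homomorphism need not. All sets, element names and the relations PHI, PSI, B1, B and B_WEAK are constructed sample data.

```python
"""Constructed finite model of heterogeneous relations (added example, not the paper's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rel:
    """A heterogeneous relation R : src -> tgt, stored as its set of pairs."""
    src: frozenset
    tgt: frozenset
    pairs: frozenset

    @staticmethod
    def of(src, tgt, pairs):
        src, tgt, pairs = frozenset(src), frozenset(tgt), frozenset(pairs)
        assert all(a in src and b in tgt for a, b in pairs), "pair outside src x tgt"
        return Rel(src, tgt, pairs)

    def compose(self, other):                       # R ; S, defined only when types fit
        assert self.tgt == other.src, "R;S undefined: target of R is not source of S"
        return Rel(self.src, other.tgt, frozenset(
            (a, c) for a, b in self.pairs for b2, c in other.pairs if b == b2))

    def transpose(self):                            # R^T
        return Rel(self.tgt, self.src, frozenset((b, a) for a, b in self.pairs))

    def leq(self, other):                           # R ⊆ S, same type only
        assert (self.src, self.tgt) == (other.src, other.tgt), "incomparable types"
        return self.pairs <= other.pairs


def identity(xs):
    xs = frozenset(xs)
    return Rel(xs, xs, frozenset((x, x) for x in xs))


# Function properties of Section 2: univalent R^T;R ⊆ I, total I ⊆ R;R^T.
def is_univalent(r): return r.transpose().compose(r).leq(identity(r.tgt))
def is_total(r): return identity(r.src).leq(r.compose(r.transpose()))
def is_mapping(r): return is_univalent(r) and is_total(r)
def is_surjective(r): return is_total(r.transpose())


def is_equivalence(e):
    """Reflexive, symmetric and transitive homogeneous relation."""
    return (e.src == e.tgt and identity(e.src).leq(e)
            and e.transpose().leq(e) and e.compose(e).leq(e))


def homomorphism_variants(r, s, phi, psi):
    """The four interchangeable forms of R;Psi ⊆ Phi;S (Section 3)."""
    phi_t, psi_t = phi.transpose(), psi.transpose()
    return (
        r.compose(psi).leq(phi.compose(s)),
        r.leq(phi.compose(s).compose(psi_t)),
        phi_t.compose(r).leq(s.compose(psi_t)),
        phi_t.compose(r).compose(psi).leq(s),
    )


def is_homomorphism(r, s, phi, psi):             # Definition 3.1
    return is_mapping(phi) and is_mapping(psi) and homomorphism_variants(r, s, phi, psi)[0]


def is_multicovering(r, s, phi, psi):            # Definition 5.2
    return (is_homomorphism(r, s, phi, psi) and is_surjective(phi)
            and is_surjective(psi) and phi.compose(s).leq(r.compose(psi)))


def is_congruence(xi, theta, b):                 # Definition 5.1: Xi;B ⊆ B;Theta
    return is_equivalence(xi) and is_equivalence(theta) and xi.compose(b).leq(b.compose(theta))


def induced_congruence(phi, psi):                # Theorem 5.3 i): (Phi;Phi^T, Psi;Psi^T)
    return phi.compose(phi.transpose()), psi.compose(psi.transpose())


# Constructed sample: surjective mappings PHI : X -> X1, PSI : Y -> Y1, a relation
# B1 : X1 -> Y1, and B := PHI ; B1 ; PSI^T, which makes (PHI, PSI) a multi-covering.
X, X1, Y, Y1 = {0, 1, 2, 3}, {"a", "b"}, {0, 1, 2}, {"p", "q"}
PHI = Rel.of(X, X1, {(0, "a"), (1, "a"), (2, "b"), (3, "b")})
PSI = Rel.of(Y, Y1, {(0, "p"), (1, "q"), (2, "q")})
B1 = Rel.of(X1, Y1, {("a", "p"), ("b", "p"), ("b", "q")})
B = PHI.compose(B1).compose(PSI.transpose())
# Dropping the pairs (2,1), (2,2) keeps B_WEAK;PSI ⊆ PHI;B1 (still a homomorphism) but
# breaks PHI;B1 ⊆ B_WEAK;PSI, and the induced pair then fails to be a congruence.
B_WEAK = Rel.of(X, Y, B.pairs - {(2, 1), (2, 2)})


def check_theorem_5_3_i(r, s, phi, psi):
    """Return (is (phi, psi) a multi-covering?, is the induced pair an r-congruence?)."""
    xi, theta = induced_congruence(phi, psi)
    return is_multicovering(r, s, phi, psi), is_congruence(xi, theta, r)


if __name__ == "__main__":
    print("variants:", homomorphism_variants(B, B1, PHI, PSI))
    print("B:", check_theorem_5_3_i(B, B1, PHI, PSI))            # (True, True)
    print("B_WEAK:", check_theorem_5_3_i(B_WEAK, B1, PHI, PSI))  # (False, False)
```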

The multi-covering (Φ, Ψ ) for some given congruences Ξ, Θ need not exist in
the given relation algebra. It may, however, be constructed by setting Φ, Ψ to
be the quotient mappings according to the two equivalences Ξ, Θ together with
R := ΦT ; R; Ψ .
A multi-covering between relational structures most closely resembles a homo-
morphism on algebraic structures:
5.4 Proposition. A homomorphism between algebraic structures is necessarily
a multi-covering.

Proof. Assume two mappings B, B′ and the homomorphism (Ψ, Φ) from B to
B′, so that B ; Ψ ⊆ Φ ; B′. The relation Φ ; B′ is univalent, since Φ and B′ are
mappings. The domains B; Ψ ; = = Φ; B′ ; of B; Ψ and Φ; B′ coincide, because
all the relations are mappings and, therefore, are total. So we may use (*) and
obtain B ; Ψ = Φ; B′.

6 Homomorphism and Isomorphism Theorems

Now we study the homomorphism and isomorphism theorems (see [1], e.g.) tra-
ditionally offered in a course on group theory or on universal algebra from the
relational point of view. In the courses mentioned, R, S are often n-ary mappings
such as addition and multiplication. In Fig. 6.1, we are more general allowing
them to be relations, i.e., not necessarily mappings. The algebraic laws they
satisfy in the algebra are completely irrelevant.

Fig. 6.1. Basic situation of the homomorphism theorem (diagram with R, S, ϕ1, ϕ2, Θ1, Θ2, Ξ1, Ξ2; not reproduced)

6.1 Proposition (Homomorphism Theorem). Let a relation R be given with
an R-congruence (Θ2 , Θ1 ) as well as a relation S together with an S-congruence
(Ξ2 , Ξ1 ). Assume a multi-covering (ϕ2 , ϕ1 ) from R to S such that at the same
time we have Θi = ϕi ; Ξi ; ϕTi for i = 1, 2; see Fig. 6.1. Introducing the natural

projections ηi for Θi as well as δi for Ξi , one has that ψi := ηiT ; ϕi ; δi , i = 1, 2,
establish an isomorphism from R′ := η2T ; R; η1 to S′ := δ2T ; S ; δ1 .
Proof . The equivalences (Θ2 , Θ1 ) satisfy Θ2 ; R ⊆ R; Θ1 while (Ξ2 , Ξ1 ) satisfy
Ξ2 ; S ⊆ S ; Ξ1 . Furthermore, we have that (ϕ2 , ϕ1 ) are surjective mappings
satisfying R;ϕ1 ⊆ ϕ2;S for homomorphism and R;ϕ1 ⊇ ϕ2;S for multi-covering.

Fig. 6.2. Natural projections added to Fig. 6.1 (diagram with R, S, R′, S′, ϕi, ηi, δi, ψi, Θi, Ξi; not reproduced)

The ψi are bijective mappings, which we prove omitting indices:
ψT ; ψ = (ηT ; ϕ; δ)T ; ηT ; ϕ; δ by definition
= δ T ; ϕT ; η ; η T ; ϕ; δ executing transposition
= δ T ; ϕT ; Θ ; ϕ; δ natural projection η
= δ T ; ϕT ; ϕ; Ξ ; δ multi-covering
= δT ; Ξ ; δ as ϕ is surjective and univalent
= δT ; δ ; δT ; δ = ; = natural projection δ
and
ψ ; ψ T = η T ; ϕ; δ ; (η T ; ϕ; δ)T by definition
= η T ; ϕ; δ ; δ T ; ϕT ; η transposing
= η T ; ϕ; Ξ ; ϕT ; η natural projection δ
= ηT ; Θ; η property of ϕ wrt. Θ, Ξ
= ηT ; η ; ηT ; η = ; = natural projection η
Proof of the isomorphism property:
R′ ; ψ1 = η2T ; R; η1 ; η1T ; ϕ1 ; δ1 by definition
= η2T ; R; Θ1 ; ϕ1 ; δ1 natural projection η1
= η2T ; R; ϕ1 ; Ξ1 ; ϕT1 ; ϕ1 ; δ1 property of ϕ wrt. Θ, Ξ
= η2T ; R; ϕ1 ; Ξ1 ; δ1 as ϕ1 is surjective and univalent
= η2T ; ϕ2 ; S ; Ξ1 ; δ1 multi-covering
= η2T ; ϕ2 ; Ξ2 ; S ; Ξ1 ; δ1 S ; Ξ1 ⊆ Ξ2 ; S ; Ξ1 ⊆ S ; Ξ1 ; Ξ1 = S ; Ξ1
= η2T ; ϕ2 ; δ2 ; δ2T ; S ; δ1 ; δ1T ; δ1 natural projections
= η2T ; ϕ2 ; δ2 ; S′ ; δ1T ; δ1 definition of S′
= η2T ; ϕ2 ; δ2 ; S′ as δ1 is surjective and univalent
= ψ2 ; S′ definition of ψ2
According to Lemma 3.3, this suffices for an isomorphism.

One should bear in mind that this proposition was in several respects slightly
more general than the classical homomorphism theorem: R, S need not be map-
pings, nor need they be homogeneous relations, Ξ was not confined to be the
identity congruence, and not least does relation algebra admit non-standard
models.

6.2 Proposition (First Isomorphism Theorem). Let a homogeneous relation
R on X be given together with an equivalence Ξ and a non-empty subset U . Assume
that U is contracted by R and that Ξ is an R-congruence:
RT ; U ⊆ U and Ξ ; R ⊆ R; Ξ.
Now extrude both, U and its Ξ-saturation Ξ;U so as to obtain natural injections
ι : Y −→ X and λ : Z −→ X,
universally characterized by (see Fig. 6.3)
ιT ; ι = X ∩ U ; , ι; ιT = Y ,
λT ; λ = X ∩ Ξ ; U ; , λ; λT = Z .

On Y and Z, we consider the derived equivalences ΞY := ι;Ξ;ιT and ΞZ := λ;Ξ;λT
and in addition their natural projections η : Y −→ YΞ and δ : Z −→ ZΞ . In a
standard way, restrictions of R may be defined, namely
S := η T ; ι; R; ιT ; η and T := δ T ; λ; R; λT ; δ.
In this setting, ϕ := δ T ; λ; ιT ; η gives an isomorphism (ϕ, ϕ) between S and T .

Fig. 6.3. Situation of the First Isomorphism Theorem (diagram with X, Y, Z, R, Ξ, ι, λ, ΞY, ΞZ, η, δ, S, ϕ, T; not reproduced)

Proof. We prove several results in advance, namely
Ξ ; ιT ; ι; Ξ = Ξ ; λT ; λ; Ξ, (1)
proved using rules for composition of equivalences:
Ξ ; ιT ; ι; Ξ = Ξ ; ( ∩ U ; ); Ξ definition of natural injection ι
= Ξ ; Ξ ; ( ∩ U ; ; Ξ); Ξ ; Ξ Ξ surjective and an equivalence
= Ξ ; ( ∩ Ξ ; U ; ); Ξ several applications of Prop. 2.3
= Ξ ; λT ; λ; Ξ definition of natural injection λ
In a similar way follow
ι; λT ; λ = ι ι; R; ιT ; ι = ι; R (2)

The left identity is proved with
ι; λT ; λ = ι; ιT ; ι; λT ; λ ι is injective and total
= ι; ( ∩ U ; ); ( ∩ Ξ ; U ; ) definition of natural injections
= ι; ( ∩ U ; ∩ Ξ ; U ; ) intersecting partial identities
= ι; ( ∩ U ; ) = ι; ιT = ι
The contraction condition RT;U ⊆ U and Ξ;R ⊆ R;Ξ allows one to prove the right
one, for which “ ⊆ ” is obvious. For “ ⊇ ”, we apply ι; ιT = after having shown
ιT ; ι; R = ( ∩ U ; ); R = U ; ; ∩ R according to Prop. 2.2
⊆ (U ; ∩ R; T ); ( ∩ (U ; )T ; R) Dedekind
⊆ (R ∩ U ; ); ( ∩ ; U T ) since RT ; U ⊆ U
= (R ∩ U ; ); ( ∩ U ; ) as Q ⊆ implies Q = QT
= ( ∩ U ; ); R ; ( ∩ U ; ) according to Prop. 2.2 again
= ιT ; ι; R; ιT ; ι definition of natural injection
With RT ; Ξ ; U ⊆ Ξ ; RT ; U ⊆ Ξ ; U , we get in a completely similar way
λ; R; λT ; λ = λ; R (3)
We show that ϕ is univalent and surjective:
ϕT ; ϕ = η T ; ι; λT ; δ ; δ T ; λ; ιT ; η by definition
= η T ; ι; λT ; ΞZ ; λ; ιT ; η natural projection
= η T ; ι; λT ; λ; Ξ ; λT ; λ; ιT ; η definition of ΞZ
= η T ; ι; Ξ ; ιT ; η as proved initially
= η T ; ΞY ; η definition of ΞY
= ηT ; η ; ηT ; η = ; = natural projection
To show that ϕ is injective and total, we start
δ ; ϕ; ϕT ; δ T = δ ; δ T ; λ; ιT ; η ; η T ; ι; λT ; δ ; δ T by definition
= ΞZ ; λ; ιT ; ΞY ; ι; λT ; ΞZ natural projections
= λ; Ξ ; λT ; λ; ιT ; ι; Ξ ; ιT ; ι; λT ; λ; Ξ ; λT by definition of ΞY , ΞZ
= λ; Ξ ; ιT ; ι; Ξ ; ιT ; ι; Ξ ; λT as ι; λT ; λ = ι
= λ; Ξ ; λT ; λ; Ξ ; λT ; λ; Ξ ; λT see above
= ΞZ ; ΞZ ; ΞZ = ΞZ by definition of ΞZ
so that we may go on with
ϕ; ϕT = δ T ; δ ; ϕ; ϕT ; δ T ; δ as δ is univalent and surjective
= δ T ; ΞZ ; δ as before
= δT ; δ ; δT ; δ = ; = natural projection
The interplay of subset forming and equivalence classes is visualized in Fig. 6.4.

Fig. 6.4. Visualization of the First Isomorphism Theorem (diagram with ι, λ, η, δ; not reproduced)



It turns out that ΞY is an RY -congruence for RY := ι; R; ιT :
ΞY ; RY = ι; Ξ ; ιT ; ι; R; ιT by definition
⊆ ι; Ξ ; R; ιT ι is univalent
⊆ ι; R; Ξ ; ιT congruence
⊆ ι; R; ιT ; ι; Ξ ; ιT (2)
⊆ RY ; ΞY definition of RY , ΞY
The construct α := ι; Ξ ; λT ; δ is a surjective mapping:
αT ; α = δ T ; λ; Ξ ; ιT ; ι; Ξ ; λT ; δ by the definition just given
= δ T ; λ; Ξ ; λT ; λ; Ξ ; λT ; δ (1)
= δ T ; ΞZ ; ΞZ ; δ definition of ΞZ
= δ T ; ΞZ ; δ ΞZ is indeed an equivalence
= δT ; δ ; δT ; δ = ; = δ is natural projection for ΞZ
α ; αT = ι; Ξ ; λT ; δ ; δT ; λ; Ξ ; ιT by definition
= ι; Ξ ; λT ; ΞZ ; λ; Ξ ; ιT δ is natural projection for ΞZ
= ι; Ξ ; λT ; λ; Ξ ; λT ; λ; Ξ ; ιT definition of ΞZ
= ι; Ξ ; ιT ; ι; Ξ ; ιT ; ι; Ξ ; ιT (1)
= ΞY ; ΞY ; ΞY = ΞY ⊇ definition of equivalence ΞY
With α, we may express S, T in a shorter way:
αT ; RY ; α = δ T ; λ; Ξ ; ιT ; RY ; ι; Ξ ; λT ; δ definition of α
= δ T ; λ; Ξ ; ιT; ι; R; ιT; ι; Ξ ; λT; δ definition of RY
= δ T ; λ; Ξ ; ιT ; ι; R; Ξ ; λT ; δ (2)
= δ T ; λ; Ξ ; ιT ; ι; Ξ ; R; Ξ ; λT ; δ Ξ ; R; Ξ ⊆ R; Ξ ; Ξ = R; Ξ ⊆ Ξ ; R; Ξ
= δ T ; λ; Ξ ; λT; λ; Ξ ; R; Ξ ; λT; δ (1)
= δ T ; ΞZ ; λ; R; Ξ ; λT ; δ as before, definition of ΞZ
= δ T ; ΞZ ; λ; R; λT ; λ; Ξ ; λT ; δ (3)
= δ T ; ΞZ ; λ; R; λT ; ΞZ ; δ definition of ΞZ
= δ T ; δ ; δ T ; λ; R; λT ; δ ; δ T ; δ δ is natural projection for ΞZ
= δ T ; λ; R; λT ; δ = T δ is a surjective mapping
η T ; RY ; η = η T ; ι; R; ιT ; η definition of RY
= S definition of S
Relations α and ϕ are closely related:
α; ϕ = ι; Ξ ; λT ; δ ; δ T ; λ; ιT ; η definition of α, ϕ
= ι; Ξ ; λT ; ΞZ ; λ; ιT ; η δ is natural projection for ΞZ
= ι; Ξ ; λT ; λ; Ξ ; λT ; λ; ιT ; η definition of ΞZ
= ι; Ξ ; λT ; λ; Ξ ; ιT ; η (2)
= ι; Ξ ; ιT ; ι; Ξ ; ιT ; η (1)
= ΞY ; ΞY ; η definition of ΞY
= η ; ηT ; η ; ηT ; η = η η is natural projection for ΞY
αT ; η = αT ; α; ϕ see before
=ϕ α is univalent and surjective
This enables us already to prove the homomorphism condition:
T ; ϕ = αT ; RY ; α; αT ; η above results on T, ϕ
= αT ; RY ; ΞY ; η α; αT = ΞY , see above
= αT ; ΞY ; RY ; ΞY ; η ΞY is an RY -congruence
340 G. Schmidt

= αT ; η ; η T ; RY ; η ; η T ; η η is natural projection for ΞY


= ϕ; η T ; RY ; η η is univalent and surjective
= ϕ; S see above
This was an equality, so that it suffices according to Lemma 3.3.

It will have become clear that these proofs rely completely on generic constructions and their algebraic laws. When elaborated they seem lengthy. With a supporting system, however, they reduce considerably to a sequence of rules to be applied.

[Diagram: R : X → Y and S : U → V with the multi-covering (ϕ, ψ), the congruences (ΞX, ΞY) and (ΘU, ΘV), their natural projections ηX, ηY, δU, δV, and the induced relations R', S' with α, β]
Fig. 6.5. Situation of the Second Isomorphism Theorem

6.3 Proposition (Second Isomorphism Theorem). Let a multi-covering (ϕ, ψ) between any two relations R : X −→ Y and S : U −→ V be given as well as an R-congruence (ΞX , ΞY ) and an S-congruence (ΘU , ΘV ). Let also the equivalences be related through ϕ, ψ as ΞY = ψ ; ΘV ; ψ^T and ΞX = ϕ ; ΘU ; ϕ^T. Given this situation, introduce the natural projections ηX , ηY , δU , δV for the equivalences and proceed to relations R' := ηX^T ; R ; ηY and S' := δU^T ; S ; δV. Then α := ηX^T ; ϕ ; δU and β := ηY^T ; ψ ; δV constitute an isomorphism from R' to S' (see Fig. 6.5).

Proof. α is univalent and surjective (β follows completely analogously):
α^T ; α = (ηX^T ; ϕ ; δU)^T ; ηX^T ; ϕ ; δU by definition
= δU^T ; ϕ^T ; ηX ; ηX^T ; ϕ ; δU transposing
= δU^T ; ϕ^T ; ΞX ; ϕ ; δU natural projection
= δU^T ; ϕ^T ; ϕ ; ΘU ; ϕ^T ; ϕ ; δU cond. on mapping equivalences
= δU^T ; ΘU ; δU as ϕ is a surjective mapping
= δU^T ; δU ; δU^T ; δU natural projection
= ; =
We show that α is total and injective (β follows completely analogously):
α ; α^T = ηX^T ; ϕ ; δU ; (ηX^T ; ϕ ; δU)^T by definition
= ηX^T ; ϕ ; δU ; δU^T ; ϕ^T ; ηX transposing
= ηX^T ; ϕ ; ΘU ; ϕ^T ; ηX natural projection
= ηX^T ; ΞX ; ηX cond. on mapping equivalences
= ηX^T ; ηX ; ηX^T ; ηX natural projection
= ; =

We show that α, β is a homomorphism:
R' ; β = ηX^T ; R ; ηY ; ηY^T ; ψ ; δV by definition
= ηX^T ; R ; ΞY ; ψ ; δV natural projection
= ηX^T ; R ; ψ ; ΘV ; ψ^T ; ψ ; δV cond. on mapping equivalences
= ηX^T ; R ; ψ ; ΘV ; δV as ψ is surjective and univalent
= ηX^T ; ϕ ; S ; ΘV ; δV multi-covering
= ηX^T ; ϕ ; ΘU ; S ; ΘV ; δV S ; ΘV ⊆ ΘU ; S ; ΘV ⊆ S ; ΘV ; ΘV = S ; ΘV
= ηX^T ; ϕ ; ΘU ; S ; δV ; δV^T ; δV natural projection
= ηX^T ; ϕ ; ΘU ; S ; δV as δV is a surjective mapping
= ηX^T ; ϕ ; δU ; δU^T ; S ; δV natural projection
= α ; S' by definition
This was an equality, so that it suffices according to Lemma 3.3.

7 Covering of Graphs and Path Equivalence


There is another point to mention here which has gained considerable interest
in an algebraic or topological context, not least for Riemann surfaces.

7.1 Proposition (Lifting property). Let a homogeneous relation B be given together with a multi-covering (Φ, Φ) on the relation B'. Let furthermore some rooted graph B0 with root a0, i.e., satisfying and B0^{T*} ; a0 = , be given together with a homomorphism Φ0 that sends the root a0 to a' := Φ0^T ; a0. If a ⊆ Φ^T ; a' is some point mapped by Φ to a', there exists always a relation Ψ — not necessarily a mapping — satisfying the properties
Ψ^T ; a0 = a and B0 ; Ψ ⊆ Ψ ; B.

Idea of proof: Define Ψ := inf{X | a0 ; aT ∪ (B0T ; X ; B ∩ Φ0 ; ΦT ) ⊆ X}.

The relation Ψ enjoys the homomorphism property but fails to be a mapping in general. In order to make it a mapping, one will choose one of the following two possibilities:
– Firstly, one might follow the recursive definition starting from a0 and at
every stage make an arbitrary choice among the relational images offered,
thus choosing a fiber.
– Secondly, one may further restrict the multi-covering condition to “locally
univalent” fans in Φ, requiring B0T ; Ψ ; B ∩ Φ0 ; ΦT ⊆ to hold for it, which
leads to a well-developed theory, see [2,3,8].
In both cases, one will find a homomorphism from B0 to B. The effect of a flow
chart diagram is particularly easy to understand when the underlying rooted
graph is also a rooted tree, so that the view is not blocked by nested circuits
which can be traveled several times. When dealing with a rooted graph that
does contain such circuits one has to keep track of the possibly infinite number
of ways in which the graph can be traversed from its root. To this end there
exists a theory of coverings which is based on the notion of homomorphy.
The idea is to unfold circuits. We want to characterize those homomorphisms of a graph that preserve to a certain extent the possibilities of traversal. We shall see that such a homomorphism is surjective and that it carries the successor relation at any point onto that at the image point.

7.2 Definition. A surjective homomorphism Φ : G −→ G' is called a covering, provided that it is a multi-covering satisfying B^T ; B ∩ Φ ; Φ^T ⊆ .

The multi-covering Φ compares two relations between the points of G and of G' and ensures that for any inverse image point x of some point x' and successor y' of x' there is at least one successor y of x which is mapped onto y'. The new condition guarantees that there is at most one such y, since it requires that the relation “have a common predecessor according to B, and have a common image under Φ” is contained in the identity.

8 Concluding Remark
We have reworked mathematical basics from a relational perspective. First the step from an algebraic to a relational structure has been made. This is so serious a generalization that one would not expect much of the idea of homomorphism and isomorphism theorems to survive. With the concept of a multi-covering, however, a new and adequate concept seems to have been found. Prop. 5.4 shows that it reduces completely to homomorphisms when going back to the algebraic case. For relational structures, a multi-covering behaves nicely with respect to quotient forming. This relates to earlier papers (see [2,3,8]) where the semantics of programs (partial correctness, total correctness, and flow equivalence, even for systems of recursive procedures) was first given a component-free relational form.

References
1. Grätzer, G.: Universal Algebra, 2nd edn. Springer-Verlag (1978)
2. Schmidt, G.: Programme als partielle Graphen. Habil. Thesis 1977 und Bericht 7813, Fachbereich Mathematik der Techn. Univ. München (1977). English as [3,8].
3. Schmidt, G.: Programs as partial graphs I: Flow equivalence and correctness. Theoret. Comput. Sci. 15 (1981) 1–25
4. Schmidt, G., Ströhlein, T.: Relationen und Graphen. Mathematik für Informatiker. Springer-Verlag (1989). ISBN 3-540-50304-8, ISBN 0-387-50304-8
5. Schmidt, G., Ströhlein, T.: Relations and Graphs — Discrete Mathematics for Computer Scientists. EATCS Monographs on Theoretical Computer Science. Springer-Verlag (1993). ISBN 3-540-56254-0, ISBN 0-387-56254-0
6. Freyd, P.J., Scedrov, A.: Categories, Allegories. Volume 39 of North-Holland Mathematical Library. North-Holland, Amsterdam (1990)
7. Kahl, W.: A Relation-Algebraic Approach to Graph Structure Transformation. Technical Report 2002/03, Fakultät für Informatik, Universität der Bundeswehr München (2002). http://ist.unibw-muenchen.de/Publications/TR/2002-03/
8. Schmidt, G.: Programs as partial graphs II: Recursion. Theoret. Comput. Sci. 15 (1981) 159–179
Relational Measures and Integration

Gunther Schmidt

Institute for Software Technology, Department of Computing Science
Universität der Bundeswehr München, 85577 Neubiberg, Germany
[email protected]

Abstract. Work in fuzzy modeling has recently made its way from the interval [0, 1] ⊆ IR to the ordinal or even to the qualitative level. We proceed further and introduce relational measures and relational integration. First ideas of this kind, but for the real-valued linear orderings, stem from Choquet (1950s) and Sugeno (1970s). We generalize to not necessarily linear order and handle it algebraically and in a component-free manner. We thus open this area of research for treatment with theorem provers, which would be extremely difficult for the classical presentation of Choquet and Sugeno integrals.

Keywords: Sugeno integral, Choquet integral, relation algebra, evidence and belief, plausibility, necessity, and possibility measures, relational measure.

1 Introduction
Mankind has developed a multitude of concepts to reason about something that is better than or more attractive than something else, or similar to something else. Such concepts lead to an enormous bulk of formulae and interdependencies. We start from the concept of an order and a strictorder, defined as a transitive, antisymmetric, reflexive relation or as a transitive and asymmetric relation, respectively. In earlier times it was not at all clear that orderings need not be linear orderings. But since the development of lattice theory in the 1930s it became more and more evident that most of our reasoning with orderings was also possible when they failed to be linear ones. So researchers studied fuzziness mainly along the linear order of IR and began only later to generalize to the ordinal level: numbers indicate the relative position of items, but no longer the magnitude of difference. Then they moved to the interval level: numbers indicate the magnitude of difference between items, but there is no absolute zero point. Examples are attitude scales and opinion scales. We proceed even further and introduce relational measures with values in a lattice. Measures traditionally provide a basis for integration. Astonishingly, this holds true for these relational measures, so that it becomes possible to introduce a concept of relational integration.

Cooperation and communication around this research was partly sponsored by the European Cost Action 274: Tarski (Theory and Applications of Relational Structures as Knowledge Instruments), which is gratefully acknowledged.

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 343–357, 2006.
© Springer-Verlag Berlin Heidelberg 2006

2 Modelling Preferences
Whoever is about to make severe decisions will usually base these on carefully selected basic information and clean lines of reasoning. It is in general not too difficult to apply just one criterion and to operate according to this criterion. If several criteria must be taken into consideration, one has also to consider the all too often occurring situation that these provide contradictory information: “This car looks nicer, but it is much more expensive”. Social and economic sciences have developed techniques to model what takes place when decisions are to be made in an environment with a multitude of diverging criteria. Preference is assumed to represent the degree to which one alternative is preferred to another. Often it takes the form of expressing that alternative A is considered to be “not worse than” alternative B. Sometimes a linear ranking of the set of alternatives is assumed, which we avoid.

So finding decisions became abstracted to a scientific task. We may observe two lines of development. The Anglo-Saxon countries, in particular, formulated utility theory, in which numerical values shall indicate the intensity of some preference. Mainly in continental Europe, on the other hand, binary relations were used to model pairwise preference; see [1], e.g. While the former idea allows one to relate easily to statistics, the latter is based on evidence via direct comparison. In earlier years indeed, basic information was quite often statistical in nature and expressed in real numbers. Today we more often have fuzzy, vague, rough, etc. forms of qualification.

3 Introductory Example
We first give an example of relational integration deciding for a car to be bought out of several offers. We intend to follow a set C of three criteria, namely color, price, and speed. They are, of course, not of equal importance for us; price will most certainly outweigh the color of the car, e.g. Nevertheless, let the valuation with these criteria be given on an ordinal scale L with 5 linearly ordered values as indicated on the left side of (1). (Here, for simplicity, the ordering is linear, but it need not be.) We name these values 1, 2, 3, 4, 5, but do not combine this with any arithmetic; i.e., value 4 is not intended to mean two times as good as value 2. Rather they might be described with linguistic variables as bad, not totally bad, medium, outstanding, absolutely outstanding; purposefully these example qualifications have not been chosen “equidistant”.

           1 2 3 4 5
  color    0 0 0 1 0        4 = lub( glb(4_v(color), 4_μ{c,p}),
  price    0 0 0 1 0                 glb(4_v(price), 4_μ{c,p}),                (1)
  speed    0 1 0 0 0                 glb(2_v(speed), 5_μ{c,p,s}) )

First we concentrate on the left side of (1). The task is to arrive at one overall valuation of the car out of these three. In a simple-minded approach, we might indeed conceive numbers 1, 2, 3, 4, 5 ∈ IR and then evaluate in a classical way the average value as 1/3 (4 + 4 + 2) = 3.3333 . . ., which is a value not expressible in the given scale. When considering the second example (2), we would arrive at the same average value, although the switch from (1) to (2) between price and speed would trigger most people to decide differently.

           1 2 3 4 5
  color    0 0 0 1 0        3 = lub( glb(4_v(color), 3_μ{c,s}),
  price    0 1 0 0 0                 glb(2_v(price), 5_μ{c,p,s}),              (2)
  speed    0 0 0 1 0                 glb(4_v(speed), 3_μ{c,s}) )

With relational integration, we learn to make explicit which set of criteria to apply with which weight. It is conceivable that criteria c1 , c2 are given a low weight but the criteria set {c1 , c2 } in conjunction a high one. This means that we introduce a relational measure assigning values in L to subsets of C.

μ =
                         1 2 3 4 5
  {}                     1 0 0 0 0
  {color}                1 0 0 0 0
  {price}                0 0 1 0 0
  {color,price}          0 0 0 1 0
  {speed}                0 1 0 0 0
  {color,speed}          0 0 1 0 0
  {price,speed}          0 0 1 0 0
  {color,price,speed}    0 0 0 0 1

For gauging purposes we demand that the empty criteria set gets assigned the
least value in L and the full criteria set the greatest. A point to stress is that we
assume the criteria themselves as well as the measuring of subsets of criteria as
commensurable.
The relational measure μ should obviously be monotonic with respect to the
ordering Ω on the powerset of C and the ordering E on L. We do not demand con-
tinuity (additivity), however. The price alone is ranked of medium importance 3,
higher than speed alone, while color alone is considered completely unimportant
and ranks 1. However, color and price together are ranked 4, i.e., higher than
the supremum of ranks for color alone and for price alone, etc.
As now the valuations according to the criteria as well as the valuation ac-
cording to the relative measuring of the criteria are given, we may proceed as
visualized on the right sides of (1) and (2). We run through the criteria and al-
ways look for two items: their corresponding value and in addition for the value
of that subset of criteria assigning equal or higher values. Then we determine
the greatest lower bound for the two values. From the list thus obtained, the
least upper bound is taken. The two examples above show how by simple evalu-
ation along this concept, one will arrive at the overall values 4 or 3, respectively.
This results from the fact that in the second case only such rather unimportant
criteria as color and speed assign the higher values.
The effect is counterrunning: low values of criteria, as for s in (1), are intersected with rather high μ’s, as many criteria give higher scores and μ is monotonic. Highest values of criteria, as for color or speed in (2), are intersected with the μ of a small or even one-element criteria set, i.e., with a rather small one. In total we find that there are two operations applied in a way we already know from matrix multiplication: a “sum” operator, lub or ∨, applied after a “product” operator, glb or ∧.
This example gave a first idea of how relational integration works and how
it may be useful. Introducing a relational measure and using it for integration
serves an important purpose: Concerns are now separated. One may design the
criteria and the measure in a design phase prior to polling. Only then shall the
questionnaire be filled, or the voters be polled. The procedure of coming to an
overall valuation is now just computation and should no longer lead to quarrels.

4 Order-Theoretic Functionals
Given the page limit, we cannot present all the prerequisites on relation algebra and give [2,3] as a general reference for handling relations as boolean matrices and subsets of a set as boolean vectors. Let an order relation E be given on a set V. An element e is called an upper bound (also: majorant) of the subset of V characterized by the vector u of V provided ∀x ∈ u : E_{xe}. From the predicate logic version, we easily derive a relation-algebraic formulation as e ⊆ \overline{\overline{E}^T ; u}, so that we introduce the order-theoretic functional ubd_E(u) := \overline{\overline{E}^T ; u} to return the possibly empty vector of all upper bounds. Analogously, we have the set of lower bounds lbd_E(u) := \overline{\overline{E} ; u}.

Starting herefrom, also the other traditional functionals may be obtained, such as the least upper bound of u (also: supremum), the at most 1-element set of least elements among the set of all upper bounds of u:
lub_E(u) = ubd_E(u) ∩ lbd_E(ubd_E(u))
In contrast to our expectation that a least upper bound may exist or not, it will here always exist as a vector; it may, however, be the null vector, representing that there is none.

As a tradition, a vector is often a column vector. In many cases, however, a row vector would be more convenient. We decided to introduce a variant denotation for order-theoretic functionals working on row vectors:
lubR_E(X) := [lub_E(X^T)]^T, etc.
We are here concerned with lattice orderings E only. For convenience we introduce notation for least and greatest elements as
0_E = glb_E( ), 1_E = lub_E( )

5 Relational Measures
Assume the following basic setting with a set C of so-called criteria and a measuring lattice L. Depending on the application envisaged, the set C may also be interpreted as one of players in a cooperative game, of attributes, of experts, or of voters in an opinion polling problem. This includes the setting with L the interval [0, 1] ⊆ IR or a linear ordering for measuring. We consider a (relational) measure generalizing the concept of a fuzzy measure (or capacité, of French origin) assigning measures in L to subsets of C.

[Diagram: ε between C and P(C); μ and M from P(C) to L; m and X from C to L; the ordering E on L]
Fig. 5.1. Basic situation for relational integration

The relation ε is the membership relation between C and its powerset P(C).
The measures envisaged will be called μ, other relations will be denoted as M .
Valuations according to the criteria will be X or m depending on the context.
For a running example assume the task to assess persons of the staff according to their intellectual abilities as well as according to the workload they manage to master.
The elements of L are pairs (ability, workload) with ability ordered low < medium < high and workload ordered lazy < fair < good < bulldozer (the two chains drawn beside the matrix in the original figure); under E a pair is below another iff both of its components are. Columns of E are listed in the same order as its rows.

E =
  (low,lazy)           1 1 1 1 1 1 1 1 1 1 1 1
  (medium,lazy)        0 1 0 1 1 0 1 1 0 1 1 1
  (low,fair)           0 0 1 0 1 1 1 1 1 1 1 1
  (high,lazy)          0 0 0 1 0 0 1 0 0 1 0 1
  (medium,fair)        0 0 0 0 1 0 1 1 0 1 1 1
  (low,good)           0 0 0 0 0 1 0 1 1 1 1 1
  (high,fair)          0 0 0 0 0 0 1 0 0 1 0 1
  (medium,good)        0 0 0 0 0 0 0 1 0 1 1 1
  (low,bulldozer)      0 0 0 0 0 0 0 0 1 0 1 1
  (high,good)          0 0 0 0 0 0 0 0 0 1 0 1
  (medium,bulldozer)   0 0 0 0 0 0 0 0 0 0 1 1
  (high,bulldozer)     0 0 0 0 0 0 0 0 0 0 0 1
Fig. 5.2. Value lattice L ordered with E

5.1 Definition. Suppose a set of criteria C to be given together with some lattice L, ordered by E, in which subsets of these criteria shall be given a measure μ : P(C) −→ L. Let Ω be the ordering on P(C). We call a mapping μ : P(C) → L a (relational) measure provided

– Ω ; μ ⊆ μ ; E, meaning that μ is isotonic with respect to the orderings Ω and E.
– μ^T ; 0Ω = 0E, meaning that the empty subset of P(C) is mapped to the least element of L.
– μ^T ; 1Ω = 1E, meaning that the full subset of P(C) is mapped to the greatest element of L.

A (relational) measure for s ∈ P(C), i.e., μ(s) when written as a mapping or μT; s
when written in relation form, may be interpreted as the weight of importance
we attribute to the combination s of criteria. It should not be mixed up with a
probability. The latter would require the setting L = [0, 1] ⊆ IR and in addition
that μ be continuous.
Many ideas of this type have been collected by Glenn Shafer under the heading
theory of evidence, calling μ a belief function. Using it, he explained a basis of
rational behaviour. We attribute certain weights to evidence, but do not explain
in which way. These weights shall in our case be lattice-ordered. This alone
gives us reason to rationally decide this or that way. Real-valued belief functions
have numerous applications in artificial intelligence, expert systems, approximate
reasoning, knowledge extraction from data, and Bayesian Networks.
Concerning additivity, the example of Glenn Shafer [4] is when one is won-
dering whether a Ming vase is a genuine one or a fake. We have to put the full
amount of our belief on the disjunction “genuine or fake” as one of the alterna-
tives will certainly be the case. But the amount of trust we are willing to put on
the alternatives may in both cases be very small as we have only tiny hints for
being genuine, but also very tiny hints for being a fake.
With the idea of probability, we could not so easily cope with the ignorance
just mentioned. Probability does not allow one to withhold belief from a propo-
sition without according the withheld amount of belief to the negation. When
thinking on the Ming vase in terms of probability we would have to attribute p
to genuine and 1 − p to fake.
In the extreme case, we have complete ignorance expressed by the so-called vacuous belief mapping
$$\mu_0(s) = \begin{cases} 0_E & \text{if } C \neq s \\ 1_E & \text{if } C = s \end{cases}$$
On the other side, we may completely overspend our trust, expressed by what we may call a light-minded belief mapping
$$\mu_1(s) = \begin{cases} 0_E & \text{if } 0_\Omega = s \\ 1_E & \text{otherwise} \end{cases}$$
To an arbitrary non-empty set of criteria, the light-minded belief mapping attributes all the components of trust or belief.

5.2 Definition. Given this setting, we call μ

i) a Bayesian measure if it is lattice-continuous, i.e.,
lub_E(μ^T ; s) = μ^T ; lub_Ω(s)
for a subset s ⊆ P(C), or expressed differently, a set of subsets of C.
ii) a simple support mapping focused on U valued with v, if U is a non-empty subset U ⊆ C and v ∈ L an element such that
$$\mu(s) = \begin{cases} 0_E & \text{if } s \not\supseteq U \\ v & \text{if } C \neq s \supseteq U \\ 1_E & \text{if } C = s \end{cases}$$

In particular, μ1 is Bayesian while μ0 is not. In the real-valued environment, the condition for a Bayesian measure is: additive when non-overlapping. Lattice-continuity incorporates two concepts, namely additivity
μ^T ; (s1 ∪ s2) = μ^T ; s1 ∪_L μ^T ; s2
and sending 0Ω to 0E.

Combining measures

Dempster [5] found for the real-valued case a way of combining measures in a form closely related to conditional probability. It shows a way of adjusting opinion in the light of new evidence. We have re-modeled this for the relational case. One should be aware of how a measure behaves on upper and lower cones:
μ = lubR_E(Ω^T ; μ)    μ = glbR_E(Ω ; μ)
When one has, in addition to μ, got further evidence from a second measure μ', one will intersect the upper cones, resulting in a possibly smaller cone positioned higher up, and take its greatest lower bound:
μ ⊕ μ' := glbR_E(μ ; E ∩ μ' ; E)
One might, however, also look where μ and μ' agree, and thus intersect the lower bound cones, resulting in a possibly smaller cone positioned deeper down, and take its least upper bound:
μ ⊗ μ' := lubR_E(μ ; E^T ∩ μ' ; E^T)

5.3 Proposition. If the measures μ, μ' are given, μ ⊕ μ' as well as μ ⊗ μ' are measures again. Both operations are commutative and associative. The vacuous belief mapping μ0 is the null element while the light-minded belief mapping μ1 is the unit element among measures:
μ ⊕ μ0 = μ, μ ⊗ μ1 = μ, and μ ⊗ μ0 = μ0

Proof: The least element must be sent to the least element. This result is prepared observing that 0Ω is a transposed mapping, in
lbd_E([μ ; E ∩ μ' ; E]^T) ; 0Ω
= \overline{\overline{E} ; [μ ; E ∩ μ' ; E]^T} ; 0Ω
= \overline{\overline{E} ; [μ ; E ∩ μ' ; E]^T ; 0Ω} a mapping may slip under a negation from the left
= \overline{\overline{E} ; [E^T ; μ^T ∩ E^T ; μ'^T] ; 0Ω}
= \overline{\overline{E} ; [E^T ; μ^T ; 0Ω ∩ E^T ; μ'^T ; 0Ω]} multiplying an injective relation from the right
= \overline{\overline{E} ; [E^T ; 0E ∩ E^T ; 0E]} definition of measure
= \overline{\overline{E} ; E^T ; 0E}
= \overline{\overline{E} ; } in the complete lattice E
= lbd( ) = 0E in the complete lattice E
Now
(μ ⊕ μ')^T ; 0Ω = glb_E([μ ; E ∩ μ' ; E]^T) ; 0Ω
= [lbd_E([μ ; E ∩ μ' ; E]^T) ∩ ubd(lbd_E([μ ; E ∩ μ' ; E]^T))] ; 0Ω
= lbd_E([μ ; E ∩ μ' ; E]^T) ; 0Ω ∩ \overline{\overline{E}^T ; lbd_E([μ ; E ∩ μ' ; E]^T)} ; 0Ω
= 0E ∩ \overline{\overline{E}^T ; lbd_E([μ ; E ∩ μ' ; E]^T) ; 0Ω}
= 0E ∩ \overline{\overline{E}^T ; 0E}
= 0E ∩ ubd(0E)
= 0E ∩ = 0E
For reasons of space, the other parts of the proof are left to the reader.

6 Relational Integration
Assume now that for all the criteria C a valuation has taken place resulting in a
mapping X : C −→ L. The question is how to arrive at an overall valuation by
rational means, for which μ shall be the guideline.

6.1 Definition. Given a relational measure μ and a mapping X indicating the values given by the criteria, we define the relational integral
(R) X ◦ μ := lubR_E( ; glbR_E[(X ∪ syq(X ; E ; X^T, ε) ; μ)])

As already mentioned, we apply a sum operator lub after applying the product
operator glb . When values are assigned with X, we look with E for those greater
or equal, then with X T for the criteria so valuated. Now comes a technically
difficult step, namely proceeding to the union of the resulting sets with the
symmetric quotient syq and the membership relation ε. The μ-score of this set
is then taken.
The tables in Fig. 6.1 show a measure, a valuation and then the relational
integral computed with the TituRel system.
We are now in a position to understand why gauging μT; 1Ω = 1E is necessary
for μ, or “greatest element is sent to greatest element”. Consider, e.g., the special
case of an X with all criteria assigning the same value. We certainly expect the
relational integral to precisely deliver this value regardless of the measure chosen.
But this might not be the case if a measure should assign too small a value to
the full set.
Columns of L in the order of Fig. 5.2: (low,lazy) (medium,lazy) (low,fair) (high,lazy) (medium,fair) (low,good) (high,fair) (medium,good) (low,bulldozer) (high,good) (medium,bulldozer) (high,bulldozer)

μ =
  {}                   1 0 0 0 0 0 0 0 0 0 0 0
  {Abe}                0 0 0 1 0 0 0 0 0 0 0 0
  {Bob}                0 0 0 0 1 0 0 0 0 0 0 0
  {Abe,Bob}            0 0 0 0 0 0 0 0 0 1 0 0
  {Carl}               0 0 1 0 0 0 0 0 0 0 0 0
  {Abe,Carl}           0 0 0 0 0 0 0 0 0 1 0 0
  {Bob,Carl}           0 0 0 0 0 0 0 1 0 0 0 0
  {Abe,Bob,Carl}       0 0 0 0 0 0 0 0 0 1 0 0
  {Don}                0 1 0 0 0 0 0 0 0 0 0 0
  {Abe,Don}            0 0 0 0 0 0 1 0 0 0 0 0
  {Bob,Don}            0 0 0 0 0 0 1 0 0 0 0 0
  {Abe,Bob,Don}        0 0 0 0 0 0 0 0 0 1 0 0
  {Carl,Don}           0 0 0 0 1 0 0 0 0 0 0 0
  {Abe,Carl,Don}       0 0 0 0 0 0 0 0 0 1 0 0
  {Bob,Carl,Don}       0 0 0 0 0 0 0 0 0 1 0 0
  {Abe,Bob,Carl,Don}   0 0 0 0 0 0 0 0 0 0 0 1

X =
  Abe                  0 0 0 1 0 0 0 0 0 0 0 0
  Bob                  0 0 0 0 0 0 1 0 0 0 0 0
  Carl                 1 0 0 0 0 0 0 0 0 0 0 0
  Don                  0 0 0 0 1 0 0 0 0 0 0 0

(R) X ◦ μ = (0 0 0 0 0 0 1 0 0 0 0 0)

Fig. 6.1. Measure, a valuation and the relational integral

These considerations originate from a free re-interpretation of the following concepts for work in [0, 1] ⊆ IR. The Sugeno integral operator is in the literature defined as
$$M_{S,\mu}(x_1, \ldots, x_m) = (S)\, x \circ \mu = \bigvee_{i=1}^{m} [x_i \wedge \mu(A_i)]$$
and the Choquet integral operator as
$$M_{C,\mu}(x_1, \ldots, x_m) = (C)\, x \circ \mu = \sum_{i=1}^{m} [(x_i - x_{i-1}) \cdot \mu(A_i)]$$
In both cases the elements of the vector (x_1, …, x_m), and parallel to this, the criteria set C = {C_1, …, C_m} have each time been reordered such that
$$0 = x_0 \le x_1 \le x_2 \le \cdots \le x_m \le x_{m+1} = 1 \quad\text{and}\quad \mu(A_i) = \mu(C_i, \ldots, C_m).$$

The concept of Choquet integral was first introduced for a real-valued context in [6] and later used by Michio Sugeno [7]. This integral has nice properties for aggregation: it is continuous, non-decreasing, and stable under certain interval preserving transformations. Not least, it reduces to the weighted arithmetic mean as soon as it becomes additive.

7 Defining Relational Measures

Such measures may be given directly, which is, however, a costly task as a powerset is involved all of whose elements need values. Therefore, they mainly originate in some other way.

Measures originating from direct valuation of criteria


Let a direct valuation of the criteria be given as any relation m between C
and L. Although it is allowed to be contradictory and non-univalent, we provide
for a way of defining a relational measure based on it. This will happen via the
following constructs
T
σ(m) := εT ; m; E π(μ) := ε; μ; E , (3)
which very obviously satisfy the Galois correspondence requirement
m ⊆ π(μ) ⇐⇒ μ ⊆ σ(m).
They satisfy σ(m ; E T ) = σ(m) and π(μ ; E) = π(μ), so that in principle only
lower, respectively upper, cones occur as arguments. Applying W ; E = W ; E; E T ,
we get
σ(m); E = εT ; m; E ; E = εT ; m; E ; E T ; E = εT ; m; E = σ(m),
so that images of σ are always upper cones — and thus best described by their
greatest lower bound glbR E (σ(m)).

7.1 Proposition. Given any relation m : C → L, the construct
μ_m := μ0 ⊕ glbR_E(σ(m))
forms a relational measure, the so-called possibility measure.

Addition of the vacuous belief mapping μ0 is again necessary for gauging pur-
poses. In case m is a mapping, the situation becomes even nicer. From
T
π(σ(m; E T )) = π(σ(m)) = ε; εT ; m; E ; E
T
= m; E ; E as it can be shown that in general ε; εT ; X = X for all X
T
= m; E ; E as m was assumed to be a mapping
T
= m; E ; E
T
= m; E
we see that this is an adjunction on cones. The lower cones m ; E T in turn are
1 : 1 represented by their least upper bounds lubR E (m; E).
The following proposition exhibits that a Bayesian measure is a rather special case, namely more or less directly determined as a possibility measure for a direct valuation via a mapping m. Fig. 7.1 shows an example. One may proceed from m to the measure according to Prop. 7.1 or vice versa according to Prop. 7.2.

7.2 Proposition. Let μ be a Bayesian measure. Then m_μ := lubR_E(π(μ)) is that direct valuation for which μ = μ_{m_μ}.

Columns of L in the order of Fig. 5.2: (low,lazy) (medium,lazy) (low,fair) (high,lazy) (medium,fair) (low,good) (high,fair) (medium,good) (low,bulldozer) (high,good) (medium,bulldozer) (high,bulldozer)

μB =
  {}                   1 0 0 0 0 0 0 0 0 0 0 0
  {Abe}                0 0 0 0 1 0 0 0 0 0 0 0
  {Bob}                0 0 0 0 0 0 1 0 0 0 0 0
  {Abe,Bob}            0 0 0 0 0 0 1 0 0 0 0 0
  {Carl}               0 0 1 0 0 0 0 0 0 0 0 0
  {Abe,Carl}           0 0 0 0 1 0 0 0 0 0 0 0
  {Bob,Carl}           0 0 0 0 0 0 1 0 0 0 0 0
  {Abe,Bob,Carl}       0 0 0 0 0 0 1 0 0 0 0 0
  {Don}                0 0 0 0 0 1 0 0 0 0 0 0
  {Abe,Don}            0 0 0 0 0 0 0 1 0 0 0 0
  {Bob,Don}            0 0 0 0 0 0 0 0 0 1 0 0
  {Abe,Bob,Don}        0 0 0 0 0 0 0 0 0 1 0 0
  {Carl,Don}           0 0 0 0 0 1 0 0 0 0 0 0
  {Abe,Carl,Don}       0 0 0 0 0 0 0 1 0 0 0 0
  {Bob,Carl,Don}       0 0 0 0 0 0 0 0 0 1 0 0
  {Abe,Bob,Carl,Don}   0 0 0 0 0 0 0 0 0 0 0 1

mμB =
  Abe                  0 0 0 0 1 0 0 0 0 0 0 0
  Bob                  0 0 0 0 0 0 1 0 0 0 0 0
  Carl                 0 0 1 0 0 0 0 0 0 0 0 0
  Don                  0 0 0 0 0 1 0 0 0 0 0 0

Fig. 7.1. Direct valuation with corresponding Bayesian measure

With this method just a few of the many relational measures will be found. By construction they are all continuous (or additive).

Measures originating from a body of evidence


We may also derive relational measures out of some relation between P(C) and
L. Although it is allowed to be non-univalent, we provide for a way of defining
two measures based on it — which may coincide.

7.3 Definition. Let our general setting be given.

i) A body of evidence is an arbitrary relation M : P(C) −→ L, restricted by the requirement that Mᵀ; 0Ω ⊆ 0E .
354 G. Schmidt

ii) When the body of evidence M is in addition a mapping, we speak — following [4] — of a basic probability assignment.

If I dare say that the occurrence of A ⊆ C deserves my trust to the amount M(A), then A ⊆ A ⊆ C deserves at least this amount of trust, as it occurs whenever A occurs. I might, however, not be willing to consider that A ⊆ C with A ⊆ A deserves to be trusted with the same amount, as there is a chance that it occurs not so often.

Columns (elements of L, in this order):
 1 (medium,bulldozer)   2 (high,bulldozer)   3 (medium,good)   4 (low,bulldozer)
 5 (medium,lazy)        6 (medium,fair)      7 (high,good)     8 (high,lazy)
 9 (low,good)          10 (high,fair)       11 (low,lazy)     12 (low,fair)

M :=
                      1  2  3  4  5  6  7  8  9 10 11 12
{}                    0  0  0  0  0  0  0  0  0  0  0  0
{Abe}                 0  0  0  0  0  0  0  0  0  0  0  0
{Bob}                 0  0  1  0  0  0  0  0  0  0  0  0
{Abe,Bob}             0  0  0  0  0  0  0  0  0  0  0  0
{Carl}                0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Carl}            0  0  0  0  0  0  0  0  0  0  0  0
{Bob,Carl}            0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Bob,Carl}        0  0  0  0  0  0  0  0  0  0  0  0
{Don}                 0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Don}             0  0  0  0  0  0  0  0  0  0  0  0
{Bob,Don}             0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Bob,Don}         0  0  0  0  1  0  0  0  0  0  0  0
{Carl,Don}            0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Carl,Don}        0  0  0  0  0  0  0  0  1  0  0  0
{Bob,Carl,Don}        0  0  0  0  0  0  0  0  0  0  0  0
{Abe,Bob,Carl,Don}    0  0  0  0  0  0  0  0  0  0  0  0

Fig. 7.2. A body of evidence

We should be aware that the basic probability assignment is meant to assign something to a set regardless of what is assigned to its proper subsets. The condition Mᵀ; 0Ω ⊆ 0E expresses that M either does not assign any belief to the empty set or assigns it just 0E .
Now a construction similar to that in (3) becomes possible, introducing

    σ′(M) := Ωᵀ; M; E,    π′(μ) := Ω; μ; Eᵀ,    (4)

which again satisfies the Galois correspondence requirement

    M ⊆ π′(μ) ⟺ μ ⊆ σ′(M).

Obviously σ′(M; Eᵀ) = σ′(M) and π′(μ; E) = π′(μ), so that in principle only upper (E) and lower (Eᵀ), respectively, cones are set into relation. But again applying W; E = W; E; Eᵀ, we get

    σ′(M); E = Ωᵀ; M; E; E = Ωᵀ; M; E; Eᵀ; E = Ωᵀ; M; E = σ′(M),

so that images of σ′ are always upper cones — and thus best described by their greatest lower bound glbR E (σ′(M)).

7.4 Proposition. Should some body of evidence M be given, there exist two relational measures closely resembling M,

i) the belief measure μbelief(M) := μ0 ⊕ lubR E (Ωᵀ; M),
ii) the plausibility measure μplausibility(M) := μ0 ⊕ lubR E ((Ω ∩ Ω; )ᵀ; Ω; M).
iii) In general, the belief measure assigns values not exceeding those of the plausibility measure, i.e., μbelief(M) ⊆ μplausibility(M); Eᵀ.

Columns of both matrices (elements of L, in this order):
 1 (medium,bulldozer)   2 (high,bulldozer)   3 (medium,good)   4 (low,bulldozer)
 5 (medium,lazy)        6 (medium,fair)      7 (high,good)     8 (high,lazy)
 9 (low,good)          10 (high,fair)       11 (low,lazy)     12 (low,fair)

μbelief(M) =
                      1  2  3  4  5  6  7  8  9 10 11 12
{}                    1  0  0  0  0  0  0  0  0  0  0  0
{Abe}                 1  0  0  0  0  0  0  0  0  0  0  0
{Bob}                 0  0  1  0  0  0  0  0  0  0  0  0
{Abe,Bob}             0  0  1  0  0  0  0  0  0  0  0  0
{Carl}                1  0  0  0  0  0  0  0  0  0  0  0
{Abe,Carl}            1  0  0  0  0  0  0  0  0  0  0  0
{Bob,Carl}            0  0  1  0  0  0  0  0  0  0  0  0
{Abe,Bob,Carl}        0  0  1  0  0  0  0  0  0  0  0  0
{Don}                 1  0  0  0  0  0  0  0  0  0  0  0
{Abe,Don}             1  0  0  0  0  0  0  0  0  0  0  0
{Bob,Don}             0  0  1  0  0  0  0  0  0  0  0  0
{Abe,Bob,Don}         0  0  0  0  1  0  0  0  0  0  0  0
{Carl,Don}            1  0  0  0  0  0  0  0  0  0  0  0
{Abe,Carl,Don}        0  0  0  0  0  0  0  0  1  0  0  0
{Bob,Carl,Don}        0  0  1  0  0  0  0  0  0  0  0  0
{Abe,Bob,Carl,Don}    0  0  0  0  0  0  0  0  0  0  0  1

μplausibility(M) =
                      1  2  3  4  5  6  7  8  9 10 11 12
{}                    1  0  0  0  0  0  0  0  0  0  0  0
{Abe}                 0  0  0  0  0  0  0  0  0  0  1  0
{Bob}                 0  0  0  0  1  0  0  0  0  0  0  0
{Abe,Bob}             0  0  0  0  0  0  0  0  0  0  1  0
{Carl}                0  0  0  0  0  0  0  0  1  0  0  0
{Abe,Carl}            0  0  0  0  0  0  0  0  0  0  1  0
{Bob,Carl}            0  0  0  0  0  0  0  0  0  0  1  0
{Abe,Bob,Carl}        0  0  0  0  0  0  0  0  0  0  1  0
{Don}                 0  0  0  0  0  0  0  0  0  0  1  0
{Abe,Don}             0  0  0  0  0  0  0  0  0  0  1  0
{Bob,Don}             0  0  0  0  0  0  0  0  0  0  1  0
{Abe,Bob,Don}         0  0  0  0  0  0  0  0  0  0  1  0
{Carl,Don}            0  0  0  0  0  0  0  0  0  0  1  0
{Abe,Carl,Don}        0  0  0  0  0  0  0  0  0  0  1  0
{Bob,Carl,Don}        0  0  0  0  0  0  0  0  0  0  1  0
{Abe,Bob,Carl,Don}    0  0  0  0  0  0  0  0  0  0  0  1

Fig. 7.3. Belief measure and plausibility measure for M of Fig. 7.2

The belief measure adds information to the extent that all evidence of subsets
with an evidence attached is incorporated. Another idea is followed by the plau-
sibility measure. One asks which sets have a non-empty intersection with some
set with an evidence attached and determines the least upper bound of all these.
The plausibility measure collects those pieces of evidence that do not indicate
trust against occurrence of the event or non-void parts of it. The belief as well
as the plausibility measure more or less precisely determine their original body
of evidence.

7.5 Proposition. Should the body of evidence be concentrated on singleton sets only, the belief and the plausibility measure will coincide.

Proof: That M is concentrated on arguments which are singleton sets means that M = a; M with a the partial diagonal relation describing the atoms of the ordering Ω. For Ω and a one can prove (Ω ∩ Ω; ); a = a as the only other element less or equal to an atom, namely the least one, has been cut out via Ω. Then

    (Ω ∩ Ω; )ᵀ; Ω; M = (Ωᵀ ∩ ; Ω); Ω; a; M      M = a; M and transposing
                      = Ωᵀ; (Ω ∩ Ω; ); a; M      mask shifting
                      = Ωᵀ; a; M                 see above
                      = Ωᵀ; M                    again since M = a; M

One should compare this result with the former one assuming m to be a mapping
putting m := ε; M . One may also try to go in reverse direction, namely from a
measure back to a body of evidence.

7.6 Definition. Let some measure μ be given and define strict subset contain-
ment C := ∩ Ω. We introduce two basic probability assignments, namely
i) Aμ := lubR E (C T ; μ), its purely additive part,
ii) Jμ := μ1 ⊗ (μ ∩ lubR E (C T ; μ)), its jump part.

As an example, the purely additive part Aμ of the μ of Fig. 6.1 would assign
in line {Abe,Bob} the value {high,fair} only as μ({Abe}) = {high,lazy} and
μ({Bob}) = {medium,fair}. In excess to this, μ assigns {high,good}, and is,
thus, not additive or Bayesian. We have for Aμ taken only what could have been
computed already by summing up the values attached to strictly smaller subsets.
In Jμ the excess of μ to Aμ is collected. In the procedure for Jμ all the values
attached to atoms of the lattice will be saved as from an atom only one step
down according to C is possible. The value for the least element is, however, the
least element of L. Multiplication with μ1 serves the purpose that rows full of
0 ’s be converted to rows with the least element 0E attached as a value.
Now some arithmetic on these parts is possible, not least providing the insight
that a measure decomposes into an additive part and a jump part.

7.7 Proposition. Given the present setting, we have

i) Aμ ⊕ Jμ = μ.
ii) μbelief(Jμ) = μ.

In the real-valued case, this result is not surprising at all as one may always
decompose into a part continuous from the left and a jump part.
In view of these results it seems promising to investigate in which way also
concepts such as commonality, consonance, necessity measures, focal sets, and
cores may be found in the relational approach. This seems particularly inter-
esting as also the concepts of De Morgan triples have been transferred to the
componentfree relational side. We leave this to future research.
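The real-valued instance of these results, as an added example that is not part of the paper (which works over a general lattice L with relations, not numbers): a basic probability assignment over the four-element set of Fig. 7.2, with the focal sets of that figure and masses constructed here, the belief and plausibility functions of Dempster-Shafer theory [4,5], the inequality of Prop. 7.4(iii), the coincidence of Prop. 7.5 for evidence concentrated on singletons, and Möbius inversion as the real-valued counterpart of recovering the body of evidence from its belief measure (Prop. 7.7(ii)). The function and constant names are this example's own.

```python
from fractions import Fraction as F
from itertools import combinations

# Added example, not the paper's code: real-valued Dempster-Shafer belief [4,5]
# over the four-element set of Fig. 7.2. The masses are constructed here; the
# figure itself carries lattice values, not numbers.
C = frozenset({"Abe", "Bob", "Carl", "Don"})


def powerset(c):
    xs = sorted(c)
    return [frozenset(s) for k in range(len(xs) + 1) for s in combinations(xs, k)]


def is_bpa(m):
    """Basic probability assignment: no mass on {} and total mass 1
    (the real-valued reading of the condition M^T; 0_Omega <= 0_E)."""
    return m.get(frozenset(), 0) == 0 and sum(m.values()) == 1


def belief(m, A):
    """Bel(A) = sum of m(B) over all B <= A: evidence of subsets is incorporated."""
    return sum(v for B, v in m.items() if B <= A)


def plausibility(m, A):
    """Pl(A) = sum of m(B) over all B meeting A: evidence not speaking against A."""
    return sum(v for B, v in m.items() if B & A)


def moebius(bel, A):
    """Recover m(A) from Bel by Moebius inversion: sum over B <= A of
    (-1)^|A \\ B| * Bel(B); the real-valued counterpart of the jump part."""
    return sum((-1) ** len(A - B) * bel[B] for B in powerset(A))


def analyse(m, c=C):
    """Bel and Pl for every subset of c, plus the three properties under test."""
    assert is_bpa(m)
    ps = powerset(c)
    bel = {A: belief(m, A) for A in ps}
    pl = {A: plausibility(m, A) for A in ps}
    dominated = all(bel[A] <= pl[A] for A in ps)          # Prop. 7.4(iii)
    dual = all(pl[A] == 1 - bel[c - A] for A in ps)        # Pl determined by Bel
    recovered = all(moebius(bel, A) == m.get(A, 0) for A in ps)  # cf. Prop. 7.7(ii)
    return {"bel": bel, "pl": pl, "dominated": dominated, "dual": dual,
            "recovered": recovered,
            "coincide": all(bel[A] == pl[A] for A in ps)}  # Prop. 7.5 situation


# Focal sets of Fig. 7.2 with constructed masses
M_FIG = {frozenset({"Bob"}): F(1, 2),
         frozenset({"Abe", "Bob", "Don"}): F(1, 4),
         frozenset({"Abe", "Carl", "Don"}): F(1, 4)}

# Evidence concentrated on singleton sets only (Prop. 7.5)
M_SINGLETONS = {frozenset({x}): F(1, 4) for x in C}

if __name__ == "__main__":
    res = analyse(M_FIG)
    for A in powerset(C):
        print(sorted(A), "Bel =", res["bel"][A], "Pl =", res["pl"][A])
    print("belief and plausibility coincide for singleton evidence:",
          analyse(M_SINGLETONS)["coincide"])
```

For M_FIG the two measures differ, e.g. Bel({Bob}) = 1/2 but Pl({Bob}) = 3/4 because the focal set {Abe,Bob,Don} meets {Bob} without being contained in it; for M_SINGLETONS they agree on every subset, which is what Prop. 7.5 asserts relationally.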

8 Concluding Remark

There exists a bulk of literature around the topic of Dempster-Shafer belief. It concentrates mostly on work with real numbers and their linear order and applies traditional free-hand mathematics. This makes it sometimes difficult to follow the basic ideas, not least as authors are all too often falling back to probability considerations.
We feel that the componentfree relational reformulation of this field and the
important generalization accompanying it is a clarification — at least for the
strictly growing community of those who do not fear to use relations. Proofs
may now be supported via proof systems. The results of this paper have been
formulated also in the relational language TituRel [8,9], for which some system
support is available making it immediately operational. Not least has it provided
computation and representation of the example matrices.

Acknowledgement. My thanks go to the unknown referees for their detailed comments which considerably improved the exposition.

References
1. Fodor, J., Roubens, M.: Fuzzy Preference Modelling and Multicriteria Decision
Support. Volume 14 of Theory and Decision Library, Series D: System Theory,
Knowledge Engineering and Problem Solving. Kluwer Academic Publishers (1994)
2. Schmidt, G., Ströhlein, T.: Relationen und Graphen. Mathematik für Informatiker.
Springer-Verlag (1989) ISBN 3-540-50304-8, ISBN 0-387-50304-8.
3. Schmidt, G., Ströhlein, T.: Relations and Graphs — Discrete Mathematics for Com-
puter Scientists. EATCS Monographs on Theoretical Computer Science. Springer-
Verlag (1993) ISBN 3-540-56254-0, ISBN 0-387-56254-0.
4. Shafer, G.: A Mathematical Theory of Evidence. Princeton University Press (1976)
5. Dempster, A.P.: Upper and lower probabilities induced by a multivalued mapping.
Annals of Math. Statistics 38 (1967) 325–339
6. Choquet, G.: Theory of capacities. Annales de l’Institut Fourier 5 (1953) 131–295
7. Sugeno, M., ed.: Industrial Applications of Fuzzy Control. North-Holland (1985)
8. Schmidt, G.: Relational Language. Technical Report 2003-05, Fakultät für Infor-
matik, Universität der Bundeswehr München (2003) 101 pages, http://homepage.
mac.com/titurel/Papers/LanguageProposal.html.
9. Schmidt, G.: The Relational Language TituRel: Revised Version (2005) In prepa-
ration; see http://homepage.mac.com/titurel/TituRel/LanguageProposal2.pdf.
A Relational View of Recurrence and Attractors
in State Transition Dynamics

Giuseppe Scollo¹, Giuditta Franco², and Vincenzo Manca²

¹ University of Catania, Department of Mathematics and Computer Science, Viale A. Doria, 6, I-95125 Catania, Italy
[email protected]
http://www.dmi.unict.it/~scollo
² University of Verona, Department of Computer Science, Strada Le Grazie, 15, I-37134 Verona, Italy
[email protected], [email protected]
http://www.sci.univr.it/~manca

Abstract. The classical dynamics concepts of recurrence and attractor are analysed in the basic mathematical setting of state transition systems, where both time and space are discrete, and no structure is assumed on the state space besides a binary transition relation. This framework proves useful to the dynamical analysis of computations and biomolecular processes. Here a relational formulation of this framework is presented, where the concepts of attractor and recurrence surface in two variants, respectively relating to the two fundamental modalities. A strong link between recurrence and both existence and extent of attractors, in either variant, is established by a novel characterization theorem.

1 Introduction
Analyses of dynamical systems represent the main application of mathematical
sciences to the study of natural phenomena. Three constituents are essential in
a dynamical system: space, collecting all the possible states of the system; time,
collecting the different instants at which the system is considered; and dynamics,
which associates, to each instant, the system state at that instant. The various
kinds of dynamical systems are essentially determined by the structure of the
space, by the nature of the time, and the way dynamics is characterized [5,9].
The classical approach to study dynamical systems is focused on differential
equations, that impose local (infinitesimal) relations on quantity variations, from
which, under suitable hypotheses, one can analytically reconstruct the global
dynamical behaviour of the system. Recent developments of discrete models to
analyse biological processes motivate the revisitation of typical concepts of clas-
sical dynamics in a completely discrete context. A couple of discrete models
already applied with remarkable success are cellular automata [16], having the
Lindenmayer systems as a special case, and Kauffman networks [7]. In these sys-
tems, viewed as dynamical systems, typical properties that are relevant in com-
putation models, such as termination, confluence, and reducibility, are replaced

R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 358–372, 2006.
© Springer-Verlag Berlin Heidelberg 2006
A Relational View of Recurrence and Attractors 359

by other properties, which share nontermination as their outstanding prominent feature: periodicity, recurrence, emergence, propagation, stability, evolution. Indeed, the dynamics of biological adaptive systems may be viewed as a computation where the “result”, which a system searches for, is not a state but a stable pattern, that is an attractor which fulfils certain desirable conditions.
Dynamics of discrete systems, besides being instrumental to their direct al-
gorithmic simulation, often proves most natural in the representation of bio-
molecular dynamics, where the symbolic entities which come into play are easily
amenable to strings or closely related structures, or to dynamical networks [3].
The book [1] is a fundamental pioneering work where state transition graphs,
called kinetic graphs, are introduced in the context of dynamical concepts. How-
ever, despite its strong biological relevance, the book does not cope with the
mathematical aspects of its conceptual apparatus. Most interesting results on
dynamical indicators have been identified in [16], that discriminate classes of
behaviour which appear to be different, but with no formal definition of the
specific characteristics of a given behaviour. Important experimental results in
this perspective may be found in [7] and [17].
In [9], we addressed the problem of considering, in general terms, dynamical
systems that are completely discrete in that, not only the instants are natural
or integer numbers, but also the space is a discrete entity. We introduced state
transition dynamics, and we showed a few applications to computational and
biomolecular dynamics. We argued that string manipulation systems from for-
mal language theory may be naturally expressed as string transition systems. In
this perspective, notable concepts from grammars and automata theory take up
a purely dynamic character; for instance, the language generated by a grammar
is an attractor in the computation dynamics. Concepts of periodicity and quasi-
periodicity of state transition dynamics were applied to P systems with boundary
rules and dynamical environment (PBE systems) [4], and to Metabolic P sys-
tems [10]. P systems are formalisms based on distributed rewriting rules [12,13]
simulating the space distributed action of different agents that rule system global
patterns such as oscillations and synchronization phenomena [11].
In this paper we cast the conceptual framework developed in [9] in purely rela-
tional terms. The generality of this formulation seems apt to present definitions
of typically discrete dynamical concepts at a convenient abstraction level, which
supports reasoning and insight. Here, we actually move beyond the first results
presented in [9], to build a (fairly complex) full proof of a characterization of
deep connections between both existence and extent of recurrence and attractors
in discrete dynamics, that were only conjectured in [9].
The rest of the paper is organized as follows. In Sect. 3 we shall recast basic
concepts and definitions relating to state transition dynamics, as proposed in [9],
in terms of relation algebra concepts [15]. Some of these are preliminarily recalled
in Sect. 2, where we also introduce the notation that will serve our purpose. In
Sect. 4 a characterization theorem is achieved which links recurrence, eternal
recurrence and attractors. Possible applications and a future extension of this
work are outlined in Sect. 5, which concludes the article.
360 G. Scollo, G. Franco, and V. Manca

2 Notational Preliminaries

Let us designate the universal and identity binary relations on an arbitrary set
S, with 1S and 1S , respectively. We shall omit the subscript whenever it is clear
from the context. Let q, r be binary relations on S. Boolean difference is defined
by q\r = q·r−1 , with standard notation for the Boolean product and complement
operations, while 0 denotes the empty binary relation in any relation algebra.
The standard Boolean ordering ≤ is defined in any relation algebra just like in
its Boolean algebra reduct. This reduct is actually a complete Boolean algebra,
hence the binary Boolean sum operation is extended to summation over arbitrary
sets of binary relations.
Let r˘ denote the relation-algebraic converse of r. Consistently, we let f ˘
denote the inverse of an invertible function f , as well as the inverse image relation
of any function f . The binary relation q ; r is the relation-algebraic composition
of binary relations q and r. That is, x q ; r y if and only if there exists an element
z (in S) such that both x q z and z r y.
If qⁱ denotes the i-fold iterated composition of q with itself, then the reflexive-transitive closure of q, the transitive closure of q, and the at least n-fold iterated composition of q with itself, are respectively defined as follows.

$$q^{*} = \sum_{i \in \mathbb{N}} q^{i}, \qquad q^{+} = \sum_{i > 0} q^{i}, \qquad q^{\geq n} = \sum_{i \geq n} q^{i}.$$

One may note that $q^{*} = q^{\geq 0}$ and $q^{+} = q^{\geq 1}$.


We recall here that a monotype binary relation x is a subrelation of the identity: x≤ 1S, for more details see [2]. The domain and the image of a binary relation q may be expressed as monotypes, respectively defined by the equations: dom q = 1 ·(q ; 1), and img q = 1 ·(1 ; q). A few higher-order binary relations on monotypes will prove useful.
First, if q is a binary relation and x, y are monotypes on S, then we define

$$x \leq_q^{(n)} y \quad\text{iff}\quad \mathrm{img}(x ; q^{\geq n}) \leq y .$$

Then we define when a monotype is eventually below another one, under the iterated composition with a binary relation q, by a simple summation in the higher-order relation algebra on such monotypes, as follows:

$$\leq_q \;=\; \sum_{n \in \mathbb{N}} \leq_q^{(n)} .$$

Two useful operations will allow us to lift binary relations to (atomic) mono-
types of a higher-order relation algebra and, conversely, to flatten higher-order
monotypes to lower-order binary relations. These operations are respectively
defined as follows.

If r ≤ 1S, then ↑r is the higher-order one-element monotype generated by r, that is ↑r ≤ 1_{2^{S×S}} and it is defined by

    p ↑r q ⇔ p = q = r.

Clearly, the binary relation ↑r on 2^{S×S} has only one element, that is (r, r). If x ≤ 1_{2^{S×S}}, that is x is a higher-order monotype, then ↓x is the lower-order binary relation, ↓x ≤ 1S, defined by:

$$\downarrow x = \sum_{r\, x\, r} r .$$

At times we shall need to refer to individual elements of binary relations in terms of relation algebra. We shall do so by letting them be represented by the singleton monotypes they generate, which are atoms of the relation algebra.
Atomicity may be formalized quasiequationally in relation algebra, by requiring
that the monotype be the only nonempty subrelation of itself, so we get three
factors to this purpose, where the equation 1 ; x ; 1 = 1 specifies nonemptiness
(by Tarski rule, cf. [14]): x is an atomic monotype if

x ≤ 1 , 1 ; x ; 1 = 1, and y ≤ x ∧ 1 ; y ; 1 = 1 ⇒ y = x .

If x is a monotype, the notation x≤ y means that x is atomic and x ≤ y.

3 A Relational View of State Transition Dynamics


Definition 1. A state transition dynamics is a pair S, q , where S is a set of states and q is a binary relation on S, the transition relation on states.

As in [9], we call quasistate any subset of S, and often we shall actually be concerned with subsets rather than elements of S. For this reason, we shall
refer to quasistates as states, whereas the lengthier term individual state will
refer to elements of S. In terms of binary relations, states may be represented by
monotypes in the relation algebra over S; in this respect, we adopt the notational
convention of letting lowercase letters a, b, r, s, x, y, z, possibly with subscripts,
denote monotypes that represent subsets of S, and we shall often confuse such
monotypes with the subsets they represent. We may thus say that the notation
x≤ a means that “x is an individual state within state a”, rather than the more
accurate “x represents an individual state within the state represented by a”.
A state transition dynamics is eternal if the transition relation q is total. This
condition is easily expressed in the language of relation algebra by the equation
dom q = 1S . This condition is not met iff there is some final state in S, viz.
there is a nonzero monotype x such that x ; q = 0. Every final state may be
easily turned into a nonfinal one by suitably extending the transition relation;
thus, for example, one can extend every dynamics to become an eternal one by
turning each final state into a fixed point of the transition relation, also called
q-dynamics, according to the following definition.

Definition 2. An individual state x is a fixed point of the q-dynamics if it turns out that img(x ; q) = x .
The previous definition actually applies to any state as well, not just to individual
ones. We shall henceforth consider eternal dynamics only. With reference to such
a q-dynamics, the following definitions prove straightforward.
Definition 3. An orbit is an infinite sequence of states (xi | i ∈ N) such that
xi+1 = img(xi ; q) . State x0 is the origin of the orbit.
Definition 4. (Periodicity, eventual periodicity).
An orbit (xi | i ∈ N) is periodic if ∃n > 0 : xn = x0 , that is img(x0 ; q n ) = x0 .
An orbit is eventually periodic if, for some k ≥ 0, it evolves into a periodic one
after a k-step transient, that is, if ∃n > 0: img(x0 ; q k+n ) = img(x0 ; q k ) .
Definition 5. (Orbits’ inclusion, eventual inclusion).
An orbit (xi | i ∈ N) is included in the orbit (yi | i ∈ N) if xi ≤yi ∀ i ∈ N .
An orbit (xi | i ∈ N) is eventually included in the orbit (yi | i ∈ N) if, for some
j ∈ N, xi ≤yi holds ∀ i ≥ j .
We may also use this terminology for any infinite sequences of states, rather than
just for orbits. So, for example, we may say that orbit (xi | i ∈ N) is eventually
included in aω = (ai | i ∈ N), with ai = a for all i∈N, without thereby implying
a = img(a ; q).
Definition 6. A basin b is a nonempty state, b ≠ 0, that is closed under q, that is img(b ; q) ≤ b .
In the terminology of [14], basins are nonempty states that are “contracted” by
the q-dynamics. The higher-order binary relations defined in Sect. 2, as well as
the lifting and flattening operations, find their first application in the following
formalization of the two notions of attracting set introduced in [9].
Definition 7. (Attracting sets). Let a and b be a nonempty state and a basin,
respectively, such that a≤b.
(i) a is an unavoidable attracting set of b if b ≤ ↓dom( ≤q ; ↑a) .
(ii) a is a potential attracting set of b if b ≤ dom(q ∗ ; ↓dom( ≤q ; ↑a)) .
The previous definition deserves a few explanations.
An unavoidable attracting set a of basin b is characterized by the property
that every orbit taking its origin inside b is eventually included in aω . For a
correct formalization of this property, one must take into account that
• the higher-order eventually below relation ≤q on monotypes fits nicely, but
it lives in the higher-order relation algebra on the 2S×S universe, whence the
lifting of the a monotype proves necessary to composition with ≤q ;
• it would not be correct to require b ≤q a, since orbits starting at different
origins inside b may have transients of different length, before getting in-
cluded in aω , and the cardinality of b may well be infinite, hence the set of
the transients’ lengths may well be unbounded.

The following couple of facts may further elucidate the matter.

Proposition 1. The definitions of ≤q and of the lifting operation entail
↑r≤ dom( ≤q ; ↑a) ⇔ r ≤q a .
Proposition 2. Prop. 1 and the definition of the flattening operation entail

$$\downarrow \mathrm{dom}(\leq_q ; \uparrow a) = \sum_{r \leq_q a} r .$$

This should be sufficient to see the correctness of the formalization of the concept
of unavoidable attracting set. Unlike this, a potential attracting set may be
infinitely often escaped from by orbits starting inside the basin; however, it
can never be definitely escaped from, since it is always reachable (in a finite
number of steps) from every individual state in the basin, and furthermore the
basin is closed under q transitions. It should not be difficult to recognize such
a “persistent q ∗ -reachability of unavoidable eventual inclusion” character in the
formalization proposed in Def. 7.(ii), where the composition with q ∗ makes the
essential difference with the preceding definition of unavoidable attracting set.
The two notions of attracting set may be expressed as binary relations on monotypes, in the relation algebra on 2^{S×S}, where they are designated by □-attracts, ♦-attracts. That is, given a q-dynamics on S, for any monotypes a, b in the relation algebra on S we define:
• a □-attracts b if b is a basin and a is an unavoidable attracting set of b;
• a ♦-attracts b if b is a basin and a is a potential attracting set of b.
For a given basin, the search for minimal attracting sets is supported by the following definition, which has to do with removability of states from an attracting set while preserving its attractiveness, in either form.
Definition 8. (Removable states). Let b be a basin in the q-dynamics.
(i) x □b-removable from a (read: x is “must-removable” from a w.r.t. b) if x≤a, a □-attracts b and a\x □-attracts b ;
(ii) x ♦b-removable from a (read: x is “may-removable” from a w.r.t. b) if x≤a, a ♦-attracts b and a\x ♦-attracts b .
Minimal attracting sets are called attractors. This is formalized as follows.
Definition 9. (Attractors). Let b be a basin in the q-dynamics.
(i) An unavoidable attractor of b is an unavoidable attracting set a of b that is minimal in the standard Boolean ordering, viz. no nonempty subset of a is must-removable from a w.r.t. b :
a □-attractor of b if a □-attracts b and x □b-removable from a ⇒ x = 0 .
(ii) A potential attractor of b is a potential attracting set a of b that is minimal in the standard Boolean ordering, viz. no nonempty subset of a is may-removable from a w.r.t. b :
a ♦-attractor of b if a ♦-attracts b and x ♦b-removable from a ⇒ x = 0 .

When we write “attractor” or “attracting set” without qualification, then “potential” is implicitly understood.
We recall a few useful facts from [9], while recasting them in our present
notation. Those collected in Prop. 3 below easily follow from the definitions,
whereas Prop. 4, which is proven in [9], offers a first characterization of either
form of removability of individual states from attracting sets (of corresponding
form, of course).
Proposition 3. Let b be a basin in the q-dynamics.
(i) b □-attracts b .
(ii) a □-attracts b ⇒ a ♦-attracts b .
(iii) a □-attracts b ∧ a ≤ a′ ≤ b ⇒ a′ □-attracts b .
(iv) a ♦-attracts b ∧ a ≤ a′ ≤ b ⇒ a′ ♦-attracts b .
(v) x □b-removable from a ⇒ x ♦b-removable from a .
(vi) An attractor of b is unique, if it exists. We then speak of the attractor a♦ of b, whereas the notation a♦ = 0 means that b has no attractor.
(vii) An unavoidable attractor of b is unique, if it exists. We then speak of the unavoidable attractor a□ of b, whereas the notation a□ = 0 means that b has no unavoidable attractor.
(viii) The (unavoidable) attractor of b is also the (unavoidable) attractor of any x ≤ b that is a basin and is above the (unavoidable) attractor of b in the standard Boolean ordering. In particular, every (unavoidable) attractor is also its own (unavoidable) attractor.
Proposition 4. Let b be a basin in the q-dynamics.
(i) If a ♦-attracts b and y≤ a, then y ♦b-removable from a iff y≤ img( x ; q ∗ ; q ∗−1 ) for all x≤ b .
(ii) If a □-attracts b and y≤ a, then y □b-removable from a iff for no x≤ b does y occur infinitely often in the x-orbit.
Recurrence is defined in [9] for individual states in a given basin. Individual
states may be represented as atomic monotypes in the relation algebra on the
state set S. Two modal shapes of recurrence are defined: recurrence as occurrence
of an individual state in its own orbit, and eternal recurrence as occurrence of
an individual state in all orbits of individual states that fall in the orbit of the
given individual state. This is formalized as follows.
Definition 10. (Recurrence). Let x be an individual state in a basin in the q-dynamics.
(i) x is recurrent if x≤ img(x ; q⁺)
(ii) x is eternally recurrent if x ; q∗ ≤ x ; q˘∗
We write x ♦-rec b to mean that b is a basin where x is recurrent, while x □-rec b means that x is eternally recurrent in basin b, with x≤b in both cases. Henceforth, with reference to a fixed basin b, r♦ denotes the monotype of recurrent states in b, while r□ denotes the monotype of eternally recurrent states in b, that is we have the following concepts.

Definition 11. (Recurrence sets). Let b be a basin in the q-dynamics, then with respect to b, r♦ and r□ are defined by the following equations:

$$r_\diamond = \sum_{x\ \diamond\text{-rec}\ b} x, \qquad r_\square = \sum_{x\ \square\text{-rec}\ b} x .$$

The following facts easily follow from the definitions.

Proposition 5. Let b be a basin in the q-dynamics.

(i) Every eternally recurrent state is recurrent, thus r□ ≤ r♦ .
(ii) The set of eternally recurrent states is closed under transitions, i.e. it is either a basin or empty, and in both cases img(r□ ; q) ≤ r□ , whence img(r□ ; q∗) = r□ .

4 A Characterization of Recurrence and Attractors

A first link between recurrence and attractors surfaces as a cross-connection between eternal recurrence and ♦-nonremovability of individual states. We speak of a cross-connection because of the difference in the modalities involved—this turns out to be a recurrent phenomenon in this section.
Prop. 4(i) and Def. 10(ii) entail that an individual state is ♦-nonremovable from any attracting set of a basin b, hence from b itself (cf. Prop. 3(i),(ii)) iff it is eternally recurrent. Thus, r□ is the monotype of ♦-nonremovable individual states in b. One may formalize this, for a fixed basin b, by letting

$$\diamond\text{-removable} = \sum_{y\ \diamond_b\text{-removable from } b} y,$$

in the following equation.

Proposition 6. For any basin b in the q-dynamics, r□ = b \ ♦-removable .
A modal dual of Prop. 6 does not hold in the general case, but only under certain
assumptions. In order to state them precisely, a few concepts are needed, that
are phrased in celestial terminology as in [9].

Definition 12. (Trajectory, flight, antiflight, blackhole).
Let x represent an individual state in the q-dynamics on the state space S.
(i) A trajectory of origin x, briefly an x-trajectory, is a function ξ : N → 1S such that, with subscript argument, ξ₀ = x and ξₙ₊₁ ≤ img(ξₙ ; q) . ξN denotes the image of this function.
(ii) A flight of origin x, or x-flight, is an injective x-trajectory.
(iii) An antiflight of target x, or x-antiflight, in the q-dynamics is an x-flight in the converse q˘-dynamics.
(iv) A flight ξ is antiflight-free if no individual state in ξN is the target of an antiflight.
(v) An x-flight ξ is an x-blackhole if img(x ; q∗) ≤ ξN .
366 G. Scollo, G. Franco, and V. Manca

So, in summary: a trajectory develops through an infinite sequence of transitions
between individual states; a flight is a trajectory where every individual state
occurs at most once; an antiflight is a backward flight; an antiflight-free flight
has no backward flight starting at any of its individual states; and a blackhole
is a flight that is closed under transitions.
In absence of flights and antiflights, a modal dual of Prop. 6 holds, where the
dual of r actually is img(r♦ ; q ∗ ). This is duality proper, thanks to Prop. 5(ii).
Flights and antiflights introduce further possibilities of -nonremovability, in
agreement with the next proposition. For a fixed basin b, let

-removable = the join of all y with y b-removable from b.

We then have the following situation.

Proposition 7. For any basin b in the q-dynamics:
(i) img(r♦ ; q ∗ ) ≤ b \ -removable ,
(ii) img(r♦ ; q ∗ ) = b \ -removable , if the basin has neither flights nor antiflights.

Flights affect not only the aforementioned duality but also the existence of at-
tractors, of either kind. As shown in [9], in the presence of certain kinds of
flights in a basin, it may happen that a♦ ≠ 0 while a = 0, as well as that a♦ = 0
while a ≠ 0. The examples presented there reveal that the presence of a flight
in the basin may, but need not, hamper the validity of either or both of the
dual equations a♦ = r and a = img(r♦ ; q ∗ ). Purpose of the rest of this section
is to establish necessary and sufficient conditions for the validity of each of these
equations, thereby characterizing both the existence and the extent of attractors
of either kind. The following definitions prove purposeful.

Definition 13. (Recurrent flights).
Let b be a basin and ξ be a flight in b, with the q-dynamics.
(i) ξ is recurrent in b if ξ n ≤ img(r♦ ; q ∗ ) for some n∈N .
(ii) ξ is eternally recurrent in b if ξ N ≤ img(r ; q˘∗ ) .

Definition 14. (Finitary dynamics).
The q-dynamics is finitary if the q relation is image-finite on individual states,
i.e. img (x ; q) represents a finite state whenever x represents an individual state.

A few preliminary lemmas will shorten part of the proof of the subsequent the-
orem. The first one relates to existence of nonrecurrent flights in a basin.

Lemma 1. (Existence of nonrecurrent flights).
Let b be a basin in a finitary q-dynamics. If there exists x≤ b such that for no
n∈N img(x ; q ≥n ) ≤ img(r♦ ; q ∗ ), then there is a nonrecurrent x-flight in b.

Proof. Let’s arrange the x-orbit in a tree, with the root labeled by x and where
the children of node labeled by individual state y are labeled by the individual
states in img(y ; q). In this tree, which is finitely branching since the q-dynamics
is finitary, if a node is labeled by some individual state in b\img(r♦ ; q ∗ ), then
so are all nodes in the path leading from the root to that node—otherwise one
would get a nonempty intersection of disjoint monotypes, which is clearly absurd.
Now, let’s prune the tree by removing those nodes that are labeled by individual
states in img(r♦ ; q ∗ ), so all remaining nodes are labeled by individual states
in b\img(r♦ ; q ∗ ). It is fairly immediate to see that the hypothesis on x entails
that the pruned tree is infinite, but since it is the outcome of pruning a finitely
branching tree, it is finitely branching as well, therefore it must have an infinite
path, by König’s Lemma. Since all nodes in this path are labelled by states in
b\img(r♦ ; q ∗ ), none of these is recurrent, hence each of them occurs only once
in the path, thus the path corresponds to an x-flight in b, indeed a nonrecurrent
one, since no state in the path may ever be found in img(r♦ ; q ∗ ). ∎

Remark 1. The hypothesis that the q-dynamics is finitary is fairly essential. This
is apparent in the use of König’s Lemma in the proof, and is further corroborated
by the following counterexample to validity of the statement in a case where that
hypothesis does not hold.
Let the q-dynamics consist of antiflight ξ, with ξ 0 the only fixed point in basin
b, and an additional individual state x≤ b with img(x ; q) = ξ N . Clearly, this dy-
namics is not finitary. However, state x does fulfil the condition required by
Lemma 1, since the x-orbit is eventually periodic, with transient x and period
ξ N , whereas r♦ = img(r♦ ; q ∗ ) = ξ 0 . Nonetheless, there’s no x-flight in b, a fortiori
no nonrecurrent x-flight.

The next lemma provides a sufficient condition for nonexistence of the unavoid-
able attractor.

Lemma 2. (Nonexistence of the unavoidable attractor).
For any basin b in the q-dynamics, a = 0 if

(i) the converse q˘-dynamics is finitary, and
(ii) there is a nonrecurrent antiflight-free flight in b, under the q-dynamics.

Proof. Let ξ be a nonrecurrent antiflight-free flight in b. We claim that for no
individual state x≤ b may ξ 0 occur infinitely often in the x-orbit. This will entail
ξ 0 b -removable from b by Prop. 4(ii), and much the same for any individual state
ξ n in ξ N , since the ξ n -flight in ξ meets the same conditions stated above for the
ξ 0 -flight. Then it will follow that ξ N ≤ -removable, but no infinite subset of ξ N
is -removable from the basin b, whence a = 0. Here is the proof of the claim.
First, if ξ 0 occurs in the x-orbit, then x is not recurrent, indeed not even
x≤ img(r♦ ; q ∗ ), by nonrecurrence of the ξ 0 -flight.
Second, hypothesis (i) entails that img(ξ 0 ; q˘n ) is finite for all n > 0, hence
these images may be displayed in a finitely branching tree, with the root labeled
by ξ 0 , where the children of node labeled by individual state y are labeled by
the individual states in img(y ; q˘).
Again, by the nonrecurrence of the ξ 0 -flight, one observes that no individual
state may occur more than once as a node label in any given path from the root
in the aforementioned tree.
Now, by contradiction, assume ξ 0 occurs infinitely often in the x-orbit, then
the set of lengths of paths from the root in the tree is unbounded, hence the
set of individual states that label the nodes of the aforementioned tree must be
infinite, by the previous observation. Thus, the tree itself must have an infinite
number of nodes, hence it has an infinite path from the root, by König’s Lemma.
It follows that ξ 0 is the target of an antiflight, again by the previous observation
now relating to the infinite path, but this outcome is against the hypothesis that
ξ is antiflight-free. ∎

Our final lemma provides a sufficient condition for the existence of flights in the
basin of any q-dynamics. It tells something more, viz. in the absence of eternal
recurrence, flights start everywhere in the basin.

Lemma 3. (Flights in absence of eternal recurrence).
If b is a basin in the q-dynamics with no eternally recurrent states, then every
x≤ b is the origin of a flight.

Proof. Since no state is eternally recurrent, by Def. 10(ii) one gets immediately
nonemptiness of img(x ; q + ) \ img(x ; q˘∗ ) for every x≤ b. Furthermore, one may
always find an individual state x′ in this set such that there exists a finite
sequence of n+2 individual states (ξ i | 0 ≤ i ≤ n + 1), for some n ≥ 0, that satisfies
the following requirements:

1. ξ 0 = x, ξ n+1 = x′, ξ i+1 ≤ img(ξ i ; q), for 0 ≤ i ≤ n ;
2. ξ i ≤ img(x ; q˘∗ ), for 0 < i ≤ n ;
3. ξ i = ξ j ⇔ i = j, for 0 ≤ i, j ≤ n+1 .

Satisfiability of the third requirement comes from the simple observation that,
if there is a path that links a given pair of distinct source and target nodes,
through a set of nodes in a directed graph, then there is a cycle-free path which
links the given pair through the same set of nodes.
The construction of an x-flight takes place by iterating the procedure specified
above to x′, then to x′′, and so on. More precisely, the mapping ξ : N → img(x ; q ∗ )
is defined as follows. Let x_0 = x, x_{k+1} = x_k′, and n_k the (possibly 0) number of
intermediate states in the chosen finite sequence (x_{k,j} | 0 ≤ j ≤ n_k + 1) linking the
source state x_k = x_{k,0} to the target state x_{k,n_k+1} = x_{k+1} . By convening that
summation is 0-valued when the upper bound index is negative, we define for all
k∈N, 0 ≤ j ≤ n_k :

ξ : j + k + Σ_{h=0}^{k−1} n_h ↦ x_{k,j} .

It is easy to see that the mapping ξ is indeed defined for all n∈N. To see that
it is injective, it is enough to observe that

– x_{k+1} lies outside of img(x_k ; q˘∗ ) by construction;
– more generally, it is a fact that if m < k, then x_k lies outside of img(x_m ; q˘∗ ),
for otherwise we should have x_k ≤ img(x_{k−1} ; q˘∗ ), against the previous
observation;
– x_{k,i} = x_{k,j} ⇔ i = j, for 0 ≤ i, j ≤ n_k + 1, by construction as well (third requirement
above);
– if m < k and n_k > 0, then for 0 < i ≤ n_k it must be x_{k,i} ≠ x_m , otherwise it
would be x_k ≤ img(x_m ; q˘∗ ) with m < k, against the aforementioned fact;
– and, finally, that if there were some m < k, with n_m > 0, n_k > 0, and some
i, j, such that 0 < i ≤ n_m , 0 < j ≤ n_k , and x_{k,j} = x_{m,i} , then by construction
(second requirement above) it would follow that x_{k,j} ≤ img(x_m ; q˘∗ ), and since
x_k ≤ img(x_{k,j} ; q˘∗ ), it would turn out that x_k ≤ img(x_m ; q˘∗ ) with m < k,
against the aforementioned fact.

We now have all ingredients to state and prove the desired characterization.
Theorem 1. (Recurrence and Attractors).
In any basin b with the q-dynamics:
(i) a = img(r♦ ; q ∗ ) if the q-dynamics is finitary and every flight is recurrent,
otherwise a = 0 if the converse q˘ -dynamics is finitary and if there is a
nonrecurrent antiflight-free flight, under the q-dynamics.
(ii) a♦ = r if every flight is eternally recurrent, otherwise a♦ = 0 .
Proof. The basic fact is that, in the presence of flights that do not meet the
conditions stated for the existence of attractors, one may find nonremovable
(infinite) subsets of the basin that consist of removable individual states, for
either modality. Typically, if y represents such a set, it so happens that any
finite z ≤ y is removable, while no infinite z ≤ y so is. Clearly, whenever such a
situation occurs, the modally corresponding attractor does not exist.
Proof of (i).
First, if a -attracts b, then b \ -removable ≤ a by Def. 8(i) and Prop. 3(iii) with
contraposition, hence img(r♦ ; q ∗ ) ≤ a by Prop. 7(i).
Next, we show that, provided the q-dynamics is finitary, if r♦ ≠ 0 and all flights
are recurrent, then img(r♦ ; q ∗ ) -attracts b. According to Def. 7(i) and Prop. 2,
we have got to show that

b ≤ the join of all r with r ≤q img(r♦ ; q ∗ ).

To this purpose, it suffices to show that for every x≤ b the eventual inclusion
x ≤q img(r♦ ; q ∗ ) holds, i.e., ∃n∈N : img(x ; q ≥n ) ≤ img(r♦ ; q ∗ ). By contradiction,
let’s assume the existence of x≤ b such that for no n∈N img(x ; q ≥n ) ≤ img(r♦ ; q ∗ ).
Since the q-dynamics is finitary, by Lemma 1 a nonrecurrent x-flight exists in b,
against the hypothesis that all flights in b are recurrent.
Putting together what is proven so far, we get that, in finitary q-dynamics,
a = img(r♦ ; q ∗ ) if r♦ ≠ 0 and every flight in b is recurrent. For the case r♦ = 0,
the condition that every flight in b be recurrent would only be met if there were
no flights in b, since there are no recurrent states. However, the assumption of
eternal dynamics (made throughout this paper) entails that all trajectories in the
basin are nonrecurrent flights, whereby the second part of statement (i) applies.
The first part of statement (i) is thus proven, while its second part is Lemma 2.
Proof of (ii).
By Prop. 6, the only ♦-nonremovable individual states are the eternally recurrent
ones, viz. those in r . So, whenever all sets consisting of ♦-removable individ-
ual states are ♦-removable themselves, then a♦ = r holds. This is immediate
for r ≠ 0, while the case r = 0 deserves special treatment. In such a case, all
individual states in the basin are ♦-removable, but the basin itself cannot be
so (since no attracting set may be empty), and the basin must be infinite (by
a corollary of Lemma 3), hence the attractor does not exist, or a♦ = 0, in this
case—formally, a♦ = r holds in this case, too. We shall thus prove two facts:
1. y ≤ ♦-removable ⇒ y ♦b -removable from b if every flight is eternally recurrent.
2. If there is a flight that is not eternally recurrent, then a♦ = 0 .
We prove fact 1 by contraposition. Assume y ♦b -removable from b does not
hold, while for every x≤ y x ♦b -removable from b holds, that is y ≤ ♦-removable,
we then show the existence of a flight that is not eternally recurrent.
First, y ≤ ♦-removable by Prop. 6 entails y ≤ b\r (†).
Second, for all individual states z≤ b we have img(z ; q ∗ ) · y ≠ 0 ⇒ z≤ b\r ,
by Prop. 5(ii), therefore img(y ; q˘∗ ) ≤ b\r (‡).
Now, the first assumption just means that b\y is not an attracting set. We
have two cases where this may happen:
• y = b, thus r = 0. By Lemma 3 there exist flights in the basin; none of them
is eternally recurrent, since there is no eternally recurrent state in the basin.
• b\y ≠ 0, actually r ≠ 0 and r ≤ b\y , by (†) above. Since b\y is not an at-
tracting set, by Def. 7(ii) there is an x≤ b such that for all z≤ img(x ; q ∗ ) one has
img(z ; q ∗ ) · (1 \(b\y)) ≠ 0 , and since basin b is closed under transitions, this is
equivalent to img(z ; q ∗ ) · y ≠ 0 for every z≤ img(x ; q ∗ ) . For such an x it must
hold that img(x ; q ∗ ) · r = 0, by (‡) above. If we can show the existence of an
x-flight, this surely would not be eternally recurrent, according to Def. 13(ii),
since x≤ b\img(r ; q˘∗ ), by the previously inferred equation. The existence of
such a flight is a consequence of the absence of eternally recurrent states in
img(x ; q ∗ ), according to Lemma 3, since img(x ; q ∗ ) is a basin.
Finally, here is a proof of fact 2 stated above. Suppose ξ is a flight such
that for some k∈N img(ξ k ; q ∗ ) · r = 0 . Then img(ξ n ; q ∗ ) · r = 0 ∀ n ≥ k, so
for the ξ k -flight ξ′ defined by ξ′ i = ξ k+i we have img(ξ′ N ; q ∗ ) · r = 0 , thus by
Prop. 6 img(ξ′ N ; q ∗ ) ≤ ♦-removable . We now have to show that there exists an
infinite subset of img(ξ′ N ; q ∗ ) that is not ♦b-removable from b. This may well
be img(ξ′ N ; q ∗ ) itself. This set is infinite, since ξ′ is a flight, and furthermore
img(ξ′ N ; q ∗ ) ♦b-removable from b does not hold because img(ξ′ N ; q ∗ ) is closed under
transitions; to see this, consider that b\img(ξ′ N ; q ∗ ) cannot be an attracting set
of b since, ∀ x≤ img(ξ′ N ; q ∗ ) ≤ b , y≤ img(x ; q ∗ ) ⇒ img(y ; q ∗ ) · (b\img(ξ′ N ; q ∗ )) = 0,
therefore y ≤q b\img(ξ′ N ; q ∗ ) cannot hold, by Def. 7(ii) and Prop. 2. ∎

Remark 2. Finitarity assumptions are only needed for the characterization of the
unavoidable attractor. The modal difference between the two forms of attractor,
and of recurrence alike, obviously disappears in deterministic dynamics, yet it is
not easy to translate the content of Theorem 1 in terms of classical dynamical
systems, not even those of symbolic dynamics [8]. These are deterministic sys-
tems but rely on a metric structure of the state space, enabling seriously different
concepts of attraction and recurrence, that are based on approximate transition
through states, i.e. transition at arbitrarily small distance from the given state.
While no easy translation of our theorem can be given in so different a setting, a
certain analogy with Poincaré Recurrence Theorem surfaces, with boundedness
and invariance replaced by finitarity and flight recurrence hypotheses.

5 Applications and Future Perspectives

Generally speaking, discrete models of system dynamics prove especially use-
ful when the locality structure has a spatial rather than temporal profile and
the evolution of the system is “computed” by some sort of algorithms. In such
contexts, a few properties may surface in the discrete approach that are not
apparent in the differential theory.
An application area of the relational formulation of state transition dynamics
could be the formal description of biomolecular processes in the cell, as they
are the result of many individual reactions, each of these being formed by sub-
processes whose extension is limited in space and in time. These subprocesses
only get information on what is happening in the whole organism from their
respective neighbourhood. Nonetheless, they often exhibit a surprising overall
co-ordination, and in this sense biomolecular processes are by all means asyn-
chronous. We expect that the development of an analysis of the local reactions
in terms of binary transition relations would take place at a convenient ab-
straction level, to represent the independent subprocesses and their interaction
dynamics.
Even the assumption to work on a state space with no metric structure seems
suitable for such an application area. If one thinks of chemical reactions that
involve molecules inside the cytoplasm or the nucleus of a cell, topological fea-
tures of a model seem to be important to simulate these processes. The concept
of distance is not necessary, though, at least at a certain level of abstraction.
Let us explain this view by way of example; we suppose to have two molecules
that interact (namely by transforming each other) just by contact, rather than
by sending signals to each other. In this case, having a distance would be im-
portant; as a matter of fact, one could evaluate their relative distance at any
computational step of the system, and assume that they interact when this dis-
tance is zero. Such an approach even allows one to estimate in how many steps
do the two molecules meet each other in the system. On the other hand, however,
in this way one is forced to dive very much into the gory details of processes,
which fact may clutter one’s ability to observe the global properties of the sys-
tem. Indeed, the only relevant information for the dynamics of the system may
just be that those specific molecules interact eventually, given that they stay
‘close enough’, no matter when and how exactly [6].
We aim at continuing the relational formulation and analysis undertaken in
the present paper on other dynamical concepts of actual biological interest, such
as “creods”, “centers”, “focuses”, “saddles”, and of “weak” forms of chaos, which
could be defined by combining some of the features defined here.
We think that the work outlined above could suggest definitions of other forms
of attractors, more directly connected to the relational formulation of state tran-
sition dynamics, in that suitable concepts of stability, control, and randomness
could be analyzed by associating information sources to relational dynamical
systems. In this perspective, informational and entropic concepts could point
out interesting characterizations of fundamental dynamical concepts for com-
plex biological dynamics.

References
1. W.R. Ashby, An Introduction to Cybernetics, Chapman and Hall (1956)
2. R. Backhouse and J. van der Woude, Demonic Operators and Monotype Factors,
Mathematical Structures in Computer Science, 3:4 (1993) 417–433
3. C. Bonanno and V. Manca, Discrete dynamics in biological models, Gh. Păun, C.
Calude (Eds.), Romanian Journal of Information Science and Technology, 1-2:5
(2002) 45–67
4. L. Bianco, F. Fontana, G. Franco and V. Manca, P Systems for Biological Dynam-
ics, G. Ciobanu, Gh. Păun, M. J. Perez-Jimenez (Eds.), Applications of Membrane
Computing, Natural Computing Series, Springer (2006) 81–126
5. R.L. Devaney, Introduction to chaotic dynamical systems, Addison-Wesley (1989)
6. G. Franco, Biomolecular Computing — Combinatorial Algorithms and Laboratory
Experiments, PhD thesis, University of Verona, Italy (2006)
7. S. Kauffman, Investigations, Oxford University Press (2000)
8. P. Kůrka, Topological and Symbolic Dynamics, Cours Spécialisés 11, Société
Mathématique de France (2003)
9. V. Manca, G. Franco and G. Scollo, State transition dynamics: basic concepts and
molecular computing perspectives, M. Gheorghe (Ed.), Molecular Computational
Models: Unconventional Approaches, Idea Group, Hershey, PA, USA (2005) 32–55
10. V. Manca and L. Bianco, Biological Networks in Metabolic P Systems, (2006)
submitted.
11. V. Manca, L. Bianco and F. Fontana, Evolutions and oscillations of P systems:
Theoretical considerations and applications to biochemical phenomena, G. Mauri,
Gh. Păun, M.J. Pérez-Jiménez, G. Rozenberg, A. Salomaa (Eds.), Membrane
Computing, LNCS 3365, Springer (2005) 63–84
12. Gh. Păun, Computing with membranes, J. Comput. System Sci., 61:1 (2000)
108–143
13. Gh. Păun, Membrane Computing. An Introduction, Springer (2002)
14. G. Schmidt, Th. Ströhlein, Relations and Graphs, Springer (1993)
15. A. Tarski, On the calculus of relations, Journal of Symbolic Logic, 6 (1941) 73–89
16. S. Wolfram, Theory and Application of Cellular Automata, Addison-Wesley (1986)
17. A. Wuensche, Basins of Attraction in Network Dynamics: A Conceptual Frame-
work for Biomolecular Networks, G. Schlosser, G.P. Wagner (Eds.), Modularity in
Development and Evolution, Chicago University Press (2002)
On Two Dually Nondeterministic Refinement Algebras

Kim Solin

Turku Centre for Computer Science
Lemminkäinengatan 14 A, FIN-20520 Åbo, Finland
[email protected]

Abstract. A dually nondeterministic refinement algebra with a nega-
tion operator is proposed. The algebra facilitates reasoning about total-
correctness preserving program transformations and nondeterministic
programs. The negation operator is used to express enabledness and
termination operators through a useful explicit definition. As a small
application, a property of action systems is proved employing the alge-
bra. A dually nondeterministic refinement algebra without the negation
operator is also discussed.

1 Introduction

Refinement algebras are abstract algebras for reasoning about program refine-
ment [18,21,22,20]. Axiomatic reasoning can, in a certain sense, provide a sim-
pler reasoning tool than the classical set and order-theoretic frameworks [1,5,16].
Different classes of predicate transformers over a fixed state space form the mo-
tivating models, but should not be seen as exclusive.
The first papers on refinement algebras, in our sense of the term, were von
Wright’s initial paper [21], followed by [22], which builds on the aforementioned.
In these papers von Wright outlines an axiomatisation with the set of isotone
predicate transformers as an intended model. He also proposes the introduction
of angelic choice as a separate operator in the algebra.
This paper proposes a refinement algebra that extends the original framework
with three operators: the angelic choice (as suggested by von Wright), strong
angelic iteration and a negation operator. Looking at the predicate-transformer
models, the negation operator demands that the set of all predicate transformers
be a model, whereas the iteration operator demands that the predicate trans-
formers be isotone (as a consequence of needing to establish the existence of fix-
points via the Knaster-Tarski theorem). To solve this conflict, we let the carrier
set be the set of all predicate transformers over a fixed state space and impose
isotony conditions on elements of axioms involving iteration. Taking one step
further, we also add ways of imposing conjunctivity and disjunctivity conditions

Currently visiting Institut für Informatik, Universität Augsburg.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 373–387, 2006.

© Springer-Verlag Berlin Heidelberg 2006
374 K. Solin

on elements. Thus one could say that the algebra we propose is an algebra in-
tended for reasoning about isotone predicate transformers, but having the whole
class of predicate transformers as a model.
In the earlier frameworks, assertions were always defined in terms of guards. In
the framework we propose here, guards can also be defined in terms of assertions.
The guards and the assertions thus have equal status. Together with von Wright
we have investigated an enabledness and a termination operator in refinement
algebra [20]. The enabledness operator applied to a program denotes those states
from which the program is enabled, that is those states from which the program
will not terminate miraculously. The termination operator, on the other hand,
yields those states from which the program is guaranteed to terminate in some
state, that is, the program will not abort. In this paper, these operators are
defined in terms of the other operators as opposed to our earlier work where
they were introduced with an implicit axiomatisation. Thus, the framework of
this paper subsumes the one of [20].
Action systems comprise a formalism for reasoning about parallel programs
[2,4]. The intuition is that an action system is an iteration of a fixed number
of demonic choices that terminates when none of the conjunctive actions are
enabled any longer. In the refinement algebra, an action system can be expressed
using the enabledness operator. An action system can be decomposed so that
the order of execution is clearly expressed; this has been shown by Back and von
Wright using predicate transformer reasoning [6]. In the axiomatisation of [20]
we were able to prove one direction of action system decomposition, but the
other direction seems to be harder. Using the framework we present here, both
directions can be derived quite easily.
When the negation operator is left out we obtain a dually nondeterminis-
tic refinement algebra for which the isotone predicate transformers constitute
a model. This means that no special conditions need to be imposed on the el-
ements to guarantee the existence of fixpoints. Also in this framework guards
and assertions can be defined in terms of each other. On the other hand, explicit
definitions of the enabledness and termination operators, upon which the proof
of action-system decomposition relies, seem not to be possible.
The following work can be traced in the history of this paper. Kozen’s ax-
iomatisation of Kleene algebra and his introduction of tests into the algebra has
been a very significant inspiration for us [12,14]. Von Wright’s non-conservative
extension of Kleene algebra with tests was the first abstract algebra that was gen-
uinely an algebra for total correctness (it drops right-annihilation) [21]. It rests
upon previous work on algebraic program reasoning by Back and von Wright [6].
Desharnais, Möller, and Struth extended Kleene algebra with a domain opera-
tor [8], upon which Möller relaxed Kleene algebra by giving up right-annihilation
(as in [21]) and right-distributivity of composition. These two papers laid a firm
ground to the developments in [20], where the enabledness and termination
operators were introduced. Angelic nondeterminism takes off in the theory of
nondeterministic automata and Floyd’s nondeterministic programs [10]. In the
context of program refinement, Broy and Nelson [15,7], Back and von Wright [3],
and Gardiner and Morgan [11] are early names. The present paper extends an
earlier workshop version [19].
The paper is set up as follows. First the abstract algebra is proposed and a
program intuition is given. Then a predicate-transformer model for the algebra
is provided, which serves as a program-semantical justification. After the model,
basic properties of the algebra are discussed. The third section extends the alge-
bra by guards and assertions. After this the termination and enabledness opera-
tors are introduced. Action systems are considered under the abstract-algebraic
view in Section 4. The final section before the concluding one remarks on a
dually nondeterministic refinement algebra without the negation operator.
The purpose of this paper is not to provide more grandiose applications nor to
give a complete algebraic treatment; the purpose is to lay down the first strokes
of the brush, the purpose is to get started.

2 A Dually Nondeterministic Refinement Algebra with Negation

In this section we propose a dually nondeterministic refinement algebra with
negation, give a predicate transformer model, and have a glance at some basic
properties that should be taken into account.

2.1 Axiomatisation
A dually nondeterministic refinement algebra with negation (dndRAn) is a struc-
ture over the signature (, , ¬, ; ,ω ,† , ⊥, , 1) such that (, , ¬, ⊥, ) is a
Boolean algebra, (; , 1) is a monoid, and the following equations hold (; left
implicit, and x  y is defined to mean x  y = x):

¬xy = ¬(xy),
x = , ⊥x = ⊥,
(x  y)z = xz  yz and (x  y)z = xz  yz.

Moreover, if an element x satisfies y  z ⇒ xy  xz we say that x is isotone
and if x and y are isotone, then

xω = xxω  1, xz  y  z ⇒ xω y  z,
x† = xx†  1 and z  xz  y ⇒ z  x† y

hold. If x satisfies x(y  z) = xy  xz and x(y  z) = xy  xz we say that x is con-
junctive and disjunctive, respectively. Of course, conjunctivity or disjunctivity
implies isotony.
The operator ¬ binds stronger than the equally strong ω and † , which in turn
bind stronger than ;, which, finally, binds stronger than the equally strong 
and .
Let us remark that the signature could be reduced to (, ¬, ; ,ω , 1), since the
other operators can be defined in terms of these. Some of the axioms could also
be left out, since they can be derived as theorems. For clarity, we choose to have
the more spelled-out axiomatisation.
As a rough intuition, the elements of the carrier set can be seen as program
statements. The operators should be understood so that  is demonic choice (a
choice we cannot affect),  is angelic choice (a choice we can affect), ; is sequen-
tial composition, ¬x terminates in any state where x would not terminate and the
other way around, ω , the strong (demonic) iteration, is an iteration that either
terminates or goes on infinitely, in which case it aborts; and † , the strong angelic
iteration, is an iteration that terminates or goes on infinitely, in which case a
miracle occurs. If y establishes anything that x does and possibly more, then
x is refined by y: x  y. The constant ⊥ is abort, an always aborting program
statement;  is magic, a program statement that establishes any postcondition;
and 1 is skip. A conjunctive element can be seen as facilitating demonic non-
determinism, but not angelic, whereas a disjunctive element can have angelic
nondeterminism, but not demonic. An isotone element permits both kinds of
nondeterminism.

2.2 A Model
A predicate transformer S is a function S : ℘(Σ) → ℘(Σ), where Σ is any set.
Programs can be modelled by predicate transformers according to a weakest
precondition semantics [9,5]: S.q denotes those sets of states from which the
execution of S is bound to terminate in q.
If p, q ∈ ℘(Σ) and S satisfies p ⊆ q ⇒ S.p ⊆ S.q then S is isotone. If
S for any set I satisfies S.(⋂ i∈I pi ) = ⋂ i∈I S.pi and S.(⋃ i∈I pi ) = ⋃ i∈I S.pi
it is conjunctive and disjunctive, respectively. There are three named predicate
transformers abort = (λq • ∅), magic = (λq • Σ), and skip = (λq • q). A predicate
transformer S is refined by T , written S  T , if (∀q ∈ ℘(Σ) • S.q ⊆ T.q). This
paper deals with six operations on predicate transformers defined by
(S  T ).q = S.q ∩ T.q,
(S  T ).q = S.q ∪ T.q,
¬S.q = (S.q)C ,
(S; T ).q = S.(T.q),
S ω = μ.(λX • S; X  skip) and
S † = ν.(λX • S; X  skip),
where (·)C denotes set complement, μ denotes the least fixpoint with respect to the
refinement order, and ν denotes the greatest.

That our isotony condition of the axiomatisation actually singles out the iso-
tone predicate transformers is settled by the next lemma. Similarly it can be
proved that our conjunctivity and disjunctivity conditions single out the con-
junctive and disjunctive predicate transformers, respectively.
Lemma 1. Let S : ℘(Σ) → ℘(Σ). Then S is isotone if and only if for all
predicate transformers T, U : ℘(Σ) → ℘(Σ), if T  U then S; T  S; U .
On Two Dually Nondeterministic Refinement Algebras 377

Proof. If S is isotone, then clearly T  U ⇒ S; T  S; U. Assume now that for all predicate transformers U and T it holds that T  U ⇒ S; T  S; U. We show that this implies that S is isotone. Indeed, suppose that p, q ∈ ℘(Σ) and p ⊆ q. Then construct two predicate transformers I and J such that for any r ∈ ℘(Σ) it holds that I.r = p and J.r = q. Since p ⊆ q, we then have that I  J. By the assumption, this means that S; I  S; J, that is (∀r ∈ ℘(Σ) • S.I.r ⊆ S.J.r), or in other words (∀r ∈ ℘(Σ) • S.p ⊆ S.q). Removing the idle quantifier, this says exactly that S.p ⊆ S.q.


With the aid of the above lemma and the Knaster-Tarski theorem, it is easily
verified that the set of all predicate transformers forms a model for the dndRAn
with the interpretation of the operators given as above.
Proposition 1. Let PtranΣ be the set of all predicate transformers over a set
Σ. Then
(PtranΣ , ¬, , , ; ,ω ,† , magic, abort, skip)
is a dndRAn, when the interpretation of the operators is given according to the
above.

2.3 What Is Going on?

The basic properties of the algebra differ from the algebras in [21,20] in the fact that not all operators are isotone any longer and that some propositions are weakened.
The ; is not right isotone for all elements, but for isotone elements it is. In fact, the isotony condition on elements says exactly this. All other operators are isotone, except the negation operator, which is antitone:
x  y ⇒ ¬y  ¬x.
This is to be kept in mind when doing derivations. The leapfrog property of strong iteration (strong angelic iteration is dual) is weakened, but the decomposition property is not. That is, if x and y are isotone, then
x(yx)ω  (xy)ω x (1)
is in general only a refinement, whereas
(x  y)ω = xω (yxω )ω (2)
is always an equality. If x and y are conjunctive, then (1) can be strengthened to an equality [21].

3 Guards and Assertions


This section extends the algebra with guards and assertions, shows that they
can be defined in terms of each other, and provides an interpretation in the
predicate-transformer model.
378 K. Solin

3.1 Definitions and Properties

First, some notation. If an element of a dndRAn is both conjunctive and disjunctive, then we say that it is functional. A functional element thus permits no kind of nondeterminism.
Guards should be thought of as programs that check if some predicate holds, skip if that is the case, and otherwise a miracle occurs.

Definition 1. An element g of a dndRAn is a guard if

(1g) g is functional,
(2g) g has a complement ḡ satisfying
gḡ =  and g  ḡ = 1, and
(3g) for any g  also satisfying (1g) and (2g) it holds that
gg  = g  g  .

Assertions are similar to guards, but instead of performing a miracle when the
predicate does not hold, they abort. That is to say, an assertion that is executed
in a state where the predicate does not hold establishes no postcondition.

Definition 2. An element p is an assertion if

(1a) p is functional,
(2a) p has a complement p̄ satisfying
pp̄ = ⊥ and p  p̄ = 1, and
(3a) for any p also satisfying (1a) and (2a) it holds that
pp = p  p .

It is easily established that the guards and the assertions form Boolean algebras,
since guards and assertions are closed under the operators , , and ;.

Proposition 2. Let G be the set of guards and let A be the set of assertions of
a dndRAn. Then
(G, , ; ,¯, 1, ) and (A, ; , ,¯, ⊥, 1)
are Boolean algebras.

From this we get the following useful fact, by verifying that g⊥  1 is the unique
complement of ḡ in the sense of (2g).

Corollary 1. For any guard g of a dndRAn, we have that g = g⊥  1.

We will also need the following lemma.

Lemma 2. For any x in the carrier set of a dndRAn it holds that x⊥ and x are functional.

Proof. The first case is proved by
x⊥(y  z) = x⊥ = x⊥  x⊥ = x⊥y  x⊥z
and the other three cases are similar.


With the aid of the previous lemma, the guard and assertion conditions yielding
the following proposition are easily verified.
Proposition 3. Let g be a guard and let p be an assertion in a dndRAn. Then ḡ⊥  1 is an assertion with the complement g⊥  1, and p̄  1 is a guard with the complement p  1.


We can now prove the following theorem.
Theorem 1. Any guard/assertion can be defined in terms of an assertion/guard.
Proof. Let G be the set of guards and let A be the set of assertions in a dndRAn. We establish a bijection between the set of guards and the set of assertions. First define ◦ : G → A by
g◦ = ḡ⊥  1
and  : A → G by
p = p̄  1.
Clearly, the mappings are well-defined by Proposition 3. Now, we show that they are surjective and each other's inverses, thus bijections. Take any g ∈ G. Then (g◦) = g⊥  1 = g, by Proposition 3 and Corollary 1. Thus  is surjective and is the inverse function of ◦. The case for ◦ is analogous.


This means that the set of guards and the set of assertions can be defined in
terms of each other.

3.2 A Predicate-Transformer Model


Consider the function [·] : ℘(Σ) → (℘(Σ) → ℘(Σ)) such that [p].q = pC ∪ q, when p, q ∈ ℘(Σ). For every element p ∈ ℘(Σ) there is thus a predicate transformer Sp : ℘(Σ) → ℘(Σ), q → pC ∪ q. These predicate transformers are called guards. There is also a dual, an assertion, defined by {p}.q = p ∩ q. Complement ¯ is defined on guards and assertions by taking the complement of [p] to be [pC] and the complement of {p} to be {pC}.
It follows directly from the definitions that the complement of any guard is also a guard, and moreover, that the guards are closed under the operators , , and ; defined in Section 2.2. If [p] is any guard, it holds that
[p].(q1 ∩ q2) = pC ∪ (q1 ∩ q2) = (pC ∪ q1) ∩ (pC ∪ q2) = [p].q1 ∩ [p].q2
for any q1, q2 ∈ ℘(Σ). Similarly one can show that [p].(q1 ∪ q2) = [p].q1 ∪ [p].q2, so any guard is functional. Finally, it is easily verified that the axioms (2g) and

(3g) also hold when the guards are interpreted in the predicate-transformer sense above. This means that guards in the predicate-transformer sense constitute a model for the guards in the abstract-algebraic sense. A similar argument shows that assertions in the predicate-transformer sense are a model for assertions in the abstract-algebraic sense.

4 Enabledness and Termination


We here introduce explicit definitions of the enabledness and the termination
operators and show that, in this framework, the explicit definitions are equivalent
to the implicit ones of [20].

4.1 Definitions
The enabledness operator  is an operator that maps any program to a guard that skips in those states in which the program is enabled, that is, in those states from which the program will not terminate miraculously. It binds more tightly than all the other operators and is a mapping from the set of isotone elements to the set of guards defined by
x = x⊥  1. (3)
To see that the operator is well-defined, note that x⊥  1 can be shown to be a guard with
¬x⊥  1 (4)
as the complement.
In [20] the enabledness operator was defined implicitly, similarly to the domain operator of Kleene algebra with domain (KAD) [8]. The next theorem shows that, in this framework, the implicit definition found in [20] is equivalent to the explicit definition above (in fact, as shown below, only the first two axioms of the implicit axiomatisation are needed). Note that a similar move could not be made in KAD, since the explicit definition (3) relies on the lack of the right annihilation axiom for .

Theorem 2. For any guard g and any isotone x in the carrier set of a dndRAn, x satisfies
xx = x and (5)
g  (gx) (6)
if and only if
x = x⊥  1. (7)

Proof. The first two axioms of  can be replaced by the equivalence
gx  x ⇔ g  x. (8)

This can be proved by reusing the proofs from [8]. Uniqueness of x then follows from the principle of indirect equality and (8). Then it suffices to show that the right-hand side of the explicit definition satisfies (5–6). This is verified by
(x⊥  1)x  x
⇔ {axiom}
x⊥x  x  x
⇔ {axioms}
x⊥  x  x1  x
⇐ {isotony}
⊥1
⇔ {⊥ bottom element}
True
and
g  gx⊥  1
⇔ {Corollary 1}
g⊥  1  gx⊥  1
⇔ {axiom}
g⊥⊥  1  gx⊥  1
⇐ {isotony}
⊥x
⇔ {⊥ bottom element and left annihilator}
True
which proves the proposition. 


Moreover, in contrast to the domain operator of [8], the compositionality property
(xy) = (xy) (9)
can be shown to always hold for the enabledness operator in a dndRAn (in [20] this was taken as an axiom of ):
(xy) = (xy)
⇔ {definitions}
xy⊥  1 = x(y⊥  1)⊥  1
⇔ {axiom}
xy⊥  1 = x(y⊥⊥  ⊥)  1
⇔ {⊥ bottom element}
xy⊥  1 = xy⊥  1
⇔ {reflexivity}
True.
Using the explicit definition, the properties
(x  y) = x  y and (10)
(x  y) = x  y (11)

can be proved by the calculations
(x  y) = (x  y)⊥  1 = (x⊥  y⊥)  1 = (x⊥  1)  (y⊥  1) = x  y
and
(x  y) = (x  y)⊥  1 = x⊥  y⊥  1  1 = x⊥  1  y⊥  1 = x  y
respectively. From this, isotony of enabledness
x  y ⇒ x  y (12)
easily follows.
The termination operator τ is a mapping from isotone elements to the set of assertions defined by
τx = x  1.
It binds as tightly as . The intuition is that the operator τ applied to a program denotes those states from which the program is guaranteed to terminate, that is, states from which it will not abort. Analogously to the enabledness operator, it can be shown that x  1 is an assertion with complement ¬x  1, so τ is well-defined. Moreover, using similar reasoning as above, it can also be shown that τ can equivalently be defined by
τxx = x and (13)
τ(px)  p. (14)
That τ satisfies the properties
τ(x  y) = τx  τy, (15)
τ(x  y) = τx  τy and (16)
x  y ⇒ τx  τy (17)
can be proved as for enabledness.

4.2 A Predicate-Transformer Model and a Digression



In [5] the miracle guard is defined by ¬( q∈℘(Σ) S.q) and the abortion guard by q∈℘(Σ) S.q. Intuitively, the miracle guard is a predicate that holds in a state σ ∈ Σ if and only if the program S is guaranteed not to perform a miracle, that is, S does not establish every postcondition starting in σ. The abortion guard holds in a state σ ∈ Σ if and only if the program S will always terminate starting in σ, that is, it will establish some postcondition when starting in σ. When S is isotone the least S.q is S.∅ and the greatest is S.Σ, so the miracle guard can be written ¬(S.∅) and the abortion guard S.Σ.
A predicate-transformer interpretation of x is [¬S.∅], when x is interpreted
as the predicate transformer S. The termination operator τ x is interpreted as
{S.Σ}. The enabledness operator and the termination operator thus correspond

to the miracle guard and the abortion guard of [5], respectively, but lifted to
predicate-transformer level. That the interpretation is sound is seen by the fact
that [¬S.∅] = S; abort  1 and {S.Σ} = S; magic  1.
The following is a slight digression. What we did above was to turn the miracle and abortion guards into a guard and an assertion (in the predicate-transformer and the abstract-algebraic sense), respectively, since predicate transformers make up our concrete carrier set in this model. There is, however, another way of lifting the miracle and the abortion guard to the predicate-transformer level which is closer to their original definition. This is done by setting the miracle guard to be ¬S⊥ and the termination guard to be S. This interpretation does not, however, satisfy the respective axioms of enabledness and termination, so the connection to KAD is lost. Nonetheless, in certain applications the possibility to work with the miracle and abortion guard without turning them into a guard and an assertion could prove useful.
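The following Python script is an added example, not code from Solin's paper: it builds the predicate-transformer model of Sections 2.2, 3.2 and 4.2 over a constructed four-state Σ and checks the identities stated there by brute force over all predicates. Where the meet/join glyphs of the text did not survive extraction (Corollary 1, Proposition 3, the definition of the enabledness operator) the script uses the reading of demonic meet or angelic join that the set-level identities force; that reading is an assumption, and the checks are what confirm it.

```python
"""Finite predicate-transformer model of the dndRAn (added example).

Sigma is a constructed four-state set; a predicate transformer is a function
from subsets of Sigma to subsets of Sigma, and every identity below is checked
by brute force over the whole of P(Sigma).
"""
from itertools import combinations

SIGMA = frozenset({0, 1, 2, 3})  # constructed state space

# every predicate over SIGMA, i.e. the whole powerset
PRED = [frozenset(c) for r in range(len(SIGMA) + 1)
        for c in combinations(sorted(SIGMA), r)]

# the three named predicate transformers of Section 2.2
def abort(q): return frozenset()
def magic(q): return SIGMA
def skip(q): return q

# the binary operators of Section 2.2
def demonic(S, T): return lambda q: S(q) & T(q)   # demonic choice: S.q ∩ T.q
def angelic(S, T): return lambda q: S(q) | T(q)   # angelic choice: S.q ∪ T.q
def neg(S):        return lambda q: SIGMA - S(q)  # negation: (S.q)^C
def seq(S, T):     return lambda q: S(T(q))       # composition: S.(T.q)

# Section 3.2: guards and assertions
def guard(p):     return lambda q: (SIGMA - p) | q   # [p].q = p^C ∪ q
def assertion(p): return lambda q: p & q             # {p}.q = p ∩ q

def equal(S, T):   return all(S(q) == T(q) for q in PRED)
def refines(S, T): return all(S(q) <= T(q) for q in PRED)  # S is refined by T

def is_isotone(S):
    return all(S(p) <= S(q) for p in PRED for q in PRED if p <= q)
def is_conjunctive(S):
    return all(S(p & q) == S(p) & S(q) for p in PRED for q in PRED)
def is_disjunctive(S):
    return all(S(p | q) == S(p) | S(q) for p in PRED for q in PRED)
def is_functional(S):
    return is_conjunctive(S) and is_disjunctive(S)

# Section 4: explicit definitions. Assumption: enabledness is x⊥ joined
# angelically with 1 (this is what [¬S.∅] = S;abort ... 1 forces), while
# termination is x⊤ met demonically with 1.
def enabledness(S): return angelic(seq(S, abort), skip)
def termination(S): return demonic(seq(S, magic), skip)

# Section 4.2: the miracle and abortion guards of Back and von Wright, lifted
def miracle_guard(S):  return guard(SIGMA - S(frozenset()))   # [¬S.∅]
def abortion_guard(S): return assertion(S(SIGMA))             # {S.Σ}

def demonic_update(rel, aborting):
    """Weakest-precondition transformer of a constructed relational program.

    A state in `aborting` aborts; otherwise the program demonically picks a
    successor in `rel`; a state with no successor terminates miraculously.
    """
    def S(q):
        return frozenset(s for s in SIGMA if s not in aborting
                         and all(t in q for (u, t) in rel if u == s))
    return S

# constructed programs: PROG chooses 1 or 2 from 0, loops at 1, is disabled
# (miraculous) at 2 and aborts at 3; PROG2 is a deterministic permutation
PROG = demonic_update({(0, 1), (0, 2), (1, 1)}, aborting={3})
PROG2 = demonic_update({(0, 3), (1, 2), (2, 0), (3, 1)}, aborting=set())

def check_guard(p):
    """Section 3.2 and Theorem 1 for the guard [p] and its complement."""
    g, gbar = guard(p), guard(SIGMA - p)
    return (is_functional(g)
            and equal(seq(g, gbar), magic)                 # g ; gbar = magic
            and equal(demonic(g, gbar), skip)              # g met gbar = 1
            and equal(angelic(seq(g, abort), skip), g)     # Corollary 1
            and equal(demonic(seq(gbar, abort), skip), assertion(p))  # g°
            and equal(angelic(seq(assertion(SIGMA - p), magic), skip), g))

def check_explicit_definitions(S):
    """Section 4.2: the explicit operators agree with the lifted guards."""
    return (equal(enabledness(S), miracle_guard(S))
            and equal(termination(S), abortion_guard(S)))

def nondeterminism_profile():
    """A conjunctive program stays isotone but loses conjunctivity under
    angelic choice, as Section 2.1 says of isotone elements."""
    both = angelic(PROG, PROG2)
    return (is_conjunctive(PROG), is_disjunctive(PROG),
            is_isotone(both), is_conjunctive(both))

if __name__ == "__main__":
    print(all(check_guard(p) for p in PRED), check_explicit_definitions(PROG))
    print(sorted(enabledness(PROG)(frozenset())), nondeterminism_profile())
```

The states returned by `enabledness(PROG)(frozenset())` are exactly those in which PROG is disabled, i.e. where the guard is miraculous rather than skipping.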

4.3 Expressing Relations Between Programs


The enabledness and the termination operator can be used to express relations
between programs [20]. We list here some examples of the use of the first-
mentioned operator. First note that x is a guard that skips in those states
where x is disabled.
A program x excludes a program y if whenever x is enabled y is not. This can
be formalised by saying that x is equal to first executing a guard that checks
that y is disabled and then executing x: x = yx. A program x enables y if y
is enabled after having executed x: x = xy. Similarly as above x disables y if
x = xy. The exclusion condition will be used in the application of the next
section.

5 A Small Application: Action-System Decomposition


Action systems comprise a formalism for reasoning about parallel programs [2,4]. The intuition is that an action system do x1 [] . . . []xn od is an iteration of a demonic choice x0 · · ·xn between a fixed number of demonically nondeterministic actions, x0 , . . . , xn , that terminates when none of them are any longer enabled. In dndRAn, an action system can be expressed as (x0  · · ·  xn )ω (x0 ) . . . (xn ) where x0 , . . . , xn are conjunctive. The actions are thus iterated, expressed with the strong iteration operator, until none of them is any longer enabled, expressed with the enabledness operator.
An action system can be decomposed so that the order of execution is clearly expressed: if x excludes y, i.e. x = yx, then
(x  y)ω x y = y ω y(xy ω y)ω (xy ω y).
Note that (xy ω y)ω (xy ω y) is of the form z ω z.

Action-system decomposition has been shown by Back and von Wright using
predicate transformer reasoning [6]. We now prove this axiomatically. We begin
by an outer derivation, collecting assumptions as needed:

(x  y)ω x y
= {(2)}
y ω (xy ω )ω x y
= {assumption}
y ω (yxy ω )ω x y
= {guards Boolean algebra}
y ω (yxy ω )ω y x
= {leapfrog, conjunctivity}
y ω y(xy ω y)ω x
= {collect: if x = (xy ω y)}
y ω y(xy ω y)ω (xy ω y).

The collected assumption is then, in turn, proved by two refinements. First we refine the left term into the right by (setting z = y ω y)

x  (xz)
⇔ {definitions}
x⊥  1  xz⊥  1
⇐ {isotony}
⊥  z⊥
⇔ {⊥ bottom element}
True

and then the right into the left by

(xy ω y)  x
⇔ {definition}
xy ω y⊥  1  x⊥  1
⇐ {isotony}
y ω y⊥  ⊥
⇐ {induction}
y⊥  y⊥  ⊥
⇔ {definition and (4)}
y⊥  (¬y⊥  1)⊥  ⊥
⇔ {axioms}
y⊥  (¬y⊥  ⊥)  ⊥
⇔ {⊥ bottom element}
y⊥  ¬y⊥  ⊥
⇔ {axiom}
(y  ¬y)⊥  ⊥
⇔ {axioms}
True.

Using the implicit definition without the negation operator, the first refinement
of the assumption can also easily be proved [20], but the second refinement seems
to require some additional axioms for the enabledness operator (see below).

6 Leaving Out the Negation


This section contains some remarks on a dually nondeterministic refinement algebra without negation. The algebra was suggested by von Wright in [21,22], but without the strong angelic iteration. The negation operator with its axiom is dropped and we strengthen the axioms so that all elements are isotone by adding the axioms x(y  z)  xy  xz and xy  xz  x(y  z). The structure over (, ; , , 1) is thus a left semiring [17]. Dropping the negation means that we no longer have a Boolean algebra; however, we have a complete bounded distributive lattice over (, , ⊥, ). The spelled out axiomatisation over the signature (, , ; ,ω ,† , ⊥, , 1) is thus given by the following:

x  (y  z) = (x  y)  z x  (y  z) = (x  y)  z
xy =yx xy = yx
x=x x⊥ = x
xx=x xx =x
x  (y  z) = (x  y)  (x  z) x  (y  z) = (x  y)  (x  z)
x(yz) = (xy)z
1x = x
x1 = x
x = 
⊥x = ⊥
x(y  z)  xy  xz x(y  z)  xy  xz
(x  y)z = xz  yz (x  y)z = xz  yz
xω = xxω  1 x† = xx†  1
xz  y  z ⇒ xω y  z z  xz  y ⇒ z  x† y

Since the isotone predicate transformers are closed under union, they constitute a predicate-transformer model for the algebra under the interpretation given in Section 2.2.
By examining the proofs of Section 3, it is clear that the results regarding guards and assertions can be re-proved without the negation operator. On the other hand, it seems to us that the enabledness operator cannot be cast in the explicit form, since we cannot express the complement ¬x⊥  1 of x⊥  1 and this is needed for showing that x⊥  1 actually is a guard. Analogously, the termination operator cannot be given an explicit definition either. Thus, the operators have to be axiomatised along the lines of [20]. The termination operator is axiomatised by
x = τxx, (18)
τ(g◦x)  g◦, (19)

τ(xτy) = τ(xy) and (20)
τ(x  y) = τx  τy, (21)

and the enabledness operator by


xx = x, (22)
g  (gx), (23)
(xy) = (xy) and (24)
(x  y) = x  y. (25)
The last axiom for  was not given in [20], since in that framework angelic choice is not even present. We conjecture that (21) and (25) are independent of the other axioms of their respective operators.
In [20] it is noted that to prove action-system decomposition an additional axiom for the enabledness operator seems to be required: x⊥ = x⊥. The addition of the angelic choice operator does not seem to facilitate a proof. Due to this, the proof of action-system decomposition does not follow as neatly as when the negation operator is at hand. Dually, it is possible that τx = x needs to be postulated for some specific purpose.
The dually nondeterministic refinement algebra without negation thus gives a cleaner treatment of iteration, but as a drawback the enabledness and the termination operators start crackling.

7 Concluding Remarks
We have proposed a dually nondeterministic refinement algebra with a negation
operator for reasoning about program refinement and applied it to proving a
rather humble property of action systems. The negation operator facilitates use-
ful explicit definitions of the enabledness and the termination operators and it
is a powerful technical tool. It is, however, antitone, which perhaps makes the
reasoning a bit more subtle. When dropping the negation operator, but keeping
the angelic choice, guards and assertions can still be defined in terms of each
other, whereas the enabledness and termination operators no longer can be given
explicit definitions.
Finding more application areas of this refinement algebra is one of our intentions. Applications that genuinely include angelic nondeterminism (here it only comes into play indirectly via the definition of enabledness) form a field where the algebra could be put to use. The strong angelic iteration and the termination operator beg for application. A systematic investigation striving towards a collection of calculational rules is yet to be done.

Acknowledgements. Thanks are due to Orieta Celiku, Peter Höfner, Linas Laibinis, Bernhard Möller, Ville Piirainen, Joakim von Wright and the anonymous referees for stimulating discussions, helpful suggestions, and careful scrutiny.

References
1. R.-J. Back. Correctness Preserving Program Refinements: Proof Theory and Applications, volume 131 of Mathematical Centre Tracts. Mathematical Centre, Amsterdam, 1980.
2. R.-J. Back and R. Kurki-Suonio. Decentralization of Process Nets with Centralized Control. In 2nd ACM SIGACT-SIGOPS Symp. on Principles of Distributed Computing, ACM, Montreal, Quebec, Canada, 1983.
3. R.-J. Back and J. von Wright. Duality in specification languages: A lattice theoretical approach. Acta Informatica, 27(7), 1990.
4. R.-J. Back and K. Sere. Stepwise refinement of action systems. Structured Programming, 12, 1991.
5. R.-J. Back and J. von Wright. Refinement Calculus: A Systematic Introduction. Springer-Verlag, 1998.
6. R.-J. Back and J. von Wright. Reasoning algebraically about loops. Acta Informatica, 36, 1999.
7. M. Broy and G. Nelson. Adding Fair Choice to Dijkstra's Calculus. ACM Transactions on Programming Languages and Systems, 16(3), 1994.
8. J. Desharnais, B. Möller and G. Struth. Kleene algebra with domain. Technical Report 2003-7, Universität Augsburg, Institut für Informatik, 2003.
9. E.W. Dijkstra. A Discipline of Programming. Prentice-Hall International, 1976.
10. R.W. Floyd. Nondeterministic algorithms. Journal of the ACM, 14(4), 1967.
11. P.H. Gardiner and C.C. Morgan. Data refinement of predicate transformers. Theoretical Computer Science, 87(1), 1991.
12. D. Kozen. A Completeness Theorem for Kleene Algebras and the Algebra of Regular Events. Inf. Comput., 110(2), 1994.
13. D. Kozen. Automata and Computability. Springer-Verlag, 1997.
14. D. Kozen. Kleene algebra with tests. ACM Transactions on Programming Languages and Systems, 19(3), 1997.
15. G. Nelson. A Generalization of Dijkstra's Calculus. ACM Transactions on Programming Languages and Systems, 11(4), 1989.
16. C.C. Morgan. Programming from Specifications (2nd edition). Prentice-Hall, 1994.
17. B. Möller. Lazy Kleene algebra. In D. Kozen (ed.): Mathematics of Program Construction, LNCS 3125, Springer, 2004.
18. A.C.A. Sampaio. An Algebraic Approach To Compiler Design. World Scientific, 1997.
19. K. Solin. An Outline of a Dually Nondeterministic Refinement Algebra with Negation. In Peter Mosses, John Power, and Monika Seisenberger (eds.): CALCO Young Researchers Workshop 2005, Selected Papers. Univ. of Wales, Swansea, Technical Report CSR 18-2005, 2005.
20. K. Solin and J. von Wright. Refinement Algebra with Operators for Enabledness and Termination. Accepted to MPC 2006.
21. J. von Wright. From Kleene algebra to refinement algebra. In E.A. Boiten and B. Möller (eds.): Mathematics of Program Construction, volume 2386 of Lecture Notes in Computer Science, Germany, Springer-Verlag, 2002.
22. J. von Wright. Towards a refinement algebra. Science of Computer Programming, 51, 2004.
On the Fixpoint Theory of Equality and Its Applications

Andrzej Szałas1,2 and Jerzy Tyszkiewicz3

1 Dept. of Computer and Information Science, Linköping University, SE-581 83 Linköping, Sweden, [email protected]
2 The University of Economics and Computer Science, Olsztyn, Poland
3 Institute of Informatics, University of Warsaw, ul. Banacha 2, 02-097 Warsaw, Poland, [email protected]

Abstract. In the current paper we first show that the fixpoint theory of equality is decidable. The motivation behind considering this theory is that second-order quantifier elimination techniques based on a theorem given in [16], when successful, often result in such formulas. This opens many applications, including automated theorem proving, static verification of integrity constraints in databases as well as reasoning with weakest sufficient and strongest necessary conditions.

1 Introduction

In this paper we investigate the fixpoint theory of equality, FEQ, i.e., the classical first-order theory with equality as the only relation symbol, extended by allowing least and greatest fixpoints. We show that FEQ is decidable.
The motivation behind considering this theory follows from important applications naturally appearing in artificial intelligence and databases. Namely, we propose a technique, which basically depends on expressing some interesting properties as second-order formulas with all relation symbols appearing in the scope of second-order quantifiers, then on eliminating second-order quantifiers, if possible, and obtaining formulas expressed in the theory FEQ and finally, on reasoning in FEQ.
Second-order formalisms are frequent in knowledge representation. On the other hand, second-order logic is too complex1 to be directly applied in practical reasoning. The proposed technique allows one to reduce second-order reasoning to fixpoint calculus for a large class of formulas and then to apply the decision procedure for FEQ.
To achieve our goal we first introduce a logic with simultaneous least fixpoints (Section 2) and then define the theory FEQ, prove its decidability and estimate the complexity of reasoning (see Section 3). Next, in Section 4, we recall the fixpoint theorem of [16]. Then we discuss some applications of the proposed technique in automated theorem proving (Section 5.1), static verification of integrity constraints in deductive databases

Supported in part by the grants 3 T11C 023 29 and 4 T11C 042 25 of the Polish Ministry of Science and Information Society Technologies.
1 It is totally undecidable over arbitrary models and PSPACE-complete over finite models.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 388–401, 2006.
© Springer-Verlag Berlin Heidelberg 2006
On the Fixpoint Theory of Equality and Its Applications 389

(Section 5.2) and reasoning with weakest sufficient and strongest necessary conditions as considered in [12,7] (Section 5.3).
To the best of our knowledge, the method proposed in Section 5.1 is original. The method discussed in Section 5.2 substantially extends the method of [9] by allowing recursive rules in addition to the relational databases considered in [9]. The method presented in Section 5.3 shows a uniform approach to various forms of reasoning important in many artificial intelligence applications.

2 Fixpoint Logic

In this paper we deal with classical first-order logic (FOL) and the simultaneous least fixpoint logic (SLFP) with equality as a logical symbol, i.e., whenever we refer to the empty signature, we still allow the equality symbol within formulas.
We assume that the reader is familiar with FOL and define below the syntax and semantics of SLFP.
Many of the notions of interest for us are syntax independent, so the choice of a syntactical representation of a particular semantics of fixpoints is immaterial. In this semantical sense the logic we consider has been introduced by Chandra and Harel in [5,4]. However, here we use a different syntax. A number of different definitions of SLFP, though of the same expressive power, can be found in the literature. All of them allow iterating a FOL formula up to a fixpoint. The difference is in the form of iteration.

Definition 2.1. A relation symbol R occurs positively (respectively negatively) in a formula A if it appears under an even (respectively odd) number of negations.2
A formula A is positive w.r.t. relation symbol R iff all occurrences of R in A are positive. A formula A is negative w.r.t. relation symbol R iff all occurrences of R in A are negative.

Definition 2.2. Let ϕi (R1 , . . . , R , x̄i , ȳi ), for i = 1, . . . , , be FOL formulas, where
x̄i and ȳi are all free first-order variables of ϕi , | x̄i | = ki , none of the x’s is among
the y’s and where, for i = 1, . . . , , Ri are ki -argument relation symbols, all of whose
occurrences in ϕ1 , . . . , ϕ are positive. Then the formula
SLFP[R1 (x̄1 ) ≡ ϕ1 (R1 , . . . , R , x̄1 , ȳ1 ), . . . , R (x̄ ) ≡ ϕ (R1 , . . . , R , x̄ , ȳ )]
is called a simultaneous fixpoint formula (with variables x̄1 , . . . , x̄ , ȳ1 . . . , ȳ free). In the rest of the paper we often abbreviate the above formula by SLFP[R̄ ≡ ϕ̄].
Let σ be a signature. Then the set of SLFP formulas over σ is inductively defined as
the least set containing formulas of FOL over σ, closed under the usual syntax rules of
first-order logic and applications of simultaneous least fixpoints. 

Note that according to the above rules, the fixpoint operators cannot be nested in SLFP; however, it is permitted to use boolean combinations of fixpoints, as well as to quantify variables outside of them.
2 It is assumed here that all implications of the form p → q are substituted by ¬p ∨ q and all equivalences of the form p ≡ q are substituted by (¬p ∨ q) ∧ (¬q ∨ p).
390 A. Szałas and J. Tyszkiewicz

FOLk and SLFPk stand for the sets of those formulas in FOL and SLFP, respectively, in which only at most k distinct first-order variable symbols occur.
For a structure A, by A we denote the domain of A. By Ak we denote the k-fold cartesian product A × . . . × A. By ω we denote the set of natural numbers.
We assume the standard semantics of FOL. For SLFP we need a semantical rule concerning the semantics of the formula SLFP[R̄ ≡ ϕ̄].
Further on x̄ : ā, R1 : Φ1 , . . . , R : Φ denotes a valuation assigning ā to x̄ and Φi to
Ri , for i = 1, . . . , . The values of the remaining variables play the rôle of parameters
and are not reflected in the notation.
Given a structure $\mathcal{A}$, we define the sequence $(\bar\Phi^\alpha) = (\Phi^\alpha_1, \ldots, \Phi^\alpha_\ell)$ indexed by ordinals $\alpha$, by the following rules,

$$\Phi^0_i = \emptyset \quad \text{for } i = 1, \ldots, \ell$$

$$\Phi^{\alpha+1}_i = \{\bar b \in A^{k_i} \mid \mathcal{A}, \bar x_i : \bar b, R_1 : \Phi^\alpha_1, \ldots, R_\ell : \Phi^\alpha_\ell \models \varphi_i\} \quad \text{for } i = 1, \ldots, \ell$$

$$\Phi^\alpha_i = \bigcup_{\beta < \alpha} \Phi^\beta_i \quad \text{for } i = 1, \ldots, \ell, \text{ when } \alpha \text{ is a limit ordinal.}$$

Since each $\varphi_i$ is positive in all the $R_j$'s, a simple transfinite induction shows that the sequence $(\bar\Phi^\alpha)$ is ascending in each of the coordinates.
Let $\bar\Phi^\infty = \langle \Phi^\infty_1, \ldots, \Phi^\infty_\ell \rangle \overset{\mathrm{def}}{=} \langle \bigcup_\alpha \Phi^\alpha_1, \ldots, \bigcup_\alpha \Phi^\alpha_\ell \rangle$. Then we define

$$\mathcal{A}, \bar x_i : \bar a_i \models \mathrm{SLFP}[\bar R \equiv \bar\varphi] \quad \text{iff} \quad \bar a_i \in \Phi^\infty_i \quad \text{for } i = 1, \ldots, \ell.$$

3 Fixpoint Theory of Equality


3.1 The Main Results

Before proceeding, we introduce the main tools.
Below by A(x̄)[t̄] we mean the application of A(x̄) to terms (or, depending on the context, to domain values) t̄.

Definition 3.1. Let A, B be two structures over a common signature. We write A ≡k B iff A and B cannot be distinguished by any FOLk sentence, i.e., when for every sentence ϕ of first-order logic with k variables, A |= ϕ iff B |= ϕ.
For two tuples ā ∈ Ak and b̄ ∈ Bk we write A, ā ≡k B, b̄ iff those tuples cannot be distinguished by any FOLk formula in A and B, i.e., when for every formula ϕ(x̄) ∈ FOLk, A |= ϕ[ā] iff B |= ϕ[b̄].

Another fact that we will need is a characterization of the expressive power of FOLk in terms of an infinitary Ehrenfeucht-Fraïssé-style pebble game. This game characterizes the expressive power of the logic we have introduced in the sense formulated in Theorem 3.3 of [3,8,17].

Definition 3.2 (The Game).

Players, board and pebbles. The game is played by two players, Spoiler and Duplicator, on two σ-structures A, A with two distinguished tuples ā ∈ Ak and ā ∈ A . There are k pairs of pebbles: (1, 1 ), . . . , (k, k ). Pebbles without primes are intended to be placed on elements of A, while those with primes on elements of A .
Initial position. Initially, the pebbles are located as follows: pebble i is located on ai, and pebble i is located on ai, for i = 1, . . . , k.
Moves. In each of the moves of the game, Spoiler is allowed to choose one of the structures and one of the pebbles placed on an element of that structure and move it onto some other element of the same structure. Duplicator must place the other pebble from that pair on some element in the other structure so that the partial function from A to A mapping x ∈ A on which pebble i is placed onto the element x ∈ A on which pebble i is placed and constants in A onto the corresponding constants in A , is a partial isomorphism. Spoiler is allowed to alternate between the structures as often as he likes, when choosing elements.
Who wins? Spoiler wins if Duplicator does not have any move preserving the isomorphism. We say that Duplicator has a winning strategy if he can play forever despite the moves of Spoiler, preventing him from winning.

Theorem 3.3. Let A, B be any two structures of a common signature. Then Duplicator
has a winning strategy in the game on A, ā and B, b̄ iff A, ā ≡k B, b̄. 

Henceforth we restrict our attention to the theory and models of pure equality. Let for
a cardinal number m the symbol Em stand for the only (up to isomorphism) model of
pure equality of cardinality m.
The following theorem can easily be proved using Theorem 3.3.
Theorem 3.4. Let k ∈ ω. Then for any cardinal numbers m, n ≥ k and any two tuples
ā, b̄ of length k over Em and En , respectively, Em , ā ≡k En , b̄ if and only if for every
i, j ≤ k the equivalence ai = aj ≡ bi = bj holds. 

Proof. By Theorem 3.3 it suffices to prove that the Duplicator has a winning strategy in the game iff for every i, j ≤ k, ai = aj ≡ bi = bj.
If the equivalence does not hold, then certainly the Duplicator has already lost at the beginning. In turn, if it does, then the initial position has the required isomorphism, and this can be preserved by the Duplicator, since the structures have at least as many elements as the number of pebbles, so the Duplicator can mimic any move of the Spoiler.

Henceforth if the equivalence ai = aj ≡ bi = bj holds for every i, j ≤ k for two tuples ā, b̄ of length k, we will write ā ≡k b̄. Note that already in Ek there are tuples which are representatives of all the equivalence classes of ≡k.
Definition 3.5. The quantifier rank of a formula α, denoted by r(α), is defined inductively by setting r(α) =def 0 when α contains no quantifiers, r(¬α) =def r(α), for any binary propositional connective ◦, r(α ◦ β) =def max{r(α), r(β)}, and r(∃α) =def r(∀α) =def r(α) + 1. 

An important result is the following theorem, provided in [10, Theorem 2.7].

Theorem 3.6. Let 0 < n ∈ ω and let all the first-order formulas ϕi in an SLFP formula SLFP[R̄ ≡ ϕ̄] have at most k free variables and be of quantifier rank at most d. Then, over the empty signature,³ each component Φ^n_i is definable by a first-order formula with at most k variables and of quantifier rank at most dn, i.e., for any 0 < n ∈ ω there are formulas ϕ^n_i of FOLk, one for each component i, of quantifier rank ≤ dn such that for any structure A over the empty signature, Φ^n_i = {ā ∈ A^{k_i} | A, x̄_i : ā |= ϕ^n_i(x̄_i)}. 

Next, an application of Theorem 3.4 together with the previous results yields the following consequence.
Corollary 3.7. Let 0 < k ∈ ω. If A is a model of pure equality of cardinality at least k, ā ∈ A^k, and ϕ(x̄) ∈ SLFPk, then A |= ϕ[ā] iff Ek |= ϕ[ā′], where ā′ ≡k ā.

Proof. First, we claim that every subformula of ϕ of the form SLFP[R̄ ≡ ϕ̄] can be substituted by an FOLk formula, equivalent to the former both in A and Ek.
Indeed, in Ek the sequence of stages (Φ̄^α) = (Φ^α_i)_i reaches a fixpoint in a finite number of iterations, say K, i.e., Φ̄^∞ = Φ̄^K. The reason is that this sequence is ascending in each of the coordinates, and each coordinate for each α is a subset of a fixed, finite set. Therefore

Ek |= ∀x̄ ⋀_i [ϕ^K_i(x̄) ≡ ϕ^{K+1}_i(x̄)],

where the conjunction ranges over all components i and the ϕ^K_i(x̄) are the formulas from Theorem 3.6. A is isomorphic to some Em for some m ≥ k, so by Theorem 3.4,

A |= ∀x̄ ⋀_i [ϕ^K_i(x̄) ≡ ϕ^{K+1}_i(x̄)].

This sentence asserts that the iteration of SLFP[R̄ ≡ ϕ̄] stops in A after at most K steps, too. It is now routine to use the FOLk formulas ϕ^K_i(x̄) to replace SLFP[R̄ ≡ ϕ̄] in ϕ.
Our claim has been proven. So let ϕ′ ∈ FOLk be equivalent to ϕ in both A and Ek, and obtained by the substitution of all fixpoints of ϕ by their FOLk-equivalents. Now by Theorem 3.4 it follows that A |= ϕ′[ā] iff Ek |= ϕ′[ā′], where ā′ ≡k ā, and this carries over to the formula ϕ, as desired. 

3.2 The Complexity


Now we turn to the problem of satisfiability of SLFP formulas over the empty signature. This means that equality is still the only predicate allowed in formulas.
By the results of the previous section, we have the following equivalence:

Theorem 3.8. A formula ϕ of SLFPk is satisfiable if and only if it is satisfiable in one of the structures E1, …, Ek.
³ Recall that equality is still allowed, since it is a logical symbol.

Proof. Indeed, any structure over the empty signature is isomorphic to one of the form
Em , and since Em ≡k Ek , the equivalence follows. 

This suggests the following algorithm for testing satisfiability of fixpoint formulas over the empty signature: for a given formula ϕ(x̄) ∈ SLFPk we test whether it is satisfied by A, ā, where A ranges over all (pure equality) structures of cardinality at most k and ā ranges over all equality types of vectors of length |x̄| of elements from A.
Concerning the complexity of this procedure, the number of structures to be tested is linear in k. The number of iterations of any fixpoint in SLFPk is bounded by a polynomial in B(k) whose degree is the maximal number of formulas whose simultaneous fixpoint is used, where B(n) is the n-th Bell number. Indeed, B(k) is the number of ≡k-equivalence classes. Thus computing the fixpoints literally, according to the definition, takes time bounded by a polynomial in B(k), and computing the first-order constructs increases this by only a polynomial factor.
Therefore the algorithm we obtained is of exponential complexity.
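The following Python is an added illustration, not part of the paper, of Theorem 3.4 and of the counting behind the complexity estimate above: it computes the equality type of a tuple (the canonical representative of its ≡k class, which is itself a tuple over Ek), checks the ≡k condition directly as a partial isomorphism between the two tuples, and confirms that the number of classes realised by k-tuples over Ek is the Bell number B(k) while Em with m < k realises fewer. The function names and the encoding of Em as {0, …, m−1} are ours.

```python
"""Equality types of k-tuples over pure equality (Theorem 3.4) and the count
B(k) of ≡_k classes used in the complexity estimate of Section 3.2.
Constructed illustration; E_m is modelled as the domain {0, ..., m-1}."""
from itertools import product


def equality_type(tup):
    """Canonical representative of the ≡_k class of `tup`: each position is
    replaced by the index of the first position holding an equal value.
    The result is itself a k-tuple over E_k, so E_k realises every class."""
    first_seen = {}
    return tuple(first_seen.setdefault(v, len(first_seen)) for v in tup)


def is_partial_isomorphism(a, b):
    """Theorem 3.4's criterion read as a game position: the map a_i -> b_i must
    be a well-defined injective partial function, i.e. a_i = a_j iff b_i = b_j."""
    if len(a) != len(b):
        return False
    forward, backward = {}, {}
    for x, y in zip(a, b):
        if forward.setdefault(x, y) != y or backward.setdefault(y, x) != x:
            return False
    return True


def equivalent(a, b):
    """a ≡_k b iff both tuples have the same equality type."""
    return len(a) == len(b) and equality_type(a) == equality_type(b)


def equality_types_over(m, k):
    """The set of ≡_k classes realised by k-tuples of elements of E_m."""
    return {equality_type(t) for t in product(range(m), repeat=k)}


def bell(n):
    """The n-th Bell number, computed with the Bell triangle."""
    row = [1]
    for _ in range(n):
        nxt = [row[-1]]
        for x in row:
            nxt.append(nxt[-1] + x)
        row = nxt
    return row[0]


def classes_realised(k):
    """Number of ≡_k classes realised in E_1, ..., E_k; the last entry is B(k)."""
    return [len(equality_types_over(m, k)) for m in range(1, k + 1)]


if __name__ == "__main__":
    for k in range(1, 6):
        print(k, bell(k), classes_realised(k))
```

The list returned by `classes_realised(k)` grows with m until it reaches B(k) at m = k, which is the point of Theorem 3.8 below: structures larger than Ek add no new equality types, so E1, …, Ek suffice.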

4 The Fixpoint Theorem

Further on we deal with the first- and the second-order classical logic with equality.
Below we recall the theorem for elimination of second-order quantifiers, proved
in [16]. This theorem, combined with the decidability result given in Section 3.2, pro-
vides us with a powerful tool for deciding many interesting properties, as shown in
Section 5. For an overview of the related techniques see [15].
Let B(X) be a second-order formula, where X is a k-argument relational variable
and let C(x̄) be a first-order formula with free variables x̄ = x1 , . . . , xk . Then by
B[X(t̄) := C(x̄)] we mean the formula obtained from B(X) by substituting each
occurrence of X of the form X(t̄) in B(X) by C(t̄), renaming the bound variables in
C(x̄) with fresh variables.

Example 4.1. Let B(X) ≡ ∀z[X(y, z) ∨ X(f(y), g(x, z))], where X is a relational variable, and let C(x, y) ≡ ∃zR(x, y, z). Then B[X(t1, t2) := C(x, y)] is defined by

∀z[ ∃z′R(y, z, z′) ∨ ∃z′R(f(y), g(x, z), z′) ],

where the two disjuncts are C′(y, z) and C′(f(y), g(x, z)), respectively, and C′(x, y) is obtained from C(x, y) by renaming the bound variable z with z′. 

Recall that by A(x̄)[t̄] we mean the application of A(x̄) to terms t̄.


The following theorem, substantial for the applications considered in Section 5, has been provided in [16]. Below, for simplicity, we use the standard least and greatest fixpoint operators LFP and GFP rather than simultaneous fixpoints.

Theorem 4.2. Assume that formula A is a first-order formula positive w.r.t. X.

– if B is a first-order formula negative w.r.t. X then

∃X∀ȳ[A(X) → X(ȳ)] ∧ [B(X)] ≡ B[X(t̄) := LFP X(ȳ).A(X)[t̄]] (1)

– if B is a first-order formula positive w.r.t. X then

∃X∀ȳ[X(ȳ) → A(X)] ∧ [B(X)] ≡ B[X(t̄) := GFP X(ȳ).A(X)[t̄]]. (2)


Remark 4.3. Observe that, whenever formula A in Theorem 4.2 does not contain X, the resulting formula is easily reducible to a first-order formula, as in this case both LFP X(ȳ).A and GFP X(ȳ).A are equivalent to A. Thus Ackermann's lemma (see, e.g., [2,15,18]) is subsumed by Theorem 4.2. 

An online implementation of the algorithm based on the above theorem is available (see [13]). Observe that the techniques applied in that algorithm, initiated in [18] and further developed in [6], allow one to transform a large class of formulas to the form required in Theorem 4.2.
Example 4.4. Consider the following second-order formula:

∃X∀x∀y[(S(x, y) ∨ X(y, x)) → X(x, y)] ∧ [¬X(a, b) ∨ ∀z(¬X(a, z))] (3)

According to Theorem 4.2(1), formula (3) is equivalent to:

¬LFP X(x, y).(S(x, y) ∨ X(y, x))[a, b] ∨ ∀z(¬LFP X(x, y).(S(x, y) ∨ X(y, x))[a, z]). (4)

Observe that the definition of the least fixpoint appearing in (4) is obtained on the basis of the first conjunct of (3). The two disjuncts of (4) represent substitutions of ¬X(a, b) and ∀z(¬X(a, z)) of (3) by the obtained definition of the fixpoint. 

5 Applications
It can easily be observed that, whenever the elimination of all predicate variables in a formula is possible by applications of Theorem 4.2, the resulting formula is a fixpoint formula over the signature containing equality only. Thus the method applied in the next sections depends on first eliminating all relations appearing in the respective formulas and then applying reasoning in the fixpoint theory of equality.

5.1 Automated Theorem Proving


Introduction. Automated theorem proving in classical first-order logic is considered fundamental in such applications as formal verification of software⁴ and of properties of data structures, as well as in the whole spectrum of reasoning techniques appearing in AI. The majority of techniques in these fields are based on various proof systems, resolution-based ones and natural deduction among them, supplemented with algebraic methods such as term rewriting systems.
Below we propose another method, which seems to be new in the field. It is not based on any particular proof system. Instead, we first introduce second-order quantifiers in an obvious way, then try to eliminate them and, if this is successful, use the decision procedure for the theory FEQ.
⁴ In particular, verification of logic programs, where the method we propose is applicable directly.

The Method. Let A(R1, …, Rn) be a first-order formula. It is assumed that all relation symbols appearing in this formula are R1, …, Rn, =. In order to prove that A(R1, …, Rn) is a tautology, |= A(R1, …, Rn), we prove instead that the following second-order formula

∀R1 … ∀Rn A(R1, …, Rn) (5)

is a tautology. Of course, A(R1, …, Rn) is a tautology iff (5) is a tautology. In general this problem is undecidable. However, to prove (5) we negate formula (5), eliminate the second-order quantifiers ∃R1 … ∃Rn by applying Theorem 4.2 and, if this is successful, apply the decision procedure of Section 3.2. The result is FALSE iff the original formula is equivalent to TRUE.
It should be emphasized that whenever A(R1, …, Rn) itself is second-order, we can first try to eliminate second-order quantifiers from A(R1, …, Rn) and then apply the proposed method to the resulting formula. So, in fact, we have a decision procedure for a fragment of second-order logic, too. This is important in many AI applications, e.g., in reasoning based on various forms of circumscription (see, e.g., [14,11,6]).

Example. Assume a is a constant and consider formula

∀x, y[R(x, y) → R(y, x)] → [∃zR(a, z) → ∃uR(u, a)] (6)

The proof of validity of (6) involves the following steps⁵:
— introduce second-order quantifiers over relations (here only over R):
∀R [∀x, y[R(x, y) → R(y, x)] → [∃zR(a, z) → ∃uR(u, a)]]
— negate: ∃R [∀x, y[R(x, y) → R(y, x)] ∧ ∃zR(a, z) ∧ ∀u¬R(u, a)]
— transform the formula to the form required in Theorem 4.2:
∃R [∀x, y[R(x, y) → (R(y, x) ∧ x ≠ a)] ∧ ∃zR(a, z)]
— apply Theorem 4.2(2): ∃z [GFP R(x, y).(R(y, x) ∧ x ≠ a)[a, z]].

To see that the last formula is FALSE, meaning that formula (6) is TRUE, we unfold the greatest fixpoint and obtain that
GFP R(x, y).(R(y, x) ∧ x ≠ a) ≡ (y ≠ a ∧ x ≠ a).
Thus the resulting formula is equivalent to ∃z [(y ≠ a ∧ x ≠ a)[a, z]], i.e., to ∃z [(z ≠ a ∧ a ≠ a)], which is equivalent to FALSE. This proves the validity of formula (6).
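The following Python is an added illustration, not from the paper, of the decision procedure of Section 3.2 (Theorem 3.8) applied to the last formula of this example: least and greatest fixpoints are computed by stage iteration over E1, …, Ek with the constant a ranging over the elements, the greatest fixpoint is checked against the unfolding (y ≠ a ∧ x ≠ a) given above, and (6) is reported valid because its negation is unsatisfiable. A constructed variant that drops the symmetry hypothesis of (6) shows the procedure finding a model in E2, using Remark 4.3 (a body without R is its own fixpoint). The encoding of formulas as Python callables and all function names are ours.

```python
"""Decision procedure of Section 3.2 applied to the fixpoint formula reached
in the Section 5.1 example.  Constructed example: formulas are encoded as
Python callables over the pure-equality structure E_m = {0, ..., m-1}."""
from itertools import product


def iterate(start, domain, arity, body):
    """Iterate the operator R -> {t | body(R, t)} from `start` until stable.
    For a body positive in R the stages form a chain, so this terminates on a
    finite domain.  Returns the fixpoint and the number K of iterations."""
    current, stages = start, 0
    while True:
        nxt = frozenset(t for t in product(domain, repeat=arity) if body(current, t))
        stages += 1
        if nxt == current:
            return current, stages
        current = nxt


def lfp(domain, arity, body):
    """LFP R(x̄).body: ascending chain starting from the empty relation."""
    return iterate(frozenset(), domain, arity, body)[0]


def gfp(domain, arity, body):
    """GFP R(x̄).body: descending chain starting from the full relation."""
    return iterate(frozenset(product(domain, repeat=arity)), domain, arity, body)[0]


def negated_6(domain, a):
    """∃z GFP R(x,y).(R(y,x) ∧ x ≠ a)[a, z]: the last formula of the Section 5.1
    example, i.e. the negation of (6) after quantifier elimination."""
    g = gfp(domain, 2, lambda R, t: (t[1], t[0]) in R and t[0] != a)
    return any((a, z) in g for z in domain)


def negated_6_without_symmetry(domain, a):
    """Constructed variant: drop the hypothesis ∀x,y[R(x,y) → R(y,x)] from (6).
    The negation becomes ∃R ∀x,y[R(x,y) → y ≠ a] ∧ ∃z R(a,z); as the body y ≠ a
    does not mention R, its GFP is the body itself (Remark 4.3)."""
    g = gfp(domain, 2, lambda R, t: t[1] != a)
    return any((a, z) in g for z in domain)


def satisfiable(formula, k):
    """Theorem 3.8: a formula of SLFP_k is satisfiable iff it holds in some
    E_m with m ≤ k for some choice of its constants (here one constant a)."""
    for m in range(1, k + 1):
        domain = range(m)
        if any(formula(domain, a) for a in domain):
            return True
    return False


def valid(formula_of_negation, k):
    """Section 5.1: a formula is a tautology iff its negation is unsatisfiable."""
    return not satisfiable(formula_of_negation, k)


if __name__ == "__main__":
    # The transformed formula uses the variables x, y, z, so k = 3 suffices.
    print("(6) valid:", valid(negated_6, 3))                                     # True
    print("(6) without symmetry valid:", valid(negated_6_without_symmetry, 3))  # False
```

The second run shows why the whole list E1, …, Ek has to be tried: the variant's negation is false in E1, where no z ≠ a exists, but true in E2, so the procedure must reach the structure of size two before it can reject the formula as a tautology.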

5.2 Static Verification of Integrity Constraints in Deductive Databases


Introduction. In [9] a method for static verification of integrity constraints in relational databases has been presented. According to the relational database paradigm, integrity constraints express certain conditions that should be preserved by all instances of a given database, where by an integrity constraint we understand a classical first-order formula in the signature of the database. In the existing implementations these conditions are checked dynamically during the database updates. In the case of software systems dealing with a rapidly changing environment and reacting in real time, checking integrity constraints after each update is usually unacceptable from the point of view of the required reaction time. Such situations are frequent in many artificial intelligence applications, including autonomous systems.
⁵ These steps can fully be automated, as done in [18,6] and implemented in [13].

The Method. In the method of [9] it is assumed that the database can be modified only by well-defined procedures, called transactions, supplied by database designers. In such a case the task of verification of integrity constraints reduces to the following two steps:

1. verify that the initial contents of the database satisfy the defined constraints
2. verify that all transactions preserve the constraints.

If both of the above conditions hold, a simple induction, where the first point is the base step and the second point is the induction step, shows that all possible instances of the database preserve the considered integrity constraints. Of course, the first step can be computed in time polynomial w.r.t. the size of the initial database. In what follows we therefore concentrate on the second step.
Consider a transaction which modifies relations R1, …, Rn giving as a result relations R′1, …, R′n. The second of the steps mentioned earlier reduces to verification of whether the following second-order formula is a tautology:

∀R1, …, Rn [I(R1, …, Rn) → I(R′1, …, R′n)].

The method of [9] depends on the application of Ackermann's lemma of [2], which itself is subsumed by Theorem 4.2 (see Remark 4.3). If Ackermann's lemma is successful, the resulting formula is expressed in the classical theory of equality, but the requirement is that formulas involved in integrity constraints are, among others, nonrecursive. Therefore [9] considers relational databases rather than deductive ones, which usually require recursion (see, e.g., [1]).

Definition 5.1. By an update of a deductive database DB we shall mean an expression of one of the forms ADD ē TO R or DELETE ē FROM R, where R is a k-ary relation of DB and ē is a tuple of k elements. 

The meaning of ADD and DELETE updates is rather obvious. Namely, ADD ē TO R denotes adding a new tuple ē to the relation R, whereas DELETE ē FROM R denotes deleting ē from R. From the logical point of view, the above updates are formula transformers defined as follows, where A(R) is a formula:

(ADD ē TO R)(A(R(x̄))) =def A(R(x̄) := (R(x̄) ∨ x̄ = ē))
(DELETE ē FROM R)(A(R(x̄))) =def A(R(x̄) := (R(x̄) ∧ x̄ ≠ ē)). (7)

Definition 5.2. By a transaction on a deductive database DB we shall mean any finite sequence of updates on DB. Transaction T is correct with respect to integrity constraint I(R1, …, Rk) iff the following implication:

I(R1, …, Rk) → T(I(R1, …, Rk)) (8)

is a tautology. 

Formula (8) is a tautology iff the following second-order formula is a tautology, too:

∀R1 … ∀Rk [I(R1, …, Rk) → T(I(R1, …, Rk))]. (9)

In order to eliminate the quantifiers ∀R1 … ∀Rk we first negate (9), as done in Section 5.1:

∃R1 … ∃Rk [I(R1, …, Rk) ∧ ¬T(I(R1, …, Rk))], (10)

and then try to transform formula (10) into the form suitable for application of Theorem 4.2. This transformation can be based on those given in [6,18] and considered in Section 5.1. If the decision procedure of Section 3.2, applied to (10), results in FALSE, then formula (9) and, consequently, (8) are equivalent to TRUE.

Example. Let R(x) stand for “x is rich”, C(y, x) stand for “y is a child of x”, j stand for “John” and m for “Mary”. Consider the constraint

∀x, y{[R(x) ∧ C(y, x)] → R(y)} (11)

and the transaction ADD ⟨j, m⟩ TO C; DELETE m FROM R.
To prove correctness of the transaction we first consider the formula reflecting (9),

∀C∀R [∀x, y{[R(x) ∧ C(y, x)] → R(y)} → ∀x, y{[R(x) ∧ (C(y, x) ∨ (y = j ∧ x = m))] → [R(y) ∧ y ≠ m]}]. (12)

After negating (12) and renaming variables we obtain

∃C∃R [∀x, y{[R(x) ∧ C(y, x)] → R(y)} ∧ ∃u, v{[R(u) ∧ (C(v, u) ∨ (v = j ∧ u = m))] ∧ [¬R(v) ∨ v = m]}]. (13)

Some transformations of (13) made in the spirit of the algorithms of [18,6,13] result in

∃u, v∃C∃R [∀x, y{[R(x) ∧ C(y, x)] → R(y)} ∧ [¬R(v) ∨ v = m] ∧ R(u) ∧ ∀x, y[(x = v ∧ y = u ∧ (v ≠ j ∨ u ≠ m)) → C(x, y)]].

We first eliminate ∃C which, according to Remark 4.3, results in the following formula without fixpoints

∃u, v∃R [∀x, y{[R(x) ∧ y = v ∧ x = u ∧ (v ≠ j ∨ u ≠ m)] → R(y)} ∧ [¬R(v) ∨ v = m] ∧ R(u)],

equivalent to

∃u, v∃R [∀y{[∃x[R(x) ∧ y = v ∧ x = u ∧ (v ≠ j ∨ u ≠ m)] ∨ y = u] → R(y)} ∧ [¬R(v) ∨ v = m]].

Now an application of Theorem 4.2(1) results in

∃u, v [v = m ∨ ¬LFP R(y).[∃x[R(x) ∧ y = v ∧ x = u ∧ (v ≠ j ∨ u ≠ m)] ∨ y = u]]. (14)

Applying the decision procedure of Section 3.2 shows that formula (14) is equivalent to FALSE, which proves correctness of the considered transaction.

5.3 Reasoning with Weakest Sufficient and Strongest Necessary Conditions


Introduction. Weakest sufficient and strongest necessary conditions have been introduced by Lin in [12] in the context of propositional reasoning and extended to the first-order case in [7].
Consider a formula A expressed in some logical language. Assume that one is interested in approximating A in a less expressive language, say L, which allows for more efficient reasoning. A sufficient condition of A, expressed in L, is a formula implying A, and a necessary condition of A, expressed in L, is a formula implied by A. Thus the weakest sufficient condition provides “the best” approximation of A that guarantees its satisfiability, and the strongest necessary condition provides “the best” approximation of A that still cannot exclude A, both expressed in the less expressive language.
Let us emphasize that sufficient and necessary conditions are vital for providing solutions to important problems concerning, e.g., approximate reasoning, abduction and hypotheses generation, building communication interfaces between agents, or knowledge compilation.
Below we assume that theories are finite, i.e., can be expressed by finite conjunctions of axioms.

The Method. The following are definitions for necessary and sufficient conditions of
a formula A relativized to a subset P̄ of relation symbols under a theory T , as introduced
in [12].

Definition 5.3. By a necessary condition of a formula A on the set of relation symbols P̄ under theory T we shall understand any formula B containing only symbols in P̄ such that T |= A → B. It is the strongest necessary condition, denoted by SNC(A; T; P̄), if, additionally, for any necessary condition C of A on P̄ under T, we have T |= B → C.
By a sufficient condition of a formula A on the set of relation symbols P̄ under theory T we shall understand any formula B containing only symbols in P̄ such that T |= B → A. It is the weakest sufficient condition, denoted by WSC(A; T; P̄), if, additionally, for any sufficient condition C of A on P̄ under T, we have T |= C → B.

The set P̄ in Definition 5.3 is referred to as the target language.


According to [7], we have the following characterization of weakest sufficient and strongest necessary conditions.

Lemma 5.4. For any formula A, any set of relation symbols P̄ and a closed theory T:

1. SNC(A; T; P̄) is defined by ∃X̄[T ∧ A],
2. WSC(A; T; P̄) is defined by ∀X̄[T → A],

where X̄ consists of all relation symbols appearing in T or A, but not in P̄. 

Thus, reasoning with weakest sufficient and strongest necessary conditions can again, in many cases, be reduced to FEQ. Namely, one can first try to eliminate second-order quantifiers from the second-order formulas appearing in the characterizations provided in Lemma 5.4 and then apply the method of Section 5.1.
The method is best visible in the case when we are interested in formulas of the target language implied by SNC(A; T; P̄) and implying WSC(A; T; P̄). In these cases we deal with formulas of the form ∀R̄{∃X̄[T ∧ A] → B} and ∀R̄{B → ∀X̄[T → A]}, where R̄ consists of all relation symbols appearing free in the respective formulas and B contains no relation symbols of X̄. Of course, these forms are equivalent to ∀R̄∀X̄{[T ∧ A] → B} and ∀R̄∀X̄{B → [T → A]}. Thus the proposed method applies here in an obvious manner.

Example. Consider a theory given by formula (11) of Section 5.2 and

SNC(¬R(m) ∧ R(j); (11); {C}). (15)

Suppose we are interested in verifying whether (15) implies ∃x, y¬C(y, x). According to Lemma 5.4, (15) is equivalent to

∃R[∀x, y{[R(x) ∧ C(y, x)] → R(y)} ∧ ¬R(m) ∧ R(j)],

i.e., we are interested in verifying whether

∀R∀C{[∀x, y{[R(x) ∧ C(y, x)] → R(y)} ∧ ¬R(m) ∧ R(j)] → ∃x, y¬C(y, x)}, (16)

i.e., whether

¬∃R∃C[∀x, y{C(y, x) → [R(x) → R(y)]} ∧ ¬R(m) ∧ R(j) ∧ ∀x, yC(y, x)]. (17)

According to Theorem 4.2(2), the elimination of ∃C from (17) results in

¬∃R[∀x, y[R(x) → R(y)] ∧ ¬R(m) ∧ R(j)],

which is equivalent to

¬∃R[∀y[(y = j ∨ ∃xR(x)) → R(y)] ∧ ¬R(m)]. (18)

According to Theorem 4.2(1), the elimination of ∃R from (18) results in

¬¬LFP R(y).[y = j ∨ ∃xR(x)][m].

Applying the decision procedure of Section 3.2, one can easily verify that the above formula is TRUE only when m = j.

6 Conclusions

In the current paper we have investigated the fixpoint theory of equality and have shown its applications in automating various forms of reasoning in theorem proving, deductive databases and artificial intelligence.
Since many non-classical logics can be translated into classical logic, the method is applicable to non-classical logics, too.

References
1. S. Abiteboul, R. Hull, and V. Vianu. Foundations of Databases. Addison-Wesley Pub. Co.,
1996.
2. W. Ackermann. Untersuchungen über das eliminationsproblem der mathematischen logik.
Mathematische Annalen, 110:390–413, 1935.
3. J. Barwise. On Moschovakis closure ordinals. Journal of Symbolic Logic, 42:292–296,
1977.
4. A. Chandra and D. Harel. Computable queries for relational databases. Journal of Computer
and System Sciences, 21:156–178, 1980.
5. A. Chandra and D. Harel. Structure and complexity of relational queries. Journal of Com-
puter and System Sciences, 25:99–128, 1982.
6. P. Doherty, W. Łukaszewicz, and A. Szałas. Computing circumscription revisited. Journal
of Automated Reasoning, 18(3):297–336, 1997.
7. P. Doherty, W. Łukaszewicz, and A. Szałas. Computing strongest necessary and weakest suf-
ficient conditions of first-order formulas. International Joint Conference on AI (IJCAI’2001),
pages 145 – 151, 2000.
8. N. Immerman. Upper and lower bounds for first-order expressibility. Journal of Computer
and System Sciences, 25:76–98, 1982.
9. J. Kachniarz and A. Szałas. On a static approach to verification of integrity constraints in
relational databases. In E. Orłowska and A. Szałas, editors, Relational Methods for Computer
Science Applications, pages 97–109. Springer Physica-Verlag, 2001.
10. P. Kolaitis and M. Vardi. On the expressive power of variable-confined logics. In Proc. IEEE Conf. Logic in Computer Science, pages 348–359, 1996.
11. V. Lifschitz. Circumscription. In D. M. Gabbay, C. J. Hogger, and J. A. Robinson, edi-
tors, Handbook of Artificial Intelligence and Logic Programming, volume 3, pages 297–352.
Oxford University Press, 1991.
12. F. Lin. On strongest necessary and weakest sufficient conditions. In A.G. Cohn,
F. Giunchiglia, and B. Selman, editors, Proc. 7th International Conf. on Principles of Knowl-
edge Representation and Reasoning, KR2000, pages 167–175. Morgan Kaufmann Pub., Inc.,
2000.
13. M. Magnusson. DLS*. http://www.ida.liu.se/labs/kplab/projects/dlsstar/, 2005.
14. J. McCarthy. Circumscription: A form of non-monotonic reasoning. Artificial Intelligence
Journal, 13:27–39, 1980.
15. A. Nonnengart, H.J. Ohlbach, and A. Szałas. Elimination of predicate quantifiers. In H.J.
Ohlbach and U. Reyle, editors, Logic, Language and Reasoning. Essays in Honor of Dov
Gabbay, Part I, pages 159–181. Kluwer, 1999.
16. A. Nonnengart and A. Szałas. A fixpoint approach to second-order quantifier elimination with applications to correspondence theory. In E. Orłowska, editor, Logic at Work: Essays Dedicated to the Memory of Helena Rasiowa, volume 24 of Studies in Fuzziness and Soft Computing, pages 307–328. Springer Physica-Verlag, 1998.
17. B. Poizat. Deux ou trois choses que je sais de Ln . Journal of Symbolic Logic, 47:641–658,
1982.
18. A. Szałas. On the correspondence between modal and classical logic: An automated ap-
proach. Journal of Logic and Computation, 3:605–620, 1993.
Monodic Tree Kleene Algebra

Toshinori Takai¹ and Hitoshi Furusawa²

¹ Research Center for Verification and Semantics (CVS), National Institute of Advanced Industrial Science and Technology (AIST)
² Faculty of Science, Kagoshima University

Abstract. We propose a quasi-equational sound axiomatization of regular tree languages, called monodic tree Kleene algebra. The algebra is weaker than Kleene algebra introduced by Kozen. We find a subclass of regular tree languages, for which monodic tree Kleene algebra is complete. While regular tree expressions may have two or more kinds of place holders, the subclass can be equipped with only one kind of them. Along the lines of the original proof by Kozen, we prove the completeness theorem based on determinization and minimization of tree automata represented by matrices on monodic tree Kleene algebra.

1 Introduction
A tree language is a set of first-order terms and a tree automaton is a natural extension of a finite automaton. Instead of strings, the inputs of a tree automaton are first-order terms [1]. The class of regular tree languages, which are recognized by tree automata, inherits some desirable properties including the complexity of some decision problems and closure under Boolean operations. The goal of our study is to make clear the algebraic structure of regular tree expressions.
In 1998, Ésik [2] proposed a complete axiomatization of regular tree languages based on terms with μ-operators. A μ-operator is the same as in the μ-calculus and it is not first-order. Our interest is to find a first-order axiomatization of regular tree languages. Last year, the authors proposed an essentially algebraic structure of a certain subclass of tree languages [3]. But that subclass and the class of regular tree languages are incomparable.
Although regular tree expressions and a Kleene theorem for trees have been proposed [1,4], they are rarely used in practice because the structure is too complicated. Generally, regular tree expressions have two or more multiplications, Kleene stars, and place holders. In this paper, we propose a subclass of regular tree expressions, called monodic regular tree expressions, and also propose a complete first-order axiomatization, called a monodic tree Kleene algebra, of the subclass of regular tree languages corresponding to monodic regular tree expressions. A monodic regular tree expression has at most one kind of multiplication, Kleene star, and place holder. The subclass corresponds to tree automata in which only one kind of state occurs in the left-hand side of each transition rule.
A monodic tree Kleene algebra is similar to a Kleene algebra by Kozen [5,6], and a Kleene algebra is always a monodic tree Kleene algebra. The essential difference is the lack of the right-distributivity of the multiplication over addition
R.A. Schmidt (Ed.): RelMiCS/AKA 2006, LNCS 4136, pp. 402–416, 2006.
© Springer-Verlag Berlin Heidelberg 2006

+. For example, let f be a binary function symbol and a and b be constants. Then f(□, □) and a + b are regular tree expressions with place holder □, and so is f(□, □) · (a + b). The expression f(□, □) · (a + b) is interpreted as the set of terms obtained by replacing □ with a or b, i.e. {f(a, a), f(a, b), f(b, a), f(b, b)}. On the other hand, the interpretation of f(□, □) · a + f(□, □) · b is {f(a, a), f(b, b)}. Other differences are the shapes of the right-unfold and right-induction laws. We compare the original laws with the new ones.
After giving preliminaries, we define monodic tree Kleene algebras and show some basic properties of them. In Section 4, a subclass of regular tree expressions and a subclass of tree automata are proposed, and the correspondence between them is shown via matrices. Since the proof flow of the completeness theorem is the same as the original one by Kozen [5], this paper concentrates on showing the lemmas used in the proof.

2 Preliminaries

We review some notions of the language theory on trees. After defining the syntax of regular tree expressions, we give some functions on tree languages. Using these functions, we give an interpretation function of regular tree expressions.
For a signature Σ, we denote the set of all first-order terms without variables constructed from Σ by TΣ. A tree language is a set of terms. For a signature Σ and a set Γ of substitution constants, the set RegExp(Σ, Γ) of regular tree expressions is inductively defined as follows. A substitution constant is a constant not included in the signature.

1. The symbol 0 is a regular tree expression.
2. A term in TΣ∪Γ is a regular tree expression.
3. If e1 and e2 are regular tree expressions and □ is a substitution constant, so are e1 + e2, e1 · e2 and e1^{∗□}.

Let P(S) denote the power set of a set S. We define the binary function ∘□ and the unary function ∗□ on P(TΣ∪Γ) for any □ ∈ Γ, and define tree substitutions. A tree substitution is given by a finite set of pairs of a substitution constant and a tree language. For a tree substitution θ = {(□1, L1), …, (□n, Ln)} and a term t ∈ TΣ∪Γ, define θ(t) as follows.

1. If t ∈ Γ and t = □i, then θ(t) = Li.
2. If t ∈ Γ \ {□i | 1 ≤ i ≤ n}, then θ(t) = {t}.
3. If t = f(t1, …, tn), then θ(t) = {f(t′1, …, t′n) | t′i ∈ θ(ti), 1 ≤ i ≤ n}.

For tree languages L1 and L2 and a substitution constant □, define L1 ∘□ L2 as follows. If L1 = {t}, then {t} ∘□ L2 = {(□, L2)}(t). If |L1| ≠ 1, then L1 ∘□ L2 = ∪_{t∈L1} {t} ∘□ L2. Define L^{∗□} = ∪_{j≥0} L^{j,□}, where

L^{0,□} = {□}
L^{n+1,□} = L^{n,□} ∪ L ∘□ L^{n,□}

In the book by Comon et al. [1], languages do not contain symbols in Γ. In the survey by Gécseg [4], substitution constants can be elements of languages. This paper follows the latter because substitution constants are essential in the algebraic structure, as we see later.
Using the above functions, we define an interpretation of regular tree expressions by the following function.

[[ ]] : RegExp(Σ, Γ) → P(TΣ∪Γ)

Let e be a regular tree expression.

1. [[0]] is the empty set.
2. If e ∈ TΣ∪Γ, then [[e]] = {e}.
3. If e has the form e1 + e2, then [[e1 + e2]] = [[e1]] ∪ [[e2]].
4. If e has the form e1 · e2, then [[e1 · e2]] = [[e1]] ∘□ [[e2]].
5. If e has the form e0^{∗□}, then [[e0^{∗□}]] = [[e0]]^{∗□}.

The image of the interpretation function above coincides with the class of regular tree languages [1]. Let Reg(Σ, Γ) be the set of regular tree languages on signature Σ and set Γ of substitution constants. The definition of ∗□ can be changed into L′^{∗□} = ∪_{j≥0} L′^{j,□}, where

L′^{0,□} = {□}
L′^{n+1,□} = L′^{n,□} ∘□ (L ∪ {□})

The proposition below can be shown by induction on n of L^{n,□} and L′^{n,□}.

Proposition 1. For a tree language L, L^{∗□} = L′^{∗□} holds.
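The following Python is an added illustration and not code from the paper: it implements the tree substitution θ(t), the composition L1 ∘□ L2 and both stage definitions of the star from this section, reproduces the introduction's observation that f(□, □) · (a + b) and f(□, □) · a + f(□, □) · b denote different languages, and compares the stages L^{n,□} and L′^{n,□} of Proposition 1 for a small language. The encoding of terms as nested tuples with the substitution constant as a plain string, and all function names, are ours.

```python
"""Tree substitution, composition and star of Section 2 (Takai & Furusawa),
as a constructed example.  A term is a nested tuple ("f", t1, t2) or a leaf
("a",); substitution constants are plain strings such as "□"."""
from itertools import product


def subst(t, theta):
    """θ(t) for a tree substitution θ = {□_i: L_i}: every occurrence of a
    substitution constant □_i in t is replaced, independently, by each term
    of L_i; other substitution constants and Σ-symbols stay as they are."""
    if isinstance(t, str):                    # a substitution constant
        return theta.get(t, {t})
    f, *args = t
    return {(f, *choice) for choice in product(*(subst(s, theta) for s in args))}


def compose(l1, l2, hole="□"):
    """L1 ∘_□ L2: the union over t ∈ L1 of {(□, L2)}(t)."""
    return set().union(*(subst(t, {hole: l2}) for t in l1))


def star_stage(l, n, hole="□"):
    """L^{n,□} by the first definition: L^0 = {□}, L^{n+1} = L^n ∪ L ∘ L^n."""
    stage = {hole}
    for _ in range(n):
        stage = stage | compose(l, stage, hole)
    return stage


def star_stage_alt(l, n, hole="□"):
    """L'^{n,□} by the second definition: L'^{n+1} = L'^n ∘ (L ∪ {□})."""
    stage = {hole}
    for _ in range(n):
        stage = compose(stage, l | {hole}, hole)
    return stage


# The introduction's example: f(□,□)·(a+b) versus f(□,□)·a + f(□,□)·b.
F = ("f", "□", "□")
A, B = ("a",), ("b",)


def right_distributivity_example():
    """Returns the two interpretations; they differ, so · does not
    distribute over + on the right in the tree-language model."""
    lhs = compose({F}, {A, B})
    rhs = compose({F}, {A}) | compose({F}, {B})
    return lhs, rhs


if __name__ == "__main__":
    lhs, rhs = right_distributivity_example()
    print(sorted(lhs))       # f(a,a), f(a,b), f(b,a), f(b,b)
    print(sorted(rhs))       # f(a,a), f(b,b)
    print(star_stage({F, A}, 2) == star_stage_alt({F, A}, 2))  # True
```

Because every occurrence of □ in a term is filled independently, `compose` is a union over L1 but not over L2, which is exactly the asymmetry behind axioms (8) and (9) below: (a + b)c = ac + bc holds, while a(b + c) only dominates ab + ac.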


3 Monodic Tree Kleene Algebra


In this section, we give an essentially algebraic structure of the subclass of regular
tree languages. The definition of the subclass will be shown in the next section.
After giving the axioms, we show some basic properties of the algebra.
Definition 1. A monodic tree Kleene algebra (A, +, ·, ∗, 0, 1) satisfies the following equations and Horn clauses, where · is omitted.

a + (b + c) = (a + b) + c (1)
a + b = b + a (2)
a + 0 = a (3)
a + a = a (4)
a(bc) = (ab)c (5)
1a = a (6)
a1 = a (7)
ac + bc = (a + b)c (8)
ab + ac ≤ a(b + c) (9)
0a = 0 (10)
1 + aa∗ ≤ a∗ (11)
1 + a∗(a + 1) ≤ a∗ (12)
b + ax ≤ x → a∗b ≤ x (13)
b + x(a + 1) ≤ x → ba∗ ≤ x (14)

The order is defined as a ≤ b if a + b = b.


Operators +, · and ∗ are respectively called an addition, a multiplication and a Kleene star. Axioms (11) and (12) are sometimes called unfold laws. Axioms (13) and (14), which are called induction laws, can be replaced by the following axioms, respectively.

ax ≤ x → a∗x ≤ x (15)
x(a + 1) ≤ x → xa∗ ≤ x (16)

The equivalence between (13) and (15) can be shown in the same way as for Kleene algebras. From (14) to (16): for showing xa∗ ≤ x, it is sufficient that x + x(a + 1) ≤ x holds, which follows from the assumption. From (16) to (14): we assume b + x(a + 1) ≤ x. From the assumption, b ≤ x, x(a + 1) ≤ x and hence xa∗ ≤ x hold. ba∗ ≤ x follows from b ≤ x. Remark that if x is either 0 or 1, we have the right-induction law b + ax ≤ x → ba∗ ≤ x of Kleene algebras.
We compare to the original Kleene algebras. The proof will be shown later.
Proposition 2. The right-unfold law 1 + a∗a ≤ a∗ of Kleene algebras is a theorem of monodic tree Kleene algebras, but the right-induction law b + xa ≤ x → ba∗ ≤ x of Kleene algebras is not a theorem.


The right-unfold law 1 + a∗ a ≤ a∗ of Kleene algebras holds according to the
axiom 1 + a∗ (a + 1) ≤ a∗ with partial right-distributivity (9).
A lazy Kleene algebra by Möller [7] also gives up right-distributivity but does
not have the right-unfold and right-induction laws.

Lemma 1. The operations · and ∗ in a monodic tree Kleene algebra are monotone.
Proof. Assuming a ≤ b, we show ac ≤ bc, ca ≤ cb and a∗ ≤ b∗. From the fact
that a + b = b, we have bc = (a + b)c. By (8), ac + bc = bc holds and thus
ac ≤ bc. From a + b = b, we have cb = c(a + b). By (10), ca + cb ≤ cb holds
and thus ca ≤ cb. To obtain a∗ ≤ b∗, we first show 1 + ab∗ ≤ b∗ (by (13)). From
monotonicity of + and ·, we have 1 + ab∗ ≤ 1 + b · b∗. From (11), 1 + b · b∗ ≤ b∗
holds and thus 1 + ab∗ ≤ b∗.


The theorems below are used in the proof of the completeness theorem.
Lemma 2. The following are theorems of monodic tree Kleene algebras.

(a + 1)∗ = a∗ (17)
(a∗ )∗ = a∗ (18)
1 + aa∗ = a∗ (19)
1 + a∗ (a + 1) = a∗ (20)
(a + b)∗ = a∗ (ba∗ )∗ (21)
(ab)∗ a ≤ a(ba)∗ (22)

Proof. By (13), to show that (a + 1)∗ ≤ a∗, it is sufficient to show 1 + (a + 1)a∗ ≤
a∗, which is obtained by distributivity and (11). The inequation (a∗)∗ ≤ a∗ can
be shown as follows.

a∗ + aa∗ ≤ a∗ (by (11))
1 + a∗ a∗ ≤ a∗ (by (13))
(a∗)∗ ≤ a∗ (by (13))

By (13), to show a∗ ≤ 1 + aa∗, it is sufficient to show 1 + a(1 + aa∗) ≤ 1 + aa∗,
which follows from (11). By (14), to show a∗ ≤ 1 + a∗(a + 1), it is sufficient to
show 1 + (1 + a∗(a + 1))(a + 1) ≤ 1 + a∗(a + 1), which is obtained by (12) and
monotonicity.
Since the original proof of (a + b)∗ ≤ a∗ (b∗ a)∗ in Kleene algebras does not
involve the right-induction law and right-distributivity[5], the above equation
also holds in our setting. The inequation a∗ (b∗ a)∗ ≤ (a + b)∗ in (22) can be
shown as follows. First, we have (a∗ b)∗ a∗ ≤ ((a + b + 1)∗ (a + b + 1))∗ (a + b + 1)∗
from monotonicity.
((a + b + 1)∗ (a + b + 1))∗ (a + b + 1)∗
≤ ((a + b + 1)∗ (a + b + 1 + 1))∗ ((a + b + 1)∗ + 1)
≤ ((a + b + 1)∗ )∗ ((a + b + 1)∗ + 1) (by (12))
≤ ((a + b + 1)∗ )∗ (by (12))
≤ (a + b + 1)∗ (by (18))
≤ (a + b)∗ (by (17))

By (13), to show (ab)∗ a ≤ a(ba)∗, it is sufficient to show a + aba(ba)∗ ≤ a(ba)∗,
which holds by (11).

Next, we show the set of regular tree expressions satisfies the axioms of monodic
tree Kleene algebras.
Lemma 3. For two tree languages S and T in T_{Σ∪\{\square\}}, (i) T^{\ast_\square} \circ_\square S is the least
fixed point of the function λX. S ∪ T \circ_\square X and (ii) S \circ_\square T^{\ast_\square} is the least fixed point
of the function λX. S ∪ X \circ_\square (T ∪ \{\square\}).
Proof. In the proof, we write ◦ and ∗ for \circ_\square and \ast_\square, respectively. (i) T^∗ ◦ S =
S ∪ T ◦ (T^∗ ◦ S) can be shown easily. For a tree language α, we assume

α = S ∪ T ◦ α (23)

and show that T^∗ ◦ S ⊆ α. For any n ≥ 0, it is sufficient to show that T^n ◦ S ⊆ α.
For the base case n = 0, the lemma holds from (23). Assume the lemma holds
for the case n = i, and we show the case when n = i + 1.

T^{i+1} ◦ S = (T ∪ T ◦ T^i) ◦ S
= T ◦ S ∪ (T ◦ T^i) ◦ S

By the inductive hypothesis, we have T ◦ S ⊆ α. For (T ◦ T^i) ◦ S, by (23) it is sufficient
to show (T ◦ T^i) ◦ S ⊆ T ◦ α, which can be shown by the inductive hypothesis and
monotonicity and associativity of ◦.
(ii) We can show S ◦ T^∗ = S ∪ (S ◦ T^∗) ◦ (T ∪ \{\square\}) easily. For a tree language
β, assume

β = S ∪ β ◦ (T ∪ \{\square\}) (24)

and we show S ◦ T^∗ ⊆ β. By Proposition 1, we can use the other definition of the
Kleene star. For n ≥ 0, it is sufficient to show S ◦ T^n ⊆ β. For the base case
n = 0, the lemma holds from (24). Assume the lemma holds for n = i; we show
n = i + 1.

S ◦ T^{i+1} = S ◦ (T^i ◦ (T ∪ \{\square\}))
= (S ◦ T^i) ◦ (T ∪ \{\square\})

The lemma holds from (24), the inductive hypothesis and monotonicity of ◦.



We can show that the other axioms from (1) to (10) of monodic tree Kleene
algebras are satisfied by tree languages with the functions ∪, \circ_\square, \ast_\square and constants
∅, \{\square\} via easy observations. Using the lemma above, we have the following
theorem.
Theorem 1. Let Σ be a signature and Γ be a set of substitution constants. For
any \square ∈ Γ,
(Reg(Σ, Γ), ∪, \circ_\square, \ast_\square, ∅, \{\square\})
is a monodic tree Kleene algebra.

Since Lemma 3 does not depend on the regularity of the two languages in the
claim, we can obtain the following proposition.
Proposition 3. Let Σ be a signature and Γ be a set of substitution constants.
For any \square ∈ Γ, (P(T_{Σ∪Γ}), ∪, \circ_\square, \ast_\square, ∅, \{\square\}) is a monodic tree Kleene algebra.


Here, we prove Proposition 2 by giving a counterexample. For a tree language
L and a substitution constant \square, define L^{\dagger_\square} by L^{\dagger_\square} = \bigcup_{j \geq 0} L^{j,\square}, where

L^{0,\square} = \{\square\} and
L^{n+1,\square} = L^{n,\square} \circ_\square L.

For the tree language \{f(\square, \square)\}, \{f(\square, \square)\}^{\dagger_\square} consists of the complete binary trees and
we have \{\square\} ∪ \{f(\square, \square)\}^{\dagger_\square} \circ_\square \{f(\square, \square)\} ⊆ \{f(\square, \square)\}^{\dagger_\square}, which corresponds to the
assumption of the right-induction law of a Kleene algebra. On the other hand,
we can see that \{f(\square, \square)\}^{\ast_\square} \not\subseteq \{f(\square, \square)\}^{\dagger_\square} since \{f(\square, \square)\}^{\ast_\square} contains more terms
than complete binary trees.
Next, we introduce matrices on monodic tree Kleene algebras and operations
on the matrices. Let K be a monodic tree Kleene algebra and M(n, K) be the
class of n by n matrices on K. In the following, we assume E and X are matrices
as follows.

E = \begin{pmatrix} a & b \\ c & d \end{pmatrix}, \quad X = \begin{pmatrix} x & y \\ z & w \end{pmatrix} (25)

The addition and multiplication of matrices in M(n, K) are defined in the usual way.

Lemma 4. M(n, K) satisfies axioms (1)–(10).



The Kleene star is defined essentially in the same way as for Kleene algebras.

E^\ast = \begin{pmatrix} a & b \\ c & d \end{pmatrix}^\ast = \begin{pmatrix} (a + bd^\ast c)^\ast & (a + bd^\ast c)^\ast bd^\ast \\ (d + ca^\ast b)^\ast ca^\ast & (d + ca^\ast b)^\ast \end{pmatrix}

The definition of the Kleene star for n by n matrices is inductively given in a similar
way to Kleene algebras.

\begin{pmatrix} A & B \\ C & D \end{pmatrix}^\ast = \begin{pmatrix} (A + BD^\ast C)^\ast & (A + BD^\ast C)^\ast BD^\ast \\ (D + CA^\ast B)^\ast CA^\ast & (D + CA^\ast B)^\ast \end{pmatrix}
Lemma 5. For matrices E and X in M(n, K), the matrix E ∗ satisfies the fol-
lowing monodic tree Kleene algebra axioms (11)–(13) where I is the identity
matrix.
I + EE ∗ ≤ E ∗ (26)
I + E ∗ (E + I) ≤ E ∗ (27)
EX ≤ X → E ∗ X ≤ X (28)
Proof. Since in this proof, the axiom (14) is not used, the cases for arbitrary
n ≥ 1 can be shown by induction and thus we give only the base, i.e. n = 2.
Let E and X be the matrices in (25). The inequation (26) can be written as the
following four inequations.
1 + a(a + bd∗ c)∗ + b(d + ca∗ b)∗ ca∗ ≤ (a + bd∗ c)∗
a(a + bd∗ c)∗ bd∗ + b(d + ca∗ b)∗ d∗ ≤ (a + bd∗ c)∗ bd∗
c(a + bd∗ c)∗ + d(d + ca∗ b)∗ ca∗ ≤ (d + ca∗ b)∗ ca∗
1 + c(a + bd∗ c)∗ bd∗ + d(d + ca∗ b)∗ ≤ (d + ca∗ b)∗
For example, we can show b(d + ca∗ b)∗ ca∗ ≤ (a + bd∗ c)∗ as follows.
b(d + ca∗ b)∗ ca∗ ≤ bd∗ (ca∗ bd∗ )∗ ca∗ (by (21))
≤ bd∗ c(a∗ bd∗ c)∗ a∗ (by (22))
≤ bd∗ ca∗ (bd∗ ca∗ )∗ (by (22))
≤ (a + bd∗ c)a∗ (bd∗ ca∗ )∗
= (a + bd∗ c)(a + bd∗ c)∗
≤ (a + bd∗ c)∗
The rest can be shown in similar ways.

The inequation (27) consists of the following four inequations, each of
which can be shown easily.

1 + (a + bd∗ c)∗ (a + 1) + (a + bd∗ c)∗ bd∗ c ≤ (a + bd∗ c)∗
(a + bd∗ c)∗ b + (a + bd∗ c)∗ bd∗ (d + 1) ≤ (a + bd∗ c)∗ bd∗
(d + ca∗ b)∗ ca∗ (a + 1) + (d + ca∗ b)∗ c ≤ (d + ca∗ b)∗ c
1 + (d + ca∗ b)∗ ca∗ b + (d + ca∗ b)∗ (d + 1) ≤ (d + ca∗ b)∗

For (28), we show that the assumptions ax + by ≤ x and cx + dy ≤ y imply the
following inequations.

(a + bd∗ c)∗ x + (a + bd∗ c)∗ bd∗ y ≤ x
(d + ca∗ b)∗ ca∗ x + (d + ca∗ b)∗ y ≤ y

We only show (a + bd∗ c)∗ x ≤ x.


d∗ y ≤ y (dy ≤ y and (15))
bd∗ y ≤ x (by ≤ x)
bd∗ cx ≤ x (cx ≤ y)
ax + bd∗ cx ≤ x (ax ≤ x)
(a + bd∗ c)x ≤ x
(a + bd∗ c)∗ x ≤ x


Consequently, the set of matrices on a monodic tree Kleene algebra satisfies all
the axioms of a monodic tree Kleene algebra except for (14).
According to Lemmas 4 and 5, we can see that matrices on a monodic tree
Kleene algebra have a structure like that of a monodic tree Kleene algebra. Some of the
theorems of monodic tree Kleene algebras also hold in M(n, K).
Lemma 6. (i) The operations · and ∗ on M(n, K) are monotone. (ii) The equations
and inequations (17)–(19) and (21)–(22) hold in M(n, K).

A matrix in which every entry is either 0 or 1 is called a 0-1 matrix. Although
the lemma below mentions properties of M(n, K) concerning 0-1 matrices, each
statement in the lemma can also be applied to 0-1 vectors.
Lemma 7. Let X be a 0-1 matrix, P be a permutation matrix and A and B be
matrices, then the following equations hold where P T is the transpose of P .

X(A + B) = XA + XB (29)
XA ≤ X → XA∗ ≤ X (30)
B + XA ≤ X → BA∗ ≤ X (31)
AX = XB → A∗ X = XB ∗ (32)
X(AX)∗ = (XA)∗ X (33)
(P T AP )∗ = P T A∗ P (34)
Proof. Since in this proof the axiom (14) is used only for the base case and, for
the inductive step, (31) can be used as the inductive hypothesis, we give
only the base n = 2. The first one is obvious. Let E and X be the matrices in
(25). To prove (30), we show the following statement.

X(A + I) ≤ X → XA∗ ≤ X (35)

The left-hand side of (35) consists of the following inequations.

x(a + 1) + yc ≤ x
xb + y(d + 1) ≤ y
z(a + 1) + wc ≤ z
zb + w(d + 1) ≤ w

The right-hand side consists of the following inequations.

x(a + bd∗ c)∗ + y(d + ca∗ b)∗ ca∗ ≤ x
x(a + bd∗ c)∗ bd∗ + y(d + ca∗ b)∗ ≤ y
z(a + bd∗ c)∗ + w(d + ca∗ b)∗ ca∗ ≤ z
z(a + bd∗ c)∗ bd∗ + w(d + ca∗ b)∗ ≤ w

For example, x(a + bd∗ c)∗ ≤ x can be shown as follows.

yd∗ ≤ y (y(d + 1) ≤ y)
yd∗ c ≤ x (yd∗ ≤ y and yc ≤ x)
xbd∗ c ≤ x (yd∗ c ≤ x and xb ≤ y)
x(a + bd∗ c + 1) ≤ x (xbd∗ c ≤ x and x(a + 1) ≤ x)
x(a + bd∗ c)∗ ≤ x (x(a + bd∗ c + 1) ≤ x)

The last step is by the axiom (14) for the base case or by the inductive hypothesis
for the induction step. Finally, we can see that EX ≤ X implies E(X + I) ≤ X
and the lemma holds.
The Horn clause (31) is directly obtained from (30).
The simulation law (32) can be shown in the same way as the original proof
by Kozen [5], since, as we have shown, the Kleene algebra axioms (Lemma 5
and (31)) hold in our setting if X is restricted to a 0-1 matrix.
The shift law for the specific case (33), i.e. X(AX)∗ = (XA)∗ X, is obtained from
(32) by replacing A with XA and B with AX, respectively.
To prove (34), we show A∗ P = P (P T AP )∗. Multiplying by P T from the left and
using the facts that P T P = I and P P T = I, we obtain (P T AP )∗ = P T A∗ P. By
Lemma 6, we obtain (P P T A)∗ P ≤ P (P T AP )∗. Since P is a 0-1 matrix, by (31)
in this lemma, to show P (P T AP )∗ ≤ (P P T A)∗ P, it is sufficient to show that
P + (P P T B)∗ (P P T B)P ≤ (P P T B)∗ P.

4 Subclass of Regular Tree Expressions

In this section, we give a subclass of regular tree expressions, called monodic regular
tree expressions.
Definition 2. Let Σ be a signature and \square be a substitution constant. The set
RegExp(Σ, \square) of monodic regular tree expressions is defined as follows.

1. The symbol 0 is a monodic regular tree expression.
2. A term of the form f(\square, …, \square) is a monodic regular tree expression.
3. If e_1 and e_2 are monodic regular tree expressions, so are e_1 + e_2, e_1 · e_2 and
e_1^{\ast}.

The set of monodic regular tree expressions is a subclass of regular tree expressions
when the multiplication · and the Kleene star ∗ are regarded as ·_\square and ∗_\square,
respectively. The interpretation of monodic regular tree expressions is given by
the functions ∪, \circ_\square and \ast_\square on tree languages.
Definition 3. A tree language L which can be expressed by a monodic regular
tree expression is called monodic regular.
We denote the set of all monodic regular tree languages by Reg(Σ, \square).

Proposition 4. (i) The set Reg(Σ, \square) of monodic regular tree languages is closed
under the functions ∪, \circ_\square and \ast_\square. (ii) (Reg(Σ, \square), ∪, \circ_\square, \ast_\square, ∅, \{\square\}) is a monodic
tree Kleene algebra.

Example 1. The regular tree expression f(\square, \square) ·_\square (g(\square) + h(\square, \square)) is monodic
but f(a, c) and (f(\square, \square_1) ·_\square a) ·_{\square_1} c are not.

Next, we introduce the subclass of tree automata corresponding to monodic
regular tree languages. For the definition of behaviors of tree automata, please
refer to the books[1,4].
Definition 4 ([1]). A tree automaton is a tuple (Σ, Q, Q_final, Δ) where Σ is a
signature, Q is a finite set of states, Q_final ⊆ Q is a set of final states and Δ is
a set of transition rules. A transition rule has the form either f(q_1, …, q_n) → q
or q′ → q where f ∈ Σ_n, q_1, …, q_n, q, q′ ∈ Q.
Definition 5. A tree automaton in which the left-hand side of each transition
rule has only one kind of state is called monodic.
In the following, we give a matrix representation of a monodic tree automaton
A = (Σ, Q, Q_final, Δ). Without loss of generality, Q can be written as {1, …, n}
for some integer n ≥ 1. Let M_A be a matrix in M(n + 1, RegExp(Σ, \square)) where
the (p, q) entry is given by the following formula.

\{f(\square, …, \square) \mid f(q, …, q) → p ∈ Δ, arity(f) ≥ 1\} ∪
\{\square \mid q → p ∈ Δ\} ∪ \{c \mid c → p ∈ Δ, q = n + 1\}

Let v be an (n + 1)-vector in which the (n + 1)-th row is \square and the others are 0, and
u be an (n + 1)-vector in which, for each q ∈ Q_final, the q-th row is \square and the others
are 0. The triple (v, M_A, u) is called a matrix representation of A where v and
u are vectors and M_A is a matrix on the free monodic tree Kleene algebra over
Σ and \square, i.e. the quotient of monodic regular tree expressions modulo provable
equivalence. We call the vector u the final vector and v the initial vector.
Example 2. Let A0 be a tree automaton in which Δ consists of the following
transition rules

f (1, 1) → 1 g(1, 1) → 2 a → 1 b → 1 b → 2

and the final state is just 2. Then the matrix representation is as follows.

\left( \begin{pmatrix} 0 \\ 0 \\ \square \end{pmatrix}, \begin{pmatrix} f(\square, \square) & 0 & a + b \\ g(\square, \square) & 0 & b \\ 0 & 0 & 0 \end{pmatrix}, \begin{pmatrix} 0 \\ \square \\ 0 \end{pmatrix} \right)

Since Q = {1, 2}, the matrix has size 2 + 1 = 3.



Next, we justify the matrix representation of tree automata via regular tree
equation systems[1]. Let X1 , . . . , Xn be variables and si,j (1 ≤ i ≤ mj , 1 ≤
j ≤ p) be terms in TΣ ({X1 , . . . , Xn }), which is the set of terms with variables
{X1 , . . . , Xn }. A regular tree equation system S is given by the following set of
equations.

X1 = s1,1 + · · · + sm1 ,1
···
Xp = s1,p + · · · + smp ,p

A solution of S is a p-tuple of tree languages (L_1, …, L_p) ∈ P(T_Σ)^p satisfying
the following condition.

L_1 = θ(s_{1,1}) ∪ · · · ∪ θ(s_{m_1,1})
· · ·
L_p = θ(s_{1,p}) ∪ · · · ∪ θ(s_{m_p,p})

where θ is the tree substitution {(X_1, L_1), …, (X_p, L_p)}. For a regular tree equation
system S, we define Ŝ : P(T_Σ)^p → P(T_Σ)^p as λ(L_1, …, L_p). (L'_1, …, L'_p) where

L'_1 = L_1 ∪ θ(s_{1,1}) ∪ · · · ∪ θ(s_{m_1,1}),
· · ·
L'_p = L_p ∪ θ(s_{1,p}) ∪ · · · ∪ θ(s_{m_p,p})

and θ = {(X_1, L_1), …, (X_p, L_p)}. The order on P(T_Σ)^p is defined componentwise.
Lemma 8 ([1]). For a regular tree equation system S, the least fixed-point of Ŝ
is the least solution of S.

Theorem 2 ([1]). For any regular tree equations, the least solution is a regular
tree language. Conversely, for any regular tree language, there exists a regular
tree equations representing the regular tree language.

In the proof of the above theorem, a tree automaton A = (Σ, Q, Q_final, Δ) with
Q = {1, …, n} is translated into the regular tree equation system S_A consisting of

i = \sum \{ l \mid l → i ∈ Δ \} (1 ≤ i ≤ n)

where states are regarded as variables. For instance, a tree automaton consisting
of

f(1, 2) → 1   g(2, 1) → 2   a → 1   b → 1   b → 2

corresponds to the following regular tree equation system.

1 = f(1, 2) + a + b
2 = g(2, 1) + b

If A is monodic, then we can obtain another definition of Ŝ_A as

λ(L_1, …, L_p). (L'_1, …, L'_p)

where

L'_1 = L_1 ∪ θ_1(s_{1,1}) ∪ · · · ∪ θ_1(s_{p,1}),
· · ·
L'_p = L_p ∪ θ_1(s_{1,p}) ∪ · · · ∪ θ_p(s_{p,p})

and θ_n = {(n, L_n)} for 1 ≤ n ≤ p. For a substitution constant \square, we have
θ_n = {(n, \{\square\})} \circ_\square {(\square, L_n)} for 1 ≤ n ≤ p.
Summarizing the observations above, the fixed-point operator Ŝ_A of the above
regular tree equation system S_A can be written as the matrix equation

X = (P + I + C)X = (P + I)X + C

where I is the identity matrix of size n, X = (X_1, …, X_n)^T, C = (C_1, …, C_n)^T,
C_i = {c | c → i ∈ Δ, c ∈ Σ_0} and P_{i,j} = \{f(\square, …, \square) \mid f(j, …, j) → i ∈ Δ, f ∈ Σ\}.
The matrix P + I corresponds to the fixed-point operator. The
least solution is given by the least fixed point and thus we have (P + I)^∗ C =
P^∗ C. This is the language represented by the tree automaton A, more precisely
the sequence of languages represented by each state of A. Although A can be
represented by the matrices C and P and the final 0-1 vector U, for the discussions
below initial vectors also have to be given by 0-1 vectors. Henceforth, we give
an initial vector, a final vector and a matrix M_A as follows.

\left( \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \begin{pmatrix} P & C \\ 0 & 0 \end{pmatrix}, \begin{pmatrix} U \\ 0 \end{pmatrix} \right)
This matrix-represented automaton corresponds to the following regular tree
equation system in which the entries of C are produced from the new variable x_0.

\begin{pmatrix} X \\ x_0 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \end{pmatrix} + \left( \begin{pmatrix} P & C \\ 0 & 0 \end{pmatrix} + I \right) \begin{pmatrix} X \\ x_0 \end{pmatrix}

The least fixed point can be computed as follows.

\begin{pmatrix} P & C \\ 0 & 0 \end{pmatrix}^\ast \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} P^\ast & P^\ast C \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} P^\ast C \\ 1 \end{pmatrix}

Using the initial vector, we have the following expression.

\begin{pmatrix} U & 0 \end{pmatrix} \begin{pmatrix} P^\ast C \\ 1 \end{pmatrix}

Finally, by the final vector, we can retrieve the language represented by the tree
automaton.
In the following, we also deal with languages including substitution constants.
This means that we also consider tree automata in which an initial vector may
not only be of the form (1, 0)^T but also any 0-1 vector.
Lemma 9. For a tree automaton A and its matrix representation (v, M_A, u),
the language accepted by A is [u^T M_A^\ast v].
Proof. (sketch) We regard the tree automaton as a regular tree equation system,
then the lemma holds because of Lemmas 3 and 8 and the discussion after
Theorem 2.

Example 3. Let A_0 be the tree automaton considered in Example 2. Then the
corresponding expression can be obtained as follows.

M_{A_0}^\ast = \begin{pmatrix} f(\square, \square) & 0 & a + b \\ g(\square, \square) & 0 & b \\ 0 & 0 & 0 \end{pmatrix}^\ast
= \begin{pmatrix} (A + BD^\ast C)^\ast & (A + BD^\ast C)^\ast BD^\ast \\ (D + CA^\ast B)^\ast CA^\ast & (D + CA^\ast B)^\ast \end{pmatrix}
= \begin{pmatrix} A^\ast & A^\ast B \\ 0 & 0 \end{pmatrix}
= \begin{pmatrix} f(\square, \square)^\ast & f(\square, \square)^\ast & f(\square, \square)^\ast \cdot (a + b) + f(\square, \square)^\ast \cdot b \\ g(\square, \square) \cdot f(\square, \square)^\ast & \square & g(\square, \square) \cdot f(\square, \square)^\ast \cdot (a + b) + b \\ 0 & 0 & 0 \end{pmatrix}

Finally, we have the following expression.

\begin{pmatrix} 0 & \square & 0 \end{pmatrix} M_{A_0}^\ast \begin{pmatrix} 0 \\ 0 \\ \square \end{pmatrix} = g(\square, \square) \cdot f(\square, \square)^\ast \cdot (a + b) + b


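The counterexample to Proposition 2 and Examples 2 and 3 can both be checked mechanically on finite truncations of the tree languages involved. The following Python script is an added worked example, not code from the paper or its authors. It implements tree substitution ∘_□ and the two families L^{n,□} (the family of Proposition 1, which keeps □ at every step, and the counterexample family, which replaces every □), verifies the premise of the right-induction law for {f(□,□)} up to a depth bound while exhibiting a tree of {f(□,□)}^{∗_□} that is not a complete binary tree, and then compares the least solution of the equation system of A_0, computed by iterating Ŝ_{A_0}, with the expression g(□,□)·f(□,□)^∗·(a+b) + b obtained in Example 3. The tuple encoding of trees, the helper names and the depth bounds are assumptions of this example; the transition rules of A_0 are those of Example 2.

```python
from itertools import product

# Trees are tuples (symbol, child_1, ..., child_n); constants are 1-tuples.
# BOX stands for the substitution constant written □ in the paper (assumption).
BOX = ('□',)

def _subst(t, T):
    """All trees obtained from t by replacing every occurrence of BOX,
    independently of the others, by some tree of the language T."""
    if t == BOX:
        return set(T)
    sym, *kids = t
    if not kids:
        return {t}
    return {(sym,) + combo for combo in product(*(_subst(k, T) for k in kids))}

def compose(S, T):
    """S ∘_□ T: tree substitution of the language T into the □-leaves of S."""
    out = set()
    for s in S:
        out |= _subst(s, T)
    return frozenset(out)

def star(L, n):
    """L^{n,□} of Proposition 1: L^{0,□} = {□}, L^{n+1,□} = L^{n,□} ∘_□ (L ∪ {□}).
    Since L^{n,□} ⊇ L^{j,□} for j ≤ n, this is L^{∗_□} truncated at depth n."""
    cur = frozenset({BOX})
    ext = frozenset(L) | {BOX}
    for _ in range(n):
        cur = compose(cur, ext)
    return cur

def complete(L, n):
    """Union of L^{j,□} for j ≤ n in the counterexample family:
    L^{0,□} = {□}, L^{n+1,□} = L^{n,□} ∘_□ L (every □ is replaced, none kept)."""
    layers, cur = set(), frozenset({BOX})
    for _ in range(n + 1):
        layers |= cur
        cur = compose(cur, L)
    return frozenset(layers)

F = frozenset({('f', BOX, BOX)})          # the language {f(□,□)}

def right_induction_premise(n):
    """{□} ∪ C ∘_□ F ⊆ C for C the complete binary trees, checked at depth n:
    this is the premise b + xa ≤ x of the right-induction law."""
    lhs = frozenset({BOX}) | compose(complete(F, n), F)
    return lhs <= complete(F, n + 1)

def right_induction_conclusion_holds(n):
    """F^{∗_□} ⊆ C is what the right-induction law would conclude. The depth-2
    truncation of F^{∗_□} already contains a non-complete tree, so this is
    False for every bound n."""
    return star(F, 2) <= complete(F, n)

def witness():
    """A tree of F^{∗_□} that is not a complete binary tree."""
    t = ('f', BOX, ('f', BOX, BOX))
    assert t in star(F, 2)
    return t

# Examples 2 and 3: transition rules of A_0 as (symbol, argument states, target).
RULES = [('f', (1, 1), 1), ('g', (1, 1), 2), ('a', (), 1), ('b', (), 1), ('b', (), 2)]
FINAL = frozenset({2})

def automaton_language(rules, final, rounds):
    """Iterate the operator Ŝ_A of the regular tree equation system of A from
    the empty languages; after `rounds` steps return the union of the final
    states' languages (a truncation of the least solution)."""
    states = {q for _, args, tgt in rules for q in (tgt,) + args}
    langs = {q: frozenset() for q in states}
    for _ in range(rounds):
        new = {q: set(langs[q]) for q in states}          # L_i ∪ ...
        for sym, args, tgt in rules:
            for combo in product(*(langs[q] for q in args)):
                new[tgt].add((sym,) + combo)
        langs = {q: frozenset(v) for q, v in new.items()}
    return frozenset().union(*(langs[q] for q in final))

def expression_language(n):
    """g(□,□) ·_□ f(□,□)^{∗_□} ·_□ (a + b) + b from Example 3, with the star
    truncated at depth n."""
    G = frozenset({('g', BOX, BOX)})
    AB = frozenset({('a',), ('b',)})
    return compose(G, compose(star(F, n), AB)) | {('b',)}

if __name__ == '__main__':
    print(right_induction_premise(4), right_induction_conclusion_holds(6), witness())
    print(len(expression_language(2)),
          expression_language(2) == automaton_language(RULES, FINAL, 4))
```

Both checks are bounded, which is enough here: the premise inclusion is checked layer by layer, and the conclusion fails already at depth 2 because f(□, f(□,□)) has no complete shape at any depth. For A_0, four rounds of Ŝ_{A_0} produce exactly the trees that the Example 3 expression yields with the star cut at depth 2, so the two finite sets coincide.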

The proof of the following theorem follows the original one by Kozen [5] as follows.

1. First, we construct tree automata for the two given regular tree expressions.
2. Second, we translate the tree automata into deterministic ones.
3. Then, we minimize the tree automata.

In the proof, we use the following lemmas.

– Lemma 2 of monodic tree Kleene algebras
– Lemmas 4, 5 and 6 of arbitrary matrices on a monodic tree Kleene algebra
– Lemma 7 of 0-1 matrices on a monodic tree Kleene algebra

Theorem 3. Let α and β be monodic regular tree expressions such that [α] = [β]
and [α] ⊆ TΣ . Then α = β is a theorem of monodic tree Kleene algebras.


5 Remarks and Future Work

In this paper, we have not yet considered the independence of the axioms in
Definition 1. Since for defining the class of regular tree languages, only one func-
tion in the statement of Lemma 3 is needed, the axiom (14) may be redundant.
Moreover, the axiom (14) is used in the proof of completeness theorem only in
the case that x is a 0-1 matrix. However, the argument of the independence does
not affect the soundness and the completeness theorems (Theorems 1 and 3).
After submitting the paper, we learned that almost the same system has
been proposed by McIver and Weber, called a probabilistic Kleene algebra [8], for
analyzing probabilistic distributed systems. In this conference, McIver, Cohen
and Morgan show that probabilistic Kleene algebras can be used for protocol
verification [9]. A probabilistic Kleene algebra has the same axioms except that it
includes the left annihilation law, i.e. a0 = 0.
The class of monodic regular tree languages is given by monodic regular tree
expressions, i.e. the number of kinds of place-holders is restricted to one. We
conjecture that the expressive power of the class coincides with the subclass
of regular tree expressions defined below. Let Σ be a signature and a set Γ of
substitution constants. The set of essentially monodic regular tree expressions is
defined as follows.

1. The symbol 0 is an essentially monodic regular tree expression.
2. A term of the form f(\square, …, \square) is an essentially monodic regular tree expression for any \square ∈ Γ.
3. If e_1 and e_2 are essentially monodic regular tree expressions, so are e_1 + e_2,
e_1 ·_\square e_2 and e_1^{\ast_\square} for any \square ∈ Γ.

For dealing with the whole class of regular tree expressions, there may be two
directions. The first one is to use modal Kleene algebras [10]. A tree can be
encoded with two modalities in a modal Kleene algebra. Another direction is
to consider products of two monodic tree Kleene algebras. The whole class of
regular tree expressions seems to be a many-sorted monodic tree Kleene algebra.

Acknowledgments

The authors are grateful to Georg Struth, who visited us with a grant from the
International Information Science Foundation (IISF), for his many valuable
comments on this study. We also thank Yasuo Kawahara and Yoshihiro Mizoguchi
for fruitful discussions on this study. This research was supported by the
Core Research for Evolutional Science and Technology (CREST) Program “New
High-performance Information Processing Technology Supporting Information-
oriented Society” of the Japan Science and Technology Agency (JST).

References
1. Comon, H., Dauchet, M., Gilleron, R., Jacquemard, F., Lugiez, D., Tison, S., Tom-
masi, M.: Tree automata techniques and applications. Available on: http://www.
grappa.univ-lille3.fr/tata/ (1997)
2. Ésik, Z.: Axiomatizing the equational theory of regular tree languages (extended
abstract). In Morvan, M., Meinel, C., Krob, D., eds.: STACS. Volume 1373 of
Lecture Notes in Computer Science, Springer (1998) 455–465
3. Takai, T., Furusawa, H., Kahl, W.: Reasoning about term rewriting in Kleene
categories with converse. In Düntsch, I., Winter, M., eds.: Proceedings of the 3rd
Workshop on Applications of Kleene Algebra. (2005) 259–266
4. Gécseg, F., Steinby, M.: Tree languages. In: Handbook of formal languages, 3:
beyond words. Springer (1997) 1–68
5. Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular
events. In Kahn, G., ed.: Proceedings of the Sixth Annual IEEE Symp. on Logic
in Computer Science, LICS 1991, IEEE Computer Society Press (1991) 214–225
6. Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular
events. Information and Computation 110(2) (1994) 366–390
7. Möller, B.: Lazy Kleene algebra. In Kozen, D., Shankland, C., eds.: MPC. Volume
3125 of Lecture Notes in Computer Science., Springer (2004) 252–273
8. McIver, A., Weber, T.: Towards automated proof support for probabilistic distrib-
uted systems. In Sutcliffe, G., Voronkov, A., eds.: LPAR. Volume 3835 of Lecture
Notes in Computer Science., Springer (2005) 534–548
9. McIver, A., Cohen, E., Morgan, C.: Using probabilistic Kleene algebra for protocol
verification. In: Relations and Kleene Algebra in Computer Science. Volume 4136
of Lecture Notes in Computer Science. (2006)
10. Möller, B., Struth, G.: Modal Kleene algebra and partial correctness. In Rattray,
C., Maharaj, S., Shankland, C., eds.: AMAST. Volume 3116 of Lecture Notes in
Computer Science., Springer (2004) 379–393
Weak Relational Products

Michael Winter

Department of Computer Science,
Brock University,
St. Catharines, Ontario, Canada, L2S 3A1
[email protected]

Abstract. The existence of relational products in categories of relations
is strongly connected with the representability of that category. In this
paper we propose a canonical weakening of the notion of a relational
product. Unlike the strong version, any (small) category of relations
can be embedded into a suitable category providing all weak relational
products. Furthermore, we investigate the categorical properties of the
new construction and prove several (weak) versions of propositions well-
known for relational products.

1 Introduction
The relational product of two objects A and B in a category of relations is an
abstract version of the cartesian product of two sets. It is characterized by an
object A × B together with two projections π and ρ from A × B to A and B,
respectively. A category of relations may provide a relational product for every
pair of objects. In this case, it can be shown that the category is representable,
i.e. there is an embedding into the category Rel of sets and relations. On the
other hand, not every reasonable category of relations is representable. This
indicates that one cannot always embed the given structure into a category that
provides relational products. This is a major disadvantage of this construction
since products are usually needed to model certain concepts by relations, such as
programming languages and most kinds of logics. Other constructions usually
required, such as sums and powers, i.e. the counterparts of disjoint unions and
powersets, can always be created.
In this paper we propose a canonical weakening of the concept of a relational
product, the weak relational product. This will be done within the theory of
allegories - a categorical model of relations. We will investigate certain properties
of the new construction and compare them to those of relational products. In
particular, we are interested in the following list of properties. Notice, that those
properties are not necessarily independent.

– Product in MAP(R): The given construction may establish a product in
the subcategory of mappings (in the sense of category theory). If valid, this
property ensures that the corresponding concept is suitable as an abstract
version of cartesian products of sets. Therefore, it is essential for any notion
of products.
– R representable: A category of relations might be representable, i.e. the
morphisms are (up to a suitable mapping) concrete relations between sets. There
are non-representable allegories. Depending on the product construction
considered, the existence of all possible products may force the allegory to be
representable.
– Unsharpness property: The unsharpness property is a violation of an equality
in terms of relational products. It was claimed [2] that this property may be
important to model certain behavior of concurrent processes.
– Embedding property: It might be possible to embed a given allegory into
another allegory providing all products of a certain kind. With this property
we refer to whether this can always be done.
– Equational theory: Since the theory of allegories and several of its extensions
are/can be defined as an equational theory it is interesting whether a given
concept of products can also be expressed by equations.

The author gratefully acknowledges support from the Natural Sciences and
Engineering Research Council of Canada.

R.A. Schmidt (Ed.): RelMiCS /AKA 2006, LNCS 4136, pp. 417–431, 2006.
© Springer-Verlag Berlin Heidelberg 2006
In the following table we have summarized the validity of the properties above
within the concepts of relational and weak relational products.

Property                 Relational Product   Weak Relational Product
Product in MAP(R)                 +                     +
R representable                   +                     -
Unsharpness property              -                     +
Embedding property                -                     +
Equational theory                 +                    -/+∗

∗ can be defined by equations in division allegories where all partial identities split

Fig. 1. Properties of relational products

In addition to the properties of Table 1 we are going to prove several (weak)
versions of propositions well-known for relational products.

2 Relational Preliminaries
Throughout this paper, we use the following notation. To indicate that a mor-
phism R of a category R has source A and target B we write R : A → B. The
collection of all morphisms R : A → B is denoted by R[A, B] and the compo-
sition of a morphism R : A → B followed by a morphism S : B → C by R; S.
Last but not least, the identity morphism on A is denoted by IA .
We recall briefly some fundamentals on allegories [5] and relational construc-
tions within them. For further details we refer to [5,9,10]. Furthermore, we as-
sume that the reader is familiar with the basic notions from category theory
such as products and co-products. For unexplained material we refer to [1].
Definition 1. An allegory R is a category satisfying the following:

1. For all objects A and B the collection R[A, B] is a meet semi-lattice, whose
elements are called relations. Meet and the induced ordering are denoted by
⊓ and ⊑, respectively.
2. There is a monotone operation ⌣ (called converse) such that for all relations
Q : A → B and R : B → C the following holds: (Q; R)^⌣ = R^⌣; Q^⌣ and
(Q^⌣)^⌣ = Q.
3. For all relations Q : A → B, R, S : B → C we have Q; (R ⊓ S) ⊑ Q; R ⊓ Q; S.
4. For all relations Q : A → B, R : B → C and S : A → C the modular law
Q; R ⊓ S ⊑ Q; (R ⊓ Q^⌣; S) holds.
An allegory is called a distributive allegory if
5. the collection R[A, B] is a distributive lattice with a least element. Join and
the least element are denoted by ⊔ and ⊥⊥_{AB}, respectively.
6. For all relations Q : A → B and objects C we have Q; ⊥⊥_{BC} = ⊥⊥_{AC}.
7. For all relations Q : A → B, R, S : B → C we have Q; (R ⊔ S) = Q; R ⊔ Q; S.
A distributive allegory is called locally complete iff each R[A, B] is a complete
lattice. Finally, a division allegory is a distributive allegory with a binary operation
/ satisfying the following:
8. For all relations R : B → C and S : A → C there is a relation S/R : A → B
(called the left residual of S and R) such that for all Q : A → B the following
holds: Q; R ⊑ S ⇐⇒ Q ⊑ S/R.
If R[A, B] has a greatest element it is denoted by ⊤⊤_{AB}.
Notice that allegories and distributive allegories are defined by equations. The
same can be done for division allegories [5].
The left residual can be used to define another residual operation Q\S :=
(S^⌣/Q^⌣)^⌣, called the right residual of S and Q. A symmetric version of the
residuals, called the symmetric quotient, may be defined as

syq(Q, R) := (Q\R) ⊓ (Q^⌣/R^⌣).

For further properties of relations in allegories we refer to [5,9,10].
An important class of relations is given by mappings.
Definition 2. Let Q : A → B be a relation. Then we call
1. Q univalent (or functional) iff Q^⌣; Q ⊑ I_B,
2. Q total iff I_A ⊑ Q; Q^⌣,
3. Q a map (or a mapping) iff Q is univalent and total,
4. Q injective iff Q^⌣ is univalent,
5. Q surjective iff Q^⌣ is total.
In the next lemma we have summarized some properties of the residuals and the
symmetric quotient. Proofs can be found in [5,4,9,10].
Lemma 1. Let R be a division allegory and Q : A → B, R : A → C, S : A → D
be relations, and f : D → A be a mapping. Then we have

1. Q; (Q\R) ⊑ R,
2. f; syq(Q, R) = syq(Q; f^⌣, R),
3. syq(Q, R)^⌣ = syq(R, Q),
4. syq(Q, R); syq(R, S) ⊑ syq(Q, S),
5. if syq(Q, R) is total then equality holds in 4.,
6. if syq(Q, R) is surjective then Q; syq(Q, R) = R.
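To make the residual and symmetric-quotient definitions of this section concrete, the following Python script is an added example, not code from the paper. It models relations between finite sets as sets of pairs, defines composition, converse, the left residual S/R, the right residual Q\S = (S^⌣/Q^⌣)^⌣ and syq(Q, R) exactly as above, checks items 1, 3 and 4 of Lemma 1 on a constructed mapping Q and relation R, and exhaustively verifies the modular law and the residual adjunction over all relations between two-element carriers. The carrier sets, the sample relations and all function names are assumptions of this example.

```python
from itertools import product

# Relations between finite sets are frozensets of pairs; the carrier sets are
# passed explicitly wherever an operation needs them (constructed example).

def compose(R, S):
    """R;S for R : A -> B and S : B -> C."""
    return frozenset((a, c) for (a, b) in R for (b2, c) in S if b == b2)

def converse(R):
    """R^⌣ : B -> A for R : A -> B."""
    return frozenset((b, a) for (a, b) in R)

def identity(A):
    return frozenset((a, a) for a in A)

def left_residual(S, R, A, B):
    """S/R : A -> B for S : A -> C and R : B -> C, the greatest Q with Q;R ⊑ S:
    (a, b) ∈ S/R iff every c with (b, c) ∈ R satisfies (a, c) ∈ S."""
    return frozenset((a, b) for a in A for b in B
                     if all((a, c) in S for (b2, c) in R if b2 == b))

def right_residual(Q, S, B, C):
    """Q\\S := (S^⌣/Q^⌣)^⌣ : B -> C for Q : A -> B and S : A -> C."""
    return converse(left_residual(converse(S), converse(Q), C, B))

def syq(Q, R, B, C):
    """syq(Q, R) := (Q\\R) ⊓ (Q^⌣/R^⌣) : B -> C for Q : A -> B and R : A -> C."""
    return right_residual(Q, R, B, C) & left_residual(converse(Q), converse(R), B, C)

def univalent(Q, B):
    """Q^⌣;Q ⊑ I_B."""
    return compose(converse(Q), Q) <= identity(B)

def total(Q, A):
    """I_A ⊑ Q;Q^⌣."""
    return identity(A) <= compose(Q, converse(Q))

def all_relations(A, B):
    """Every relation A -> B; only used for exhaustive checks on tiny carriers."""
    pairs = [(a, b) for a in A for b in B]
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, bit in zip(pairs, bits) if bit)

def modular_law_holds(A, B, C):
    """Q;R ⊓ S ⊑ Q;(R ⊓ Q^⌣;S) for all Q : A -> B, R : B -> C, S : A -> C."""
    return all(compose(Q, R) & S <= compose(Q, R & compose(converse(Q), S))
               for Q in all_relations(A, B)
               for R in all_relations(B, C)
               for S in all_relations(A, C))

def residual_adjunction_holds(A, B, C):
    """Q;R ⊑ S iff Q ⊑ S/R, the defining property of the left residual."""
    return all((compose(Q, R) <= S) == (Q <= left_residual(S, R, A, B))
               for Q in all_relations(A, B)
               for R in all_relations(B, C)
               for S in all_relations(A, C))

# Constructed sample: Q is a mapping A -> B, R an arbitrary relation A -> C.
A, B, C = frozenset({1, 2, 3}), frozenset({'x', 'y'}), frozenset({'p', 'q'})
Q = frozenset({(1, 'x'), (2, 'x'), (3, 'y')})
R = frozenset({(1, 'p'), (2, 'p'), (3, 'p'), (3, 'q')})

def lemma1_checks():
    """Items 1, 3 and 4 of Lemma 1 on the sample (item 4 with S := Q)."""
    return {
        'Q;(Q\\R) ⊑ R': compose(Q, right_residual(Q, R, B, C)) <= R,
        'syq(Q,R)^⌣ = syq(R,Q)': converse(syq(Q, R, B, C)) == syq(R, Q, C, B),
        'syq(Q,R);syq(R,S) ⊑ syq(Q,S)':
            compose(syq(Q, R, B, C), syq(R, Q, C, B)) <= syq(Q, Q, B, B),
    }

if __name__ == '__main__':
    two = frozenset({0, 1})
    print(univalent(Q, B) and total(Q, A))      # Q is a mapping
    print(lemma1_checks())
    print(modular_law_holds(two, two, two), residual_adjunction_holds(two, two, two))
```

On the sample, syq(Q, R) is the single pair (y, q): y is the only element of B whose Q-preimage {3} has exactly the R-preimage of q, which is what the two residuals in the definition of syq express. The exhaustive checks cover 16^3 triples of relations on two-element sets, enough to see that the modular law and the adjunction are not artefacts of the chosen sample.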

In the next lemma we have collected several properties of univalent relations
used in this paper. A proof can be found in [9,10].

Lemma 2. Let R be an allegory so that ⊤⊤_{AA} exists, Q : A → B be univalent,
P : A → B, R, S : B → C, T : C → B and U : C → A. Then we have

1. Q; (R ⊓ S) = Q; R ⊓ Q; S,
2. (T; Q ⊓ U); Q^⌣ = T ⊓ U; Q^⌣,
3. ⊤⊤_{AA}; (Q ⊓ P) ⊓ Q = Q ⊓ P.

The collection of all mappings of a division allegory R constitutes a subcategory
and is denoted by MAP(R).
The subcategory of mappings may provide products (in the sense of category
theory) for certain objects. As mentioned in the introduction, any useful concept
of products should establish a categorical product in MAP(R). Notice that R
itself may have categorical products. But, contrary to the products in MAP(R),
those products are not suitable to provide an abstract description of pairs. Any
allegory is self-dual (i.e. isomorphic to its co-category) by the converse operation
⌣, which implies that products and co-products coincide. Therefore, they are
called bi-products, and they are related to the relational sums defined below,
which constitute the abstract counterpart of a disjoint union.

Definition 3. Let $\{A_i \mid i \in I\}$ be a set of objects of a locally complete distributive allegory indexed by some set $I$. An object $\sum_{i\in I} A_i$, together with relations $\iota_j \in \mathcal{R}[A_j, \sum_{i\in I} A_i]$ for all $j \in I$, is called a relational sum of $\{A_i \mid i \in I\}$ iff for all $i, j \in I$ with $i \neq j$ the following holds
$$\iota_i;\iota_i^\smile = \mathbb{I}_{A_i}, \qquad \iota_i;\iota_j^\smile = \bot_{A_iA_j}, \qquad \bigsqcup_{i\in I}(\iota_i^\smile;\iota_i) = \mathbb{I}_{\sum_{i\in I} A_i}.$$
$\mathcal{R}$ has relational sums (binary relational sums) iff the relational sum exists for every set (every pair) of objects.

The relational sum is a categorical product and co-product, and hence, unique
up to isomorphism. In Rel the relational sum is given by the disjoint union of
sets and the corresponding injection functions.
Weak Relational Products 421

Definition 4. Let $Q : A \to A$ be a symmetric idempotent relation, i.e., $Q = Q^\smile$ and $Q;Q = Q$. An object $B$ together with a relation $R : B \to A$ is called a splitting of $Q$ (or $R$ splits $Q$) iff $R;R^\smile = \mathbb{I}_B$ and $R^\smile;R = Q$.
In Rel the splitting of Q is given by the set of equivalence classes (note that it
is not assumed that Q is reflexive, so the union of the equivalence classes is in
general just a subset of A), and R relates each equivalence class to its elements.
A splitting is unique up to isomorphism.
The last construction we want to introduce is the abstract counterpart of a power set, the relational power.
Definition 5. Let $\mathcal{R}$ be a division allegory. An object $\mathcal{P}(A)$, together with a relation $\varepsilon : A \to \mathcal{P}(A)$, is called a relational power of $A$ iff
$$\mathsf{syq}(\varepsilon,\varepsilon) \sqsubseteq \mathbb{I}_{\mathcal{P}(A)} \quad\text{and}\quad \mathsf{syq}(R,\varepsilon) \text{ is total}$$
for all relations $R : B \to A$. If the relational power does exist for any object then $\mathcal{R}$ is called a power allegory.
Notice that $\mathsf{syq}(\varepsilon,\varepsilon) = \mathbb{I}_{\mathcal{P}(A)}$, and that $\mathsf{syq}(R,\varepsilon)$ is, in fact, a mapping. In Rel the relation $e_A := \mathsf{syq}(\mathbb{I}_A,\varepsilon) : A \to \mathcal{P}(A)$ maps each element to the singleton set containing that element. This relation is always (in all allegories) an injective mapping (cf. [10]).
Definition 6. An allegory is called systemic complete iff it is a power allegory
that has relational sums, and in which all symmetric idempotent relations split.
The univalent part unp(R) of a relation R was introduced in [9] in the con-
text of (heterogeneous) relation algebras, i.e. division allegories where the order
structure is a complete atomic Boolean algebra.

Definition 7. Let $\mathcal{R}$ be a division allegory, and let $R : A \to B$ be in $\mathcal{R}$. The univalent part of $R$ is defined by $\mathsf{unp}(R) := R \sqcap (R^\smile\backslash\mathbb{I}_B)$.
The following lemma was already proved in [9]. The proof provided there makes
use of complements, which are not available in an arbitrary division allegory.
Here we provide a complement free proof.
Lemma 3. Let $\mathcal{R}$ be a division allegory and $R : A \to B$. Then we have
1. $\mathsf{unp}(R)$ is univalent and included in $R$,
2. $\mathsf{unp}(\mathsf{unp}(R)) = \mathsf{unp}(R)$,
3. $R$ is univalent iff $\mathsf{unp}(R) = R$.

Proof. 1. The second assertion is obvious, and the first is shown by
$$
\begin{aligned}
\mathsf{unp}(R)^\smile;\mathsf{unp}(R) &= (R \sqcap (R^\smile\backslash\mathbb{I}_B))^\smile;(R \sqcap (R^\smile\backslash\mathbb{I}_B))\\
&\sqsubseteq R^\smile;(R^\smile\backslash\mathbb{I}_B)\\
&\sqsubseteq \mathbb{I}_B. && \text{Lemma 1(1)}
\end{aligned}
$$
2. The inclusion '$\sqsubseteq$' is obvious, and $\mathsf{unp}(R)^\smile;(R^\smile\backslash\mathbb{I}_B) \sqsubseteq R^\smile;(R^\smile\backslash\mathbb{I}_B) \sqsubseteq \mathbb{I}_B$ implies $(R^\smile\backslash\mathbb{I}_B) \sqsubseteq (\mathsf{unp}(R)^\smile\backslash\mathbb{I}_B)$ and hence
$$\mathsf{unp}(R) = \mathsf{unp}(R) \sqcap (R^\smile\backslash\mathbb{I}_B) \sqsubseteq \mathsf{unp}(R) \sqcap (\mathsf{unp}(R)^\smile\backslash\mathbb{I}_B) = \mathsf{unp}(\mathsf{unp}(R)).$$
3. This follows immediately from
$$
\begin{aligned}
R^\smile;R \sqsubseteq \mathbb{I}_B &\iff R \sqsubseteq (R^\smile\backslash\mathbb{I}_B)\\
&\iff R \sqcap (R^\smile\backslash\mathbb{I}_B) = R\\
&\iff \mathsf{unp}(R) = R. \qquad\square
\end{aligned}
$$
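As an added worked instance (an editorial illustration, not part of the paper) of the residuals, the symmetric quotient and the univalent part in the concrete allegory Rel, where $Q : A \to B$ and $R : A \to C$ are ordinary relations:
$$
\begin{aligned}
(b,c) \in Q\backslash R &\iff \forall a\,\big((a,b)\in Q \Rightarrow (a,c)\in R\big),\\
(b,c) \in Q^\smile / R^\smile &\iff \forall a\,\big((a,c)\in R \Rightarrow (a,b)\in Q\big),\\
(b,c) \in \mathsf{syq}(Q,R) &\iff \forall a\,\big((a,b)\in Q \iff (a,c)\in R\big),
\end{aligned}
$$
so $\mathsf{syq}(Q,R)$ relates $b$ and $c$ exactly when their preimages under $Q$ and $R$ coincide. Taking $R^\smile$ as first argument and the identity as second,
$$
(a,b) \in R^\smile\backslash\mathbb{I}_B \iff \forall c\,\big((a,c)\in R \Rightarrow c = b\big),
$$
so $\mathsf{unp}(R) = R \sqcap (R^\smile\backslash\mathbb{I}_B)$ keeps exactly the pairs $(a,b)$ for which $b$ is the only $R$-image of $a$. For the constructed instance $A=\{1,2,3\}$, $B=\{x,y\}$ and $R=\{(1,x),(1,y),(2,x)\}$ one gets
$$
R^\smile\backslash\mathbb{I}_B = \{(2,x),(3,x),(3,y)\},\qquad \mathsf{unp}(R) = \{(2,x)\},\qquad \mathsf{unp}(R)^\smile\backslash\mathbb{I}_B = \{(1,x),(1,y),(2,x),(3,x),(3,y)\},
$$
hence $\mathsf{unp}(\mathsf{unp}(R)) = \{(2,x)\} = \mathsf{unp}(R)$ as in Lemma 3(2), while $\mathsf{unp}(R) \neq R$ witnesses that $R$ is not univalent (Lemma 3(3)).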


3 Weak Relational Products


A relational product, as defined in the introduction, is also a categorical product in the subcategory of mappings, but not necessarily vice versa. The equation $\pi^\smile;\rho = \top_{AB}$ may not be valid. This equation states that the greatest relation is tabular [5]. We will weaken this axiom by requiring that each tabulation is included in this relation.
Definition 8 (Weak relational product). Let $\mathcal{R}$ be an allegory and $A$ and $B$ objects of $\mathcal{R}$. An object $A\times B$ together with two relations $\pi : A\times B \to A$ and $\rho : A\times B \to B$ is called a weak relational product iff
(P1) $\pi^\smile;\pi \sqsubseteq \mathbb{I}_A$,
(P2) $\rho^\smile;\rho \sqsubseteq \mathbb{I}_B$,
(P3) $\pi;\pi^\smile \sqcap \rho;\rho^\smile = \mathbb{I}_{A\times B}$,
(P4) $f^\smile;g \sqsubseteq \pi^\smile;\rho$ for all mappings $f : C \to A$ and $g : C \to B$.
$\mathcal{R}$ is called a weak pairing allegory iff a weak relational product for each pair of objects exists.
Example 1. Consider the concrete allegory with one object $A = \{0,1\}$ and the four relations $\bot_A := \emptyset$, $\mathbb{I}_A$, $\overline{\mathbb{I}}_A := \{(0,1),(1,0)\}$ and $\top_A := A\times A$. It is easy to verify that this structure indeed establishes an allegory with exactly two mappings, $\mathbb{I}_A$ and $\overline{\mathbb{I}}_A$. It is well-known that the matrices with entries of a (complete) allegory form an allegory. Mappings in our example are matrices with exactly one entry $\mathbb{I}_A$ or $\overline{\mathbb{I}}_A$ in each row and $\bot_A$ otherwise. The pair
[display of $\pi$ and $\rho$: two $4\times 2$ matrices over $\{\bot_A, \mathbb{I}_A, \overline{\mathbb{I}}_A\}$ with one non-$\bot_A$ entry per row; the placement of the $\overline{\mathbb{I}}_A$ entries did not survive extraction]
establishes a weak relational product. Notice that if we replace $\overline{\mathbb{I}}_A$ by the greatest element we obtain the well-known matrix representation of the projections (cf. [9]).

The weak version still establishes a categorical product in MAP(R), and is,
therefore, unique (up to isomorphism).
Theorem 1. Let R be an allegory. Then a weak relational product (A × B, π, ρ)
is a categorical product of A and B in MAP(R).
Proof. Let $(A\times B, \pi, \rho)$ be a weak relational product. By P1, P2 and P3 the relations $\pi$ and $\rho$ are mappings, and hence in $\mathsf{MAP}(\mathcal{R})$. Let $f : C \to A$ and $g : C \to B$ be mappings. Then we have
$$
\begin{aligned}
(f;\pi^\smile \sqcap g;\rho^\smile);\rho &= f;\pi^\smile;\rho \sqcap g && \text{Lemma 2(2)}\\
&= g
\end{aligned}
$$
where the last equality follows from
$$
\begin{aligned}
g &\sqsubseteq f;f^\smile;g && f \text{ is total,}\\
&\sqsubseteq f;\pi^\smile;\rho && \text{Axiom P4.}
\end{aligned}
$$
The equality $(f;\pi^\smile \sqcap g;\rho^\smile);\pi = f$ is shown analogously. Furthermore, the following computation shows that $f;\pi^\smile \sqcap g;\rho^\smile$ is a mapping, and hence an element of $\mathsf{MAP}(\mathcal{R})$:
$$
\begin{aligned}
(f;\pi^\smile \sqcap g;\rho^\smile)^\smile;(f;\pi^\smile \sqcap g;\rho^\smile)
&= (\pi;f^\smile \sqcap \rho;g^\smile);(f;\pi^\smile \sqcap g;\rho^\smile)\\
&\sqsubseteq \pi;f^\smile;f;\pi^\smile \sqcap \rho;g^\smile;g;\rho^\smile\\
&\sqsubseteq \pi;\pi^\smile \sqcap \rho;\rho^\smile && f \text{ and } g \text{ are univalent,}\\
&= \mathbb{I}_{A\times B} && \text{Axiom P3,}\\[1ex]
(f;\pi^\smile \sqcap g;\rho^\smile);(f;\pi^\smile \sqcap g;\rho^\smile)^\smile
&= (f;\pi^\smile \sqcap g;\rho^\smile);(\pi;f^\smile \sqcap \rho;g^\smile)\\
&= (f;\pi^\smile \sqcap g;\rho^\smile);\pi;f^\smile \sqcap (f;\pi^\smile \sqcap g;\rho^\smile);\rho;g^\smile && \text{Lemma 2(1)}\\
&= f;f^\smile \sqcap g;g^\smile && \text{previous computation}\\
&\sqsupseteq \mathbb{I}_C && f \text{ and } g \text{ are total.}
\end{aligned}
$$
Last but not least, let $h$ be a mapping with $h;\pi = f$ and $h;\rho = g$. Then we conclude
$$
\begin{aligned}
f;\pi^\smile \sqcap g;\rho^\smile &= h;\pi;\pi^\smile \sqcap h;\rho;\rho^\smile\\
&= h;(\pi;\pi^\smile \sqcap \rho;\rho^\smile) && \text{Lemma 2(1)}\\
&= h. && \text{Axiom P3}
\end{aligned}
$$
This completes the proof. $\square$



Notice that we have also shown that for a weak relational product the product morphism induced by the mappings $f : C \to A$ and $g : C \to B$, i.e. the unique mapping $h : C \to A\times B$ satisfying $h;\pi = f$ and $h;\rho = g$, is actually given by the relation $f;\pi^\smile \sqcap g;\rho^\smile$.
Unfortunately, we are just able to prove parts of the converse implication.

Lemma 4. Let $\mathcal{R}$ be an allegory. Then a categorical product $(A\times B, \pi, \rho)$ of $A$ and $B$ in $\mathsf{MAP}(\mathcal{R})$ fulfils the axioms P1, P2, P4 and the inclusion $\sqsupseteq$ of P3.

Proof. Suppose $(A\times B, \pi, \rho)$ is a categorical product of $A$ and $B$ in $\mathsf{MAP}(\mathcal{R})$. Axioms P1, P2 and the inclusion $\sqsupseteq$ of P3 are trivial since $\pi$ and $\rho$ are mappings. Now, let $f : C \to A$ and $g : C \to B$ be mappings. Then there is a unique mapping $h : C \to A\times B$ with $h;\pi = f$ and $h;\rho = g$. We conclude
$$
\begin{aligned}
g &= h;\rho\\
&\sqsubseteq h;(\pi;\pi^\smile \sqcap \rho;\rho^\smile);\rho && \text{inclusion } \sqsupseteq \text{ of P3}\\
&\sqsubseteq h;\pi;\pi^\smile;\rho\\
&= f;\pi^\smile;\rho,
\end{aligned}
$$
which implies $f^\smile;g \sqsubseteq f^\smile;f;\pi^\smile;\rho \sqsubseteq \pi^\smile;\rho$ since $f$ is univalent. $\square$




We have not been able to find an example showing that the full converse does
not hold. Constructing such an example is a non-trivial problem since the next
lemma indicates that the remaining inclusion is not hard to fulfill. In particular,
we prove that inclusion in the case the allegory provides a suitable splitting.

Lemma 5. Let $\mathcal{R}$ be an allegory, and let $(A\times B, \pi, \rho)$ be a categorical product in $\mathsf{MAP}(\mathcal{R})$. Furthermore, assume that $\pi;\pi^\smile \sqcap \rho;\rho^\smile$ splits in $\mathcal{R}$. Then $(A\times B, \pi, \rho)$ is a weak relational product.

Proof. By Lemma 4 it remains to show the inclusion $\sqsubseteq$ of P3. Let $R : C \to A\times B$ be the splitting of $\pi;\pi^\smile \sqcap \rho;\rho^\smile$, and define $\tilde\pi := R;\pi$ and $\tilde\rho := R;\rho$. We want to show that $(C, \tilde\pi, \tilde\rho)$ is a weak relational product of $A$ and $B$. Once verified, Theorem 1 implies that $(C, \tilde\pi, \tilde\rho)$ is another categorical product of $A$ and $B$ in $\mathsf{MAP}(\mathcal{R})$, and hence isomorphic to $A\times B$. It is easy to verify (cf. [1]) that the isomorphism is given by the two mappings $h : C \to A\times B$ and $k : A\times B \to C$ fulfilling $h;\pi = \tilde\pi$, $h;\rho = \tilde\rho$, $k;\tilde\pi = \pi$ and $k;\tilde\rho = \rho$. Theorem 1 also shows $k = \pi;\tilde\pi^\smile \sqcap \rho;\tilde\rho^\smile$. Furthermore, in [5] it was shown that the inverse of an isomorphism in an allegory is its converse, so that $h = k^\smile$ follows. We conclude
$$
\begin{aligned}
\mathbb{I}_{A\times B} &= k;h && \text{pair of isomorphisms}\\
&= (\pi;\tilde\pi^\smile \sqcap \rho;\tilde\rho^\smile);h\\
&= (\pi;\pi^\smile;h^\smile \sqcap \rho;\rho^\smile;h^\smile);h\\
&= (\pi;\pi^\smile \sqcap \rho;\rho^\smile);h^\smile;h && \text{Lemma 2(1)}\\
&= (\pi;\pi^\smile \sqcap \rho;\rho^\smile);k;h\\
&= \pi;\pi^\smile \sqcap \rho;\rho^\smile.
\end{aligned}
$$
In order to show that $(C, \tilde\pi, \tilde\rho)$ is a weak relational product we derive Axiom P1 from
$$
\begin{aligned}
\tilde\pi^\smile;\tilde\pi &= \pi^\smile;R^\smile;R;\pi\\
&= \pi^\smile;(\pi;\pi^\smile \sqcap \rho;\rho^\smile);\pi\\
&= \mathbb{I}_A \sqcap \pi^\smile;\rho;\rho^\smile;\pi && \text{Lemma 2(2)}\\
&\sqsubseteq \mathbb{I}_A,
\end{aligned}
$$
and Axiom P2 analogously. We get the totality of $\tilde\pi$ from $\mathbb{I}_C = R;R^\smile \sqsubseteq R;\pi;\pi^\smile;R^\smile = \tilde\pi;\tilde\pi^\smile$ and for $\tilde\rho$ analogously. Together with
$$
\begin{aligned}
\tilde\pi;\tilde\pi^\smile \sqcap \tilde\rho;\tilde\rho^\smile
&= R;\pi;\pi^\smile;R^\smile \sqcap R;\rho;\rho^\smile;R^\smile\\
&\sqsubseteq R;(\pi;\pi^\smile;R^\smile \sqcap R^\smile;R;\rho;\rho^\smile;R^\smile)\\
&\sqsubseteq R;(\pi;\pi^\smile \sqcap R^\smile;R;\rho;\rho^\smile;R^\smile;R);R^\smile\\
&= R;(\pi;\pi^\smile \sqcap (\pi;\pi^\smile \sqcap \rho;\rho^\smile);\rho;\rho^\smile;(\pi;\pi^\smile \sqcap \rho;\rho^\smile));R^\smile\\
&= R;(\pi;\pi^\smile \sqcap (\pi;\pi^\smile;\rho \sqcap \rho);(\rho^\smile;\pi;\pi^\smile \sqcap \rho^\smile));R^\smile && \text{Lemma 2(2)}\\
&\sqsubseteq R;(\pi;\pi^\smile \sqcap \rho;\rho^\smile);R^\smile\\
&= R;R^\smile;R;R^\smile\\
&= \mathbb{I}_C
\end{aligned}
$$
we have shown Axiom P3. Last but not least, the computation
$$
\begin{aligned}
\tilde\pi^\smile;\tilde\rho &= \pi^\smile;R^\smile;R;\rho\\
&= \pi^\smile;(\pi;\pi^\smile \sqcap \rho;\rho^\smile);\rho\\
&= \pi^\smile;\rho \sqcap \pi^\smile;\rho && \text{Lemma 2(2)}\\
&= \pi^\smile;\rho
\end{aligned}
$$
implies Axiom P4. $\square$



Even though every allegory can be embedded into one providing the splitting
required by the last lemma, it is not clear that the given product remains one
after embedding.
Now we want to show that for certain allegories the weak relational product
can be defined by equations. This seems to be of particular interest because the
allegories considered to construct weak relational products (cf. next section) are
of that kind.
Lemma 6. Let $\mathcal{R}$ be a division allegory in which all partial identities split. Then $(A\times B, \pi, \rho)$ is a weak relational product iff the Axioms P1–P3 and
$$\mathsf{unp}(R)^\smile;\mathsf{unp}(S) \sqsubseteq \pi^\smile;\rho$$
for all relations $R : C \to A$ and $S : C \to B$ hold.



Proof. The implication $\Leftarrow$ is trivial since $\mathsf{unp}(f) = f$ for all mappings $f$ by Lemma 3(3), so that the inclusion above specializes to Axiom P4. For the converse implication assume P1–P4 and let $R : C \to A$ and $S : C \to B$ be arbitrary relations. Now, let $i := \mathbb{I}_C \sqcap \mathsf{unp}(R);\mathsf{unp}(R)^\smile \sqcap \mathsf{unp}(S);\mathsf{unp}(S)^\smile$ and $s : D \to C$ be its splitting. Then $s;\mathsf{unp}(R)$ is univalent since $s$ and $\mathsf{unp}(R)$ are. Furthermore, this relation is total because $\mathbb{I}_D = s;s^\smile;s;s^\smile = s;i;s^\smile \sqsubseteq s;\mathsf{unp}(R);\mathsf{unp}(R)^\smile;s^\smile$. Analogously, we get that $s;\mathsf{unp}(S)$ is a mapping. Notice that we have $Q = (\mathbb{I}_A \sqcap Q;Q^\smile);Q$ for arbitrary relations $Q : A \to B$ and $i;j = i \sqcap j$ for partial identities $i, j : A \to A$. Proofs of those properties can be found in [5,9,10]. We conclude
$$
\begin{aligned}
\mathsf{unp}(R)^\smile;\mathsf{unp}(S)
&= \mathsf{unp}(R)^\smile;(\mathbb{I}_C \sqcap \mathsf{unp}(R);\mathsf{unp}(R)^\smile);(\mathbb{I}_C \sqcap \mathsf{unp}(S);\mathsf{unp}(S)^\smile);\mathsf{unp}(S)\\
&= \mathsf{unp}(R)^\smile;(\mathbb{I}_C \sqcap \mathsf{unp}(R);\mathsf{unp}(R)^\smile \sqcap \mathsf{unp}(S);\mathsf{unp}(S)^\smile);\mathsf{unp}(S)\\
&= \mathsf{unp}(R)^\smile;i;\mathsf{unp}(S)\\
&= \mathsf{unp}(R)^\smile;s^\smile;s;\mathsf{unp}(S)\\
&= (s;\mathsf{unp}(R))^\smile;s;\mathsf{unp}(S)\\
&\sqsubseteq \pi^\smile;\rho. && \text{Axiom P4}
\end{aligned}
$$
This completes the proof. $\square$




Example 2. In this example we want to show that, in contrast to relational products, unsharpness may hold for a weak relational product, i.e. there are relations $Q$, $R$, $S$ and $T$ with $(Q;\pi^\smile \sqcap R;\rho^\smile);(\pi;S \sqcap \rho;T) \neq Q;S \sqcap R;T$. Our example will show that even under the additional assumption of totality of the relations involved unsharpness is possible. Suppose $\mathcal{R}$ is a weak pairing allegory with a greatest element in $\mathcal{R}[A,B]$ and $\pi^\smile;\rho \neq \top_{AB}$. Then we have
$$
\begin{aligned}
(\mathbb{I}_A;\pi^\smile \sqcap \top_{AB};\rho^\smile);(\pi;\top_{AB} \sqcap \rho;\mathbb{I}_B)
&= (\pi^\smile \sqcap \top_{A(A\times B)});(\top_{(A\times B)B} \sqcap \rho)\\
&= \pi^\smile;\rho\\
&\neq \top_{AB}\\
&= \mathbb{I}_A;\top_{AB} \sqcap \top_{AB};\mathbb{I}_B.
\end{aligned}
$$

One important property of relational products is that one can transform any relation into the abstract counterpart of a set of pairs, i.e. into a vector or left ideal element $v$ with $\top_{AA};v = v$. We want to investigate whether this is also possible for weak relational products. Consider the two operations
$$\tau(R) := \top_{AA};(\pi^\smile \sqcap R;\rho^\smile) \qquad\text{and}\qquad \sigma(v) := (\top_{AA};v \sqcap \pi^\smile);\rho.$$
$\tau$ maps relations to vectors and $\sigma$ vectors to relations.

Lemma 7. Let $\mathcal{R}$ be a weak pairing allegory with greatest elements, $R : A \to B$, $v : A \to A\times B$ be a vector, $Q : C \to A$ univalent, and $S : C \to A\times B$. Then we have
1. $Q;\pi^\smile \sqcap (Q;\pi^\smile \sqcap S);\rho;\rho^\smile = Q;\pi^\smile \sqcap S$,
2. $\tau(\sigma(v)) = v$,
3. $\sigma(\tau(R)) \sqsubseteq R$ with '$=$' if $R \sqsubseteq \pi^\smile;\rho$.

Proof. 1.–2. These properties were shown in [9,10,11] for relational products. The proofs provided there also apply to weak relational products without modifications.
3. Consider the computation
$$
\begin{aligned}
\sigma(\tau(R)) &= (\top_{AA};\top_{AA};(\pi^\smile \sqcap R;\rho^\smile) \sqcap \pi^\smile);\rho\\
&= (\top_{AA};(\pi^\smile \sqcap R;\rho^\smile) \sqcap \pi^\smile);\rho\\
&= (\pi^\smile \sqcap R;\rho^\smile);\rho && \text{Lemma 2(3)}\\
&= \pi^\smile;\rho \sqcap R && \text{Lemma 2(2)}\\
&\sqsubseteq R.
\end{aligned}
$$
Obviously, we get '$=$' if $R \sqsubseteq \pi^\smile;\rho$. $\square$
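As an added illustration (an editorial example, not part of the paper) of the product morphism from Theorem 1 and of the operations $\tau$ and $\sigma$ in Rel, where $A\times B$ is the cartesian product and $\pi$, $\rho$ are the coordinate projections:
$$
\begin{aligned}
(c,p) \in f;\pi^\smile \sqcap g;\rho^\smile &\iff \pi(p) = f(c) \text{ and } \rho(p) = g(c) \iff p = (f(c),g(c)),\\
(a,p) \in \pi^\smile \sqcap R;\rho^\smile &\iff p = (a,b) \text{ for some } b \text{ with } (a,b) \in R,\\
(a',p) \in \tau(R) = \top_{AA};(\pi^\smile \sqcap R;\rho^\smile) &\iff p \in R \quad (R \text{ read as a subset of } A\times B),\\
(a,b) \in \sigma(v) = (\top_{AA};v \sqcap \pi^\smile);\rho &\iff (a',(a,b)) \in v \text{ for some } a' \in A.
\end{aligned}
$$
So $f;\pi^\smile \sqcap g;\rho^\smile$ is the pairing $c \mapsto (f(c),g(c))$, $\tau(R)$ is the vector $A\times R$ whose set of points is $R$, and $\sigma$ reads the points back off a vector. For the constructed instance $A = \{1,2\}$, $B = \{x\}$, $R = \{(2,x)\}$ this gives $\tau(R) = \{(1,(2,x)),(2,(2,x))\}$ and $\sigma(\tau(R)) = \{(2,x)\} = R$, with equality as predicted by Lemma 7(3), since $\pi^\smile;\rho = \top_{AB}$ in Rel.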




4 Creating Weak Relational Products

The main proposition of this section (Corollary 1) states that any (small) allegory can be embedded into a weak pairing allegory. This theorem is based on the fact that the cartesian product of two power sets can be constructed as the power set of the disjoint union of the sets. An abstract version of this proposition is given in the next lemma and summarized by the following diagram: the relational sum $A + B$ with its injections $\iota : A \to A + B$ and $\kappa : B \to A + B$, the membership relations $\varepsilon$ from $A$, $B$ and $A + B$ into $\mathcal{P}(A)$, $\mathcal{P}(B)$ and $\mathcal{P}(A+B)$, and the two projections $\mathsf{syq}(\iota;\varepsilon,\varepsilon) : \mathcal{P}(A+B) \to \mathcal{P}(A)$ and $\mathsf{syq}(\kappa;\varepsilon,\varepsilon) : \mathcal{P}(A+B) \to \mathcal{P}(B)$.
Notice that the constructed weak relational product is not necessarily a relational product [10].

Lemma 8. Let $\mathcal{R}$ be an allegory, $A$ and $B$ objects of $\mathcal{R}$ so that the relational sum $(A+B, \iota_{AB}, \kappa_{AB})$ and the relational powers $\mathcal{P}(A)$, $\mathcal{P}(B)$ and $\mathcal{P}(A+B)$ exist. Then $(\mathcal{P}(A+B), \mathsf{syq}(\iota_{AB};\varepsilon_{A+B}, \varepsilon_A), \mathsf{syq}(\kappa_{AB};\varepsilon_{A+B}, \varepsilon_B))$ is a weak relational product of $\mathcal{P}(A)$ and $\mathcal{P}(B)$.

Proof. Axiom P1 follows immediately from
$$
\begin{aligned}
\pi^\smile;\pi &= \mathsf{syq}(\iota;\varepsilon,\varepsilon)^\smile;\mathsf{syq}(\iota;\varepsilon,\varepsilon)\\
&= \mathsf{syq}(\varepsilon,\iota;\varepsilon);\mathsf{syq}(\iota;\varepsilon,\varepsilon) && \text{Lemma 1(3)}\\
&\sqsubseteq \mathsf{syq}(\varepsilon,\varepsilon) && \text{Lemma 1(4)}\\
&= \mathbb{I}_{\mathcal{P}(A)}.
\end{aligned}
$$
Axiom P2 is shown analogously. Since $\mathsf{syq}(\iota;\varepsilon,\varepsilon)$ is total by definition we get
$$
\begin{aligned}
\pi;\pi^\smile &= \mathsf{syq}(\iota;\varepsilon,\varepsilon);\mathsf{syq}(\iota;\varepsilon,\varepsilon)^\smile\\
&= \mathsf{syq}(\iota;\varepsilon,\varepsilon);\mathsf{syq}(\varepsilon,\iota;\varepsilon) && \text{Lemma 1(3)}\\
&= \mathsf{syq}(\iota;\varepsilon,\iota;\varepsilon) && \text{Lemma 1(5)}
\end{aligned}
$$
and $\rho;\rho^\smile = \mathsf{syq}(\kappa;\varepsilon,\kappa;\varepsilon)$ analogously. Furthermore, we have
$$
\begin{aligned}
\varepsilon;\big((\iota;\varepsilon)\backslash(\iota;\varepsilon) \sqcap (\kappa;\varepsilon)\backslash(\kappa;\varepsilon)\big)
&= (\iota^\smile;\iota \sqcup \kappa^\smile;\kappa);\varepsilon;\big((\iota;\varepsilon)\backslash(\iota;\varepsilon) \sqcap (\kappa;\varepsilon)\backslash(\kappa;\varepsilon)\big)\\
&\sqsubseteq \iota^\smile;\iota;\varepsilon;\big((\iota;\varepsilon)\backslash(\iota;\varepsilon)\big) \sqcup \kappa^\smile;\kappa;\varepsilon;\big((\kappa;\varepsilon)\backslash(\kappa;\varepsilon)\big)\\
&\sqsubseteq \iota^\smile;\iota;\varepsilon \sqcup \kappa^\smile;\kappa;\varepsilon && \text{Lemma 1(1)}\\
&= (\iota^\smile;\iota \sqcup \kappa^\smile;\kappa);\varepsilon\\
&= \varepsilon
\end{aligned}
$$
so that $(\iota;\varepsilon)\backslash(\iota;\varepsilon) \sqcap (\kappa;\varepsilon)\backslash(\kappa;\varepsilon) \sqsubseteq \varepsilon\backslash\varepsilon$ follows. Again, the similar inclusion $(\iota;\varepsilon)^\smile/(\iota;\varepsilon)^\smile \sqcap (\kappa;\varepsilon)^\smile/(\kappa;\varepsilon)^\smile \sqsubseteq \varepsilon^\smile/\varepsilon^\smile$ is shown analogously. The converse inclusions hold as well: $\varepsilon;(\varepsilon\backslash\varepsilon) \sqsubseteq \varepsilon$ (Lemma 1(1)) gives $\iota;\varepsilon;(\varepsilon\backslash\varepsilon) \sqsubseteq \iota;\varepsilon$, i.e. $\varepsilon\backslash\varepsilon \sqsubseteq (\iota;\varepsilon)\backslash(\iota;\varepsilon)$, and likewise for $\kappa$ and for the left residuals. Together, we conclude
$$
\begin{aligned}
\pi;\pi^\smile \sqcap \rho;\rho^\smile &= \mathsf{syq}(\iota;\varepsilon,\iota;\varepsilon) \sqcap \mathsf{syq}(\kappa;\varepsilon,\kappa;\varepsilon)\\
&= (\iota;\varepsilon)\backslash(\iota;\varepsilon) \sqcap (\iota;\varepsilon)^\smile/(\iota;\varepsilon)^\smile \sqcap (\kappa;\varepsilon)\backslash(\kappa;\varepsilon) \sqcap (\kappa;\varepsilon)^\smile/(\kappa;\varepsilon)^\smile\\
&= \varepsilon\backslash\varepsilon \sqcap \varepsilon^\smile/\varepsilon^\smile\\
&= \mathsf{syq}(\varepsilon,\varepsilon)\\
&= \mathbb{I}_{\mathcal{P}(A+B)}.
\end{aligned}
$$
In order to prove P4 let $f : C \to \mathcal{P}(A)$ and $g : C \to \mathcal{P}(B)$ be mappings. The relation $\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon)$ is a mapping by definition, and we have
$$
\begin{aligned}
\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);\pi
&= \mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);\mathsf{syq}(\iota;\varepsilon,\varepsilon)\\
&= \mathsf{syq}(\iota;\varepsilon;\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon)^\smile, \varepsilon) && \text{Lemma 1(2)}\\
&= \mathsf{syq}(\iota;\varepsilon;\mathsf{syq}(\varepsilon, \iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile), \varepsilon) && \text{Lemma 1(3)}\\
&= \mathsf{syq}(\iota;(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile), \varepsilon) && \text{Lemma 1(6)}\\
&= \mathsf{syq}(\varepsilon;f^\smile, \varepsilon)\\
&= f;\mathsf{syq}(\varepsilon,\varepsilon) && \text{Lemma 1(2)}\\
&= f.
\end{aligned}
$$
$\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);\rho = g$ is shown analogously. We conclude
$$
\begin{aligned}
f^\smile;g &= f^\smile;\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);\rho\\
&= f^\smile;\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);(\pi;\pi^\smile \sqcap \rho;\rho^\smile);\rho && \text{Axiom P3}\\
&\sqsubseteq f^\smile;\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile, \varepsilon);\pi;\pi^\smile;\rho\\
&= f^\smile;f;\pi^\smile;\rho\\
&\sqsubseteq \pi^\smile;\rho. && f \text{ is univalent}
\end{aligned}
$$
This completes the proof. $\square$

If the allegory provides splitting of partial identities, the construction described
above can be distributed to any pair of objects.
Theorem 2. Any systemic complete allegory is a weak pairing allegory.
Proof. Let $\mathcal{R}$ be a systemic complete allegory, and let $A$ and $B$ be objects of $\mathcal{R}$. By Lemma 8 there is a weak relational product $(\mathcal{P}(A)\times\mathcal{P}(B), \pi, \rho)$ of $\mathcal{P}(A)$ and $\mathcal{P}(B)$. Let $i := \pi;e_A^\smile;e_A;\pi^\smile \sqcap \rho;e_B^\smile;e_B;\rho^\smile$. The relation $i$ is a partial identity, which is shown as follows
$$
\begin{aligned}
i &= \pi;e_A^\smile;e_A;\pi^\smile \sqcap \rho;e_B^\smile;e_B;\rho^\smile\\
&\sqsubseteq \pi;\pi^\smile \sqcap \rho;\rho^\smile && e_A \text{ and } e_B \text{ are univalent}\\
&= \mathbb{I}_{\mathcal{P}(A)\times\mathcal{P}(B)}. && \text{Axiom P3}
\end{aligned}
$$
Since $\mathcal{R}$ is systemic complete there is an object $C$ and a relation $s : C \to \mathcal{P}(A)\times\mathcal{P}(B)$ that splits $i$. Notice that $s$ is an injective mapping since $i$ is a partial identity. We want to show that $C$ together with the relations $\tilde\pi := s;\pi;e_A^\smile$ and $\tilde\rho := s;\rho;e_B^\smile$ is a weak relational product of $A$ and $B$. (Diagram: $s : C \to \mathcal{P}(A)\times\mathcal{P}(B)$ splits $i$; $e_A : A \to \mathcal{P}(A)$ and $e_B : B \to \mathcal{P}(B)$ are the singleton maps; $\tilde\pi = s;\pi;e_A^\smile : C \to A$ and $\tilde\rho = s;\rho;e_B^\smile : C \to B$ are the composite arrows.)
Axiom P1 is shown by
$$
\begin{aligned}
\tilde\pi^\smile;\tilde\pi &= (s;\pi;e_A^\smile)^\smile;s;\pi;e_A^\smile\\
&= e_A;\pi^\smile;s^\smile;s;\pi;e_A^\smile\\
&\sqsubseteq e_A;\pi^\smile;\pi;e_A^\smile && s \text{ is injective}\\
&\sqsubseteq e_A;e_A^\smile && \text{Axiom P1}\\
&= \mathbb{I}_A, && e_A \text{ is total and injective}
\end{aligned}
$$
and Axiom P2 follows analogously. The computation
$$
\begin{aligned}
\tilde\pi;\tilde\pi^\smile \sqcap \tilde\rho;\tilde\rho^\smile
&= s;\pi;e_A^\smile;e_A;\pi^\smile;s^\smile \sqcap s;\rho;e_B^\smile;e_B;\rho^\smile;s^\smile\\
&= s;(\pi;e_A^\smile;e_A;\pi^\smile \sqcap \rho;e_B^\smile;e_B;\rho^\smile);s^\smile && \text{Lemma 2(1)}\\
&= s;i;s^\smile\\
&= s;s^\smile;s;s^\smile\\
&= \mathbb{I}_C
\end{aligned}
$$
verifies Axiom P3. In order to prove Axiom P4 we first observe
$$
\begin{aligned}
\tilde\pi^\smile;\tilde\rho &= e_A;\pi^\smile;s^\smile;s;\rho;e_B^\smile\\
&= e_A;\pi^\smile;i;\rho;e_B^\smile && s \text{ splits } i\\
&= e_A;\pi^\smile;(\pi;e_A^\smile;e_A;\pi^\smile \sqcap \rho;e_B^\smile;e_B;\rho^\smile);\rho;e_B^\smile\\
&= e_A;(e_A^\smile;e_A;\pi^\smile;\rho \sqcap \pi^\smile;\rho;e_B^\smile;e_B);e_B^\smile && \text{Lemma 2(2)}\\
&= e_A;e_A^\smile;e_A;\pi^\smile;\rho;e_B^\smile \sqcap e_A;\pi^\smile;\rho;e_B^\smile;e_B;e_B^\smile && \text{Lemma 2(1)}\\
&= e_A;\pi^\smile;\rho;e_B^\smile \sqcap e_A;\pi^\smile;\rho;e_B^\smile && e_A, e_B \text{ total and injective}\\
&= e_A;\pi^\smile;\rho;e_B^\smile.
\end{aligned}
$$
Now, let $f : D \to A$ and $g : D \to B$ be mappings. Then $f;e_A$ and $g;e_B$ are also mappings, from $D$ to $\mathcal{P}(A)$ and $\mathcal{P}(B)$, respectively. This implies $e_A^\smile;f^\smile;g;e_B = (f;e_A)^\smile;g;e_B \sqsubseteq \pi^\smile;\rho$ by Axiom P4 for $(\mathcal{P}(A)\times\mathcal{P}(B), \pi, \rho)$. We conclude
$$
\begin{aligned}
f^\smile;g &= e_A;e_A^\smile;f^\smile;g;e_B;e_B^\smile && e_A, e_B \text{ total and injective}\\
&\sqsubseteq e_A;\pi^\smile;\rho;e_B^\smile\\
&= \tilde\pi^\smile;\tilde\rho,
\end{aligned}
$$
which finally verifies Axiom P4. $\square$
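As an added worked instance (an editorial illustration, not part of the paper) of Lemma 8 and of the construction in the proof of Theorem 2, take the concrete allegory Rel, where $\varepsilon_X$ is the membership relation between elements and subsets of $X$, and $A + B$ is the disjoint union with injections $\iota$, $\kappa$. For $X \subseteq A+B$ and $Y \subseteq A$,
$$(X,Y) \in \mathsf{syq}(\iota;\varepsilon_{A+B},\varepsilon_A) \iff \forall a \in A\,\big(\iota(a) \in X \iff a \in Y\big) \iff Y = \iota^{-1}(X),$$
so $\pi = \mathsf{syq}(\iota;\varepsilon,\varepsilon_A)$ is the function $X \mapsto \iota^{-1}(X)$ and $\rho$ is $X \mapsto \kappa^{-1}(X)$. Axiom P3 holds because a subset of $A+B$ is determined by its two preimages, and the mapping $\mathsf{syq}(\iota^\smile;\varepsilon;f^\smile \sqcup \kappa^\smile;\varepsilon;g^\smile,\varepsilon)$ of the P4 proof sends $c$ to $\iota[f(c)] \cup \kappa[g(c)]$. The singleton map is $e_A = \mathsf{syq}(\mathbb{I}_A,\varepsilon_A)$, since
$$(a,Y) \in \mathsf{syq}(\mathbb{I}_A,\varepsilon_A) \iff \forall a'\,\big(a' = a \iff a' \in Y\big) \iff Y = \{a\}.$$
Consequently $(Y,Y') \in e_A^\smile;e_A$ iff $Y = Y' = \{a\}$ for some $a$, and the partial identity of Theorem 2 is
$$i = \{(X,X) \mid X = \{\iota(a),\kappa(b)\},\ a \in A,\ b \in B\},$$
so the splitting object $C$ is (in bijection with) $A \times B$, and $\tilde\pi = s;\pi;e_A^\smile$ sends $\{\iota(a),\kappa(b)\}$ to $a$. For the constructed instance $A = \{a_1,a_2\}$, $B = \{b_1\}$, the eight subsets of $A+B$ are cut down by $i$ to the two sets $\{\iota(a_1),\kappa(b_1)\}$ and $\{\iota(a_2),\kappa(b_1)\}$, matching $|A\times B| = 2$.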




Since the systemic completion of a small allegory is systemic complete ([5] 2.221 and 2.434) we have shown the main result of this section.

Corollary 1. Any small allegory may be faithfully represented in a weak pairing allegory.

This corollary also shows that there are indeed weak pairing allegories in which
the weak relational product is not always a relational product. For example,
consider the allegory induced by the non-representable McKenzie relation alge-
bra. According to Corollary 1 this allegory can be embedded into a weak pairing
allegory. This allegory can not have all relational products since then it would
be representable [5], which is a contradiction.

References
1. Asperti A., Longo G.: Categories, Types and Structures. The MIT Press, Cam-
bridge, Massachusetts, London, England (1991)
2. Berghammer R., Haeberer A., Schmidt G., Veloso P.A.S.: Comparing two different
approaches to products in abstract relation algebra. Algebraic Methodology and
Software Technology, Proc. 3rd Int’l Conf. Algebraic Methodology and Software
Technology (AMAST’93), Springer (1994), 167-176.
3. Desharnais, J.: Monomorphic Characterization of n-ary Direct Products. Informa-
tion Sciences, 119 (3-4) (1999), 275-288
4. Furusawa H., Kahl W.: A Study on Symmetric Quotients. Technical Report 1998-
06, University of the Federal Armed Forces Munich (1998)
5. Freyd P., Scedrov A.: Categories, Allegories. North-Holland (1990).
6. Maddux, R.D.: On the Derivation of Identities involving Projection Functions.
Logic Colloquium’92, ed. Csirmaz, Gabbay, de Rijke, Center for the Study of Lan-
guage and Information Publications, Stanford (1995), 145-163.
7. Olivier J.P., Serrato D.: Catégories de Dedekind. Morphismes dans les Catégories
de Schröder. C.R. Acad. Sci. Paris 290 (1980), 939-941.
8. Olivier J.P., Serrato D.: Squares and Rectangles in Relational Categories - Three
Cases: Semilattice, Distributive lattice and Boolean Non-unitary. Fuzzy sets and
systems 72 (1995), 167-178.
9. Schmidt G., Ströhlein T.: Relationen und Graphen. Springer (1989); English ver-
sion: Relations and Graphs. Discrete Mathematics for Computer Scientists, EATCS
Monographs on Theoret. Comput. Sci., Springer (1993).
10. Winter M.: Strukturtheorie heterogener Relationenalgebren mit Anwendung auf
Nichtdetermismus in Programmiersprachen. Dissertationsverlag NG Kopierladen
GmbH, München (1998)
11. Zierer H.: Relation algebraic domain constructions. TCS 87 (1991), 163-188
Author Index

Aboul-Hosn, Kamal 63, 78
Berghammer, Rudolf 91
Bourg, Lorena 177
Brink, Chris 311
Buszkowski, Wojciech 106
Cohen, Ernie 1, 296
De Carufel, Jean-Lou 120
Desharnais, Jules 120
Düntsch, Ivo 135, 148
Dzik, Wojciech 162
Franco, Giuditta 358
Frias, Marcelo F. 177
Furusawa, Hitoshi 402
Gamarra, Rodolfo 177
Gaubert, Stéphane 192
Höfner, Peter 207, 222
Kahl, Wolfram 235
Katz, Ricardo 192
Kawahara, Yasuo 251
Kehden, Britta 266
Kozen, Dexter 78
Litak, Tadeusz 281
MacCaull, Wendy 135
Maddux, Roger D. 2
Manca, Vincenzo 358
McIver, A.K. 296
Möller, Bernhard 207, 222
Morgan, C.C. 296
Orlowska, Ewa 162
Rewitzky, Ingrid 311
Sanders, J.W. 30
Schmidt, Gunther 328, 343
Scollo, Giuseppe 358
Solin, Kim 222, 373
Steren, Gabriela 177
Szalas, Andrzej 388
Takai, Toshinori 402
Tyszkiewicz, Jerzy 388
Urquhart, Alasdair 148
Vakarelov, Dimiter 135
van Alten, Clint 162
Winter, Michael 135, 417