Sequent calculi for the modal mu-calculus over S5

Proof Theory Corner

Sequent Calculi for the Modal µ-Calculus over S5

LUCA ALBERUCCI, University of Berne, Switzerland.

E-mail: albe@iam.unibe.ch

Abstract

We present two sequent calculi for the modalµ-calculus overS5and prove their completeness by using classical methods. One sequent calculus has an analytical cut rule and could be used for a decision procedure the other uses a modified version of the induction rule. We also provide a completeness theorem for Kozen’s Axiomatization overS5without using the completeness result established by Walukiewicz for the modalµ-calculus over arbitrary models.

Keywords: Modalµ-calculus, modal logic, proof-theory, sequent calculus, completeness.

1 Introduction

Modalµ-calculus is an extension of modal logic with least and greatest fixpoint constructors and allows us to study fixpoints, which play an important role as extensions for many modal logics, on a sufficiently abstract level.

The expression ‘µ-calculus’combined with the idea to introduce fixpoint constructors to monotonic functions on complete lattices was first introduced by Scott and De Bakker (unpublished data). The book of Arnold and Niwinski [3] provides a good overview over this general notion ofµ-calculus.

Modalµ-calculus can be seen as a special case where we restrict ourselves to the complete lattice given by the powerset of states of a transition system. It was introduced by Kozen in his seminal work [7]. There, also the axiomatizationKozis introduced which is basically the extension of minimal modal logicK with the so-called Park fixpoint induction principles. Kozen himself could prove completeness for the aconjunctive fragment but failed for the full language. Full completeness was established by Walukiewicz in [10], the proof is very involved and strongly relies on methods from automata theory and infinite games.

For proof-theorists induction principles in a modal context represent a big challenge and are quite difficult to handle in a pure syntactical manner. Therefore, proof-theoretical research on the modal µ-calculus has concentrated on, mainly infinitary, systems different fromKoz(see e.g. [6,8] and [5]). One aim of our work is to study proof-theoretical fixpoints and induction onS5-models. In order to do this we present two sequent calculi,T¹_S5µ andT²_S5µ, for the modalµ-calculus overS5.

The first calculus,T_S5¹ _µ, uses a modified induction rule, compared with the one used in Kozen’s Axiomatization. We show its correctness and, by working exclusively syntactically in the calculus, that for formulae in a certain normal formT¹_S5µproves that the fixpoint is reached after two iterations.

This result has first been proved in the joint work with Facchini [2] by using game-theoretical methods and the correspondence of parity games with modalµ-calculus. Then, we show completeness of the second system, T²_S5µ, by using a canonical model construction. The calculus T²_S5µ only uses an analytical cut rule and, therefore, could provide a decision procedure for validity. By embedding T¹_S5µintoT²_S5µwe get completeness and correctness for both calculi.

Vol. 19 No. 6, © The Author, 2009. Published by Oxford University Press. All rights reserved.

For Permissions, please email: journals.permissions@oxfordjournals.org Published online 22 January 2009 doi:10.1093/logcom/exn106

Finally, we show the completeness for Kozen’s Axiomatization over S5, Koz^S5. The main ingredient of the completeness proof is the fact that for formulae in normal form the fixpoint is reached after two iterations and that Koz^S5proves the equivalence of a formula with its normal form. Our completeness proof does not use the completeness result of Walukiewicz over arbitrary structures.

In the next section we introduce the modalµ-calculus. In Section 3, we define the calculiT¹_S5µ

andT²_S5µ. Section 4 is devoted toT¹_S5µand Section 5 toT_S5² _µ. In Section 6, we embedT_S5¹ _µinT²_S5µ and prove their completeness and correctness. We conclude by showing completeness ofKoz^S5.

2 The propositional modal µ-calculus 2.1 Syntax

The language of the modalµ-calculus results by adding greatest and least fixpoint operators to propositional modal logic. More precisely, given a countable infinite setPofpropositional variables, the collection,L_µ, ofmodalµ-formulae(or simplyµ-formulae) is defined as follows:

ϕ::=p| ∼p| ⊤ | ⊥ |(ϕ∧ϕ)|(ϕ∨ϕ)|♦ϕ|ϕ|µx.ϕ|νx.ϕ

wherep,x∈Pandxoccurs only positively inσx.ϕ(σ∈ {ν,µ}), i.e.∼xis not a subformula ofϕ.L_mod denotes the pure modal fragment ofL_µ.

The fixpoint operators µ and ν can be viewed as quantifiers. Therefore we use the standard terminology and notations as for quantifiers and, for instance, free(ϕ) denotes the set of all propositional variables occurring free inϕandbound(ϕ) those occurring bound. By renaming bound variables we can achieve that bound and free variables are distinct. If nothing else mentionned we assume that this is the case. Ifψis a subformula ofϕ, we writeψ≤ϕ. We writeψ < ϕwhenψis a proper subformula.

Letϕ(x) andψbe twoµ-formulae. The substitution of all occurrences ofxwithψinϕis denoted by ϕ[x/ψ] or sometimes simplyϕ(ψ). Simultaneous substitution of allx_i by ψ_i (i∈ {1,...,n}) is denoted byϕ[x₁/ψ₁,...,x_n/ψ_n]. IfŴis the set of formulae{α₁,α₂,...}thenŴ[x/ψ]denotes the set {α₁[x/ψ],α₂[x/ψ],...}. For a formal introduction of substitution we refer to Alberucci [1].

The negation¬ϕ of aµ-formulaϕ is defined inductively such that¬p≡∼pand¬(∼p)≡p, by using de Morgan dualities for boolean connectives and the usual modal dualities for♦and. For µ,νwe define

¬µx.ϕ(x)≡νx.¬ϕ(x)[x/¬x] and ¬νx.ϕ(x)≡µx.¬ϕ(x)[x/¬x].

As usual, we introduce implicationϕ→ψas¬ϕ∨ψand equivalenceϕ↔ψas (ϕ→ψ)∧(ϕ→ψ).

Ifx≤ϕandxis in the scope of a♦or in the scope of aoperator, then we say thatxisguarded in ϕ. A formulaϕofL_µis said to beguardedif for every subformula ofϕof the formσx.α(σ∈ {µ,ν}), xis guarded inα. Letϕ(x) be aµ-formula. Ifxis free and occurs only positively inϕ, then we define ϕⁿ(x) for allninductively such thatϕ¹(x)=ϕand such that

ϕ^k+1(x)≡ϕ[x/ϕ^k(x)].

We defineϕⁿ(⊥) asϕⁿ(x)[x/⊥]andϕⁿ(⊤) asϕⁿ(x)[x/⊤].

In the joint work with Alberucci and Krähenbühl (manuscript in preparation) (see also [1]) we show that there exists a measure for the syntactical complexity of formulae,rank(ϕ), which assigns to each formulaϕan ordinal number such that the following holds:

• rank(p)=rank(∼p)=rank(⊤)=rank(⊥)=1,

• rank(△α)=rank(α)+1 where△∈ {,♦},

• rank(α◦β)=max{rank(α),rank(β)}+1 where◦ ∈ {∧,∨},

• rank(σx.α)=sup{rank(αⁿ(x))+1 ; n∈N}whereσ∈ {ν,µ}.

It is an easy exercise to show that for all formulaeϕwe have thatrank(ϕ)=rank(¬ϕ).

We say that a formulaϕ well-bounded if for all subformulae of the formσx.α(σ∈ {µ,ν}) we have that x appears free at most once in α. By replacing all subformulae σx.α(x,...,x) of ϕ by σx₁....σx_n.α(x1,...,x_n), wherex₁,...,x_n are new variables and σ∈ {µ,ν}, we can convert ϕ to a well-bounded formulawb(ϕ).

Lemma 2.1

For formulaeϕ such thatxappears only positively we have that ifϕis well-bounded then for all n∈Nthe formulaϕⁿ(x) is well-bounded, too.

Proof. Follows from the fact that for alln∈Nno variable gets newly bound by the substitution ϕ[x/ϕⁿ(⊤)]. Therefore, for all subformulae ofϕ[x/ϕⁿ(⊤)]of the formσx.αwe have thatxappears

at most once free inα.

Kozen’s Axiomatization,Koz, is a Hilbert-style axiomatization and consists of the following axioms and rules.

AXIOMS

Kozcontains all axioms of the classical propositional calculus, thedistribution axiom (ϕ→ψ)→(ϕ→ψ)

and thefixpoint axiom

νx.ϕ↔ϕ(νx.ϕ).

INFERENCE RULES

In addition to the classicalModus Ponens(MP) we have theNecessitation Rule(Nec) from modal logic.

ϕ ϕ→ψ

ψ (MP) ϕ

ϕ (Nec)

Further, for any formulaϕ(x) such thatxappears only positively we have theInduction Rule(ind) to handle fixpoints.

ψ→ϕ(ψ) ψ→νx.ϕ (ind)

Kozen’s Axiomatization overS5, Koz^S5, consists of the axioms and inference rules ofKoz and additionally of theS5axiom schemes

T: ϕ→ϕ, 4: ϕ→ϕ, and 5: ♦ϕ→♦ϕ.

We writeKoz^S5⊢ϕifϕis provable inKoz^S5.S5is obtained fromKoz^S5by omitting induction and fixpoint axioms.

2.2 Semantics

The semantics of modalµ-calculus is given by transition systems. Atransition systemT is of the form (S,→^T,λ^T) whereSis a set ofstates,→^T is a binary relation onScalled theaccessibility relationandλ:P→℘(S) is avaluationfor all propositional variables. In this article, we concentrate on transition systems whose accessibility relation is an equivalence relation, i.e. reflexive, transitive and symmetric. It is the class of allS5-models.

Letλbe a valuation,pa propositional variable andS^′a subset of statesS; we set for all propositional variablesp^′

λ[p→S^′](p^′)=

S^′ ifp^′=p, λ(p^′) otherwise.

Given a transition systemT =(S,→^T,λ^T), thenT[p→S^′]denotes the transition system (S,→^T, λ^T[p→S^′]). Given a transition systemT, the denotation ofϕ inT,ϕT, i.e. the set of states satisfying a formulaϕis defined inductively on the structure ofϕ. Simultaneously for all transition systems we set

• pT =λ(p) and ∼pT=λ(p) for allp∈P,

• α∧βT = αT∩βT andα∨βT = αT ∪βT,

• αT = {s∈S | ∀t((s→^Tt)⇒t∈ αT)},

• ♦αT = {s∈S | ∃t((s→^T t)∧t∈ αT)},

• νx.αT=

{S^′⊆S | S^′⊆ α(x)T[x→S^′]}and

• µx.αT=

{S^′⊆S | α(x)T[x→S^′]⊆S^′}.

Ifs∈ ϕT then we say thatϕis valid insand writes|=T ϕor when clear from the context simply s|=ϕ. An easy induction shows thats|=ϕ if and only ifs|= ¬ϕ. A formulaϕis valid inT if it is valid in all states ofT. We then writeT |=ϕ.ϕis valid if it is valid in allS5models. We then write

|=_S5ϕ. For any finite set of formulaeŴwe writes|=Ŵif we haves|=

Ŵ, analogously forT|=Ŵ and|=_S5Ŵ.

For a formulaϕ(x) and set of statesS^′⊆Swe sometimes writeϕ(S^′)T instead ofϕ(x)T[x→S^′]. When clear from the context we useϕ(x)T for the function

ϕ(x)T :

℘(S)→℘(S) S^′→ ϕ(S^′)T.

By the well-known Tarski–Knaster Theorem, cf. [9], νx.α(x)T is the greatest fixpoint and µx.α(x)T the least fixpoint of the operatorα(x)T, we have that

νx.α(x)T =GFP(α(x)T) and µx.α(x)T =LFP(α(x)T).

Further, by Tarski–Knaster Theorem we also have that

νx.α(x)T = ¬µx.¬α[x/¬x]T and µx.α(x)T= ¬νx.¬α[x/¬x]T.

Using this result with an easy induction we can verify that negation is well-defined in the sense that for any statesin a transition systemT and any formulaϕwe have that

s|=Tϕ if and only if s|=T¬ϕ.

Part (1) of the following proposition is the correctness ofKoz^S5is a straightforward induction on the length of the derivation, part (2) is a straightforward consequence of the completeness ofS5 (see e.g. [4]).

Proposition 2.2

(1) For all formulaeϕ∈L_µwe have that

Koz^S5⊢ϕ ⇒ |=_S5ϕ.

(2) For all formulaeϕ∈L_modwe have that

S5⊢ϕ ⇔ Koz^S5⊢ϕ ⇔ |=_S5ϕ.

3 Introducing the sequent calculi T

S5^µ

and T

S5^µ

In this section, we introduce the Tait-style sequent calculi T¹_S5µ andT²_S5µ. Our sequents are sets of formulae denoted by major Greek letters,Ŵ,,, etc. Given a sequentŴbyŴwe denote the sequent{α;α∈Ŵ}and analogously for♦Ŵand¬Ŵ.

First, for all sets of formulaeŴwe definesub(Ŵ) to be the smallest set such thatŴ⊆sub(Ŵ) and such that

• ifα∧β,α∨β∈sub(Ŵ) thenα,β∈sub(Ŵ),

• ifα,♦α,¬α∈sub(Ŵ) thenα∈sub(Ŵ),

• ifxappears at most once and guarded inαthenµx.α∈sub(Ŵ) implies thatα²(⊥)∈sub(Ŵ), and νx.α∈sub(Ŵ) implies thatα²(⊤)∈sub(Ŵ),

• ifxappears at most once and not guarded inαthenµx.α∈sub(Ŵ) implies thatα(⊥)∈sub(Ŵ), andνx.α∈sub(Ŵ) implies thatα(⊤)∈sub(Ŵ).

Note, that by definition we have thatsub(Ŵ)=

ϕ∈Ŵsub(ϕ).And therefore, by induction onrank(ϕ) we can show that ifŴis finite thensub(Ŵ) is finite, too. Theclosure ofŴ,C(Ŵ), is defined as the following set

sub(Ŵ)∪{α ; α∈sub(Ŵ) andαnot of the formβor♦β}∪...

...∪{♦α ; α∈sub(Ŵ) andαnot of the formβor♦β}.

We have that ifŴis finite thenC(Ŵ) is also finite and thatα∈C(Ŵ) if and only if¬α∈C(Ŵ). Further, by using Lemma2.1we have the following lemma.

Lemma 3.1

If all formulaeϕ∈Ŵare well-bounded then we have that all formulae inC(Ŵ) are well-bounded.

In the following we present the relevant Tait-style inference rules.

Ŵ,νx.ϕ,¬νx.ϕ (Ax^ν)

Ŵ,p,∼p (Ax) Ŵ,α Ŵ,β

Ŵ,α∧β (∧) Ŵ,α,β Ŵ,α∨β (∨)

♦,Ŵ,α

♦,Ŵ,α, () Ŵ,ϕ Ŵ,♦ϕ (♦)

Ŵ,ϕ(µx.ϕ)

Ŵ,µx.ϕ (unf^µ) Ŵ,ϕ(νx.ϕ)

Ŵ,νx.ϕ (unf^ν) ♦,Ŵ,¬ϕ,α(ϕ)

♦,Ŵ,¬ϕ,νx.α, (ind⁺) Ifxappears at most once and guarded inα(x):

Ŵ,α²(⊤)

Ŵ,νx.α (ν²) Ŵ,α²(⊥) Ŵ,µx.α (µ²) Ifxappears at most once and not guarded inα(x):

Ŵ,α(⊤)

Ŵ,νx.α (ν) Ŵ,α(⊥) Ŵ,µx.α (µ) Ŵ,α ,¬α

Ŵ, (cut) Ŵ,α ,¬α

Ŵ, (Ccut) whereα∈C(Ŵ,).

Definition 3.2

The systemsT¹_S5µandT²_S5µ are defined by the following rule schemes

• T¹_S5µ:(Ax),(Ax^ν),(∧),(∨),(),(♦),(ind⁺),(unf^µ),(unf^ν),(cut).

• T²_S5µ:(Ax),(∧),(∨),(),(♦),(µ),(ν),(ν²),(µ²),(Ccut).

We writeT_S5¹ µ⊢Ŵif there is a proof ofŴinT¹_S5µ,T¹_S5µ⊢ⁿŴif the proof has length (depth of the proof tree) at mostn, and we writeT¹_S5µ⊢^<nŴif it has length less thann; analogously forT²_S5µ. By using the definition of negation we can get different formulations of the inference rules above, such as,

¬Ŵ,α

¬Ŵ,α, () or Ŵ,¬α²(⊤)

Ŵ,¬νx.α (µ²) or Ŵ,¬α²(⊥) Ŵ,¬µx.α (ν²).

Note, that in the case ofT²_S5µ, since we have an analytical cut rule, the search space for finding a proof of a given sequent is finite. Therefore, provability inT²_S5µis decidable.

4 Correctness and more for T

S5^µ Proposition 4.1 (Correctness)

For all sequentsŴ⊂L_µwe have that

T¹_S5µ⊢Ŵ ⇒ |=_S5Ŵ.

Proof. By induction on the length of derivationn. We restrict ourselves to transition systems such that for all statess,s^′we have thats→s^′ands^′→s. This is an admissible restriction since this is the case for all statess,s^′wheres^′is reachable froms, and since validity in a state depends only on the reachable part (including the state itself) of the transition system. The base cases of the induction are trivial. For the induction step we prove only the case where the last inference rule was (ind⁺). In this case we have thatŴis of the form♦,^′,¬ϕ,νx.α,and we have that

T¹_S5µ⊢^<n♦,^′,¬ϕ,α(ϕ).

By induction hypothesis for allS5-modelsT we have that T |=♦,^′,¬ϕ,α(ϕ).

Letsbe a state in T. Ifs|=♦,^′ then we trivially have s|=Ŵ. If this is not the case then it can easily be seen that since the reachability relation is an equivalence relation for alls^′ which are reachable fromswe haves^′|=ϕ→α(ϕ). Therefore we have that

T|=ϕ→α(ϕ).

But thenϕT ⊆ α(ϕ)T and by definition ofνx.αT we getϕT⊆ νx.αT and therefore we

get thatT |=Ŵ.

In the remaining part of this section we prove that for well-bounded and guarded formulaeνx.α we have that T_S5¹ µ⊢νx.α↔α²(⊤) and that if x is not guarded in αthen we have that T¹_S5µ⊢ α(⊤)↔νx.α. We first show some structural properties ofT¹_S5µ. The weakening lemma is proved by a straightforward induction on the length of derivation.

Lemma 4.2 (Weakening)

For all sequentsŴ,we have that

T¹_S5µ⊢Ŵ ⇒ T¹_S5µ⊢Ŵ,.

The following lemma states some basic properties ofT_S5¹ _µ. The proof is left to the reader.

Lemma 4.3

The following facts hold

(1) For allϕwe haveT_S5¹ µ⊢ ¬ϕ,ϕ.

(2) T¹_S5µ⊢Ŵ,σx.α⇐⇒T¹_S5µ⊢Ŵ,α(σx.α) whereσ∈ {µ,ν}.

(3) T¹_S5µ⊢Ŵ⇒T_S5¹ _µ⊢Ŵ[x/ϕ]for allϕ.

(4) Ifxappears positively inα(x) then fromT_S5¹ _µ⊢Ŵ,α(β) andT_S5¹ _µ⊢ ¬β,γ we inferT¹_S5µ⊢ Ŵ,α(γ).

Lemma 4.4

The following facts hold

(1) T¹_S5µ⊢ ¬σx.α(x,x),σx.σy.α(x,y) whereσ∈ {ν,µ}.

(2) T¹_S5µ⊢σx.α(x,x),¬σx.σy.α(x,y) whereσ∈ {ν,µ}.

Proof. Note, that if we prove both parts for the case whereσ=νthen the case whereσ=µfollows by definition of negation, indeed, part (1) follows from part (2) and vice versa.

For part (1) andσ=ν observe that by part (1) in Lemma 4.3¬α(νx.α,νx.α),α(νx.α,νx.α) is provable and by rule (unf^µ) we get that the sequent¬νx.α,α(νx.α,νx.α) is provable, too. Applying twice the rule (ind⁺) leads to the first part.

For part (2) in observe that by parts (1) and (2), Lemma4.3the sequent

¬νx.νy.α(x,y),νy.α(νx.νy.α(x,y),y) (1) is provable. Define ψ:≡νy.α(νx.νy.α(x,y),y) then, by parts (1) and (2), in Lemma 4.3, we have that ¬ψ,α(νx.νy.α(x,y),ψ) is provable. By applying this sequent and Equation (1) to part (4) in

Lemma4.3, we get thatT_S5¹ µ⊢ ¬ψ,α(ψ,ψ) and with (ind⁺) we get T¹_S5µ⊢ ¬ψ,νx.α(x,x).

With Equation (1) and (cut) we get the result.

Proposition 4.5

For all formulaeϕ∈L_µwe have that

T_S5¹ µ⊢ϕ↔wb(α).

Proof. By formula structure ofϕ. The base cases whereϕis a propositional variablepof∼pare clear. Ifϕis of the formα∧β,α∨β,αor♦αthen the induction steps are straightforward. Ifϕis of the formνx.α(x,...,x) then by Lemma4.4we have thatνx.α(x,...,x)↔νx₁....νx_n.α(x₁,...,x_n) is provable and we get the induction step. Similarly forϕof the formµx.α.

In order to prove the next lemma we define a measure,m(x,ϕ(x)), for the complexity ofϕrelative tox. Given a formulaϕ(x) and a variablexwe definem(x,ϕ(x)) such that

• m(x,ϕ)=0 ifx∈free(ϕ),

• m(x,x)=m(x,∼x)=0,

• m(x,α◦β)=max(m(x,α),m(x,β))+1 where◦ ∈ {∧,∨}and

• m(x,△α)=m(x,σy.α)=m(x,α)+1 where△ ∈ {,♦}andσ∈ {µ,ν}.

Lemma 4.6

The following facts hold

(1) For any formulaϕ(x) such thatx∈free(α,β) and such thatxappears only positively inϕwe have that

T¹_S5µ⊢♦,Ŵ,¬α,β ⇒ T¹_S5µ⊢♦,Ŵ,¬ϕ(α),ϕ(β).

(2) Ifxappears guarded, positive and only once inαthen we have T¹_S5µ⊢ ¬α²(⊤),α³(⊤).

Proof. The first part is proved by induction on m(x,ϕ(x)). Ifm(x,ϕ(x))=0 then either ϕ≡xor x∈free(ϕ). Ifϕ≡xthen the implication of the claim is trivially true. Ifx∈free(ϕ) then the claim follows by part (1) in Lemma4.3. Ifm(x,ϕ)>0 thenϕis of the formγ∧δ,γ∨δ,γ,♦γ,µy.γ(x,y) orνy.γ(x,y). We prove the case whereϕis of the formνy.γ(x,y). The case whereϕis of the form µy.γ(x,y) is dual and all the other cases are a straightforward induction.

So, let ϕ be of the form νy.γ(x,y). Note, that for all α such that x∈free(α,β) we have thatm(x,γ(x,νy.γ(α,y)))<m(x,νy.γ(x,y)). Therefore, if we assume thatT¹_S5µ⊢♦,Ŵ,¬α,βby induction hypothesis we can infer

T¹_S5µ⊢♦,Ŵ,¬γ(α,νy.γ(α,y)),γ(β,νy.γ(α,y)).

An application of (unf^µ) gives us that♦,Ŵ,¬νy.γ(α,y),γ(β,νy.γ(α,y)) is provable and with (ind⁺) we get the induction step

T¹_S5µ⊢♦,Ŵ,¬νy.γ(α,y),νy.γ(β,y).

In order to prove that second part assume thatα(x) is of the formβ(△γ(x)) where △ ∈ {,♦}.

Further, note thatα(⊤)≡β(△γ(⊤)). By part (1) in Lemma4.3, we have that T¹_S5µ⊢ ¬△γ(β(△γ(⊤))),△γ(β(△γ(⊤))),¬△γ(⊤)

and with part (1) whereϕ≡ △γ(β(x)) we get that

T¹_S5µ⊢ ¬△γ(β(△γ(⊤))),△γ(β(△γ(β(△γ(⊤))))),¬△γ(β(△γ(⊤))) which means

T¹_S5µ⊢ ¬△γ(β(△γ(⊤))),△γ(β(△γ(β(△γ(⊤)))))

and by applying part (1) whereϕ≡β(x) again we have that

T_S5¹ µ⊢ ¬β(△γ(β(△γ(⊤)))),β(△γ(β(△γ(β(△γ(⊤))))))

which ends the proof of part (2).

The next theorem shows that for certain formulae the fixpoints are reached after two iterations and, therefore, provides a purely syntactical proof of a result which was proven with game theoretical methods in the joint work with Facchini [2].

Theorem 4.7

Ifxappears guarded, positive and only once inα(x) then we have that (1) T¹_S5µ⊢(α²(⊤)↔νx.α)∧(α²(⊥)↔µx.α), and

(2) |=_S5(α²(⊤)↔νx.α)∧(α²(⊥)↔µx.α).

Proof. For part (1) the fact thatα²(⊤)→νx.αis an easy consequence of part (2) in Lemma4.6.

The converse direction follows from the fact thatα²(νx.α)←νx.αis provable and from part (4) in Lemma4.3. The provability ofα²(⊥)↔µx.αfollows from the provability ofα²(⊤)↔νx.αand from definition of negation. Part (2) follows from Proposition4.1and part (1).

Let us end the section by proving that not guarded fixpoints are reached after one iteration.

Lemma 4.8

Ifxappears not guarded, positively and only once inϕ∈L_µ, and ifϕis well-bounded then we have that

(1) T¹_S5µ⊢ϕ(⊤)↔νx.ϕ, (2) T¹_S5µ⊢ϕ(⊥)↔µx.ϕand

(3) T¹_S5µ⊢(α→β)→(ϕ(α)→ϕ(β)).

Proof. We first prove that part (3) implies part (1). The proof of the fact that part (1) implies part (2) is left to the reader. In order to see that part (3) implies part (1) first observe thatT¹_S5µ⊢νx.ϕ→ϕ(⊤) is a consequence of part (4) in Lemma4.3and of the fact thatνx.ϕ→ϕ(νx.ϕ) is provable. In order to show the other implication we assume that we have part (1) forϕand arbitraryα,β. Setα≡ ⊤and β≡ϕ(⊤). Then from part (1) we get

T¹_S5µ⊢(⊤ →ϕ(⊤))→(ϕ(⊤)→ϕ(ϕ(⊤))).

By some classical propositional reasoning we get that

(⊤ →ϕ(⊤))→(ϕ(⊤)→ϕ(ϕ(⊤)))

is equivalent toϕ(⊤)→ϕ(ϕ(⊤)) and an application of (ind⁺) gives part (1).

It remains to prove part (3). This is done by induction onrank(ϕ). Note, that for the induction hypothesis we can use the statements of parts (1) and (2). The base cases are where ϕ is the propositional variablexor a variablepare trivial. The induction steps forϕof the formγ∧δ,γ∨δ are straightforward.

Ifϕis of the formγor♦γthen sincexis not guarded inϕwe have thatx∈free(γ) and the claim of part (3) is trivial.

Ifϕis of the formνy.γ(x,y) then we distinguish two cases. In the first caseyis not guarded inγ.

Then, by induction hypothesis for allα,βhave that

T_S5¹ µ⊢(α→β)→(γ(α,⊤)→γ(β,⊤)). (2)

By induction hypothesis for part (1) we get that

T_S5¹ µ⊢γ(x,⊤)↔νy.γ(x,y) and with part (3) in Lemma4.3we get that

T_S5¹ µ⊢γ(α,⊤)↔νy.γ(α,y) andT¹_S5µ⊢γ(β,⊤)↔νy.γ(β,y).

Two applications of part (4) in Lemma4.3to Equation (2) give us the induction step. In the second case, we have thatyis guarded in γ. The induction step goes similarly by using the fact that by induction hypothesis we have that

T¹_S5µ⊢(α→β)→(γ(α,γ(α,⊤))→γ(β,γ(β,⊤)))

and that from Theorem4.7, sinceνy.γis assumed to be well-bounded, we have that T¹_S5µ⊢γ(α,γ(α,⊤))↔νy.γ(α,y) andT¹_S5µ⊢γ(β,γ(β,⊤))↔νy.γ(β,y).

The case whereϕis of the formµx.γis proven similarly as the case whereϕis of the formνx.γ.

Corollary 4.9

Ifxappears not guarded, positive and only once inϕ(x)∈L_µ, and ifϕis well-bounded then we have that

|=_S5(νx.ϕ↔ϕ(⊤))∧(µx.ϕ↔ϕ(⊥)).

5 Completeness of T

S5^µ

In this section, we prove completeness for well-bounded ofT_S5² _µ. We start with a lemma showing some basic properties ofT²_S5µ. The proof is left to the reader.

Lemma 5.1

For all formulaeαand sets of formulaeŴ,we have that (1) IfT_S5² _µ⊢ŴthenT²_S5µ⊢Ŵ,,

(2) T²_S5µ⊢α,¬α,

(3) T²_S5µ⊢ ¬α,α,T_S5² µ⊢ ¬α,α, andT²_S5µ⊢ ¬♦α,♦α.

In order to prove completeness we need some well-known notions: a set of formulaeŴis called consistentif for all finite subsetsŴ^′⊆Ŵwe have thatT²_S5µ⊢ ¬Ŵ^′. It ismaximal consistentif for all formulaeαsuch thatŴ,αis consistent we have thatα∈Ŵ. Thecanonical modelfor a formulaϕ,M_ϕ, is defined such that the set of states is

{M∩C(ϕ);Mis maximal consistent and{ϕ,¬ϕ}∩M= ∅},

for two statesM,M^′we have thatM→M^′if{α;α∈M} ⊆M^′, and for all propositional variables p≤ϕwe have thatλ(p)= {M;p∈M}.

Note that by the part (1) in the following Lemma5.2, we cannot have that a propositional variablep and its negation∼poccur in the same maximal consistent set and that the valuationλis well-defined.

The next lemma shows some basic properties of canonical models.

Lemma 5.2

LetM_ϕbe a canonical model. For all statesMand all formulaeα,β∈C(ϕ) we have that (1) α∈M ⇔ ¬α∈M.

(2) Ifα∧β∈C(ϕ) then:α∧β∈M ⇔ α,β∈M.

(3) Ifα∨β∈C(ϕ) then:α∨β∈M ⇔ (α∈M) or (β∈M).

(4) α∈MandT²_S5µ⊢ ¬α,βthenβ∈M.

Proof. We prove only part (1). All other parts go through with similar arguments. First, we see that ifα,¬α∈M then by definition of consistent set we have thatT¹_S5µ⊢ ¬α,αbut by Lemma5.1this is not the case. Now, assume that there is anα∈C(ϕ) such thatα,¬α∈M and assume thatϕ∈M (instead of¬ϕ∈M). We claim that eitherM∪{α}orM∪{¬α}is consistent. For, this was not the case then we would haveT²_S5µ⊢ ¬M,¬αandT_S5² _µ⊢ ¬M,α. But sinceϕ∈M andα∈C(ϕ) by (Ccut) we have that

T_S5² µ⊢ ¬M

and, therefore, thatMis not consistent.

Proposition 5.3

For any formulaϕ∈L_µthe canonical modelM_ϕis anS5model, that is, the accessibility relation is reflexive, transitive and symmetric.

Proof. Forreflexivitywe have to show that for all statesM of M_ϕ we have thatα∈M implies α∈M. But this is a consequence of part (3) in Lemma5.1and part (4) in Lemma5.2.

Fortransitivitywe have to show that

M→M^′andM^′→M^′′ ⇒ (α∈M ⇒ α∈M^′′).

Assume that α∈M. We distinguish two cases. In the first case we have thatα∈C(ϕ). Then, since by part (3) in Lemma5.1we have that

T²_S5µ⊢ ¬α,α (3)

with part (4) in Lemma5.2we get thatα∈M, and by construction alsoα∈M^′′. In the second case we have thatα∈C(ϕ). Then, by construction ofC(ϕ) we have thatαis either of the form βor of the form♦β. In the first case, we have thatβ∈M^′ and since we have Equation (3) also forβwe get thatβ∈M^′and from that we getβ∈M^′′. In the latter case we that♦β∈M^′. Since by part (3) in Lemma5.1we have

T²_S5µ⊢ ¬♦β,♦β with similar arguments we get that♦β∈M^′′.

For thesymmetrywe have to show that

M→M^′ ⇒ (α∈M^′ ⇒ α∈M).

Assume the contrapositive, i.e.M→M^′andα∈M^′and¬α∈M. Then, by part (3) in Lemma5.1 and part (4) in Lemma5.2, we have that¬α∈M. Again we distinguish following two cases.

If¬α∈C(ϕ), then, since by part (3) in Lemma5.1we have thatT²_S5µ⊢α,¬αby part (4) in Lemma5.2we get that¬α∈Mand by construction that¬α∈M^′, which is a contradiction.

If ¬α∈C(ϕ) then by constructionαis of the formβor ♦β. In the former case we have that¬β∈M but then¬β∈Mand, therefore,¬β∈M^′, which is a contradiction. In the latter case we have that¬♦β∈Mbut then¬♦β∈Mand, therefore,¬♦β∈M^′, which is a contradiction,

too.

Lemma 5.4

Letϕbe a well-bounded formula. For all formulaeα≤ϕand all statesMof the canonical modelM_ϕ we have that

α∈M ⇒ M|=α.

Proof. By induction on therankofα. Note, that by Lemma3.1we have that allα∈M are well- bounded. The cases where αis of the form p,∼p,β∧γ,β∨γ go through straightforwardly with Lemma5.2. The cases whereαis of the form♦βorβgo through with standard arguments.

Ifαis of the formµx.βsinceαis well-bounded we have thatxhas at most one free occurrence inβ.

Ifxappears guarded inβthen note that by part (2) in Lemma5.1we have thatT²_S5µ⊢ ¬β²(⊥),β²(⊥) and one application of (ν²) yieldsT²_S5µ⊢ ¬µx.β,β²(⊥) and, therefore by part (4) in Lemma5.2, that β²(⊥)∈M. We can apply the induction hypothesis and we get thatM|=β²(⊥). With Theorem4.7 we get that

M|=µx.β.

The case wherexis not guarded inβgoes similarly and ifαis of the formνx.βthen we also use

similar arguments.

Theorem 5.5

For all well-bounded formulaeϕ∈L_µwe have that

|=_S5ϕ ⇒ T²_S5µ⊢ϕ.

Proof. We prove the contrapositive. If we have thatT_S5² µ⊢ϕ then¬ϕ is consistent and can be extended to a maximal consistent set. Therefore, in the canonical modelM_ϕthere is a stateM such that¬ϕ∈M. Since¬ϕis also well-bounded by Lemma5.4we have thatM|= ¬ϕand, therefore, that

|=_S5ϕ.

6 Completeness and correctness of T

S5^µ

and T

S5^µ Lemma 6.1

For all sequentsŴwe have that

T²_S5µ⊢wb(Ŵ) ⇒ T¹_S5µ⊢Ŵ.

Proof. By Proposition4.5we equivalently can show that

T²_S5µ⊢wb(Ŵ) ⇒ T_S5¹ µ⊢wb(Ŵ).

This is shown by induction on the proof lengthnofT_S5² µ⊢wb(Ŵ). The case wheren=0 is clear. If n>0 the induction step goes by case distinction on the last inference rule. All cases except the case where the last inference rule was (ν²),(µ²),(µ),(ν) are straightforward. For the case where it was (µ²) we have thatwb(Ŵ) is of the form,νx.ϕ(x) and that

T²_S5µ⊢^<n,ϕ²(⊤).

By induction hypothesis we have thatT¹_S5µ⊢,ϕ²(⊤). Sincexappears guarded and at most once inϕ(x) by part (2) in Lemma4.6we have thatT_S5¹ _µ⊢ ¬ϕ²(⊤),ϕ³(⊤) and, therefore, with (ind⁺) we get thatT¹_S5µ⊢ ¬ϕ²(⊤),νx.ϕ. Withcutwe get the desired result. The case for (ν²) goes similar. The

cases for (µ),(ν) use Lemma4.8and are analogous.

Combining Lemma6.1with Theorem5.5and Proposition4.1yields the following theorem.

Theorem 6.2 (Completeness and correctness) LetŴbe any sequent. We have that

|=_S5Ŵ ⇔ T²_S5µ⊢wb(Ŵ) ⇔ T¹_S5µ⊢Ŵ.

7 Conclusion: completeness of Koz

We first define a translationt:L^wb_µ →L_modfrom the class of well-boundedµ-formulae to the modal fragment recursively such thatt(p)≡pandt(∼p)≡∼p, such thattdistributes over boolean and modal connectives and such that:

• Ifxappears guarded inαthen

t(µx.α)≡t(α)[x/t(α)[x/⊥]]andt(νx.α)≡t(α)[x/t(α)[x/⊤]].

• Ifxis not guarded inαthen

t(µx.α)≡t(α)[x/⊥]andt(νx.α)≡t(α)[x/⊤].

The fact that the definition oftterminates follows from the in the defining clausesrankdecreases and the formula remains well-bounded. Further, note that we have thatt(ϕ)∈L_mod.

Lemma 7.1

For all well-bounded formulaeϕwe have that

Koz^S5⊢ϕ↔t(ϕ).

Proof. By induction onrank(ϕ). In the proof we abbreviatet(α)[x/t(α)]by (t(α))², and analogously for (t(α))³. The base cases of the induction are trivial and the induction steps where the formulaϕis of the fromα∧β,α∨β,αor♦αare straightforward. Ifϕis of the formνx.αandxis guarded inα then, sincet(α)∈L_mod, by Proposition2.2and Theorem4.7, we have that

Koz^S5⊢(t(α))²[x/⊤] ↔(t(α))³[x/⊤].

An application of (ind) yieldsKoz^S5⊢(t(α))²[x/⊤] →νx.t(α).And since alsoνx.t(α)→(t(α))²[x/⊤]

is provable, we get

Koz^S5⊢(t(α))²[x/⊤] ↔νx.t(α)

Since by induction hypothesis we have that Koz^S5⊢α↔t(α) we also can show thatKoz^S5⊢ νx.α↔νx.t(α) and, therefore, we get that

Koz^S5⊢(t(α))²[x/⊤] ↔νx.α.

The induction step follows from the fact thatt(νx.α)≡(t(α))²[x/⊤]. Ifϕis of the formνx.αandx is not guarded inαthen the induction step follows by an analogous argument using the fact that by Proposition2.2and Corollary4.9we have thatKoz^S5⊢t(α)[x/⊤] ↔(t(α))²[x/⊤].The cases where

ϕis of the formµx.αare analogous to the previous cases.

The next lemma is proved like Proposition4.5by using the fact that the proof of Lemma4.4goes through also with the normal induction rule (ind) instead of (ind⁺).

Lemma 7.2

For all formulaeϕ∈L_µwe have that

Koz^S5⊢ϕ↔wb(ϕ).

Theorem 7.3 (Completeness and correctness ofKoz^S5) For all formulaeϕ∈L_µwe have that

|=_S5ϕ ⇔ Koz^S5⊢ϕ.

Proof. The correctness is Proposition2.2. For the completeness note that by correctness, Lemma7.1 and Lemma7.2we have that

|=_S5ϕ↔t(wb(ϕ)).

Therefore if |=_S5ϕ then|=_S5t(wb(ϕ)). Sincet(wb(ϕ))∈L_mod by Proposition 2.2we have that Koz^S5⊢t(wb(ϕ)) and with Lemmas7.2and7.1we finish the proof.

C^ONCLUDINGR^EMARK. We have three crucial steps in the completeness proof ofKoz^S5. First, the completeness ofKoz^S5over the modal fragment; second, the fact thatKoz^S5proves the equivalence

ofϕandt(wb(ϕ)); and, third, that for guarded and well-boundedϕwe have thatϕ²(⊤) andϕ³(⊤) are semantically equivalent (and analogously for not guarded formulae). As said in the introduction the third fact was shown in a joint work with Facchini [2] by using game-theoretical methods and the correspondence of parity games and modalµ-calculus. Therefore, by using this game-theoretical result the completeness proof forKoz^S5would have been possible without the ‘detour’ viaT_S5¹ µ

andT²_S5µ. Nevertheless, introducingT¹_S5µandT_S5² _µ allowes us to give a purely proof-theoretically proof of this equivalence without using any connections to game-theory. Further, in the case ofT²_S5µ, it allows us provide a calculus with analytical cut.

Funding

Hasler Foundation [Project-Nr.: 2192].

References

[1] L. Alberucci. A syntactical treatment of simultaneous fixpoints in the modal µ-calculus.

Technical Report IAM-09-001. University of Berne, 2009.

[2] L. Alberucci and A. Facchini. The modal µ-calculus hierarchy on restricted classes of transition systems.Journal of Symbolic Logic(inpress).

[3] A. Arnold and D. Niwinski.Rudiments of Mu-calculus. Elsevier Science, North-Holland, 2001.

[4] B. Chellas.Modal Logic. Cambridge University Press, 1980.

[5] M. Dam and C. Sprenger. On the structure of inductive reasoning: circular and tree- shaped proofs in the µ-calculus. InFoundations of Software Science and Computational Structures: 6th International Conference. Vol. 2620 of theLecture Notes in Computer Science.

A. D. Gordon (ed.). pp. 425–440. Springer, 2003.

[6] G. Jäger, M. Kretz and T. Studer. Canonical completeness of infinitary mu.Journal of Logic and Algebraic Programming,76, 270–292, 2008.

[7] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27, 333–354, 1983.

[8] T. Studer. On the proof theory of modal mu-calculus.Studia Logica,89, 343–363, 2008.

[9] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Mathematics,5, 285–309, 1955.

[10] I. Walukiewicz. Completeness of Kozen’s axiomatisation of the propositional mu-calculus.

Information and Computation,157, 142–182, 2000.

Received 24 July 2008