THE OPEN LOGIC TEXT

Complete Build

Open Logic Project

Revision: d3a1905 (master)

2022-12-19

The Open Logic Text by

the Open Logic Project
is licensed under a Cre-
ative Commons Attribu-
tion 4.0 International Li-
cense.
About the Open Logic Project

The Open Logic Text is an open-source, collaborative textbook of formal meta-

logic and formal methods, starting at an intermediate level (i.e., after an intro-
ductory formal logic course). Though aimed at a non-mathematical audience
(in particular, students of philosophy and computer science), it is rigorous.
Coverage of some topics currently included may not yet be complete, and
many sections still require substantial revision. We plan to expand the text to
cover more topics in the future. We also plan to add features to the text, such
as a glossary, a list of further reading, historical notes, pictures, better expla-
nations, sections explaining the relevance of results to philosophy, computer
science, and mathematics, and more problems and examples. If you find an
error, or have a suggestion, please let the project team know.
The project operates in the spirit of open source. Not only is the text freely
available, we provide the LaTeX source under the Creative Commons Attri-
bution license, which gives anyone the right to download, use, modify, re-
arrange, convert, and re-distribute our work, as long as they give appropriate
credit. Please see the Open Logic Project website at openlogicproject.org for
additional information.

1
Contents

About the Open Logic Project 1

I Naı̈ve Set Theory 23

1 Sets 25
1.1 Extensionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2 Subsets and Power Sets . . . . . . . . . . . . . . . . . . . . . . . 26
1.3 Some Important Sets . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.4 Unions and Intersections . . . . . . . . . . . . . . . . . . . . . . 28
1.5 Pairs, Tuples, Cartesian Products . . . . . . . . . . . . . . . . . . 31
1.6 Russell’s Paradox . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

2 Relations 35
2.1 Relations as Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.2 Philosophical Reflections . . . . . . . . . . . . . . . . . . . . . . 37
2.3 Special Properties of Relations . . . . . . . . . . . . . . . . . . . 38
2.4 Equivalence Relations . . . . . . . . . . . . . . . . . . . . . . . . 39
2.5 Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.6 Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.7 Operations on Relations . . . . . . . . . . . . . . . . . . . . . . . 43
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3 Functions 45
3.1 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 Kinds of Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.3 Functions as Relations . . . . . . . . . . . . . . . . . . . . . . . . 49
3.4 Inverses of Functions . . . . . . . . . . . . . . . . . . . . . . . . 50
3.5 Composition of Functions . . . . . . . . . . . . . . . . . . . . . . 52
3.6 Partial Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

2
CONTENTS

4 The Size of Sets 55

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.2 Enumerations and Enumerable Sets . . . . . . . . . . . . . . . . 55
4.3 Cantor’s Zig-Zag Method . . . . . . . . . . . . . . . . . . . . . . 59
4.4 Pairing Functions and Codes . . . . . . . . . . . . . . . . . . . . 60
4.5 An Alternative Pairing Function . . . . . . . . . . . . . . . . . . 61
4.6 Non-enumerable Sets . . . . . . . . . . . . . . . . . . . . . . . . 63
4.7 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.8 Equinumerosity . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.9 Sets of Different Sizes, and Cantor’s Theorem . . . . . . . . . . 68
4.10 The Notion of Size, and Schröder-Bernstein . . . . . . . . . . . 70
4.11 Enumerations and Enumerable Sets . . . . . . . . . . . . . . . . 71
4.12 Non-enumerable Sets . . . . . . . . . . . . . . . . . . . . . . . . 72
4.13 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

5 Arithmetization 79
5.1 From N to Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.2 From Z to Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.3 The Real Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.4 From Q to R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.5 Some Philosophical Reflections . . . . . . . . . . . . . . . . . . . 85
5.6 Ordered Rings and Fields . . . . . . . . . . . . . . . . . . . . . . 87
5.7 Appendix: the Reals as Cauchy Sequences . . . . . . . . . . . . 90
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

6 Infinite Sets 94
6.1 Hilbert’s Hotel . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.2 Dedekind Algebras . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.3 Arithmetical Induction . . . . . . . . . . . . . . . . . . . . . . . 97
6.4 Dedekind’s “Proof” . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.5 Appendix: Proving Schröder-Bernstein . . . . . . . . . . . . . . 100

II Propositional Logic 102

7 Syntax and Semantics 104

7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.2 Propositional Formulas . . . . . . . . . . . . . . . . . . . . . . . 105
7.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
7.4 Formation Sequences . . . . . . . . . . . . . . . . . . . . . . . . 108
7.5 Valuations and Satisfaction . . . . . . . . . . . . . . . . . . . . . 110
7.6 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Release : d3a1905 (2022-12-19) 3

 CONTENTS

8 Derivation Systems 114

8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
8.2 The Sequent Calculus . . . . . . . . . . . . . . . . . . . . . . . . 116
8.3 Natural Deduction . . . . . . . . . . . . . . . . . . . . . . . . . . 116
8.4 Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
8.5 Axiomatic Derivations . . . . . . . . . . . . . . . . . . . . . . . . 119

9 The Sequent Calculus 121

9.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 121
9.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 122
9.3 Structural Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
9.4 Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
9.5 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 125
9.6 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 129
9.7 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 131
9.8 Derivability and the Propositional Connectives . . . . . . . . . 132
9.9 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

10 Natural Deduction 139

10.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 139
10.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 140
10.3 Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
10.4 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 142
10.5 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 146
10.6 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 148
10.7 Derivability and the Propositional Connectives . . . . . . . . . 149
10.8 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

11 Tableaux 156
11.1 Rules and Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . 156
11.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 157
11.3 Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
11.4 Examples of Tableaux . . . . . . . . . . . . . . . . . . . . . . . . 159
11.5 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 163
11.6 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 165
11.7 Derivability and the Propositional Connectives . . . . . . . . . 167
11.8 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

12 Axiomatic Derivations 174

12.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 174
12.2 Axiom and Rules for the Propositional Connectives . . . . . . . 176

4 Release : d3a1905 (2022-12-19)

CONTENTS

12.3 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 176

12.4 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 178
12.5 The Deduction Theorem . . . . . . . . . . . . . . . . . . . . . . . 179
12.6 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 181
12.7 Derivability and the Propositional Connectives . . . . . . . . . 182
12.8 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

13 The Completeness Theorem 185

13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
13.2 Outline of the Proof . . . . . . . . . . . . . . . . . . . . . . . . . 186
13.3 Complete Consistent Sets of Sentences . . . . . . . . . . . . . . 187
13.4 Lindenbaum’s Lemma . . . . . . . . . . . . . . . . . . . . . . . . 188
13.5 Construction of a Model . . . . . . . . . . . . . . . . . . . . . . . 189
13.6 The Completeness Theorem . . . . . . . . . . . . . . . . . . . . 190
13.7 The Compactness Theorem . . . . . . . . . . . . . . . . . . . . . 190
13.8 A Direct Proof of the Compactness Theorem . . . . . . . . . . . 191
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

III First-order Logic 193

14 Introduction to First-Order Logic 195

14.1 First-Order Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
14.2 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
14.3 Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
14.4 Satisfaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
14.5 Sentences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
14.6 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 201
14.7 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
14.8 Models and Theories . . . . . . . . . . . . . . . . . . . . . . . . . 202
14.9 Soundness and Completeness . . . . . . . . . . . . . . . . . . . 203

15 Syntax of First-Order Logic 205

15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
15.2 First-Order Languages . . . . . . . . . . . . . . . . . . . . . . . . 205
15.3 Terms and Formulas . . . . . . . . . . . . . . . . . . . . . . . . . 207
15.4 Unique Readability . . . . . . . . . . . . . . . . . . . . . . . . . 210
15.5 Main operator of a Formula . . . . . . . . . . . . . . . . . . . . . 212
15.6 Subformulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
15.7 Formation Sequences . . . . . . . . . . . . . . . . . . . . . . . . 215
15.8 Free Variables and Sentences . . . . . . . . . . . . . . . . . . . . 218
15.9 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Release : d3a1905 (2022-12-19) 5

 CONTENTS

16 Semantics of First-Order Logic 222

16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
16.2 Structures for First-order Languages . . . . . . . . . . . . . . . 223
16.3 Covered Structures for First-order Languages . . . . . . . . . . 224
16.4 Satisfaction of a Formula in a Structure . . . . . . . . . . . . . . 225
16.5 Variable Assignments . . . . . . . . . . . . . . . . . . . . . . . . 230
16.6 Extensionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
16.7 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

17 Theories and Their Models 238

17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
17.2 Expressing Properties of Structures . . . . . . . . . . . . . . . . 240
17.3 Examples of First-Order Theories . . . . . . . . . . . . . . . . . 240
17.4 Expressing Relations in a Structure . . . . . . . . . . . . . . . . 243
17.5 The Theory of Sets . . . . . . . . . . . . . . . . . . . . . . . . . . 244
17.6 Expressing the Size of Structures . . . . . . . . . . . . . . . . . . 246
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

18 Derivation Systems 249

18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
18.2 The Sequent Calculus . . . . . . . . . . . . . . . . . . . . . . . . 251
18.3 Natural Deduction . . . . . . . . . . . . . . . . . . . . . . . . . . 251
18.4 Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
18.5 Axiomatic Derivations . . . . . . . . . . . . . . . . . . . . . . . . 254

19 The Sequent Calculus 256

19.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 256
19.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 257
19.3 Quantifier Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
19.4 Structural Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
19.5 Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
19.6 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 261
19.7 Derivations with Quantifiers . . . . . . . . . . . . . . . . . . . . 265
19.8 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 266
19.9 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 268
19.10 Derivability and the Propositional Connectives . . . . . . . . . 269
19.11 Derivability and the Quantifiers . . . . . . . . . . . . . . . . . . 271
19.12 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
19.13 Derivations with Identity predicate . . . . . . . . . . . . . . . . 276
19.14 Soundness with Identity predicate . . . . . . . . . . . . . . . . . 277
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

20 Natural Deduction 280

6 Release : d3a1905 (2022-12-19)

CONTENTS

20.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 280

20.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 281
20.3 Quantifier Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
20.4 Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
20.5 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 285
20.6 Derivations with Quantifiers . . . . . . . . . . . . . . . . . . . . 288
20.7 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 292
20.8 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 294
20.9 Derivability and the Propositional Connectives . . . . . . . . . 295
20.10 Derivability and the Quantifiers . . . . . . . . . . . . . . . . . . 296
20.11 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
20.12 Derivations with Identity predicate . . . . . . . . . . . . . . . . 301
20.13 Soundness with Identity predicate . . . . . . . . . . . . . . . . . 303
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

21 Tableaux 306
21.1 Rules and Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . 306
21.2 Propositional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 307
21.3 Quantifier Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
21.4 Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
21.5 Examples of Tableaux . . . . . . . . . . . . . . . . . . . . . . . . 310
21.6 Tableaux with Quantifiers . . . . . . . . . . . . . . . . . . . . . . 314
21.7 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 318
21.8 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 320
21.9 Derivability and the Propositional Connectives . . . . . . . . . 321
21.10 Derivability and the Quantifiers . . . . . . . . . . . . . . . . . . 324
21.11 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
21.12 Tableaux with Identity predicate . . . . . . . . . . . . . . . . . . 328
21.13 Soundness with Identity predicate . . . . . . . . . . . . . . . . . 329
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

22 Axiomatic Derivations 332

22.1 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 332
22.2 Axiom and Rules for the Propositional Connectives . . . . . . . 334
22.3 Axioms and Rules for Quantifiers . . . . . . . . . . . . . . . . . 334
22.4 Examples of Derivations . . . . . . . . . . . . . . . . . . . . . . 335
22.5 Derivations with Quantifiers . . . . . . . . . . . . . . . . . . . . 336
22.6 Proof-Theoretic Notions . . . . . . . . . . . . . . . . . . . . . . . 337
22.7 The Deduction Theorem . . . . . . . . . . . . . . . . . . . . . . . 338
22.8 The Deduction Theorem with Quantifiers . . . . . . . . . . . . 340
22.9 Derivability and Consistency . . . . . . . . . . . . . . . . . . . . 341
22.10 Derivability and the Propositional Connectives . . . . . . . . . 342
22.11 Derivability and the Quantifiers . . . . . . . . . . . . . . . . . . 343
22.12 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Release : d3a1905 (2022-12-19) 7

 CONTENTS

22.13 Derivations with Identity predicate . . . . . . . . . . . . . . . . 344

Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

23 The Completeness Theorem 346

23.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
23.2 Outline of the Proof . . . . . . . . . . . . . . . . . . . . . . . . . 347
23.3 Complete Consistent Sets of Sentences . . . . . . . . . . . . . . 349
23.4 Henkin Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . 350
23.5 Lindenbaum’s Lemma . . . . . . . . . . . . . . . . . . . . . . . . 352
23.6 Construction of a Model . . . . . . . . . . . . . . . . . . . . . . . 353
23.7 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
23.8 The Completeness Theorem . . . . . . . . . . . . . . . . . . . . 358
23.9 The Compactness Theorem . . . . . . . . . . . . . . . . . . . . . 358
23.10 A Direct Proof of the Compactness Theorem . . . . . . . . . . . 360
23.11 The Löwenheim-Skolem Theorem . . . . . . . . . . . . . . . . . 361
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

24 Beyond First-order Logic 364

24.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
24.2 Many-Sorted Logic . . . . . . . . . . . . . . . . . . . . . . . . . . 365
24.3 Second-Order logic . . . . . . . . . . . . . . . . . . . . . . . . . . 366
24.4 Higher-Order logic . . . . . . . . . . . . . . . . . . . . . . . . . . 370
24.5 Intuitionistic Logic . . . . . . . . . . . . . . . . . . . . . . . . . . 372
24.6 Modal Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
24.7 Other Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

IV Model Theory 379

25 Basics of Model Theory 381

25.1 Reducts and Expansions . . . . . . . . . . . . . . . . . . . . . . 381
25.2 Substructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
25.3 Overspill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
25.4 Isomorphic Structures . . . . . . . . . . . . . . . . . . . . . . . . 383
25.5 The Theory of a Structure . . . . . . . . . . . . . . . . . . . . . . 384
25.6 Partial Isomorphisms . . . . . . . . . . . . . . . . . . . . . . . . 385
25.7 Dense Linear Orders . . . . . . . . . . . . . . . . . . . . . . . . . 388
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

26 Models of Arithmetic 390

26.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
26.2 Standard Models of Arithmetic . . . . . . . . . . . . . . . . . . . 391
26.3 Non-Standard Models . . . . . . . . . . . . . . . . . . . . . . . . 393
26.4 Models of Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

8 Release : d3a1905 (2022-12-19)

CONTENTS

26.5 Models of PA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

26.6 Computable Models of Arithmetic . . . . . . . . . . . . . . . . . 400
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

27 The Interpolation Theorem 403

27.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
27.2 Separation of Sentences . . . . . . . . . . . . . . . . . . . . . . . 403
27.3 Craig’s Interpolation Theorem . . . . . . . . . . . . . . . . . . . 405
27.4 The Definability Theorem . . . . . . . . . . . . . . . . . . . . . . 407

28 Lindström’s Theorem 410

28.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
28.2 Abstract Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
28.3 Compactness and Löwenheim-Skolem Properties . . . . . . . . 412
28.4 Lindström’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . 413

V Computability 416

29 Recursive Functions 418

29.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
29.2 Primitive Recursion . . . . . . . . . . . . . . . . . . . . . . . . . 419
29.3 Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
29.4 Primitive Recursion Functions . . . . . . . . . . . . . . . . . . . 422
29.5 Primitive Recursion Notations . . . . . . . . . . . . . . . . . . . 425
29.6 Primitive Recursive Functions are Computable . . . . . . . . . 425
29.7 Examples of Primitive Recursive Functions . . . . . . . . . . . . 426
29.8 Primitive Recursive Relations . . . . . . . . . . . . . . . . . . . 429
29.9 Bounded Minimization . . . . . . . . . . . . . . . . . . . . . . . 431
29.10 Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
29.11 Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
29.12 Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
29.13 Other Recursions . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
29.14 Non-Primitive Recursive Functions . . . . . . . . . . . . . . . . 438
29.15 Partial Recursive Functions . . . . . . . . . . . . . . . . . . . . . 439
29.16 The Normal Form Theorem . . . . . . . . . . . . . . . . . . . . . 441
29.17 The Halting Problem . . . . . . . . . . . . . . . . . . . . . . . . . 442
29.18 General Recursive Functions . . . . . . . . . . . . . . . . . . . . 443
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443

30 Computability Theory 445

30.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
30.2 Coding Computations . . . . . . . . . . . . . . . . . . . . . . . . 446
30.3 The Normal Form Theorem . . . . . . . . . . . . . . . . . . . . . 447

Release : d3a1905 (2022-12-19) 9

 CONTENTS

30.4 The s-m-n Theorem . . . . . . . . . . . . . . . . . . . . . . . . . 448

30.5 The Universal Partial Computable Function . . . . . . . . . . . 448
30.6 No Universal Computable Function . . . . . . . . . . . . . . . . 449
30.7 The Halting Problem . . . . . . . . . . . . . . . . . . . . . . . . . 449
30.8 Comparison with Russell’s Paradox . . . . . . . . . . . . . . . . 450
30.9 Computable Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
30.10 Computably Enumerable Sets . . . . . . . . . . . . . . . . . . . 452
30.11 Definitions of C. E. Sets . . . . . . . . . . . . . . . . . . . . . . . 453
30.12 Union and Intersection of C.E. Sets . . . . . . . . . . . . . . . . 455
30.13 Computably Enumerable Sets not Closed under Complement . 456
30.14 Reducibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
30.15 Properties of Reducibility . . . . . . . . . . . . . . . . . . . . . . 458
30.16 Complete Computably Enumerable Sets . . . . . . . . . . . . . 459
30.17 An Example of Reducibility . . . . . . . . . . . . . . . . . . . . . 460
30.18 Totality is Undecidable . . . . . . . . . . . . . . . . . . . . . . . 461
30.19 Rice’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
30.20 The Fixed-Point Theorem . . . . . . . . . . . . . . . . . . . . . . 464
30.21 Applying the Fixed-Point Theorem . . . . . . . . . . . . . . . . 467
30.22 Defining Functions using Self-Reference . . . . . . . . . . . . . 468
30.23 Minimization with Lambda Terms . . . . . . . . . . . . . . . . . 469
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

VI Turing Machines 471

31 Turing Machine Computations 473

31.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
31.2 Representing Turing Machines . . . . . . . . . . . . . . . . . . . 475
31.3 Turing Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
31.4 Configurations and Computations . . . . . . . . . . . . . . . . . 479
31.5 Unary Representation of Numbers . . . . . . . . . . . . . . . . . 481
31.6 Halting States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
31.7 Disciplined Machines . . . . . . . . . . . . . . . . . . . . . . . . 485
31.8 Combining Turing Machines . . . . . . . . . . . . . . . . . . . . 486
31.9 Variants of Turing Machines . . . . . . . . . . . . . . . . . . . . 488
31.10 The Church-Turing Thesis . . . . . . . . . . . . . . . . . . . . . 490
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

32 Undecidability 493
32.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
32.2 Enumerating Turing Machines . . . . . . . . . . . . . . . . . . . 495
32.3 Universal Turing Machines . . . . . . . . . . . . . . . . . . . . . 497
32.4 The Halting Problem . . . . . . . . . . . . . . . . . . . . . . . . . 499
32.5 The Decision Problem . . . . . . . . . . . . . . . . . . . . . . . . 500

10 Release : d3a1905 (2022-12-19)

CONTENTS

32.6 Representing Turing Machines . . . . . . . . . . . . . . . . . . . 501

32.7 Verifying the Representation . . . . . . . . . . . . . . . . . . . . 504
32.8 The Decision Problem is Unsolvable . . . . . . . . . . . . . . . . 509
32.9 Trakthenbrot’s Theorem . . . . . . . . . . . . . . . . . . . . . . . 510
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

VII Incompleteness 514

33 Introduction to Incompleteness 516

33.1 Historical Background . . . . . . . . . . . . . . . . . . . . . . . . 516
33.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
33.3 Overview of Incompleteness Results . . . . . . . . . . . . . . . 524
33.4 Undecidability and Incompleteness . . . . . . . . . . . . . . . . 526
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

34 Arithmetization of Syntax 529

34.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
34.2 Coding Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
34.3 Coding Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
34.4 Coding Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
34.5 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
34.6 Derivations in LK . . . . . . . . . . . . . . . . . . . . . . . . . . 535
34.7 Derivations in Natural Deduction . . . . . . . . . . . . . . . . . 539
34.8 Axiomatic Derivations . . . . . . . . . . . . . . . . . . . . . . . . 543
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

35 Representability in Q 548
35.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
35.2 Functions Representable in Q are Computable . . . . . . . . . . 550
35.3 The Beta Function Lemma . . . . . . . . . . . . . . . . . . . . . 551
35.4 Simulating Primitive Recursion . . . . . . . . . . . . . . . . . . 554
35.5 Basic Functions are Representable in Q . . . . . . . . . . . . . . 555
35.6 Composition is Representable in Q . . . . . . . . . . . . . . . . 558
35.7 Regular Minimization is Representable in Q . . . . . . . . . . . 559
35.8 Computable Functions are Representable in Q . . . . . . . . . . 562
35.9 Representing Relations . . . . . . . . . . . . . . . . . . . . . . . 563
35.10 Undecidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

36 Theories and Computability 566

36.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
36.2 Q is C.e.-Complete . . . . . . . . . . . . . . . . . . . . . . . . . . 566
36.3 ω-Consistent Extensions of Q are Undecidable . . . . . . . . . 567

Release : d3a1905 (2022-12-19) 11

 CONTENTS

36.4 Consistent Extensions of Q are Undecidable . . . . . . . . . . . 568

36.5 Axiomatizable Theories . . . . . . . . . . . . . . . . . . . . . . . 569
36.6 Axiomatizable Complete Theories are Decidable . . . . . . . . 569
36.7 Q has no Complete, Consistent, Axiomatizable Extensions . . . 569
36.8 Sentences Provable and Refutable in Q are Computably Insep-
arable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
36.9 Theories Consistent with Q are Undecidable . . . . . . . . . . . 571
36.10 Theories in which Q is Intepretable are Undecidable . . . . . . 571

37 Incompleteness and Provability 573

37.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
37.2 The Fixed-Point Lemma . . . . . . . . . . . . . . . . . . . . . . . 574
37.3 The First Incompleteness Theorem . . . . . . . . . . . . . . . . . 576
37.4 Rosser’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 578
37.5 Comparison with Gödel’s Original Paper . . . . . . . . . . . . . 580
37.6 The Derivability Conditions for PA . . . . . . . . . . . . . . . . 580
37.7 The Second Incompleteness Theorem . . . . . . . . . . . . . . . 581
37.8 Löb’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
37.9 The Undefinability of Truth . . . . . . . . . . . . . . . . . . . . . 586
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587

VIII Second-order Logic 589

38 Syntax and Semantics 591

38.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
38.2 Terms and Formulas . . . . . . . . . . . . . . . . . . . . . . . . . 592
38.3 Satisfaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
38.4 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 595
38.5 Expressive Power . . . . . . . . . . . . . . . . . . . . . . . . . . 596
38.6 Describing Infinite and Enumerable Domains . . . . . . . . . . 597
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

39 Metatheory of Second-order Logic 600

39.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
39.2 Second-order Arithmetic . . . . . . . . . . . . . . . . . . . . . . 601
39.3 Second-order Logic is not Axiomatizable . . . . . . . . . . . . . 602
39.4 Second-order Logic is not Compact . . . . . . . . . . . . . . . . 603
39.5 The Löwenheim-Skolem Theorem Fails for Second-order Logic 604
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

40 Second-order Logic and Set Theory 605

40.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
40.2 Comparing Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

12 Release : d3a1905 (2022-12-19)

CONTENTS

40.3 Cardinalities of Sets . . . . . . . . . . . . . . . . . . . . . . . . . 606

40.4 The Power of the Continuum . . . . . . . . . . . . . . . . . . . . 607

IX The Lambda Calculus 610

41 Introduction 612
41.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
41.2 The Syntax of the Lambda Calculus . . . . . . . . . . . . . . . . 613
41.3 Reduction of Lambda Terms . . . . . . . . . . . . . . . . . . . . 614
41.4 The Church-Rosser Property . . . . . . . . . . . . . . . . . . . . 615
41.5 Currying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
41.6 λ-Definable Arithmetical Functions . . . . . . . . . . . . . . . . 617
41.7 λ-Definable Functions are Computable . . . . . . . . . . . . . . 618
41.8 Computable Functions are λ-Definable . . . . . . . . . . . . . . 618
41.9 The Basic Primitive Recursive Functions are λ-Definable . . . . 619
41.10 The λ-Definable Functions are Closed under Composition . . . 619
41.11 λ-Definable Functions are Closed under Primitive Recursion . 619
41.12 Fixed-Point Combinators . . . . . . . . . . . . . . . . . . . . . . 622
41.13 The λ-Definable Functions are Closed under Minimization . . 622

42 Syntax 624
42.1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
42.2 Unique Readability . . . . . . . . . . . . . . . . . . . . . . . . . 624
42.3 Abbreviated Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 626
42.4 Free Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
42.5 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
42.6 α-Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
42.7 The De Bruijn Index . . . . . . . . . . . . . . . . . . . . . . . . . 634
42.8 Terms as α-Equivalence Classes . . . . . . . . . . . . . . . . . . 635
42.9 β-reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
42.10 η-conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

43 The Church-Rosser Property 641

43.1 Definition and Properties . . . . . . . . . . . . . . . . . . . . . . 641
43.2 Parallel β-reduction . . . . . . . . . . . . . . . . . . . . . . . . . 642
43.3 β-reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
43.4 Parallel βη-reduction . . . . . . . . . . . . . . . . . . . . . . . . 646
43.5 βη-reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

44 Lambda Definability 648

44.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

Release : d3a1905 (2022-12-19) 13

 CONTENTS

44.2 λ-Definable Arithmetical Functions . . . . . . . . . . . . . . . . 649

44.3 Pairs and Predecessor . . . . . . . . . . . . . . . . . . . . . . . . 651
44.4 Truth Values and Relations . . . . . . . . . . . . . . . . . . . . . 652
44.5 Primitive Recursive Functions are λ-Definable . . . . . . . . . . 653
44.6 Fixpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
44.7 Minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
44.8 Partial Recursive Functions are λ-Definable . . . . . . . . . . . 659
44.9 λ-Definable Functions are Recursive . . . . . . . . . . . . . . . . 660
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660

X Many-valued Logic 662

45 Syntax and Semantics 664

45.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
45.2 Languages and Connectives . . . . . . . . . . . . . . . . . . . . 665
45.3 Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
45.4 Matrices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
45.5 Valuations and Satisfaction . . . . . . . . . . . . . . . . . . . . . 667
45.6 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 667
45.7 Many-valued logics as sublogics of C . . . . . . . . . . . . . . . 668
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669

46 Three-valued Logics 670

46.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
46.2 Łukasiewicz logic . . . . . . . . . . . . . . . . . . . . . . . . . . 670
46.3 Kleene logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
46.4 Gödel logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
46.5 Designating not just T . . . . . . . . . . . . . . . . . . . . . . . . 676
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678

47 Infinite-valued Logics 681

47.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
47.2 Łukasiewicz logic . . . . . . . . . . . . . . . . . . . . . . . . . . 681
47.3 Gödel logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684

48 Sequent Calculus 685

48.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
48.2 Rules and Derivations . . . . . . . . . . . . . . . . . . . . . . . . 686
48.3 Structural Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
48.4 Propositional Rules for Selected Logics . . . . . . . . . . . . . . 687

14 Release : d3a1905 (2022-12-19)

CONTENTS

XI Normal Modal Logics 692

49 Syntax and Semantics 694

49.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
49.2 The Language of Basic Modal Logic . . . . . . . . . . . . . . . . 695
49.3 Simultaneous Substitution . . . . . . . . . . . . . . . . . . . . . 696
49.4 Relational Models . . . . . . . . . . . . . . . . . . . . . . . . . . 698
49.5 Truth at a World . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
49.6 Truth in a Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
49.7 Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
49.8 Tautological Instances . . . . . . . . . . . . . . . . . . . . . . . . 701
49.9 Schemas and Validity . . . . . . . . . . . . . . . . . . . . . . . . 703
49.10 Entailment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705

50 Frame Definability 708

50.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
50.2 Properties of Accessibility Relations . . . . . . . . . . . . . . . . 709
50.3 Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
50.4 Frame Definability . . . . . . . . . . . . . . . . . . . . . . . . . . 711
50.5 First-order Definability . . . . . . . . . . . . . . . . . . . . . . . 713
50.6 Equivalence Relations and S5 . . . . . . . . . . . . . . . . . . . 715
50.7 Second-order Definability . . . . . . . . . . . . . . . . . . . . . . 717
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719

51 Axiomatic Derivations 720

51.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
51.2 Normal Modal Logics . . . . . . . . . . . . . . . . . . . . . . . . 721
51.3 Derivations and Modal Systems . . . . . . . . . . . . . . . . . . 723
51.4 Proofs in K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
51.5 Derived Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
51.6 More Proofs in K . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
51.7 Dual Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
51.8 Proofs in Modal Systems . . . . . . . . . . . . . . . . . . . . . . 729
51.9 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
51.10 Showing Systems are Distinct . . . . . . . . . . . . . . . . . . . 732
51.11 Derivability from a Set of Formulas . . . . . . . . . . . . . . . . 733
51.12 Properties of Derivability . . . . . . . . . . . . . . . . . . . . . . 734
51.13 Consistency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

52 Completeness and Canonical Models 736

52.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
52.2 Complete Σ-Consistent Sets . . . . . . . . . . . . . . . . . . . . 737

Release : d3a1905 (2022-12-19) 15

 CONTENTS

52.3 Lindenbaum’s Lemma . . . . . . . . . . . . . . . . . . . . . . . . 738

52.4 Modalities and Complete Consistent Sets . . . . . . . . . . . . . 739
52.5 Canonical Models . . . . . . . . . . . . . . . . . . . . . . . . . . 741
52.6 The Truth Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . 742
52.7 Determination and Completeness for K . . . . . . . . . . . . . . 742
52.8 Frame Completeness . . . . . . . . . . . . . . . . . . . . . . . . . 743
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746

53 Filtrations and Decidability 747

53.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
53.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
53.3 Filtrations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
53.4 Examples of Filtrations . . . . . . . . . . . . . . . . . . . . . . . 752
53.5 Filtrations are Finite . . . . . . . . . . . . . . . . . . . . . . . . . 753
53.6 K and S5 have the Finite Model Property . . . . . . . . . . . . . 754
53.7 S5 is Decidable . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
53.8 Filtrations and Properties of Accessibility . . . . . . . . . . . . . 755
53.9 Filtrations of Euclidean Models . . . . . . . . . . . . . . . . . . 756
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758

54 Modal Tableaux 760

54.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
54.2 Rules for K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
54.3 Tableaux for K . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
54.4 Soundness for K . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
54.5 Rules for Other Accessibility Relations . . . . . . . . . . . . . . 767
54.6 Soundness for Additional Rules . . . . . . . . . . . . . . . . . . 768
54.7 Simple Tableaux for S5 . . . . . . . . . . . . . . . . . . . . . . . 770
54.8 Completeness for K . . . . . . . . . . . . . . . . . . . . . . . . . 771
54.9 Countermodels from Tableaux . . . . . . . . . . . . . . . . . . . 773
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774

XII Intuitionistic Logic 776

55 Introduction 778
55.1 Constructive Reasoning . . . . . . . . . . . . . . . . . . . . . . . 778
55.2 Syntax of Intuitionistic Logic . . . . . . . . . . . . . . . . . . . . 779
55.3 The Brouwer-Heyting-Kolmogorov Interpretation . . . . . . . . 780
55.4 Natural Deduction . . . . . . . . . . . . . . . . . . . . . . . . . . 783
55.5 Axiomatic Derivations . . . . . . . . . . . . . . . . . . . . . . . . 786
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787

56 Semantics 788

16 Release : d3a1905 (2022-12-19)

CONTENTS

56.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788

56.2 Relational models . . . . . . . . . . . . . . . . . . . . . . . . . . 789
56.3 Semantic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 790
56.4 Topological Semantics . . . . . . . . . . . . . . . . . . . . . . . . 791
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

57 Soundness and Completeness 793

57.1 Soundness of Axiomatic Derivations . . . . . . . . . . . . . . . 793
57.2 Soundness of Natural Deduction . . . . . . . . . . . . . . . . . . 794
57.3 Lindenbaum’s Lemma . . . . . . . . . . . . . . . . . . . . . . . . 795
57.4 The Canonical Model . . . . . . . . . . . . . . . . . . . . . . . . 797
57.5 The Truth Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . 798
57.6 The Completeness Theorem . . . . . . . . . . . . . . . . . . . . 799
57.7 Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799

58 Propositions as Types 801

58.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
58.2 Sequent Natural Deduction . . . . . . . . . . . . . . . . . . . . . 803
58.3 Proof Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
58.4 Converting Derivations to Proof Terms . . . . . . . . . . . . . . 805
58.5 Recovering Derivations from Proof Terms . . . . . . . . . . . . 808
58.6 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
58.7 Normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812

XIII Counterfactuals 816

59 Introduction 817
59.1 The Material Conditional . . . . . . . . . . . . . . . . . . . . . . 817
59.2 Paradoxes of the Material Conditional . . . . . . . . . . . . . . 818
59.3 The Strict Conditional . . . . . . . . . . . . . . . . . . . . . . . . 819
59.4 Counterfactuals . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822

60 Minimal Change Semantics 824

60.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824
60.2 Sphere Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
60.3 Truth and Falsity of Counterfactuals . . . . . . . . . . . . . . . . 827
60.4 Antecedent Strengthenng . . . . . . . . . . . . . . . . . . . . . . 828
60.5 Transitivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
60.6 Contraposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831

Release : d3a1905 (2022-12-19) 17

 CONTENTS

XIV Set Theory 833

61 The Iterative Conception 834

61.1 Extensionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
61.2 Russell’s Paradox (again) . . . . . . . . . . . . . . . . . . . . . . 834
61.3 Predicative and Impredicative . . . . . . . . . . . . . . . . . . . 835
61.4 The Cumulative-Iterative Approach . . . . . . . . . . . . . . . . 837
61.5 Urelements or Not? . . . . . . . . . . . . . . . . . . . . . . . . . 839
61.6 Appendix: Frege’s Basic Law V . . . . . . . . . . . . . . . . . . 840

62 Steps towards Z 842

62.1 The Story in More Detail . . . . . . . . . . . . . . . . . . . . . . 842
62.2 Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
62.3 Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
62.4 Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
62.5 Powersets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
62.6 Infinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
62.7 Z− : a Milestone . . . . . . . . . . . . . . . . . . . . . . . . . . . 848
62.8 Selecting our Natural Numbers . . . . . . . . . . . . . . . . . . 848
62.9 Appendix: Closure, Comprehension, and Intersection . . . . . 849
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850

63 Ordinals 851
63.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
63.2 The General Idea of an Ordinal . . . . . . . . . . . . . . . . . . . 851
63.3 Well-Orderings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
63.4 Order-Isomorphisms . . . . . . . . . . . . . . . . . . . . . . . . . 853
63.5 Von Neumann’s Construction . . . . . . . . . . . . . . . . . . . 855
63.6 Basic Properties of the Ordinals . . . . . . . . . . . . . . . . . . 856
63.7 Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
63.8 ZF− : a milestone . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
63.9 Ordinals as Order-Types . . . . . . . . . . . . . . . . . . . . . . 860
63.10 Successor and Limit Ordinals . . . . . . . . . . . . . . . . . . . . 861
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862

64 Stages and Ranks 863

64.1 Defining the Stages as the Vα s . . . . . . . . . . . . . . . . . . . 863
64.2 The Transfinite Recursion Theorem(s) . . . . . . . . . . . . . . . 863
64.3 Basic Properties of Stages . . . . . . . . . . . . . . . . . . . . . . 865
64.4 Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
64.5 Z and ZF: A Milestone . . . . . . . . . . . . . . . . . . . . . . . 868
64.6 Rank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870

18 Release : d3a1905 (2022-12-19)

CONTENTS

65 Replacement 871
65.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
65.2 The Strength of Replacement . . . . . . . . . . . . . . . . . . . . 871
65.3 Extrinsic Considerations . . . . . . . . . . . . . . . . . . . . . . 872
65.4 Limitation-of-size . . . . . . . . . . . . . . . . . . . . . . . . . . 874
65.5 Replacement and “Absolute Infinity” . . . . . . . . . . . . . . . 875
65.6 Replacement and Reflection . . . . . . . . . . . . . . . . . . . . 877
65.7 Appendix: Results surrounding Replacement . . . . . . . . . . 877
65.8 Appendix: Finite axiomatizability . . . . . . . . . . . . . . . . . 880
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881

66 Ordinal Arithmetic 883

66.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
66.2 Ordinal Addition . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
66.3 Using Ordinal Addition . . . . . . . . . . . . . . . . . . . . . . . 886
66.4 Ordinal Multiplication . . . . . . . . . . . . . . . . . . . . . . . . 888
66.5 Ordinal Exponentiation . . . . . . . . . . . . . . . . . . . . . . . 889
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890

67 Cardinals 891
67.1 Cantor’s Principle . . . . . . . . . . . . . . . . . . . . . . . . . . 891
67.2 Cardinals as Ordinals . . . . . . . . . . . . . . . . . . . . . . . . 892
67.3 ZFC: A Milestone . . . . . . . . . . . . . . . . . . . . . . . . . . 893
67.4 Finite, Enumerable, Non-enumerable . . . . . . . . . . . . . . . 894
67.5 Appendix: Hume’s Principle . . . . . . . . . . . . . . . . . . . . 896

68 Cardinal Arithmetic 899

68.1 Defining the Basic Operations . . . . . . . . . . . . . . . . . . . 899
68.2 Simplifying Addition and Multiplication . . . . . . . . . . . . . 901
68.3 Some Simplifications . . . . . . . . . . . . . . . . . . . . . . . . . 902
68.4 The Continuum Hypothesis . . . . . . . . . . . . . . . . . . . . 903
68.5 ℵ-Fixed Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908

69 Choice 909
69.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
69.2 The Tarski-Scott Trick . . . . . . . . . . . . . . . . . . . . . . . . 909
69.3 Comparability and Hartogs’ Lemma . . . . . . . . . . . . . . . 910
69.4 The Well-Ordering Problem . . . . . . . . . . . . . . . . . . . . . 911
69.5 Countable Choice . . . . . . . . . . . . . . . . . . . . . . . . . . 912
69.6 Intrinsic Considerations about Choice . . . . . . . . . . . . . . . 915
69.7 The Banach-Tarski Paradox . . . . . . . . . . . . . . . . . . . . . 916
69.8 Appendix: Vitali’s Paradox . . . . . . . . . . . . . . . . . . . . . 917
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921

Release : d3a1905 (2022-12-19) 19

 CONTENTS

XV Methods 922

70 Proofs 924
70.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
70.2 Starting a Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
70.3 Using Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
70.4 Inference Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . 927
70.5 An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
70.6 Another Example . . . . . . . . . . . . . . . . . . . . . . . . . . 936
70.7 Proof by Contradiction . . . . . . . . . . . . . . . . . . . . . . . 937
70.8 Reading Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
70.9 I Can’t Do It! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 942
70.10 Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 944

71 Induction 945
71.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
71.2 Induction on N . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
71.3 Strong Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
71.4 Inductive Definitions . . . . . . . . . . . . . . . . . . . . . . . . 949
71.5 Structural Induction . . . . . . . . . . . . . . . . . . . . . . . . . 951
71.6 Relations and Functions . . . . . . . . . . . . . . . . . . . . . . . 952
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955

XVI History 956

72 Biographies 957
72.1 Georg Cantor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
72.2 Alonzo Church . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
72.3 Gerhard Gentzen . . . . . . . . . . . . . . . . . . . . . . . . . . . 959
72.4 Kurt Gödel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
72.5 Emmy Noether . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
72.6 Rózsa Péter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
72.7 Julia Robinson . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
72.8 Bertrand Russell . . . . . . . . . . . . . . . . . . . . . . . . . . . 966
72.9 Alfred Tarski . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
72.10 Alan Turing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
72.11 Ernst Zermelo . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969

73 History and Mythology of Set Theory 971

73.1 Infinitesimals and Differentiation . . . . . . . . . . . . . . . . . 971
73.2 Rigorous Definition of Limits . . . . . . . . . . . . . . . . . . . . 973
73.3 Pathologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974

20 Release : d3a1905 (2022-12-19)

CONTENTS

73.4 More Myth than History? . . . . . . . . . . . . . . . . . . . . . . 976

73.5 Cantor on the Line and the Plane . . . . . . . . . . . . . . . . . 977
73.6 Appendix: Hilbert’s Space-filling Curves . . . . . . . . . . . . . 978

XVII Reference 981

74 The Greek Alphabet 983

75 The Fraktur Alphabet 984

Photo Credits 984

Bibliography 986

Release : d3a1905 (2022-12-19) 21

 CONTENTS

This file loads all content included in the Open Logic Project. Editorial
notes like this, if displayed, indicate that the file was compiled without
any thought to how this material will be presented. If you can read this,
it is probably not advisable to teach or study from this PDF.
The Open Logic Project provides many mechanisms by which a text
can be generate which is more appropriate for teaching or self-study. For
instance, by default, the text will make all logical operators primitives and
carry out all cases for all operators in proofs. But it is much better to leave
some of these cases as exercises. The Open Logic Project is also a work in
progress. In an effort to stimulate collaboration and improvement, mate-
rial is included even if it is only in draft form, is missing exercises, etc. A
PDF produced for a course will exclude these sections.
To find PDFs more suitable for teaching and studying, have a look at
the sample courses available on the OLP website. To make your own,
you might start from the sample driver file or look at the sources of the
derived textbooks for more fancy and advanced examples.

22 Release : d3a1905 (2022-12-19)

 Part I

Naı̈ve Set Theory

23
 CONTENTS

The material in this part is an introduction to basic naive set theory.

With the inclusion of Tim Button’s Open Set Theory, this also covers the
construction of number systems, and discussion of infinity, which are not
required for the logical parts of the OLP.

24 Release : d3a1905 (2022-12-19)

Chapter 1

Sets

1.1 Extensionality
A set is a collection of objects, considered as a single object. The objects making
up the set are called elements or members of the set. If x is an element of a set a,
we write x ∈ a; if not, we write x ∈ / a. The set which has no elements is called
the empty set and denoted “∅”.
It does not matter how we specify the set, or how we order its elements, or
indeed how many times we count its elements. All that matters are what its
elements are. We codify this in the following principle.

Definition 1.1 (Extensionality). If A and B are sets, then A = B iff every ele-
ment of A is also an element of B, and vice versa.

Extensionality licenses some notation. In general, when we have some

objects a1 , . . . , an , then { a1 , . . . , an } is the set whose elements are a1 , . . . , an . We
emphasise the word “the”, since extensionality tells us that there can be only
one such set. Indeed, extensionality also licenses the following:

{ a, a, b} = { a, b} = {b, a}.

This delivers on the point that, when we consider sets, we don’t care about
the order of their elements, or how many times they are specified.

Example 1.2. Whenever you have a bunch of objects, you can collect them
together in a set. The set of Richard’s siblings, for instance, is a set that con-
tains one person, and we could write it as S = {Ruth}. The set of positive
integers less than 4 is {1, 2, 3}, but it can also be written as {3, 2, 1} or even as
{1, 2, 1, 2, 3}. These are all the same set, by extensionality. For every element
of {1, 2, 3} is also an element of {3, 2, 1} (and of {1, 2, 1, 2, 3}), and vice versa.

Frequently we’ll specify a set by some property that its elements share.
We’ll use the following shorthand notation for that: { x : φ( x )}, where the

25
 CHAPTER 1. SETS

φ( x ) stands for the property that x has to have in order to be counted among
the elements of the set.

Example 1.3. In our example, we could have specified S also as

S = { x : x is a sibling of Richard}.

Example 1.4. A number is called perfect iff it is equal to the sum of its proper
divisors (i.e., numbers that evenly divide it but aren’t identical to the number).
For instance, 6 is perfect because its proper divisors are 1, 2, and 3, and 6 =
1 + 2 + 3. In fact, 6 is the only positive integer less than 10 that is perfect. So,
using extensionality, we can say:

{6} = { x : x is perfect and 0 ≤ x ≤ 10}

We read the notation on the right as “the set of x’s such that x is perfect and
0 ≤ x ≤ 10”. The identity here confirms that, when we consider sets, we don’t
care about how they are specified. And, more generally, extensionality guar-
antees that there is always only one set of x’s such that φ( x ). So, extensionality
justifies calling { x : φ( x )} the set of x’s such that φ( x ).

Extensionality gives us a way for showing that sets are identical: to show
that A = B, show that whenever x ∈ A then also x ∈ B, and whenever y ∈ B
then also y ∈ A.

1.2 Subsets and Power Sets

We will often want to compare sets. And one obvious kind of comparison one
might make is as follows: everything in one set is in the other too. This situation
is sufficiently important for us to introduce some new notation.

Definition 1.5 (Subset). If every element of a set A is also an element of B,

then we say that A is a subset of B, and write A ⊆ B. If A is not a subset of B
we write A ̸⊆ B. If A ⊆ B but A ̸= B, we write A ⊊ B and say that A is a
proper subset of B.

Example 1.6. Every set is a subset of itself, and ∅ is a subset of every set. The
set of even numbers is a subset of the set of natural numbers. Also, { a, b} ⊆
{ a, b, c}. But { a, b, e} is not a subset of { a, b, c}.

Example 1.7. The number 2 is an element of the set of integers, whereas the
set of even numbers is a subset of the set of integers. However, a set may hap-
pen to both be an element and a subset of some other set, e.g., {0} ∈ {0, {0}}
and also {0} ⊆ {0, {0}}.

26 Release : d3a1905 (2022-12-19)

1.2. SUBSETS AND POWER SETS

Extensionality gives a criterion of identity for sets: A = B iff every element

of A is also an element of B and vice versa. The definition of “subset” defines
A ⊆ B precisely as the first half of this criterion: every element of A is also
an element of B. Of course the definition also applies if we switch A and B:
that is, B ⊆ A iff every element of B is also an element of A. And that, in turn,
is exactly the “vice versa” part of extensionality. In other words, extensionality
entails that sets are equal iff they are subsets of one another.

Proposition 1.8. A = B iff both A ⊆ B and B ⊆ A.

Now is also a good opportunity to introduce some further bits of helpful

notation. In defining when A is a subset of B we said that “every element of A
is . . . ,” and filled the “. . . ” with “an element of B”. But this is such a common
shape of expression that it will be helpful to introduce some formal notation
for it.

Definition 1.9. (∀ x ∈ A) φ abbreviates ∀ x ( x ∈ A → φ). Similarly, (∃ x ∈ A) φ

abbreviates ∃ x ( x ∈ A ∧ φ).

Using this notation, we can say that A ⊆ B iff (∀ x ∈ A) x ∈ B.

Now we move on to considering a certain kind of set: the set of all subsets
of a given set.

Definition 1.10 (Power Set). The set consisting of all subsets of a set A is called
the power set of A, written ℘( A).

℘( A) = { B : B ⊆ A}

Example 1.11. What are all the possible subsets of { a, b, c}? They are: ∅,
{ a}, {b}, {c}, { a, b}, { a, c}, {b, c}, { a, b, c}. The set of all these subsets is
℘({ a, b, c}):

℘({ a, b, c}) = {∅, { a}, {b}, {c}, { a, b}, {b, c}, { a, c}, { a, b, c}}

Release : d3a1905 (2022-12-19) 27

 CHAPTER 1. SETS

1.3 Some Important Sets

Example 1.12. We will mostly be dealing with sets whose elements are math-
ematical objects. Four such sets are important enough to have specific names:

N = {0, 1, 2, 3, . . .}
the set of natural numbers
Z = {. . . , −2, −1, 0, 1, 2, . . .}
the set of integers
Q= {m/n : m, n ∈ Z and n ̸= 0}
the set of rationals
R = (−∞, ∞)
the set of real numbers (the continuum)
These are all infinite sets, that is, they each have infinitely many elements.
As we move through these sets, we are adding more numbers to our stock.
Indeed, it should be clear that N ⊆ Z ⊆ Q ⊆ R: after all, every natural
number is an integer; every integer is a rational; and every rational is a real.
Equally, it should be clear that N ⊊ Z ⊊ Q, since −1 is an integer but not
a natural number, and 1/2 is rational but not integer. It is less obvious that
Q ⊊ R, i.e., that there are some real numbers which are not rational.
We’ll sometimes also use the set of positive integers Z+ = {1, 2, 3, . . . } and
the set containing just the first two natural numbers B = {0, 1}.

Example 1.13 (Strings). Another interesting example is the set A∗ of finite

strings over an alphabet A: any finite sequence of elements of A is a string
over A. We include the empty string Λ among the strings over A, for every
alphabet A. For instance,

B∗ = {Λ, 0, 1, 00, 01, 10, 11,

000, 001, 010, 011, 100, 101, 110, 111, 0000, . . .}.
If x = x1 . . . xn ∈ A∗ is a string consisting of n “letters” from A, then we say
length of the string is n and write len( x ) = n.

Example 1.14 (Infinite sequences). For any set A we may also consider the
set Aω of infinite sequences of elements of A. An infinite sequence a1 a2 a3 a4 . . .
consists of a one-way infinite list of objects, each one of which is an element
of A.

1.4 Unions and Intersections

In section 1.1, we introduced definitions of sets by abstraction, i.e., definitions
of the form { x : φ( x )}. Here, we invoke some property φ, and this property

28 Release : d3a1905 (2022-12-19)

1.4. UNIONS AND INTERSECTIONS

Figure 1.1: The union A ∪ B of two sets is set of elements of A together with
those of B.

can mention sets we’ve already defined. So for instance, if A and B are sets,
the set { x : x ∈ A ∨ x ∈ B} consists of all those objects which are elements
of either A or B, i.e., it’s the set that combines the elements of A and B. We
can visualize this as in Figure 1.1, where the highlighted area indicates the
elements of the two sets A and B together.
This operation on sets—combining them—is very useful and common,
and so we give it a formal name and a symbol.
Definition 1.15 (Union). The union of two sets A and B, written A ∪ B, is the
set of all things which are elements of A, B, or both.

A ∪ B = { x : x ∈ A ∨ x ∈ B}

Example 1.16. Since the multiplicity of elements doesn’t matter, the union of
two sets which have an element in common contains that element only once,
e.g., { a, b, c} ∪ { a, 0, 1} = { a, b, c, 0, 1}.
The union of a set and one of its subsets is just the bigger set: { a, b, c} ∪
{ a} = { a, b, c}.
The union of a set with the empty set is identical to the set: { a, b, c} ∪ ∅ =
{ a, b, c}.

We can also consider a “dual” operation to union. This is the operation

that forms the set of all elements that are elements of A and are also elements
of B. This operation is called intersection, and can be depicted as in Figure 1.2.

Definition 1.17 (Intersection). The intersection of two sets A and B, written

A ∩ B, is the set of all things which are elements of both A and B.

A ∩ B = { x : x ∈ A ∧ x ∈ B}

Two sets are called disjoint if their intersection is empty. This means they have
no elements in common.

Release : d3a1905 (2022-12-19) 29

 CHAPTER 1. SETS

Figure 1.2: The intersection A ∩ B of two sets is the set of elements they have
in common.

Example 1.18. If two sets have no elements in common, their intersection is

empty: { a, b, c} ∩ {0, 1} = ∅.
If two sets do have elements in common, their intersection is the set of all
those: { a, b, c} ∩ { a, b, d} = { a, b}.
The intersection of a set with one of its subsets is just the smaller set:
{ a, b, c} ∩ { a, b} = { a, b}.
The intersection of any set with the empty set is empty: { a, b, c} ∩ ∅ = ∅.

We can also form the union or intersection of more than two sets. An
elegant way of dealing with this in general is the following: suppose you
collect all the sets you want to form the union (or intersection) of into a single
set. Then we can define the union of all our original sets as the set of all objects
which belong to at least one element of the set, and the intersection as the set
of all objects which belong to every element of the set.
S
Definition 1.19. If A is a set of sets, then A is the set of elements of elements
of A:
[
A = { x : x belongs to an element of A}, i.e.,
= { x : there is a B ∈ A so that x ∈ B}

T
Definition 1.20. If A is a set of sets, then A is the set of objects which all
elements of A have in common:
\
A = { x : x belongs to every element of A}, i.e.,
= { x : for all B ∈ A, x ∈ B}

Example 1.21. Suppose A = {{ a, b}, { a, d, e}, { a, d}}. Then A = { a, b, d, e}

S

and A = { a}.
T

30 Release : d3a1905 (2022-12-19)

1.5. PAIRS, TUPLES, CARTESIAN PRODUCTS

Figure 1.3: The difference A \ B of two sets is the set of those elements of A
which are not also elements of B.

We could also do the same for a sequence of sets A1 , A2 , . . .

[
Ai = { x : x belongs to one of the Ai }
i
\
Ai = { x : x belongs to every Ai }.
i

When we have an index of sets, i.e., some set I such that we are considering
Ai for each i ∈ I, we may also use these abbreviations:
[ [
Ai = { Ai : i ∈ I }
i∈ I
\ \
Ai = { Ai : i ∈ I }
i∈ I

Finally, we may want to think about the set of all elements in A which are
not in B. We can depict this as in Figure 1.3.
Definition 1.22 (Difference). The set difference A \ B is the set of all elements
of A which are not also elements of B, i.e.,
A \ B = { x : x ∈ A and x ∈
/ B }.

1.5 Pairs, Tuples, Cartesian Products

It follows from extensionality that sets have no order to their elements. So if
we want to represent order, we use ordered pairs ⟨ x, y⟩. In an unordered pair
{ x, y}, the order does not matter: { x, y} = {y, x }. In an ordered pair, it does:
if x ̸= y, then ⟨ x, y⟩ ̸= ⟨y, x ⟩.
How should we think about ordered pairs in set theory? Crucially, we
want to preserve the idea that ordered pairs are identical iff they share the
same first element and share the same second element, i.e.:
⟨ a, b⟩ = ⟨c, d⟩ iff both a = c and b = d.

Release : d3a1905 (2022-12-19) 31

 CHAPTER 1. SETS

We can define ordered pairs in set theory using the Wiener-Kuratowski defi-
nition.

Definition 1.23 (Ordered pair). ⟨ a, b⟩ = {{ a}, { a, b}}.

Having fixed a definition of an ordered pair, we can use it to define fur-

ther sets. For example, sometimes we also want ordered sequences of more
than two objects, e.g., triples ⟨ x, y, z⟩, quadruples ⟨ x, y, z, u⟩, and so on. We can
think of triples as special ordered pairs, where the first element is itself an or-
dered pair: ⟨ x, y, z⟩ is ⟨⟨ x, y⟩, z⟩. The same is true for quadruples: ⟨ x, y, z, u⟩ is
⟨⟨⟨ x, y⟩, z⟩, u⟩, and so on. In general, we talk of ordered n-tuples ⟨ x1 , . . . , xn ⟩.
Certain sets of ordered pairs, or other ordered n-tuples, will be useful.

Definition 1.24 (Cartesian product). Given sets A and B, their Cartesian prod-
uct A × B is defined by

A × B = {⟨ x, y⟩ : x ∈ A and y ∈ B}.

Example 1.25. If A = {0, 1}, and B = {1, a, b}, then their product is

A × B = {⟨0, 1⟩, ⟨0, a⟩, ⟨0, b⟩, ⟨1, 1⟩, ⟨1, a⟩, ⟨1, b⟩}.

Example 1.26. If A is a set, the product of A with itself, A × A, is also writ-

ten A2 . It is the set of all pairs ⟨ x, y⟩ with x, y ∈ A. The set of all triples ⟨ x, y, z⟩
is A3 , and so on. We can give a recursive definition:

A1 = A
A k +1 = A k × A

Proposition 1.27. If A has n elements and B has m elements, then A × B has n · m

elements.

Proof. For every element x in A, there are m elements of the form ⟨ x, y⟩ ∈

A × B. Let Bx = {⟨ x, y⟩ : y ∈ B}. Since whenever x1 ̸= x2 , ⟨ x1 , y⟩ ̸= ⟨ x2 , y⟩,
Bx1 ∩ Bx2 = ∅. But if A = { x1 , . . . , xn }, then A × B = Bx1 ∪ · · · ∪ Bxn , and so
has n · m elements.
To visualize this, arrange the elements of A × B in a grid:

Bx1 = {⟨ x1 , y1 ⟩ ⟨ x1 , y2 ⟩ ... ⟨ x1 , ym ⟩}
Bx2 = {⟨ x2 , y1 ⟩ ⟨ x2 , y2 ⟩ ... ⟨ x2 , ym ⟩}
.. ..
. .
Bx n = {⟨ xn , y1 ⟩ ⟨ xn , y2 ⟩ . . . ⟨ xn , ym ⟩}

Since the xi are all different, and the y j are all different, no two of the pairs in
this grid are the same, and there are n · m of them.

32 Release : d3a1905 (2022-12-19)

1.6. RUSSELL’S PARADOX

Example 1.28. If A is a set, a word over A is any sequence of elements of A. A

sequence can be thought of as an n-tuple of elements of A. For instance, if A =
{ a, b, c}, then the sequence “bac” can be thought of as the triple ⟨b, a, c⟩. Words,
i.e., sequences of symbols, are of crucial importance in computer science. By
convention, we count elements of A as sequences of length 1, and ∅ as the
sequence of length 0. The set of all words over A then is

A ∗ = { ∅ } ∪ A ∪ A2 ∪ A3 ∪ . . .

1.6 Russell’s Paradox

Extensionality licenses the notation { x : φ( x )}, for the set of x’s such that φ( x ).
However, all that extensionality really licenses is the following thought. If
there is a set whose members are all and only the φ’s, then there is only one
such set. Otherwise put: having fixed some φ, the set { x : φ( x )} is unique, if
it exists.
But this conditional is important! Crucially, not every property lends itself
to comprehension. That is, some properties do not define sets. If they all did,
then we would run into outright contradictions. The most famous example of
this is Russell’s Paradox.
Sets may be elements of other sets—for instance, the power set of a set A
is made up of sets. And so it makes sense to ask or investigate whether a set
is an element of another set. Can a set be a member of itself? Nothing about
the idea of a set seems to rule this out. For instance, if all sets form a collection
of objects, one might think that they can be collected into a single set—the set
of all sets. And it, being a set, would be an element of the set of all sets.
Russell’s Paradox arises when we consider the property of not having itself
as an element, of being non-self-membered. What if we suppose that there is a
set of all sets that do not have themselves as an element? Does

R = {x : x ∈
/ x}

exist? It turns out that we can prove that it does not.

Theorem 1.29 (Russell’s Paradox). There is no set R = { x : x ∈

/ x }.

Proof. If R = { x : x ∈
/ x } exists, then R ∈ R iff R ∈
/ R, which is a contradic-
tion.

Let’s run through this proof more slowly. If R exists, it makes sense to ask
whether R ∈ R or not. Suppose that indeed R ∈ R. Now, R was defined as
the set of all sets that are not elements of themselves. So, if R ∈ R, then R does
not itself have R’s defining property. But only sets that have this property are
in R, hence, R cannot be an element of R, i.e., R ∈ / R. But R can’t both be and
not be an element of R, so we have a contradiction.

Release : d3a1905 (2022-12-19) 33

 CHAPTER 1. SETS

Since the assumption that R ∈ R leads to a contradiction, we have R ∈ / R.

But this also leads to a contradiction! For if R ∈
/ R, then R itself does have R’s
defining property, and so R would be an element of R just like all the other
non-self-membered sets. And again, it can’t both not be and be an element
of R.
How do we set up a set theory which avoids falling into Russell’s Para-
dox, i.e., which avoids making the inconsistent claim that R = { x : x ∈ / x}
exists? Well, we would need to lay down axioms which give us very precise
conditions for stating when sets exist (and when they don’t).
The set theory sketched in this chapter doesn’t do this. It’s genuinely naı̈ve.
It tells you only that sets obey extensionality and that, if you have some sets,
you can form their union, intersection, etc. It is possible to develop set theory
more rigorously than this.

Problems
Problem 1.1. Prove that there is at most one empty set, i.e., show that if A and
B are sets without elements, then A = B.

Problem 1.2. List all subsets of { a, b, c, d}.

Problem 1.3. Show that if A has n elements, then ℘( A) has 2n elements.

Problem 1.4. Prove that if A ⊆ B, then A ∪ B = B.

Problem 1.5. Prove rigorously that if A ⊆ B, then A ∩ B = A.

Problem 1.6. Show that if A is a set and A ∈ B, then A ⊆

S
B.

Problem 1.7. Prove that if A ⊊ B, then B \ A ̸= ∅.

Problem 1.8. Using Definition 1.23, prove that ⟨ a, b⟩ = ⟨c, d⟩ iff both a = c
and b = d.

Problem 1.9. List all elements of {1, 2, 3}3 .

Problem 1.10. Show, by induction on k, that for all k ≥ 1, if A has n elements,

then Ak has nk elements.

34 Release : d3a1905 (2022-12-19)

Chapter 2

Relations

2.1 Relations as Sets

In section 1.3, we mentioned some important sets: N, Z, Q, R. You will no
doubt remember some interesting relations between the elements of some of
these sets. For instance, each of these sets has a completely standard order
relation on it. There is also the relation is identical with that every object bears
to itself and to no other thing. There are many more interesting relations that
we’ll encounter, and even more possible relations. Before we review them,
though, we will start by pointing out that we can look at relations as a special
sort of set.
For this, recall two things from section 1.5. First, recall the notion of a or-
dered pair: given a and b, we can form ⟨ a, b⟩. Importantly, the order of elements
does matter here. So if a ̸= b then ⟨ a, b⟩ ̸= ⟨b, a⟩. (Contrast this with unordered
pairs, i.e., 2-element sets, where { a, b} = {b, a}.) Second, recall the notion of
a Cartesian product: if A and B are sets, then we can form A × B, the set of all
pairs ⟨ x, y⟩ with x ∈ A and y ∈ B. In particular, A2 = A × A is the set of all
ordered pairs from A.
Now we will consider a particular relation on a set: the <-relation on the
set N of natural numbers. Consider the set of all pairs of numbers ⟨n, m⟩
where n < m, i.e.,
R = {⟨n, m⟩ : n, m ∈ N and n < m}.
There is a close connection between n being less than m, and the pair ⟨n, m⟩
being a member of R, namely:
n < m iff ⟨n, m⟩ ∈ R.
Indeed, without any loss of information, we can consider the set R to be the
<-relation on N.
In the same way we can construct a subset of N2 for any relation between
numbers. Conversely, given any set of pairs of numbers S ⊆ N2 , there is a

35
 CHAPTER 2. RELATIONS

corresponding relation between numbers, namely, the relationship n bears to

m if and only if ⟨n, m⟩ ∈ S. This justifies the following definition:
Definition 2.1 (Binary relation). A binary relation on a set A is a subset of A2 .
If R ⊆ A2 is a binary relation on A and x, y ∈ A, we sometimes write Rxy (or
xRy) for ⟨ x, y⟩ ∈ R.

Example 2.2. The set N2 of pairs of natural numbers can be listed in a 2-

dimensional matrix like this:
⟨0, 0⟩ ⟨0, 1⟩ ⟨0, 2⟩ ⟨0, 3⟩ ...
⟨1, 0⟩ ⟨1, 1⟩ ⟨1, 2⟩ ⟨1, 3⟩ ...
⟨2, 0⟩ ⟨2, 1⟩ ⟨2, 2⟩ ⟨2, 3⟩ ...
⟨3, 0⟩ ⟨3, 1⟩ ⟨3, 2⟩ ⟨3, 3⟩ ...
.. .. .. .. ..
. . . . .

We have put the diagonal, here, in bold, since the subset of N2 consisting of
the pairs lying on the diagonal, i.e.,

{⟨0, 0⟩, ⟨1, 1⟩, ⟨2, 2⟩, . . . },

is the identity relation on N. (Since the identity relation is popular, let’s define
Id A = {⟨ x, x ⟩ : x ∈ A} for any set A.) The subset of all pairs lying above the
diagonal, i.e.,

L = {⟨0, 1⟩, ⟨0, 2⟩, . . . , ⟨1, 2⟩, ⟨1, 3⟩, . . . , ⟨2, 3⟩, ⟨2, 4⟩, . . .},

is the less than relation, i.e., Lnm iff n < m. The subset of pairs below the
diagonal, i.e.,

G = {⟨1, 0⟩, ⟨2, 0⟩, ⟨2, 1⟩, ⟨3, 0⟩, ⟨3, 1⟩, ⟨3, 2⟩, . . . },

is the greater than relation, i.e., Gnm iff n > m. The union of L with I, which
we might call K = L ∪ I, is the less than or equal to relation: Knm iff n ≤ m.
Similarly, H = G ∪ I is the greater than or equal to relation. These relations L, G,
K, and H are special kinds of relations called orders. L and G have the property
that no number bears L or G to itself (i.e., for all n, neither Lnn nor Gnn).
Relations with this property are called irreflexive, and, if they also happen to
be orders, they are called strict orders.

Although orders and identity are important and natural relations, it should
be emphasized that according to our definition any subset of A2 is a relation
on A, regardless of how unnatural or contrived it seems. In particular, ∅ is a
relation on any set (the empty relation, which no pair of elements bears), and
A2 itself is a relation on A as well (one which every pair bears), called the
universal relation. But also something like E = {⟨n, m⟩ : n > 5 or m × n ≥ 34}
counts as a relation.

36 Release : d3a1905 (2022-12-19)

2.2. PHILOSOPHICAL REFLECTIONS

2.2 Philosophical Reflections

In section 2.1, we defined relations as certain sets. We should pause and ask a
quick philosophical question: what is such a definition doing? It is extremely
doubtful that we should want to say that we have discovered some metaphys-
ical identity facts; that, for example, the order relation on N turned out to be
the set R = {⟨n, m⟩ : n, m ∈ N and n < m} that we defined in section 2.1.
Here are three reasons why.
First: in Definition 1.23, we defined ⟨ a, b⟩ = {{ a}, { a, b}}. Consider in-
stead the definition ∥ a, b∥ = {{b}, { a, b}} = ⟨b, a⟩. When a ̸= b, we have that
⟨ a, b⟩ ̸= ∥ a, b∥. But we could equally have regarded ∥ a, b∥ as our definition
of an ordered pair, rather than ⟨ a, b⟩. Both definitions would have worked
equally well. So now we have two equally good candidates to “be” the order
relation on the natural numbers, namely:

R = {⟨n, m⟩ : n, m ∈ N and n < m}

S = {∥n, m∥ : n, m ∈ N and n < m}.

Since R ̸= S, by extensionality, it is clear that they cannot both be identical to

the order relation on N. But it would just be arbitrary, and hence a bit embar-
rassing, to claim that R rather than S (or vice versa) is the ordering relation,
as a matter of fact. (This is a very simple instance of an argument against set-
theoretic reductionism which Benacerraf made famous in 1965. We will revisit
it several times.)
Second: if we think that every relation should be identified with a set, then
the relation of set-membership itself, ∈, should be a particular set. Indeed,
it would have to be the set {⟨ x, y⟩ : x ∈ y}. But does this set exist? Given
Russell’s Paradox, it is a non-trivial claim that such a set exists. In fact, it is
possible to develop set theory in a rigorous way as an axiomatic theory, and
that theory will indeed deny the existence of this set. So, even if some relations
can be treated as sets, the relation of set-membership will have to be a special
case.
Third: when we “identify” relations with sets, we said that we would al-
low ourselves to write Rxy for ⟨ x, y⟩ ∈ R. This is fine, provided that the
membership relation, “∈”, is treated as a predicate. But if we think that “∈”
stands for a certain kind of set, then the expression “⟨ x, y⟩ ∈ R” just consists
of three singular terms which stand for sets: “⟨ x, y⟩”, “∈”, and “R”. And such
a list of names is no more capable of expressing a proposition than the non-
sense string: “the cup penholder the table”. Again, even if some relations can
be treated as sets, the relation of set-membership must be a special case. (This
rolls together a simple version of Frege’s concept horse paradox, and a famous
objection that Wittgenstein once raised against Russell.)
So where does this leave us? Well, there is nothing wrong with our saying
that the relations on the numbers are sets. We just have to understand the

Release : d3a1905 (2022-12-19) 37

 CHAPTER 2. RELATIONS

spirit in which that remark is made. We are not stating a metaphysical identity
fact. We are simply noting that, in certain contexts, we can (and will) treat
(certain) relations as certain sets.

2.3 Special Properties of Relations

Some kinds of relations turn out to be so common that they have been given
special names. For instance, ≤ and ⊆ both relate their respective domains
(say, N in the case of ≤ and ℘( A) in the case of ⊆) in similar ways. To get
at exactly how these relations are similar, and how they differ, we categorize
them according to some special properties that relations can have. It turns out
that (combinations of) some of these special properties are especially impor-
tant: orders and equivalence relations.

Definition 2.3 (Reflexivity). A relation R ⊆ A2 is reflexive iff, for every x ∈ A,

Rxx.

Definition 2.4 (Transitivity). A relation R ⊆ A2 is transitive iff, whenever Rxy

and Ryz, then also Rxz.

Definition 2.5 (Symmetry). A relation R ⊆ A2 is symmetric iff, whenever Rxy,

then also Ryx.

Definition 2.6 (Anti-symmetry). A relation R ⊆ A2 is anti-symmetric iff, when-

ever both Rxy and Ryx, then x = y (or, in other words: if x ̸= y then either
¬ Rxy or ¬ Ryx).

In a symmetric relation, Rxy and Ryx always hold together, or neither

holds. In an anti-symmetric relation, the only way for Rxy and Ryx to hold to-
gether is if x = y. Note that this does not require that Rxy and Ryx holds when
x = y, only that it isn’t ruled out. So an anti-symmetric relation can be reflex-
ive, but it is not the case that every anti-symmetric relation is reflexive. Also
note that being anti-symmetric and merely not being symmetric are different
conditions. In fact, a relation can be both symmetric and anti-symmetric at the
same time (e.g., the identity relation is).

Definition 2.7 (Connectivity). A relation R ⊆ A2 is connected if for all x, y ∈

A, if x ̸= y, then either Rxy or Ryx.

Definition 2.8 (Irreflexivity). A relation R ⊆ A2 is called irreflexive if, for all

x ∈ A, not Rxx.

Definition 2.9 (Asymmetry). A relation R ⊆ A2 is called asymmetric if for no

pair x, y ∈ A we have both Rxy and Ryx.

38 Release : d3a1905 (2022-12-19)

2.4. EQUIVALENCE RELATIONS

Note that if A ̸= ∅, then no irreflexive relation on A is reflexive and every

asymmetric relation on A is also anti-symmetric. However, there are R ⊆ A2
that are not reflexive and also not irreflexive, and there are anti-symmetric
relations that are not asymmetric.

2.4 Equivalence Relations

The identity relation on a set is reflexive, symmetric, and transitive. Rela-
tions R that have all three of these properties are very common.
Definition 2.10 (Equivalence relation). A relation R ⊆ A2 that is reflexive,
symmetric, and transitive is called an equivalence relation. Elements x and y
of A are said to be R-equivalent if Rxy.
Equivalence relations give rise to the notion of an equivalence class. An
equivalence relation “chunks up” the domain into different partitions. Within
each partition, all the objects are related to one another; and no objects from
different partitions relate to one another. Sometimes, it’s helpful just to talk
about these partitions directly. To that end, we introduce a definition:
Definition 2.11. Let R ⊆ A2 be an equivalence relation. For each x ∈ A, the
equivalence class of x in A is the set [ x ] R = {y ∈ A : Rxy}. The quotient of A
under R is A/R = {[ x ] R : x ∈ A}, i.e., the set of these equivalence classes.
The next result vindicates the definition of an equivalence class, in proving
that the equivalence classes are indeed the partitions of A:
Proposition 2.12. If R ⊆ A2 is an equivalence relation, then Rxy iff [ x ] R = [y] R .
Proof. For the left-to-right direction, suppose Rxy, and let z ∈ [ x ] R . By defi-
nition, then, Rxz. Since R is an equivalence relation, Ryz. (Spelling this out:
as Rxy and R is symmetric we have Ryx, and as Rxz and R is transitive we
have Ryz.) So z ∈ [y] R . Generalising, [ x ] R ⊆ [y] R . But exactly similarly,
[y] R ⊆ [ x ] R . So [ x ] R = [y] R , by extensionality.
For the right-to-left direction, suppose [ x ] R = [y] R . Since R is reflexive,
Ryy, so y ∈ [y] R . Thus also y ∈ [ x ] R by the assumption that [ x ] R = [y] R . So
Rxy.
Example 2.13. A nice example of equivalence relations comes from modular
arithmetic. For any a, b, and n ∈ N, say that a ≡n b iff dividing a by n gives
the same remainder as dividing b by n. (Somewhat more symbolically: a ≡n b
iff, for some k ∈ Z, a − b = kn.) Now, ≡n is an equivalence relation, for any n.
And there are exactly n distinct equivalence classes generated by ≡n ; that is,
N/≡n has n elements. These are: the set of numbers divisible by n without
remainder, i.e., [0]≡n ; the set of numbers divisible by n with remainder 1, i.e.,
[1]≡n ; . . . ; and the set of numbers divisible by n with remainder n − 1, i.e., [n −
1] ≡ n .

Release : d3a1905 (2022-12-19) 39

 CHAPTER 2. RELATIONS

2.5 Orders
Many of our comparisons involve describing some objects as being “less than”,
“equal to”, or “greater than” other objects, in a certain respect. These involve
order relations. But there are different kinds of order relations. For instance,
some require that any two objects be comparable, others don’t. Some include
identity (like ≤) and some exclude it (like <). It will help us to have a taxon-
omy here.

Definition 2.14 (Preorder). A relation which is both reflexive and transitive is

called a preorder.

Definition 2.15 (Partial order). A preorder which is also anti-symmetric is called

a partial order.

Definition 2.16 (Linear order). A partial order which is also connected is called
a total order or linear order.

Example 2.17. Every linear order is also a partial order, and every partial or-
der is also a preorder, but the converses don’t hold. The universal relation
on A is a preorder, since it is reflexive and transitive. But, if A has more than
one element, the universal relation is not anti-symmetric, and so not a partial
order.

Example 2.18. Consider the no longer than relation ≼ on B∗ : x ≼ y iff len( x ) ≤

len(y). This is a preorder (reflexive and transitive), and even connected, but
not a partial order, since it is not anti-symmetric. For instance, 01 ≼ 10 and
10 ≼ 01, but 01 ̸= 10.

Example 2.19. An important partial order is the relation ⊆ on a set of sets.

This is not in general a linear order, since if a ̸= b and we consider ℘({ a, b}) =
{∅, { a}, {b}, { a, b}}, we see that { a} ⊈ {b} and { a} ̸= {b} and {b} ⊈ { a}.

Example 2.20. The relation of divisibility without remainder gives us a partial

order which isn’t a linear order. For integers n, m, we write n | m to mean
n (evenly) divides m, i.e., iff there is some integer k so that m = kn. On N,
this is a partial order, but not a linear order: for instance, 2 ∤ 3 and also 3 ∤ 2.
Considered as a relation on Z, divisibility is only a preorder since it is not
anti-symmetric: 1 | −1 and −1 | 1 but 1 ̸= −1.

Definition 2.21 (Strict order). A strict order is a relation which is irreflexive,

asymmetric, and transitive.

Definition 2.22 (Strict linear order). A strict order which is also connected is
called a strict linear order.

40 Release : d3a1905 (2022-12-19)

2.5. ORDERS

Example 2.23. ≤ is the linear order corresponding to the strict linear order <.
⊆ is the partial order corresponding to the strict order ⊊.

Definition 2.24 (Total order). A strict order which is also connected is called
a total order. This is also sometimes called a strict linear order.

Any strict order R on A can be turned into a partial order by adding the
diagonal Id A , i.e., adding all the pairs ⟨ x, x ⟩. (This is called the reflexive closure
of R.) Conversely, starting from a partial order, one can get a strict order by
removing Id A . These next two results make this precise.

Proposition 2.25. If R is a strict order on A, then R+ = R ∪ Id A is a partial order.

Moreover, if R is total, then R+ is a linear order.

Proof. Suppose R is a strict order, i.e., R ⊆ A2 and R is irreflexive, asymmetric,

and transitive. Let R+ = R ∪ Id A . We have to show that R+ is reflexive,
antisymmetric, and transitive.
R+ is clearly reflexive, since ⟨ x, x ⟩ ∈ Id A ⊆ R+ for all x ∈ A.
To show R+ is antisymmetric, suppose for reductio that R+ xy and R+ yx
but x ̸= y. Since ⟨ x, y⟩ ∈ R ∪ IdX , but ⟨ x, y⟩ ∈ / IdX , we must have ⟨ x, y⟩ ∈ R,
i.e., Rxy. Similarly, Ryx. But this contradicts the assumption that R is asym-
metric.
To establish transitivity, suppose that R+ xy and R+ yz. If both ⟨ x, y⟩ ∈ R
and ⟨y, z⟩ ∈ R, then ⟨ x, z⟩ ∈ R since R is transitive. Otherwise, either ⟨ x, y⟩ ∈
IdX , i.e., x = y, or ⟨y, z⟩ ∈ IdX , i.e., y = z. In the first case, we have that R+ yz
by assumption, x = y, hence R+ xz. Similarly in the second case. In either
case, R+ xz, thus, R+ is also transitive.
Concerning the “moreover” clause, suppose R is a total order, i.e., that R
is connected. So for all x ̸= y, either Rxy or Ryx, i.e., either ⟨ x, y⟩ ∈ R or
⟨y, x ⟩ ∈ R. Since R ⊆ R+ , this remains true of R+ , so R+ is connected as
well.

Proposition 2.26. If R is a partial order on X, then R− = R \ IdX is a strict order.

Moreover, if R is linear, then R− is total.

Proof. This is left as an exercise.

Example 2.27. ≤ is the linear order corresponding to the total order <. ⊆ is
the partial order corresponding to the strict order ⊊.

The following simple result which establishes that total orders satisfy an
extensionality-like property:

Proposition 2.28. If < totally orders A, then:

(∀ a, b ∈ A)((∀ x ∈ A)( x < a ↔ x < b) → a = b)

Release : d3a1905 (2022-12-19) 41

 CHAPTER 2. RELATIONS

Proof. Suppose (∀ x ∈ A)( x < a ↔ x < b). If a < b, then a < a, contradicting
the fact that < is irreflexive; so a ≮ b. Exactly similarly, b ≮ a. So a = b, as <
is connected.

2.6 Graphs

A graph is a diagram in which points—called “nodes” or “vertices” (plural of

“vertex”)—are connected by edges. Graphs are a ubiquitous tool in discrete
mathematics and in computer science. They are incredibly useful for repre-
senting, and visualizing, relationships and structures, from concrete things
like networks of various kinds to abstract structures such as the possible out-
comes of decisions. There are many different kinds of graphs in the literature
which differ, e.g., according to whether the edges are directed or not, have la-
bels or not, whether there can be edges from a node to the same node, multiple
edges between the same nodes, etc. Directed graphs have a special connection
to relations.

Definition 2.29 (Directed graph). A directed graph G = ⟨V, E⟩ is a set of ver-

tices V and a set of edges E ⊆ V 2 .

According to our definition, a graph just is a set together with a relation

on that set. Of course, when talking about graphs, it’s only natural to expect
that they are graphically represented: we can draw a graph by connecting two
vertices v1 and v2 by an arrow iff ⟨v1 , v2 ⟩ ∈ E. The only difference between a
relation by itself and a graph is that a graph specifies the set of vertices, i.e., a
graph may have isolated vertices. The important point, however, is that every
relation R on a set X can be seen as a directed graph ⟨ X, R⟩, and conversely, a
directed graph ⟨V, E⟩ can be seen as a relation E ⊆ V 2 with the set V explicitly
specified.

Example 2.30. The graph ⟨V, E⟩ with V = {1, 2, 3, 4} and E = {⟨1, 1⟩, ⟨1, 2⟩,
⟨1, 3⟩, ⟨2, 3⟩} looks like this:

1 2 4

42 Release : d3a1905 (2022-12-19)

2.7. OPERATIONS ON RELATIONS

This is a different graph than ⟨V ′ , E⟩ with V ′ = {1, 2, 3}, which looks like this:

1 2

2.7 Operations on Relations

It is often useful to modify or combine relations. In Proposition 2.25, we con-
sidered the union of relations, which is just the union of two relations consid-
ered as sets of pairs. Similarly, in Proposition 2.26, we considered the relative
difference of relations. Here are some other operations we can perform on
relations.

Definition 2.31. Let R, S be relations, and A be any set.

The inverse of R is R−1 = {⟨y, x ⟩ : ⟨ x, y⟩ ∈ R}.
The relative product of R and S is ( R | S) = {⟨ x, z⟩ : ∃y( Rxy ∧ Syz)}.
The restriction of R to A is R↾ A = R ∩ A2 .
The application of R to A is R[ A] = {y : (∃ x ∈ A) Rxy}

Example 2.32. Let S ⊆ Z2 be the successor relation on Z, i.e., S = {⟨ x, y⟩ ∈

Z2 : x + 1 = y}, so that Sxy iff x + 1 = y.
S−1 is the predecessor relation on Z, i.e., {⟨ x, y⟩ ∈ Z2 : x − 1 = y}.
S | S is {⟨ x, y⟩ ∈ Z2 : x + 2 = y}
S↾N is the successor relation on N.
S[{1, 2, 3}] is {2, 3, 4}.

Definition 2.33 (Transitive closure). Let R ⊆ A2 be a binary relation.

The transitive closure of R is R+ = 0<n∈N Rn , where we recursively define
S

R1 = R and Rn+1 = Rn | R.
The reflexive transitive closure of R is R∗ = R+ ∪ Id A .

Example 2.34. Take the successor relation S ⊆ Z2 . S2 xy iff x + 2 = y, S3 xy iff

x + 3 = y, etc. So S+ xy iff x + n = y for some n ≥ 1. In other words, S+ xy iff
x < y, and S∗ xy iff x ≤ y.

Problems
Problem 2.1. List the elements of the relation ⊆ on the set ℘({ a, b, c}).

Release : d3a1905 (2022-12-19) 43

 CHAPTER 2. RELATIONS

Problem 2.2. Give examples of relations that are (a) reflexive and symmetric
but not transitive, (b) reflexive and anti-symmetric, (c) anti-symmetric, transi-
tive, but not reflexive, and (d) reflexive, symmetric, and transitive. Do not use
relations on numbers or sets.

Problem 2.3. Show that ≡n is an equivalence relation, for any n ∈ N, and

that N/≡n has exactly n members.

Problem 2.4. Give a proof of Proposition 2.26.

Problem 2.5. Consider the less-than-or-equal-to relation ≤ on the set {1, 2, 3, 4}

as a graph and draw the corresponding diagram.

Problem 2.6. Show that the transitive closure of R is in fact transitive.

44 Release : d3a1905 (2022-12-19)

Chapter 3

Functions

3.1 Basics
A function is a map which sends each element of a given set to a specific ele-
ment in some (other) given set. For instance, the operation of adding 1 defines
a function: each number n is mapped to a unique number n + 1.
More generally, functions may take pairs, triples, etc., as inputs and re-
turn some kind of output. Many functions are familiar to us from basic arith-
metic. For instance, addition and multiplication are functions. They take in
two numbers and return a third.
In this mathematical, abstract sense, a function is a black box: what matters
is only what output is paired with what input, not the method for calculating
the output.

Definition 3.1 (Function). A function f : A → B is a mapping of each element

of A to an element of B.
We call A the domain of f and B the codomain of f . The elements of A are
called inputs or arguments of f , and the element of B that is paired with an
argument x by f is called the value of f for argument x, written f ( x ).
The range ran( f ) of f is the subset of the codomain consisting of the values
of f for some argument; ran( f ) = { f ( x ) : x ∈ A}.

The diagram in Figure 3.1 may help to think about functions. The ellipse
on the left represents the function’s domain; the ellipse on the right represents
the function’s codomain; and an arrow points from an argument in the domain
to the corresponding value in the codomain.

Example 3.2. Multiplication takes pairs of natural numbers as inputs and maps
them to natural numbers as outputs, so goes from N × N (the domain) to N
(the codomain). As it turns out, the range is also N, since every n ∈ N is
n × 1.

45
 CHAPTER 3. FUNCTIONS

Figure 3.1: A function is a mapping of each element of one set to an element of

another. An arrow points from an argument in the domain to the correspond-
ing value in the codomain.

Example 3.3. Multiplication is a function because it pairs each input—each

pair of natural numbers—with a single output: × : N2 → N. By contrast,
√ N is not
the square root operation applied to the domain √ functional, since
each positive integer n has two square roots: n and√− n. We can make it
functional by only returning the positive square root: : N → R.

Example 3.4. The relation that pairs each student in a class with their final
grade is a function—no student can get two different final grades in the same
class. The relation that pairs each student in a class with their parents is not a
function: students can have zero, or two, or more parents.

We can define functions by specifying in some precise way what the value
of the function is for every possible argument. Different ways of doing this are
by giving a formula, describing a method for computing the value, or listing
the values for each argument. However functions are defined, we must make
sure that for each argument we specify one, and only one, value.

Example 3.5. Let f : N → N be defined such that f ( x ) = x + 1. This is a

definition that specifies f as a function which takes in natural numbers and
outputs natural numbers. It tells us that, given a natural number x, f will
output its successor x + 1. In this case, the codomain N is not the range of f ,
since the natural number 0 is not the successor of any natural number. The
range of f is the set of all positive integers, Z+ .

Example 3.6. Let g : N → N be defined such that g( x ) = x + 2 − 1. This tells

us that g is a function which takes in natural numbers and outputs natural
numbers. Given a natural number n, g will output the predecessor of the
successor of the successor of x, i.e., x + 1.

We just considered two functions, f and g, with different definitions. How-

ever, these are the same function. After all, for any natural number n, we have
that f (n) = n + 1 = n + 2 − 1 = g(n). Otherwise put: our definitions for f

46 Release : d3a1905 (2022-12-19)

3.2. KINDS OF FUNCTIONS

Figure 3.2: A surjective function has every element of the codomain as a value.

and g specify the same mapping by means of different equations. Implicitly,

then, we are relying upon a principle of extensionality for functions,

if ∀ x f ( x ) = g( x ), then f = g

provided that f and g share the same domain and codomain.

Example 3.7. We can also define functions by cases. For instance, we could
define h : N → N by
(
x
if x is even
h( x ) = 2x+1
2 if x is odd.
Since every natural number is either even or odd, the output of this function
will always be a natural number. Just remember that if you define a function
by cases, every possible input must fall into exactly one case. In some cases,
this will require a proof that the cases are exhaustive and exclusive.

3.2 Kinds of Functions

It will be useful to introduce a kind of taxonomy for some of the kinds of
functions which we encounter most frequently.
To start, we might want to consider functions which have the property that
every member of the codomain is a value of the function. Such functions are
called surjective, and can be pictured as in Figure 3.2.

Definition 3.8 (Surjective function). A function f : A → B is surjective iff B

is also the range of f , i.e., for every y ∈ B there is at least one x ∈ A such
that f ( x ) = y, or in symbols:

(∀y ∈ B)(∃ x ∈ A) f ( x ) = y.

We call such a function a surjection from A to B.

If you want to show that f is a surjection, then you need to show that every
object in f ’s codomain is the value of f ( x ) for some input x.

Release : d3a1905 (2022-12-19) 47

 CHAPTER 3. FUNCTIONS

Figure 3.3: An injective function never maps two different arguments to the
same value.

Note that any function induces a surjection. After all, given a function
f : A → B, let f ′ : A → ran( f ) be defined by f ′ ( x ) = f ( x ). Since ran( f ) is
defined as { f ( x ) ∈ B : x ∈ A}, this function f ′ is guaranteed to be a surjection
Now, any function maps each possible input to a unique output. But there
are also functions which never map different inputs to the same outputs. Such
functions are called injective, and can be pictured as in Figure 3.3.
Definition 3.9 (Injective function). A function f : A → B is injective iff for
each y ∈ B there is at most one x ∈ A such that f ( x ) = y. We call such a
function an injection from A to B.
If you want to show that f is an injection, you need to show that for any
elements x and y of f ’s domain, if f ( x ) = f (y), then x = y.
Example 3.10. The constant function f : N → N given by f ( x ) = 1 is neither
injective, nor surjective.
The identity function f : N → N given by f ( x ) = x is both injective and
surjective.
The successor function f : N → N given by f ( x ) = x + 1 is injective but
not surjective.
The function f : N → N defined by:
(
x
if x is even
f ( x ) = 2x+1
2 if x is odd.
is surjective, but not injective.
Often enough, we want to consider functions which are both injective and
surjective. We call such functions bijective. They look like the function pic-
tured in Figure 3.4. Bijections are also sometimes called one-to-one correspon-
dences, since they uniquely pair elements of the codomain with elements of
the domain.
Definition 3.11 (Bijection). A function f : A → B is bijective iff it is both sur-
jective and injective. We call such a function a bijection from A to B (or be-
tween A and B).

48 Release : d3a1905 (2022-12-19)

3.3. FUNCTIONS AS RELATIONS

Figure 3.4: A bijective function uniquely pairs the elements of the codomain
with those of the domain.

3.3 Functions as Relations

A function which maps elements of A to elements of B obviously defines a
relation between A and B, namely the relation which holds between x and
y iff f ( x ) = y. In fact, we might even—if we are interested in reducing the
building blocks of mathematics for instance—identify the function f with this
relation, i.e., with a set of pairs. This then raises the question: which relations
define functions in this way?

Definition 3.12 (Graph of a function). Let f : A → B be a function. The graph

of f is the relation R f ⊆ A × B defined by

R f = {⟨ x, y⟩ : f ( x ) = y}.

The graph of a function is uniquely determined, by extensionality. More-

over, extensionality (on sets) will immediately vindicate the implicit princi-
ple of extensionality for functions, whereby if f and g share a domain and
codomain then they are identical if they agree on all values.
Similarly, if a relation is “functional”, then it is the graph of a function.

Proposition 3.13. Let R ⊆ A × B be such that:

1. If Rxy and Rxz then y = z; and

2. for every x ∈ A there is some y ∈ B such that ⟨ x, y⟩ ∈ R.

Then R is the graph of the function f : A → B defined by f ( x ) = y iff Rxy.

Proof. Suppose there is a y such that Rxy. If there were another z ̸= y such
that Rxz, the condition on R would be violated. Hence, if there is a y such that
Rxy, this y is unique, and so f is well-defined. Obviously, R f = R.

Every function f : A → B has a graph, i.e., a relation on A × B defined by

f ( x ) = y. On the other hand, every relation R ⊆ A × B with the properties
given in Proposition 3.13 is the graph of a function f : A → B. Because of
this close connection between functions and their graphs, we can think of a

Release : d3a1905 (2022-12-19) 49

 CHAPTER 3. FUNCTIONS

function simply as its graph. In other words, functions can be identified with
certain relations, i.e., with certain sets of tuples. Note, though, that the spirit of
this “identification” is as in section 2.2: it is not a claim about the metaphysics
of functions, but an observation that it is convenient to treat functions as cer-
tain sets. One reason that this is so convenient, is that we can now consider
performing similar operations on functions as we performed on relations (see
section 2.7). In particular:

Definition 3.14. Let f : A → B be a function with C ⊆ A.

The restriction of f to C is the function f ↾C : C → B defined by ( f ↾C )( x ) =
f ( x ) for all x ∈ C. In other words, f ↾C = {⟨ x, y⟩ ∈ R f : x ∈ C }.
The application of f to C is f [C ] = { f ( x ) : x ∈ C }. We also call this the
image of C under f .

It follows from these definitions that ran( f ) = f [dom( f )], for any func-
tion f . These notions are exactly as one would expect, given the definitions
in section 2.7 and our identification of functions with relations. But two other
operations—inverses and relative products—require a little more detail. We
will provide that in section 3.4 and section 3.5.

3.4 Inverses of Functions

We think of functions as maps. An obvious question to ask about functions,
then, is whether the mapping can be “reversed.” For instance, the successor
function f ( x ) = x + 1 can be reversed, in the sense that the function g(y) =
y − 1 “undoes” what f does.
But we must be careful. Although the definition of g defines a function
Z → Z, it does not define a function N → N, since g(0) ∈ / N. So even in
simple cases, it is not quite obvious whether a function can be reversed; it
may depend on the domain and codomain.
This is made more precise by the notion of an inverse of a function.

Definition 3.15. A function g : B → A is an inverse of a function f : A → B if

f ( g(y)) = y and g( f ( x )) = x for all x ∈ A and y ∈ B.

If f has an inverse g, we often write f −1 instead of g.

Now we will determine when functions have inverses. A good candidate
for an inverse of f : A → B is g : B → A “defined by”

g(y) = “the” x such that f ( x ) = y.

But the scare quotes around “defined by” (and “the”) suggest that this is not
a definition. At least, it will not always work, with complete generality. For,
in order for this definition to specify a function, there has to be one and only

50 Release : d3a1905 (2022-12-19)

3.4. INVERSES OF FUNCTIONS

one x such that f ( x ) = y—the output of g has to be uniquely specified. More-

over, it has to be specified for every y ∈ B. If there are x1 and x2 ∈ A with
x1 ̸= x2 but f ( x1 ) = f ( x2 ), then g(y) would not be uniquely specified for
y = f ( x1 ) = f ( x2 ). And if there is no x at all such that f ( x ) = y, then g(y) is
not specified at all. In other words, for g to be defined, f must be both injective
and surjective.
Let’s go slowly. We’ll divide the question into two: Given a function f : A →
B, when is there a function g : B → A so that g( f ( x )) = x? Such a g “undoes”
what f does, and is called a left inverse of f . Secondly, when is there a function
h : B → A so that f (h(y)) = y? Such an h is called a right inverse of f — f
“undoes” what h does.
Proposition 3.16. If f : A → B is injective, then there is a left inverse g : B → A
of f so that g( f ( x )) = x for all x ∈ A.

Proof. Suppose that f : A → B is injective. Consider a y ∈ B. If y ∈ ran( f ),

there is an x ∈ A so that f ( x ) = y. Because f is injective, there is only one
such x ∈ A. Then we can define: g(y) = x, i.e., g(y) is “the” x ∈ A such that
f ( x ) = y. If y ∈
/ ran( f ), we can map it to any a ∈ A. So, we can pick an a ∈ A
and define g : B → A by:
(
x if f ( x ) = y
g(y) =
a if y ∈/ ran( f ).

It is defined for all y ∈ B, since for each such y ∈ ran( f ) there is exactly one
x ∈ A such that f ( x ) = y. By definition, if y = f ( x ), then g(y) = x, i.e.,
g( f ( x )) = x.

Proposition 3.17. If f : A → B is surjective, then there is a right inverse h : B →

A of f so that f (h(y)) = y for all y ∈ B.

Proof. Suppose that f : A → B is surjective. Consider a y ∈ B. Since f is

surjective, there is an xy ∈ A with f ( xy ) = y. Then we can define: h(y) = xy ,
i.e., for each y ∈ B we choose some x ∈ A so that f ( x ) = y; since f is surjective
there is always at least one to choose from.1 By definition, if x = h(y), then
f ( x ) = y, i.e., for any y ∈ B, f (h(y)) = y.

By combining the ideas in the previous proof, we now get that every bijec-
tion has an inverse, i.e., there is a single function which is both a left and right
inverse of f .
1 Since f is surjective, for every y ∈ B the set { x : f ( x ) = y } is nonempty. Our definition

of h requires that we choose a single x from each of these sets. That this is always possible is
actually not obvious—the possibility of making these choices is simply assumed as an axiom. In
other words, this proposition assumes the so-called Axiom of Choice, an issue we will revisit in
chapter 69. However, in many specific cases, e.g., when A = N or is finite, or when f is bijective,
the Axiom of Choice is not required. (In the particular case when f is bijective, for each y ∈ B the
set { x : f ( x ) = y} has exactly one element, so that there is no choice to make.)

Release : d3a1905 (2022-12-19) 51

 CHAPTER 3. FUNCTIONS

Proposition 3.18. If f : A → B is bijective, there is a function f −1 : B → A so that

for all x ∈ A, f −1 ( f ( x )) = x and for all y ∈ B, f ( f −1 (y)) = y.

Proof. Exercise.

There is a slightly more general way to extract inverses. We saw in sec-

tion 3.2 that every function f induces a surjection f ′ : A → ran( f ) by letting
f ′ ( x ) = f ( x ) for all x ∈ A. Clearly, if f is injective, then f ′ is bijective, so that
it has a unique inverse by Proposition 3.18. By a very minor abuse of notation,
we sometimes call the inverse of f ′ simply “the inverse of f .”

Proposition 3.19. Show that if f : A → B has a left inverse g and a right inverse h,
then h = g.

Proof. Exercise.

Proposition 3.20. Every function f has at most one inverse.

Proof. Suppose g and h are both inverses of f . Then in particular g is a left

inverse of f and h is a right inverse. By Proposition 3.19, g = h.

3.5 Composition of Functions

We saw in section 3.4 that the inverse f −1 of a bijection f is itself a function.
Another operation on functions is composition: we can define a new function
by composing two functions, f and g, i.e., by first applying f and then g. Of
course, this is only possible if the ranges and domains match, i.e., the range
of f must be a subset of the domain of g. This operation on functions is the
analogue of the operation of relative product on relations from section 2.7.
A diagram might help to explain the idea of composition. In Figure 3.5, we
depict two functions f : A → B and g : B → C and their composition ( g ◦ f ).
The function ( g ◦ f ) : A → C pairs each element of A with an element of C. We
specify which element of C an element of A is paired with as follows: given
an input x ∈ A, first apply the function f to x, which will output some f ( x ) =
y ∈ B, then apply the function g to y, which will output some g( f ( x )) =
g(y) = z ∈ C.

Definition 3.21 (Composition). Let f : A → B and g : B → C be functions.

The composition of f with g is g ◦ f : A → C, where ( g ◦ f )( x ) = g( f ( x )).

Example 3.22. Consider the functions f ( x ) = x + 1, and g( x ) = 2x. Since

( g ◦ f )( x ) = g( f ( x )), for each input x you must first take its successor, then
multiply the result by two. So their composition is given by ( g ◦ f )( x ) =
2( x + 1).

52 Release : d3a1905 (2022-12-19)

3.6. PARTIAL FUNCTIONS

Figure 3.5: The composition g ◦ f of two functions f and g.

3.6 Partial Functions

It is sometimes useful to relax the definition of function so that it is not re-
quired that the output of the function is defined for all possible inputs. Such
mappings are called partial functions.

Definition 3.23. A partial function f : A → 7 B is a mapping which assigns to

every element of A at most one element of B. If f assigns an element of B to
x ∈ A, we say f ( x ) is defined, and otherwise undefined. If f ( x ) is defined, we
write f ( x ) ↓, otherwise f ( x ) ↑. The domain of a partial function f is the subset
of A where it is defined, i.e., dom( f ) = { x ∈ A : f ( x ) ↓}.

Example 3.24. Every function f : A → B is also a partial function. Partial

functions that are defined everywhere on A—i.e., what we so far have simply
called a function—are also called total functions.

Example 3.25. The partial function f : R →7 R given by f ( x ) = 1/x is unde-

fined for x = 0, and defined everywhere else.

Definition 3.26 (Graph of a partial function). Let f : A → 7 B be a partial func-

tion. The graph of f is the relation R f ⊆ A × B defined by

R f = {⟨ x, y⟩ : f ( x ) = y}.

Proposition 3.27. Suppose R ⊆ A × B has the property that whenever Rxy and
Rxy′ then y = y′ . Then R is the graph of the partial function f : X → 7 Y defined by:
if there is a y such that Rxy, then f ( x ) = y, otherwise f ( x ) ↑. If R is also serial, i.e.,
for each x ∈ X there is a y ∈ Y such that Rxy, then f is total.

Proof. Suppose there is a y such that Rxy. If there were another y′ ̸= y such
that Rxy′ , the condition on R would be violated. Hence, if there is a y such
that Rxy, that y is unique, and so f is well-defined. Obviously, R f = R and f
is total if R is serial.

Release : d3a1905 (2022-12-19) 53

 CHAPTER 3. FUNCTIONS

Problems
Problem 3.1. Show that if f : A → B has a left inverse g, then f is injective.

Problem 3.2. Show that if f : A → B has a right inverse h, then f is surjective.

Problem 3.3. Prove Proposition 3.18. You have to define f −1 , show that it
is a function, and show that it is an inverse of f , i.e., f −1 ( f ( x )) = x and
f ( f −1 (y)) = y for all x ∈ A and y ∈ B.

Problem 3.4. Prove Proposition 3.19.

Problem 3.5. Show that if f : A → B and g : B → C are both injective, then

g ◦ f : A → C is injective.

Problem 3.6. Show that if f : A → B and g : B → C are both surjective, then

g ◦ f : A → C is surjective.

Problem 3.7. Suppose f : A → B and g : B → C. Show that the graph of g ◦ f

is R f | R g .

Problem 3.8. Given f : A → 7 B, define the partial function g : B →

7 A by: for
any y ∈ B, if there is a unique x ∈ A such that f ( x ) = y, then g(y) = x;
otherwise g(y) ↑. Show that if f is injective, then g( f ( x )) = x for all x ∈
dom( f ), and f ( g(y)) = y for all y ∈ ran( f ).

54 Release : d3a1905 (2022-12-19)

Chapter 4

The Size of Sets

This chapter discusses enumerations, countability and uncountability.

Several sections come in two versions: a more elementary one, that takes
enumerations to be lists, or surjections from Z+ ; and a more abstract one
that defines enumerations as bijections with N.

4.1 Introduction
When Georg Cantor developed set theory in the 1870s, one of his aims was
to make palatable the idea of an infinite collection—an actual infinity, as the
medievals would say. A key part of this was his treatment of the size of dif-
ferent sets. If a, b and c are all distinct, then the set { a, b, c} is intuitively larger
than { a, b}. But what about infinite sets? Are they all as large as each other?
It turns out that they are not.
The first important idea here is that of an enumeration. We can list every
finite set by listing all its elements. For some infinite sets, we can also list
all their elements if we allow the list itself to be infinite. Such sets are called
enumerable. Cantor’s surprising result, which we will fully understand by
the end of this chapter, was that some infinite sets are not enumerable.

4.2 Enumerations and Enumerable Sets

This section discusses enumerations of sets, defining them as surjec-

tions from Z+ . It does things slowly, for readers with little mathematical
background. An alternative, terser version is given in section 4.11, which
defines enumerations differently: as bijections with N (or an initial seg-
ment).

55
 CHAPTER 4. THE SIZE OF SETS

We’ve already given examples of sets by listing their elements. Let’s discuss
in more general terms how and when we can list the elements of a set, even if
that set is infinite.
Definition 4.1 (Enumeration, informally). Informally, an enumeration of a set A
is a list (possibly infinite) of elements of A such that every element of A ap-
pears on the list at some finite position. If A has an enumeration, then A is
said to be enumerable.

A couple of points about enumerations:

1. We count as enumerations only lists which have a beginning and in
which every element other than the first has a single element immedi-
ately preceding it. In other words, there are only finitely many elements
between the first element of the list and any other element. In particular,
this means that every element of an enumeration has a finite position:
the first element has position 1, the second position 2, etc.
2. We can have different enumerations of the same set A which differ by
the order in which the elements appear: 4, 1, 25, 16, 9 enumerates the
(set of the) first five square numbers just as well as 1, 4, 9, 16, 25 does.
3. Redundant enumerations are still enumerations: 1, 1, 2, 2, 3, 3, . . . enu-
merates the same set as 1, 2, 3, . . . does.
4. Order and redundancy do matter when we specify an enumeration: we
can enumerate the positive integers beginning with 1, 2, 3, 1, . . . , but the
pattern is easier to see when enumerated in the standard way as 1, 2, 3,
4, . . .
5. Enumerations must have a beginning: . . . , 3, 2, 1 is not an enumeration
of the positive integers because it has no first element. To see how this
follows from the informal definition, ask yourself, “at what position in
the list does the number 76 appear?”
6. The following is not an enumeration of the positive integers: 1, 3, 5, . . . ,
2, 4, 6, . . . The problem is that the even numbers occur at places ∞ + 1,
∞ + 2, ∞ + 3, rather than at finite positions.
7. The empty set is enumerable: it is enumerated by the empty list!
Proposition 4.2. If A has an enumeration, it has an enumeration without repeti-
tions.

Proof. Suppose A has an enumeration x1 , x2 , . . . in which each xi is an element

of A. We can remove repetitions from an enumeration by removing repeated
elements. For instance, we can turn the enumeration into a new one in which
we list xi if it is an element of A that is not among x1 , . . . , xi−1 or remove xi
from the list if it already appears among x1 , . . . , xi−1 .

56 Release : d3a1905 (2022-12-19)

4.2. ENUMERATIONS AND ENUMERABLE SETS

The last argument shows that in order to get a good handle on enumera-
tions and enumerable sets and to prove things about them, we need a more
precise definition. The following provides it.
Definition 4.3 (Enumeration, formally). An enumeration of a set A ̸= ∅ is any
surjective function f : Z+ → A.

Let’s convince ourselves that the formal definition and the informal defini-
tion using a possibly infinite list are equivalent. First, any surjective function
from Z+ to a set A enumerates A. Such a function determines an enumeration
as defined informally above: the list f (1), f (2), f (3), . . . . Since f is surjective,
every element of A is guaranteed to be the value of f (n) for some n ∈ Z+ .
Hence, every element of A appears at some finite position in the list. Since the
function may not be injective, the list may be redundant, but that is acceptable
(as noted above).
On the other hand, given a list that enumerates all elements of A, we can
define a surjective function f : Z+ → A by letting f (n) be the nth element
of the list, or the final element of the list if there is no nth element. The only
case where this does not produce a surjective function is when A is empty,
and hence the list is empty. So, every non-empty list determines a surjective
function f : Z+ → A.
Definition 4.4. A set A is enumerable iff it is empty or has an enumeration.

Example 4.5. A function enumerating the positive integers (Z+ ) is simply the
identity function given by f (n) = n. A function enumerating the natural
numbers N is the function g(n) = n − 1.

Example 4.6. The functions f : Z+ → Z+ and g : Z+ → Z+ given by

f (n) = 2n and
g(n) = 2n − 1
enumerate the even positive integers and the odd positive integers, respec-
tively. However, neither function is an enumeration of Z+ , since neither is
surjective.
( n −1)
Example 4.7. The function f (n) = (−1)n ⌈ 2 ⌉ (where ⌈ x ⌉ denotes the ceil-
ing function, which rounds x up to the nearest integer) enumerates the set of
integers Z. Notice how f generates the values of Z by “hopping” back and
forth between positive and negative integers:
f (1) f (2) f (3) f (4) f (5) f (6) f (7) ...

−⌈ 02 ⌉ ⌈ 12 ⌉ −⌈ 22 ⌉ ⌈ 32 ⌉ −⌈ 42 ⌉ ⌈ 52 ⌉ −⌈ 62 ⌉ . . .

0 1 −1 2 −2 3 ...

Release : d3a1905 (2022-12-19) 57

 CHAPTER 4. THE SIZE OF SETS

You can also think of f as defined by cases as follows:


0
 if n = 1
f (n) = n/2 if n is even

−(n − 1)/2 if n is odd and > 1


Although it is perhaps more natural when listing the elements of a set to

start counting from the 1st element, mathematicians like to use the natural
numbers N for counting things. They talk about the 0th, 1st, 2nd, and so on,
elements of a list. Correspondingly, we can define an enumeration as a surjec-
tive function from N to A. Of course, the two definitions are equivalent.

Proposition 4.8. There is a surjection f : Z+ → A iff there is a surjection g : N →

A.

Proof. Given a surjection f : Z+ → A, we can define g(n) = f (n + 1) for

all n ∈ N. It is easy to see that g : N → A is surjective. Conversely, given
a surjection g : N → A, define f (n) = g(n − 1).

This gives us the following result:

Corollary 4.9. A set A is enumerable iff it is empty or there is a surjective function

f : N → A.

We discussed above than an list of elements of a set A can be turned into

a list without repetitions. This is also true for enumerations, but a bit harder
to formulate and prove rigorously. Any function f : Z+ → A must be defined
for all n ∈ Z+ . If there are only finitely many elements in A then we clearly
cannot have a function defined on the infinitely many elements of Z+ that
takes as values all the elements of A but never takes the same value twice. In
that case, i.e., in the case where the list without repetitions is finite, we must
choose a different domain for f , one with only finitely many elements. Not
having repetitions means that f must be injective. Since it is also surjective,
we are looking for a bijection between some finite set {1, . . . , n} or Z+ and A.

Proposition 4.10. If f : Z+ → A is surjective (i.e., an enumeration of A), there is

a bijection g : Z → A where Z is either Z+ or {1, . . . , n} for some n ∈ Z+ .

Proof. We define the function g recursively: Let g(1) = f (1). If g(i ) has al-
ready been defined, let g(i + 1) be the first value of f (1), f (2), . . . not already
among g(1), . . . , g(i ), if there is one. If A has just n elements, then g(1), . . . ,
g(n) are all defined, and so we have defined a function g : {1, . . . , n} → A. If
A has infinitely many elements, then for any i there must be an element of A
in the enumeration f (1), f (2), . . . , which is not already among g(1), . . . , g(i ).
In this case we have defined a funtion g : Z+ → A.

58 Release : d3a1905 (2022-12-19)

4.3. CANTOR’S ZIG-ZAG METHOD

The function g is surjective, since any element of A is among f (1), f (2), . . .

(since f is surjective) and so will eventually be a value of g(i ) for some i. It is
also injective, since if there were j < i such that g( j) = g(i ), then g(i ) would
already be among g(1), . . . , g(i − 1), contrary to how we defined g.

Corollary 4.11. A set A is enumerable iff it is empty or there is a bijection f : N →

A where either N = N or N = {0, . . . , n} for some n ∈ N.

Proof. A is enumerable iff A is empty or there is a surjective f : Z+ → A. By

Proposition 4.10, the latter holds iff there is a bijective function f : Z → A
where Z = Z+ or Z = {1, . . . , n} for some n ∈ Z+ . By the same argument
as in the proof of Proposition 4.8, that in turn is the case iff there is a bijection
g : N → A where either N = N or N = {0, . . . , n − 1}.

4.3 Cantor’s Zig-Zag Method

We’ve already considered some “easy” enumerations. Now we will consider
something a bit harder. Consider the set of pairs of natural numbers, which
we defined in section 1.5 thus:

N × N = {⟨n, m⟩ : n, m ∈ N}

We can organize these ordered pairs into an array, like so:

0 1 2 3 ...
0 ⟨0, 0⟩ ⟨0, 1⟩ ⟨0, 2⟩ ⟨0, 3⟩ ...
1 ⟨1, 0⟩ ⟨1, 1⟩ ⟨1, 2⟩ ⟨1, 3⟩ ...
2 ⟨2, 0⟩ ⟨2, 1⟩ ⟨2, 2⟩ ⟨2, 3⟩ ...
3 ⟨3, 0⟩ ⟨3, 1⟩ ⟨3, 2⟩ ⟨3, 3⟩ ...
.. .. .. .. .. ..
. . . . . .

Clearly, every ordered pair in N × N will appear exactly once in the array.
In particular, ⟨n, m⟩ will appear in the nth row and mth column. But how
do we organize the elements of such an array into a “one-dimensional” list?
The pattern in the array below demonstrates one way to do this (although of
course there are many other options):

0 1 2 3 4 ...
0 0 1 3 6 10 ...
1 2 4 7 11 ... ...
2 5 8 12 ... ... ...
3 9 13 ... ... ... ...
4 14 ... ... ... ... ...
.. .. .. .. .. ..
. . . . . ... .

Release : d3a1905 (2022-12-19) 59

 CHAPTER 4. THE SIZE OF SETS

This pattern is called Cantor’s zig-zag method. It enumerates N × N as follows:

⟨0, 0⟩, ⟨0, 1⟩, ⟨1, 0⟩, ⟨0, 2⟩, ⟨1, 1⟩, ⟨2, 0⟩, ⟨0, 3⟩, ⟨1, 2⟩, ⟨2, 1⟩, ⟨3, 0⟩, . . .

And this establishes the following:

Proposition 4.12. N × N is enumerable.

Proof. Let f : N → N × N take each k ∈ N to the tuple ⟨n, m⟩ ∈ N × N such

that k is the value of the nth row and mth column in Cantor’s zig-zag array.

This technique also generalises rather nicely. For example, we can use it to
enumerate the set of ordered triples of natural numbers, i.e.:

N × N × N = {⟨n, m, k⟩ : n, m, k ∈ N}

We think of N × N × N as the Cartesian product of N × N with N, that is,

N3 = (N × N) × N = {⟨⟨n, m⟩, k ⟩ : n, m, k ∈ N}

and thus we can enumerate N3 with an array by labelling one axis with the
enumeration of N, and the other axis with the enumeration of N2 :

0 1 2 3 ...
⟨0, 0⟩ ⟨0, 0, 0⟩ ⟨0, 0, 1⟩ ⟨0, 0, 2⟩ ⟨0, 0, 3⟩ ...
⟨0, 1⟩ ⟨0, 1, 0⟩ ⟨0, 1, 1⟩ ⟨0, 1, 2⟩ ⟨0, 1, 3⟩ ...
⟨1, 0⟩ ⟨1, 0, 0⟩ ⟨1, 0, 1⟩ ⟨1, 0, 2⟩ ⟨1, 0, 3⟩ ...
⟨0, 2⟩ ⟨0, 2, 0⟩ ⟨0, 2, 1⟩ ⟨0, 2, 2⟩ ⟨0, 2, 3⟩ ...
.. .. .. .. .. ..
. . . . . .

Thus, by using a method like Cantor’s zig-zag method, we may similarly ob-
tain an enumeration of N3 . And we can keep going, obtaining enumerations
of Nn for any natural number n. So, we have:

Proposition 4.13. Nn is enumerable, for every n ∈ N.

4.4 Pairing Functions and Codes

Cantor’s zig-zag method makes the enumerability of Nn visually evident. But
let us focus on our array depicting N2 . Following the zig-zag line in the array
and counting the places, we can check that ⟨1, 2⟩ is associated with the num-
ber 7. However, it would be nice if we could compute this more directly. That
is, it would be nice to have to hand the inverse of the zig-zag enumeration,
g : N2 → N, such that

g(⟨0, 0⟩) = 0, g(⟨0, 1⟩) = 1, g(⟨1, 0⟩) = 2, . . . , g(⟨1, 2⟩) = 7, . . .

60 Release : d3a1905 (2022-12-19)

4.5. AN ALTERNATIVE PAIRING FUNCTION

This would enable us to calculate exactly where ⟨n, m⟩ will occur in our enu-
meration.
In fact, we can define g directly by making two observations. First: if the
nth row and mth column contains value v, then the (n + 1)st row and (m − 1)st
column contains value v + 1. Second: the first row of our enumeration con-
sists of the triangular numbers, starting with 0, 1, 3, 6, etc. The kth triangular
number is the sum of the natural numbers < k, which can be computed as
k (k + 1)/2. Putting these two observations together, consider this function:

(n + m + 1)(n + m)
g(n, m) = +n
2

We often just write g(n, m) rather that g(⟨n, m⟩), since it is easier on the eyes.
This tells you first to determine the (n + m)th triangle number, and then add
n to it. And it populates the array in exactly the way we would like. So in
particular, the pair ⟨1, 2⟩ is sent to 4×2 3 + 1 = 7.
This function g is the inverse of an enumeration of a set of pairs. Such
functions are called pairing functions.

Definition 4.14 (Pairing function). A function f : A × B → N is an arithmeti-

cal pairing function if f is injective. We also say that f encodes A × B, and that
f ( x, y) is the code for ⟨ x, y⟩.

We can use pairing functions to encode, e.g., pairs of natural numbers; or,
in other words, we can represent each pair of elements using a single number.
Using the inverse of the pairing function, we can decode the number, i.e., find
out which pair it represents.

4.5 An Alternative Pairing Function

There are other enumerations of N2 that make it easier to figure out what their
inverses are. Here is one. Instead of visualizing the enumeration in an array,
start with the list of positive integers associated with (initially) empty spaces.
Imagine filling these spaces successively with pairs ⟨n, m⟩ as follows. Starting
with the pairs that have 0 in the first place (i.e., pairs ⟨0, m⟩), put the first (i.e.,
⟨0, 0⟩) in the first empty place, then skip an empty space, put the second (i.e.,
⟨0, 2⟩) in the next empty place, skip one again, and so forth. The (incomplete)
beginning of our enumeration now looks like this

1 2 3 4 5 6 7 8 9 10 ...

⟨0, 1⟩ ⟨0, 2⟩ ⟨0, 3⟩ ⟨0, 4⟩ ⟨0, 5⟩ ...

Release : d3a1905 (2022-12-19) 61

 CHAPTER 4. THE SIZE OF SETS

Repeat this with pairs ⟨1, m⟩ for the place that still remain empty, again skip-
ping every other empty place:
1 2 3 4 5 6 7 8 9 10 ...

⟨0, 0⟩ ⟨1, 0⟩ ⟨0, 1⟩ ⟨0, 2⟩ ⟨1, 1⟩ ⟨0, 3⟩ ⟨0, 4⟩ ⟨1, 2⟩ ...

Enter pairs ⟨2, m⟩, ⟨2, m⟩, etc., in the same way. Our completed enumeration
thus starts like this:
1 2 3 4 5 6 7 8 9 10 ...

⟨0, 0⟩ ⟨1, 0⟩ ⟨0, 1⟩ ⟨2, 0⟩ ⟨0, 2⟩ ⟨1, 1⟩ ⟨0, 3⟩ ⟨3, 0⟩ ⟨0, 4⟩ ⟨1, 2⟩ ...

If we number the cells in the array above according to this enumeration, we

will not find a neat zig-zag line, but this arrangement:

0 1 2 3 4 5 ...
0 1 3 5 7 9 11 ...
1 2 6 10 14 18 ... ...
2 4 12 20 28 ... ... ...
3 8 24 40 ... ... ... ...
4 16 48 ... ... ... ... ...
5 32 ... ... ... ... ... ...
.. .. .. .. .. .. .. ..
. . . . . . . .

We can see that the pairs in row 0 are in the odd numbered places of our
enumeration, i.e., pair ⟨0, m⟩ is in place 2m + 1; pairs in the second row, ⟨1, m⟩,
are in places whose number is the double of an odd number, specifically, 2 ·
(2m + 1); pairs in the third row, ⟨2, m⟩, are in places whose number is four
times an odd number, 4 · (2m + 1); and so on. The factors of (2m + 1) for
each row, 1, 2, 4, 8, . . . , are exactly the powers of 2: 1 = 20 , 2 = 21 , 4 = 22 ,
8 = 23 , . . . In fact, the relevant exponent is always the first member of the pair
in question. Thus, for pair ⟨n, m⟩ the factor is 2n . This gives us the general
formula: 2n · (2m + 1). However, this is a mapping of pairs to positive integers,
i.e., ⟨0, 0⟩ has position 1. If we want to begin at position 0 we must subtract 1
from the result. This gives us:

Example 4.15. The function h : N2 → N given by

h(n, m) = 2n (2m + 1) − 1

is a pairing function for the set of pairs of natural numbers N2 .

Accordingly, in our second enumeration of N2 , the pair ⟨0, 0⟩ has code

h(0, 0) = 20 (2 · 0 + 1) − 1 = 0; ⟨1, 2⟩ has code 21 · (2 · 2 + 1) − 1 = 2 · 5 − 1 = 9;
⟨2, 6⟩ has code 22 · (2 · 6 + 1) − 1 = 51.

62 Release : d3a1905 (2022-12-19)

4.6. NON-ENUMERABLE SETS

Sometimes it is enough to encode pairs of natural numbers N2 without

requiring that the encoding is surjective. Such encodings have inverses that
are only partial functions.
Example 4.16. The function j : N2 → N+ given by

j(n, m) = 2n 3m

is an injective function N2 → N.

4.6 Non-enumerable Sets

This section proves the non-enumerability of Bω and ℘(Z+ ) using the

definition in section 4.2. It is designed to be a little more elementary and
a little more detailed than the version in section 4.11

Some sets, such as the set Z+ of positive integers, are infinite. So far we’ve
seen examples of infinite sets which were all enumerable. However, there are
also infinite sets which do not have this property. Such sets are called non-
enumerable.
First of all, it is perhaps already surprising that there are non-enumerable
sets. For any enumerable set A there is a surjective function f : Z+ → A. If a
set is non-enumerable there is no such function. That is, no function mapping
the infinitely many elements of Z+ to A can exhaust all of A. So there are
“more” elements of A than the infinitely many positive integers.
How would one prove that a set is non-enumerable? You have to show
that no such surjective function can exist. Equivalently, you have to show that
the elements of A cannot be enumerated in a one way infinite list. The best
way to do this is to show that every list of elements of A must leave at least
one element out; or that no function f : Z+ → A can be surjective. We can
do this using Cantor’s diagonal method. Given a list of elements of A, say, x1 ,
x2 , . . . , we construct another element of A which, by its construction, cannot
possibly be on that list.
Our first example is the set Bω of all infinite, non-gappy sequences of 0’s
and 1’s.
Theorem 4.17. Bω is non-enumerable.

Proof. Suppose, by way of contradiction, that Bω is enumerable, i.e., suppose

that there is a list s1 , s2 , s3 , s4 , . . . of all elements of Bω . Each of these si is
itself an infinite sequence of 0’s and 1’s. Let’s call the j-th element of the i-th
sequence in this list si ( j). Then the i-th sequence si is

s i (1), s i (2), s i (3), . . .

Release : d3a1905 (2022-12-19) 63

 CHAPTER 4. THE SIZE OF SETS

We may arrange this list, and the elements of each sequence si in it, in an
array:
1 2 3 4 ...
1 s 1 ( 1 ) s1 (2) s1 (3) s1 (4) . . .
2 s2 (1) s 2 ( 2 ) s2 (3) s2 (4) . . .
3 s3 (1) s3 (2) s 3 ( 3 ) s3 (4) . . .
4 s4 (1) s4 (2) s4 (3) s 4 ( 4 ) . . .
.. .. .. .. .. ..
. . . . . .
The labels down the side give the number of the sequence in the list s1 , s2 , . . . ;
the numbers across the top label the elements of the individual sequences. For
instance, s1 (1) is a name for whatever number, a 0 or a 1, is the first element
in the sequence s1 , and so on.
Now we construct an infinite sequence, s, of 0’s and 1’s which cannot pos-
sibly be on this list. The definition of s will depend on the list s1 , s2 , . . . .
Any infinite list of infinite sequences of 0’s and 1’s gives rise to an infinite
sequence s which is guaranteed to not appear on the list.
To define s, we specify what all its elements are, i.e., we specify s(n) for all
n ∈ Z+ . We do this by reading down the diagonal of the array above (hence
the name “diagonal method”) and then changing every 1 to a 0 and every 0 to
a 1. More abstractly, we define s(n) to be 0 or 1 according to whether the n-th
element of the diagonal, sn (n), is 1 or 0.
(
1 if sn (n) = 0
s(n) =
0 if sn (n) = 1.

If you like formulas better than definitions by cases, you could also define
s ( n ) = 1 − s n ( n ).
Clearly s is an infinite sequence of 0’s and 1’s, since it is just the mirror
sequence to the sequence of 0’s and 1’s that appear on the diagonal of our
array. So s is an element of Bω . But it cannot be on the list s1 , s2 , . . . Why not?
It can’t be the first sequence in the list, s1 , because it differs from s1 in the
first element. Whatever s1 (1) is, we defined s(1) to be the opposite. It can’t be
the second sequence in the list, because s differs from s2 in the second element:
if s2 (2) is 0, s(2) is 1, and vice versa. And so on.
More precisely: if s were on the list, there would be some k so that s = sk .
Two sequences are identical iff they agree at every place, i.e., for any n, s(n) =
sk (n). So in particular, taking n = k as a special case, s(k) = sk (k) would
have to hold. sk (k) is either 0 or 1. If it is 0 then s(k ) must be 1—that’s how
we defined s. But if sk (k ) = 1 then, again because of the way we defined s,
s(k) = 0. In either case s(k) ̸= sk (k ).
We started by assuming that there is a list of elements of Bω , s1 , s2 , . . .
From this list we constructed a sequence s which we proved cannot be on the
list. But it definitely is a sequence of 0’s and 1’s if all the si are sequences of

64 Release : d3a1905 (2022-12-19)

4.6. NON-ENUMERABLE SETS

0’s and 1’s, i.e., s ∈ Bω . This shows in particular that there can be no list of
all elements of Bω , since for any such list we could also construct a sequence s
guaranteed to not be on the list, so the assumption that there is a list of all
sequences in Bω leads to a contradiction.

This proof method is called “diagonalization” because it uses the diagonal

of the array to define s. Diagonalization need not involve the presence of an
array: we can show that sets are not enumerable by using a similar idea even
when no array and no actual diagonal is involved.

Theorem 4.18. ℘(Z+ ) is not enumerable.

Proof. We proceed in the same way, by showing that for every list of subsets
of Z+ there is a subset of Z+ which cannot be on the list. Suppose the follow-
ing is a given list of subsets of Z+ :

Z1 , Z2 , Z3 , . . .

We now define a set Z such that for any n ∈ Z+ , n ∈ Z iff n ∈

/ Zn :

Z = { n ∈ Z+ : n ∈
/ Zn }

Z is clearly a set of positive integers, since by assumption each Zn is, and thus
Z ∈ ℘(Z+ ). But Z cannot be on the list. To show this, we’ll establish that for
each k ∈ Z+ , Z ̸= Zk .
So let k ∈ Z+ be arbitrary. We’ve defined Z so that for any n ∈ Z+ , n ∈ Z
iff n ∈
/ Zn . In particular, taking n = k, k ∈ Z iff k ∈/ Zk . But this shows that
Z ̸= Zk , since k is an element of one but not the other, and so Z and Zk have
different elements. Since k was arbitrary, Z is not on the list Z1 , Z2 , . . .

The preceding proof did not mention a diagonal, but you can think of it
as involving a diagonal if you picture it this way: Imagine the sets Z1 , Z2 , . . . ,
written in an array, where each element j ∈ Zi is listed in the j-th column.
Say the first four sets on that list are {1, 2, 3, . . . }, {2, 4, 6, . . . }, {1, 2, 5}, and
{3, 4, 5, . . . }. Then the array would begin with

Z1 = {1, 2, 3, 4, 5, 6, ...}
Z2 ={ 2, 4, 6, ...}
Z3 = { 1, 2, 5 }
Z4 ={ 3, 4, 5, 6, ...}
.. ..
. .

Then Z is the set obtained by going down the diagonal, leaving out any num-
bers that appear along the diagonal and include those j where the array has a
gap in the j-th row/column. In the above case, we would leave out 1 and 2,
include 3, leave out 4, etc.

Release : d3a1905 (2022-12-19) 65

 CHAPTER 4. THE SIZE OF SETS

4.7 Reduction

This section proves non-enumerability by reduction, matching the

results in section 4.6. An alternative, slightly more condensed version
matching the results in section 4.12 is provided in section 4.13.

We showed ℘(Z+ ) to be non-enumerable by a diagonalization argument. We

already had a proof that Bω , the set of all infinite sequences of 0s and 1s,
is non-enumerable. Here’s another way we can prove that ℘(Z+ ) is non-
enumerable: Show that if ℘(Z+ ) is enumerable then Bω is also enumerable. Since
we know Bω is not enumerable, ℘(Z+ ) can’t be either. This is called reducing
one problem to another—in this case, we reduce the problem of enumerating
Bω to the problem of enumerating ℘(Z+ ). A solution to the latter—an enu-
meration of ℘(Z+ )—would yield a solution to the former—an enumeration
of Bω .
How do we reduce the problem of enumerating a set B to that of enu-
merating a set A? We provide a way of turning an enumeration of A into an
enumeration of B. The easiest way to do that is to define a surjective function
f : A → B. If x1 , x2 , . . . enumerates A, then f ( x1 ), f ( x2 ), . . . would enumer-
ate B. In our case, we are looking for a surjective function f : ℘(Z+ ) → Bω .
Proof of Theorem 4.18 by reduction. Suppose that ℘(Z+ ) were enumerable, and
thus that there is an enumeration of it, Z1 , Z2 , Z3 , . . .
Define the function f : ℘(Z+ ) → Bω by letting f ( Z ) be the sequence sk
such that sk (n) = 1 iff n ∈ Z, and sk (n) = 0 otherwise. This clearly defines
a function, since whenever Z ⊆ Z+ , any n ∈ Z+ either is an element of Z or
isn’t. For instance, the set 2Z+ = {2, 4, 6, . . . } of positive even numbers gets
mapped to the sequence 010101 . . . , the empty set gets mapped to 0000 . . .
and the set Z+ itself to 1111 . . . .
It also is surjective: Every sequence of 0s and 1s corresponds to some set of
positive integers, namely the one which has as its members those integers cor-
responding to the places where the sequence has 1s. More precisely, suppose
s ∈ Bω . Define Z ⊆ Z+ by:

Z = { n ∈ Z+ : s ( n ) = 1 }

Then f ( Z ) = s, as can be verified by consulting the definition of f .

Now consider the list

f ( Z1 ), f ( Z2 ), f ( Z3 ), . . .

Since f is surjective, every member of Bω must appear as a value of f for some

argument, and so must appear on the list. This list must therefore enumerate
all of Bω .

66 Release : d3a1905 (2022-12-19)

4.8. EQUINUMEROSITY

So if ℘(Z+ ) were enumerable, Bω would be enumerable. But Bω is non-

enumerable (Theorem 4.17). Hence ℘(Z+ ) is non-enumerable.

It is easy to be confused about the direction the reduction goes in. For
instance, a surjective function g : Bω → B does not establish that B is non-
enumerable. (Consider g : Bω → B defined by g(s) = s(1), the function that
maps a sequence of 0’s and 1’s to its first element. It is surjective, because
some sequences start with 0 and some start with 1. But B is finite.) Note also
that the function f must be surjective, or otherwise the argument does not go
through: f ( x1 ), f ( x2 ), . . . would then not be guaranteed to include all the
elements of B. For instance,

h(n) = 000
| {z. . . 0}
n 0’s

defines a function h : Z+ → Bω , but Z+ is enumerable.

4.8 Equinumerosity
We have an intuitive notion of “size” of sets, which works fine for finite sets.
But what about infinite sets? If we want to come up with a formal way of
comparing the sizes of two sets of any size, it is a good idea to start by defining
when sets are the same size. Here is Frege:

If a waiter wants to be sure that he has laid exactly as many knives

as plates on the table, he does not need to count either of them, if
he simply lays a knife to the right of each plate, so that every knife
on the table lies to the right of some plate. The plates and knives
are thus uniquely correlated to each other, and indeed through that
same spatial relationship. (Frege, 1884, §70)

The insight of this passage can be brought out through a formal definition:

Definition 4.19. A is equinumerous with B, written A ≈ B, iff there is a bijec-

tion f : A → B.

Proposition 4.20. Equinumerosity is an equivalence relation.

Proof. We must show that equinumerosity is reflexive, symmetric, and transi-

tive. Let A, B, and C be sets.
Reflexivity. The identity map Id A : A → A, where Id A ( x ) = x for all x ∈ A,
is a bijection. So A ≈ A.
Symmetry. Suppose A ≈ B, i.e., there is a bijection f : A → B. Since f is
bijective, its inverse f −1 exists and is also bijective. Hence, f −1 : B → A is
a bijection, so B ≈ A.

Release : d3a1905 (2022-12-19) 67

 CHAPTER 4. THE SIZE OF SETS

Transitivity. Suppose that A ≈ B and B ≈ C, i.e., there are bijections

f : A → B and g : B → C. Then the composition g ◦ f : A → C is bijective,
so that A ≈ C.

Proposition 4.21. If A ≈ B, then A is enumerable if and only if B is.

The following proof uses Definition 4.4 if section 4.2 is included and
Definition 4.27 otherwise.

Proof. Suppose A ≈ B, so there is some bijection f : A → B, and suppose that

A is enumerable. Then either A = ∅ or there is a surjective function g : Z+ →
A. If A = ∅, then B = ∅ also (otherwise there would be an element y ∈ B but
no x ∈ A with g( x ) = y). If, on the other hand, g : Z+ → A is surjective, then
f ◦ g : Z+ → B is surjective. To see this, let y ∈ B. Since f is surjective, there
is an x ∈ A such that f ( x ) = y. Since g is surjective, there is an n ∈ Z+ such
that g(n) = x. Hence,

( f ◦ g)(n) = f ( g(n)) = f ( x ) = y
and thus f ◦ g is surjective. We have that f ◦ g is an enumeration of B, and so
B is enumerable.
If B is enumerable, we obtain that A is enumerable by repeating the argu-
ment with the bijection f −1 : B → A instead of f .

4.9 Sets of Different Sizes, and Cantor’s Theorem

We have offered a precise statement of the idea that two sets have the same
size. We can also offer a precise statement of the idea that one set is smaller
than another. Our definition of “is smaller than (or equinumerous)” will re-
quire, instead of a bijection between the sets, an injection from the first set to
the second. If such a function exists, the size of the first set is less than or
equal to the size of the second. Intuitively, an injection from one set to another
guarantees that the range of the function has at least as many elements as the
domain, since no two elements of the domain map to the same element of the
range.
Definition 4.22. A is no larger than B, written A ⪯ B, iff there is an injection
f : A → B.

It is clear that this is a reflexive and transitive relation, but that it is not
symmetric (this is left as an exercise). We can also introduce a notion, which
states that one set is (strictly) smaller than another.
Definition 4.23. A is smaller than B, written A ≺ B, iff there is an injection f : A →
B but no bijection g : A → B, i.e., A ⪯ B and A ̸≈ B.

68 Release : d3a1905 (2022-12-19)

4.9. SETS OF DIFFERENT SIZES, AND CANTOR’S THEOREM

It is clear that this relation is irreflexive and transitive. (This is left as an ex-
ercise.) Using this notation, we can say that a set A is enumerable iff A ⪯ N,
and that A is non-enumerable iff N ≺ A. This allows us to restate Theo-
rem 4.32 as the observation that N ≺ ℘(N). In fact, Cantor (1892) proved that
this last point is perfectly general:

Theorem 4.24 (Cantor). A ≺ ℘( A), for any set A.

Proof. The map f ( x ) = { x } is an injection f : A → ℘( A), since if x ̸= y,

then also { x } ̸= {y} by extensionality, and so f ( x ) ̸= f (y). So we have that
A ⪯ ℘( A).

We present the slow proof if section 4.6 is present, otherwise a faster

proof matching section 4.12.

We will now show that there cannot be a surjective function g : A → ℘( A),

let alone a bijective one, and hence that A ̸≈ ℘( A). For suppose that g : A →
℘( A). Since g is total, every x ∈ A is mapped to a subset g( x ) ⊆ A. We can
show that g cannot be surjective. To do this, we define a subset A ⊆ A which
by definition cannot be in the range of g. Let

A = {x ∈ A : x ∈
/ g( x )}.

Since g( x ) is defined for all x ∈ A, A is clearly a well-defined subset of A.

But, it cannot be in the range of g. Let x ∈ A be arbitrary, we will show
that A ̸= g( x ). If x ∈ g( x ), then it does not satisfy x ∈
/ g( x ), and so by the
definition of A, we have x ∈ / A. If x ∈ A, it must satisfy the defining property
of A, i.e., x ∈ A and x ∈/ g( x ). Since x was arbitrary, this shows that for each
x ∈ A, x ∈ g( x ) iff x ∈
/ A, and so g( x ) ̸= A. In other words, A cannot be in
the range of g, contradicting the assumption that g is surjective.

It’s instructive to compare the proof of Theorem 4.24 to that of Theorem 4.18.
There we showed that for any list Z1 , Z2 , . . . , of subsets of Z+ one can con-
struct a set Z of numbers guaranteed not to be on the list. It was guaranteed
not to be on the list because, for every n ∈ Z+ , n ∈ Zn iff n ∈ / Z. This way,
there is always some number that is an element of one of Zn or Z but not the
other. We follow the same idea here, except the indices n are now elements
of A instead of Z+ . The set B is defined so that it is different from g( x ) for
each x ∈ A, because x ∈ g( x ) iff x ∈ / B. Again, there is always an element
of A which is an element of one of g( x ) and B but not the other. And just as Z
therefore cannot be on the list Z1 , Z2 , . . . , B cannot be in the range of g.
It’s instructive to compare the proof of Theorem 4.24 to that of Theorem 4.32.
There we showed that for any list N0 , N1 , N2 , . . . , of subsets of N we can con-
struct a set D of numbers guaranteed not to be on the list. It was guaranteed

Release : d3a1905 (2022-12-19) 69

 CHAPTER 4. THE SIZE OF SETS

/ D, for every n ∈ N. We follow the

not to be on the list because n ∈ Nn iff n ∈
same idea here, except the indices n are now elements of A rather than of N.
The set D is defined so that it is different from g( x ) for each x ∈ A, because
x ∈ g( x ) iff x ∈
/ D.
The proof is also worth comparing with the proof of Russell’s Paradox,
Theorem 1.29. Indeed, Cantor’s Theorem was the inspiration for Russell’s
own paradox.

4.10 The Notion of Size, and Schröder-Bernstein

Here is an intuitive thought: if A is no larger than B and B is no larger than A,

then A and B are equinumerous. To be honest, if this thought were wrong, then
we could scarcely justify the thought that our defined notion of equinumeros-
ity has anything to do with comparisons of “sizes” between sets! Fortunately,
though, the intuitive thought is correct. This is justified by the Schröder-
Bernstein Theorem.

Theorem 4.25 (Schröder-Bernstein). If A ⪯ B and B ⪯ A, then A ≈ B.

In other words, if there is an injection from A to B, and an injection from B

to A, then there is a bijection from A to B.
This result, however, is really rather difficult to prove. Indeed, although
Cantor stated the result, others proved it.1 For now, you can (and must) take
it on trust.
Fortunately, Schröder-Bernstein is correct, and it vindicates our thinking of
the relations we defined, i.e., A ≈ B and A ⪯ B, as having something to do
with “size”. Moreover, Schröder-Bernstein is very useful. It can be difficult to
think of a bijection between two equinumerous sets. The Schröder-Bernstein
Theorem allows us to break the comparison down into cases so we only have
to think of an injection from the first to the second, and vice-versa.

The following section 4.11, section 4.12, section 4.13 are alternative
versions of section 4.2, section 4.6, section 4.7 due to Tim Button for use
in his Open Set Theory text. They are slightly more advanced and use a
difference definition of enumerability more suitable in a set theory context
(i.e., bijection with N or an initial segment, rather than being listable or
being the range of a surjective function from Z+ ).

1 For more on the history, see e.g., Potter (2004, pp. 165–6).

70 Release : d3a1905 (2022-12-19)

4.11. ENUMERATIONS AND ENUMERABLE SETS

4.11 Enumerations and Enumerable Sets

This section defines enumerations as bijections with (initial segments)

of N, the way it’s done in set theory. So it conflicts slightly with the def-
initions in section 4.2, and repeats all the examples there. It is also a bit
more terse than that section.

We can specify finite set is by simply enumerating its elements. We do this

when we define a set like so:

A = { a1 , a2 , . . . , a n }.

Assuming that the elements a1 , . . . , an are all distinct, this gives us a bijection
between A and the first n natural numbers 0, . . . , n − 1. Conversely, since
every finite set has only finitely many elements, every finite set can be put
into such a correspondence. In other words, if A is finite, there is a bijection
between A and {0, . . . , n − 1}, where n is the number of elements of A.
If we allow for certain kinds of infinite sets, then we will also allow some
infinite sets to be enumerated. We can make this precise by saying that an
infinite set is enumerated by a bijection between it and all of N.

Definition 4.26 (Enumeration, set-theoretic). An enumeration of a set A is a bi-

jection whose range is A and whose domain is either an initial set of natural
numbers {0, 1, . . . , n} or the entire set of natural numbers N.

There is an intuitive underpinning to this use of the word enumeration. For

to say that we have enumerated a set A is to say that there is a bijection f
which allows us to count out the elements of the set A. The 0th element is
f (0), the 1st is f (1), . . . the nth is f (n). . . .2 The rationale for this may be made
even clearer by adding the following:

Definition 4.27. A set A is enumerable iff either A = ∅ or there is an enumer-

ation of A. We say that A is non-enumerable iff A is not enumerable.

So a set is enumerable iff it is empty or you can use an enumeration to

count out its elements.

Example 4.28. A function enumerating the natural numbers is simply the iden-
tity function IdN : N → N given by IdN (n) = n. A function enumerating the
positive natural numbers, N+ = N \ {0}, is the function g(n) = n + 1, i.e., the
successor function.
2 Yes, we count from 0. Of course we could also start with 1. This would make no big differ-

ence. We would just have to replace N by Z+ .

Release : d3a1905 (2022-12-19) 71

 CHAPTER 4. THE SIZE OF SETS

Example 4.29. The functions f : N → N and g : N → N given by

f (n) = 2n and
g(n) = 2n + 1

respectively enumerate the even natural numbers and the odd natural num-
bers. But neither is surjective, so neither is an enumeration of N.

Example 4.30. Let ⌈ x ⌉ be the ceiling function, which rounds x up to the nearest
integer. Then the function f : N → Z given by:

f (n) = (−1)n n2
 

enumerates the set of integers Z as follows:

f (0) f (1) f (2) f (3) f (4) f (5) f (6) ...

0 1 2 3 4 5 6
2 − 2 2 − 2 2 − 2 2 ...

0 −1 1 −2 2 −3 3 ...

Notice how f generates the values of Z by “hopping” back and forth between
positive and negative integers. You can also think of f as defined by cases as
follows: (
n
if n is even
f ( n ) = 2 n +1
− 2 if n is odd

4.12 Non-enumerable Sets

This section proves the non-enumerability of Bω and ℘(N) using the

definitions in section 4.11, i.e., requiring a bijection with N instead of a
surjection from Z+ .

The set N of natural numbers is infinite. It is also trivially enumerable. But

the remarkable fact is that there are non-enumerable sets, i.e., sets which are not
enumerable (see Definition 4.27).
This might be surprising. After all, to say that A is non-enumerable is to
say that there is no bijection f : N → A; that is, no function mapping the in-
finitely many elements of N to A exhausts all of A. So if A is non-enumerable,
there are “more” elements of A than there are natural numbers.
To prove that a set is non-enumerable, you have to show that no appropri-
ate bijection can exist. The best way to do this is to show that every attempt to
enumerate elements of A must leave at least one element out; this shows that

72 Release : d3a1905 (2022-12-19)

4.12. NON-ENUMERABLE SETS

no function f : N → A is surjective. And a general strategy for establishing

this is to use Cantor’s diagonal method. Given a list of elements of A, say, x1 ,
x2 , . . . , we construct another element of A which, by its construction, cannot
possibly be on that list.
But all of this is best understood by example. So, our first example is the
set Bω of all infinite strings of 0’s and 1’s. (The ‘B’ stands for binary, and we
can just think of it as the two-element set {0, 1}.)

Theorem 4.31. Bω is non-enumerable.

Proof. Consider any enumeration of a subset of Bω . So we have some list s0 ,

s1 , s2 , . . . where every sn is an infinite string of 0’s and 1’s. Let sn (m) be the
nth digit of the mth string in this list. So we can now think of our list as an
array, where sn (m) is placed at the nth row and mth column:

0 1 2 3 ...
0 s0 (0) s0 (1) s0 (2) s0 (3) ...
1 s1 (0) s1 (1) s1 (2) s1 (3) ...
2 s2 (0) s2 (1) s2 (2) s2 (3) ...
3 s3 (0) s3 (1) s3 (2) s3 (3) ...
.. .. .. .. .. ..
. . . . . .

We will now construct an infinite string, d, of 0’s and 1’s which is not on this
list. We will do this by specifying each of its entries, i.e., we specify d(n) for
all n ∈ N. Intuitively, we do this by reading down the diagonal of the array
above (hence the name “diagonal method”) and then changing every 1 to a 0
and every 1 to a 0. More abstractly, we define d(n) to be 0 or 1 according to
whether the n-th element of the diagonal, sn (n), is 1 or 0, that is:
(
1 if sn (n) = 0
d(n) =
0 if sn (n) = 1

Clearly d ∈ Bω , since it is an infinite string of 0’s and 1’s. But we have con-
structed d so that d(n) ̸= sn (n) for any n ∈ N. That is, d differs from sn in its
nth entry. So d ̸= sn for any n ∈ N. So d cannot be on the list s0 , s1 , s2 , . . .
We have shown, given an arbitrary enumeration of some subset of Bω , that
it will omit some element of Bω . So there is no enumeration of the set Bω , i.e.,
Bω is non-enumerable.

This proof method is called “diagonalization” because it uses the diagonal

of the array to define d. However, diagonalization need not involve the pres-
ence of an array. Indeed, we can show that some set is non-enumerable by
using a similar idea, even when no array and no actual diagonal is involved.
The following result illustrates how.

Release : d3a1905 (2022-12-19) 73

 CHAPTER 4. THE SIZE OF SETS

Theorem 4.32. ℘(N) is not enumerable.

Proof. We proceed in the same way, by showing that every list of subsets of N
omits some subset of N. So, suppose that we have some list N0 , N1 , N2 , . . . of
subsets of N. We define a set D as follows: n ∈ D iff n ∈
/ Nn :

D = {n ∈ N : n ∈
/ Nn }

Clearly D ⊆ N. But D cannot be on the list. After all, by construction n ∈ D

/ Nn , so that D ̸= Nn for any n ∈ N.
iff n ∈

The preceding proof did not mention a diagonal. Still, you can think of
it as involving a diagonal if you picture it this way: Imagine the sets N0 , N1 ,
. . . , written in an array, where we write Nn on the nth row by writing m in
the mth column iff if m ∈ Nn . For example, say the first four sets on that list
are {0, 1, 2, . . . }, {1, 3, 5, . . . }, {0, 1, 4}, and {2, 3, 4, . . . }; then our array would
begin with
N0 = {0, 1, 2, ...}
N1 = { 1, 3, 5, . . . }
N2 = { 0, 1, 4 }
N3 = { 2, 3, 4, ...}
.. ..
. .
Then D is the set obtained by going down the diagonal, placing n ∈ D iff n
is not on the diagonal. So in the above case, we would leave out 0 and 1, we
would include 2, we would leave out 3, etc.

4.13 Reduction

This section proves non-enumerability by reduction, matching the

results in section 4.12. An alternative, slightly more elaborate version
matching the results in section 4.6 is provided in section 4.7.

We proved that Bω is non-enumerable by a diagonalization argument. We

used a similar diagonalization argument to show that ℘(N) is non-enumerable.
But here’s another way we can prove that ℘(N) is non-enumerable: show
that if ℘(N) is enumerable then Bω is also enumerable. Since we know Bω is
non-enumerable, it will follow that ℘(N) is too.
This is called reducing one problem to another. In this case, we reduce the
problem of enumerating Bω to the problem of enumerating ℘(N). A solu-
tion to the latter—an enumeration of ℘(N)—would yield a solution to the
former—an enumeration of Bω .

74 Release : d3a1905 (2022-12-19)

4.13. REDUCTION

To reduce the problem of enumerating a set B to that of enumerating a

set A, we provide a way of turning an enumeration of A into an enumeration
of B. The easiest way to do that is to define a surjection f : A → B. If x1 , x2 , . . .
enumerates A, then f ( x1 ), f ( x2 ), . . . would enumerate B. In our case, we are
looking for a surjection f : ℘(N) → Bω .

Proof of Theorem 4.32 by reduction. For reductio, suppose that ℘(N) is enumer-
able, and thus that there is an enumeration of it, N1 , N2 , N3 , . . .
Define the function f : ℘(N) → Bω by letting f ( N ) be the string sk such
that sk (n) = 1 iff n ∈ N, and sk (n) = 0 otherwise.
This clearly defines a function, since whenever N ⊆ N, any n ∈ N either
is an element of N or isn’t. For instance, the set 2N = {2n : n ∈ N} =
{0, 2, 4, 6, . . . } of even naturals gets mapped to the string 1010101 . . . ; ∅ gets
mapped to 0000 . . . ; N gets mapped to 1111 . . . .
It is also surjective: every string of 0s and 1s corresponds to some set of nat-
ural numbers, namely the one which has as its members those natural num-
bers corresponding to the places where the string has 1s. More precisely, if
s ∈ Bω , then define N ⊆ N by:

N = { n ∈ N : s ( n ) = 1}

Then f ( N ) = s, as can be verified by consulting the definition of f .

Now consider the list

f ( N1 ), f ( N2 ), f ( N3 ), . . .

Since f is surjective, every member of Bω must appear as a value of f for some

argument, and so must appear on the list. This list must therefore enumerate
all of Bω .
So if ℘(N) were enumerable, Bω would be enumerable. But Bω is non-
enumerable (Theorem 4.31). Hence ℘(N) is non-enumerable.

Problems
Problem 4.1. Define an enumeration of the positive squares 1, 4, 9, 16, . . .

Problem 4.2. Show that if A and B are enumerable, so is A ∪ B. To do this,

suppose there are surjective functions f : Z+ → A and g : Z+ → B, and define
a surjective function h : Z+ → A ∪ B and prove that it is surjective. Also
consider the cases where A or B = ∅.

Problem 4.3. Show that if B ⊆ A and A is enumerable, so is B. To do this,

suppose there is a surjective function f : Z+ → A. Define a surjective func-
tion g : Z+ → B and prove that it is surjective. What happens if B = ∅?

Release : d3a1905 (2022-12-19) 75

 CHAPTER 4. THE SIZE OF SETS

Problem 4.4. Show by induction on n that if A1 , A2 , . . . , An are all enumer-

able, so is A1 ∪ · · · ∪ An . You may assume the fact that if two sets A and B are
enumerable, so is A ∪ B.

Problem 4.5. According to Definition 4.4, a set A is enumerable iff A = ∅ or

there is a surjective f : Z+ → A. It is also possible to define “enumerable set”
precisely by: a set is enumerable iff there is an injective function g : A → Z+ .
Show that the definitions are equivalent, i.e., show that there is an injective
function g : A → Z+ iff either A = ∅ or there is a surjective f : Z+ → A.

Problem 4.6. Show that (Z+ )n is enumerable, for every n ∈ N.

Problem 4.7. Show that (Z+ )∗ is enumerable. You may assume problem 4.6.

Problem 4.8. Give an enumeration of the set of all non-negative rational num-
bers.

Problem 4.9. Show that Q is enumerable. Recall that any rational number can
be written as a fraction z/m with z ∈ Z, m ∈ N+ .

Problem 4.10. Define an enumeration of B∗ .

Problem 4.11. Recall from your introductory logic course that each possible
truth table expresses a truth function. In other words, the truth functions are
all functions from Bk → B for some k. Prove that the set of all truth functions
is enumerable.

Problem 4.12. Show that the set of all finite subsets of an arbitrary infinite
enumerable set is enumerable.

Problem 4.13. A subset of N is said to be cofinite iff it is the complement of

a finite set N; that is, A ⊆ N is cofinite iff N \ A is finite. Let I be the set
whose elements are exactly the finite and cofinite subsets of N. Show that I is
enumerable.

Problem 4.14. Show that the enumerable union of enumerable sets is enumer-
able. That is, whenever A1 , A2 , . . . are sets, and each Ai is enumerable, then
the union i∞=1 Ai of all of them is also enumerable. [NB: this is hard!]
S

Problem 4.15. Let f : A × B → N be an arbitrary pairing function. Show that

the inverse of f is an enumeration of A × B.

Problem 4.16. Specify a function that encodes N3 .

Problem 4.17. Show that ℘(N) is non-enumerable by a diagonal argument.

76 Release : d3a1905 (2022-12-19)

4.13. REDUCTION

Problem 4.18. Show that the set of functions f : Z+ → Z+ is non-enumerable

by an explicit diagonal argument. That is, show that if f 1 , f 2 , . . . , is a list of
functions and each f i : Z+ → Z+ , then there is some f : Z+ → Z+ not on this
list.

Problem 4.19. Show that if there is an injective function g : B → A, and B is

non-enumerable, then so is A. Do this by showing how you can use g to turn
an enumeration of A into one of B.

Problem 4.20. Show that the set of all sets of pairs of positive integers is non-
enumerable by a reduction argument.

Problem 4.21. Show that the set X of all functions f : N → N is non-enumerable

by a reduction argument (Hint: give a surjective function from X to Bω .)

Problem 4.22. Show that Nω , the set of infinite sequences of natural numbers,
is non-enumerable by a reduction argument.

Problem 4.23. Let P be the set of functions from the set of positive integers
to the set {0}, and let Q be the set of partial functions from the set of positive
integers to the set {0}. Show that P is enumerable and Q is not. (Hint: reduce
the problem of enumerating Bω to enumerating Q).

Problem 4.24. Let S be the set of all surjective functions from the set of posi-
tive integers to the set {0,1}, i.e., S consists of all surjective f : Z+ → B. Show
that S is non-enumerable.

Problem 4.25. Show that the set R of all real numbers is non-enumerable.

Problem 4.26. Show that if A ≈ C and B ≈ D, and A ∩ B = C ∩ D = ∅, then

A ∪ B ≈ C ∪ D.

Problem 4.27. Show that if A is infinite and enumerable, then A ≈ N.

Problem 4.28. Show that there cannot be an injection g : ℘( A) → A, for any

set A. Hint: Suppose g : ℘( A) → A is injective. Consider D = { g( B) : B ⊆
A and g( B) ∈/ B}. Let x = g( D ). Use the fact that g is injective to derive a
contradiction.

Problem 4.29. Show that a set A is enumerable iff either A = ∅ or there is

a surjection f : N → A. Show that A is enumerable iff there is an injection
g : A → N.

Problem 4.30. Define an enumeration of the square numbers 1, 4, 9, 16, . . .

Problem 4.31. Show that if A and B are enumerable, so is A ∪ B.

Release : d3a1905 (2022-12-19) 77

 CHAPTER 4. THE SIZE OF SETS

Problem 4.32. Show by induction on n that if A1 , A2 , . . . , An are all enumer-

able, so is A1 ∪ · · · ∪ An .

Problem 4.33. Show that the set of all functions f : N → N is non-enumerable

by an explicit diagonal argument. That is, show that if f 1 , f 2 , . . . , is a list of
functions and each f i : N → N, then there is some g : N → N not on this list.

Problem 4.34. Show that if there is an injective function g : B → A, and B is

non-enumerable, then so is A. Do this by showing how you can use g to turn
an enumeration of A into one of B.

Problem 4.35. Show that the set X of all functions f : N → N is non-enumerable

by a reduction argument (Hint: give a surjective function from X to Bω .)

Problem 4.36. Show that the set of all sets of pairs of natural numbers, i.e.,
℘(N × N), is non-enumerable by a reduction argument.

Problem 4.37. Show that Nω , the set of infinite sequences of natural numbers,
is non-enumerable by a reduction argument.

Problem 4.38. Let S be the set of all surjections from N to the set {0, 1}, i.e., S
consists of all surjections f : N → B. Show that S is non-enumerable.

Problem 4.39. Show that the set R of all real numbers is non-enumerable.

78 Release : d3a1905 (2022-12-19)

Chapter 5

Arithmetization

The material in this chapter presents the construction of the number

systems in naı̈ve set theory. It is taken from Tim Button’s Open Set Theory
text.

5.1 From N to Z
Here are two basic realisations:
1. Every integer can be written in the form n − m, with n, m ∈ N.

2. The information encoded in an expression n − m can equally be encoded

by an ordered pair ⟨n, m⟩.
We already know that the ordered pairs of natural numbers are the elements
of N2 . And we are assuming that we understand N. So here is a naı̈ve sug-
gestion, based on the two realisations we have had: let’s treat integers as ordered
pairs of natural numbers.
In fact, this suggestion is too naı̈ve. Obviously we want it to be the case
that 0 − 2 = 4 − 6. But evidently ⟨0, 2⟩ ̸= ⟨4, 6⟩. So we cannot simply say that
N2 is the set of integers.
Generalising from the preceding problem, what we want is the following:

a − b = c − d iff a + d = c + b

(It should be obvious that this is how integers are meant to behave: just add b
and d to both sides.) And the easy way to guarantee this behaviour is just to
define an equivalence relation between ordered pairs, ∼, as follows:

⟨ a, b⟩ ∼ ⟨c, d⟩ iff a + d = c + b

We now have to show that this is an equivalence relation.

79
 CHAPTER 5. ARITHMETIZATION

Proposition 5.1. ∼ is an equivalence relation.

Proof. We must show that ∼ is reflexive, symmetric, and transitive.

Reflexivity: Evidently ⟨ a, b⟩ ∼ ⟨ a, b⟩, since a + b = b + a.
Symmetry: Suppose ⟨ a, b⟩ ∼ ⟨c, d⟩, so a + d = c + b. Then c + b = a + d, so
that ⟨c, d⟩ ∼ ⟨ a, b⟩.
Transitivity: Suppose ⟨ a, b⟩ ∼ ⟨c, d⟩ ∼ ⟨m, n⟩. So a + d = c + b and c + n =
m + d. So a + d + c + n = c + b + m + d, and so a + n = m + b. Hence
⟨ a, b⟩ ∼ ⟨m, n⟩.

Now we can use this equivalence relation to take equivalence classes:

Definition 5.2. The integers are the equivalence classes, under ∼, of ordered
pairs of natural numbers; that is, Z = N2 /∼ .

Now, one might have plenty of different philosophical reactions to this stip-
ulative definition. Before we consider those reactions, though, it is worth con-
tinuing with some of the technicalities.
Having said what the integers are, we shall need to define basic functions
and relations on them. Let’s write [m, n]∼ for the equivalence class under ∼
with ⟨m, n⟩ as an element.1 That is:

[m, n]∼ = {⟨ a, b⟩ ∈ N2 : ⟨ a, b⟩ ∼ ⟨m, n⟩}

So now we offer some definitions:

[ a, b]∼ + [c, d]∼ = [ a + c, b + d]∼

[ a, b]∼ × [c, d]∼ = [ ac + bd, ad + bc]∼
[ a, b]∼ ≤ [c, d]∼ iff a + d ≤ b + c

(As is common, I’m using ‘ab’ stand for ‘( a × b)’, just to make the axioms
easier to read.) Now, we need to make sure that these definitions behave
as they ought to. Spelling out what this means, and checking it through, is
rather laborious; we relegate the details to section 5.6. But the short point is:
everything works!
One final thing remains. We have constructed the integers using natural
numbers. But this will mean that the natural numbers are not themselves inte-
gers. We will return to the philosophical significance of this in section 5.5. On
a purely technical front, though, we will need some way to be able to treat
natural numbers as integers. The idea is quite easy: for each n ∈ N, we just

1 Note: using the notation introduced in Definition 2.11, we would have written [⟨ m, n ⟩] for
∼
the same thing. But that’s just a bit harder to read.

80 Release : d3a1905 (2022-12-19)

5.2. FROM Z TO Q

stipulate that nZ = [n, 0]∼ . We need to confirm that this definition is well-
behaved, i.e., that for any m, n ∈ N

( m + n )Z = mZ + nZ
( m × n )Z = mZ × nZ
m ≤ n ↔ mZ ≤ nZ

But this is all pretty straightforward. For example, to show that the second
of these obtains, we can simply help ourselves to the behaviour of the natural
numbers and reason as follows:

(m × n)Z = [m × n, 0]∼
= [m × n + 0 × 0, m × 0 + 0 × n]∼
= [m, 0]∼ × [n, 0]∼
= mZ × nZ

We leave it as an exercise to confirm that the other two conditions hold.

5.2 From Z to Q
We just saw how to construct the integers from the natural numbers, using
some naı̈ve set theory. We shall now see how to construct the rationals from
the integers in a very similar way. Our initial realisations are:

1. Every rational can be written in the form i/j, where both i and j are inte-
gers but j is non-zero.

2. The information encoded in an expression i/j can equally be encoded in

an ordered pair ⟨i, j⟩.

The obvious approach would be to think of the rationals as ordered pairs

drawn from Z × (Z \ {0Z }). As before, though, that would be a bit too naı̈ve,
since we want 3/2 = 6/4, but ⟨3, 2⟩ ̸= ⟨6, 4⟩. More generally, we will want the
following:
a/b = c/d iff a × d = b × c

To get this, we define an equivalence relation on Z × (Z \ {0Z }) thus:

⟨ a, b⟩ ∽ ⟨c, d⟩ iff a × d = b × c

We must check that this is an equivalence relation. This is very much like the
case of ∼, and we will leave it as an exercise. But it allows us to say:

Definition 5.3. The rationals are the equivalence classes, under ∽, of pairs
of integers (whose second element is non-zero). That is, Q = (Z × (Z \
{0Z }))/∽ .

Release : d3a1905 (2022-12-19) 81

 CHAPTER 5. ARITHMETIZATION

As with the integers, we also want to define some basic operations. Where
[i, j]∽ is the equivalence class under ∽ with ⟨i, j⟩ as an element, we say:

[ a, b]∽ + [c, d]∽ = [ ad + bc, bd]∽

[ a, b]∽ × [c, d]∽ = [ ac, bd]∽ .

To define r ≤ s on these rationals, we use the fact that r ≤ s iff s − r is not

negative, i.e., r − s can be written as i/j with i non-negative and j positive:

[ a, b]∽ ≤ [c, d]∽ iff [c, d]∽ − [ a, b]∽ = [iZ , jZ ]∽

for some i ∈ N and 0 ̸= j ∈ N.

We then need to check that these definitions behave as they ought to; and
we relegate this to section 5.6. But they indeed do! Finally, we want some way
to treat integers as rationals; so for each i ∈ Z, we stipulate that iQ = [i, 1Z ]∽ .
Again, we check that all of this behaves correctly in section 5.6.

5.3 The Real Line

The next step is to show how to construct the reals from the rationals. Before
that, we need to understand what is distinctive about the reals.
The reals behave very much like the rationals. (Technically, both are ex-
amples of ordered fields; for the definition of this, see Definition 5.9.) Now, if
you worked through the exercises to chapter 4, you will know that there are
strictly more reals than rationals, i.e., that Q ≺ R. This was first proved by
Cantor. But it’s been known for about two and a half millennia that there are
irrational numbers, i.e., reals which are not rational. Indeed:
√ √
Theorem 5.4. 2 is not rational, i.e., 2 ∈ /Q
√ √
Proof. Suppose, for reductio, that 2 is rational. So 2 = m/n for some natural
numbers m and n. Indeed, we can choose m and n so that the fraction cannot
be reduced any further. Re-organising, m2 = 2n2 . From here, we can complete
the proof in two ways:
First, geometrically (following Tennenbaum).2 Consider these squares:

n
m

2 This proof is reported by Conway (2006).

82 Release : d3a1905 (2022-12-19)

5.4. FROM Q TO R

Since m2 = 2n2 , the region where the two squares of side n overlap has the
same area as the region which neither of the two squares cover; i.e., the area
of the orange square equals the sum of the area of the two unshaded squares.
So where the orange square
√ has side p, and each unshaded square has side
q, p = 2q . But now 2 = p/q, with p < m and q < n and p, q ∈ N. This
2 2

contradicts the fact that m and n were chosen to be as small as possible.

Second, formally. Since m2 = 2n2 , it follows that m is even. (It is easy to
show that, if x is odd, then x2 is odd.) So m = 2r, for some r ∈ N. Rearranging,
2r2 = n2 , so n is also even. So both m and n are even, and hence the fraction
m/n can be reduced further. Contradiction!

In passing, this diagrammatic proof allows us to revisit the material from

section 73.4. Tennenbaum (1927–2006) was a thoroughly modern mathemati-
cian; but the proof is undeniably lovely, completely rigorous, and appeals to
geometric intuition!
In any case: the reals are “more expansive” than the rationals. In some
sense, there are “gaps” in the rationals, and these are filled by the reals. Weier-
strass realised that this describes a single property of the real numbers, which
distinguishes them from the rationals, namely the Completeness Property: Ev-
ery non-empty set of real numbers with an upper bound has a least upper bound.
It is easy to see that the rationals do not have the
√ Completeness Property.
For example, consider the set of rationals less than 2, i.e.:

{ p ∈ Q : p2 < 2 or p < 0}

This has an upper bound in the rationals; its elements are all smaller √ than 3,
for example. But what√ is its least upper bound? We want to say ‘ 2’; but we
have just seen
√ that 2 is not rational. And there is no least rational number
greater than 2. So the set has an upper bound but no least upper bound.
Hence the rationals lack the Completeness Property.
By contrast, the continuum “morally
√ ought” to have the Completeness
Property. We do not just want 2 to be a real number; we want to fill all
the “gaps” in the rational line. Indeed, we want the continuum itself to have
no “gaps” in it. That is just what we will get via Completeness.

5.4 From Q to R
In essence, the Completeness Property shows that any point α of the real line
divides that line into two halves perfectly: those for which α is the least upper
bound, and those for which α is the greatest lower bound. To construct the
real numbers from the rational numbers, Dedekind suggested that we simply
think
√ of the reals as the cuts that partition the rationals.
√ That is, we identify
√
2 with the cut which separates the rationals < 2 from the rationals > 2.

Release : d3a1905 (2022-12-19) 83

 CHAPTER 5. ARITHMETIZATION

Let’s tidy this up. If we cut the rational numbers into two halves, we can
uniquely identify the partition we made just by considering its bottom half. So,
getting precise, we offer the following definition:

Definition 5.5 (Cut). A cut α is any non-empty proper initial segment of the
rationals with no greatest element. That is, α is a cut iff:

1. non-empty, proper: ∅ ̸= α ⊊ Q

2. initial: for all p, q ∈ Q: if p < q ∈ α then p ∈ α

3. no maximum: for all p ∈ α there is a q ∈ α such that p < q

Then R is the set of cuts.

√
So now we can say that 2 = { p ∈ Q : p2 < 2 or p < 0}. Of course, we
need to check that this is a cut, but we relegate that to section 5.6.
As before, having defined some entities, we next need to define basic func-
tions and relations upon them. We begin with an easy one:

α ≤ β iff α ⊆ β

This definition of an order allows to state the central result, that the set of cuts
has the Completeness Property. Spelled out fully, the statement has this shape.
If S is a non-empty set of cuts with an upper bound, then S has a least upper
bound. In more detail: there is a cut, λ, which is an upper bound for S, i.e.
(∀α ∈ S)α ⊆ λ, and λ is the least such cut, i.e. (∀ β ∈ R)((∀α ∈ S)α ⊆ β → λ ⊆
β). Now here is the proof of the result:

Theorem 5.6. The set of cuts has the Completeness Property.

S
Proof. Let S be any non-empty set of cuts with an upper bound. Let λ = S.
We first claim that λ is a cut:

1. Since S has an upper bound, at least one cut is in S, so ∅ ̸= λ. Since S is

a set of cuts, λ ⊆ Q. Since S has an upper bound, some p ∈ Q is absent
from every cut α ∈ S. So p ∈/ λ, and hence λ ⊊ Q.

2. Suppose p < q ∈ λ. So there is some α ∈ S such that q ∈ α. Since α is a

cut, p ∈ α. So p ∈ λ.

3. Suppose p ∈ λ. So there is some α ∈ S such that p ∈ α. Since α is a cut,

there is some q ∈ α such that p < q. So q ∈ λ.

This proves the claim. Moreover, clearly (∀α ∈ S)α ⊆

S
S = λ, i.e. λ is
an upper bound on S. So now suppose β ∈ R is also an upper bound, i.e.
(∀α ∈ S)α ⊆ β. For any p ∈ Q, if p ∈ λ, then there is α ∈ S such that p ∈ α, so
that p ∈ β. Generalizing, λ ⊆ β. So λ is the least upper bound on S.

84 Release : d3a1905 (2022-12-19)

5.5. SOME PHILOSOPHICAL REFLECTIONS

So we have a bunch of entities which satisfy the Completeness Property.

And one way to put this is: there are no “gaps” in our cuts. (So: taking further
“cuts” of reals, rather than rationals, would yield no interesting new objects.)
Next, we must define some operations on the reals. We start by embedding
the rationals into the reals by stipulating that pR = {q ∈ Q : q < p} for each
p ∈ Q. We then define:

α + β = { p + q : p ∈ α ∧ q ∈ β}
α × β = { p × q : 0 ≤ p ∈ α ∧ 0 ≤ q ∈ β} ∪ 0R if α, β ≥ 0R

To handle the other multiplication cases, first let:

−α = { p − q : p < 0 ∧ q ∈
/ α}

and then stipulate:


−α × − β
 if α < 0R and β < 0R
α × β = −(−α × β) if α < 0R and β > 0R

−(α × − β) if α > 0R and β < 0R


We then need to check that each of these definitions always yields a cut. And
finally, we need to go through an easy (but long-winded) demonstration that
the cuts, so defined, behave exactly as they should. But we relegate all of this
to section 5.6.

5.5 Some Philosophical Reflections

So much for the technicalities. But what did they achieve?
Well, pretty uncontestably, they gave us some lovely pure mathematics.
Moreover, there were some deep conceptual achievements. It was a profound
insight, to see that the Completeness Property expresses the crucial difference
between the reals and the rationals. Moreover, the explicit construction of
reals, as Dedekind cuts, puts the subject matter of analysis on a firm footing.
We know that the notion of a complete ordered field is coherent, for the cuts form
just such a field.
For all that, we should air a few reservations about these achievements.
First, it is not clear that thinking of reals in terms of cuts is any more rig-
orous than thinking of reals in terms of their familiar (possibly infinite) deci-
mal expansions. This latter “construction” of the reals has some resemblance
to the construction of the reals via Cauchy sequence; but in fact, it was es-
sentially known to mathematicians from the early 17th century onwards (see
section 5.7). The real increase in rigour came from the realisation that the re-
als have the Completeness Property; the ability to construct real numbers as
particular sets is perhaps not, by itself, so very interesting.

Release : d3a1905 (2022-12-19) 85

 CHAPTER 5. ARITHMETIZATION

It is even less clear that the (much easier) arithmetization of the integers,
or of the rationals, increases rigour in those areas. Here, it is worth making
a simple observation. Having constructed the integers as equivalence classes
of ordered pairs of naturals, and then constructed the rationals as equivalence
classes of ordered pairs of integers, and then constructed the reals as sets of
rationals, we immediately forget about the constructions. In particular: no one
would ever want to invoke these constructions during a mathematical proof
(excepting, of course, a proof that the constructions behaved as they were
supposed to). It’s much easier to speak about a real, directly, than to speak
about some set of sets of sets of sets of sets of sets of sets of naturals.

It is most doubtful of all that these definitions tell us what the integers,
rationals, or reals are, metaphysically speaking. That is, it is doubtful that the
reals (say) are certain sets (of sets of sets. . . ). The main barrier to such a view
is that the construction could have been done in many different ways. In the
case of the reals, there are some genuinely interestingly different construc-
tions (see section 5.7). But here is a really trivial way to obtain some different
constructions: as in section 2.2, we could have defined ordered pairs slightly
differently; if we had used this alternative notion of an ordered pair, then
our constructions would have worked precisely as well as they did, but we
would have ended up with different objects. As such, there are many rival
set-theoretic constructions of the integers, the rationals, and the reals. And
now it would just be arbitrary (and embarrassing) to claim that the integers
(say) are these sets, rather than those. (As in section 2.2, this is an instance of
an argument made famous by Benacerraf 1965.)

A further point is worth raising: there is something quite odd about our
constructions. We started with the natural numbers. We then construct the
integers, and construct “the 0 of the integers”, i.e., [0, 0]∼ . But 0 ̸= [0, 0]∼ .
Indeed, given our constructions, no natural number is an integer. But that
seems extremely counter-intuitive. Indeed, in section 1.3, we claimed without
much argument that N ⊆ Q. If the constructions tell us exactly what the
numbers are, this claim was trivially false.

Standing back, then, where do we get to? Working in a naı̈ve set theory,
and helping ourselves to the naturals, we are able to treat integers, rationals,
and reals as certain sets. In that sense, we can embed the theories of these
entities within a set theory. But the philosophical import of this embedding is
just not that straightforward.

Of course, none of this is the last word! The point is only this. Showing that
the arithmetization of the reals is of deep philosophical significance would
require some additional philosophical argument.

86 Release : d3a1905 (2022-12-19)

5.6. ORDERED RINGS AND FIELDS

5.6 Ordered Rings and Fields

Throughout this chapter, we claimed that certain definitions behave “as they
ought”. In this technical appendix, we will spell out what we mean, and
(sketch how to) show that the definitions do behave “correctly”.
In section 5.1, we defined addition and multiplication on Z. We want to
show that, as defined, they endow Z with the structure we “would want” it
to have. In particular, the structure in question is that of a commutative ring.

Definition 5.7. A commutative ring is a set S, equipped with specific elements

0 and 1 and operations + and ×, satisfying these eight formulas:

Associativity a + (b + c) = ( a + b) + c
( a × b) × c = a × (b × c)
Commutativity a+b = b+a
a×b = b×a
Identities a+0 = a
a×1 = a
Additive Inverse (∃b ∈ S)0 = a + b
Distributivity a × (b + c) = ( a × b) + ( a × c)

Implicitly, these are all bound with universal quantifiers restricted to S. And
note that the elements 0 and 1 here need not be the natural numbers with the
same name.

So, to check that the integers form a commutative ring, we just need to
check that we meet these eight conditions. None of the conditions is difficult
to establish, but this is a bit laborious. For example, here is how to prove
Associativity, in the case of addition:

Proof. Fix i, j, k ∈ Z. So there are a1 , b1 , a2 , b2 , a3 , b3 ∈ N such that i = [ a1 , b1 ]

and j = [ a2 , b2 ] and k = [ a3 , b3 ] . (For legibility, we write “[ x, y] ” rather than
“[ x, y]∼ ”; we’ll do this throughout this section.) Now:

i + ( j + k) = [ a1 , b1 ] + ([ a2 , b2 ] + [ a3 , b3 ])
= [ a1 , b1 ] + [ a2 + a3 , b2 + b3 ]
= [ a1 + ( a2 + a3 ), b1 + (b2 + b3 )]
= [( a1 + a2 ) + a3 , (b1 + b2 ) + b3 ]
= [ a1 + a2 , b1 + b2 ] + [ a3 , b3 ]
= ([ a1 , b1 ] + [ a2 , b2 ]) + [ a3 , b3 ]
= (i + j ) + k

helping ourselves freely to the behavior of addition on N.

Release : d3a1905 (2022-12-19) 87

 CHAPTER 5. ARITHMETIZATION

Equally, here is how to prove Additive Inverse:

Proof. Fix i ∈ Z, so that i = [ a, b] for some a, b ∈ N. Let j = [b, a] ∈ Z.

Helping ourselves to the behaviour of the naturals, ( a + b) + 0 = 0 + ( a + b),
so that ⟨ a + b, b + a⟩ ∼Z ⟨0, 0⟩ by definition, and hence [ a + b, b + a] = [0, 0] =
0Z . So now i + j = [ a, b] + [b, a] = [ a + b, b + a] = [0, 0] = 0Z .

And here is a proof of Distributivity:

Proof. As above, fix i = [ a1 , b1 ] and j = [ a2 , b2 ] and k = [ a3 , b3 ] . Now:

i × ( j + k) = [ a1 , b1 ] × ([ a2 , b2 ] + [ a3 , b3 ])
= [ a1 , b1 ] × [ a2 + a3 , b2 + b3 ]
= [ a1 ( a2 + a3 ) + b1 (b2 + b3 ), a1 (b2 + b3 ) + b1 ( a2 + a3 )]
= [ a1 a2 + a1 a3 + b1 b2 + b1 b3 , a1 b2 + a1 b3 + a2 b1 + a3 b1 ]
= [ a1 a2 + b1 b2 , a1 b2 + a2 b1 ] + [ a1 a3 + b1 b3 , a1 b3 + a3 b1 ]
= ([ a1 , b1 ] × [ a2 , b2 ]) + ([ a1 , b1 ] × [ a3 , b3 ])
= (i × j ) + (i × k )

We leave it as an exercise to prove the remaining five conditions. Having

done that, we have shown that Z constitutes a commutative ring, i.e., that
addition and multiplication (as defined) behave as they should.
But our task is not over. As well as defining addition and multiplication
over Z, we defined an ordering relation, ≤, and we must check that this be-
haves as it should. In more detail, we must show that Z constitutes an ordered
ring.3

Definition 5.8. An ordered ring is a commutative ring which is also equipped

with a total ordering relation, ≤, such that:

a ≤ b→a+c ≤ b+c
( a ≤ b ∧ 0 ≤ c) → a × c ≤ b × c

As before, it is laborious but routine to show that Z, as constructed, is an

ordered ring. We will leave that to you.
This takes care of the integers. But now we need to show very similar
things of the rationals. In particular, we now need to show that the rationals
form an ordered field, under our given definitions of +, ×, and ≤:

Definition 5.9. An ordered field is an ordered ring which also satisfies:

Multiplicative Inverse (∀ a ∈ S \ {0})(∃b ∈ S) a × b = 1

3 Recall from Definition 2.24 that a total ordering is a relation which is reflexive, transitive,

and connected. In the context of order relations, connectedness is sometimes called trichotomy,
since for any a and b we have a ≤ b ∨ a = b ∨ a ≥ b.

88 Release : d3a1905 (2022-12-19)

5.6. ORDERED RINGS AND FIELDS

Once you have shown that Z constitutes an ordered ring, it is easy but
laborious to show that Q constitutes an ordered field.
Having dealt with the integers and the rationals, it only remains to deal
with the reals. In particular, we need to show that R constitutes a complete
ordered field, i.e., an ordered field with the Completeness Property. Now,
Theorem 5.6 established that R has the Completeness Property. However, it
remains to run through the (tedious) of checking that R is an ordered field.
Before tearing off into that laborious exercise, we need to check some more
“immediate” things. For example, we need a guarantee that α + β, as defined,
is indeed a cut, for any cuts α and β. Here is a proof of that fact:
Proof. Since α and β are both cuts, α + β = { p + q : p ∈ α ∧ q ∈ β} is a non-
empty proper subset of Q. Now suppose x < p + q for some p ∈ α and q ∈ β.
Then x − p < q, so x − p ∈ β, and x = p + ( x − p) ∈ α + β. So α + β is an initial
segment of Q. Finally, for any p + q ∈ α + β, since α and β are both cuts, there
are p1 ∈ α and q1 ∈ β such that p < p1 and q < q1 ; so p + q < p1 + q1 ∈ α + β;
so α + β has no maximum.

Similar efforts will allow you to check that α − β and α × β and α ÷ β are
cuts (in the last case, ignoring the case where β is the zero-cut). Again, though,
we will simply leave this to you.
But here
√ is a small loose end to tidy up. In section 5.4, we suggest that we
can take 2 = { p ∈ Q : p < 0 or p2 < 2}. But we do need to show that this
set is a cut. Here is a proof of that fact:
Proof. Clearly this is a nonempty proper initial segment of the rationals; so
it suffices to show that it has no maximum. In particular, it suffices to show
2p+2
that, where p is a positive rational with p2 < 2 and q = p+2 , both p < q and
q2 < 2. To see that p < q, just note:
p2 < 2
p2 + 2p < 2 + 2p
p( p + 2) < 2 + 2p
2+2p
p< p +2 =q

To see that q2 < 2, just note:

p2 < 2
2p2 + 4p + 2 < p2 + 4p + 4
4p2 + 8p + 4 < 2( p2 + 4p + 4)
(2p + 2)2 < 2( p + 2)2
(2p+2)2
( p +2)2
<2
2
q <2

Release : d3a1905 (2022-12-19) 89

 CHAPTER 5. ARITHMETIZATION

5.7 Appendix: the Reals as Cauchy Sequences

In section 5.4, we constructed the reals as Dedekind cuts. In this section, we
explain an alternative construction. It builds on Cauchy’s definition of (what
we now call) a Cauchy sequence; but the use of this definition to construct the
reals is due to other nineteenth-century authors, notably Weierstrass, Heine,
Méray and Cantor. (For a nice history, see O’Connor and Robertson 2005.)
Before we get to the nineteenth century, it’s worth considering Simon Stevin
(1548–1620). In brief, Stevin realised that we can think of each√real in terms
of its decimal expansion. Thus even an irrational number, like 2, has a nice
decimal expansion, beginning:

1.41421356237 . . .

It is very easy to model decimal expansions in set theory: simply consider

them as functions d : N → N, where d(n) is the nth decimal place that we
are interested in. We will then need a bit of tweak, to handle the bit of the
real number that comes before the decimal point (here, just 1). We will also
need a further tweak (an equivalence relation) to guarantee that, for example,
0.999 . . . = 1. But it is not difficult to offer a perfectly rigorous construction of
the real numbers, in the manner of Stevin, within set theory.
Stevin is not our focus. (For more on Stevin, see Katz √ and Katz 2012.) But
here is a closely related thought. Instead of treating 2’s decimal expansion
directly, we can instead
√ consider a sequence of increasingly accurate rational
approximations to 2, by considering the increasingly precise expansions:

1, 1.4, 1.414, 1.4142, 1.41421, . . .

The idea that reals can be considered via “increasingly good approximations”
provides us with the basis for another sequence of insights (akin to the reali-
sations that we used when constructing Q from Z, or Z from N). The basic
insights are these:

1. Every real can be written as a (perhaps infinite) decimal expansion.

2. The information encoded by a (perhaps infinite) decimal expansion can

be equally be encoded by a sequence of rational numbers.

3. A sequence of rational numbers can be thought of as a function from N

to Q; just let f (n) be the nth rational in the sequence.

Of course, not just any function from N to Q will give us a real number. For
instance, consider this function:
(
1 if n is odd
f (n) =
0 if n is even

90 Release : d3a1905 (2022-12-19)

5.7. APPENDIX: THE REALS AS CAUCHY SEQUENCES

Essentially the worry here is that the sequence 0, 1, 0, 1, 0, 1, 0, . . . doesn’t seem

to “hone in” on any real. So: to ensure that we consider sequences which do
hone in on some real, we need to restrict our attention to sequences which
have some limit.
We have already encountered the idea of a limit, in section 73.2. But we
cannot use quite the same definition as we used there. The expression “(∀ε >
0)” there tacitly involved quantification over the real numbers; and we were
considering the limits of functions on the real numbers; so invoking that def-
inition would be to help ourselves to the real numbers; and they are exactly
what we were aiming to construct. Fortunately, we can work with a closely
related idea of a limit.

Definition 5.10. A function f : N → Q is a Cauchy sequence iff for any positive

ε ∈ Q we have that (∃ℓ ∈ N)(∀m, n > ℓ)| f (m) − f (n)| < ε.

The general idea of a limit is the same as before: if you want a certain
level of precision (measured by ε), there is a “region” to look in (any input
greater than ℓ). And it is easy to see that our sequence
√ 1, 1.4, 1.414, 1.4142,
1.41421. . . has a limit: if you want to approximate 2 to within an error of
1/10n , then just look to any entry after the nth.
The obvious thought, then, would be to say that a real number just is any
Cauchy sequence. But, as in the constructions of Z and Q, this would be
too naı̈ve: for any given real number, multiple different Cauchy sequences
indicate that real number. A simple way to see this as follows. Given a Cauchy
sequence f , define g to be exactly the same function as f , except that g(0) ̸=
f (0). Since the two sequences agree everywhere after the first number, we will
(ultimately) want to say that they have the same limit, in the sense employed
in Definition 5.10, and so should be thought of “defining” the same real. So,
we should really think of these Cauchy sequences as the same real number.
Consequently, we again need to define an equivalence relation on the Cauchy
sequences, and identify real numbers with equivalence relations. First we
need the idea of a function which tends to 0 in the limit. For any function
h : N → Q, say that h tends to 0 iff for any positive ε ∈ Q we have that
(∃ℓ ∈ N)(∀n > ℓ)| f (n)| < ε.4 Further, where f and g are functions N → Q,
let ( f − g)(n) = f (n) − g(n). Now define:

f ≎ g iff ( f − g) tends to 0.

We need to check that ≎ is an equivalence relation; and it is. We can then,

if we like, define the reals as the equivalence classes, under ≎, of all Cauchy
sequences from N → Q.
Having done this, we shall as usual write [ f ]≎ for the equivalence class
with f as an element. However, to keep things readable, in what follows we
4 Compare this with the definition of limx→∞ f ( x ) = 0 in section 73.2.

Release : d3a1905 (2022-12-19) 91

 CHAPTER 5. ARITHMETIZATION

will drop the subscript and write just [ f ] . We also stipulate that, for each
q ∈ Q, we have qR = [cq ] , where cq is the constant function cq (n) = q for all
n ∈ N. We then define basic relations and operations on the reals, e.g.:
[ f ] + [ g] = [( f + g)]
[ f ] × [ g] = [( f × g)]
where ( f + g)(n) = f (n) + g(n) and ( f × g)(n) = f (n) × g(n). Of course,
we also need to check that each of ( f + g), ( f − g) and ( f × g) are Cauchy
sequences when f and g are; but they are, and we leave this to you.
Finally, we define we a notion of order. Say [ f ] is positive iff both [ f ] ̸= 0Q
and (∃ℓ ∈ N)(∀n > ℓ)0 < f (n). Then say [ f ] < [ g] iff [( g − f )] is positive. We
have to check that this is well-defined (i.e., that it does not depend upon choice
of “representative” function from the equivalence class). But having done this,
it is quite easy to show that these yield the right algebraic properties; that is:
Theorem 5.11. The Cauchy sequences constitute an ordered field.
Proof. Exercise.

It is harder to prove that the reals, so constructed, have the Completeness

Property, so we will give the proof.
Theorem 5.12. Every non-empty set of Cauchy sequences with an upper bound has
a least upper bound.

Proof sketch. Let S be any non-empty set of Cauchy sequences with an upper
bound. So there is some p ∈ Q such that pR is an upper bound for S. Let
r ∈ S; then there is some q ∈ Q such that qR < r. So if a least upper bound on
S exists, it is between qR and pR (inclusive).
We will hone in on the l.u.b., by approaching it simultaneously from below
and above. In particular, we define two functions, f , g : N → Q, with the aim
that f will hone in on the l.u.b. from above, and g will hone on in it from
below. We start by defining:
f (0) = p
g (0) = q
f (n)+ g(n)
Then, where an = 2 , let:5
(
an if (∀h ∈ S)[h] ≤ ( an )R
f ( n + 1) =
f (n) otherwise
(
an if (∃h ∈ S)[h] ≥ ( an )R
g ( n + 1) =
g(n) otherwise
5 This is a recursive definition. But we have not yet given any reason to think that recursive

definitions are ok.

92 Release : d3a1905 (2022-12-19)

5.7. APPENDIX: THE REALS AS CAUCHY SEQUENCES

Both f and g are Cauchy sequences. (This can be checked fairly easily; but
we leave it as an exercise.) Note that the function ( f − g) tends to 0, since the
difference between f and g halves at every step. Hence [ f ] = [ g] .
We will show that (∀h ∈ S)[h] ≤ [ f ] , invoking Theorem 5.11 as we go. Let
h ∈ S and suppose, for reductio, that [ f ] < [h] , so that 0R < [(h − f )] . Since
f is a monotonically decreasing Cauchy sequence, there is some n ∈ N such
that [(c f (n) − f )] < [(h − f )] . So:

( f (n))R = [c f (k) ] < [ f ] + [(h − f )] = [h] ,

contradicting the fact that, by construction, [h] ≤ ( f (k ))R .

In an exactly similar way, we can show that (∀[h]∈ S)[ g] ≤ [h] . So [ f ] = [ g]
is the least upper bound for S.

Problems
Problem 5.1. Show that (m + n)Z = mZ + nZ and m ≤ n ↔ mZ ≤ nZ , for
any m, n ∈ N.

Problem 5.2. Show that ∽ is an equivalence relation.

Problem 5.3. Show that (i + j)Q = iQ + jQ and (i × j)Q = iQ × jQ and i ≤

j ↔ iQ ≤ jQ , for any i, j ∈ Z.

Problem 5.4. Prove that Z is a commutative ring.

Problem 5.5. Prove that Z is an ordered ring.

Problem 5.6. Prove that Q is an ordered field.

Problem 5.7. Prove that R is an ordered field.

Problem 5.8. Let f (n) = 0 for every n. Let g(n) = (n+11)2 . Show that both are
Cauchy sequences, and indeed that the limit of both functions is 0, so that also
f ∼R g.

Problem 5.9. Prove that the Cauchy sequences constitute an ordered field.

Release : d3a1905 (2022-12-19) 93

Chapter 6

Infinite Sets

This chapter on infinite sets is taken from Tim Button’s Open Set The-
ory.

6.1 Hilbert’s Hotel

The set of the natural numbers is obviously infinite. So, if we do not want
to help ourselves to the natural numbers, our first step must be characterize
an infinite set in terms that do not require mentioning the natural numbers
themselves. Here is a nice approach, presented by Hilbert in a lecture from
1924. He asks us to imagine

[. . . ] a hotel with a finite number of rooms. All of these rooms

should be occupied by exactly one guest. If the guests now swap
their rooms somehow, [but] so that each room still contains no
more than one person, then no rooms will become free, and the
hotel-owner cannot in this way create a new place for a newly ar-
riving guest [. . . ¶. . . ]
Now we stipulate that the hotel shall have infinitely many num-
bered rooms 1, 2, 3, 4, 5, . . . , each of which is occupied by exactly
one guest. As soon as a new guest comes along, the owner only
needs to move each of the old guests into the room associated
with the number one higher, and room 1 will be free for the newly-
arriving guest.

1 2 3 4 5 6 7 8 9 ...

1 2 3 4 5 6 7 8 9 ...

94
6.2. DEDEKIND ALGEBRAS

(published in Hilbert 2013, 730; our translation)

The crucial point is that Hilbert’s Hotel has infinitely many rooms; and we
can take his explanation to define what it means to say this. Indeed, this was
Dedekind’s approach (presented here, of course, with massive anachronism;
Dedekind’s definition is from 1888):
Definition 6.1. A set A is Dedekind infinite iff there is an injection from A to a
proper subset of A. That is, there is some o ∈ A and an injection f : A → A
such that o ∈
/ ran( f ).

6.2 Dedekind Algebras

We not only want natural numbers to be infinite; we want them to have cer-
tain (algebraic) properties: they need to behave well under addition, multipli-
cation, and so forth.
Dedekind’s idea was to take the idea of the successor function as basic, and
then characterise the numbers as those with the following properties:
1. There is a number, 0, which is not the successor of any number
i.e., 0 ∈
/ ran(s)
i.e., ∀ x s( x ) ̸= 0

2. Distinct numbers have distinct successors

i.e., s is an injection
i.e., ∀ x ∀y(s( x ) = s(y) → x = y)

3. Every number is obtained from 0 by repeated applications of the succes-

sor function.
The first two conditions are easy to deal with using first-order logic (see above).
But we cannot deal with (3) just using first-order logic. Dedekind’s break-
through was to reformulate condition (3), set-theoretically, as follows:
3′ . The natural numbers are the smallest set that is closed under the successor
function: that is, if we apply s to any element of the set, we obtain another
element of the set.
But we shall need to spell this out slowly.
Definition 6.2. For any function f , the set X is f -closed iff (∀ x ∈ X ) f ( x ) ∈ X.
Now define, for any o:
\
clo f (o ) = { X : o ∈ X and X is f -closed}

So clo f (o ) is the intersection of all the f -closed sets with o as an element.

Intuitively, then, clo f (o ) is the smallest f -closed set with o as an element. This
next result makes that intuitive thought precise;

Release : d3a1905 (2022-12-19) 95

 CHAPTER 6. INFINITE SETS

Lemma 6.3. For any function f and any o ∈ A:

1. o ∈ clo f (o ); and

2. clo f (o ) is f -closed; and

3. if X is f -closed and o ∈ X, then clo f (o ) ⊆ X

Proof. Note that there is at least one f -closed set with o as an element, namely
ran( f ) ∪ {o }. So clo f (o ), the intersection of all such sets, exists. We must now
check (1)–(3).
Concerning (1): o ∈ clo f (o ) as it is an intersection of sets which all have o
as an element.
Concerning (2): suppose x ∈ clo f (o ). So if o ∈ X and X is f -closed, then
x ∈ X, and now f ( x ) ∈ X as X is f -closed. So f ( x ) ∈ clo f (o ).
Concerning (3): quite generally, if X ∈ C then C ⊆ X.
T

Using this, we can say:

Definition 6.4. A Dedekind algebra is a set A together with a function f : A →

A and some o ∈ A such that:

1. o ∈
/ ran( f )

2. f is an injection

3. A = clo f (o )

Since A = clo f (o ), our earlier result tells us that A is the smallest f -closed
set with o as an element. Clearly a Dedekind algebra is Dedekind infinite; just
look at clauses (1) and (2) of the definition. But the more exciting fact is that
any Dedekind infinite set can be turned into a Dedekind algebra.

Theorem 6.5. If there is a Dedekind infinite set, then there is a Dedekind algebra.

Proof. Let D be Dedekind infinite. So there is an injection g : D → D and an

element o ∈ D \ ran( g). Now let A = clog (o ); by Lemma 6.3, A exists and
o ∈ A. Let f = g↾ A . We will show that A, f , o comprise a Dedekind algebra.
Concerning (1): o ∈ / ran( g) and ran( f ) ⊆ ran( g) so o ∈
/ ran( f ).
Concerning (2): g is an injection on D; so f ⊆ g must be an injection.
Concerning (3): by Lemma 6.3, A is g-closed; a fortiori, A is f -closed. So
clo f (o ) ⊆ A by Lemma 6.3. Since also clo f (o ) is f -closed and f = g↾ A , it
follows that clo f (o ) is g-closed. So A ⊆ clo f (o ) by Lemma 6.3.

96 Release : d3a1905 (2022-12-19)

6.3. ARITHMETICAL INDUCTION

6.3 Dedekind Algebras and Arithmetical Induction

Crucially, now, a Dedekind algebra—indeed, any Dedekind algebra—will serve
as a surrogate for the natural numbers. This is thanks to the following trivial
consequence:

Theorem 6.6 (Arithmetical induction). Let N, s, o comprise a Dedekind algebra.

Then for any set X:

if o ∈ X and (∀n ∈ N ∩ X )s(n) ∈ X, then N ⊆ X.

Proof. By the definition of a Dedekind algebra, N = clos (o ). Now if both

o ∈ X and (∀n ∈ N )(n ∈ X → s(n) ∈ X ), then N = clos (o ) ⊆ X.

Since induction is characteristic of the natural numbers, the point is this.

Given any Dedekind infinite set, we can form a Dedekind algebra, and use
that algebra as our surrogate for the natural numbers.
Admittedly, Theorem 6.6 formulates induction in set-theoretic terms. But
we can easily put the principle in terms which might be more familiar:

Corollary 6.7. Let N, s, o comprise a Dedekind algebra. Then for any formula φ( x ),
which may have parameters:

if φ(o ) and (∀n ∈ N )( φ(n) → φ(s(n))), then (∀n ∈ N ) φ(n)

Proof. Let X = {n ∈ N : φ(n)}, and now use Theorem 6.6

In this result, we spoke of a formula “having parameters”. What this

means, roughly, is that for any objects c1 , . . . , ck , we can work with φ( x, c1 , . . . , ck ).
More precisely, we can state the result without mentioning “parameters” as
follows. For any formula φ( x, v1 , . . . , vk ), whose free variables are all dis-
played, we have:

∀v1 . . . ∀vk (( φ(o, v1 , . . . , vk ) ∧

(∀ x ∈ N )( φ( x, v1 , . . . , vk ) → φ(s( x ), v1 , . . . , vk ))) →
(∀ x ∈ N ) φ( x, v1 , . . . , vk ))

Evidently, speaking of “having parameters” can make things much easier to

read. (In part XIV, we will use this device rather frequently.)
Returning to Dedekind algebras: given any Dedekind algebra, we can also
define the usual arithmetical functions of addition, multiplication and expo-
nentiation. This is non-trivial, however, and it involves the technique of recur-
sive definition. That is a technique which we shall introduce and justify much
later, and in a much more general context. (Enthusiasts might want to revisit

Release : d3a1905 (2022-12-19) 97

 CHAPTER 6. INFINITE SETS

this after chapter 66, or perhaps read an alternative treatment, such as Pot-
ter 2004, pp. 95–8.) But, where N, s, o comprise a Dedekind algebra, we will
ultimately be able to stipulate the following:

a+o = a a×o = o ao = s(o )

a + s(b) = s( a + b) a × s(b) = ( a × b) + a as(b) = ab × a

and show that these behave as one would hope.

6.4 Dedekind’s “Proof” of the Existence of an Infinite Set

In this chapter, we have offered a set-theoretic treatment of the natural num-
bers, in terms of Dedekind algebras. In section 5.5, we reflected on the philo-
sophical significance of the arithmetisation of analysis (among other things).
Now we should reflect on the significance of what we have achieved here.
Throughout chapter 5, we took the natural numbers as given, and used
them to construct the integers, rationals, and reals, explicitly. In this chapter,
we have not given an explicit construction of the natural numbers. We have
just shown that, given any Dedekind infinite set, we can define a set which will
behave just like we want N to behave.
Obviously, then, we cannot claim to have answered a metaphysical ques-
tion, such as which objects are the natural numbers. But that’s a good thing.
After all, in section 5.5, we emphasized that we would be wrong to think of
the definition of R as the set of Dedekind cuts as a discovery, rather than a
convenient stipulation. The crucial observation is that the Dedekind cuts ex-
emplify the key mathematical properties of the real numbers. So too here: the
crucial observation is that any Dedekind algebra exemplifies the key math-
ematical properties of the natural numbers. (Indeed, Dedekind pushed this
point home by proving that all Dedekind algebras are isomorphic (1888, Theo-
rems 132–3). It is no surprise, then, that many contemporary “structuralists”
cite Dedekind as a forerunner.)
Moreover, we have shown how to embed the theory of the natural num-
bers into a naı̈ve simple set theory, which itself still remains rather informal,
but which doesn’t (apparently) assume the natural numbers as given. So, we
may be on the way to realising Dedekind’s own ambitious project, which he
explained thus:

In science nothing capable of proof ought to be believed without

proof. Though this demand seems reasonable, I cannot regard it
as having been met even in the most recent methods of laying the
foundations of the simplest science; viz., that part of logic which
deals with the theory of numbers. In speaking of arithmetic (al-
gebra, analysis) as merely a part of logic I mean to imply that I
consider the number-concept entirely independent of the notions

98 Release : d3a1905 (2022-12-19)

6.4. DEDEKIND’S “PROOF”

or intuitions of space and time—that I rather consider it an im-

mediate product of the pure laws of thought. (Dedekind, 1888,
preface)

Dedekind’s bold idea is this. We have just shown how to build the natural
numbers using (naı̈ve) set theory alone. In chapter 5, we saw how to con-
struct the reals given the natural numbers and some set theory. So, perhaps,
“arithmetic (algebra, analysis)” turn out to be “merely a part of logic” (in
Dedekind’s extended sense of the word “logic”).
That’s the idea. But hold on for a moment. Our construction of a Dedekind
algebra (our surrogate for the natural numbers) is conditional on the existence
of a Dedekind infinite set. (Just look back to Theorem 6.5.) Unless the exis-
tence of a Dedekind infinite set can be established via “logic” or “the pure
laws of thought”, the project stalls.
So, can the existence of a Dedekind infinite set be established by “the pure
laws of thought”? Here was Dedekind’s effort:

My own realm of thoughts, i.e., the totality S of all things which

can be objects of my thought, is infinite. For if s signifies an ele-
ment of S, then the thought s′ that s can be an object of my thought,
is itself an element of S. If we regard this as an image φ(s) of the el-
ement s, then . . . S is [Dedekind] infinite, which was to be proved.
(Dedekind, 1888, §66)

This is quite an astonishing thing to find in the middle of a book which largely
consists of highly rigorous mathematical proofs. Two remarks are worth mak-
ing.
First: this “proof” scarcely has what we would now recognize as a “math-
ematical” character. It speaks of psychological objects (thoughts), and merely
possible ones at that.
Second: at least as we have presented Dedekind algebras, this “proof”
has a straightforward technical shortcoming. If Dedekind’s argument is suc-
cessful, it establishes only that there are infinitely many things (specifically,
infinitely many thoughts). But Dedekind also needs to give us a reason to re-
gard S as a single set, with infinitely many elements, rather than thinking of S
as some things (in the plural).
The fact that Dedekind did not see a gap here might suggest that his use
of the word “totality” does not precisely track our use of the word “set”.1 But
this would not be too surprising. The project we have pursued in the last two
chapters—a “construction” of the naturals, and from them a “construction”
of the integers, reals and rationals—has all been carried out naı̈vely. We have
helped ourselves to this set, or that set, as and when we have needed them,
without laying down many general principles concerning exactly which sets
1 Indeed, we have other reasons to think it did not; see Potter (2004, p. 23).

Release : d3a1905 (2022-12-19) 99

 CHAPTER 6. INFINITE SETS

exist, and when. But we know that we need some general principles, for oth-
erwise we will fall into Russell’s Paradox.
The time has come for us to outgrow our naı̈vety.

6.5 Appendix: Proving Schröder-Bernstein

Before we depart from naı̈ve set theory, we have one last naı̈ve (but sophisti-
cated!) proof to consider. This is a proof of Schröder-Bernstein (Theorem 4.25):
if A ⪯ B and B ⪯ A then A ≈ B; i.e., given injections f : A → B and g : B → A
there is a bijection h : A → B.
In this chapter, we followed Dedekind’s notion of closures. In fact, Dedekind
provided a lovely proof of Schröder-Bernstein using this notion, and we will
present it here. The proof closely follows Potter (2004, pp. 157–8), if you want
a slightly different but essentially similar treatment. A little googling will
√ also
convince you that this is a theorem—rather like the irrationality of 2—for
which many interesting and different proofs exist.
Using similar notation as Definition 6.2, let
\
Clo f ( B) = { X : B ⊆ X and X is f -closed}

for each set B and function f . Defined thus, Clo f ( B) is the smallest f -closed
set containing B, in that:

Lemma 6.8. For any function f , and any B:

1. B ⊆ Clo f ( B); and

2. Clo f ( B) is f -closed; and

3. if X is f -closed and B ⊆ X, then Clo f ( B) ⊆ X.

Proof. Exactly as in Lemma 6.3.

We need one last fact to get to Schröder-Bernstein:

Proposition 6.9. If A ⊆ B ⊆ C and A ≈ C, then A ≈ B ≈ C.

Proof. Given a bijection f : C → A, let F = Clo f (C \ B) and define a function

g with domain C as follows:
(
f ( x ) if x ∈ F
g( x ) =
x otherwise

We’ll show that g is a bijection from C → B, from which it will follow that
g ◦ f −1 : A → B is a bijection, completing the proof.

100 Release : d3a1905 (2022-12-19)

6.5. APPENDIX: PROVING SCHRÖDER-BERNSTEIN

First we claim that if x ∈ F but y ∈ / F then g( x ) ̸= g(y). For reductio

suppose otherwise, so that y = g(y) = g( x ) = f ( x ). Since x ∈ F and F is
f -closed by Lemma 6.8, we have y = f ( x ) ∈ F, a contradiction.
Now suppose g( x ) = g(y). So, by the above, x ∈ F iff y ∈ F. If x, y ∈ F,
then f ( x ) = g( x ) = g(y) = f (y) so that x = y since f is a bijection. If x, y ∈
/ F,
then x = g( x ) = g(y) = y. So g is an injection.
It remains to show that ran( g) = B. So fix x ∈ B ⊆ C. If x ∈ / F, then
g( x ) = x. If x ∈ F, then x = f (y) for some y ∈ F, since otherwise F \ { x }
would be f -closed and extend C \ B, which is impossible by Lemma 6.8; now
g(y) = f (y) = x.

Finally, here is the proof of the main result. Recall that given a function h
and set D, we define h[ D ] = {h( x ) : x ∈ D }.

Proof of Schröder-Bernstein. Let f : A → B and g : B → A be injections. Since

f [ A] ⊆ B we have that g[ f [ A]] ⊆ g[ B] ⊆ A. Also, g ◦ f : A → g[ f [ A]] is an
injection since both g and f are; and indeed g ◦ f is a bijection, just by the
way we defined its codomain. So g[ f [ A]] ≈ A, and hence by Proposition 6.9
there is a bijection h : A → g[ B]. Moreover, g−1 is a bijection g[ B] → B. So
g−1 ◦ h : A → B is a bijection.

Release : d3a1905 (2022-12-19) 101

 Part II

Propositional Logic

102
6.5. APPENDIX: PROVING SCHRÖDER-BERNSTEIN

This part contains material on classical propositional logic. The first

chapter is relatively rudimentary and just lists definitions and results,
many proofs are not carried out but are left as exercises. The material
on proof systems and the completeness theorem is included from the part
on first-order logic, with the “FOL” tag set to false. This leaves out ev-
erything related to predicates, terms, and quantifiers, and replaces talk of
structures M with talk about valuations v.
It is planned to expand this part to include more detail, and to add
further topics and results, such as truth-functional completeness.

Release : d3a1905 (2022-12-19) 103

Chapter 7

Syntax and Semantics

This is a very quick summary of definitions only. It should be ex-

panded to provide a gentle intro to proofs by induction on formulas, with
lots more examples.

7.1 Introduction
Propositional logic deals with formulas that are built from propositional vari-
ables using the propositional connectives ¬, ∧, ∨, →, and ↔. Intuitively,
a propositional variable p stands for a sentence or proposition that is true or
false. Whenever the “truth value” of the propositional variable in a formula
is determined, so is the truth value of any formulas formed from them using
propositional connectives. We say that propositional logic is truth functional,
because its semantics is given by functions of truth values. In particular, in
propositional logic we leave out of consideration any further determination
of truth and falsity, e.g., whether something is necessarily true rather than
just contingently true, or whether something is known to be true, or whether
something is true now rather than was true or will be true. We only consider
two truth values true (T) and false (F), and so exclude from discussion the
possibility that a statement may be neither true nor false, or only half true. We
also concentrate only on connectives where the truth value of a formula built
from them is completely determined by the truth values of its parts (and not,
say, on its meaning). In particular, whether the truth value of conditionals in
English is truth functional in this sense is contentious. The material condi-
tional → is; other logics deal with conditionals that are not truth functional.
In order to develop the theory and metatheory of truth-functional propo-
sitional logic, we must first define the syntax and semantics of its expressions.
We will describe one way of constructing formulas from propositional vari-
ables using the connectives. Alternative definitions are possible. Other sys-

104
7.2. PROPOSITIONAL FORMULAS

tems will choose different symbols, will select different sets of connectives
as primitive, and will use parentheses differently (or even not at all, as in
the case of so-called Polish notation). What all approaches have in common,
though, is that the formation rules define the set of formulas inductively. If
done properly, every expression can result essentially in only one way accord-
ing to the formation rules. The inductive definition resulting in expressions
that are uniquely readable means we can give meanings to these expressions
using the same method—inductive definition.
Giving the meaning of expressions is the domain of semantics. The central
concept in semantics for propositional logic is that of satisfaction in a valua-
tion. A valuation v assigns truth values T, F to the propositional variables.
Any valuation determines a truth value v( φ) for any formula φ. A formula is
satisfied in a valuation v iff v( φ) = T—we write this as v ⊨ φ. This relation
can also be defined by induction on the structure of φ, using the truth func-
tions for the logical connectives to define, say, satisfaction of φ ∧ ψ in terms of
satisfaction (or not) of φ and ψ.
On the basis of the satisfaction relation v ⊨ φ for sentences we can then
define the basic semantic notions of tautology, entailment, and satisfiability.
A formula is a tautology, ⊨ φ, if every valuation satisfies it, i.e., v( φ) = T for
any v. It is entailed by a set of formulas, Γ ⊨ φ, if every valuation that satisfies
all the formulas in Γ also satisfies φ. And a set of formulas is satisfiable if
some valuation satisfies all formulas in it at the same time. Because formulas
are inductively defined, and satisfaction is in turn defined by induction on
the structure of formulas, we can use induction to prove properties of our
semantics and to relate the semantic notions defined.

7.2 Propositional Formulas

Formulas of propositional logic are built up from propositional variables and the
propositional constant ⊥ using logical connectives.

1. A denumerable set At0 of propositional variables p0 , p1 , . . .

2. The propositional constant for falsity ⊥.

3. The logical connectives: ¬ (negation), ∧ (conjunction), ∨ (disjunction),

→ (conditional)
4. Punctuation marks: (, ), and the comma.

We denote this language of propositional logic by L0 .

In addition to the primitive connectives introduced above, we also use the
following defined symbols: ↔ (biconditional), ⊤ (truth)
A defined symbol is not officially part of the language, but is introduced
as an informal abbreviation: it allows us to abbreviate formulas which would,

Release : d3a1905 (2022-12-19) 105

 CHAPTER 7. SYNTAX AND SEMANTICS

if we only used primitive symbols, get quite long. This is obviously an ad-
vantage. The bigger advantage, however, is that proofs become shorter. If a
symbol is primitive, it has to be treated separately in proofs. The more primi-
tive symbols, therefore, the longer our proofs.
You may be familiar with different terminology and symbols than the ones
we use above. Logic texts (and teachers) commonly use either ∼, ¬, and ! for
“negation”, ∧, ·, and & for “conjunction”. Commonly used symbols for the
“conditional” or “implication” are →, ⇒, and ⊃. Symbols for “biconditional,”
“bi-implication,” or “(material) equivalence” are ↔, ⇔, and ≡. The ⊥ sym-
bol is variously called “falsity,” “falsum,” “absurdity,” or “bottom.” The ⊤
symbol is variously called “truth,” “verum,” or “top.”

Definition 7.1 (Formula). The set Frm(L0 ) of formulas of propositional logic

is defined inductively as follows:

1. ⊥ is an atomic formula.

2. Every propositional variable pi is an atomic formula.

3. If φ is a formula, then ¬ φ is a formula.

4. If φ and ψ are formulas, then ( φ ∧ ψ) is a formula.

5. If φ and ψ are formulas, then ( φ ∨ ψ) is a formula.

6. If φ and ψ are formulas, then ( φ → ψ) is a formula.

7. Nothing else is a formula.

The definition of formulas is an inductive definition. Essentially, we con-

struct the set of formulas in infinitely many stages. In the initial stage, we
pronounce all atomic formulas to be formulas; this corresponds to the first
few cases of the definition, i.e., the cases for ⊥, pi . “Atomic formula” thus
means any formula of this form.
The other cases of the definition give rules for constructing new formulas
out of formulas already constructed. At the second stage, we can use them to
construct formulas out of atomic formulas. At the third stage, we construct
new formulas from the atomic formulas and those obtained in the second
stage, and so on. A formula is anything that is eventually constructed at such
a stage, and nothing else.

Definition 7.2. Formulas constructed using the defined operators are to be

understood as follows:

1. ⊤ abbreviates ¬⊥.

2. φ ↔ ψ abbreviates ( φ → ψ) ∧ (ψ → φ).

106 Release : d3a1905 (2022-12-19)

7.3. PRELIMINARIES

Definition 7.3 (Syntactic identity). The symbol ≡ expresses syntactic iden-

tity between strings of symbols, i.e., φ ≡ ψ iff φ and ψ are strings of symbols
of the same length and which contain the same symbol in each place.

The ≡ symbol may be flanked by strings obtained by concatenation, e.g.,

φ ≡ (ψ ∨ χ) means: the string of symbols φ is the same string as the one
obtained by concatenating an opening parenthesis, the string ψ, the ∨ symbol,
the string χ, and a closing parenthesis, in this order. If this is the case, then we
know that the first symbol of φ is an opening parenthesis, φ contains ψ as a
substring (starting at the second symbol), that substring is followed by ∨, etc.

7.3 Preliminaries
Theorem 7.4 (Principle of induction on formulas). If some property P holds for
all the atomic formulas and is such that

1. it holds for ¬ φ whenever it holds for φ;

2. it holds for ( φ ∧ ψ) whenever it holds for φ and ψ;

3. it holds for ( φ ∨ ψ) whenever it holds for φ and ψ;

4. it holds for ( φ → ψ) whenever it holds for φ and ψ;

then P holds for all formulas.

Proof. Let S be the collection of all formulas with property P. Clearly S ⊆

Frm(L0 ). S satisfies all the conditions of Definition 7.1: it contains all atomic
formulas and is closed under the logical operators. Frm(L0 ) is the smallest
such class, so Frm(L0 ) ⊆ S. So Frm(L0 ) = S, and every formula has prop-
erty P.

Proposition 7.5. Any formula in Frm(L0 ) is balanced, in that it has as many left
parentheses as right ones.

Proposition 7.6. No proper initial segment of a formula is a formula.

Proposition 7.7 (Unique Readability). Any formula φ in Frm(L0 ) has exactly

one parsing as one of the following

1. ⊥.

2. pn for some pn ∈ At0 .

3. ¬ψ for some formula ψ.

4. (ψ ∧ χ) for some formulas ψ and χ.

Release : d3a1905 (2022-12-19) 107

 CHAPTER 7. SYNTAX AND SEMANTICS

5. (ψ ∨ χ) for some formulas ψ and χ.

6. (ψ → χ) for some formulas ψ and χ.

Moreover, this parsing is unique.

Proof. By induction on φ. For instance, suppose that φ has two distinct read-
ings as (ψ → χ) and (ψ′ → χ′ ). Then ψ and ψ′ must be the same (or else one
would be a proper initial segment of the other); so if the two readings of φ are
distinct it must be because χ and χ′ are distinct readings of the same sequence
of symbols, which is impossible by the inductive hypothesis.

Definition 7.8 (Uniform Substitution). If φ and ψ are formulas, and pi is a

propositional variable, then φ[ψ/pi ] denotes the result of replacing each oc-
currence of pi by an occurrence of ψ in φ; similarly, the simultaneous substitu-
tion of p1 , . . . , pn by formulas ψ1 , . . . , ψn is denoted by φ[ψ1 /p1 , . . . , ψn /pn ].

7.4 Formation Sequences

Defining formulas via an inductive definition, and the complementary tech-
nique of proving properties of formulas via induction, is an elegant and effi-
cient approach. However, it can also be useful to consider a more bottom-up,
step-by-step approach to the construction of formulas, which we do here us-
ing the notion of a formation sequence.

Definition 7.9 (Formation sequences for formulas). A finite sequence ⟨ φ0 , . . . , φn ⟩

of strings of symbols from the language L0 is a formation sequence for φ if
φ ≡ φn and for all i ≤ n, either φi is an atomic formula or there exist j, k < i
such that one of the following holds:

1. φi ≡ ¬ φ j .

2. φi ≡ ( φ j ∧ φk ).

3. φi ≡ ( φ j ∨ φk ).

4. φi ≡ ( φ j → φk ).

Example 7.10.

⟨p0 , p1 , (p1 ∧ p0 ), ¬(p1 ∧ p0 )⟩

is a formation sequence of ¬(p1 ∧ p0 ), as is

⟨p0 , p1 , p0 , (p1 ∧ p0 ), (p0 → p1 ), ¬(p1 ∧ p0 )⟩.

As can be seen from the second example, formation sequences may contain
‘junk’: formulas which are redundant or do not contribute to the construction.

108 Release : d3a1905 (2022-12-19)

7.4. FORMATION SEQUENCES

Proposition 7.11. Every formula φ in Frm(L0 ) has a formation sequence.

Proof. Suppose φ is atomic. Then the sequence ⟨ φ⟩ is a formation sequence

for φ. Now suppose that ψ and χ have formation sequences ⟨ψ0 , . . . , ψn ⟩ and
⟨χ0 , . . . , χm ⟩ respectively.

1. If φ ≡ ¬ψ, then ⟨ψ0 , . . . , ψn , ¬ψn ⟩ is a formation sequence for φ.

2. If φ ≡ (ψ ∧ χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn ∧ χm )⟩ is a formation

sequence for φ.

3. If φ ≡ (ψ ∨ χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn ∨ χm )⟩ is a formation

sequence for φ.

4. If φ ≡ (ψ → χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn → χm )⟩ is a formation

sequence for φ.

By the principle of induction on formulas, every formula has a formation se-

quence.

We can also prove the converse. This is important because it shows that
our two ways of defining formulas are equivalent: they give the same results.
It also means that we can prove theorems about formulas by using ordinary
induction on the length of formation sequences.

Lemma 7.12. Suppose that ⟨ φ0 , . . . , φn ⟩ is a formation sequence for φn , and that

k ≤ n. Then ⟨ φ0 , . . . , φk ⟩ is a formation sequence for φk .

Theorem 7.13. Frm(L0 ) is the set of all expressions (strings of symbols) in the lan-
guage L0 with a formation sequence.

Proof. Let F be the set of all strings of symbols in the language L0 that have a
formation sequence. We have seen in Proposition 7.11 that Frm(L0 ) ⊆ F, so
now we prove the converse.
Suppose φ has a formation sequence ⟨ φ0 , . . . , φn ⟩. We prove that φ ∈
Frm(L0 ) by strong induction on n. Our induction hypothesis is that every
string of symbols with a formation sequence of length m < n is in Frm(L0 ).
By the definition of a formation sequence, either φn is atomic or there must
exist j, k < n such that one of the following is the case:

1. φi ≡ ¬ φ j .

2. φi ≡ ( φ j ∧ φk ).

3. φi ≡ ( φ j ∨ φk ).

4. φi ≡ ( φ j → φk ).

Release : d3a1905 (2022-12-19) 109

 CHAPTER 7. SYNTAX AND SEMANTICS

Now we reason by cases. If φn is atomic then φn ∈ Frm(L0 ). Suppose in-

stead that φ ≡ ( φ j ∧ φk ). By Lemma 7.12, ⟨ φ0 , . . . , φ j ⟩ and ⟨ φ0 , . . . , φk ⟩ are
formation sequences for φ j and φk respectively. Since these are proper ini-
tial subsequences of the formation sequence for φ, they both have length less
than n. Therefore by the induction hypothesis, φ j and φk are in Frm(L0 ), and
so by the definition of a formula, so is ( φ j ∧ φk ). The other cases follow by
parallel reasoning.

7.5 Valuations and Satisfaction

Definition 7.14 (Valuations). Let {T, F} be the set of the two truth values,
“true” and “false.” A valuation for L0 is a function v assigning either T or F to
the propositional variables of the language, i.e., v : At0 → {T, F}.
Definition 7.15. Given a valuation v, define the evaluation function v : Frm(L0 ) →
{T, F} inductively by:
v(⊥) = F;
v (pn ) = v (pn );
(
T if v( φ) = F;
v(¬ φ) =
F otherwise.
(
T if v( φ) = T and v(ψ) = T;
v( φ ∧ ψ ) =
F if v( φ) = F or v(ψ) = F.
(
T if v( φ) = T or v(ψ) = T;
v( φ ∨ ψ ) =
F if v( φ) = F and v(ψ) = F.
(
T if v( φ) = F or v(ψ) = T;
v( φ → ψ ) =
F if v( φ) = T and v(ψ) = F.

The clauses correspond to the following truth tables:

φ ψ φ∧ψ φ ψ φ∨ψ
φ ¬φ T T T T T T
T F T F F T F T
F T F T F F T T
F F F F F F

φ ψ φ→ψ
T T T
T F F
F T T
F F T

110 Release : d3a1905 (2022-12-19)

7.6. SEMANTIC NOTIONS

Theorem 7.16 (Local Determination). Suppose that v1 and v2 are valuations that
agree on the propositional letters occurring in φ, i.e., v1 (pn ) = v2 (pn ) whenever pn
occurs in some formula φ. Then v1 and v2 also agree on φ, i.e., v1 ( φ) = v2 ( φ).

Proof. By induction on φ.

Definition 7.17 (Satisfaction). We can inductively define the notion of satis-

faction of a formula φ by a valuation v, v ⊨ φ, as follows. (We write v ⊭ φ to mean
“not v ⊨ φ.”)

1. φ ≡ ⊥: v ⊭ φ.

2. φ ≡ pi : v ⊨ φ iff v(pi ) = T.

3. φ ≡ ¬ψ: v ⊨ φ iff v ⊭ ψ.

4. φ ≡ (ψ ∧ χ): v ⊨ φ iff v ⊨ ψ and v ⊨ χ.

5. φ ≡ (ψ ∨ χ): v ⊨ φ iff v ⊨ ψ or v ⊨ χ (or both).

6. φ ≡ (ψ → χ): v ⊨ φ iff v ⊭ ψ or v ⊨ χ (or both).

If Γ is a set of formulas, v ⊨ Γ iff v ⊨ φ for every φ ∈ Γ.

Proposition 7.18. v ⊨ φ iff v( φ) = T.

Proof. By induction on φ.

7.6 Semantic Notions

We define the following semantic notions:

Definition 7.19. 1. A formula φ is satisfiable if for some v, v ⊨ φ; it is unsat-

isfiable if for no v, v ⊨ φ;

2. A formula φ is a tautology if v ⊨ φ for all valuations v;

3. A formula φ is contingent if it is satisfiable but not a tautology;

4. If Γ is a set of formulas, Γ ⊨ φ (“Γ entails φ”) if and only if v ⊨ φ for

every valuation v for which v ⊨ Γ.

5. If Γ is a set of formulas, Γ is satisfiable if there is a valuation v for which

v ⊨ Γ, and Γ is unsatisfiable otherwise.

Proposition 7.20. 1. φ is a tautology if and only if ∅ ⊨ φ;

2. If Γ ⊨ φ and Γ ⊨ φ → ψ then Γ ⊨ ψ;

3. If Γ is satisfiable then every finite subset of Γ is also satisfiable;

Release : d3a1905 (2022-12-19) 111

 CHAPTER 7. SYNTAX AND SEMANTICS

4. Monotonicity: if Γ ⊆ ∆ and Γ ⊨ φ then also ∆ ⊨ φ;

5. Transitivity: if Γ ⊨ φ and ∆ ∪ { φ} ⊨ ψ then Γ ∪ ∆ ⊨ ψ.

Proof. Exercise.

Proposition 7.21. Γ ⊨ φ if and only if Γ ∪ {¬ φ} is unsatisfiable.

Proof. Exercise.

Theorem 7.22 (Semantic Deduction Theorem). Γ ⊨ φ → ψ if and only if Γ ∪

{ φ} ⊨ ψ.

Proof. Exercise.

Problems
Problem 7.1. Prove Proposition 7.5

Problem 7.2. Prove Proposition 7.6

Problem 7.3. For each of the five formulas below determine whether the for-
mula can be expressed as a substitution φ[ψ/pi ] where φ is (i) p0 ; (ii) (¬p0 ∧
p1 ); and (iii) ((¬p0 → p1 ) ∧ p2 ). In each case specify the relevant substitution.

1. p1

2. (¬p0 ∧ p0 )

3. ((p0 ∨ p1 ) ∧ p2 )

4. ¬((p0 → p1 ) ∧ p2 )

5. ((¬(p0 → p1 ) → (p0 ∨ p1 )) ∧ ¬(p0 ∧ p1 ))

Problem 7.4. Give a mathematically rigorous definition of φ[ψ/p] by induc-

tion.

Problem 7.5. Consider adding to L0 a ternary connective ♢ with evaluation

given by
(
v(ψ) if v( φ) = T;
v(♢( φ, ψ, χ)) =
v(χ) if v( φ) = F.

Write down the truth table for this connective.

Problem 7.6. Prove Proposition 7.18

112 Release : d3a1905 (2022-12-19)

7.6. SEMANTIC NOTIONS

Problem 7.7. For each of the following four formulas determine whether it is
(a) satisfiable, (b) tautology, and (c) contingent.

1. (p0 → (¬p1 → ¬p0 )).

2. ((p0 ∧ ¬p1 ) → (¬p0 ∧ p2 )) ↔ ((p2 → p0 ) → (p0 → p1 )).

3. (p0 ↔ p1 ) → (p2 ↔ ¬p1 ).

4. ((p0 ↔ (¬p1 ∧ p2 )) ∨ (p2 → (p0 ↔ p1 ))).

Problem 7.8. Prove Proposition 7.20

Problem 7.9. Prove Proposition 7.21

Problem 7.10. Prove Theorem 7.22

Release : d3a1905 (2022-12-19) 113

Chapter 8

Derivation Systems

This chapter collects general material on derivation systems. A text-

book using a specific system can insert the introduction section plus the
relevant survey section at the beginning of the chapter introducing that
system.

8.1 Introduction
Logics commonly have both a semantics and a derivation system. The seman-
tics concerns concepts such as truth, satisfiability, validity, and entailment.
The purpose of derivation systems is to provide a purely syntactic method
of establishing entailment and validity. They are purely syntactic in the sense
that a derivation in such a system is a finite syntactic object, usually a sequence
(or other finite arrangement) of sentences or formulas. Good derivation sys-
tems have the property that any given sequence or arrangement of sentences
or formulas can be verified mechanically to be “correct.”
The simplest (and historically first) derivation systems for first-order logic
were axiomatic. A sequence of formulas counts as a derivation in such a sys-
tem if each individual formula in it is either among a fixed set of “axioms”
or follows from formulas coming before it in the sequence by one of a fixed
number of “inference rules”—and it can be mechanically verified if a formula
is an axiom and whether it follows correctly from other formulas by one of the
inference rules. Axiomatic derivation systems are easy to describe—and also
easy to handle meta-theoretically—but derivations in them are hard to read
and understand, and are also hard to produce.
Other derivation systems have been developed with the aim of making it
easier to construct derivations or easier to understand derivations once they
are complete. Examples are natural deduction, truth trees, also known as
tableaux proofs, and the sequent calculus. Some derivation systems are de-

114
8.1. INTRODUCTION

signed especially with mechanization in mind, e.g., the resolution method is

easy to implement in software (but its derivations are essentially impossible
to understand). Most of these other derivation systems represent derivations
as trees of formulas rather than sequences. This makes it easier to see which
parts of a derivation depend on which other parts.
So for a given logic, such as first-order logic, the different derivation sys-
tems will give different explications of what it is for a sentence to be a theorem
and what it means for a sentence to be derivable from some others. However
that is done (via axiomatic derivations, natural deductions, sequent deriva-
tions, truth trees, resolution refutations), we want these relations to match the
semantic notions of validity and entailment. Let’s write ⊢ φ for “φ is a the-
orem” and “Γ ⊢ φ” for “φ is derivable from Γ.” However ⊢ is defined, we
want it to match up with ⊨, that is:

1. ⊢ φ if and only if ⊨ φ

2. Γ ⊢ φ if and only if Γ ⊨ φ

The “only if” direction of the above is called soundness. A derivation system is
sound if derivability guarantees entailment (or validity). Every decent deriva-
tion system has to be sound; unsound derivation systems are not useful at all.
After all, the entire purpose of a derivation is to provide a syntactic guarantee
of validity or entailment. We’ll prove soundness for the derivation systems
we present.
The converse “if” direction is also important: it is called completeness. A
complete derivation system is strong enough to show that φ is a theorem
whenever φ is valid, and that Γ ⊢ φ whenever Γ ⊨ φ. Completeness is harder
to establish, and some logics have no complete derivation systems. First-order
logic does. Kurt Gödel was the first one to prove completeness for a derivation
system of first-order logic in his 1929 dissertation.
Another concept that is connected to derivation systems is that of consis-
tency. A set of sentences is called inconsistent if anything whatsoever can be
derived from it, and consistent otherwise. Inconsistency is the syntactic coun-
terpart to unsatisfiablity: like unsatisfiable sets, inconsistent sets of sentences
do not make good theories, they are defective in a fundamental way. Con-
sistent sets of sentences may not be true or useful, but at least they pass that
minimal threshold of logical usefulness. For different derivation systems the
specific definition of consistency of sets of sentences might differ, but like ⊢,
we want consistency to coincide with its semantic counterpart, satisfiability.
We want it to always be the case that Γ is consistent if and only if it is satis-
fiable. Here, the “if” direction amounts to completeness (consistency guaran-
tees satisfiability), and the “only if” direction amounts to soundness (satisfi-
ability guarantees consistency). In fact, for classical first-order logic, the two
versions of soundness and completeness are equivalent.

Release : d3a1905 (2022-12-19) 115

 CHAPTER 8. DERIVATION SYSTEMS

8.2 The Sequent Calculus

While many derivation systems operate with arrangements of sentences, the
sequent calculus operates with sequents. A sequent is an expression of the
form
φ1 , . . . , φm ⇒ ψ1 , . . . , ψm ,

that is a pair of sequences of sentences, separated by the sequent symbol ⇒.

Either sequence may be empty. A derivation in the sequent calculus is a tree
of sequents, where the topmost sequents are of a special form (they are called
“initial sequents” or “axioms”) and every other sequent follows from the se-
quents immediately above it by one of the rules of inference. The rules of
inference either manipulate the sentences in the sequents (adding, removing,
or rearranging them on either the left or the right), or they introduce a com-
plex formula in the conclusion of the rule. For instance, the ∧L rule allows the
inference from φ, Γ ⇒ ∆ to φ ∧ ψ, Γ ⇒ ∆, and the →R allows the inference
from φ, Γ ⇒ ∆, ψ to Γ ⇒ ∆, φ → ψ, for any Γ, ∆, φ, and ψ. (In particular, Γ
and ∆ may be empty.)
The ⊢ relation based on the sequent calculus is defined as follows: Γ ⊢ φ
iff there is some sequence Γ0 such that every φ in Γ0 is in Γ and there is a
derivation with the sequent Γ0 ⇒ φ at its root. φ is a theorem in the sequent
calculus if the sequent ⇒ φ has a derivation. For instance, here is a derivation
that shows that ⊢ ( φ ∧ ψ) → φ:

φ ⇒ φ
φ∧ψ ⇒ φ
∧L
→R
⇒ ( φ ∧ ψ) → φ

A set Γ is inconsistent in the sequent calculus if there is a derivation of

Γ0 ⇒ (where every φ ∈ Γ0 is in Γ and the right side of the sequent is empty).
Using the rule WR, any sentence can be derived from an inconsistent set.
The sequent calculus was invented in the 1930s by Gerhard Gentzen. Be-
cause of its systematic and symmetric design, it is a very useful formalism for
developing a theory of derivations. It is relatively easy to find derivations in
the sequent calculus, but these derivations are often hard to read and their
connection to proofs are sometimes not easy to see. It has proved to be a very
elegant approach to derivation systems, however, and many logics have se-
quent calculus systems.

8.3 Natural Deduction

Natural deduction is a derivation system intended to mirror actual reasoning
(especially the kind of regimented reasoning employed by mathematicians).
Actual reasoning proceeds by a number of “natural” patterns. For instance,

116 Release : d3a1905 (2022-12-19)

8.3. NATURAL DEDUCTION

proof by cases allows us to establish a conclusion on the basis of a disjunc-

tive premise, by establishing that the conclusion follows from either of the
disjuncts. Indirect proof allows us to establish a conclusion by showing that
its negation leads to a contradiction. Conditional proof establishes a condi-
tional claim “if . . . then . . . ” by showing that the consequent follows from
the antecedent. Natural deduction is a formalization of some of these nat-
ural inferences. Each of the logical connectives and quantifiers comes with
two rules, an introduction and an elimination rule, and they each correspond
to one such natural inference pattern. For instance, →Intro corresponds to
conditional proof, and ∨Elim to proof by cases. A particularly simple rule is
∧Elim which allows the inference from φ ∧ ψ to φ (or ψ).
One feature that distinguishes natural deduction from other derivation
systems is its use of assumptions. A derivation in natural deduction is a tree
of formulas. A single formula stands at the root of the tree of formulas, and
the “leaves” of the tree are formulas from which the conclusion is derived.
In natural deduction, some leaf formulas play a role inside the derivation but
are “used up” by the time the derivation reaches the conclusion. This corre-
sponds to the practice, in actual reasoning, of introducing hypotheses which
only remain in effect for a short while. For instance, in a proof by cases, we
assume the truth of each of the disjuncts; in conditional proof, we assume the
truth of the antecedent; in indirect proof, we assume the truth of the nega-
tion of the conclusion. This way of introducing hypothetical assumptions
and then doing away with them in the service of establishing an intermedi-
ate step is a hallmark of natural deduction. The formulas at the leaves of a
natural deduction derivation are called assumptions, and some of the rules of
inference may “discharge” them. For instance, if we have a derivation of ψ
from some assumptions which include φ, then the →Intro rule allows us to
infer φ → ψ and discharge any assumption of the form φ. (To keep track of
which assumptions are discharged at which inferences, we label the inference
and the assumptions it discharges with a number.) The assumptions that re-
main undischarged at the end of the derivation are together sufficient for the
truth of the conclusion, and so a derivation establishes that its undischarged
assumptions entail its conclusion.
The relation Γ ⊢ φ based on natural deduction holds iff there is a deriva-
tion in which φ is the last sentence in the tree, and every leaf which is undis-
charged is in Γ. φ is a theorem in natural deduction iff there is a derivation in
which φ is the last sentence and all assumptions are discharged. For instance,
here is a derivation that shows that ⊢ ( φ ∧ ψ) → φ:

[ φ ∧ ψ ]1
φ ∧Elim
1 →Intro
( φ ∧ ψ) → φ

The label 1 indicates that the assumption φ ∧ ψ is discharged at the →Intro

Release : d3a1905 (2022-12-19) 117

 CHAPTER 8. DERIVATION SYSTEMS

inference.
A set Γ is inconsistent iff Γ ⊢ ⊥ in natural deduction. The rule ⊥ I makes
it so that from an inconsistent set, any sentence can be derived.
Natural deduction systems were developed by Gerhard Gentzen and Sta-
nisław Jaśkowski in the 1930s, and later developed by Dag Prawitz and Fred-
eric Fitch. Because its inferences mirror natural methods of proof, it is favored
by philosophers. The versions developed by Fitch are often used in introduc-
tory logic textbooks. In the philosophy of logic, the rules of natural deduc-
tion have sometimes been taken to give the meanings of the logical operators
(“proof-theoretic semantics”).

8.4 Tableaux

While many derivation systems operate with arrangements of sentences, tableaux

operate with signed formulas. A signed formula is a pair consisting of a truth
value sign (T or F) and a sentence

T φ or F φ.

A tableau consists of signed formulas arranged in a downward-branching

tree. It begins with a number of assumptions and continues with signed for-
mulas which result from one of the signed formulas above it by applying one
of the rules of inference. Each rule allows us to add one or more signed formu-
las to the end of a branch, or two signed formulas side by side—in this case a
branch splits into two, with the two added signed formulas forming the ends
of the two branches.
A rule applied to a complex signed formula results in the addition of
signed formulas which are immediate sub-formulas. They come in pairs, one
rule for each of the two signs. For instance, the ∧T rule applies to T φ ∧ ψ,
and allows the addition of both the two signed formulas T φ and Tψ to the
end of any branch containing T φ ∧ ψ, and the rule φ ∧ ψF allows a branch to
be split by adding F φ and F ψ side-by-side. A tableau is closed if every one
of its branches contains a matching pair of signed formulas T φ and F φ.
The ⊢ relation based on tableaux is defined as follows: Γ ⊢ φ iff there is
some finite set Γ0 = {ψ1 , . . . , ψn } ⊆ Γ such that there is a closed tableau for
the assumptions

{F φ, Tψ1 , . . . , Tψn }

For instance, here is a closed tableau that shows that ⊢ ( φ ∧ ψ) → φ:

118 Release : d3a1905 (2022-12-19)

8.5. AXIOMATIC DERIVATIONS

1. F ( φ ∧ ψ) → φ Assumption
2. Tφ ∧ ψ →F 1
3. Fφ →F 1
4. Tφ →T 2
5. Tψ →T 2
⊗

A set Γ is inconsistent in the tableau calculus if there is a closed tableau for

assumptions
{Tψ1 , . . . , Tψn }
for some ψi ∈ Γ.
Tableaux were invented in the 1950s independently by Evert Beth and
Jaakko Hintikka, and simplified and popularized by Raymond Smullyan. They
are very easy to use, since constructing a tableau is a very systematic proce-
dure. Because of the systematic nature of tableaux, they also lend themselves
to implementation by computer. However, a tableau is often hard to read and
their connection to proofs are sometimes not easy to see. The approach is also
quite general, and many different logics have tableau systems. Tableaux also
help us to find structures that satisfy given (sets of) sentences: if the set is
satisfiable, it won’t have a closed tableau, i.e., any tableau will have an open
branch. The satisfying structure can be “read off” an open branch, provided
every rule it is possible to apply has been applied on that branch. There is also
a very close connection to the sequent calculus: essentially, a closed tableau is
a condensed derivation in the sequent calculus, written upside-down.

8.5 Axiomatic Derivations

Axiomatic derivations are the oldest and simplest logical derivation systems.
Its derivations are simply sequences of sentences. A sequence of sentences
counts as a correct derivation if every sentence φ in it satisfies one of the fol-
lowing conditions:

1. φ is an axiom, or

2. φ is an element of a given set Γ of sentences, or

3. φ is justified by a rule of inference.

To be an axiom, φ has to have the form of one of a number of fixed sentence

schemas. There are many sets of axiom schemas that provide a satisfactory
(sound and complete) derivation system for first-order logic. Some are orga-
nized according to the connectives they govern, e.g., the schemas

φ → (ψ → φ) ψ → (ψ ∨ χ) (ψ ∧ χ) → ψ

Release : d3a1905 (2022-12-19) 119

 CHAPTER 8. DERIVATION SYSTEMS

are common axioms that govern →, ∨ and ∧. Some axiom systems aim at a
minimal number of axioms. Depending on the connectives that are taken as
primitives, it is even possible to find axiom systems that consist of a single
axiom.
A rule of inference is a conditional statement that gives a sufficient condi-
tion for a sentence in a derivation to be justified. Modus ponens is one very
common such rule: it says that if φ and φ → ψ are already justified, then ψ is
justified. This means that a line in a derivation containing the sentence ψ is
justified, provided that both φ and φ → ψ (for some sentence φ) appear in the
derivation before ψ.
The ⊢ relation based on axiomatic derivations is defined as follows: Γ ⊢ φ
iff there is a derivation with the sentence φ as its last formula (and Γ is taken
as the set of sentences in that derivation which are justified by (2) above). φ
is a theorem if φ has a derivation where Γ is empty, i.e., every sentence in the
derivation is justfied either by (1) or (3). For instance, here is a derivation that
shows that ⊢ φ → (ψ → (ψ ∨ φ)):

1. ψ → (ψ ∨ φ)
2. (ψ → (ψ ∨ φ)) → ( φ → (ψ → (ψ ∨ φ)))
3. φ → (ψ → (ψ ∨ φ))

The sentence on line 1 is of the form of the axiom φ → ( φ ∨ ψ) (with the roles
of φ and ψ reversed). The sentence on line 2 is of the form of the axiom φ →
(ψ → φ). Thus, both lines are justified. Line 3 is justified by modus ponens: if
we abbreviate it as θ, then line 2 has the form χ → θ, where χ is ψ → (ψ ∨ φ),
i.e., line 1.
A set Γ is inconsistent if Γ ⊢ ⊥. A complete axiom system will also prove
that ⊥ → φ for any φ, and so if Γ is inconsistent, then Γ ⊢ φ for any φ.
Systems of axiomatic derivations for logic were first given by Gottlob Frege
in his 1879 Begriffsschrift, which for this reason is often considered the first
work of modern logic. They were perfected in Alfred North Whitehead and
Bertrand Russell’s Principia Mathematica and by David Hilbert and his stu-
dents in the 1920s. They are thus often called “Frege systems” or “Hilbert
systems.” They are very versatile in that it is often easy to find an axiomatic
system for a logic. Because derivations have a very simple structure and only
one or two inference rules, it is also relatively easy to prove things about them.
However, they are very hard to use in practice, i.e., it is difficult to find and
write proofs.

120 Release : d3a1905 (2022-12-19)

Chapter 9

The Sequent Calculus

This chapter presents Gentzen’s standard sequent calculus LK for clas-

sical first-order logic. It could use more examples and exercises. To in-
clude or exclude material relevant to the sequent calculus as a proof sys-
tem, use the “prfLK” tag.

9.1 Rules and Derivations

For the following, let Γ, ∆, Π, Λ represent finite sequences of sentences.

Definition 9.1 (Sequent). A sequent is an expression of the form

Γ⇒∆

where Γ and ∆ are finite (possibly empty) sequences of sentences of the lan-
guage L. Γ is called the antecedent, while ∆ is the succedent.

The intuitive idea behind a sequent is: if all of the sentences in the an-
tecedent hold, then at least one of the sentences in the succedent holds. That
is, if Γ = ⟨ φ1 , . . . , φm ⟩ and ∆ = ⟨ψ1 , . . . , ψn ⟩, then Γ ⇒ ∆ holds iff

( φ1 ∧ · · · ∧ φm ) → (ψ1 ∨ · · · ∨ ψn )

holds. There are two special cases: where Γ is empty and when ∆ is empty.
When Γ is empty, i.e., m = 0, ⇒ ∆ holds iff ψ1 ∨ · · · ∨ ψn holds. When ∆ is
empty, i.e., n = 0, Γ ⇒ holds iff ¬( φ1 ∧ · · · ∧ φm ) does. We say a sequent is
valid iff the corresponding sentence is valid.
If Γ is a sequence of sentences, we write Γ, φ for the result of appending
φ to the right end of Γ (and φ, Γ for the result of appending φ to the left end
of Γ). If ∆ is a sequence of sentences also, then Γ, ∆ is the concatenation of the
two sequences.

121
 CHAPTER 9. THE SEQUENT CALCULUS

Definition 9.2 (Initial Sequent). An initial sequent is a sequent of one of the

following forms:

1. φ ⇒ φ

2. ⊥ ⇒

for any sentence φ in the language.

Derivations in the sequent calculus are certain trees of sequents, where

the topmost sequents are initial sequents, and if a sequent stands below one
or two other sequents, it must follow correctly by a rule of inference. The
rules for LK are divided into two main types: logical rules and structural rules.
The logical rules are named for the main operator of the sentence containing
φ and/or ψ in the lower sequent. Each one comes in two versions, one for
inferring a sequent with the sentence containing the logical operator on the
left, and one with the sentence on the right.

9.2 Propositional Rules

Rules for ¬

Γ ⇒ ∆, φ φ, Γ ⇒ ∆
¬L ¬R
¬ φ, Γ ⇒ ∆ Γ ⇒ ∆, ¬ φ

Rules for ∧

φ, Γ ⇒ ∆
∧L
φ ∧ ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ ∧ ψ
∧L
φ ∧ ψ, Γ ⇒ ∆

Rules for ∨

Γ ⇒ ∆, φ
∨R
φ, Γ ⇒ ∆ ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ ∨ ψ
∨L
φ ∨ ψ, Γ ⇒ ∆ Γ ⇒ ∆, ψ
∨R
Γ ⇒ ∆, φ ∨ ψ

122 Release : d3a1905 (2022-12-19)

9.3. STRUCTURAL RULES

Rules for →

Γ ⇒ ∆, φ ψ, Π ⇒ Λ φ, Γ ⇒ ∆, ψ
→L →R
φ → ψ, Γ, Π ⇒ ∆, Λ Γ ⇒ ∆, φ → ψ

9.3 Structural Rules

We also need a few rules that allow us to rearrange sentences in the left and
right side of a sequent. Since the logical rules require that the sentences in the
premise which the rule acts upon stand either to the far left or to the far right,
we need an “exchange” rule that allows us to move sentences to the right
position. It’s also important sometimes to be able to combine two identical
sentences into one, and to add a sentence on either side.

Weakening

Γ ⇒ ∆ Γ ⇒ ∆
WL WR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

Contraction

φ, φ, Γ ⇒ ∆ Γ ⇒ ∆, φ, φ
CL CR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

Exchange

Γ, φ, ψ, Π ⇒ ∆ Γ ⇒ ∆, φ, ψ, Λ
XL XR
Γ, ψ, φ, Π ⇒ ∆ Γ ⇒ ∆, ψ, φ, Λ

A series of weakening, contraction, and exchange inferences will often be in-

dicated by double inference lines.
The following rule, called “cut,” is not strictly speaking necessary, but
makes it a lot easier to reuse and combine derivations.

Γ ⇒ ∆, φ φ, Π ⇒ Λ
Cut
Γ, Π ⇒ ∆, Λ

Release : d3a1905 (2022-12-19) 123

 CHAPTER 9. THE SEQUENT CALCULUS

9.4 Derivations
We’ve said what an initial sequent looks like, and we’ve given the rules of
inference. Derivations in the sequent calculus are inductively generated from
these: each derivation either is an initial sequent on its own, or consists of one
or two derivations followed by an inference.

Definition 9.3 (LK derivation). An LK-derivation of a sequent S is a finite tree

of sequents satisfying the following conditions:

1. The topmost sequents of the tree are initial sequents.

2. The bottommost sequent of the tree is S.

3. Every sequent in the tree except S is a premise of a correct application of

an inference rule whose conclusion stands directly below that sequent
in the tree.

We then say that S is the end-sequent of the derivation and that S is derivable in
LK (or LK-derivable).

Example 9.4. Every initial sequent, e.g., χ ⇒ χ is a derivation. We can obtain

a new derivation from this by applying, say, the WL rule,
Γ ⇒ ∆
WL
φ, Γ ⇒ ∆

The rule, however, is meant to be general: we can replace the φ in the rule
with any sentence, e.g., also with θ. If the premise matches our initial sequent
χ ⇒ χ, that means that both Γ and ∆ are just χ, and the conclusion would
then be θ, χ ⇒ χ. So, the following is a derivation:
χ ⇒ χ
WL
θ, χ ⇒ χ

We can now apply another rule, say XL, which allows us to switch two sen-
tences on the left. So, the following is also a correct derivation:
χ ⇒ χ
WL
θ, χ ⇒ χ
XL
χ, θ ⇒ χ

In this application of the rule, which was given as

Γ, φ, ψ, Π ⇒ ∆
XL
Γ, ψ, φ, Π ⇒ ∆,

both Γ and Π were empty, ∆ is χ, and the roles of φ and ψ are played by θ
and χ, respectively. In much the same way, we also see that

124 Release : d3a1905 (2022-12-19)

9.5. EXAMPLES OF DERIVATIONS

θ ⇒ θ
WL
χ, θ ⇒ θ

is a derivation. Now we can take these two derivations, and combine them
using ∧R. That rule was

Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
Γ ⇒ ∆, φ ∧ ψ

In our case, the premises must match the last sequents of the derivations end-
ing in the premises. That means that Γ is χ, θ, ∆ is empty, φ is χ and ψ is θ. So
the conclusion, if the inference should be correct, is χ, θ ⇒ χ ∧ θ.
χ ⇒ χ
WL
θ, χ ⇒ χ θ ⇒ θ
XL WL
χ, θ ⇒ χ χ, θ ⇒ θ
∧R
χ, θ ⇒ χ ∧ θ

Of course, we can also reverse the premises, then φ would be θ and ψ would
be χ.
χ ⇒ χ
WL
θ ⇒ θ θ, χ ⇒ χ
WL XL
χ, θ ⇒ θ χ, θ ⇒ χ
∧R
χ, θ ⇒ θ ∧ χ

9.5 Examples of Derivations

Example 9.5. Give an LK-derivation for the sequent φ ∧ ψ ⇒ φ.
We begin by writing the desired end-sequent at the bottom of the deriva-
tion.

φ∧ψ ⇒ φ

Next, we need to figure out what kind of inference could have a lower sequent
of this form. This could be a structural rule, but it is a good idea to start by
looking for a logical rule. The only logical connective occurring in the lower
sequent is ∧, so we’re looking for an ∧ rule, and since the ∧ symbol occurs in
the antecedent, we’re looking at the ∧L rule.

φ∧ψ ⇒ φ
∧L

There are two options for what could have been the upper sequent of the ∧L
inference: we could have an upper sequent of φ ⇒ φ, or of ψ ⇒ φ. Clearly,
φ ⇒ φ is an initial sequent (which is a good thing), while ψ ⇒ φ is not
derivable in general. We fill in the upper sequent:

Release : d3a1905 (2022-12-19) 125

 CHAPTER 9. THE SEQUENT CALCULUS

φ ⇒ φ
φ∧ψ ⇒ φ
∧L

We now have a correct LK-derivation of the sequent φ ∧ ψ ⇒ φ.

Example 9.6. Give an LK-derivation for the sequent ¬ φ ∨ ψ ⇒ φ → ψ.

Begin by writing the desired end-sequent at the bottom of the derivation.

¬φ ∨ ψ ⇒ φ → ψ

To find a logical rule that could give us this end-sequent, we look at the log-
ical connectives in the end-sequent: ¬, ∨, and →. We only care at the mo-
ment about ∨ and → because they are main operators of sentences in the end-
sequent, while ¬ is inside the scope of another connective, so we will take care
of it later. Our options for logical rules for the final inference are therefore the
∨L rule and the →R rule. We could pick either rule, really, but let’s pick the
→R rule (if for no reason other than it allows us to put off splitting into two
branches). According to the form of →R inferences which can yield the lower
sequent, this must look like:

φ, ¬ φ ∨ ψ ⇒ ψ
¬ φ ∨ ψ ⇒ φ → ψ →R

If we move ¬ φ ∨ ψ to the outside of the antecedent, we can apply the ∨L

rule. According to the schema, this must split into two upper sequents as
follows:

¬ φ, φ ⇒ ψ ψ, φ ⇒ ψ
¬ φ ∨ ψ, φ ⇒ ψ ∨L
φ, ¬ φ ∨ ψ ⇒ ψ XR
¬φ ∨ ψ ⇒ φ → ψ →R

Remember that we are trying to wind our way up to initial sequents; we seem
to be pretty close! The right branch is just one weakening and one exchange
away from an initial sequent and then it is done:
ψ ⇒ ψ
WL
φ, ψ ⇒ ψ
XL
¬ φ, φ ⇒ ψ ψ, φ ⇒ ψ
¬ φ ∨ ψ, φ ⇒ ψ ∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬φ ∨ ψ ⇒ φ → ψ →R

Now looking at the left branch, the only logical connective in any sentence
is the ¬ symbol in the antecedent sentences, so we’re looking at an instance of
the ¬L rule.

126 Release : d3a1905 (2022-12-19)

9.5. EXAMPLES OF DERIVATIONS

ψ ⇒ ψ
WL
φ ⇒ ψ, φ φ, ψ ⇒ ψ
¬ φ, φ ⇒ ψ ¬L ψ, φ ⇒ ψ
XL
¬ φ ∨ ψ, φ ⇒ ψ
∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬φ ∨ ψ ⇒ φ→ψ
→R

Similarly to how we finished off the right branch, we are just one weakening
and one exchange away from finishing off this left branch as well.

φ ⇒ φ
φ ⇒ φ, ψ WR ψ ⇒ ψ
φ ⇒ ψ, φ XR φ, ψ ⇒ ψ
WL
¬ φ, φ ⇒ ψ ¬L ψ, φ ⇒ ψ
XL
¬ φ ∨ ψ, φ ⇒ ψ
∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬φ ∨ ψ ⇒ φ→ψ
→R

Example 9.7. Give an LK-derivation of the sequent ¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Using the techniques from above, we start by writing the desired end-
sequent at the bottom.

¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

The available main connectives of sentences in the end-sequent are the ∨ sym-
bol and the ¬ symbol. It would work to apply either the ∨L or the ¬R rule
here, but we start with the ¬R rule because it avoids splitting up into two
branches for a moment:

φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Now we have a choice of whether to look at the ∧L or the ∨L rule. Let’s see
what happens when we apply the ∧L rule: we have a choice to start with
either the sequent φ, ¬ φ ∨ ψ ⇒ or the sequent ψ, ¬ φ ∨ ψ ⇒ . Since the
derivation is symmetric with regards to φ and ψ, let’s go with the former:

φ, ¬ φ ∨ ¬ψ ⇒
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
∧L
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Continuing to fill in the derivation, we see that we run into a problem:

Release : d3a1905 (2022-12-19) 127

 CHAPTER 9. THE SEQUENT CALCULUS

?
φ ⇒ φ φ ⇒ ψ
¬ φ, φ ⇒ ¬L ¬ψ, φ ⇒ ¬L
¬ φ ∨ ¬ψ, φ ⇒ ∨L
XL
φ, ¬ φ ∨ ¬ψ ⇒
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒ ∧L
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

The top of the right branch cannot be reduced any further, and it cannot be
brought by way of structural inferences to an initial sequent, so this is not the
right path to take. So clearly, it was a mistake to apply the ∧L rule above.
Going back to what we had before and carrying out the ∨L rule instead, we
get

¬ φ, φ ∧ ψ ⇒ ¬ψ, φ ∧ ψ ⇒
¬ φ ∨ ¬ψ, φ ∧ ψ ⇒ ∨L
XL
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Completing each branch as we’ve done before, we get

φ ⇒ φ ψ ⇒ ψ
φ∧ψ ⇒ φ
∧L φ∧ψ ⇒ ψ
∧L
¬ φ, φ ∧ ψ ⇒ ¬ L
¬ψ, φ ∧ ψ ⇒ ¬L
¬ φ ∨ ¬ψ, φ ∧ ψ ⇒ ∨L
XL
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

(We could have carried out the ∧ rules lower than the ¬ rules in these steps
and still obtained a correct derivation).

Example 9.8. So far we haven’t used the contraction rule, but it is sometimes
required. Here’s an example where that happens. Suppose we want to prove
⇒ φ ∨ ¬ φ. Applying ∨R backwards would give us one of these two deriva-
tions:

φ ⇒
⇒ φ ⇒ ¬ φ ¬R
⇒ φ ∨ ¬ φ ∨R ⇒ φ ∨ ¬ φ ∨R

Neither of these of course ends in an initial sequent. The trick is to realize that
the contraction rule allows us to combine two copies of a sentence into one—
and when we’re searching for a proof, i.e., going from bottom to top, we can
keep a copy of φ ∨ ¬ φ in the premise, e.g.,

128 Release : d3a1905 (2022-12-19)

9.6. PROOF-THEORETIC NOTIONS

⇒ φ ∨ ¬ φ, φ
⇒ φ ∨ ¬ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬φ CR

Now we can apply ∨R a second time, and also get ¬ φ, which leads to a com-
plete derivation.

φ ⇒ φ
⇒ φ, ¬ φ ¬R
⇒ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬ φ, φ XR
⇒ φ ∨ ¬ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬φ CR

This section collects the definitions of the provability relation and con-
sistency for natural deduction.

9.6 Proof-Theoretic Notions

Just as we’ve defined a number of important semantic notions (validity, entail-
ment, satisfiabilty), we now define corresponding proof-theoretic notions. These
are not defined by appeal to satisfaction of sentences in structures, but by ap-
peal to the derivability or non-derivability of certain sequents. It was an im-
portant discovery that these notions coincide. That they do is the content of
the soundness and completeness theorem.

Definition 9.9 (Theorems). A sentence φ is a theorem if there is a derivation

in LK of the sequent ⇒ φ. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 9.10 (Derivability). A sentence φ is derivable from a set of sentences Γ,

Γ ⊢ φ, iff there is a finite subset Γ0 ⊆ Γ and a sequence Γ0′ of the sentences
in Γ0 such that LK derives Γ0′ ⇒ φ. If φ is not derivable from Γ we write Γ ⊬ φ.

Because of the contraction, weakening, and exchange rules, the order and
number of sentences in Γ0′ does not matter: if a sequent Γ0′ ⇒ φ is deriv-
able, then so is Γ0′′ ⇒ φ for any Γ0′′ that contains the same sentences as Γ0′ .
For instance, if Γ0 = {ψ, χ} then both Γ0′ = ⟨ψ, ψ, χ⟩ and Γ0′′ = ⟨χ, χ, ψ⟩ are
sequences containing just the sentences in Γ0 . If a sequent containing one is
derivable, so is the other, e.g.:

Release : d3a1905 (2022-12-19) 129

 CHAPTER 9. THE SEQUENT CALCULUS

ψ, ψ, χ ⇒ φ
CL
ψ, χ ⇒ φ
XL
χ, ψ ⇒ φ
WL
χ, χ, ψ ⇒ φ
From now on we’ll say that if Γ0 is a finite set of sentences then Γ0 ⇒ φ is
any sequent where the antecedent is a sequence of sentences in Γ0 and tacitly
include contractions, exchanges, and weakenings if necessary.
Definition 9.11 (Consistency). A set of sentences Γ is inconsistent iff there is a
finite subset Γ0 ⊆ Γ such that LK derives Γ0 ⇒ . If Γ is not inconsistent, i.e.,
if for every finite Γ0 ⊆ Γ, LK does not derive Γ0 ⇒ , we say it is consistent.

Proposition 9.12 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. The initial sequent φ ⇒ φ is derivable, and { φ} ⊆ Γ.

Proposition 9.13 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Suppose Γ ⊢ φ, i.e., there is a finite Γ0 ⊆ Γ such that Γ0 ⇒ φ is deriv-

able. Since Γ ⊆ ∆, then Γ0 is also a finite subset of ∆. The derivation of Γ0 ⇒ φ
thus also shows ∆ ⊢ φ.

Proposition 9.14 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If Γ ⊢ φ, there is a finite Γ0 ⊆ Γ and a derivation π0 of Γ0 ⇒ φ. If

{ φ} ∪ ∆ ⊢ ψ, then for some finite subset ∆ 0 ⊆ ∆, there is a derivation π1 of
φ, ∆ 0 ⇒ ψ. Consider the following derivation:

π0 π1

Γ0 ⇒ φ φ, ∆ 0 ⇒ ψ
Cut
Γ0 , ∆ 0 ⇒ ψ
Since Γ0 ∪ ∆ 0 ⊆ Γ ∪ ∆, this shows Γ ∪ ∆ ⊢ ψ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.
Proposition 9.15. Γ is inconsistent iff Γ ⊢ φ for every sentence φ.

Proof. Exercise.

Proposition 9.16 (Compactness). 1. If Γ ⊢ φ then there is a finite subset Γ0 ⊆

Γ such that Γ0 ⊢ φ.

130 Release : d3a1905 (2022-12-19)

9.7. DERIVABILITY AND CONSISTENCY

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite subset Γ0 ⊆ Γ such that the sequent

Γ0 ⇒ φ has a derivation. Consequently, Γ0 ⊢ φ.

2. If Γ is inconsistent, there is a finite subset Γ0 ⊆ Γ such that LK derives

Γ0 ⇒ . But then Γ0 is a finite subset of Γ that is inconsistent.

9.7 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 9.17. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. There are finite Γ0 and Γ1 ⊆ Γ such that LK derives Γ0 ⇒ φ and φ, Γ1 ⇒

. Let the LK-derivation of Γ0 ⇒ φ be π0 and the LK-derivation of Γ1 , φ ⇒
be π1 . We can then derive

π0 π1

Γ0 ⇒ φ φ, Γ1 ⇒
Cut
Γ0 , Γ1 ⇒

Since Γ0 ⊆ Γ and Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ, hence Γ is inconsistent.

Proposition 9.18. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a derivation π0 of Γ ⇒ φ. By adding

a ¬L rule, we obtain a derivation of ¬ φ, Γ ⇒ , i.e., Γ ∪ {¬ φ} is inconsistent.
If Γ ∪ {¬ φ} is inconsistent, there is a derivation π1 of ¬ φ, Γ ⇒ . The
following is a derivation of Γ ⇒ φ:

π1
φ ⇒ φ
⇒ φ, ¬ φ ¬R ¬ φ, Γ ⇒
Cut
Γ ⇒ φ

Proposition 9.19. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there is a derivation π of a sequent

Γ0 ⇒ φ. The sequent ¬ φ, Γ0 ⇒ is also derivable:

Release : d3a1905 (2022-12-19) 131

 CHAPTER 9. THE SEQUENT CALCULUS

π φ ⇒ φ
¬ φ, φ ⇒ ¬L
Γ0 ⇒ φ φ, ¬ φ ⇒ XL
Cut
Γ, ¬ φ ⇒

Since ¬ φ ∈ Γ and Γ0 ⊆ Γ, this shows that Γ is inconsistent.

Proposition 9.20. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is incon-

sistent.

Proof. There are finite sets Γ0 ⊆ Γ and Γ1 ⊆ Γ and LK-derivations π0 and π1

of φ, Γ0 ⇒ and ¬ φ, Γ1 ⇒ , respectively. We can then derive

π0
π1
φ, Γ0 ⇒
¬R
Γ0 ⇒ ¬ φ ¬ φ, Γ1 ⇒
Cut
Γ0 , Γ1 ⇒

Since Γ0 ⊆ Γ and Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ. Hence Γ is inconsistent.

9.8 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of the sequent calculus is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 9.21. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ.

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. Both sequents φ ∧ ψ ⇒ φ and φ ∧ ψ ⇒ ψ are derivable:

φ ⇒ φ ψ ⇒ ψ
φ∧ψ ⇒ φ
∧L φ∧ψ ⇒ ψ
∧L

2. Here is a derivation of the sequent φ, ψ ⇒ φ ∧ ψ:

φ ⇒ φ ψ ⇒ ψ
φ, ψ ⇒ φ ∧ ψ
∧R

Proposition 9.22. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

132 Release : d3a1905 (2022-12-19)

9.9. SOUNDNESS

Proof. 1. We give a derivation of the sequent φ ∨ ψ, ¬ φ, ¬ψ ⇒:

φ ⇒ φ ψ ⇒ ψ
¬ φ, φ ⇒ ¬L ¬ψ, ψ ⇒ ¬L
φ, ¬ φ, ¬ψ ⇒ ψ, ¬ φ, ¬ψ ⇒
φ ∨ ψ, ¬ φ, ¬ψ ⇒
∨L

(Recall that double inference lines indicate several weakening, contrac-

tion, and exchange inferences.)

2. Both sequents φ ⇒ φ ∨ ψ and ψ ⇒ φ ∨ ψ have derivations:

φ ⇒ φ ψ ⇒ ψ
φ ⇒ φ∨ψ
∨R ψ ⇒ φ∨ψ
∨R

Proposition 9.23. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. The sequent φ → ψ, φ ⇒ ψ is derivable:

φ ⇒ φ ψ ⇒ ψ
φ → ψ, φ ⇒ ψ
→L

2. Both sequents ¬ φ ⇒ φ → ψ and ψ ⇒ φ → ψ are derivable:

φ ⇒ φ
¬ φ, φ ⇒ ¬L
φ, ¬ φ ⇒ XL ψ ⇒ ψ
φ, ¬ φ ⇒ ψ WR φ, ψ ⇒ ψ
WL
¬φ ⇒ φ → ψ →R ψ ⇒ φ→ψ
→R

9.9 Soundness
A derivation system, such as the sequent calculus, is sound if it cannot de-
rive things that do not actually hold. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable φ is a tautology;

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

Release : d3a1905 (2022-12-19) 133

 CHAPTER 9. THE SEQUENT CALCULUS

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.
Because all these proof-theoretic properties are defined via derivability in
the sequent calculus of certain sequents, proving (1)–(3) above requires prov-
ing something about the semantic properties of derivable sequents. We will
first define what it means for a sequent to be valid, and then show that every
derivable sequent is valid. (1)–(3) then follow as corollaries from this result.

Definition 9.24. A valuation v satisfies a sequent Γ ⇒ ∆ iff either v ⊭ φ for

some φ ∈ Γ or v ⊨ φ for some φ ∈ ∆.
A sequent is valid iff every valuation v satisfies it.

Theorem 9.25 (Soundness). If LK derives Θ ⇒ Ξ, then Θ ⇒ Ξ is valid.

Proof. Let π be a derivation of Θ ⇒ Ξ. We proceed by induction on the num-

ber of inferences n in π.
If the number of inferences is 0, then π consists only of an initial sequent.
Every initial sequent φ ⇒ φ is obviously valid, since for every v, either v ⊭ φ
or v ⊨ φ.
If the number of inferences is greater than 0, we distinguish cases accord-
ing to the type of the lowermost inference. By induction hypothesis, we can
assume that the premises of that inference are valid, since the number of in-
ferences in the derivation of any premise is smaller than n.
First, we consider the possible inferences with only one premise.

1. The last inference is a weakening. Then Θ ⇒ Ξ is either φ, Γ ⇒ ∆ (if the

last inference is WL) or Γ ⇒ ∆, φ (if it’s WR), and the derivation ends in
one of

Γ ⇒ ∆ Γ ⇒ ∆
WL WR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

By induction hypothesis, Γ ⇒ ∆ is valid, i.e., for every valuation v, either

there is some χ ∈ Γ such that v ⊭ χ or there is some χ ∈ ∆ such that
v ⊨ χ.
If v ⊭ χ for some χ ∈ Γ, then χ ∈ Θ as well since Θ = φ, Γ, and so v ⊭ χ
for some χ ∈ Θ. Similarly, if v ⊨ χ for some χ ∈ ∆, as χ ∈ Ξ, v ⊨ χ for
some χ ∈ Ξ. Consequently, Θ ⇒ Ξ is valid.

2. The last inference is ¬L: Then the premise of the last inference is Γ ⇒
∆, φ and the conclusion is ¬ φ, Γ ⇒ ∆, i.e., the derivation ends in

134 Release : d3a1905 (2022-12-19)

9.9. SOUNDNESS

Γ ⇒ ∆, φ
¬L
¬ φ, Γ ⇒ ∆

and Θ = ¬ φ, Γ while Ξ = ∆.
The induction hypothesis tells us that Γ ⇒ ∆, φ is valid, i.e., for every v,
either (a) for some χ ∈ Γ, v ⊭ χ, or (b) for some χ ∈ ∆, v ⊨ χ, or (c) v ⊨ φ.
We want to show that Θ ⇒ Ξ is also valid. Let v be a valuation. If (a)
holds, then there is χ ∈ Γ so that v ⊭ χ, but χ ∈ Θ as well. If (b) holds,
there is χ ∈ ∆ such that v ⊨ χ, but χ ∈ Ξ as well. Finally, if v ⊨ φ, then
v ⊭ ¬ φ. Since ¬ φ ∈ Θ, there is χ ∈ Θ such that v ⊭ χ. Consequently,
Θ ⇒ Ξ is valid.

3. The last inference is ¬R: Exercise.

4. The last inference is ∧L: There are two variants: φ ∧ ψ may be inferred
on the left from φ or from ψ on the left side of the premise. In the first
case, the π ends in

φ, Γ ⇒ ∆
∧L
φ ∧ ψ, Γ ⇒ ∆

and Θ = φ ∧ ψ, Γ while Ξ = ∆. Consider a valuation v. Since by induc-

tion hypothesis, φ, Γ ⇒ ∆ is valid, (a) v ⊭ φ, (b) v ⊭ χ for some χ ∈ Γ, or
(c) v ⊨ χ for some χ ∈ ∆. In case (a), v ⊭ φ ∧ ψ, so there is χ ∈ Θ (namely,
φ ∧ ψ) such that v ⊭ χ. In case (b), there is χ ∈ Γ such that v ⊭ χ, and
χ ∈ Θ as well. In case (c), there is χ ∈ ∆ such that v ⊨ χ, and χ ∈ Ξ
as well since Ξ = ∆. So in each case, v satisfies φ ∧ ψ, Γ ⇒ ∆. Since v
was arbitrary, Γ ⇒ ∆ is valid. The case where φ ∧ ψ is inferred from ψ is
handled the same, changing φ to ψ.

5. The last inference is ∨R: There are two variants: φ ∨ ψ may be inferred
on the right from φ or from ψ on the right side of the premise. In the first
case, π ends in

Γ ⇒ ∆, φ
∨R
Γ ⇒ ∆, φ ∨ ψ

Release : d3a1905 (2022-12-19) 135

 CHAPTER 9. THE SEQUENT CALCULUS

Now Θ = Γ and Ξ = ∆, φ ∨ ψ. Consider a valuation v. Since Γ ⇒ ∆, φ is

valid, (a) v ⊨ φ, (b) v ⊭ χ for some χ ∈ Γ, or (c) v ⊨ χ for some χ ∈ ∆. In
case (a), v ⊨ φ ∨ ψ. In case (b), there is χ ∈ Γ such that v ⊭ χ. In case (c),
there is χ ∈ ∆ such that v ⊨ χ. So in each case, v satisfies Γ ⇒ ∆, φ ∨ ψ,
i.e., Θ ⇒ Ξ. Since v was arbitrary, Θ ⇒ Ξ is valid. The case where φ ∨ ψ
is inferred from ψ is handled the same, changing φ to ψ.
6. The last inference is →R: Then π ends in

φ, Γ ⇒ ∆, ψ
→R
Γ ⇒ ∆, φ → ψ

Again, the induction hypothesis says that the premise is valid; we want
to show that the conclusion is valid as well. Let v be arbitrary. Since
φ, Γ ⇒ ∆, ψ is valid, at least one of the following cases obtains: (a) v ⊭ φ,
(b) v ⊨ ψ, (c) v ⊭ χ for some χ ∈ Γ, or (d) v ⊨ χ for some χ ∈ ∆. In cases
(a) and (b), v ⊨ φ → ψ and so there is a χ ∈ ∆, φ → ψ such that v ⊨ χ. In
case (c), for some χ ∈ Γ, v ⊭ χ. In case (d), for some χ ∈ ∆, v ⊨ χ. In
each case, v satisfies Γ ⇒ ∆, φ → ψ. Since v was arbitrary, Γ ⇒ ∆, φ → ψ
is valid.
Now let’s consider the possible inferences with two premises.
1. The last inference is a cut: then π ends in

Γ ⇒ ∆, φ φ, Π ⇒ Λ
Cut
Γ, Π ⇒ ∆, Λ

Let v be a valuation. By induction hypothesis, the premises are valid, so

v satisfies both premises. We distinguish two cases: (a) v ⊭ φ and (b)
v ⊨ φ. In case (a), in order for v to satisfy the left premise, it must satisfy
Γ ⇒ ∆. But then it also satisfies the conclusion. In case (b), in order for
v to satisfy the right premise, it must satisfy Π \ Λ. Again, v satisfies the
conclusion.
2. The last inference is ∧R. Then π ends in

Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
Γ ⇒ ∆, φ ∧ ψ

136 Release : d3a1905 (2022-12-19)

9.9. SOUNDNESS

Consider a valuation v. If v satisfies Γ ⇒ ∆, we are done. So suppose

it doesn’t. Since Γ ⇒ ∆, φ is valid by induction hypothesis, v ⊨ φ.
Similarly, since Γ ⇒ ∆, ψ is valid, v ⊨ ψ. But then v ⊨ φ ∧ ψ.

3. The last inference is ∨L: Exercise.

4. The last inference is →L. Then π ends in

Γ ⇒ ∆, φ ψ, Π ⇒ Λ
→L
φ → ψ, Γ, Π ⇒ ∆, Λ

Again, consider a valuation v and suppose v doesn’t satisfy Γ, Π ⇒ ∆, Λ.

We have to show that v ⊭ φ → ψ. If v doesn’t satisfy Γ, Π ⇒ ∆, Λ, it
satisfies neither Γ ⇒ ∆ nor Π ⇒ Λ. Since, Γ ⇒ ∆, φ is valid, we have
v ⊨ φ. Since ψ, Π ⇒ Λ is valid, we have v ⊭ ψ. But then v ⊭ φ → ψ,
which is what we wanted to show.

Corollary 9.26. If ⊢ φ then φ is a tautology.

Corollary 9.27. If Γ ⊢ φ then Γ ⊨ φ.

Proof. If Γ ⊢ φ then for some finite subset Γ0 ⊆ Γ, there is a derivation of

Γ0 ⇒ φ. By Theorem 9.25, every valuation v either makes some ψ ∈ Γ0 false
or makes φ true. Hence, if v ⊨ Γ then also v ⊨ φ.

Corollary 9.28. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then

there is a finite Γ0 ⊆ Γ and a derivation of Γ0 ⇒ . By Theorem 9.25, Γ0 ⇒
is valid. In other words, for every valuation v, there is χ ∈ Γ0 so that v ⊭ χ,
and since Γ0 ⊆ Γ, that χ is also in Γ. Thus, no v satisfies Γ, and Γ is not
satisfiable.

Problems
Problem 9.1. Give derivations of the following sequents:

1. φ ∧ (ψ ∧ χ) ⇒ ( φ ∧ ψ) ∧ χ.

2. φ ∨ (ψ ∨ χ) ⇒ ( φ ∨ ψ) ∨ χ.

3. φ → (ψ → χ) ⇒ ψ → ( φ → χ).

4. φ ⇒ ¬¬ φ.

Release : d3a1905 (2022-12-19) 137

 CHAPTER 9. THE SEQUENT CALCULUS

Problem 9.2. Give derivations of the following sequents:

1. ( φ ∨ ψ) → χ ⇒ φ → χ.

2. ( φ → χ) ∧ (ψ → χ) ⇒ ( φ ∨ ψ) → χ.

3. ⇒ ¬( φ ∧ ¬ φ).

4. ψ → φ ⇒ ¬ φ → ¬ψ.

5. ⇒ ( φ → ¬ φ) → ¬ φ.

6. ⇒ ¬( φ → ψ) → ¬ψ.

7. φ → χ ⇒ ¬( φ ∧ ¬χ).

8. φ ∧ ¬χ ⇒ ¬( φ → χ).

9. φ ∨ ψ, ¬ψ ⇒ φ.

10. ¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ).

11. ⇒ (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. ⇒ ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 9.3. Give derivations of the following sequents:

1. ¬( φ → ψ) ⇒ φ.

2. ¬( φ ∧ ψ) ⇒ ¬ φ ∨ ¬ψ.

3. φ → ψ ⇒ ¬ φ ∨ ψ.

4. ⇒ ¬¬ φ → φ.

5. φ → ψ, ¬ φ → ψ ⇒ ψ.

6. ( φ ∧ ψ) → χ ⇒ ( φ → χ) ∨ (ψ → χ).

7. ( φ → ψ) → φ ⇒ φ.

8. ⇒ ( φ → ψ) ∨ (ψ → χ).

(These all require the CR rule.)

Problem 9.4. Prove Proposition 19.16

Problem 9.5. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 9.6. Complete the proof of Theorem 9.25.

138 Release : d3a1905 (2022-12-19)

Chapter 10

Natural Deduction

This chapter presents a natural deduction system in the style of

Gentzen/Prawitz.
To include or exclude material relevant to natural deduction as a proof
system, use the “prfND” tag.

10.1 Rules and Derivations

Natural deduction systems are meant to closely parallel the informal reason-
ing used in mathematical proof (hence it is somewhat “natural”). Natural
deduction proofs begin with assumptions. Inference rules are then applied.
Assumptions are “discharged” by the ¬Intro, →Intro, and ∨Elim inference
rules, and the label of the discharged assumption is placed beside the infer-
ence for clarity.

Definition 10.1 (Assumption). An assumption is any sentence in the topmost

position of any branch.

Derivations in natural deduction are certain trees of sentences, where the

topmost sentences are assumptions, and if a sentence stands below one, two,
or three other sequents, it must follow correctly by a rule of inference. The sen-
tences at the top of the inference are called the premises and the sentence below
the conclusion of the inference. The rules come in pairs, an introduction and
an elimination rule for each logical operator. They introduce a logical opera-
tor in the conclusion or remove a logical operator from a premise of the rule.
Some of the rules allow an assumption of a certain type to be discharged. To
indicate which assumption is discharged by which inference, we also assign
labels to both the assumption and the inference. This is indicated by writing
the assumption as “[ φ]n .”

139
 CHAPTER 10. NATURAL DEDUCTION

It is customary to consider rules for all the logical operators ∧, ∨, →, ¬,

and ⊥, even if some of those are defined.

10.2 Propositional Rules

Rules for ∧

φ∧ψ
φ ∧Elim
φ ψ
∧Intro
φ∧ψ φ∧ψ
ψ
∧Elim

Rules for ∨

φ [ φ]n [ψ]n
∨Intro
φ∨ψ
ψ
∨Intro φ∨ψ χ χ
φ∨ψ n ∨Elim
χ

Rules for →

[ φ]n
φ→ψ φ
ψ
→Elim
ψ
n →Intro
φ→ψ

Rules for ¬

[ φ]n
¬φ φ
¬Elim
⊥
⊥
¬ φ ¬Intro
n

140 Release : d3a1905 (2022-12-19)

10.3. DERIVATIONS

Rules for ⊥

[¬ φ]n

⊥ ⊥
φ I

n
⊥ ⊥
φ C

Note that ¬Intro and ⊥C are very similar: The difference is that ¬Intro derives
a negated sentence ¬ φ but ⊥C a positive sentence φ.
Whenever a rule indicates that some assumption may be discharged, we
take this to be a permission, but not a requirement. E.g., in the →Intro rule,
we may discharge any number of assumptions of the form φ in the derivation
of the premise ψ, including zero.

10.3 Derivations
We’ve said what an assumption is, and we’ve given the rules of inference.
Derivations in natural deduction are inductively generated from these: each
derivation either is an assumption on its own, or consists of one, two, or three
derivations followed by a correct inference.

Definition 10.2 (Derivation). A derivation of a sentence φ from assumptions Γ

is a finite tree of sentences satisfying the following conditions:

1. The topmost sentences of the tree are either in Γ or are discharged by an

inference in the tree.

2. The bottommost sentence of the tree is φ.

3. Every sentence in the tree except the sentence φ at the bottom is a premise
of a correct application of an inference rule whose conclusion stands di-
rectly below that sentence in the tree.

We then say that φ is the conclusion of the derivation and Γ its undischarged
assumptions.
If a derivation of φ from Γ exists, we say that φ is derivable from Γ, or in
symbols: Γ ⊢ φ. If there is a derivation of φ in which every assumption is
discharged, we write ⊢ φ.

Example 10.3. Every assumption on its own is a derivation. So, e.g., φ by

itself is a derivation, and so is ψ by itself. We can obtain a new derivation
from these by applying, say, the ∧Intro rule,

Release : d3a1905 (2022-12-19) 141

 CHAPTER 10. NATURAL DEDUCTION

φ ψ
∧Intro
φ∧ψ

These rules are meant to be general: we can replace the φ and ψ in it with any
sentences, e.g., by χ and θ. Then the conclusion would be χ ∧ θ, and so

χ θ
∧Intro
χ∧θ

is a correct derivation. Of course, we can also switch the assumptions, so that

θ plays the role of φ and χ that of ψ. Thus,

θ χ
∧Intro
θ∧χ

is also a correct derivation.

We can now apply another rule, say, →Intro, which allows us to conclude
a conditional and allows us to discharge any assumption that is identical to
the antecedent of that conditional. So both of the following would be correct
derivations:
[ χ ]1 θ χ [ θ ]1
∧Intro ∧Intro
χ∧θ χ∧θ
1 →Intro 1 →Intro
χ → (χ ∧ θ ) θ → (χ ∧ θ )

They show, respectively, that θ ⊢ χ → (χ ∧ θ ) and χ ⊢ θ → (χ ∧ θ ).

Remember that discharging of assumptions is a permission, not a require-
ment: we don’t have to discharge the assumptions. In particular, we can apply
a rule even if the assumptions are not present in the derivation. For instance,
the following is legal, even though there is no assumption φ to be discharged:
ψ
1 →Intro
φ→ψ

10.4 Examples of Derivations

Example 10.4. Let’s give a derivation of the sentence ( φ ∧ ψ) → φ.
We begin by writing the desired conclusion at the bottom of the derivation.

( φ ∧ ψ) → φ

Next, we need to figure out what kind of inference could result in a sen-
tence of this form. The main operator of the conclusion is →, so we’ll try to
arrive at the conclusion using the →Intro rule. It is best to write down the as-
sumptions involved and label the inference rules as you progress, so it is easy
to see whether all assumptions have been discharged at the end of the proof.

142 Release : d3a1905 (2022-12-19)

10.4. EXAMPLES OF DERIVATIONS

[ φ ∧ ψ ]1

φ
1 →Intro
( φ ∧ ψ) → φ

We now need to fill in the steps from the assumption φ ∧ ψ to φ. Since we

only have one connective to deal with, ∧, we must use the ∧ elim rule. This
gives us the following proof:

[ φ ∧ ψ ]1
φ ∧Elim
1 →Intro
( φ ∧ ψ) → φ

We now have a correct derivation of ( φ ∧ ψ) → φ.

Example 10.5. Now let’s give a derivation of (¬ φ ∨ ψ) → ( φ → ψ).

We begin by writing the desired conclusion at the bottom of the derivation.

(¬ φ ∨ ψ) → ( φ → ψ)

To find a logical rule that could give us this conclusion, we look at the logical
connectives in the conclusion: ¬, ∨, and →. We only care at the moment about
the first occurrence of → because it is the main operator of the sentence in the
end-sequent, while ¬, ∨ and the second occurrence of → are inside the scope
of another connective, so we will take care of those later. We therefore start
with the →Intro rule. A correct application must look like this:

[¬ φ ∨ ψ]1

φ→ψ
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

This leaves us with two possibilities to continue. Either we can keep working
from the bottom up and look for another application of the →Intro rule, or we
can work from the top down and apply a ∨Elim rule. Let us apply the latter.
We will use the assumption ¬ φ ∨ ψ as the leftmost premise of ∨Elim. For a
valid application of ∨Elim, the other two premises must be identical to the
conclusion φ → ψ, but each may be derived in turn from another assumption,
namely one of the two disjuncts of ¬ φ ∨ ψ. So our derivation will look like
this:

Release : d3a1905 (2022-12-19) 143

 CHAPTER 10. NATURAL DEDUCTION

[¬ φ]2 [ ψ ]2

[¬ φ ∨ ψ]1 φ→ψ φ→ψ

2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)
In each of the two branches on the right, we want to derive φ → ψ, which
is best done using →Intro.

[¬ φ]2 , [ φ]3 [ ψ ]2 , [ φ ]4

ψ ψ
3 →Intro 4 →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)
For the two missing parts of the derivation, we need derivations of ψ from
¬ φ and φ in the middle, and from φ and ψ on the left. Let’s take the former
first. ¬ φ and φ are the two premises of ¬Elim:

[¬ φ]2 [ φ ]3
¬Elim
⊥

By using ⊥ I , we can obtain ψ as a conclusion and complete the branch.

[ ψ ]2 , [ φ ]4
[¬ φ]2 [ φ ]3
⊥Intro
⊥ ⊥
I
ψ ψ
3 →Intro 4 →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)
Let’s now look at the rightmost branch. Here it’s important to realize that
the definition of derivation allows assumptions to be discharged but does not re-
quire them to be. In other words, if we can derive ψ from one of the assump-
tions φ and ψ without using the other, that’s ok. And to derive ψ from ψ is
trivial: ψ by itself is such a derivation, and no inferences are needed. So we
can simply delete the assumption φ.

144 Release : d3a1905 (2022-12-19)

10.4. EXAMPLES OF DERIVATIONS

[¬ φ]2 [ φ ]3
¬Elim
⊥ ⊥
I
ψ [ ψ ]2
3 →Intro →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

Note that in the finished derivation, the rightmost →Intro inference does not
actually discharge any assumptions.

Example 10.6. So far we have not needed the ⊥C rule. It is special in that it al-
lows us to discharge an assumption that isn’t a sub-formula of the conclusion
of the rule. It is closely related to the ⊥ I rule. In fact, the ⊥ I rule is a special
case of the ⊥C rule—there is a logic called “intuitionistic logic” in which only
⊥ I is allowed. The ⊥C rule is a last resort when nothing else works. For in-
stance, suppose we want to derive φ ∨ ¬ φ. Our usual strategy would be to
attempt to derive φ ∨ ¬ φ using ∨Intro. But this would require us to derive
either φ or ¬ φ from no assumptions, and this can’t be done. ⊥C to the rescue!

[¬( φ ∨ ¬ φ)]1

1
⊥ ⊥C
φ ∨ ¬φ

Now we’re looking for a derivation of ⊥ from ¬( φ ∨ ¬ φ). Since ⊥ is the

conclusion of ¬Elim we might try that:

[¬( φ ∨ ¬ φ)]1 [¬( φ ∨ ¬ φ)]1

¬φ φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

Our strategy for finding a derivation of ¬ φ calls for an application of ¬Intro:

[¬( φ ∨ ¬ φ)]1 , [ φ]2

[¬( φ ∨ ¬ φ)]1

⊥
2
¬ φ ¬Intro φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

Release : d3a1905 (2022-12-19) 145

 CHAPTER 10. NATURAL DEDUCTION

Here, we can get ⊥ easily by applying ¬Elim to the assumption ¬( φ ∨ ¬ φ)

and φ ∨ ¬ φ which follows from our new assumption φ by ∨Intro:

[ φ ]2 [¬( φ ∨ ¬ φ)]1
[¬( φ ∨ ¬ φ)]1 φ ∨ ¬ φ ∨Intro
¬Elim
⊥
2
¬φ ¬ Intro φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

On the right side we use the same strategy, except we get φ by ⊥C :

[ φ ]2 [¬ φ]3
[¬( φ ∨ ¬ φ)]1 φ ∨ ¬φ ∨ Intro [¬( φ ∨ ¬ φ)]1 φ ∨ ¬ φ ∨Intro
¬Elim ¬Elim
⊥ ⊥ ⊥
2
¬ φ ¬Intro 3
φ C
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

10.5 Proof-Theoretic Notions

This section collects the definitions the provability relation and consis-
tency for natural deduction.

Just as we’ve defined a number of important semantic notions (validity, en-

tailment, satisfiability), we now define corresponding proof-theoretic notions.
These are not defined by appeal to satisfaction of sentences in structures, but
by appeal to the derivability or non-derivability of certain sentences from oth-
ers. It was an important discovery that these notions coincide. That they do is
the content of the soundness and completeness theorems.

Definition 10.7 (Theorems). A sentence φ is a theorem if there is a derivation

of φ in natural deduction in which all assumptions are discharged. We write
⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 10.8 (Derivability). A sentence φ is derivable from a set of sentences Γ,

Γ ⊢ φ, if there is a derivation with conclusion φ and in which every assump-
tion is either discharged or is in Γ. If φ is not derivable from Γ we write Γ ⊬ φ.

Definition 10.9 (Consistency). A set of sentences Γ is inconsistent iff Γ ⊢ ⊥. If

Γ is not inconsistent, i.e., if Γ ⊬ ⊥, we say it is consistent.

Proposition 10.10 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

146 Release : d3a1905 (2022-12-19)

10.5. PROOF-THEORETIC NOTIONS

Proof. The assumption φ by itself is a derivation of φ where every undis-

charged assumption (i.e., φ) is in Γ.

Proposition 10.11 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Any derivation of φ from Γ is also a derivation of φ from ∆.

Proposition 10.12 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If Γ ⊢ φ, there is a derivation δ0 of φ with all undischarged assumptions

in Γ. If { φ} ∪ ∆ ⊢ ψ, then there is a derivation δ1 of ψ with all undischarged
assumptions in { φ} ∪ ∆. Now consider:
∆, [ φ]1

δ1 Γ
δ0
ψ
1 →Intro
φ→ψ φ
ψ
→Elim

The undischarged assumptions are now all among Γ ∪ ∆, so this shows Γ ∪

∆ ⊢ ψ.

When Γ = { φ1 , φ2 , . . . , φk } is a finite set we may use the simplified nota-

tion φ1 , φ2 , . . . , φk ⊢ ψ for Γ ⊢ ψ, in particular φ ⊢ ψ means that { φ} ⊢ ψ.
Note that if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It follows also that if φ1 , . . . , φn ⊢
ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.
Proposition 10.13. The following are equivalent.
1. Γ is inconsistent.
2. Γ ⊢ φ for every sentence φ.
3. Γ ⊢ φ and Γ ⊢ ¬ φ for some sentence φ.

Proof. Exercise.

Proposition 10.14 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.
2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a derivation δ of φ from Γ. Let Γ0 be the set

of undischarged assumptions of δ. Since any derivation is finite, Γ0 can
only contain finitely many sentences. So, δ is a derivation of φ from a
finite Γ0 ⊆ Γ.
2. This is the contrapositive of (1) for the special case φ ≡ ⊥.

Release : d3a1905 (2022-12-19) 147

 CHAPTER 10. NATURAL DEDUCTION

10.6 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 10.15. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. Let the derivation of φ from Γ be δ1 and the derivation of ⊥ from Γ ∪

{ φ} be δ2 . We can then derive:
Γ, [ φ]1
Γ
δ2
δ1
⊥
1
¬ φ ¬Intro φ
¬Elim
⊥
In the new derivation, the assumption φ is discharged, so it is a derivation
from Γ.

Proposition 10.16. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a derivation δ0 of φ from undischarged

assumptions Γ. We obtain a derivation of ⊥ from Γ ∪ {¬ φ} as follows:
Γ
δ0
¬φ φ
¬Elim
⊥
Now assume Γ ∪ {¬ φ} is inconsistent, and let δ1 be the corresponding
derivation of ⊥ from undischarged assumptions in Γ ∪ {¬ φ}. We obtain
a derivation of φ from Γ alone by using ⊥C :

Γ, [¬ φ]1

δ1

1
⊥ ⊥
φ C

Proposition 10.17. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there is a derivation δ of φ from Γ.

Consider this simple application of the ¬Elim rule:

148 Release : d3a1905 (2022-12-19)

10.7. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

δ
¬φ φ
¬Elim
⊥
Since ¬ φ ∈ Γ, all undischarged assumptions are in Γ, this shows that Γ ⊢ ⊥.

Proposition 10.18. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. There are derivations δ1 and δ2 of ⊥ from Γ ∪ { φ} and ⊥ from Γ ∪ {¬ φ},

respectively. We can then derive

Γ, [¬ φ]2 Γ, [ φ]1

δ2 δ1

⊥ ⊥
2
¬¬ φ ¬Intro 1
¬ φ ¬Intro
¬Elim
⊥
Since the assumptions φ and ¬ φ are discharged, this is a derivation of ⊥
from Γ alone. Hence Γ is inconsistent.

10.7 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of natural deduction is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 10.19. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. We can derive both

φ∧ψ φ∧ψ
φ ∧Elim ψ
∧Elim

2. We can derive:
φ ψ
∧Intro
φ∧ψ

Proposition 10.20. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

Release : d3a1905 (2022-12-19) 149

 CHAPTER 10. NATURAL DEDUCTION

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. Consider the following derivation:

¬φ [ φ ]1 ¬ψ [ ψ ]1
¬Elim ¬Elim
φ∨ψ ⊥ ⊥
1 ∨Elim
⊥

This is a derivation of ⊥ from undischarged assumptions φ ∨ ψ, ¬ φ, and

¬ψ.

2. We can derive both

φ ψ
∨Intro ∨Intro
φ∨ψ φ∨ψ

Proposition 10.21. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. We can derive:

φ→ψ φ
ψ
→Elim

2. This is shown by the following two derivations:

¬φ [ φ ]1
¬Elim
⊥ ⊥
I
ψ ψ
1 →Intro →Intro
φ→ψ φ→ψ

Note that →Intro may, but does not have to, discharge the assumption φ.

10.8 Soundness
A derivation system, such as natural deduction, is sound if it cannot derive
things that do not actually follow. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable sentence is a tautology;

150 Release : d3a1905 (2022-12-19)

10.8. SOUNDNESS

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.

Theorem 10.22 (Soundness). If φ is derivable from the undischarged assumptions

Γ, then Γ ⊨ φ.

Proof. Let δ be a derivation of φ. We proceed by induction on the number of

inferences in δ.
For the induction basis we show the claim if the number of inferences is 0.
In this case, δ consists only of a single sentence φ, i.e., an assumption. That
assumption is undischarged, since assumptions can only be discharged by
inferences, and there are no inferences. So, any valuation v that satisfies all of
the undischarged assumptions of the proof also satisfies φ.
Now for the inductive step. Suppose that δ contains n inferences. The
premise(s) of the lowermost inference are derived using sub-derivations, each
of which contains fewer than n inferences. We assume the induction hypothe-
sis: The premises of the lowermost inference follow from the undischarged as-
sumptions of the sub-derivations ending in those premises. We have to show
that the conclusion φ follows from the undischarged assumptions of the entire
proof.
We distinguish cases according to the type of the lowermost inference.
First, we consider the possible inferences with only one premise.

1. Suppose that the last inference is ¬Intro: The derivation has the form

Γ, [ φ]n

δ1

⊥
¬ φ ¬Intro
n

By inductive hypothesis, ⊥ follows from the undischarged assumptions

Γ ∪ { φ} of δ1 . Consider a valuation v. We need to show that, if v ⊨ Γ,
then v ⊨ ¬ φ. Suppose for reductio that v ⊨ Γ, but v ⊭ ¬ φ, i.e., v ⊨ φ.
This would mean that v ⊨ Γ ∪ { φ}. This is contrary to our inductive
hypothesis. So, v ⊨ ¬ φ.

Release : d3a1905 (2022-12-19) 151

 CHAPTER 10. NATURAL DEDUCTION

2. The last inference is ∧Elim: There are two variants: φ or ψ may be in-
ferred from the premise φ ∧ ψ. Consider the first case. The derivation δ
looks like this:
Γ
δ1

φ∧ψ
φ ∧Elim

By inductive hypothesis, φ ∧ ψ follows from the undischarged assump-

tions Γ of δ1 . Consider a structure v. We need to show that, if v ⊨ Γ,
then v ⊨ φ. Suppose v ⊨ Γ. By our inductive hypothesis (Γ ⊨ φ ∧ ψ), we
know that v ⊨ φ ∧ ψ. By definition, v ⊨ φ ∧ ψ iff v ⊨ φ and v ⊨ ψ. (The
case where ψ is inferred from φ ∧ ψ is handled similarly.)

3. The last inference is ∨Intro: There are two variants: φ ∨ ψ may be in-
ferred from the premise φ or the premise ψ. Consider the first case. The
derivation has the form
Γ
δ1
φ
∨Intro
φ∨ψ

By inductive hypothesis, φ follows from the undischarged assumptions Γ

of δ1 . Consider a valuation v. We need to show that, if v ⊨ Γ, then
v ⊨ φ ∨ ψ. Suppose v ⊨ Γ; then v ⊨ φ since Γ ⊨ φ (the inductive hypoth-
esis). So it must also be the case that v ⊨ φ ∨ ψ. (The case where φ ∨ ψ is
inferred from ψ is handled similarly.)

4. The last inference is →Intro: φ → ψ is inferred from a subproof with

assumption φ and conclusion ψ, i.e.,

Γ, [ φ]n

δ1

ψ
n →Intro
φ→ψ

By inductive hypothesis, ψ follows from the undischarged assumptions

of δ1 , i.e., Γ ∪ { φ} ⊨ ψ. Consider a valuation v. The undischarged as-
sumptions of δ are just Γ, since φ is discharged at the last inference. So
we need to show that Γ ⊨ φ → ψ. For reductio, suppose that for some

152 Release : d3a1905 (2022-12-19)

10.8. SOUNDNESS

valuation v, v ⊨ Γ but v ⊭ φ → ψ. So, v ⊨ φ and v ⊭ ψ. But by hypothesis,

ψ is a consequence of Γ ∪ { φ}, i.e., v ⊨ ψ, which is a contradiction. So,
Γ ⊨ φ → ψ.
5. The last inference is ⊥ I : Here, δ ends in

Γ
δ1

⊥ ⊥
φ I

By induction hypothesis, Γ ⊨ ⊥. We have to show that Γ ⊨ φ. Suppose

not; then for some v we have v ⊨ Γ and v ⊭ φ. But we always have v ⊭ ⊥,
so this would mean that Γ ⊭ ⊥, contrary to the induction hypothesis.
6. The last inference is ⊥C : Exercise.

Now let’s consider the possible inferences with several premises: ∨Elim,
∧Intro, and →Elim.
1. The last inference is ∧Intro. φ ∧ ψ is inferred from the premises φ and ψ
and δ has the form

Γ1 Γ2

δ1 δ2

φ ψ
∧Intro
φ∧ψ

By induction hypothesis, φ follows from the undischarged assumptions Γ1

of δ1 and ψ follows from the undischarged assumptions Γ2 of δ2 . The
undischarged assumptions of δ are Γ1 ∪ Γ2 , so we have to show that
Γ1 ∪ Γ2 ⊨ φ ∧ ψ. Consider a valuation v with v ⊨ Γ1 ∪ Γ2 . Since v ⊨ Γ1 ,
it must be the case that v ⊨ φ as Γ1 ⊨ φ, and since v ⊨ Γ2 , v ⊨ ψ since
Γ2 ⊨ ψ. Together, v ⊨ φ ∧ ψ.
2. The last inference is ∨Elim: Exercise.
3. The last inference is →Elim. ψ is inferred from the premises φ → ψ
and φ. The derivation δ looks like this:

Γ1 Γ2
δ1 δ2
φ→ψ φ
ψ
→Elim

Release : d3a1905 (2022-12-19) 153

 CHAPTER 10. NATURAL DEDUCTION

By induction hypothesis, φ → ψ follows from the undischarged assump-

tions Γ1 of δ1 and φ follows from the undischarged assumptions Γ2 of δ2 .
Consider a valuation v. We need to show that, if v ⊨ Γ1 ∪ Γ2 , then v ⊨ ψ.
Suppose v ⊨ Γ1 ∪ Γ2 . Since Γ1 ⊨ φ → ψ, v ⊨ φ → ψ. Since Γ2 ⊨ φ, we
have v ⊨ φ. This means that v ⊨ ψ (For if v ⊭ ψ, since v ⊨ φ, we’d have
v ⊭ φ → ψ, contradicting v ⊨ φ → ψ).

4. The last inference is ¬Elim: Exercise.

Corollary 10.23. If ⊢ φ, then φ is a tautology.

Corollary 10.24. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then

Γ ⊢ ⊥, i.e., there is a derivation of ⊥ from undischarged assumptions in Γ. By
Theorem 10.22, any valuation v that satisfies Γ must satisfy ⊥. Since v ⊭ ⊥ for
every valuation v, no v can satisfy Γ, i.e., Γ is not satisfiable.

Problems
Problem 10.1. Give derivations that show the following:

1. φ ∧ (ψ ∧ χ) ⊢ ( φ ∧ ψ) ∧ χ.

2. φ ∨ (ψ ∨ χ) ⊢ ( φ ∨ ψ) ∨ χ.

3. φ → (ψ → χ) ⊢ ψ → ( φ → χ).

4. φ ⊢ ¬¬ φ.

Problem 10.2. Give derivations that show the following:

1. ( φ ∨ ψ) → χ ⊢ φ → χ.

2. ( φ → χ) ∧ (ψ → χ) ⊢ ( φ ∨ ψ) → χ.

3. ⊢ ¬( φ ∧ ¬ φ).

4. ψ → φ ⊢ ¬ φ → ¬ψ.

5. ⊢ ( φ → ¬ φ) → ¬ φ.

6. ⊢ ¬( φ → ψ) → ¬ψ.

7. φ → χ ⊢ ¬( φ ∧ ¬χ).

8. φ ∧ ¬χ ⊢ ¬( φ → χ).

9. φ ∨ ψ, ¬ψ ⊢ φ.

154 Release : d3a1905 (2022-12-19)

10.8. SOUNDNESS

10. ¬ φ ∨ ¬ψ ⊢ ¬( φ ∧ ψ).

11. ⊢ (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. ⊢ ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 10.3. Give derivations that show the following:

1. ¬( φ → ψ) ⊢ φ.

2. ¬( φ ∧ ψ) ⊢ ¬ φ ∨ ¬ψ.

3. φ → ψ ⊢ ¬ φ ∨ ψ.

4. ⊢ ¬¬ φ → φ.

5. φ → ψ, ¬ φ → ψ ⊢ ψ.

6. ( φ ∧ ψ) → χ ⊢ ( φ → χ) ∨ (ψ → χ).

7. ( φ → ψ) → φ ⊢ φ.

8. ⊢ ( φ → ψ) ∨ (ψ → χ).

(These all require the ⊥C rule.)

Problem 10.4. Prove Proposition 10.13

Problem 10.5. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 10.6. Complete the proof of Theorem 10.22.

Release : d3a1905 (2022-12-19) 155

Chapter 11

Tableaux

This chapter presents a signed analytic tableaux system.

To include or exclude material relevant to natural deduction as a proof
system, use the “prfTab” tag.

11.1 Rules and Tableaux

A tableau is a systematic survey of the possible ways a sentence can be true
or false in a structure. The building blocks of a tableau are signed formulas:
sentences plus a truth value “sign,” either T or F. These signed formulas are
arranged in a (downward growing) tree.

Definition 11.1. A signed formula is a pair consisting of a truth value and a sen-
tence, i.e., either:
T φ or F φ.

Intuitively, we might read T φ as “φ might be true” and F φ as “φ might be

false” (in some structure).
Each signed formula in the tree is either an assumption (which are listed at
the very top of the tree), or it is obtained from a signed formula above it by
one of a number of rules of inference. There are two rules for each possible
main operator of the preceding formula, one for the case where the sign is T,
and one for the case where the sign is F. Some rules allow the tree to branch,
and some only add signed formulas to the branch. A rule may be (and often
must be) applied not to the immediately preceding signed formula, but to any
signed formula in the branch from the root to the place the rule is applied.
A branch is closed when it contains both T φ and F φ. A closed tableau
is one where every branch is closed. Under the intuitive interpretation, any
branch describes a joint possibility, but T φ and F φ are not jointly possible. In

156
11.2. PROPOSITIONAL RULES

other words, if a branch is closed, the possibility it describes has been ruled
out. In particular, that means that a closed tableau rules out all possibilities
of simultaneously making every assumption of the form T φ true and every
assumption of the form F φ false.
A closed tableau for φ is a closed tableau with root F φ. If such a closed
tableau exists, all possibilities for φ being false have been ruled out; i.e., φ
must be true in every structure.

11.2 Propositional Rules

Rules for ¬

T¬ φ F ¬φ
¬T ¬F
Fφ Tφ

Rules for ∧

Tφ ∧ ψ
∧T Fφ ∧ ψ
Tφ ∧F
F φ | Fψ
Tψ

Rules for ∨

Fφ ∨ ψ
Tφ ∨ ψ ∨F
∨T Fφ
T φ | Tψ
Fψ

Rules for →

Fφ → ψ
Tφ → ψ →F
→T Tφ
F φ | Tψ
Fψ

Release : d3a1905 (2022-12-19) 157

 CHAPTER 11. TABLEAUX

The Cut Rule

Cut
Tφ | Fφ

The Cut rule is not applied “to” a previous signed formula; rather, it allows
every branch in a tableau to be split in two, one branch containing T φ, the
other F φ. It is not necessary—any set of signed formulas with a closed tableau
has one not using Cut—but it allows us to combine tableaux in a convenient
way.

11.3 Tableaux
We’ve said what an assumption is, and we’ve given the rules of inference.
Tableaux are inductively generated from these: each tableau either is a single
branch consisting of one or more assumptions, or it results from a tableau by
applying one of the rules of inference on a branch.

Definition 11.2 (Tableau). A tableau for assumptions S1φ1 , . . . , Snφn (where

each Si is either T or F) is a finite tree of signed formulas satisfying the fol-
lowing conditions:

1. The n topmost signed formulas of the tree are Si φi , one below the other.

2. Every signed formula in the tree that is not one of the assumptions re-
sults from a correct application of an inference rule to a signed formula
in the branch above it.

A branch of a tableau is closed iff it contains both T φ and F φ, and open other-
wise. A tableau in which every branch is closed is a closed tableau (for its set
of assumptions). If a tableau is not closed, i.e., if it contains at least one open
branch, it is open.

Example 11.3. Every set of assumptions on its own is a tableau, but it will
generally not be closed. (Obviously, it is closed only if the assumptions al-
ready contain a pair of signed formulas T φ and F φ.)
From a tableau (open or closed) we can obtain a new, larger one by ap-
plying one of the rules of inference to a signed formula φ in it. The rule will
append one or more signed formulas to the end of any branch containing the
occurrence of φ to which we apply the rule.
For instance, consider the assumption T φ ∧ ¬ φ. Here is the (open) tableau
consisting of just that assumption:

1. T φ ∧ ¬φ Assumption

158 Release : d3a1905 (2022-12-19)

11.4. EXAMPLES OF TABLEAUX

We obtain a new tableau from it by applying the ∧T rule to the assumption.

That rule allows us to add two new lines to the tableau, T φ and T ¬ φ:

1. T φ ∧ ¬φ Assumption
2. Tφ ∧T 1
3. T¬ φ ∧T 1

When we write down tableaux, we record the rules we’ve applied on the right
(e.g., ∧T1 means that the signed formula on that line is the result of applying
the ∧T rule to the signed formula on line 1). This new tableau now contains
additional signed formulas, but to only one (T ¬ φ) can we apply a rule (in this
case, the ¬T rule). This results in the closed tableau

1. T φ ∧ ¬φ Assumption
2. Tφ ∧T 1
3. T¬ φ ∧T 1
4. Fφ ¬T 3
⊗

11.4 Examples of Tableaux

Example 11.4. Let’s find a closed tableau for the sentence ( φ ∧ ψ) → φ.
We begin by writing the corresponding assumption at the top of the tableau.

1. F ( φ ∧ ψ) → φ Assumption

There is only one assumption, so only one signed formula to which we can
apply a rule. (For every signed formula, there is always at most one rule that
can be applied: it’s the rule for the corresponding sign and main operator of
the sentence.) In this case, this means, we must apply →F.

1. F ( φ ∧ ψ) → φ ✓ Assumption
2. Tφ ∧ ψ →F 1
3. Fφ →F 1

To keep track of which signed formulas we have applied their corresponding

rules to, we write a checkmark next to the sentence. However, only write a
checkmark if the rule has been applied to all open branches. Once a signed
formula has had the corresponding rule applied in every open branch, we will
not have to return to it and apply the rule again. In this case, there is only one
branch, so the rule only has to be applied once. (Note that checkmarks are
only a convenience for constructing tableaux and are not officially part of the
syntax of tableaux.)
There is one new signed formula to which we can apply a rule: the T φ ∧ ψ
on line 2. Applying the ∧T rule results in:

Release : d3a1905 (2022-12-19) 159

 CHAPTER 11. TABLEAUX

1. F ( φ ∧ ψ) → φ ✓ Assumption
2. Tφ ∧ ψ ✓ →F 1
3. Fφ →F 1
4. Tφ ∧T 2
5. Tψ ∧T 2
⊗

Since the branch now contains both T φ (on line 4) and F φ (on line 3), the
branch is closed. Since it is the only branch, the tableau is closed. We have
found a closed tableau for ( φ ∧ ψ) → φ.

Example 11.5. Now let’s find a closed tableau for (¬ φ ∨ ψ) → ( φ → ψ).

We begin with the corresponding assumption:

1. F (¬ φ ∨ ψ) → ( φ → ψ) Assumption

The one signed formula in this tableau has main operator → and sign F, so
we apply the →F rule to it to obtain:

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ →F 1
3. F ( φ → ψ) →F 1

We now have a choice as to whether to apply ∨T to line 2 or →F to line 3. It

actually doesn’t matter which order we pick, as long as each signed formula
has its corresponding rule applied in every branch. So let’s pick the first one.
The ∨T rule allows the tableau to branch, and the two conclusions of the rule
will be the new signed formulas added to the two new branches. This results
in:

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) →F 1

4. T¬ φ Tψ ∨T 2

We have not applied the →F rule to line 3 yet: let’s do that now. To save
time, we apply it to both branches. Recall that we write a checkmark next
to a signed formula only if we have applied the corresponding rule in every
open branch. So it’s a good idea to apply a rule at the end of every branch that
contains the signed formula the rule applies to. That way we won’t have to
return to that signed formula lower down in the various branches.

160 Release : d3a1905 (2022-12-19)

11.4. EXAMPLES OF TABLEAUX

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) ✓ →F 1

4. T¬ φ Tψ ∨T 2
5. Tφ Tφ →F 3
6. Fψ Fψ →F 3
⊗

The right branch is now closed. On the left branch, we can still apply the ¬T
rule to line 4. This results in F φ and closes the left branch:

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) ✓ →F 1

4. T¬ φ Tψ ∨T 2
5. Tφ Tφ →F 3
6. Fψ Fψ →F 3
7. Fφ ⊗ ¬T 4
⊗

Example 11.6. We can give tableaux for any number of signed formulas as
assumptions. Often it is also necessary to apply more than one rule that allows
branching; and in general a tableau can have any number of branches. For
instance, consider a tableau for {T φ ∨ (ψ ∧ χ), F ( φ ∨ ψ) ∧ ( φ ∨ χ)}. We start
by applying the ∨T to the first assumption:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) Assumption

3. Tφ Tψ ∧ χ ∨T 1

Now we can apply the ∧F rule to line 2. We do this on both branches simul-
taneously, and can therefore check off line 2:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ Fφ ∨ χ Fφ ∨ ψ Fφ ∨ χ ∧F 2

Release : d3a1905 (2022-12-19) 161

 CHAPTER 11. TABLEAUX

Now we can apply ∨F to all the branches containing φ ∨ ψ:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ Fφ ∨ ψ ✓ Fφ ∨ χ ∧F 2
5. Fφ Fφ ∨F 4
6. Fψ Fψ ∨F 4
⊗

The leftmost branch is now closed. Let’s now apply ∨F to φ ∨ χ:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
5. Fφ Fφ ∨F 4
6. Fψ Fψ ∨F 4
7. ⊗ Fφ Fφ ∨F 4
8. Fχ Fχ ∨F 4
⊗

Note that we moved the result of applying ∨F a second time below for clarity.
In this instance it would not have been needed, since the justifications would
have been the same.
Two branches remain open, and Tψ ∧ χ on line 3 remains unchecked. We
apply ∧T to it to obtain a closed tableau:

162 Release : d3a1905 (2022-12-19)

11.5. PROOF-THEORETIC NOTIONS

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ✓ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
5. Fφ Fφ Fφ Fφ ∨F 4
6. Fψ Fχ Fψ Fχ ∨F 4
7. ⊗ ⊗ Tψ Tψ ∧T 3
8. Tχ Tχ ∧T 3
⊗ ⊗

For comparison, here’s a closed tableau for the same set of assumptions in
which the rules are applied in a different order:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
4. Fφ Fφ ∨F 3
5. Fψ Fχ ∨F 3

6. Tφ Tψ ∧ χ ✓ Tφ Tψ ∧ χ ✓ ∨T 1
7. ⊗ Tψ ⊗ Tψ ∧T 6
8. Tχ Tχ ∧T 6
⊗ ⊗

11.5 Proof-Theoretic Notions

This section collects the definitions of the provability relation and con-
sistency for tableaux.

Just as we’ve defined a number of important semantic notions (validity, en-

tailment, satisfiability), we now define corresponding proof-theoretic notions.
These are not defined by appeal to satisfaction of sentences in structures, but
by appeal to the existence of certain closed tableaux. It was an important dis-
covery that these notions coincide. That they do is the content of the soundness
and completeness theorems.

Release : d3a1905 (2022-12-19) 163

 CHAPTER 11. TABLEAUX

Definition 11.7 (Theorems). A sentence φ is a theorem if there is a closed tableau

for F φ. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 11.8 (Derivability). A sentence φ is derivable from a set of sentences Γ,

Γ ⊢ φ iff there is a finite set {ψ1 , . . . , ψn } ⊆ Γ and a closed tableau for the set

{F φ, Tψ1 , . . . , Tψn }.

If φ is not derivable from Γ we write Γ ⊬ φ.

Definition 11.9 (Consistency). A set of sentences Γ is inconsistent iff there is a

finite set {ψ1 , . . . , ψn } ⊆ Γ and a closed tableau for the set

{Tψ1 , . . . , Tψn }.

If Γ is not inconsistent, we say it is consistent.

Proposition 11.10 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. If φ ∈ Γ, { φ} is a finite subset of Γ and the tableau

1. Fφ Assumption
2. Tφ Assumption
⊗

is closed.

Proposition 11.11 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Any finite subset of Γ is also a finite subset of ∆.

Proposition 11.12 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If { φ} ∪ ∆ ⊢ ψ, then there is a finite subset ∆ 0 = {χ1 , . . . , χn } ⊆ ∆ such

that

{F ψ,T φ, Tχ1 , . . . , Tχn }

has a closed tableau. If Γ ⊢ φ then there are θ1 , . . . , θm such that

{F φ,Tθ1 , . . . , Tθm }

has a closed tableau.

Now consider the tableau with assumptions

F ψ, Tχ1 , . . . , Tχn , Tθ1 , . . . , Tθm .

164 Release : d3a1905 (2022-12-19)

11.6. DERIVABILITY AND CONSISTENCY

Apply the Cut rule on φ. This generates two branches, one has T φ in it, the
other F φ. Thus, on the one branch, all of

{F ψ, T φ, Tχ1 , . . . , Tχn }

are available. Since there is a closed tableau for these assumptions, we can
attach it to that branch; every branch through T φ closes. On the other branch,
all of
{F φ, Tθ1 , . . . , Tθm }
are available, so we can also complete the other side to obtain a closed tableau.
This shows Γ ∪ ∆ ⊢ ψ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 11.13. Γ is inconsistent iff Γ ⊢ φ for every sentence φ.

Proof. Exercise.

Proposition 11.14 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite subset Γ0 = {ψ1 , . . . , ψn } and a

closed tableau for
{F φ, Tψ1 , . . . , Tψn }
This tableau also shows Γ0 ⊢ φ.

2. If Γ is inconsistent, then for some finite subset Γ0 = {ψ1 , . . . , ψn } there is

a closed tableau for
{Tψ1 , . . . , Tψn }
This closed tableau shows that Γ0 is inconsistent.

11.6 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 11.15. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Release : d3a1905 (2022-12-19) 165

 CHAPTER 11. TABLEAUX

Proof. There are finite Γ0 = {ψ1 , . . . , ψn } and Γ1 = {χ1 , . . . , χn } ⊆ Γ such that

{F φ,Tψ1 , . . . , Tψn }
{T φ,Tχ1 , . . . , Tχm }

have closed tableaux. Using the Cut rule on φ we can combine these into a
single closed tableau that shows Γ0 ∪ Γ1 is inconsistent. Since Γ0 ⊆ Γ and
Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ, hence Γ is inconsistent.

Proposition 11.16. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a closed tableau for

{F φ, Tψ1 , . . . , Tψn }

Using the ¬T rule, this can be turned into a closed tableau for

{T ¬ φ, Tψ1 , . . . , Tψn }.

On the other hand, if there is a closed tableau for the latter, we can turn it
into a closed tableau of the former by removing every formula that results
from ¬T applied to the first assumption T ¬ φ as well as that assumption,
and adding the assumption F φ. For if a branch was closed before because
it contained the conclusion of ¬T applied to T ¬ φ, i.e., F φ, the corresponding
branch in the new tableau is also closed. If a branch in the old tableau was
closed because it contained the assumption T ¬ φ as well as F ¬ φ we can turn
it into a closed branch by applying ¬F to F ¬ φ to obtain T φ. This closes the
branch since we added F φ as an assumption.

Proposition 11.17. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there are ψ1 , . . . , ψn ∈ Γ such that

{F φ, Tψ1 , . . . , Tψn }

has a closed tableau. Replace the assumption F φ by T ¬ φ, and insert the

conclusion of ¬T applied to F φ after the assumptions. Any sentence in the
tableau justified by appeal to line 1 in the old tableau is now justified by appeal
to line n + 1. So if the old tableau was closed, the new one is. It shows that Γ
is inconsistent, since all assumptions are in Γ.

Proposition 11.18. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

166 Release : d3a1905 (2022-12-19)

11.7. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

Proof. If there are ψ1 , . . . , ψn ∈ Γ and χ1 , . . . , χm ∈ Γ such that

{T φ,Tψ1 , . . . , Tψn } and

{T ¬ φ,Tχ1 , . . . , Tχm }
both have closed tableaux, we can construct a single, combined tableau that
shows that Γ is inconsistent by using as assumptions Tψ1 , . . . , Tψn together
with Tχ1 , . . . , Tχm , followed by an application of the Cut rule. This yields
two branches, one starting with T φ, the other with F φ.
On the left left side, add the part of the first tableau below its assumptions.
Here, every rule application is still correct, since each of the assumptions of
the first tableau, including T φ, is available. Thus, every branch below T φ
closes.
On the right side, add the part of the second tableau below its assumption,
with the results of any applications of ¬T to T ¬ φ removed. The conclusion
of ¬T to T ¬ φ is F φ, which is nevertheless available, as it is the conclusion of
the Cut rule on the right side of the combined tableau.
If a branch in the second tableau was closed because it contained the as-
sumption T ¬ φ (which no longer appears as an assumption in the combined
tableau) as well as F ¬ φ, we can applying ¬F to F ¬ φ to obtain T φ. Now
the corresponding branch in the combined tableau also closes, because it con-
tains the right-hand conclusion of the Cut rule, F φ. If a branch in the second
tableau closed for any other reason, the corresponding branch in the combined
tableau also closes, since any signed formulas other than T ¬ φ occurring on
the branch in the old, second tableau also occur on the corresponding branch
in the combined tableau.

11.7 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of tableaux is strong enough to
establish some basic facts involving the propositional connectives, such as that
φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are needed for the
proof of the completeness theorem.
Proposition 11.19. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ.
2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. Both {F φ, T φ ∧ ψ} and {F ψ, T φ ∧ ψ} have closed tableaux

1. Fφ Assumption
2. Tφ ∧ ψ Assumption
3. Tφ ∧T 2
4. Tψ ∧T 2
⊗

Release : d3a1905 (2022-12-19) 167

 CHAPTER 11. TABLEAUX

1. Fψ Assumption
2. Tφ ∧ ψ Assumption
3. Tφ ∧T 2
4. Tψ ∧T 2
⊗

2. Here is a closed tableau for {T φ, Tψ, F φ ∧ ψ}:

1. Fφ ∧ ψ Assumption
2. Tφ Assumption
3. Tψ Assumption

4. Fφ Fψ ∧F 1
⊗ ⊗

Proposition 11.20. 1. { φ ∨ ψ, ¬ φ, ¬ψ} is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. We give a closed tableau of {T φ ∨ ψ, T ¬ φ, T ¬ψ}:

1. Tφ ∨ ψ Assumption
2. T¬ φ Assumption
3. T ¬ψ Assumption
4. Fφ ¬T 2
5. Fψ ¬T 3

6. Tφ Tψ ∨T 1
⊗ ⊗

2. Both {F φ ∨ ψ, T φ} and {F φ ∨ ψ, Tψ} have closed tableaux:

1. Fφ ∨ ψ Assumption
2. Tφ Assumption
3. Fφ ∨F 1
4. Fψ ∨F 1
⊗

168 Release : d3a1905 (2022-12-19)

11.8. SOUNDNESS

1. Fφ ∨ ψ Assumption
2. Tψ Assumption
3. Fφ ∨F 1
4. Fψ ∨F 1
⊗

Proposition 11.21. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. {F ψ, T φ → ψ, T φ} has a closed tableau:

1. Fψ Assumption
2. Tφ → ψ Assumption
3. Tφ Assumption

4. Fφ Tψ →T 2
⊗ ⊗

2. Both {F φ → ψ, T ¬ φ} and {F φ → ψ, Tψ} have closed tableaux:

1. Fφ → ψ Assumption
2. T¬ φ Assumption
3. Tφ →F 1
4. Fψ →F 1
5. Fφ ¬T 2
⊗

1. Fφ → ψ Assumption
2. Tψ Assumption
3. Tφ →F 1
4. Fψ →F 1
⊗

11.8 Soundness
A derivation system, such as tableaux, is sound if it cannot derive things that
do not actually hold. Soundness is thus a kind of guaranteed safety property
for derivation systems. Depending on which proof theoretic property is in
question, we would like to know for instance, that

Release : d3a1905 (2022-12-19) 169

 CHAPTER 11. TABLEAUX

1. every derivable φ is a tautology;

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not
hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.
Because all these proof-theoretic properties are defined via closed tableaux
of some kind or other, proving (1)–(3) above requires proving something about
the semantic properties of closed tableaux. We will first define what it means
for a signed formula to be satisfied in a structure, and then show that if a
tableau is closed, no structure satisfies all its assumptions. (1)–(3) then follow
as corollaries from this result.
Definition 11.22. A valuation v satisfies a signed formula T φ iff v ⊨ φ, and it
satisfies F φ iff v ⊭ φ. v satisfies a set of signed formulas Γ iff it satisfies every
S φ ∈ Γ. Γ is satisfiable if there is a valuation that satisfies it, and unsatisfiable
otherwise.

Theorem 11.23 (Soundness). If Γ has a closed tableau, Γ is unsatisfiable.

Proof. Let’s call a branch of a tableau satisfiable iff the set of signed formulas
on it is satisfiable, and let’s call a tableau satisfiable if it contains at least one
satisfiable branch.
We show the following: Extending a satisfiable tableau by one of the rules
of inference always results in a satisfiable tableau. This will prove the theo-
rem: any closed tableau results by applying rules of inference to the tableau
consisting only of assumptions from Γ. So if Γ were satisfiable, any tableau
for it would be satisfiable. A closed tableau, however, is clearly not satisfiable:
every branch contains both T φ and F φ, and no structure can both satisfy and
not satisfy φ.
Suppose we have a satisfiable tableau, i.e., a tableau with at least one sat-
isfiable branch. Applying a rule of inference either adds signed formulas to a
branch, or splits a branch in two. If the tableau has a satisfiable branch which
is not extended by the rule application in question, it remains a satisfiable
branch in the extended tableau, so the extended tableau is satisfiable. So we
only have to consider the case where a rule is applied to a satisfiable branch.
Let Γ be the set of signed formulas on that branch, and let S φ ∈ Γ be the
signed formula to which the rule is applied. If the rule does not result in a split
branch, we have to show that the extended branch, i.e., Γ together with the
conclusions of the rule, is still satisfiable. If the rule results in a split branch,
we have to show that at least one of the two resulting branches is satisfiable.

170 Release : d3a1905 (2022-12-19)

11.8. SOUNDNESS

First, we consider the possible inferences that do not result in a split branch.
1. The branch is expanded by applying ¬T to T ¬ψ ∈ Γ. Then the ex-
tended branch contains the signed formulas Γ ∪ {F ψ}. Suppose v ⊨ Γ.
In particular, v ⊨ ¬ψ. Thus, v ⊭ ψ, i.e., v satisfies F ψ.
2. The branch is expanded by applying ¬F to F ¬ψ ∈ Γ: Exercise.
3. The branch is expanded by applying ∧T to Tψ ∧ χ ∈ Γ, which results
in two new signed formulas on the branch: Tψ and Tχ. Suppose v ⊨ Γ,
in particular v ⊨ ψ ∧ χ. Then v ⊨ ψ and v ⊨ χ. This means that v satisfies
both Tψ and Tχ.
4. The branch is expanded by applying ∨F to F ψ ∨ χ ∈ Γ: Exercise.
5. The branch is expanded by applying →F to F ψ → χ ∈ Γ: This results in
two new signed formulas on the branch: Tψ and F χ. Suppose v ⊨ Γ, in
particular v ⊭ ψ → χ. Then v ⊨ ψ and v ⊭ χ. This means that v satisfies
both Tψ and F χ.
Now let’s consider the possible inferences that result in a split branch.
1. The branch is expanded by applying ∧F to F ψ ∧ χ ∈ Γ, which results in
two branches, a left one continuing through F ψ and a right one through
F χ. Suppose v ⊨ Γ, in particular v ⊭ ψ ∧ χ. Then v ⊭ ψ or v ⊭ χ. In
the former case, v satisfies F ψ, i.e., v satisfies the formulas on the left
branch. In the latter, v satisfies F χ, i.e., v satisfies the formulas on the
right branch.
2. The branch is expanded by applying ∨T to Tψ ∨ χ ∈ Γ: Exercise.
3. The branch is expanded by applying →T to Tψ → χ ∈ Γ: Exercise.
4. The branch is expanded by Cut: This results in two branches, one con-
taining Tψ, the other containing F ψ. Since v ⊨ Γ and either v ⊨ ψ or
v ⊭ ψ, v satisfies either the left or the right branch.

Corollary 11.24. If ⊢ φ then φ is a tautology.

Corollary 11.25. If Γ ⊢ φ then Γ ⊨ φ.
Proof. If Γ ⊢ φ then for some ψ1 , . . . , ψn ∈ Γ, {F φ, Tψ1 , . . . , Tψn } has a closed
tableau. By Theorem 11.23, every valuation v either makes some ψi false or
makes φ true. Hence, if v ⊨ Γ then also v ⊨ φ.
Corollary 11.26. If Γ is satisfiable, then it is consistent.
Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then
there are ψ1 , . . . , ψn ∈ Γ and a closed tableau for {Tψ1 , . . . , Tψn }. By Theo-
rem 11.23, there is no v such that v ⊨ ψi for all i = 1, . . . , n. But then Γ is not
satisfiable.

Release : d3a1905 (2022-12-19) 171

 CHAPTER 11. TABLEAUX

Problems
Problem 11.1. Give closed tableaux of the following:

1. T φ ∧ (ψ ∧ χ), F ( φ ∧ ψ) ∧ χ.

2. T φ ∨ (ψ ∨ χ), F ( φ ∨ ψ) ∨ χ.

3. T φ → (ψ → χ), F ψ → ( φ → χ).

4. T φ, F ¬¬ φ.

Problem 11.2. Give closed tableaux of the following:

1. T ( φ ∨ ψ) → χ, F φ → χ.

2. T ( φ → χ) ∧ (ψ → χ), F ( φ ∨ ψ) → χ.

3. F ¬( φ ∧ ¬ φ).

4. Tψ → φ, F ¬ φ → ¬ψ.

5. F ( φ → ¬ φ) → ¬ φ.

6. F ¬( φ → ψ) → ¬ψ.

7. T φ → χ, F ¬( φ ∧ ¬χ).

8. T φ ∧ ¬χ, F ¬( φ → χ).

9. T φ ∨ ψ, ¬ψ, F φ.

10. T ¬ φ ∨ ¬ψ, F ¬( φ ∧ ψ).

11. F (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. F ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 11.3. Give closed tableaux of the following:

1. T ¬( φ → ψ), F φ.

2. T ¬( φ ∧ ψ), F ¬ φ ∨ ¬ψ.

3. T φ → ψ, F ¬ φ ∨ ψ.

4. F ¬¬ φ → φ.

5. T φ → ψ, T ¬ φ → ψ, F ψ.

6. T ( φ ∧ ψ) → χ, F ( φ → χ) ∨ (ψ → χ).

7. T ( φ → ψ) → φ, F φ.

172 Release : d3a1905 (2022-12-19)

11.8. SOUNDNESS

8. F ( φ → ψ) ∨ (ψ → χ).

Problem 11.4. Prove Proposition 11.13

Problem 11.5. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 11.6. Complete the proof of Theorem 11.23.

Release : d3a1905 (2022-12-19) 173

Chapter 12

Axiomatic Derivations

No effort has been made yet to ensure that the material in this chap-
ter respects various tags indicating which connectives and quantifiers are
primitive or defined: all are assumed to be primitive, except ↔ which is
assumed to be defined. If the FOL tag is true, we produce a version with
quantifiers, otherwise without.

12.1 Rules and Derivations

Axiomatic derivations are perhaps the simplest derivation system for logic.
A derivation is just a sequence of formulas. To count as a derivation, every
formula in the sequence must either be an instance of an axiom, or must fol-
low from one or more formulas that precede it in the sequence by a rule of
inference. A derivation derives its last formula.

Definition 12.1 (Derivability). If Γ is a set of formulas of L then a derivation

from Γ is a finite sequence φ1 , . . . , φn of formulas where for each i ≤ n one of
the following holds:

1. φi ∈ Γ; or

2. φi is an axiom; or

3. φi follows from some φ j (and φk ) with j < i (and k < i) by a rule of

inference.

What counts as a correct derivation depends on which inference rules we

allow (and of course what we take to be axioms). And an inference rule is
an if-then statement that tells us that, under certain conditions, a step Ai in
a derivation is a correct inference step.

174
12.1. RULES AND DERIVATIONS

Definition 12.2 (Rule of inference). A rule of inference gives a sufficient con-

dition for what counts as a correct inference step in a derivation from Γ.

For instance, since any one-element sequence φ with φ ∈ Γ trivially counts

as a derivation, the following might be a very simple rule of inference:

If φ ∈ Γ, then φ is always a correct inference step in any derivation

from Γ.

Similarly, if φ is one of the axioms, then φ by itself is a derivation, and so this

is also a rule of inference:

If φ is an axiom, then φ is a correct inference step.

It gets more interesting if the rule of inference appeals to formulas that appear
before the step considered. The following rule is called modus ponens:

If ψ → φ and ψ occur higher up in the derivation, then φ is a correct

inference step.

If this is the only rule of inference, then our definition of derivation above
amounts to this: φ1 , . . . , φn is a derivation iff for each i ≤ n one of the follow-
ing holds:

1. φi ∈ Γ; or

2. φi is an axiom; or

3. for some j < i, φ j is ψ → φi , and for some k < i, φk is ψ.

The last clause says that φi follows from φ j (ψ) and φk (ψ → φi ) by modus
ponens. If we can go from 1 to n, and each time we find a formula φi that is
either in Γ, an axiom, or which a rule of inference tells us that it is a correct
inference step, then the entire sequence counts as a correct derivation.

Definition 12.3 (Derivability). A formula φ is derivable from Γ, written Γ ⊢ φ,

if there is a derivation from Γ ending in φ.

Definition 12.4 (Theorems). A formula φ is a theorem if there is a derivation

of φ from the empty set. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Release : d3a1905 (2022-12-19) 175

 CHAPTER 12. AXIOMATIC DERIVATIONS

12.2 Axiom and Rules for the Propositional Connectives

Definition 12.5 (Axioms). The set of Ax0 of axioms for the propositional con-
nectives comprises all formulas of the following forms:

( φ ∧ ψ) → φ (12.1)
( φ ∧ ψ) → ψ (12.2)
φ → (ψ → ( φ ∧ ψ)) (12.3)
φ → ( φ ∨ ψ) (12.4)
φ → (ψ ∨ φ) (12.5)
( φ → χ) → ((ψ → χ) → (( φ ∨ ψ) → χ)) (12.6)
φ → (ψ → φ) (12.7)
( φ → (ψ → χ)) → (( φ → ψ) → ( φ → χ)) (12.8)
( φ → ψ) → (( φ → ¬ψ) → ¬ φ) (12.9)
¬ φ → ( φ → ψ) (12.10)
⊤ (12.11)
⊥→φ (12.12)
( φ → ⊥) → ¬ φ (12.13)
¬¬ φ → φ (12.14)

Definition 12.6 (Modus ponens). If ψ and ψ → φ already occur in a deriva-

tion, then φ is a correct inference step.

We’ll abbreviate the rule modus ponens as “MP.”

12.3 Examples of Derivations

Example 12.7. Suppose we want to prove (¬θ ∨ α) → (θ → α). Clearly, this is

not an instance of any of our axioms, so we have to use the MP rule to derive
it. Our only rule is MP, which given φ and φ → ψ allows us to justify ψ. One
strategy would be to use eq. (12.6) with φ being ¬θ, ψ being α, and χ being
θ → α, i.e., the instance

(¬θ → (θ → α)) → ((α → (θ → α)) → ((¬θ ∨ α) → (θ → α))).

Why? Two applications of MP yield the last part, which is what we want. And
we easily see that ¬θ → (θ → α) is an instance of eq. (12.10), and α → (θ → α)
is an instance of eq. (12.7). So our derivation is:

176 Release : d3a1905 (2022-12-19)

12.3. EXAMPLES OF DERIVATIONS

1. ¬θ → (θ → α) eq. (12.10)
2. (¬θ → (θ → α)) →
((α → (θ → α)) → ((¬θ ∨ α) → (θ → α))) eq. (12.6)
3. ((α → (θ → α)) → ((¬θ ∨ α) → (θ → α)) 1, 2, MP
4. α → (θ → α) eq. (12.7)
5. (¬θ ∨ α) → (θ → α) 3, 4, MP

Example 12.8. Let’s try to find a derivation of θ → θ. It is not an instance of

an axiom, so we have to use MP to derive it. eq. (12.7) is an axiom of the
form φ → ψ to which we could apply MP. To be useful, of course, the ψ which
MP would justify as a correct step in this case would have to be θ → θ, since
this is what we want to derive. That means φ would also have to be θ, i.e., we
might look at this instance of eq. (12.7):

θ → (θ → θ )

In order to apply MP, we would also need to justify the corresponding second
premise, namely φ. But in our case, that would be θ, and we won’t be able to
derive θ by itself. So we need a different strategy.
The other axiom involving just → is eq. (12.8), i.e.,

( φ → (ψ → χ)) → (( φ → ψ) → ( φ → χ))

We could get to the last nested conditional by applying MP twice. Again, that
would mean that we want an instance of eq. (12.8) where φ → χ is θ → θ, the
formula we are aiming for. Then of course, φ and χ are both θ. How should
we pick ψ so that both φ → (ψ → χ) and φ → ψ, i.e., in our case θ → (ψ → θ )
and θ → ψ, are also derivable? Well, the first of these is already an instance of
eq. (12.7), whatever we decide ψ to be. And θ → ψ would be another instance
of eq. (12.7) if ψ were (θ → θ ). So, our derivation is:

1. θ → ((θ → θ ) → θ ) eq. (12.7)

2. (θ → ((θ → θ ) → θ )) →
((θ → (θ → θ )) → (θ → θ )) eq. (12.8)
3. (θ → (θ → θ )) → (θ → θ ) 1, 2, MP
4. θ → (θ → θ ) eq. (12.7)
5. θ→θ 3, 4, MP

Example 12.9. Sometimes we want to show that there is a derivation of some

formula from some other formulas Γ. For instance, let’s show that we can
derive φ → χ from Γ = { φ → ψ, ψ → χ}.

Release : d3a1905 (2022-12-19) 177

 CHAPTER 12. AXIOMATIC DERIVATIONS

1. φ→ψ H YP
2. ψ→χ H YP
3. (ψ → χ) → ( φ → (ψ → χ)) eq. (12.7)
4. φ → (ψ → χ) 2, 3, MP
5. ( φ → (ψ → χ)) →
(( φ → ψ) → ( φ → χ)) eq. (12.8)
6. (( φ → ψ) → ( φ → χ)) 4, 5, MP
7. φ→χ 1, 6, MP

The lines labelled “H YP” (for “hypothesis”) indicate that the formula on that
line is an element of Γ.

Proposition 12.10. If Γ ⊢ φ → ψ and Γ ⊢ ψ → χ, then Γ ⊢ φ → χ

Proof. Suppose Γ ⊢ φ → ψ and Γ ⊢ ψ → χ. Then there is a derivation of φ → ψ

from Γ; and a derivation of ψ → χ from Γ as well. Combine these into a single
derivation by concatenating them. Now add lines 3–7 of the derivation in the
preceding example. This is a derivation of φ → χ—which is the last line of the
new derivation—from Γ. Note that the justifications of lines 4 and 7 remain
valid if the reference to line number 2 is replaced by reference to the last line
of the derivation of φ → ψ, and reference to line number 1 by reference to the
last line of the derivation of B → χ.

12.4 Proof-Theoretic Notions

Just as we’ve defined a number of important semantic notions (tautology, en-
tailment, satisfiabilty), we now define corresponding proof-theoretic notions.
These are not defined by appeal to satisfaction of sentences in structures, but
by appeal to the derivability or non-derivability of certain formulas. It was an
important discovery that these notions coincide. That they do is the content
of the soundness and completeness theorems.

Definition 12.11 (Derivability). A formula φ is derivable from Γ, written Γ ⊢

φ, if there is a derivation from Γ ending in φ.

Definition 12.12 (Theorems). A formula φ is a theorem if there is a derivation

of φ from the empty set. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 12.13 (Consistency). A set Γ of formulas is consistent if and only if

Γ ⊬ ⊥; it is inconsistent otherwise.

Proposition 12.14 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. The formula φ by itself is a derivation of φ from Γ.

Proposition 12.15 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

178 Release : d3a1905 (2022-12-19)

12.5. THE DEDUCTION THEOREM

Proof. Any derivation of φ from Γ is also a derivation of φ from ∆.

Proposition 12.16 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. Suppose { φ} ∪ ∆ ⊢ ψ. Then there is a derivation ψ1 , . . . , ψl = ψ

from { φ} ∪ ∆. Some of the steps in that derivation will be correct because
of a rule which refers to a prior line ψi = φ. By hypothesis, there is a deriva-
tion of φ from Γ, i.e., a derivation φ1 , . . . , φk = φ where every φi is an axiom,
an element of Γ, or correct by a rule of inference. Now consider the sequence

φ1 , . . . , φk = φ, ψ1 , . . . , ψl = ψ.

This is a correct derivation of ψ from Γ ∪ ∆ since every Bi = φ is now justified

by the same rule which justifies φk = φ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 12.17. Γ is inconsistent iff Γ ⊢ φ for every φ.

Proof. Exercise.

Proposition 12.18 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite sequence of formulas φ1 , . . . , φn so

that φ ≡ φn and each φi is either a logical axiom, an element of Γ or
follows from previous formulas by modus ponens. Take Γ0 to be those
φi which are in Γ. Then the derivation is likewise a derivation from Γ0 ,
and so Γ0 ⊢ φ.

2. This is the contrapositive of (1) for the special case φ ≡ ⊥.

12.5 The Deduction Theorem

As we’ve seen, giving derivations in an axiomatic system is cumbersome, and
derivations may be hard to find. Rather than actually write out long lists of
formulas, it is generally easier to argue that such derivations exist, by mak-
ing use of a few simple results. We’ve already established three such results:
Proposition 12.14 says we can always assert that Γ ⊢ φ when we know that
φ ∈ Γ. Proposition 12.15 says that if Γ ⊢ φ then also Γ ∪ {ψ} ⊢ φ. And
Proposition 12.16 implies that if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. Here’s another
simple result, a “meta”-version of modus ponens:

Release : d3a1905 (2022-12-19) 179

 CHAPTER 12. AXIOMATIC DERIVATIONS

Proposition 12.19. If Γ ⊢ φ and Γ ⊢ φ → ψ, then Γ ⊢ ψ.

Proof. We have that { φ, φ → ψ} ⊢ ψ:

1. φ Hyp.
2. φ→ψ Hyp.
3. ψ 1, 2, MP

By Proposition 12.16, Γ ⊢ ψ.

The most important result we’ll use in this context is the deduction theo-
rem:

Theorem 12.20 (Deduction Theorem). Γ ∪ { φ} ⊢ ψ if and only if Γ ⊢ φ → ψ.

Proof. The “if” direction is immediate. If Γ ⊢ φ → ψ then also Γ ∪ { φ} ⊢

φ → ψ by Proposition 12.15. Also, Γ ∪ { φ} ⊢ φ by Proposition 12.14. So, by
Proposition 12.19, Γ ∪ { φ} ⊢ ψ.
For the “only if” direction, we proceed by induction on the length of the
derivation of ψ from Γ ∪ { φ}.
For the induction basis, we prove the claim for every derivation of length 1.
A derivation of ψ from Γ ∪ { φ} of length 1 consists of ψ by itself; and if it is
correct ψ is either ∈ Γ ∪ { φ} or is an axiom. If ψ ∈ Γ or is an axiom, then
Γ ⊢ ψ. We also have that Γ ⊢ ψ → ( φ → ψ) by eq. (12.7), and Proposition 12.19
gives Γ ⊢ φ → ψ. If ψ ∈ { φ} then Γ ⊢ φ → ψ because then last sentence φ → ψ
is the same as φ → φ, and we have derived that in Example 12.8.
For the inductive step, suppose a derivation of ψ from Γ ∪ { φ} ends with
a step ψ which is justified by modus ponens. (If it is not justified by modus
ponens, ψ ∈ Γ, ψ ≡ φ, or ψ is an axiom, and the same reasoning as in the
induction basis applies.) Then some previous steps in the derivation are χ → ψ
and χ, for some formula χ, i.e., Γ ∪ { φ} ⊢ χ → ψ and Γ ∪ { φ} ⊢ χ, and the
respective derivations are shorter, so the inductive hypothesis applies to them.
We thus have both:

Γ ⊢ φ → ( χ → ψ );
Γ ⊢ φ → χ.

But also
Γ ⊢ ( φ → (χ → ψ)) → (( φ → χ) → ( φ → ψ)),
by eq. (12.8), and two applications of Proposition 12.19 give Γ ⊢ φ → ψ, as
required.

Notice how eq. (12.7) and eq. (12.8) were chosen precisely so that the De-
duction Theorem would hold.
The following are some useful facts about derivability, which we leave as
exercises.

180 Release : d3a1905 (2022-12-19)

12.6. DERIVABILITY AND CONSISTENCY

Proposition 12.21. 1. ⊢ ( φ → ψ) → ((ψ → χ) → ( φ → χ);

2. If Γ ∪ {¬ φ} ⊢ ¬ψ then Γ ∪ {ψ} ⊢ φ (Contraposition);

3. { φ, ¬ φ} ⊢ ψ (Ex Falso Quodlibet, Explosion);

4. {¬¬ φ} ⊢ φ (Double Negation Elimination);

5. If Γ ⊢ ¬¬ φ then Γ ⊢ φ;

12.6 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 12.22. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. If Γ ∪ { φ} is inconsistent, then Γ ∪ { φ} ⊢ ⊥. By Proposition 12.14,

Γ ⊢ ψ for every ψ ∈ Γ. Since also Γ ⊢ φ by hypothesis, Γ ⊢ ψ for every
ψ ∈ Γ ∪ { φ}. By Proposition 12.16, Γ ⊢ ⊥, i.e., Γ is inconsistent.

Proposition 12.23. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ. Then Γ ∪ {¬ φ} ⊢ φ by Proposition 12.15. Γ ∪

{¬ φ} ⊢ ¬ φ by Proposition 12.14. We also have ⊢ ¬ φ → ( φ → ⊥) by eq. (12.10).
So by two applications of Proposition 12.19, we have Γ ∪ {¬ φ} ⊢ ⊥.
Now assume Γ ∪ {¬ φ} is inconsistent, i.e., Γ ∪ {¬ φ} ⊢ ⊥. By the deduc-
tion theorem, Γ ⊢ ¬ φ → ⊥. Γ ⊢ (¬ φ → ⊥) → ¬¬ φ by eq. (12.13), so Γ ⊢ ¬¬ φ
by Proposition 12.19. Since Γ ⊢ ¬¬ φ → φ (eq. (12.14)), we have Γ ⊢ φ by
Proposition 12.19 again.

Proposition 12.24. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Γ ⊢ ¬ φ → ( φ → ⊥) by eq. (12.10). Γ ⊢ ⊥ by two applications of Propo-

sition 12.19.

Proposition 12.25. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. Exercise.

Release : d3a1905 (2022-12-19) 181

 CHAPTER 12. AXIOMATIC DERIVATIONS

12.7 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of axiomatic deduction is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 12.26. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. From eq. (12.1) and eq. (12.1) by modus ponens.

2. From eq. (12.3) by two applications of modus ponens.

Proposition 12.27. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. From eq. (12.9) we get ⊢ ¬ φ → ( φ → ⊥) and ⊢ ¬ψ → (ψ → ⊥).

So by the deduction theorem, we have {¬ φ} ⊢ φ → ⊥ and {¬ψ} ⊢ ψ →
⊥. From eq. (12.6) we get {¬ φ, ¬ψ} ⊢ ( φ ∨ ψ) → ⊥. By the deduction
theorem, { φ ∨ ψ, ¬ φ, ¬ψ} ⊢ ⊥.

2. From eq. (12.4) and eq. (12.5) by modus ponsens.

Proposition 12.28. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. We can derive:

1. φ H YP
2. φ→ψ H YP
3. ψ 1, 2, MP

2. By eq. (12.10) and eq. (12.7) and the deduction theorem, respectively.

182 Release : d3a1905 (2022-12-19)

12.8. SOUNDNESS

12.8 Soundness
A derivation system, such as axiomatic deduction, is sound if it cannot de-
rive things that do not actually hold. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable φ is valid;

2. if φ is derivable from some others Γ, it is also a consequence of them;

3. if a set of formulas Γ is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.

Proposition 12.29. If φ is an axiom, then v ⊨ φ for each valuation v.

Proof. Do truth tables for each axiom to verify that they are tautologies.

Theorem 12.30 (Soundness). If Γ ⊢ φ then Γ ⊨ φ.

Proof. By induction on the length of the derivation of φ from Γ. If there are

no steps justified by inferences, then all formulas in the derivation are either
instances of axioms or are in Γ. By the previous proposition, all the axioms
are tautologies, and hence if φ is an axiom then Γ ⊨ φ. If φ ∈ Γ, then trivially
Γ ⊨ φ.
If the last step of the derivation of φ is justified by modus ponens, then
there are formulas ψ and ψ → φ in the derivation, and the induction hypoth-
esis applies to the part of the derivation ending in those formulas (since they
contain at least one fewer steps justified by an inference). So, by induction
hypothesis, Γ ⊨ ψ and Γ ⊨ ψ → φ. Then Γ ⊨ φ by Theorem 7.22.

Corollary 12.31. If ⊢ φ, then φ is a tautology.

Corollary 12.32. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then Γ ⊢

⊥, i.e., there is a derivation of ⊥ from Γ. By Theorem 12.30, any valuation v
that satisfies Γ must satisfy ⊥. Since v ⊭ ⊥ for every valuation v, no v can
satisfy Γ, i.e., Γ is not satisfiable.

Release : d3a1905 (2022-12-19) 183

 CHAPTER 12. AXIOMATIC DERIVATIONS

Problems
Problem 12.1. Show that the following hold by exhibiting derivations from
the axioms:

1. ( φ ∧ ψ) → (ψ ∧ φ)

2. (( φ ∧ ψ) → χ) → ( φ → (ψ → χ))

3. ¬( φ ∨ ψ) → ¬ φ

Problem 12.2. Prove Proposition 12.17.

Problem 12.3. Prove Proposition 12.21

Problem 12.4. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 12.5. Prove Proposition 12.25

184 Release : d3a1905 (2022-12-19)

Chapter 13

The Completeness Theorem

13.1 Introduction
The completeness theorem is one of the most fundamental results about logic.
It comes in two formulations, the equivalence of which we’ll prove. In its first
formulation it says something fundamental about the relationship between
semantic consequence and our derivation system: if a sentence φ follows from
some sentences Γ, then there is also a derivation that establishes Γ ⊢ φ. Thus,
the derivation system is as strong as it can possibly be without proving things
that don’t actually follow.
In its second formulation, it can be stated as a model existence result: ev-
ery consistent set of sentences is satisfiable. Consistency is a proof-theoretic
notion: it says that our derivation system is unable to produce certain deriva-
tions. But who’s to say that just because there are no derivations of a certain
sort from Γ, it’s guaranteed that there is valuation v with v ⊨ Γ? Before the
completeness theorem was first proved—in fact before we had the derivation
systems we now do—the great German mathematician David Hilbert held the
view that consistency of mathematical theories guarantees the existence of the
objects they are about. He put it as follows in a letter to Gottlob Frege:

If the arbitrarily given axioms do not contradict one another with

all their consequences, then they are true and the things defined by
the axioms exist. This is for me the criterion of truth and existence.

Frege vehemently disagreed. The second formulation of the completeness the-

orem shows that Hilbert was right in at least the sense that if the axioms are
consistent, then some valuation exists that makes them all true.
These aren’t the only reasons the completeness theorem—or rather, its
proof—is important. It has a number of important consequences, some of
which we’ll discuss separately. For instance, since any derivation that shows
Γ ⊢ φ is finite and so can only use finitely many of the sentences in Γ, it fol-
lows by the completeness theorem that if φ is a consequence of Γ, it is already

185
 CHAPTER 13. THE COMPLETENESS THEOREM

a consequence of a finite subset of Γ. This is called compactness. Equivalently,

if every finite subset of Γ is consistent, then Γ itself must be consistent.
Although the compactness theorem follows from the completeness theo-
rem via the detour through derivations, it is also possible to use the the proof
of the completeness theorem to establish it directly. For what the proof does is
take a set of sentences with a certain property—consistency—and constructs
a structure out of this set that has certain properties (in this case, that it satisfies
the set). Almost the very same construction can be used to directly establish
compactness, by starting from “finitely satisfiable” sets of sentences instead of
consistent ones.

13.2 Outline of the Proof

The proof of the completeness theorem is a bit complex, and upon first reading
it, it is easy to get lost. So let us outline the proof. The first step is a shift of
perspective, that allows us to see a route to a proof. When completeness is
thought of as “whenever Γ ⊨ φ then Γ ⊢ φ,” it may be hard to even come
up with an idea: for to show that Γ ⊢ φ we have to find a derivation, and
it does not look like the hypothesis that Γ ⊨ φ helps us for this in any way.
For some proof systems it is possible to directly construct a derivation, but we
will take a slightly different approach. The shift in perspective required is this:
completeness can also be formulated as: “if Γ is consistent, it is satisfiable.”
Perhaps we can use the information in Γ together with the hypothesis that it is
consistent to construct a valuation that satisfies every formula in Γ. After all,
we know what kind of valuation we are looking for: one that is as Γ describes
it!
If Γ contains only propositional variables, it is easy to construct a model
for it. All we have to do is come up with a valuation v such that v ⊨ p for all
p ∈ Γ. Well, let v( p) = T iff p ∈ Γ.
Now suppose Γ contains some formula ¬ψ, with ψ atomic. We might
worry that the construction of v interferes with the possibility of making ¬ψ
true. But here’s where the consistency of Γ comes in: if ¬ψ ∈ Γ, then ψ ∈ / Γ, or
else Γ would be inconsistent. And if ψ ∈ / Γ, then according to our construction
of v, v ⊭ ψ, so v ⊨ ¬ψ. So far so good.
What if Γ contains complex, non-atomic formulas? Say it contains φ ∧ ψ.
To make that true, we should proceed as if both φ and ψ were in Γ. And if
φ ∨ ψ ∈ Γ, then we will have to make at least one of them true, i.e., proceed
as if one of them was in Γ.
This suggests the following idea: we add additional formulas to Γ so as to
(a) keep the resulting set consistent and (b) make sure that for every possible
atomic sentence φ, either φ is in the resulting set, or ¬ φ is, and (c) such that,
whenever φ ∧ ψ is in the set, so are both φ and ψ, if φ ∨ ψ is in the set, at least
one of φ or ψ is also, etc. We keep doing this (potentially forever). Call the

186 Release : d3a1905 (2022-12-19)

13.3. COMPLETE CONSISTENT SETS OF SENTENCES

set of all formulas so added Γ ∗ . Then our construction above would provide
us with a valuation v for which we could prove, by induction, that it satisfies
all sentences in Γ ∗ , and hence also all sentence in Γ since Γ ⊆ Γ ∗ . It turns
out that guaranteeing (a) and (b) is enough. A set of sentences for which (b)
holds is called complete. So our task will be to extend the consistent set Γ to a
consistent and complete set Γ ∗ .
So here’s what we’ll do. First we investigate the properties of complete
consistent sets, in particular we prove that a complete consistent set contains
φ ∧ ψ iff it contains both φ and ψ, φ ∨ ψ iff it contains at least one of them,
etc. (Proposition 13.2). We’ll then take the consistent set Γ and show that it
can be extended to a consistent and complete set Γ ∗ (Lemma 13.3). This set Γ ∗
is what we’ll use to define our valuation v( Γ ∗ ). The valuation is determined
by the propositional variables in Γ ∗ (Definition 13.4). We’ll use the proper-
ties of complete consistent sets to show that indeed v( Γ ∗ ) ⊨ φ iff φ ∈ Γ ∗
(Lemma 13.5), and thus in particular, v( Γ ∗ ) ⊨ Γ.

13.3 Complete Consistent Sets of Sentences

Definition 13.1 (Complete set). A set Γ of sentences is complete iff for any sen-
tence φ, either φ ∈ Γ or ¬ φ ∈ Γ.

Complete sets of sentences leave no questions unanswered. For any sen-

tence φ, Γ “says” if φ is true or false. The importance of complete sets extends
beyond the proof of the completeness theorem. A theory which is complete
and axiomatizable, for instance, is always decidable.
Complete consistent sets are important in the completeness proof since we
can guarantee that every consistent set of sentences Γ is contained in a com-
plete consistent set Γ ∗ . A complete consistent set contains, for each sentence φ,
either φ or its negation ¬ φ, but not both. This is true in particular for propo-
sitional variables, so from a complete consistent set, we can construct a val-
uation where the truth value assigned to propositional variables is defined
according to which propositional variables are in Γ ∗ . This valuation can then
be shown to make all sentences in Γ ∗ (and hence also all those in Γ) true. The
proof of this latter fact requires that ¬ φ ∈ Γ ∗ iff φ ∈ / Γ ∗ , ( φ ∨ ψ) ∈ Γ ∗ iff
∗ ∗
φ ∈ Γ or ψ ∈ Γ , etc.
In what follows, we will often tacitly use the properties of reflexivity, mono-
tonicity, and transitivity of ⊢ (see sections 9.6, 10.5, 11.5 and 12.4).

Proposition 13.2. Suppose Γ is complete and consistent. Then:

1. If Γ ⊢ φ, then φ ∈ Γ.

2. φ ∧ ψ ∈ Γ iff both φ ∈ Γ and ψ ∈ Γ.

3. φ ∨ ψ ∈ Γ iff either φ ∈ Γ or ψ ∈ Γ.

Release : d3a1905 (2022-12-19) 187

 CHAPTER 13. THE COMPLETENESS THEOREM

4. φ → ψ ∈ Γ iff either φ ∈
/ Γ or ψ ∈ Γ.

Proof. Let us suppose for all of the following that Γ is complete and consistent.

1. If Γ ⊢ φ, then φ ∈ Γ.
Suppose that Γ ⊢ φ. Suppose to the contrary that φ ∈ / Γ. Since Γ is
complete, ¬ φ ∈ Γ. By Propositions 10.17, 11.17, 9.19 and 12.24, Γ is in-
consistent. This contradicts the assumption that Γ is consistent. Hence,
it cannot be the case that φ ∈
/ Γ, so φ ∈ Γ.

2. Exercise.

3. First we show that if φ ∨ ψ ∈ Γ, then either φ ∈ Γ or ψ ∈ Γ. Suppose

φ ∨ ψ ∈ Γ but φ ∈/ Γ and ψ ∈ / Γ. Since Γ is complete, ¬ φ ∈ Γ and ¬ψ ∈
Γ. By Propositions 10.20, 11.20, 9.22 and 12.27, item (1), Γ is inconsistent,
a contradiction. Hence, either φ ∈ Γ or ψ ∈ Γ.
For the reverse direction, suppose that φ ∈ Γ or ψ ∈ Γ. By Proposi-
tions 10.20, 11.20, 9.22 and 12.27, item (2), Γ ⊢ φ ∨ ψ. By (1), φ ∨ ψ ∈ Γ,
as required.

4. Exercise.

13.4 Lindenbaum’s Lemma

We now prove a lemma that shows that any consistent set of sentences is con-
tained in some set of sentences which is not just consistent, but also complete.
The proof works by adding one sentence at a time, guaranteeing at each step
that the set remains consistent. We do this so that for every φ, either φ or ¬ φ
gets added at some stage. The union of all stages in that construction then
contains either φ or its negation ¬ φ and is thus complete. It is also consistent,
since we made sure at each stage not to introduce an inconsistency.

Lemma 13.3 (Lindenbaum’s Lemma). Every consistent set Γ in a language L

can be extended to a complete and consistent set Γ ∗ .

Proof. Let Γ be consistent. Let φ0 , φ1 , . . . be an enumeration of all the sen-

tences of L. Define Γ0 = Γ, and
(
Γn ∪ { φn } if Γn ∪ { φn } is consistent;
Γn+1 =
Γn ∪ {¬ φn } otherwise.

Let Γ ∗ = n≥0 Γn .
S

Each Γn is consistent: Γ0 is consistent by definition. If Γn+1 = Γn ∪ { φn },

this is because the latter is consistent. If it isn’t, Γn+1 = Γn ∪ {¬ φn }. We have

188 Release : d3a1905 (2022-12-19)

13.5. CONSTRUCTION OF A MODEL

to verify that Γn ∪ {¬ φn } is consistent. Suppose it’s not. Then both Γn ∪ { φn }

and Γn ∪ {¬ φn } are inconsistent. This means that Γn would be inconsistent by
Propositions 10.18, 11.18, 9.20 and 12.25, contrary to the induction hypothesis.
For every n and every i < n, Γi ⊆ Γn . This follows by a simple induction
on n. For n = 0, there are no i < 0, so the claim holds automatically. For
the inductive step, suppose it is true for n. We have Γn+1 = Γn ∪ { φn } or
= Γn ∪ {¬ φn } by construction. So Γn ⊆ Γn+1 . If i < n, then Γi ⊆ Γn by
inductive hypothesis, and so ⊆ Γn+1 by transitivity of ⊆.
From this it follows that every finite subset of Γ ∗ is a subset of Γn for
some n, since each ψ ∈ Γ ∗ not already in Γ0 is added at some stage i. If n
is the last one of these, then all ψ in the finite subset are in Γn . So, every finite
subset of Γ ∗ is consistent. By Propositions 10.14, 11.14, 9.16 and 12.18, Γ ∗ is
consistent.
Every sentence of Frm(L) appears on the list used to define Γ ∗ . If φn ∈ / Γ∗ ,
then that is because Γn ∪ { φn } was inconsistent. But then ¬ φn ∈ Γ , so Γ ∗ is
∗

complete.

13.5 Construction of a Model

We are now ready to define a valuation that makes all φ ∈ Γ true. To do this,
we first apply Lindenbaum’s Lemma: we get a complete consistent Γ ∗ ⊇ Γ.
We let the propositional variables in Γ ∗ determine v( Γ ∗ ).
Definition 13.4. Suppose Γ ∗ is a complete consistent set of formulas. Then
we let (
∗ T if p ∈ Γ ∗
v( Γ )( p) =
/ Γ∗
F if p ∈

Lemma 13.5 (Truth Lemma). v( Γ ∗ ) ⊨ φ iff φ ∈ Γ ∗ .

Proof. We prove both directions simultaneously, and by induction on φ.

1. φ ≡ ⊥: v( Γ ∗ ) ⊭ ⊥ by definition of satisfaction. On the other hand,
⊥∈/ Γ ∗ since Γ ∗ is consistent.
2. φ ≡ p: v( Γ ∗ ) ⊨ p iff v( Γ ∗ )( p) = T (by the definition of satisfaction) iff
p ∈ Γ ∗ (by the construction of v( Γ ∗ )).
3. φ ≡ ¬ψ: v( Γ ∗ ) ⊨ φ iff v( Γ ∗ ) ⊭ ψ (by definition of satisfaction). By
induction hypothesis, v( Γ ∗ ) ⊭ ψ iff ψ ∈
/ Γ ∗ . Since Γ ∗ is consistent and
/ Γ ∗ iff ¬ψ ∈ Γ ∗ .
complete, ψ ∈
4. φ ≡ ψ ∧ χ: exercise.
5. φ ≡ ψ ∨ χ: v( Γ ∗ ) ⊨ φ iff v( Γ ∗ ) ⊨ ψ or v( Γ ∗ ) ⊨ χ (by definition of
satisfaction) iff ψ ∈ Γ ∗ or χ ∈ Γ ∗ (by induction hypothesis). This is the
case iff (ψ ∨ χ) ∈ Γ ∗ (by Proposition 13.2(3)).

Release : d3a1905 (2022-12-19) 189

 CHAPTER 13. THE COMPLETENESS THEOREM

6. φ ≡ ψ → χ: exercise.

13.6 The Completeness Theorem

Let’s combine our results: we arrive at the completeness theorem.

Theorem 13.6 (Completeness Theorem). Let Γ be a set of sentences. If Γ is con-

sistent, it is satisfiable.

Proof. Suppose Γ is consistent. By Lemma 13.3, there is a Γ ∗ ⊇ Γ which is

consistent and complete. By Lemma 13.5, v( Γ ∗ ) ⊨ φ iff φ ∈ Γ ∗ . From this it
follows in particular that for all φ ∈ Γ, v( Γ ∗ ) ⊨ φ, so Γ is satisfiable.

Corollary 13.7 (Completeness Theorem, Second Version). For all Γ and sen-
tences φ: if Γ ⊨ φ then Γ ⊢ φ.

Proof. Note that the Γ’s in Corollary 13.7 and Theorem 13.6 are universally
quantified. To make sure we do not confuse ourselves, let us restate Theo-
rem 13.6 using a different variable: for any set of sentences ∆, if ∆ is consistent,
it is satisfiable. By contraposition, if ∆ is not satisfiable, then ∆ is inconsistent.
We will use this to prove the corollary.
Suppose that Γ ⊨ φ. Then Γ ∪ {¬ φ} is unsatisfiable by Proposition 7.21.
Taking Γ ∪ {¬ φ} as our ∆, the previous version of Theorem 13.6 gives us that
Γ ∪ {¬ φ} is inconsistent. By Propositions 10.16, 11.16, 9.18 and 12.23, Γ ⊢ φ.

13.7 The Compactness Theorem

One important consequence of the completeness theorem is the compactness
theorem. The compactness theorem states that if each finite subset of a set
of sentences is satisfiable, the entire set is satisfiable—even if the set itself is
infinite. This is far from obvious. There is nothing that seems to rule out,
at first glance at least, the possibility of there being infinite sets of sentences
which are contradictory, but the contradiction only arises, so to speak, from
the infinite number. The compactness theorem says that such a scenario can
be ruled out: there are no unsatisfiable infinite sets of sentences each finite
subset of which is satisfiable. Like the completeness theorem, it has a version
related to entailment: if an infinite set of sentences entails something, already
a finite subset does.

Definition 13.8. A set Γ of formulas is finitely satisfiable iff every finite Γ0 ⊆ Γ

is satisfiable.

Theorem 13.9 (Compactness Theorem). The following hold for any sentences Γ
and φ:

190 Release : d3a1905 (2022-12-19)

13.8. A DIRECT PROOF OF THE COMPACTNESS THEOREM

1. Γ ⊨ φ iff there is a finite Γ0 ⊆ Γ such that Γ0 ⊨ φ.

2. Γ is satisfiable iff it is finitely satisfiable.

Proof. We prove (2). If Γ is satisfiable, then there is a valuation v such that

v ⊨ φ for all φ ∈ Γ. Of course, this v also satisfies every finite subset of Γ, so Γ
is finitely satisfiable.
Now suppose that Γ is finitely satisfiable. Then every finite subset Γ0 ⊆
Γ is satisfiable. By soundness (Corollaries 10.24, 11.26, 9.28 and 12.32), ev-
ery finite subset is consistent. Then Γ itself must be consistent by Proposi-
tions 10.14, 11.14, 9.16 and 12.18. By completeness (Theorem 13.6), since Γ is
consistent, it is satisfiable.

13.8 A Direct Proof of the Compactness Theorem

We can prove the Compactness Theorem directly, without appealing to the
Completeness Theorem, using the same ideas as in the proof of the complete-
ness theorem. In the proof of the Completeness Theorem we started with a
consistent set Γ of sentences, expanded it to a consistent and complete set Γ ∗
of sentences, and then showed that in the valuation v( Γ ∗ ) constructed from
Γ ∗ , all sentences of Γ are true, so Γ is satisfiable.
We can use the same method to show that a finitely satisfiable set of sen-
tences is satisfiable. We just have to prove the corresponding versions of
the results leading to the truth lemma where we replace “consistent” with
“finitely satisfiable.”
Proposition 13.10. Suppose Γ is complete and finitely satisfiable. Then:
1. ( φ ∧ ψ) ∈ Γ iff both φ ∈ Γ and ψ ∈ Γ.
2. ( φ ∨ ψ) ∈ Γ iff either φ ∈ Γ or ψ ∈ Γ.
3. ( φ → ψ) ∈ Γ iff either φ ∈
/ Γ or ψ ∈ Γ.

Lemma 13.11. Every finitely satisfiable set Γ can be extended to a complete and
finitely satisfiable set Γ ∗ .

Theorem 13.12 (Compactness). Γ is satisfiable if and only if it is finitely satisfi-

able.

Proof. If Γ is satisfiable, then there is a valuation v such that v ⊨ φ for all

φ ∈ Γ. Of course, this v also satisfies every finite subset of Γ, so Γ is finitely
satisfiable.
Now suppose that Γ is finitely satisfiable. By Lemma 13.11, Γ can be
extended to a complete and finitely satisfiable set Γ ∗ . Construct the valua-
tion v( Γ ∗ ) as in Definition 13.4. The proof of the Truth Lemma (Lemma 13.5)
goes through if we replace references to Proposition 13.2.

Release : d3a1905 (2022-12-19) 191

 CHAPTER 13. THE COMPLETENESS THEOREM

Problems
Problem 13.1. Complete the proof of Proposition 13.2.

Problem 13.2. Complete the proof of Lemma 13.5.

Problem 13.3. Use Corollary 13.7 to prove Theorem 13.6, thus showing that
the two formulations of the completeness theorem are equivalent.

Problem 13.4. In order for a derivation system to be complete, its rules must
be strong enough to prove every unsatisfiable set inconsistent. Which of the
rules of derivation were necessary to prove completeness? Are any of these
rules not used anywhere in the proof? In order to answer these questions,
make a list or diagram that shows which of the rules of derivation were used
in which results that lead up to the proof of Theorem 13.6. Be sure to note any
tacit uses of rules in these proofs.

Problem 13.5. Prove (1) of Theorem 13.9.

Problem 13.6. Prove Proposition 13.10. Avoid the use of ⊢.

Problem 13.7. Prove Lemma 13.11. (Hint: the crucial step is to show that if Γn
is finitely satisfiable, then either Γn ∪ { φn } or Γn ∪ {¬ φn } is finitely satisfiable.)

Problem 13.8. Write out the complete proof of the Truth Lemma (Lemma 13.5)
in the version required for the proof of Theorem 13.12.

192 Release : d3a1905 (2022-12-19)

 Part III

First-order Logic

193
 CHAPTER 13. THE COMPLETENESS THEOREM

This part covers the metatheory of first-order logic through complete-

ness. Currently it does not rely on a separate treatment of propositional
logic; everything is proved. The source files will exclude the material on
quantifiers (and replace “structure” with “valuation”, M with v, etc.) if
the “FOL” tag is false. In fact, most of the material in the part on propo-
sitional logic is simply the first-order material with the “FOL” tag turned
off.
If the part on propositional logic is included, this results in a lot of rep-
etition. It is planned, however, to make it possible to let this part take into
account the material on propositional logic (and exclude the material al-
ready covered, as well as shorten proofs with references to the respective
places in the propositional part).

194 Release : d3a1905 (2022-12-19)

Chapter 14

Introduction to First-Order Logic

14.1 First-Order Logic

You are probably familiar with first-order logic from your first introduction
to formal logic.1 You may know it as “quantificational logic” or “predicate
logic.” First-order logic, first of all, is a formal language. That means, it has
a certain vocabulary, and its expressions are strings from this vocabulary. But
not every string is permitted. There are different kinds of permitted expres-
sions: terms, formulas, and sentences. We are mainly interested in sentences
of first-order logic: they provide us with a formal analogue of sentences of
English, and about them we can ask the questions a logician typically is inter-
ested in. For instance:

• Does ψ follow from φ logically?

• Is φ logically true, logically false, or contingent?

• Are φ and ψ equivalent?

These questions are primarily questions about the “meaning” of sentences

of first-order logic. For instance, a philosopher would analyze the question
of whether ψ follows logically from φ as asking: is there a case where φ is
true but ψ is false (ψ doesn’t follow from φ), or does every case that makes φ
true also make ψ true (ψ does follow from φ)? But we haven’t been told yet
what a “case” is—that is the job of semantics. The semantics of first-order logic
provides a mathematically precise model of the philosopher’s intuitive idea
of “case,” and also—and this is important—of what it is for a sentence φ to be
true in a case. We call the mathematically precise model that we will develop
a structure. The relation which makes “true in” precise, is called the relation
of satisfaction. So what we will define is “φ is satisfied in M” (in symbols:
1 In fact, we more or less assume you are! If you’re not, you could review a more elementary

textbook, such as forall x (Magnus et al., 2021).

195
 CHAPTER 14. INTRODUCTION TO FIRST-ORDER LOGIC

M ⊨ φ) for sentences φ and structures M. Once this is done, we can also give
precise definitions of the other semantical terms such as “follows from” or “is
logically true.” These definitions will make it possible to settle, again with
mathematical precision, whether, e.g., ∀ x ( φ( x ) → ψ( x )), ∃ x φ( x ) ⊨ ∃ x ψ( x ).
The answer will, of course, be “yes.” If you’ve already been trained to sym-
bolize sentences of English in first-order logic, you will recognize this as, e.g.,
the symbolizations of, say, “All ants are insects, there are ants, therefore there
are insects.” That is obviously a valid argument, and so our mathematical
model of “follows from” for our formal language should give the same an-
swer.
Another topic you probably remember from your first introduction to for-
mal logic is that there are derivations. If you have taken a first formal logic
course, your instructor will have made you practice finding such derivations,
perhaps even a derivation that shows that the above entailment holds. There
are many different ways to give derivations: you may have done something
called “natural deduction” or “truth trees,” but there are many others. The
purpose of derivation systems is to provide tools using which the logicians’
questions above can be answered: e.g., a natural deduction derivation in which
∀ x ( φ( x ) → ψ( x )) and ∃ x φ( x ) are premises and ∃ x ψ( x ) is the conclusion (last
line) verifies that ∃ x ψ( x ) logically follows from ∀ x ( φ( x ) → ψ( x )) and ∃ x φ( x ).
But why is that? On the face of it, derivation systems have nothing to do
with semantics: giving a formal derivation merely involves arranging sym-
bols in certain rule-governed ways; they don’t mention “cases” or “true in” at
all. The connection between derivation systems and semantics has to be estab-
lished by a meta-logical investigation. What’s needed is a mathematical proof,
e.g., that a formal derivation of ∃ x ψ( x ) from premises ∀ x ( φ( x ) → ψ( x )) and
∃ x φ( x ) is possible, if, and only if, ∀ x ( φ( x ) → ψ( x )) and ∃ x φ( x ) together en-
tail ∃ x ψ( x ). Before this can be done, however, a lot of painstaking work has
to be carried out to get the definitions of syntax and semantics correct.

14.2 Syntax
We first must make precise what strings of symbols count as sentences of first-
order logic. We’ll do this later; for now we’ll just proceed by example. The
basic building blocks—the vocabulary—of first-order logic divides into two
parts. The first part is the symbols we use to say specific things or to pick out
specific things. We pick out things using constant symbols, and we say stuff
about the things we pick out using predicate symbols. E.g, we might use a as
a constant symbol to pick out a single thing, and then say something about
it using the sentence P (a). If you have meanings for “a” and “P ” in mind,
you can read P (a) as a sentence of English (and you probably have done so
when you first learned formal logic). Once you have such simple sentences
of first-order logic, you can build more complex ones using the second part

196 Release : d3a1905 (2022-12-19)

14.3. FORMULAS

of the vocabulary: the logical symbols (connectives and quantifiers). So, for
instance, we can form expressions like (P (a) ∧ Q(b )) or ∃x P (x ).
In order to provide the precise definitions of semantics and the rules of
our derivation systems required for rigorous meta-logical study, we first of
all have to give a precise definition of what counts as a sentence of first-order
logic. The basic idea is easy enough to understand: there are some simple sen-
tences we can form from just predicate symbols and constant symbols, such
as P (a). And then from these we form more complex ones using the connec-
tives and quantifiers. But what exactly are the rules by which we are allowed
to form more complex sentences? These must be specified, otherwise we have
not defined “sentence of first-order logic” precisely enough. There are a few
issues. The first one is to get the right strings to count as sentences. The sec-
ond one is to do this in such a way that we can give mathematical proofs about
all sentences. Finally, we’ll have to also give precise definitions of some rudi-
mentary operations with sentences, such as “replace every x in φ by b.” The
trouble is that the quantifiers and variables we have in first-order logic make
it not entirely obvious how this should be done. E.g., should ∃x P (a) count as
a sentence? What about ∃x ∃x P (x )? What should the result of “replace x by b
in (P (x ) ∧ ∃x P (x ))” be?

14.3 Formulas
Here is the approach we will use to rigorously specify sentences of first-order
logic and to deal with the issues arising from the use of variables. We first
define a different set of expressions: formulas. Once we’ve done that, we can
consider the role variables play in them—and on the basis of some other ideas,
namely those of “free” and “bound” variables, we can define what a sentence
is (namely, a formula without free variables). We do this not just because it
makes the definition of “sentence” more manageable, but also because it will
be crucial to the way we define the semantic notion of satisfaction.
Let’s define “formula” for a simple first-order language, one containing
only a single predicate symbol P and a single constant symbol a, and only the
logical symbols ¬, ∧, and ∃. Our full definitions will be much more general:
we’ll allow infinitely many predicate symbols and constant symbols. In fact,
we will also consider function symbols which can be combined with constant
symbols and variables to form “terms.” For now, a and the variables will be
our only terms. We do need infinitely many variables. We’ll officially use the
symbols v0 , v1 , . . . , as variables.

Definition 14.1. The set of formulas Frm is defined as follows:

1. P (a) and P (vi ) are formulas (i ∈ N).

2. If φ is a formula, then ¬ φ is formula.

Release : d3a1905 (2022-12-19) 197

 CHAPTER 14. INTRODUCTION TO FIRST-ORDER LOGIC

3. If φ and ψ are formulas, then ( φ ∧ ψ) is a formula.

4. If φ is a formula and x is a variable, then ∃ x φ is a formula.

5. Nothing else is a formula.

(1) tells us that P (a) and P (vi ) are formulas, for any i ∈ N. These are the
so-called atomic formulas. They give us something to start from. The other
clauses give us ways of forming new formulas from ones we have already
formed. So for instance, by (2), we get that ¬P (v2 ) is a formula, since P (v2 )
is already a formula by (1). Then, by (4), we get that ∃v2 ¬P (v2 ) is another
formula, and so on. (5) tells us that only strings we can form in this way count
as formulas. In particular, ∃v0 P (a) and ∃v0 ∃v0 P (a) do count as formulas, and
(¬P (a)) does not, because of the extraneous outer parentheses.
This way of defining formulas is called an inductive definition, and it allows
us to prove things about formulas using a version of proof by induction called
structural induction. These are discussed in a general way in section 71.4 and
section 71.5, which you should review before delving into the proofs later on.
Basically, the idea is that if you want to give a proof that something is true for
all formulas, you show first that it is true for the atomic formulas, and then
that if it’s true for any formula φ (and ψ), it’s also true for ¬ φ, ( φ ∧ ψ), and
∃ x φ. For instance, this proves that it’s true for ∃v2 ¬P (v2 ): from the first part
you know that it’s true for the atomic formula P (v2 ). Then you get that it’s
true for ¬P (v2 ) by the second part, and then again that it’s true for ∃v2 ¬P (v2 )
itself. Since all formulas are inductively generated from atomic formulas, this
works for any of them.

14.4 Satisfaction
We can already skip ahead to the semantics of first-order logic once we know
what formulas are: here, the basic definition is that of a structure. For our
simple language, a structure M has just three components: a non-empty set
|M| called the domain, what a picks out in M, and what P is true of in M.
The object picked out by a is denoted aM and the set of things P is true of
by P M . A structure M consists of just these three things: |M|, aM ∈ |M|
and P M ⊆ |M|. The general case will be more complicated, since there will
be many predicate symbols and constant symbols, the constant symbols can
have more than one place, and there will also be function symbols.
This is enough to give a definition of satisfaction for formulas that don’t
contain variables. The idea is to give an inductive definition that mirrors the
way we have defined formulas. We specify when an atomic formula is satis-
fied in M, and then when, e.g., ¬ φ is satisfied in M on the basis of whether or
not φ is satisfied in M. E.g., we could define:

1. P (a) is satisfied in M iff aM ∈ P M .

198 Release : d3a1905 (2022-12-19)

14.4. SATISFACTION

2. ¬ φ is satisfied in M iff φ is not satisfied in M.

3. ( φ ∧ ψ) is satisfied in M iff φ is satisfied in M, and ψ is satisfied in M as

well.

Let’s say that |M| = {0, 1, 2}, aM = 1, and P M = {1, 2}. This definition
would tell us that P (a) is satisfied in M (since aM = 1 ∈ {1, 2} = P M ). It
tells us further that ¬P (a) is not satisfied in M, and that in turn ¬¬P (a) is
and (¬P (a) ∧ P (a)) is not satisfied, and so on.
The trouble comes when we want to give a definition for the quantifiers:
we’d like to say something like, “∃v0 P (v0 ) is satisfied iff P (v0 ) is satisfied.”
But the structure M doesn’t tell us what to do about variables. What we ac-
tually want to say is that P (v0 ) is satisfied for some value of v0 . To make this
precise we need a way to assign elements of |M| not just to a but also to v0 . To
this end, we introduce variable assignments. A variable assignment is simply
a function s that maps variables to elements of |M| (in our example, to one
of 1, 2, or 3). Since we don’t know beforehand which variables might appear
in a formula we can’t limit which variables s assigns values to. The simple
solution is to require that s assigns values to all variables v0 , v1 , . . . We’ll just
use only the ones we need.
Instead of defining satisfaction of formulas just relative to a structure, we’ll
define it relative to a structure M and a variable assignment s, and write M, s ⊨
φ for short. Our definition will now include an additional clause to deal with
atomic formulas containing variables:

1. M, s ⊨ P (a) iff aM ∈ P M .

2. M, s ⊨ P (vi ) iff s(vi ) ∈ P M .

3. M, s ⊨ ¬ φ iff not M, s ⊨ φ.

4. M, s ⊨ ( φ ∧ ψ) iff M, s ⊨ φ and M, s ⊨ ψ.

Ok, this solves one problem: we can now say when M satisfies P (v0 ) for the
value s(v0 ). To get the definition right for ∃v0 P (v0 ) we have to do one more
thing: We want to have that M, s ⊨ ∃v0 P (v0 ) iff M, s′ ⊨ P (v0 ) for some way
s′ of assigning a value to v0 . But the value assigned to v0 does not necessarily
have to be the value that s(v0 ) picks out. We’ll introduce a notation for that:
if m ∈ |M|, then we let s[m/v0 ] be the assignment that is just like s (for all
variables other than v0 ), except to v0 it assigns m. Now our definition can be:

5. M, s ⊨ ∃vi φ iff M, s[m/vi ] ⊨ φ for some m ∈ |M|.

Does it work out? Let’s say we let s(vi ) = 0 for all i ∈ N. M, s ⊨ ∃v0 P (v0 ) iff
there is an m ∈ |M| so that M, s[m/v0 ] ⊨ P (v0 ). And there is: we can choose
m = 1 or m = 2. Note that this is true even if the value s(v0 ) assigned to v0 by

Release : d3a1905 (2022-12-19) 199

 CHAPTER 14. INTRODUCTION TO FIRST-ORDER LOGIC

s itself—in this case, 0—doesn’t do the job. We have M, s[1/v0 ] ⊨ P (v0 ) but
not M, s ⊨ P (v0 ).
If this looks confusing and cumbersome: it is. But the added complexity is
required to give a precise, inductive definition of satisfaction for all formulas,
and we need something like it to precisely define the semantic notions. There
are other ways of doing it, but they are all equally (in)elegant.

14.5 Sentences
Ok, now we have a (sketch of a) definition of satisfaction (“true in”) for struc-
tures and formulas. But it needs this additional bit—a variable assignment—
and what we wanted is a definition of sentences. How do we get rid of as-
signments, and what are sentences?
You probably remember a discussion in your first introduction to formal
logic about the relation between variables and quantifiers. A quantifier is al-
ways followed by a variable, and then in the part of the sentence to which that
quantifier applies (its “scope”), we understand that the variable is “bound”
by that quantifier. In formulas it was not required that every variable has a
matching quantifier, and variables without matching quantifiers are “free” or
“unbound.” We will take sentences to be all those formulas that have no free
variables.
Again, the intuitive idea of when an occurrence of a variable in a formula φ
is bound, which quantifier binds it, and when it is free, is not difficult to get.
You may have learned a method for testing this, perhaps involving counting
parentheses. We have to insist on a precise definition—and because we have
defined formulas by induction, we can give a definition of the free and bound
occurrences of a variable x in a formula φ also by induction. E.g., it might look
like this for our simplified language:
1. If φ is atomic, all occurrences of x in it are free (that is, the occurrence of
x in P ( x ) is free).
2. If φ is of the form ¬ψ, then an occurrence of x in ¬ψ is free iff the cor-
responding occurrence of x is free in ψ (that is, the free occurrences of
variables in ψ are exactly the corresponding occurrences in ¬ψ).
3. If φ is of the form (ψ ∧ χ), then an occurrence of x in (ψ ∧ χ) is free iff
the corresponding occurrence of x is free in ψ or in χ.
4. If φ is of the form ∃ x ψ, then no occurrence of x in φ is free; if it is of the
form ∃y ψ where y is a different variable than x, then an occurrence of x
in ∃y ψ is free iff the corresponding occurrence of x is free in ψ.
Once we have a precise definition of free and bound occurrences of vari-
ables, we can simply say: a sentence is any formula without free occurrences
of variables.

200 Release : d3a1905 (2022-12-19)

14.6. SEMANTIC NOTIONS

14.6 Semantic Notions

We mentioned above that when we consider whether M, s ⊨ φ holds, we (for
convenience) let s assign values to all variables, but only the values it assigns
to variables in φ are used. In fact, it’s only the values of free variables in φ
that matter. Of course, because we’re careful, we are going to prove this fact.
Since sentences have no free variables, s doesn’t matter at all when it comes
to whether or not they are satisfied in a structure. So, when φ is a sentence we
can define M ⊨ φ to mean “M, s ⊨ φ for all s,” which as it happens is true iff
M, s ⊨ φ for at least one s. We need to introduce variable assignments to get a
working definition of satisfaction for formulas, but for sentences, satisfaction
is independent of the variable assignments.
Once we have a definition of “M ⊨ φ,” we know what “case” and “true
in” mean as far as sentences of first-order logic are concerned. On the basis of
the definition of M ⊨ φ for sentences we can then define the basic semantic
notions of validity, entailment, and satisfiability. A sentence is valid, ⊨ φ, if
every structure satisfies it. It is entailed by a set of sentences, Γ ⊨ φ, if every
structure that satisfies all the sentences in Γ also satisfies φ. And a set of
sentences is satisfiable if some structure satisfies all sentences in it at the same
time.
Because formulas are inductively defined, and satisfaction is in turn de-
fined by induction on the structure of formulas, we can use induction to prove
properties of our semantics and to relate the semantic notions defined. We’ll
collect and prove some of these properties, partly because they are individu-
ally interesting, but mainly because many of them will come in handy when
we go on to investigate the relation between semantics and derivation sys-
tems. In order to do so, we’ll also have to define (precisely, i.e., by induction)
some syntactic notions and operations we haven’t mentioned yet.

14.7 Substitution
We’ll discuss an example to illustrate how things hang together, and how the
development of syntax and semantics lays the foundation for our more ad-
vanced investigations later. Our derivation systems should let us derive P (a)
from ∀v0 P (v0 ). Maybe we even want to state this as a rule of inference. How-
ever, to do so, we must be able to state it in the most general terms: not just
for P , a, and v0 , but for any formula φ, and term t, and variable x. (Recall
that constant symbols are terms, but we’ll consider also more complicated
terms built from constant symbols and function symbols.) So we want to be
able to say something like, “whenever you have derived ∀ x φ( x ) you are jus-
tified in inferring φ(t)—the result of removing ∀ x and replacing x by t.” But
what exactly does “replacing x by t” mean? What is the relation between φ( x )
and φ(t)? Does this always work?

Release : d3a1905 (2022-12-19) 201

 CHAPTER 14. INTRODUCTION TO FIRST-ORDER LOGIC

To make this precise, we define the operation of substitution. Substitution

is actually tricky, because we can’t just replace all x’s in φ by t, and not every t
can be substituted for any x. We’ll deal with this, again, using inductive defi-
nitions. But once this is done, specifying an inference rule as “infer φ(t) from
∀ x φ( x )” becomes a precise definition. Moreover, we’ll be able to show that
this is a good inference rule in the sense that ∀ x φ( x ) entails φ(t). But to prove
this, we have to again prove something that may at first glance prompt you to
ask “why are we doing this?” That ∀ x φ( x ) entails φ(t) relies on the fact that
whether or not M ⊨ φ(t) holds depends only on the value of the term t, i.e.,
if we let m be whatever element of |M| is picked out by t, then M, s ⊨ φ(t) iff
M, s[m/x ] ⊨ φ( x ). This holds even when t contains variables, but we’ll have
to be careful with how exactly we state the result.

14.8 Models and Theories

Once we’ve defined the syntax and semantics of first-order logic, we can get
to work investigating the properties of structures and the semantic notions.
We can also define derivation systems, and investigate those. For a set of
sentences, we can ask: what structures make all the sentences in that set true?
Given a set of sentences Γ, a structure M that satisfies them is called a model
of Γ. We might start from Γ and try to find its models—what do they look
like? How big or small do they have to be? But we might also start with a
single structure or collection of structures and ask: what sentences are true
in them? Are there sentences that characterize these structures in the sense
that they, and only they, are true in them? These kinds of questions are the
domain of model theory. They also underlie the axiomatic method: describing
a collection of structures by a set of sentences, the axioms of a theory. This
is made possible by the observation that exactly those sentences entailed in
first-order logic by the axioms are true in all models of the axioms.
As a very simple example, consider preorders. A preorder is a relation R
on some set A which is both reflexive and transitive. A set A with a two-place
relation R ⊆ A × A on it is exactly what we would need to give a structure for
a first-order language with a single two-place relation symbol P : we would
set |M| = A and P M = R. Since R is a preorder, it is reflexive and transitive,
and we can find a set Γ of sentences of first-order logic that say this:

∀ v 0 P ( v0 , v0 )
∀v0 ∀v1 ∀v2 ((P (v0 , v1 ) ∧ P (v1 , v2 )) → P (v0 , v2 ))

These sentences are just the symbolizations of “for any x, Rxx” (R is reflexive)
and “whenever Rxy and Ryz then also Rxz” (R is transitive). We see that
a structure M is a model of these two sentences Γ iff R (i.e., P M ), is a preorder
on A (i.e., |M|). In other words, the models of Γ are exactly the preorders. Any
property of all preorders that can be expressed in the first-order language with

202 Release : d3a1905 (2022-12-19)

14.9. SOUNDNESS AND COMPLETENESS

just P as predicate symbol (like reflexivity and transitivity above), is entailed

by the two sentences in Γ and vice versa. So anything we can prove about
models of Γ we have proved about all preorders.
For any particular theory and class of models (such as Γ and all preorders),
there will be interesting questions about what can be expressed in the cor-
responding first-order language, and what cannot be expressed. There are
some properties of structures that are interesting for all languages and classes
of models, namely those concerning the size of the domain. One can al-
ways express, for instance, that the domain contains exactly n elements, for
any n ∈ Z+ . One can also express, using a set of infinitely many sentences,
that the domain is infinite. But one cannot express that the domain is finite,
or that the domain is non-enumerable. These results about the limitations of
first-order languages are consequences of the compactness and Löwenheim-
Skolem theorems.

14.9 Soundness and Completeness

We’ll also introduce derivation systems for first-order logic. There are many
derivation systems that logicians have developed, but they all define the same
derivability relation between sentences. We say that Γ derives φ, Γ ⊢ φ, if
there is a derivation of a certain precisely defined sort. Derivations are always
finite arrangements of symbols—perhaps a list of sentences, or some more
complicated structure. The purpose of derivation systems is to provide a tool
to determine if a sentence is entailed by some set Γ. In order to serve that
purpose, it must be true that Γ ⊨ φ if, and only if, Γ ⊢ φ.
If Γ ⊢ φ but not Γ ⊨ φ, our derivation system would be too strong, prove
too much. The property that if Γ ⊢ φ then Γ ⊨ φ is called soundness, and it
is a minimal requirement on any good derivation system. On the other hand,
if Γ ⊨ φ but not Γ ⊢ φ, then our derivation system is too weak, it doesn’t
prove enough. The property that if Γ ⊨ φ then Γ ⊢ φ is called completeness.
Soundness is usually relatively easy to prove (by induction on the structure of
derivations, which are inductively defined). Completeness is harder to prove.
Soundness and completeness have a number of important consequences.
If a set of sentences Γ derives a contradiction (such as φ ∧ ¬ φ) it is called
inconsistent. Inconsistent Γs cannot have any models, they are unsatisfiable.
From completeness the converse follows: any Γ that is not inconsistent—or,
as we will say, consistent—has a model. In fact, this is equivalent to complete-
ness, and is the form of completeness we will actually prove. It is a deep and
perhaps surprising result: just because you cannot prove φ ∧ ¬ φ from Γ guar-
antees that there is a structure that is as Γ describes it. So completeness gives
an answer to the question: which sets of sentences have models? Answer: all
and only consistent sets do.
The soundness and completeness theorems have two important conse-

Release : d3a1905 (2022-12-19) 203

 CHAPTER 14. INTRODUCTION TO FIRST-ORDER LOGIC

quences: the compactness and the Löwenheim-Skolem theorem. These are

important results in the theory of models, and can be used to establish many
interesting results. We’ve already mentioned two: first-order logic cannot ex-
press that the domain of a structure is finite or that it is non-enumerable.
Historically, all of this—how to define syntax and semantics of first-order
logic, how to define good derivation systems, how to prove that they are
sound and complete, getting clear about what can and cannot be expressed
in first-order languages—took a long time to figure out and get right. We now
know how to do it, but going through all the details can still be confusing
and tedious. But it’s also important, because the methods developed here for
the formal language of first-order logic are applied all over the place in logic,
computer science, and linguistics. So working through the details pays off in
the long run.

204 Release : d3a1905 (2022-12-19)

Chapter 15

Syntax of First-Order Logic

15.1 Introduction
In order to develop the theory and metatheory of first-order logic, we must
first define the syntax and semantics of its expressions. The expressions of
first-order logic are terms and formulas. Terms are formed from variables,
constant symbols, and function symbols. Formulas, in turn, are formed from
predicate symbols together with terms (these form the smallest, “atomic” for-
mulas), and then from atomic formulas we can form more complex ones us-
ing logical connectives and quantifiers. There are many different ways to set
down the formation rules; we give just one possible one. Other systems will
chose different symbols, will select different sets of connectives as primitive,
will use parentheses differently (or even not at all, as in the case of so-called
Polish notation). What all approaches have in common, though, is that the
formation rules define the set of terms and formulas inductively. If done prop-
erly, every expression can result essentially in only one way according to the
formation rules. The inductive definition resulting in expressions that are
uniquely readable means we can give meanings to these expressions using the
same method—inductive definition.

15.2 First-Order Languages

Expressions of first-order logic are built up from a basic vocabulary containing
variables, constant symbols, predicate symbols and sometimes function symbols.
From them, together with logical connectives, quantifiers, and punctuation
symbols such as parentheses and commas, terms and formulas are formed.
Informally, predicate symbols are names for properties and relations, con-
stant symbols are names for individual objects, and function symbols are names
for mappings. These, except for the identity predicate =, are the non-logical
symbols and together make up a language. Any first-order language L is de-

205
 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

termined by its non-logical symbols. In the most general case, L contains

infinitely many symbols of each kind.
In the general case, we make use of the following symbols in first-order
logic:

1. Logical symbols

a) Logical connectives: ¬ (negation), ∧ (conjunction), ∨ (disjunction),

→ (conditional), ∀ (universal quantifier), ∃ (existential quantifier).
b) The propositional constant for falsity ⊥.
c) The two-place identity predicate =.
d) A denumerable set of variables: v0 , v1 , v2 , . . .

2. Non-logical symbols, making up the standard language of first-order logic

a) A denumerable set of n-place predicate symbols for each n > 0: A0n ,

A1n , A2n , . . .
b) A denumerable set of constant symbols: c0 , c1 , c2 , . . . .
c) A denumerable set of n-place function symbols for each n > 0: f0n ,
f1n , f2n , . . .

3. Punctuation marks: (, ), and the comma.

Most of our definitions and results will be formulated for the full standard
language of first-order logic. However, depending on the application, we may
also restrict the language to only a few predicate symbols, constant symbols,
and function symbols.

Example 15.1. The language L A of arithmetic contains a single two-place pred-

icate symbol <, a single constant symbol 0, one one-place function symbol ′,
and two two-place function symbols + and ×.

Example 15.2. The language of set theory L Z contains only the single two-
place predicate symbol ∈.

Example 15.3. The language of orders L≤ contains only the two-place predi-
cate symbol ≤.

Again, these are conventions: officially, these are just aliases, e.g., <, ∈,
and ≤ are aliases for A20 , 0 for c0 , ′ for f01 , + for f02 , × for f12 .
In addition to the primitive connectives and quantifiers introduced above,
we also use the following defined symbols: ↔ (biconditional), truth ⊤
A defined symbol is not officially part of the language, but is introduced
as an informal abbreviation: it allows us to abbreviate formulas which would,

206 Release : d3a1905 (2022-12-19)

15.3. TERMS AND FORMULAS

if we only used primitive symbols, get quite long. This is obviously an ad-
vantage. The bigger advantage, however, is that proofs become shorter. If a
symbol is primitive, it has to be treated separately in proofs. The more primi-
tive symbols, therefore, the longer our proofs.
You may be familiar with different terminology and symbols than the ones
we use above. Logic texts (and teachers) commonly use ∼, ¬, or ! for “nega-
tion”, ∧, ·, or & for “conjunction”. Commonly used symbols for the “condi-
tional” or “implication” are →, ⇒, and ⊃. Symbols for “biconditional,” “bi-
implication,” or “(material) equivalence” are ↔, ⇔, and ≡. The ⊥ symbol is
variously called “falsity,” “falsum,”, “absurdity,” or “bottom.” The ⊤ symbol
is variously called “truth,” “verum,” or “top.”
It is conventional to use lower case letters (e.g., a, b, c) from the begin-
ning of the Latin alphabet for constant symbols (sometimes called names),
and lower case letters from the end (e.g., x, y, z) for variables. Quantifiers
combine with variables, e.g., x; notational variations include ∀ x, (∀ x ), ( x ),
Πx, x for the universal quantifier and ∃ x, (∃ x ), ( Ex ), Σx, x for the existen-
V W

tial quantifier.
We might treat all the propositional operators and both quantifiers as prim-
itive symbols of the language. We might instead choose a smaller stock of
primitive symbols and treat the other logical operators as defined. “Truth
functionally complete” sets of Boolean operators include {¬, ∨}, {¬, ∧}, and
{¬, →}—these can be combined with either quantifier for an expressively
complete first-order language.
You may be familiar with two other logical operators: the Sheffer stroke |
(named after Henry Sheffer), and Peirce’s arrow ↓, also known as Quine’s
dagger. When given their usual readings of “nand” and “nor” (respectively),
these operators are truth functionally complete by themselves.

15.3 Terms and Formulas

Once a first-order language L is given, we can define expressions built up
from the basic vocabulary of L. These include in particular terms and formulas.

Definition 15.4 (Terms). The set of terms Trm(L) of L is defined inductively

by:

1. Every variable is a term.

2. Every constant symbol of L is a term.

3. If f is an n-place function symbol and t1 , . . . , tn are terms, then f (t1 , . . . , tn )

is a term.

4. Nothing else is a term.

A term containing no variables is a closed term.

Release : d3a1905 (2022-12-19) 207

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

The constant symbols appear in our specification of the language and the
terms as a separate category of symbols, but they could instead have been in-
cluded as zero-place function symbols. We could then do without the second
clause in the definition of terms. We just have to understand f (t1 , . . . , tn ) as
just f by itself if n = 0.
Definition 15.5 (Formulas). The set of formulas Frm(L) of the language L is
defined inductively as follows:
1. ⊥ is an atomic formula.
2. If R is an n-place predicate symbol of L and t1 , . . . , tn are terms of L,
then R(t1 , . . . , tn ) is an atomic formula.
3. If t1 and t2 are terms of L, then =(t1 , t2 ) is an atomic formula.
4. If φ is a formula, then ¬ φ is formula.
5. If φ and ψ are formulas, then ( φ ∧ ψ) is a formula.
6. If φ and ψ are formulas, then ( φ ∨ ψ) is a formula.
7. If φ and ψ are formulas, then ( φ → ψ) is a formula.
8. If φ is a formula and x is a variable, then ∀ x φ is a formula.
9. If φ is a formula and x is a variable, then ∃ x φ is a formula.
10. Nothing else is a formula.

The definitions of the set of terms and that of formulas are inductive defini-
tions. Essentially, we construct the set of formulas in infinitely many stages. In
the initial stage, we pronounce all atomic formulas to be formulas; this corre-
sponds to the first few cases of the definition, i.e., the cases for ⊥, R(t1 , . . . , tn )
and =(t1 , t2 ). “Atomic formula” thus means any formula of this form.
The other cases of the definition give rules for constructing new formulas
out of formulas already constructed. At the second stage, we can use them to
construct formulas out of atomic formulas. At the third stage, we construct
new formulas from the atomic formulas and those obtained in the second
stage, and so on. A formula is anything that is eventually constructed at such
a stage, and nothing else.
By convention, we write = between its arguments and leave out the paren-
theses: t1 = t2 is an abbreviation for =(t1 , t2 ). Moreover, ¬=(t1 , t2 ) is abbre-
viated as t1 ̸= t2 . When writing a formula (ψ ∗ χ) constructed from ψ, χ
using a two-place connective ∗, we will often leave out the outermost pair of
parentheses and write simply ψ ∗ χ.
Some logic texts require that the variable x must occur in φ in order for
∃ x φ and ∀ x φ to count as formulas. Nothing bad happens if you don’t require
this, and it makes things easier.

208 Release : d3a1905 (2022-12-19)

15.3. TERMS AND FORMULAS

Definition 15.6. Formulas constructed using the defined operators are to be

understood as follows:

1. ⊤ abbreviates ¬⊥.

2. φ ↔ ψ abbreviates ( φ → ψ) ∧ (ψ → φ).

If we work in a language for a specific application, we will often write two-

place predicate symbols and function symbols between the respective terms,
e.g., t1 < t2 and (t1 + t2 ) in the language of arithmetic and t1 ∈ t2 in the
language of set theory. The successor function in the language of arithmetic
is even written conventionally after its argument: t′ . Officially, however, these
are just conventional abbreviations for A20 (t1 , t2 ), f02 (t1 , t2 ), A20 (t1 , t2 ) and f 01 (t),
respectively.

Definition 15.7 (Syntactic identity). The symbol ≡ expresses syntactic iden-

tity between strings of symbols, i.e., φ ≡ ψ iff φ and ψ are strings of symbols
of the same length and which contain the same symbol in each place.

The ≡ symbol may be flanked by strings obtained by concatenation, e.g.,

φ ≡ (ψ ∨ χ) means: the string of symbols φ is the same string as the one
obtained by concatenating an opening parenthesis, the string ψ, the ∨ symbol,
the string χ, and a closing parenthesis, in this order. If this is the case, then we
know that the first symbol of φ is an opening parenthesis, φ contains ψ as a
substring (starting at the second symbol), that substring is followed by ∨, etc.
As terms and formulas are built up from basic elements via inductive def-
initions, we can use the following induction principles to prove things about
them.

Lemma 15.8 (Principle of induction on terms). Let L be a first-order language. If

some property P holds in all of the following cases, then P(t) for every t ∈ Trm(L).

1. P(v) for every variable v,

2. P( a) for every constant symbol a of L,

3. If t1 , . . . , tn ∈ Trm(L), f is an n-place function symbol of L, and P(t1 ), . . . , P(tn ),

then P( f (t1 , . . . , tn )).

Lemma 15.9 (Principle of induction on formulas). Let L be a first-order language.

If some property P holds for all the atomic formulas and is such that

1. φ is an atomic formula.

2. it holds for ¬ φ whenever it holds for φ;

3. it holds for ( φ ∧ ψ) whenever it holds for φ and ψ;

Release : d3a1905 (2022-12-19) 209

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

4. it holds for ( φ ∨ ψ) whenever it holds for φ and ψ;

5. it holds for ( φ → ψ) whenever it holds for φ and ψ;

6. it holds for ∃ xφ whenever it holds for φ;

7. it holds for ∀ xφ whenever it holds for φ;

then P holds for all formulas φ ∈ Frm(L).

15.4 Unique Readability

The way we defined formulas guarantees that every formula has a unique read-
ing, i.e., there is essentially only one way of constructing it according to our
formation rules for formulas and only one way of “interpreting” it. If this were
not so, we would have ambiguous formulas, i.e., formulas that have more
than one reading or intepretation—and that is clearly something we want to
avoid. But more importantly, without this property, most of the definitions
and proofs we are going to give will not go through.
Perhaps the best way to make this clear is to see what would happen if we
had given bad rules for forming formulas that would not guarantee unique
readability. For instance, we could have forgotten the parentheses in the for-
mation rules for connectives, e.g., we might have allowed this:

If φ and ψ are formulas, then so is φ → ψ.

Starting from an atomic formula θ, this would allow us to form θ → θ. From

this, together with θ, we would get θ → θ → θ. But there are two ways to do
this:

1. We take θ to be φ and θ → θ to be ψ.

2. We take φ to be θ → θ and ψ is θ.

Correspondingly, there are two ways to “read” the formula θ → θ → θ. It is of

the form ψ → χ where ψ is θ and χ is θ → θ, but it is also of the form ψ → χ
with ψ being θ → θ and χ being θ.
If this happens, our definitions will not always work. For instance, when
we define the main operator of a formula, we say: in a formula of the form
ψ → χ, the main operator is the indicated occurrence of →. But if we can match
the formula θ → θ → θ with ψ → χ in the two different ways mentioned above,
then in one case we get the first occurrence of → as the main operator, and in
the second case the second occurrence. But we intend the main operator to
be a function of the formula, i.e., every formula must have exactly one main
operator occurrence.

Lemma 15.10. The number of left and right parentheses in a formula φ are equal.

210 Release : d3a1905 (2022-12-19)

15.4. UNIQUE READABILITY

Proof. We prove this by induction on the way φ is constructed. This requires

two things: (a) We have to prove first that all atomic formulas have the prop-
erty in question (the induction basis). (b) Then we have to prove that when
we construct new formulas out of given formulas, the new formulas have the
property provided the old ones do.
Let l ( φ) be the number of left parentheses, and r ( φ) the number of right
parentheses in φ, and l (t) and r (t) similarly the number of left and right
parentheses in a term t.

1. φ ≡ ⊥: φ has 0 left and 0 right parentheses.

2. φ ≡ R(t1 , . . . , tn ): l ( φ) = 1 + l (t1 ) + · · · + l (tn ) = 1 + r (t1 ) + · · · +

r (tn ) = r ( φ). Here we make use of the fact, left as an exercise, that
l (t) = r (t) for any term t.

3. φ ≡ t1 = t2 : l ( φ) = l (t1 ) + l (t2 ) = r (t1 ) + r (t2 ) = r ( φ).

4. φ ≡ ¬ψ: By induction hypothesis, l (ψ) = r (ψ). Thus l ( φ) = l (ψ) =

r ( ψ ) = r ( φ ).

5. φ ≡ (ψ ∗ χ): By induction hypothesis, l (ψ) = r (ψ) and l (χ) = r (χ).

Thus l ( φ) = 1 + l (ψ) + l (χ) = 1 + r (ψ) + r (χ) = r ( φ).

6. φ ≡ ∀ x ψ: By induction hypothesis, l (ψ) = r (ψ). Thus, l ( φ) = l (ψ) =

r ( ψ ) = r ( φ ).

7. φ ≡ ∃ x ψ: Similarly.

Definition 15.11 (Proper prefix). A string of symbols ψ is a proper prefix of a

string of symbols φ if concatenating ψ and a non-empty string of symbols
yields φ.

Lemma 15.12. If φ is a formula, and ψ is a proper prefix of φ, then ψ is not a formula.

Proof. Exercise.

Proposition 15.13. If φ is an atomic formula, then it satisfies one, and only one of
the following conditions.

1. φ ≡ ⊥.

2. φ ≡ R(t1 , . . . , tn ) where R is an n-place predicate symbol, t1 , . . . , tn are terms,

and each of R, t1 , . . . , tn is uniquely determined.

3. φ ≡ t1 = t2 where t1 and t2 are uniquely determined terms.

Proof. Exercise.

Release : d3a1905 (2022-12-19) 211

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

Proposition 15.14 (Unique Readability). Every formula satisfies one, and only
one of the following conditions.

1. φ is atomic.

2. φ is of the form ¬ψ.

3. φ is of the form (ψ ∧ χ).

4. φ is of the form (ψ ∨ χ).

5. φ is of the form (ψ → χ).

6. φ is of the form ∀ x ψ.

7. φ is of the form ∃ x ψ.

Moreover, in each case ψ, or ψ and χ, are uniquely determined. This means that, e.g.,
there are no different pairs ψ, χ and ψ′ , χ′ so that φ is both of the form (ψ → χ) and
( ψ ′ → χ ′ ).

Proof. The formation rules require that if a formula is not atomic, it must start
with an opening parenthesis (, ¬, or a quantifier. On the other hand, every for-
mula that starts with one of the following symbols must be atomic: a predicate
symbol, a function symbol, a constant symbol, ⊥.
So we really only have to show that if φ is of the form (ψ ∗ χ) and also of
the form (ψ′ ∗′ χ′ ), then ψ ≡ ψ′ , χ ≡ χ′ , and ∗ = ∗′ .
So suppose both φ ≡ (ψ ∗ χ) and φ ≡ (ψ′ ∗′ χ′ ). Then either ψ ≡ ψ′ or not.
If it is, clearly ∗ = ∗′ and χ ≡ χ′ , since they then are substrings of φ that begin
in the same place and are of the same length. The other case is ψ ̸≡ ψ′ . Since
ψ and ψ′ are both substrings of φ that begin at the same place, one must be a
proper prefix of the other. But this is impossible by Lemma 15.12.

15.5 Main operator of a Formula

It is often useful to talk about the last operator used in constructing a for-
mula φ. This operator is called the main operator of φ. Intuitively, it is the
“outermost” operator of φ. For example, the main operator of ¬ φ is ¬, the
main operator of ( φ ∨ ψ) is ∨, etc.

Definition 15.15 (Main operator). The main operator of a formula φ is defined

as follows:

1. φ is atomic: φ has no main operator.

2. φ ≡ ¬ψ: the main operator of φ is ¬.

3. φ ≡ (ψ ∧ χ): the main operator of φ is ∧.

212 Release : d3a1905 (2022-12-19)

15.6. SUBFORMULAS

4. φ ≡ (ψ ∨ χ): the main operator of φ is ∨.

5. φ ≡ (ψ → χ): the main operator of φ is →.

6. φ ≡ ∀ x ψ: the main operator of φ is ∀.

7. φ ≡ ∃ x ψ: the main operator of φ is ∃.

In each case, we intend the specific indicated occurrence of the main oper-
ator in the formula. For instance, since the formula ((θ → α) → (α → θ )) is of
the form (ψ → χ) where ψ is (θ → α) and χ is (α → θ ), the second occurrence
of → is the main operator.
This is a recursive definition of a function which maps all non-atomic for-
mulas to their main operator occurrence. Because of the way formulas are de-
fined inductively, every formula φ satisfies one of the cases in Definition 15.15.
This guarantees that for each non-atomic formula φ a main operator exists.
Because each formula satisfies only one of these conditions, and because the
smaller formulas from which φ is constructed are uniquely determined in each
case, the main operator occurrence of φ is unique, and so we have defined a
function.
We call formulas by the names in Table 15.1 depending on which symbol
their main operator is.Recall, however, that defined operators do not officially
appear in formulas. They are just abbreviations, so officially they cannot be
the main operator of a formula. In proofs about all formulas they therefore do
not have to be treated separately.
Main operator Type of formula Example
none atomic (formula) ⊥, R ( t1 , . . . , t n ), t1 = t2
¬ negation ¬φ
∧ conjunction ( φ ∧ ψ)
∨ disjunction ( φ ∨ ψ)
→ conditional ( φ → ψ)
↔ biconditional ( φ ↔ ψ)
∀ universal (formula) ∀x φ
∃ existential (formula) ∃x φ
Table 15.1: Main operator and names of formulas

15.6 Subformulas
It is often useful to talk about the formulas that “make up” a given formula.
We call these its subformulas. Any formula counts as a subformula of itself; a
subformula of φ other than φ itself is a proper subformula.

Definition 15.16 (Immediate Subformula). If φ is a formula, the immediate

subformulas of φ are defined inductively as follows:

Release : d3a1905 (2022-12-19) 213

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

1. Atomic formulas have no immediate subformulas.

2. φ ≡ ¬ψ: The only immediate subformula of φ is ψ.
3. φ ≡ (ψ ∗ χ): The immediate subformulas of φ are ψ and χ (∗ is any one
of the two-place connectives).
4. φ ≡ ∀ x ψ: The only immediate subformula of φ is ψ.
5. φ ≡ ∃ x ψ: The only immediate subformula of φ is ψ.
Definition 15.17 (Proper Subformula). If φ is a formula, the proper subformu-
las of φ are defined recursively as follows:
1. Atomic formulas have no proper subformulas.
2. φ ≡ ¬ψ: The proper subformulas of φ are ψ together with all proper
subformulas of ψ.
3. φ ≡ (ψ ∗ χ): The proper subformulas of φ are ψ, χ, together with all
proper subformulas of ψ and those of χ.
4. φ ≡ ∀ x ψ: The proper subformulas of φ are ψ together with all proper
subformulas of ψ.
5. φ ≡ ∃ x ψ: The proper subformulas of φ are ψ together with all proper
subformulas of ψ.
Definition 15.18 (Subformula). The subformulas of φ are φ itself together with
all its proper subformulas.
Note the subtle difference in how we have defined immediate subformulas
and proper subformulas. In the first case, we have directly defined the imme-
diate subformulas of a formula φ for each possible form of φ. It is an explicit
definition by cases, and the cases mirror the inductive definition of the set of
formulas. In the second case, we have also mirrored the way the set of all
formulas is defined, but in each case we have also included the proper subfor-
mulas of the smaller formulas ψ, χ in addition to these formulas themselves.
This makes the definition recursive. In general, a definition of a function on an
inductively defined set (in our case, formulas) is recursive if the cases in the
definition of the function make use of the function itself. To be well defined,
we must make sure, however, that we only ever use the values of the function
for arguments that come “before” the one we are defining—in our case, when
defining “proper subformula” for (ψ ∗ χ) we only use the proper subformulas
of the “earlier” formulas ψ and χ.
Proposition 15.19. Suppose ψ is a subformula of φ and χ is a subformula of ψ. Then
χ is a subformula of φ. In other words, the subformula relation is transitive.
Proposition 15.20. Suppose φ is a formula with n connectives and quantifiers. Then
φ has at most 2n + 1 subformulas.

214 Release : d3a1905 (2022-12-19)

15.7. FORMATION SEQUENCES

15.7 Formation Sequences

Defining formulas via an inductive definition, and the complementary tech-
nique of proving properties of formulas via induction, is an elegant and effi-
cient approach. However, it can also be useful to consider a more bottom-up,
step-by-step approach to the construction of formulas, which we do here us-
ing the notion of a formation sequence. To show how terms and formulas can
be introduced in this way without needing to refer to their inductive defini-
tions, we first introduce the notion of an arbitrary string of symbols drawn
from some language L.

Definition 15.21 (Strings). Suppose L is a first-order language. An L-string

is a finite sequence of symbols of L. Where the language L is clearly fixed by
the context, we will often refer to a L-string as a string simpliciter.

Example 15.22. For any first-order language L, all L-formulas are L-strings,
but not conversely. For example,

)(v0 → ∃

is an L-string but not an L-formula.

Definition 15.23 (Formation sequences for terms). A finite sequence of L-strings

⟨t0 , . . . , tn ⟩ is a formation sequence for a term t if t ≡ tn and for all i ≤ n, either
ti is a variable or a constant symbol, or L contains a k-ary function symbol f
and there exist m0 , . . . , mk < i such that ti ≡ f (tm0 , . . . , tmk ).

Example 15.24. The sequence

⟨c0 , v0 , f02 (c0 , v0 ), f01 (f02 (c0 , v0 ))⟩

is a formation sequence for the term f01 (f02 (c0 , v0 )), as is

⟨v0 , c0 , f02 (c0 , v0 ), f01 (f02 (c0 , v0 ))⟩.

Definition 15.25 (Formation sequences for formulas). A finite sequence of L-

strings ⟨ φ0 , . . . , φn ⟩ is a formation sequence for φ if φ ≡ φn and for all i ≤ n,
either φi is an atomic formula or there exist j, k < i and a variable x such that
one of the following holds:

1. φi ≡ ¬ φ j .

2. φi ≡ ( φ j ∧ φk ).

3. φi ≡ ( φ j ∨ φk ).

4. φi ≡ ( φ j → φk ).

Release : d3a1905 (2022-12-19) 215

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

5. φi ≡ ∀ x φ j .

6. φi ≡ ∃ x φ j .

Example 15.26.

⟨A10 (v0 ), A11 (c1 ), (A11 (c1 ) ∧ A10 (v0 )), ∃v0 (A11 (c1 ) ∧ A10 (v0 ))⟩

is a formation sequence of ∃v0 (A11 (c1 ) ∧ A10 (v0 )), as is

⟨A10 (v0 ), A11 (c1 ), (A11 (c1 ) ∧ A10 (v0 )), A11 (c1 ),
∀v1 A10 (v0 ), ∃v0 (A11 (c1 ) ∧ A10 (v0 ))⟩.

As can be seen from the second example, formation sequences may contain
“junk”: formulas which are redundant or do not contribute to the construc-
tion.

Proposition 15.27. Every formula φ in Frm(L) has a formation sequence.

Proof. Suppose φ is atomic. Then the sequence ⟨ φ⟩ is a formation sequence

for φ. Now suppose that ψ and χ have formation sequences ⟨ψ0 , . . . , ψn ⟩ and
⟨χ0 , . . . , χm ⟩ respectively.
1. If φ ≡ ¬ψ, then ⟨ψ0 , . . . , ψn , ¬ψn ⟩ is a formation sequence for φ.

2. If φ ≡ (ψ ∧ χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn ∧ χm )⟩ is a formation

sequence for φ.

3. If φ ≡ (ψ ∨ χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn ∨ χm )⟩ is a formation

sequence for φ.

4. If φ ≡ (ψ → χ), then ⟨ψ0 , . . . , ψn , χ0 , . . . , χm , (ψn → χm )⟩ is a formation

sequence for φ.

5. If φ ≡ ∀ x ψ, then ⟨ψ0 , . . . , ψn , ∀ x ψn ⟩ is a formation sequence for φ.

6. If φ ≡ ∃ x ψ, then ⟨ψ0 , . . . , ψn , ∃ x ψn ⟩ is a formation sequence for φ.

By the principle of induction on formulas, every formula has a formation se-

quence.

We can also prove the converse. This is important because it shows that
our two ways of defining formulas are equivalent: they give the same results.
It also means that we can prove theorems about formulas by using ordinary
induction on the length of formation sequences.

Lemma 15.28. Suppose that ⟨ φ0 , . . . , φn ⟩ is a formation sequence for φn , and that

k ≤ n. Then ⟨ φ0 , . . . , φk ⟩ is a formation sequence for φk .

216 Release : d3a1905 (2022-12-19)

15.7. FORMATION SEQUENCES

Proof. Exercise.

Theorem 15.29. Frm(L) is the set of all expressions (strings of symbols) in the lan-
guage L with a formation sequence.

Proof. Let F be the set of all strings of symbols in the language L that have a
formation sequence. We have seen in Proposition 15.27 that Frm(L) ⊆ F, so
now we prove the converse.
Suppose φ has a formation sequence ⟨ φ0 , . . . , φn ⟩. We prove that φ ∈
Frm(L) by strong induction on n. Our induction hypothesis is that every
string of symbols with a formation sequence of length m < n is in Frm(L). By
the definition of a formation sequence, either φn is atomic or there must exist
j, k < n such that one of the following is the case:

1. φi ≡ ¬ φ j .

2. φi ≡ ( φ j ∧ φk ).

3. φi ≡ ( φ j ∨ φk ).

4. φi ≡ ( φ j → φk ).

5. φi ≡ ∀ x φ j .

6. φi ≡ ∃ x φ j .

Now we reason by cases. If φn is atomic then φn ∈ Frm(L0 ). Suppose in-

stead that φ ≡ ( φ j ∧ φk ). By Lemma 15.28, ⟨ φ0 , . . . , φ j ⟩ and ⟨ φ0 , . . . , φk ⟩ are
formation sequences for φ j and φk , respectively. Since these are proper ini-
tial subsequences of the formation sequence for φ, they both have length less
than n. Therefore by the induction hypothesis, φ j and φk are in Frm(L0 ), and
by the definition of a formula, so is ( φ j ∧ φk ). The other cases follow by par-
allel reasoning.

Formation sequences for terms have similar properties to those for formu-
las.

Proposition 15.30. Trm(L) is the set of all expressions t in the language L such
that there exists a (term) formation sequence fo t.

Proof. Exercise.

There are two types of “junk” that can appear in formation sequences: re-
peated elements, and elements that are irrelevant to the construction of the
formation or term. We can eliminate both by looking at minimal formation
sequences.

Release : d3a1905 (2022-12-19) 217

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

Definition 15.31 (Minimal formation sequences). A formation sequence ⟨ φ0 , . . . , φn ⟩

for φ is a minimal formation sequence for φ if for every other formation se-
quence s for φ, the length of s is greater than or equal to n + 1.

Proposition 15.32. The following are equivalent:

1. ψ is a sub-formula of φ.

2. ψ occurs in every formation sequence of φ.

3. ψ occurs in a minimal formation sequence of φ.

Proof. Exercise.

Historical Remarks Formation sequences were introduced by Raymond Smullyan

in his textbook First-Order Logic (Smullyan, 1968). Additional properties of
formation sequences were established by Zuckerman (1973).

15.8 Free Variables and Sentences

Definition 15.33 (Free occurrences of a variable). The free occurrences of a vari-
able in a formula are defined inductively as follows:

1. φ is atomic: all variable occurrences in φ are free.

2. φ ≡ ¬ψ: the free variable occurrences of φ are exactly those of ψ.

3. φ ≡ (ψ ∗ χ): the free variable occurrences of φ are those in ψ together

with those in χ.

4. φ ≡ ∀ x ψ: the free variable occurrences in φ are all of those in ψ except

for occurrences of x.

5. φ ≡ ∃ x ψ: the free variable occurrences in φ are all of those in ψ except

for occurrences of x.

Definition 15.34 (Bound Variables). An occurrence of a variable in a formula φ

is bound if it is not free.

Definition 15.35 (Scope). If ∀ x ψ is an occurrence of a subformula in a for-

mula φ, then the corresponding occurrence of ψ in φ is called the scope of the
corresponding occurrence of ∀ x. Similarly for ∃ x.
If ψ is the scope of a quantifier occurrence ∀ x or ∃ x in φ, then the free oc-
currences of x in ψ are bound in ∀ x ψ and ∃ x ψ. We say that these occurrences
are bound by the mentioned quantifier occurrence.

218 Release : d3a1905 (2022-12-19)

15.9. SUBSTITUTION

Example 15.36. Consider the following formula:

∃v0 A20 (v0 , v1 )

| {z }
ψ

ψ represents the scope of ∃v0 . The quantifier binds the occurrence of v0 in ψ,

but does not bind the occurrence of v1 . So v1 is a free variable in this case.
We can now see how this might work in a more complicated formula φ:
θ
z }| {
∀v0 (A10 (v0 ) → A20 (v0 , v1 )) →∃v1 (A21 (v0 , v1 ) ∨ ∀v0 ¬A11 (v0 ))
| {z } | {z }
ψ χ

ψ is the scope of the first ∀v0 , χ is the scope of ∃v1 , and θ is the scope of
the second ∀v0 . The first ∀v0 binds the occurrences of v0 in ψ, ∃v1 binds the
occurrence of v1 in χ, and the second ∀v0 binds the occurrence of v0 in θ. The
first occurrence of v1 and the fourth occurrence of v0 are free in φ. The last
occurrence of v0 is free in θ, but bound in χ and φ.

Definition 15.37 (Sentence). A formula φ is a sentence iff it contains no free

occurrences of variables.

15.9 Substitution
Definition 15.38 (Substitution in a term). We define s[t/x ], the result of sub-
stituting t for every occurrence of x in s, recursively:

1. s ≡ c: s[t/x ] is just s.

2. s ≡ y: s[t/x ] is also just s, provided y is a variable and y ̸≡ x.

3. s ≡ x: s[t/x ] is t.

4. s ≡ f (t1 , . . . , tn ): s[t/x ] is f (t1 [t/x ], . . . , tn [t/x ]).

Definition 15.39. A term t is free for x in φ if none of the free occurrences of x

in φ occur in the scope of a quantifier that binds a variable in t.

Example 15.40.

1. v8 is free for v1 in ∃v3 A24 (v3 , v1 )

2. f12 (v1 , v2 ) is not free for v0 in ∀v2 A24 (v0 , v2 )

Definition 15.41 (Substitution in a formula). If φ is a formula, x is a variable,

and t is a term free for x in φ, then φ[t/x ] is the result of substituting t for all
free occurrences of x in φ.

Release : d3a1905 (2022-12-19) 219

 CHAPTER 15. SYNTAX OF FIRST-ORDER LOGIC

1. φ ≡ ⊥: φ[t/x ] is ⊥.

2. φ ≡ P(t1 , . . . , tn ): φ[t/x ] is P(t1 [t/x ], . . . , tn [t/x ]).

3. φ ≡ t1 = t2 : φ[t/x ] is t1 [t/x ] = t2 [t/x ].

4. φ ≡ ¬ψ: φ[t/x ] is ¬ψ[t/x ].

5. φ ≡ (ψ ∧ χ): φ[t/x ] is (ψ[t/x ] ∧ χ[t/x ]).

6. φ ≡ (ψ ∨ χ): φ[t/x ] is (ψ[t/x ] ∨ χ[t/x ]).

7. φ ≡ (ψ → χ): φ[t/x ] is (ψ[t/x ] → χ[t/x ]).

8. φ ≡ ∀y ψ: φ[t/x ] is ∀y ψ[t/x ], provided y is a variable other than x;

otherwise φ[t/x ] is just φ.

9. φ ≡ ∃y ψ: φ[t/x ] is ∃y ψ[t/x ], provided y is a variable other than x;

otherwise φ[t/x ] is just φ.

Note that substitution may be vacuous: If x does not occur in φ at all, then
φ[t/x ] is just φ.
The restriction that t must be free for x in φ is necessary to exclude cases
like the following. If φ ≡ ∃y x < y and t ≡ y, then φ[t/x ] would be ∃y y <
y. In this case the free variable y is “captured” by the quantifier ∃y upon
substitution, and that is undesirable. For instance, we would like it to be the
case that whenever ∀ x ψ holds, so does ψ[t/x ]. But consider ∀ x ∃y x < y (here
ψ is ∃y x < y). It is a sentence that is true about, e.g., the natural numbers:
for every number x there is a number y greater than it. If we allowed y as a
possible substitution for x, we would end up with ψ[y/x ] ≡ ∃y y < y, which
is false. We prevent this by requiring that none of the free variables in t would
end up being bound by a quantifier in φ.
We often use the following convention to avoid cumbersome notation: If
φ is a formula which may contain the variable x free, we also write φ( x ) to
indicate this. When it is clear which φ and x we have in mind, and t is a term
(assumed to be free for x in φ( x )), then we write φ(t) as short for φ[t/x ]. So
for instance, we might say, “we call φ(t) an instance of ∀ x φ( x ).” By this we
mean that if φ is any formula, x a variable, and t a term that’s free for x in φ,
then φ[t/x ] is an instance of ∀ x φ.

Problems
Problem 15.1. Prove Lemma 15.8.

Problem 15.2. Prove that for any term t, l (t) = r (t).

Problem 15.3. Prove Lemma 15.12.

220 Release : d3a1905 (2022-12-19)

15.9. SUBSTITUTION

Problem 15.4. Prove Proposition 15.13 (Hint: Formulate and prove a version
of Lemma 15.12 for terms.)

Problem 15.5. Prove Proposition 15.19.

Problem 15.6. Prove Proposition 15.20.

Problem 15.7. Prove Lemma 15.28.

Problem 15.8. Prove Proposition 15.30. Hint: use a similar strategy to that
used in the proof of Theorem 15.29.

Problem 15.9. Prove Proposition 15.32.

Problem 15.10. Give an inductive definition of the bound variable occurrences

along the lines of Definition 15.33.

Release : d3a1905 (2022-12-19) 221

Chapter 16

Semantics of First-Order Logic

16.1 Introduction

Giving the meaning of expressions is the domain of semantics. The central

concept in semantics is that of satisfaction in a structure. A structure gives
meaning to the building blocks of the language: a domain is a non-empty
set of objects. The quantifiers are interpreted as ranging over this domain,
constant symbols are assigned elements in the domain, function symbols are
assigned functions from the domain to itself, and predicate symbols are as-
signed relations on the domain. The domain together with assignments to the
basic vocabulary constitutes a structure. Variables may appear in formulas,
and in order to give a semantics, we also have to assign elements of the do-
main to them—this is a variable assignment. The satisfaction relation, finally,
brings these together. A formula may be satisfied in a structure M relative to
a variable assignment s, written as M, s ⊨ φ. This relation is also defined by
induction on the structure of φ, using the truth tables for the logical connec-
tives to define, say, satisfaction of ( φ ∧ ψ) in terms of satisfaction (or not) of φ
and ψ. It then turns out that the variable assignment is irrelevant if the for-
mula φ is a sentence, i.e., has no free variables, and so we can talk of sentences
being simply satisfied (or not) in structures.

On the basis of the satisfaction relation M ⊨ φ for sentences we can then

define the basic semantic notions of validity, entailment, and satisfiability.
A sentence is valid, ⊨ φ, if every structure satisfies it. It is entailed by a set
of sentences, Γ ⊨ φ, if every structure that satisfies all the sentences in Γ also
satisfies φ. And a set of sentences is satisfiable if some structure satisfies all
sentences in it at the same time. Because formulas are inductively defined,
and satisfaction is in turn defined by induction on the structure of formulas,
we can use induction to prove properties of our semantics and to relate the
semantic notions defined.

222
16.2. STRUCTURES FOR FIRST-ORDER LANGUAGES

16.2 Structures for First-order Languages

First-order languages are, by themselves, uninterpreted: the constant symbols,
function symbols, and predicate symbols have no specific meaning attached
to them. Meanings are given by specifying a structure. It specifies the domain,
i.e., the objects which the constant symbols pick out, the function symbols
operate on, and the quantifiers range over. In addition, it specifies which con-
stant symbols pick out which objects, how a function symbol maps objects
to objects, and which objects the predicate symbols apply to. Structures are
the basis for semantic notions in logic, e.g., the notion of consequence, valid-
ity, satisfiability. They are variously called “structures,” “interpretations,” or
“models” in the literature.

Definition 16.1 (Structures). A structure M, for a language L of first-order

logic consists of the following elements:

1. Domain: a non-empty set, |M|

2. Interpretation of constant symbols: for each constant symbol c of L, an ele-

ment cM ∈ |M|

3. Interpretation of predicate symbols: for each n-place predicate symbol R of

L (other than =), an n-place relation RM ⊆ |M|n

4. Interpretation of function symbols: for each n-place function symbol f of

L, an n-place function f M : |M|n → |M|

Example 16.2. A structure M for the language of arithmetic consists of a set,

an element of |M|, 0M , as interpretation of the constant symbol 0, a one-place
function ′M : |M| → |M|, two two-place functions +M and ×M , both |M|2 →
|M|, and a two-place relation <M ⊆ |M|2 .
An obvious example of such a structure is the following:

1. |N| = N

2. 0N = 0

3. ′N (n) = n + 1 for all n ∈ N

4. +N (n, m) = n + m for all n, m ∈ N

5. ×N (n, m) = n · m for all n, m ∈ N

6. <N = {⟨n, m⟩ : n ∈ N, m ∈ N, n < m}

The structure N for L A so defined is called the standard model of arithmetic,

because it interprets the non-logical constants of L A exactly how you would
expect.

Release : d3a1905 (2022-12-19) 223

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

However, there are many other possible structures for L A . For instance,
we might take as the domain the set Z of integers instead of N, and define the
interpretations of 0, ′, +, ×, < accordingly. But we can also define structures
for L A which have nothing even remotely to do with numbers.

Example 16.3. A structure M for the language L Z of set theory requires just a
set and a single-two place relation. So technically, e.g., the set of people plus
the relation “x is older than y” could be used as a structure for L Z , as well as
N together with n ≥ m for n, m ∈ N.
A particularly interesting structure for L Z in which the elements of the
domain are actually sets, and the interpretation of ∈ actually is the relation “x
is an element of y” is the structure HF of hereditarily finite sets:

1. |HF| = ∅ ∪ ℘(∅) ∪ ℘(℘(∅)) ∪ ℘(℘(℘(∅))) ∪ . . . ;

2. ∈HF = {⟨ x, y⟩ : x, y ∈ |HF| , x ∈ y}.

The stipulations we make as to what counts as a structure impact our logic.

For example, the choice to prevent empty domains ensures, given the usual
account of satisfaction (or truth) for quantified sentences, that ∃ x ( φ( x ) ∨ ¬ φ( x ))
is valid—that is, a logical truth. And the stipulation that all constant symbols
must refer to an object in the domain ensures that the existential generaliza-
tion is a sound pattern of inference: φ( a), therefore ∃ x φ( x ). If we allowed
names to refer outside the domain, or to not refer, then we would be on our
way to a free logic, in which existential generalization requires an additional
premise: φ( a) and ∃ x x = a, therefore ∃ x φ( x ).

16.3 Covered Structures for First-order Languages

Recall that a term is closed if it contains no variables.

Definition 16.4 (Value of closed terms). If t is a closed term of the language L

and M is a structure for L, the value ValM (t) is defined as follows:

1. If t is just the constant symbol c, then ValM (c) = cM .

2. If t is of the form f (t1 , . . . , tn ), then

ValM (t) = f M (ValM (t1 ), . . . , ValM (tn )).

Definition 16.5 (Covered structure). A structure is covered if every element of

the domain is the value of some closed term.

Example 16.6. Let L be the language with constant symbols zer o, one, tw o,
. . . , the binary predicate symbol <, and the binary function symbols + and
×. Then a structure M for L is the one with domain |M| = {0, 1, 2, . . .} and

224 Release : d3a1905 (2022-12-19)

16.4. SATISFACTION OF A FORMULA IN A STRUCTURE

assignments z er o M = 0, one M = 1, tw o M = 2, and so forth. For the binary

relation symbol <, the set <M is the set of all pairs ⟨c1 , c2 ⟩ ∈ |M|2 such that
c1 is less than c2 : for example, ⟨1, 3⟩ ∈ <M but ⟨2, 2⟩ ∈ / <M . For the binary
function symbol +, define + in the usual way—for example, +M (2, 3) maps
M

to 5, and similarly for the binary function symbol ×. Hence, the value of
f our is just 4, and the value of ×(tw o, +(thr ee, z er o )) (or in infix notation,
tw o × (thr ee + z er o )) is

ValM (×(tw o, +(thr ee, z er o )) =

= ×M (ValM (tw o ), ValM (+(thr ee, z er o )))
= ×M (ValM (tw o ), +M (ValM (thr ee ), ValM (z er o )))
= ×M (tw o M , +M (thr ee M , z er o M ))
= ×M (2, +M (3, 0))
= ×M (2, 3)
=6

16.4 Satisfaction of a Formula in a Structure

The basic notion that relates expressions such as terms and formulas, on the
one hand, and structures on the other, are those of value of a term and satisfac-
tion of a formula. Informally, the value of a term is an element of a structure—
if the term is just a constant, its value is the object assigned to the constant
by the structure, and if it is built up using function symbols, the value is com-
puted from the values of constants and the functions assigned to the functions
in the term. A formula is satisfied in a structure if the interpretation given to
the predicates makes the formula true in the domain of the structure. This
notion of satisfaction is specified inductively: the specification of the struc-
ture directly states when atomic formulas are satisfied, and we define when a
complex formula is satisfied depending on the main connective or quantifier
and whether or not the immediate subformulas are satisfied.
The case of the quantifiers here is a bit tricky, as the immediate subformula
of a quantified formula has a free variable, and structures don’t specify the val-
ues of variables. In order to deal with this difficulty, we also introduce variable
assignments and define satisfaction not with respect to a structure alone, but
with respect to a structure plus a variable assignment.

Definition 16.7 (Variable Assignment). A variable assignment s for a structure M

is a function which maps each variable to an element of |M|, i.e., s : Var →
|M|.

A structure assigns a value to each constant symbol, and a variable assign-

ment to each variable. But we want to use terms built up from them to also

Release : d3a1905 (2022-12-19) 225

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

name elements of the domain. For this we define the value of terms induc-
tively. For constant symbols and variables the value is just as the structure or
the variable assignment specifies it; for more complex terms it is computed
recursively using the functions the structure assigns to the function symbols.

Definition 16.8 (Value of Terms). If t is a term of the language L, M is a struc-

ture for L, and s is a variable assignment for M, the value ValMs ( t ) is defined
as follows:

1. t ≡ c: ValM M
s (t) = c .

2. t ≡ x: ValM
s ( t ) = s ( x ).

3. t ≡ f (t1 , . . . , tn ):

ValM M M M
s ( t ) = f (Vals ( t1 ), . . . , Vals ( tn )).

Definition 16.9 (x-Variant). If s is a variable assignment for a structure M,

then any variable assignment s′ for M which differs from s at most in what it
assigns to x is called an x-variant of s. If s′ is an x-variant of s we write s′ ∼ x s.

Note that an x-variant of an assignment s does not have to assign something

different to x. In fact, every assignment counts as an x-variant of itself.

Definition 16.10. If s is a variable assignment for a structure M and m ∈ |M|,

then the assignment s[m/x ] is the variable assignment defined by
(
m if y ≡ x
s[m/x ](y) =
s(y) otherwise.

In other words, s[m/x ] is the particular x-variant of s which assigns the

domain element m to x, and assigns the same things to variables other than x
that s does.

Definition 16.11 (Satisfaction). Satisfaction of a formula φ in a structure M

relative to a variable assignment s, in symbols: M, s ⊨ φ, is defined recursively
as follows. (We write M, s ⊭ φ to mean “not M, s ⊨ φ.”)

1. φ ≡ ⊥: M, s ⊭ φ.

2. φ ≡ R(t1 , . . . , tn ): M, s ⊨ φ iff ⟨ValM M M

s ( t1 ), . . . , Vals ( tn )⟩ ∈ R .

3. φ ≡ t1 = t2 : M, s ⊨ φ iff ValM M
s ( t1 ) = Vals ( t2 ).

4. φ ≡ ¬ψ: M, s ⊨ φ iff M, s ⊭ ψ.

5. φ ≡ (ψ ∧ χ): M, s ⊨ φ iff M, s ⊨ ψ and M, s ⊨ χ.

6. φ ≡ (ψ ∨ χ): M, s ⊨ φ iff M, s ⊨ ψ or M, s ⊨ χ (or both).

226 Release : d3a1905 (2022-12-19)

16.4. SATISFACTION OF A FORMULA IN A STRUCTURE

7. φ ≡ (ψ → χ): M, s ⊨ φ iff M, s ⊭ ψ or M, s ⊨ χ (or both).

8. φ ≡ ∀ x ψ: M, s ⊨ φ iff for every element m ∈ |M|, M, s[m/x ] ⊨ ψ.

9. φ ≡ ∃ x ψ: M, s ⊨ φ iff for at least one element m ∈ |M|, M, s[m/x ] ⊨ ψ.

The variable assignments are important in the last two clauses. We cannot
define satisfaction of ∀ x ψ( x ) by “for all m ∈ |M|, M ⊨ ψ(m).” We cannot
define satisfaction of ∃ x ψ( x ) by “for at least one m ∈ |M|, M ⊨ ψ(m).” The
reason is that if m ∈ |M|, it is not a symbol of the language, and so ψ(m) is not
a formula (that is, ψ[m/x ] is undefined). We also cannot assume that we have
constant symbols or terms available that name every element of M, since there
is nothing in the definition of structures that requires it. In the standard lan-
guage, the set of constant symbols is denumerable, so if |M| is not enumerable
there aren’t even enough constant symbols to name every object.
We solve this problem by introducing variable assignments, which allow
us to link variables directly with elements of the domain. Then instead of
saying that, e.g., ∃ x ψ( x ) is satisfied in M iff for at least one m ∈ |M|, we say
it is satisfied in M relative to s iff ψ( x ) is satisfied relative to s[m/x ] for at least
one m ∈ |M|.

Example 16.12. Let L = { a, b, f , R} where a and b are constant symbols, f is a

two-place function symbol, and R is a two-place predicate symbol. Consider
the structure M defined by:

1. |M| = {1, 2, 3, 4}

2. aM = 1

3. bM = 2

4. f M ( x, y) = x + y if x + y ≤ 3 and = 3 otherwise.

5. RM = {⟨1, 1⟩, ⟨1, 2⟩, ⟨2, 3⟩, ⟨2, 4⟩}

The function s( x ) = 1 that assigns 1 ∈ |M| to every variable is a variable

assignment for M.
Then

ValM M M M
s ( f ( a, b )) = f (Vals ( a ), Vals ( b )).

Since a and b are constant symbols, ValM

s ( a) = a
M = 1 and ValM ( b ) = bM =
s
2. So

ValM M
s ( f ( a, b )) = f (1, 2) = 1 + 2 = 3.

Release : d3a1905 (2022-12-19) 227

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

To compute the value of f ( f ( a, b), a) we have to consider

ValM M M M M
s ( f ( f ( a, b ), a )) = f (Vals ( f ( a, b )), Vals ( a )) = f (3, 1) = 3,

since 3 + 1 > 3. Since s( x ) = 1 and ValM

s ( x ) = s ( x ), we also have

ValM M M M M
s ( f ( f ( a, b ), x )) = f (Vals ( f ( a, b )), Vals ( x )) = f (3, 1) = 3,

An atomic formula R(t1 , t2 ) is satisfied if the tuple of values of its ar-

guments, i.e., ⟨ValM M M
s ( t1 ), Vals ( t2 )⟩, is an element of R . So, e.g., we have
M M
M, s ⊨ R(b, f ( a, b)) since ⟨Val (b), Val ( f ( a, b))⟩ = ⟨2, 3⟩ ∈ RM , but M, s ⊭
R( x, f ( a, b)) since ⟨1, 3⟩ ∈/ RM [ s ].
To determine if a non-atomic formula φ is satisfied, you apply the clauses
in the inductive definition that applies to the main connective. For instance,
the main connective in R( a, a) → ( R(b, x ) ∨ R( x, b)) is the →, and

M, s ⊨ R( a, a) → ( R(b, x ) ∨ R( x, b)) iff

M, s ⊭ R( a, a) or M, s ⊨ R(b, x ) ∨ R( x, b)

Since M, s ⊨ R( a, a) (because ⟨1, 1⟩ ∈ RM ) we can’t yet determine the answer

and must first figure out if M, s ⊨ R(b, x ) ∨ R( x, b):

M, s ⊨ R(b, x ) ∨ R( x, b) iff
M, s ⊨ R(b, x ) or M, s ⊨ R( x, b)

And this is the case, since M, s ⊨ R( x, b) (because ⟨1, 2⟩ ∈ RM ).

Recall that an x-variant of s is a variable assignment that differs from s at

most in what it assigns to x. For every element of |M|, there is an x-variant
of s:

s1 = s[1/x ], s2 = s[2/x ],
s3 = s[3/x ], s4 = s[4/x ].

So, e.g., s2 ( x ) = 2 and s2 (y) = s(y) = 1 for all variables y other than x. These
are all the x-variants of s for the structure M, since |M| = {1, 2, 3, 4}. Note, in
particular, that s1 = s (s is always an x-variant of itself).
To determine if an existentially quantified formula ∃ x φ( x ) is satisfied, we
have to determine if M, s[m/x ] ⊨ φ( x ) for at least one m ∈ |M|. So,

M, s ⊨ ∃ x ( R(b, x ) ∨ R( x, b)),

228 Release : d3a1905 (2022-12-19)

16.4. SATISFACTION OF A FORMULA IN A STRUCTURE

since M, s[1/x ] ⊨ R(b, x ) ∨ R( x, b) (s[3/x ] would also fit the bill). But,

M, s ⊭ ∃ x ( R(b, x ) ∧ R( x, b))

since, whichever m ∈ |M| we pick, M, s[m/x ] ⊭ R(b, x ) ∧ R( x, b).

To determine if a universally quantified formula ∀ x φ( x ) is satisfied, we
have to determine if M, s[m/x ] ⊨ φ( x ) for all m ∈ |M|. So,

M, s ⊨ ∀ x ( R( x, a) → R( a, x )),

since M, s[m/x ] ⊨ R( x, a) → R( a, x ) for all m ∈ |M|. For m = 1, we have

M, s[1/x ] ⊨ R( a, x ) so the consequent is true; for m = 2, 3, and 4, we have
M, s[m/x ] ⊭ R( x, a), so the antecedent is false. But,

M, s ⊭ ∀ x ( R( a, x ) → R( x, a))

since M, s[2/x ] ⊭ R( a, x ) → R( x, a) (because M, s[2/x ] ⊨ R( a, x ) and M, s[2/x ] ⊭

R( x, a)).
For a more complicated case, consider

∀ x ( R( a, x ) → ∃y R( x, y)).

Since M, s[3/x ] ⊭ R( a, x ) and M, s[4/x ] ⊭ R( a, x ), the interesting cases where

we have to worry about the consequent of the conditional are only m = 1
and = 2. Does M, s[1/x ] ⊨ ∃y R( x, y) hold? It does if there is at least one
n ∈ |M| so that M, s[1/x ][n/y] ⊨ R( x, y). In fact, if we take n = 1, we have
s[1/x ][n/y] = s[1/y] = s. Since s( x ) = 1, s(y) = 1, and ⟨1, 1⟩ ∈ RM , the
answer is yes.
To determine if M, s[2/x ] ⊨ ∃y R( x, y), we have to look at the variable as-
signments s[2/x ][n/y]. Here, for n = 1, this assignment is s2 = s[2/x ], which
does not satisfy R( x, y) (s2 ( x ) = 2, s2 (y) = 1, and ⟨2, 1⟩ ∈ / RM ). However,
consider s[2/x ][3/y] = s2 [3/y]. M, s2 [3/y] ⊨ R( x, y) since ⟨2, 3⟩ ∈ RM , and
so M, s2 ⊨ ∃y R( x, y).
So, for all n ∈ |M|, either M, s[m/x ] ⊭ R( a, x ) (if m = 3, 4) or M, s[m/x ] ⊨
∃y R( x, y) (if m = 1, 2), and so

M, s ⊨ ∀ x ( R( a, x ) → ∃y R( x, y)).

On the other hand,

M, s ⊭ ∃ x ( R( a, x ) ∧ ∀y R( x, y)).

We have M, s[m/x ] ⊨ R( a, x ) only for m = 1 and m = 2. But for both

of these values of m, there is in turn an n ∈ |M|, namely n = 4, so that
M, s[m/x ][n/y] ⊭ R( x, y) and so M, s[m/x ] ⊭ ∀y R( x, y) for m = 1 and m = 2.
In sum, there is no m ∈ |M| such that M, s[m/x ] ⊨ R( a, x ) ∧ ∀y R( x, y).

Release : d3a1905 (2022-12-19) 229

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

16.5 Variable Assignments

A variable assignment s provides a value for every variable—and there are
infinitely many of them. This is of course not necessary. We require variable
assignments to assign values to all variables simply because it makes things a
lot easier. The value of a term t, and whether or not a formula φ is satisfied
in a structure with respect to s, only depend on the assignments s makes to
the variables in t and the free variables of φ. This is the content of the next
two propositions. To make the idea of “depends on” precise, we show that
any two variable assignments that agree on all the variables in t give the same
value, and that φ is satisfied relative to one iff it is satisfied relative to the other
if two variable assignments agree on all free variables of φ.

Proposition 16.13. If the variables in a term t are among x1 , . . . , xn , and s1 ( xi ) =

s2 ( xi ) for i = 1, . . . , n, then ValM M
s1 ( t ) = Vals2 ( t ).

Proof. By induction on the complexity of t. For the base case, t can be a con-
stant symbol or one of the variables x1 , . . . , xn . If t = c, then ValM s1 ( t ) = c
M =

ValM
s2 ( t ). If t = xi , s1 ( xi ) = s2 ( xi ) by the hypothesis of the proposition, and so
Vals1 (t) = s1 ( xi ) = s2 ( xi ) = ValM
M
s2 ( t ).
For the inductive step, assume that t = f (t1 , . . . , tk ) and that the claim
holds for t1 , . . . , tk . Then

ValM M
s1 ( t ) = Vals1 ( f ( t1 , . . . , tk )) =

= f M (ValM M
s1 ( t1 ), . . . , Vals1 ( tk ))

For j = 1, . . . , k, the variables of t j are among x1 , . . . , xn . By induction hypoth-

esis, ValM M
s1 ( t j ) = Vals2 ( t j ). So,

ValM M
s1 ( t ) = Vals1 ( f ( t1 , . . . , tk )) =

= f M (ValM M
s1 ( t1 ), . . . , Vals1 ( tk )) =

= f M (ValM M
s2 ( t1 ), . . . , Vals2 ( tk )) =
= ValM M
s2 ( f ( t1 , . . . , tk )) = Vals2 ( t ).

Proposition 16.14. If the free variables in φ are among x1 , . . . , xn , and s1 ( xi ) =

s2 ( xi ) for i = 1, . . . , n, then M, s1 ⊨ φ iff M, s2 ⊨ φ.

Proof. We use induction on the complexity of φ. For the base case, where φ is
atomic, φ can be: ⊥, R(t1 , . . . , tk ) for a k-place predicate R and terms t1 , . . . , tk ,
or t1 = t2 for terms t1 and t2 .

1. φ ≡ ⊥: both M, s1 ⊭ φ and M, s2 ⊭ φ.

230 Release : d3a1905 (2022-12-19)

16.5. VARIABLE ASSIGNMENTS

2. φ ≡ R(t1 , . . . , tk ): let M, s1 ⊨ φ. Then

⟨ValM M M
s1 ( t1 ), . . . , Vals1 ( tk )⟩ ∈ R .

For i = 1, . . . , k, ValM M
s1 ( ti ) = Vals2 ( ti ) by Proposition 16.13. So we also
M M
have ⟨Vals2 (ti ), . . . , Vals2 (tk )⟩ ∈ RM .

3. φ ≡ t1 = t2 : suppose M, s1 ⊨ φ. Then ValM M

s1 ( t1 ) = Vals1 ( t2 ). So,

ValM M
s2 ( t1 ) = Vals1 ( t1 ) (by Proposition 16.13)
= ValM
s1 ( t 2 ) (since M, s1 ⊨ t1 = t2 )
= ValM
s2 ( t 2 ) (by Proposition 16.13),

so M, s2 ⊨ t1 = t2 .

Now assume M, s1 ⊨ ψ iff M, s2 ⊨ ψ for all formulas ψ less complex than φ.

The induction step proceeds by cases determined by the main operator of φ.
In each case, we only demonstrate the forward direction of the biconditional;
the proof of the reverse direction is symmetrical. In all cases except those for
the quantifiers, we apply the induction hypothesis to sub-formulas ψ of φ.
The free variables of ψ are among those of φ. Thus, if s1 and s2 agree on the
free variables of φ, they also agree on those of ψ, and the induction hypothesis
applies to ψ.

1. φ ≡ ¬ψ: if M, s1 ⊨ φ, then M, s1 ⊭ ψ, so by the induction hypothesis,

M, s2 ⊭ ψ, hence M, s2 ⊨ φ.

2. φ ≡ ψ ∧ χ: exercise.

3. φ ≡ ψ ∨ χ: if M, s1 ⊨ φ, then M, s1 ⊨ ψ or M, s1 ⊨ χ. By induction
hypothesis, M, s2 ⊨ ψ or M, s2 ⊨ χ, so M, s2 ⊨ φ.

4. φ ≡ ψ → χ: exercise.

5. φ ≡ ∃ x ψ: if M, s1 ⊨ φ, there is an m ∈ |M| so that M, s1 [m/x ] ⊨ ψ. Let

s1′ = s1 [m/x ] and s2′ = s2 [m/x ]. The free variables of ψ are among x1 ,
. . . , xn , and x. s1′ ( xi ) = s2′ ( xi ), since s1′ and s2′ are x-variants of s1 and s2 ,
respectively, and by hypothesis s1 ( xi ) = s2 ( xi ). s1′ ( x ) = s2′ ( x ) = m
by the way we have defined s1′ and s2′ . Then the induction hypothesis
applies to ψ and s1′ , s2′ , so M, s2′ ⊨ ψ. Hence, since s2′ = s2 [m/x ], there is
an m ∈ |M| such that M, s2 [m/x ] ⊨ ψ, and so M, s2 ⊨ φ.

6. φ ≡ ∀ x ψ: exercise.

By induction, we get that M, s1 ⊨ φ iff M, s2 ⊨ φ whenever the free variables

in φ are among x1 , . . . , xn and s1 ( xi ) = s2 ( xi ) for i = 1, . . . , n.

Release : d3a1905 (2022-12-19) 231

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

Sentences have no free variables, so any two variable assignments assign

the same things to all the (zero) free variables of any sentence. The proposition
just proved then means that whether or not a sentence is satisfied in a structure
relative to a variable assignment is completely independent of the assignment.
We’ll record this fact. It justifies the definition of satisfaction of a sentence in
a structure (without mentioning a variable assignment) that follows.

Corollary 16.15. If φ is a sentence and s a variable assignment, then M, s ⊨ φ iff

M, s′ ⊨ φ for every variable assignment s′ .

Proof. Let s′ be any variable assignment. Since φ is a sentence, it has no free

variables, and so every variable assignment s′ trivially assigns the same things
to all free variables of φ as does s. So the condition of Proposition 16.14 is
satisfied, and we have M, s ⊨ φ iff M, s′ ⊨ φ.

Definition 16.16. If φ is a sentence, we say that a structure M satisfies φ, M ⊨

φ, iff M, s ⊨ φ for all variable assignments s.

If M ⊨ φ, we also simply say that φ is true in M.

Proposition 16.17. Let M be a structure, φ be a sentence, and s a variable assign-

ment. M ⊨ φ iff M, s ⊨ φ.

Proof. Exercise.

Proposition 16.18. Suppose φ( x ) only contains x free, and M is a structure. Then:

1. M ⊨ ∃ x φ( x ) iff M, s ⊨ φ( x ) for at least one variable assignment s.

2. M ⊨ ∀ x φ( x ) iff M, s ⊨ φ( x ) for all variable assignments s.

Proof. Exercise.

16.6 Extensionality
Extensionality, sometimes called relevance, can be expressed informally as fol-
lows: the only factors that bear upon the satisfaction of formula φ in a struc-
ture M relative to a variable assignment s, are the size of the domain and the
assignments made by M and s to the elements of the language that actually
appear in φ.
One immediate consequence of extensionality is that where two struc-
tures M and M′ agree on all the elements of the language appearing in a sen-
tence φ and have the same domain, M and M′ must also agree on whether or
not φ itself is true.

232 Release : d3a1905 (2022-12-19)

16.6. EXTENSIONALITY

Proposition 16.19 (Extensionality). Let φ be a formula, and M1 and M2 be struc-

tures with |M1 | = |M2 |, and s a variable assignment on |M1 | = |M2 |. If cM1 =
cM2 , RM1 = RM2 , and f M1 = f M2 for every constant symbol c, relation symbol R,
and function symbol f occurring in φ, then M1 , s ⊨ φ iff M2 , s ⊨ φ.
M
Proof. First prove (by induction on t) that for every term, Vals 1 (t) = ValM
s ( t ).
2

Then prove the proposition by induction on φ, making use of the claim just
proved for the induction basis (where φ is atomic).

Corollary 16.20 (Extensionality for Sentences). Let φ be a sentence and M1 , M2

as in Proposition 16.19. Then M1 ⊨ φ iff M2 ⊨ φ.

Proof. Follows from Proposition 16.19 by Corollary 16.15.

Moreover, the value of a term, and whether or not a structure satisfies

a formula, only depend on the values of its subterms.

Proposition 16.21. Let M be a structure, t and t′ terms, and s a variable assign-

ment. Then ValM ′ M
s ( t [ t /x ]) = Vals[ValM (t′ )/x ] ( t ).
s

Proof. By induction on t.

1. If t is a constant, say, t ≡ c, then t[t′ /x ] = c, and ValM

s (c) = c
M =
M
Vals[ValM (t′ )/x] (c).
s

2. If t is a variable other than x, say, t ≡ y, then t[t′ /x ] = y, and ValM

s (y) =
ValM M ′
s[Val (t )/x ]
( y ) since s ∼ x s [ Val M ′
s ( t ) /x ] .
s

3. If t ≡ x, then t[t′ /x ] = t′ . But ValM

s[ValM (t′ )/x ]
( x ) = ValM ′
s ( t ) by definition
s
of s[ValM ′
s ( t ) /x ].

4. If t ≡ f (t1 , . . . , tn ) then we have:

′
ValM
s ( t [ t /x ]) =
′ ′
= ValM
s ( f ( t1 [ t /x ], . . . , tn [ t /x ]))
by definition of t[t′ /x ]
′ ′
= f M (ValM M
s ( t1 [ t /x ]), . . . , Vals ( tn [ t /x ]))
by definition of ValM
s ( f ( . . . ))
= f M (ValM (t ), . . . , ValM
s[ValM (t′ )/x ] 1
(t ))
s[ValM (t′ )/x ] n
s s

by induction hypothesis
= ValM
s[ValM (t′ )/x ]
(t) by definition of ValM
s[ValM (t′ )/x ]
( f (. . . ))
s s

Release : d3a1905 (2022-12-19) 233

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

Proposition 16.22. Let M be a structure, φ a formula, t′ a term, and s a variable

assignment. Then M, s ⊨ φ[t′ /x ] iff M, s[ValM ′
s ( t ) /x ] ⊨ φ.

Proof. Exercise.

The point of Propositions 16.21 and 16.22 is the following. Suppose we

have a term t or a formula φ and some term t′ , and we want to know the
value of t[t′ /x ] or whether or not φ[t′ /x ] is satisfied in a structure M relative
to a variable assignment s. Then we can either perform the substitution first
and then consider the value or satisfaction relative to M and s, or we can first
determine the value m = ValM ′ ′
s ( t ) of t in M relative to s, change the vari-
able assignment to s[m/x ] and then consider the value of t in M and s[m/x ],
or whether M, s[m/x ] ⊨ φ. Propositions 16.21 and 16.22 guarantee that the
answer will be the same, whichever way we do it.

16.7 Semantic Notions

Given the definition of structures for first-order languages, we can define
some basic semantic properties of and relationships between sentences. The
simplest of these is the notion of validity of a sentence. A sentence is valid if
it is satisfied in every structure. Valid sentences are those that are satisfied re-
gardless of how the non-logical symbols in it are interpreted. Valid sentences
are therefore also called logical truths—they are true, i.e., satisfied, in any struc-
ture and hence their truth depends only on the logical symbols occurring in
them and their syntactic structure, but not on the non-logical symbols or their
interpretation.

Definition 16.23 (Validity). A sentence φ is valid, ⊨ φ, iff M ⊨ φ for every

structure M.

Definition 16.24 (Entailment). A set of sentences Γ entails a sentence φ, Γ ⊨ φ,

iff for every structure M with M ⊨ Γ, M ⊨ φ.

Definition 16.25 (Satisfiability). A set of sentences Γ is satisfiable if M ⊨ Γ for

some structure M. If Γ is not satisfiable it is called unsatisfiable.

Proposition 16.26. A sentence φ is valid iff Γ ⊨ φ for every set of sentences Γ.

Proof. For the forward direction, let φ be valid, and let Γ be a set of sentences.
Let M be a structure so that M ⊨ Γ. Since φ is valid, M ⊨ φ, hence Γ ⊨ φ.
For the contrapositive of the reverse direction, let φ be invalid, so there is
a structure M with M ⊭ φ. When Γ = {⊤}, since ⊤ is valid, M ⊨ Γ. Hence,
there is a structure M so that M ⊨ Γ but M ⊭ φ, hence Γ does not entail φ.

Proposition 16.27. Γ ⊨ φ iff Γ ∪ {¬ φ} is unsatisfiable.

234 Release : d3a1905 (2022-12-19)

16.7. SEMANTIC NOTIONS

Proof. For the forward direction, suppose Γ ⊨ φ and suppose to the contrary
that there is a structure M so that M ⊨ Γ ∪ {¬ φ}. Since M ⊨ Γ and Γ ⊨ φ,
M ⊨ φ. Also, since M ⊨ Γ ∪ {¬ φ}, M ⊨ ¬ φ, so we have both M ⊨ φ and
M ⊭ φ, a contradiction. Hence, there can be no such structure M, so Γ ∪ {¬ φ}
is unsatisfiable.
For the reverse direction, suppose Γ ∪ {¬ φ} is unsatisfiable. So for every
structure M, either M ⊭ Γ or M ⊨ φ. Hence, for every structure M with
M ⊨ Γ, M ⊨ φ, so Γ ⊨ φ.

Proposition 16.28. If Γ ⊆ Γ ′ and Γ ⊨ φ, then Γ ′ ⊨ φ.

Proof. Suppose that Γ ⊆ Γ ′ and Γ ⊨ φ. Let M be a structure such that M ⊨ Γ ′ ;

then M ⊨ Γ, and since Γ ⊨ φ, we get that M ⊨ φ. Hence, whenever M ⊨ Γ ′ ,
M ⊨ φ, so Γ ′ ⊨ φ.

Theorem 16.29 (Semantic Deduction Theorem). Γ ∪ { φ} ⊨ ψ iff Γ ⊨ φ → ψ.

Proof. For the forward direction, let Γ ∪ { φ} ⊨ ψ and let M be a structure so

that M ⊨ Γ. If M ⊨ φ, then M ⊨ Γ ∪ { φ}, so since Γ ∪ { φ} entails ψ, we get
M ⊨ ψ. Therefore, M ⊨ φ → ψ, so Γ ⊨ φ → ψ.
For the reverse direction, let Γ ⊨ φ → ψ and M be a structure so that M ⊨
Γ ∪ { φ}. Then M ⊨ Γ, so M ⊨ φ → ψ, and since M ⊨ φ, M ⊨ ψ. Hence,
whenever M ⊨ Γ ∪ { φ}, M ⊨ ψ, so Γ ∪ { φ} ⊨ ψ.

Proposition 16.30. Let M be a structure, and φ( x ) a formula with one free vari-
able x, and t a closed term. Then:

1. φ(t) ⊨ ∃ x φ( x )

2. ∀ x φ( x ) ⊨ φ(t)

Proof. 1. Suppose M ⊨ φ(t). Let s be a variable assignment with s( x ) =

ValM (t). Then M, s ⊨ φ(t) since φ(t) is a sentence. By Proposition 16.22,
M, s ⊨ φ( x ). By Proposition 16.18, M ⊨ ∃ x φ( x ).

2. Exercise.

Problems
Problem 16.1. Is N, the standard model of arithmetic, covered? Explain.

Problem 16.2. Let L = {c, f , A} with one constant symbol, one one-place
function symbol and one two-place predicate symbol, and let the structure M
be given by

1. |M| = {1, 2, 3}

Release : d3a1905 (2022-12-19) 235

 CHAPTER 16. SEMANTICS OF FIRST-ORDER LOGIC

2. cM = 3

3. f M (1) = 2, f M (2) = 3, f M (3) = 2

4. AM = {⟨1, 2⟩, ⟨2, 3⟩, ⟨3, 3⟩}

(a) Let s(v) = 1 for all variables v. Find out whether

M, s ⊨ ∃ x ( A( f (z), c) → ∀y ( A(y, x ) ∨ A( f (y), x )))

Explain why or why not.

(b) Give a different structure and variable assignment in which the formula
is not satisfied.

Problem 16.3. Complete the proof of Proposition 16.14.

Problem 16.4. Prove Proposition 16.17

Problem 16.5. Prove Proposition 16.18.

Problem 16.6. Suppose L is a language without function symbols. Given a

structure M, c a constant symbol and a ∈ |M|, define M[ a/c] to be the struc-
ture that is just like M, except that cM[ a/c] = a. Define M ||= φ for sentences φ
by:

1. φ ≡ ⊥: not M ||= φ.

2. φ ≡ R(d1 , . . . , dn ): M ||= φ iff ⟨dM M M

1 , . . . , dn ⟩ ∈ R .

3. φ ≡ d1 = d2 : M ||= φ iff dM M
1 = d2 .

4. φ ≡ ¬ψ: M ||= φ iff not M ||= ψ.

5. φ ≡ (ψ ∧ χ): M ||= φ iff M ||= ψ and M ||= χ.

6. φ ≡ (ψ ∨ χ): M ||= φ iff M ||= ψ or M ||= χ (or both).

7. φ ≡ (ψ → χ): M ||= φ iff not M ||= ψ or M ||= χ (or both).

8. φ ≡ ∀ x ψ: M ||= φ iff for all a ∈ |M|, M[ a/c] ||= ψ[c/x ], if c does not
occur in ψ.

9. φ ≡ ∃ x ψ: M ||= φ iff there is an a ∈ |M| such that M[ a/c] ||= ψ[c/x ],

if c does not occur in ψ.

Let x1 , . . . , xn be all free variables in φ, c1 , . . . , cn constant symbols not in φ,

a1 , . . . , an ∈ |M|, and s( xi ) = ai .
Show that M, s ⊨ φ iff M[ a1 /c1 , . . . , an /cn ] ||= φ[c1 /x1 ] . . . [cn /xn ].
(This problem shows that it is possible to give a semantics for first-order
logic that makes do without variable assignments.)

236 Release : d3a1905 (2022-12-19)

16.7. SEMANTIC NOTIONS

Problem 16.7. Suppose that f is a function symbol not in φ( x, y). Show that
there is a structure M such that M ⊨ ∀ x ∃y φ( x, y) iff there is an M′ such that
M′ ⊨ ∀ x φ( x, f ( x )).
(This problem is a special case of what’s known as Skolem’s Theorem;
∀ x φ( x, f ( x )) is called a Skolem normal form of ∀ x ∃y φ( x, y).)

Problem 16.8. Carry out the proof of Proposition 16.19 in detail.

Problem 16.9. Prove Proposition 16.22

Problem 16.10. 1. Show that Γ ⊨ ⊥ iff Γ is unsatisfiable.

2. Show that Γ ∪ { φ} ⊨ ⊥ iff Γ ⊨ ¬ φ.

3. Suppose c does not occur in φ or Γ. Show that Γ ⊨ ∀ x φ iff Γ ⊨ φ[c/x ].

Problem 16.11. Complete the proof of Proposition 16.30.

Release : d3a1905 (2022-12-19) 237

Chapter 17

Theories and Their Models

17.1 Introduction
The development of the axiomatic method is a significant achievement in the
history of science, and is of special importance in the history of mathemat-
ics. An axiomatic development of a field involves the clarification of many
questions: What is the field about? What are the most fundamental concepts?
How are they related? Can all the concepts of the field be defined in terms of
these fundamental concepts? What laws do, and must, these concepts obey?
The axiomatic method and logic were made for each other. Formal logic
provides the tools for formulating axiomatic theories, for proving theorems
from the axioms of the theory in a precisely specified way, for studying the
properties of all systems satisfying the axioms in a systematic way.

Definition 17.1. A set of sentences Γ is closed iff, whenever Γ ⊨ φ then φ ∈ Γ.

The closure of a set of sentences Γ is { φ : Γ ⊨ φ}.
We say that Γ is axiomatized by a set of sentences ∆ if Γ is the closure of ∆.

We can think of an axiomatic theory as the set of sentences that is axiom-

atized by its set of axioms ∆. In other words, when we have a first-order lan-
guage which contains non-logical symbols for the primitives of the axiomat-
ically developed science we wish to study, together with a set of sentences
that express the fundamental laws of the science, we can think of the theory
as represented by all the sentences in this language that are entailed by the
axioms. This ranges from simple examples with only a single primitive and
simple axioms, such as the theory of partial orders, to complex theories such
as Newtonian mechanics.
The important logical facts that make this formal approach to the axiomatic
method so important are the following. Suppose Γ is an axiom system for a
theory, i.e., a set of sentences.

238
17.1. INTRODUCTION

1. We can state precisely when an axiom system captures an intended class

of structures. That is, if we are interested in a certain class of structures,
we will successfully capture that class by an axiom system Γ iff the struc-
tures are exactly those M such that M ⊨ Γ.

2. We may fail in this respect because there are M such that M ⊨ Γ, but M
is not one of the structures we intend. This may lead us to add axioms
which are not true in M.

3. If we are successful at least in the respect that Γ is true in all the intended
structures, then a sentence φ is true in all intended structures whenever
Γ ⊨ φ. Thus we can use logical tools (such as derivation methods) to
show that sentences are true in all intended structures simply by show-
ing that they are entailed by the axioms.

4. Sometimes we don’t have intended structures in mind, but instead start

from the axioms themselves: we begin with some primitives that we
want to satisfy certain laws which we codify in an axiom system. One
thing that we would like to verify right away is that the axioms do not
contradict each other: if they do, there can be no concepts that obey
these laws, and we have tried to set up an incoherent theory. We can
verify that this doesn’t happen by finding a model of Γ. And if there are
models of our theory, we can use logical methods to investigate them,
and we can also use logical methods to construct models.

5. The independence of the axioms is likewise an important question. It

may happen that one of the axioms is actually a consequence of the oth-
ers, and so is redundant. We can prove that an axiom φ in Γ is redundant
by proving Γ \ { φ} ⊨ φ. We can also prove that an axiom is not redun-
dant by showing that ( Γ \ { φ}) ∪ {¬ φ} is satisfiable. For instance, this is
how it was shown that the parallel postulate is independent of the other
axioms of geometry.

6. Another important question is that of definability of concepts in a the-

ory: The choice of the language determines what the models of a theory
consist of. But not every aspect of a theory must be represented sepa-
rately in its models. For instance, every ordering ≤ determines a cor-
responding strict ordering <—given one, we can define the other. So it
is not necessary that a model of a theory involving such an order must
also contain the corresponding strict ordering. When is it the case, in
general, that one relation can be defined in terms of others? When is it
impossible to define a relation in terms of others (and hence must add it
to the primitives of the language)?

Release : d3a1905 (2022-12-19) 239

 CHAPTER 17. THEORIES AND THEIR MODELS

17.2 Expressing Properties of Structures

It is often useful and important to express conditions on functions and rela-
tions, or more generally, that the functions and relations in a structure satisfy
these conditions. For instance, we would like to have ways of distinguishing
those structures for a language which “capture” what we want the predicate
symbols to “mean” from those that do not. Of course we’re completely free
to specify which structures we “intend,” e.g., we can specify that the inter-
pretation of the predicate symbol ≤ must be an ordering, or that we are only
interested in interpretations of L in which the domain consists of sets and ∈
is interpreted by the “is an element of” relation. But can we do this with sen-
tences of the language? In other words, which conditions on a structure M can
we express by a sentence (or perhaps a set of sentences) in the language of M?
There are some conditions that we will not be able to express. For instance,
there is no sentence of L A which is only true in a structure M if |M| = N.
We cannot express “the domain contains only natural numbers.” But there
are “structural properties” of structures that we perhaps can express. Which
properties of structures can we express by sentences? Or, to put it another
way, which collections of structures can we describe as those making a sen-
tence (or set of sentences) true?
Definition 17.2 (Model of a set). Let Γ be a set of sentences in a language L.
We say that a structure M is a model of Γ if M ⊨ φ for all φ ∈ Γ.

Example 17.3. The sentence ∀ x x ≤ x is true in M iff ≤M is a reflexive relation.

The sentence ∀ x ∀y (( x ≤ y ∧ y ≤ x ) → x = y) is true in M iff ≤M is anti-
symmetric. The sentence ∀ x ∀y ∀z (( x ≤ y ∧ y ≤ z) → x ≤ z) is true in M iff
≤M is transitive. Thus, the models of
{ ∀ x x ≤ x,
∀ x ∀y (( x ≤ y ∧ y ≤ x ) → x = y),
∀ x ∀y ∀z (( x ≤ y ∧ y ≤ z) → x ≤ z) }
are exactly those structures in which ≤M is reflexive, anti-symmetric, and
transitive, i.e., a partial order. Hence, we can take them as axioms for the
first-order theory of partial orders.

17.3 Examples of First-Order Theories

Example 17.4. The theory of strict linear orders in the language L< is axiom-
atized by the set
{ ∀ x ¬ x < x,
∀ x ∀y (( x < y ∨ y < x ) ∨ x = y),
∀ x ∀y ∀z (( x < y ∧ y < z) → x < z) }

240 Release : d3a1905 (2022-12-19)

17.3. EXAMPLES OF FIRST-ORDER THEORIES

It completely captures the intended structures: every strict linear order is a

model of this axiom system, and vice versa, if R is a linear order on a set X,
then the structure M with |M| = X and <M = R is a model of this theory.

Example 17.5. The theory of groups in the language 1 (constant symbol), ·

(two-place function symbol) is axiomatized by
∀ x ( x · 1) = x
∀ x ∀y ∀z ( x · (y · z)) = (( x · y) · z)
∀ x ∃y ( x · y) = 1

Example 17.6. The theory of Peano arithmetic is axiomatized by the following

sentences in the language of arithmetic L A .
∀ x ∀y ( x ′ = y′ → x = y)
∀ x 0 ̸= x′
∀ x ( x + 0) = x
∀ x ∀y ( x + y′ ) = ( x + y)′
∀ x ( x × 0) = 0
∀ x ∀y ( x × y′ ) = (( x × y) + x )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y)

plus all sentences of the form

( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x )
Since there are infinitely many sentences of the latter form, this axiom sys-
tem is infinite. The latter form is called the induction schema. (Actually, the
induction schema is a bit more complicated than we let on here.)
The last axiom is an explicit definition of <.

Example 17.7. The theory of pure sets plays an important role in the founda-
tions (and in the philosophy) of mathematics. A set is pure if all its elements
are also pure sets. The empty set counts therefore as pure, but a set that has
something as an element that is not a set would not be pure. So the pure sets
are those that are formed just from the empty set and no “urelements,” i.e.,
objects that are not themselves sets.
The following might be considered as an axiom system for a theory of pure
sets:
∃ x ¬∃y y ∈ x
∀ x ∀y (∀z(z ∈ x ↔ z ∈ y) → x = y)
∀ x ∀y ∃z ∀u (u ∈ z ↔ (u = x ∨ u = y))
∀ x ∃y ∀z (z ∈ y ↔ ∃u (z ∈ u ∧ u ∈ x ))

Release : d3a1905 (2022-12-19) 241

 CHAPTER 17. THEORIES AND THEIR MODELS

plus all sentences of the form

∃ x ∀y (y ∈ x ↔ φ(y))

The first axiom says that there is a set with no elements (i.e., ∅ exists); the
second says that sets are extensional; the third that for any sets X and Y, the
set { X, Y } exists; the fourth that for any set X, the set ∪ X exists, where ∪ X is
the union of all the elements of X.
The sentences mentioned last are collectively called the naive comprehension
scheme. It essentially says that for every φ( x ), the set { x : φ( x )} exists—so
at first glance a true, useful, and perhaps even necessary axiom. It is called
“naive” because, as it turns out, it makes this theory unsatisfiable: if you take
φ(y) to be ¬y ∈ y, you get the sentence

∃ x ∀y (y ∈ x ↔ ¬y ∈ y)

and this sentence is not satisfied in any structure.

Example 17.8. In the area of mereology, the relation of parthood is a fundamen-

tal relation. Just like theories of sets, there are theories of parthood that ax-
iomatize various conceptions (sometimes conflicting) of this relation.
The language of mereology contains a single two-place predicate sym-
bol P , and P ( x, y) “means” that x is a part of y. When we have this inter-
pretation in mind, a structure for this language is called a parthood structure.
Of course, not every structure for a single two-place predicate will really de-
serve this name. To have a chance of capturing “parthood,” P M must satisfy
some conditions, which we can lay down as axioms for a theory of parthood.
For instance, parthood is a partial order on objects: every object is a part (al-
beit an improper part) of itself; no two different objects can be parts of each
other; a part of a part of an object is itself part of that object. Note that in this
sense “is a part of” resembles “is a subset of,” but does not resemble “is an
element of” which is neither reflexive nor transitive.

∀ x P ( x, x )
∀ x ∀y ((P ( x, y) ∧ P (y, x )) → x = y)
∀ x ∀y ∀z ((P ( x, y) ∧ P (y, z)) → P ( x, z))

Moreover, any two objects have a mereological sum (an object that has these
two objects as parts, and is minimal in this respect).

∀ x ∀y ∃z ∀u (P (z, u) ↔ (P ( x, u) ∧ P (y, u)))

These are only some of the basic principles of parthood considered by meta-
physicians. Further principles, however, quickly become hard to formulate or
write down without first introducing some defined relations. For instance,

242 Release : d3a1905 (2022-12-19)

17.4. EXPRESSING RELATIONS IN A STRUCTURE

most metaphysicians interested in mereology also view the following as a

valid principle: whenever an object x has a proper part y, it also has a part z
that has no parts in common with y, and so that the fusion of y and z is x.

17.4 Expressing Relations in a Structure

One main use formulas can be put to is to express properties and relations in
a structure M in terms of the primitives of the language L of M. By this we
mean the following: the domain of M is a set of objects. The constant symbols,
function symbols, and predicate symbols are interpreted in M by some objects
in|M|, functions on |M|, and relations on |M|. For instance, if A20 is in L, then
M
M assigns to it a relation R = A20 . Then the formula A20 (v1 , v2 ) expresses that
very relation, in the following sense: if a variable assignment s maps v1 to
a ∈ |M| and v2 to b ∈ |M|, then

Rab iff M, s ⊨ A20 (v1 , v2 ).

Note that we have to involve variable assignments here: we can’t just say “Rab
iff M ⊨ A20 ( a, b)” because a and b are not symbols of our language: they are
elements of |M|.
Since we don’t just have atomic formulas, but can combine them using
the logical connectives and the quantifiers, more complex formulas can define
other relations which aren’t directly built into M. We’re interested in how to
do that, and specifically, which relations we can define in a structure.

Definition 17.9. Let φ(v1 , . . . , vn ) be a formula of L in which only v1 ,. . . , vn

occur free, and let M be a structure for L. φ(v1 , . . . , vn ) expresses the relation R ⊆
|M|n iff
Ra1 . . . an iff M, s ⊨ φ(v1 , . . . , vn )
for any variable assignment s with s(vi ) = ai (i = 1, . . . , n).

Example 17.10. In the standard model of arithmetic N, the formula v1 < v2 ∨

v1 = v2 expresses the ≤ relation on N. The formula v2 = v1′ expresses the suc-
cessor relation, i.e., the relation R ⊆ N2 where Rnm holds if m is the successor
of n. The formula v1 = v2′ expresses the predecessor relation. The formulas
∃v3 (v3 ̸= 0 ∧ v2 = (v1 + v3 )) and ∃v3 (v1 + v3 ′ ) = v2 both express the < re-
lation. This means that the predicate symbol < is actually superfluous in the
language of arithmetic; it can be defined.

This idea is not just interesting in specific structures, but generally when-
ever we use a language to describe an intended model or models, i.e., when
we consider theories. These theories often only contain a few predicate sym-
bols as basic symbols, but in the domain they are used to describe often many

Release : d3a1905 (2022-12-19) 243

 CHAPTER 17. THEORIES AND THEIR MODELS

other relations play an important role. If these other relations can be system-
atically expressed by the relations that interpret the basic predicate symbols
of the language, we say we can define them in the language.

17.5 The Theory of Sets

Almost all of mathematics can be developed in the theory of sets. Developing
mathematics in this theory involves a number of things. First, it requires a set
of axioms for the relation ∈. A number of different axiom systems have been
developed, sometimes with conflicting properties of ∈. The axiom system
known as ZFC, Zermelo-Fraenkel set theory with the axiom of choice stands
out: it is by far the most widely used and studied, because it turns out that its
axioms suffice to prove almost all the things mathematicians expect to be able
to prove. But before that can be established, it first is necessary to make clear
how we can even express all the things mathematicians would like to express.
For starters, the language contains no constant symbols or function symbols,
so it seems at first glance unclear that we can talk about particular sets (such as
∅ or N), can talk about operations on sets (such as X ∪ Y and ℘( X )), let alone
other constructions which involve things other than sets, such as relations and
functions.
To begin with, “is an element of” is not the only relation we are interested
in: “is a subset of” seems almost as important. But we can define “is a subset
of” in terms of “is an element of.” To do this, we have to find a formula φ( x, y)
in the language of set theory which is satisfied by a pair of sets ⟨ X, Y ⟩ iff X ⊆
Y. But X is a subset of Y just in case all elements of X are also elements of Y.
So we can define ⊆ by the formula

∀z (z ∈ x → z ∈ y)

Now, whenever we want to use the relation ⊆ in a formula, we could instead

use that formula (with x and y suitably replaced, and the bound variable z
renamed if necessary). For instance, extensionality of sets means that if any
sets x and y are contained in each other, then x and y must be the same set.
This can be expressed by ∀ x ∀y (( x ⊆ y ∧ y ⊆ x ) → x = y), or, if we replace ⊆
by the above definition, by

∀ x ∀y ((∀z (z ∈ x → z ∈ y) ∧ ∀z (z ∈ y → z ∈ x )) → x = y).

This is in fact one of the axioms of ZFC, the “axiom of extensionality.”

There is no constant symbol for ∅, but we can express “x is empty” by
¬∃y y ∈ x. Then “∅ exists” becomes the sentence ∃ x ¬∃y y ∈ x. This is an-
other axiom of ZFC. (Note that the axiom of extensionality implies that there
is only one empty set.) Whenever we want to talk about ∅ in the language of
set theory, we would write this as “there is a set that’s empty and . . . ” As an

244 Release : d3a1905 (2022-12-19)

17.5. THE THEORY OF SETS

example, to express the fact that ∅ is a subset of every set, we could write

∃ x (¬∃y y ∈ x ∧ ∀z x ⊆ z)

where, of course, x ⊆ z would in turn have to be replaced by its definition.

To talk about operations on sets, such as X ∪ Y and ℘( X ), we have to use a
similar trick. There are no function symbols in the language of set theory, but
we can express the functional relations X ∪ Y = Z and ℘( X ) = Y by

∀u ((u ∈ x ∨ u ∈ y) ↔ u ∈ z)
∀u (u ⊆ x ↔ u ∈ y)

since the elements of X ∪ Y are exactly the sets that are either elements of X or
elements of Y, and the elements of ℘( X ) are exactly the subsets of X. However,
this doesn’t allow us to use x ∪ y or ℘( x ) as if they were terms: we can only
use the entire formulas that define the relations X ∪ Y = Z and ℘( X ) = Y.
In fact, we do not know that these relations are ever satisfied, i.e., we do not
know that unions and power sets always exist. For instance, the sentence
∀ x ∃y ℘( x ) = y is another axiom of ZFC (the power set axiom).
Now what about talk of ordered pairs or functions? Here we have to ex-
plain how we can think of ordered pairs and functions as special kinds of sets.
One way to define the ordered pair ⟨ x, y⟩ is as the set {{ x }, { x, y}}. But like
before, we cannot introduce a function symbol that names this set; we can
only define the relation ⟨ x, y⟩ = z, i.e., {{ x }, { x, y}} = z:

∀u (u ∈ z ↔ (∀v (v ∈ u ↔ v = x ) ∨ ∀v (v ∈ u ↔ (v = x ∨ v = y))))

This says that the elements u of z are exactly those sets which either have x
as its only element or have x and y as its only elements (in other words, those
sets that are either identical to { x } or identical to { x, y}). Once we have this,
we can say further things, e.g., that X × Y = Z:

∀z (z ∈ Z ↔ ∃ x ∃y ( x ∈ X ∧ y ∈ Y ∧ ⟨ x, y⟩ = z))

A function f : X → Y can be thought of as the relation f ( x ) = y, i.e., as

the set of pairs {⟨ x, y⟩ : f ( x ) = y}. We can then say that a set f is a function
from X to Y if (a) it is a relation ⊆ X × Y, (b) it is total, i.e., for all x ∈ X
there is some y ∈ Y such that ⟨ x, y⟩ ∈ f and (c) it is functional, i.e., whenever
⟨ x, y⟩, ⟨ x, y′ ⟩ ∈ f , y = y′ (because values of functions must be unique). So “ f
is a function from X to Y” can be written as:

∀u (u ∈ f → ∃ x ∃y ( x ∈ X ∧ y ∈ Y ∧ ⟨ x, y⟩ = u)) ∧
∀ x ( x ∈ X → (∃y (y ∈ Y ∧ maps( f , x, y)) ∧
(∀y ∀y′ ((maps( f , x, y) ∧ maps( f , x, y′ )) → y = y′ )))

Release : d3a1905 (2022-12-19) 245

 CHAPTER 17. THEORIES AND THEIR MODELS

where maps( f , x, y) abbreviates ∃v (v ∈ f ∧ ⟨ x, y⟩ = v) (this formula ex-

presses “ f ( x ) = y”).
It is now also not hard to express that f : X → Y is injective, for instance:

f : X → Y ∧ ∀ x ∀ x ′ (( x ∈ X ∧ x ′ ∈ X ∧
∃y (maps( f , x, y) ∧ maps( f , x ′ , y))) → x = x ′ )
A function f : X → Y is injective iff, whenever f maps x, x ′ ∈ X to a single y,
x = x ′ . If we abbreviate this formula as inj( f , X, Y ), we’re already in a position
to state in the language of set theory something as non-trivial as Cantor’s
theorem: there is no injective function from ℘( X ) to X:
∀ X ∀Y (℘( X ) = Y → ¬∃ f inj( f , Y, X ))
One might think that set theory requires another axiom that guarantees
the existence of a set for every defining property. If φ( x ) is a formula of set
theory with the variable x free, we can consider the sentence
∃y ∀ x ( x ∈ y ↔ φ( x )).
This sentence states that there is a set y whose elements are all and only those
x that satisfy φ( x ). This schema is called the “comprehension principle.” It
looks very useful; unfortunately it is inconsistent. Take φ( x ) ≡ ¬ x ∈ x, then
the comprehension principle states
∃y ∀ x ( x ∈ y ↔ x ∈
/ x ),
i.e., it states the existence of a set of all sets that are not elements of them-
selves. No such set can exist—this is Russell’s Paradox. ZFC, in fact, contains
a restricted—and consistent—version of this principle, the separation princi-
ple:
∀z ∃y ∀ x ( x ∈ y ↔ ( x ∈ z ∧ φ( x )).

17.6 Expressing the Size of Structures

There are some properties of structures we can express even without using
the non-logical symbols of a language. For instance, there are sentences which
are true in a structure iff the domain of the structure has at least, at most, or
exactly a certain number n of elements.
Proposition 17.11. The sentence

φ ≥ n ≡ ∃ x1 ∃ x2 . . . ∃ x n
( x1 ̸ = x2 ∧ x1 ̸ = x3 ∧ x1 ̸ = x4 ∧ · · · ∧ x1 ̸ = x n ∧
x2 ̸ = x3 ∧ x2 ̸ = x4 ∧ · · · ∧ x2 ̸ = x n ∧
..
.
x n −1 ̸ = x n )

246 Release : d3a1905 (2022-12-19)

17.6. EXPRESSING THE SIZE OF STRUCTURES

is true in a structure M iff |M| contains at least n elements. Consequently, M ⊨

¬ φ≥n+1 iff |M| contains at most n elements.

Proposition 17.12. The sentence

φ = n ≡ ∃ x1 ∃ x2 . . . ∃ x n
( x1 ̸ = x2 ∧ x1 ̸ = x3 ∧ x1 ̸ = x4 ∧ · · · ∧ x1 ̸ = x n ∧
x2 ̸ = x3 ∧ x2 ̸ = x4 ∧ · · · ∧ x2 ̸ = x n ∧
..
.
x n −1 ̸ = x n ∧
∀y (y = x1 ∨ · · · ∨ y = xn ))

is true in a structure M iff |M| contains exactly n elements.

Proposition 17.13. A structure is infinite iff it is a model of

{ φ ≥1 , φ ≥2 , φ ≥3 , . . . } .

There is no single purely logical sentence which is true in M iff |M| is

infinite. However, one can give sentences with non-logical predicate symbols
which only have infinite models (although not every infinite structure is a
model of them). The property of being a finite structure, and the property of
being a non-enumerable structure cannot even be expressed with an infinite
set of sentences. These facts follow from the compactness and Löwenheim-
Skolem theorems.

Problems
Problem 17.1. Find formulas in L A which define the following relations:

1. n is between i and j;

2. n evenly divides m (i.e., m is a multiple of n);

3. n is a prime number (i.e., no number other than 1 and n evenly di-

vides n).

Problem 17.2. Suppose the formula φ(v1 , v2 ) expresses the relation R ⊆ |M|2
in a structure M. Find formulas that express the following relations:

1. the inverse R−1 of R;

2. the relative product R | R;

Can you find a way to express R+ , the transitive closure of R?

Release : d3a1905 (2022-12-19) 247

 CHAPTER 17. THEORIES AND THEIR MODELS

Problem 17.3. Let L be the language containing a 2-place predicate symbol

< only (no other constant symbols, function symbols or predicate symbols—
except of course =). Let N be the structure such that |N| = N, and <N =
{⟨n, m⟩ : n < m}. Prove the following:
1. {0} is definable in N;

2. {1} is definable in N;

3. {2} is definable in N;

4. for each n ∈ N, the set {n} is definable in N;

5. every finite subset of |N| is definable in N;

6. every co-finite subset of |N| is definable in N (where X ⊆ N is co-finite

iff N \ X is finite).

Problem 17.4. Show that the comprehension principle is inconsistent by giv-

ing a derivation that shows

∃y ∀ x ( x ∈ y ↔ x ∈
/ x ) ⊢ ⊥.

It may help to first show ( A → ¬ A) ∧ (¬ A → A) ⊢ ⊥.

248 Release : d3a1905 (2022-12-19)

Chapter 18

Derivation Systems

This chapter collects general material on derivation systems. A text-

book using a specific system can insert the introduction section plus the
relevant survey section at the beginning of the chapter introducing that
system.

18.1 Introduction
Logics commonly have both a semantics and a derivation system. The seman-
tics concerns concepts such as truth, satisfiability, validity, and entailment.
The purpose of derivation systems is to provide a purely syntactic method
of establishing entailment and validity. They are purely syntactic in the sense
that a derivation in such a system is a finite syntactic object, usually a sequence
(or other finite arrangement) of sentences or formulas. Good derivation sys-
tems have the property that any given sequence or arrangement of sentences
or formulas can be verified mechanically to be “correct.”
The simplest (and historically first) derivation systems for first-order logic
were axiomatic. A sequence of formulas counts as a derivation in such a sys-
tem if each individual formula in it is either among a fixed set of “axioms”
or follows from formulas coming before it in the sequence by one of a fixed
number of “inference rules”—and it can be mechanically verified if a formula
is an axiom and whether it follows correctly from other formulas by one of the
inference rules. Axiomatic derivation systems are easy to describe—and also
easy to handle meta-theoretically—but derivations in them are hard to read
and understand, and are also hard to produce.
Other derivation systems have been developed with the aim of making it
easier to construct derivations or easier to understand derivations once they
are complete. Examples are natural deduction, truth trees, also known as
tableaux proofs, and the sequent calculus. Some derivation systems are de-

249
 CHAPTER 18. DERIVATION SYSTEMS

signed especially with mechanization in mind, e.g., the resolution method is

easy to implement in software (but its derivations are essentially impossible
to understand). Most of these other derivation systems represent derivations
as trees of formulas rather than sequences. This makes it easier to see which
parts of a derivation depend on which other parts.
So for a given logic, such as first-order logic, the different derivation sys-
tems will give different explications of what it is for a sentence to be a theorem
and what it means for a sentence to be derivable from some others. However
that is done (via axiomatic derivations, natural deductions, sequent deriva-
tions, truth trees, resolution refutations), we want these relations to match the
semantic notions of validity and entailment. Let’s write ⊢ φ for “φ is a the-
orem” and “Γ ⊢ φ” for “φ is derivable from Γ.” However ⊢ is defined, we
want it to match up with ⊨, that is:

1. ⊢ φ if and only if ⊨ φ

2. Γ ⊢ φ if and only if Γ ⊨ φ

The “only if” direction of the above is called soundness. A derivation system is
sound if derivability guarantees entailment (or validity). Every decent deriva-
tion system has to be sound; unsound derivation systems are not useful at all.
After all, the entire purpose of a derivation is to provide a syntactic guarantee
of validity or entailment. We’ll prove soundness for the derivation systems
we present.
The converse “if” direction is also important: it is called completeness. A
complete derivation system is strong enough to show that φ is a theorem
whenever φ is valid, and that Γ ⊢ φ whenever Γ ⊨ φ. Completeness is harder
to establish, and some logics have no complete derivation systems. First-order
logic does. Kurt Gödel was the first one to prove completeness for a derivation
system of first-order logic in his 1929 dissertation.
Another concept that is connected to derivation systems is that of consis-
tency. A set of sentences is called inconsistent if anything whatsoever can be
derived from it, and consistent otherwise. Inconsistency is the syntactic coun-
terpart to unsatisfiablity: like unsatisfiable sets, inconsistent sets of sentences
do not make good theories, they are defective in a fundamental way. Con-
sistent sets of sentences may not be true or useful, but at least they pass that
minimal threshold of logical usefulness. For different derivation systems the
specific definition of consistency of sets of sentences might differ, but like ⊢,
we want consistency to coincide with its semantic counterpart, satisfiability.
We want it to always be the case that Γ is consistent if and only if it is satis-
fiable. Here, the “if” direction amounts to completeness (consistency guaran-
tees satisfiability), and the “only if” direction amounts to soundness (satisfi-
ability guarantees consistency). In fact, for classical first-order logic, the two
versions of soundness and completeness are equivalent.

250 Release : d3a1905 (2022-12-19)

18.2. THE SEQUENT CALCULUS

18.2 The Sequent Calculus

While many derivation systems operate with arrangements of sentences, the
sequent calculus operates with sequents. A sequent is an expression of the
form
φ1 , . . . , φm ⇒ ψ1 , . . . , ψm ,

that is a pair of sequences of sentences, separated by the sequent symbol ⇒.

Either sequence may be empty. A derivation in the sequent calculus is a tree
of sequents, where the topmost sequents are of a special form (they are called
“initial sequents” or “axioms”) and every other sequent follows from the se-
quents immediately above it by one of the rules of inference. The rules of
inference either manipulate the sentences in the sequents (adding, removing,
or rearranging them on either the left or the right), or they introduce a com-
plex formula in the conclusion of the rule. For instance, the ∧L rule allows the
inference from φ, Γ ⇒ ∆ to φ ∧ ψ, Γ ⇒ ∆, and the →R allows the inference
from φ, Γ ⇒ ∆, ψ to Γ ⇒ ∆, φ → ψ, for any Γ, ∆, φ, and ψ. (In particular, Γ
and ∆ may be empty.)
The ⊢ relation based on the sequent calculus is defined as follows: Γ ⊢ φ
iff there is some sequence Γ0 such that every φ in Γ0 is in Γ and there is a
derivation with the sequent Γ0 ⇒ φ at its root. φ is a theorem in the sequent
calculus if the sequent ⇒ φ has a derivation. For instance, here is a derivation
that shows that ⊢ ( φ ∧ ψ) → φ:

φ ⇒ φ
φ∧ψ ⇒ φ
∧L
→R
⇒ ( φ ∧ ψ) → φ

A set Γ is inconsistent in the sequent calculus if there is a derivation of

Γ0 ⇒ (where every φ ∈ Γ0 is in Γ and the right side of the sequent is empty).
Using the rule WR, any sentence can be derived from an inconsistent set.
The sequent calculus was invented in the 1930s by Gerhard Gentzen. Be-
cause of its systematic and symmetric design, it is a very useful formalism for
developing a theory of derivations. It is relatively easy to find derivations in
the sequent calculus, but these derivations are often hard to read and their
connection to proofs are sometimes not easy to see. It has proved to be a very
elegant approach to derivation systems, however, and many logics have se-
quent calculus systems.

18.3 Natural Deduction

Natural deduction is a derivation system intended to mirror actual reasoning
(especially the kind of regimented reasoning employed by mathematicians).
Actual reasoning proceeds by a number of “natural” patterns. For instance,

Release : d3a1905 (2022-12-19) 251

 CHAPTER 18. DERIVATION SYSTEMS

proof by cases allows us to establish a conclusion on the basis of a disjunc-

tive premise, by establishing that the conclusion follows from either of the
disjuncts. Indirect proof allows us to establish a conclusion by showing that
its negation leads to a contradiction. Conditional proof establishes a condi-
tional claim “if . . . then . . . ” by showing that the consequent follows from
the antecedent. Natural deduction is a formalization of some of these nat-
ural inferences. Each of the logical connectives and quantifiers comes with
two rules, an introduction and an elimination rule, and they each correspond
to one such natural inference pattern. For instance, →Intro corresponds to
conditional proof, and ∨Elim to proof by cases. A particularly simple rule is
∧Elim which allows the inference from φ ∧ ψ to φ (or ψ).
One feature that distinguishes natural deduction from other derivation
systems is its use of assumptions. A derivation in natural deduction is a tree
of formulas. A single formula stands at the root of the tree of formulas, and
the “leaves” of the tree are formulas from which the conclusion is derived.
In natural deduction, some leaf formulas play a role inside the derivation but
are “used up” by the time the derivation reaches the conclusion. This corre-
sponds to the practice, in actual reasoning, of introducing hypotheses which
only remain in effect for a short while. For instance, in a proof by cases, we
assume the truth of each of the disjuncts; in conditional proof, we assume the
truth of the antecedent; in indirect proof, we assume the truth of the nega-
tion of the conclusion. This way of introducing hypothetical assumptions
and then doing away with them in the service of establishing an intermedi-
ate step is a hallmark of natural deduction. The formulas at the leaves of a
natural deduction derivation are called assumptions, and some of the rules of
inference may “discharge” them. For instance, if we have a derivation of ψ
from some assumptions which include φ, then the →Intro rule allows us to
infer φ → ψ and discharge any assumption of the form φ. (To keep track of
which assumptions are discharged at which inferences, we label the inference
and the assumptions it discharges with a number.) The assumptions that re-
main undischarged at the end of the derivation are together sufficient for the
truth of the conclusion, and so a derivation establishes that its undischarged
assumptions entail its conclusion.
The relation Γ ⊢ φ based on natural deduction holds iff there is a deriva-
tion in which φ is the last sentence in the tree, and every leaf which is undis-
charged is in Γ. φ is a theorem in natural deduction iff there is a derivation in
which φ is the last sentence and all assumptions are discharged. For instance,
here is a derivation that shows that ⊢ ( φ ∧ ψ) → φ:

[ φ ∧ ψ ]1
φ ∧Elim
1 →Intro
( φ ∧ ψ) → φ

The label 1 indicates that the assumption φ ∧ ψ is discharged at the →Intro

252 Release : d3a1905 (2022-12-19)

18.4. TABLEAUX

inference.
A set Γ is inconsistent iff Γ ⊢ ⊥ in natural deduction. The rule ⊥ I makes
it so that from an inconsistent set, any sentence can be derived.
Natural deduction systems were developed by Gerhard Gentzen and Sta-
nisław Jaśkowski in the 1930s, and later developed by Dag Prawitz and Fred-
eric Fitch. Because its inferences mirror natural methods of proof, it is favored
by philosophers. The versions developed by Fitch are often used in introduc-
tory logic textbooks. In the philosophy of logic, the rules of natural deduc-
tion have sometimes been taken to give the meanings of the logical operators
(“proof-theoretic semantics”).

18.4 Tableaux

While many derivation systems operate with arrangements of sentences, tableaux

operate with signed formulas. A signed formula is a pair consisting of a truth
value sign (T or F) and a sentence

T φ or F φ.

A tableau consists of signed formulas arranged in a downward-branching

tree. It begins with a number of assumptions and continues with signed for-
mulas which result from one of the signed formulas above it by applying one
of the rules of inference. Each rule allows us to add one or more signed formu-
las to the end of a branch, or two signed formulas side by side—in this case a
branch splits into two, with the two added signed formulas forming the ends
of the two branches.
A rule applied to a complex signed formula results in the addition of
signed formulas which are immediate sub-formulas. They come in pairs, one
rule for each of the two signs. For instance, the ∧T rule applies to T φ ∧ ψ,
and allows the addition of both the two signed formulas T φ and Tψ to the
end of any branch containing T φ ∧ ψ, and the rule φ ∧ ψF allows a branch to
be split by adding F φ and F ψ side-by-side. A tableau is closed if every one
of its branches contains a matching pair of signed formulas T φ and F φ.
The ⊢ relation based on tableaux is defined as follows: Γ ⊢ φ iff there is
some finite set Γ0 = {ψ1 , . . . , ψn } ⊆ Γ such that there is a closed tableau for
the assumptions

{F φ, Tψ1 , . . . , Tψn }

For instance, here is a closed tableau that shows that ⊢ ( φ ∧ ψ) → φ:

Release : d3a1905 (2022-12-19) 253

 CHAPTER 18. DERIVATION SYSTEMS

1. F ( φ ∧ ψ) → φ Assumption
2. Tφ ∧ ψ →F 1
3. Fφ →F 1
4. Tφ →T 2
5. Tψ →T 2
⊗

A set Γ is inconsistent in the tableau calculus if there is a closed tableau for

assumptions
{Tψ1 , . . . , Tψn }
for some ψi ∈ Γ.
Tableaux were invented in the 1950s independently by Evert Beth and
Jaakko Hintikka, and simplified and popularized by Raymond Smullyan. They
are very easy to use, since constructing a tableau is a very systematic proce-
dure. Because of the systematic nature of tableaux, they also lend themselves
to implementation by computer. However, a tableau is often hard to read and
their connection to proofs are sometimes not easy to see. The approach is also
quite general, and many different logics have tableau systems. Tableaux also
help us to find structures that satisfy given (sets of) sentences: if the set is
satisfiable, it won’t have a closed tableau, i.e., any tableau will have an open
branch. The satisfying structure can be “read off” an open branch, provided
every rule it is possible to apply has been applied on that branch. There is also
a very close connection to the sequent calculus: essentially, a closed tableau is
a condensed derivation in the sequent calculus, written upside-down.

18.5 Axiomatic Derivations

Axiomatic derivations are the oldest and simplest logical derivation systems.
Its derivations are simply sequences of sentences. A sequence of sentences
counts as a correct derivation if every sentence φ in it satisfies one of the fol-
lowing conditions:

1. φ is an axiom, or

2. φ is an element of a given set Γ of sentences, or

3. φ is justified by a rule of inference.

To be an axiom, φ has to have the form of one of a number of fixed sentence

schemas. There are many sets of axiom schemas that provide a satisfactory
(sound and complete) derivation system for first-order logic. Some are orga-
nized according to the connectives they govern, e.g., the schemas

φ → (ψ → φ) ψ → (ψ ∨ χ) (ψ ∧ χ) → ψ

254 Release : d3a1905 (2022-12-19)

18.5. AXIOMATIC DERIVATIONS

are common axioms that govern →, ∨ and ∧. Some axiom systems aim at a
minimal number of axioms. Depending on the connectives that are taken as
primitives, it is even possible to find axiom systems that consist of a single
axiom.
A rule of inference is a conditional statement that gives a sufficient condi-
tion for a sentence in a derivation to be justified. Modus ponens is one very
common such rule: it says that if φ and φ → ψ are already justified, then ψ is
justified. This means that a line in a derivation containing the sentence ψ is
justified, provided that both φ and φ → ψ (for some sentence φ) appear in the
derivation before ψ.
The ⊢ relation based on axiomatic derivations is defined as follows: Γ ⊢ φ
iff there is a derivation with the sentence φ as its last formula (and Γ is taken
as the set of sentences in that derivation which are justified by (2) above). φ
is a theorem if φ has a derivation where Γ is empty, i.e., every sentence in the
derivation is justfied either by (1) or (3). For instance, here is a derivation that
shows that ⊢ φ → (ψ → (ψ ∨ φ)):

1. ψ → (ψ ∨ φ)
2. (ψ → (ψ ∨ φ)) → ( φ → (ψ → (ψ ∨ φ)))
3. φ → (ψ → (ψ ∨ φ))

The sentence on line 1 is of the form of the axiom φ → ( φ ∨ ψ) (with the roles
of φ and ψ reversed). The sentence on line 2 is of the form of the axiom φ →
(ψ → φ). Thus, both lines are justified. Line 3 is justified by modus ponens: if
we abbreviate it as θ, then line 2 has the form χ → θ, where χ is ψ → (ψ ∨ φ),
i.e., line 1.
A set Γ is inconsistent if Γ ⊢ ⊥. A complete axiom system will also prove
that ⊥ → φ for any φ, and so if Γ is inconsistent, then Γ ⊢ φ for any φ.
Systems of axiomatic derivations for logic were first given by Gottlob Frege
in his 1879 Begriffsschrift, which for this reason is often considered the first
work of modern logic. They were perfected in Alfred North Whitehead and
Bertrand Russell’s Principia Mathematica and by David Hilbert and his stu-
dents in the 1920s. They are thus often called “Frege systems” or “Hilbert
systems.” They are very versatile in that it is often easy to find an axiomatic
system for a logic. Because derivations have a very simple structure and only
one or two inference rules, it is also relatively easy to prove things about them.
However, they are very hard to use in practice, i.e., it is difficult to find and
write proofs.

Release : d3a1905 (2022-12-19) 255

Chapter 19

The Sequent Calculus

This chapter presents Gentzen’s standard sequent calculus LK for clas-

sical first-order logic. It could use more examples and exercises. To in-
clude or exclude material relevant to the sequent calculus as a proof sys-
tem, use the “prfLK” tag.

19.1 Rules and Derivations

For the following, let Γ, ∆, Π, Λ represent finite sequences of sentences.

Definition 19.1 (Sequent). A sequent is an expression of the form

Γ⇒∆

where Γ and ∆ are finite (possibly empty) sequences of sentences of the lan-
guage L. Γ is called the antecedent, while ∆ is the succedent.

The intuitive idea behind a sequent is: if all of the sentences in the an-
tecedent hold, then at least one of the sentences in the succedent holds. That
is, if Γ = ⟨ φ1 , . . . , φm ⟩ and ∆ = ⟨ψ1 , . . . , ψn ⟩, then Γ ⇒ ∆ holds iff

( φ1 ∧ · · · ∧ φm ) → (ψ1 ∨ · · · ∨ ψn )

holds. There are two special cases: where Γ is empty and when ∆ is empty.
When Γ is empty, i.e., m = 0, ⇒ ∆ holds iff ψ1 ∨ · · · ∨ ψn holds. When ∆ is
empty, i.e., n = 0, Γ ⇒ holds iff ¬( φ1 ∧ · · · ∧ φm ) does. We say a sequent is
valid iff the corresponding sentence is valid.
If Γ is a sequence of sentences, we write Γ, φ for the result of appending
φ to the right end of Γ (and φ, Γ for the result of appending φ to the left end
of Γ). If ∆ is a sequence of sentences also, then Γ, ∆ is the concatenation of the
two sequences.

256
19.2. PROPOSITIONAL RULES

Definition 19.2 (Initial Sequent). An initial sequent is a sequent of one of the

following forms:

1. φ ⇒ φ

2. ⊥ ⇒

for any sentence φ in the language.

Derivations in the sequent calculus are certain trees of sequents, where

the topmost sequents are initial sequents, and if a sequent stands below one
or two other sequents, it must follow correctly by a rule of inference. The
rules for LK are divided into two main types: logical rules and structural rules.
The logical rules are named for the main operator of the sentence containing
φ and/or ψ in the lower sequent. Each one comes in two versions, one for
inferring a sequent with the sentence containing the logical operator on the
left, and one with the sentence on the right.

19.2 Propositional Rules

Rules for ¬

Γ ⇒ ∆, φ φ, Γ ⇒ ∆
¬L ¬R
¬ φ, Γ ⇒ ∆ Γ ⇒ ∆, ¬ φ

Rules for ∧

φ, Γ ⇒ ∆
∧L
φ ∧ ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ ∧ ψ
∧L
φ ∧ ψ, Γ ⇒ ∆

Rules for ∨

Γ ⇒ ∆, φ
∨R
φ, Γ ⇒ ∆ ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ ∨ ψ
∨L
φ ∨ ψ, Γ ⇒ ∆ Γ ⇒ ∆, ψ
∨R
Γ ⇒ ∆, φ ∨ ψ

Release : d3a1905 (2022-12-19) 257

 CHAPTER 19. THE SEQUENT CALCULUS

Rules for →

Γ ⇒ ∆, φ ψ, Π ⇒ Λ φ, Γ ⇒ ∆, ψ
→L →R
φ → ψ, Γ, Π ⇒ ∆, Λ Γ ⇒ ∆, φ → ψ

19.3 Quantifier Rules

Rules for ∀

φ ( t ), Γ ⇒ ∆ Γ ⇒ ∆, φ( a)
∀L ∀R
∀ x φ ( x ), Γ ⇒ ∆ Γ ⇒ ∆, ∀ x φ( x )

In ∀L, t is a closed term (i.e., one without variables). In ∀R, a is a constant

symbol which must not occur anywhere in the lower sequent of the ∀R rule.
We call a the eigenvariable of the ∀R inference.1

Rules for ∃

φ ( a ), Γ ⇒ ∆ Γ ⇒ ∆, φ(t)
∃L ∃R
∃ x φ ( x ), Γ ⇒ ∆ Γ ⇒ ∆, ∃ x φ( x )

Again, t is a closed term, and a is a constant symbol which does not occur in
the lower sequent of the ∃L rule. We call a the eigenvariable of the ∃L inference.
The condition that an eigenvariable not occur in the lower sequent of the
∀R or ∃L inference is called the eigenvariable condition.
Recall the convention that when φ is a formula with the variable x free, we
indicate this by writing φ( x ). In the same context, φ(t) then is short for φ[t/x ].
So we could also write the ∃R rule as:
Γ ⇒ ∆, φ[t/x ]
∃R
Γ ⇒ ∆, ∃ x φ

Note that t may already occur in φ, e.g., φ might be P (t, x ). Thus, inferring
Γ ⇒ ∆, ∃ x P (t, x ) from Γ ⇒ ∆, P (t, t) is a correct application of ∃R—you
may “replace” one or more, and not necessarily all, occurrences of t in the
premise by the bound variable x. However, the eigenvariable conditions in
1 We use the term “eigenvariable” even though a in the above rule is a constant symbol. This

has historical reasons.

258 Release : d3a1905 (2022-12-19)

19.4. STRUCTURAL RULES

∀R and ∃L require that the constant symbol a does not occur in φ. So, you
cannot correctly infer Γ ⇒ ∆, ∀ x P ( a, x ) from Γ ⇒ ∆, P ( a, a) using ∀R.
In ∃R and ∀L there are no restrictions on the term t. On the other hand,
in the ∃L and ∀R rules, the eigenvariable condition requires that the constant
symbol a does not occur anywhere outside of φ( a) in the upper sequent. It is
necessary to ensure that the system is sound, i.e., only derives sequents that
are valid. Without this condition, the following would be allowed:

φ( a) ⇒ φ( a) φ( a) ⇒ φ( a)
*∃L *∀R
∃ x φ( x ) ⇒ φ( a) φ( a) ⇒ ∀ x φ( x )
∀R ∃L
∃ x φ( x ) ⇒ ∀ x φ( x ) ∃ x φ( x ) ⇒ ∀ x φ( x )

However, ∃ x φ( x ) ⇒ ∀ x φ( x ) is not valid.

19.4 Structural Rules

We also need a few rules that allow us to rearrange sentences in the left and
right side of a sequent. Since the logical rules require that the sentences in the
premise which the rule acts upon stand either to the far left or to the far right,
we need an “exchange” rule that allows us to move sentences to the right
position. It’s also important sometimes to be able to combine two identical
sentences into one, and to add a sentence on either side.

Weakening

Γ ⇒ ∆ Γ ⇒ ∆
WL WR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

Contraction

φ, φ, Γ ⇒ ∆ Γ ⇒ ∆, φ, φ
CL CR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

Exchange

Γ, φ, ψ, Π ⇒ ∆ Γ ⇒ ∆, φ, ψ, Λ
XL XR
Γ, ψ, φ, Π ⇒ ∆ Γ ⇒ ∆, ψ, φ, Λ

Release : d3a1905 (2022-12-19) 259

 CHAPTER 19. THE SEQUENT CALCULUS

A series of weakening, contraction, and exchange inferences will often be in-

dicated by double inference lines.
The following rule, called “cut,” is not strictly speaking necessary, but
makes it a lot easier to reuse and combine derivations.

Γ ⇒ ∆, φ φ, Π ⇒ Λ
Cut
Γ, Π ⇒ ∆, Λ

19.5 Derivations
We’ve said what an initial sequent looks like, and we’ve given the rules of
inference. Derivations in the sequent calculus are inductively generated from
these: each derivation either is an initial sequent on its own, or consists of one
or two derivations followed by an inference.

Definition 19.3 (LK derivation). An LK-derivation of a sequent S is a finite

tree of sequents satisfying the following conditions:

1. The topmost sequents of the tree are initial sequents.

2. The bottommost sequent of the tree is S.

3. Every sequent in the tree except S is a premise of a correct application of

an inference rule whose conclusion stands directly below that sequent
in the tree.

We then say that S is the end-sequent of the derivation and that S is derivable in
LK (or LK-derivable).

Example 19.4. Every initial sequent, e.g., χ ⇒ χ is a derivation. We can obtain

a new derivation from this by applying, say, the WL rule,
Γ ⇒ ∆
WL
φ, Γ ⇒ ∆

The rule, however, is meant to be general: we can replace the φ in the rule
with any sentence, e.g., also with θ. If the premise matches our initial sequent
χ ⇒ χ, that means that both Γ and ∆ are just χ, and the conclusion would
then be θ, χ ⇒ χ. So, the following is a derivation:
χ ⇒ χ
WL
θ, χ ⇒ χ

We can now apply another rule, say XL, which allows us to switch two sen-
tences on the left. So, the following is also a correct derivation:

260 Release : d3a1905 (2022-12-19)

19.6. EXAMPLES OF DERIVATIONS

χ ⇒ χ
WL
θ, χ ⇒ χ
XL
χ, θ ⇒ χ

In this application of the rule, which was given as

Γ, φ, ψ, Π ⇒ ∆
XL
Γ, ψ, φ, Π ⇒ ∆,

both Γ and Π were empty, ∆ is χ, and the roles of φ and ψ are played by θ
and χ, respectively. In much the same way, we also see that

θ ⇒ θ
WL
χ, θ ⇒ θ

is a derivation. Now we can take these two derivations, and combine them
using ∧R. That rule was

Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
Γ ⇒ ∆, φ ∧ ψ

In our case, the premises must match the last sequents of the derivations end-
ing in the premises. That means that Γ is χ, θ, ∆ is empty, φ is χ and ψ is θ. So
the conclusion, if the inference should be correct, is χ, θ ⇒ χ ∧ θ.
χ ⇒ χ
WL
θ, χ ⇒ χ θ ⇒ θ
XL WL
χ, θ ⇒ χ χ, θ ⇒ θ
∧R
χ, θ ⇒ χ ∧ θ

Of course, we can also reverse the premises, then φ would be θ and ψ would
be χ.
χ ⇒ χ
WL
θ ⇒ θ θ, χ ⇒ χ
WL XL
χ, θ ⇒ θ χ, θ ⇒ χ
∧R
χ, θ ⇒ θ ∧ χ

19.6 Examples of Derivations

Example 19.5. Give an LK-derivation for the sequent φ ∧ ψ ⇒ φ.
We begin by writing the desired end-sequent at the bottom of the deriva-
tion.

φ∧ψ ⇒ φ

Release : d3a1905 (2022-12-19) 261

 CHAPTER 19. THE SEQUENT CALCULUS

Next, we need to figure out what kind of inference could have a lower sequent
of this form. This could be a structural rule, but it is a good idea to start by
looking for a logical rule. The only logical connective occurring in the lower
sequent is ∧, so we’re looking for an ∧ rule, and since the ∧ symbol occurs in
the antecedent, we’re looking at the ∧L rule.

φ∧ψ ⇒ φ
∧L

There are two options for what could have been the upper sequent of the ∧L
inference: we could have an upper sequent of φ ⇒ φ, or of ψ ⇒ φ. Clearly,
φ ⇒ φ is an initial sequent (which is a good thing), while ψ ⇒ φ is not
derivable in general. We fill in the upper sequent:
φ ⇒ φ
φ∧ψ ⇒ φ
∧L

We now have a correct LK-derivation of the sequent φ ∧ ψ ⇒ φ.

Example 19.6. Give an LK-derivation for the sequent ¬ φ ∨ ψ ⇒ φ → ψ.

Begin by writing the desired end-sequent at the bottom of the derivation.

¬φ ∨ ψ ⇒ φ → ψ
To find a logical rule that could give us this end-sequent, we look at the log-
ical connectives in the end-sequent: ¬, ∨, and →. We only care at the mo-
ment about ∨ and → because they are main operators of sentences in the end-
sequent, while ¬ is inside the scope of another connective, so we will take care
of it later. Our options for logical rules for the final inference are therefore the
∨L rule and the →R rule. We could pick either rule, really, but let’s pick the
→R rule (if for no reason other than it allows us to put off splitting into two
branches). According to the form of →R inferences which can yield the lower
sequent, this must look like:

φ, ¬ φ ∨ ψ ⇒ ψ
¬ φ ∨ ψ ⇒ φ → ψ →R
If we move ¬ φ ∨ ψ to the outside of the antecedent, we can apply the ∨L
rule. According to the schema, this must split into two upper sequents as
follows:
¬ φ, φ ⇒ ψ ψ, φ ⇒ ψ
¬ φ ∨ ψ, φ ⇒ ψ ∨L
φ, ¬ φ ∨ ψ ⇒ ψ XR
¬φ ∨ ψ ⇒ φ → ψ →R
Remember that we are trying to wind our way up to initial sequents; we seem
to be pretty close! The right branch is just one weakening and one exchange
away from an initial sequent and then it is done:

262 Release : d3a1905 (2022-12-19)

19.6. EXAMPLES OF DERIVATIONS

ψ ⇒ ψ
WL
φ, ψ ⇒ ψ
XL
¬ φ, φ ⇒ ψ ψ, φ ⇒ ψ
¬ φ ∨ ψ, φ ⇒ ψ ∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬φ ∨ ψ ⇒ φ → ψ →R

Now looking at the left branch, the only logical connective in any sentence
is the ¬ symbol in the antecedent sentences, so we’re looking at an instance of
the ¬L rule.
ψ ⇒ ψ
WL
φ ⇒ ψ, φ φ, ψ ⇒ ψ
¬ φ, φ ⇒ ψ ¬ L
ψ, φ ⇒ ψ
XL
¬ φ ∨ ψ, φ ⇒ ψ ∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬ φ ∨ ψ ⇒ φ → ψ →R
Similarly to how we finished off the right branch, we are just one weakening
and one exchange away from finishing off this left branch as well.
φ ⇒ φ
φ ⇒ φ, ψ WR ψ ⇒ ψ
φ ⇒ ψ, φ XR φ, ψ ⇒ ψ
WL
¬ φ, φ ⇒ ψ ¬L ψ, φ ⇒ ψ
XL
¬ φ ∨ ψ, φ ⇒ ψ
∨L
XR
φ, ¬ φ ∨ ψ ⇒ ψ
¬φ ∨ ψ ⇒ φ→ψ
→R

Example 19.7. Give an LK-derivation of the sequent ¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Using the techniques from above, we start by writing the desired end-
sequent at the bottom.

¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)
The available main connectives of sentences in the end-sequent are the ∨ sym-
bol and the ¬ symbol. It would work to apply either the ∨L or the ¬R rule
here, but we start with the ¬R rule because it avoids splitting up into two
branches for a moment:
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)
Now we have a choice of whether to look at the ∧L or the ∨L rule. Let’s see
what happens when we apply the ∧L rule: we have a choice to start with
either the sequent φ, ¬ φ ∨ ψ ⇒ or the sequent ψ, ¬ φ ∨ ψ ⇒ . Since the
derivation is symmetric with regards to φ and ψ, let’s go with the former:

Release : d3a1905 (2022-12-19) 263

 CHAPTER 19. THE SEQUENT CALCULUS

φ, ¬ φ ∨ ¬ψ ⇒
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
∧L
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Continuing to fill in the derivation, we see that we run into a problem:

?
φ ⇒ φ φ ⇒ ψ
¬ φ, φ ⇒ ¬L ¬ψ, φ ⇒ ¬L
¬ φ ∨ ¬ψ, φ ⇒ ∨ L
φ, ¬ φ ∨ ¬ψ ⇒ XL
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒ ∧L
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

The top of the right branch cannot be reduced any further, and it cannot be
brought by way of structural inferences to an initial sequent, so this is not the
right path to take. So clearly, it was a mistake to apply the ∧L rule above.
Going back to what we had before and carrying out the ∨L rule instead, we
get

¬ φ, φ ∧ ψ ⇒ ¬ψ, φ ∧ ψ ⇒
¬ φ ∨ ¬ψ, φ ∧ ψ ⇒ ∨L
XL
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

Completing each branch as we’ve done before, we get

φ ⇒ φ ψ ⇒ ψ
φ∧ψ ⇒ φ
∧L φ∧ψ ⇒ ψ
∧L
¬ φ, φ ∧ ψ ⇒ ¬ L
¬ψ, φ ∧ ψ ⇒ ¬L
¬ φ ∨ ¬ψ, φ ∧ ψ ⇒ ∨ L
XL
φ ∧ ψ, ¬ φ ∨ ¬ψ ⇒
¬R
¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ)

(We could have carried out the ∧ rules lower than the ¬ rules in these steps
and still obtained a correct derivation).

Example 19.8. So far we haven’t used the contraction rule, but it is sometimes
required. Here’s an example where that happens. Suppose we want to prove
⇒ φ ∨ ¬ φ. Applying ∨R backwards would give us one of these two deriva-
tions:

φ ⇒
⇒ φ ⇒ ¬ φ ¬R
⇒ φ ∨ ¬ φ ∨R ⇒ φ ∨ ¬ φ ∨R

264 Release : d3a1905 (2022-12-19)

19.7. DERIVATIONS WITH QUANTIFIERS

Neither of these of course ends in an initial sequent. The trick is to realize that
the contraction rule allows us to combine two copies of a sentence into one—
and when we’re searching for a proof, i.e., going from bottom to top, we can
keep a copy of φ ∨ ¬ φ in the premise, e.g.,

⇒ φ ∨ ¬ φ, φ
⇒ φ ∨ ¬ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬φ CR

Now we can apply ∨R a second time, and also get ¬ φ, which leads to a com-
plete derivation.
φ ⇒ φ
⇒ φ, ¬ φ ¬R
⇒ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬ φ, φ XR
⇒ φ ∨ ¬ φ, φ ∨ ¬ φ ∨R
⇒ φ ∨ ¬φ CR

19.7 Derivations with Quantifiers

Example 19.9. Give an LK-derivation of the sequent ∃ x ¬ φ( x ) ⇒ ¬∀ x φ( x ).
When dealing with quantifiers, we have to make sure not to violate the
eigenvariable condition, and sometimes this requires us to play around with
the order of carrying out certain inferences. In general, it helps to try and take
care of rules subject to the eigenvariable condition first (they will be lower
down in the finished proof). Also, it is a good idea to try and look ahead and
try to guess what the initial sequent might look like. In our case, it will have to
be something like φ( a) ⇒ φ( a). That means that when we are “reversing” the
quantifier rules, we will have to pick the same term—what we will call a—for
both the ∀ and the ∃ rule. If we picked different terms for each rule, we would
end up with something like φ( a) ⇒ φ(b), which, of course, is not derivable.
Starting as usual, we write

∃ x ¬ φ( x ) ⇒ ¬∀ x φ( x )

We could either carry out the ∃L rule or the ¬R rule. Since the ∃L rule is
subject to the eigenvariable condition, it’s a good idea to take care of it sooner
rather than later, so we’ll do that one first.

¬ φ( a) ⇒ ¬∀ x φ( x )
∃L
∃ x ¬ φ( x ) ⇒ ¬∀ x φ( x )

Applying the ¬L and ¬R rules backwards, we get

Release : d3a1905 (2022-12-19) 265

 CHAPTER 19. THE SEQUENT CALCULUS

∀ x φ( x ) ⇒ φ( a)
¬L
¬ φ ( a ), ∀ x φ ( x ) ⇒
XL
∀ x φ ( x ), ¬ φ ( a ) ⇒
¬R
¬ φ( a) ⇒ ¬∀ xφ( x )
∃L
∃ x ¬ φ( x ) ⇒ ¬∀ xφ( x )

At this point, our only option is to carry out the ∀L rule. Since this rule is not
subject to the eigenvariable restriction, we’re in the clear. Remember, we want
to try and obtain an initial sequent (of the form φ( a) ⇒ φ( a)), so we should
choose a as our argument for φ when we apply the rule.

φ( a) ⇒ φ( a)
∀L
∀ x φ( x ) ⇒ φ( a)
¬L
¬ φ ( a ), ∀ x φ ( x ) ⇒
XL
∀ x φ ( x ), ¬ φ ( a ) ⇒
¬R
¬ φ( a) ⇒ ¬∀ x φ( x )
∃L
∃ x ¬ φ( x ) ⇒ ¬∀ x φ( x )

It is important, especially when dealing with quantifiers, to double check at

this point that the eigenvariable condition has not been violated. Since the
only rule we applied that is subject to the eigenvariable condition was ∃L,
and the eigenvariable a does not occur in its lower sequent (the end-sequent),
this is a correct derivation.

This section collects the definitions of the provability relation and con-
sistency for natural deduction.

19.8 Proof-Theoretic Notions

Just as we’ve defined a number of important semantic notions (validity, entail-
ment, satisfiabilty), we now define corresponding proof-theoretic notions. These
are not defined by appeal to satisfaction of sentences in structures, but by ap-
peal to the derivability or non-derivability of certain sequents. It was an im-
portant discovery that these notions coincide. That they do is the content of
the soundness and completeness theorem.

Definition 19.10 (Theorems). A sentence φ is a theorem if there is a derivation

in LK of the sequent ⇒ φ. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 19.11 (Derivability). A sentence φ is derivable from a set of sen-

tences Γ, Γ ⊢ φ, iff there is a finite subset Γ0 ⊆ Γ and a sequence Γ0′ of the

266 Release : d3a1905 (2022-12-19)

19.8. PROOF-THEORETIC NOTIONS

sentences in Γ0 such that LK derives Γ0′ ⇒ φ. If φ is not derivable from Γ we

write Γ ⊬ φ.

Because of the contraction, weakening, and exchange rules, the order and
number of sentences in Γ0′ does not matter: if a sequent Γ0′ ⇒ φ is deriv-
able, then so is Γ0′′ ⇒ φ for any Γ0′′ that contains the same sentences as Γ0′ .
For instance, if Γ0 = {ψ, χ} then both Γ0′ = ⟨ψ, ψ, χ⟩ and Γ0′′ = ⟨χ, χ, ψ⟩ are
sequences containing just the sentences in Γ0 . If a sequent containing one is
derivable, so is the other, e.g.:

ψ, ψ, χ ⇒ φ
CL
ψ, χ ⇒ φ
XL
χ, ψ ⇒ φ
WL
χ, χ, ψ ⇒ φ

From now on we’ll say that if Γ0 is a finite set of sentences then Γ0 ⇒ φ is

any sequent where the antecedent is a sequence of sentences in Γ0 and tacitly
include contractions, exchanges, and weakenings if necessary.

Definition 19.12 (Consistency). A set of sentences Γ is inconsistent iff there is

a finite subset Γ0 ⊆ Γ such that LK derives Γ0 ⇒ . If Γ is not inconsistent, i.e.,
if for every finite Γ0 ⊆ Γ, LK does not derive Γ0 ⇒ , we say it is consistent.

Proposition 19.13 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. The initial sequent φ ⇒ φ is derivable, and { φ} ⊆ Γ.

Proposition 19.14 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Suppose Γ ⊢ φ, i.e., there is a finite Γ0 ⊆ Γ such that Γ0 ⇒ φ is deriv-

able. Since Γ ⊆ ∆, then Γ0 is also a finite subset of ∆. The derivation of Γ0 ⇒ φ
thus also shows ∆ ⊢ φ.

Proposition 19.15 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If Γ ⊢ φ, there is a finite Γ0 ⊆ Γ and a derivation π0 of Γ0 ⇒ φ. If

{ φ} ∪ ∆ ⊢ ψ, then for some finite subset ∆ 0 ⊆ ∆, there is a derivation π1 of
φ, ∆ 0 ⇒ ψ. Consider the following derivation:

π0 π1

Γ0 ⇒ φ φ, ∆ 0 ⇒ ψ
Cut
Γ0 , ∆ 0 ⇒ ψ

Release : d3a1905 (2022-12-19) 267

 CHAPTER 19. THE SEQUENT CALCULUS

Since Γ0 ∪ ∆ 0 ⊆ Γ ∪ ∆, this shows Γ ∪ ∆ ⊢ ψ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 19.16. Γ is inconsistent iff Γ ⊢ φ for every sentence φ.

Proof. Exercise.

Proposition 19.17 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite subset Γ0 ⊆ Γ such that the sequent

Γ0 ⇒ φ has a derivation. Consequently, Γ0 ⊢ φ.

2. If Γ is inconsistent, there is a finite subset Γ0 ⊆ Γ such that LK derives

Γ0 ⇒ . But then Γ0 is a finite subset of Γ that is inconsistent.

19.9 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 19.18. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. There are finite Γ0 and Γ1 ⊆ Γ such that LK derives Γ0 ⇒ φ and φ, Γ1 ⇒

. Let the LK-derivation of Γ0 ⇒ φ be π0 and the LK-derivation of Γ1 , φ ⇒
be π1 . We can then derive

π0 π1

Γ0 ⇒ φ φ, Γ1 ⇒
Cut
Γ0 , Γ1 ⇒

Since Γ0 ⊆ Γ and Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ, hence Γ is inconsistent.

Proposition 19.19. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a derivation π0 of Γ ⇒ φ. By adding

a ¬L rule, we obtain a derivation of ¬ φ, Γ ⇒ , i.e., Γ ∪ {¬ φ} is inconsistent.
If Γ ∪ {¬ φ} is inconsistent, there is a derivation π1 of ¬ φ, Γ ⇒ . The
following is a derivation of Γ ⇒ φ:

268 Release : d3a1905 (2022-12-19)

19.10. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

π1
φ ⇒ φ
⇒ φ, ¬ φ ¬R ¬ φ, Γ ⇒
Cut
Γ ⇒ φ

Proposition 19.20. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there is a derivation π of a sequent

Γ0 ⇒ φ. The sequent ¬ φ, Γ0 ⇒ is also derivable:

π φ ⇒ φ
¬ φ, φ ⇒ ¬L
Γ0 ⇒ φ φ, ¬ φ ⇒ XL
Cut
Γ, ¬ φ ⇒

Since ¬ φ ∈ Γ and Γ0 ⊆ Γ, this shows that Γ is inconsistent.

Proposition 19.21. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. There are finite sets Γ0 ⊆ Γ and Γ1 ⊆ Γ and LK-derivations π0 and π1

of φ, Γ0 ⇒ and ¬ φ, Γ1 ⇒ , respectively. We can then derive

π0
π1
φ, Γ0 ⇒
¬R
Γ0 ⇒ ¬ φ ¬ φ, Γ1 ⇒
Cut
Γ0 , Γ1 ⇒

Since Γ0 ⊆ Γ and Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ. Hence Γ is inconsistent.

19.10 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of the sequent calculus is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 19.22. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ.

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. Both sequents φ ∧ ψ ⇒ φ and φ ∧ ψ ⇒ ψ are derivable:

Release : d3a1905 (2022-12-19) 269

 CHAPTER 19. THE SEQUENT CALCULUS

φ ⇒ φ ψ ⇒ ψ
φ∧ψ ⇒ φ
∧L φ∧ψ ⇒ ψ
∧L

2. Here is a derivation of the sequent φ, ψ ⇒ φ ∧ ψ:

φ ⇒ φ ψ ⇒ ψ
φ, ψ ⇒ φ ∧ ψ
∧R

Proposition 19.23. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. We give a derivation of the sequent φ ∨ ψ, ¬ φ, ¬ψ ⇒:

φ ⇒ φ ψ ⇒ ψ
¬ φ, φ ⇒ ¬L ¬ψ, ψ ⇒ ¬L
φ, ¬ φ, ¬ψ ⇒ ψ, ¬ φ, ¬ψ ⇒
φ ∨ ψ, ¬ φ, ¬ψ ⇒
∨L

(Recall that double inference lines indicate several weakening, contrac-

tion, and exchange inferences.)

2. Both sequents φ ⇒ φ ∨ ψ and ψ ⇒ φ ∨ ψ have derivations:

φ ⇒ φ ψ ⇒ ψ
φ ⇒ φ∨ψ
∨R ψ ⇒ φ∨ψ
∨R

Proposition 19.24. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. The sequent φ → ψ, φ ⇒ ψ is derivable:

φ ⇒ φ ψ ⇒ ψ
φ → ψ, φ ⇒ ψ
→L

2. Both sequents ¬ φ ⇒ φ → ψ and ψ ⇒ φ → ψ are derivable:

φ ⇒ φ
¬ φ, φ ⇒ ¬L
φ, ¬ φ ⇒ XL ψ ⇒ ψ
φ, ¬ φ ⇒ ψ WR φ, ψ ⇒ ψ
WL
¬φ ⇒ φ → ψ →R ψ ⇒ φ→ψ
→R

270 Release : d3a1905 (2022-12-19)

19.11. DERIVABILITY AND THE QUANTIFIERS

19.11 Derivability and the Quantifiers

The completeness theorem also requires that the sequent calculus rules rules
yield the facts about ⊢ established in this section.

Theorem 19.25. If c is a constant not occurring in Γ or φ( x ) and Γ ⊢ φ(c), then

Γ ⊢ ∀ x φ ( x ).

Proof. Let π0 be an LK-derivation of Γ0 ⇒ φ(c) for some finite Γ0 ⊆ Γ. By

adding a ∀R inference, we obtain a derivation of Γ0 ⇒ ∀ x φ( x ), since c does
not occur in Γ or φ( x ) and thus the eigenvariable condition is satisfied.

Proposition 19.26. 1. φ(t) ⊢ ∃ x φ( x ).

2. ∀ x φ( x ) ⊢ φ(t).

Proof. 1. The sequent φ(t) ⇒ ∃ x φ( x ) is derivable:

φ(t) ⇒ φ(t)
∃R
φ(t) ⇒ ∃ x φ( x )

2. The sequent ∀ x φ( x ) ⇒ φ(t) is derivable:

φ(t) ⇒ φ(t)
∀L
∀ x φ( x ) ⇒ φ(t)

19.12 Soundness
A derivation system, such as the sequent calculus, is sound if it cannot de-
rive things that do not actually hold. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable φ is valid;

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.

Release : d3a1905 (2022-12-19) 271

 CHAPTER 19. THE SEQUENT CALCULUS

Because all these proof-theoretic properties are defined via derivability in

the sequent calculus of certain sequents, proving (1)–(3) above requires prov-
ing something about the semantic properties of derivable sequents. We will
first define what it means for a sequent to be valid, and then show that every
derivable sequent is valid. (1)–(3) then follow as corollaries from this result.
Definition 19.27. A structure M satisfies a sequent Γ ⇒ ∆ iff either M ⊭ φ for
some φ ∈ Γ or M ⊨ φ for some φ ∈ ∆.
A sequent is valid iff every structure M satisfies it.
Theorem 19.28 (Soundness). If LK derives Θ ⇒ Ξ, then Θ ⇒ Ξ is valid.
Proof. Let π be a derivation of Θ ⇒ Ξ. We proceed by induction on the num-
ber of inferences n in π.
If the number of inferences is 0, then π consists only of an initial sequent.
Every initial sequent φ ⇒ φ is obviously valid, since for every M, either M ⊭
φ or M ⊨ φ.
If the number of inferences is greater than 0, we distinguish cases accord-
ing to the type of the lowermost inference. By induction hypothesis, we can
assume that the premises of that inference are valid, since the number of in-
ferences in the derivation of any premise is smaller than n.
First, we consider the possible inferences with only one premise.
1. The last inference is a weakening. Then Θ ⇒ Ξ is either φ, Γ ⇒ ∆ (if the
last inference is WL) or Γ ⇒ ∆, φ (if it’s WR), and the derivation ends in
one of

Γ ⇒ ∆ Γ ⇒ ∆
WL WR
φ, Γ ⇒ ∆ Γ ⇒ ∆, φ

By induction hypothesis, Γ ⇒ ∆ is valid, i.e., for every structure M,

either there is some χ ∈ Γ such that M ⊭ χ or there is some χ ∈ ∆ such
that M ⊨ χ.
If M ⊭ χ for some χ ∈ Γ, then χ ∈ Θ as well since Θ = φ, Γ, and so
M ⊭ χ for some χ ∈ Θ. Similarly, if M ⊨ χ for some χ ∈ ∆, as χ ∈ Ξ,
M ⊨ χ for some χ ∈ Ξ. Consequently, Θ ⇒ Ξ is valid.
2. The last inference is ¬L: Then the premise of the last inference is Γ ⇒
∆, φ and the conclusion is ¬ φ, Γ ⇒ ∆, i.e., the derivation ends in

Γ ⇒ ∆, φ
¬L
¬ φ, Γ ⇒ ∆

272 Release : d3a1905 (2022-12-19)

19.12. SOUNDNESS

and Θ = ¬ φ, Γ while Ξ = ∆.
The induction hypothesis tells us that Γ ⇒ ∆, φ is valid, i.e., for every
M, either (a) for some χ ∈ Γ, M ⊭ χ, or (b) for some χ ∈ ∆, M ⊨ χ, or (c)
M ⊨ φ. We want to show that Θ ⇒ Ξ is also valid. Let M be a structure.
If (a) holds, then there is χ ∈ Γ so that M ⊭ χ, but χ ∈ Θ as well. If
(b) holds, there is χ ∈ ∆ such that M ⊨ χ, but χ ∈ Ξ as well. Finally, if
M ⊨ φ, then M ⊭ ¬ φ. Since ¬ φ ∈ Θ, there is χ ∈ Θ such that M ⊭ χ.
Consequently, Θ ⇒ Ξ is valid.
3. The last inference is ¬R: Exercise.
4. The last inference is ∧L: There are two variants: φ ∧ ψ may be inferred
on the left from φ or from ψ on the left side of the premise. In the first
case, the π ends in

φ, Γ ⇒ ∆
∧L
φ ∧ ψ, Γ ⇒ ∆

and Θ = φ ∧ ψ, Γ while Ξ = ∆. Consider a structure M. Since by

induction hypothesis, φ, Γ ⇒ ∆ is valid, (a) M ⊭ φ, (b) M ⊭ χ for some
χ ∈ Γ, or (c) M ⊨ χ for some χ ∈ ∆. In case (a), M ⊭ φ ∧ ψ, so there
is χ ∈ Θ (namely, φ ∧ ψ) such that M ⊭ χ. In case (b), there is χ ∈ Γ
such that M ⊭ χ, and χ ∈ Θ as well. In case (c), there is χ ∈ ∆ such
that M ⊨ χ, and χ ∈ Ξ as well since Ξ = ∆. So in each case, M satisfies
φ ∧ ψ, Γ ⇒ ∆. Since M was arbitrary, Γ ⇒ ∆ is valid. The case where
φ ∧ ψ is inferred from ψ is handled the same, changing φ to ψ.
5. The last inference is ∨R: There are two variants: φ ∨ ψ may be inferred
on the right from φ or from ψ on the right side of the premise. In the first
case, π ends in

Γ ⇒ ∆, φ
∨R
Γ ⇒ ∆, φ ∨ ψ

Now Θ = Γ and Ξ = ∆, φ ∨ ψ. Consider a structure M. Since Γ ⇒ ∆, φ

is valid, (a) M ⊨ φ, (b) M ⊭ χ for some χ ∈ Γ, or (c) M ⊨ χ for some
χ ∈ ∆. In case (a), M ⊨ φ ∨ ψ. In case (b), there is χ ∈ Γ such that M ⊭ χ.
In case (c), there is χ ∈ ∆ such that M ⊨ χ. So in each case, M satisfies
Γ ⇒ ∆, φ ∨ ψ, i.e., Θ ⇒ Ξ. Since M was arbitrary, Θ ⇒ Ξ is valid. The
case where φ ∨ ψ is inferred from ψ is handled the same, changing φ to
ψ.

Release : d3a1905 (2022-12-19) 273

 CHAPTER 19. THE SEQUENT CALCULUS

6. The last inference is →R: Then π ends in

φ, Γ ⇒ ∆, ψ
→R
Γ ⇒ ∆, φ → ψ

Again, the induction hypothesis says that the premise is valid; we want
to show that the conclusion is valid as well. Let M be arbitrary. Since
φ, Γ ⇒ ∆, ψ is valid, at least one of the following cases obtains: (a) M ⊭
φ, (b) M ⊨ ψ, (c) M ⊭ χ for some χ ∈ Γ, or (d) M ⊨ χ for some χ ∈ ∆.
In cases (a) and (b), M ⊨ φ → ψ and so there is a χ ∈ ∆, φ → ψ such that
M ⊨ χ. In case (c), for some χ ∈ Γ, M ⊭ χ. In case (d), for some χ ∈ ∆,
M ⊨ χ. In each case, M satisfies Γ ⇒ ∆, φ → ψ. Since M was arbitrary,
Γ ⇒ ∆, φ → ψ is valid.

7. The last inference is ∀L: Then there is a formula φ( x ) and a closed term t
such that π ends in

φ ( t ), Γ ⇒ ∆
∀L
∀ x φ ( x ), Γ ⇒ ∆

We want to show that the conclusion ∀ x φ( x ), Γ ⇒ ∆ is valid. Consider

a structure M. Since the premise φ(t), Γ ⇒ ∆ is valid, (a) M ⊭ φ(t),
(b) M ⊭ χ for some χ ∈ Γ, or (c) M ⊨ χ for some χ ∈ ∆. In case (a),
by Proposition 16.30, if M ⊨ ∀ x φ( x ), then M ⊨ φ(t). Since M ⊭ φ(t),
M ⊭ ∀ x φ( x ) . In case (b) and (c), M also satisfies ∀ x φ( x ), Γ ⇒ ∆. Since
M was arbitrary, ∀ x φ( x ), Γ ⇒ ∆ is valid.

8. The last inference is ∃R: Exercise.

9. The last inference is ∀R: Then there is a formula φ( x ) and a constant

symbol a such that π ends in

Γ ⇒ ∆, φ( a)
∀R
Γ ⇒ ∆, ∀ x φ( x )

where the eigenvariable condition is satisfied, i.e., a does not occur in

φ( x ), Γ, or ∆. By induction hypothesis, the premise of the last inference

274 Release : d3a1905 (2022-12-19)

19.12. SOUNDNESS

is valid. We have to show that the conclusion is valid as well, i.e., that
for any structure M, (a) M ⊨ ∀ x φ( x ), (b) M ⊭ χ for some χ ∈ Γ, or
(c) M ⊨ χ for some χ ∈ ∆.
Suppose M is an arbitrary structure. If (b) or (c) holds, we are done, so
suppose neither holds: for all χ ∈ Γ, M ⊨ χ, and for all χ ∈ ∆, M ⊭ χ.
We have to show that (a) holds, i.e., M ⊨ ∀ x φ( x ). By Proposition 16.18,
if suffices to show that M, s ⊨ φ( x ) for all variable assignments s. So let s
be an arbitrary variable assignment. Consider the structure M′ which is
′
just like M except aM = s( x ). By Corollary 16.20, for any χ ∈ Γ, M′ ⊨ χ
since a does not occur in Γ, and for any χ ∈ ∆, M′ ⊭ χ. But the premise
is valid, so M′ ⊨ φ( a). By Proposition 16.17, M′ , s ⊨ φ( a), since φ( a) is
′
a sentence. Now s ∼ x s with s( x ) = ValM s ( a ), since we’ve defined M
′
′
in just this way. So Proposition 16.22 applies, and we get M , s ⊨ φ( x ).
Since a does not occur in φ( x ), by Proposition 16.19, M, s ⊨ φ( x ). Since s
was arbitrary, we’ve completed the proof that M, s ⊨ φ( x ) for all variable
assignments.
10. The last inference is ∃L: Exercise.
Now let’s consider the possible inferences with two premises.
1. The last inference is a cut: then π ends in

Γ ⇒ ∆, φ φ, Π ⇒ Λ
Cut
Γ, Π ⇒ ∆, Λ

Let M be a structure. By induction hypothesis, the premises are valid,

so M satisfies both premises. We distinguish two cases: (a) M ⊭ φ and
(b) M ⊨ φ. In case (a), in order for M to satisfy the left premise, it must
satisfy Γ ⇒ ∆. But then it also satisfies the conclusion. In case (b), in
order for M to satisfy the right premise, it must satisfy Π \ Λ. Again, M
satisfies the conclusion.
2. The last inference is ∧R. Then π ends in

Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
Γ ⇒ ∆, φ ∧ ψ

Consider a structure M. If M satisfies Γ ⇒ ∆, we are done. So suppose

it doesn’t. Since Γ ⇒ ∆, φ is valid by induction hypothesis, M ⊨ φ.
Similarly, since Γ ⇒ ∆, ψ is valid, M ⊨ ψ. But then M ⊨ φ ∧ ψ.

Release : d3a1905 (2022-12-19) 275

 CHAPTER 19. THE SEQUENT CALCULUS

3. The last inference is ∨L: Exercise.

4. The last inference is →L. Then π ends in

Γ ⇒ ∆, φ ψ, Π ⇒ Λ
→L
φ → ψ, Γ, Π ⇒ ∆, Λ

Again, consider a structure M and suppose M doesn’t satisfy Γ, Π ⇒

∆, Λ. We have to show that M ⊭ φ → ψ. If M doesn’t satisfy Γ, Π ⇒ ∆, Λ,
it satisfies neither Γ ⇒ ∆ nor Π ⇒ Λ. Since, Γ ⇒ ∆, φ is valid, we have
M ⊨ φ. Since ψ, Π ⇒ Λ is valid, we have M ⊭ ψ. But then M ⊭ φ → ψ,
which is what we wanted to show.

Corollary 19.29. If ⊢ φ then φ is valid.

Corollary 19.30. If Γ ⊢ φ then Γ ⊨ φ.

Proof. If Γ ⊢ φ then for some finite subset Γ0 ⊆ Γ, there is a derivation of

Γ0 ⇒ φ. By Theorem 19.28, every structure M either makes some ψ ∈ Γ0 false
or makes φ true. Hence, if M ⊨ Γ then also M ⊨ φ.

Corollary 19.31. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then

there is a finite Γ0 ⊆ Γ and a derivation of Γ0 ⇒ . By Theorem 19.28, Γ0 ⇒
is valid. In other words, for every structure M, there is χ ∈ Γ0 so that M ⊭ χ,
and since Γ0 ⊆ Γ, that χ is also in Γ. Thus, no M satisfies Γ, and Γ is not
satisfiable.

19.13 Derivations with Identity predicate

Derivations with identity predicate require additional initial sequents and in-
ference rules.

Definition 19.32 (Initial sequents for =). If t is a closed term, then ⇒ t = t

is an initial sequent.

The rules for = are (t1 and t2 are closed terms):

t1 = t2 , Γ ⇒ ∆, φ(t1 ) t1 = t2 , Γ ⇒ ∆, φ(t2 )
= =
t1 = t2 , Γ ⇒ ∆, φ(t2 ) t1 = t2 , Γ ⇒ ∆, φ(t1 )

276 Release : d3a1905 (2022-12-19)

19.14. SOUNDNESS WITH IDENTITY PREDICATE

Example 19.33. If s and t are closed terms, then s = t, φ(s) ⊢ φ(t):

φ(s) ⇒ φ(s)
WL
s = t, φ(s) ⇒ φ(s)
=
s = t, φ(s) ⇒ φ(t)

This may be familiar as the principle of substitutability of identicals, or Leib-

niz’ Law.
LK proves that = is symmetric and transitive:
t1 = t2 ⇒ t1 = t2
⇒ t1 = t1 t2 = t3 , t1 = t2 ⇒ t1 = t2 WL
WL =
t1 = t2 ⇒ t1 = t1 t2 = t3 , t1 = t2 ⇒ t1 = t3
=
t1 = t2 ⇒ t2 = t1 t1 = t2 , t2 = t3 ⇒ t1 = t3 XL
In the derivation on the left, the formula x = t1 is our φ( x ). On the right, we
take φ( x ) to be t1 = x.

19.14 Soundness with Identity predicate

Proposition 19.34. LK with initial sequents and rules for identity is sound.

Proof. Initial sequents of the form ⇒ t = t are valid, since for every struc-
ture M, M ⊨ t = t. (Note that we assume the term t to be closed, i.e., it
contains no variables, so variable assignments are irrelevant).
Suppose the last inference in a derivation is =. Then the premise is t1 =
t2 , Γ ⇒ ∆, φ(t1 ) and the conclusion is t1 = t2 , Γ ⇒ ∆, φ(t2 ). Consider a struc-
ture M. We need to show that the conclusion is valid, i.e., if M ⊨ t1 = t2 and
M ⊨ Γ, then either M ⊨ χ for some χ ∈ ∆ or M ⊨ φ(t2 ).
By induction hypothesis, the premise is valid. This means that if M ⊨
t1 = t2 and M ⊨ Γ either (a) for some χ ∈ ∆, M ⊨ χ or (b) M ⊨ φ(t1 ).
In case (a) we are done. Consider case (b). Let s be a variable assignment
with s( x ) = ValM (t1 ). By Proposition 16.17, M, s ⊨ φ(t1 ). Since s ∼ x s,
by Proposition 16.22, M, s ⊨ φ( x ). since M ⊨ t1 = t2 , we have ValM (t1 ) =
ValM (t2 ), and hence s( x ) = ValM (t2 ). By applying Proposition 16.22 again,
we also have M, s ⊨ φ(t2 ). By Proposition 16.17, M ⊨ φ(t2 ).

Problems
Problem 19.1. Give derivations of the following sequents:

1. φ ∧ (ψ ∧ χ) ⇒ ( φ ∧ ψ) ∧ χ.

2. φ ∨ (ψ ∨ χ) ⇒ ( φ ∨ ψ) ∨ χ.

3. φ → (ψ → χ) ⇒ ψ → ( φ → χ).

Release : d3a1905 (2022-12-19) 277

 CHAPTER 19. THE SEQUENT CALCULUS

4. φ ⇒ ¬¬ φ.

Problem 19.2. Give derivations of the following sequents:

1. ( φ ∨ ψ) → χ ⇒ φ → χ.

2. ( φ → χ) ∧ (ψ → χ) ⇒ ( φ ∨ ψ) → χ.

3. ⇒ ¬( φ ∧ ¬ φ).

4. ψ → φ ⇒ ¬ φ → ¬ψ.

5. ⇒ ( φ → ¬ φ) → ¬ φ.

6. ⇒ ¬( φ → ψ) → ¬ψ.

7. φ → χ ⇒ ¬( φ ∧ ¬χ).

8. φ ∧ ¬χ ⇒ ¬( φ → χ).

9. φ ∨ ψ, ¬ψ ⇒ φ.

10. ¬ φ ∨ ¬ψ ⇒ ¬( φ ∧ ψ).

11. ⇒ (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. ⇒ ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 19.3. Give derivations of the following sequents:

1. ¬( φ → ψ) ⇒ φ.

2. ¬( φ ∧ ψ) ⇒ ¬ φ ∨ ¬ψ.

3. φ → ψ ⇒ ¬ φ ∨ ψ.

4. ⇒ ¬¬ φ → φ.

5. φ → ψ, ¬ φ → ψ ⇒ ψ.

6. ( φ ∧ ψ) → χ ⇒ ( φ → χ) ∨ (ψ → χ).

7. ( φ → ψ) → φ ⇒ φ.

8. ⇒ ( φ → ψ) ∨ (ψ → χ).

(These all require the CR rule.)

Problem 19.4. Give derivations of the following sequents:

1. ⇒ (∀ x φ( x ) ∧ ∀y ψ(y)) → ∀z ( φ(z) ∧ ψ(z)).

2. ⇒ (∃ x φ( x ) ∨ ∃y ψ(y)) → ∃z ( φ(z) ∨ ψ(z)).

278 Release : d3a1905 (2022-12-19)

19.14. SOUNDNESS WITH IDENTITY PREDICATE

3. ∀ x ( φ( x ) → ψ) ⇒ ∃y φ(y) → ψ.

4. ∀ x ¬ φ( x ) ⇒ ¬∃ x φ( x ).

5. ⇒ ¬∃ x φ( x ) → ∀ x ¬ φ( x ).

6. ⇒ ¬∃ x ∀y (( φ( x, y) → ¬ φ(y, y)) ∧ (¬ φ(y, y) → φ( x, y))).

Problem 19.5. Give derivations of the following sequents:

1. ⇒ ¬∀ x φ( x ) → ∃ x ¬ φ( x ).

2. (∀ x φ( x ) → ψ) ⇒ ∃y ( φ(y) → ψ).

3. ⇒ ∃ x ( φ( x ) → ∀y φ(y)).

(These all require the CR rule.)

Problem 19.6. Prove Proposition 19.16

Problem 19.7. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 19.8. Complete the proof of Theorem 19.28.

Problem 19.9. Give derivations of the following sequents:

1. ⇒ ∀ x ∀y (( x = y ∧ φ( x )) → φ(y))

2. ∃ x φ( x ) ∧ ∀y ∀z (( φ(y) ∧ φ(z)) → y = z) ⇒ ∃ x ( φ( x ) ∧ ∀y ( φ(y) → y =

x ))

Release : d3a1905 (2022-12-19) 279

Chapter 20

Natural Deduction

This chapter presents a natural deduction system in the style of

Gentzen/Prawitz.
To include or exclude material relevant to natural deduction as a proof
system, use the “prfND” tag.

20.1 Rules and Derivations

Natural deduction systems are meant to closely parallel the informal reason-
ing used in mathematical proof (hence it is somewhat “natural”). Natural
deduction proofs begin with assumptions. Inference rules are then applied.
Assumptions are “discharged” by the ¬Intro, →Intro, ∨Elim and ∃Elim in-
ference rules, and the label of the discharged assumption is placed beside the
inference for clarity.

Definition 20.1 (Assumption). An assumption is any sentence in the topmost

position of any branch.

Derivations in natural deduction are certain trees of sentences, where the

topmost sentences are assumptions, and if a sentence stands below one, two,
or three other sequents, it must follow correctly by a rule of inference. The sen-
tences at the top of the inference are called the premises and the sentence below
the conclusion of the inference. The rules come in pairs, an introduction and
an elimination rule for each logical operator. They introduce a logical opera-
tor in the conclusion or remove a logical operator from a premise of the rule.
Some of the rules allow an assumption of a certain type to be discharged. To
indicate which assumption is discharged by which inference, we also assign
labels to both the assumption and the inference. This is indicated by writing
the assumption as “[ φ]n .”

280
20.2. PROPOSITIONAL RULES

It is customary to consider rules for all the logical operators ∧, ∨, →, ¬,

and ⊥, even if some of those are defined.

20.2 Propositional Rules

Rules for ∧

φ∧ψ
φ ∧Elim
φ ψ
∧Intro
φ∧ψ φ∧ψ
ψ
∧Elim

Rules for ∨

φ [ φ]n [ψ]n
∨Intro
φ∨ψ
ψ
∨Intro φ∨ψ χ χ
φ∨ψ n ∨Elim
χ

Rules for →

[ φ]n
φ→ψ φ
ψ
→Elim
ψ
n →Intro
φ→ψ

Rules for ¬

[ φ]n
¬φ φ
¬Elim
⊥
⊥
¬ φ ¬Intro
n

Release : d3a1905 (2022-12-19) 281

 CHAPTER 20. NATURAL DEDUCTION

Rules for ⊥

[¬ φ]n

⊥ ⊥
φ I

n
⊥ ⊥
φ C

Note that ¬Intro and ⊥C are very similar: The difference is that ¬Intro derives
a negated sentence ¬ φ but ⊥C a positive sentence φ.
Whenever a rule indicates that some assumption may be discharged, we
take this to be a permission, but not a requirement. E.g., in the →Intro rule,
we may discharge any number of assumptions of the form φ in the derivation
of the premise ψ, including zero.

20.3 Quantifier Rules

Rules for ∀

φ( a) ∀ x φ( x )
∀Intro ∀Elim
∀ x φ( x ) φ(t)

In the rules for ∀, t is a closed term (a term that does not contain any variables),
and a is a constant symbol which does not occur in the conclusion ∀ x φ( x ), or
in any assumption which is undischarged in the derivation ending with the
premise φ( a). We call a the eigenvariable of the ∀Intro inference.1

Rules for ∃

[φ( a)]n
φ(t)
∃Intro
∃ x φ( x )
∃ x φ( x ) χ
n
χ ∃Elim

1 We use the term “eigenvariable” even though a in the above rule is a constant. This has

historical reasons.

282 Release : d3a1905 (2022-12-19)

20.4. DERIVATIONS

Again, t is a closed term, and a is a constant which does not occur in the
premise ∃ x φ( x ), in the conclusion χ, or any assumption which is undischarged
in the derivations ending with the two premises (other than the assumptions
φ( a)). We call a the eigenvariable of the ∃Elim inference.
The condition that an eigenvariable neither occur in the premises nor in
any assumption that is undischarged in the derivations leading to the premises
for the ∀Intro or ∃Elim inference is called the eigenvariable condition.
Recall the convention that when φ is a formula with the variable x free, we
indicate this by writing φ( x ). In the same context, φ(t) then is short for φ[t/x ].
So we could also write the ∃Intro rule as:
φ[t/x ]
∃Intro
∃x φ
Note that t may already occur in φ, e.g., φ might be P (t, x ). Thus, inferring
∃ x P (t, x ) from P (t, t) is a correct application of ∃Intro—you may “replace”
one or more, and not necessarily all, occurrences of t in the premise by the
bound variable x. However, the eigenvariable conditions in ∀Intro and ∃Elim
require that the constant symbol a does not occur in φ. So, you cannot cor-
rectly infer ∀ x P ( a, x ) from P ( a, a) using ∀Intro.
In ∃Intro and ∀Elim there are no restrictions, and the term t can be any-
thing, so we do not have to worry about any conditions. On the other hand,
in the ∃Elim and ∀Intro rules, the eigenvariable condition requires that the
constant symbol a does not occur anywhere in the conclusion or in an undis-
charged assumption. The condition is necessary to ensure that the system
is sound, i.e., only derives sentences from undischarged assumptions from
which they follow. Without this condition, the following would be allowed:
[ φ( a)]1
*∀Intro
∃ x φ( x ) ∀ x φ( x )
∃Elim
∀ x φ( x )
However, ∃ x φ( x ) ⊭ ∀ x φ( x ).
As the elimination rules for quantifiers only allow substituting closed terms
for variables, it follows that any formula that can be derived from a set of sen-
tences is itself a sentence.

20.4 Derivations
We’ve said what an assumption is, and we’ve given the rules of inference.
Derivations in natural deduction are inductively generated from these: each
derivation either is an assumption on its own, or consists of one, two, or three
derivations followed by a correct inference.
Definition 20.2 (Derivation). A derivation of a sentence φ from assumptions Γ
is a finite tree of sentences satisfying the following conditions:

Release : d3a1905 (2022-12-19) 283

 CHAPTER 20. NATURAL DEDUCTION

1. The topmost sentences of the tree are either in Γ or are discharged by an

inference in the tree.
2. The bottommost sentence of the tree is φ.
3. Every sentence in the tree except the sentence φ at the bottom is a premise
of a correct application of an inference rule whose conclusion stands di-
rectly below that sentence in the tree.
We then say that φ is the conclusion of the derivation and Γ its undischarged
assumptions.
If a derivation of φ from Γ exists, we say that φ is derivable from Γ, or in
symbols: Γ ⊢ φ. If there is a derivation of φ in which every assumption is
discharged, we write ⊢ φ.

Example 20.3. Every assumption on its own is a derivation. So, e.g., φ by

itself is a derivation, and so is ψ by itself. We can obtain a new derivation
from these by applying, say, the ∧Intro rule,
φ ψ
∧Intro
φ∧ψ
These rules are meant to be general: we can replace the φ and ψ in it with any
sentences, e.g., by χ and θ. Then the conclusion would be χ ∧ θ, and so
χ θ
∧Intro
χ∧θ
is a correct derivation. Of course, we can also switch the assumptions, so that
θ plays the role of φ and χ that of ψ. Thus,
θ χ
∧Intro
θ∧χ
is also a correct derivation.
We can now apply another rule, say, →Intro, which allows us to conclude
a conditional and allows us to discharge any assumption that is identical to
the antecedent of that conditional. So both of the following would be correct
derivations:
[ χ ]1 θ χ [ θ ]1
∧Intro ∧Intro
χ∧θ χ∧θ
1 →Intro 1 →Intro
χ → (χ ∧ θ ) θ → (χ ∧ θ )
They show, respectively, that θ ⊢ χ → (χ ∧ θ ) and χ ⊢ θ → (χ ∧ θ ).
Remember that discharging of assumptions is a permission, not a require-
ment: we don’t have to discharge the assumptions. In particular, we can apply
a rule even if the assumptions are not present in the derivation. For instance,
the following is legal, even though there is no assumption φ to be discharged:

284 Release : d3a1905 (2022-12-19)

20.5. EXAMPLES OF DERIVATIONS

ψ
1 →Intro
φ→ψ

20.5 Examples of Derivations

Example 20.4. Let’s give a derivation of the sentence ( φ ∧ ψ) → φ.
We begin by writing the desired conclusion at the bottom of the derivation.

( φ ∧ ψ) → φ

Next, we need to figure out what kind of inference could result in a sen-
tence of this form. The main operator of the conclusion is →, so we’ll try to
arrive at the conclusion using the →Intro rule. It is best to write down the as-
sumptions involved and label the inference rules as you progress, so it is easy
to see whether all assumptions have been discharged at the end of the proof.

[ φ ∧ ψ ]1

φ
1 →Intro
( φ ∧ ψ) → φ

We now need to fill in the steps from the assumption φ ∧ ψ to φ. Since we

only have one connective to deal with, ∧, we must use the ∧ elim rule. This
gives us the following proof:

[ φ ∧ ψ ]1
φ ∧Elim
1 →Intro
( φ ∧ ψ) → φ

We now have a correct derivation of ( φ ∧ ψ) → φ.

Example 20.5. Now let’s give a derivation of (¬ φ ∨ ψ) → ( φ → ψ).

We begin by writing the desired conclusion at the bottom of the derivation.

(¬ φ ∨ ψ) → ( φ → ψ)

To find a logical rule that could give us this conclusion, we look at the logical
connectives in the conclusion: ¬, ∨, and →. We only care at the moment about
the first occurrence of → because it is the main operator of the sentence in the
end-sequent, while ¬, ∨ and the second occurrence of → are inside the scope
of another connective, so we will take care of those later. We therefore start
with the →Intro rule. A correct application must look like this:

Release : d3a1905 (2022-12-19) 285

 CHAPTER 20. NATURAL DEDUCTION

[¬ φ ∨ ψ]1

φ→ψ
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

This leaves us with two possibilities to continue. Either we can keep working
from the bottom up and look for another application of the →Intro rule, or we
can work from the top down and apply a ∨Elim rule. Let us apply the latter.
We will use the assumption ¬ φ ∨ ψ as the leftmost premise of ∨Elim. For a
valid application of ∨Elim, the other two premises must be identical to the
conclusion φ → ψ, but each may be derived in turn from another assumption,
namely one of the two disjuncts of ¬ φ ∨ ψ. So our derivation will look like
this:
[¬ φ]2 [ ψ ]2

[¬ φ ∨ ψ]1 φ→ψ φ→ψ

2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

In each of the two branches on the right, we want to derive φ → ψ, which

is best done using →Intro.

[¬ φ]2 , [ φ]3 [ ψ ]2 , [ φ ]4

ψ ψ
3 →Intro 4 →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

For the two missing parts of the derivation, we need derivations of ψ from
¬ φ and φ in the middle, and from φ and ψ on the left. Let’s take the former
first. ¬ φ and φ are the two premises of ¬Elim:

[¬ φ]2 [ φ ]3
¬Elim
⊥

By using ⊥ I , we can obtain ψ as a conclusion and complete the branch.

286 Release : d3a1905 (2022-12-19)

20.5. EXAMPLES OF DERIVATIONS

[ ψ ]2 , [ φ ]4
[¬ φ]2 [ φ ]3
⊥Intro
⊥ ⊥
I
ψ ψ
3 →Intro 4 →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

Let’s now look at the rightmost branch. Here it’s important to realize that
the definition of derivation allows assumptions to be discharged but does not re-
quire them to be. In other words, if we can derive ψ from one of the assump-
tions φ and ψ without using the other, that’s ok. And to derive ψ from ψ is
trivial: ψ by itself is such a derivation, and no inferences are needed. So we
can simply delete the assumption φ.

[¬ φ]2 [ φ ]3
¬Elim
⊥ ⊥
I
ψ [ ψ ]2
3 →Intro →Intro
[¬ φ ∨ ψ]1 φ→ψ φ→ψ
2
φ→ψ
∨Elim
1 →Intro
(¬ φ ∨ ψ) → ( φ → ψ)

Note that in the finished derivation, the rightmost →Intro inference does not
actually discharge any assumptions.

Example 20.6. So far we have not needed the ⊥C rule. It is special in that it al-
lows us to discharge an assumption that isn’t a sub-formula of the conclusion
of the rule. It is closely related to the ⊥ I rule. In fact, the ⊥ I rule is a special
case of the ⊥C rule—there is a logic called “intuitionistic logic” in which only
⊥ I is allowed. The ⊥C rule is a last resort when nothing else works. For in-
stance, suppose we want to derive φ ∨ ¬ φ. Our usual strategy would be to
attempt to derive φ ∨ ¬ φ using ∨Intro. But this would require us to derive
either φ or ¬ φ from no assumptions, and this can’t be done. ⊥C to the rescue!

[¬( φ ∨ ¬ φ)]1

1
⊥ ⊥C
φ ∨ ¬φ

Now we’re looking for a derivation of ⊥ from ¬( φ ∨ ¬ φ). Since ⊥ is the

conclusion of ¬Elim we might try that:

Release : d3a1905 (2022-12-19) 287

 CHAPTER 20. NATURAL DEDUCTION

[¬( φ ∨ ¬ φ)]1 [¬( φ ∨ ¬ φ)]1

¬φ φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

Our strategy for finding a derivation of ¬ φ calls for an application of ¬Intro:

[¬( φ ∨ ¬ φ)]1 , [ φ]2

[¬( φ ∨ ¬ φ)]1

⊥
2
¬ φ ¬Intro φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

Here, we can get ⊥ easily by applying ¬Elim to the assumption ¬( φ ∨ ¬ φ)

and φ ∨ ¬ φ which follows from our new assumption φ by ∨Intro:

[ φ ]2 [¬( φ ∨ ¬ φ)]1
[¬( φ ∨ ¬ φ)]1 φ ∨ ¬ φ ∨Intro
¬Elim
⊥
2
¬φ ¬ Intro φ
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

On the right side we use the same strategy, except we get φ by ⊥C :

[ φ ]2 [¬ φ]3
[¬( φ ∨ ¬ φ)]1 φ ∨ ¬φ ∨ Intro [¬( φ ∨ ¬ φ)] 1 φ ∨ ¬ φ ∨Intro
¬Elim ¬Elim
⊥ ⊥ ⊥
2
¬φ ¬ Intro 3
φ C
¬Elim
1
⊥ ⊥C
φ ∨ ¬φ

20.6 Derivations with Quantifiers

Example 20.7. When dealing with quantifiers, we have to make sure not to
violate the eigenvariable condition, and sometimes this requires us to play
around with the order of carrying out certain inferences. In general, it helps
to try and take care of rules subject to the eigenvariable condition first (they
will be lower down in the finished proof).
Let’s see how we’d give a derivation of the formula ∃ x ¬ φ( x ) → ¬∀ x φ( x ).
Starting as usual, we write

288 Release : d3a1905 (2022-12-19)

20.6. DERIVATIONS WITH QUANTIFIERS

∃ x ¬ φ( x ) → ¬∀ x φ( x )

We start by writing down what it would take to justify that last step using the
→Intro rule.

[∃ x ¬ φ( x )]1

¬∀ x φ( x )
1 →Intro
∃ x ¬ φ( x ) → ¬∀ x φ( x )

Since there is no obvious rule to apply to ¬∀ x φ( x ), we will proceed by setting

up the derivation so we can use the ∃Elim rule. Here we must pay attention
to the eigenvariable condition, and choose a constant that does not appear in
∃ x φ( x ) or any assumptions that it depends on. (Since no constant symbols
appear, however, any choice will do fine.)

[¬ φ( a)]2

[∃ x ¬ φ( x )]1 ¬∀ x φ( x )
2 ∃Elim
¬∀ x φ( x )
1 →Intro
∃ x ¬ φ( x ) → ¬∀ x φ( x )

In order to derive ¬∀ x φ( x ), we will attempt to use the ¬Intro rule: this re-
quires that we derive a contradiction, possibly using ∀ x φ( x ) as an additional
assumption. Of course, this contradiction may involve the assumption ¬ φ( a)
which will be discharged by the ∃Elim inference. We can set it up as follows:

[¬ φ( a)]2 , [∀ x φ( x )]3

⊥
3 ¬Intro
[∃ x ¬ φ( x )]1 ¬∀ x φ( x )
2 ∃Elim
¬∀ x φ( x )
1 →Intro
∃ x ¬ φ( x ) → ¬∀ x φ( x )

It looks like we are close to getting a contradiction. The easiest rule to apply is
the ∀Elim, which has no eigenvariable conditions. Since we can use any term
we want to replace the universally quantified x, it makes the most sense to
continue using a so we can reach a contradiction.

Release : d3a1905 (2022-12-19) 289

 CHAPTER 20. NATURAL DEDUCTION

[∀ x φ( x )]3
∀Elim
[¬ φ( a)]2 φ( a)
¬Elim
⊥
1
3 ¬Intro
[∃ x ¬ φ( x )] ¬∀ x φ( x )
2 ∃Elim
¬∀ x φ( x )
1 →Intro
∃ x ¬ φ( x ) → ¬∀ x φ( x )

It is important, especially when dealing with quantifiers, to double check

at this point that the eigenvariable condition has not been violated. Since the
only rule we applied that is subject to the eigenvariable condition was ∃Elim,
and the eigenvariable a does not occur in any assumptions it depends on, this
is a correct derivation.

Example 20.8. Sometimes we may derive a formula from other formulas. In

these cases, we may have undischarged assumptions. It is important to keep
track of our assumptions as well as the end goal.
Let’s see how we’d give a derivation of the formula ∃ x χ( x, b) from the
assumptions ∃ x ( φ( x ) ∧ ψ( x )) and ∀ x (ψ( x ) → χ( x, b)). Starting as usual, we
write the conclusion at the bottom.

∃ x χ( x, b)

We have two premises to work with. To use the first, i.e., try to find
a derivation of ∃ x χ( x, b) from ∃ x ( φ( x ) ∧ ψ( x )) we would use the ∃Elim rule.
Since it has an eigenvariable condition, we will apply that rule first. We get
the following:

[ φ( a) ∧ ψ( a)]1

∃ x ( φ( x ) ∧ ψ( x )) ∃ x χ( x, b)
1 ∃Elim
∃ x χ( x, b)

The two assumptions we are working with share ψ. It may be useful at this
point to apply ∧Elim to separate out ψ( a).

[ φ( a) ∧ ψ( a)]1
∧Elim
ψ( a)

∃ x ( φ( x ) ∧ ψ( x )) ∃ x χ( x, b)
1 ∃Elim
∃ x χ( x, b)

290 Release : d3a1905 (2022-12-19)

20.6. DERIVATIONS WITH QUANTIFIERS

The second assumption we have to work with is ∀ x (ψ( x ) → χ( x, b)). Since

there is no eigenvariable condition we can instantiate x with the constant sym-
bol a using ∀Elim to get ψ( a) → χ( a, b). We now have both ψ( a) → χ( a, b) and
ψ( a). Our next move should be a straightforward application of the →Elim
rule.

∀ x (ψ( x ) → χ( x, b)) [ φ( a) ∧ ψ( a)]1

∀Elim ∧Elim
ψ( a) → χ( a, b) ψ( a)
→Elim
χ( a, b)

∃ x ( φ( x ) ∧ ψ( x )) ∃ x χ( x, b)
1 ∃Elim
∃ x χ( x, b)

We are so close! One application of ∃Intro and we have reached our goal.

∀ x (ψ( x ) → χ( x, b)) [ φ( a) ∧ ψ( a)]1

∀Elim ∧Elim
ψ( a) → χ( a, b) ψ( a)
→Elim
χ( a, b)
∃Intro
∃ x ( φ( x ) ∧ ψ( x )) ∃ x χ( x, b)
1 ∃Elim
∃ x χ( x, b)

Since we ensured at each step that the eigenvariable conditions were not vio-
lated, we can be confident that this is a correct derivation.

Example 20.9. Give a derivation of the formula ¬∀ x φ( x ) from the assump-

tions ∀ x φ( x ) → ∃y ψ(y) and ¬∃y ψ(y). Starting as usual, we write the target
formula at the bottom.

¬∀ x φ( x )

The last line of the derivation is a negation, so let’s try using ¬Intro. This will
require that we figure out how to derive a contradiction.

[∀ x φ( x )]1

⊥
1 ¬Intro
¬∀ x φ( x )

So far so good. We can use ∀Elim but it’s not obvious if that will help us
get to our goal. Instead, let’s use one of our assumptions. ∀ x φ( x ) → ∃y ψ(y)
together with ∀ x φ( x ) will allow us to use the →Elim rule.

Release : d3a1905 (2022-12-19) 291

 CHAPTER 20. NATURAL DEDUCTION

∀ x φ( x ) → ∃y ψ(y) [∀ x φ( x )]1
→Elim
∃y ψ(y)

⊥
1 ¬Intro
¬∀ x φ( x )
We now have one final assumption to work with, and it looks like this will
help us reach a contradiction by using ¬Elim.

∀ x φ( x ) → ∃y ψ(y) [∀ x φ( x )]1
→Elim
¬∃y ψ(y) ∃y ψ(y)
¬Elim
⊥
1 ¬Intro
¬∀ x φ( x )

20.7 Proof-Theoretic Notions

This section collects the definitions the provability relation and consis-
tency for natural deduction.

Just as we’ve defined a number of important semantic notions (validity, en-

tailment, satisfiability), we now define corresponding proof-theoretic notions.
These are not defined by appeal to satisfaction of sentences in structures, but
by appeal to the derivability or non-derivability of certain sentences from oth-
ers. It was an important discovery that these notions coincide. That they do is
the content of the soundness and completeness theorems.

Definition 20.10 (Theorems). A sentence φ is a theorem if there is a derivation

of φ in natural deduction in which all assumptions are discharged. We write
⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 20.11 (Derivability). A sentence φ is derivable from a set of sen-

tences Γ, Γ ⊢ φ, if there is a derivation with conclusion φ and in which every
assumption is either discharged or is in Γ. If φ is not derivable from Γ we
write Γ ⊬ φ.

Definition 20.12 (Consistency). A set of sentences Γ is inconsistent iff Γ ⊢ ⊥.

If Γ is not inconsistent, i.e., if Γ ⊬ ⊥, we say it is consistent.

Proposition 20.13 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. The assumption φ by itself is a derivation of φ where every undis-

charged assumption (i.e., φ) is in Γ.

292 Release : d3a1905 (2022-12-19)

20.7. PROOF-THEORETIC NOTIONS

Proposition 20.14 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Any derivation of φ from Γ is also a derivation of φ from ∆.

Proposition 20.15 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If Γ ⊢ φ, there is a derivation δ0 of φ with all undischarged assumptions

in Γ. If { φ} ∪ ∆ ⊢ ψ, then there is a derivation δ1 of ψ with all undischarged
assumptions in { φ} ∪ ∆. Now consider:

∆, [ φ]1

δ1 Γ
δ0
ψ
1 →Intro
φ→ψ φ
ψ
→Elim

The undischarged assumptions are now all among Γ ∪ ∆, so this shows Γ ∪

∆ ⊢ ψ.

When Γ = { φ1 , φ2 , . . . , φk } is a finite set we may use the simplified nota-

tion φ1 , φ2 , . . . , φk ⊢ ψ for Γ ⊢ ψ, in particular φ ⊢ ψ means that { φ} ⊢ ψ.
Note that if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It follows also that if φ1 , . . . , φn ⊢
ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 20.16. The following are equivalent.

1. Γ is inconsistent.

2. Γ ⊢ φ for every sentence φ.

3. Γ ⊢ φ and Γ ⊢ ¬ φ for some sentence φ.

Proof. Exercise.

Proposition 20.17 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a derivation δ of φ from Γ. Let Γ0 be the set

of undischarged assumptions of δ. Since any derivation is finite, Γ0 can
only contain finitely many sentences. So, δ is a derivation of φ from a
finite Γ0 ⊆ Γ.

2. This is the contrapositive of (1) for the special case φ ≡ ⊥.

Release : d3a1905 (2022-12-19) 293

 CHAPTER 20. NATURAL DEDUCTION

20.8 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 20.18. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. Let the derivation of φ from Γ be δ1 and the derivation of ⊥ from Γ ∪

{ φ} be δ2 . We can then derive:
Γ, [ φ]1
Γ
δ2
δ1
⊥
1
¬ φ ¬Intro φ
¬Elim
⊥
In the new derivation, the assumption φ is discharged, so it is a derivation
from Γ.

Proposition 20.19. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a derivation δ0 of φ from undischarged

assumptions Γ. We obtain a derivation of ⊥ from Γ ∪ {¬ φ} as follows:
Γ
δ0
¬φ φ
¬Elim
⊥
Now assume Γ ∪ {¬ φ} is inconsistent, and let δ1 be the corresponding
derivation of ⊥ from undischarged assumptions in Γ ∪ {¬ φ}. We obtain
a derivation of φ from Γ alone by using ⊥C :

Γ, [¬ φ]1

δ1

1
⊥ ⊥
φ C

Proposition 20.20. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there is a derivation δ of φ from Γ.

Consider this simple application of the ¬Elim rule:

294 Release : d3a1905 (2022-12-19)

20.9. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

δ
¬φ φ
¬Elim
⊥
Since ¬ φ ∈ Γ, all undischarged assumptions are in Γ, this shows that Γ ⊢ ⊥.

Proposition 20.21. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. There are derivations δ1 and δ2 of ⊥ from Γ ∪ { φ} and ⊥ from Γ ∪ {¬ φ},

respectively. We can then derive

Γ, [¬ φ]2 Γ, [ φ]1

δ2 δ1

⊥ ⊥
2
¬¬ φ ¬Intro 1
¬ φ ¬Intro
¬Elim
⊥
Since the assumptions φ and ¬ φ are discharged, this is a derivation of ⊥
from Γ alone. Hence Γ is inconsistent.

20.9 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of natural deduction is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 20.22. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. We can derive both

φ∧ψ φ∧ψ
φ ∧Elim ψ
∧Elim

2. We can derive:
φ ψ
∧Intro
φ∧ψ

Proposition 20.23. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

Release : d3a1905 (2022-12-19) 295

 CHAPTER 20. NATURAL DEDUCTION

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. Consider the following derivation:

¬φ [ φ ]1 ¬ψ [ ψ ]1
¬Elim ¬Elim
φ∨ψ ⊥ ⊥
1 ∨Elim
⊥

This is a derivation of ⊥ from undischarged assumptions φ ∨ ψ, ¬ φ, and

¬ψ.

2. We can derive both

φ ψ
∨Intro ∨Intro
φ∨ψ φ∨ψ

Proposition 20.24. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. We can derive:

φ→ψ φ
ψ
→Elim

2. This is shown by the following two derivations:

¬φ [ φ ]1
¬Elim
⊥ ⊥
I
ψ ψ
1 →Intro →Intro
φ→ψ φ→ψ

Note that →Intro may, but does not have to, discharge the assumption φ.

20.10 Derivability and the Quantifiers

The completeness theorem also requires that the natural deduction rules yield
the facts about ⊢ established in this section.

Theorem 20.25. If c is a constant not occurring in Γ or φ( x ) and Γ ⊢ φ(c), then

Γ ⊢ ∀ x φ ( x ).

296 Release : d3a1905 (2022-12-19)

20.11. SOUNDNESS

Proof. Let δ be a derivation of φ(c) from Γ. By adding a ∀Intro inference,

we obtain a derivation of ∀ x φ( x ). Since c does not occur in Γ or φ( x ), the
eigenvariable condition is satisfied.

Proposition 20.26. 1. φ(t) ⊢ ∃ x φ( x ).

2. ∀ x φ( x ) ⊢ φ(t).

Proof. 1. The following is a derivation of ∃ x φ( x ) from φ(t):

φ(t)
∃Intro
∃ x φ( x )

2. The following is a derivation of φ(t) from ∀ x φ( x ):

∀ x φ( x )
∀Elim
φ(t)

20.11 Soundness
A derivation system, such as natural deduction, is sound if it cannot derive
things that do not actually follow. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable sentence is valid;

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.

Theorem 20.27 (Soundness). If φ is derivable from the undischarged assumptions

Γ, then Γ ⊨ φ.

Proof. Let δ be a derivation of φ. We proceed by induction on the number of

inferences in δ.
For the induction basis we show the claim if the number of inferences is 0.
In this case, δ consists only of a single sentence φ, i.e., an assumption. That
assumption is undischarged, since assumptions can only be discharged by

Release : d3a1905 (2022-12-19) 297

 CHAPTER 20. NATURAL DEDUCTION

inferences, and there are no inferences. So, any structure M that satisfies all of
the undischarged assumptions of the proof also satisfies φ.
Now for the inductive step. Suppose that δ contains n inferences. The
premise(s) of the lowermost inference are derived using sub-derivations, each
of which contains fewer than n inferences. We assume the induction hypothe-
sis: The premises of the lowermost inference follow from the undischarged as-
sumptions of the sub-derivations ending in those premises. We have to show
that the conclusion φ follows from the undischarged assumptions of the entire
proof.
We distinguish cases according to the type of the lowermost inference.
First, we consider the possible inferences with only one premise.

1. Suppose that the last inference is ¬Intro: The derivation has the form

Γ, [ φ]n

δ1

⊥
¬ φ ¬Intro
n

By inductive hypothesis, ⊥ follows from the undischarged assumptions

Γ ∪ { φ} of δ1 . Consider a structure M. We need to show that, if M ⊨ Γ,
then M ⊨ ¬ φ. Suppose for reductio that M ⊨ Γ, but M ⊭ ¬ φ, i.e., M ⊨ φ.
This would mean that M ⊨ Γ ∪ { φ}. This is contrary to our inductive
hypothesis. So, M ⊨ ¬ φ.

2. The last inference is ∧Elim: There are two variants: φ or ψ may be in-
ferred from the premise φ ∧ ψ. Consider the first case. The derivation δ
looks like this:

Γ
δ1

φ∧ψ
φ ∧Elim

By inductive hypothesis, φ ∧ ψ follows from the undischarged assump-

tions Γ of δ1 . Consider a structure M. We need to show that, if M ⊨ Γ,
then M ⊨ φ. Suppose M ⊨ Γ. By our inductive hypothesis (Γ ⊨ φ ∧ ψ),
we know that M ⊨ φ ∧ ψ. By definition, M ⊨ φ ∧ ψ iff M ⊨ φ and M ⊨ ψ.
(The case where ψ is inferred from φ ∧ ψ is handled similarly.)

3. The last inference is ∨Intro: There are two variants: φ ∨ ψ may be in-
ferred from the premise φ or the premise ψ. Consider the first case. The
derivation has the form

298 Release : d3a1905 (2022-12-19)

20.11. SOUNDNESS

Γ
δ1
φ
∨Intro
φ∨ψ

By inductive hypothesis, φ follows from the undischarged assumptions Γ

of δ1 . Consider a structure M. We need to show that, if M ⊨ Γ, then
M ⊨ φ ∨ ψ. Suppose M ⊨ Γ; then M ⊨ φ since Γ ⊨ φ (the inductive
hypothesis). So it must also be the case that M ⊨ φ ∨ ψ. (The case where
φ ∨ ψ is inferred from ψ is handled similarly.)

4. The last inference is →Intro: φ → ψ is inferred from a subproof with

assumption φ and conclusion ψ, i.e.,

Γ, [ φ]n

δ1

ψ
n →Intro
φ→ψ

By inductive hypothesis, ψ follows from the undischarged assumptions

of δ1 , i.e., Γ ∪ { φ} ⊨ ψ. Consider a structure M. The undischarged
assumptions of δ are just Γ, since φ is discharged at the last inference.
So we need to show that Γ ⊨ φ → ψ. For reductio, suppose that for
some structure M, M ⊨ Γ but M ⊭ φ → ψ. So, M ⊨ φ and M ⊭ ψ. But
by hypothesis, ψ is a consequence of Γ ∪ { φ}, i.e., M ⊨ ψ, which is a
contradiction. So, Γ ⊨ φ → ψ.

5. The last inference is ⊥ I : Here, δ ends in

Γ
δ1

⊥ ⊥
φ I

By induction hypothesis, Γ ⊨ ⊥. We have to show that Γ ⊨ φ. Suppose

not; then for some M we have M ⊨ Γ and M ⊭ φ. But we always
have M ⊭ ⊥, so this would mean that Γ ⊭ ⊥, contrary to the induction
hypothesis.

6. The last inference is ⊥C : Exercise.

7. The last inference is ∀Intro: Then δ has the form

Release : d3a1905 (2022-12-19) 299

 CHAPTER 20. NATURAL DEDUCTION

Γ
δ1

φ( a)
∀Intro
∀ x φ( x )

The premise φ( a) is a consequence of the undischarged assumptions Γ

by induction hypothesis. Consider some structure, M, such that M ⊨ Γ.
We need to show that M ⊨ ∀ x φ( x ). Since ∀ x φ( x ) is a sentence, this
means we have to show that for every variable assignment s, M, s ⊨ φ( x )
(Proposition 16.18). Since Γ consists entirely of sentences, M, s ⊨ ψ for
′
all ψ ∈ Γ by Definition 16.11. Let M′ be like M except that aM = s( x ).
′
Since a does not occur in Γ, M ⊨ Γ by Corollary 16.20. Since Γ ⊨ φ( a),
M′ ⊨ φ( a). Since φ( a) is a sentence, M′ , s ⊨ φ( a) by Proposition 16.17.
M′ , s ⊨ φ( x ) iff M′ ⊨ φ( a) by Proposition 16.22 (recall that φ( a) is just
φ( x )[ a/x ]). So, M′ , s ⊨ φ( x ). Since a does not occur in φ( x ), by Propo-
sition 16.19, M, s ⊨ φ( x ). But s was an arbitrary variable assignment, so
M ⊨ ∀ x φ ( x ).

8. The last inference is ∃Intro: Exercise.

9. The last inference is ∀Elim: Exercise.

Now let’s consider the possible inferences with several premises: ∨Elim,
∧Intro, →Elim, and ∃Elim.
1. The last inference is ∧Intro. φ ∧ ψ is inferred from the premises φ and ψ
and δ has the form

Γ1 Γ2

δ1 δ2

φ ψ
∧Intro
φ∧ψ

By induction hypothesis, φ follows from the undischarged assumptions Γ1

of δ1 and ψ follows from the undischarged assumptions Γ2 of δ2 . The
undischarged assumptions of δ are Γ1 ∪ Γ2 , so we have to show that
Γ1 ∪ Γ2 ⊨ φ ∧ ψ. Consider a structure M with M ⊨ Γ1 ∪ Γ2 . Since M ⊨ Γ1 ,
it must be the case that M ⊨ φ as Γ1 ⊨ φ, and since M ⊨ Γ2 , M ⊨ ψ since
Γ2 ⊨ ψ. Together, M ⊨ φ ∧ ψ.

2. The last inference is ∨Elim: Exercise.

3. The last inference is →Elim. ψ is inferred from the premises φ → ψ

and φ. The derivation δ looks like this:

300 Release : d3a1905 (2022-12-19)

20.12. DERIVATIONS WITH IDENTITY PREDICATE

Γ1 Γ2
δ1 δ2
φ→ψ φ
ψ
→Elim

By induction hypothesis, φ → ψ follows from the undischarged assump-

tions Γ1 of δ1 and φ follows from the undischarged assumptions Γ2 of δ2 .
Consider a structure M. We need to show that, if M ⊨ Γ1 ∪ Γ2 , then
M ⊨ ψ. Suppose M ⊨ Γ1 ∪ Γ2 . Since Γ1 ⊨ φ → ψ, M ⊨ φ → ψ. Since
Γ2 ⊨ φ, we have M ⊨ φ. This means that M ⊨ ψ (For if M ⊭ ψ, since
M ⊨ φ, we’d have M ⊭ φ → ψ, contradicting M ⊨ φ → ψ).

4. The last inference is ¬Elim: Exercise.

5. The last inference is ∃Elim: Exercise.

Corollary 20.28. If ⊢ φ, then φ is valid.

Corollary 20.29. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then

Γ ⊢ ⊥, i.e., there is a derivation of ⊥ from undischarged assumptions in Γ. By
Theorem 20.27, any structure M that satisfies Γ must satisfy ⊥. Since M ⊭ ⊥
for every structure M, no M can satisfy Γ, i.e., Γ is not satisfiable.

20.12 Derivations with Identity predicate

Derivations with identity predicate require additional inference rules.

t1 = t2 φ ( t1 )
=Elim
φ ( t2 )
=Intro
t=t
t1 = t2 φ ( t2 )
=Elim
φ ( t1 )

In the above rules, t, t1 , and t2 are closed terms. The =Intro rule allows us
to derive any identity statement of the form t = t outright, from no assump-
tions.

Example 20.30. If s and t are closed terms, then φ(s), s = t ⊢ φ(t):

s=t φ(s)
=Elim
φ(t)

Release : d3a1905 (2022-12-19) 301

 CHAPTER 20. NATURAL DEDUCTION

This may be familiar as the “principle of substitutability of identicals,” or Leib-

niz’ Law.

Example 20.31. We derive the sentence

∀ x ∀y (( φ( x ) ∧ φ(y)) → x = y)

from the sentence

∃ x ∀y ( φ(y) → y = x )

We develop the derivation backwards:

∃ x ∀y ( φ(y) → y = x ) [ φ( a) ∧ φ(b)]1

a=b
1 →Intro
(( φ( a) ∧ φ(b)) → a = b)
∀Intro
∀y (( φ( a) ∧ φ(y)) → a = y)
∀Intro
∀ x ∀y (( φ( x ) ∧ φ(y)) → x = y)

We’ll now have to use the main assumption: since it is an existential formula,
we use ∃Elim to derive the intermediary conclusion a = b.

[∀y ( φ(y) → y = c)]2

[ φ( a) ∧ φ(b)]1

∃ x ∀y ( φ(y) → y = x ) a=b
2 ∃Elim
a=b
1 →Intro
(( φ( a) ∧ φ(b)) → a = b)
∀Intro
∀y (( φ( a) ∧ φ(y)) → a = y)
∀Intro
∀ x ∀y (( φ( x ) ∧ φ(y)) → x = y)

The sub-derivation on the top right is completed by using its assumptions

to show that a = c and b = c. This requires two separate derivations. The
derivation for a = c is as follows:

[∀y ( φ(y) → y = c)]2 [ φ( a) ∧ φ(b)]1

∀Elim ∧Elim
φ( a) → a = c φ( a)
a=c →Elim

From a = c and b = c we derive a = b by =Elim.

302 Release : d3a1905 (2022-12-19)

20.13. SOUNDNESS WITH IDENTITY PREDICATE

20.13 Soundness with Identity predicate

Proposition 20.32. Natural deduction with rules for = is sound.

Proof. Any formula of the form t = t is valid, since for every structure M,
M ⊨ t = t. (Note that we assume the term t to be closed, i.e., it contains no
variables, so variable assignments are irrelevant).
Suppose the last inference in a derivation is =Elim, i.e., the derivation has
the following form:

Γ1 Γ2

δ1 δ2

t1 = t2 φ ( t1 )
=Elim
φ ( t2 )

The premises t1 = t2 and φ(t1 ) are derived from undischarged assumptions Γ1

and Γ2 , respectively. We want to show that φ(t2 ) follows from Γ1 ∪ Γ2 . Con-
sider a structure M with M ⊨ Γ1 ∪ Γ2 . By induction hypothesis, M ⊨ φ(t1 )
and M ⊨ t1 = t2 . Therefore, ValM (t1 ) = ValM (t2 ). Let s be any variable as-
signment, and m = ValM (t1 ) = ValM (t2 ). By Proposition 16.22, M, s ⊨ φ(t1 )
iff M, s[m/x ] ⊨ φ( x ) iff M, s ⊨ φ(t2 ). Since M ⊨ φ(t1 ), we have M ⊨ φ(t2 ).

Problems
Problem 20.1. Give derivations that show the following:

1. φ ∧ (ψ ∧ χ) ⊢ ( φ ∧ ψ) ∧ χ.

2. φ ∨ (ψ ∨ χ) ⊢ ( φ ∨ ψ) ∨ χ.

3. φ → (ψ → χ) ⊢ ψ → ( φ → χ).

4. φ ⊢ ¬¬ φ.

Problem 20.2. Give derivations that show the following:

1. ( φ ∨ ψ) → χ ⊢ φ → χ.

2. ( φ → χ) ∧ (ψ → χ) ⊢ ( φ ∨ ψ) → χ.

3. ⊢ ¬( φ ∧ ¬ φ).

4. ψ → φ ⊢ ¬ φ → ¬ψ.

5. ⊢ ( φ → ¬ φ) → ¬ φ.

6. ⊢ ¬( φ → ψ) → ¬ψ.

Release : d3a1905 (2022-12-19) 303

 CHAPTER 20. NATURAL DEDUCTION

7. φ → χ ⊢ ¬( φ ∧ ¬χ).

8. φ ∧ ¬χ ⊢ ¬( φ → χ).

9. φ ∨ ψ, ¬ψ ⊢ φ.

10. ¬ φ ∨ ¬ψ ⊢ ¬( φ ∧ ψ).

11. ⊢ (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. ⊢ ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 20.3. Give derivations that show the following:

1. ¬( φ → ψ) ⊢ φ.

2. ¬( φ ∧ ψ) ⊢ ¬ φ ∨ ¬ψ.

3. φ → ψ ⊢ ¬ φ ∨ ψ.

4. ⊢ ¬¬ φ → φ.

5. φ → ψ, ¬ φ → ψ ⊢ ψ.

6. ( φ ∧ ψ) → χ ⊢ ( φ → χ) ∨ (ψ → χ).

7. ( φ → ψ) → φ ⊢ φ.

8. ⊢ ( φ → ψ) ∨ (ψ → χ).

(These all require the ⊥C rule.)

Problem 20.4. Give derivations that show the following:

1. ⊢ (∀ x φ( x ) ∧ ∀y ψ(y)) → ∀z ( φ(z) ∧ ψ(z)).

2. ⊢ (∃ x φ( x ) ∨ ∃y ψ(y)) → ∃z ( φ(z) ∨ ψ(z)).

3. ∀ x ( φ( x ) → ψ) ⊢ ∃y φ(y) → ψ.

4. ∀ x ¬ φ( x ) ⊢ ¬∃ x φ( x ).

5. ⊢ ¬∃ x φ( x ) → ∀ x ¬ φ( x ).

6. ⊢ ¬∃ x ∀y (( φ( x, y) → ¬ φ(y, y)) ∧ (¬ φ(y, y) → φ( x, y))).

Problem 20.5. Give derivations that show the following:

1. ⊢ ¬∀ x φ( x ) → ∃ x ¬ φ( x ).

2. (∀ x φ( x ) → ψ) ⊢ ∃y ( φ(y) → ψ).

3. ⊢ ∃ x ( φ( x ) → ∀y φ(y)).

304 Release : d3a1905 (2022-12-19)

20.13. SOUNDNESS WITH IDENTITY PREDICATE

(These all require the ⊥C rule.)

Problem 20.6. Prove Proposition 20.16

Problem 20.7. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 20.8. Complete the proof of Theorem 20.27.

Problem 20.9. Prove that = is both symmetric and transitive, i.e., give deriva-
tions of ∀ x ∀y ( x = y → y = x ) and ∀ x ∀y ∀z(( x = y ∧ y = z) → x = z)

Problem 20.10. Give derivations of the following formulas:

1. ∀ x ∀y (( x = y ∧ φ( x )) → φ(y))

2. ∃ x φ( x ) ∧ ∀y ∀z (( φ(y) ∧ φ(z)) → y = z) → ∃ x ( φ( x ) ∧ ∀y ( φ(y) → y =

x ))

Release : d3a1905 (2022-12-19) 305

Chapter 21

Tableaux

This chapter presents a signed analytic tableaux system.

To include or exclude material relevant to natural deduction as a proof
system, use the “prfTab” tag.

21.1 Rules and Tableaux

A tableau is a systematic survey of the possible ways a sentence can be true
or false in a structure. The building blocks of a tableau are signed formulas:
sentences plus a truth value “sign,” either T or F. These signed formulas are
arranged in a (downward growing) tree.

Definition 21.1. A signed formula is a pair consisting of a truth value and a sen-
tence, i.e., either:
T φ or F φ.

Intuitively, we might read T φ as “φ might be true” and F φ as “φ might be

false” (in some structure).
Each signed formula in the tree is either an assumption (which are listed at
the very top of the tree), or it is obtained from a signed formula above it by
one of a number of rules of inference. There are two rules for each possible
main operator of the preceding formula, one for the case where the sign is T,
and one for the case where the sign is F. Some rules allow the tree to branch,
and some only add signed formulas to the branch. A rule may be (and often
must be) applied not to the immediately preceding signed formula, but to any
signed formula in the branch from the root to the place the rule is applied.
A branch is closed when it contains both T φ and F φ. A closed tableau
is one where every branch is closed. Under the intuitive interpretation, any
branch describes a joint possibility, but T φ and F φ are not jointly possible. In

306
21.2. PROPOSITIONAL RULES

other words, if a branch is closed, the possibility it describes has been ruled
out. In particular, that means that a closed tableau rules out all possibilities
of simultaneously making every assumption of the form T φ true and every
assumption of the form F φ false.
A closed tableau for φ is a closed tableau with root F φ. If such a closed
tableau exists, all possibilities for φ being false have been ruled out; i.e., φ
must be true in every structure.

21.2 Propositional Rules

Rules for ¬

T¬ φ F ¬φ
¬T ¬F
Fφ Tφ

Rules for ∧

Tφ ∧ ψ
∧T Fφ ∧ ψ
Tφ ∧F
F φ | Fψ
Tψ

Rules for ∨

Fφ ∨ ψ
Tφ ∨ ψ ∨F
∨T Fφ
T φ | Tψ
Fψ

Rules for →

Fφ → ψ
Tφ → ψ →F
→T Tφ
F φ | Tψ
Fψ

Release : d3a1905 (2022-12-19) 307

 CHAPTER 21. TABLEAUX

The Cut Rule

Cut
Tφ | Fφ

The Cut rule is not applied “to” a previous signed formula; rather, it allows
every branch in a tableau to be split in two, one branch containing T φ, the
other F φ. It is not necessary—any set of signed formulas with a closed tableau
has one not using Cut—but it allows us to combine tableaux in a convenient
way.

21.3 Quantifier Rules

Rules for ∀

T ∀ x φ( x ) F ∀ x φ( x )
∀T ∀F
T φ(t) F φ( a)

In ∀T, t is a closed term (i.e., one without variables). In ∀F, a is a constant

symbol which must not occur anywhere in the branch above ∀F rule. We call
a the eigenvariable of the ∀F inference.1

Rules for ∃

T ∃ x φ( x ) F ∃ x φ( x )
∃T ∃F
T φ( a) F φ(t)

Again, t is a closed term, and a is a constant symbol which does not occur in
the branch above the ∃T rule. We call a the eigenvariable of the ∃T inference.
The condition that an eigenvariable not occur in the branch above the ∀F
or ∃T inference is called the eigenvariable condition.
Recall the convention that when φ is a formula with the variable x free, we
indicate this by writing φ( x ). In the same context, φ(t) then is short for φ[t/x ].
So we could also write the ∃F rule as:
F ∃x φ
∃F
F φ[t/x ]
1 We use the term “eigenvariable” even though a in the above rule is a constant symbol. This

has historical reasons.

308 Release : d3a1905 (2022-12-19)

21.4. TABLEAUX

Note that t may already occur in φ, e.g., φ might be P (t, x ). Thus, inferring
F P (t, t) from F ∃ x P (t, x ) is a correct application of ∃F. However, the eigen-
variable conditions in ∀F and ∃T require that the constant symbol a does not
occur in φ. So, you cannot correctly infer F P ( a, a) from F ∀ x P ( a, x ) using ∀F.
In ∀T and ∃F there are no restrictions on the term t. On the other hand,
in the ∃T and ∀F rules, the eigenvariable condition requires that the constant
symbol a does not occur anywhere in the branches above the respective infer-
ence. It is necessary to ensure that the system is sound. Without this condition,
the following would be a closed tableau for ∃ x φ( x ) → ∀ x φ( x ):

1. F ∃ x φ( x ) → ∀ x φ( x ) Assumption
2. T ∃ x φ( x ) →F 1
3. F ∀ x φ( x ) →F 1
4. T φ( a) ∃T 2
5. F φ( a) ∀F 3
⊗

However, ∃ x φ( x ) → ∀ x φ( x ) is not valid.

21.4 Tableaux
We’ve said what an assumption is, and we’ve given the rules of inference.
Tableaux are inductively generated from these: each tableau either is a single
branch consisting of one or more assumptions, or it results from a tableau by
applying one of the rules of inference on a branch.

Definition 21.2 (Tableau). A tableau for assumptions S1φ1 , . . . , Snφn (where

each Si is either T or F) is a finite tree of signed formulas satisfying the fol-
lowing conditions:

1. The n topmost signed formulas of the tree are Si φi , one below the other.

2. Every signed formula in the tree that is not one of the assumptions re-
sults from a correct application of an inference rule to a signed formula
in the branch above it.

A branch of a tableau is closed iff it contains both T φ and F φ, and open other-
wise. A tableau in which every branch is closed is a closed tableau (for its set
of assumptions). If a tableau is not closed, i.e., if it contains at least one open
branch, it is open.

Example 21.3. Every set of assumptions on its own is a tableau, but it will
generally not be closed. (Obviously, it is closed only if the assumptions al-
ready contain a pair of signed formulas T φ and F φ.)

Release : d3a1905 (2022-12-19) 309

 CHAPTER 21. TABLEAUX

From a tableau (open or closed) we can obtain a new, larger one by ap-
plying one of the rules of inference to a signed formula φ in it. The rule will
append one or more signed formulas to the end of any branch containing the
occurrence of φ to which we apply the rule.
For instance, consider the assumption T φ ∧ ¬ φ. Here is the (open) tableau
consisting of just that assumption:

1. T φ ∧ ¬φ Assumption

We obtain a new tableau from it by applying the ∧T rule to the assumption.

That rule allows us to add two new lines to the tableau, T φ and T ¬ φ:

1. T φ ∧ ¬φ Assumption
2. Tφ ∧T 1
3. T¬ φ ∧T 1

When we write down tableaux, we record the rules we’ve applied on the right
(e.g., ∧T1 means that the signed formula on that line is the result of applying
the ∧T rule to the signed formula on line 1). This new tableau now contains
additional signed formulas, but to only one (T ¬ φ) can we apply a rule (in this
case, the ¬T rule). This results in the closed tableau

1. T φ ∧ ¬φ Assumption
2. Tφ ∧T 1
3. T¬ φ ∧T 1
4. Fφ ¬T 3
⊗

21.5 Examples of Tableaux

Example 21.4. Let’s find a closed tableau for the sentence ( φ ∧ ψ) → φ.
We begin by writing the corresponding assumption at the top of the tableau.

1. F ( φ ∧ ψ) → φ Assumption

There is only one assumption, so only one signed formula to which we can
apply a rule. (For every signed formula, there is always at most one rule that
can be applied: it’s the rule for the corresponding sign and main operator of
the sentence.) In this case, this means, we must apply →F.

1. F ( φ ∧ ψ) → φ ✓ Assumption
2. Tφ ∧ ψ →F 1
3. Fφ →F 1

310 Release : d3a1905 (2022-12-19)

21.5. EXAMPLES OF TABLEAUX

To keep track of which signed formulas we have applied their corresponding

rules to, we write a checkmark next to the sentence. However, only write a
checkmark if the rule has been applied to all open branches. Once a signed
formula has had the corresponding rule applied in every open branch, we will
not have to return to it and apply the rule again. In this case, there is only one
branch, so the rule only has to be applied once. (Note that checkmarks are
only a convenience for constructing tableaux and are not officially part of the
syntax of tableaux.)
There is one new signed formula to which we can apply a rule: the T φ ∧ ψ
on line 2. Applying the ∧T rule results in:

1. F ( φ ∧ ψ) → φ ✓ Assumption
2. Tφ ∧ ψ ✓ →F 1
3. Fφ →F 1
4. Tφ ∧T 2
5. Tψ ∧T 2
⊗

Since the branch now contains both T φ (on line 4) and F φ (on line 3), the
branch is closed. Since it is the only branch, the tableau is closed. We have
found a closed tableau for ( φ ∧ ψ) → φ.

Example 21.5. Now let’s find a closed tableau for (¬ φ ∨ ψ) → ( φ → ψ).

We begin with the corresponding assumption:

1. F (¬ φ ∨ ψ) → ( φ → ψ) Assumption

The one signed formula in this tableau has main operator → and sign F, so
we apply the →F rule to it to obtain:

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ →F 1
3. F ( φ → ψ) →F 1
We now have a choice as to whether to apply ∨T to line 2 or →F to line 3. It
actually doesn’t matter which order we pick, as long as each signed formula
has its corresponding rule applied in every branch. So let’s pick the first one.
The ∨T rule allows the tableau to branch, and the two conclusions of the rule
will be the new signed formulas added to the two new branches. This results
in:
1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) →F 1

4. T¬ φ Tψ ∨T 2

Release : d3a1905 (2022-12-19) 311

 CHAPTER 21. TABLEAUX

We have not applied the →F rule to line 3 yet: let’s do that now. To save
time, we apply it to both branches. Recall that we write a checkmark next
to a signed formula only if we have applied the corresponding rule in every
open branch. So it’s a good idea to apply a rule at the end of every branch that
contains the signed formula the rule applies to. That way we won’t have to
return to that signed formula lower down in the various branches.

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) ✓ →F 1

4. T¬ φ Tψ ∨T 2
5. Tφ Tφ →F 3
6. Fψ Fψ →F 3
⊗

The right branch is now closed. On the left branch, we can still apply the ¬T
rule to line 4. This results in F φ and closes the left branch:

1. F (¬ φ ∨ ψ) → ( φ → ψ) ✓ Assumption
2. T¬ φ ∨ ψ ✓ →F 1
3. F ( φ → ψ) ✓ →F 1

4. T¬ φ Tψ ∨T 2
5. Tφ Tφ →F 3
6. Fψ Fψ →F 3
7. Fφ ⊗ ¬T 4
⊗

Example 21.6. We can give tableaux for any number of signed formulas as
assumptions. Often it is also necessary to apply more than one rule that allows
branching; and in general a tableau can have any number of branches. For
instance, consider a tableau for {T φ ∨ (ψ ∧ χ), F ( φ ∨ ψ) ∧ ( φ ∨ χ)}. We start
by applying the ∨T to the first assumption:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) Assumption

3. Tφ Tψ ∧ χ ∨T 1

Now we can apply the ∧F rule to line 2. We do this on both branches simul-
taneously, and can therefore check off line 2:

312 Release : d3a1905 (2022-12-19)

21.5. EXAMPLES OF TABLEAUX

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ Fφ ∨ χ Fφ ∨ ψ Fφ ∨ χ ∧F 2

Now we can apply ∨F to all the branches containing φ ∨ ψ:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ Fφ ∨ ψ ✓ Fφ ∨ χ ∧F 2
5. Fφ Fφ ∨F 4
6. Fψ Fψ ∨F 4
⊗

The leftmost branch is now closed. Let’s now apply ∨F to φ ∨ χ:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
5. Fφ Fφ ∨F 4
6. Fψ Fψ ∨F 4
7. ⊗ Fφ Fφ ∨F 4
8. Fχ Fχ ∨F 4
⊗

Note that we moved the result of applying ∨F a second time below for clarity.
In this instance it would not have been needed, since the justifications would
have been the same.
Two branches remain open, and Tψ ∧ χ on line 3 remains unchecked. We
apply ∧T to it to obtain a closed tableau:

Release : d3a1905 (2022-12-19) 313

 CHAPTER 21. TABLEAUX

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Tφ Tψ ∧ χ ✓ ∨T 1

4. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
5. Fφ Fφ Fφ Fφ ∨F 4
6. Fψ Fχ Fψ Fχ ∨F 4
7. ⊗ ⊗ Tψ Tψ ∧T 3
8. Tχ Tχ ∧T 3
⊗ ⊗

For comparison, here’s a closed tableau for the same set of assumptions in
which the rules are applied in a different order:

1. T φ ∨ (ψ ∧ χ) ✓ Assumption
2. F ( φ ∨ ψ) ∧ ( φ ∨ χ) ✓ Assumption

3. Fφ ∨ ψ ✓ Fφ ∨ χ ✓ ∧F 2
4. Fφ Fφ ∨F 3
5. Fψ Fχ ∨F 3

6. Tφ Tψ ∧ χ ✓ Tφ Tψ ∧ χ ✓ ∨T 1
7. ⊗ Tψ ⊗ Tψ ∧T 6
8. Tχ Tχ ∧T 6
⊗ ⊗

21.6 Tableaux with Quantifiers

Example 21.7. When dealing with quantifiers, we have to make sure not to
violate the eigenvariable condition, and sometimes this requires us to play
around with the order of carrying out certain inferences. In general, it helps
to try and take care of rules subject to the eigenvariable condition first (they
will be higher up in the finished tableau).
Let’s see how we’d give a tableau for the sentence ∃ x ¬ φ( x ) → ¬∀ x φ( x ).
Starting as usual, we start by recording the assumption,

1. F ∃ x ¬ φ( x ) → ¬∀ x φ( x ) Assumption

Since the main operator is →, we apply the →F:

314 Release : d3a1905 (2022-12-19)

21.6. TABLEAUX WITH QUANTIFIERS

1. F ∃ x ¬ φ( x ) → ¬∀ x φ( x ) ✓ Assumption
2. T ∃ x ¬ φ( x ) →F 1
3. F ¬∀ x φ( x ) →F 1

The next line to deal with is 2. We use ∃T. This requires a new constant
symbol; since no constant symbols yet occur, we can pick any one, say, a.

1. F ∃ x ¬ φ( x ) → ¬∀ x φ( x ) ✓ Assumption
2. T ∃ x ¬ φ( x ) ✓ →F 1
3. F ¬∀ x φ( x ) →F 1
4. T ¬ φ( a) ∃T 2

Now we apply ¬F to line 3:

1. F ∃ x ¬ φ( x ) → ¬∀ x φ( x ) ✓ Assumption
2. T ∃ x ¬ φ( x ) ✓ →F 1
3. F ¬∀ x φ( x ) ✓ →F 1
4. T ¬ φ( a) ∃T 2
5. T ∀ x φ( x ) ¬F 3

We obtain a closed tableau by applying ¬T to line 4, followed by ∀T to line 5.

1. F ∃ x ¬ φ( x ) → ¬∀ x φ( x ) ✓ Assumption
2. T ∃ x ¬ φ( x ) ✓ →F 1
3. F ¬∀ x φ( x ) ✓ →F 1
4. T ¬ φ( a) ∃T 2
5. T ∀ x φ( x ) ¬F 3
6. F φ( a) ¬T 4
7. T φ( a) ∀T 5
⊗

Example 21.8. Let’s see how we’d give a tableau for the set

F ∃ x χ( x, b), T ∃ x ( φ( x ) ∧ ψ( x )), T ∀ x (ψ( x ) → χ( x, b)).

Starting as usual, we start with the assumptions:

1. F ∃ x χ( x, b) Assumption
2. T ∃ x ( φ( x ) ∧ ψ( x )) Assumption
3. T ∀ x (ψ( x ) → χ( x, b)) Assumption

We should always apply a rule with the eigenvariable condition first; in this
case that would be ∃T to line 2. Since the assumptions contain the constant
symbol b, we have to use a different one; let’s pick a again.

Release : d3a1905 (2022-12-19) 315

 CHAPTER 21. TABLEAUX

1. F ∃ x χ( x, b) Assumption
2. T ∃ x ( φ( x ) ∧ ψ( x )) ✓ Assumption
3. T ∀ x (ψ( x ) → χ( x, b)) Assumption
4. T φ( a) ∧ ψ( a) ∃T 2

If we now apply ∃F to line 1 or ∀T to line 3, we have to decide which term t to

substitute for x. Since there is no eigenvariable condition for these rules, we
can pick any term we like. In some cases we may even have to apply the rule
several times with different ts. But as a general rule, it pays to pick one of the
terms already occurring in the tableau—in this case, a and b—and in this case
we can guess that a will be more likely to result in a closed branch.

1. F ∃ x χ( x, b) Assumption
2. T ∃ x ( φ( x ) ∧ ψ( x )) ✓ Assumption
3. T ∀ x (ψ( x ) → χ( x, b)) Assumption
4. T φ( a) ∧ ψ( a) ∃T 2
5. F χ( a, b) ∃F 1
6. Tψ( a) → χ( a, b) ∀T 3

We don’t check the signed formulas in lines 1 and 3, since we may have to use
them again. Now apply ∧T to line 4:

1. F ∃ x χ( x, b) Assumption
2. T ∃ x ( φ( x ) ∧ ψ( x )) ✓ Assumption
3. T ∀ x (ψ( x ) → χ( x, b)) Assumption
4. T φ( a) ∧ ψ( a) ✓ ∃T 2
5. F χ( a, b) ∃F 1
6. Tψ( a) → χ( a, b) ∀T 3
7. T φ( a) ∧T 4
8. Tψ( a) ∧T 4

If we now apply →T to line 6, the tableau closes:

1. F ∃ x χ( x, b) Assumption
2. T ∃ x ( φ( x ) ∧ ψ( x )) ✓ Assumption
3. T ∀ x (ψ( x ) → χ( x, b)) Assumption
4. T φ( a) ∧ ψ( a) ✓ ∃T 2
5. F χ( a, b) ∃F 1
6. Tψ( a) → χ( a, b) ✓ ∀T 3
7. T φ( a) ∧T 4
8. Tψ( a) ∧T 4

9. F ψ( a) Tχ( a, b) →T 6
⊗ ⊗

316 Release : d3a1905 (2022-12-19)

21.6. TABLEAUX WITH QUANTIFIERS

Example 21.9. We construct a tableau for the set

T ∀ x φ( x ), T ∀ x φ( x ) → ∃y ψ(y), T ¬∃y ψ(y).

Starting as usual, we write down the assumptions:

1. T ∀ x φ( x ) Assumption
2. T ∀ x φ( x ) → ∃y ψ(y) Assumption
3. T ¬∃y ψ(y) Assumption

We begin by applying the ¬T rule to line 3. A corollary to the rule “always

apply rules with eigenvariable conditions first” is “defer applying quantifier
rules without eigenvariable conditions until needed.” Also, defer rules that
result in a split.

1. T ∀ x φ( x ) Assumption
2. T ∀ x φ( x ) → ∃y ψ(y) Assumption
3. T ¬∃y ψ(y) ✓ Assumption
4. F ∃y ψ(y) ¬T 3

The new line 4 requires ∃F, a quantifier rule without the eigenvariable condi-
tion. So we defer this in favor of using →T on line 2.

1. T ∀ x φ( x ) Assumption
2. T ∀ x φ( x ) → ∃y ψ(y) ✓ Assumption
3. T ¬∃y ψ(y) ✓ Assumption
4. F ∃y ψ(y) ¬T 3

5. F ∀ x φ( x ) T ∃y ψ(y) →T 2

Both new signed formulas require rules with eigenvariable conditions, so these
should be next:

1. T ∀ x φ( x ) Assumption
2. T ∀ x φ( x ) → ∃y ψ(y) ✓ Assumption
3. T ¬∃y ψ(y) ✓ Assumption
4. F ∃y ψ(y) ¬T 3

5. F ∀ x φ( x ) ✓ T ∃y ψ(y) ✓ →T 2
6. F φ(b) Tψ(c) ∀F 5; ∃T 5

To close the branches, we have to use the signed formulas on lines 1 and 3.
The corresponding rules (∀T and ∃F) don’t have eigenvariable conditions, so
we are free to pick whichever terms are suitable. In this case, that’s b and c,
respectively.

Release : d3a1905 (2022-12-19) 317

 CHAPTER 21. TABLEAUX

1. T ∀ x φ( x ) Assumption
2. T ∀ x φ( x ) → ∃y ψ(y) ✓ Assumption
3. T ¬∃y ψ(y) ✓ Assumption
4. F ∃y ψ(y) ¬T 3

5. F ∀ x φ( x ) ✓ T ∃y ψ(y) ✓ →T 2
6. F φ(b) Tψ(c) ∀F 5; ∃T 5
7. T φ(b) F ψ(c) ∀T 1; ∃F 4
⊗ ⊗

21.7 Proof-Theoretic Notions

This section collects the definitions of the provability relation and con-
sistency for tableaux.

Just as we’ve defined a number of important semantic notions (validity, en-

tailment, satisfiability), we now define corresponding proof-theoretic notions.
These are not defined by appeal to satisfaction of sentences in structures, but
by appeal to the existence of certain closed tableaux. It was an important dis-
covery that these notions coincide. That they do is the content of the soundness
and completeness theorems.

Definition 21.10 (Theorems). A sentence φ is a theorem if there is a closed

tableau for F φ. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 21.11 (Derivability). A sentence φ is derivable from a set of sen-

tences Γ, Γ ⊢ φ iff there is a finite set {ψ1 , . . . , ψn } ⊆ Γ and a closed tableau
for the set
{F φ, Tψ1 , . . . , Tψn }.
If φ is not derivable from Γ we write Γ ⊬ φ.

Definition 21.12 (Consistency). A set of sentences Γ is inconsistent iff there is

a finite set {ψ1 , . . . , ψn } ⊆ Γ and a closed tableau for the set

{Tψ1 , . . . , Tψn }.

If Γ is not inconsistent, we say it is consistent.

Proposition 21.13 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. If φ ∈ Γ, { φ} is a finite subset of Γ and the tableau

318 Release : d3a1905 (2022-12-19)

21.7. PROOF-THEORETIC NOTIONS

1. Fφ Assumption
2. Tφ Assumption
⊗

is closed.

Proposition 21.14 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Proof. Any finite subset of Γ is also a finite subset of ∆.

Proposition 21.15 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. If { φ} ∪ ∆ ⊢ ψ, then there is a finite subset ∆ 0 = {χ1 , . . . , χn } ⊆ ∆ such

that

{F ψ,T φ, Tχ1 , . . . , Tχn }

has a closed tableau. If Γ ⊢ φ then there are θ1 , . . . , θm such that

{F φ,Tθ1 , . . . , Tθm }

has a closed tableau.

Now consider the tableau with assumptions

F ψ, Tχ1 , . . . , Tχn , Tθ1 , . . . , Tθm .

Apply the Cut rule on φ. This generates two branches, one has T φ in it, the
other F φ. Thus, on the one branch, all of

{F ψ, T φ, Tχ1 , . . . , Tχn }

are available. Since there is a closed tableau for these assumptions, we can
attach it to that branch; every branch through T φ closes. On the other branch,
all of
{F φ, Tθ1 , . . . , Tθm }
are available, so we can also complete the other side to obtain a closed tableau.
This shows Γ ∪ ∆ ⊢ ψ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 21.16. Γ is inconsistent iff Γ ⊢ φ for every sentence φ.

Proof. Exercise.

Proposition 21.17 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

Release : d3a1905 (2022-12-19) 319

 CHAPTER 21. TABLEAUX

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite subset Γ0 = {ψ1 , . . . , ψn } and a

closed tableau for
{F φ, Tψ1 , . . . , Tψn }
This tableau also shows Γ0 ⊢ φ.
2. If Γ is inconsistent, then for some finite subset Γ0 = {ψ1 , . . . , ψn } there is
a closed tableau for
{Tψ1 , . . . , Tψn }
This closed tableau shows that Γ0 is inconsistent.

21.8 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.
Proposition 21.18. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. There are finite Γ0 = {ψ1 , . . . , ψn } and Γ1 = {χ1 , . . . , χn } ⊆ Γ such that

{F φ,Tψ1 , . . . , Tψn }
{T φ,Tχ1 , . . . , Tχm }
have closed tableaux. Using the Cut rule on φ we can combine these into a
single closed tableau that shows Γ0 ∪ Γ1 is inconsistent. Since Γ0 ⊆ Γ and
Γ1 ⊆ Γ, Γ0 ∪ Γ1 ⊆ Γ, hence Γ is inconsistent.

Proposition 21.19. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ, i.e., there is a closed tableau for

{F φ, Tψ1 , . . . , Tψn }
Using the ¬T rule, this can be turned into a closed tableau for
{T ¬ φ, Tψ1 , . . . , Tψn }.
On the other hand, if there is a closed tableau for the latter, we can turn it
into a closed tableau of the former by removing every formula that results
from ¬T applied to the first assumption T ¬ φ as well as that assumption,
and adding the assumption F φ. For if a branch was closed before because
it contained the conclusion of ¬T applied to T ¬ φ, i.e., F φ, the corresponding
branch in the new tableau is also closed. If a branch in the old tableau was
closed because it contained the assumption T ¬ φ as well as F ¬ φ we can turn
it into a closed branch by applying ¬F to F ¬ φ to obtain T φ. This closes the
branch since we added F φ as an assumption.

320 Release : d3a1905 (2022-12-19)

21.9. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

Proposition 21.20. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Suppose Γ ⊢ φ and ¬ φ ∈ Γ. Then there are ψ1 , . . . , ψn ∈ Γ such that

{F φ, Tψ1 , . . . , Tψn }
has a closed tableau. Replace the assumption F φ by T ¬ φ, and insert the
conclusion of ¬T applied to F φ after the assumptions. Any sentence in the
tableau justified by appeal to line 1 in the old tableau is now justified by appeal
to line n + 1. So if the old tableau was closed, the new one is. It shows that Γ
is inconsistent, since all assumptions are in Γ.

Proposition 21.21. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. If there are ψ1 , . . . , ψn ∈ Γ and χ1 , . . . , χm ∈ Γ such that

{T φ,Tψ1 , . . . , Tψn } and

{T ¬ φ,Tχ1 , . . . , Tχm }
both have closed tableaux, we can construct a single, combined tableau that
shows that Γ is inconsistent by using as assumptions Tψ1 , . . . , Tψn together
with Tχ1 , . . . , Tχm , followed by an application of the Cut rule. This yields
two branches, one starting with T φ, the other with F φ.
On the left left side, add the part of the first tableau below its assumptions.
Here, every rule application is still correct, since each of the assumptions of
the first tableau, including T φ, is available. Thus, every branch below T φ
closes.
On the right side, add the part of the second tableau below its assumption,
with the results of any applications of ¬T to T ¬ φ removed. The conclusion
of ¬T to T ¬ φ is F φ, which is nevertheless available, as it is the conclusion of
the Cut rule on the right side of the combined tableau.
If a branch in the second tableau was closed because it contained the as-
sumption T ¬ φ (which no longer appears as an assumption in the combined
tableau) as well as F ¬ φ, we can applying ¬F to F ¬ φ to obtain T φ. Now
the corresponding branch in the combined tableau also closes, because it con-
tains the right-hand conclusion of the Cut rule, F φ. If a branch in the second
tableau closed for any other reason, the corresponding branch in the combined
tableau also closes, since any signed formulas other than T ¬ φ occurring on
the branch in the old, second tableau also occur on the corresponding branch
in the combined tableau.

21.9 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of tableaux is strong enough to
establish some basic facts involving the propositional connectives, such as that

Release : d3a1905 (2022-12-19) 321

 CHAPTER 21. TABLEAUX

φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are needed for the

proof of the completeness theorem.

Proposition 21.22. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ.

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. Both {F φ, T φ ∧ ψ} and {F ψ, T φ ∧ ψ} have closed tableaux

1. Fφ Assumption
2. Tφ ∧ ψ Assumption
3. Tφ ∧T 2
4. Tψ ∧T 2
⊗

1. Fψ Assumption
2. Tφ ∧ ψ Assumption
3. Tφ ∧T 2
4. Tψ ∧T 2
⊗

2. Here is a closed tableau for {T φ, Tψ, F φ ∧ ψ}:

1. Fφ ∧ ψ Assumption
2. Tφ Assumption
3. Tψ Assumption

4. Fφ Fψ ∧F 1
⊗ ⊗

Proposition 21.23. 1. { φ ∨ ψ, ¬ φ, ¬ψ} is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. We give a closed tableau of {T φ ∨ ψ, T ¬ φ, T ¬ψ}:

322 Release : d3a1905 (2022-12-19)

21.9. DERIVABILITY AND THE PROPOSITIONAL CONNECTIVES

1. Tφ ∨ ψ Assumption
2. T¬ φ Assumption
3. T ¬ψ Assumption
4. Fφ ¬T 2
5. Fψ ¬T 3

6. Tφ Tψ ∨T 1
⊗ ⊗

2. Both {F φ ∨ ψ, T φ} and {F φ ∨ ψ, Tψ} have closed tableaux:

1. Fφ ∨ ψ Assumption
2. Tφ Assumption
3. Fφ ∨F 1
4. Fψ ∨F 1
⊗

1. Fφ ∨ ψ Assumption
2. Tψ Assumption
3. Fφ ∨F 1
4. Fψ ∨F 1
⊗

Proposition 21.24. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. {F ψ, T φ → ψ, T φ} has a closed tableau:

1. Fψ Assumption
2. Tφ → ψ Assumption
3. Tφ Assumption

4. Fφ Tψ →T 2
⊗ ⊗

2. Both {F φ → ψ, T ¬ φ} and {F φ → ψ, Tψ} have closed tableaux:

Release : d3a1905 (2022-12-19) 323

 CHAPTER 21. TABLEAUX

1. Fφ → ψ Assumption
2. T¬ φ Assumption
3. Tφ →F 1
4. Fψ →F 1
5. Fφ ¬T 2
⊗

1. Fφ → ψ Assumption
2. Tψ Assumption
3. Tφ →F 1
4. Fψ →F 1
⊗

21.10 Derivability and the Quantifiers

The completeness theorem also requires that the tableaux rules yield the facts
about ⊢ established in this section.
Theorem 21.25. If c is a constant not occurring in Γ or φ( x ) and Γ ⊢ φ(c), then
Γ ⊢ ∀ x φ ( x ).

Proof. Suppose Γ ⊢ φ(c), i.e., there are ψ1 , . . . , ψn ∈ Γ and a closed tableau for
{F φ(c),Tψ1 , . . . , Tψn }.

We have to show that there is also a closed tableau for

{F ∀ x φ( x ),Tψ1 , . . . , Tψn }.
Take the closed tableau and replace the first assumption with F ∀ x φ( x ), and
insert F φ(c) after the assumptions.

F φ(c) F ∀ x φ( x )
Tψ.. 1 Tψ.. 1
. .
Tψn Tψn
F φ(c)

The tableau is still closed, since all sentences available as assumptions before
are still available at the top of the tableau. The inserted line is the result of
a correct application of ∀F, since the constant symbol c does not occur in ψ1 ,
. . . , ψn or ∀ x φ( x ), i.e., it does not occur above the inserted line in the new
tableau.

324 Release : d3a1905 (2022-12-19)

21.11. SOUNDNESS

Proposition 21.26. 1. φ(t) ⊢ ∃ x φ( x ).

2. ∀ x φ( x ) ⊢ φ(t).

Proof. 1. A closed tableau for F ∃ x φ( x ), T φ(t) is:

1. F ∃ x φ( x ) Assumption
2. T φ(t) Assumption
3. F φ(t) ∃F 1
⊗

2. A closed tableau for F φ(t), T ∀ x φ( x ), is:

1. F φ(t) Assumption
2. T ∀ x φ( x ) Assumption
3. T φ(t) ∀T 2
⊗

21.11 Soundness
A derivation system, such as tableaux, is sound if it cannot derive things that
do not actually hold. Soundness is thus a kind of guaranteed safety property
for derivation systems. Depending on which proof theoretic property is in
question, we would like to know for instance, that

1. every derivable φ is valid;

2. if a sentence is derivable from some others, it is also a consequence of

them;

3. if a set of sentences is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.
Because all these proof-theoretic properties are defined via closed tableaux
of some kind or other, proving (1)–(3) above requires proving something about
the semantic properties of closed tableaux. We will first define what it means
for a signed formula to be satisfied in a structure, and then show that if a
tableau is closed, no structure satisfies all its assumptions. (1)–(3) then follow
as corollaries from this result.

Release : d3a1905 (2022-12-19) 325

 CHAPTER 21. TABLEAUX

Definition 21.27. A structure M satisfies a signed formula T φ iff M ⊨ φ, and

it satisfies F φ iff M ⊭ φ. M satisfies a set of signed formulas Γ iff it satis-
fies every S φ ∈ Γ. Γ is satisfiable if there is a structure that satisfies it, and
unsatisfiable otherwise.

Theorem 21.28 (Soundness). If Γ has a closed tableau, Γ is unsatisfiable.

Proof. Let’s call a branch of a tableau satisfiable iff the set of signed formulas
on it is satisfiable, and let’s call a tableau satisfiable if it contains at least one
satisfiable branch.
We show the following: Extending a satisfiable tableau by one of the rules
of inference always results in a satisfiable tableau. This will prove the theo-
rem: any closed tableau results by applying rules of inference to the tableau
consisting only of assumptions from Γ. So if Γ were satisfiable, any tableau
for it would be satisfiable. A closed tableau, however, is clearly not satisfiable:
every branch contains both T φ and F φ, and no structure can both satisfy and
not satisfy φ.
Suppose we have a satisfiable tableau, i.e., a tableau with at least one sat-
isfiable branch. Applying a rule of inference either adds signed formulas to a
branch, or splits a branch in two. If the tableau has a satisfiable branch which
is not extended by the rule application in question, it remains a satisfiable
branch in the extended tableau, so the extended tableau is satisfiable. So we
only have to consider the case where a rule is applied to a satisfiable branch.
Let Γ be the set of signed formulas on that branch, and let S φ ∈ Γ be the
signed formula to which the rule is applied. If the rule does not result in a split
branch, we have to show that the extended branch, i.e., Γ together with the
conclusions of the rule, is still satisfiable. If the rule results in a split branch,
we have to show that at least one of the two resulting branches is satisfiable.
First, we consider the possible inferences that do not result in a split branch.
1. The branch is expanded by applying ¬T to T ¬ψ ∈ Γ. Then the extended
branch contains the signed formulas Γ ∪ {F ψ}. Suppose M ⊨ Γ. In
particular, M ⊨ ¬ψ. Thus, M ⊭ ψ, i.e., M satisfies F ψ.
2. The branch is expanded by applying ¬F to F ¬ψ ∈ Γ: Exercise.
3. The branch is expanded by applying ∧T to Tψ ∧ χ ∈ Γ, which results in
two new signed formulas on the branch: Tψ and Tχ. Suppose M ⊨ Γ,
in particular M ⊨ ψ ∧ χ. Then M ⊨ ψ and M ⊨ χ. This means that M
satisfies both Tψ and Tχ.
4. The branch is expanded by applying ∨F to F ψ ∨ χ ∈ Γ: Exercise.
5. The branch is expanded by applying →F to F ψ → χ ∈ Γ: This results in
two new signed formulas on the branch: Tψ and F χ. Suppose M ⊨ Γ,
in particular M ⊭ ψ → χ. Then M ⊨ ψ and M ⊭ χ. This means that M
satisfies both Tψ and F χ.

326 Release : d3a1905 (2022-12-19)

21.11. SOUNDNESS

6. The branch is expanded by applying ∀T to T ∀ x ψ( x ) ∈ Γ: This results

in a new signed formula T φ(t) on the branch. Suppose M ⊨ Γ, in par-
ticular, M ⊨ ∀ x φ( x ). By Proposition 16.30, M ⊨ φ(t). Consequently, M
satisfies T φ(t).

7. The branch is expanded by applying ∀F to F ∀ x ψ( x ) ∈ Γ: This results in

a new signed formula F φ( a) where a is a constant symbol not occurring
in Γ. Since Γ is satisfiable, there is a M such that M ⊨ Γ, in particular
M ⊭ ∀ x ψ( x ). We have to show that Γ ∪ {F φ( a)} is satisfiable. To do
this, we define a suitable M′ as follows.
By Proposition 16.18, M ⊭ ∀ x ψ( x ) iff for some s, M, s ⊭ ψ( x ). Now
′
let M′ be just like M, except aM = s( x ). By Corollary 16.20, for any
Tχ ∈ Γ, M′ ⊨ χ, and for any F χ ∈ Γ, M′ ⊭ χ, since a does not occur
in Γ.
By Proposition 16.19, M′ , s ⊭ φ( x ). By Proposition 16.22, M′ , s ⊭ φ( a).
Since φ( a) is a sentence, by Proposition 16.17, M′ ⊭ φ( a), i.e., M′ satisfies
F φ ( a ).

8. The branch is expanded by applying ∃T to T ∃ x ψ( x ) ∈ Γ: Exercise.

9. The branch is expanded by applying ∃F to F ∃ x ψ( x ) ∈ Γ: Exercise.

Now let’s consider the possible inferences that result in a split branch.

1. The branch is expanded by applying ∧F to F ψ ∧ χ ∈ Γ, which results in

two branches, a left one continuing through F ψ and a right one through
F χ. Suppose M ⊨ Γ, in particular M ⊭ ψ ∧ χ. Then M ⊭ ψ or M ⊭ χ. In
the former case, M satisfies F ψ, i.e., M satisfies the formulas on the left
branch. In the latter, M satisfies F χ, i.e., M satisfies the formulas on the
right branch.

2. The branch is expanded by applying ∨T to Tψ ∨ χ ∈ Γ: Exercise.

3. The branch is expanded by applying →T to Tψ → χ ∈ Γ: Exercise.

4. The branch is expanded by Cut: This results in two branches, one con-
taining Tψ, the other containing F ψ. Since M ⊨ Γ and either M ⊨ ψ or
M ⊭ ψ, M satisfies either the left or the right branch.

Corollary 21.29. If ⊢ φ then φ is valid.

Corollary 21.30. If Γ ⊢ φ then Γ ⊨ φ.

Proof. If Γ ⊢ φ then for some ψ1 , . . . , ψn ∈ Γ, {F φ, Tψ1 , . . . , Tψn } has a closed

tableau. By Theorem 21.28, every structure M either makes some ψi false or
makes φ true. Hence, if M ⊨ Γ then also M ⊨ φ.

Release : d3a1905 (2022-12-19) 327

 CHAPTER 21. TABLEAUX

Corollary 21.31. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then

there are ψ1 , . . . , ψn ∈ Γ and a closed tableau for {Tψ1 , . . . , Tψn }. By Theo-
rem 21.28, there is no M such that M ⊨ ψi for all i = 1, . . . , n. But then Γ is not
satisfiable.

21.12 Tableaux with Identity predicate

Tableaux with identity predicate require additional inference rules. The rules
for = are (t, t1 , and t2 are closed terms):

Tt1 = t2 Tt1 = t2
= T φ ( t1 ) F φ ( t1 )
Tt = t
=T =F
T φ ( t2 ) F φ ( t2 )

Note that in contrast to all the other rules, =T and =F require that two
signed formulas already appear on the branch, namely both Tt1 = t2 and
S φ ( t1 ).

Example 21.32. If s and t are closed terms, then s = t, φ(s) ⊢ φ(t):

1. F φ(t) Assumption
2. Ts = t Assumption
3. T φ(s) Assumption
4. T φ(t) =T 2, 3
⊗

This may be familiar as the principle of substitutability of identicals, or Leib-

niz’ Law.
Tableaux prove that = is symmetric, i.e., that s1 = s2 ⊢ s2 = s1 :

1. F s2 = s1 Assumption
2. Ts1 = s2 Assumption
3. Ts1 = s1 =
4. Ts2 = s1 =T 2, 3
⊗

Here, line 2 is the first prerequisite formula Ts1 = s2 of =T. Line 3 is the
second one, of the form T φ(s2 )—think of φ( x ) as x = s1 , then φ(s1 ) is s1 = s1
and φ(s2 ) is s2 = s1 .
They also prove that = is transitive, i.e., that s1 = s2 , s2 = s3 ⊢ s1 = s3 :

328 Release : d3a1905 (2022-12-19)

21.13. SOUNDNESS WITH IDENTITY PREDICATE

1. F s1 = s3 Assumption
2. Ts1 = s2 Assumption
3. Ts2 = s3 Assumption
4. Ts1 = s3 =T 3, 2
⊗

In this tableau, the first prerequisite formula of =T is line 3, Ts2 = s3 (s2 plays
the role of t1 , and s3 the role of t2 ). The second prerequisite, of the form T φ(s2 )
is line 2. Here, think of φ( x ) as s1 = x; that makes φ(s2 ) into t1 = t2 (i.e., line 2)
and φ(s3 ) into the formula s1 = s3 in the conclusion.

21.13 Soundness with Identity predicate

Proposition 21.33. Tableaux with rules for identity are sound: no closed tableau is
satisfiable.

Proof. We just have to show as before that if a tableau has a satisfiable branch,
the branch resulting from applying one of the rules for = to it is also satisfi-
able. Let Γ be the set of signed formulas on the branch, and let M be a struc-
ture satisfying Γ.
Suppose the branch is expanded using =, i.e., by adding the signed for-
mula Tt = t. Trivially, M ⊨ t = t, so M also satisfies Γ ∪ {Tt = t}.
If the branch is expanded using =T, we add a signed formula S φ(t2 ),
but Γ contains both Tt1 = t2 and T φ(t1 ). Thus we have M ⊨ t1 = t2 and
M ⊨ φ(t1 ). Let s be a variable assignment with s( x ) = ValM (t1 ). By Propo-
sition 16.17, M, s ⊨ φ(t1 ). Since s ∼ x s, by Proposition 16.22, M, s ⊨ φ( x ).
since M ⊨ t1 = t2 , we have ValM (t1 ) = ValM (t2 ), and hence s( x ) = ValM (t2 ).
By applying Proposition 16.22 again, we also have M, s ⊨ φ(t2 ). By Proposi-
tion 16.17, M ⊨ φ(t2 ). The case of =F is treated similarly.

Problems
Problem 21.1. Give closed tableaux of the following:

1. T φ ∧ (ψ ∧ χ), F ( φ ∧ ψ) ∧ χ.

2. T φ ∨ (ψ ∨ χ), F ( φ ∨ ψ) ∨ χ.

3. T φ → (ψ → χ), F ψ → ( φ → χ).

4. T φ, F ¬¬ φ.

Problem 21.2. Give closed tableaux of the following:

1. T ( φ ∨ ψ) → χ, F φ → χ.

Release : d3a1905 (2022-12-19) 329

 CHAPTER 21. TABLEAUX

2. T ( φ → χ) ∧ (ψ → χ), F ( φ ∨ ψ) → χ.

3. F ¬( φ ∧ ¬ φ).

4. Tψ → φ, F ¬ φ → ¬ψ.

5. F ( φ → ¬ φ) → ¬ φ.

6. F ¬( φ → ψ) → ¬ψ.

7. T φ → χ, F ¬( φ ∧ ¬χ).

8. T φ ∧ ¬χ, F ¬( φ → χ).

9. T φ ∨ ψ, ¬ψ, F φ.

10. T ¬ φ ∨ ¬ψ, F ¬( φ ∧ ψ).

11. F (¬ φ ∧ ¬ψ) → ¬( φ ∨ ψ).

12. F ¬( φ ∨ ψ) → (¬ φ ∧ ¬ψ).

Problem 21.3. Give closed tableaux of the following:

1. T ¬( φ → ψ), F φ.

2. T ¬( φ ∧ ψ), F ¬ φ ∨ ¬ψ.

3. T φ → ψ, F ¬ φ ∨ ψ.

4. F ¬¬ φ → φ.

5. T φ → ψ, T ¬ φ → ψ, F ψ.

6. T ( φ ∧ ψ) → χ, F ( φ → χ) ∨ (ψ → χ).

7. T ( φ → ψ) → φ, F φ.

8. F ( φ → ψ) ∨ (ψ → χ).

Problem 21.4. Give closed tableaux of the following:

1. F (∀ x φ( x ) ∧ ∀y ψ(y)) → ∀z ( φ(z) ∧ ψ(z)).

2. F (∃ x φ( x ) ∨ ∃y ψ(y)) → ∃z ( φ(z) ∨ ψ(z)).

3. T ∀ x ( φ( x ) → ψ), F ∃y φ(y) → ψ.

4. T ∀ x ¬ φ( x ), F ¬∃ x φ( x ).

5. F ¬∃ x φ( x ) → ∀ x ¬ φ( x ).

6. F ¬∃ x ∀y (( φ( x, y) → ¬ φ(y, y)) ∧ (¬ φ(y, y) → φ( x, y))).

330 Release : d3a1905 (2022-12-19)

21.13. SOUNDNESS WITH IDENTITY PREDICATE

Problem 21.5. Give closed tableaux of the following:

1. F ¬∀ x φ( x ) → ∃ x ¬ φ( x ).

2. T (∀ x φ( x ) → ψ), F ∃y ( φ(y) → ψ).

3. F ∃ x ( φ( x ) → ∀y φ(y)).

Problem 21.6. Prove Proposition 21.16

Problem 21.7. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 21.8. Complete the proof of Theorem 21.28.

Problem 21.9. Give closed tableaux for the following:

1. F ∀ x ∀y (( x = y ∧ φ( x )) → φ(y))

2. F ∃ x ( φ( x ) ∧ ∀y ( φ(y) → y = x )),
T ∃ x φ( x ) ∧ ∀y ∀z (( φ(y) ∧ φ(z)) → y = z)

Release : d3a1905 (2022-12-19) 331

Chapter 22

Axiomatic Derivations

No effort has been made yet to ensure that the material in this chap-
ter respects various tags indicating which connectives and quantifiers are
primitive or defined: all are assumed to be primitive, except ↔ which is
assumed to be defined. If the FOL tag is true, we produce a version with
quantifiers, otherwise without.

22.1 Rules and Derivations

Axiomatic derivations are perhaps the simplest derivation system for logic.
A derivation is just a sequence of formulas. To count as a derivation, every
formula in the sequence must either be an instance of an axiom, or must fol-
low from one or more formulas that precede it in the sequence by a rule of
inference. A derivation derives its last formula.

Definition 22.1 (Derivability). If Γ is a set of formulas of L then a derivation

from Γ is a finite sequence φ1 , . . . , φn of formulas where for each i ≤ n one of
the following holds:

1. φi ∈ Γ; or

2. φi is an axiom; or

3. φi follows from some φ j (and φk ) with j < i (and k < i) by a rule of

inference.

What counts as a correct derivation depends on which inference rules we

allow (and of course what we take to be axioms). And an inference rule is
an if-then statement that tells us that, under certain conditions, a step Ai in
a derivation is a correct inference step.

332
22.1. RULES AND DERIVATIONS

Definition 22.2 (Rule of inference). A rule of inference gives a sufficient con-

dition for what counts as a correct inference step in a derivation from Γ.

For instance, since any one-element sequence φ with φ ∈ Γ trivially counts

as a derivation, the following might be a very simple rule of inference:

If φ ∈ Γ, then φ is always a correct inference step in any derivation

from Γ.

Similarly, if φ is one of the axioms, then φ by itself is a derivation, and so this

is also a rule of inference:

If φ is an axiom, then φ is a correct inference step.

It gets more interesting if the rule of inference appeals to formulas that appear
before the step considered. The following rule is called modus ponens:

If ψ → φ and ψ occur higher up in the derivation, then φ is a correct

inference step.

If this is the only rule of inference, then our definition of derivation above
amounts to this: φ1 , . . . , φn is a derivation iff for each i ≤ n one of the follow-
ing holds:

1. φi ∈ Γ; or

2. φi is an axiom; or

3. for some j < i, φ j is ψ → φi , and for some k < i, φk is ψ.

The last clause says that φi follows from φ j (ψ) and φk (ψ → φi ) by modus
ponens. If we can go from 1 to n, and each time we find a formula φi that is
either in Γ, an axiom, or which a rule of inference tells us that it is a correct
inference step, then the entire sequence counts as a correct derivation.

Definition 22.3 (Derivability). A formula φ is derivable from Γ, written Γ ⊢ φ,

if there is a derivation from Γ ending in φ.

Definition 22.4 (Theorems). A formula φ is a theorem if there is a derivation

of φ from the empty set. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Release : d3a1905 (2022-12-19) 333

 CHAPTER 22. AXIOMATIC DERIVATIONS

22.2 Axiom and Rules for the Propositional Connectives

Definition 22.5 (Axioms). The set of Ax0 of axioms for the propositional con-
nectives comprises all formulas of the following forms:

( φ ∧ ψ) → φ (22.1)
( φ ∧ ψ) → ψ (22.2)
φ → (ψ → ( φ ∧ ψ)) (22.3)
φ → ( φ ∨ ψ) (22.4)
φ → (ψ ∨ φ) (22.5)
( φ → χ) → ((ψ → χ) → (( φ ∨ ψ) → χ)) (22.6)
φ → (ψ → φ) (22.7)
( φ → (ψ → χ)) → (( φ → ψ) → ( φ → χ)) (22.8)
( φ → ψ) → (( φ → ¬ψ) → ¬ φ) (22.9)
¬ φ → ( φ → ψ) (22.10)
⊤ (22.11)
⊥→φ (22.12)
( φ → ⊥) → ¬ φ (22.13)
¬¬ φ → φ (22.14)

Definition 22.6 (Modus ponens). If ψ and ψ → φ already occur in a deriva-

tion, then φ is a correct inference step.

We’ll abbreviate the rule modus ponens as “MP.”

22.3 Axioms and Rules for Quantifiers

Definition 22.7 (Axioms for quantifiers). The axioms governing quantifiers are
all instances of the following:

∀ x ψ → ψ ( t ), (22.15)
ψ(t) → ∃ x ψ. (22.16)

for any closed term t.

Definition 22.8 (Rules for quantifiers).

If ψ → φ( a) already occurs in the derivation and a does not occur in Γ or ψ,
then ψ → ∀ x φ( x ) is a correct inference step.
If φ( a) → ψ already occurs in the derivation and a does not occur in Γ or ψ,
then ∃ x φ( x ) → ψ is a correct inference step.

We’ll abbreviate either of these by “QR.”

334 Release : d3a1905 (2022-12-19)

22.4. EXAMPLES OF DERIVATIONS

22.4 Examples of Derivations

Example 22.9. Suppose we want to prove (¬θ ∨ α) → (θ → α). Clearly, this is
not an instance of any of our axioms, so we have to use the MP rule to derive
it. Our only rule is MP, which given φ and φ → ψ allows us to justify ψ. One
strategy would be to use eq. (22.6) with φ being ¬θ, ψ being α, and χ being
θ → α, i.e., the instance

(¬θ → (θ → α)) → ((α → (θ → α)) → ((¬θ ∨ α) → (θ → α))).

Why? Two applications of MP yield the last part, which is what we want. And
we easily see that ¬θ → (θ → α) is an instance of eq. (22.10), and α → (θ → α)
is an instance of eq. (22.7). So our derivation is:

1. ¬θ → (θ → α) eq. (22.10)
2. (¬θ → (θ → α)) →
((α → (θ → α)) → ((¬θ ∨ α) → (θ → α))) eq. (22.6)
3. ((α → (θ → α)) → ((¬θ ∨ α) → (θ → α)) 1, 2, MP
4. α → (θ → α) eq. (22.7)
5. (¬θ ∨ α) → (θ → α) 3, 4, MP

Example 22.10. Let’s try to find a derivation of θ → θ. It is not an instance

of an axiom, so we have to use MP to derive it. eq. (22.7) is an axiom of the
form φ → ψ to which we could apply MP. To be useful, of course, the ψ which
MP would justify as a correct step in this case would have to be θ → θ, since
this is what we want to derive. That means φ would also have to be θ, i.e., we
might look at this instance of eq. (22.7):

θ → (θ → θ )

In order to apply MP, we would also need to justify the corresponding second
premise, namely φ. But in our case, that would be θ, and we won’t be able to
derive θ by itself. So we need a different strategy.
The other axiom involving just → is eq. (22.8), i.e.,

( φ → (ψ → χ)) → (( φ → ψ) → ( φ → χ))

We could get to the last nested conditional by applying MP twice. Again, that
would mean that we want an instance of eq. (22.8) where φ → χ is θ → θ, the
formula we are aiming for. Then of course, φ and χ are both θ. How should
we pick ψ so that both φ → (ψ → χ) and φ → ψ, i.e., in our case θ → (ψ → θ )
and θ → ψ, are also derivable? Well, the first of these is already an instance of
eq. (22.7), whatever we decide ψ to be. And θ → ψ would be another instance
of eq. (22.7) if ψ were (θ → θ ). So, our derivation is:

Release : d3a1905 (2022-12-19) 335

 CHAPTER 22. AXIOMATIC DERIVATIONS

1. θ → ((θ → θ ) → θ ) eq. (22.7)

2. (θ → ((θ → θ ) → θ )) →
((θ → (θ → θ )) → (θ → θ )) eq. (22.8)
3. (θ → (θ → θ )) → (θ → θ ) 1, 2, MP
4. θ → (θ → θ ) eq. (22.7)
5. θ→θ 3, 4, MP

Example 22.11. Sometimes we want to show that there is a derivation of some

formula from some other formulas Γ. For instance, let’s show that we can
derive φ → χ from Γ = { φ → ψ, ψ → χ}.

1. φ→ψ H YP
2. ψ→χ H YP
3. (ψ → χ) → ( φ → (ψ → χ)) eq. (22.7)
4. φ → (ψ → χ) 2, 3, MP
5. ( φ → (ψ → χ)) →
(( φ → ψ) → ( φ → χ)) eq. (22.8)
6. (( φ → ψ) → ( φ → χ)) 4, 5, MP
7. φ→χ 1, 6, MP

The lines labelled “H YP” (for “hypothesis”) indicate that the formula on that
line is an element of Γ.

Proposition 22.12. If Γ ⊢ φ → ψ and Γ ⊢ ψ → χ, then Γ ⊢ φ → χ

Proof. Suppose Γ ⊢ φ → ψ and Γ ⊢ ψ → χ. Then there is a derivation of φ → ψ

from Γ; and a derivation of ψ → χ from Γ as well. Combine these into a single
derivation by concatenating them. Now add lines 3–7 of the derivation in the
preceding example. This is a derivation of φ → χ—which is the last line of the
new derivation—from Γ. Note that the justifications of lines 4 and 7 remain
valid if the reference to line number 2 is replaced by reference to the last line
of the derivation of φ → ψ, and reference to line number 1 by reference to the
last line of the derivation of B → χ.

22.5 Derivations with Quantifiers

Example 22.13. Let us give a derivation of (∀ x φ( x ) ∧ ∀y ψ(y)) → ∀ x ( φ( x ) ∧
ψ( x )).
First, note that

(∀ x φ( x ) ∧ ∀y ψ(y)) → ∀ x φ( x )

is an instance of eq. (22.1), and

∀ x φ( x ) → φ( a)

336 Release : d3a1905 (2022-12-19)

22.6. PROOF-THEORETIC NOTIONS

of eq. (22.15). So, by Proposition 22.12, we know that

(∀ x φ( x ) ∧ ∀y ψ(y)) → φ( a)

is derivable. Likewise, since

(∀ x φ( x ) ∧ ∀y ψ(y)) → ∀y ψ(y) and

∀y ψ(y) → ψ( a)

are instances of eq. (22.2) and eq. (22.15), respectively,

(∀ x φ( x ) ∧ ∀y ψ(y)) → ψ( a)

is derivable by Proposition 22.12. Using an appropriate instance of eq. (22.3)

and two applications of MP, we see that

(∀ x φ( x ) ∧ ∀y ψ(y)) → ( φ( a) ∧ ψ( a))

is derivable. We can now apply QR to obtain

(∀ x φ( x ) ∧ ∀y ψ(y)) → ∀ x ( φ( x ) ∧ ψ( x )).

22.6 Proof-Theoretic Notions

Just as we’ve defined a number of important semantic notions (validity, entail-
ment, satisfiabilty), we now define corresponding proof-theoretic notions. These
are not defined by appeal to satisfaction of sentences in structures, but by ap-
peal to the derivability or non-derivability of certain formulas. It was an im-
portant discovery that these notions coincide. That they do is the content of
the soundness and completeness theorems.

Definition 22.14 (Derivability). A formula φ is derivable from Γ, written Γ ⊢

φ, if there is a derivation from Γ ending in φ.

Definition 22.15 (Theorems). A formula φ is a theorem if there is a derivation

of φ from the empty set. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Definition 22.16 (Consistency). A set Γ of formulas is consistent if and only if

Γ ⊬ ⊥; it is inconsistent otherwise.

Proposition 22.17 (Reflexivity). If φ ∈ Γ, then Γ ⊢ φ.

Proof. The formula φ by itself is a derivation of φ from Γ.

Proposition 22.18 (Monotonicity). If Γ ⊆ ∆ and Γ ⊢ φ, then ∆ ⊢ φ.

Release : d3a1905 (2022-12-19) 337

 CHAPTER 22. AXIOMATIC DERIVATIONS

Proof. Any derivation of φ from Γ is also a derivation of φ from ∆.

Proposition 22.19 (Transitivity). If Γ ⊢ φ and { φ} ∪ ∆ ⊢ ψ, then Γ ∪ ∆ ⊢ ψ.

Proof. Suppose { φ} ∪ ∆ ⊢ ψ. Then there is a derivation ψ1 , . . . , ψl = ψ

from { φ} ∪ ∆. Some of the steps in that derivation will be correct because
of a rule which refers to a prior line ψi = φ. By hypothesis, there is a deriva-
tion of φ from Γ, i.e., a derivation φ1 , . . . , φk = φ where every φi is an axiom,
an element of Γ, or correct by a rule of inference. Now consider the sequence

φ1 , . . . , φk = φ, ψ1 , . . . , ψl = ψ.

This is a correct derivation of ψ from Γ ∪ ∆ since every Bi = φ is now justified

by the same rule which justifies φk = φ.

Note that this means that in particular if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. It

follows also that if φ1 , . . . , φn ⊢ ψ and Γ ⊢ φi for each i, then Γ ⊢ ψ.

Proposition 22.20. Γ is inconsistent iff Γ ⊢ φ for every φ.

Proof. Exercise.

Proposition 22.21 (Compactness). 1. If Γ ⊢ φ then there is a finite subset

Γ0 ⊆ Γ such that Γ0 ⊢ φ.

2. If every finite subset of Γ is consistent, then Γ is consistent.

Proof. 1. If Γ ⊢ φ, then there is a finite sequence of formulas φ1 , . . . , φn so

that φ ≡ φn and each φi is either a logical axiom, an element of Γ or
follows from previous formulas by modus ponens. Take Γ0 to be those
φi which are in Γ. Then the derivation is likewise a derivation from Γ0 ,
and so Γ0 ⊢ φ.

2. This is the contrapositive of (1) for the special case φ ≡ ⊥.

22.7 The Deduction Theorem

As we’ve seen, giving derivations in an axiomatic system is cumbersome, and
derivations may be hard to find. Rather than actually write out long lists of
formulas, it is generally easier to argue that such derivations exist, by mak-
ing use of a few simple results. We’ve already established three such results:
Proposition 22.17 says we can always assert that Γ ⊢ φ when we know that
φ ∈ Γ. Proposition 22.18 says that if Γ ⊢ φ then also Γ ∪ {ψ} ⊢ φ. And
Proposition 22.19 implies that if Γ ⊢ φ and φ ⊢ ψ, then Γ ⊢ ψ. Here’s another
simple result, a “meta”-version of modus ponens:

338 Release : d3a1905 (2022-12-19)

22.7. THE DEDUCTION THEOREM

Proposition 22.22. If Γ ⊢ φ and Γ ⊢ φ → ψ, then Γ ⊢ ψ.

Proof. We have that { φ, φ → ψ} ⊢ ψ:

1. φ Hyp.
2. φ→ψ Hyp.
3. ψ 1, 2, MP

By Proposition 22.19, Γ ⊢ ψ.

The most important result we’ll use in this context is the deduction theo-
rem:

Theorem 22.23 (Deduction Theorem). Γ ∪ { φ} ⊢ ψ if and only if Γ ⊢ φ → ψ.

Proof. The “if” direction is immediate. If Γ ⊢ φ → ψ then also Γ ∪ { φ} ⊢

φ → ψ by Proposition 22.18. Also, Γ ∪ { φ} ⊢ φ by Proposition 22.17. So, by
Proposition 22.22, Γ ∪ { φ} ⊢ ψ.
For the “only if” direction, we proceed by induction on the length of the
derivation of ψ from Γ ∪ { φ}.
For the induction basis, we prove the claim for every derivation of length 1.
A derivation of ψ from Γ ∪ { φ} of length 1 consists of ψ by itself; and if it is
correct ψ is either ∈ Γ ∪ { φ} or is an axiom. If ψ ∈ Γ or is an axiom, then
Γ ⊢ ψ. We also have that Γ ⊢ ψ → ( φ → ψ) by eq. (22.7), and Proposition 22.22
gives Γ ⊢ φ → ψ. If ψ ∈ { φ} then Γ ⊢ φ → ψ because then last sentence φ → ψ
is the same as φ → φ, and we have derived that in Example 22.10.
For the inductive step, suppose a derivation of ψ from Γ ∪ { φ} ends with
a step ψ which is justified by modus ponens. (If it is not justified by modus
ponens, ψ ∈ Γ, ψ ≡ φ, or ψ is an axiom, and the same reasoning as in the
induction basis applies.) Then some previous steps in the derivation are χ → ψ
and χ, for some formula χ, i.e., Γ ∪ { φ} ⊢ χ → ψ and Γ ∪ { φ} ⊢ χ, and the
respective derivations are shorter, so the inductive hypothesis applies to them.
We thus have both:

Γ ⊢ φ → ( χ → ψ );
Γ ⊢ φ → χ.

But also
Γ ⊢ ( φ → (χ → ψ)) → (( φ → χ) → ( φ → ψ)),
by eq. (22.8), and two applications of Proposition 22.22 give Γ ⊢ φ → ψ, as
required.

Notice how eq. (22.7) and eq. (22.8) were chosen precisely so that the De-
duction Theorem would hold.
The following are some useful facts about derivability, which we leave as
exercises.

Release : d3a1905 (2022-12-19) 339

 CHAPTER 22. AXIOMATIC DERIVATIONS

Proposition 22.24. 1. ⊢ ( φ → ψ) → ((ψ → χ) → ( φ → χ);

2. If Γ ∪ {¬ φ} ⊢ ¬ψ then Γ ∪ {ψ} ⊢ φ (Contraposition);
3. { φ, ¬ φ} ⊢ ψ (Ex Falso Quodlibet, Explosion);
4. {¬¬ φ} ⊢ φ (Double Negation Elimination);
5. If Γ ⊢ ¬¬ φ then Γ ⊢ φ;

22.8 The Deduction Theorem with Quantifiers

Theorem 22.25 (Deduction Theorem). If Γ ∪ { φ} ⊢ ψ, then Γ ⊢ φ → ψ.

Proof. We again proceed by induction on the length of the derivation of ψ from

Γ ∪ { φ }.
The proof of the induction basis is identical to that in the proof of Theo-
rem 22.23.
For the inductive step, suppose again that the derivation of ψ from Γ ∪ { φ}
ends with a step ψ which is justified by an inference rule. If the inference rule
is modus ponens, we proceed as in the proof of Theorem 22.23. If the inference
rule is QR, we know that ψ ≡ χ → ∀ x θ ( x ) and a formula of the form χ → θ ( a)
appears earlier in the derivation, where a does not occur in χ, φ, or Γ. We thus
have that

Γ ∪ { φ } ⊢ χ → θ ( a ),

and the induction hypothesis applies, i.e., we have that

Γ ⊢ φ → (χ → θ ( a)).

By

⊢ ( φ → (χ → θ ( a))) → (( φ ∧ χ) → θ ( a))

and modus ponens we get

Γ ⊢ ( φ ∧ χ ) → θ ( a ).

Since the eigenvariable condition still applies, we can add a step to this deriva-
tion justified by QR, and get

Γ ⊢ ( φ ∧ χ ) → ∀ x θ ( x ).

We also have

⊢ (( φ ∧ χ) → ∀ x θ ( x )) → ( φ → (χ → ∀ x θ ( x )),

340 Release : d3a1905 (2022-12-19)

22.9. DERIVABILITY AND CONSISTENCY

so by modus ponens,

Γ ⊢ φ → (χ → ∀ x θ ( x )),

i.e., Γ ⊢ ψ.
We leave the case where ψ is justified by the rule QR, but is of the form
∃ x θ ( x ) → χ, as an exercise.

22.9 Derivability and Consistency

We will now establish a number of properties of the derivability relation. They
are independently interesting, but each will play a role in the proof of the
completeness theorem.

Proposition 22.26. If Γ ⊢ φ and Γ ∪ { φ} is inconsistent, then Γ is inconsistent.

Proof. If Γ ∪ { φ} is inconsistent, then Γ ∪ { φ} ⊢ ⊥. By Proposition 22.17,

Γ ⊢ ψ for every ψ ∈ Γ. Since also Γ ⊢ φ by hypothesis, Γ ⊢ ψ for every
ψ ∈ Γ ∪ { φ}. By Proposition 22.19, Γ ⊢ ⊥, i.e., Γ is inconsistent.

Proposition 22.27. Γ ⊢ φ iff Γ ∪ {¬ φ} is inconsistent.

Proof. First suppose Γ ⊢ φ. Then Γ ∪ {¬ φ} ⊢ φ by Proposition 22.18. Γ ∪

{¬ φ} ⊢ ¬ φ by Proposition 22.17. We also have ⊢ ¬ φ → ( φ → ⊥) by eq. (22.10).
So by two applications of Proposition 22.22, we have Γ ∪ {¬ φ} ⊢ ⊥.
Now assume Γ ∪ {¬ φ} is inconsistent, i.e., Γ ∪ {¬ φ} ⊢ ⊥. By the deduc-
tion theorem, Γ ⊢ ¬ φ → ⊥. Γ ⊢ (¬ φ → ⊥) → ¬¬ φ by eq. (22.13), so Γ ⊢ ¬¬ φ
by Proposition 22.22. Since Γ ⊢ ¬¬ φ → φ (eq. (22.14)), we have Γ ⊢ φ by
Proposition 22.22 again.

Proposition 22.28. If Γ ⊢ φ and ¬ φ ∈ Γ, then Γ is inconsistent.

Proof. Γ ⊢ ¬ φ → ( φ → ⊥) by eq. (22.10). Γ ⊢ ⊥ by two applications of Propo-

sition 22.22.

Proposition 22.29. If Γ ∪ { φ} and Γ ∪ {¬ φ} are both inconsistent, then Γ is in-

consistent.

Proof. Exercise.

Release : d3a1905 (2022-12-19) 341

 CHAPTER 22. AXIOMATIC DERIVATIONS

22.10 Derivability and the Propositional Connectives

We establish that the derivability relation ⊢ of axiomatic deduction is strong
enough to establish some basic facts involving the propositional connectives,
such as that φ ∧ ψ ⊢ φ and φ, φ → ψ ⊢ ψ (modus ponens). These facts are
needed for the proof of the completeness theorem.

Proposition 22.30. 1. Both φ ∧ ψ ⊢ φ and φ ∧ ψ ⊢ ψ

2. φ, ψ ⊢ φ ∧ ψ.

Proof. 1. From eq. (22.1) and eq. (22.1) by modus ponens.

2. From eq. (22.3) by two applications of modus ponens.

Proposition 22.31. 1. φ ∨ ψ, ¬ φ, ¬ψ is inconsistent.

2. Both φ ⊢ φ ∨ ψ and ψ ⊢ φ ∨ ψ.

Proof. 1. From eq. (22.9) we get ⊢ ¬ φ → ( φ → ⊥) and ⊢ ¬ψ → (ψ → ⊥).

So by the deduction theorem, we have {¬ φ} ⊢ φ → ⊥ and {¬ψ} ⊢ ψ →
⊥. From eq. (22.6) we get {¬ φ, ¬ψ} ⊢ ( φ ∨ ψ) → ⊥. By the deduction
theorem, { φ ∨ ψ, ¬ φ, ¬ψ} ⊢ ⊥.

2. From eq. (22.4) and eq. (22.5) by modus ponsens.

Proposition 22.32. 1. φ, φ → ψ ⊢ ψ.

2. Both ¬ φ ⊢ φ → ψ and ψ ⊢ φ → ψ.

Proof. 1. We can derive:

1. φ H YP
2. φ→ψ H YP
3. ψ 1, 2, MP

2. By eq. (22.10) and eq. (22.7) and the deduction theorem, respectively.

342 Release : d3a1905 (2022-12-19)

22.11. DERIVABILITY AND THE QUANTIFIERS

22.11 Derivability and the Quantifiers

The completeness theorem also requires that axiomatic deductions yield the
facts about ⊢ established in this section.

Theorem 22.33. If c is a constant symbol not occurring in Γ or φ( x ) and Γ ⊢ φ(c),

then Γ ⊢ ∀ x φ( x ).

Proof. By the deduction theorem, Γ ⊢ ⊤ → φ(c). Since c does not occur in Γ

or ⊤, we get Γ ⊢ ⊤ → φ(c). By the deduction theorem again, Γ ⊢ ∀ x φ( x ).

Proposition 22.34. 1. φ(t) ⊢ ∃ x φ( x ).

2. ∀ x φ( x ) ⊢ φ(t).

Proof. 1. By eq. (22.16) and the deduction theorem.

2. By eq. (22.15) and the deduction theorem.

22.12 Soundness
A derivation system, such as axiomatic deduction, is sound if it cannot de-
rive things that do not actually hold. Soundness is thus a kind of guaranteed
safety property for derivation systems. Depending on which proof theoretic
property is in question, we would like to know for instance, that

1. every derivable φ is valid;

2. if φ is derivable from some others Γ, it is also a consequence of them;

3. if a set of formulas Γ is inconsistent, it is unsatisfiable.

These are important properties of a derivation system. If any of them do not

hold, the derivation system is deficient—it would derive too much. Conse-
quently, establishing the soundness of a derivation system is of the utmost
importance.

Proposition 22.35. If φ is an axiom, then M, s ⊨ φ for each structure M and as-

signment s.

Proof. We have to verify that all the axioms are valid. For instance, here is the
case for eq. (22.15): suppose t is free for x in φ, and assume M, s ⊨ ∀ x φ. Then
by definition of satisfaction, for each s′ ∼ x s, also M, s′ ⊨ φ, and in particular
this holds when s′ ( x ) = ValMs ( t ). By Proposition 16.22, M, s ⊨ φ [ t/x ]. This
shows that M, s ⊨ (∀ x φ → φ[t/x ]).

Theorem 22.36 (Soundness). If Γ ⊢ φ then Γ ⊨ φ.

Release : d3a1905 (2022-12-19) 343

 CHAPTER 22. AXIOMATIC DERIVATIONS

Proof. By induction on the length of the derivation of φ from Γ. If there are

no steps justified by inferences, then all formulas in the derivation are either
instances of axioms or are in Γ. By the previous proposition, all the axioms
are valid, and hence if φ is an axiom then Γ ⊨ φ. If φ ∈ Γ, then trivially Γ ⊨ φ.
If the last step of the derivation of φ is justified by modus ponens, then
there are formulas ψ and ψ → φ in the derivation, and the induction hypoth-
esis applies to the part of the derivation ending in those formulas (since they
contain at least one fewer steps justified by an inference). So, by induction
hypothesis, Γ ⊨ ψ and Γ ⊨ ψ → φ. Then Γ ⊨ φ by Theorem 16.29.
Now suppose the last step is justified by QR. Then that step has the form
χ → ∀ x B( x ) and there is a preceding step χ → ψ(c) with c not in Γ, χ, or
∀ x B( x ). By induction hypothesis, Γ ⊨ χ → ∀ x B( x ). By Theorem 16.29, Γ ∪
{ χ } ⊨ ψ ( c ).
Consider some structure M such that M ⊨ Γ ∪ {χ}. We need to show that
M ⊨ ∀ x ψ( x ). Since ∀ x ψ( x ) is a sentence, this means we have to show that for
every variable assignment s, M, s ⊨ ψ( x ) (Proposition 16.18). Since Γ ∪ {χ}
consists entirely of sentences, M, s ⊨ θ for all θ ∈ Γ by Definition 16.11. Let
′
M′ be like M except that cM = s( x ). Since c does not occur in Γ or χ, M′ ⊨
Γ ∪ {χ} by Corollary 16.20. Since Γ ∪ {χ} ⊨ ψ(c), M′ ⊨ B(c). Since ψ(c) is
a sentence, M, s ⊨ ψ(c) by Proposition 16.17. M′ , s ⊨ ψ( x ) iff M′ ⊨ ψ(c) by
Proposition 16.22 (recall that ψ(c) is just ψ( x )[c/x ]). So, M′ , s ⊨ ψ( x ). Since
c does not occur in ψ( x ), by Proposition 16.19, M, s ⊨ ψ( x ). But s was an
arbitrary variable assignment, so M ⊨ ∀ x ψ( x ). Thus Γ ∪ {χ} ⊨ ∀ x ψ( x ). By
Theorem 16.29, Γ ⊨ χ → ∀ x ψ( x ).
The case where φ is justified by QR but is of the form ∃ x ψ( x ) → χ is left as
an exercise.

Corollary 22.37. If ⊢ φ, then φ is valid.

Corollary 22.38. If Γ is satisfiable, then it is consistent.

Proof. We prove the contrapositive. Suppose that Γ is not consistent. Then Γ ⊢

⊥, i.e., there is a derivation of ⊥ from Γ. By Theorem 22.36, any structure M
that satisfies Γ must satisfy ⊥. Since M ⊭ ⊥ for every structure M, no M can
satisfy Γ, i.e., Γ is not satisfiable.

22.13 Derivations with Identity predicate

In order to accommodate = in derivations, we simply add new axiom schemas.
The definition of derivation and ⊢ remains the same, we just also allow the
new axioms.

344 Release : d3a1905 (2022-12-19)

22.13. DERIVATIONS WITH IDENTITY PREDICATE

Definition 22.39 (Axioms for identity predicate).

t = t, (22.17)
t1 = t2 → (ψ(t1 ) → ψ(t2 )), (22.18)

for any closed terms t, t1 , t2 .

Proposition 22.40. The axioms eq. (22.17) and eq. (22.18) are valid.

Proof. Exercise.

Proposition 22.41. Γ ⊢ t = t, for any term t and set Γ.

Proposition 22.42. If Γ ⊢ φ(t1 ) and Γ ⊢ t1 = t2 , then Γ ⊢ φ(t2 ).

Proof. The formula

(t1 = t2 → ( φ(t1 ) → φ(t2 )))
is an instance of eq. (22.18). The conclusion follows by two applications of MP.

Problems
Problem 22.1. Show that the following hold by exhibiting derivations from
the axioms:

1. ( φ ∧ ψ) → (ψ ∧ φ)

2. (( φ ∧ ψ) → χ) → ( φ → (ψ → χ))

3. ¬( φ ∨ ψ) → ¬ φ

Problem 22.2. Prove Proposition 22.20.

Problem 22.3. Prove Proposition 22.24

Problem 22.4. Complete the proof of Theorem 22.25.

Problem 22.5. Prove that Γ ⊢ ¬ φ iff Γ ∪ { φ} is inconsistent.

Problem 22.6. Prove Proposition 22.29

Problem 22.7. Complete the proof of Theorem 22.36.

Problem 22.8. Prove Proposition 22.40.

Release : d3a1905 (2022-12-19) 345

Chapter 23

The Completeness Theorem

23.1 Introduction
The completeness theorem is one of the most fundamental results about logic.
It comes in two formulations, the equivalence of which we’ll prove. In its first
formulation it says something fundamental about the relationship between
semantic consequence and our derivation system: if a sentence φ follows from
some sentences Γ, then there is also a derivation that establishes Γ ⊢ φ. Thus,
the derivation system is as strong as it can possibly be without proving things
that don’t actually follow.
In its second formulation, it can be stated as a model existence result: ev-
ery consistent set of sentences is satisfiable. Consistency is a proof-theoretic
notion: it says that our derivation system is unable to produce certain deriva-
tions. But who’s to say that just because there are no derivations of a certain
sort from Γ, it’s guaranteed that there is a structure M? Before the complete-
ness theorem was first proved—in fact before we had the derivation systems
we now do—the great German mathematician David Hilbert held the view
that consistency of mathematical theories guarantees the existence of the ob-
jects they are about. He put it as follows in a letter to Gottlob Frege:

If the arbitrarily given axioms do not contradict one another with

all their consequences, then they are true and the things defined by
the axioms exist. This is for me the criterion of truth and existence.

Frege vehemently disagreed. The second formulation of the completeness the-

orem shows that Hilbert was right in at least the sense that if the axioms are
consistent, then some structure exists that makes them all true.
These aren’t the only reasons the completeness theorem—or rather, its
proof—is important. It has a number of important consequences, some of
which we’ll discuss separately. For instance, since any derivation that shows
Γ ⊢ φ is finite and so can only use finitely many of the sentences in Γ, it fol-
lows by the completeness theorem that if φ is a consequence of Γ, it is already

346
23.2. OUTLINE OF THE PROOF

a consequence of a finite subset of Γ. This is called compactness. Equivalently,

if every finite subset of Γ is consistent, then Γ itself must be consistent.
Although the compactness theorem follows from the completeness theo-
rem via the detour through derivations, it is also possible to use the the proof
of the completeness theorem to establish it directly. For what the proof does is
take a set of sentences with a certain property—consistency—and constructs
a structure out of this set that has certain properties (in this case, that it satisfies
the set). Almost the very same construction can be used to directly establish
compactness, by starting from “finitely satisfiable” sets of sentences instead
of consistent ones. The construction also yields other consequences, e.g., that
any satisfiable set of sentences has a finite or denumerable model. (This re-
sult is called the Löwenheim-Skolem theorem.) In general, the construction of
structures from sets of sentences is used often in logic, and sometimes even in
philosophy.

23.2 Outline of the Proof

The proof of the completeness theorem is a bit complex, and upon first reading
it, it is easy to get lost. So let us outline the proof. The first step is a shift of
perspective, that allows us to see a route to a proof. When completeness is
thought of as “whenever Γ ⊨ φ then Γ ⊢ φ,” it may be hard to even come
up with an idea: for to show that Γ ⊢ φ we have to find a derivation, and
it does not look like the hypothesis that Γ ⊨ φ helps us for this in any way.
For some proof systems it is possible to directly construct a derivation, but we
will take a slightly different approach. The shift in perspective required is this:
completeness can also be formulated as: “if Γ is consistent, it is satisfiable.”
Perhaps we can use the information in Γ together with the hypothesis that it is
consistent to construct a structure that satisfies every sentence in Γ. After all,
we know what kind of structure we are looking for: one that is as Γ describes
it!
If Γ contains only atomic sentences, it is easy to construct a model for it.
Suppose the atomic sentences are all of the form P( a1 , . . . , an ) where the ai
are constant symbols. All we have to do is come up with a domain |M| and
an assignment for P so that M ⊨ P( a1 , . . . , an ). But that’s not very hard: put
|M| = N, ciM = i, and for every P( a1 , . . . , an ) ∈ Γ, put the tuple ⟨k1 , . . . , k n ⟩
into PM , where k i is the index of the constant symbol ai (i.e., ai ≡ cki ).
Now suppose Γ contains some formula ¬ψ, with ψ atomic. We might
worry that the construction of M interferes with the possibility of making ¬ψ
true. But here’s where the consistency of Γ comes in: if ¬ψ ∈ Γ, then ψ ∈ / Γ, or
else Γ would be inconsistent. And if ψ ∈ / Γ, then according to our construction
of M, M ⊭ ψ, so M ⊨ ¬ψ. So far so good.
What if Γ contains complex, non-atomic formulas? Say it contains φ ∧ ψ.
To make that true, we should proceed as if both φ and ψ were in Γ. And if

Release : d3a1905 (2022-12-19) 347

 CHAPTER 23. THE COMPLETENESS THEOREM

φ ∨ ψ ∈ Γ, then we will have to make at least one of them true, i.e., proceed
as if one of them was in Γ.
This suggests the following idea: we add additional formulas to Γ so as to
(a) keep the resulting set consistent and (b) make sure that for every possible
atomic sentence φ, either φ is in the resulting set, or ¬ φ is, and (c) such that,
whenever φ ∧ ψ is in the set, so are both φ and ψ, if φ ∨ ψ is in the set, at least
one of φ or ψ is also, etc. We keep doing this (potentially forever). Call the
set of all formulas so added Γ ∗ . Then our construction above would provide
us with a structure M for which we could prove, by induction, that it satisfies
all sentences in Γ ∗ , and hence also all sentence in Γ since Γ ⊆ Γ ∗ . It turns
out that guaranteeing (a) and (b) is enough. A set of sentences for which (b)
holds is called complete. So our task will be to extend the consistent set Γ to a
consistent and complete set Γ ∗ .
There is one wrinkle in this plan: if ∃ x φ( x ) ∈ Γ we would hope to be able
to pick some constant symbol c and add φ(c) in this process. But how do we
know we can always do that? Perhaps we only have a few constant symbols
in our language, and for each one of them we have ¬ φ(c) ∈ Γ. We can’t also
add φ(c), since this would make the set inconsistent, and we wouldn’t know
whether M has to make φ(c) or ¬ φ(c) true. Moreover, it might happen that Γ
contains only sentences in a language that has no constant symbols at all (e.g.,
the language of set theory).
The solution to this problem is to simply add infinitely many constants at
the beginning, plus sentences that connect them with the quantifiers in the
right way. (Of course, we have to verify that this cannot introduce an incon-
sistency.)
Our original construction works well if we only have constant symbols in
the atomic sentences. But the language might also contain function symbols.
In that case, it might be tricky to find the right functions on N to assign to
these function symbols to make everything work. So here’s another trick: in-
stead of using i to interpret ci , just take the set of constant symbols itself as
the domain. Then M can assign every constant symbol to itself: ciM = ci . But
why not go all the way: let |M| be all terms of the language! If we do this,
there is an obvious assignment of functions (that take terms as arguments and
have terms as values) to function symbols: we assign to the function sym-
bol fin the function which, given n terms t1 , . . . , tn as input, produces the term
fin (t1 , . . . , tn ) as value.
The last piece of the puzzle is what to do with =. The predicate symbol =
has a fixed interpretation: M ⊨ t = t′ iff ValM (t) = ValM (t′ ). Now if we set
things up so that the value of a term t is t itself, then this structure will make
no sentence of the form t = t′ true unless t and t′ are one and the same term.
And of course this is a problem, since basically every interesting theory in a
language with function symbols will have as theorems sentences t = t′ where
t and t′ are not the same term (e.g., in theories of arithmetic: (0 + 0) = 0). To

348 Release : d3a1905 (2022-12-19)

23.3. COMPLETE CONSISTENT SETS OF SENTENCES

solve this problem, we change the domain of M: instead of using terms as the
objects in |M|, we use sets of terms, and each set is so that it contains all those
terms which the sentences in Γ require to be equal. So, e.g., if Γ is a theory of
arithmetic, one of these sets will contain: 0, (0 + 0), (0 × 0), etc. This will be
the set we assign to 0, and it will turn out that this set is also the value of all
the terms in it, e.g., also of (0 + 0). Therefore, the sentence (0 + 0) = 0 will be
true in this revised structure.
So here’s what we’ll do. First we investigate the properties of complete
consistent sets, in particular we prove that a complete consistent set contains
φ ∧ ψ iff it contains both φ and ψ, φ ∨ ψ iff it contains at least one of them,
etc. (Proposition 23.2). Then we define and investigate “saturated” sets of
sentences. A saturated set is one which contains conditionals that link each
quantified sentence to instances of it (Definition 23.5). We show that any con-
sistent set Γ can always be extended to a saturated set Γ ′ (Lemma 23.6). If a set
is consistent, saturated, and complete it also has the property that it contains
∃ x φ( x ) iff it contains φ(t) for some closed term t and ∀ x φ( x ) iff it contains
φ(t) for all closed terms t (Proposition 23.7). We’ll then take the saturated con-
sistent set Γ ′ and show that it can be extended to a saturated, consistent, and
complete set Γ ∗ (Lemma 23.8). This set Γ ∗ is what we’ll use to define our term
model M( Γ ∗ ). The term model has the set of closed terms as its domain, and
the interpretation of its predicate symbols is given by the atomic sentences
in Γ ∗ (Definition 23.9). We’ll use the properties of saturated, complete con-
sistent sets to show that indeed M( Γ ∗ ) ⊨ φ iff φ ∈ Γ ∗ (Lemma 23.12), and
thus in particular, M( Γ ∗ ) ⊨ Γ. Finally, we’ll consider how to define a term
model if Γ contains = as well (Definition 23.16) and show that it satisfies Γ ∗
(Lemma 23.19).

23.3 Complete Consistent Sets of Sentences

Definition 23.1 (Complete set). A set Γ of sentences is complete iff for any sen-
tence φ, either φ ∈ Γ or ¬ φ ∈ Γ.

Complete sets of sentences leave no questions unanswered. For any sen-

tence φ, Γ “says” if φ is true or false. The importance of complete sets extends
beyond the proof of the completeness theorem. A theory which is complete
and axiomatizable, for instance, is always decidable.
Complete consistent sets are important in the completeness proof since we
can guarantee that every consistent set of sentences Γ is contained in a com-
plete consistent set Γ ∗ . A complete consistent set contains, for each sentence φ,
either φ or its negation ¬ φ, but not both. This is true in particular for atomic
sentences, so from a complete consistent set in a language suitably expanded
by constant symbols, we can construct a structure where the interpretation of
predicate symbols is defined according to which atomic sentences are in Γ ∗ .
This structure can then be shown to make all sentences in Γ ∗ (and hence also

Release : d3a1905 (2022-12-19) 349

 CHAPTER 23. THE COMPLETENESS THEOREM

all those in Γ) true. The proof of this latter fact requires that ¬ φ ∈ Γ ∗ iff
φ∈ / Γ ∗ , ( φ ∨ ψ) ∈ Γ ∗ iff φ ∈ Γ ∗ or ψ ∈ Γ ∗ , etc.
In what follows, we will often tacitly use the properties of reflexivity, mono-
tonicity, and transitivity of ⊢ (see sections 19.8, 20.7, 21.7 and 22.6).

Proposition 23.2. Suppose Γ is complete and consistent. Then:

1. If Γ ⊢ φ, then φ ∈ Γ.

2. φ ∧ ψ ∈ Γ iff both φ ∈ Γ and ψ ∈ Γ.

3. φ ∨ ψ ∈ Γ iff either φ ∈ Γ or ψ ∈ Γ.

4. φ → ψ ∈ Γ iff either φ ∈
/ Γ or ψ ∈ Γ.

Proof. Let us suppose for all of the following that Γ is complete and consistent.

1. If Γ ⊢ φ, then φ ∈ Γ.
Suppose that Γ ⊢ φ. Suppose to the contrary that φ ∈ / Γ. Since Γ is
complete, ¬ φ ∈ Γ. By Propositions 19.20, 20.20, 21.20 and 22.28, Γ is in-
consistent. This contradicts the assumption that Γ is consistent. Hence,
it cannot be the case that φ ∈
/ Γ, so φ ∈ Γ.

2. Exercise.

3. First we show that if φ ∨ ψ ∈ Γ, then either φ ∈ Γ or ψ ∈ Γ. Suppose

φ ∨ ψ ∈ Γ but φ ∈ / Γ and ψ ∈ / Γ. Since Γ is complete, ¬ φ ∈ Γ and
¬ψ ∈ Γ. By Propositions 19.23, 20.23, 21.23 and 22.31, item (1), Γ is
inconsistent, a contradiction. Hence, either φ ∈ Γ or ψ ∈ Γ.
For the reverse direction, suppose that φ ∈ Γ or ψ ∈ Γ. By Proposi-
tions 19.23, 20.23, 21.23 and 22.31, item (2), Γ ⊢ φ ∨ ψ. By (1), φ ∨ ψ ∈ Γ,
as required.

4. Exercise.

23.4 Henkin Expansion

Part of the challenge in proving the completeness theorem is that the model
we construct from a complete consistent set Γ must make all the quantified
formulas in Γ true. In order to guarantee this, we use a trick due to Leon
Henkin. In essence, the trick consists in expanding the language by infinitely
many constant symbols and adding, for each formula with one free variable
φ( x ) a formula of the form ∃ x φ( x ) → φ(c), where c is one of the new constant
symbols. When we construct the structure satisfying Γ, this will guarantee
that each true existential sentence has a witness among the new constants.

350 Release : d3a1905 (2022-12-19)

23.4. HENKIN EXPANSION

Proposition 23.3. If Γ is consistent in L and L′ is obtained from L by adding a de-

numerable set of new constant symbols d0 , d1 , . . . , then Γ is consistent in L′ .

Definition 23.4 (Saturated set). A set Γ of formulas of a language L is satu-

rated iff for each formula φ( x ) ∈ Frm(L) with one free variable x there is
a constant symbol c ∈ L such that ∃ x φ( x ) → φ(c) ∈ Γ.

The following definition will be used in the proof of the next theorem.
Definition 23.5. Let L′ be as in Proposition 23.3. Fix an enumeration φ0 ( x0 ),
φ1 ( x1 ), . . . of all formulas φi ( xi ) of L′ in which one variable (xi ) occurs free.
We define the sentences θn by induction on n.
Let c0 be the first constant symbol among the di we added to L which does
not occur in φ0 ( x0 ). Assuming that θ0 , . . . , θn−1 have already been defined,
let cn be the first among the new constant symbols di that occurs neither in θ0 ,
. . . , θn−1 nor in φn ( xn ).
Now let θn be the formula ∃ xn φn ( xn ) → φn (cn ).

Lemma 23.6. Every consistent set Γ can be extended to a saturated consistent set Γ ′ .

Proof. Given a consistent set of sentences Γ in a language L, expand the lan-

guage by adding a denumerable set of new constant symbols to form L′ . By
Proposition 23.3, Γ is still consistent in the richer language. Further, let θi be
as in Definition 23.5. Let
Γ0 = Γ
Γn+1 = Γn ∪ {θn }
i.e., Γn+1 = Γ ∪ {θ0 , . . . , θn }, and let Γ ′ = n Γn . Γ ′ is clearly saturated.
S

If Γ ′ were inconsistent, then for some n, Γn would be inconsistent (Exercise:

explain why). So to show that Γ ′ is consistent it suffices to show, by induction
on n, that each set Γn is consistent.
The induction basis is simply the claim that Γ0 = Γ is consistent, which
is the hypothesis of the theorem. For the induction step, suppose that Γn is
consistent but Γn+1 = Γn ∪ {θn } is inconsistent. Recall that θn is ∃ xn φn ( xn ) →
φn (cn ), where φn ( xn ) is a formula of L′ with only the variable xn free. By the
way we’ve chosen the cn (see Definition 23.5), cn does not occur in φn ( xn ) nor
in Γn .
If Γn ∪ {θn } is inconsistent, then Γn ⊢ ¬θn , and hence both of the following
hold:
Γn ⊢ ∃ xn φn ( xn ) Γn ⊢ ¬ φn (cn )
Since cn does not occur in Γn or in φn ( xn ), Theorems 19.25, 20.25, 21.25 and 22.33
applies. From Γn ⊢ ¬ φn (cn ), we obtain Γn ⊢ ∀ xn ¬ φn ( xn ). Thus we have that
both Γn ⊢ ∃ xn φn ( xn ) and Γn ⊢ ∀ xn ¬ φn ( xn ), so Γn itself is inconsistent. (Note
that ∀ xn ¬ φn ( xn ) ⊢ ¬∃ xn φn ( xn ).) Contradiction: Γn was supposed to be con-
sistent. Hence Γn ∪ {θn } is consistent.

Release : d3a1905 (2022-12-19) 351

 CHAPTER 23. THE COMPLETENESS THEOREM

We’ll now show that complete, consistent sets which are saturated have the
property that it contains a universally quantified sentence iff it contains all its
instances and it contains an existentially quantified sentence iff it contains at
least one instance. We’ll use this to show that the structure we’ll generate from
a complete, consistent, saturated set makes all its quantified sentences true.

Proposition 23.7. Suppose Γ is complete, consistent, and saturated.

1. ∃ x φ( x ) ∈ Γ iff φ(t) ∈ Γ for at least one closed term t.

2. ∀ x φ( x ) ∈ Γ iff φ(t) ∈ Γ for all closed terms t.

Proof. 1. First suppose that ∃ x φ( x ) ∈ Γ. Because Γ is saturated, (∃ x φ( x ) →

φ(c)) ∈ Γ for some constant symbol c. By Propositions 19.24, 20.24,
21.24 and 22.32, item (1), and Proposition 23.2(1), φ(c) ∈ Γ.
For the other direction, saturation is not necessary: Suppose φ(t) ∈ Γ.
Then Γ ⊢ ∃ x φ( x ) by Propositions 19.26, 20.26, 21.26 and 22.34, item (1).
By Proposition 23.2(1), ∃ x φ( x ) ∈ Γ.

2. Exercise.

23.5 Lindenbaum’s Lemma

We now prove a lemma that shows that any consistent set of sentences is con-
tained in some set of sentences which is not just consistent, but also complete.
The proof works by adding one sentence at a time, guaranteeing at each step
that the set remains consistent. We do this so that for every φ, either φ or ¬ φ
gets added at some stage. The union of all stages in that construction then
contains either φ or its negation ¬ φ and is thus complete. It is also consistent,
since we made sure at each stage not to introduce an inconsistency.

Lemma 23.8 (Lindenbaum’s Lemma). Every consistent set Γ in a language L

can be extended to a complete and consistent set Γ ∗ .

Proof. Let Γ be consistent. Let φ0 , φ1 , . . . be an enumeration of all the sen-

tences of L. Define Γ0 = Γ, and
(
Γn ∪ { φn } if Γn ∪ { φn } is consistent;
Γn+1 =
Γn ∪ {¬ φn } otherwise.

Let Γ ∗ = n≥0 Γn .
S

Each Γn is consistent: Γ0 is consistent by definition. If Γn+1 = Γn ∪ { φn },

this is because the latter is consistent. If it isn’t, Γn+1 = Γn ∪ {¬ φn }. We have
to verify that Γn ∪ {¬ φn } is consistent. Suppose it’s not. Then both Γn ∪ { φn }
and Γn ∪ {¬ φn } are inconsistent. This means that Γn would be inconsistent by

352 Release : d3a1905 (2022-12-19)

23.6. CONSTRUCTION OF A MODEL

Propositions 19.21, 20.21, 21.21 and 22.29, contrary to the induction hypothe-
sis.
For every n and every i < n, Γi ⊆ Γn . This follows by a simple induction
on n. For n = 0, there are no i < 0, so the claim holds automatically. For
the inductive step, suppose it is true for n. We have Γn+1 = Γn ∪ { φn } or
= Γn ∪ {¬ φn } by construction. So Γn ⊆ Γn+1 . If i < n, then Γi ⊆ Γn by
inductive hypothesis, and so ⊆ Γn+1 by transitivity of ⊆.
From this it follows that every finite subset of Γ ∗ is a subset of Γn for
some n, since each ψ ∈ Γ ∗ not already in Γ0 is added at some stage i. If n
is the last one of these, then all ψ in the finite subset are in Γn . So, every finite
subset of Γ ∗ is consistent. By Propositions 19.17, 20.17, 21.17 and 22.21, Γ ∗ is
consistent.
Every sentence of Frm(L) appears on the list used to define Γ ∗ . If φn ∈ / Γ∗ ,
then that is because Γn ∪ { φn } was inconsistent. But then ¬ φn ∈ Γ , so Γ ∗ is
∗

complete.

23.6 Construction of a Model

Right now we are not concerned about =, i.e., we only want to show that a
consistent set Γ of sentences not containing = is satisfiable. We first extend Γ
to a consistent, complete, and saturated set Γ ∗ . In this case, the definition of a
model M( Γ ∗ ) is simple: We take the set of closed terms of L′ as the domain.
We assign every constant symbol to itself, and make sure that more generally,
∗
for every closed term t, ValM( Γ ) (t) = t. The predicate symbols are assigned
extensions in such a way that an atomic sentence is true in M( Γ ∗ ) iff it is
in Γ ∗ . This will obviously make all the atomic sentences in Γ ∗ true in M( Γ ∗ ).
The rest are true provided the Γ ∗ we start with is consistent, complete, and
saturated.

Definition 23.9 (Term model). Let Γ ∗ be a complete and consistent, saturated

set of sentences in a language L. The term model M( Γ ∗ ) of Γ ∗ is the structure
defined as follows:

1. The domain |M( Γ ∗ )| is the set of all closed terms of L.

∗)
2. The interpretation of a constant symbol c is c itself: cM( Γ = c.
3. The function symbol f is assigned the function which, given as argu-
ments the closed terms t1 , . . . , tn , has as value the closed term f (t1 , . . . , tn ):
∗
f M( Γ ) ( t 1 , . . . , t n ) = f ( t 1 , . . . , t n )

4. If R is an n-place predicate symbol, then

∗
⟨t1 , . . . , tn ⟩ ∈ RM( Γ ) iff R(t1 , . . . , tn ) ∈ Γ ∗ .

Release : d3a1905 (2022-12-19) 353

 CHAPTER 23. THE COMPLETENESS THEOREM

∗
We will now check that we indeed have ValM( Γ ) (t) = t.
∗
Lemma 23.10. Let M( Γ ∗ ) be the term model of Definition 23.9, then ValM( Γ ) (t) =
t.

Proof. The proof is by induction on t, where the base case, when t is a con-
stant symbol, follows directly from the definition of the term model. For the
∗
induction step assume t1 , . . . , tn are closed terms such that ValM( Γ ) (ti ) = ti
and that f is an n-ary function symbol. Then
∗ ∗ ∗ ∗
ValM( Γ ) ( f (t1 , . . . , tn )) = f M( Γ ) (ValM( Γ ) (t1 ), . . . , ValM( Γ ) (tn ))
∗
= f M( Γ ) ( t 1 , . . . , t n )
= f ( t1 , . . . , t n ),

and so by induction this holds for every closed term t.

A structure M may make an existentially quantified sentence ∃ x φ( x ) true

without there being an instance φ(t) that it makes true. A structure M may
make all instances φ(t) of a universally quantified sentence ∀ x φ( x ) true, with-
out making ∀ x φ( x ) true. This is because in general not every element of |M|
is the value of a closed term (M may not be covered). This is the reason the sat-
isfaction relation is defined via variable assignments. However, for our term
model M( Γ ∗ ) this wouldn’t be necessary—because it is covered. This is the
content of the next result.

Proposition 23.11. Let M( Γ ∗ ) be the term model of Definition 23.9.

1. M( Γ ∗ ) ⊨ ∃ x φ( x ) iff M( Γ ∗ ) ⊨ φ(t) for at least one term t.

2. M( Γ ∗ ) ⊨ ∀ x φ( x ) iff M( Γ ∗ ) ⊨ φ(t) for all terms t.

Proof. 1. By Proposition 16.18, M( Γ ∗ ) ⊨ ∃ x φ( x ) iff for at least one vari-

able assignment s, M( Γ ∗ ), s ⊨ φ( x ). As |M( Γ ∗ )| consists of the closed
terms of L, this is the case iff there is at least one closed term t such that
s( x ) = t and M( Γ ∗ ), s ⊨ φ( x ). By Proposition 16.22, M( Γ ∗ ), s ⊨ φ( x ) iff
M( Γ ∗ ), s ⊨ φ(t), where s( x ) = t. By Proposition 16.17, M( Γ ∗ ), s ⊨ φ(t)
iff M( Γ ∗ ) ⊨ φ(t), since φ(t) is a sentence.

2. Exercise.

Lemma 23.12 (Truth Lemma). Suppose φ does not contain =. Then M( Γ ∗ ) ⊨ φ

iff φ ∈ Γ ∗ .

Proof. We prove both directions simultaneously, and by induction on φ.

354 Release : d3a1905 (2022-12-19)

23.7. IDENTITY

1. φ ≡ ⊥: M( Γ ∗ ) ⊭ ⊥ by definition of satisfaction. On the other hand,

⊥∈/ Γ ∗ since Γ ∗ is consistent.
∗
2. φ ≡ R(t1 , . . . , tn ): M( Γ ∗ ) ⊨ R(t1 , . . . , tn ) iff ⟨t1 , . . . , tn ⟩ ∈ RM( Γ ) (by
the definition of satisfaction) iff R(t1 , . . . , tn ) ∈ Γ ∗ (by the construction
of M( Γ ∗ )).

3. φ ≡ ¬ψ: M( Γ ∗ ) ⊨ φ iff M( Γ ∗ ) ⊭ ψ (by definition of satisfaction). By

induction hypothesis, M( Γ ∗ ) ⊭ ψ iff ψ ∈
/ Γ ∗ . Since Γ ∗ is consistent and
complete, ψ ∈ ∗
/ Γ iff ¬ψ ∈ Γ .∗

4. φ ≡ ψ ∧ χ: exercise.

5. φ ≡ ψ ∨ χ: M( Γ ∗ ) ⊨ φ iff M( Γ ∗ ) ⊨ ψ or M( Γ ∗ ) ⊨ χ (by definition of

satisfaction) iff ψ ∈ Γ ∗ or χ ∈ Γ ∗ (by induction hypothesis). This is the
case iff (ψ ∨ χ) ∈ Γ ∗ (by Proposition 23.2(3)).

6. φ ≡ ψ → χ: exercise.

7. φ ≡ ∀ x ψ( x ): exercise.

8. φ ≡ ∃ x ψ( x ): M( Γ ∗ ) ⊨ φ iff M( Γ ∗ ) ⊨ ψ(t) for at least one term t

(Proposition 23.11). By induction hypothesis, this is the case iff ψ(t) ∈
Γ ∗ for at least one term t. By Proposition 23.7, this in turn is the case iff
∃ x ψ( x ) ∈ Γ∗ .

23.7 Identity
The construction of the term model given in the preceding section is enough
to establish completeness for first-order logic for sets Γ that do not contain =.
The term model satisfies every φ ∈ Γ ∗ which does not contain = (and hence
all φ ∈ Γ). It does not work, however, if = is present. The reason is that Γ ∗
then may contain a sentence t = t′ , but in the term model the value of any
term is that term itself. Hence, if t and t′ are different terms, their values in
the term model—i.e., t and t′ , respectively—are different, and so t = t′ is false.
We can fix this, however, using a construction known as “factoring.”

Definition 23.13. Let Γ ∗ be a consistent and complete set of sentences in L.

We define the relation ≈ on the set of closed terms of L by

t ≈ t′ iff t = t′ ∈ Γ ∗

Proposition 23.14. The relation ≈ has the following properties:

1. ≈ is reflexive.

2. ≈ is symmetric.

Release : d3a1905 (2022-12-19) 355

 CHAPTER 23. THE COMPLETENESS THEOREM

3. ≈ is transitive.

4. If t ≈ t′ , f is a function symbol, and t1 , . . . , ti−1 , ti+1 , . . . , tn are terms, then

f (t1 , . . . , ti−1 , t, ti+1 , . . . , tn ) ≈ f (t1 , . . . , ti−1 , t′ , ti+1 , . . . , tn ).

5. If t ≈ t′ , R is a predicate symbol, and t1 , . . . , ti−1 , ti+1 , . . . , tn are terms, then

R(t1 , . . . , ti−1 , t, ti+1 , . . . , tn ) ∈ Γ ∗ iff

R ( t 1 , . . . , t i −1 , t ′ , t i +1 , . . . , t n ) ∈ Γ ∗ .

Proof. Since Γ ∗ is consistent and complete, t = t′ ∈ Γ ∗ iff Γ ∗ ⊢ t = t′ . Thus it

is enough to show the following:

1. Γ ∗ ⊢ t = t for all terms t.

2. If Γ ∗ ⊢ t = t′ then Γ ∗ ⊢ t′ = t.

3. If Γ ∗ ⊢ t = t′ and Γ ∗ ⊢ t′ = t′′ , then Γ ∗ ⊢ t = t′′ .

4. If Γ ∗ ⊢ t = t′ , then

Γ ∗ ⊢ f (t1 , . . . , ti−1 , t, ti+1 , , . . . , tn ) = f (t1 , . . . , ti−1 , t′ , ti+1 , . . . , tn )

for every n-place function symbol f and terms t1 , . . . , ti−1 , ti+1 , . . . , tn .

5. If Γ ∗ ⊢ t = t′ and Γ ∗ ⊢ R(t1 , . . . , ti−1 , t, ti+1 , . . . , tn ), then Γ ∗ ⊢ R(t1 , . . . , ti−1 , t′ , ti+1 , . . . , tn )

for every n-place predicate symbol R and terms t1 , . . . , ti−1 , ti+1 , . . . , tn .

Definition 23.15. Suppose Γ ∗ is a consistent and complete set in a language L,

t is a term, and ≈ as in the previous definition. Then:

[t]≈ = {t′ : t′ ∈ Trm(L), t ≈ t′ }

and Trm(L)/≈ = {[t]≈ : t ∈ Trm(L)}.

Definition 23.16. Let M = M( Γ ∗ ) be the term model for Γ ∗ from Defini-

tion 23.9. Then M/≈ is the following structure:

1. |M/≈ | = Trm(L)/≈ .

2. cM/≈ = [c]≈

3. f M/≈ ([t1 ]≈ , . . . , [tn ]≈ ) = [ f (t1 , . . . , tn )]≈

4. ⟨[t1 ]≈ , . . . , [tn ]≈ ⟩ ∈ RM/≈ iff M ⊨ R(t1 , . . . , tn ), i.e., iff R(t1 , . . . , tn ) ∈ Γ ∗ .

356 Release : d3a1905 (2022-12-19)

23.7. IDENTITY

Note that we have defined f M/≈ and RM/≈ for elements of Trm(L)/≈ by
referring to them as [t]≈ , i.e., via representatives t ∈ [t]≈ . We have to make sure
that these definitions do not depend on the choice of these representatives, i.e.,
that for some other choices t′ which determine the same equivalence classes
([t]≈ = [t′ ]≈ ), the definitions yield the same result. For instance, if R is a one-
place predicate symbol, the last clause of the definition says that [t]≈ ∈ RM/≈
iff M ⊨ R(t). If for some other term t′ with t ≈ t′ , M ⊭ R(t), then the definition
would require [t′ ]≈ ∈ / RM/≈ . If t ≈ t′ , then [t]≈ = [t′ ]≈ , but we can’t have both
[t]≈ ∈ R M/ ≈ and [t]≈ ∈/ RM/≈ . However, Proposition 23.14 guarantees that
this cannot happen.
Proposition 23.17. M/≈ is well defined, i.e., if t1 , . . . , tn , t1′ , . . . , t′n are terms, and
ti ≈ ti′ then
1. [ f (t1 , . . . , tn )]≈ = [ f (t1′ , . . . , t′n )]≈ , i.e.,

f (t1 , . . . , tn ) ≈ f (t1′ , . . . , t′n )

and
2. M ⊨ R(t1 , . . . , tn ) iff M ⊨ R(t1′ , . . . , t′n ), i.e.,

R(t1 , . . . , tn ) ∈ Γ ∗ iff R(t1′ , . . . , t′n ) ∈ Γ ∗ .

Proof. Follows from Proposition 23.14 by induction on n.

As in the case of the term model, before proving the truth lemma we need
the following lemma.

Lemma 23.18. Let M = M( Γ ∗ ), then ValM/≈ (t) = [t]≈ .

Proof. The proof is similar to that of Lemma 23.10.

Lemma 23.19. M/≈ ⊨ φ iff φ ∈ Γ ∗ for all sentences φ.

Proof. By induction on φ, just as in the proof of Lemma 23.12. The only case
that needs additional attention is when φ ≡ t = t′ .

M/≈ ⊨ t = t′ iff [t]≈ = [t′ ]≈ (by definition of M/≈ )

iff t ≈ t′ (by definition of [t]≈ )
iff t = t′ ∈ Γ ∗ (by definition of ≈).

Note that while M( Γ ∗ ) is always enumerable and infinite, M/≈ may be

finite, since it may turn out that there are only finitely many classes [t]≈ . This
is to be expected, since Γ may contain sentences which require any structure
in which they are true to be finite. For instance, ∀ x ∀y x = y is a consistent
sentence, but is satisfied only in structures with a domain that contains exactly
one element.

Release : d3a1905 (2022-12-19) 357

 CHAPTER 23. THE COMPLETENESS THEOREM

23.8 The Completeness Theorem

Let’s combine our results: we arrive at the completeness theorem.

Theorem 23.20 (Completeness Theorem). Let Γ be a set of sentences. If Γ is

consistent, it is satisfiable.

Proof. Suppose Γ is consistent. By Lemma 23.6, there is a saturated consistent

set Γ ′ ⊇ Γ. By Lemma 23.8, there is a Γ ∗ ⊇ Γ ′ which is consistent and com-
plete. Since Γ ′ ⊆ Γ ∗ , for each formula φ( x ), Γ ∗ contains a sentence of the
form ∃ x φ( x ) → φ(c) and so Γ ∗ is saturated. If Γ does not contain =, then by
Lemma 23.12, M( Γ ∗ ) ⊨ φ iff φ ∈ Γ ∗ . From this it follows in particular that
for all φ ∈ Γ, M( Γ ∗ ) ⊨ φ, so Γ is satisfiable. If Γ does contain =, then by
Lemma 23.19, for all sentences φ, M/≈ ⊨ φ iff φ ∈ Γ ∗ . In particular, M/≈ ⊨ φ
for all φ ∈ Γ, so Γ is satisfiable.

Corollary 23.21 (Completeness Theorem, Second Version). For all Γ and sen-
tences φ: if Γ ⊨ φ then Γ ⊢ φ.

Proof. Note that the Γ’s in Corollary 23.21 and Theorem 23.20 are universally
quantified. To make sure we do not confuse ourselves, let us restate Theo-
rem 23.20 using a different variable: for any set of sentences ∆, if ∆ is consis-
tent, it is satisfiable. By contraposition, if ∆ is not satisfiable, then ∆ is incon-
sistent. We will use this to prove the corollary.
Suppose that Γ ⊨ φ. Then Γ ∪ {¬ φ} is unsatisfiable by Proposition 16.27.
Taking Γ ∪ {¬ φ} as our ∆, the previous version of Theorem 23.20 gives us
that Γ ∪ {¬ φ} is inconsistent. By Propositions 19.19, 20.19, 21.19 and 22.27,
Γ ⊢ φ.

23.9 The Compactness Theorem

One important consequence of the completeness theorem is the compactness
theorem. The compactness theorem states that if each finite subset of a set
of sentences is satisfiable, the entire set is satisfiable—even if the set itself is
infinite. This is far from obvious. There is nothing that seems to rule out,
at first glance at least, the possibility of there being infinite sets of sentences
which are contradictory, but the contradiction only arises, so to speak, from
the infinite number. The compactness theorem says that such a scenario can
be ruled out: there are no unsatisfiable infinite sets of sentences each finite
subset of which is satisfiable. Like the completeness theorem, it has a version
related to entailment: if an infinite set of sentences entails something, already
a finite subset does.

Definition 23.22. A set Γ of formulas is finitely satisfiable iff every finite Γ0 ⊆ Γ

is satisfiable.

358 Release : d3a1905 (2022-12-19)

23.9. THE COMPACTNESS THEOREM

Theorem 23.23 (Compactness Theorem). The following hold for any sentences Γ
and φ:

1. Γ ⊨ φ iff there is a finite Γ0 ⊆ Γ such that Γ0 ⊨ φ.

2. Γ is satisfiable iff it is finitely satisfiable.

Proof. We prove (2). If Γ is satisfiable, then there is a structure M such that

M ⊨ φ for all φ ∈ Γ. Of course, this M also satisfies every finite subset of Γ,
so Γ is finitely satisfiable.
Now suppose that Γ is finitely satisfiable. Then every finite subset Γ0 ⊆ Γ
is satisfiable. By soundness (Corollaries 20.29, 19.31, 21.31 and 22.38), ev-
ery finite subset is consistent. Then Γ itself must be consistent by Proposi-
tions 19.17, 20.17, 21.17 and 22.21. By completeness (Theorem 23.20), since
Γ is consistent, it is satisfiable.

Example 23.24. In every model M of a theory Γ, each term t of course picks

out an element of |M|. Can we guarantee that it is also true that every element
of |M| is picked out by some term or other? In other words, are there theo-
ries Γ all models of which are covered? The compactness theorem shows that
this is not the case if Γ has infinite models. Here’s how to see this: Let M be
an infinite model of Γ, and let c be a constant symbol not in the language of Γ.
Let ∆ be the set of all sentences c ̸= t for t a term in the language L of Γ, i.e.,

∆ = {c ̸= t : t ∈ Trm(L)}.

A finite subset of Γ ∪ ∆ can be written as Γ ′ ∪ ∆′ , with Γ ′ ⊆ Γ and ∆′ ⊆ ∆. Since

∆′ is finite, it can contain only finitely many terms. Let a ∈ |M| be an element
of |M| not picked out by any of them, and let M′ be the structure that is just
′
like M, but also cM = a. Since a ̸= ValM (t) for all t occuring in ∆′ , M′ ⊨ ∆′ .
Since M ⊨ Γ, Γ ′ ⊆ Γ, and c does not occur in Γ, also M′ ⊨ Γ ′ . Together,
M′ ⊨ Γ ′ ∪ ∆′ for every finite subset Γ ′ ∪ ∆′ of Γ ∪ ∆. So every finite subset
of Γ ∪ ∆ is satisfiable. By compactness, Γ ∪ ∆ itself is satisfiable. So there are
models M ⊨ Γ ∪ ∆. Every such M is a model of Γ, but is not covered, since
ValM (c) ̸= ValM (t) for all terms t of L.

Example 23.25. Consider a language L containing the predicate symbol <,

constant symbols 0, 1, and function symbols +, ×, −, ÷. Let Γ be the set
of all sentences in this language true in Q with domain Q and the obvious
interpretations. Γ is the set of all sentences of L true about the rational num-
bers. Of course, in Q (and even in R), there are no numbers which are greater
than 0 but less than 1/k for all k ∈ Z+ . Such a number, if it existed, would
be an infinitesimal: non-zero, but infinitely small. The compactness theorem
shows that there are models of Γ in which infinitesimals exist: Let ∆ be {0 <
c} ∪ {c < (1 ÷ k) : k ∈ Z+ } (where k = (1 + (1 + · · · + (1 + 1) . . . )) with

Release : d3a1905 (2022-12-19) 359

 CHAPTER 23. THE COMPLETENESS THEOREM

k 1’s). For any finite subset ∆ 0 of ∆ there is a K such that all the sentences
′
c < (1 ÷ k) in ∆ 0 have k < K. If we expand Q to Q′ with cQ = 1/K we have
that Q′ ⊨ Γ ∪ ∆ 0 , and so Γ ∪ ∆ is finitely satisfiable (Exercise: prove this in
detail). By compactness, Γ ∪ ∆ is satisfiable. Any model S of Γ ∪ ∆ contains
an infinitesimal, namely cS .

Example 23.26. We know that first-order logic with identity predicate can ex-
press that the size of the domain must have some minimal size: The sen-
tence φ≥n (which says “there are at least n distinct objects”) is true only in
structures where |M| has at least n objects. So if we take

∆ = { φ ≥ n : n ≥ 1}

then any model of ∆ must be infinite. Thus, we can guarantee that a theory
only has infinite models by adding ∆ to it: the models of Γ ∪ ∆ are all and only
the infinite models of Γ.
So first-order logic can express infinitude. The compactness theorem shows
that it cannot express finitude, however. For suppose some set of sentences Λ
were satisfied in all and only finite structures. Then ∆ ∪ Λ is finitely satisfiable.
Why? Suppose ∆′ ∪ Λ′ ⊆ ∆ ∪ Λ is finite with ∆′ ⊆ ∆ and Λ′ ⊆ Λ. Let n be the
largest number such that φ≥n ∈ ∆′ . Λ, being satisfied in all finite structures,
has a model M with finitely many but ≥ n elements. But then M ⊨ ∆′ ∪ Λ′ . By
compactness, ∆ ∪ Λ has an infinite model, contradicting the assumption that
Λ is satisfied only in finite structures.

23.10 A Direct Proof of the Compactness Theorem

We can prove the Compactness Theorem directly, without appealing to the
Completeness Theorem, using the same ideas as in the proof of the complete-
ness theorem. In the proof of the Completeness Theorem we started with a
consistent set Γ of sentences, expanded it to a consistent, saturated, and com-
plete set Γ ∗ of sentences, and then showed that in the term model M( Γ ∗ )
constructed from Γ ∗ , all sentences of Γ are true, so Γ is satisfiable.
We can use the same method to show that a finitely satisfiable set of sen-
tences is satisfiable. We just have to prove the corresponding versions of
the results leading to the truth lemma where we replace “consistent” with
“finitely satisfiable.”

Proposition 23.27. Suppose Γ is complete and finitely satisfiable. Then:

1. ( φ ∧ ψ) ∈ Γ iff both φ ∈ Γ and ψ ∈ Γ.

2. ( φ ∨ ψ) ∈ Γ iff either φ ∈ Γ or ψ ∈ Γ.

3. ( φ → ψ) ∈ Γ iff either φ ∈
/ Γ or ψ ∈ Γ.

360 Release : d3a1905 (2022-12-19)

23.11. THE LÖWENHEIM-SKOLEM THEOREM

Lemma 23.28. Every finitely satisfiable set Γ can be extended to a saturated finitely
satisfiable set Γ ′ .

Proposition 23.29. Suppose Γ is complete, finitely satisfiable, and saturated.

1. ∃ x φ( x ) ∈ Γ iff φ(t) ∈ Γ for at least one closed term t.

2. ∀ x φ( x ) ∈ Γ iff φ(t) ∈ Γ for all closed terms t.

Lemma 23.30. Every finitely satisfiable set Γ can be extended to a complete and
finitely satisfiable set Γ ∗ .

Theorem 23.31 (Compactness). Γ is satisfiable if and only if it is finitely satisfi-

able.

Proof. If Γ is satisfiable, then there is a structure M such that M ⊨ φ for all

φ ∈ Γ. Of course, this M also satisfies every finite subset of Γ, so Γ is finitely
satisfiable.
Now suppose that Γ is finitely satisfiable. By Lemma 23.28, there is a
finitely satisfiable, saturated set Γ ′ ⊇ Γ. By Lemma 23.30, Γ ′ can be extended
to a complete and finitely satisfiable set Γ ∗ , and Γ ∗ is still saturated. Construct
the term model M( Γ ∗ ) as in Definition 23.9. Note that Proposition 23.11 did
not rely on the fact that Γ ∗ is consistent (or complete or saturated, for that mat-
ter), but just on the fact that M( Γ ∗ ) is covered. The proof of the Truth Lemma
(Lemma 23.12) goes through if we replace references to Proposition 23.2 and
Proposition 23.7 by references to Proposition 23.27 and Proposition 23.29

23.11 The Löwenheim-Skolem Theorem

The Löwenheim-Skolem Theorem says that if a theory has an infinite model,
then it also has a model that is at most denumerable. An immediate con-
sequence of this fact is that first-order logic cannot express that the size of
a structure is non-enumerable: any sentence or set of sentences satisfied in all
non-enumerable structures is also satisfied in some enumerable structure.

Theorem 23.32. If Γ is consistent then it has an enumerable model, i.e., it is satisfi-

able in a structure whose domain is either finite or denumerable.

Proof. If Γ is consistent, the structure M delivered by the proof of the com-

pleteness theorem has a domain |M| that is no larger than the set of the terms
of the language L. So M is at most denumerable.

Theorem 23.33. If Γ is a consistent set of sentences in the language of first-order

logic without identity, then it has a denumerable model, i.e., it is satisfiable in a struc-
ture whose domain is infinite and enumerable.

Release : d3a1905 (2022-12-19) 361

 CHAPTER 23. THE COMPLETENESS THEOREM

Proof. If Γ is consistent and contains no sentences in which identity appears,

then the structure M delivered by the proof of the completness theorem has a
domain |M| identical to the set of terms of the language L′ . So M is denumer-
able, since Trm(L′ ) is.

Example 23.34 (Skolem’s Paradox). Zermelo-Fraenkel set theory ZFC is a very

powerful framework in which practically all mathematical statements can be
expressed, including facts about the sizes of sets. So for instance, ZFC can
prove that the set R of real numbers is non-enumerable, it can prove Can-
tor’s Theorem that the power set of any set is larger than the set itself, etc. If
ZFC is consistent, its models are all infinite, and moreover, they all contain
elements about which the theory says that they are non-enumerable, such as
the element that makes true the theorem of ZFC that the power set of the
natural numbers exists. By the Löwenheim-Skolem Theorem, ZFC also has
enumerable models—models that contain “non-enumerable” sets but which
themselves are enumerable.

Problems
Problem 23.1. Complete the proof of Proposition 23.2.

Problem 23.2. Complete the proof of Proposition 23.11.

Problem 23.3. Complete the proof of Lemma 23.12.

Problem 23.4. Complete the proof of Proposition 23.14.

Problem 23.5. Complete the proof of Lemma 23.18.

Problem 23.6. Use Corollary 23.21 to prove Theorem 23.20, thus showing that
the two formulations of the completeness theorem are equivalent.

Problem 23.7. In order for a derivation system to be complete, its rules must
be strong enough to prove every unsatisfiable set inconsistent. Which of the
rules of derivation were necessary to prove completeness? Are any of these
rules not used anywhere in the proof? In order to answer these questions,
make a list or diagram that shows which of the rules of derivation were used
in which results that lead up to the proof of Theorem 23.20. Be sure to note
any tacit uses of rules in these proofs.

Problem 23.8. Prove (1) of Theorem 23.23.

Problem 23.9. In the standard model of arithmetic N, there is no element k ∈

|N| which satisfies every formula n < x (where n is 0′...′ with n ′’s). Use
the compactness theorem to show that the set of sentences in the language of

362 Release : d3a1905 (2022-12-19)

23.11. THE LÖWENHEIM-SKOLEM THEOREM

arithmetic which are true in the standard model of arithmetic N are also true
in a structure N′ that contains an element which does satisfy every formula
n < x.

Problem 23.10. Prove Proposition 23.27. Avoid the use of ⊢.

Problem 23.11. Prove Lemma 23.28. (Hint: The crucial step is to show that if
Γn is finitely satisfiable, so is Γn ∪ {θn }, without any appeal to derivations or
consistency.)

Problem 23.12. Prove Proposition 23.29.

Problem 23.13. Prove Lemma 23.30. (Hint: the crucial step is to show that if
Γn is finitely satisfiable, then either Γn ∪ { φn } or Γn ∪ {¬ φn } is finitely satisfi-
able.)

Problem 23.14. Write out the complete proof of the Truth Lemma (Lemma 23.12)
in the version required for the proof of Theorem 23.31.

Release : d3a1905 (2022-12-19) 363

Chapter 24

Beyond First-order Logic

This chapter, adapted from Jeremy Avigad’s logic notes, gives the
briefest of glimpses into which other logical systems there are. It is in-
tended as a chapter suggesting further topics for study in a course that
does not cover them. Each one of the topics mentioned here will—
hopefully—eventually receive its own part-level treatment in the Open
Logic Project.

24.1 Overview
First-order logic is not the only system of logic of interest: there are many ex-
tensions and variations of first-order logic. A logic typically consists of the
formal specification of a language, usually, but not always, a deductive sys-
tem, and usually, but not always, an intended semantics. But the technical use
of the term raises an obvious question: what do logics that are not first-order
logic have to do with the word “logic,” used in the intuitive or philosophical
sense? All of the systems described below are designed to model reasoning of
some form or another; can we say what makes them logical?
No easy answers are forthcoming. The word “logic” is used in different
ways and in different contexts, and the notion, like that of “truth,” has been
analyzed from numerous philosophical stances. For example, one might take
the goal of logical reasoning to be the determination of which statements are
necessarily true, true a priori, true independent of the interpretation of the
nonlogical terms, true by virtue of their form, or true by linguistic convention;
and each of these conceptions requires a good deal of clarification. Even if one
restricts one’s attention to the kind of logic used in mathematics, there is little
agreement as to its scope. For example, in the Principia Mathematica, Russell
and Whitehead tried to develop mathematics on the basis of logic, in the logi-
cist tradition begun by Frege. Their system of logic was a form of higher-type

364
24.2. MANY-SORTED LOGIC

logic similar to the one described below. In the end they were forced to intro-
duce axioms which, by most standards, do not seem purely logical (notably,
the axiom of infinity, and the axiom of reducibility), but one might nonetheless
hold that some forms of higher-order reasoning should be accepted as logical.
In contrast, Quine, whose ontology does not admit “propositions” as legiti-
mate objects of discourse, argues that second-order and higher-order logic are
really manifestations of set theory in sheep’s clothing; in other words, systems
involving quantification over predicates are not purely logical.
For now, it is best to leave such philosophical issues for a rainy day, and
simply think of the systems below as formal idealizations of various kinds of
reasoning, logical or otherwise.

24.2 Many-Sorted Logic

In first-order logic, variables and quantifiers range over a single domain. But
it is often useful to have multiple (disjoint) domains: for example, you might
want to have a domain of numbers, a domain of geometric objects, a domain
of functions from numbers to numbers, a domain of abelian groups, and so
on.
Many-sorted logic provides this kind of framework. One starts with a list
of “sorts”—the “sort” of an object indicates the “domain” it is supposed to
inhabit. One then has variables and quantifiers for each sort, and (usually)
an identity predicate for each sort. Functions and relations are also “typed”
by the sorts of objects they can take as arguments. Otherwise, one keeps the
usual rules of first-order logic, with versions of the quantifier-rules repeated
for each sort.
For example, to study international relations we might choose a language
with two sorts of objects, French citizens and German citizens. We might have
a unary relation, “drinks wine,” for objects of the first sort; another unary
relation, “eats wurst,” for objects of the second sort; and a binary relation,
“forms a multinational married couple,” which takes two arguments, where
the first argument is of the first sort and the second argument is of the second
sort. If we use variables a, b, c to range over French citizens and x, y, z to range
over German citizens, then

∀ a ∀ x [(Mar r i edT o ( a, x ) → (Dr i nksW i ne ( a) ∨ ¬EatsW ur st ( x ))]]

asserts that if any French person is married to a German, either the French
person drinks wine or the German doesn’t eat wurst.
Many-sorted logic can be embedded in first-order logic in a natural way,
by lumping all the objects of the many-sorted domains together into one first-
order domain, using unary predicate symbols to keep track of the sorts, and
relativizing quantifiers. For example, the first-order language corresponding
to the example above would have unary predicate symbols “Ger man” and

Release : d3a1905 (2022-12-19) 365

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

“F r ench,” in addition to the other relations described, with the sort require-
ments erased. A sorted quantifier ∀ x φ, where x is a variable of the German
sort, translates to
∀ x (Ger man ( x ) → φ).
We need to add axioms that insure that the sorts are separate—e.g., ∀ x ¬(Ger man ( x ) ∧
F r ench ( x ))—as well as axioms that guarantee that “drinks wine” only holds
of objects satisfying the predicate F r ench ( x ), etc. With these conventions and
axioms, it is not difficult to show that many-sorted sentences translate to first-
order sentences, and many-sorted derivations translate to first-order deriva-
tions. Also, many-sorted structures “translate” to corresponding first-order
structures and vice-versa, so we also have a completeness theorem for many-
sorted logic.

24.3 Second-Order logic

The language of second-order logic allows one to quantify not just over a do-
main of individuals, but over relations on that domain as well. Given a first-
order language L, for each k one adds variables R which range over k-ary
relations, and allows quantification over those variables. If R is a variable for
a k-ary relation, and t1 , . . . , tk are ordinary (first-order) terms, R(t1 , . . . , tk ) is
an atomic formula. Otherwise, the set of formulas is defined just as in the
case of first-order logic, with additional clauses for second-order quantifica-
tion. Note that we only have the identity predicate for first-order terms: if R
and S are relation variables of the same arity k, we can define R = S to be an
abbreviation for

∀ x1 . . . ∀ xk ( R( x1 , . . . , xk ) ↔ S( x1 , . . . , xk )).

The rules for second-order logic simply extend the quantifier rules to the
new second order variables. Here, however, one has to be a little bit careful
to explain how these variables interact with the predicate symbols of L, and
with formulas of L more generally. At the bare minimum, relation variables
count as terms, so one has inferences of the form

φ( R) ⊢ ∃ R φ( R)

But if L is the language of arithmetic with a constant relation symbol <, one
would also expect the following inference to be valid:

x < y ⊢ ∃ R R( x, y)

or for a given formula φ,

φ ( x1 , . . . , x k ) ⊢ ∃ R R ( x1 , . . . , x k )

366 Release : d3a1905 (2022-12-19)

24.3. SECOND-ORDER LOGIC

More generally, we might want to allow inferences of the form

φ[λ⃗x. ψ(⃗x )/R] ⊢ ∃ R φ

where φ[λ⃗x. ψ(⃗x )/R] denotes the result of replacing every atomic formula of
the form Rt1 , . . . , tk in φ by ψ(t1 , . . . , tk ). This last rule is equivalent to having
a comprehension schema, i.e., an axiom of the form

∃ R ∀ x1 , . . . , xk ( φ( x1 , . . . , xk ) ↔ R( x1 , . . . , xk )),

one for each formula φ in the second-order language, in which R is not a free
variable. (Exercise: show that if R is allowed to occur in φ, this schema is
inconsistent!)
When logicians refer to the “axioms of second-order logic” they usually
mean the minimal extension of first-order logic by second-order quantifier
rules together with the comprehension schema. But it is often interesting to
study weaker subsystems of these axioms and rules. For example, note that
in its full generality the axiom schema of comprehension is impredicative: it
allows one to assert the existence of a relation R( x1 , . . . , xk ) that is “defined”
by a formula with second-order quantifiers; and these quantifiers range over
the set of all such relations—a set which includes R itself! Around the turn of
the twentieth century, a common reaction to Russell’s paradox was to lay the
blame on such definitions, and to avoid them in developing the foundations
of mathematics. If one prohibits the use of second-order quantifiers in the
formula φ, one has a predicative form of comprehension, which is somewhat
weaker.
From the semantic point of view, one can think of a second-order structure
as consisting of a first-order structure for the language, coupled with a set of
relations on the domain over which the second-order quantifiers range (more
precisely, for each k there is a set of relations of arity k). Of course, if com-
prehension is included in the derivation system, then we have the added re-
quirement that there are enough relations in the “second-order part” to satisfy
the comprehension axioms—otherwise the derivation system is not sound!
One easy way to insure that there are enough relations around is to take the
second-order part to consist of all the relations on the first-order part. Such
a structure is called full, and, in a sense, is really the “intended structure” for
the language. If we restrict our attention to full structures we have what is
known as the full second-order semantics. In that case, specifying a structure
boils down to specifying the first-order part, since the contents of the second-
order part follow from that implicitly.
To summarize, there is some ambiguity when talking about second-order
logic. In terms of the derivation system, one might have in mind either

1. A “minimal” second-order derivation system, together with some com-

prehension axioms.

Release : d3a1905 (2022-12-19) 367

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

2. The “standard” second-order derivation system, with full comprehen-

sion.

In terms of the semantics, one might be interested in either

1. The “weak” semantics, where a structure consists of a first-order part,

together with a second-order part big enough to satisfy the comprehen-
sion axioms.

2. The “standard” second-order semantics, in which one considers full struc-

tures only.

When logicians do not specify the derivation system or the semantics they
have in mind, they are usually refering to the second item on each list. The
advantage to using this semantics is that, as we will see, it gives us categorical
descriptions of many natural mathematical structures; at the same time, the
derivation system is quite strong, and sound for this semantics. The drawback
is that the derivation system is not complete for the semantics; in fact, no effec-
tively given derivation system is complete for the full second-order semantics.
On the other hand, we will see that the derivation system is complete for the
weakened semantics; this implies that if a sentence is not provable, then there
is some structure, not necessarily the full one, in which it is false.
The language of second-order logic is quite rich. One can identify unary
relations with subsets of the domain, and so in particular you can quantify
over these sets; for example, one can express induction for the natural num-
bers with a single axiom

∀ R (( R(0) ∧ ∀ x ( R( x ) → R( x ′ ))) → ∀ x R( x )).

If one takes the language of arithmetic to have symbols 0, ′, +, × and <, one
can add the following axioms to describe their behavior:

1. ∀ x ¬ x ′ = 0

2. ∀ x ∀y (s( x ) = s(y) → x = y)

3. ∀ x ( x + 0) = x

4. ∀ x ∀y ( x + y′ ) = ( x + y)′

5. ∀ x ( x × 0) = 0

6. ∀ x ∀y ( x × y′ ) = (( x × y) + x )

7. ∀ x ∀y ( x < y ↔ ∃z y = ( x + z′ ))

368 Release : d3a1905 (2022-12-19)

24.3. SECOND-ORDER LOGIC

It is not difficult to show that these axioms, together with the axiom of induc-
tion above, provide a categorical description of the structure N, the standard
model of arithmetic, provided we are using the full second-order semantics.
Given any structure M in which these axioms are true, define a function f
from N to the domain of M using ordinary recursion on N, so that f (0) = 0M
and f ( x + 1) = ′M ( f ( x )). Using ordinary induction on N and the fact that ax-
ioms (1) and (2) hold in M, we see that f is injective. To see that f is surjective,
let P be the set of elements of |M| that are in the range of f . Since M is full, P is
in the second-order domain. By the construction of f , we know that 0M is in P,
and that P is closed under ′M . The fact that the induction axiom holds in M
(in particular, for P) guarantees that P is equal to the entire first-order domain
of M. This shows that f is a bijection. Showing that f is a homomorphism is
no more difficult, using ordinary induction on N repeatedly.
In set-theoretic terms, a function is just a special kind of relation; for ex-
ample, a unary function f can be identified with a binary relation R satisfying
∀ x ∃!y R( x, y). As a result, one can quantify over functions too. Using the full
semantics, one can then define the class of infinite structures to be the class of
structures M for which there is an injective function from the domain of M to
a proper subset of itself:

∃ f (∀ x ∀y ( f ( x ) = f (y) → x = y) ∧ ∃y ∀ x f ( x ) ̸= y).
The negation of this sentence then defines the class of finite structures.
In addition, one can define the class of well-orderings, by adding the fol-
lowing to the definition of a linear ordering:

∀ P (∃ x P( x ) → ∃ x ( P( x ) ∧ ∀y (y < x → ¬ P(y)))).
This asserts that every non-empty set has a least element, modulo the iden-
tification of “set” with “one-place relation”. For another example, one can
express the notion of connectedness for graphs, by saying that there is no non-
trivial separation of the vertices into disconnected parts:

¬∃ A (∃ x A( x ) ∧ ∃y ¬ A(y) ∧ ∀w ∀z (( A(w) ∧ ¬ A(z)) → ¬ R(w, z))).

For yet another example, you might try as an exercise to define the class of
finite structures whose domain has even size. More strikingly, one can pro-
vide a categorical description of the real numbers as a complete ordered field
containing the rationals.
In short, second-order logic is much more expressive than first-order logic.
That’s the good news; now for the bad. We have already mentioned that there
is no effective derivation system that is complete for the full second-order
semantics. For better or for worse, many of the properties of first-order logic
are absent, including compactness and the Löwenheim-Skolem theorems.
On the other hand, if one is willing to give up the full second-order se-
mantics in terms of the weaker one, then the minimal second-order derivation

Release : d3a1905 (2022-12-19) 369

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

system is complete for this semantics. In other words, if we read ⊢ as “proves

in the minimal system” and ⊨ as “logically implies in the weaker semantics”,
we can show that whenever Γ ⊨ φ then Γ ⊢ φ. If one wants to include spe-
cific comprehension axioms in the derivation system, one has to restrict the
semantics to second-order structures that satisfy these axioms: for example, if
∆ consists of a set of comprehension axioms (possibly all of them), we have
that if Γ ∪ ∆ ⊨ φ, then Γ ∪ ∆ ⊢ φ. In particular, if φ is not provable using
the comprehension axioms we are considering, then there is a model of ¬ φ in
which these comprehension axioms nonetheless hold.
The easiest way to see that the completeness theorem holds for the weaker
semantics is to think of second-order logic as a many-sorted logic, as follows.
One sort is interpreted as the ordinary “first-order” domain, and then for each
k we have a domain of “relations of arity k.” We take the language to have
built-in relation symbols “tr ue k ( R, x1 , . . . , xk )” which is meant to assert that
R holds of x1 , . . . , xk , where R is a variable of the sort “k-ary relation” and x1 ,
. . . , xk are objects of the first-order sort.
With this identification, the weak second-order semantics is essentially the
usual semantics for many-sorted logic; and we have already observed that
many-sorted logic can be embedded in first-order logic. Modulo the trans-
lations back and forth, then, the weaker conception of second-order logic is
really a form of first-order logic in disguise, where the domain contains both
“objects” and “relations” governed by the appropriate axioms.

24.4 Higher-Order logic

Passing from first-order logic to second-order logic enabled us to talk about
sets of objects in the first-order domain, within the formal language. Why stop
there? For example, third-order logic should enable us to deal with sets of sets
of objects, or perhaps even sets which contain both objects and sets of objects.
And fourth-order logic will let us talk about sets of objects of that kind. As
you may have guessed, one can iterate this idea arbitrarily.
In practice, higher-order logic is often formulated in terms of functions
instead of relations. (Modulo the natural identifications, this difference is
inessential.) Given some basic “sorts” A, B, C, . . . (which we will now call
“types”), we can create new ones by stipulating

If σ and τ are finite types then so is σ → τ.

Think of types as syntactic “labels,” which classify the objects we want in our
domain; σ → τ describes those objects that are functions which take objects of
type σ to objects of type τ. For example, we might want to have a type Ω of
truth values, “true” and “false,” and a type N of natural numbers. In that case,
you can think of objects of type N → Ω as unary relations, or subsets of N;
objects of type N → N are functions from natural numers to natural numbers;

370 Release : d3a1905 (2022-12-19)

24.4. HIGHER-ORDER LOGIC

and objects of type (N → N) → N are “functionals,” that is, higher-type

functions that take functions to numbers.
As in the case of second-order logic, one can think of higher-order logic as
a kind of many-sorted logic, where there is a sort for each type of object we
want to consider. But it is usually clearer just to define the syntax of higher-
type logic from the ground up. For example, we can define a set of finite types
inductively, as follows:
1. N is a finite type.
2. If σ and τ are finite types, then so is σ → τ.
3. If σ and τ are finite types, so is σ × τ.
Intuitively, N denotes the type of the natural numbers, σ → τ denotes the
type of functions from σ to τ, and σ × τ denotes the type of pairs of objects,
one from σ and one from τ. We can then define a set of terms inductively, as
follows:
1. For each type σ, there is a stock of variables x, y, z, . . . of type σ
2. 0 is a term of type N
3. S (successor) is a term of type N → N
4. If s is a term of type σ, and t is a term of type N → (σ → σ ), then Rst is
a term of type N → σ
5. If s is a term of type τ → σ and t is a term of type τ, then s(t) is a term
of type σ
6. If s is a term of type σ and x is a variable of type τ, then λx. s is a term of
type τ → σ.
7. If s is a term of type σ and t is a term of type τ, then ⟨s, t⟩ is a term of
type σ × τ.
8. If s is a term of type σ × τ then p1 (s) is a term of type σ and p2 (s) is a
term of type τ.
Intuitively, Rst denotes the function defined recursively by

Rst (0) = s
Rst ( x + 1) = t( x, Rst ( x )),

⟨s, t⟩ denotes the pair whose first component is s and whose second compo-
nent is t, and p1 (s) and p2 (s) denote the first and second elements (“projec-
tions”) of s. Finally, λx. s denotes the function f defined by

f (x) = s

Release : d3a1905 (2022-12-19) 371

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

for any x of type σ; so item (6) gives us a form of comprehension, enabling us

to define functions using terms. Formulas are built up from identity predicate
statements s = t between terms of the same type, the usual propositional
connectives, and higher-type quantification. One can then take the axioms
of the system to be the basic equations governing the terms defined above,
together with the usual rules of logic with quantifiers and identity predicate.
If one augments the finite type system with a type Ω of truth values, one
has to include axioms which govern its use as well. In fact, if one is clever, one
can get rid of complex formulas entirely, replacing them with terms of type Ω!
The proof system can then be modified accordingly. The result is essentially
the simple theory of types set forth by Alonzo Church in the 1930s.
As in the case of second-order logic, there are different versions of higher-
type semantics that one might want to use. In the full version, variables of
type σ → τ range over the set of all functions from the objects of type σ to
objects of type τ. As you might expect, this semantics is too strong to ad-
mit a complete, effective derivation system. But one can consider a weaker
semantics, in which a structure consists of sets of elements Tτ for each type
τ, together with appropriate operations for application, projection, etc. If the
details are carried out correctly, one can obtain completeness theorems for the
kinds of derivation systems described above.
Higher-type logic is attractive because it provides a framework in which
we can embed a good deal of mathematics in a natural way: starting with N,
one can define real numbers, continuous functions, and so on. It is also partic-
ularly attractive in the context of intuitionistic logic, since the types have clear
“constructive” intepretations. In fact, one can develop constructive versions
of higher-type semantics (based on intuitionistic, rather than classical logic)
that clarify these constructive interpretations quite nicely, and are, in many
ways, more interesting than the classical counterparts.

24.5 Intuitionistic Logic

In constrast to second-order and higher-order logic, intuitionistic first-order

logic represents a restriction of the classical version, intended to model a more
“constructive” kind of reasoning. The following examples may serve to illus-
trate some of the underlying motivations.
Suppose someone came up to you one day and announced that they had
determined a natural number x, with the property that if x is prime, the Rie-
mann hypothesis is true, and if x is composite, the Riemann hypothesis is
false. Great news! Whether the Riemann hypothesis is true or not is one of
the big open questions of mathematics, and here they seem to have reduced
the problem to one of calculation, that is, to the determination of whether a
specific number is prime or not.

372 Release : d3a1905 (2022-12-19)

24.5. INTUITIONISTIC LOGIC

What is the magic value of x? They describe it as follows: x is the natural

number that is equal to 7 if the Riemann hypothesis is true, and 9 otherwise.
Angrily, you demand your money back. From a classical point of view, the
description above does in fact determine a unique value of x; but what you
really want is a value of x that is given explicitly.
To take another, perhaps less contrived example, consider the following
question. We know that it is possible to raise an irrational number to a rational
√ 2
power, and get a rational result. For example, 2 = 2. What is less clear
is whether or not it is possible to raise an irrational number to an irrational
power, and get a rational result. The following theorem answers this in the
affirmative:

Theorem 24.1. There are irrational numbers a and b such that ab is rational.
√ √2 √
Proof. Consider 2 . If this is rational, we are done: we can let a = b = 2.
Otherwise, it is irrational. Then we have
√ √ √
√ 2 √2 √ 2· 2 √ 2
( 2 ) = 2 = 2 = 2,
√
√ 2 √
which is certainly rational. So, in this case, let a be 2 , and let b be 2.

Does this constitute a valid proof? Most mathematicians feel that it does.
But again, there is something a little bit unsatisfying here: we have proved the
existence of a pair of real numbers with a certain property, without being able
to say which pair of numbers it is. It is possible to prove the √
same result, but in
such a way that the pair a, b is given in the proof: take a = 3 and b = log3 4.
Then √ log 4
ab = 3 3 = 31/2·log3 4 = (3log3 4 )1/2 = 41/2 = 2,
since 3log3 x = x.
Intuitionistic logic is designed to model a kind of reasoning where moves
like the one in the first proof are disallowed. Proving the existence of an x
satisfying φ( x ) means that you have to give a specific x, and a proof that it
satisfies φ, like in the second proof. Proving that φ or ψ holds requires that
you can prove one or the other.
Formally speaking, intuitionistic first-order logic is what you get if you
restrict a derivation system for first-order logic in a certain way. Similarly,
there are intuitionistic versions of second-order or higher-order logic. From
the mathematical point of view, these are just formal deductive systems, but,
as already noted, they are intended to model a kind of mathematical reason-
ing. One can take this to be the kind of reasoning that is justified on a cer-
tain philosophical view of mathematics (such as Brouwer’s intuitionism); one
can take it to be a kind of mathematical reasoning which is more “concrete”
and satisfying (along the lines of Bishop’s constructivism); and one can argue

Release : d3a1905 (2022-12-19) 373

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

about whether or not the formal description captures the informal motiva-
tion. But whatever philosophical positions we may hold, we can study intu-
itionistic logic as a formally presented logic; and for whatever reasons, many
mathematical logicians find it interesting to do so.
There is an informal constructive interpretation of the intuitionist connec-
tives, usually known as the BHK interpretation (named after Brouwer, Heyt-
ing, and Kolmogorov). It runs as follows: a proof of φ ∧ ψ consists of a proof
of φ paired with a proof of ψ; a proof of φ ∨ ψ consists of either a proof of φ,
or a proof of ψ, where we have explicit information as to which is the case;
a proof of φ → ψ consists of a procedure, which transforms a proof of φ to a
proof of ψ; a proof of ∀ x φ( x ) consists of a procedure which returns a proof
of φ( x ) for any value of x; and a proof of ∃ x φ( x ) consists of a value of x,
together with a proof that this value satisfies φ. One can describe the interpre-
tation in computational terms known as the “Curry-Howard isomorphism”
or the “formulas-as-types paradigm”: think of a formula as specifying a cer-
tain kind of data type, and proofs as computational objects of these data types
that enable us to see that the corresponding formula is true.
Intuitionistic logic is often thought of as being classical logic “minus” the
law of the excluded middle. This following theorem makes this more precise.

Theorem 24.2. Intuitionistically, the following axiom schemata are equivalent:

1. ( φ → ⊥) → ¬ φ.

2. φ ∨ ¬ φ

3. ¬¬ φ → φ

Obtaining instances of one schema from either of the others is a good exercise
in intuitionistic logic.
The first deductive systems for intuitionistic propositional logic, put forth
as formalizations of Brouwer’s intuitionism, are due, independently, to Kol-
mogorov, Glivenko, and Heyting. The first formalization of intuitionistic first-
order logic (and parts of intuitionist mathematics) is due to Heyting. Though
a number of classically valid schemata are not intuitionistically valid, many
are.
The double-negation translation describes an important relationship between
classical and intuitionist logic. It is defined inductively follows (think of φ N

374 Release : d3a1905 (2022-12-19)

24.5. INTUITIONISTIC LOGIC

as the “intuitionist” translation of the classical formula φ):

φ N ≡ ¬¬ φ for atomic formulas φ

( φ ∧ ψ) ≡ ( φ ∧ ψ N )
N N

( φ ∨ ψ) N ≡ ¬¬( φ N ∨ ψ N )
( φ → ψ) N ≡ ( φ N → ψ N )
(∀ x φ) N ≡ ∀ x φ N
(∃ x φ) N ≡ ¬¬∃ x φ N

Kolmogorov and Glivenko had versions of this translation for propositional

logic; for predicate logic, it is due to Gödel and Gentzen, independently. We
have

Theorem 24.3. 1. φ ↔ φ N is provable classically

2. If φ is provable classically, then φ N is provable intuitionistically.

We can now envision the following dialogue. Classical mathematician:

“I’ve proved φ!” Intuitionist mathematician: “Your proof isn’t valid. What
you’ve really proved is φ N .” Classical mathematician: “Fine by me!” As far as
the classical mathematician is concerned, the intuitionist is just splitting hairs,
since the two are equivalent. But the intuitionist insists there is a difference.
Note that the above translation concerns pure logic only; it does not ad-
dress the question as to what the appropriate nonlogical axioms are for classi-
cal and intuitionistic mathematics, or what the relationship is between them.
But the following slight extension of the theorem above provides some useful
information:

Theorem 24.4. If Γ proves φ classically, Γ N proves φ N intuitionistically.

In other words, if φ is provable from some hypotheses classically, then φ N

is provable from their double-negation translations.
To show that a sentence or propositional formula is intuitionistically valid,
all you have to do is provide a proof. But how can you show that it is not
valid? For that purpose, we need a semantics that is sound, and preferrably
complete. A semantics due to Kripke nicely fits the bill.
We can play the same game we did for classical logic: define the semantics,
and prove soundness and completeness. It is worthwhile, however, to note
the following distinction. In the case of classical logic, the semantics was the
“obvious” one, in a sense implicit in the meaning of the connectives. Though
one can provide some intuitive motivation for Kripke semantics, the latter
does not offer the same feeling of inevitability. In addition, the notion of a
classical structure is a natural mathematical one, so we can either take the
notion of a structure to be a tool for studying classical first-order logic, or take

Release : d3a1905 (2022-12-19) 375

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

classical first-order logic to be a tool for studying mathematical structures.

In contrast, Kripke structures can only be viewed as a logical construct; they
don’t seem to have independent mathematical interest.
A Kripke structure M = ⟨W, R, V ⟩ for a propositional language consists
of a set W, partial order R on W with a least element, and an “monotone” as-
signment of propositional variables to the elements of W. The intuition is that
the elements of W represent “worlds,” or “states of knowledge”; an element
v ≥ u represents a “possible future state” of u; and the propositional variables
assigned to u are the propositions that are known to be true in state u. The
forcing relation M, w ⊩ φ then extends this relationship to arbitrary formulas
in the language; read M, w ⊩ φ as “φ is true in state w.” The relationship is
defined inductively, as follows:

1. M, w ⊩ pi iff pi is one of the propositional variables assigned to w.

2. M, w ⊮ ⊥.

3. M, w ⊩ ( φ ∧ ψ) iff M, w ⊩ φ and M, w ⊩ ψ.

4. M, w ⊩ ( φ ∨ ψ) iff M, w ⊩ φ or M, w ⊩ ψ.

5. M, w ⊩ ( φ → ψ) iff, whenever w′ ≥ w and M, w′ ⊩ φ, then M, w′ ⊩ ψ.

It is a good exercise to try to show that ¬( p ∧ q) → (¬ p ∨ ¬q) is not intuition-

istically valid, by cooking up a Kripke structure that provides a counterexam-
ple.

24.6 Modal Logics

Consider the following example of a conditional sentence:

If Jeremy is alone in that room, then he is drunk and naked and

dancing on the chairs.

This is an example of a conditional assertion that may be materially true but

nonetheless misleading, since it seems to suggest that there is a stronger link
between the antecedent and conclusion other than simply that either the an-
tecedent is false or the consequent true. That is, the wording suggests that the
claim is not only true in this particular world (where it may be trivially true,
because Jeremy is not alone in the room), but that, moreover, the conclusion
would have been true had the antecedent been true. In other words, one can
take the assertion to mean that the claim is true not just in this world, but in
any “possible” world; or that it is necessarily true, as opposed to just true in
this particular world.
Modal logic was designed to make sense of this kind of necessity. One ob-
tains modal propositional logic from ordinary propositional logic by adding a

376 Release : d3a1905 (2022-12-19)

24.6. MODAL LOGICS

box operator; which is to say, if φ is a formula, so is □φ. Intuitively, □φ asserts

that φ is necessarily true, or true in any possible world. ♢φ is usually taken to
be an abbreviation for ¬□¬ φ, and can be read as asserting that φ is possibly
true. Of course, modality can be added to predicate logic as well.
Kripke structures can be used to provide a semantics for modal logic; in
fact, Kripke first designed this semantics with modal logic in mind. Rather
than restricting to partial orders, more generally one has a set of “possible
worlds,” P, and a binary “accessibility” relation R( x, y) between worlds. In-
tuitively, R( p, q) asserts that the world q is compatible with p; i.e., if we are
“in” world p, we have to entertain the possibility that the world could have
been like q.
Modal logic is sometimes called an “intensional” logic, as opposed to an
“extensional” one. The intended semantics for an extensional logic, like clas-
sical logic, will only refer to a single world, the “actual” one; while the seman-
tics for an “intensional” logic relies on a more elaborate ontology. In addition
to structureing necessity, one can use modality to structure other linguistic
constructions, reinterpreting □ and ♢ according to the application. For exam-
ple:
1. In provability logic, □φ is read “φ is provable” and ♢φ is read “φ is
consistent.”
2. In epistemic logic, one might read □φ as “I know φ” or “I believe φ.”
3. In temporal logic, one can read □φ as “φ is always true” and ♢φ as “φ is
sometimes true.”
One would like to augment logic with rules and axioms dealing with modal-
ity. For example, the system S4 consists of the ordinary axioms and rules of
propositional logic, together with the following axioms:

□( φ → ψ) → (□φ → □ψ)
□φ → φ
□φ → □□φ

as well as a rule, “from φ conclude □φ.” S5 adds the following axiom:

♢φ → □♢φ

Variations of these axioms may be suitable for different applications; for ex-
ample, S5 is usually taken to characterize the notion of logical necessity. And
the nice thing is that one can usually find a semantics for which the derivation
system is sound and complete by restricting the accessibility relation in the
Kripke structures in natural ways. For example, S4 corresponds to the class
of Kripke structures in which the accessibility relation is reflexive and transi-
tive. S5 corresponds to the class of Kripke structures in which the accessibility

Release : d3a1905 (2022-12-19) 377

 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

relation is universal, which is to say that every world is accessible from every
other; so □φ holds if and only if φ holds in every world.

24.7 Other Logics

As you may have gathered by now, it is not hard to design a new logic. You
too can create your own a syntax, make up a deductive system, and fashion
a semantics to go with it. You might have to be a bit clever if you want the
derivation system to be complete for the semantics, and it might take some
effort to convince the world at large that your logic is truly interesting. But, in
return, you can enjoy hours of good, clean fun, exploring your logic’s mathe-
matical and computational properties.
Recent decades have witnessed a veritable explosion of formal logics. Fuzzy
logic is designed to model reasoning about vague properties. Probabilistic
logic is designed to model reasoning about uncertainty. Default logics and
nonmonotonic logics are designed to model defeasible forms of reasoning,
which is to say, “reasonable” inferences that can later be overturned in the face
of new information. There are epistemic logics, designed to model reasoning
about knowledge; causal logics, designed to model reasoning about causal re-
lationships; and even “deontic” logics, which are designed to model reason-
ing about moral and ethical obligations. Depending on whether the primary
motivation for introducing these systems is philosophical, mathematical, or
computational, you may find such creatures studies under the rubric of math-
ematical logic, philosophical logic, artificial intelligence, cognitive science, or
elsewhere.
The list goes on and on, and the possibilities seem endless. We may never
attain Leibniz’ dream of reducing all of human reason to calculation—but that
can’t stop us from trying.

378 Release : d3a1905 (2022-12-19)

 Part IV

Model Theory

379
 CHAPTER 24. BEYOND FIRST-ORDER LOGIC

Material on model theory is incomplete and experimental. It is cur-

rently simply an adaptation of Aldo Antonelli’s notes on model theory,
less those topics covered in the part on first-order logic (theories, com-
pleteness, compactness). It requires much more introduction, motivation,
and explanation, as well as exercises, to be useful for a textbook. Andy
Arana is at planning to work on this part specifically (issue #65).

380 Release : d3a1905 (2022-12-19)

Chapter 25

Basics of Model Theory

25.1 Reducts and Expansions

Often it is useful or necessary to compare languages which have symbols in
common, as well as structures for these languages. The most common case
is when all the symbols in a language L are also part of a language L′ , i.e.,
L ⊆ L′ . An L-structure M can then always be expanded to an L′ -structure
by adding interpretations of the additional symbols while leaving the inter-
pretations of the common symbols the same. On the other hand, from an
L′ -structure M′ we can obtain an L-structure simply by “forgetting” the in-
terpretations of the symbols that do not occur in L.

Definition 25.1. Suppose L ⊆ L′ , M is an L-structure and M′ is an L′ -structure.

M is the reduct of M′ to L, and M′ is an expansion of M to L′ iff

1. |M| = |M′ |
′
2. For every constant symbol c ∈ L, cM = cM .
′
3. For every function symbol f ∈ L, f M = f M .
′
4. For every predicate symbol P ∈ L, PM = PM .

Proposition 25.2. If an L-structure M is a reduct of an L′ -structure M′ , then for

all L-sentences φ,
M ⊨ φ iff M′ ⊨ φ.

Proof. Exercise.

Definition 25.3. When we have an L-structure M, and L′ = L ∪ { P} is the

expansion of L obtained by adding a single n-place predicate symbol P, and
R ⊆ |M|n is an n-place relation, then we write (M, R) for the expansion M′
′
of M with PM = R.

381
 CHAPTER 25. BASICS OF MODEL THEORY

25.2 Substructures
The domain of a structure M may be a subset of another M′ . But we should
obviously only consider M a “part” of M′ if not only |M| ⊆ |M′ |, but M and
M′ “agree” in how they interpret the symbols of the language at least on the
shared part |M|.

Definition 25.4. Given structures M and M′ for the same language L, we say
that M is a substructure of M′ , and M′ an extension of M, written M ⊆ M′ , iff

1. |M| ⊆ |M′ |,
′
2. For each constant c ∈ L, cM = cM ;
′
3. For each n-place function symbol f ∈ L f M ( a1 , . . . , an ) = f M ( a1 , . . . , an )
for all a1 , . . . , an ∈ |M|.

4. For each n-place predicate symbol R ∈ L, ⟨ a1 , . . . , an ⟩ ∈ RM iff ⟨ a1 , . . . , an ⟩ ∈

′
RM for all a1 , . . . , an ∈ |M|.

Remark 1. If the language contains no constant or function symbols, then any

N ⊆ |M| determines a substructure N of M with domain |N| = N by putting
RN = RM ∩ N n .

25.3 Overspill
Theorem 25.5. If a set Γ of sentences has arbitrarily large finite models, then it has
an infinite model.

Proof. Expand the language of Γ by adding countably many new constants c0 ,

c1 , . . . and consider the set Γ ∪ {ci ̸= c j : i ̸= j}. To say that Γ has arbitrarily
large finite models means that for every m > 0 there is n ≥ m such that Γ
has a model of cardinality n. This implies that Γ ∪ {ci ̸= c j : i ̸= j} is finitely
satisfiable. By compactness, Γ ∪ {ci ̸= c j : i ̸= j} has a model M whose
domain must be infinite, since it satisfies all inequalities ci ̸= c j .

Proposition 25.6. There is no sentence φ of any first-order language that is true in

a structure M if and only if the domain |M| of the structure is infinite.

Proof. If there were such a φ, its negation ¬ φ would be true in all and only the
finite structures, and it would therefore have arbitrarily large finite models
but it would lack an infinite model, contradicting Theorem 25.5.

382 Release : d3a1905 (2022-12-19)

25.4. ISOMORPHIC STRUCTURES

25.4 Isomorphic Structures

First-order structures can be alike in one of two ways. One way in which the
can be alike is that they make the same sentences true. We call such structures
elementarily equivalent. But structures can be very different and still make the
same sentences true—for instance, one can be enumerable and the other not.
This is because there are lots of features of a structure that cannot be expressed
in first-order languages, either because the language is not rich enough, or be-
cause of fundamental limitations of first-order logic such as the Löwenheim-
Skolem theorem. So another, stricter, aspect in which structures can be alike is
if they are fundamentally the same, in the sense that they only differ in the ob-
jects that make them up, but not in their structural features. A way of making
this precise is by the notion of an isomorphism.

Definition 25.7. Given two structures M and M′ for the same language L, we
say that M is elementarily equivalent to M′ , written M ≡ M′ , if and only if for
every sentence φ of L, M ⊨ φ iff M′ ⊨ φ.

Definition 25.8. Given two structures M and M′ for the same language L,
we say that M is isomorphic to M′ , written M ≃ M′ , if and only if there is a
function h : |M| → |M′ | such that:

1. h is injective: if h( x ) = h(y) then x = y;

2. h is surjective: for every y ∈ |M′ | there is x ∈ |M| such that h( x ) = y;

′
3. for every constant symbol c: h(cM ) = cM ;

4. for every n-place predicate symbol P:

′
⟨ a1 , . . . , a n ⟩ ∈ PM iff ⟨h( a1 ), . . . , h( an )⟩ ∈ PM ;

5. for every n-place function symbol f :

′
h( f M ( a1 , . . . , an )) = f M (h( a1 ), . . . , h( an )).

Theorem 25.9. If M ≃ M′ then M ≡ M′ .

Proof. Let h be an isomorphism of M onto M′ . For any assignment s, h ◦ s is

the composition of h and s, i.e., the assignment in M′ such that (h ◦ s)( x ) =
h(s( x )). By induction on t and φ one can prove the stronger claims:
′
a. h(ValM M
s ( t )) = Valh◦s ( t ).

b. M, s ⊨ φ iff M′ , h ◦ s ⊨ φ.

The first is proved by induction on the complexity of t.

Release : d3a1905 (2022-12-19) 383

 CHAPTER 25. BASICS OF MODEL THEORY

′ ′
1. If t ≡ c, then ValM
s (c) = c
M and ValM ( c ) = cM . Thus, h (ValM ( t )) =
h◦s s
′ ′
h(cM ) = cM (by (3) of Definition 25.8) = ValMh ◦ s ( t ).
′
2. If t ≡ x, then ValM M M
s ( x ) = s ( x ) and Valh◦s ( x ) = h ( s ( x )). Thus, h (Vals ( x )) =
′
h(s( x )) = ValM
h ◦ s ( x ).

3. If t ≡ f (t1 , . . . , tn ), then

ValM M M M
s ( t ) = f (Vals ( t1 ), . . . , Vals ( tn )) and
′ ′ M′
ValM
h◦s (t ) = f M
(ValM
h◦s ( t1 ), . . . , Valh◦s ( tn )).

′
The induction hypothesis is that for each i, h(ValM M
s ( ti )) = Valh◦s ( ti ). So,

h(ValM M M M
s ( t )) = h ( f (Vals ( t1 ), . . . , Vals ( tn ))
′ ′
= h( f M (ValM M
h◦s ( t1 ), . . . , Valh◦s ( tn )) (25.1)
M′ ′ M′
= f (ValM h◦s ( t1 ), . . . , Valh◦s ( tn )) (25.2)
′
= ValM
h◦s (t )

Here, eq. (25.1) follows by induction hypothesis and eq. (25.2) by (5) of
Definition 25.8.

Part (b) is left as an exercise.

If φ is a sentence, the assignments s and h ◦ s are irrelevant, and we have
M ⊨ φ iff M′ ⊨ φ.

Definition 25.10. An automorphism of a structure M is an isomorphism of M

onto itself.

25.5 The Theory of a Structure

Every structure M makes some sentences true, and some false. The set of all
the sentences it makes true is called its theory. That set is in fact a theory, since
anything it entails must be true in all its models, including M.

Definition 25.11. Given a structure M, the theory of M is the set Th(M) of

sentences that are true in M, i.e., Th(M) = { φ : M ⊨ φ}.

We also use the term “theory” informally to refer to sets of sentences hav-
ing an intended interpretation, whether deductively closed or not.

Proposition 25.12. For any M, Th(M) is complete.

Proof. For any sentence φ either M ⊨ φ or M ⊨ ¬ φ, so either φ ∈ Th(M) or

¬ φ ∈ Th(M).

384 Release : d3a1905 (2022-12-19)

25.6. PARTIAL ISOMORPHISMS

Proposition 25.13. If N |= φ for every φ ∈ Th(M), then M ≡ N.

Proof. Since N ⊨ φ for all φ ∈ Th(M), Th(M) ⊆ Th(N). If N ⊨ φ, then

N ⊭ ¬ φ, so ¬ φ ∈
/ Th(M). Since Th(M) is complete, φ ∈ Th(M). So, Th(N) ⊆
Th(M), and we have M ≡ N.

Remark 2. Consider R = ⟨R, <⟩, the structure whose domain is the set R of
the real numbers, in the language comprising only a 2-place predicate sym-
bol interpreted as the < relation over the reals. Clearly R is non-enumerable;
however, since Th(R) is obviously consistent, by the Löwenheim-Skolem the-
orem it has an enumerable model, say S, and by Proposition 25.13, R ≡ S.
Moreover, since R and S are not isomorphic, this shows that the converse of
Theorem 25.9 fails in general.

25.6 Partial Isomorphisms

Definition 25.14. Given two structures M and N, a partial isomorphism from M
to N is a finite partial function p taking arguments in |M| and returning values
in |N|, which satisfies the isomorphism conditions from Definition 25.8 on its
domain:

1. p is injective;

2. for every constant symbol c: if p(cM ) is defined, then p(cM ) = cN ;

3. for every n-place predicate symbol P: if a1 , . . . , an are in the domain of

p, then ⟨ a1 , . . . , an ⟩ ∈ PM if and only if ⟨ p( a1 ), . . . , p( an )⟩ ∈ PN ;

4. for every n-place function symbol f : if a1 , . . . , an are in the domain of p,

then p( f M ( a1 , . . . , an )) = f N ( p( a1 ), dots, p( an )).

That p is finite means that dom( p) is finite.

Notice that the empty function ∅ is always a partial isomorphism between

any two structures.

Definition 25.15. Two structures M and N, are partially isomorphic, written

M ≃ p N, if and only if there is a non-empty set I of partial isomorphisms
between M and N satisfying the back-and-forth property:

1. (Forth) For every p ∈ I and a ∈ |M| there is q ∈ I such that p ⊆ q and a

is in the domain of q;

2. (Back) For every p ∈ I and b ∈ |N| there is q ∈ I such that p ⊆ q and b is

in the range of q.

Theorem 25.16. If M ≃ p N and M and N are enumerable, then M ≃ N.

Release : d3a1905 (2022-12-19) 385

 CHAPTER 25. BASICS OF MODEL THEORY

Proof. Since M and N are enumerable, let |M| = { a0 , a1 , . . .} and |N| = {b0 , b1 , . . .}.
Starting with an arbitrary p0 ∈ I, we define an increasing sequence of partial
isomorphisms p0 ⊆ p1 ⊆ p2 ⊆ · · · as follows:

1. if n + 1 is odd, say n = 2r, then using the Forth property find a pn+1 ∈ I
such that pn ⊆ pn+1 and ar is in the domain of pn+1 ;

2. if n + 1 is even, say n + 1 = 2r, then using the Back property find a

pn+1 ∈ I such that pn ⊆ pn+1 and br is in the range of pn+1 .

If we now put:
[
p= pn ,
n ≥0

we have that p is a an isomorphism between M and N.

Theorem 25.17. Suppose M and N are structures for a purely relational language
(a language containing only predicate symbols, and no function symbols or con-
stants). Then if M ≃ p N, also M ≡ N.

Proof. By induction on formulas, one shows that if a1 , . . . , an and b1 , . . . , bn are

such that there is a partial isomorphism p mapping each ai to bi and s1 ( xi ) = ai
and s2 ( xi ) = bi (for i = 1, . . . , n), then M, s1 ⊨ φ if and only if N, s2 ⊨ φ. The
case for n = 0 gives M ≡ N.

Remark 3. If function symbols are present, the previous result is still true, but
one needs to consider the isomorphism induced by p between the substruc-
ture of M generated by a1 , . . . , an and the substructure of N generated by b1 ,
. . . , bn .

The previous result can be “broken down” into stages by establishing a

connection between the number of nested quantifiers in a formula and how
many times the relevant partial isomorphisms can be extended.

Definition 25.18. For any formula φ, the quantifier rank of φ, denoted by qr( φ) ∈
N, is recursively defined as the highest number of nested quantifiers in φ.
Two structures M and N are n-equivalent, written M ≡n N, if they agree on all
sentences of quantifier rank less than or equal to n.

Proposition 25.19. Let L be a finite purely relational language, i.e., a language con-
taining finitely many predicate symbols and constant symbols, and no function sym-
bols. Then for each n ∈ N there are only finitely many first-order sentences in the
language L that have quantifier rank no greater than n, up to logical equivalence.

Proof. By induction on n.

386 Release : d3a1905 (2022-12-19)

25.6. PARTIAL ISOMORPHISMS

Definition 25.20. Given a structure M, let |M|<ω be the set of all finite se-
quences over |M|. We use a, b, c, . . . to range over finite sequences of elements.
If a ∈ |M|<ω and a ∈ |M|, then aa represents the concatenation of a with a.
Definition 25.21. Given structures M and N, we define relations In ⊆ |M|<ω ×
|N|<ω between sequences of equal length, by recursion on n as follows:
1. I0 (a, b) if and only if a and b satisfy the same atomic formulas in M and
N; i.e., if s1 ( xi ) = ai and s2 ( xi ) = bi and φ is atomic with all variables
among x1 , . . . , xn , then M, s1 ⊨ φ if and only if N, s2 ⊨ φ.
2. In+1 (a, b) if and only if for every a ∈ A there is a b ∈ B such that
In (aa, bb), and vice-versa.
Definition 25.22. Write M ≈n N if In (Λ, Λ) holds of M and N (where Λ is the
empty sequence).
Theorem 25.23. Let L be a purely relational language. Then In (a, b) implies that
for every φ such that qr( φ) ≤ n, we have M, a ⊨ φ if and only if N, b ⊨ φ (where
again a satisfies φ if any s such that s( xi ) = ai satisfies φ). Moreover, if L is finite,
the converse also holds.
Proof. The proof that In (a, b) implies that a and b satisfy the same formulas
of quantifier rank no greater than n is by an easy induction on φ. For the con-
verse we proceed by induction on n, using Proposition 25.19, which ensures
that for each n there are at most finitely many non-equivalent formulas of that
quantifier rank.
For n = 0 the hypothesis that a and b satisfy the same quantifier-free for-
mulas gives that they satisfy the same atomic ones, so that I0 (a, b).
For the n + 1 case, suppose that a and b satisfy the same formulas of quan-
tifier rank no greater than n + 1; in order to show that In+1 (a, b) suffices to
show that for each a ∈ |M| there is a b ∈ |N| such that In (aa, bb), and by the
inductive hypothesis again suffices to show that for each a ∈ |M| there is a
b ∈ |N| such that aa and bb satisfy the same formulas of quantifier rank no
greater than n.
Given a ∈ |M|, let τna be set of formulas ψ( x, y) of rank no greater than
n satisfied by aa in M; τna is finite, so we can assume it is a single first-order
formula. It follows that a satisfies ∃ x τna ( x, y), which has quantifier rank no
greater than n + 1. By hypothesis b satisfies the same formula in N, so that
there is a b ∈ |N| such that bb satisfies τna ; in particular, bb satisfies the same
formulas of quantifier rank no greater than n as aa. Similarly one shows that
for every b ∈ |N| there is a ∈ |M| such that aa and bb satisfy the same formu-
las of quantifier rank no greater than n, which completes the proof.
Corollary 25.24. If M and N are purely relational structures in a finite language,
then M ≈n N if and only if M ≡n N. In particular M ≡ N if and only if for each n,
M ≈n N .

Release : d3a1905 (2022-12-19) 387

 CHAPTER 25. BASICS OF MODEL THEORY

25.7 Dense Linear Orders

Definition 25.25. A dense linear ordering without endpoints is a structure M for
the language containg a single 2-place predicate symbol < satisfying the fol-
lowing sentences:

1. ∀ x ¬ x < x;

2. ∀ x ∀y ∀z ( x < y → (y < z → x < z));

3. ∀ x ∀y ( x < y ∨ x = y ∨ y < x );

4. ∀ x ∃y x < y;

5. ∀ x ∃y y < x;

6. ∀ x ∀y ( x < y → ∃z ( x < z ∧ z < y)).

Theorem 25.26. Any two enumerable dense linear orderings without endpoints are
isomorphic.

Proof. Let M1 and M2 be enumerable dense linear orderings without end-

points, with <1 = <M1 and <2 = <M2 , and let I be the set of all partial
isomorphisms between them. I is not empty since at least ∅ ∈ I . We show
that I satisfies the Back-and-Forth property. Then M1 ≃ p M2 , and the theo-
rem follows by Theorem 25.16.
To show I satisifes the Forth property, let p ∈ I and let p( ai ) = bi for i = 1,
. . . , n, and without loss of generality suppose a1 <1 a2 <1 · · · <1 an . Given
a ∈ |M1 |, find b ∈ |M2 | as follows:

1. if a <2 a1 let b ∈ |M2 | be such that b <2 b1 ;

2. if an <1 a let b ∈ |M2 | be such that bn <2 b;

3. if ai <1 a <1 ai+1 for some i, then let b ∈ |M2 | be such that bi <2 b <2
bi + 1 .

It is always possible to find a b with the desired property since M2 is a dense

linear ordering without endpoints. Define q = p ∪ {⟨ a, b⟩} so that q ∈ I is the
desired extension of p. This establishes the Forth property. The Back property
is similar. So M1 ≃ p M2 ; by Theorem 25.16, M1 ≃ M2 .

Remark 4. Let S be any enumerable dense linear ordering without endpoints.

Then (by Theorem 25.26) S ≃ Q, where Q = (Q, <) is the enumerable dense
linear ordering having the set Q of the rational numbers as its domain. Now
consider again the structure R = (R, <) from Remark 2. We saw that there is
an enumerable structure S such that R ≡ S. But S is an enumerable dense

388 Release : d3a1905 (2022-12-19)

25.7. DENSE LINEAR ORDERS

linear ordering without endpoints, and so it is isomorphic (and hence elemen-

tarily equivalent) to the structure Q. By transitivity of elementary equivalence,
R ≡ Q. (We could have shown this directly by establishing R ≃ p Q by the
same back-and-forth argument.)

Problems
Problem 25.1. Prove Proposition 25.2.

Problem 25.2. Carry out the proof of (b) of Theorem 25.9 in detail. Make sure
to note where each of the five properties characterizing isomorphisms of Def-
inition 25.8 is used.

Problem 25.3. Show that for any structure M, if X is a definable subset of M,

and h is an automorphism of M, then X = {h( x ) : x ∈ X } (i.e., X is fixed
under h).

Problem 25.4. Show in detail that p as defined in Theorem 25.16 is in fact an

isomorphism.

Problem 25.5. Complete the proof of Theorem 25.26 by verifying that I satis-
fies the Back property.

Release : d3a1905 (2022-12-19) 389

Chapter 26

Models of Arithmetic

26.1 Introduction
The standard model of arithmetic is the structure N with |N| = N in which 0,
′, +, ×, and < are interpreted as you would expect. That is, 0 is 0, ′ is the
successor function, + is interpeted as addition and × as multiplication of the
numbers in N. Specifically,

0N = 0
′N ( n ) = n + 1
+N (n, m) = n + m
×N (n, m) = nm

Of course, there are structures for L A that have domains other than N. For
instance, we can take M with domain |M| = { a}∗ (the finite sequences of the
single symbol a, i.e., ∅, a, aa, aaa, . . . ), and interpretations

0M = ∅
′M ( s ) = s ⌢ a
+M (n, m) = an+m
×M (n, m) = anm

These two structures are “essentially the same” in the sense that the only dif-
ference is the elements of the domains but not how the elements of the do-
mains are related among each other by the interpretation functions. We say
that the two structures are isomorphic.
It is an easy consequence of the compactness theorem that any theory true
in N also has models that are not isomorphic to N. Such structures are called
non-standard. The interesting thing about them is that while the elements of a
standard model (i.e., N, but also all structures isomorphic to it) are exhausted

390
26.2. STANDARD MODELS OF ARITHMETIC

by the values of the standard numerals n, i.e.,

|N| = {ValN (n) : n ∈ N}

that isn’t the case in non-standard models: if M is non-standard, then there is

at least one x ∈ |M| such that x ̸= ValM (n) for all n.
These non-standard elements are pretty neat: they are “infinite natural
numbers.” But their existence also explains, in a sense, the incompleteness
phenomena. Consider an example, e.g., the consistency statement for Peano
arithmetic, ConPA , i.e., ¬∃ x Prf PA ( x, ⌜⊥⌝). Since PA neither proves ConPA nor
¬ConPA , either can be consistently added to PA. Since PA is consistent, N ⊨
ConPA , and consequently N ⊭ ¬ConPA . So N is not a model of PA ∪ {¬ConPA },
and all its models must be nonstandard. Models of PA ∪ {¬ConPA } must
contain some element that serves as the witness that makes ∃ x Prf PA (⌜⊥⌝)
true, i.e., a Gödel number of a derivation of a contradiction from PA. Such
an element can’t be standard—since PA ⊢ ¬Prf PA (n, ⌜⊥⌝) for every n.

26.2 Standard Models of Arithmetic

The language of arithmetic L A is obviously intended to be about numbers,
specifically, about natural numbers. So, “the” standard model N is special: it
is the model we want to talk about. But in logic, we are often just interested in
structural properties, and any two structures that are isomorphic share those.
So we can be a bit more liberal, and consider any structure that is isomorphic
to N “standard.”

Definition 26.1. A structure for L A is standard if it is isomorphic to N.

Proposition 26.2. If a structure M is standard, then its domain is the set of values
of the standard numerals, i.e.,

|M| = {ValM (n) : n ∈ N}

Proof. Clearly, every ValM (n) ∈ |M|. We just have to show that every x ∈
|M| is equal to ValM (n) for some n. Since M is standard, it is isomorphic
to N. Suppose g : N → |M| is an isomorphism. Then g(n) = g(ValN (n)) =
ValM (n). But for every x ∈ |M|, there is an n ∈ N such that g(n) = x, since g
is surjective.

If a structure M for L A is standard, the elements of its domain can all be

named by the standard numerals 0, 1, 2, . . . , i.e., the terms 0, 0′ , 0′′ , etc. Of
course, this does not mean that the elements of |M| are the numbers, just that
we can pick them out the same way we can pick out the numbers in |N|.

Proposition 26.3. If M ⊨ Q, and |M| = {ValM (n) : n ∈ N}, then M is standard.

Release : d3a1905 (2022-12-19) 391

 CHAPTER 26. MODELS OF ARITHMETIC

Proof. We have to show that M is isomorphic to N. Consider the function

g : N → |M| defined by g(n) = ValM (n). By the hypothesis, g is surjective.
It is also injective: Q ⊢ n ̸= m whenever n ̸= m. Thus, since M ⊨ Q, M ⊨
n ̸= m, whenever n ̸= m. Thus, if n ̸= m, then ValM (n) ̸= ValM (m), i.e.,
g ( n ) ̸ = g ( m ).
We also have to verify that g is an isomorphism.

1. We have g(0N ) = g(0) since, 0N = 0. By definition of g, g(0) =

ValM (0). But 0 is just 0, and the value of a term which happens to be
a constant symbol is given by what the structure assigns to that constant
symbol, i.e., ValM (0) = 0M . So we have g(0N ) = 0M as required.

2. g(′N (n)) = g(n + 1), since ′ in N is the successor function on N. Then,

g(n + 1) = ValM (n + 1) by definition of g. But n + 1 is the same term
as n′ , so ValM (n + 1) = ValM (n′ ). By the definition of the value func-
tion, this is = ′M (ValM (n)). Since ValM (n) = g(n) we get g(′N (n)) =
′M ( g(n)).

3. g(+N (n, m)) = g(n + m), since + in N is the addition function on N.

Then, g(n + m) = ValM (n + m) by definition of g. But Q ⊢ n + m =
(n + m), so ValM (n + m) = ValM (n + m). By the definition of the value
function, this is = +M (ValM (n), ValM (m)). Since ValM (n) = g(n) and
ValM (m) = g(m), we get g(+N (n, m)) = +M ( g(n), g(m)).

4. g(×N (n, m)) = ×M ( g(n), g(m)): Exercise.

5. ⟨n, m⟩ ∈ <N iff n < m. If n < m, then Q ⊢ n < m, and also M ⊨ n < m.
Thus ⟨ValM (n), ValM (m)⟩ ∈ <M , i.e., ⟨ g(n), g(m)⟩ ∈ <M . If n ̸< m,
then Q ⊢ ¬n < m, and consequently M ⊭ n < m. Thus, as before,
/ <M . Together, we get: ⟨n, m⟩ ∈ <N iff ⟨ g(n), g(m)⟩ ∈
⟨ g(n), g(m)⟩ ∈
< .M

The function g is the most obvious way of defining a mapping from N

to the domain of any other structure M for L A , since every such M contains
elements named by 0, 1, 2, etc. So it isn’t surprising that if M makes at least
some basic statements about the n’s true in the same way that N does, and g
is also bijective, then g will turn into an isomorphism. In fact, if |M| contains
no elements other than what the n’s name, it’s the only one.

Proposition 26.4. If M is standard, then g from the proof of Proposition 26.3 is the
only isomorphism from N to M.

Proof. Suppose h : N → |M| is an isomorphism between N and M. We show

that g = h by induction on n. If n = 0, then g(0) = 0M by definition of g. But
since h is an isomorphism, h(0) = h(0N ) = 0M , so g(0) = h(0).

392 Release : d3a1905 (2022-12-19)

26.3. NON-STANDARD MODELS

Now consider the case for n + 1. We have

g(n + 1) = ValM (n + 1) by definition of g
= ValM (n′ ) since n + 1 ≡ n′
= ′M (ValM (n)) by definition of ValM (t′ )
= ′M ( g(n)) by definition of g
= ′M (h(n)) by induction hypothesis
= h(′N (n)) since h is an isomorphism
= h ( n + 1)

For any denumerable set M, there’s a bijection between N and M, so every

such set M is potentially the domain of a standard model M. In fact, once you
pick an object z ∈ M and a suitable function s as 0M and ′M , the interpreta-
tions of +, ×, and < is already fixed. Only functions s : M → M \ {z} that
are both injective and surjective are suitable in a standard model as ′M . The
range of s cannot contain z, since otherwise ∀ x 0 ̸= x ′ would be false. That
sentence is true in N, and so M also has to make it true. The function s has
to be injective, since the successor function ′N in N is, and that ′N is injective
is expressed by a sentence true in N. It has to be surjective because otherwise
there would be some x ∈ M \ {z} not in the domain of s, i.e., the sentence
∀ x ( x = 0 ∨ ∃y y′ = x ) would be false in M—but it is true in N.

26.3 Non-Standard Models

We call a structure for L A standard if it is isomorphic to N. If a structure isn’t
isomorphic to N, it is called non-standard.
Definition 26.5. A structure M for L A is non-standard if it is not isomorphic
to N. The elements x ∈ |M| which are equal to ValM (n) for some n ∈ N are
called standard numbers (of M), and those not, non-standard numbers.

By Proposition 26.2, any standard structure for L A contains only standard

elements. Consequently, a non-standard structure must contain at least one
non-standard element. In fact, the existence of a non-standard element guar-
antees that the structure is non-standard.
Proposition 26.6. If a structure M for L A contains a non-standard number, M is
non-standard.

Proof. Suppose not, i.e., suppose M standard but contains a non-standard

number x. Let g : N → |M| be an isomorphism. It is easy to see (by induction
on n) that g(ValN (n)) = ValM (n). In other words, g maps standard num-
bers of N to standard numbers of M. If M contains a non-standard number, g
cannot be surjective, contrary to hypothesis.

Release : d3a1905 (2022-12-19) 393

 CHAPTER 26. MODELS OF ARITHMETIC

It is easy enough to specify non-standard structures for L A . For instance,

take the structure with domain Z and interpret all non-logical symbols as
usual. Since negative numbers are not values of n for any n, this structure
is non-standard. Of course, it will not be a model of arithmetic in the sense
that it makes the same sentences true as N. For instance, ∀ x x ′ ̸= 0 is false.
However, we can prove that non-standard models of arithmetic exist easily
enough, using the compactness theorem.

Proposition 26.7. Let TA = { φ : N ⊨ φ} be the theory of N. TA has an enumer-

able non-standard model.

Proof. Expand L A by a new constant symbol c and consider the set of sen-
tences

Γ = TA ∪ {c ̸= 0, c ̸= 1, c ̸= 2, . . . }

Any model Mc of Γ would contain an element x = cM which is non-standard,

since x ̸= ValM (n) for all n ∈ N. Also, obviously, Mc ⊨ TA, since TA ⊆ Γ. If
we turn Mc into a structure M for L A simply by forgetting about c, its domain
still contains the non-standard x, and also M ⊨ TA. The latter is guaranteed
since c does not occur in TA. So, it suffices to show that Γ has a model.
We use the compactness theorem to show that Γ has a model. If every
finite subset of Γ is satisfiable, so is Γ. Consider any finite subset Γ0 ⊆ Γ. Γ0
includes some sentences of TA and some of the form c ̸= n, but only finitely
many. Suppose k is the largest number so that c ̸= k ∈ Γ0 . Define Nk by
expanding N to include the interpretation cNk = k + 1. Nk ⊨ Γ0 : if φ ∈ TA,
Nk ⊨ φ since Nk is just like N in all respects except c, and c does not occur in φ.
And Nk ⊨ c ̸= n, since n ≤ k, and ValNk (c) = k + 1. Thus, every finite subset
of Γ is satisfiable.

26.4 Models of Q

We know that there are non-standard structures that make the same sentences
true as N does, i.e., is a model of TA. Since N ⊨ Q, any model of TA is also
a model of Q. Q is much weaker than TA, e.g., Q ⊬ ∀ x ∀y ( x + y) = (y + x ).
Weaker theories are easier to satisfy: they have more models. E.g., Q has
models which make ∀ x ∀y ( x + y) = (y + x ) false, but those cannot also be
models of TA, or PA for that matter. Models of Q are also relatively simple:
we can specify them explicitly.

394 Release : d3a1905 (2022-12-19)

26.4. MODELS OF Q

Example 26.8. Consider the structure K with domain |K| = N ∪ { a} and in-
terpretations
0K = 0
(
x+1 if x ∈ N
′K ( x ) =
a if x = a
(
x+y if x, y ∈ N
+K ( x, y) =
a otherwise
if x, y ∈ N

 xy

K
× ( x, y) = 0 if x = 0 or y = 0

a otherwise


< = {⟨ x, y⟩ : x, y ∈ N and x < y} ∪ {⟨ x, a⟩ : x ∈ |K|}

K

To show that K ⊨ Q we have to verify that all axioms of Q are true in K.

For convenience, let’s write x ∗ for ′K ( x ) (the “successor” of x in K), x ⊕ y for
+K ( x, y) (the “sum” of x and y in K, x ⊗ y for ×K ( x, y) (the “product” of x
and y in K), and x 4 y for ⟨ x, y⟩ ∈ <K . With these abbreviations, we can give
the operations in K more perspicuously as
x⊕y 0 m a x⊗y 0 m a
x x∗
0 0 m a 0 0 0 0
n n+1
n n n+m a n 0 nm a
a a
a a a a a 0 a a
We have n 4 m iff n < m for n, m ∈ N and x 4 a for all x ∈ |K|.
K ⊨ ∀ x ∀y ( x ′ = y′ → x = y) since ∗ is injective. K ⊨ ∀ x 0 ̸= x ′ since 0 is
not a ∗-successor in K. K ⊨ ∀ x ( x = 0 ∨ ∃y x = y′ ) since for every n > 0,
n = (n − 1)∗ , and a = a∗ .
K ⊨ ∀ x ( x + 0) = x since n ⊕ 0 = n + 0 = n, and a ⊕ 0 = a by definition
of ⊕. K ⊨ ∀ x ∀y ( x + y′ ) = ( x + y)′ is a bit trickier. If n, m are both standard,
we have:
(n ⊕ m∗ ) = (n + (m + 1)) = (n + m) + 1 = (n ⊕ m)∗

since ⊕ and ∗ agree with + and ′ on standard numbers. Now suppose x ∈ |K|.
Then

( x ⊕ a∗ ) = ( x ⊕ a) = a = a∗ = ( x ⊕ a)∗

The remaining case is if y ∈ |K| but x = a. Here we also have to distinguish

cases according to whether y = n is standard or y = b:

( a ⊕ n∗ ) = ( a ⊕ (n + 1)) = a = a∗ = ( a ⊕ n)∗
( a ⊕ a∗ ) = ( a ⊕ a) = a = a∗ = ( a ⊕ a)∗

Release : d3a1905 (2022-12-19) 395

 CHAPTER 26. MODELS OF ARITHMETIC

This is of course a bit more detailed than needed. For instance, since a ⊕ z = a
whatever z is, we can immediately conclude a ⊕ a∗ = a. The remaining axioms
can be verified the same way.
K is thus a model of Q. Its “addition” ⊕ is also commutative. But there are
other sentences true in N but false in K, and vice versa. For instance, a 4 a, so
K ⊨ ∃ x x < x and K ⊭ ∀ x ¬ x < x. This shows that Q ⊬ ∀ x ¬ x < x.

Example 26.9. Consider the structure L with domain |L| = N ∪ { a, b} and

interpretations ′L = ∗, +L = ⊕ given by

x x∗ x⊕y m a b
n n+1 n n+m b a
a a a a b a
b b b b b a

Since ∗ is injective, 0 is not in its range, and every x ∈ |L| other than 0 is,
axioms Q1 –Q3 are true in L. For any x, x ⊕ 0 = x, so Q4 is true as well. For
Q5 , consider x ⊕ y∗ and ( x ⊕ y)∗ . They are equal if x and y are both standard,
since then ∗ and ⊕ agree with ′ and +. If x is non-standard, and y is standard,
we have x ⊕ y∗ = x = x ∗ = ( x ⊕ y)∗ . If x and y are both non-standard, we
have four cases:

a ⊕ a∗ = b = b∗ = ( a ⊕ a)∗
b ⊕ b∗ = a = a∗ = (b ⊕ b)∗
b ⊕ a∗ = b = b∗ = (b ⊕ y)∗
a ⊕ b∗ = a = a∗ = ( a ⊕ b)∗

If x is standard, but y is non-standard, we have

n ⊕ a∗ = n ⊕ a = b = b∗ = (n ⊕ a)∗
n ⊕ b∗ = n ⊕ b = a = a∗ = (n ⊕ b)∗

So, L ⊨ Q5 . However, a ⊕ 0 ̸= 0 ⊕ a, so L ⊭ ∀ x ∀y ( x + y) = (y + x ).

We’ve explicitly constructed models of Q in which the non-standard ele-

ments live “beyond” the standard elements. In fact, that much is required by
the axioms. A non-standard element x cannot be 4 0, since Q ⊢ ∀ x ¬ x < 0
(see Lemma 35.23). Also, for every n, Q ⊢ ∀ x ( x < n′ → ( x = 0 ∨ x =
1 ∨ · · · ∨ x = n)) (Lemma 35.24), so we can’t have a 4 n for any n > 0.

26.5 Models of PA
Any non-standard model of TA is also one of PA. We know that non-standard
models of TA and hence of PA exist. We also know that such non-standard

396 Release : d3a1905 (2022-12-19)

26.5. MODELS OF PA

models contain non-standard “numbers,” i.e., elements of the domain that

are “beyond” all the standard “numbers.” But how are they arranged? How
many are there? We’ve seen that models of the weaker theory Q can contain
as few as a single non-standard number. But these simple structures are not
models of PA or TA.
The key to understanding the structure of models of PA or TA is to see
what facts are derivable in these theories. For instance, already PA proves
that ∀ x x ̸= x ′ and ∀ x ∀y ( x + y) = (y + x ), so this rules out simple structures
(in which these sentences are false) as models of PA.
Suppose M is a model of PA. Then if PA ⊢ φ, M ⊨ φ. Let’s again use z for
0M , ∗ for ′M , ⊕ for +M , ⊗ for ×M , and 4 for <M . Any sentence φ then states
some condition about z, ∗, ⊕, ⊗, and 4, and if M ⊨ φ that condition must be
satisfied. For instance, if M ⊨ Q1 , i.e., M ⊨ ∀ x ∀y ( x ′ = y′ → x = y), then ∗
must be injective.

Proposition 26.10. In M, 4 is a linear strict order, i.e., it satisfies:

1. Not x 4 x for any x ∈ |M|.

2. If x 4 y and y 4 z then x 4 z.

3. For any x ̸= y, x 4 y or y 4 x

Proof. PA proves:

1. ∀ x ¬ x < x

2. ∀ x ∀y ∀z (( x < y ∧ y < z) → x < z)

3. ∀ x ∀y (( x < y ∨ y < x ) ∨ x = y))

Proposition 26.11. z is the least element of |M| in the 4-ordering. For any x, x 4
x ∗ , and x ∗ is the 4-least element with that property. For any x, there is a unique y
such that y∗ = x. (We call y the “predecessor” of x in M, and denote it by ∗ x.)

Proof. Exercise.

Proposition 26.12. All standard elements of M are less than (according to 4) all
non-standard elements.

Proof. We’ll use n as short for ValM (n), a standard element of M. Already Q
proves that, for any n ∈ N, ∀ x ( x < n′ → ( x = 0 ∨ x = 1 ∨ · · · ∨ x = n)).
There are no elements that are 4z. So if n is standard and x is non-standard,
we cannot have x 4 n. By definition, a non-standard element is one that isn’t
ValM (n) for any n ∈ N, so x ̸= n as well. Since 4 is a linear order, we must
have n 4 x.

Release : d3a1905 (2022-12-19) 397

 CHAPTER 26. MODELS OF ARITHMETIC

Proposition 26.13. Every nonstandard element x of |M| is an element of the subset

. . .∗∗∗ x 4∗∗ x 4∗ x 4 x 4 x ∗ 4 x ∗∗ 4 x ∗∗∗ 4 . . .

We call this subset the block of x and write it as [ x ]. It has no least and no greatest
element. It can be characterized as the set of those y ∈ |M| such that, for some
standard n, x ⊕ n = y or y ⊕ n = x.

Proof. Clearly, such a set [ x ] always exists since every element y of |M| has
a unique successor y∗ and unique predecessor ∗ y. For successive elements y,
y∗ we have y 4 y∗ and y∗ is the 4-least element of |M| such that y is 4-less
than it. Since always ∗ y 4 y and y 4 y∗ , [ x ] has no least or greatest element. If
y ∈ [ x ] then x ∈ [y], for then either y∗...∗ = x or x ∗...∗ = y. If y∗...∗ = x (with n
∗’s), then y ⊕ n = x and conversely, since PA ⊢ ∀ x x ′...′ = ( x + n) (if n is the
number of ′’s).

Proposition 26.14. If [ x ] ̸= [y] and x 4 y, then for any u ∈ [ x ] and any v ∈ [y],
u 4 v.

Proof. Note that PA ⊢ ∀ x ∀y ( x < y → ( x ′ < y ∨ x ′ = y)). Thus, if u 4 v, we

also have u ⊕ n∗ 4 v for any n if [u] ̸= [v].
Any u ∈ [ x ] is 4y: x 4 y by assumption. If u 4 x, u 4 y by transitivity. And
if x 4 u but u ∈ [ x ], we have u = x ⊕ n∗ for some n, and so u 4 y by the fact
just proved.
Now suppose that v ∈ [y] is 4y, i.e., v ⊕ m∗ = y for some standard m.
This rules out v 4 x, otherwise y = v ⊕ m∗ 4 x. Clearly also, x ̸= v, otherwise
x ⊕ m∗ = v ⊕ m∗ = y and we would have [ x ] = [y]. So, x 4 v. But then also
x ⊕ n∗ 4 v for any n. Hence, if x 4 u and u ∈ [ x ], we have u 4 v. If u 4 x then
u 4 v by transitivity.
Lastly, if y 4 v, u 4 v since, as we’ve shown, u 4 y and y 4 v.

Corollary 26.15. If [ x ] ̸= [y], [ x ] ∩ [y] = ∅.

Proof. Suppose z ∈ [ x ] and x 4 y. Then z 4 u for all u ∈ [y]. If z ∈ [y], we

would have z 4 z. Similarly if y 4 x.

This means that the blocks themselves can be ordered in a way that re-
spects 4: [ x ] 4 [y] iff x 4 y, or, equivalently, if u 4 v for any u ∈ [ x ] and v ∈ [y].
Clearly, the standard block [0] is the least block. It intersects with no non-
standard block, and no two non-standard blocks intersect either. Specifically,
you cannot “reach” a different block by taking repeated successors or prede-
cessors.

Proposition 26.16. If x and y are non-standard, then x 4 x ⊕ y and x ⊕ y ∈

/ [ x ].

398 Release : d3a1905 (2022-12-19)

26.5. MODELS OF PA

Proof. If y is nonstandard, then y ̸= z. PA ⊢ ∀ x (y ̸= 0 → x < ( x + y)). Now

suppose x ⊕ y ∈ [ x ]. Since x 4 x ⊕ y, we would have x ⊕ n∗ = x ⊕ y. But
PA ⊢ ∀ x ∀y ∀z (( x + y) = ( x + z) → y = z) (the cancellation law for addition).
This would mean y = n∗ for some standard n; but y is assumed to be non-
standard.

Proposition 26.17. There is no least non-standard block.

Proof. PA ⊢ ∀ x ∃y ((y + y) = x ∨ (y + y)′ = x ), i.e., that every x is divisible

by 2 (possibly with remainder 1). If x is non-standard, so is y. By the preceding
proposition, y 4 y ⊕ y and y ⊕ y ∈/ [y]. Then also y 4 (y ⊕ y)∗ and (y ⊕ y)∗ ∈ /
∗
[y]. But x = y ⊕ y or x = (y ⊕ y) , so y 4 x and y ∈
/ [ x ].

Proposition 26.18. There is no largest block.

Proof. Exercise.

Proposition 26.19. The ordering of the blocks is dense. That is, if x 4 y and [ x ] ̸=
[y], then there is a block [z] distinct from both that is between them.

Proof. Suppose x 4 y. As before, x ⊕ y is divisible by two (possibly with re-

mainder): there is a z ∈ |M| such that either x ⊕ y = z ⊕ z or x ⊕ y = (z ⊕ z)∗ .
The element z is the “average” of x and y, and x 4 z and z 4 y.

The non-standard blocks are therefore ordered like the rationals: they form
a denumerable dense linear ordering without endpoints. One can show that
any two such denumerable orderings are isomorphic. It follows that for any
two enumerable non-standard models M1 and M2 of true arithmetic, their
reducts to the language containing < and = only are isomorphic. Indeed, an
isomorphism h can be defined as follows: the standard parts of M1 and M2
are isomorphic to the standard model N and hence to each other. The blocks
making up the non-standard part are themselves ordered like the rationals
and therefore isomorphic; an isomorphism of the blocks can be extended to
an isomorphism within the blocks by matching up arbitrary elements in each,
and then taking the image of the successor of x in M1 to be the successor of the
image of x in M2 . Note that it does not follow that M1 and M2 are isomorphic
in the full language of arithmetic (indeed, isomorphism is always relative to
a language), as there are non-isomorphic ways to define addition and multi-
plication over |M1 | and |M2 |. (This also follows from a famous theorem due
to Vaught that the number of countable models of a complete theory cannot
be 2.)

Release : d3a1905 (2022-12-19) 399

 CHAPTER 26. MODELS OF ARITHMETIC

26.6 Computable Models of Arithmetic

The standard model N has two nice features. Its domain is the natural num-
bers N, i.e., its elements are just the kinds of things we want to talk about
using the language of arithmetic, and the standard numeral n actually picks
out n. The other nice feature is that the interpretations of the non-logical sym-
bols of L A are all computable. The successor, addition, and multiplication func-
tions which serve as ′N , +N , and ×N are computable functions of numbers.
(Computable by Turing machines, or definable by primitive recursion, say.)
And the less-than relation on N, i.e., <N , is decidable.
Non-standard models of arithmetical theories such as Q and PA must con-
tain non-standard elements. Thus their domains typically include elements in
addition to N. However, any countable structure can be built on any denu-
merable set, including N. So there are also non-standard models with do-
main N. In such models M, of course, at least some numbers cannot play
the roles they usually play, since some k must be different from ValM (n) for
all n ∈ N.

Definition 26.20. A structure M for L A is computable iff |M| = N and ′M ,

+M , ×M are computable functions and <M is a decidable relation.

Example 26.21. Recall the structure K from Example 26.8. Its domain was
|K| = N ∪ { a} and interpretations

0K = 0
(
x+1 if x ∈ N
′K ( x ) =
a if x = a
(
x+y if x, y ∈ N
+K ( x, y) =
a otherwise
if x, y ∈ N

 xy

K
× ( x, y) = 0 if x = 0 or y = 0

a otherwise


< = {⟨ x, y⟩ : x, y ∈ N and x < y} ∪ {⟨ x, a⟩ : n ∈ |K|}

K

But |K| is denumerable and so is equinumerous with N. For instance, g : N →

|K| with g(0) = a and g(n) = n + 1 for n > 0 is a bijection. We can turn it
into an isomorphism between a new model K′ of Q and K. In K′ , we have to
assign different functions and relations to the symbols of L A , since different
elements of N play the roles of standard and non-standard numbers.
Specifically, 0 now plays the role of a, not of the smallest standard number.
′
The smallest standard number is now 1. So we assign 0K = 1. The successor
function is also different now: given a standard number, i.e., an n > 0, it still

400 Release : d3a1905 (2022-12-19)

26.6. COMPUTABLE MODELS OF ARITHMETIC

returns n + 1. But 0 now plays the role of a, which is its own successor. So
′
′K (0) = 0. For addition and multiplication we likewise have
(
K′ x+y−1 if x, y > 0
+ ( x, y) =
0 otherwise

1
 if x = 1 or y = 1
K′
× ( x, y) = xy − x − y + 2 if x, y > 1

0 otherwise


′
And we have ⟨ x, y⟩ ∈ <K iff x < y and x > 0 and y > 0, or if y = 0.
All of these functions are computable functions of natural numbers and
′
<K is a decidable relation on N—but they are not the same functions as suc-
′
cessor, addition, and multiplication on N, and <K is not the same relation
as < on N.

Example 26.21 shows that Q has computable non-standard models with

domain N. However, the following result shows that this is not true for mod-
els of PA (and thus also for models of TA).

Theorem 26.22 (Tennenbaum’s Theorem). N is the only computable model of PA.

Problems
Problem 26.1. Show that the converse of Proposition 26.2 is false, i.e., give
an example of a structure M with |M| = {ValM (n) : n ∈ N} that is not
isomorphic to N.

Problem 26.2. Recall that Q contains the axioms

∀ x ∀y ( x ′ = y′ → x = y) (Q1 )
∀ x 0 ̸= x′ (Q2 )
∀ x ( x = 0 ∨ ∃y x = y′ ) (Q3 )

Give structures M1 , M2 , M3 such that

1. M1 ⊨ Q1 , M1 ⊨ Q2 , M1 ⊭ Q3 ;

2. M2 ⊨ Q1 , M2 ⊭ Q2 , M2 ⊨ Q3 ; and

3. M3 ⊭ Q1 , M3 ⊨ Q2 , M3 ⊨ Q3 ;

Obviously, you just have to specify 0Mi and ′Mi for each.

Release : d3a1905 (2022-12-19) 401

 CHAPTER 26. MODELS OF ARITHMETIC

Problem 26.3. Prove that K from Example 26.8 satisifies the remaining axioms
of Q,

∀ x ( x × 0) = 0 (Q6 )
∀ x ∀y ( x × y′ ) = (( x × y) + x ) (Q7 )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y) (Q8 )

Find a sentence only involving ′ true in N but false in K.

Problem 26.4. Expand L of Example 26.9 to include ⊗ and 4 that interpret ×

and <. Show that your structure satisifies the remaining axioms of Q,

∀ x ( x × 0) = 0 (Q6 )
∀ x ∀y ( x × y′ ) = (( x × y) + x ) (Q7 )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y) (Q8 )

Problem 26.5. In L of Example 26.9, a∗ = a and b∗ = b. Is there a model of Q

in which a∗ = b and b∗ = a?

Problem 26.6. Find sentences in L A derivable in PA (and hence true in N)

which guarantee the properties of z, ∗, and 4 in Proposition 26.11

Problem 26.7. Show that in a non-standard model of PA, there is no largest

block.

Problem 26.8. Write out a detailed proof of Proposition 26.19. Which sentence
must PA derive in order to guarantee the existence of z? Why is x 4 z and z 4 y,
and why is [ x ] ̸= [z] and [z] ̸= [y]?

Problem 26.9. Give a structure L′ with |L′ | = N isomorphic to L of Exam-

ple 26.9.

402 Release : d3a1905 (2022-12-19)

Chapter 27

The Interpolation Theorem

27.1 Introduction
The interpolation theorem is the following result: Suppose ⊨ φ → ψ. Then
there is a sentence χ such that ⊨ φ → χ and ⊨ χ → ψ. Moreover, every constant
symbol, function symbol, and predicate symbol (other than =) in χ occurs
both in φ and ψ. The sentence χ is called an interpolant of φ and ψ.
The interpolation theorem is interesting in its own right, but its main im-
portance lies in the fact that it can be used to prove results about definability in
a theory, and the conditions under which combining two consistent theories
results in a consistent theory. The first result is known as the Beth definability
theorem; the second, Robinson’s joint consistency theorem.

27.2 Separation of Sentences

A bit of groundwork is needed before we can proceed with the proof of the
interpolation theorem. An interpolant for φ and ψ is a sentence χ such that
φ ⊨ χ and χ ⊨ ψ. By contraposition, the latter is true iff ¬ψ ⊨ ¬χ. A sentence χ
with this property is said to separate φ and ¬ψ. So finding an interpolant for φ
and ψ amounts to finding a sentence that separates φ and ¬ψ. As so often, it
will be useful to consider a generalization: a sentence that separates two sets
of sentences.

Definition 27.1. A sentence χ separates sets of sentences Γ and ∆ if and only if

Γ ⊨ χ and ∆ ⊨ ¬χ. If no such sentence exists, then Γ and ∆ are inseparable.

The inclusion relations between the classes of models of Γ, ∆ and χ are

represented below:

Lemma 27.2. Suppose L0 is the language containing every constant symbol, func-
.
tion symbol and predicate symbol (other than =) that occurs in both Γ and ∆, and let

403
 CHAPTER 27. THE INTERPOLATION THEOREM

Γ ∆

¬χ

Figure 27.1: χ separates Γ and ∆

L0′ be obtained by the addition of infinitely many new constant symbols cn for n ≥ 0.
Then if Γ and ∆ are inseparable in L0 , they are also inseparable in L0′ .

Proof. We proceed indirectly: suppose by way of contradiction that Γ and ∆

are separated in L0′ . Then Γ ⊨ χ[c/x ] and ∆ ⊨ ¬χ[c/x ] for some χ ∈ L0
(where c is a new constant symbol—the case where χ contains more than one
such new constant symbol is similar). By compactness, there are finite subsets
Γ0 of Γ and ∆ 0 of ∆ such that Γ0 ⊨ χ[c/x ] and ∆ 0 ⊨ ¬χ[c/x ]. Let γ be the
conjunction of all formulas in Γ0 and δ the conjunction of all formulas in ∆ 0 .
Then

γ ⊨ χ[c/x ], δ ⊨ ¬χ[c/x ].

From the former, by Generalization, we have γ ⊨ ∀ x χ, and from the latter

by contraposition, χ[c/x ] ⊨ ¬δ, whence also ∀ x χ ⊨ ¬δ. Contraposition again
gives δ ⊨ ¬∀ x χ. By monotonicity,

Γ ⊨ ∀ x χ, ∆ ⊨ ¬∀ x χ,

so that ∀ x χ separates Γ and ∆ in L0 .

Lemma 27.3. Suppose that Γ ∪ {∃ x σ } and ∆ are inseparable, and c is a new con-
stant symbol not in Γ, ∆, or σ. Then Γ ∪ {∃ x σ, σ [c/x ]} and ∆ are also inseparable.

Proof. Suppose for contradiction that χ separates Γ ∪ {∃ x σ, σ [c/x ]} and ∆,

while at the same time Γ ∪ {∃ xσ } and ∆ are inseparable. We distinguish two
cases:

1. c does not occur in χ: in this case Γ ∪ {∃ x σ, ¬χ} is satisfiable (otherwise

χ separates Γ ∪ {∃ x σ } and ∆). It remains so if σ [c/x ] is added, so χ does
not separate Γ ∪ {∃ x σ, σ[c/x ]} and ∆ after all.

2. c does occur in χ so that χ has the form χ[c/x ]. Then we have that

Γ ∪ {∃ x σ, σ [c/x ]} ⊨ χ[c/x ],

404 Release : d3a1905 (2022-12-19)

27.3. CRAIG’S INTERPOLATION THEOREM

whence Γ, ∃ x σ ⊨ ∀ x (σ → χ) by the Deduction Theorem and General-

ization, and finally Γ ∪ {∃ x σ } ⊨ ∃ x χ. On the other hand, ∆ ⊨ ¬χ[c/x ]
and hence by Generalization ∆ ⊨ ¬∃ x χ. So Γ ∪ {∃ x σ} and ∆ are sepa-
rable, a contradiction.

27.3 Craig’s Interpolation Theorem

Theorem 27.4 (Craig’s Interpolation Theorem). If ⊨ φ → ψ, then there is a sen-
tence χ such that ⊨ φ → χ and ⊨ χ → ψ, and every constant symbol, function symbol,
and predicate symbol (other than =) in χ occurs both in φ and ψ. The sentence χ is
called an interpolant of φ and ψ.

Proof. Suppose L1 is the language of φ and L2 is the language of ψ. Let L0 =

L1 ∩ L2 . For each i ∈ {0, 1, 2}, let Li′ be obtained from Li by adding the
infinitely many new constant symbols c0 , c1 , c2 , . . . .
If φ is unsatisfiable, ∃ x x ̸= x is an interpolant. If ¬ψ is unsatisfiable (and
hence ψ is valid), ∃ x x = x is an interpolant. So we may assume also that both
φ and ¬ψ are satisfiable.
In order to prove the contrapositive of the Interpolation Theorem, assume
that there is no interpolant for φ and ψ. In other words, assume that { φ} and
{¬ψ} are inseparable in L0 .
Our goal is to extend the pair ({ φ}, {¬ψ}) to a maximally inseparable pair
( Γ ∗ , ∆∗ ). Let φ0 , φ1 , φ2 , . . . enumerate the sentences of L1 , and ψ0 , ψ1 , ψ2 ,
. . . enumerate the sentences of L2 . We define two increasing sequences of sets
of sentences ( Γn , ∆ n ), for n ≥ 0, as follows. Put Γ0 = { φ} and ∆ 0 = {¬ψ}.
Assuming ( Γn , ∆ n ) are already defined, define Γn+1 and ∆ n+1 by:

1. If Γn ∪ { φn } and ∆ n are inseparable in L0′ , put φn in Γn+1 . Moreover, if

φn is an existential formula ∃ x σ then pick a new constant symbol c not
occurring in Γn , ∆ n , φn or ψn , and put σ [c/x ] in Γn+1 .

2. If Γn+1 and ∆ n ∪ {ψn } are inseparable in L0′ , put ψn in ∆ n+1 . Moreover,

if ψn is an existential formula ∃ x σ, then pick a new constant symbol c
not occurring in Γn+1 , ∆ n , φn or ψn , and put σ [c/x ] in ∆ n+1 .

Finally, define:

Γ∗ = ∆∗ =
[ [
Γn , ∆n.
n ≥0 n ≥0

By simultaneous induction on n we can now prove:

1. Γn and ∆ n are inseparable in L0′ ;

2. Γn+1 and ∆ n are inseparable in L0′ .

Release : d3a1905 (2022-12-19) 405

 CHAPTER 27. THE INTERPOLATION THEOREM

The basis for (1) is given by Lemma 27.2. For part (2), we need to distinguish
three cases:

1. If Γ0 ∪ { φ0 } and ∆ 0 are separable, then Γ1 = Γ0 and (2) is just (1);

2. If Γ1 = Γ0 ∪ { φ0 }, then Γ1 and ∆ 0 are inseparable by construction.

3. It remains to consider the case where φ0 is existential, so that Γ1 = Γ0 ∪

{∃ x σ, σ[c/x ]}. By construction, Γ0 ∪ {∃ x σ} and ∆ 0 are inseparable, so
that by Lemma 27.3 also Γ0 ∪ {∃ x σ, σ [c/x ]} and ∆ 0 are inseparable.

This completes the basis of the induction for (1) and (2) above. Now for the in-
ductive step. For (1), if ∆ n+1 = ∆ n ∪ {ψn } then Γn+1 and ∆ n+1 are inseparable
by construction (even when ψn is existential, by Lemma 27.3); if ∆ n+1 = ∆ n
(because Γn+1 and ∆ n ∪ {ψn } are separable), then we use the induction hy-
pothesis on (2). For the inductive step for (2), if Γn+2 = Γn+1 ∪ { φn+1 } then
Γn+2 and ∆ n+1 are inseparable by construction (even when φn+1 is existential,
by Lemma 27.3); and if Γn+2 = Γn+1 then we use the inductive case for (1) just
proved. This concludes the induction on (1) and (2).
It follows that Γ ∗ and ∆∗ are inseparable; if not, by compactness, there
is n ≥ 0 that separates Γn and ∆ n , against (1). In particular, Γ ∗ and ∆∗ are
consistent: for if the former or the latter is inconsistent, then they are separated
by ∃ x x ̸= x or ∀ x x = x, respectively.
We now show that Γ ∗ is maximally consistent in L1′ and likewise ∆∗ in
′
L2 . For the former, suppose that φn ∈ / Γ ∗ and ¬ φn ∈/ Γ ∗ , for some n ≥ 0. If
φn ∈/ Γ then Γn ∪ { φn } is separable from ∆ n , and so there is χ ∈ L0′ such that
∗

both:

Γ ∗ ⊨ φn → χ, ∆∗ ⊨ ¬χ.

/ Γ ∗ , there is χ′ ∈ L0′ such that both:

Likewise, if ¬ φn ∈

Γ ∗ ⊨ ¬ φn → χ′ , ∆∗ ⊨ ¬χ′ .

By propositional logic, Γ ∗ ⊨ χ ∨ χ′ and ∆∗ ⊨ ¬(χ ∨ χ′ ), so χ ∨ χ′ separates

Γ ∗ and ∆∗ . A similar argument establishes that ∆∗ is maximal.
Finally, we show that Γ ∗ ∩ ∆∗ is maximally consistent in L0′ . It is obviously
consistent, since it is the intersection of consistent sets. To show maximality,
let σ ∈ L0′ . Now, Γ ∗ is maximal in L1′ ⊇ L0′ , and similarly ∆∗ is maximal in
L2′ ⊇ L0′ . It follows that either σ ∈ Γ ∗ or ¬σ ∈ Γ ∗ , and either σ ∈ ∆∗ or
¬σ ∈ ∆∗ . If σ ∈ Γ ∗ and ¬σ ∈ ∆∗ then σ would separate Γ ∗ and ∆∗ ; and if
¬σ ∈ Γ ∗ and σ ∈ ∆∗ then Γ ∗ and ∆∗ would be separated by ¬σ. Hence, either
σ ∈ Γ ∗ ∩ ∆∗ or ¬σ ∈ Γ ∗ ∩ ∆∗ , and Γ ∗ ∩ ∆∗ is maximal.
Since Γ ∗ is maximally consistent, it has a model M1′ whose domain M1′ 
 
′
comprises all and only the elements cM1 interpreting the constant symbols—
just like in the proof of the completeness theorem (Theorem 23.20). Similarly,

406 Release : d3a1905 (2022-12-19)

27.4. THE DEFINABILITY THEOREM

′
∆∗ has a model M2′ whose domain |M2′ | is given by the interpretations cM2 of
the constant symbols.
Let M1 be obtained from M1′ by dropping interpretations for constant sym-
bols, function symbols, and predicate symbols in L1′ \ L0′ , and similarly for
′ ′
M2 . Then the map h : M1 → M2 defined by h(cM1 ) = cM2 is an isomor-
phism in L0′ , because Γ ∗ ∩ ∆∗ is maximally consistent in L0′ , as shown. This
follows because any L0′ -sentence either belongs to both Γ ∗ and ∆∗ , or to nei-
′ ′
ther: so cM1 ∈ PM1 if and only if P(c) ∈ Γ ∗ if and only if P(c) ∈ ∆∗ if and
′ ′
only if cM2 ∈ PM2 . The other conditions satisfied by isomorphisms can be
established similarly.
Let us now define a model M for the language L1 ∪ L2 as follows:
′
1. The domain |M| is just |M2 |, i.e., the set of all elements cM2 ;
′
2. If a predicate symbol P is in L2 \ L1 then PM = PM2 ;
′ M′ M′
3. If a predicate P is in L1 \ L2 then PM = h( PM2 ), i.e., ⟨c1 2 , . . . , cn 2 ⟩ ∈
M′ M′ ′
PM if and only if ⟨c1 1 , . . . , cn 1 ⟩ ∈ PM1 .
′ ′
4. If a predicate symbol P is in L0 then PM = PM2 = h( PM1 ).
5. Function symbols of L1 ∪ L2 , including constant symbols, are handled
similarly.
Finally, one shows by induction on formulas that M agrees with M1′ on all
formulas of L1′ and with M2′ on all formulas of L2′ . In particular, M ⊨ Γ ∗ ∪ ∆∗ ,
whence M ⊨ φ and M ⊨ ¬ψ, and ̸⊨ φ → ψ. This concludes the proof of Craig’s
Interpolation Theorem.

27.4 The Definability Theorem

One important application of the interpolation theorem is Beth’s definability
theorem. To define an n-place relation R we can give a formula χ with n free
variables which does not involve R. This would be an explicit definition of R in
terms of χ. We can then say also that a theory Σ( P) in a language containing
the n-place predicate symbol P explicitly defines P if it contains (or at least
entails) a formalized explicit definition, i.e.,
Σ( P) ⊨ ∀ x1 . . . ∀ xn ( P( x1 , . . . , xn ) ↔ χ( x1 , . . . , xn )).
But an explicit definition is only one way of defining—in the sense of deter-
mining completely—a relation. A theory may also be such that the interpreta-
tion of P is fixed by the interpretation of the rest of the language in any model.
The definability theorem states that whenever a theory fixes the interpreta-
tion of P in this way—whenever it implicitly defines P—then it also explicitly
defines it.

Release : d3a1905 (2022-12-19) 407

 CHAPTER 27. THE INTERPOLATION THEOREM

Definition 27.5. Suppose L is a language not containing the predicate sym-

bol P. A set Σ( P) of sentences of L ∪ { P} explicitly defines P if and only if there
is a formula χ( x1 , . . . , xn ) of L such that

Σ( P) ⊨ ∀ x1 . . . ∀ xn ( P( x1 , . . . , xn ) ↔ χ( x1 , . . . , xn )).

Definition 27.6. Suppose L is a language not containing the predicate sym-

bols P and P′ . A set Σ( P) of sentences of L ∪ { P} implicitly defines P if and
only if

Σ( P) ∪ Σ( P′ ) ⊨ ∀ x1 . . . ∀ xn ( P( x1 , . . . , xn ) ↔ P′ ( x1 , . . . , xn )),

where Σ( P′ ) is the result of uniformly replacing P with P′ in Σ( P).

In other words, for any model M and R, R′ ⊆ |M|n , if both (M, R) ⊨ Σ( P)

and (M, R′ ) ⊨ Σ( P′ ), then R = R′ ; where (M, R) is the structure M′ for the
′
expansion of L to L ∪ { P} such that PM = R, and similarly for (M, R′ ).

Theorem 27.7 (Beth Definability Theorem). A set Σ( P) of L ∪ { P}-formulas

implicitly defines P if and only Σ( P) explicitly defines P.

Proof. If Σ( P) explicitly defines P then both

Σ( P) ⊨ ∀ x1 . . . ∀ xn ( P( x1 , . . . , xn ) ↔ χ( x1 , . . . , xn ))
′
Σ( P ) ⊨ ∀ x1 . . . ∀ xn ( P′ ( x1 , . . . , xn ) ↔ χ( x1 , . . . , xn ))

and the conclusion follows. For the converse: assume that Σ( P) implicitly
defines P. First, we add constant symbols c1 , . . . , cn to L. Then

Σ ( P ) ∪ Σ ( P ′ ) ⊨ P ( c1 , . . . , c n ) → P ′ ( c1 , . . . , c n ).

By compactness, there are finite sets ∆ 0 ⊆ Σ( P) and ∆ 1 ⊆ Σ( P′ ) such that

∆ 0 ∪ ∆ 1 ⊨ P ( c1 , . . . , c n ) → P ′ ( c1 , . . . , c n ).

Let θ ( P) be the conjunction of all sentences φ( P) such that either φ( P) ∈ ∆ 0

or φ( P′ ) ∈ ∆ 1 and let θ ( P′ ) be the conjunction of all sentences φ( P′ ) such
that either φ( P) ∈ ∆ 0 or φ( P′ ) ∈ ∆ 1 . Then θ ( P) ∧ θ ( P′ ) ⊨ P(c1 , . . . , cn ) →
P′ c1 . . . cn . We can re-arrange this so that each predicate symbol occurs on one
side of ⊨:
θ ( P ) ∧ P ( c1 , . . . , c n ) ⊨ θ ( P ′ ) → P ′ ( c1 , . . . , c n ).
By Craig’s Interpolation Theorem there is a sentence χ(c1 , . . . , cn ) not contain-
ing P or P′ such that:

θ ( P ) ∧ P ( c1 , . . . , c n ) ⊨ χ ( c1 , . . . , c n ); χ ( c1 , . . . , c n ) ⊨ θ ( P ′ ) → P ′ ( c1 , . . . , c n ).

408 Release : d3a1905 (2022-12-19)

27.4. THE DEFINABILITY THEOREM

From the former of these two entailments we have: θ ( P) ⊨ P(c1 , . . . , cn ) →

χ(c1 , . . . , cn ). And from the latter, since an L ∪ { P}-model (M, R) ⊨ φ( P)
if and only if the corresponding L ∪ { P′ }-model (M, R) |= φ( P′ ), we have
χ(c1 , . . . , cn ) ⊨ θ ( P) → P(c1 , . . . , cn ), from which:

θ ( P ) ⊨ χ ( c1 , . . . , c n ) → P ( c1 , . . . , c n ).

Putting the two together, θ ( P) ⊨ P(c1 , . . . , cn ) ↔ χ(c1 , . . . , cn ), and by mono-

tonicity and generalization also

Σ( P) ⊨ ∀ x1 . . . ∀ xn ( P( x1 , . . . , xn ) ↔ χ( x1 , . . . , xn )).

Release : d3a1905 (2022-12-19) 409

Chapter 28

Lindström’s Theorem

28.1 Introduction
In this chapter we aim to prove Lindström’s characterization of first-order
logic as the maximal logic for which (given certain further constraints) the
Compactness and the Downward Löwenheim-Skolem theorems hold (Theo-
rem 23.23 and Theorem 23.32). First, we need a more general characterization
of the general class of logics to which the theorem applies. We will restrict
ourselves to relational languages, i.e., languages which only contain predicate
symbols and individual constants, but no function symbols.

28.2 Abstract Logics

Definition 28.1. An abstract logic is a pair ⟨ L, |= L ⟩, where L is a function that
assigns to each language L a set L(L) of sentences, and |= L is a relation
between structures for the language L and elements of L(L). In particular,
⟨ F, |=⟩ is ordinary first-order logic, i.e., F is the function assigning to the lan-
guage L the set of first-order sentences built from the constants in L, and |= is
the satisfaction relation of first-order logic.

Notice that we are still employing the same notion of structure for a given
language as for first-order logic, but we do not presuppose that sentences are
build up from the basic symbols in L in the usual way, nor that the relation
|= L is recursively defined in the same way as for first-order logic. So for in-
stance the definition, being completely general, is intended to capture the case
where sentences in ⟨ L, |= L ⟩ contain infinitely long conjunctions or disjunction,
or quantifiers other than ∃ and ∀ (e.g., “there are infinitely many x such that
. . . ”), or perhaps infinitely long quantifier prefixes. To emphasize that “sen-
tences” in L(L) need not be ordinary sentences of first-order logic, in this
chapter we use variables α, β, . . . to range over them, and reserve φ, ψ, . . . for
ordinary first-order formulas.

410
28.2. ABSTRACT LOGICS

Definition 28.2. Let Mod L (α) denote the class {M : M |= L α}. If the language
needs to be made explicit, we write ModL L ( α ). Two structures M and N for L
are elementarily equivalent in ⟨ L, |= L ⟩, written M ≡ L N, if the same sentences
from L(L) are true in each.

Definition 28.3. An abstract logic ⟨ L, |= L ⟩ for the language L is normal if it

satisfies the following properties:

1. (L-Monotonicity) For languages L and L′ , if L ⊆ L′ , then L(L) ⊆ L(L′ ).

2. (Expansion Property) For each α ∈ L(L) there is a finite subset L′ of L

such that the relation M |= L α depends only on the reduct of M to L′ ;
i.e., if M and N have the same reduct to L′ then M |= L α if and only if
N |= L α.

3. (Isomorphism Property) If M |= L α and M ≃ N then also N |= L α.

4. (Renaming Property) The relation |= L is preserved under renaming: if the

language L′ is obtained from L by replacing each symbol P by a symbol
P′ of the same arity and each constant c by a distinct constant c′ , then
for each structure M and sentence α, M |= L α if and only if M′ |= L α′ ,
where M′ is the L′ -structure corresponding to L and α′ ∈ L(L′ ).

5. (Boolean Property) The abstract logic ⟨ L, |= L ⟩ is closed under the Boolean

connectives in the sense that for each α ∈ L(L) there is a β ∈ L(L)
such that M |= L β if and only if M ̸|= L α, and for each α and β there
is a γ such that Mod L (γ) = Mod L (α) ∩ Mod L ( β). Similarly for atomic
formulas and the other connectives.

6. (Quantifier Property) For each constant c in L and α ∈ L(L) there is a

β ∈ L(L) such that
′
ModL L
L ( β ) = {M : (M, a )} ∈ Mod L ( α ) for some a ∈ |M|},

where L′ = L \ {c} and (M, a) is the expansion of M to L assigning a

to c.

7. (Relativization Property) Given a sentence α ∈ L(L) and symbols R, c1 ,

. . . , cn not in L, there is a sentence β ∈ L(L ∪ { R, c1 , . . . , cn }) called the
relativization of α to R( x, c1 , . . . cn ), such that for each structure M:

(M, X, b1 , . . . , bn ) |= L β) if and only if N |= L α,

where N is the substructure of M with domain |N| = { a ∈ |M| :

RM ( a, b1 , . . . , bn )} (see Remark 1), and (M, X, b1 , . . . , bn ) is the expan-
sion of M interpreting R, c1 , . . . , cn by X, b1 , . . . , bn , respectively (with
X ⊆ Mn+1 ).

Release : d3a1905 (2022-12-19) 411

 CHAPTER 28. LINDSTRÖM’S THEOREM

Definition 28.4. Given two abstract logics ⟨ L1 , |= L1 ⟩ and ⟨ L2 , |= L2 ⟩ we say that

the latter is at least as expressive as the former, written ⟨ L1 , |= L1 ⟩ ≤ ⟨ L2 , |= L2
⟩, if for each language L and sentence α ∈ L1 (L) there is a sentence β ∈
L2 (L) such that ModL L
L1 ( α ) = Mod L2 ( β ). The logics ⟨ L1 , |= L1 ⟩ and ⟨ L2 , |= L2 ⟩
are equivalent if ⟨ L1 , |= L1 ⟩ ≤ ⟨ L2 , |= L2 ⟩ and ⟨ L2 , |= L2 ⟩ ≤ ⟨ L1 , |= L1 ⟩.

Remark 5. First-order logic, i.e., the abstract logic ⟨ F, |=⟩, is normal. In fact,
the above properties are mostly straightforward for first-order logic. We just
remark that the expansion property comes down to extensionality, and that
the relativization of a sentence α to R( x, c1 , . . . , cn ) is obtained by replacing
each subformula ∀ x β by ∀ x ( R( x, c1 , . . . , cn ) → β). Moreover, if ⟨ L, |= L ⟩ is
normal, then ⟨ F, |=⟩ ≤ ⟨ L, |= L ⟩, as can be can shown by induction on first-
order formulas. Accordingly, with no loss in generality, we can assume that
every first-order sentence belongs to every normal logic.

28.3 Compactness and Löwenheim-Skolem Properties

We now give the obvious extensions of compactness and Löwenheim-Skolem
to the case of abstract logics.

Definition 28.5. An abstract logic ⟨ L, |= L ⟩ has the Compactness Property if each

set Γ of L(L)-sentences is satisfiable whenever each finite Γ0 ⊆ Γ is satisfiable.

Definition 28.6. ⟨ L, |= L ⟩ has the Downward Löwenheim-Skolem property if any

satisfiable Γ has an enumerable model.

The notion of partial isomorphism from Definition 25.15 is purely “alge-

braic” (i.e., given without reference to the sentences of the language but only
to the constants provided by the language L of the structures), and hence it
applies to the case of abstract logics. In case of first-order logic, we know
from Theorem 25.17 that if two structures are partially isomorphic then they
are elementarily equivalent. That proof does not carry over to abstract logics,
for induction on formulas need not be available for arbitrary α ∈ L(L), but
the theorem is true nonetheless, provided the Löwenheim-Skolem property
holds.

Theorem 28.7. Suppose ⟨ L, |= L ⟩ is a normal logic with the Löwenheim-Skolem prop-

erty. Then any two structures that are partially isomorphic are elementarily equiva-
lent in ⟨ L, |= L ⟩.

Proof. Suppose M ≃ p N, but for some α also M |= L α while N ̸|= L α. By the

Isomorphism Property we can assume that |M| and |N| are disjoint, and by
the Expansion Property we can assume that α ∈ L(L) for a finite language L.
Let I be a set of partial isomorphisms between M and N, and with no loss of
generality also assume that if p ∈ I and q ⊆ p then also q ∈ I .

412 Release : d3a1905 (2022-12-19)

28.4. LINDSTRÖM’S THEOREM

|M|<ω is the set of finite sequences of elements of |M|. Let S be the ternary
relation over |M|<ω representing concatenation, i.e., if a, b, c ∈ |M|<ω then
S(a, b, c) holds if and only if c is the concatenation of a and b; and let T be the
ternary relation such that T (a, b, c) holds for b ∈ M and a, c ∈ |M|<ω if and
only if a = a1 , . . . an and c = a1 , . . . an , b. Pick new 3-place predicate symbols
P and Q and form the structure M∗ having the universe |M| ∪ |M|<ω , having
M as a substructure, and interpreting P and Q by the concatenation relations
S and T (so M∗ is in the language L ∪ { P, Q}).
Define |N|<ω , S′ , T ′ , P′ , Q′ and N∗ analogously. Since by hypothesis M ≃ p
N, there is a relation I between |M|<ω and |N|<ω such that I (a, b) holds if
and only if a and b are isomorphic and satisfy the back-and-forth condition of
Definition 25.15. Now, let M be the structure whose domain is the union of the
domains of M∗ and N∗ , having M∗ and N∗ as substructures, in the language
with one extra binary predicate symbol R interpreted by the relation I and
predicate symbols denoting the domains |M|∗ and |N| ∗.

I
M N

M∗ N∗

Figure 28.1: The structure M with the internal partial isomorphism.

The crucial observation is that in the language of the structure M there is
a first-order sentence θ1 true in M saying that M |= L α and N ̸|= L α (this re-
quires the Relativization Property), as well as a first-order sentence θ2 true in
M saying that M ≃ p N via the partial isomorphism I. By the Löwenheim-
Skolem Property, θ1 and θ2 are jointly true in an enumerable model M0 con-
taining partially isomorphic substructures M0 and N0 such that M0 |= L α and
N0 ̸|= L α. But enumerable partially isomorphic structures are in fact isomor-
phic by Theorem 25.16, contradicting the Isomorphism Property of normal
abstract logics.

28.4 Lindström’s Theorem

Lemma 28.8. Suppose α ∈ L(L), with L finite, and assume also that there is an
n ∈ N such that for any two structures M and N, if M ≡n N and M |= L α then
also N |= L α. Then α is equivalent to a first-order sentence, i.e., there is a first-order
θ such that Mod L (α) = Mod L (θ ).

Release : d3a1905 (2022-12-19) 413

 CHAPTER 28. LINDSTRÖM’S THEOREM

Proof. Let n be such that any two n-equivalent structures M and N agree on
the value assigned to α. Recall Proposition 25.19: there are only finitely many
first-order sentences in a finite language that have quantifier rank no greater
than n, up to logical equivalence. Now, for each fixed structure M let θM be
the conjunction of all first-order sentences α true in M with qr(α) ≤ n (this
conjunction is finite), so that N |= θM if and only if N ≡n M. Then put θ =
{θM : M |= L α}; this disjunction is also finite (up to logical equivalence).
W

The conclusion Mod L (α) = Mod L (θ ) follows. In fact, if N |= L θ then for

some M |= L α we have N |= θM , whence also N |= L α (by the hypothesis
of the lemma). Conversely, if N |= L α then θN is a disjunct in θ, and since
N |= θN , also N |= L θ.

Theorem 28.9 (Lindström’s Theorem). Suppose ⟨ L, |= L ⟩ has the Compactness and

the Löwenheim-Skolem Properties. Then ⟨ L, |= L ⟩ ≤ ⟨ F, |=⟩ (so ⟨ L, |= L ⟩ is equivalent
to first-order logic).

Proof. By Lemma 28.8, it suffices to show that for any α ∈ L(L), with L finite,
there is n ∈ N such that for any two structures M and N: if M ≡n N then M
and N agree on α. For then α is equivalent to a first-order sentence, from which
⟨ L, |= L ⟩ ≤ ⟨ F, |=⟩ follows. Since we are working in a finite, purely relational
language, by Theorem 25.23 we can replace the statement that M ≡n N by the
corresponding algebraic statement that In (∅, ∅).
Given α, suppose towards a contradiction that for each n there are struc-
tures Mn and Nn such that In (∅, ∅), but (say) Mn |= L α whereas Nn ̸|= L α. By
the Isomorphism Property we can assume that all the Mn ’s interpret the con-
stants of the language by the same objects; furthermore, since there are only
finitely many atomic sentences in the language, we may also assume that they
satisfy the same atomic sentences (we can take a subsequence of the M’s oth-
erwise). Let M be the union of all the Mn ’s, i.e., the unique minimal structure
having each Mn as a substructure. As in the proof of Theorem 28.7, let M∗
be the extension of M with domain |M| ∪ |M|<ω , in the expanded language
comprising the concatenation predicates P and Q.
Similarly, define Nn , N and N∗ . Now let M be the structure whose domain
comprises the domains of M∗ and N∗ as well as the natural numbers N along
with their natural ordering ≤, in the language with extra predicates represent-
ing the domains |M|, |N|, |M|<ω and |N|<ω as well as predicates coding the
domains of Mn and Nn in the sense that:

|Mn | = { a ∈ |M| : R( a, n)}; |Nn | = { a ∈ |N| : S( a, n)};

|M| <
n
ω
= { a ∈ |M| <ω
: R( a, n)}; |N| <
n
ω
= { a ∈ |N|<ω : S( a, n)}.
The structure M also has a ternary relation J such that J (n, a, b) holds if and
only if In (a, b).
Now there is a sentence θ in the language L augmented by R, S, J, etc.,
saying that ≤ is a discrete linear ordering with first but no last element and

414 Release : d3a1905 (2022-12-19)

28.4. LINDSTRÖM’S THEOREM

such that Mn |= α, Nn ̸|= α, and for each n in the ordering, J (n, a, b) holds if
and only if In (a, b).
Using the Compactness Property, we can find a model M∗ of θ in which
the ordering contains a non-standard element n∗ . In particular then M∗ will
contain substructures Mn∗ and Nn∗ such that Mn∗ |= L α and Nn∗ ̸|= L α. But
now we can define a set I of pairs of k-tuples from |Mn∗ | and |Nn∗ | by putting
⟨a, b⟩ ∈ I if and only if J (n∗ − k, a, b), where k is the length of a and b. Since
n∗ is non-standard, for each standard k we have that n∗ − k > 0, and the set I
witnesses the fact that Mn∗ ≃ p Nn∗ . But by Theorem 28.7, Mn∗ is L-equivalent
to Nn∗ , a contradiction.

Release : d3a1905 (2022-12-19) 415

 Part V

Computability

416
28.4. LINDSTRÖM’S THEOREM

This part is based on Jeremy Avigad’s notes on computability theory.

Only the chapter on recursive functions contains exercises yet, and every-
thing could stand to be expanded with motivation, examples, details, and
exercises.

Release : d3a1905 (2022-12-19) 417

Chapter 29

Recursive Functions

These are Jeremy Avigad’s notes on recursive functions, revised and

expanded by Richard Zach. This chapter does contain some exercises,
and can be included independently to provide the basis for a discussion
of arithmetization of syntax.

29.1 Introduction
In order to develop a mathematical theory of computability, one has to, first
of all, develop a model of computability. We now think of computability as the
kind of thing that computers do, and computers work with symbols. But at
the beginning of the development of theories of computability, the paradig-
matic example of computation was numerical computation. Mathematicians
were always interested in number-theoretic functions, i.e., functions f : Nn →
N that can be computed. So it is not surprising that at the beginning of the
theory of computability, it was such functions that were studied. The most
familiar examples of computable numerical functions, such as addition, mul-
tiplication, exponentiation (of natural numbers) share an interesting feature:
they can be defined recursively. It is thus quite natural to attempt a general
definition of computable function on the basis of recursive definitions. Among
the many possible ways to define number-theoretic functions recursively, one
particularly simple pattern of definition here becomes central: so-called prim-
itive recursion.
In addition to computable functions, we might be interested in computable
sets and relations. A set is computable if we can compute the answer to
whether or not a given number is an element of the set, and a relation is com-
putable iff we can compute whether or not a tuple ⟨n1 , . . . , nk ⟩ is an element
of the relation. By considering the characteristic function of a set or relation,
discussion of computable sets and relations can be subsumed under that of

418
29.2. PRIMITIVE RECURSION

computable functions. Thus we can define primitive recursive relations as

well, e.g., the relation “n evenly divides m” is a primitive recursive relation.
Primitive recursive functions—those that can be defined using just primi-
tive recursion—are not, however, the only computable number-theoretic func-
tions. Many generalizations of primitive recursion have been considered, but
the most powerful and widely-accepted additional way of computing func-
tions is by unbounded search. This leads to the definition of partial recur-
sive functions, and a related definition to general recursive functions. General
recursive functions are computable and total, and the definition character-
izes exactly the partial recursive functions that happen to be total. Recursive
functions can simulate every other model of computation (Turing machines,
lambda calculus, etc.) and so represent one of the many accepted models of
computation.

29.2 Primitive Recursion

A characteristic of the natural numbers is that every natural number can be
reached from 0 by applying the successor operation +1 finitely many times—
any natural number is either 0 or the successor of . . . the successor of 0. One
way to specify a function h : N → N that makes use of this fact is this: (a) spec-
ify what the value of h is for argument 0, and (b) also specify how to, given
the value of h( x ), compute the value of h( x + 1). For (a) tells us directly what
h(0) is, so h is defined for 0. Now, using the instruction given by (b) for x = 0,
we can compute h(1) = h(0 + 1) from h(0). Using the same instructions for
x = 1, we compute h(2) = h(1 + 1) from h(1), and so on. For every natural
number x, we’ll eventually reach the step where we define h( x ) from h( x + 1),
and so h( x ) is defined for all x ∈ N.
For instance, suppose we specify h : N → N by the following two equa-
tions:

h (0) = 1
h ( x + 1) = 2 · h ( x )

If we already know how to multiply, then these equations give us the infor-
mation required for (a) and (b) above. By successively applying the second
equation, we get that

h(1) = 2 · h(0) = 2,
h(2) = 2 · h(1) = 2 · 2,
h(3) = 2 · h(2) = 2 · 2 · 2,
..
.

We see that the function h we have specified is h( x ) = 2x .

Release : d3a1905 (2022-12-19) 419

 CHAPTER 29. RECURSIVE FUNCTIONS

The characteristic feature of the natural numbers guarantees that there is

only one function h that meets these two criteria. A pair of equations like
these is called a definition by primitive recursion of the function h. It is so-called
because we define h “recursively,” i.e., the definition, specifically the second
equation, involves h itself on the right-hand-side. It is “primitive” because in
defining h( x + 1) we only use the value h( x ), i.e., the immediately preceding
value. This is the simplest way of defining a function on N recursively.
We can define even more fundamental functions like addition and mul-
tiplication by primitive recursion. In these cases, however, the functions in
question are 2-place. We fix one of the argument places, and use the other for
the recursion. E.g, to define add( x, y) we can fix x and define the value first
for y = 0 and then for y + 1 in terms of y. Since x is fixed, it will appear on the
left and on the right side of the defining equations.

add( x, 0) = x
add( x, y + 1) = add( x, y) + 1

These equations specify the value of add for all x and y. To find add(2, 3), for
instance, we apply the defining equations for x = 2, using the first to find
add(2, 0) = 2, then using the second to successively find add(2, 1) = 2 + 1 =
3, add(2, 2) = 3 + 1 = 4, add(2, 3) = 4 + 1 = 5.
In the definition of add we used + on the right-hand-side of the second
equation, but only to add 1. In other words, we used the successor func-
tion succ(z) = z + 1 and applied it to the previous value add( x, y) to define
add( x, y + 1). So we can think of the recursive definition as given in terms of
a single function which we apply to the previous value. However, it doesn’t
hurt—and sometimes is necessary—to allow the function to depend not just
on the previous value but also on x and y. Consider:

mult( x, 0) = 0
mult( x, y + 1) = add(mult( x, y), x )

This is a primitive recursive definition of a function mult by applying the func-

tion add to both the preceding value mult( x, y) and the first argument x. It
also defines the function mult( x, y) for all arguments x and y. For instance,
mult(2, 3) is determined by successively computing mult(2, 0), mult(2, 1), mult(2, 2),
and mult(2, 3):

mult(2, 0) = 0
mult(2, 1) = mult(2, 0 + 1) = add(mult(2, 0), 2) = add(0, 2) = 2
mult(2, 2) = mult(2, 1 + 1) = add(mult(2, 1), 2) = add(2, 2) = 4
mult(2, 3) = mult(2, 2 + 1) = add(mult(2, 2), 2) = add(4, 2) = 6

The general pattern then is this: to give a primitive recursive definition of

a function h( x0 , . . . , xk−1 , y), we provide two equations. The first defines the

420 Release : d3a1905 (2022-12-19)

29.3. COMPOSITION

value of h( x0 , . . . , xk−1 , 0) without reference to h. The second defines the value

of h( x0 , . . . , xk−1 , y + 1) in terms of h( x0 , . . . , xk−1 , y), the other arguments x0 ,
. . . , xk−1 , and y. Only the immediately preceding value of h may be used in
that second equation. If we think of the operations given by the right-hand-
sides of these two equations as themselves being functions f and g, then the
general pattern to define a new function h by primitive recursion is this:

h ( x 0 , . . . , x k −1 , 0 ) = f ( x 0 , . . . , x k −1 )
h( x0 , . . . , xk−1 , y + 1) = g( x0 , . . . , xk−1 , y, h( x0 , . . . , xk−1 , y))

In the case of add, we have k = 1 and f ( x0 ) = x0 (the identity function), and

g( x0 , y, z) = z + 1 (the 3-place function that returns the successor of its third
argument):

add( x0 , 0) = f ( x0 ) = x0
add( x0 , y + 1) = g( x0 , y, add( x0 , y)) = succ(add( x0 , y))

In the case of mult, we have f ( x0 ) = 0 (the constant function always return-

ing 0) and g( x0 , y, z) = add(z, x0 ) (the 3-place function that returns the sum
of its last and first argument):

mult( x0 , 0) = f ( x0 ) = 0
mult( x0 , y + 1) = g( x0 , y, mult( x0 , y)) = add(mult( x0 , y), x0 )

29.3 Composition
If f and g are two one-place functions of natural numbers, we can compose
them: h( x ) = g( f ( x )). The new function h( x ) is then defined by composition
from the functions f and g. We’d like to generalize this to functions of more
than one argument.
Here’s one way of doing this: suppose f is a k-place function, and g0 , . . . ,
gk−1 are k functions which are all n-place. Then we can define a new n-place
function h as follows:

h( x0 , . . . , xn−1 ) = f ( g0 ( x0 , . . . , xn−1 ), . . . , gk−1 ( x0 , . . . , xn−1 ))

If f and all gi are computable, so is h: To compute h( x0 , . . . , xn−1 ), first com-

pute the values yi = gi ( x0 , . . . , xn−1 ) for each i = 0, . . . , k − 1. Then feed these
values into f to compute h( x0 , . . . , xk−1 ) = f (y0 , . . . , yk−1 ).
This may seem like an overly restrictive characterization of what happens
when we compute a new function using some existing ones. For one thing,
sometimes we do not use all the arguments of a function, as when we de-
fined g( x, y, z) = succ(z) for use in the primitive recursive definition of add.
Suppose we are allowed use of the following functions:

Pin ( x0 , . . . , xn−1 ) = xi

Release : d3a1905 (2022-12-19) 421

 CHAPTER 29. RECURSIVE FUNCTIONS

The functions Pik are called projection functions: Pin is an n-place function. Then
g can be defined by
g( x, y, z) = succ( P23 ( x, y, z)).
Here the role of f is played by the 1-place function succ, so k = 1. And we
have one 3-place function P23 which plays the role of g0 . The result is a 3-place
function that returns the successor of the third argument.
The projection functions also allow us to define new functions by reorder-
ing or identifying arguments. For instance, the function h( x ) = add( x, x ) can
be defined by
h( x0 ) = add( P01 ( x0 ), P01 ( x0 )).
Here k = 2, n = 1, the role of f (y0 , y1 ) is played by add, and the roles of g0 ( x0 )
and g1 ( x0 ) are both played by P01 ( x0 ), the one-place projection function (aka
the identity function).
If f (y0 , y1 ) is a function we already have, we can define the function h( x0 , x1 ) =
f ( x1 , x0 ) by
h( x0 , x1 ) = f ( P12 ( x0 , x1 ), P02 ( x0 , x1 )).
Here k = 2, n = 2, and the roles of g0 and g1 are played by P12 and P02 , respec-
tively.
You may also worry that g0 , . . . , gk−1 are all required to have the same
arity n. (Remember that the arity of a function is the number of arguments;
an n-place function has arity n.) But adding the projection functions provides
the desired flexibility. For example, suppose f and g are 3-place functions and
h is the 2-place function defined by
h( x, y) = f ( x, g( x, x, y), y).
The definition of h can be rewritten with the projection functions, as
h( x, y) = f ( P02 ( x, y), g( P02 ( x, y), P02 ( x, y), P12 ( x, y)), P12 ( x, y)).
Then h is the composition of f with P02 , l, and P12 , where
l ( x, y) = g( P02 ( x, y), P02 ( x, y), P12 ( x, y)),
i.e., l is the composition of g with P02 , P02 , and P12 .

29.4 Primitive Recursion Functions

Let us record again how we can define new functions from existing ones using
primitive recursion and composition.
Definition 29.1. Suppose f is a k-place function (k ≥ 1) and g is a (k + 2)-
place function. The function defined by primitive recursion from f and g is the
(k + 1)-place function h defined by the equations
h ( x 0 , . . . , x k −1 , 0 ) = f ( x 0 , . . . , x k −1 )
h( x0 , . . . , xk−1 , y + 1) = g( x0 , . . . , xk−1 , y, h( x0 , . . . , xk−1 , y))

422 Release : d3a1905 (2022-12-19)

29.4. PRIMITIVE RECURSION FUNCTIONS

Definition 29.2. Suppose f is a k-place function, and g0 , . . . , gk−1 are k func-

tions which are all n-place. The function defined by composition from f and g0 ,
. . . , gk−1 is the n-place function h defined by

h( x0 , . . . , xn−1 ) = f ( g0 ( x0 , . . . , xn−1 ), . . . , gk−1 ( x0 , . . . , xn−1 )).

In addition to succ and the projection functions

Pin ( x0 , . . . , xn−1 ) = xi ,

for each natural number n and i < n, we will include among the primitive
recursive functions the function zero( x ) = 0.

Definition 29.3. The set of primitive recursive functions is the set of functions
from Nn to N, defined inductively by the following clauses:

1. zero is primitive recursive.

2. succ is primitive recursive.

3. Each projection function Pin is primitive recursive.

4. If f is a k-place primitive recursive function and g0 , . . . , gk−1 are n-

place primitive recursive functions, then the composition of f with g0 ,
. . . , gk−1 is primitive recursive.

5. If f is a k-place primitive recursive function and g is a k + 2-place primi-

tive recursive function, then the function defined by primitive recursion
from f and g is primitive recursive.

Put more concisely, the set of primitive recursive functions is the smallest
set containing zero, succ, and the projection functions Pjn , and which is closed
under composition and primitive recursion.
Another way of describing the set of primitive recursive functions is by
defining it in terms of “stages.” Let S0 denote the set of starting functions:
zero, succ, and the projections. These are the primitive recursive functions of
stage 0. Once a stage Si has been defined, let Si+1 be the set of all functions
you get by applying a single instance of composition or primitive recursion to
functions already in Si . Then
[
S= Si
i ∈N

is the set of all primitive recursive functions

Let us verify that add is a primitive recursive function.

Proposition 29.4. The addition function add( x, y) = x + y is primitive recursive.

Release : d3a1905 (2022-12-19) 423

 CHAPTER 29. RECURSIVE FUNCTIONS

Proof. We already have a primitive recursive definition of add in terms of two

functions f and g which matches the format of Definition 29.1:

add( x0 , 0) = f ( x0 ) = x0
add( x0 , y + 1) = g( x0 , y, add( x0 , y)) = succ(add( x0 , y))

So add is primitive recursive provided f and g are as well. f ( x0 ) = x0 =

P01 ( x0 ), and the projection functions count as primitive recursive, so f is prim-
itive recursive. The function g is the three-place function g( x0 , y, z) defined
by
g( x0 , y, z) = succ(z).
This does not yet tell us that g is primitive recursive, since g and succ are not
quite the same function: succ is one-place, and g has to be three-place. But we
can define g “officially” by composition as

g( x0 , y, z) = succ( P23 ( x0 , y, z))

Since succ and P23 count as primitive recursive functions, g does as well, since
it can be defined by composition from primitive recursive functions.

Proposition 29.5. The multiplication function mult( x, y) = x · y is primitive re-

cursive.

Proof. Exercise.

Example 29.6. Here’s our very first example of a primitive recursive defini-
tion:

h (0) = 1
h ( y + 1) = 2 · h ( y ).

This function cannot fit into the form required by Definition 29.1, since k = 0.
The definition also involves the constants 1 and 2. To get around the first
problem, let’s introduce a dummy argument and define the function h′ :

h ′ ( x0 , 0) = f ( x0 ) = 1
h′ ( x0 , y + 1) = g( x0 , y, h′ ( x0 , y)) = 2 · h′ ( x0 , y).

The function f ( x0 ) = 1 can be defined from succ and zero by composition:

f ( x0 ) = succ(zero( x0 )). The function g can be defined by composition from
g′ (z) = 2 · z and projections:

g( x0 , y, z) = g′ ( P23 ( x0 , y, z))

and g′ in turn can be defined by composition as

g′ (z) = mult( g′′ (z), P01 (z))

424 Release : d3a1905 (2022-12-19)

29.5. PRIMITIVE RECURSION NOTATIONS

and

g′′ (z) = succ( f (z)),

where f is as above: f (z) = succ(zero(z)). Now that we have h′ , we can

use composition again to let h(y) = h′ ( P01 (y), P01 (y)). This shows that h can
be defined from the basic functions using a sequence of compositions and
primitive recursions, so h is primitive recursive.

29.5 Primitive Recursion Notations

One advantage to having the precise inductive description of the primitive re-
cursive functions is that we can be systematic in describing them. For exam-
ple, we can assign a “notation” to each such function, as follows. Use symbols
zero, succ, and Pin for zero, successor, and the projections. Now suppose h is
defined by composition from a k-place function f and n-place functions g0 ,
. . . , gk−1 , and we have assigned notations F, G0 , . . . , Gk−1 to the latter func-
tions. Then, using a new symbol Compk,n , we can denote the function h by
Compk,n [ F, G0 , . . . , Gk−1 ].
For functions defined by primitive recursion, we can use analogous no-
tations. Suppose the (k + 1)-ary function h is defined by primitive recursion
from the k-ary function f and the (k + 2)-ary function g, and the notations
assigned to f and g are F and G, respectively. Then the notation assigned to h
is Reck [ F, G ].
Recall that the addition function is defined by primitive recursion as

add( x0 , 0) = P01 ( x0 ) = x0
add( x0 , y + 1) = succ( P23 ( x0 , y, add( x0 , y))) = add( x0 , y) + 1

Here the role of f is played by P01 , and the role of g is played by succ( P23 ( x0 , y, z)),
which is assigned the notation Comp1,3 [succ, P23 ] as it is the result of defining
a function by composition from the 1-ary function succ and the 3-ary func-
tion P23 . With this setup, we can denote the addition function by

Rec1 [ P01 , Comp1,3 [succ, P23 ]].

Having these notations sometimes proves useful, e.g., when enumerating prim-
itive recursive functions.

29.6 Primitive Recursive Functions are Computable

Suppose a function h is defined by primitive recursion

h(⃗x, 0) = f (⃗x )
h(⃗x, y + 1) = g(⃗x, y, h(⃗x, y))

Release : d3a1905 (2022-12-19) 425

 CHAPTER 29. RECURSIVE FUNCTIONS

and suppose the functions f and g are computable. (We use ⃗x to abbreviate x0 ,
. . . , xk−1 .) Then h(⃗x, 0) can obviously be computed, since it is just f (⃗x ) which
we assume is computable. h(⃗x, 1) can then also be computed, since 1 = 0 + 1
and so h(⃗x, 1) is just

h(⃗x, 1) = g(⃗x, 0, h(⃗x, 0)) = g(⃗x, 0, f (⃗x )).

We can go on in this way and compute

h(⃗x, 2) = g(⃗x, 1, h(⃗x, 1)) = g(⃗x, 1, g(⃗x, 0, f (⃗x )))

h(⃗x, 3) = g(⃗x, 2, h(⃗x, 2)) = g(⃗x, 2, g(⃗x, 1, g(⃗x, 0, f (⃗x ))))
h(⃗x, 4) = g(⃗x, 3, h(⃗x, 3)) = g(⃗x, 3, g(⃗x, 2, g(⃗x, 1, g(⃗x, 0, f (⃗x )))))
..
.

Thus, to compute h(⃗x, y) in general, successively compute h(⃗x, 0), h(⃗x, 1), . . . ,
until we reach h(⃗x, y).
Thus, a primitive recursive definition yields a new computable function if
the functions f and g are computable. Composition of functions also results
in a computable function if the functions f and gi are computable.
Since the basic functions zero, succ, and Pin are computable, and compo-
sition and primitive recursion yield computable functions from computable
functions, this means that every primitive recursive function is computable.

29.7 Examples of Primitive Recursive Functions

We already have some examples of primitive recursive functions: the addition
and multiplication functions add and mult. The identity function id( x ) = x
is primitive recursive, since it is just P01 . The constant functions constn ( x ) = n
are primitive recursive since they can be defined from zero and succ by suc-
cessive composition. This is useful when we want to use constants in primi-
tive recursive definitions, e.g., if we want to define the function f ( x ) = 2 · x
can obtain it by composition from constn ( x ) and multiplication as f ( x ) =
mult(const2 ( x ), P01 ( x )). We’ll make use of this trick from now on.

Proposition 29.7. The exponentiation function exp( x, y) = x y is primitive recur-

sive.

Proof. We can define exp primitive recursively as

exp( x, 0) = 1
exp( x, y + 1) = mult( x, exp( x, y)).

426 Release : d3a1905 (2022-12-19)

29.7. EXAMPLES OF PRIMITIVE RECURSIVE FUNCTIONS

Strictly speaking, this is not a recursive definition from primitive recursive

functions. Officially, though, we have:

exp( x, 0) = f ( x )
exp( x, y + 1) = g( x, y, exp( x, y)).

where

f ( x ) = succ(zero( x )) = 1
g( x, y, z) = mult( P03 ( x, y, z), P23 ( x, y, z)) = x · z

and so f and g are defined from primitive recursive functions by composi-

tion.

Proposition 29.8. The predecessor function pred(y) defined by

(
0 if y = 0
pred(y) =
y − 1 otherwise

is primitive recursive.

Proof. Note that

pred(0) = 0 and
pred(y + 1) = y.

This is almost a primitive recursive definition. It does not, strictly speaking, fit
into the pattern of definition by primitive recursion, since that pattern requires
at least one extra argument x. It is also odd in that it does not actually use
pred(y) in the definition of pred(y + 1). But we can first define pred′ ( x, y) by

pred′ ( x, 0) = zero( x ) = 0,
pred′ ( x, y + 1) = P13 ( x, y, pred′ ( x, y)) = y.

and then define pred from it by composition, e.g., as pred( x ) = pred′ (zero( x ), P01 ( x )).

Proposition 29.9. The factorial function fac( x ) = x ! = 1 · 2 · 3 · · · · · x is primitive

recursive.

Proof. The obvious primitive recursive definition is

fac(0) = 1
fac(y + 1) = fac(y) · (y + 1).

Release : d3a1905 (2022-12-19) 427

 CHAPTER 29. RECURSIVE FUNCTIONS

Officially, we have to first define a two-place function h

h( x, 0) = const1 ( x )
h( x, y + 1) = g( x, y, h( x, y))

where g( x, y, z) = mult( P23 ( x, y, z), succ( P13 ( x, y, z))) and then let

fac(y) = h( P01 (y), P01 (y)) = h(y, y).

From now on we’ll be a bit more laissez-faire and not give the official defini-
tions by composition and primitive recursion.

Proposition 29.10. Truncated subtraction, x −̇ y, defined by

(
0 if x < y
x −̇ y =
x − y otherwise

is primitive recursive.

Proof. We have:

x −̇ 0 = x
x −̇ (y + 1) = pred( x −̇ y)

Proposition 29.11. The distance between x and y, | x − y|, is primitive recursive.

Proof. We have | x − y| = ( x −̇ y) + (y −̇ x ), so the distance can be defined by

composition from + and −̇, which are primitive recursive.

Proposition 29.12. The maximum of x and y, max( x, y), is primitive recursive.

Proof. We can define max( x, y) by composition from + and −̇ by

max( x, y) = x + (y −̇ x ).

If x is the maximum, i.e., x ≥ y, then y −̇ x = 0, so x + (y −̇ x ) = x + 0 = x. If

y is the maximum, then y −̇ x = y − x, and so x + (y −̇ x ) = x + (y − x ) = y.

Proposition 29.13. The minimum of x and y, min( x, y), is primitive recursive.

Proof. Exercise.

Proposition 29.14. The set of primitive recursive functions is closed under the fol-
lowing two operations:

428 Release : d3a1905 (2022-12-19)

29.8. PRIMITIVE RECURSIVE RELATIONS

1. Finite sums: if f (⃗x, z) is primitive recursive, then so is the function

y
g(⃗x, y) = ∑ f (⃗x, z).
z =0

2. Finite products: if f (⃗x, z) is primitive recursive, then so is the function

y
h(⃗x, y) = ∏ f (⃗x, z).
z =0

Proof. For example, finite sums are defined recursively by the equations

g(⃗x, 0) = f (⃗x, 0)
g(⃗x, y + 1) = g(⃗x, y) + f (⃗x, y + 1).

29.8 Primitive Recursive Relations

Definition 29.15. A relation R(⃗x ) is said to be primitive recursive if its char-
acteristic function, 
1 if R(⃗x )
χ R (⃗x ) =
0 otherwise
is primitive recursive.

In other words, when one speaks of a primitive recursive relation R(⃗x ),

one is referring to a relation of the form χ R (⃗x ) = 1, where χ R is a primitive
recursive function which, on any input, returns either 1 or 0. For example,
the relation IsZero( x ), which holds if and only if x = 0, corresponds to the
function χIsZero , defined using primitive recursion by

χIsZero (0) = 1,
χIsZero ( x + 1) = 0.

It should be clear that one can compose relations with other primitive re-
cursive functions. So the following are also primitive recursive:

1. The equality relation, x = y, defined by IsZero(| x − y|)

2. The less-than relation, x ≤ y, defined by IsZero( x −̇ y)

Proposition 29.16. The set of primitive recursive relations is closed under Boolean
operations, that is, if P(⃗x ) and Q(⃗x ) are primitive recursive, so are

1. ¬ P(⃗x )

2. P(⃗x ) ∧ Q(⃗x )

Release : d3a1905 (2022-12-19) 429

 CHAPTER 29. RECURSIVE FUNCTIONS

3. P(⃗x ) ∨ Q(⃗x )

4. P(⃗x ) → Q(⃗x )

Proof. Suppose P(⃗x ) and Q(⃗x ) are primitive recursive, i.e., their characteristic
functions χ P and χQ are. We have to show that the characteristic functions of
¬ P(⃗x ), etc., are also primitive recursive.
(
0 if χ P (⃗x ) = 1
χ¬ P (⃗x ) =
1 otherwise

We can define χ¬ P (⃗x ) as 1 −̇ χ P (⃗x ).

(
1 if χ P (⃗x ) = χQ (⃗x ) = 1
χ P∧Q (⃗x ) =
0 otherwise

We can define χ P∧Q (⃗x ) as χ P (⃗x ) · χQ (⃗x ) or as min(χ P (⃗x ), χQ (⃗x )). Similarly,

χ P∨Q (⃗x ) = max(χ P (⃗x ), χQ (⃗x ))) and

χ P→Q (⃗x ) = max(1 −̇ χ P (⃗x ), χQ (⃗x )).

Proposition 29.17. The set of primitive recursive relations is closed under bounded
quantification, i.e., if R(⃗x, z) is a primitive recursive relation, then so are the relations

(∀z < y) R(⃗x, z) and

(∃z < y) R(⃗x, z).

(∀z < y) R(⃗x, z) holds of ⃗x and y if and only if R(⃗x, z) holds for every z less than y,
and similarly for (∃z < y) R(⃗x, z).

Proof. By convention, we take (∀z < 0) R(⃗x, z) to be true (for the trivial reason
that there are no z less than 0) and (∃z < 0) R(⃗x, z) to be false. A bounded
universal quantifier functions just like a finite product or iterated minimum,
i.e., if P(⃗x, y) ⇔ (∀z < y) R(⃗x, z) then χ P (⃗x, y) can be defined by

χ P (⃗x, 0) = 1
χ P (⃗x, y + 1) = min(χ P (⃗x, y), χ R (⃗x, y))).

Bounded existential quantification can similarly be defined using max. Al-

ternatively, it can be defined from bounded universal quantification, using
the equivalence (∃z < y) R(⃗x, z) ↔ ¬(∀z < y) ¬ R(⃗x, z). Note that, for ex-
ample, a bounded quantifier of the form (∃ x ≤ y) . . . x . . . is equivalent to
(∃ x < y + 1) . . . x . . . .

430 Release : d3a1905 (2022-12-19)

29.9. BOUNDED MINIMIZATION

Another useful primitive recursive function is the conditional function,

cond( x, y, z), defined by
(
y if x = 0
cond( x, y, z) =
z otherwise.

This is defined recursively by

cond(0, y, z) = y,
cond( x + 1, y, z) = z.

One can use this to justify definitions of primitive recursive functions by cases
from primitive recursive relations:

Proposition 29.18. If g0 (⃗x ), . . . , gm (⃗x ) are primitive recursive functions, and R0 (⃗x ),
. . . , Rm−1 (⃗x ) are primitive recursive relations, then the function f defined by


 g0 (⃗x ) if R0 (⃗x )

 g1 (⃗x ) if R1 (⃗x ) and not R0 (⃗x )



.

f (⃗x ) = ..


 gm−1 (⃗x ) if Rm−1 (⃗x ) and none of the previous hold




gm (⃗x ) otherwise


is also primitive recursive.

Proof. When m = 1, this is just the function defined by

f (⃗x ) = cond(χ¬ R0 (⃗x ), g0 (⃗x ), g1 (⃗x )).

For m greater than 1, one can just compose definitions of this form.

29.9 Bounded Minimization

It is often useful to define a function as the least number satisfying some prop-
erty or relation P. If P is decidable, we can compute this function simply by
trying out all the possible numbers, 0, 1, 2, . . . , until we find the least one satis-
fying P. This kind of unbounded search takes us out of the realm of primitive
recursive functions. However, if we’re only interested in the least number
less than some independently given bound, we stay primitive recursive. In other
words, and a bit more generally, suppose we have a primitive recursive rela-
tion R( x, z). Consider the function that maps x and y to the least z < y such
that R( x, z). It, too, can be computed, by testing whether R( x, 0), R( x, 1), . . . ,
R( x, y − 1). But why is it primitive recursive?

Release : d3a1905 (2022-12-19) 431

 CHAPTER 29. RECURSIVE FUNCTIONS

Proposition 29.19. If R(⃗x, z) is primitive recursive, so is the function m R (⃗x, y)

which returns the least z less than y such that R(⃗x, z) holds, if there is one, and y
otherwise. We will write the function m R as

(min z < y) R(⃗x, z),

Proof. Note than there can be no z < 0 such that R(⃗x, z) since there is no z < 0
at all. So m R (⃗x, 0) = 0.
In case the bound is of the form y + 1 we have three cases:
1. There is a z < y such that R(⃗x, z), in which case m R (⃗x, y + 1) = m R (⃗x, y).
2. There is no such z < y but R(⃗x, y) holds, then m R (⃗x, y + 1) = y.
3. There is no z < y + 1 such that R(⃗x, z), then m R (⃗z, y + 1) = y + 1.
So we can define m R (⃗x, 0) by primitive recursion as follows:

m R (⃗x, 0) = 0

m R (⃗x, y)
 if m R (⃗x, y) ̸= y
m R (⃗x, y + 1) = y if m R (⃗x, y) = y and R(⃗x, y)

y+1 otherwise.


Note that there is a z < y such that R(⃗x, z) iff m R (⃗x, y) ̸= y.

29.10 Primes
Bounded quantification and bounded minimization provide us with a good
deal of machinery to show that natural functions and relations are primitive
recursive. For example, consider the relation “x divides y”, written x | y. The
relation x | y holds if division of y by x is possible without remainder, i.e.,
if y is an integer multiple of x. (If it doesn’t hold, i.e., the remainder when
dividing x by y is > 0, we write x ∤ y.) In other words, x | y iff for some z,
x · z = y. Obviously, any such z, if it exists, must be ≤ y. So, we have that
x | y iff for some z ≤ y, x · z = y. We can define the relation x | y by bounded
existential quantification from = and multiplication by

x | y ⇔ (∃z ≤ y) ( x · z) = y.

We’ve thus shown that x | y is primitive recursive.

A natural number x is prime if it is neither 0 nor 1 and is only divisible by
1 and itself. In other words, prime numbers are such that, whenever y | x,
either y = 1 or y = x. To test if x is prime, we only have to check if y | x for
all y ≤ x, since if y > x, then automatically y ∤ x. So, the relation Prime( x ),
which holds iff x is prime, can be defined by

Prime( x ) ⇔ x ≥ 2 ∧ (∀y ≤ x ) (y | x → y = 1 ∨ y = x )

432 Release : d3a1905 (2022-12-19)

29.11. SEQUENCES

and is thus primitive recursive.

The primes are 2, 3, 5, 7, 11, etc. Consider the function p( x ) which returns
the xth prime in that sequence, i.e., p(0) = 2, p(1) = 3, p(2) = 5, etc. (For
convenience we will often write p( x ) as p x (p0 = 2, p1 = 3, etc.)
If we had a function nextPrime(x), which returns the first prime number
larger than x, p can be easily defined using primitive recursion:

p (0) = 2
p( x + 1) = nextPrime( p( x ))

Since nextPrime( x ) is the least y such that y > x and y is prime, it can be
easily computed by unbounded search. But it can also be defined by bounded
minimization, thanks to a result due to Euclid: there is always a prime number
between x and x ! + 1.

nextPrime(x) = (min y ≤ x ! + 1) (y > x ∧ Prime(y)).

This shows, that nextPrime( x ) and hence p( x ) are (not just computable but)
primitive recursive.
(If you’re curious, here’s a quick proof of Euclid’s theorem. Suppose pn
is the largest prime ≤ x and consider the product p = p0 · p1 · · · · · pn of all
primes ≤ x. Either p + 1 is prime or there is a prime between x and p + 1.
Why? Suppose p + 1 is not prime. Then some prime number q | p + 1 where
q < p + 1. None of the primes ≤ x divide p + 1. (By definition of p, each
of the primes pi ≤ x divides p, i.e., with remainder 0. So, each of the primes
pi ≤ x divides p + 1 with remainder 1, and so pi ∤ p + 1.) Hence, q is a prime
> x and < p + 1. And p ≤ x !, so there is a prime > x and ≤ x ! + 1.)

29.11 Sequences
The set of primitive recursive functions is remarkably robust. But we will be
able to do even more once we have developed a adequate means of handling
sequences. We will identify finite sequences of natural numbers with natural
numbers in the following way: the sequence ⟨ a0 , a1 , a2 , . . . , ak ⟩ corresponds to
the number
a +1 a +1 a +1
p00 · p11 · p2a2 +1 · · · · · pkk .
We add one to the exponents to guarantee that, for example, the sequences
⟨2, 7, 3⟩ and ⟨2, 7, 3, 0, 0⟩ have distinct numeric codes. We can take both 0 and 1
to code the empty sequence; for concreteness, let Λ denote 0.
The reason that this coding of sequences works is the so-called Fundamen-
tal Theorem of Arithmetic: every natural number n ≥ 2 can be written in one
and only one way in the form
a a a
n = p00 · p11 · · · · · pkk

Release : d3a1905 (2022-12-19) 433

 CHAPTER 29. RECURSIVE FUNCTIONS

with ak ≥ 1. This guarantees that the mapping ⟨⟩( a0 , . . . , ak ) = ⟨ a0 , . . . , ak ⟩ is

injective: different sequences are mapped to different numbers; to each num-
ber only at most one sequence corresponds.
We’ll now show that the operations of determining the length of a se-
quence, determining its ith element, appending an element to a sequence, and
concatenating two sequences, are all primitive recursive.

Proposition 29.20. The function len(s), which returns the length of the sequence s,
is primitive recursive.

Proof. Let R(i, s) be the relation defined by

R(i, s) iff pi | s ∧ pi+1 ∤ s.

R is clearly primitive recursive. Whenever s is the code of a non-empty se-

quence, i.e.,
a +1 a +1
s = p00 · · · · · pkk ,
R(i, s) holds if pi is the largest prime such that pi | s, i.e., i = k. The length of
s thus is i + 1 iff pi is the largest prime that divides s, so we can let
(
0 if s = 0 or s = 1
len(s) =
1 + (min i < s) R(i, s) otherwise

We can use bounded minimization, since there is only one i that satisfies R(s, i )
when s is a code of a sequence, and if i exists it is less than s itself.

Proposition 29.21. The function append(s, a), which returns the result of append-
ing a to the sequence s, is primitive recursive.

Proof. append can be defined by:

(
2 a +1 if s = 0 or s = 1
append(s, a) = a +1
s · plen (s)
otherwise.

Proposition 29.22. The function element(s, i ), which returns the ith element of s
(where the initial element is called the 0th), or 0 if i is greater than or equal to the
length of s, is primitive recursive.

Proof. Note that a is the ith element of s iff pia+1 is the largest power of pi that
divides s, i.e., pia+1 | s but pia+2 ∤ s. So:
(
0 if i ≥ len(s)
element(s, i ) =
(min a < s) ( pia+2 ∤ s) otherwise.

434 Release : d3a1905 (2022-12-19)

29.11. SEQUENCES

Instead of using the official names for the functions defined above, we
introduce a more compact notation. We will use (s)i instead of element(s, i ),
and ⟨s0 , . . . , sk ⟩ to abbreviate

append(append(. . . append(Λ, s0 ) . . . ), sk ).

Note that if s has length k, the elements of s are (s)0 , . . . , (s)k−1 .

Proposition 29.23. The function concat(s, t), which concatenates two sequences, is
primitive recursive.

Proof. We want a function concat with the property that

concat(⟨ a0 , . . . , ak ⟩, ⟨b0 , . . . , bl ⟩) = ⟨ a0 , . . . , ak , b0 , . . . , bl ⟩.

We’ll use a “helper” function hconcat(s, t, n) which concatenates the first n

symbols of t to s. This function can be defined by primitive recursion as fol-
lows:

hconcat(s, t, 0) = s
hconcat(s, t, n + 1) = append(hconcat(s, t, n), (t)n )

Then we can define concat by

concat(s, t) = hconcat(s, t, len(t)).

We will write s ⌢ t instead of concat(s, t).

It will be useful for us to be able to bound the numeric code of a sequence
in terms of its length and its largest element. Suppose s is a sequence of
length k, each element of which is less than or equal to some number x. Then
s has at most k prime factors, each at most pk−1 , and each raised to at most
x + 1 in the prime factorization of s. In other words, if we define
k ·( x +1)
sequenceBound( x, k) = pk−1 ,

then the numeric code of the sequence s described above is at most sequenceBound( x, k).
Having such a bound on sequences gives us a way of defining new func-
tions using bounded search. For example, we can define concat using bounded
search. All we need to do is write down a primitive recursive specification of
the object (number of the concatenated sequence) we are looking for, and a
bound on how far to look. The following works:

concat(s, t) = (min v < sequenceBound(s + t, len(s) + len(t)))

(len(v) = len(s) + len(t) ∧
(∀i < len(s)) ((v)i = (s)i ) ∧
(∀ j < len(t)) ((v)len(s)+ j = (t) j ))

Release : d3a1905 (2022-12-19) 435

 CHAPTER 29. RECURSIVE FUNCTIONS

Proposition 29.24. The function subseq(s, i, n) which returns the subsequence of s

of length n beginning at the ith element, is primitive recursive.

Proof. Exercise.

29.12 Trees
Sometimes it is useful to represent trees as natural numbers, just like we can
represent sequences by numbers and properties of and operations on them by
primitive recursive relations and functions on their codes. We’ll use sequences
and their codes to do this. A tree can be either a single node (possibly with a
label) or else a node (possibly with a label) connected to a number of subtrees.
The node is called the root of the tree, and the subtrees it is connected to its
immediate subtrees.
We code trees recursively as a sequence ⟨k, d1 , . . . , dk ⟩, where k is the num-
ber of immediate subtrees and d1 , . . . , dk the codes of the immediate subtrees.
If the nodes have labels, they can be included after the immediate subtrees. So
a tree consisting just of a single node with label l would be coded by ⟨0, l ⟩, and
a tree consisting of a root (labelled l1 ) connected to two single nodes (labelled
l2 , l3 ) would be coded by ⟨2, ⟨0, l2 ⟩, ⟨0, l3 ⟩, l1 ⟩.
Proposition 29.25. The function SubtreeSeq(t), which returns the code of a se-
quence the elements of which are the codes of all subtrees of the tree with code t, is
primitive recursive.

Proof. First note that ISubtrees(t) = subseq(t, 1, (t)0 ) is primitive recursive

and returns the codes of the immediate subtrees of a tree t. Now we can
define a helper function hSubtreeSeq(t, n) which computes the sequence of all
subtrees which are n nodes removed from the root. The sequence of subtrees
of t which is 0 nodes removed from the root—in other words, begins at the root
of t—is the sequence consisting just of t. To obtain a sequence of all level n + 1
subtrees of t, we concatenate the level n subtrees with a sequence consisting
of all immediate subtrees of the level n subtrees. To get a list of all these, note
that if f ( x ) is a primitive recursive function returning codes of sequences, then
g f (s, k) = f ((s)0 ) ⌢ . . . ⌢ f ((s)k ) is also primitive recursive:

g(s, 0) = f ((s)0 )
g(s, k + 1) = g(s, k) ⌢ f ((s)k+1 )

For instance, if s is a sequence of trees, then h(s) = gISubtrees (s, len(s)) gives
the sequence of the immediate subtrees of the elements of s. We can use it to
define hSubtreeSeq by

hSubtreeSeq(t, 0) = ⟨t⟩
hSubtreeSeq(t, n + 1) = hSubtreeSeq(t, n) ⌢ h(hSubtreeSeq(t, n)).

436 Release : d3a1905 (2022-12-19)

29.13. OTHER RECURSIONS

The maximum level of subtrees in a tree coded by t, i.e., the maximum dis-
tance between the root and a leaf node, is bounded by the code t. So a se-
quence of codes of all subtrees of the tree coded by t is given by hSubtreeSeq(t, t).

29.13 Other Recursions

Using pairing and sequencing, we can justify more exotic (and useful) forms
of primitive recursion. For example, it is often useful to define two functions
simultaneously, such as in the following definition:

h0 (⃗x, 0) = f 0 (⃗x )
h1 (⃗x, 0) = f 1 (⃗x )
h0 (⃗x, y + 1) = g0 (⃗x, y, h0 (⃗x, y), h1 (⃗x, y))
h1 (⃗x, y + 1) = g1 (⃗x, y, h0 (⃗x, y), h1 (⃗x, y))

This is an instance of simultaneous recursion. Another useful way of defining

functions is to give the value of h(⃗x, y + 1) in terms of all the values h(⃗x, 0),
. . . , h(⃗x, y), as in the following definition:

h(⃗x, 0) = f (⃗x )
h(⃗x, y + 1) = g(⃗x, y, ⟨h(⃗x, 0), . . . , h(⃗x, y)⟩).

The following schema captures this idea more succinctly:

h(⃗x, y) = g(⃗x, y, ⟨h(⃗x, 0), . . . , h(⃗x, y − 1)⟩)

with the understanding that the last argument to g is just the empty sequence
when y is 0. In either formulation, the idea is that in computing the “successor
step,” the function h can make use of the entire sequence of values computed
so far. This is known as a course-of-values recursion. For a particular example,
it can be used to justify the following type of definition:
(
g(⃗x, y, h(⃗x, k(⃗x, y))) if k (⃗x, y) < y
h(⃗x, y) =
f (⃗x ) otherwise

In other words, the value of h at y can be computed in terms of the value of h

at any previous value, given by k.
You should think about how to obtain these functions using ordinary prim-
itive recursion. One final version of primitive recursion is more flexible in that
one is allowed to change the parameters (side values) along the way:

h(⃗x, 0) = f (⃗x )
h(⃗x, y + 1) = g(⃗x, y, h(k(⃗x ), y))

This, too, can be simulated with ordinary primitive recursion. (Doing so is

tricky. For a hint, try unwinding the computation by hand.)

Release : d3a1905 (2022-12-19) 437

 CHAPTER 29. RECURSIVE FUNCTIONS

29.14 Non-Primitive Recursive Functions

The primitive recursive functions do not exhaust the intuitively computable
functions. It should be intuitively clear that we can make a list of all the unary
primitive recursive functions, f 0 , f 1 , f 2 , . . . such that we can effectively com-
pute the value of f x on input y; in other words, the function g( x, y), defined
by
g( x, y) = f x (y)
is computable. But then so is the function

h( x ) = g( x, x ) + 1
= f x ( x ) + 1.

For each primitive recursive function f i , the value of h and f i differ at i. So h

is computable, but not primitive recursive; and one can say the same about g.
This is an “effective” version of Cantor’s diagonalization argument.
One can provide more explicit examples of computable functions that are
not primitive recursive. For example, let the notation gn ( x ) denote g( g(. . . g( x ))),
with n g’s in all; and define a sequence g0 , g1 , . . . of functions by

g0 ( x ) = x+1
gn +1 ( x ) = gnx ( x )

You can confirm that each function gn is primitive recursive. Each successive
function grows much faster than the one before; g1 ( x ) is equal to 2x, g2 ( x ) is
equal to 2x · x, and g3 ( x ) grows roughly like an exponential stack of x 2’s. The
Ackermann–Péter function is essentially the function G ( x ) = gx ( x ), and one
can show that this grows faster than any primitive recursive function.
Let us return to the issue of enumerating the primitive recursive functions.
Remember that we have assigned symbolic notations to each primitive recur-
sive function; so it suffices to enumerate notations. We can assign a natural
number #( F ) to each notation F, recursively, as follows:

#(0) = ⟨0⟩
#( S ) = ⟨1⟩
#( Pin ) = ⟨2, n, i ⟩
#(Compk,l [ H, G0 , . . . , Gk−1 ]) = ⟨3, k, l, #( H ), #( G0 ), . . . , #( Gk−1 )⟩
#(Recl [ G, H ]) = ⟨4, l, #( G ), #( H )⟩

Here we are using the fact that every sequence of numbers can be viewed as
a natural number, using the codes from the last section. The upshot is that
every code is assigned a natural number. Of course, some sequences (and
hence some numbers) do not correspond to notations; but we can let f i be the
unary primitive recursive function with notation coded as i, if i codes such a

438 Release : d3a1905 (2022-12-19)

29.15. PARTIAL RECURSIVE FUNCTIONS

notation; and the constant 0 function otherwise. The net result is that we have
an explicit way of enumerating the unary primitive recursive functions.
(In fact, some functions, like the constant zero function, will appear more
than once on the list. This is not just an artifact of our coding, but also a result
of the fact that the constant zero function has more than one notation. We will
later see that one can not computably avoid these repetitions; for example,
there is no computable function that decides whether or not a given notation
represents the constant zero function.)
We can now take the function g( x, y) to be given by f x (y), where f x refers
to the enumeration we have just described. How do we know that g( x, y) is
computable? Intuitively, this is clear: to compute g( x, y), first “unpack” x, and
see if it is a notation for a unary function. If it is, compute the value of that
function on input y.
You may already be convinced that (with some work!) one can write
a program (say, in Java or C++) that does this; and now we can appeal to
the Church-Turing thesis, which says that anything that, intuitively, is com-
putable can be computed by a Turing machine.
Of course, a more direct way to show that g( x, y) is computable is to de-
scribe a Turing machine that computes it, explicitly. This would, in particular,
avoid the Church-Turing thesis and appeals to intuition. Soon we will have
built up enough machinery to show that g( x, y) is computable, appealing to a
model of computation that can be simulated on a Turing machine: namely, the
recursive functions.

29.15 Partial Recursive Functions

To motivate the definition of the recursive functions, note that our proof that
there are computable functions that are not primitive recursive actually estab-
lishes much more. The argument was simple: all we used was the fact that it
is possible to enumerate functions f 0 , f 1 , . . . such that, as a function of x and y,
f x (y) is computable. So the argument applies to any class of functions that can be
enumerated in such a way. This puts us in a bind: we would like to describe the
computable functions explicitly; but any explicit description of a collection of
computable functions cannot be exhaustive!
The way out is to allow partial functions to come into play. We will see
that it is possible to enumerate the partial computable functions. In fact, we
already pretty much know that this is the case, since it is possible to enumerate
Turing machines in a systematic way. We will come back to our diagonal
argument later, and explore why it does not go through when partial functions
are included.
The question is now this: what do we need to add to the primitive recur-
sive functions to obtain all the partial recursive functions? We need to do two
things:

Release : d3a1905 (2022-12-19) 439

 CHAPTER 29. RECURSIVE FUNCTIONS

1. Modify our definition of the primitive recursive functions to allow for

partial functions as well.

2. Add something to the definition, so that some new partial functions are
included.

The first is easy. As before, we will start with zero, successor, and projec-
tions, and close under composition and primitive recursion. The only differ-
ence is that we have to modify the definitions of composition and primitive
recursion to allow for the possibility that some of the terms in the definition
are not defined. If f and g are partial functions, we will write f ( x ) ↓ to mean
that f is defined at x, i.e., x is in the domain of f ; and f ( x ) ↑ to mean the
opposite, i.e., that f is not defined at x. We will use f ( x ) ≃ g( x ) to mean that
either f ( x ) and g( x ) are both undefined, or they are both defined and equal.
We will use these notations for more complicated terms as well. We will adopt
the convention that if h and g0 , . . . , gk all are partial functions, then

h( g0 (⃗x ), . . . , gk (⃗x ))

is defined if and only if each gi is defined at ⃗x, and h is defined at g0 (⃗x ),

. . . , gk (⃗x ). With this understanding, the definitions of composition and prim-
itive recursion for partial functions is just as above, except that we have to
replace “=” by “≃”.
What we will add to the definition of the primitive recursive functions to
obtain partial functions is the unbounded search operator. If f ( x, ⃗z) is any partial
function on the natural numbers, define µx f ( x, ⃗z) to be

the least x such that f (0, ⃗z), f (1, ⃗z), . . . , f ( x, ⃗z) are all defined, and
f ( x, ⃗z) = 0, if such an x exists

with the understanding that µx f ( x, ⃗z) is undefined otherwise. This defines

µx f ( x, ⃗z) uniquely.
Note that our definition makes no reference to Turing machines, or algo-
rithms, or any specific computational model. But like composition and prim-
itive recursion, there is an operational, computational intuition behind un-
bounded search. When it comes to the computability of a partial function,
arguments where the function is undefined correspond to inputs for which
the computation does not halt. The procedure for computing µx f ( x, ⃗z) will
amount to this: compute f (0, ⃗z), f (1, ⃗z), f (2, ⃗z) until a value of 0 is returned. If
any of the intermediate computations do not halt, however, neither does the
computation of µx f ( x, ⃗z).
If R( x, ⃗z) is any relation, µx R( x, ⃗z) is defined to be µx (1 −̇ χ R ( x, ⃗z)). In
other words, µx R( x, ⃗z) returns the least value of x such that R( x, ⃗z) holds. So,
if f ( x, ⃗z) is a total function, µx f ( x, ⃗z) is the same as µx ( f ( x, ⃗z) = 0). But note
that our original definition is more general, since it allows for the possibility

440 Release : d3a1905 (2022-12-19)

29.16. THE NORMAL FORM THEOREM

that f ( x, ⃗z) is not everywhere defined (whereas, in contrast, the characteristic

function of a relation is always total).

Definition 29.26. The set of partial recursive functions is the smallest set of par-
tial functions from the natural numbers to the natural numbers (of various
arities) containing zero, successor, and projections, and closed under compo-
sition, primitive recursion, and unbounded search.

Of course, some of the partial recursive functions will happen to be total,

i.e., defined for every argument.

Definition 29.27. The set of recursive functions is the set of partial recursive
functions that are total.

A recursive function is sometimes called “total recursive” to emphasize

that it is defined everywhere.

29.16 The Normal Form Theorem

Theorem 29.28 (Kleene’s Normal Form Theorem). There is a primitive recur-
sive relation T (e, x, s) and a primitive recursive function U (s), with the following
property: if f is any partial recursive function, then for some e,

f ( x ) ≃ U (µs T (e, x, s))

for every x.

The proof of the normal form theorem is involved, but the basic idea is
simple. Every partial recursive function has an index e, intuitively, a number
coding its program or definition. If f ( x ) ↓, the computation can be recorded
systematically and coded by some number s, and the fact that s codes the
computation of f on input x can be checked primitive recursively using only
x and the definition e. Consequently, the relation T, “the function with index e
has a computation for input x, and s codes this computation,” is primitive
recursive. Given the full record of the computation s, the “upshot” of s is the
value of f ( x ), and it can be obtained from s primitive recursively as well.
The normal form theorem shows that only a single unbounded search is
required for the definition of any partial recursive function. Basically, we can
search through all numbers until we find one that codes a computation of
the function with index e for input x. We can use the numbers e as “names”
of partial recursive functions, and write φe for the function f defined by the
equation in the theorem. Note that any partial recursive function can have
more than one index—in fact, every partial recursive function has infinitely
many indices.

Release : d3a1905 (2022-12-19) 441

 CHAPTER 29. RECURSIVE FUNCTIONS

29.17 The Halting Problem

The halting problem in general is the problem of deciding, given the specifica-
tion e (e.g., program) of a computable function and a number n, whether the
computation of the function on input n halts, i.e., produces a result. Famously,
Alan Turing proved that this problem itself cannot be solved by a computable
function, i.e., the function
(
1 if computation e halts on input n
h(e, n) =
0 otherwise,

is not computable.
In the context of partial recursive functions, the role of the specification
of a program may be played by the index e given in Kleene’s normal form
theorem. If f is a partial recursive function, any e for which the equation in
the normal form theorem holds, is an index of f . Given a number e, the normal
form theorem states that

φe ( x ) ≃ U (µs T (e, x, s))

is partial recursive, and for every partial recursive f : N → N, there is an

e ∈ N such that φe ( x ) ≃ f ( x ) for all x ∈ N. In fact, for each such f there is
not just one, but infinitely many such e. The halting function h is defined by
(
1 if φe ( x ) ↓
h(e, x ) =
0 otherwise.

Note that h(e, x ) = 0 if φe ( x ) ↑, but also when e is not the index of a partial
recursive function at all.

Theorem 29.29. The halting function h is not partial recursive.

Proof. If h were partial recursive, we could define

(
1 if h(y, y) = 0
d(y) =
µx x ̸= x otherwise.

Since no number x satisfies x ̸= x, there is no µx x ̸= x, and so d(y) ↑ iff

h(y, y) ̸= 0. From this definition it follows that

1. d(y) ↓ iff φy (y) ↑ or y is not the index of a partial recursive function.

2. d(y) ↑ iff φy (y) ↓.

If h were partial recursive, then d would be partial recursive as well. Thus,

by the Kleene normal form theorem, it has an index ed . Consider the value of
h(ed , ed ). There are two possible cases, 0 and 1.

442 Release : d3a1905 (2022-12-19)

29.18. GENERAL RECURSIVE FUNCTIONS

1. If h(ed , ed ) = 1 then φed (ed ) ↓. But φed ≃ d, and d(ed ) is defined iff
h(ed , ed ) = 0. So h(ed , ed ) ̸= 1.

2. If h(ed , ed ) = 0 then either ed is not the index of a partial recursive func-

tion, or it is and φed (ed ) ↑. But again, φed ≃ d, and d(ed ) is undefined iff
φ ed ( e d ) ↓.

The upshot is that ed cannot, after all, be the index of a partial recursive func-
tion. But if h were partial recursive, d would be too, and so our definition of
ed as an index of it would be admissible. We must conclude that h cannot be
partial recursive.

29.18 General Recursive Functions

There is another way to obtain a set of total functions. Say a total function
f ( x, ⃗z) is regular if for every sequence of natural numbers ⃗z, there is an x such
that f ( x, ⃗z) = 0. In other words, the regular functions are exactly those func-
tions to which one can apply unbounded search, and end up with a total func-
tion. One can, conservatively, restrict unbounded search to regular functions:

Definition 29.30. The set of general recursive functions is the smallest set of
functions from the natural numbers to the natural numbers (of various ari-
ties) containing zero, successor, and projections, and closed under composi-
tion, primitive recursion, and unbounded search applied to regular functions.

Clearly every general recursive function is total. The difference between

Definition 29.30 and Definition 29.27 is that in the latter one is allowed to
use partial recursive functions along the way; the only requirement is that
the function you end up with at the end is total. So the word “general,” a
historic relic, is a misnomer; on the surface, Definition 29.30 is less general
than Definition 29.27. But, fortunately, the difference is illusory; though the
definitions are different, the set of general recursive functions and the set of
recursive functions are one and the same.

Problems
Problem 29.1. Prove Proposition 29.5 by showing that the primitive recursive
definition of mult is can be put into the form required by Definition 29.1 and
showing that the corresponding functions f and g are primitive recursive.

Problem 29.2. Give the complete primitive recursive notation for mult.

Problem 29.3. Prove Proposition 29.13.

Release : d3a1905 (2022-12-19) 443

 CHAPTER 29. RECURSIVE FUNCTIONS

Problem 29.4. Show that

x 
.2
.. y 2’s
f ( x, y) = 2(2 )

is primitive recursive.

Problem 29.5. Show that integer division d( x, y) = ⌊ x/y⌋ (i.e., division, where
you disregard everything after the decimal point) is primitive recursive. When
y = 0, we stipulate d( x, y) = 0. Give an explicit definition of d using primitive
recursion and composition.

Problem 29.6. Show that the three place relation x ≡ y mod n (congruence
modulo n) is primitive recursive.

Problem 29.7. Suppose R(⃗x, z) is primitive recursive. Define the function m′R (⃗x, y)
which returns the least z less than y such that R(⃗x, z) holds, if there is one, and
0 otherwise, by primitive recursion from χ R .

Problem 29.8. Define integer division d( x, y) using bounded minimization.

Problem 29.9. Show that there is a primitive recursive function sconcat(s)

with the property that

sconcat(⟨s0 , . . . , sk ⟩) = s0 ⌢ . . . ⌢ sk .

Problem 29.10. Show that there is a primitive recursive function tail(s) with
the property that

tail(Λ) = 0 and
tail(⟨s0 , . . . , sk ⟩) = ⟨s1 , . . . , sk ⟩.

Problem 29.11. Prove Proposition 29.24.

Problem 29.12. The definition of hSubtreeSeq in the proof of Proposition 29.25

in general includes repetitions. Give an alternative definition which guaran-
tees that the code of a subtree occurs only once in the resulting list.

Problem 29.13. Define the remainder function r ( x, y) by course-of-values re-

cursion. (If x, y are natural numbers and y > 0, r ( x, y) is the number less
than y such that x = z × y + r ( x, y) for some z. For definiteness, let’s say that
if y = 0, r ( x, 0) = 0.)

444 Release : d3a1905 (2022-12-19)

Chapter 30

Computability Theory

Material in this chapter should be reviewed and expanded. In paticu-

lar, there are no exercises yet.

30.1 Introduction
The branch of logic known as Computability Theory deals with issues having to
do with the computability, or relative computability, of functions and sets. It is
a evidence of Kleene’s influence that the subject used to be known as Recursion
Theory, and today, both names are commonly used.
Let us call a function f : N → 7 N partial computable if it can be computed
in some model of computation. If f is total we will simply say that f is com-
putable. A relation R with computable characteristic function χ R is also called
computable. If f and g are partial functions, we will write f ( x ) ↓ to mean that
f is defined at x, i.e., x is in the domain of f ; and f ( x ) ↑ to mean the opposite,
i.e., that f is not defined at x. We will use f ( x ) ≃ g( x ) to mean that either f ( x )
and g( x ) are both undefined, or they are both defined and equal.
One can explore the subject without having to refer to a specific model
of computation. To do this, one shows that there is a universal partial com-
putable function, Un(k, x ). This allows us to enumerate the partial computable
functions. We will adopt the notation φk to denote the k-th unary partial com-
putable function, defined by φk ( x ) ≃ Un(k, x ). (Kleene used {k} for this pur-
pose, but this notation has not been used as much recently.) Slightly more
generally, we can uniformly enumerate the partial computable functions of
arbitrary arities, and we will use φnk to denote the k-th n-ary partial recursive
function.
Recall that if f (⃗x, y) is a total or partial function, then µy f (⃗x, y) is the
function of ⃗x that returns the least y such that f (⃗x, y) = 0, assuming that all of
f (⃗x, 0), . . . , f (⃗x, y − 1) are defined; if there is no such y, µy f (⃗x, y) is undefined.

445
 CHAPTER 30. COMPUTABILITY THEORY

If R(⃗x, y) is a relation, µy R(⃗x, y) is defined to be the least y such that R(⃗x, y) is

true; in other words, the least y such that one minus the characteristic function
of R is equal to zero at ⃗x, y.
To show that a function is computable, there are two ways one can pro-
ceed:
1. Rigorously: describe a Turing machine or partial recursive function ex-
plicitly, and show that it computes the function you have in mind;

2. Informally: describe an algorithm that computes it, and appeal to Church’s

thesis.
There is no fine line between the two; a detailed description of an algorithm
should provide enough information so that it is relatively clear how one could,
in principle, design the right Turing machine or sequence of partial recursive
definitions. Fully rigorous definitions are unlikely to be informative, and we
will try to find a happy medium between these two approaches; in short, we
will try to find intuitive yet rigorous proofs that the precise definitions could
be obtained.

30.2 Coding Computations

In every model of computation, it is possible to do the following:
1. Describe the definitions of computable functions in a systematic way. For
instance, you can think of Turing machine specifications, recursive def-
initions, or programs in a programming language as providing these
definitions.

2. Describe the complete record of the computation of a function given by

some definition for a given input. For instance, a Turing machine com-
putation can be described by the sequence of configurations (state of the
machine, contents of the tape) for each step of computation.

3. Test whether a putative record of a computation is in fact the record of

how a computable function with a given definition would be computed
for a given input.

4. Extract from such a description of the complete record of a computation

the value of the function for a given input. For instance, the contents of
the tape in the very last step of a halting Turing machine computation is
the value.
Using coding, it is possible to assign to each description of a computable
function a numerical index in such a way that the instructions can be recovered
from the index in a computable way. Similarly, the complete record of a com-
putation can be coded by a single number as well. The resulting arithmetical

446 Release : d3a1905 (2022-12-19)

30.3. THE NORMAL FORM THEOREM

relation “s codes the record of computation of the function with index e for
input x” and the function “output of computation sequence with code s” are
then computable; in fact, they are primitive recursive.
This fundamental fact is very powerful, and allows us to prove a number
of striking and important results about computability, independently of the
model of computation chosen.

30.3 The Normal Form Theorem

Theorem 30.1 (Kleene’s Normal Form Theorem). There are a primitive recur-
sive relation T (k, x, s) and a primitive recursive function U (s), with the following
property: if f is any partial computable function, then for some k,

f ( x ) ≃ U (µs T (k, x, s))

for every x.

Proof Sketch. For any model of computation one can rigorously define a de-
scription of the computable function f and code such description using a nat-
ural number k. One can also rigorously define a notion of “computation se-
quence” which records the process of computing the function with index k for
input x. These computation sequences can likewise be coded as numbers s.
This can be done in such a way that (a) it is decidable whether a number s
codes the computation sequence of the function with index k on input x and
(b) what the end result of the computation sequence coded by s is. In fact, the
relation in (a) and the function in (b) are primitive recursive.

In order to give a rigorous proof of the Normal Form Theorem, we would

have to fix a model of computation and carry out the coding of descriptions of
computable functions and of computation sequences in detail, and verify that
the relation T and function U are primitive recursive. For most applications,
it suffices that T and U are computable and that U is total.
It is probably best to remember the proof of the normal form theorem in
slogan form: µs T (k, x, s) searches for a computation sequence of the function
with index k on input x, and U returns the output of the computation sequence
if one can be found.
T and U can be used to define the enumeration φ0 , φ1 , φ2 , . . . . From now
on, we will assume that we have fixed a suitable choice of T and U, and take
the equation
φe ( x ) ≃ U (µs T (e, x, s))
to be the definition of φe .
Here is another useful fact:

Theorem 30.2. Every partial computable function has infinitely many indices.

Release : d3a1905 (2022-12-19) 447

 CHAPTER 30. COMPUTABILITY THEORY

Again, this is intuitively clear. Given any (description of) a computable

function, one can come up with a different description which computes the
same function (input-output pair) but does so, e.g., by first doing something
that has no effect on the computation (say, test if 0 = 0, or count to 5, etc.). The
index of the altered description will always be different from the original in-
dex. Both are indices of the same function, just computed slightly differently.

30.4 The s-m-n Theorem

The next theorem is known as the “s-m-n theorem,” for a reason that will be
clear in a moment. The hard part is understanding just what the theorem says;
once you understand the statement, it will seem fairly obvious.
Theorem 30.3. For each pair of natural numbers n and m, there is a primitive re-
cursive function sm
n such that for every sequence x, a0 , . . . , am−1 , y0 ,. . . , yn−1 , we
have

φnsmn ( x,a0 ,...,a ( y 0 , . . . , y n −1 ) ≃ φ m

x
+n
( a 0 , . . . , a m −1 , y 0 , . . . , y n −1 ).
m −1 )

It is helpful to think of sm m
n as acting on programs. That is, sn takes a pro-
gram, x, for an (m + n)-ary function, as well as fixed inputs a0 , . . . , am−1 ; and
it returns a program, sm n ( x, a0 , . . . , am−1 ), for the n-ary function of the remain-
ing arguments. It you think of x as the description of a Turing machine, then
sm
n ( x, a0 , . . . , am−1 ) is the Turing machine that, on input y0 , . . . , yn−1 , prepends
a0 , . . . , am−1 to the input string, and runs x. Each sm n is then just a primitive
recursive function that finds a code for the appropriate Turing machine.

30.5 The Universal Partial Computable Function

Theorem 30.4. There is a universal partial computable function Un(k, x ). In other
words, there is a function Un(k, x ) such that:
1. Un(k, x ) is partial computable.
2. If f ( x ) is any partial computable function, then there is a natural number k
such that f ( x ) ≃ Un(k, x ) for every x.

Proof. Let Un(k, x ) ≃ U (µs T (k, x, s)) in Kleene’s normal form theorem.

This is just a precise way of saying that we have an effective enumeration

of the partial computable functions; the idea is that if we write f k for the func-
tion defined by f k ( x ) = Un(k, x ), then the sequence f 0 , f 1 , f 2 , . . . includes all
the partial computable functions, with the property that f k ( x ) can be com-
puted “uniformly” in k and x. For simplicity, we are using a binary func-
tion that is universal for unary functions, but by coding sequences of num-
bers we can easily generalize this to more arguments. For example, note that

448 Release : d3a1905 (2022-12-19)

30.6. NO UNIVERSAL COMPUTABLE FUNCTION

if f ( x, y, z) is a 3-place partial recursive function, then the function g( x ) ≃

f (( x )0 , ( x )1 , ( x )2 ) is a unary recursive function.

30.6 No Universal Computable Function

Theorem 30.5. There is no universal computable function. In other words, the uni-
versal function Un′ (k, x ) = φk ( x ) is not computable.

Proof. This theorem says that there is no total computable function that is uni-
versal for the total computable functions. The proof is a simple diagonaliza-
tion: if Un′ (k, x ) were total and computable, then
d( x ) = Un′ ( x, x ) + 1
would also be total and computable. However, for every k, d(k ) is not equal
to Un′ (k, k).

Theorem Theorem 30.4 above shows that we can get around this diagonal-
ization argument, but only at the expense of allowing partial functions. It is
worth trying to understand what goes wrong with the diagonalization argu-
ment, when we try to apply it in the partial case. In particular, the function
h( x ) = Un( x, x ) + 1 is partial recursive. Suppose h is the k-th function in the
enumeration; what can we say about h(k)?

30.7 The Halting Problem

Since, in our construction, Un(k, x ) is defined if and only if the computation of
the function coded by k produces a value for input x, it is natural to ask if we
can decide whether this is the case. And in fact, it is not. For the Turing ma-
chine model of computation, this means that whether a given Turing machine
halts on a given input is computationally undecidable. The following theo-
rem is therefore known as the “undecidability of the halting problem.” We
will provide two proofs below. The first continues the thread of our previous
discussion, while the second is more direct.
Theorem 30.6. Let
(
1 if Un(k, x ) is defined
h(k, x ) =
0 otherwise.
Then h is not computable.

Proof. If h were computable, we would have a universal computable function,

as follows. Suppose h is computable, and define
(
f nUn(k, x ) if h(k, x ) = 1
Un′ (k, x ) =
0 otherwise.

Release : d3a1905 (2022-12-19) 449

 CHAPTER 30. COMPUTABILITY THEORY

But now Un′ (k, x ) is a total function, and is computable if h is. For instance,
we could define g using primitive recursion, by

g(0, k, x ) ≃ 0
g(y + 1, k, x ) ≃ Un(k, x );

then
Un′ (k, x ) ≃ g(h(k, x ), k, x ).
And since Un′ (k, x ) agrees with Un(k, x ) wherever the latter is defined, Un′ is
universal for those partial computable functions that happen to be total. But
this contradicts Theorem 30.5.

Proof. Suppose h(k, x ) were computable. Define the function g by

(
0 if h( x, x ) = 0
g( x ) =
undefined otherwise.

The function g is partial computable; for example, one can define it as µy h( x, x ) =

0. So, for some k, g( x ) ≃ Un(k, x ) for every x. Is g defined at k? If it is, then, by
the definition of g, h(k, k) = 0. By the definition of f , this means that Un(k, k )
is undefined; but by our assumption that g(k) ≃ Un(k, x ) for every x, this
means that g(k) is undefined, a contradiction. On the other hand, if g(k) is
undefined, then h(k, k ) ̸= 0, and so h(k, k) = 1. But this means that Un(k, k ) is
defined, i.e., that g(k ) is defined.

We can describe this argument in terms of Turing machines. Suppose there

were a Turing machine H that took as input a description of a Turing machine
K and an input x, and decided whether or not K halts on input x. Then we
could build another Turing machine G which takes a single input x, calls H to
decide if machine x halts on input x, and does the opposite. In other words, if
H reports that x halts on input x, G goes into an infinite loop, and if H reports
that x doesn’t halt on input x, then G just halts. Does G halt on input G? The
argument above shows that it does if and only if it doesn’t—a contradiction.
So our supposition that there is a such Turing machine H, is false.

30.8 Comparison with Russell’s Paradox

It is instructive to compare and contrast the arguments in this section with
Russell’s paradox:

1. Russell’s paradox: let S = { x : x ∈

/ x }. Then x ∈ S if and only if x ∈
/ S, a
contradiction.
Conclusion: There is no such set S. Assuming the existence of a “set of
all sets” is inconsistent with the other axioms of set theory.

450 Release : d3a1905 (2022-12-19)

30.8. COMPARISON WITH RUSSELL’S PARADOX

2. A modification of Russell’s paradox: let F be the “function” from the set

of all functions to {0, 1}, defined by
(
1 if f is in the domain of f , and f ( f ) = 0
F( f ) =
0 otherwise

A similar argument shows that F ( F ) = 0 if and only if F ( F ) = 1, a

contradiction.
Conclusion: F is not a function. The “set of all functions” is too big to be
the domain of a function.

3. The diagonalization argument: let f 0 , f 1 , . . . be the enumeration of the

partial computable functions, and let G : N → {0, 1} be defined by
(
1 if f x ( x ) ↓= 0
G(x) =
0 otherwise

If G is computable, then it is the function f k for some k. But then G (k) =

1 if and only if G (k ) = 0, a contradiction.
Conclusion: G is not computable. Note that according to the axioms of set
theory, G is still a function; there is no paradox here, just a clarification.

That talk of partial functions, computable functions, partial computable

functions, and so on can be confusing. The set of all partial functions from N
to N is a big collection of objects. Some of them are total, some of them are
computable, some are both total and computable, and some are neither. Keep
in mind that when we say “function,” by default, we mean a total function.
Thus we have:

1. computable functions

2. partial computable functions that are not total

3. functions that are not computable

4. partial functions that are neither total nor computable

To sort this out, it might help to draw a big square representing all the partial
functions from N to N, and then mark off two overlapping regions, corre-
sponding to the total functions and the computable partial functions, respec-
tively. It is a good exercise to see if you can describe an object in each of the
resulting regions in the diagram.

Release : d3a1905 (2022-12-19) 451

 CHAPTER 30. COMPUTABILITY THEORY

30.9 Computable Sets

We can extend the notion of computability from computable functions to com-
putable sets:
Definition 30.7. Let S be a set of natural numbers. Then S is computable iff its
characteristic function is. In other words, S is computable iff the function
(
1 if x ∈ S
χS ( x ) =
0 otherwise
is computable. Similarly, a relation R( x0 , . . . , xk−1 ) is computable if and only
if its characteristic function is.
Computable sets are also called decidable.
Notice that we now have a number of notions of computability: for partial
functions, for functions, and for sets. Do not get them confused! The Turing
machine computing a partial function returns the output of the function, for
input values at which the function is defined; the Turing machine computing
a set returns either 1 or 0, after deciding whether or not the input value is in
the set or not.

30.10 Computably Enumerable Sets

Definition 30.8. A set is computably enumerable if it is empty or the range of a
computable function.

Historical Remarks Computably enumarable sets are also called recursively

enumerable instead. This is the original terminology, and today both are com-
monly used, as well as the abbreviations “c.e.” and “r.e.”
You should think about what the definition means, and why the termi-
nology is appropriate. The idea is that if S is the range of the computable
function f , then
S = { f (0), f (1), f (2), . . . },
and so f can be seen as “enumerating” the elements of S. Note that according
to the definition, f need not be an increasing function, i.e., the enumeration
need not be in increasing order. In fact, f need not even be injective, so that
the constant function f ( x ) = 0 enumerates the set {0}.
Any computable set is computably enumerable. To see this, suppose S is
computable. If S is empty, then by definition it is computably enumerable.
Otherwise, let a be any element of S. Define f by
(
x if χS ( x ) = 1
f (x) =
a otherwise.
Then f is a computable function, and S is the range of f .

452 Release : d3a1905 (2022-12-19)

30.11. DEFINITIONS OF C. E. SETS

30.11 Equivalent Defininitions of Computably Enumerable

Sets
The following gives a number of important equivalent statements of what it
means to be computably enumerable.

Theorem 30.9. Let S be a set of natural numbers. Then the following are equivalent:

1. S is computably enumerable.

2. S is the range of a partial computable function.

3. S is empty or the range of a primitive recursive function.

4. S is the domain of a partial computable function.

The first three clauses say that we can equivalently take any non-empty
computably enumerable set to be enumerated by either a computable func-
tion, a partial computable function, or a primitive recursive function. The
fourth clause tells us that if S is computably enumerable, then for some index
e,
S = { x : φe ( x ) ↓}.
In other words, S is the set of inputs on for which the computation of φe
halts. For that reason, computably enumerable sets are sometimes called semi-
decidable: if a number is in the set, you eventually get a “yes,” but if it isn’t,
you never get a “no”!

Proof. Since every primitive recursive function is computable and every com-
putable function is partial computable, (3) implies (1) and (1) implies (2).
(Note that if S is empty, S is the range of the partial computable function that
is nowhere defined.) If we show that (2) implies (3), we will have shown the
first three clauses equivalent.
So, suppose S is the range of the partial computable function φe . If S is
empty, we are done. Otherwise, let a be any element of S. By Kleene’s normal
form theorem, we can write

φe ( x ) = U (µs T (e, x, s)).

In particular, φe ( x ) ↓ and = y if and only if there is an s such that T (e, x, s)

and U (s) = y. Define f (z) by
(
U ((z)1 ) if T (e, (z)0 , (z)1 )
f (z) =
a otherwise.

Then f is primitive recursive, because T and U are. Expressed in terms of Tur-

ing machines, if z codes a pair ⟨(z)0 , (z)1 ⟩ such that (z)1 is a halting computa-
tion of machine e on input (z)0 , then f returns the output of the computation;

Release : d3a1905 (2022-12-19) 453

 CHAPTER 30. COMPUTABILITY THEORY

otherwise, it returns a.We need to show that S is the range of f , i.e., for any
natural number y, y ∈ S if and only if it is in the range of f . In the forwards
direction, suppose y ∈ S. Then y is in the range of φe , so for some x and s,
T (e, x, s) and U (s) = y; but then y = f (⟨ x, s⟩). Conversely, suppose y is in the
range of f . Then either y = a, or for some z, T (e, (z)0 , (z)1 ) and U ((z)1 ) = y.
Since, in the latter case, φe ( x ) ↓= y, either way, y is in S.
(The notation φe ( x ) ↓= y means “φe ( x ) is defined and equal to y.” We
could just as well use φe ( x ) = y, but the extra arrow is sometimes helpful in
reminding us that we are dealing with a partial function.)
To finish up the proof of Theorem 30.9, it suffices to show that (1) and (4)
are equivalent. First, let us show that (1) implies (4). Suppose S is the range of
a computable function f , i.e.,

S = {y : for some x, f ( x ) = y}.

Let
g(y) = µx f ( x ) = y.
Then g is a partial computable function, and g(y) is defined if and only if for
some x, f ( x ) = y. In other words, the domain of g is the range of f . Expressed
in terms of Turing machines: given a Turing machine F that enumerates the
elements of S, let G be the Turing machine that semi-decides S by searching
through the outputs of F to see if a given element is in the set.
Finally, to show (4) implies (1), suppose that S is the domain of the partial
computable function φe , i.e.,

S = { x : φe ( x ) ↓}.

If S is empty, we are done; otherwise, let a be any element of S. Define f by

(
(z)0 if T (e, (z)0 , (z)1 )
f (z) =
a otherwise.

Then, as above, a number x is in the range of f if and only if φe ( x ) ↓, i.e., if and

only if x ∈ S. Expressed in terms of Turing machines: given a machine Me that
semi-decides S, enumerate the elements of S by running through all possible
Turing machine computations, and returning the inputs that correspond to
halting computations.

The fourth clause of Theorem 30.9 provides us with a convenient way of

enumerating the computably enumerable sets: for each e, let We denote the
domain of φe . Then if A is any computably enumerable set, A = We , for some
e.
The following provides yet another characterization of the computably
enumerable sets.

454 Release : d3a1905 (2022-12-19)

30.12. UNION AND INTERSECTION OF C.E. SETS

Theorem 30.10. A set S is computably enumerable if and only if there is a com-

putable relation R( x, y) such that

S = { x : ∃y R( x, y)}.

Proof. In the forward direction, suppose S is computably enumerable. Then

for some e, S = We . For this value of e we can write S as

S = { x : ∃y T (e, x, y)}.

In the reverse direction, suppose S = { x : ∃y R( x, y)}. Define f by

f ( x ) ≃ µy AtomRx, y.

Then f is partial computable, and S is the domain of f .

30.12 Computably Enumerable Sets are Closed under Union

and Intersection
The following theorem gives some closure properties on the set of computably
enumerable sets.
Theorem 30.11. Suppose A and B are computably enumerable. Then so are A ∩ B
and A ∪ B.

Proof. Theorem 30.9 allows us to use various characterizations of the com-

putably enumerable sets. By way of illustration, we will provide a few differ-
ent proofs.
For the first proof, suppose A is enumerated by a computable function f ,
and B is enumerated by a computable function g. Let

h( x ) = µy ( f (y) = x ∨ g(y) = x ) and

j( x ) = µy ( f ((y)0 ) = x ∧ g((y)1 ) = x ).

Then A ∪ B is the domain of h, and A ∩ B is the domain of j.

Here is what is going on, in computational terms: given procedures that
enumerate A and B, we can semi-decide if an element x is in A ∪ B by looking
for x in either enumeration; and we can semi-decide if an element x is in A ∩ B
for looking for x in both enumerations at the same time.
For the second proof, suppose again that A is enumerated by f and B is
enumerated by g. Let
(
f ( x/2) if x is even
k( x) =
g(( x − 1)/2) if x is odd.

Then k enumerates A ∪ B; the idea is that k just alternates between the enumer-
ations offered by f and g. Enumerating A ∩ B is tricker. If A ∩ B is empty, it

Release : d3a1905 (2022-12-19) 455

 CHAPTER 30. COMPUTABILITY THEORY

is trivially computably enumerable. Otherwise, let c be any element of A ∩ B,

and define l by
(
f (( x )0 ) if f (( x )0 ) = g(( x )1 )
l (x) =
c otherwise.

In computational terms, l runs through pairs of elements in the enumerations

of f and g, and outputs every match it finds; otherwise, it just stalls by out-
putting c.
For the last proof, suppose A is the domain of the partial function m( x ) and
B is the domain of the partial function n( x ). Then A ∩ B is the domain of the
partial function m( x ) + n( x ).
In computational terms, if A is the set of values for which m halts and B
is the set of values for which n halts, A ∩ B is the set of values for which both
procedures halt.
Expressing A ∪ B as a set of halting values is more difficult, because one
has to simulate m and n in parallel. Let d be an index for m and let e be an
index for n; in other words, m = φd and n = φe . Then A ∪ B is the domain of
the function
p( x ) = µy ( T (d, x, y) ∨ T (e, x, y)).
In computational terms, on input x, p searches for either a halting compu-
tation for m or a halting computation for n, and halts if it finds either one.

30.13 Computably Enumerable Sets not Closed under

Complement
Suppose A is computably enumerable. Is the complement of A, A = N \
A, necessarily computably enumerable as well? The following theorem and
corollary show that the answer is “no.”

Theorem 30.12. Let A be any set of natural numbers. Then A is computable if and
only if both A and A are computably enumerable.

Proof. The forwards direction is easy: if A is computable, then A is com-

putable as well (χ A = 1 −̇ χ A ), and so both are computably enumerable.
In the other direction, suppose A and A are both computably enumerable.
Let A be the domain of φd , and let A be the domain of φe . Define h by

h( x ) = µs ( T (d, x, s) ∨ T (e, x, s)).

In other words, on input x, h searches for either a halting computation of φd

or a halting computation of φe . Now, if x ∈ A, it will succeed in the first case,
and if x ∈ A, it will succeed in the second case. So, h is a total computable

456 Release : d3a1905 (2022-12-19)

30.14. REDUCIBILITY

function. But now we have that for every x, x ∈ A if and only if T (e, x, h( x )),
i.e., if φe is the one that is defined. Since T (e, x, h( x )) is a computable relation,
A is computable.

It is easier to understand what is going on in informal computational terms:

to decide A, on input x search for halting computations of φe and φ f . One of
them is bound to halt; if it is φe , then x is in A, and otherwise, x is in A.

Corollary 30.13. K0 is not computably enumerable.

Proof. We know that K0 is computably enumerable, but not computable. If

K0 were computably enumerable, then K0 would be computable by Theo-
rem 30.12.

30.14 Reducibility
We now know that there is at least one set, K0 , that is computably enumerable
but not computable. It should be clear that there are others. The method of
reducibility provides a powerful method of showing that other sets have these
properties, without constantly having to return to first principles.
Generally speaking, a “reduction” of a set A to a set B is a method of
transforming answers to whether or not elements are in B into answers as
to whether or not elements are in A. We will focus on a notion called “many-
one reducibility,” but there are many other notions of reducibility available,
with varying properties. Notions of reducibility are also central to the study
of computational complexity, where efficiency issues have to be considered as
well. For example, a set is said to be “NP-complete” if it is in NP and every
NP problem can be reduced to it, using a notion of reduction that is similar to
the one described below, only with the added requirement that the reduction
can be computed in polynomial time.
We have already used this notion implicitly. Define the set K by

K = { x : φ x ( x ) ↓},

i.e., K = { x : x ∈ Wx }. Our proof that the halting problem in unsolvable,

Theorem 30.6, shows most directly that K is not computable. Recall that K0 is
the set
K0 = {⟨e, x ⟩ : φe ( x ) ↓}.
i.e. K0 = {⟨ x, e⟩ : x ∈ We }. It is easy to extend any proof of the uncom-
putability of K to the uncomputability of K0 : if K0 were computable, we could
decide whether or not an element x is in K simply by asking whether or not
the pair ⟨ x, x ⟩ is in K0 . The function f which maps x to ⟨ x, x ⟩ is an example of
a reduction of K to K0 .

Release : d3a1905 (2022-12-19) 457

 CHAPTER 30. COMPUTABILITY THEORY

Definition 30.14. Let A and B be sets. Then A is said to be many-one reducible

to B, written A ≤m B, if there is a computable function f such that for every
natural number x,

x∈A if and only if f ( x ) ∈ B.

If A is many-one reducible to B and vice-versa, then A and B are said to be

many-one equivalent, written A ≡m B.

If the function f in the definition above happens to be injective, A is said

to be one-one reducible to B. Most of the reductions described below meet this
stronger requirement, but we will not use this fact.
It is true, but by no means obvious, that one-one reducibility really is a
stronger requirement than many-one reducibility. In other words, there are
infinite sets A and B such that A is many-one reducible to B but not one-one
reducible to B.

30.15 Properties of Reducibility

The intuition behind writing A ≤m B is that A is “no harder than” B. The
following two propositions support this intuition.

Proposition 30.15. If A ≤m B and B ≤m C, then A ≤m C.

Proof. Composing a reduction of A to B with a reduction of B to C yields a

reduction of A to C. (You should check the details!)

Proposition 30.16. Let A and B be any sets, and suppose A is many-one reducible
to B.

1. If B is computably enumerable, so is A.

2. If B is computable, so is A.

Proof. Let f be a many-one reduction from A to B. For the first claim, just
check that if B is the domain of a partial function g, then A is the domain
of g ◦ f :

x ∈ Aiff f ( x ) ∈ B
iff g( f ( x )) ↓ .

For the second claim, remember that if B is computable then B and B are
computably enumerable. It is not hard to check that f is also a many-one
reduction of A to B, so, by the first part of this proof, A and A are computably
enumerable. So A is computable as well. (Alternatively, you can check that
χ A = χ B ◦ f ; so if χ B is computable, then so is χ A .)

458 Release : d3a1905 (2022-12-19)

30.16. COMPLETE COMPUTABLY ENUMERABLE SETS

A more general notion of reducibility called Turing reducibility is useful

in other contexts, especially for proving undecidability results. Note that by
Corollary 30.13, the complement of K0 is not reducible to K0 , since it is not
computably enumerable. But, intuitively, if you knew the answers to ques-
tions about K0 , you would know the answer to questions about its comple-
ment as well. A set A is said to be Turing reducible to B if one can determine
answers to questions in A using a computable procedure that can ask ques-
tions about B. This is more liberal than many-one reducibility, in which (1)
you are only allowed to ask one question about B, and (2) a “yes” answer has
to translate to a “yes” answer to the question about A, and similarly for “no.”
It is still the case that if A is Turing reducible to B and B is computable then
A is computable as well (though, as we have seen, the analogous statement
does not hold for computable enumerability).
You should think about the various notions of reducibility we have dis-
cussed, and understand the distinctions between them. We will, however,
only deal with many-one reducibility in this chapter. Incidentally, both types
of reducibility discussed in the last paragraph have analogues in computa-
tional complexity, with the added requirement that the Turing machines run in
polynomial time: the complexity version of many-one reducibility is known as
Karp reducibility, while the complexity version of Turing reducibility is known
as Cook reducibility.

30.16 Complete Computably Enumerable Sets

Definition 30.17. A set A is a complete computably enumerable set (under many-
one reducibility) if

1. A is computably enumerable, and

2. for any other computably enumerable set B, B ≤m A.

In other words, complete computably enumerable sets are the “hardest”

computably enumerable sets possible; they allow one to answer questions
about any computably enumerable set.

Theorem 30.18. K, K0 , and K1 are all complete computably enumerable sets.

Proof. To see that K0 is complete, let B be any computably enumerable set.

Then for some index e,

B = We = { x : φe ( x ) ↓}.

Let f be the function f ( x ) = ⟨e, x ⟩. Then for every natural number x, x ∈ B if

and only if f ( x ) ∈ K0 . In other words, f reduces B to K0 .

Release : d3a1905 (2022-12-19) 459

 CHAPTER 30. COMPUTABILITY THEORY

To see that K1 is complete, note that in the proof of Proposition 30.19 we

reduced K0 to it. So, by Proposition 30.15, any computably enumerable set can
be reduced to K1 as well.
K can be reduced to K0 in much the same way.

So, it turns out that all the examples of computably enumerable sets that
we have considered so far are either computable, or complete. This should
seem strange! Are there any examples of computably enumerable sets that
are neither computable nor complete? The answer is yes, but it wasn’t until
the middle of the 1950s that this was established by Friedberg and Muchnik,
independently.

30.17 An Example of Reducibility

Let us consider an application of Proposition 30.16.

Proposition 30.19. Let

K1 = {e : φe (0) ↓}.

Then K1 is computably enumerable but not computable.

Proof. Since K1 = {e : ∃s T (e, 0, s)}, K1 is computably enumerable by Theo-

rem 30.10.
To show that K1 is not computable, let us show that K0 is reducible to it.
This is a little bit tricky, since using K1 we can only ask questions about
computations that start with a particular input, 0. Suppose you have a smart
friend who can answer questions of this type (friends like this are known as
“oracles”). Then suppose someone comes up to you and asks you whether
or not ⟨e, x ⟩ is in K0 , that is, whether or not machine e halts on input x. One
thing you can do is build another machine, ex , that, for any input, ignores that
input and instead runs e on input x. Then clearly the question as to whether
machine e halts on input x is equivalent to the question as to whether machine
ex halts on input 0 (or any other input). So, then you ask your friend whether
this new machine, ex , halts on input 0; your friend’s answer to the modified
question provides the answer to the original one. This provides the desired
reduction of K0 to K1 .
Using the universal partial computable function, let f be the 3-ary function
defined by
f ( x, y, z) ≃ φ x (y).

Note that f ignores its third input entirely. Pick an index e such that f = φ3e ;
so we have
φ3e ( x, y, z) ≃ φ x (y).

460 Release : d3a1905 (2022-12-19)

30.18. TOTALITY IS UNDECIDABLE

By the s-m-n theorem, there is a function s(e, x, y) such that, for every z,
φs(e,x,y) (z) ≃ φ3e ( x, y, z)
≃ φ x ( y ).
In terms of the informal argument above, s(e, x, y) is an index for the ma-
chine that, for any input z, ignores that input and computes φ x (y).
In particular, we have
φs(e,x,y) (0) ↓ if and only if φ x (y) ↓ .
In other words, ⟨ x, y⟩ ∈ K0 if and only if s(e, x, y) ∈ K1 . So the function g
defined by
g(w) = s(e, (w)0 , (w)1 )
is a reduction of K0 to K1 .

30.18 Totality is Undecidable

Let us consider one more example of using the s-m-n theorem to show that
something is noncomputable. Let Tot be the set of indices of total computable
functions, i.e.
Tot = { x : for every y, φ x (y) ↓}.
Proposition 30.20. Tot is not computable.

Proof. To see that Tot is not computable, it suffices to show that K is reducible
to it. Let h( x, y) be defined by
(
0 if x ∈ K
h( x, y) ≃
undefined otherwise

Note that h( x, y) does not depend on y at all. It should not be hard to see that
h is partial computable: on input x, y, the we compute h by first simulating the
function φ x on input x; if this computation halts, h( x, y) outputs 0 and halts.
So h( x, y) is just Z (µs T ( x, x, s)), where Z is the constant zero function.
Using the s-m-n theorem, there is a primitive recursive function k( x ) such
that for every x and y,
(
0 if x ∈ K
φk( x) (y) =
undefined otherwise
So φk( x) is total if x ∈ K, and undefined otherwise. Thus, k is a reduction of K
to Tot.

It turns out that Tot is not even computably enumerable—its complexity

lies further up on the “arithmetic hierarchy.” But we will not worry about this
strengthening here.

Release : d3a1905 (2022-12-19) 461

 CHAPTER 30. COMPUTABILITY THEORY

30.19 Rice’s Theorem

If you think about it, you will see that the specifics of Tot do not play into
the proof of Proposition 30.20. We designed h( x, y) to act like the constant
function j(y) = 0 exactly when x is in K; but we could just as well have made
it act like any other partial computable function under those circumstances.
This observation lets us state a more general theorem, which says, roughly,
that no nontrivial property of computable functions is decidable.
Keep in mind that φ0 , φ1 , φ2 , . . . is our standard enumeration of the partial
computable functions.

Theorem 30.21 (Rice’s Theorem). Let C be any set of partial computable func-
tions, and let A = {n : φn ∈ C }. If A is computable, then either C is ∅ or C is
the set of all the partial computable functions.

An index set is a set A with the property that if n and m are indices which
“compute” the same function, then either both n and m are in A, or neither is.
It is not hard to see that the set A in the theorem has this property. Conversely,
if A is an index set and C is the set of functions computed by these indices,
then A = {n : φn ∈ C }.
With this terminology, Rice’s theorem is equivalent to saying that no non-
trivial index set is decidable. To understand what the theorem says, it is
helpful to emphasize the distinction between programs (say, in your favorite
programming language) and the functions they compute. There are certainly
questions about programs (indices), which are syntactic objects, that are com-
putable: does this program have more than 150 symbols? Does it have more
than 22 lines? Does it have a “while” statement? Does the string “hello world”
every appear in the argument to a “print” statement? Rice’s theorem says that
no nontrivial question about the program’s behavior is computable. This in-
cludes questions like these: does the program halt on input 0? Does it ever
halt? Does it ever output an even number?

Proof of Rice’s theorem. Suppose C is neither ∅ nor the set of all the partial com-
putable functions, and let A be the set of indices of functions in C. We will
show that if A were computable, we could solve the halting problem; so A is
not computable.
Without loss of generality, we can assume that the function f which is
nowhere defined is not in C (otherwise, switch C and its complement in the
argument below). Let g be any function in C. The idea is that if we could
decide A, we could tell the difference between indices computing f , and in-
dices computing g; and then we could use that capability to solve the halting
problem.

462 Release : d3a1905 (2022-12-19)

30.19. RICE’S THEOREM

Here’s how. Using the universal computation predicate, we can define a

function (
undefined if φ x ( x ) ↑
h( x, y) ≃
g(y) otherwise.

To compute h, first we try to compute φ x ( x ); if that computation halts, we go

on to compute g(y); and if that computation halts, we return the output. More
formally, we can write

h( x, y) ≃ P02 ( g(y), Un( x, x )).

where P02 (z0 , z1 ) = z0 is the 2-place projection function returning the 0-th ar-
gument, which is computable.
Then h is a composition of partial computable functions, and the right side
is defined and equal to g(y) just when Un( x, x ) and g(y) are both defined.
Notice that for a fixed x, if φ x ( x ) is undefined, then h( x, y) is undefined for
every y; and if φ x ( x ) is defined, then h( x, y) ≃ g(y). So, for any fixed value
of x, either h( x, y) acts just like f or it acts just like g, and deciding whether or
not φ x ( x ) is defined amounts to deciding which of these two cases holds. But
this amounts to deciding whether or not h x (y) ≃ h( x, y) is in C or not, and if
A were computable, we could do just that.
More formally, since h is partial computable, it is equal to the function φk
for some index k. By the s-m-n theorem there is a primitive recursive function
s such that for each x, φs(k,x) (y) = h x (y). Now we have that for each x, if
φ x ( x ) ↓, then φs(k,x) is the same function as g, and so s(k, x ) is in A. On the
other hand, if φ x ( x ) ↑, then φs(k,x) is the same function as f , and so s(k, x )
is not in A. In other words we have that for every x, x ∈ K if and only if
s(k, x ) ∈ A. If A were computable, K would be also, which is a contradiction.
So A is not computable.

Rice’s theorem is very powerful. The following immediate corollary shows

some sample applications.

Corollary 30.22. The following sets are undecidable.

1. { x : 17 is in the range of φ x }

2. { x : φ x is constant}

3. { x : φ x is total}

4. { x : whenever y < y′ , φ x (y) ↓, and if φ x (y′ ) ↓, then φ x (y) < φ x (y′ )}

Proof. These are all nontrivial index sets.

Release : d3a1905 (2022-12-19) 463

 CHAPTER 30. COMPUTABILITY THEORY

30.20 The Fixed-Point Theorem

Let’s consider the halting problem again. As temporary notation, let us write
⌜ φ x (y)⌝ for ⟨ x, y⟩; think of this as representing a “name” for the value φ x (y).
With this notation, we can reword one of our proofs that the halting problem
is undecidable.
Question: is there a computable function h, with the following property?
For every x and y, (
1 if φ x (y) ↓
h (⌜ φ x ( y )⌝) =
0 otherwise.
Answer: No; otherwise, the partial function
(
0 if h(⌜ φ x ( x )⌝) = 0
g( x ) ≃
undefined otherwise

would be computable, and so have some index e. But then we have

(
0 if h(⌜ φe (e)⌝) = 0
φe (e) ≃
undefined otherwise,

in which case φe (e) is defined if and only if it isn’t, a contradiction.

Now, take a look at the equation with φe . There is an instance of self-
reference there, in a sense: we have arranged for the value of φe (e) to depend
on ⌜ φe (e)⌝, in a certain way. The fixed-point theorem says that we can do this,
in general—not just for the sake of proving contradictions.
Lemma 30.23 gives two equivalent ways of stating the fixed-point theo-
rem. Logically speaking, the fact that the statements are equivalent follows
from the fact that they are both true; but what we really mean is that each one
follows straightforwardly from the other, so that they can be taken as alterna-
tive statements of the same theorem.
Lemma 30.23. The following statements are equivalent:
1. For every partial computable function g( x, y), there is an index e such that for
every y,
φe (y) ≃ g(e, y).

2. For every computable function f ( x ), there is an index e such that for every y,
φ e ( y ) ≃ φ f ( e ) ( y ).

Proof. (1) ⇒ (2): Given f , define g by g( x, y) ≃ Un( f ( x ), y). Use (1) to get an
index e such that for every y,
φe (y) = Un( f (e), y)
= φ f ( e ) ( y ).

464 Release : d3a1905 (2022-12-19)

30.20. THE FIXED-POINT THEOREM

(2) ⇒ (1): Given g, use the s-m-n theorem to get f such that for every x
and y, φ f ( x) (y) ≃ g( x, y). Use (2) to get an index e such that
φe ( y ) = φ f (e) ( y )
= g(e, y).
This concludes the proof.
Before showing that statement (1) is true (and hence (2) as well), consider
how bizarre it is. Think of e as being a computer program; statement (1) says
that given any partial computable g( x, y), you can find a computer program
e that computes ge (y) ≃ g(e, y). In other words, you can find a computer
program that computes a function that references the program itself.
Theorem 30.24. The two statements in Lemma 30.23 are true. Specifically, for every
partial computable function g( x, y), there is an index e such that for every y,
φe (y) ≃ g(e, y).
Proof. The ingredients are already implicit in the discussion of the halting
problem above. Let diag( x ) be a computable function which for each x re-
turns an index for the function f x (y) ≃ φ x ( x, y), i.e.
φdiag( x) (y) ≃ φ x ( x, y).
Think of diag as a function that transforms a program for a 2-ary function into
a program for a 1-ary function, obtained by fixing the original program as its
first argument. The function diag can be defined formally as follows: first
define s by
s( x, y) ≃ Un2 ( x, x, y),
where Un2 is a 3-ary function that is universal for partial computable 2-ary
functions. Then, by the s-m-n theorem, we can find a primitive recursive func-
tion diag satisfying
φdiag( x) (y) ≃ s( x, y).
Now, define the function l by
l ( x, y) ≃ g(diag( x ), y).
and let ⌜l⌝ be an index for l. Finally, let e = diag(⌜l⌝). Then for every y, we
have
φe (y) ≃ φdiag(⌜l⌝) (y)
≃ φ⌜l⌝ (⌜l⌝, y)
≃ l (⌜l⌝, y)
≃ g(diag(⌜l⌝), y)
≃ g(e, y),
as required.

Release : d3a1905 (2022-12-19) 465

 CHAPTER 30. COMPUTABILITY THEORY

What’s going on? Suppose you are given the task of writing a computer
program that prints itself out. Suppose further, however, that you are working
with a programming language with a rich and bizarre library of string func-
tions. In particular, suppose your programming language has a function diag
which works as follows: given an input string s, diag locates each instance of
the symbol ‘x’ occuring in s, and replaces it by a quoted version of the original
string. For example, given the string

hello x world

as input, the function returns

hello ’hello x world’ world

as output. In that case, it is easy to write the desired program; you can check
that

print(diag(’print(diag(x))’))

does the trick. For more common programming languages like C++ and Java,
the same idea (with a more involved implementation) still works.
We are only a couple of steps away from the proof of the fixed-point theo-
rem. Suppose a variant of the print function print( x, y) accepts a string x and
another numeric argument y, and prints the string x repeatedly, y times. Then
the “program”

getinput(y); print(diag(’getinput(y); print(diag(x), y)’), y)

prints itself out y times, on input y. Replacing the getinput—print—diag

skeleton by an arbitrary funtion g( x, y) yields

g(diag(’g(diag(x), y)’), y)

which is a program that, on input y, runs g on the program itself and y. Think-
ing of “quoting” with “using an index for,” we have the proof above.
For now, it is o.k. if you want to think of the proof as formal trickery, or
black magic. But you should be able to reconstruct the details of the argument
given above. When we prove the incompleteness theorems (and the related
“fixed-point theorem”) we will discuss other ways of understanding why it
works.
The same idea can be used to get a “fixed point” combinator. Suppose you
have a lambda term g, and you want another term k with the property that k
is β-equivalent to gk. Define terms

diag( x ) = xx

and
l ( x ) = g(diag( x ))

466 Release : d3a1905 (2022-12-19)

30.21. APPLYING THE FIXED-POINT THEOREM

using our notational conventions; in other words, l is the term λx. g( xx ). Let
k be the term ll. Then we have
k = (λx. g( xx ))(λx. g( xx ))
−
→
→ g((λx. g( xx ))(λx. g( xx )))
= gk.
If one takes
Y = λg. ((λx. g( xx ))(λx. g( xx )))
then Yg and g(Yg) reduce to a common term; so Yg ≡ β g(Yg). This is known
as “Curry’s combinator.” If instead one takes
Y = (λxg. g( xxg))(λxg. g( xxg))
then in fact Yg reduces to g(Yg), which is a stronger statement. This latter
version of Y is known as “Turing’s combinator.”

30.21 Applying the Fixed-Point Theorem

The fixed-point theorem essentially lets us define partial computable func-
tions in terms of their indices. For example, we can find an index e such that
for every y,
φe (y) = e + y.
As another example, one can use the proof of the fixed-point theorem to de-
sign a program in Java or C++ that prints itself out.
Remember that if for each e, we let We be the domain of φe , then the se-
quence W0 , W1 , W2 , . . . enumerates the computably enumerable sets. Some of
these sets are computable. One can ask if there is an algorithm which takes as
input a value x, and, if Wx happens to be computable, returns an index for its
characteristic function. The answer is “no,” there is no such algorithm:
Theorem 30.25. There is no partial computable function f with the following prop-
erty: whenever We is computable, then f (e) is defined and φ f (e) is its characteristic
function.

Proof. Let f be any computable function; we will construct an e such that We

is computable, but φ f (e) is not its characteristic function. Using the fixed point
theorem, we can find an index e such that
(
0 if y = 0 and φ f (e) (0) ↓= 0
φe (y) ≃
undefined otherwise.
That is, e is obtained by applying the fixed-point theorem to the function de-
fined by (
0 if y = 0 and φ f ( x) (0) ↓= 0
g( x, y) ≃
undefined otherwise.

Release : d3a1905 (2022-12-19) 467

 CHAPTER 30. COMPUTABILITY THEORY

Informally, we can see that g is partial computable, as follows: on input x and

y, the algorithm first checks to see if y is equal to 0. If it is, the algorithm
computes f ( x ), and then uses the universal machine to compute φ f ( x) (0). If
this last computation halts and returns 0, the algorithm returns 0; otherwise,
the algorithm doesn’t halt.
But now notice that if φ f (e) (0) is defined and equal to 0, then φe (y) is de-
fined exactly when y is equal to 0, so We = {0}. If φ f (e) (0) is not defined,
or is defined but not equal to 0, then We = ∅. Either way, φ f (e) is not the
characteristic function of We , since it gives the wrong answer on input 0.

30.22 Defining Functions using Self-Reference

It is generally useful to be able to define functions in terms of themselves.
For example, given computable functions k, l, and m, the fixed-point lemma
tells us that there is a partial computable function f satisfying the following
equation for every y:
(
k(y) if l (y) = 0
f (y) ≃
f (m(y)) otherwise.

Again, more specifically, f is obtained by letting

(
k(y) if l (y) = 0
g( x, y) ≃
φ x (m(y)) otherwise

and then using the fixed-point lemma to find an index e such that φe (y) =
g(e, y).
For a concrete example, the “greatest common divisor” function gcd(u, v)
can be defined by
(
v if 0 = 0
gcd(u, v) ≃
gcd(mod(v, u), u) otherwise

where mod(v, u) denotes the remainder of dividing v by u. An appeal to the

fixed-point lemma shows that gcd is partial computable. (In fact, this can be
put in the format above, letting y code the pair ⟨u, v⟩.) A subsequent induction
on u then shows that, in fact, gcd is total.
Of course, one can cook up self-referential definitions that are much fancier
than the examples just discussed. Most programming languages support def-
initions of functions in terms of themselves, one way or another. Note that
this is a little bit less dramatic than being able to define a function in terms
of an index for an algorithm computing the functions, which is what, in full
generality, the fixed-point theorem lets you do.

468 Release : d3a1905 (2022-12-19)

30.23. MINIMIZATION WITH LAMBDA TERMS

30.23 Minimization with Lambda Terms

When it comes to the lambda calculus, we’ve shown the following:

1. Every primitive recursive function is represented by a lambda term.

2. There is a lambda term Y such that for any lambda term G, YG −

→
→
G (YG ).

To show that every partial computable function is represented by some lambda

term, we only need to show the following.

Lemma 30.26. Suppose f ( x, y) is primitive recursive. Let g be defined by

g( x ) ≃ µy f ( x, y) = 0.

Then g is represented by a lambda term.

Proof. The idea is roughly as follows. Given x, we will use the fixed-point
lambda term Y to define a function h x (n) which searches for a y starting at n;
then g( x ) is just h x (0). The function h x can be expressed as the solution of a
fixed-point equation:
(
n if f ( x, n) = 0
h x (n) ≃
h x (n + 1) otherwise.

Here are the details. Since f is primitive recursive, it is represented by

some term F. Remember that we also have a lambda term D such that D ( M, N, 0) −
→
→
M and D ( M, N, 1) −→
→ N. Fixing x for the moment, to represent h x we want
to find a term H (depending on x) satisfying

H (n) ≡ D (n, H (S(n)), F ( x, n)).

We can do this using the fixed-point term Y. First, let U be the term

λh. λz. D (z, (h(Sz)), F ( x, z)),

and then let H be the term YU. Notice that the only free variable in H is x. Let
us show that H satisfies the equation above.
By the definition of Y, we have

H = YU ≡ U (YU ) = U ( H ).

In particular, for each natural number n, we have

H (n) ≡ U ( H, n)
−
→
→ D (n, H (S(n)), F ( x, n)),

Release : d3a1905 (2022-12-19) 469

 CHAPTER 30. COMPUTABILITY THEORY

as required. Notice that if you substitute a numeral m for x in the last line, the
expression reduces to n if F (m, n) reduces to 0, and it reduces to H (S(n)) if
F (m, n) reduces to any other numeral.
To finish off the proof, let G be λx. H (0). Then G represents g; in other
words, for every m, G (m) reduces to reduces to g(m), if g(m) is defined, and
has no normal form otherwise.

Problems
Problem 30.1. Give a reduction of K to K0 .

470 Release : d3a1905 (2022-12-19)

 Part VI

Turing Machines

471
 CHAPTER 30. COMPUTABILITY THEORY

The material in this part is a basic and informal introduction to Turing

machines. It needs more examples and exercises, and perhaps informa-
tion on available Turing machine simulators. The proof of the unsolvabil-
ity of the decision problem uses a successor function, hence all models
are infinite. One could strengthen the result by using a successor rela-
tion instead. There probably are subtle oversights; use these as checks on
students’ attention (but also file issues!).

472 Release : d3a1905 (2022-12-19)

Chapter 31

Turing Machine Computations

31.1 Introduction
What does it mean for a function, say, from N to N to be computable? Among
the first answers, and the most well known one, is that a function is com-
putable if it can be computed by a Turing machine. This notion was set out
by Alan Turing in 1936. Turing machines are an example of a model of compu-
tation—they are a mathematically precise way of defining the idea of a “com-
putational procedure.” What exactly that means is debated, but it is widely
agreed that Turing machines are one way of specifying computational proce-
dures. Even though the term “Turing machine” evokes the image of a physi-
cal machine with moving parts, strictly speaking a Turing machine is a purely
mathematical construct, and as such it idealizes the idea of a computational
procedure. For instance, we place no restriction on either the time or memory
requirements of a Turing machine: Turing machines can compute something
even if the computation would require more storage space or more steps than
there are atoms in the universe.
It is perhaps best to think of a Turing machine as a program for a spe-
cial kind of imaginary mechanism. This mechanism consists of a tape and a
read-write head. In our version of Turing machines, the tape is infinite in one
direction (to the right), and it is divided into squares, each of which may con-
tain a symbol from a finite alphabet. Such alphabets can contain any number of
different symbols, but we will mainly make do with three: ▷, 0, and 1. When
the mechanism is started, the tape is empty (i.e., each square contains the sym-
bol 0) except for the leftmost square, which contains ▷, and a finite number of
squares which contain the input. At any time, the mechanism is in one of a
finite number of states. At the outset, the head scans the leftmost square and
in a specified initial state. At each step of the mechanism’s run, the content
of the square currently scanned together with the state the mechanism is in
and the Turing machine program determine what happens next. The Turing
machine program is given by a partial function which takes as input a state q

473
 CHAPTER 31. TURING MACHINE COMPUTATIONS

Figure 31.1: A Turing machine executing its program.

and a symbol σ and outputs a triple ⟨q′ , σ′ , D ⟩. Whenever the mechanism is in

state q and reads symbol σ, it replaces the symbol on the current square with
σ′ , the head moves left, right, or stays put according to whether D is L, R, or
N, and the mechanism goes into state q′ .
For instance, consider the situation in Figure 31.1. The visible part of the
tape of the Turing machine contains the end-of-tape symbol ▷ on the leftmost
square, followed by three 1’s, a 0, and four more 1’s. The head is reading
the third square from the left, which contains a 1, and is in state q1 —we say
“the machine is reading a 1 in state q1 .” If the program of the Turing machine
returns, for input ⟨q1 , 1⟩, the triple ⟨q2 , 0, N ⟩, the machine would now replace
the 1 on the third square with a 0, leave the read/write head where it is, and
switch to state q2 . If then the program returns ⟨q3 , 0, R⟩ for input ⟨q2 , 0⟩, the
machine would now overwrite the 0 with another 0 (effectively, leaving the
content of the tape under the read/write head unchanged), move one square
to the right, and enter state q3 . And so on.
We say that the machine halts when it encounters some state, qn , and sym-
bol, σ such that there is no instruction for ⟨qn , σ ⟩, i.e., the transition function
for input ⟨qn , σ ⟩ is undefined. In other words, the machine has no instruction
to carry out, and at that point, it ceases operation. Halting is sometimes repre-
sented by a specific halt state h. This will be demonstrated in more detail later
on.
The beauty of Turing’s paper, “On computable numbers,” is that he presents
not only a formal definition, but also an argument that the definition captures
the intuitive notion of computability. From the definition, it should be clear
that any function computable by a Turing machine is computable in the in-
tuitive sense. Turing offers three types of argument that the converse is true,
i.e., that any function that we would naturally regard as computable is com-
putable by such a machine. They are (in Turing’s words):

1. A direct appeal to intuition.

2. A proof of the equivalence of two definitions (in case the new definition
has a greater intuitive appeal).

474 Release : d3a1905 (2022-12-19)

31.2. REPRESENTING TURING MACHINES

3. Giving examples of large classes of numbers which are computable.

Our goal is to try to define the notion of computability “in principle,” i.e.,
without taking into account practical limitations of time and space. Of course,
with the broadest definition of computability in place, one can then go on
to consider computation with bounded resources; this forms the heart of the
subject known as “computational complexity.”

Historical Remarks Alan Turing invented Turing machines in 1936. While

his interest at the time was the decidability of first-order logic, the paper has
been described as a definitive paper on the foundations of computer design.
In the paper, Turing focuses on computable real numbers, i.e., real numbers
whose decimal expansions are computable; but he notes that it is not hard to
adapt his notions to computable functions on the natural numbers, and so on.
Notice that this was a full five years before the first working general purpose
computer was built in 1941 (by the German Konrad Zuse in his parent’s living
room), seven years before Turing and his colleagues at Bletchley Park built the
code-breaking Colossus (1943), nine years before the American ENIAC (1945),
twelve years before the first British general purpose computer—the Manch-
ester Small-Scale Experimental Machine—was built in Manchester (1948), and
thirteen years before the Americans first tested the BINAC (1949). The Manch-
ester SSEM has the distinction of being the first stored-program computer—
previous machines had to be rewired by hand for each new task.

31.2 Representing Turing Machines

Turing machines can be represented visually by state diagrams. The diagrams
are composed of state cells connected by arrows. Unsurprisingly, each state
cell represents a state of the machine. Each arrow represents an instruction
that can be carried out from that state, with the specifics of the instruction
written above or below the appropriate arrow. Consider the following ma-
chine, which has only two internal states, q0 and q1 , and one instruction:

0, 1, R
start q0 q1

Recall that the Turing machine has a read/write head and a tape with the
input written on it. The instruction can be read as if reading a 0 in state q0 , write
a 1, move right, and move to state q1 . This is equivalent to the transition function
mapping ⟨q0 , 0⟩ to ⟨q1 , 1, R⟩.

Example 31.1. Even Machine: The following Turing machine halts if, and only
if, there are an even number of 1’s on the tape (under the assumption that all

Release : d3a1905 (2022-12-19) 475

 CHAPTER 31. TURING MACHINE COMPUTATIONS

1’s come before the first 0 on the tape).

0, 0, R
1, 1, R

start q0 q1

1, 1, R

The state diagram corresponds to the following transition function:

δ(q0 , 1) = ⟨q1 , 1, R⟩,
δ(q1 , 1) = ⟨q0 , 1, R⟩,
δ(q1 , 0) = ⟨q1 , 0, R⟩

The above machine halts only when the input is an even number of strokes.
Otherwise, the machine (theoretically) continues to operate indefinitely. For
any machine and input, it is possible to trace through the configurations of the
machine in order to determine the output. We will give a formal definition
of configurations later. For now, we can intuitively think of configurations
as a series of diagrams showing the state of the machine at any point in time
during operation. Configurations show the content of the tape, the state of the
machine and the location of the read/write head.
Let us trace through the configurations of the even machine if it is started
with an input of four 1’s. In this case, we expect that the machine will halt.
We will then run the machine on an input of three 1’s, where the machine will
run forever.
The machine starts in state q0 , scanning the leftmost 1. We can represent
the initial state of the machine as follows:
▷10 1110 . . .
The above configuration is straightforward. As can be seen, the machine starts
in state one, scanning the leftmost 1. This is represented by a subscript of the
state name on the first 1. The applicable instruction at this point is δ(q0 , 1) =
⟨q1 , 1, R⟩, and so the machine moves right on the tape and changes to state q1 .
▷111 110 . . .
Since the machine is now in state q1 scanning a 1, we have to “follow” the
instruction δ(q1 , 1) = ⟨q0 , 1, R⟩. This results in the configuration
▷1110 10 . . .
As the machine continues, the rules are applied again in the same order, re-
sulting in the following two configurations:
▷11111 0 . . .

476 Release : d3a1905 (2022-12-19)

31.2. REPRESENTING TURING MACHINES

▷111100 . . .
The machine is now in state q0 scanning a 0. Based on the transition diagram,
we can easily see that there is no instruction to be carried out, and thus the
machine has halted. This means that the input has been accepted.
Suppose next we start the machine with an input of three 1’s. The first few
configurations are similar, as the same instructions are carried out, with only
a small difference of the tape input:

▷10 110 . . .

▷111 10 . . .
▷1110 0 . . .
▷11101 . . .
The machine has now traversed past all the 1’s, and is reading a 0 in state q1 .
As shown in the diagram, there is an instruction of the form δ(q1 , 0) = ⟨q1 , 0, R⟩.
Since the tape is filled with 0 indefinitely to the right, the machine will con-
tinue to execute this instruction forever, staying in state q1 and moving ever
further to the right. The machine will never halt, and does not accept the
input.
It is important to note that not all machines will halt. If halting means that
the machine runs out of instructions to execute, then we can create a machine
that never halts simply by ensuring that there is an outgoing arrow for each
symbol at each state. The even machine can be modified to run indefinitely
by adding an instruction for scanning a 0 at q0 .
Example 31.2.

0, 0, R 0, 0, R
1, 1, R

start q0 q1

1, 1, R

Machine tables are another way of representing Turing machines. Machine

tables have the tape alphabet displayed on the x-axis, and the set of machine
states across the y-axis. Inside the table, at the intersection of each state and
symbol, is written the rest of the instruction—the new state, new symbol, and
direction of movement. Machine tables make it easy to determine in what
state, and for what symbol, the machine halts. Whenever there is a gap in the
table is a possible point for the machine to halt. Unlike state diagrams and
instruction sets, where the points at which the machine halts are not always
immediately obvious, any halting points are quickly identified by finding the
gaps in the machine table.

Release : d3a1905 (2022-12-19) 477

 CHAPTER 31. TURING MACHINE COMPUTATIONS

1, 1, R 1, 1, R

1, 0, R 0, 0, R
start q0 q1 q2

0, 0, R 0, 1, R

q5 q4 q3
0, 0, L 1, 1, L

1, 1, L 1, 1, L 0, 1, L

Figure 31.2: A doubler machine

Example 31.3. The machine table for the even machine is:

0 1 ▷
q0 1, q1 , R
q1 0, q1 , R 1, q0 , R

As we can see, the machine halts when scanning a 0 in state q0 .

So far we have only considered machines that read and accept input. How-
ever, Turing machines have the capacity to both read and write. An example
of such a machine (although there are many, many examples) is a doubler. A
doubler, when started with a block of n 1’s on the tape, outputs a block of 2n
1’s.

Example 31.4. Before building a doubler machine, it is important to come up

with a strategy for solving the problem. Since the machine (as we have formu-
lated it) cannot remember how many 1’s it has read, we need to come up with
a way to keep track of all the 1’s on the tape. One such way is to separate the
output from the input with a 0. The machine can then erase the first 1 from
the input, traverse over the rest of the input, leave a 0, and write two new 1’s.
The machine will then go back and find the second 1 in the input, and double
that one as well. For each one 1 of input, it will write two 1’s of output. By
erasing the input as the machine goes, we can guarantee that no 1 is missed
or doubled twice. When the entire input is erased, there will be 2n 1’s left
on the tape. The state diagram of the resulting Turing machine is depicted in
Figure 31.2.

478 Release : d3a1905 (2022-12-19)

31.3. TURING MACHINES

31.3 Turing Machines

The formal definition of what constitutes a Turing machine looks abstract,
but is actually simple: it merely packs into one mathematical structure all
the information needed to specify the workings of a Turing machine. This
includes (1) which states the machine can be in, (2) which symbols are allowed
to be on the tape, (3) which state the machine should start in, and (4) what the
instruction set of the machine is.

Definition 31.5 (Turing machine). A Turing machine M is a tuple ⟨ Q, Σ, q0 , δ⟩

consisting of

1. a finite set of states Q,

2. a finite alphabet Σ which includes ▷ and 0,

3. an initial state q0 ∈ Q,

4. a finite instruction set δ : Q × Σ →

7 Q × Σ × { L, R, N }.
The partial function δ is also called the transition function of M.

We assume that the tape is infinite in one direction only. For this reason
it is useful to designate a special symbol ▷ as a marker for the left end of the
tape. This makes it easier for Turing machine programs to tell when they’re
“in danger” of running off the tape. We could assume that this symbol is never
overwritten, i.e., that δ(q, ▷) = ⟨q′ , ▷, x ⟩ if δ(q, ▷) is defined. Some textbooks
do this, we do not. You can simply be careful when constructing your Turing
machine that it never overwrites ▷. Moreover, there are cases where allowing
such overwriting provides some convenient flexibility.

Example 31.6. Even Machine: The even machine is formally the quadruple
⟨ Q, Σ, q0 , δ⟩ where

Q = { q0 , q1 }
Σ = {▷, 0, 1},
δ(q0 , 1) = ⟨q1 , 1, R⟩,
δ(q1 , 1) = ⟨q0 , 1, R⟩,
δ(q1 , 0) = ⟨q1 , 0, R⟩.

31.4 Configurations and Computations

Recall tracing through the configurations of the even machine earlier. The
imaginary mechanism consisting of tape, read/write head, and Turing ma-
chine program is really just an intuitive way of visualizing what a Turing ma-
chine computation is. Formally, we can define the computation of a Turing

Release : d3a1905 (2022-12-19) 479

 CHAPTER 31. TURING MACHINE COMPUTATIONS

machine on a given input as a sequence of configurations—and a configuration

in turn is a sequence of symbols (corresponding to the contents of the tape
at a given point in the computation), a number indicating the position of the
read/write head, and a state. Using these, we can define what the Turing
machine M computes on a given input.

Definition 31.7 (Configuration). A configuration of Turing machine M = ⟨ Q, Σ, q0 , δ⟩

is a triple ⟨C, m, q⟩ where

1. C ∈ Σ∗ is a finite sequence of symbols from Σ,

2. m ∈ N is a number < len(C ), and

3. q ∈ Q

Intuitively, the sequence C is the content of the tape (symbols of all squares
from the leftmost square to the last non-blank or previously visited square),
m is the number of the square the read/write head is scanning (beginning
with 0 being the number of the leftmost square), and q is the current state of
the machine.

The potential input for a Turing machine is a sequence of symbols, usually

a sequence that encodes a number in some form. The initial configuration of
the Turing machine is that configuration in which we start the Turing machine
to work on that input: the tape contains the tape end marker immediately
followed by the input written on the squares to the right, the read/write head
is scanning the leftmost square of the input (i.e., the square to the right of the
left end marker), and the mechanism is in the designated start state q0 .

Definition 31.8 (Initial configuration). The initial configuration of M for input

I ∈ Σ∗ is
⟨▷ ⌢ I, 1, q0 ⟩.

The ⌢ symbol is for concatenation—the input string begins immediately to

the left end marker.

Definition 31.9. We say that a configuration ⟨C, m, q⟩ yields the configuration

⟨C ′ , m′ , q′ ⟩ in one step (according to M), iff
1. the m-th symbol of C is σ,

2. the instruction set of M specifies δ(q, σ ) = ⟨q′ , σ′ , D ⟩,

3. the m-th symbol of C ′ is σ′ , and

4. a) D = L and m′ = m − 1 if m > 0, otherwise m′ = 0, or

b) D = R and m′ = m + 1, or
c) D = N and m′ = m,

480 Release : d3a1905 (2022-12-19)

31.5. UNARY REPRESENTATION OF NUMBERS

5. if m′ = len(C ), then len(C ′ ) = len(C ) + 1 and the m′ -th symbol of C ′

is 0. Otherwise len(C ′ ) = len(C ).

6. for all i such that i < len(C ) and i ̸= m, C ′ (i ) = C (i ),

Definition 31.10. A run of M on input I is a sequence Ci of configurations of

M, where C0 is the initial configuration of M for input I, and each Ci yields
Ci+1 in one step.
We say that M halts on input I after k steps if Ck = ⟨C, m, q⟩, the mth symbol
of C is σ, and δ(q, σ ) is undefined. In that case, the output of M for input I is O,
where O is a string of symbols not ending in 0 such that C = ▷ ⌢ O ⌢ 0 j for
some i, j ∈ N.

According to this definition, the output O of M always ends in a symbol

other than 0, or, if at time k the entire tape is filled with 0 (except for the
leftmost ▷), O is the empty string.

31.5 Unary Representation of Numbers

Turing machines work on sequences of symbols written on their tape. De-
pending on the alphabet a Turing machine uses, these sequences of symbols
can represent various inputs and outputs. Of particular interest, of course, are
Turing machines which compute arithmetical functions, i.e., functions of natu-
ral numbers. A simple way to represent positive integers is by coding them
as sequences of a single symbol 1. If n ∈ N, let 1n be the empty sequence if
n = 0, and otherwise the sequence consisting of exactly n 1’s.

Definition 31.11 (Computation). A Turing machine M computes the function

f : Nk → N iff M halts on input

1n1 01n2 0 . . . 01nk

with output 1 f (n1 ,...,nk ) .

Example 31.12. Addition: Let’s build a machine that computes the function
f (n, m) = n + m. This requires a machine that starts with two blocks of 1’s of
length n and m on the tape, and halts with one block consisting of n + m 1’s.
The two input blocks of 1’s are separated by a 0, so one method would be to
write a stroke on the square containing the 0, and erase the last 1.

In Example 31.4, we gave an example of a Turing machine that takes as

input a sequence of 1’s and halts with a sequence of twice as many 1’s on
the tape—the doubler machine. However, because the output contains 0’s to
the left of the doubled block of 1’s, it does not actually compute the function
f ( x ) = 2x, as you might have assumed. We’ll describe two ways of fixing
that.

Release : d3a1905 (2022-12-19) 481

 CHAPTER 31. TURING MACHINE COMPUTATIONS

1, 1, R 1, 1, R 1, 0, N

0, 1, N 0, 0, L
start q0 q1 q2

Figure 31.3: A machine computing f ( x, y) = x + y

1, 1, R 1, 1, L

0, 1, L
q2 q3

q6
0, 0, R 0, 0, L

R
1,
0, 0, 1, R
1, 1, R q1 q4

q7 1, 1, R
1, 0, R 1, 1, L

0, 0, L
start q0 q5
0, 1, R
q8 1, 0, N
1, 1, L

Figure 31.4: A machine computing f ( x ) = 2x

Example 31.13. The machine in Figure 31.4 computes the function f ( x ) = 2x.
Instead of erasing the input and writing two 1’s at the far right for every 1 in
the input as the machine from Example 31.4 does, this machine adds a single 1
to the right for every 1 in the input. It has to keep track of where the input
ends, so it leaves a 0 between the input and the added strokes, which it fills
with a 1 at the very end. And we have to “remember” where we are in the
input, so we temporarily replace a 1 in the input block by a 0.

Example 31.14. A second possibility for computing f ( x ) = 2x is to keep the

original doubler machine, but add states and instructions at the end which

482 Release : d3a1905 (2022-12-19)

31.5. UNARY REPRESENTATION OF NUMBERS

0, 0, R 1, 1, R

0, 0, R 1, 1, R
start q6 q7 q8

0, 0, L 0, ▷, L

1, 0, L
q11 q10 q9 1, 1, L
0, 0, R
1,

▷, ▷, R
0,
L

1, 1, R

0, 1, R ▷, 0, N
q12 q13 q14

0, 0, R

Figure 31.5: Moving a block of 1’s to the left

move the doubled block of strokes to the far left of the tape. The machine
in Figure 31.5 does just this last part: started on a tape consisting of a block
of 0’s followed by a block of 1’s (and the head positioned anywhere in the
block of 0’s), it erases the 1’s one at a time and writes them at the beginning
of the tape. In order to be able to tell when it is done, it first marks the end
of the block of 1’s with a ▷ symbol, which gets deleted at the end. We’ve
started numbering the states at q6 , so they can be added to the doubler ma-
chine. All you’ll need is an additional instruction δ(q5 , 0) = ⟨q6 , 0, N ⟩, i.e., an
arrow from q5 to q6 labelled 0, 0, N. (There is one subtle problem: the resulting
machine does not work for input x = 0. We’ll leave this as an exercise.)

Definition 31.15. A Turing machine M computes the partial function f : Nk →

7
N iff,

1. M halts on input 1n1 ⌢ 0 ⌢ . . . ⌢ 0 ⌢ 1nk with output 1m if f (n1 , . . . , nk ) =

m.

2. M does not halt at all, or with an output that is not a single block of 1’s
if f (n1 , . . . , nk ) is undefined.

Release : d3a1905 (2022-12-19) 483

 CHAPTER 31. TURING MACHINE COMPUTATIONS

31.6 Halting States

Although we have defined our machines to halt only when there is no in-
struction to carry out, common representations of Turing machines have a
dedicated halting state h, such that h ∈ Q.
The idea behind a halting state is simple: when the machine has finished
operation (it is ready to accept input, or has finished writing the output), it
goes into a state h where it halts. Some machines have two halting states, one
that accepts input and one that rejects input.

Example 31.16. Halting States. To elucidate this concept, let us begin with an
alteration of the even machine. Instead of having the machine halt in state q0 if
the input is even, we can add an instruction to send the machine into a halting
state.
0, 0, R
1, 1, R

start q0 q1

1, 1, R
0, 0, N

Let us further expand the example. When the machine determines that the
input is odd, it never halts. We can alter the machine to include a reject state
by replacing the looping instruction with an instruction to go to a reject state r.

1, 1, R

start q0 q1

1, 1, R
0, 0, N 0, 0, N

h r

Adding a dedicated halting state can be advantageous in cases like this,

where it makes explicit when the machine accepts/rejects certain inputs. How-
ever, it is important to note that no computing power is gained by adding a
dedicated halting state. Similarly, a less formal notion of halting has its own

484 Release : d3a1905 (2022-12-19)

31.7. DISCIPLINED MACHINES

advantages. The definition of halting used so far in this chapter makes the
proof of the Halting Problem intuitive and easy to demonstrate. For this rea-
son, we continue with our original definition.

31.7 Disciplined Machines

In section section 31.6, we considered Turing machines that have a single, des-
ignated halting state h—such machines are guaranteed to halt, if they halt at
all, in state h. In this way, machines with a single halting state are more “dis-
ciplined” than we allow Turing machines in general to be. There are other
restrictions we might impose on the behavior of Turing machines. For in-
stance, we also have not prohibited Turing machines from ever erasing the
tape-end marker on square 0, or to attempt to move left from square 0. (Our
definition states that the head simply stays on square 0 in this case; other def-
initions have the machine halt.) It is likewise sometimes desirable to be able
to assume that a Turing machine, if it halts at all, halts on square 1.

Definition 31.17. A Turing machine M is disciplined iff

1. it has a designated single halting state h,

2. it halts, if it halts at all, while scanning square 1,

3. it never erases the ▷ symbol on square 0, and

4. it never attempts to move left from square 0.

We have already discussed that any Turing machine can be changed into
one with the same behavior but with a designated halting state. This is done
simply by adding a new state h, and adding an instruction δ(q, σ ) = ⟨h, σ, N ⟩
for any pair ⟨q, σ⟩ where the original δ is undefined. It is true, although te-
dious to prove, that any Turing machine M can be turned into a disciplined
Turing machine M′ which halts on the same inputs and produces the same
output. For instance, if the Turing machine halts and is not on square 1, we
can add some instructions to make the head move left until it finds the tape-
end marker, then move one square to the right, then halt. We’ll leave you to
think about how the other conditions can be dealt with.

Example 31.18. In Figure 31.6, we turn the addition machine from Example 31.12
into a disciplined machine.

Proposition 31.19. For every Turing machine M, there is a disciplined Turing ma-
chine M′ which halts with output O if M halts with output O, and does not halt if
M does not halt. In particular, any function f : Nn → N computable by a Turing
machine is also computable by a disciplined Turing machine.

Release : d3a1905 (2022-12-19) 485

 CHAPTER 31. TURING MACHINE COMPUTATIONS

0, 1, N
start q0 q1

0, 0, L
1, 1, R 1, 1, R
q2

1, 1, L
1, 0, L

h q3
▷, ▷, R

Figure 31.6: A disciplined addition machine

31.8 Combining Turing Machines

The examples of Turing machines we have seen so far have been fairly simple
in nature. But in fact, any problem that can be solved with any modern pro-
gramming language can also be solved with Turing machines. To build more
complex Turing machines, it is important to convince ourselves that we can
combine them, so we can build machines to solve more complex problems by
breaking the procedure into simpler parts. If we can find a natural way to
break a complex problem down into constituent parts, we can tackle the prob-
lem in several stages, creating several simple Turing machines and combining
them into one machine that can solve the problem. This point is especially
important when tackling the Halting Problem in the next section.
How do we combine Turing machines M = ⟨ Q, Σ, q0 , δ⟩ and M′ = ⟨ Q′ , Σ′ , q0′ , δ′ ⟩?
We now use the configuration of the tape after M has halted as the input con-
figuration of a run of machine M′ . To get a single Turing machine M ⌢ M′
that does this, do the following:

1. Renumber (or relabel) all the states Q′ of M′ so that M and M′ have no

states in common (Q ∩ Q′ = ∅).

2. The states of M ⌢ M′ are Q ∪ Q′ .

3. The tape alphabet is Σ ∪ Σ′ .

4. The start state is q0 .

486 Release : d3a1905 (2022-12-19)

31.8. COMBINING TURING MACHINES

5. The transition function is the function δ′′ given by:


δ(q, σ)
 if q ∈ Q
δ′′ (q, σ ) = δ′ (q, σ ) if q ∈ Q′
 ′

⟨q0 , σ, N ⟩ if q ∈ Q and δ(q, σ) is undefined

The resulting machine uses the instructions of M when it is in a state q ∈ Q,

the instructions of M′ when it is in a state q ∈ Q′ . When it is in a state q ∈ Q
and is scanning a symbol σ for which M has no transition (i.e., M would have
halted), it enters the start state of M′ (and leaves the tape contents and head
position as it is).

Note that unless the machine M is disciplined, we don’t know where the
tape head is when M halts, so the halting configuration of M need not have
the head scanning square 1. When combining machines, it’s important to keep
this in mind.

Example 31.20. Combining Machines: We’ll design a machine which, when

started on input consisting of two blocks of 1’s of length n and m, halts with
a single block of 2(m + n) 1’s on the tape. In order to build this machine, we
can combine two machines we are already familiar with: the addition ma-
chine, and the doubler. We begin by drawing a state diagram for the addition
machine.

1, 1, R 1, 1, R 1, 0, N

0, 1, N 0, 0, L
start q0 q1 q2

Instead of halting in state q2 , we want to continue operation in order to double

the output. Recall that the doubler machine erases the first stroke in the input
and writes two strokes in a separate output. Let’s add an instruction to make
sure the tape head is reading the first stroke of the output of the addition

Release : d3a1905 (2022-12-19) 487

 CHAPTER 31. TURING MACHINE COMPUTATIONS

machine.

1, 1, R 1, 1, R

0, 1, N 0, 0, L
start q0 q1 q2

1, 0, L

1, 1, L q3

▷, ▷, R

q4

It is now easy to double the input—all we have to do is connect the doubler

machine onto state q4 . This requires renaming the states of the doubler ma-
chine so that they start at q4 instead of q0 —this way we don’t end up with two
starting states. The final diagram should look as in Figure 31.7.

Proposition 31.21. If M and M′ are disciplined and compute the functions f : Nk →

N and f ′ : N → N, respectively, then M ⌢ M′ is disciplined and computes f ′ ◦ f .

Proof. Since M is disciplined, when it halts with output f (n1 , . . . , nk ) = m, the

head is scanning square 1. If we now enter the start state of M′ , the machine
will halt with output f ′ (m), again scanning square 1. The other conditions of
Definition 31.17 are also satisfied.

31.9 Variants of Turing Machines

There are in fact many possible ways to define Turing machines, of which
ours is only one. In some ways, our definition is more liberal than others.
We allow arbitrary finite alphabets, a more restricted definition might allow
only two tape symbols, 1 and 0. We allow the machine to write a symbol to
the tape and move at the same time, other definitions allow either writing or
moving. We allow the possibility of writing without moving the tape head,
other definitions leave out the N “instruction.” In other ways, our definition
is more restrictive. We assumed that the tape is infinite in one direction only,
other definitions allow the tape to be infinite both to the left and the right. In
fact, one can even allow any number of separate tapes, or even an infinite grid
of squares. We represent the instruction set of the Turing machine by a tran-
sition function; other definitions use a transition relation where the machine
has more than one possible instruction in any given situation.

488 Release : d3a1905 (2022-12-19)

31.9. VARIANTS OF TURING MACHINES

1, 1, R 1, 1, R

0, 1, N 0, 0, L
start q0 q1 q2

1, 0, L

1, 1, L q3

1, 1, R 1, 1, R
▷, ▷, R
1, 0, R 0, 0, R
q4 q5 q6

0, 0, R 0, 1, R

q9 q8 q7
0, 0, L 1, 1, L

1, 1, L 1, 1, L 0, 1, L

Figure 31.7: Combining adder and doubler machines

This last relaxation of the definition is particularly interesting. In our def-

inition, when the machine is in state q reading symbol σ, δ(q, σ) determines
what the new symbol, state, and tape head position is. But if we allow the
instruction set to be a relation between current state-symbol pairs ⟨q, σ ⟩ and
new state-symbol-direction triples ⟨q′ , σ′ , D ⟩, the action of the Turing machine
may not be uniquely determined—the instruction relation may contain both
⟨q, σ, q′ , σ′ , D ⟩ and ⟨q, σ, q′′ , σ′′ , D ′ ⟩. In this case we have a non-deterministic
Turing machine. These play an important role in computational complexity
theory.
There are also different conventions for when a Turing machine halts: we
say it halts when the transition function is undefined, other definitions require
the machine to be in a special designated halting state. We have explained in
section 31.6 why requiring a designated halting state is not a restriction which
impacts what Turing machines can compute. Since the tapes of our Turing
machines are infinite in one direction only, there are cases where a Turing
machine can’t properly carry out an instruction: if it reads the leftmost square

Release : d3a1905 (2022-12-19) 489

 CHAPTER 31. TURING MACHINE COMPUTATIONS

and is supposed to move left. According to our definition, it just stays put
instead of “falling off”, but we could have defined it so that it halts when that
happens. This definition is also equivalent: we could simulate the behavior
of a Turing machine that halts when it attempts to move left from square 0
by deleting every transition δ(q, ▷) = ⟨q′ , σ, L⟩—then instead of attempting to
move left on ▷ the machine halts.1
There are also different ways of representing numbers (and hence the input-
output function computed by a Turing machine): we use unary representa-
tion, but you can also use binary representation. This requires two symbols in
addition to 0 and ▷.
Now here is an interesting fact: none of these variations matters as to
which functions are Turing computable. If a function is Turing computable ac-
cording to one definition, it is Turing computable according to all of them.
We won’t go into the details of verifying this. Here’s just one example:
we gain no additional computing power by allowing a tape that is infinite
in both directions, or multiple tapes. The reason is, roughly, that a Turing
machine with a single one-way infinite tape can simulate multiple or two-way
infinite tapes. E.g., using additional states and instructions, we can “translate”
a program for a machine with multiple tapes or two-way infinite tape into
one with a single one-way infinite tape. The translated machine can use the
even squares for the squares of tape 1 (or the “positive” squares of a two-way
infinite tape) and the odd squares for the squares of tape 2 (or the “negative”
squares).

31.10 The Church-Turing Thesis

Turing machines are supposed to be a precise replacement for the concept of
an effective procedure. Turing thought that anyone who grasped both the
concept of an effective procedure and the concept of a Turing machine would
have the intuition that anything that could be done via an effective procedure
could be done by Turing machine. This claim is given support by the fact
that all the other proposed precise replacements for the concept of an effective
procedure turn out to be extensionally equivalent to the concept of a Turing
machine —that is, they can compute exactly the same set of functions. This
claim is called the Church-Turing thesis.

Definition 31.22 (Church-Turing thesis). The Church-Turing Thesis states that

anything computable via an effective procedure is Turing computable.

The Church-Turing thesis is appealed to in two ways. The first kind of

use of the Church-Turing thesis is an excuse for laziness. Suppose we have a
1 This doesn’t quite work, since nothing prevents us from writing and reading ▷ on squares

other than square 0 (see Example 31.14). We can get around that by adding a second ▷′ symbol to
use instead for such a purpose.

490 Release : d3a1905 (2022-12-19)

31.10. THE CHURCH-TURING THESIS

description of an effective procedure to compute something, say, in “pseudo-

code.” Then we can invoke the Church-Turing thesis to justify the claim that
the same function is computed by some Turing machine, even if we have not
in fact constructed it.
The other use of the Church-Turing thesis is more philosophically interest-
ing. It can be shown that there are functions which cannot be computed by
Turing machines. From this, using the Church-Turing thesis, one can conclude
that it cannot be effectively computed, using any procedure whatsoever. For
if there were such a procedure, by the Church-Turing thesis, it would follow
that there would be a Turing machine for it. So if we can prove that there is
no Turing machine that computes it, there also can’t be an effective procedure.
In particular, the Church-Turing thesis is invoked to claim that the so-called
halting problem not only cannot be solved by Turing machines, it cannot be
effectively solved at all.

Problems
Problem 31.1. Choose an arbitary input and trace through the configurations
of the doubler machine in Example 31.4.

Problem 31.2. Design a Turing-machine with alphabet {▷, 0, A, B} that accepts,

i.e., halts on, any string of A’s and B’s where the number of A’s is the same as
the number of B’s and all the A’s precede all the B’s, and rejects, i.e., does not
halt on, any string where the number of A’s is not equal to the number of B’s
or the A’s do not precede all the B’s. (E.g., the machine should accept AABB,
and AAABBB, but reject both AAB and AABBAABB.)

Problem 31.3. Design a Turing-machine with alphabet {▷, 0, A, B} that takes

as input any string α of A’s and B’s and duplicates them to produce an output
of the form αα. (E.g. input ABBA should result in output ABBAABBA).

Problem 31.4. Alphabetical?: Design a Turing-machine with alphabet {▷, 0, A, B}

that when given as input a finite sequence of A’s and B’s checks to see if all
the A’s appear to the left of all the B’s or not. The machine should leave the
input string on the tape, and either halt if the string is “alphabetical”, or loop
forever if the string is not.

Problem 31.5. Alphabetizer: Design a Turing-machine with alphabet {▷, 0, A, B}

that takes as input a finite sequence of A’s and B’s rearranges them so that all
the A’s are to the left of all the B’s. (e.g., the sequence BABAA should be-
come the sequence AAABB, and the sequence ABBABB should become the
sequence AABBBB).

Problem 31.6. Give a definition for when a Turing machine M computes the
function f : Nk → Nm .

Release : d3a1905 (2022-12-19) 491

 CHAPTER 31. TURING MACHINE COMPUTATIONS

Problem 31.7. Trace through the configurations of the machine from Exam-
ple 31.12 for input ⟨3, 2⟩. What happens if the machine computes 0 + 0?

Problem 31.8. In Example 31.14 we described a machine consisting of a com-

bination of the doubler machine from Figure 31.4 and the mover machine from
Figure 31.5. What happens if you start this combined machine on input x = 0,
i.e., on an empty tape? How would you fix the machine so that in this case the
machine halts with output 2x = 0? (You should be able to do this by adding
one state and one transition.)

Problem 31.9. Subtraction: Design a Turing machine that when given an input
of two non-empty strings of strokes of length n and m, where n > m, computes
the function f (n, m) = n − m.

Problem 31.10. Equality: Design a Turing machine to compute the following

function: (
1 if n = m
equality(n, m) =
0 if n ̸= m
where n and m ∈ Z+ .

Problem 31.11. Design a Turing machine to compute the function min( x, y)

where x and y are positive integers represented on the tape by strings of 1’s
separated by a 0. You may use additional symbols in the alphabet of the ma-
chine.
The function min selects the smallest value from its arguments, so min(3, 5) =
3, min(20, 16) = 16, and min(4, 4) = 4, and so on.

Problem 31.12. Give a disciplined machine that computes f ( x ) = x + 1.

Problem 31.13. Find a disciplined machine which, when started on input 1n

produces output 1n ⌢ 0 ⌢ 1n .

Problem 31.14. Give a disciplined Turing machine computing f ( x ) = x + 2

by taking the machine M from problem 31.12 and construct M ⌢ M.

492 Release : d3a1905 (2022-12-19)

Chapter 32

Undecidability

32.1 Introduction
It might seem obvious that not every function, even every arithmetical func-
tion, can be computable. There are just too many, whose behavior is too
complicated. Functions defined from the decay of radioactive particles, for
instance, or other chaotic or random behavior. Suppose we start counting 1-
second intervals from a given time, and define the function f (n) as the num-
ber of particles in the universe that decay in the n-th 1-second interval after
that initial moment. This seems like a candidate for a function we cannot ever
hope to compute.
But it is one thing to not be able to imagine how one would compute such
functions, and quite another to actually prove that they are uncomputable.
In fact, even functions that seem hopelessly complicated may, in an abstract
sense, be computable. For instance, suppose the universe is finite in time—
some day, in the very distant future the universe will contract into a single
point, as some cosmological theories predict. Then there is only a finite (but
incredibly large) number of seconds from that initial moment for which f (n)
is defined. And any function which is defined for only finitely many inputs is
computable: we could list the outputs in one big table, or code it in one very
big Turing machine state transition diagram.
We are often interested in special cases of functions whose values give the
answers to yes/no questions. For instance, the question “is n a prime num-
ber?” is associated with the function
(
1 if n is prime
isprime(n) =
0 otherwise.
We say that a yes/no question can be effectively decided, if the associated 1/0-
valued function is effectively computable.
To prove mathematically that there are functions which cannot be effec-
tively computed, or problems that cannot effectively decided, it is essential to

493
 CHAPTER 32. UNDECIDABILITY

fix a specific model of computation, and show that there are functions it can-
not compute or problems it cannot decide. We can show, for instance, that not
every function can be computed by Turing machines, and not every problem
can be decided by Turing machines. We can then appeal to the Church-Turing
thesis to conclude that not only are Turing machines not powerful enough to
compute every function, but no effective procedure can.

The key to proving such negative results is the fact that we can assign
numbers to Turing machines themselves. The easiest way to do this is to enu-
merate them, perhaps by fixing a specific way to write down Turing machines
and their programs, and then listing them in a systematic fashion. Once we
see that this can be done, then the existence of Turing-uncomputable functions
follows by simple cardinality considerations: the set of functions from N to N
(in fact, even just from N to {0, 1}) are non-enumerable, but since we can enu-
merate all the Turing machines, the set of Turing-computable functions is only
denumerable.

We can also define specific functions and problems which we can prove
to be uncomputable and undecidable, respectively. One such problem is the
so-called Halting Problem. Turing machines can be finitely described by list-
ing their instructions. Such a description of a Turing machine, i.e., a Turing
machine program, can of course be used as input to another Turing machine.
So we can consider Turing machines that decide questions about other Tur-
ing machines. One particularly interesting question is this: “Does the given
Turing machine eventually halt when started on input n?” It would be nice if
there were a Turing machine that could decide this question: think of it as a
quality-control Turing machine which ensures that Turing machines don’t get
caught in infinite loops and such. The interesting fact, which Turing proved,
is that there cannot be such a Turing machine. There cannot be a single Turing
machine which, when started on input consisting of a description of a Turing
machine M and some number n, will always halt with either output 1 or 0
according to whether M machine would have halted when started on input n
or not.

Once we have examples of specific undecidable problems we can use them

to show that other problems are undecidable, too. For instance, one celebrated
undecidable problem is the question, “Is the first-order formula φ valid?”.
There is no Turing machine which, given as input a first-order formula φ, is
guaranteed to halt with output 1 or 0 according to whether φ is valid or not.
Historically, the question of finding a procedure to effectively solve this prob-
lem was called simply “the” decision problem; and so we say that the decision
problem is unsolvable. Turing and Church proved this result independently
at around the same time, so it is also called the Church-Turing Theorem.

494 Release : d3a1905 (2022-12-19)

32.2. ENUMERATING TURING MACHINES

0, 0, R
1, 1, R

start q0 q1

1, 1, R
0, 0, R
A, A, R

start s h

A, A, R

Figure 32.1: Variants of the Even machine

32.2 Enumerating Turing Machines

We can show that the set of all Turing machines is enumerable. This follows
from the fact that each Turing machine can be finitely described. The set of
states and the tape vocabulary are finite sets. The transition function is a par-
tial function from Q × Σ to Q × Σ × { L, R, N }, and so likewise can be spec-
ified by listing its values for the finitely many argument pairs for which it is
defined.
This is true as far as it goes, but there is a subtle difference. The definition
of Turing machines made no resriction on what elements the set of states and
tape alphabet can have. So, e.g., for every real number, there technically is
a Turing machine that uses that number as a state. However, the behavior
of the Turing machine is independent of which objects serve as states and
vocabulary. Consider the two Turing machines in Figure 32.1. These two
diagrams correspond to two machines, M with the tape alphabet Σ = {▷, 0, 1}
and set of states {q0 , q1 }, and M′ with alphabet Σ′ = {▷, 0, A} and states {s, h}.
But their instructions are otherwise the same: M will halt on a sequence of n
1’s iff n is even, and M′ will halt on a sequence of n A’s iff n is even. All
we’ve done is rename 1 to A, q0 to s, and q1 to h. This example generalizes:
we can think of Turing machines as the same as long as one results from the
other by such a renaming of symbols and states. In fact, we can simply think
of the symbols and states of a Turing machine as positive integers: instead of
σ0 think 1, instead of σ1 think 2, etc.; ▷ is 1, 0 is 2, etc. In this way, the Even
machine becomes the machine depicted in Figure 32.2. We might call a Turing
machine with states and symbols that are positive integers a standard machine,
and only consider standard machines from now on.1
1 The terminology “standard machine” is not standard.

Release : d3a1905 (2022-12-19) 495

 CHAPTER 32. UNDECIDABILITY

2, 2, R
3, 3, R

start 1 2

3, 3, R

Figure 32.2: A standard Even machine

We wanted to show that the set of Turing machines is enumerable, and

with the above considerations in mind, it is enough to show that the set of
standard Turing machines is enumerable. Suppose we are given a standard
Turing machine M = ⟨ Q, Σ, q0 , δ⟩. How could we describe it using a finite
string of positive integers? We’ll first list the number of states, the states them-
selves, the number of symbols, the symbols themselves, and the starting state.
(Remember, all of these are positive integers, since M is a standard machine.)
What about δ? The set of possible arguments, i.e., pairs ⟨q, σ ⟩, is finite, since
Q and Σ are finite. So the information in δ is simply the finite list of all 5-
tuples ⟨q, σ, q′ , σ′ , d⟩ where δ(q, σ) = ⟨q′ , σ′ , D ⟩, and d is a number that codes
the direction D (say, 1 for L, 2 for R, and 3 for N).
In this way, every standard Turing machine can be described by a finite list
of positive integers, i.e., as a sequence s M ∈ (Z+ )∗ . For instance, the standard
Even machine is coded by the sequence

Σ δ(2,2)=⟨2,2,R⟩
z }| { z }| {
2, 1, 2 , 3, 1, 2, 3, 1, 1, 3, 2, 3, 2 , 2, 2, 2, 2, 2 , 2, 3, 1, 3, 2 .
|{z} | {z } | {z }
Q δ(1,3)=⟨2,3,R⟩ δ(2,3)=⟨1,3,R⟩

Theorem 32.1. There are functions from N to N which are not Turing computable.

Proof. We know that the set of finite sequences of positive integers (Z+ )∗ is
enumerable (problem 4.7). This gives us that the set of descriptions of stan-
dard Turing machines, as a subset of (Z+ )∗ , is itself enumerable. Every Turing
computable function N to N is computed by some (in fact, many) Turing ma-
chines. By renaming its states and symbols to positive integers (in particular,
▷ as 1, 0 as 2, and 1 as 3) we can see that every Turing computable function is
computed by a standard Turing machine. This means that the set of all Turing
computable functions from N to N is also enumerable.
On the other hand, the set of all functions from N to N is not enumerable
(problem 4.35). If all functions were computable by some Turing machine,
we could enumerate the set of all functions by listing all the descriptions of

496 Release : d3a1905 (2022-12-19)

32.3. UNIVERSAL TURING MACHINES

Turing machines that compute them. So there are some functions that are not
Turing computable.

32.3 Universal Turing Machines

In section 32.2 we discussed how every Turing machine can be described by
a finite sequence of integers. This sequence encodes the states, alphabet, start
state, and instructions of the Turing machine. We also pointed out that the set
of all of these descriptions is enumerable. Since the set of such descriptions
is denumerable, this means that there is a surjective function from N to these
descriptions. Such a surjective function can be obtained, for instance, using
Cantor’s zig-zag method. It gives us a way of enumerating all (descriptions)
of Turing machines. If we fix one such enumeration, it now makes sense to
talk of the 1st, 2nd, . . . , eth Turing machine. These numbers are called indices.

Definition 32.2. If M is the eth Turing machine (in our fixed enumeration), we
say that e is an index of M. We write Me for the eth Turing machine.

A machine may have more than one index, e.g., two descriptions of M
may differ in the order in which we list its instructions, and these different
descriptions will have different indices.
Importantly, it is possible to give the enumeration of Turing machine de-
scriptions in such a way that we can effectively compute the description of M
from its index, and to effectively compute an index of a machine M from its
description. By the Church-Turing thesis, it is then possible to find a Turing
machine which recovers the description of the Turing machine with index e
and writes the corresponding description on its tape as output. The descrip-
tion would be a sequence of blocks of 1’s (representing the positive integers in
the sequence describing Me ).
Given this, it now becomes natural to ask: what functions of Turing ma-
chine indices are themselves computable by Turing machines? What proper-
ties of Turing machine indices can be decided by Turing machines? An ex-
ample: the function that maps an index e to the number of states the Turing
machine with index e has, is computable by a Turing machine. Here’s what
such a Turing machine would do: started on a tape containing a single block
of e 1’s, it would first decode e into its description. The description is now
represented by a sequence of blocks of 1’s on the tape. Since the first element
in this sequence is the number of states. So all that has to be done now is to
erase everything but the first block of 1’s and then halt.
A remarkable result is the following:

Theorem 32.3. There is a universal Turing machine U which, when started on

input ⟨e, n⟩

1. halts iff Me halts on input n, and

Release : d3a1905 (2022-12-19) 497

 CHAPTER 32. UNDECIDABILITY

2. if Me halts with output m, so does U.

U thus computes the function f : N × N → 7 N given by f (e, n) = m if Me started

on input n halts with output m, and undefined otherwise.

Proof. To actually produce U is basically impossible, since it is an extremely

complicated machine. But we can describe in outline how it works, and then
invoke the Church-Turing thesis. When it starts, U’s tape contains a block of e
1’s followed by a block of n 1’s. It first “decodes” the index e to the right of the
input n. This produces a list of numbers (i.e., blocks of 1’s separated by 0’s)
that describes the instructions of machine Me . U then writes the number of the
start state of Me and the number 1 on the tape to the right of the description
of Me . (Again, these are represented in unary, as blocks of 1’s.) Next, it copies
the input (block of n 1’s) to the right—but it replaces each 1 by a block of three
1’s (remember, the number of the 1 symbol is 3, 1 being the number of ▷ and
2 being the number of 0). At the left end of this sequence of blocks (separated
by 0 symbols on the tape of U), it writes a single 1, the code for ▷.
U now has on its tape: the index e, the number n, the code number of the
start state (the “current state”), the number of the initial head position 1 (the
“current head position”), and the initial contents of the “tape” (a sequence
of blocks of 1’s representing the code numbers of the symbols of Me —the
“symbols”—separated by 0’s).
It now simulates what Me would do if started on input n, by doing the
following:

1. Find the number k of the “current head position” (at the beginning,
that’s 1),

2. Move to the kth block in the “tape” to see what the “symbol” there is,

3. Find the instruction matching the current “state” and “symbol,”

4. Move back to the kth block on the “tape” and replace the “symbol” there
with the code number of the symbol Me would write,

5. Move the head to where it records the current “state” and replace the
number there with the number of the new state,

6. Move to the place where it records the “tape position” and erase a 1 or
add a 1 (if the instruction says to move left or right, respectively).

7. Repeat.2
2 We’re glossing over some subtle difficulties here. E.g., U may need some extra space when

it increases the counter where it keeps track of the “current head position”—in that case it will
have to move the entire “tape” to the right.

498 Release : d3a1905 (2022-12-19)

32.4. THE HALTING PROBLEM

If Me started on input n never halts, then U also never halts, so its output is
undefined.
If in step (3) it turns out that the description of Me contains no instruction
for the current “state”/“symbol” pair, then Me would halt. If this happens, U
erases the part of its tape to the left of the “tape.” For each block of three 1’s
(representing a 1 on Me ’s tape), it writes a 1 on the left end of its own tape, and
successively erases the “tape.” When this is done, U’s tape contains a single
block of 1’s of length m.
If U encounters something other than a block of three 1’s on the “tape,” it
immediately halts. Since U’s tape in this case does not contain a single block
of 1’s, its output is not a natural number, i.e., f (e, n) is undefined in this case.

32.4 The Halting Problem

Assume we have fixed some enumeration of Turing machine descriptions.
Each Turing machine thus receives an index: its place in the enumeration M1 ,
M2 , M3 , . . . of Turing machine descriptions.
We know that there must be non-Turing-computable functions: the set of
Turing machine descriptions—and hence the set of Turing machines—is enu-
merable, but the set of all functions from N to N is not. But we can find
specific examples of non-computable functions as well. One such function is
the halting function.

Definition 32.4 (Halting function). The halting function h is defined as

(
0 if machine Me does not halt for input n
h(e, n) =
1 if machine Me halts for input n

Definition 32.5 (Halting problem). The Halting Problem is the problem of de-
termining (for any e, n) whether the Turing machine Me halts for an input of n
strokes.

We show that h is not Turing-computable by showing that a related func-

tion, s, is not Turing-computable. This proof relies on the fact that anything
that can be computed by a Turing machine can be computed by a disciplined
Turing machine (section 31.7), and the fact that two Turing machines can be
hooked together to create a single machine (section 31.8).

Definition 32.6. The function s is defined as

(
0 if machine Me does not halt for input e
s(e) =
1 if machine Me halts for input e

Lemma 32.7. The function s is not Turing computable.

Release : d3a1905 (2022-12-19) 499

 CHAPTER 32. UNDECIDABILITY

Proof. We suppose, for contradiction, that the function s is Turing computable.

Then there would be a Turing machine S that computes s. We may assume,
without loss of generality, that when S halts, it does so while scanning the
first square (i.e., that it is disciplined). This machine can be “hooked up” to
another machine J, which halts if it is started on input 0 (i.e., if it reads 0 in the
initial state while scanning the square to the right of the end-of-tape symbol),
and otherwise wanders off to the right, never halting. S ⌢ J, the machine
created by hooking S to J, is a Turing machine, so it is Me for some e (i.e., it
appears somewhere in the enumeration). Start Me on an input of e 1s. There
are two possibilities: either Me halts or it does not halt.

1. Suppose Me halts for an input of e 1s. Then s(e) = 1. So S, when started

on e, halts with a single 1 as output on the tape. Then J starts with a 1
on the tape. In that case J does not halt. But Me is the machine S ⌢ J,
so it should do exactly what S followed by J would do (i.e., in this case,
wander off to the right and never halt). So Me cannot halt for an input
of e 1’s.

2. Now suppose Me does not halt for an input of e 1s. Then s(e) = 0, and
S, when started on input e, halts with a blank tape. J, when started on
a blank tape, immediately halts. Again, Me does what S followed by J
would do, so Me must halt for an input of e 1’s.

In each case we arrive at a contradiction with our assumption. This shows

there cannot be a Turing machine S: s is not Turing computable.

Theorem 32.8 (Unsolvability of the Halting Problem). The halting problem is

unsolvable, i.e., the function h is not Turing computable.

Proof. Suppose h were Turing computable, say, by a Turing machine H. We

could use H to build a Turing machine that computes s: First, make a copy
of the input (separated by a 0 symbol). Then move back to the beginning,
and run H. We can clearly make a machine that does the former (see prob-
lem 31.13), and if H existed, we would be able to “hook it up” to such a copier
machine to get a new machine which would determine if Me halts on input e,
i.e., computes s. But we’ve already shown that no such machine can exist.
Hence, h is also not Turing computable.

32.5 The Decision Problem

We say that first-order logic is decidable iff there is an effective method for
determining whether or not a given sentence is valid. As it turns out, there is
no such method: the problem of deciding validity of first-order sentences is
unsolvable.

500 Release : d3a1905 (2022-12-19)

32.6. REPRESENTING TURING MACHINES

In order to establish this important negative result, we prove that the de-
cision problem cannot be solved by a Turing machine. That is, we show that
there is no Turing machine which, whenever it is started on a tape that con-
tains a first-order sentence, eventually halts and outputs either 1 or 0 depend-
ing on whether the sentence is valid or not. By the Church-Turing thesis, every
function which is computable is Turing computable. So if this “validity func-
tion” were effectively computable at all, it would be Turing computable. If it
isn’t Turing computable, then, it also cannot be effectively computable.
Our strategy for proving that the decision problem is unsolvable is to re-
duce the halting problem to it. This means the following: We have proved that
the function h(e, w) that halts with output 1 if the Turing machine described
by e halts on input w and outputs 0 otherwise, is not Turing computable. We
will show that if there were a Turing machine that decides validity of first-
order sentences, then there is also Turing machine that computes h. Since h
cannot be computed by a Turing machine, there cannot be a Turing machine
that decides validity either.
The first step in this strategy is to show that for every input w and a Turing
machine M, we can effectively describe a sentence τ ( M, w) representing the
instruction set of M and the input w and a sentence α( M, w) expressing “M
eventually halts” such that:

⊨ τ ( M, w) → α( M, w) iff M halts for input w.

The bulk of our proof will consist in describing these sentences τ ( M, w) and α( M, w)
and in verifying that τ ( M, w) → α( M, w) is valid iff M halts on input w.

32.6 Representing Turing Machines

In order to represent Turing machines and their behavior by a sentence of
first-order logic, we have to define a suitable language. The language consists
of two parts: predicate symbols for describing configurations of the machine,
and expressions for numbering execution steps (“moments”) and positions on
the tape.
We introduce two kinds of predicate symbols, both of them 2-place: For
each state q, a predicate symbol Qq , and for each tape symbol σ, a predicate
symbol Sσ . The former allow us to describe the state of M and the position of
its tape head, the latter allow us to describe the contents of the tape.
In order to express the positions of the tape head and the number of steps
executed, we need a way to express numbers. This is done using a constant
symbol 0, and a 1-place function ′, the successor function. By convention it
is written after its argument (and we leave out the parentheses). So 0 names
the leftmost position on the tape as well as the time before the first execution
step (the initial configuration), 0′ names the square to the right of the leftmost
square, and the time after the first execution step, and so on. We also introduce

Release : d3a1905 (2022-12-19) 501

 CHAPTER 32. UNDECIDABILITY

a predicate symbol < to express both the ordering of tape positions (when it
means “to the left of”) and execution steps (then it means “before”).
Once we have the language in place, we list the “axioms” of τ ( M, w), i.e.,
the sentences which, taken together, describe the behavior of M when run on
input w. There will be sentences which lay down conditions on 0, ′, and <,
sentences that describes the input configuration, and sentences that describe
what the configuration of M is after it executes a particular instruction.
Definition 32.9. Given a Turing machine M = ⟨ Q, Σ, q0 , δ⟩, the language L M
consists of:
1. A two-place predicate symbol Qq ( x, y) for every state q ∈ Q. Intu-
itively, Qq (m, n) expresses “after n steps, M is in state q scanning the
mth square.”

2. A two-place predicate symbol Sσ ( x, y) for every symbol σ ∈ Σ. Intu-

itively, Sσ (m, n) expresses “after n steps, the mth square contains sym-
bol σ.”

3. A constant symbol 0

4. A one-place function symbol ′

5. A two-place predicate symbol <

For each number n there is a canonical term n, the numeral for n, which
represents it in L M . 0 is 0, 1 is 0′ , 2 is 0′′ , and so on. More formally:

0=0
n + 1 = n′

The sentences describing the operation of the Turing machine M on input

w = σi1 . . . σik are the following:
1. Axioms describing numbers and <:

a) A sentence that says that every number is less than its successor:

∀x x < x′

b) A sentence that ensures that < is transitive:

∀ x ∀y ∀z (( x < y ∧ y < z) → x < z)

2. Axioms describing the input configuration:

a) After 0 steps—before the machine starts—M is in the inital state q0 ,

scanning square 1:
Qq0 (1, 0)

502 Release : d3a1905 (2022-12-19)

32.6. REPRESENTING TURING MACHINES

b) The first k + 1 squares contain the symbols ▷, σi1 , . . . , σik :

S▷ (0, 0) ∧ Sσi (1, 0) ∧ · · · ∧ Sσi (k, 0)

1 k

c) Otherwise, the tape is empty:

∀ x (k < x → S0 ( x, 0))

3. Axioms describing the transition from one configuration to the next:

For the following, let φ( x, y) be the conjunction of all sentences of the
form
∀z (((z < x ∨ x < z) ∧ Sσ (z, y)) → Sσ (z, y′ ))
where σ ∈ Σ. We use φ(m, n) to express “other than at square m, the
tape after n + 1 steps is the same as after n steps.”
a) For every instruction δ(qi , σ ) = ⟨q j , σ′ , R⟩, the sentence:

∀ x ∀y ((Qqi ( x, y) ∧ Sσ ( x, y)) →
(Qq j ( x ′ , y′ ) ∧ Sσ′ ( x, y′ ) ∧ φ( x, y)))
This says that if, after y steps, the machine is in state qi scanning
square x which contains symbol σ, then after y + 1 steps it is scan-
ning square x + 1, is in state q j , square x now contains σ′ , and every
square other than x contains the same symbol as it did after y steps.
b) For every instruction δ(qi , σ ) = ⟨q j , σ′ , L⟩, the sentence:

∀ x ∀y ((Qqi ( x ′ , y) ∧ Sσ ( x ′ , y)) →
(Qq j ( x, y′ ) ∧ Sσ′ ( x ′ , y′ ) ∧ φ( x, y))) ∧
∀y ((Qqi (0, y) ∧ Sσ (0, y)) →
(Qq j (0, y′ ) ∧ Sσ′ (0, y′ ) ∧ φ(0, y)))
Take a moment to think about how this works: now we don’t start
with “if scanning square x . . . ” but: “if scanning square x + 1 . . . ” A
move to the left means that in the next step the machine is scanning
square x. But the square that is written on is x + 1. We do it this
way since we don’t have subtraction or a predecessor function.
Note that numbers of the form x + 1 are 1, 2, . . . , i.e., this doesn’t
cover the case where the machine is scanning square 0 and is sup-
posed to move left (which of course it can’t—it just stays put). That
special case is covered by the second conjunction: it says that if, af-
ter y steps, the machine is scanning square 0 in state qi and square 0
contains symbol σ, then after y + 1 steps it’s still scanning square 0,
is now in state q j , the symbol on square 0 is σ′ , and the squares
other than square 0 contain the same symbols they contained ofter
y steps.

Release : d3a1905 (2022-12-19) 503

 CHAPTER 32. UNDECIDABILITY

c) For every instruction δ(qi , σ ) = ⟨q j , σ′ , N ⟩, the sentence:

∀ x ∀y ((Qqi ( x, y) ∧ Sσ ( x, y)) →
(Qq j ( x, y′ ) ∧ Sσ′ ( x, y′ ) ∧ φ( x, y)))

Let τ ( M, w) be the conjunction of all the above sentences for Turing machine M
and input w.
In order to express that M eventually halts, we have to find a sentence that
says “after some number of steps, the transition function will be undefined.”
Let X be the set of all pairs ⟨q, σ ⟩ such that δ(q, σ ) is undefined. Let α( M, w)
then be the sentence
_
∃ x ∃y ( (Qq ( x, y) ∧ Sσ ( x, y)))
⟨q,σ⟩∈ X

If we use a Turing machine with a designated halting state h, it is even

easier: then the sentence α( M, w)

∃ x ∃y Qh ( x, y)

expresses that the machine eventually halts.

Proposition 32.10. If m < k, then τ ( M, w) ⊨ m < k

Proof. Exercise.

32.7 Verifying the Representation

In order to verify that our representation works, we have to prove two things.
First, we have to show that if M halts on input w, then τ ( M, w) → α( M, w) is
valid. Then, we have to show the converse, i.e., that if τ ( M, w) → α( M, w) is
valid, then M does in fact eventually halt when run on input w.
The strategy for proving these is very different. For the first result, we have
to show that a sentence of first-order logic (namely, τ ( M, w) → α( M, w)) is
valid. The easiest way to do this is to give a derivation. Our proof is supposed
to work for all M and w, though, so there isn’t really a single sentence for
which we have to give a derivation, but infinitely many. So the best we can do
is to prove by induction that, whatever M and w look like, and however many
steps it takes M to halt on input w, there will be a derivation of τ ( M, w) →
α( M, w).
Naturally, our induction will proceed on the number of steps M takes be-
fore it reaches a halting configuration. In our inductive proof, we’ll estab-
lish that for each step n of the run of M on input w, τ ( M, w) ⊨ χ( M, w, n),
where χ( M, w, n) correctly describes the configuration of M run on w after n
steps. Now if M halts on input w after, say, n steps, χ( M, w, n) will describe

504 Release : d3a1905 (2022-12-19)

32.7. VERIFYING THE REPRESENTATION

a halting configuration. We’ll also show that χ( M, w, n) ⊨ α( M, w), when-

ever χ( M, w, n) describes a halting configuration. So, if M halts on input w,
then for some n, M will be in a halting configuration after n steps. Hence,
τ ( M, w) ⊨ χ( M, w, n) where χ( M, w, n) describes a halting configuration, and
since in that case χ( M, w, n) ⊨ α( M, w), we get that T ( M, w) ⊨ α( M, w), i.e.,
that ⊨ τ ( M, w) → α( M, w).
The strategy for the converse is very different. Here we assume that ⊨
τ ( M, w) → α( M, w) and have to prove that M halts on input w. From the hy-
pothesis we get that τ ( M, w) ⊨ α( M, w), i.e., α( M, w) is true in every structure
in which τ ( M, w) is true. So we’ll describe a structure M in which τ ( M, w)
is true: its domain will be N, and the interpretation of all the Qq and Sσ
will be given by the configurations of M during a run on input w. So, e.g.,
M ⊨ Qq (m, n) iff T, when run on input w for n steps, is in state q and scan-
ning square m. Now since τ ( M, w) ⊨ α( M, w) by hypothesis, and since M ⊨
τ ( M, w) by construction, M ⊨ α( M, w). But M ⊨ α( M, w) iff there is some
n ∈ |M| = N so that M, run on input w, is in a halting configuration after n
steps.

Definition 32.11. Let χ( M, w, n) be the sentence

Qq (m, n) ∧ Sσ0 (0, n) ∧ · · · ∧ Sσk (k, n) ∧ ∀ x (k < x → S0 ( x, n))

where q is the state of M at time n, M is scanning square m at time n, square i

contains symbol σi at time n for 0 ≤ i ≤ k and k is the right-most non-blank
square of the tape at time 0, or the right-most square the tape head has visited
after n steps, whichever is greater.

Lemma 32.12. If M run on input w is in a halting configuration after n steps, then

χ( M, w, n) ⊨ α( M, w).

Proof. Suppose that M halts for input w after n steps. There is some state q,
square m, and symbol σ such that:

1. After n steps, M is in state q scanning square m on which σ appears.

2. The transition function δ(q, σ ) is undefined.

χ( M, w, n) is the description of this configuration and will include the clauses

Qq (m, n) and Sσ (m, n). These clauses together imply α( M, w):
_
∃ x ∃y ( (Qq ( x, y) ∧ Sσ ( x, y)))
⟨q,σ⟩∈ X

since Qq′ (m, n) ∧ Sσ′ (m, n) ⊨ ⟨q,σ⟩∈ X (Qq ( m, n ) ∧ Sσ ( m, n )), as ⟨q′ , σ′ ⟩ ∈ X.

W

So if M halts for input w, then there is some n such that χ( M, w, n) ⊨

α( M, w). We will now show that for any time n, τ ( M, w) ⊨ χ( M, w, n).

Release : d3a1905 (2022-12-19) 505

 CHAPTER 32. UNDECIDABILITY

Lemma 32.13. For each n, if M has not halted after n steps, τ ( M, w) ⊨ χ( M, w, n).

Proof. Induction basis: If n = 0, then the conjuncts of χ( M, w, 0) are also con-

juncts of τ ( M, w), so entailed by it.
Inductive hypothesis: If M has not halted before the nth step, then τ ( M, w) ⊨
χ( M, w, n). We have to show that (unless χ( M, w, n) describes a halting con-
figuration), τ ( M, w) ⊨ χ( M, w, n + 1).
Suppose n > 0 and after n steps, M started on w is in state q scanning
square m. Since M does not halt after n steps, there must be an instruction of
one of the following three forms in the program of M:

1. δ(q, σ ) = ⟨q′ , σ′ , R⟩
2. δ(q, σ ) = ⟨q′ , σ′ , L⟩
3. δ(q, σ ) = ⟨q′ , σ′ , N ⟩

We will consider each of these three cases in turn.

1. Suppose there is an instruction of the form (1). By Definition 32.9(3a),

this means that
∀ x ∀y ((Qq ( x, y) ∧ Sσ ( x, y)) →
(Qq′ ( x ′ , y′ ) ∧ Sσ′ ( x, y′ ) ∧ φ( x, y)))

is a conjunct of τ ( M, w). This entails the following sentence (universal

instantiation, m for x and n for y):

(Qq (m, n) ∧ Sσ (m, n)) →

(Qq′ (m′ , n′ ) ∧ Sσ′ (m, n′ ) ∧ φ(m, n)).

By induction hypothesis, τ ( M, w) ⊨ χ( M, w, n), i.e.,

Qq (m, n) ∧ Sσ0 (0, n) ∧ · · · ∧ Sσk (k, n)∧

∀ x (k < x → S0 ( x, n))

Since after n steps, tape square m contains σ, the corresponding conjunct

is Sσ (m, n), so this entails:

Qq (m, n) ∧ Sσ (m, n)

We now get

Qq′ (m′ , n′ ) ∧ Sσ′ (m, n′ ) ∧

Sσ0 (0, n′ ) ∧ · · · ∧ Sσk (k, n′ ) ∧
∀ x (k < x → S0 ( x, n′ ))

506 Release : d3a1905 (2022-12-19)

32.7. VERIFYING THE REPRESENTATION

as follows: The first line comes directly from the consequent of the pre-
ceding conditional, by modus ponens. Each conjunct in the middle
line—which excludes Sσm (m, n′ )—follows from the corresponding con-
junct in χ( M, w, n) together with φ(m, n).
If m < k, τ ( M, w) ⊢ m < k (Proposition 32.10) and by transitivity of <,
we have ∀ x (k < x → m < x ). If m = k, then ∀ x (k < x → m < x ) by
logic alone. The last line then follows from the corresponding conjunct
in χ( M, w, n), ∀ x (k < x → m < x ), and φ(m, n). If m < k, this already is
χ( M, w, n + 1).
Now suppose m = k. In that case, after n + 1 steps, the tape head has
also visited square k + 1, which now is the right-most square visited.
′
So χ( M, w, n + 1) has a new conjunct, S0 (k , n′ ), and the last conjuct is
′
∀ x (k < x → S0 ( x, n′ )). We have to verify that these two sentences are
also implied.
We already have ∀ x (k < x → S0 ( x, n′ )). In particular, this gives us k <
′ ′ ′
k → S0 (k , n′ ). From the axiom ∀ x x < x ′ we get k < k . By modus
′ ′
ponens, S0 (k , n ) follows.
′
Also, since τ ( M, w) ⊢ k < k , the axiom for transitivity of < gives us
′
∀ x (k < x → S0 ( x, n′ )). (We leave the verification of this as an exercise.)

2. Suppose there is an instruction of the form (2). Then, by Definition 32.9(3b),

∀ x ∀y ((Qq ( x ′ , y) ∧ Sσ ( x ′ , y)) →
(Qq′ ( x, y′ ) ∧ Sσ′ ( x ′ , y′ ) ∧ φ( x, y))) ∧
∀y ((Qqi (0, y) ∧ Sσ (0, y)) →
(Qq j (0, y′ ) ∧ Sσ′ (0, y′ ) ∧ φ(0, y)))

is a conjunct of τ ( M, w). If m > 0, then let l = m − 1 (i.e., m = l + 1).

The first conjunct of the above sentence entails the following:

′ ′
(Qq (l , n) ∧ Sσ (l , n)) →
′
(Qq′ (l, n′ ) ∧ Sσ′ (l , n′ ) ∧ φ(l, n))

Otherwise, let l = m = 0 and consider the following sentence entailed

by the second conjunct:

((Qqi (0, n) ∧ Sσ (0, n)) →

(Qq j (0, n′ ) ∧ Sσ′ (0, n′ ) ∧ φ(0, n)))

Release : d3a1905 (2022-12-19) 507

 CHAPTER 32. UNDECIDABILITY

Either sentence implies

Qq′ (l, n′ ) ∧ Sσ′ (m, n′ ) ∧

Sσ0 (0, n′ ) ∧ · · · ∧ Sσk (k, n′ ) ∧
∀ x (k < x → S0 ( x, n′ ))
′
as before. (Note that in the first case, l ≡ l + 1 ≡ m and in the second
case l ≡ 0.) But this just is χ( M, w, n + 1).
3. Case (3) is left as an exercise.
We have shown that for any n, τ ( M, w) ⊨ χ( M, w, n).
Lemma 32.14. If M halts on input w, then τ ( M, w) → α( M, w) is valid.
Proof. By Lemma 32.13, we know that, for any time n, the description χ( M, w, n)
of the configuration of M at time n is entailed by τ ( M, w). Suppose M halts af-
ter k steps. At that point, it will be scanning square m, for some m ∈ N. Then
χ( M, w, k) describes a halting configuration of M, i.e., it contains as conjuncts
both Qq (m, k ) and Sσ (m, k ) with δ(q, σ ) undefined. Thus, by Lemma 32.12,
χ( M, w, k) ⊨ α( M, w). But since τ ( M, w) ⊨ χ( M, w, k), we have τ ( M, w) ⊨
α( M, w) and therefore τ ( M, w) → α( M, w) is valid.
To complete the verification of our claim, we also have to establish the
reverse direction: if τ ( M, w) → α( M, w) is valid, then M does in fact halt when
started on input w.
Lemma 32.15. If ⊨ τ ( M, w) → α( M, w), then M halts on input w.
Proof. Consider the L M -structure M with domain N which interprets 0 as 0,
′ as the successor function, and < as the less-than relation, and the predicates
Qq and Sσ as follows:
started on w, after n steps,
QM
q = {⟨ m, n ⟩ : }
M is in state q scanning square m
started on w, after n steps,
SσM = {⟨m, n⟩ : }
square m of M contains symbol σ
In other words, we construct the structure M so that it describes what M
started on input w actually does, step by step. Clearly, M ⊨ τ ( M, w). If
⊨ τ ( M, w) → α( M, w), then also M ⊨ α( M, w), i.e.,
_
M ⊨ ∃ x ∃y ( (Qq ( x, y) ∧ Sσ ( x, y))).
⟨q,σ⟩∈ X

As |M| = N, there must be m, n ∈ N so that M ⊨ Qq (m, n) ∧ Sσ (m, n) for

some q and σ such that δ(q, σ ) is undefined. By the definition of M, this means
that M started on input w after n steps is in state q and reading symbol σ, and
the transition function is undefined, i.e., M has halted.

508 Release : d3a1905 (2022-12-19)

32.8. THE DECISION PROBLEM IS UNSOLVABLE

32.8 The Decision Problem is Unsolvable

Theorem 32.16. The decision problem is unsolvable: There is no Turing machine D,
which when started on a tape that contains a sentence ψ of first-order logic as input,
D eventually halts, and outputs 1 iff ψ is valid and 0 otherwise.

Proof. Suppose the decision problem were solvable, i.e., suppose there were
a Turing machine D. Then we could solve the halting problem as follows.
We construct a Turing machine E that, given as input the number e of Turing
machine Me and input w, computes the corresponding sentence τ ( Me , w) →
α( Me , w) and halts, scanning the leftmost square on the tape. The machine
E ⌢ D would then, given input e and w, first compute τ ( Me , w) → α( Me , w)
and then run the decision problem machine D on that input. D halts with out-
put 1 iff τ ( Me , w) → α( Me , w) is valid and outputs 0 otherwise. By Lemma 32.15
and Lemma 32.14, τ ( Me , w) → α( Me , w) is valid iff Me halts on input w. Thus,
E ⌢ D, given input e and w halts with output 1 iff Me halts on input w and
halts with output 0 otherwise. In other words, E ⌢ D would solve the halting
problem. But we know, by Theorem 32.8, that no such Turing machine can
exist.

Corollary 32.17. It is undecidable if an arbitrary sentence of first-order logic is sat-

isfiable.

Proof. Suppose satisfiability were decidable by a Turing machine S. Then we

could solve the decision problem as follows: Given a sentence B as input,
move ψ to the right one square. Return to square 1 and write the symbol ¬.
Now run the Turing machine S. It eventually halts with output either 1
(if ¬ψ is satisfiable) or 0 (if ¬ψ is unsatisfiable) on the tape. If there is a 1 on
square 1, erase it; if square 1 is empty, write a 1, then halt.
This Turing machine always halts, and its output is 1 iff ¬ψ is unsatisfiable
and 0 otherwise. Since ψ is valid iff ¬ψ is unsatisfiable, the machine outputs 1
iff ψ is valid, and 0 otherwise, i.e., it would solve the decision problem.

So there is no Turing machine which always gives a correct “yes” or “no”

answer to the question “Is ψ a valid sentence of first-order logic?” However,
there is a Turing machine that always gives a correct “yes” answer—but sim-
ply does not halt if the answer is “no.” This follows from the soundness and
completeness theorem of first-order logic, and the fact that derivations can be
effectively enumerated.

Theorem 32.18. Validity of first-order sentences is semi-decidable: There is a Turing

machine E, which when started on a tape that contains a sentence ψ of first-order logic
as input, E eventually halts and outputs 1 iff ψ is valid, but does not halt otherwise.

Release : d3a1905 (2022-12-19) 509

 CHAPTER 32. UNDECIDABILITY

Proof. All possible derivations of first-order logic can be generated, one after
another, by an effective algorithm. The machine E does this, and when it finds
a derivation that shows that ⊢ ψ, it halts with output 1. By the soundness
theorem, if E halts with output 1, it’s because ⊨ ψ. By the completeness the-
orem, if ⊨ ψ there is a derivation that shows that ⊢ ψ. Since E systematically
generates all possible derivations, it will eventually find one that shows ⊢ ψ,
so will eventually halt with output 1.

32.9 Trakthenbrot’s Theorem

In section 32.6 we defined sentences τ ( M, w) and α( M, w) for a Turing ma-
chine M and input string w. Then we showed in Lemma 32.14 and Lemma 32.15
that τ ( M, w) → α( M, w) is valid iff M, started on input w, eventually halts.
Since the Halting Problem is undecidable, this implies that validity and satisfi-
ability of sentences of first-order logic is undecidable (Theorem 32.16 and Corol-
lary 32.17).
But validity and satisfiability of sentences is defined for arbitrary struc-
tures, finite or infinite. You might suspect that it is easier to decide if a sen-
tence is satisfiable in a finite structure (or valid in all finite structures). We can
adapt the proof of the unsolvability of the decision problem so that it shows
this is not the case.
First, if you go back to the proof of Lemma 32.15, you’ll see that what
we did there is produce a model M of τ ( M, w) which describes exactly what
machine M does when started on input w. The domain of that model was N,
i.e., infinite. But if M actually halts on input w, we can build a finite model M′
in the same way. Suppose M started on input w halts after k steps. Take as
domain |M′ | the set {0, . . . , n}, where n is the larger of k and the length of w,
and let (
M′ x + 1 if x < n
′ (x) =
n otherwise,
′
and ⟨ x, y⟩ ∈ <M iff x < y or x = y = n. Otherwise M′ is defined just like M.
By the definition of M′ , just like in the proof of Lemma 32.15, M′ ⊨ τ ( M, w).
And since we assumed that M halts on input w, M′ ⊨ α( M, w). So, M′ is a
finite model of τ ( M, w) ∧ α( M, w) (note that we’ve replaced → with ∧).
We are halfway to a proof: we’ve shown that if M halts on input w, then
τ ( M, e) ∧ α( M, w) has a finite model. Unfortunately, the “only if” direction
does not hold. For instance, if M after n steps is in state q and reads a sym-
bol σ, and δ(q, σ) = ⟨q, σ, N ⟩, then the configuration after n + 1 steps is exactly
the same as the configuration after n steps (same state, same head position,
same tape contents). But the machine never halts; it’s in an infinite loop. The
corresponding structure M′ above satisfies τ ( M, w) but not α( M, w). (In it,
the values of n + l are all the same, so it is finite). But by changing τ ( M, w) in
a suitable way we can rule out structures like this.

510 Release : d3a1905 (2022-12-19)

32.9. TRAKTHENBROT’S THEOREM

Consider the sentences describing the operation of the Turing machine M

on input w = σi1 . . . σik :

1. Axioms describing numbers and < (just like in the definition of τ ( M, w)

in section 32.6).

2. Axioms describing the input configuration: just like in the definition

of τ ( M, w).

3. Axioms describing the transition from one configuration to the next:

For the following, let φ( x, y) be as before, and let

ψ ( y ) ≡ ∀ x ( x < y → x ̸ = y ).

a) For every instruction δ(qi , σ ) = ⟨q j , σ′ , R⟩, the sentence:

∀ x ∀y ((Qqi ( x, y) ∧ Sσ ( x, y)) →
(Qq j ( x ′ , y′ ) ∧ Sσ′ ( x, y′ ) ∧ φ( x, y) ∧ ψ(y′ )))

b) For every instruction δ(qi , σ ) = ⟨q j , σ′ , L⟩, the sentence

∀ x ∀y ((Qqi ( x ′ , y) ∧ Sσ ( x ′ , y)) →
(Qq j ( x, y′ ) ∧ Sσ′ ( x ′ , y′ ) ∧ φ( x, y))) ∧
∀y ((Qqi (0, y) ∧ Sσ (0, y)) →
(Qq j (0, y′ ) ∧ Sσ′ (0, y′ ) ∧ φ(0, y) ∧ ψ(y′ )))

c) For every instruction δ(qi , σ ) = ⟨q j , σ′ , N ⟩, the sentence:

∀ x ∀y ((Qqi ( x, y) ∧ Sσ ( x, y)) →
(Qq j ( x, y′ ) ∧ Sσ′ ( x, y′ ) ∧ φ( x, y) ∧ ψ(y′ )))

As you can see, the sentences describing the transitions of M are the
same as the corresponding sentence in τ ( M, w), except we add ψ(y′ ) at
the end. ψ(y′ ) ensures that the number y′ of the “next” configuration is
different from all previous numbers 0, 0′ , . . . .

Let τ ′ ( M, w) be the conjunction of all the above sentences for Turing ma-
chine M and input w.

Lemma 32.19. If M started on input w halts, then τ ′ ( M, w) ∧ α( M, w) has a finite

model.

Release : d3a1905 (2022-12-19) 511

 CHAPTER 32. UNDECIDABILITY

Proof. Let M′ be as in the proof of Lemma 32.15, except

 ′
M  = {0, . . . , n},
(
M′ x + 1 if x < n
′ (x) =
n otherwise,
′
⟨ x, y⟩ ∈ <M iff x < y or x = y = n,

where n = max(k, len(w)) and k is the least number such that M started on
input w has halted after k steps. We leave the verification that M′ ⊨ τ ′ ( M, w) ∧
E( M, w) as an exercise.

Lemma 32.20. If τ ′ ( M, w) ∧ α( M, w) has a finite model, then M started on input w

halts.

Proof. We show the contrapositive. Suppose that M started on w does not

halt. If τ ′ ( M, w) ∧ α( M, w) has no model at all, we are done. So assume M is
a model of τ ( M, w) ∧ α( M, w). We have to show that it cannot be finite.
We can prove, just like in Lemma 32.13, that if M, started on input w, has
not halted after n steps, then τ ′ ( M, w) ⊨ χ( M, w, n) ∧ ψ(n). Since M started
on input w does not halt, τ ′ ( M, w) ⊨ χ( M, w, n) ∧ ψ(n) for all n ∈ N. Note
that by Proposition 32.10, τ ′ ( M, w) ⊨ k < n for all k < n. Also ψ(n) ⊨ k <
n → k ̸= n. So, M ⊨ k ̸= n for all k < n, i.e., the infinitely many terms k
must all have different values in M. But this requires that |M| be infinite, so
M cannot be a finite model of τ ′ ( M, w) ∧ α( M, w).

Theorem 32.21 (Trakthenbrot’s Theorem). It is undecidable if an arbitrary sen-

tence of first-order logic has a finite model (i.e., is finitely satisfiable).

Proof. Suppose there were a Turing machine F that decides the finite satisfi-
ability problem. Then given any Turing machine M and input w, we could
compute the sentence τ ′ ( M, w) ∧ α( M, w), and use F to decide if it has a finite
model. By Lemmata 32.19 and 32.20, it does iff M started on input w halts. So
we could use F to solve the halting problem, which we know is unsolvable.

Corollary 32.22. There can be no derivation system that is sound and complete for
finite validity, i.e., a derivation system which has ⊢ ψ iff M ⊨ ψ for every finite
structure M.

Proof. Exercise.

Problems
Problem 32.1. Can you think of a way to describe Turing machines that does
not require that the states and alphabet symbols are explicitly listed? You may

512 Release : d3a1905 (2022-12-19)

32.9. TRAKTHENBROT’S THEOREM

define your own notion of “standard” machine, but say something about why
every Turing machine can be computed by a “standard” machine in your new
sense.

Problem 32.2. The Three Halting (3-Halt) problem is the problem of giving a
decision procedure to determine whether or not an arbitrarily chosen Turing
Machine halts for an input of three 1’s on an otherwise blank tape. Prove that
the 3-Halt problem is unsolvable.

Problem 32.3. Show that if the halting problem is solvable for Turing machine
and input pairs Me and n where e ̸= n, then it is also solvable for the cases
where e = n.

Problem 32.4. We proved that the halting problem is unsolvable if the input
is a number e, which identifies a Turing machine Me via an enumaration of all
Turing machines. What if we allow the description of Turing machines from
section 32.2 directly as input? Can there be a Turing machine which decides
the halting problem but takes as input descriptions of Turing machines rather
than indices? Explain why or why not.

Problem 32.5. Show that the partial function s′ is defined as

(
1 if machine Me halts for input e
s′ (e) =
undefined if machine Me does not halt for input e
is Turing computable.

Problem 32.6. Prove Proposition 32.10. (Hint: use induction on k − m).

Problem 32.7. Complete case (3) of the proof of Lemma 32.13.

Problem 32.8. Give a derivation of Sσi (i, n′ ) from Sσi (i, n) and φ(m, n) (as-
suming i ̸= m, i.e., either i < m or m < i).
′
Problem 32.9. Give a derivation of ∀ x (k < x → S0 ( x, n′ )) from ∀ x (k < x →
S0 ( x, n′ )), ∀ x x < x ′ , and ∀ x ∀y ∀z (( x < y ∧ y < z) → x < z).)

Problem 32.10. Complete the proof of Lemma 32.19 by proving that M′ ⊨

τ ( M, w) ∧ E( M, w).

Problem 32.11. Complete the proof of Lemma 32.20 by proving that if M,

started on input w, has not halted after n steps, then τ ′ ( M, w) ⊨ ψ(n).

Problem 32.12. Prove Corollary 32.22. Observe that ψ is satisfied in every

finite structure iff ¬ψ is not finitely satisfiable. Explain why finite satisfiability
is semi-decidable in the sense of Theorem 32.18. Use this to argue that if there
were a derivation system for finite validity, then finite satisfiability would be
decidable.

Release : d3a1905 (2022-12-19) 513

 Part VII

Incompleteness

514
32.9. TRAKTHENBROT’S THEOREM

Material in this part covers the incompleteness theorems. It depends

on material in the parts on first-order logic (esp., the proof system), the
material on recursive functions (in the computability part). It is based on
Jeremy Avigad’s notes with revisions by Richard Zach.

Release : d3a1905 (2022-12-19) 515

Chapter 33

Introduction to Incompleteness

33.1 Historical Background

In this section, we will briefly discuss historical developments that will help
put the incompleteness theorems in context. In particular, we will give a very
sketchy overview of the history of mathematical logic; and then say a few
words about the history of the foundations of mathematics.
The phrase “mathematical logic” is ambiguous. One can interpret the
word “mathematical” as describing the subject matter, as in, “the logic of
mathematics,” denoting the principles of mathematical reasoning; or as de-
scribing the methods, as in “the mathematics of logic,” denoting a mathemat-
ical study of the principles of reasoning. The account that follows involves
mathematical logic in both senses, often at the same time.
The study of logic began, essentially, with Aristotle, who lived approxi-
mately 384–322 BCE. His Categories, Prior analytics, and Posterior analytics in-
clude systematic studies of the principles of scientific reasoning, including a
thorough and systematic study of the syllogism.
Aristotle’s logic dominated scholastic philosophy through the middle ages;
indeed, as late as eighteenth century Kant maintained that Aristotle’s logic
was perfect and in no need of revision. But the theory of the syllogism is far
too limited to model anything but the most superficial aspects of mathemati-
cal reasoning. A century earlier, Leibniz, a contemporary of Newton’s, imag-
ined a complete “calculus” for logical reasoning, and made some rudimentary
steps towards designing such a calculus, essentially describing a version of
propositional logic.
The nineteenth century was a watershed for logic. In 1854 George Boole
wrote The Laws of Thought, with a thorough algebraic study of propositional
logic that is not far from modern presentations. In 1879 Gottlob Frege pub-
lished his Begriffsschrift (Concept writing) which extends propositional logic
with quantifiers and relations, and thus includes first-order logic. In fact,
Frege’s logical systems included higher-order logic as well, and more. In his

516
33.1. HISTORICAL BACKGROUND

Basic Laws of Arithmetic, Frege set out to show that all of arithmetic could be
derived in his Begriffsschrift from purely logical assumption. Unfortunately,
these assumptions turned out to be inconsistent, as Russell showed in 1902.
But setting aside the inconsistent axiom, Frege more or less invented mod-
ern logic singlehandedly, a startling achievement. Quantificational logic was
also developed independently by algebraically-minded thinkers after Boole,
including Peirce and Schröder.
Let us now turn to developments in the foundations of mathematics. Of
course, since logic plays an important role in mathematics, there is a good deal
of interaction with the developments just described. For example, Frege de-
veloped his logic with the explicit purpose of showing that all of mathematics
could be based solely on his logical framework; in particular, he wished to
show that mathematics consists of a priori analytic truths instead of, as Kant
had maintained, a priori synthetic ones.
Many take the birth of mathematics proper to have occurred with the
Greeks. Euclid’s Elements, written around 300 B.C., is already a mature rep-
resentative of Greek mathematics, with its emphasis on rigor and precision.
The definitions and proofs in Euclid’s Elements survive more or less in tact
in high school geometry textbooks today (to the extent that geometry is still
taught in high schools). This model of mathematical reasoning has been held
to be a paradigm for rigorous argumentation not only in mathematics but in
branches of philosophy as well. (Spinoza even presented moral and religious
arguments in the Euclidean style, which is strange to see!)
Calculus was invented by Newton and Leibniz in the seventeenth century.
(A fierce priority dispute raged for centuries, but most scholars today hold
that the two developments were for the most part independent.) Calculus in-
volves reasoning about, for example, infinite sums of infinitely small quanti-
ties; these features fueled criticism by Bishop Berkeley, who argued that belief
in God was no less rational than the mathematics of his time. The methods of
calculus were widely used in the eighteenth century, for example by Leonhard
Euler, who used calculations involving infinite sums with dramatic results.
In the nineteenth century, mathematicians tried to address Berkeley’s crit-
icisms by putting calculus on a firmer foundation. Efforts by Cauchy, Weier-
strass, Bolzano, and others led to our contemporary definitions of limits, con-
tinuity, differentiation, and integration in terms of “epsilons and deltas,” in
other words, devoid of any reference to infinitesimals. Later in the century,
mathematicians tried to push further, and explain all aspects of calculus, in-
cluding the real numbers themselves, in terms of the natural numbers. (Kro-
necker: “God created the whole numbers, all else is the work of man.”) In
1872, Dedekind wrote “Continuity and the irrational numbers,” where he
showed how to “construct” the real numbers as sets of rational numbers (which,
as you know, can be viewed as pairs of natural numbers); in 1888 he wrote
“Was sind und was sollen die Zahlen” (roughly, “What are the natural num-

Release : d3a1905 (2022-12-19) 517

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

bers, and what should they be?”) which aimed to explain the natural numbers
in purely “logical” terms. In 1887 Kronecker wrote “Über den Zahlbegriff”
(“On the concept of number”) where he spoke of representing all mathemati-
cal object in terms of the integers; in 1889 Giuseppe Peano gave formal, sym-
bolic axioms for the natural numbers.
The end of the nineteenth century also brought a new boldness in dealing
with the infinite. Before then, infinitary objects and structures (like the set of
natural numbers) were treated gingerly; “infinitely many” was understood
as “as many as you want,” and “approaches in the limit” was understood as
“gets as close as you want.” But Georg Cantor showed that it was possible to
take the infinite at face value. Work by Cantor, Dedekind, and others help to
introduce the general set-theoretic understanding of mathematics that is now
widely accepted.
This brings us to twentieth century developments in logic and founda-
tions. In 1902 Russell discovered the paradox in Frege’s logical system. In 1904
Zermelo proved Cantor’s well-ordering principle, using the so-called “axiom
of choice”; the legitimacy of this axiom prompted a good deal of debate. Be-
tween 1910 and 1913 the three volumes of Russell and Whitehead’s Principia
Mathematica appeared, extending the Fregean program of establishing mathe-
matics on logical grounds. Unfortunately, Russell and Whitehead were forced
to adopt two principles that seemed hard to justify as purely logical: an axiom
of infinity and an axiom of “reducibility.” In the 1900’s Poincaré criticized the
use of “impredicative definitions” in mathematics, and in the 1910’s Brouwer
began proposing to refound all of mathematics in an “intuitionistic” basis,
which avoided the use of the law of the excluded middle (φ ∨ ¬ φ).
Strange days indeed! The program of reducing all of mathematics to logic
is now referred to as “logicism,” and is commonly viewed as having failed,
due to the difficulties mentioned above. The program of developing mathe-
matics in terms of intuitionistic mental constructions is called “intuitionism,”
and is viewed as posing overly severe restrictions on everyday mathemat-
ics. Around the turn of the century, David Hilbert, one of the most influen-
tial mathematicians of all time, was a strong supporter of the new, abstract
methods introduced by Cantor and Dedekind: “no one will drive us from the
paradise that Cantor has created for us.” At the same time, he was sensitive
to foundational criticisms of these new methods (oddly enough, now called
“classical”). He proposed a way of having one’s cake and eating it too:

1. Represent classical methods with formal axioms and rules; represent

mathematical questions as formulas in an axiomatic system.

2. Use safe, “finitary” methods to prove that these formal deductive sys-
tems are consistent.

Hilbert’s work went a long way toward accomplishing the first goal. In
1899, he had done this for geometry in his celebrated book Foundations of ge-

518 Release : d3a1905 (2022-12-19)

33.1. HISTORICAL BACKGROUND

ometry. In subsequent years, he and a number of his students and collabo-

rators worked on other areas of mathematics to do what Hilbert had done
for geometry. Hilbert himself gave axiom systems for arithmetic and analy-
sis. Zermelo gave an axiomatization of set theory, which was expanded on by
Fraenkel, Skolem, von Neumann, and others. By the mid-1920s, there were
two approaches that laid claim to the title of an axiomatization of “all” of
mathematics, the Principia mathematica of Russell and Whitehead, and what
came to be known as Zermelo-Fraenkel set theory.
In 1921, Hilbert set out on a research project to establish the goal of proving
these systems to be consistent. He was aided in this project by several of
his students, in particular Bernays, Ackermann, and later Gentzen. The basic
idea for accomplishing this goal was to cast the question of the possibility of
a derivation of an inconsistency in mathematics as a combinatorial problem
about possible sequences of symbols, namely possible sequences of sentences
which meet the criterion of being a correct derivation of, say, φ ∧ ¬ φ from
the axioms of an axiom system for arithmetic, analysis, or set theory. A proof
of the impossibility of such a sequence of symbols would—since it is itself
a mathematical proof—be formalizable in these axiomatic systems. In other
words, there would be some sentence Con which states that, say, arithmetic
is consistent. Moreover, this sentence should be provable in the systems in
question, especially if its proof requires only very restricted, “finitary” means.
The second aim, that the axiom systems developed would settle every
mathematical question, can be made precise in two ways. In one way, we can
formulate it as follows: For any sentence φ in the language of an axiom system
for mathematics, either φ or ¬ φ is provable from the axioms. If this were true,
then there would be no sentences which can neither be proved nor refuted
on the basis of the axioms, no questions which the axioms do not settle. An
axiom system with this property is called complete. Of course, for any given
sentence it might still be a difficult task to determine which of the two alter-
natives holds. But in principle there should be a method to do so. In fact, for
the axiom and derivation systems considered by Hilbert, completeness would
imply that such a method exists—although Hilbert did not realize this. The
second way to interpret the question would be this stronger requirement: that
there be a mechanical, computational method which would determine, for a
given sentence φ, whether it is derivable from the axioms or not.
In 1931, Gödel proved the two “incompleteness theorems,” which showed
that this program could not succeed. There is no axiom system for mathemat-
ics which is complete, specifically, the sentence that expresses the consistency
of the axioms is a sentence which can neither be proved nor refuted.
This struck a lethal blow to Hilbert’s original program. However, as is so
often the case in mathematics, it also opened up exciting new avenues for re-
search. If there is no one, all-encompassing formal system of mathematics, it
makes sense to develop more circumscribesd systems and investigate what

Release : d3a1905 (2022-12-19) 519

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

can be proved in them. It also makes sense to develop less restricted methods
of proof for establishing the consistency of these systems, and to find ways to
measure how hard it is to prove their consistency. Since Gödel showed that
(almost) every formal system has questions it cannot settle, it makes sense to
look for “interesting” questions a given formal system cannot settle, and to
figure out how strong a formal system has to be to settle them. To the present
day, logicians have been pursuing these questions in a new mathematical dis-
cipline, the theory of proofs.

33.2 Definitions
In order to carry out Hilbert’s project of formalizing mathematics and show-
ing that such a formalization is consistent and complete, the first order of busi-
ness would be that of picking a language, logical framework, and a system of
axioms. For our purposes, let us suppose that mathematics can be formalized
in a first-order language, i.e., that there is some set of constant symbols, func-
tion symbols, and predicate symbols which, together with the connectives and
quatifiers of first-order logic, allow us to express the claims of mathematics.
Most people agree that such a language exists: the language of set theory, in
which ∈ is the only non-logical symbol. That such a simple language is so
expressive is of course a very implausible claim at first sight, and it took a
lot of work to establish that practically of all mathematics can be expressed
in this very austere vocabulary. To keep things simple, for now, let’s restrict
our discussion to arithmetic, so the part of mathematics that just deals with
the natural numbers N. The natural language in which to express facts of
arithmetic is L A . L A contains a single two-place predicate symbol <, a sin-
gle constant symbol 0, one one-place function symbol ′, and two two-place
function symbols + and ×.

Definition 33.1. A set of sentences Γ is a theory if it is closed under entailment,

i.e., if Γ = { φ : Γ ⊨ φ}.

There are two easy ways to specify theories. One is as the set of sentences
true in some structure. For instance, consider the structure for L A in which
the domain is N and all non-logical symbols are interpreted as you would
expect.

Definition 33.2. The standard model of arithmetic is the structure N defined as

follows:

1. |N| = N

2. 0N = 0

3. ′N (n) = n + 1 for all n ∈ N

520 Release : d3a1905 (2022-12-19)

33.2. DEFINITIONS

4. +N (n, m) = n + m for all n, m ∈ N

5. ×N (n, m) = n · m for all n, m ∈ N
6. <N = {⟨n, m⟩ : n ∈ N, m ∈ N, n < m}

Note the difference between × and ·: × is a symbol in the language of

arithmetic. Of course, we’ve chosen it to remind us of multiplication, but ×
is not the multiplication operation but a two-place function symbol (officially,
f12 ). By contrast, · is the ordinary multiplication function. When you see some-
thing like n · m, we mean the product of the numbers n and m; when you see
something like x × y we are talking about a term in the language of arith-
metic. In the standard model, the function symbol times is interpreted as the
function · on the natural numbers. For addition, we use + as both the function
symbol of the language of arithmetic, and the addition function on the natural
numbers. Here you have to use the context to determine what is meant.
Definition 33.3. The theory of true arithmetic is the set of sentences satisfied in
the standard model of arithmetic, i.e.,
TA = { φ : N ⊨ φ}.

TA is a theory, for whenever TA ⊨ φ, φ is satisfied in every structure which

satisfies TA. Since M ⊨ TA, M ⊨ φ, and so φ ∈ TA.
The other way to specify a theory Γ is as the set of sentences entailed by
some set of sentences Γ0 . In that case, Γ is the “closure” of Γ0 under entailment.
Specifying a theory this way is only interesting if Γ0 is explicitly specified, e.g.,
if the elements of Γ0 are listed. At the very least, Γ0 has to be decidable, i.e.,
there has to be a computable test for when a sentence counts as an element
of Γ0 or not. We call the sentences in Γ0 axioms for Γ, and Γ axiomatized by Γ0 .
Definition 33.4. A theory Γ is axiomatized by Γ0 iff
Γ = { φ : Γ0 ⊨ φ}

Definition 33.5. The theory Q axiomatized by the following sentences is known

as “Robinson’s Q” and is a very simple theory of arithmetic.
∀ x ∀y ( x ′ = y′ → x = y) (Q1 )
∀ x 0 ̸= x′ (Q2 )
∀ x ( x = 0 ∨ ∃y x = y′ ) (Q3 )
∀ x ( x + 0) = x (Q4 )
∀ x ∀y ( x + y′ ) = ( x + y)′ (Q5 )
∀ x ( x × 0) = 0 (Q6 )
∀ x ∀y ( x × y′ ) = (( x × y) + x ) (Q7 )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y) (Q8 )

Release : d3a1905 (2022-12-19) 521

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

The set of sentences { Q1 , . . . , Q8 } are the axioms of Q, so Q consists of all

sentences entailed by them:

Q = { φ : { Q1 , . . . , Q8 } ⊨ φ }.

Definition 33.6. Suppose φ( x ) is a formula in L A with free variables x and y1 ,

. . . , yn . Then any sentence of the form

∀y1 . . . ∀yn (( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x ))

is an instance of the induction schema.

Peano arithmetic PA is the theory axiomatized by the axioms of Q together
with all instances of the induction schema.

Every instance of the induction schema is true in N. This is easiest to see

if the formula φ only has one free variable x. Then φ( x ) defines a subset X φ
of N in N. X φ is the set of all n ∈ N such that N, s ⊨ φ( x ) when s( x ) = n. The
corresponding instance of the induction schema is

(( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x )).

If its antecedent is true in N, then 0 ∈ X φ and, whenever n ∈ X φ , so is n + 1.

Since 0 ∈ X φ , we get 1 ∈ X φ . With 1 ∈ X φ we get 2 ∈ X φ . And so on. So for
every n ∈ N, n ∈ X φ . But this means that ∀ x φ( x ) is satisfied in N.
Both Q and PA are axiomatized theories. The big question is, how strong
are they? For instance, can PA prove all the truths about N that can be ex-
pressed in L A ? Specifically, do the axioms of PA settle all the questions that
can be formulated in L A ?
Another way to put this is to ask: Is PA = TA? TA obviously does prove
(i.e., it includes) all the truths about N, and it settles all the questions that
can be formulated in L A , since if φ is a sentence in L A , then either N ⊨ φ or
N ⊨ ¬ φ, and so either TA ⊨ φ or TA ⊨ ¬ φ. Call such a theory complete.

Definition 33.7. A theory Γ is complete iff for every sentence φ in its language,
either Γ ⊨ φ or Γ ⊨ ¬ φ.

By the Completeness Theorem, Γ ⊨ φ iff Γ ⊢ φ, so Γ is complete iff for

every sentence φ in its language, either Γ ⊢ φ or Γ ⊢ ¬ φ.
Another question we are led to ask is this: Is there a computational pro-
cedure we can use to test if a sentence is in TA, in PA, or even just in Q? We
can make this more precise by defining when a set (e.g., a set of sentences) is
decidable.

Definition 33.8. A set X is decidable iff there is a computational procedure

which on input x returns 1 if x ∈ X and 0 otherwise.

522 Release : d3a1905 (2022-12-19)

33.2. DEFINITIONS

So our question becomes: Is TA (PA, Q) decidable?

The answer to all these questions will be: no. None of these theories are
decidable. However, this phenomenon is not specific to these particular theo-
ries. In fact, any theory that satisfies certain conditions is subject to the same
results. One of these conditions, which Q and PA satisfy, is that they are ax-
iomatized by a decidable set of axioms.

Definition 33.9. A theory is axiomatizable if it is axiomatized by a decidable

set of axioms.

Example 33.10. Any theory axiomatized by a finite set of sentences is axioma-

tizable, since any finite set is decidable. Thus, Q, for instance, is axiomatizable.
Schematically axiomatized theories like PA are also axiomatizable. For to
test if ψ is among the axioms of PA, i.e., to compute the function χ X where
χ X (ψ) = 1 if ψ is an axiom of PA and = 0 otherwise, we can do the following:
First, check if ψ is one of the axioms of Q. If it is, the answer is “yes” and the
value of χ X (ψ) = 1. If not, test if it is an instance of the induction schema. This
can be done systematically; in this case, perhaps it’s easiest to see that it can be
done as follows: Any instance of the induction schema begins with a number
of universal quantifiers, and then a sub-formula that is a conditional. The
consequent of that conditional is ∀ x φ( x, y1 , . . . , yn ) where x and y1 , . . . , yn are
all the free variables of φ and the initial quantifiers of ψ bind the variables y1 ,
. . . , yn . Once we have extracted this φ and checked that its free variables match
the variables bound by the universal qauntifiers at the front and ∀ x, we go on
to check that the antecedent of the conditional matches

φ(0, y1 , . . . , yn ) ∧ ∀ x ( φ( x, y1 , . . . , yn ) → φ( x ′ , y1 , . . . , yn ))

Again, if it does, ψ is an instance of the induction schema, and if it doesn’t, ψ

isn’t.

In answering this question—and the more general question of which theo-

ries are complete or decidable—it will be useful to consider also the following
definition. Recall that a set X is enumerable iff it is empty or if there is a sur-
jective function f : N → X. Such a function is called an enumeration of X.

Definition 33.11. A set X is called computably enumerable (c.e. for short) iff it
is empty or it has a computable enumeration.

In addition to axiomatizability, another condition on theories to which the

incompleteness theorems apply will be that they are strong enough to prove
basic facts about computable functions and decidable relations. By “basic
facts,” we mean sentences which express what the values of computable func-
tions are for each of their arguments. And by “strong enough” we mean that
the theories in question count these sentences among its theorems. For in-
stance, consider a prototypical computable function: addition. The value of

Release : d3a1905 (2022-12-19) 523

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

+ for arguments 2 and 3 is 5, i.e., 2 + 3 = 5. A sentence in the language of

arithmetic that expresses that the value of + for arguments 2 and 3 is 5 is:
(2 + 3) = 5. And, e.g., Q proves this sentence. More generally, we would
like there to be, for each computable function f ( x1 , x2 ) a formula φ f ( x1 , x2 , y)
in L A such that Q ⊢ φ f (n1 , n2 , m) whenever f (n1 , n2 ) = m. In this way, Q
proves that the value of f for arguments n1 , n2 is m. In fact, we require that
it proves a bit more, namely that no other number is the value of f for argu-
ments n1 , n2 . And the same goes for decidable relations. This is made precise
in the following two definitions.

Definition 33.12. A formula φ( x1 , . . . , xk , y) represents the function f : Nk →

N in Γ iff whenever f (n1 , . . . , nk ) = m, then

1. Γ ⊢ φ(n1 , . . . , nk , m), and

2. Γ ⊢ ∀y( φ(n1 , . . . , nk , y) → y = m).

Definition 33.13. A formula φ( x1 , . . . , xk ) represents the relation R ⊆ Nk iff,

1. whenever R(n1 , . . . , nk ), Γ ⊢ φ(n1 , . . . , nk ), and

2. whenever not R(n1 , . . . , nk ), Γ ⊢ ¬ φ(n1 , . . . , nk ).

A theory is “strong enough” for the incompleteness theorems to apply if

it represents all computable functions and all decidable relations. Q and its
extensions satisfy this condition, but it will take us a while to establish this—
it’s a non-trivial fact about the kinds of things Q can prove, and it’s hard
to show because Q has only a few axioms from which we’ll have to prove
all these facts. However, Q is a very weak theory. So although it’s hard to
prove that Q represents all computable functions, most interesting theories
are stronger than Q, i.e., prove more than Q does. And if Q proves some-
thing, any stronger theory does; since Q represents all computable functions,
every stronger theory does. This means that many interesting theories meet
this condition of the incompleteness theorems. So our hard work will pay
off, since it shows that the incompleteness theorems apply to a wide range of
theories. Certainly, any theory aiming to formalize “all of mathematics” must
prove everything that Q proves, since it should at the very least be able to cap-
ture the results of elementary computations. So any theory that is a candidate
for a theory of “all of mathematics” will be one to which the incompleteness
theorems apply.

33.3 Overview of Incompleteness Results

Hilbert expected that mathematics could be formalized in an axiomatizable
theory which it would be possible to prove complete and decidable. More-
over, he aimed to prove the consistency of this theory with very weak, “fini-

524 Release : d3a1905 (2022-12-19)

33.3. OVERVIEW OF INCOMPLETENESS RESULTS

tary,” means, which would defend classical mathematics against the chal-
lenges of intuitionism. Gödel’s incompleteness theorems showed that these
goals cannot be achieved.
Gödel’s first incompleteness theorem showed that a version of Russell and
Whitehead’s Principia Mathematica is not complete. But the proof was actu-
ally very general and applies to a wide variety of theories. This means that it
wasn’t just that Principia Mathematica did not manage to completely capture
mathematics, but that no acceptable theory does. It took a while to isolate
the features of theories that suffice for the incompleteness theorems to apply,
and to generalize Gödel’s proof to apply make it depend only on these fea-
tures. But we are now in a position to state a very general version of the first
incompleteness theorem for theories in the language L A of arithmetic.

Theorem 33.14. If Γ is a consistent and axiomatizable theory in L A which repre-

sents all computable functions and decidable relations, then Γ is not complete.

To say that Γ is not complete is to say that for at least one sentence φ,
Γ ⊬ φ and Γ ⊬ ¬ φ. Such a sentence is called independent (of Γ ). We can in
fact relatively quickly prove that there must be independent sentences. But
the power of Gödel’s proof of the theorem lies in the fact that it exhibits a
specific example of such an independent sentence. The intriguing construction
produces a sentence γΓ , called a Gödel sentence for Γ, which is unprovable
because in Γ, γΓ is equivalent to the claim that γΓ is unprovable in Γ. It does
so constructively, i.e., given an axiomatization of Γ and a description of the
derivation system, the proof gives a method for actually writing down γΓ .
The construction in Gödel’s proof requires that we find a way to express
in L A the properties of and operations on terms and formulas of L A itself.
These include properties such as “φ is a sentence,” “δ is a derivation of φ,”
and operations such as φ[t/x ]. This way must (a) express these properties
and relations via a “coding” of symbols and sequences thereof (which is what
terms, formulas, derivations, etc. are) as natural numbers (which is what L A
can talk about). It must (b) do this in such a way that Γ will prove the relevant
facts, so we must show that these properties are coded by decidable properties
of natural numbers and the operations correspond to computable functions on
natural numbers. This is called “arithmetization of syntax.”
Before we investigate how syntax can be arithmetized, however, we will
consider the condition that Γ is “strong enough,” i.e., represents all com-
putable functions and decidable relations. This requires that we give a precise
definition of “computable.” This can be done in a number of ways, e.g., via
the model of Turing machines, or as those functions computable by programs
in some general-purpose programming language. Since our aim is to repre-
sent these functions and relations in a theory in the language L A , however, it
is best to pick a simple definition of computability of just numerical functions.
This is the notion of recursive function. So we will first discuss the recursive

Release : d3a1905 (2022-12-19) 525

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

functions. We will then show that Q already represents all recursive functions
and relations. This will allow us to apply the incompleteness theorem to spe-
cific theories such as Q and PA, since we will have established that these are
examples of theories that are “strong enough.”
The end result of the arithmetization of syntax is a formula Prov Γ ( x ) which,
via the coding of formulas as numbers, expresses provability from the axioms
of Γ. Specifically, if φ is coded by the number n, and Γ ⊢ φ, then Γ ⊢ ProvΓ (n).
This “provability predicate” for Γ allows us also to express, in a certain sense,
the consistency of Γ as a sentence of L A : let the “consistency statement” for Γ
be the sentence ¬ProvΓ (n), where we take n to be the code of a contradiction,
e.g., of ⊥. The second incompleteness theorem states that consistent axioma-
tizable theories also do not prove their own consistency statements. The con-
ditions required for this theorem to apply are a bit more stringent than just
that the theory represents all computable functions and decidable relations,
but we will show that PA satisifes them.

33.4 Undecidability and Incompleteness

Gödel’s proof of the incompleteness theorems require arithmetization of syn-
tax. But even without that we can obtain some nice results just on the assump-
tion that a theory represents all decidable relations. The proof is a diagonal
argument similar to the proof of the undecidability of the halting problem.

Theorem 33.15. If Γ is a consistent theory that represents every decidable relation,

then Γ is not decidable.

Proof. Suppose Γ were decidable. We show that if Γ represents every decid-

able relation, it must be inconsistent.
Decidable properties (one-place relations) are represented by formulas with
one free variable. Let φ0 ( x ), φ1 ( x ), . . . , be a computable enumeration of all
such formulas. Now consider the following set D ⊆ N:

D = {n : Γ ⊢ ¬ φn (n)}

The set D is decidable, since we can test if n ∈ D by first computing φn ( x ), and

from this ¬ φn (n). Obviously, substituting the term n for every free occurrence
of x in φn ( x ) and prefixing φ(n) by ¬ is a mechanical matter. By assumption,
Γ is decidable, so we can test if ¬ φ(n) ∈ Γ. If it is, n ∈ D, and if it isn’t, n ∈
/ D.
So D is likewise decidable.
Since Γ represents all decidable properties, it represents D. And the for-
mulas which represent D in Γ are all among φ0 ( x ), φ1 ( x ), . . . . So let d be a
number such that φd ( x ) represents D in Γ. If d ∈ / D, then, since φd ( x ) repre-
sents D, Γ ⊢ ¬ φd (d). But that means that d meets the defining condition of D,
and so d ∈ D. This contradicts d ∈ / D. So by indirect proof, d ∈ D.

526 Release : d3a1905 (2022-12-19)

33.4. UNDECIDABILITY AND INCOMPLETENESS

Since d ∈ D, by the definition of D, Γ ⊢ ¬ φd (d). On the other hand, since

φd ( x ) represents D in Γ, Γ ⊢ φd (d). Hence, Γ is inconsistent.

The preceding theorem shows that no consistent theory that represents all
decidable relations can be decidable. We will show that Q does represent all
decidable relations; this means that all theories that include Q, such as PA and
TA, also do, and hence also are not decidable. (Since all these theories are true
in the standard model, they are all consistent.))
We can also use this result to obtain a weak version of the first incomplete-
ness theorem. Any theory that is axiomatizable and complete is decidable.
Consistent theories that are axiomatizable and represent all decidable proper-
ties then cannot be complete.

Theorem 33.16. If Γ is axiomatizable and complete it is decidable.

Proof. Any inconsistent theory is decidable, since inconsistent theories contain

all sentences, so the answer to the question “is φ ∈ Γ” is always “yes,” i.e.,
can be decided.
So suppose Γ is consistent, and furthermore is axiomatizable, and com-
plete. Since Γ is axiomatizable, it is computably enumerable. For we can
enumerate all the correct derivations from the axioms of Γ by a computable
function. From a correct derivation we can compute the sentence it derives,
and so together there is a computable function that enumerates all theorems
of Γ. A sentence is a theorem of Γ iff ¬ φ is not a theorem, since Γ is consistent
and complete. We can therefore decide if φ ∈ Γ as follows. Enumerate all
theorems of Γ. When φ appears on this list, we know that Γ ⊢ φ. When ¬ φ
appears on this list, we know that Γ ⊬ φ. Since Γ is complete, one of these
cases eventually obtains, so the procedure eventually produces an answer.

Corollary 33.17. If Γ is consistent, axiomatizable, and represents every decidable

property, it is not complete.

Proof. If Γ were complete, it would be decidable by the previous theorem

(since it is axiomatizable and consistent). But since Γ represents every de-
cidable property, it is not decidable, by the first theorem.

Once we have established that, e.g., Q, represents all decidable properties,

the corollary tells us that Q must be incomplete. However, its proof does not
provide an example of an independent sentence; it merely shows that such
a sentence must exist. For this, we have to arithmetize syntax and follow
Gödel’s original proof idea. And of course, we still have to show the first
claim, namely that Q does, in fact, represent all decidable properties.
It should be noted that not every interesting theory is incomplete or unde-
cidable. There are many theories that are sufficiently strong to describe inter-
esting mathematical facts that do not satisify the conditions of Gödel’s result.

Release : d3a1905 (2022-12-19) 527

 CHAPTER 33. INTRODUCTION TO INCOMPLETENESS

For instance, Pres = { φ ∈ L A+ : N ⊨ φ}, the set of sentences of the language

of arithmetic without × true in the standard model, is both complete and de-
cidable. This theory is called Presburger arithmetic, and proves all the truths
about natural numbers that can be formulated just with 0, ′, and +.

Problems
Problem 33.1. Show that TA = { φ : N ⊨ φ} is not axiomatizable. You may
assume that TA represents all decidable properties.

528 Release : d3a1905 (2022-12-19)

Chapter 34

Arithmetization of Syntax

Note that arithmetization for signed tableaux is not yet available.

34.1 Introduction
In order to connect computability and logic, we need a way to talk about the
objects of logic (symbols, terms, formulas, derivations), operations on them,
and their properties and relations, in a way amenable to computational treat-
ment. We can do this directly, by considering computable functions and re-
lations on symbols, sequences of symbols, and other objects built from them.
Since the objects of logical syntax are all finite and built from an enumerable
sets of symbols, this is possible for some models of computation. But other
models of computation—such as the recursive functions—-are restricted to
numbers, their relations and functions. Moreover, ultimately we also want
to be able to deal with syntax within certain theories, specifically, in theo-
ries formulated in the language of arithmetic. In these cases it is necessary to
arithmetize syntax, i.e., to represent syntactic objects, operations on them, and
their relations, as numbers, arithmetical functions, and arithmetical relations,
respectively. The idea, which goes back to Leibniz, is to assign numbers to
syntactic objects.
It is relatively straightforward to assign numbers to symbols as their “codes.”
Some symbols pose a bit of a challenge, since, e.g., there are infinitely many
variables, and even infinitely many function symbols of each arity n. But of
course it’s possible to assign numbers to symbols systematically in such a way
that, say, v2 and v3 are assigned different codes. Sequences of symbols (such
as terms and formulas) are a bigger challenge. But if we can deal with se-
quences of numbers purely arithmetically (e.g., by the powers-of-primes cod-
ing of sequences), we can extend the coding of individual symbols to coding
of sequences of symbols, and then further to sequences or other arrangements

529
 CHAPTER 34. ARITHMETIZATION OF SYNTAX

of formulas, such as derivations. This extended coding is called “Gödel num-

bering.” Every term, formula, and derivation is assigned a Gödel number.
By coding sequences of symbols as sequences of their codes, and by chos-
ing a system of coding sequences that can be dealt with using computable
functions, we can then also deal with Gödel numbers using computable func-
tions. In practice, all the relevant functions will be primitive recursive. For
instance, computing the length of a sequence and computing the i-th element
of a sequence from the code of the sequence are both primitive recursive. If
the number coding the sequence is, e.g., the Gödel number of a formula φ,
we immediately see that the length of a formula and the (code of the) i-th
symbol in a formula can also be computed from the Gödel number of φ. It
is a bit harder to prove that, e.g., the property of being the Gödel number of
a correctly formed term or of a correct derivation is primitive recursive. It
is nevertheless possible, because the sequences of interest (terms, formulas,
derivations) are inductively defined.
As an example, consider the operation of substitution. If φ is a formula,
x a variable, and t a term, then φ[t/x ] is the result of replacing every free
occurrence of x in φ by t. Now suppose we have assigned Gödel numbers to φ,
x, t—say, k, l, and m, respectively. The same scheme assigns a Gödel number
to φ[t/x ], say, n. This mapping—of k, l, and m to n—is the arithmetical analog
of the substitution operation. When the substitution operation maps φ, x, t to
φ[t/x ], the arithmetized substitution functions maps the Gödel numbers k, l,
m to the Gödel number n. We will see that this function is primitive recursive.
Arithmetization of syntax is not just of abstract interest, although it was
originally a non-trivial insight that languages like the language of arithmetic,
which do not come with mechanisms for “talking about” languages can, after
all, formalize complex properties of expressions. It is then just a small step to
ask what a theory in this language, such as Peano arithmetic, can prove about
its own language (including, e.g., whether sentences are provable or true).
This leads us to the famous limitative theorems of Gödel (about unprovability)
and Tarski (the undefinability of truth). But the trick of arithmetizing syntax
is also important in order to prove some important results in computability
theory, e.g., about the computational power of theories or the relationship be-
tween different models of computability. The arithmetization of syntax serves
as a model for arithmetizing other objects and properties. For instance, it is
similarly possible to arithmetize configurations and computations (say, of Tur-
ing machines). This makes it possible to simulate computations in one model
(e.g., Turing machines) in another (e.g., recursive functions).

34.2 Coding Symbols

The basic language L of first order logic makes use of the symbols

⊥ ¬ ∨ ∧ → ∀ ∃ = ( ) ,

530 Release : d3a1905 (2022-12-19)

34.2. CODING SYMBOLS

together with enumerable sets of variables and constant symbols, and enu-
merable sets of function symbols and predicate symbols of arbitrary arity. We
can assign codes to each of these symbols in such a way that every symbol is
assigned a unique number as its code, and no two different symbols are as-
signed the same number. We know that this is possible since the set of all
symbols is enumerable and so there is a bijection between it and the set of nat-
ural numbers. But we want to make sure that we can recover the symbol (as
well as some information about it, e.g., the arity of a function symbol) from
its code in a computable way. There are many possible ways of doing this,
of course. Here is one such way, which uses primitive recursive functions.
(Recall that ⟨n0 , . . . , nk ⟩ is the number coding the sequence of numbers n0 , . . . ,
nk .)

Definition 34.1. If s is a symbol of L, let the symbol code cs be defined as fol-

lows:

1. If s is among the logical symbols, cs is given by the following table:

⊥ ¬ ∨ ∧ → ∀
⟨0, 0⟩ ⟨0, 1⟩ ⟨0, 2⟩ ⟨0, 3⟩ ⟨0, 4⟩ ⟨0, 5⟩
∃ = ( ) ,
⟨0, 6⟩ ⟨0, 7⟩ ⟨0, 8⟩ ⟨0, 9⟩ ⟨0, 10⟩

2. If s is the i-th variable vi , then cs = ⟨1, i ⟩.

3. If s is the i-th constant symbol ci , then cs = ⟨2, i ⟩.

4. If s is the i-th n-ary function symbol fin , then cs = ⟨3, n, i ⟩.

5. If s is the i-th n-ary predicate symbol Pin , then cs = ⟨4, n, i ⟩.

Proposition 34.2. The following relations are primitive recursive:

1. Fn( x, n) iff x is the code of fin for some i, i.e., x is the code of an n-ary function
symbol.

2. Pred( x, n) iff x is the code of Pin for some i or x is the code of = and n = 2,
i.e., x is the code of an n-ary predicate symbol.

Definition 34.3. If s0 , . . . , sn−1 is a sequence of symbols, its Gödel number is

⟨ c s 0 , . . . , c s n −1 ⟩ .

Note that codes and Gödel numbers are different things. For instance, the
variable v5 has a code cv5 = ⟨1, 5⟩ = 22 · 36 . But the variable v5 considered as
a term is also a sequence of symbols (of length 1). The Gödel number # v5 # of the
2 6
term v5 is ⟨cv5 ⟩ = 2cv5 +1 = 22 ·3 +1 .

Release : d3a1905 (2022-12-19) 531

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

Example 34.4. Recall that if k0 , . . . , k n−1 is a sequence of numbers, then the

code of the sequence ⟨k0 , . . . , k n−1 ⟩ in the power-of-primes coding is
k
2k0 +1 · 3k1 +1 · · · · · pnn−−11 ,

where pi is the i-th prime (starting with p0 = 2). So for instance, the formula
v0 = 0, or, more explicitly, =(v0 , c0 ), has the Gödel number

⟨c= , c( , cv0 , c, , cc0 , c) ⟩.

Here, c= is ⟨0, 7⟩ = 20+1 · 37=1 , cv0 is ⟨1, 0⟩ = 21+1 · 30+1 , etc. So # = (v0 , c0 )# is

2c= +1 · 3c( +1 · 5cv0 +1 · 7c, +1 · 11cc0 +1 · 13c) +1 =

1 · 38 + 1 1 · 39 + 1 2 · 31 + 1 1 ·311 +1 3 · 31 + 1 1 ·310 +1
22 · 32 · 52 · 72 · 112 · 132 =
13 123 39 367 13 354 295
2 ·3 ·5 ·7 · 11 · 13118 099 .
25

34.3 Coding Terms

A term is simply a certain kind of sequence of symbols: it is built up induc-
tively from constants and variables according to the formation rules for terms.
Since sequences of symbols can be coded as numbers—using a coding scheme
for the symbols plus a way to code sequences of numbers—assigning Gödel
numbers to terms is not difficult. The challenge is rather to show that the
property a number has if it is the Gödel number of a correctly formed term is
computable, or in fact primitive recursive.
Variables and constant symbols are the simplest terms, and testing whether
x is the Gödel number of such a term is easy: Var( x ) holds if x is # vi # for some i.
In other words, x is a sequence of length 1 and its single element ( x )0 is the
code of some variable vi , i.e., x is ⟨⟨1, i ⟩⟩ for some i. Similarly, Const( x ) holds
if x is # ci # for some i. Both of these relations are primitive recursive, since if
such an i exists, it must be < x:

Var( x ) ⇔ (∃i < x ) x = ⟨⟨1, i ⟩⟩

Const( x ) ⇔ (∃i < x ) x = ⟨⟨2, i ⟩⟩

Proposition 34.5. The relations Term( x ) and ClTerm( x ) which hold iff x is the
Gödel number of a term or a closed term, respectively, are primitive recursive.

Proof. A sequence of symbols s is a term iff there is a sequence s0 , . . . , sk−1 = s

of terms which records how the term s was formed from constant symbols
and variables according to the formation rules for terms. To express that such
a putative formation sequence follows the formation rules it has to be the case
that, for each i < k, either

532 Release : d3a1905 (2022-12-19)

34.3. CODING TERMS

1. si is a variable v j , or

2. si is a constant symbol c j , or

3. si is built from n terms t1 , . . . , tn occurring prior to place i using an n-

place function symbol f jn .

To show that the corresponding relation on Gödel numbers is primitive re-

cursive, we have to express this condition primitive recursively, i.e., using
primitive recursive functions, relations, and bounded quantification.
Suppose y is the number that codes the sequence s0 , . . . , sk−1 , i.e., y =
⟨# s0 # , . . . , # sk−1 # ⟩. It codes a formation sequence for the term with Gödel num-
ber x iff for all i < k:

1. Var((y)i ), or

2. Const((y)i ), or

3. there is an n and a number z = ⟨z1 , . . . , zn ⟩ such that each zl is equal to

some (y)i′ for i′ < i and

(y)i = # f jn (# ⌢ flatten(z) ⌢ # )# ,

and moreover (y)k−1 = x. (The function flatten(z) turns the sequence ⟨# t1 # , . . . , # tn # ⟩

into # t1 , . . . , tn # and is primitive recursive.)
The indices j, n, the Gödel numbers zl of the terms tl , and the code z of the
sequence ⟨z1 , . . . , zn ⟩, in (3) are all less than y. We can replace k above with
len(y). Hence we can express “y is the code of a formation sequence of the
term with Gödel number x” in a way that shows that this relation is primitive
recursive.
We now just have to convince ourselves that there is a primitive recursive
bound on y. But if x is the Gödel number of a term, it must have a formation
sequence with at most len( x ) terms (since every term in the formation se-
quence of s must start at some place in s, and no two subterms can start at the
same place). The Gödel number of each subterm of s is of course ≤ x. Hence,
k ( x +1)
there always is a formation sequence with code ≤ pk−1 , where k = len( x ).
For ClTerm, simply leave out the clause for variables.

Proposition 34.6. The function num(n) = # n# is primitive recursive.

Proof. We define num(n) by primitive recursion:

num(0) = # 0#
num(n + 1) = # ′(# ⌢ num(n) ⌢ # )# .

Release : d3a1905 (2022-12-19) 533

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

34.4 Coding Formulas

Proposition 34.7. The relation Atom( x ) which holds iff x is the Gödel number of
an atomic formula, is primitive recursive.

Proof. The number x is the Gödel number of an atomic formula iff one of the
following holds:

1. There are n, j < x, and z < x such that for each i < n, Term((z)i ) and
x=
# n #
P j ( ⌢ flatten(z) ⌢ # )# .

2. There are z1 , z2 < x such that Term(z1 ), Term(z2 ), and x =

#
=(# ⌢ z1 ⌢ # ,# ⌢ z2 ⌢ # )# .

3. x = # ⊥# .

Proposition 34.8. The relation Frm( x ) which holds iff x is the Gödel number of
a formula is primitive recursive.

Proof. A sequence of symbols s is a formula iff there is formation sequence s0 ,

. . . , sk−1 = s of formula which records how s was formed from atomic formu-
las according to the formation rules. The code for each si (and indeed of the
code of the sequence ⟨s0 , . . . , sk−1 ⟩) is less than the code x of s.

Proposition 34.9. The relation FreeOcc( x, z, i ), which holds iff the i-th symbol of
the formula with Gödel number x is a free occurrence of the variable with Gödel num-
ber z, is primitive recursive.

Proof. Exercise.

Proposition 34.10. The property Sent( x ) which holds iff x is the Gödel number of
a sentence is primitive recursive.

Proof. A sentence is a formula without free occurrences of variables. So Sent( x )

holds iff

(∀i < len( x )) (∀z < x )

((∃ j < z) z = # v j # → ¬FreeOcc( x, z, i )).

534 Release : d3a1905 (2022-12-19)

34.5. SUBSTITUTION

34.5 Substitution
Recall that substitution is the operation of replacing all free occurrences of
a variable u in a formula φ by a term t, written φ[t/u]. This operation, when
carried out on Gödel numbers of variables, formulas, and terms, is primitive
recursive.

Proposition 34.11. There is a primitive recursive function Subst( x, y, z) with the

property that
Subst(# φ# , # t# , # u# ) = # φ[t/u]# .

Proof. We can then define a function hSubst by primitive recursion as follows:

hSubst( x, y, z, 0) = Λ
hSubst( x, y, z, i + 1) =
(
hSubst( x, y, z, i ) ⌢ y if FreeOcc( x, z, i )
append(hSubst( x, y, z, i ), ( x )i ) otherwise.

Subst( x, y, z) can now be defined as hSubst( x, y, z, len( x )).

Proposition 34.12. The relation FreeFor( x, y, z), which holds iff the term with Gödel
number y is free for the variable with Gödel number z in the formula with Gödel num-
ber x, is primitive recursive.

Proof. Exercise.

34.6 Derivations in LK
In order to arithmetize derivations, we must represent derivations as num-
bers. Since derivations are trees of sequents where each inference carries also
a label, a recursive representation is the most obvious approach: we represent
a derivation as a tuple, the components of which are the end-sequent, the la-
bel, and the representations of the sub-derivations leading to the premises of
the last inference.

Definition 34.13. If Γ is a finite sequence of sentences, Γ = ⟨ φ1 , . . . , φn ⟩, then

# #
Γ = ⟨# φ1 # , . . . , # φ n # ⟩.
If Γ ⇒ ∆ is a sequent, then a Gödel number of Γ ⇒ ∆ is
#
Γ ⇒ ∆# = ⟨# Γ# , # ∆# ⟩

If π is a derivation in LK, then # π # is defined as follows:

1. If π consists only of the initial sequent Γ ⇒ ∆, then # π # is

⟨0, # Γ ⇒ ∆# ⟩.

Release : d3a1905 (2022-12-19) 535

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

2. If π ends in an inference with one or two premises, has Γ ⇒ ∆ as its

conclusion, and π1 and π2 are the immediate subproof ending in the
premise of the last inference, then # π # is

⟨1, # π1 # , # Γ ⇒ ∆# , k⟩ or
⟨2, # π1 # , # π2 # , # Γ ⇒ ∆# , k⟩,
respectively, where k is given by the following table according to which
rule was used in the last inference:
Rule: WL WR CL CR XL XR
k: 1 2 3 4 5 6

Rule: ¬L ¬R ∧L ∧R ∨L ∨R
k: 7 8 9 10 11 12

Rule: →L →R ∀L ∀R ∃L ∃R
k: 13 14 15 16 17 18

Rule: Cut =
k: 19 20

Example 34.14. Consider the very simple derivation

φ ⇒ φ
φ∧ψ ⇒ φ
∧L
→R
⇒ ( φ ∧ ψ) → φ
The Gödel number of the initial sequent would be p0 = ⟨0, # φ ⇒ φ# ⟩. The
Gödel number of the derivation ending in the conclusion of ∧L would be p1 =
⟨1, p0 , # φ ∧ ψ ⇒ φ# , 9⟩ (1 since ∧L has one premise, the Gödel number of the
conclusion φ ∧ ψ ⇒ φ, and 9 is the number coding ∧L). The Gödel number of
the entire derivation then is ⟨1, p1 , # ⇒ ( φ ∧ ψ) → φ)# , 14⟩, i.e.,

⟨1, ⟨1, ⟨0, # φ ⇒ φ)# ⟩, # φ ∧ ψ ⇒ φ# , 9⟩, # ⇒ ( φ ∧ ψ) → φ# , 14⟩.

Having settled on a representation of derivations, we must also show that

we can manipulate such derivations primitive recursively, and express their
essential properties and relations so. Some operations are simple: e.g., given
a Gödel number p of a derivation, EndSeq( p) = ( p)( p)0 +1 gives us the Gödel
number of its end-sequent and LastRule( p) = ( p)( p)0 +2 the code of its last
rule. The property Sequent(s) defined by

len(s) = 2 ∧ (∀i < len((s)0 ) + len((s)1 )) Sent(((s)0 ⌢ (s)1 )i )

holds of s iff s is the Gödel number of a sequent consisting of sentences. Some

are much harder. We’ll at least sketch how to do this. The goal is to show that
the relation “π is a derivation of φ from Γ” is a primitive recursive relation of
the Gödel numbers of π and φ.

536 Release : d3a1905 (2022-12-19)

34.6. DERIVATIONS IN LK

Proposition 34.15. The property Correct( p) which holds iff the last inference in the
derivation π with Gödel number p is correct, is primitive recursive.

Proof. Γ ⇒ ∆ is an initial sequent if either there is a sentence φ such that

Γ ⇒ ∆ is φ ⇒ φ, or there is a term t such that Γ ⇒ ∆ is ∅ ⇒ t = t. In terms of
Gödel numbers, InitSeq(s) holds iff

(∃ x < s) (Sent( x ) ∧ s = ⟨⟨ x ⟩, ⟨ x ⟩⟩) ∨

(∃t < s) (Term(t) ∧ s = ⟨0, ⟨# =(# ⌢ t ⌢ # ,# ⌢ t ⌢ # )# ⟩⟩).

We also have to show that for each rule of inference R the relation FollowsByR ( p)
is primitive recursive, where FollowsByR ( p) holds iff p is the Gödel number
of derivation π, and the end-sequent of π follows by a correct application of R
from the immediate sub-derivations of π.
A simple case is that of the ∧R rule. If π ends in a correct ∧R inference, it
looks like this:

π1 π2

Γ ⇒ ∆, φ Γ ⇒ ∆, ψ
∧R
Γ ⇒ ∆, φ ∧ ψ

So, the last inference in the derivation π is a correct application of ∧R iff there
are sequences of sentences Γ and ∆ as well as two sentences φ and ψ such that
the end-sequent of π1 is Γ ⇒ ∆, φ, the end-sequent of π2 is Γ ⇒ ∆, ψ, and the
end-sequent of π is Γ ⇒ ∆, φ ∧ ψ. We just have to translate this into Gödel
numbers. If s = # Γ ⇒ ∆# then (s)0 = # Γ# and (s)1 = # ∆# . So, FollowsBy∧R ( p)
holds iff

(∃ g < p) (∃d < p) (∃ a < p) (∃b < p)

EndSequent( p) = ⟨ g, d ⌢ ⟨# (# ⌢ a ⌢ # ∧# ⌢ b ⌢ # )# ⟩⟩ ∧
EndSequent(( p)1 ) = ⟨ g, d ⌢ ⟨ a⟩⟩ ∧
EndSequent(( p)2 ) = ⟨ g, d ⌢ ⟨b⟩⟩ ∧
( p)0 = 2 ∧ LastRule( p) = 10.

The individual lines express, respectively, “there is a sequence (Γ) with Gödel
number g, there is a sequence (∆) with Gödel number d, a formula (φ) with
Gödel number a, and a formula (ψ) with Gödel number b,” such that “the
end-sequent of π is Γ ⇒ ∆, φ ∧ ψ,” “the end-sequent of π1 is Γ ⇒ ∆, φ,” “the
end-sequent of π2 is Γ ⇒ ∆, ψ,” and “π has two immediate subderivations
and the last inference rule is ∧R (with number 10).”
The last inference in π is a correct application of ∃R iff there are sequences
Γ and ∆, a formula φ, a variable x, and a term t, such that the end-sequent of

Release : d3a1905 (2022-12-19) 537

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

π is Γ ⇒ ∆, ∃ x φ and the end-sequent of π1 is Γ ⇒ ∆, φ[t/x ]. So in terms of

Gödel numbers, we have FollowsBy∃R ( p) iff

(∃ g < p) (∃d < p) (∃ a < p) (∃ x < p) (∃t < p)

EndSequent( p) = ⟨ g, d ⌢ ⟨# ∃# ⌢ x ⌢ a⟩⟩ ∧
EndSequent(( p)1 ) = ⟨ g, d ⌢ ⟨Subst( a, t, x )⟩⟩ ∧
( p)0 = 1 ∧ LastRule( p) = 18.

We then define Correct( p) as

Sequent(EndSequent( p)) ∧
[(LastRule( p) = 1 ∧ FollowsByWL ( p)) ∨ · · · ∨
(LastRule( p) = 20 ∧ FollowsBy= ( p)) ∨
( p)0 = 0 ∧ InitialSeq(EndSequent( p))]

The first line ensures that the end-sequent of d is actually a sequent consisting
of sentences. The last line covers the case where p is just an initial sequent.

Proposition 34.16. The relation Deriv( p) which holds if p is the Gödel number of a
correct derivation π, is primitive recursive.

Proof. A derivation π is correct if every one of its inferences is a correct ap-

plication of a rule, i.e., if every one of its sub-derivations ends in a correct
inference. So, Deriv(d) iff

(∀i < len(SubtreeSeq( p))) Correct((SubtreeSeq( p))i .

Proposition 34.17. Suppose Γ is a primitive recursive set of sentences. Then the

relation PrfΓ ( x, y) expressing “x is the code of a derivation π of Γ0 ⇒ φ for some
finite Γ0 ⊆ Γ and y is the Gödel number of φ” is primitive recursive.

Proof. Suppose “y ∈ Γ” is given by the primitive recursive predicate R Γ (y).

We have to show that PrfΓ ( x, y) which holds iff y is the Gödel number of a
sentence φ and x is the code of an LK-derivation with end-sequent Γ0 ⇒ φ is
primitive recursive.
By the previous proposition, the property Deriv( x ) which holds iff x is the
code of a correct derivation π in LK is primitive recursive. If x is such a code,
then EndSequent( x ) is the code of the end-sequent of π, and so (EndSequent( x ))0
is the code of the left side of the end sequent and (EndSequent( x ))1 the right
side. So we can express “the right side of the end-sequent of π is φ” as
len((EndSequent( x ))1 ) = 1 ∧ ((EndSequent( x ))1 )0 = x. The left side of the

538 Release : d3a1905 (2022-12-19)

34.7. DERIVATIONS IN NATURAL DEDUCTION

end-sequent of π is of course automatically finite, we just have to express that

every sentence in it is in Γ. Thus we can define PrfΓ ( x, y) by
PrfΓ ( x, y) ⇔ Deriv( x ) ∧
(∀i < len((EndSequent( x ))0 )) R Γ (((EndSequent( x ))0 )i ) ∧
len((EndSequent( x ))1 ) = 1 ∧ ((EndSequent( x ))1 )0 = y.

34.7 Derivations in Natural Deduction

In order to arithmetize derivations, we must represent derivations as num-
bers. Since derivations are trees of formulas where each inference carries one
or two labels, a recursive representation is the most obvious approach: we
represent a derivation as a tuple, the components of which are the number of
immediate sub-derivations leading to the premises of the last inference, the
representations of these sub-derivations, and the end-formula, the discharge
label of the last inference, and a number indicating the type of the last infer-
ence.
Definition 34.18. If δ is a derivation in natural deduction, then # δ# is defined
inductively as follows:
1. If δ consists only of the assumption φ, then # δ# is ⟨0, # φ# , n⟩. The num-
ber n is 0 if it is an undischarged assumption, and the numerical label
otherwise.
2. If δ ends in an inference with one, two, or three premises, then # δ# is
⟨1, # δ1 # , # φ# , n, k⟩,
⟨2, # δ1 # , # δ2 # , # φ# , n, k⟩, or
⟨3, # δ1 # , # δ2 # , # δ3 # , # φ# , n, k⟩,
respectively. Here δ1 , δ2 , δ3 are the sub-derivations ending in the premise(s)
of the last inference in δ, φ is the conclusion of the last inference in δ, n
is the discharge label of the last inference (0 if the inference does not dis-
charge any assumptions), and k is given by the following table according
to which rule was used in the last inference.
Rule: ∧Intro ∧Elim ∨Intro ∨Elim
k: 1 2 3 4
Rule: →Intro →Elim ¬Intro ¬Elim
k: 5 6 7 8
Rule: ⊥I ⊥C ∀Intro ∀Elim
k: 9 10 11 12
Rule: ∃Intro ∃Elim =Intro =Elim
k: 13 14 15 16

Release : d3a1905 (2022-12-19) 539

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

Example 34.19. Consider the very simple derivation

[ φ ∧ ψ ]1
φ ∧Elim
1 →Intro
( φ ∧ ψ) → φ

The Gödel number of the assumption would be d0 = ⟨0, # φ ∧ ψ# , 1⟩. The

Gödel number of the derivation ending in the conclusion of ∧Elim would be
d1 = ⟨1, d0 , # φ# , 0, 2⟩ (1 since ∧Elim has one premise, the Gödel number of con-
clusion φ, 0 because no assumption is discharged, and 2 is the number coding
∧Elim). The Gödel number of the entire derivation then is ⟨1, d1 , # (( φ ∧ ψ) → φ)# , 1, 5⟩,
i.e.,
⟨1, ⟨1, ⟨0, # ( φ ∧ ψ)# , 1⟩, # φ# , 0, 2⟩, # (( φ ∧ ψ) → φ)# , 1, 5⟩.

Having settled on a representation of derivations, we must also show that

we can manipulate Gödel numbers of such derivations primitive recursively,
and express their essential properties and relations. Some operations are sim-
ple: e.g., given a Gödel number d of a derivation, EndFmla(d) = (d)(d)0 +1
gives us the Gödel number of its end-formula, DischargeLabel(d) = (d)(d)0 +2
gives us the discharge label and LastRule(d) = (d)(d)0 +3 the number indicat-
ing the type of the last inference. Some are much harder. We’ll at least sketch
how to do this. The goal is to show that the relation “δ is a derivation of φ
from Γ” is a primitive recursive relation of the Gödel numbers of δ and φ.

Proposition 34.20. The following relations are primitive recursive:

1. φ occurs as an assumption in δ with label n.

2. All assumptions in δ with label n are of the form φ (i.e., we can discharge the
assumption φ using label n in δ).

Proof. We have to show that the corresponding relations between Gödel num-
bers of formulas and Gödel numbers of derivations are primitive recursive.

1. We want to show that Assum( x, d, n), which holds if x is the Gödel num-
ber of an assumption of the derivation with Gödel number d labelled n,
is primitive recursive. This is the case if the derivation with Gödel num-
ber ⟨0, x, n⟩ is a sub-derivation of d. Note that the way we code deriva-
tions is a special case of the coding of trees introduced in section 29.12,
so the primitive recursive function SubtreeSeq(d) gives a sequence of
Gödel numbers of all sub-derivations of d (of length a most d). So we
can define

Assum( x, d, n) ⇔ (∃i < d) (SubtreeSeq(d))i = ⟨0, x, n⟩.

540 Release : d3a1905 (2022-12-19)

34.7. DERIVATIONS IN NATURAL DEDUCTION

2. We want to show that Discharge( x, d, n), which holds if all assumptions

with label n in the derivation with Gödel number d all are the formula
with Gödel number x. But this relation holds iff (∀y < d) (Assum(y, d, n) →
y = x ).

Proposition 34.21. The property Correct(d) which holds iff the last inference in the
derivation δ with Gödel number d is correct, is primitive recursive.

Proof. Here we have to show that for each rule of inference R the relation
FollowsByR (d) is primitive recursive, where FollowsByR (d) holds iff d is the
Gödel number of derivation δ, and the end-formula of δ follows by a correct
application of R from the immediate sub-derivations of δ.
A simple case is that of the ∧Intro rule. If δ ends in a correct ∧Intro infer-
ence, it looks like this:

δ1 δ2

φ ψ
∧Intro
φ∧ψ

Then the Gödel number d of δ is ⟨2, d1 , d2 , # ( φ ∧ ψ)# , 0, k ⟩ where EndFmla(d1 ) =

# #
φ , EndFmla(d2 ) = # B# , n = 0, and k = 1. So we can define FollowsBy∧Intro (d)
as

(d)0 = 2 ∧ DischargeLabel(d) = 0 ∧ LastRule(d) = 1 ∧

EndFmla(d) = # (# ⌢ EndFmla((d)1 ) ⌢ # ∧# ⌢ EndFmla((d)2 ) ⌢ # )# .

Another simple example if the =Intro rule. Here the premise is an empty
derivation, i.e., (d)1 = 0, and no discharge label, i.e., n = 0. However, φ must
be of the form t = t, for a closed term t. Here, a primitive recursive definition
is

(d)0 = 1 ∧ (d)1 = 0 ∧ DischargeLabel(d) = 0 ∧

(∃t < d) (ClTerm(t) ∧ EndFmla(d) = # =(# ⌢ t ⌢ # ,# ⌢ t ⌢ # )# )

For a more complicated example, FollowsBy→Intro (d) holds iff the end-
formula of δ is of the form ( φ → ψ), where the end-formula of δ1 is ψ, and
any assumption in δ labelled n is of the form φ. We can express this primitive
recursively by

( d )0 = 1 ∧
(∃ a < d) (Discharge( a, (d)1 , DischargeLabel(d)) ∧
EndFmla(d) = (# (# ⌢ a ⌢ # →# ⌢ EndFmla((d)1 ) ⌢ # )# ))

Release : d3a1905 (2022-12-19) 541

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

(Think of a as the Gödel number of φ).

For another example, consider ∃Intro. Here, the last inference in δ is correct
iff there is a formula φ, a closed term t and a variable x such that φ[t/x ] is
the end-formula of the derivation δ1 and ∃ x φ is the conclusion of the last
inference. So, FollowsBy∃Intro (d) holds iff

(d)0 = 1 ∧ DischargeLabel(d) = 0 ∧
(∃ a < d) (∃ x < d) (∃t < d) (ClTerm(t) ∧ Var( x ) ∧
Subst( a, t, x ) = EndFmla((d)1 ) ∧ EndFmla(d) = (# ∃# ⌢ x ⌢ a)).

We then define Correct(d) as

Sent(EndFmla(d)) ∧
(LastRule(d) = 1 ∧ FollowsBy∧Intro (d)) ∨ · · · ∨
(LastRule(d) = 16 ∧ FollowsBy=Elim (d)) ∨
(∃n < d) (∃ x < d) (d = ⟨0, x, n⟩).

The first line ensures that the end-formula of d is a sentence. The last line
covers the case where d is just an assumption.

Proposition 34.22. The relation Deriv(d) which holds if d is the Gödel number of a
correct derivation δ, is primitive recursive.

Proof. A derivation δ is correct if every one of its inferences is a correct ap-

plication of a rule, i.e., if every one of its sub-derivations ends in a correct
inference. So, Deriv(d) iff

(∀i < len(SubtreeSeq(d))) Correct((SubtreeSeq(d))i )

Proposition 34.23. The relation OpenAssum(z, d) that holds if z is the Gödel num-
ber of an undischarged assumption φ of the derivation δ with Gödel number d, is
primitive recursive.

Proof. An occurrence of an assumption is discharged if it occurs with label n

in a sub-derivation of δ that ends in a rule with discharge label n. So φ is
an undischarged assumption of δ if at least one of its occurrences is not dis-
charged in δ. We must be careful: δ may contain both discharged and undis-
charged occurrences of φ.
Consider a sequence δ0 , . . . , δk where δ0 = δ, δk is the assumption [ φ]n (for
some n), and δi+1 is an immediate sub-derivation of δi . If such a sequence
exists in which no δi ends in an inference with discharge label n, then φ is
an undischarged assumption of δ.
The primitive recursive function SubtreeSeq(d) provides us with a sequence
of Gödel numbers of all sub-derivations of δ. Any sequence of Gödel numbers

542 Release : d3a1905 (2022-12-19)

34.8. AXIOMATIC DERIVATIONS

of sub-derivations of δ is a subsequence of it. Being a subsequence of is a prim-

itive recursive relation: Subseq(s, s′ ) holds iff (∀i < len(s)) ∃ j < len(s′ ) (s)i =
(s) j . Being an immediate sub-derivation is as well: Subderiv(d, d′ ) iff (∃ j <
(d′ )0 ) d = (d′ ) j . So we can define OpenAssum(z, d) by

(∃s < SubtreeSeq(d)) (Subseq(s, SubtreeSeq(d)) ∧ (s)0 = d ∧

(∃n < d) ((s)len(s)−̇1 = ⟨0, z, n⟩ ∧
(∀i < (len(s) −̇ 1)) (Subderiv((s)i+1 , (s)i )] ∧
DischargeLabel((s)i+1 ) ̸= n))).

Proposition 34.24. Suppose Γ is a primitive recursive set of sentences. Then the

relation PrfΓ ( x, y) expressing “x is the code of a derivation δ of φ from undischarged
assumptions in Γ and y is the Gödel number of φ” is primitive recursive.

Proof. Suppose “y ∈ Γ” is given by the primitive recursive predicate R Γ (y).

We have to show that PrfΓ ( x, y) which holds iff y is the Gödel number of
a sentence φ and x is the code of a natural deduction derivation with end
formula φ and all undischarged assumptions in Γ is primitive recursive.
By Proposition 34.22, the property Deriv( x ) which holds iff x is the Gödel
number of a correct derivation δ in natural deduction is primitive recursive.
Thus we can define PrfΓ ( x, y) by

PrfΓ ( x, y) ⇔ Deriv( x ) ∧ EndFmla( x ) = y ∧

(∀z < x ) (OpenAssum(z, x ) → R Γ (z)).

34.8 Axiomatic Derivations

In order to arithmetize axiomatic derivations, we must represent derivations
as numbers. Since derivations are simply sequences of formulas, the obvious
approach is to code every derivation as the code of the sequence of codes of
formulas in it.

Definition 34.25. If δ is an axiomatic derivation consisting of formulas φ1 ,

. . . , φn , then # δ# is
⟨# φ1 # , . . . , # φ n # ⟩.

Example 34.26. Consider the very simple derivation:

1. ψ → (ψ ∨ φ)
2. (ψ → (ψ ∨ φ)) → ( φ → (ψ → (ψ ∨ φ)))
3. φ → (ψ → (ψ ∨ φ))

Release : d3a1905 (2022-12-19) 543

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

The Gödel number of this derivation would be

⟨ # ψ → ( ψ ∨ φ )# ,
#
(ψ → (ψ ∨ φ)) → ( φ → (ψ → (ψ ∨ φ)))# ,
#
φ → (ψ → (ψ ∨ φ))# ⟩.

Having settled on a representation of derivations, we must also show that

we can manipulate such derivations primitive recursively, and express their
essential properties and relations so. Some operations are simple: e.g., given
a Gödel number d of a derivation, (d)len(d)−1 gives us the Gödel number of its
end-formula. Some are much harder. We’ll at least sketch how to do this. The
goal is to show that the relation “δ is a derivation of φ from Γ” is primitive
recursive in the Gödel numbers of δ and φ.

Proposition 34.27. The following relations are primitive recursive:

1. φ is an axiom.

2. The i-th line in δ is justified by modus ponens

3. The i-th line in δ is justified by QR.

4. δ is a correct derivation.

Proof. We have to show that the corresponding relations between Gödel num-
bers of formulas and Gödel numbers of derivations are primitive recursive.

1. We have a given list of axiom schemas, and φ is an axiom if it is of the

form given by one of these schemas. Since the list of schemas is finite,
it suffices to show that we can test primitive recursively, for each axiom
schema, if φ is of that form. For instance, consider the axiom schema

ψ → ( χ → ψ ).

φ is an instance of this axiom schema if there are formulas ψ and χ such

that we obtain φ when we concatenate ‘(’ with ψ with ‘→’ with ‘(’ with χ
with ‘→’ with ψ and with ‘))’. We can test the corresponding property of
the Gödel number n of φ, since concatenation of sequences is primitive
recursive and the Gödel numbers of ψ and χ must be smaller than the
Gödel number of φ, since when the relation holds, both ψ and χ are
sub-formulas of φ. Hence, we can define:

IsAxψ→(χ→ψ) (n) ⇔ (∃b < n) (∃c < n) (Sent(b) ∧ Sent(c) ∧

n = # (# ⌢ b ⌢ # →# ⌢ # (# ⌢ c ⌢ # →# ⌢ b ⌢ # ))# ).

If we have such a definition for each axiom schema, their disjunction

defines the property IsAx(n), “n is the Gödel number of an axiom.”

544 Release : d3a1905 (2022-12-19)

34.8. AXIOMATIC DERIVATIONS

2. The i-th line in δ is justified by modus ponens iff there are lines j and
k < i where the sentence on line j is some formula φ, the sentence on
line k is φ → ψ, and the sentence on line i is ψ.

MP(d, i ) ⇔ (∃ j < i ) (∃k < i )

( d ) k = # (# ⌢ ( d ) j ⌢ # →# ⌢ ( d ) i ⌢ # )#

Since bounded quantification, concatenation, and = are primitive recur-

sive, this defines a primitive recursive relation.

3. A line in δ is justified by QR if it is of the form ψ → ∀ x φ( x ), a preceding

line is ψ → φ(c) for some constant symbol c, and c does on occur in ψ.
This is the case iff

a) there is a sentence ψ and

b) a formula φ( x ) with a single variable x free so that
c) line i contains ψ → ∀ x φ( x )
d) some line j < i contains ψ → φ[c/x ] for a constant c
e) which does not occur in ψ.

All of these can be tested primitive recursively, since the Gödel numbers
of ψ, φ( x ), and x are less than the Gödel number of the formula on line i,
and that of a less than the Gödel number of the formula on line j:

QR1 (d, i ) ⇔ (∃b < (d)i ) (∃ x < (d)i ) (∃ a < (d)i ) (∃c < (d) j ) (
Var( x ) ∧ Const(c) ∧
( d ) i = ( ⌢ b ⌢ # →# ⌢ # ∀# ⌢ x ⌢ a ⌢ # )# ∧
# #

(d) j = # (# ⌢ b ⌢ # →# ⌢ Subst( a, c, x ) ⌢ # )# ∧
Sent(b) ∧ Sent(Subst( a, c, x )) ∧ (∀k < len(b)) (b)k ̸= (c)0 )

Here we assume that c and x are the Gödel numbers of the variable and
constant considered as terms (i.e., not their symbol codes). We test that x
is the only free variable of φ( x ) by testing if φ( x )[c/x ] is a sentence, and
ensure that c does not occur in ψ by requiring that every symbol of ψ is
different from c.
We leave the other version of QR as an exercise.

4. d is the Gödel number of a correct derivation iff every line in it is an

axiom, or justified by modus ponens or QR. Hence:

Deriv(d) ⇔ (∀i < len(d)) (IsAx((d)i ) ∨ MP(d, i ) ∨ QR(d, i ))

Release : d3a1905 (2022-12-19) 545

 CHAPTER 34. ARITHMETIZATION OF SYNTAX

Proposition 34.28. Suppose Γ is a primitive recursive set of sentences. Then the

relation PrfΓ ( x, y) expressing “x is the code of a derivation δ of φ from Γ and y is the
Gödel number of φ” is primitive recursive.

Proof. Suppose “y ∈ Γ” is given by the primitive recursive predicate R Γ (y).

We have to show that the relation PrfΓ ( x, y) is primitive recursive, where
PrfΓ ( x, y) holds iff y is the Gödel number of a sentence φ and x is the code
of a derivation of φ from Γ.
By the previous proposition, the property Deriv( x ) which holds iff x is the
code of a correct derivation δ is primitive recursive. However, that definition
did not take into account the set Γ as an additional way to justify lines in the
derivation. Our primitive recursive test of whether a line is justified by QR also
left out of consideration the requirement that the constant c is not allowed to
occur in Γ. It is possible to amend our definition so that it takes into account
Γ directly, but it is easier to use Deriv and the deduction theorem. Γ ⊢ φ iff
there is some finite list of sentences ψ1 , . . . , ψn ∈ Γ such that {ψ1 , . . . , ψn } ⊢ φ.
And by the deduction theorem, this is the case if ⊢ (ψ1 → (ψ2 → · · · (ψn →
φ) · · · )). Whether a sentence with Gödel number z is of this form can be
tested primitive recursively. So, instead of considering x as the Gödel number
of a derivation of the sentence with Gödel number y from Γ, we consider x as
the Gödel number of a derivation of a nested conditional of the above form
from ∅.
First, if we have a sequence of sentences, we can primitive recursively form
the conditional with all these sentences as antecedents and given sentence as
consequent:

hCond(s, y, 0) = y
hCond(s, y, n + 1) = # (# ⌢ (s)n ⌢ # →# ⌢ Cond(s, y, n) ⌢ # )#
Cond(s, y) = hCond(s, y, len(s))

So we can define PrfΓ ( x, y) by

PrfΓ ( x, y) ⇔ (∃s < sequenceBound( x, x )) (

( x )len(x)−1 = Cond(s, y) ∧
(∀i < len(s)) (s)i ∈ Γ ∧
Deriv( x )).

The bound on s is given by considering that each (s)i is the Gödel number of
a sub-formula of the last line of the derivation, i.e., is less than ( x )len( x)−1 . The
number of antecedents ψ ∈ Γ, i.e., the length of s, is less than the length of the
last line of x.

546 Release : d3a1905 (2022-12-19)

34.8. AXIOMATIC DERIVATIONS

Problems
Problem 34.1. Show that the function flatten(z), which turns the sequence
⟨# t1 # , . . . , # tn # ⟩ into # t1 , . . . , tn # , is primitive recursive.

Problem 34.2. Give a detailed proof of Proposition 34.8 along the lines of the
first proof of Proposition 34.5.

Problem 34.3. Prove Proposition 34.9. You may make use of the fact that any
substring of a formula which is a formula is a sub-formula of it.

Problem 34.4. Prove Proposition 34.12

Problem 34.5. Define the following properties as in Proposition 34.15:

1. FollowsByCut ( p),
2. FollowsBy→L ( p),
3. FollowsBy= ( p),
4. FollowsBy∀R ( p).
For the last one, you will have to also show that you can test primitive recur-
sively if the last inference of the derivation with Gödel number p satisfies the
eigenvariable condition, i.e., the eigenvariable a of the ∀R does not occur in
the end-sequent.

Problem 34.6. Define the following properties as in Proposition 34.21:

1. FollowsBy→Elim (d),
2. FollowsBy=Elim (d),
3. FollowsBy∨Elim (d),
4. FollowsBy∀Intro (d).
For the last one, you will have to also show that you can test primitive recur-
sively if the last inference of the derivation with Gödel number d satisfies the
eigenvariable condition, i.e., the eigenvariable a of the ∀Intro inference occurs
neither in the end-formula of d nor in an open assumption of d. You may use
the primitive recursive predicate OpenAssum from Proposition 34.23 for this.

Problem 34.7. Define the following relations as in Proposition 34.27:

1. IsAx φ→(ψ→( φ∧ψ)) (n),
2. IsAx∀ x φ( x)→ φ(t) (n),
3. QR2 (d, i ) (for the other version of QR).

Release : d3a1905 (2022-12-19) 547

Chapter 35

Representability in Q

35.1 Introduction
The incompleteness theorems apply to theories in which basic facts about
computable functions can be expressed and proved. We will describe a very
minimal such theory called “Q” (or, sometimes, “Robinson’s Q,” after Raphael
Robinson). We will say what it means for a function to be representable in Q,
and then we will prove the following:
A function is representable in Q if and only if it is computable.
For one thing, this provides us with another model of computability. But we
will also use it to show that the set { φ : Q ⊢ φ} is not decidable, by reducing
the halting problem to it. By the time we are done, we will have proved much
stronger things than this.
The language of Q is the language of arithmetic; Q consists of the fol-
lowing axioms (to be used in conjunction with the other axioms and rules of
first-order logic with identity predicate):

∀ x ∀y ( x ′ = y′ → x = y) (Q1 )
∀ x 0 ̸= x′ (Q2 )
∀ x ( x = 0 ∨ ∃y x = y′ ) (Q3 )
∀ x ( x + 0) = x (Q4 )
∀ x ∀y ( x + y′ ) = ( x + y)′ (Q5 )
∀ x ( x × 0) = 0 (Q6 )
∀ x ∀y ( x × y′ ) = (( x × y) + x ) (Q7 )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y) (Q8 )

For each natural number n, define the numeral n to be the term 0′′...′ where
there are n tick marks in all. So, 0 is the constant symbol 0 by itself, 1 is 0′ , 2 is
0′′ , etc.

548
35.1. INTRODUCTION

As a theory of arithmetic, Q is extremely weak; for example, you can’t even

prove very simple facts like ∀ x x ̸= x ′ or ∀ x ∀y ( x + y) = (y + x ). But we will
see that much of the reason that Q is so interesting is because it is so weak. In
fact, it is just barely strong enough for the incompleteness theorem to hold.
Another reason Q is interesting is because it has a finite set of axioms.
A stronger theory than Q (called Peano arithmetic PA) is obtained by adding
a schema of induction to Q:

( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x )

where φ( x ) is any formula. If φ( x ) contains free variables other than x, we add

universal quantifiers to the front to bind all of them (so that the corresponding
instance of the induction schema is a sentence). For instance, if φ( x, y) also
contains the variable y free, the corresponding instance is

∀y (( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x ))

Using instances of the induction schema, one can prove much more from the
axioms of PA than from those of Q. In fact, it takes a good deal of work to
find “natural” statements about the natural numbers that can’t be proved in
Peano arithmetic!

Definition 35.1. A function f ( x0 , . . . , xk ) from the natural numbers to the nat-

ural numbers is said to be representable in Q if there is a formula φ f ( x0 , . . . , xk , y)
such that whenever f (n0 , . . . , nk ) = m, Q proves

1. φ f (n0 , . . . , nk , m)

2. ∀y ( φ f (n0 , . . . , nk , y) → m = y).

There are other ways of stating the definition; for example, we could equiv-
alently require that Q proves ∀y ( φ f (n0 , . . . , nk , y) ↔ y = m).

Theorem 35.2. A function is representable in Q if and only if it is computable.

There are two directions to proving the theorem. The left-to-right direction
is fairly straightforward once arithmetization of syntax is in place. The other
direction requires more work. Here is the basic idea: we pick “general recur-
sive” as a way of making “computable” precise, and show that every general
recursive function is representable in Q. Recall that a function is general re-
cursive if it can be defined from zero, the successor function succ, and the
projection functions Pin , using composition, primitive recursion, and regular
minimization. So one way of showing that every general recursive function is
representable in Q is to show that the basic functions are representable, and
whenever some functions are representable, then so are the functions defined
from them using composition, primitive recursion, and regular minimization.

Release : d3a1905 (2022-12-19) 549

 CHAPTER 35. REPRESENTABILITY IN Q

In other words, we might show that the basic functions are representable, and
that the representable functions are “closed under” composition, primitive
recursion, and regular minimization. This guarantees that every general re-
cursive function is representable.
It turns out that the step where we would show that representable func-
tions are closed under primitive recursion is hard. In order to avoid this step,
we show first that in fact we can do without primitive recursion. That is, we
show that every general recursive function can be defined from basic func-
tions using composition and regular minimization alone. To do this, we show
that primitive recursion can actually be done by a specific regular minimiza-
tion. However, for this to work, we have to add some additional basic func-
tions: addition, multiplication, and the characteristic function of the identity
relation χ= . Then, we can prove the theorem by showing that all of these basic
functions are representable in Q, and the representable functions are closed
under composition and regular minimization.

35.2 Functions Representable in Q are Computable

We’ll prove that every function that is representable in Q is computable. We
first have to establish a lemma about functions representable in Q.

Lemma 35.3. If f ( x0 , . . . , xk ) is representable in Q, there is a formula φ( x0 , . . . , xk , y)

such that
Q ⊢ φ f (n0 , . . . , nk , m) iff m = f (n0 , . . . , nk ).

Proof. The “if” part is Definition 35.1(1). The “only if” part is seen as follows:
Suppose Q ⊢ φ f (n0 , . . . , nk , m) but m ̸= f (n0 , . . . , nk ). Let l = f (n0 , . . . , nk ).
By Definition 35.1(1), Q ⊢ φ f (n0 , . . . , nk , l ). By Definition 35.1(2), ∀y ( φ f (n0 , . . . , nk , y) →
l = y). Using logic and the assumption that Q ⊢ φ f (n0 , . . . , nk , m), we get that
Q ⊢ l = m. On the other hand, by Lemma 35.14, Q ⊢ l ̸= m. So Q is incon-
sistent. But that is impossible, since Q is satisfied by the standard model (see
Definition 33.2), N ⊨ Q, and satisfiable theories are always consistent by the
Soundness Theorem (Corollaries 20.29, 19.31, 21.31 and 22.38).

Lemma 35.4. Every function that is representable in Q is computable.

Proof. Let’s first give the intuitive idea for why this is true. To compute f , we
do the following. List all the possible derivations δ in the language of arith-
metic. This is possible to do mechanically. For each one, check if it is a deriva-
tion of a formula of the form φ f (n0 , . . . , nk , m) (the formula representing f in Q
from Lemma 35.3). If it is, m = f (n0 , . . . , nk ) by Lemma 35.3, and we’ve found
the value of f . The search terminates because Q ⊢ φ f (n0 , . . . , nk , f (n0 , . . . , nk )),
so eventually we find a δ of the right sort.

550 Release : d3a1905 (2022-12-19)

35.3. THE BETA FUNCTION LEMMA

This is not quite precise because our procedure operates on derivations

and formulas instead of just on numbers, and we haven’t explained exactly
why “listing all possible derivations” is mechanically possible. But as we’ve
seen, it is possible to code terms, formulas, and derivations by Gödel numbers.
We’ve also introduced a precise model of computation, the general recursive
functions. And we’ve seen that the relation PrfQ (d, y), which holds iff d is the
Gödel number of a derivation of the formula with Gödel number y from the
axioms of Q, is (primitive) recursive. Other primitive recursive functions we’ll
need are num (Proposition 34.6) and Subst (Proposition 34.11). From these, it
is possible to define f by minimization; thus, f is recursive.
First, define

A ( n0 , . . . , n k , m ) =
Subst(Subst(. . . Subst(# φ f # , num(n0 ), # x0 # ),
. . . ), num(nk ), # xk # ), num(m), # y# )
This looks complicated, but it’s just the function A(n0 , . . . , nk , m) = # φ f (n0 , . . . , nk , m)# .
Now, consider the relation R(n0 , . . . , nk , s) which holds if (s)0 is the Gödel
number of a derivation from Q of φ f (n0 , . . . , nk , (s)1 ):
R ( n0 , . . . , n k , s ) iff PrfQ ((s)0 , A(n0 , . . . , nk , (s)1 ))
If we can find an s such that R(n0 , . . . , nk , s) hold, we have found a pair of
numbers—(s)0 and (s1 )—such that (s)0 is the Gödel number of a derivation
of A f (n0 , . . . , nk , (s)1 ). So looking for s is like looking for the pair d and m
in the informal proof. And a computable function that “looks for” such an
s can be defined by regular minimization. Note that R is regular: for ev-
ery n0 , . . . , nk , there is a derivation δ of Q ⊢ φ f (n0 , . . . , nk , f (n0 , . . . , nk )), so
R(n0 , . . . , nk , s) holds for s = ⟨# δ# , f (n0 , . . . , nk )⟩. So, we can write f as
f (n0 , . . . , nk ) = (µs R(n0 , . . . , nk , s))1 .

35.3 The Beta Function Lemma

In order to show that we can carry out primitive recursion if addition, multi-
plication, and χ= are available, we need to develop functions that handle se-
quences. (If we had exponentiation as well, our task would be easier.) When
we had primitive recursion, we could define things like the “n-th prime,”
and pick a fairly straightforward coding. But here we do not have primitive
recursion—in fact we want to show that we can do primitive recursion using
minimization—so we need to be more clever.
Lemma 35.5. There is a function β(d, i ) such that for every sequence a0 , . . . , an there
is a number d, such that for every i ≤ n, β(d, i ) = ai . Moreover, β can be defined
from the basic functions using just composition and regular minimization.

Release : d3a1905 (2022-12-19) 551

 CHAPTER 35. REPRESENTABILITY IN Q

Think of d as coding the sequence ⟨ a0 , . . . , an ⟩, and β(d, i ) returning the

i-th element. (Note that this “coding” does not use the power-of-primes cod-
ing we’re already familiar with!). The lemma is fairly minimal; it doesn’t say
we can concatenate sequences or append elements, or even that we can com-
pute d from a0 , . . . , an using functions definable by composition and regular
minimization. All it says is that there is a “decoding” function such that every
sequence is “coded.”
The use of the notation β is Gödel’s. To repeat, the hard part of proving
the lemma is defining a suitable β using the seemingly restricted resources,
i.e., using just composition and minimization—however, we’re allowed to use
addition, multiplication, and χ= . There are various ways to prove this lemma,
but one of the cleanest is still Gödel’s original method, which used a number-
theoretic fact called the Chinese Remainder theorem.

Definition 35.6. Two natural numbers a and b are relatively prime iff their great-
est common divisor is 1; in other words, they have no other divisors in com-
mon.

Definition 35.7. Natural numbers a and b are congruent modulo c, a ≡ b mod c,

iff c | ( a − b), i.e., a and b have the same remainder when divided by c.

Here is the Chinese Remainder theorem:

Theorem 35.8. Suppose x0 , . . . , xn are (pairwise) relatively prime. Let y0 , . . . , yn be

any numbers. Then there is a number z such that

z ≡ y0 mod x0
z ≡ y1 mod x1
..
.
z ≡ yn mod xn .

Here is how we will use the Chinese Remainder theorem: if x0 , . . . , xn are

bigger than y0 , . . . , yn respectively, then we can take z to code the sequence
⟨y0 , . . . , yn ⟩. To recover yi , we need only divide z by xi and take the remainder.
To use this coding, we will need to find suitable values for x0 , . . . , xn .
A couple of observations will help us in this regard. Given y0 , . . . , yn , let

j = max(n, y0 , . . . , yn ) + 1,

552 Release : d3a1905 (2022-12-19)

35.3. THE BETA FUNCTION LEMMA

and let

x0 = 1 + j !
x1 = 1 + 2 · j !
x2 = 1 + 3 · j !
..
.
x n = 1 + ( n + 1) · j !

Then two things are true:

1. x0 , . . . , xn are relatively prime.

2. For each i, yi < xi .

To see that (1) is true, note that if p is a prime number and p | xi and p | xk ,
then p | 1 + (i + 1) j ! and p | 1 + (k + 1) j !. But then p divides their difference,

(1 + (i + 1) j !) − (1 + (k + 1) j !) = (i − k) j !.

Since p divides 1 + (i + 1) j !, it can’t divide j ! as well (otherwise, the first

division would leave a remainder of 1). So p divides i − k, since p divides
(i − k) j !. But |i − k| is at most n, and we have chosen j > n, so this implies
that p | j !, again a contradiction. So there is no prime number dividing both
xi and xk . Clause (2) is easy: we have yi < j < j ! < xi .
Now let us prove the β function lemma. Remember that we can use 0,
successor, plus, times, χ= , projections, and any function defined from them
using composition and minimization applied to regular functions. We can
also use a relation if its characteristic function is so definable. As before we
can show that these relations are closed under Boolean combinations and
bounded quantification; for example:

not( x ) = χ= ( x, 0)
(min x ≤ z) R( x, y) = µx ( R( x, y) ∨ x = z)
(∃ x ≤ z) R( x, y) ⇔ R((min x ≤ z) R( x, y), y)

We can then show that all of the following are also definable without primitive
recursion:

1. The pairing function, J ( x, y) = 12 [( x + y)( x + y + 1)] + x;

2. the projection functions

K (z) = (min x ≤ z) (∃y ≤ z) z = J ( x, y),

L(z) = (min y ≤ z) (∃ x ≤ z) z = J ( x, y);

Release : d3a1905 (2022-12-19) 553

 CHAPTER 35. REPRESENTABILITY IN Q

3. the less-than relation x < y;

4. the divisibility relation x | y;

5. the function rem( x, y) which returns the remainder when y is divided

by x.

Now define

β∗ (d0 , d1 , i ) = rem(1 + (i + 1)d1 , d0 ) and

β(d, i ) = β∗ (K (d), L(d), i ).

This is the function we want. Given a0 , . . . , an as above, let

j = max(n, a0 , . . . , an ) + 1,

and let d1 = j !. By (1) above, we know that 1 + d1 , 1 + 2d1 , . . . , 1 + (n + 1)d1

are relatively prime, and by (2) that all are greater than a0 , . . . , an . By the
Chinese Remainder theorem there is a value d0 such that for each i,

d0 ≡ a i mod (1 + (i + 1)d1 )

and so (because d1 is greater than ai ),

ai = rem(1 + (i + 1)d1 , d0 ).

Let d = J (d0 , d1 ). Then for each i ≤ n, we have

β(d, i ) = β∗ (d0 , d1 , i )
= rem(1 + (i + 1)d1 , d0 )
= ai

which is what we need. This completes the proof of the β-function lemma.

35.4 Simulating Primitive Recursion

Now we can show that definition by primitive recursion can be “simulated”
by regular minimization using the beta function. Suppose we have f (⃗x ) and
g(⃗x, y, z). Then the function h( x, ⃗z) defined from f and g by primitive recur-
sion is

h(⃗x, 0) = f (⃗x )
h(⃗x, y + 1) = g(⃗x, y, h(⃗x, y)).

We need to show that h can be defined from f and g using just composition
and regular minimization, using the basic functions and functions defined
from them using composition and regular minimization (such as β).

554 Release : d3a1905 (2022-12-19)

35.5. BASIC FUNCTIONS ARE REPRESENTABLE IN Q

Lemma 35.9. If h can be defined from f and g using primitive recursion, it can be
defined from f , g, the functions zero, succ, Pin , add, mult, χ= , using composition
and regular minimization.

Proof. First, define an auxiliary function ĥ(⃗x, y) which returns the least num-
ber d such that d codes a sequence which satisfies

1. (d)0 = f (⃗x ), and

2. for each i < y, (d)i+1 = g(⃗x, i, (d)i ),

where now (d)i is short for β(d, i ). In other words, ĥ returns the sequence
⟨h(⃗x, 0), h(⃗x, 1), . . . , h(⃗x, y)⟩. We can write ĥ as

ĥ(⃗x, y) = µd ( β(d, 0) = f (⃗x ) ∧ (∀i < y) β(d, i + 1) = g(⃗x, i, β(d, i )).

Note: no primitive recursion is needed here, just minimization. The function

we minimize is regular because of the beta function lemma Lemma 35.5.
But now we have
h(⃗x, y) = β(ĥ(⃗x, y), y),
so h can be defined from the basic functions using just composition and regu-
lar minimization.

35.5 Basic Functions are Representable in Q

First we have to show that all the basic functions are representable in Q. In the
end, we need to show how to assign to each k-ary basic function f ( x0 , . . . , xk−1 )
a formula φ f ( x0 , . . . , xk−1 , y) that represents it.
We will be able to represent zero, successor, plus, times, the characteristic
function for equality, and projections. In each case, the appropriate represent-
ing function is entirely straightforward; for example, zero is represented by
the formula y = 0, successor is represented by the formula x0′ = y, and addi-
tion is represented by the formula ( x0 + x1 ) = y. The work involves showing
that Q can prove the relevant sentences; for example, saying that addition
is represented by the formula above involves showing that for every pair of
natural numbers m and n, Q proves

n + m = n + m and
∀y ((n + m) = y → y = n + m).

Proposition 35.10. The zero function zero( x ) = 0 is represented in Q by φzero ( x, y) ≡

y = 0.

Proposition 35.11. The successor function succ( x ) = x + 1 is represented in Q by

φsucc ( x, y) ≡ y = x ′ .

Release : d3a1905 (2022-12-19) 555

 CHAPTER 35. REPRESENTABILITY IN Q

Proposition 35.12. The projection function Pin ( x0 , . . . , xn−1 ) = xi is represented

in Q by
φ P n ( x 0 , . . . , x n −1 , y ) ≡ y = x i .
i

Proposition 35.13. The characteristic function of =,

(
1 if x0 = x1
χ = ( x0 , x1 ) =
0 otherwise

is represented in Q by

φ χ = ( x0 , x1 , y ) ≡ ( x0 = x1 ∧ y = 1) ∨ ( x0 ̸ = x1 ∧ y = 0).

The proof requires the following lemma.

Lemma 35.14. Given natural numbers n and m, if n ̸= m, then Q ⊢ n ̸= m.

Proof. Use induction on n to show that for every m, if n ̸= m, then Q ⊢ n ̸= m.

In the base case, n = 0. If m is not equal to 0, then m = k + 1 for some
natural number k. We have an axiom that says ∀ x 0 ̸= x ′ . By a quantifier
′ ′
axiom, replacing x by k, we can conclude 0 ̸= k . But k is just m.
In the induction step, we can assume the claim is true for n, and consider
n + 1. Let m be any natural number. There are two possibilities: either m = 0
or for some k we have m = k + 1. The first case is handled as above. In the
second case, suppose n + 1 ̸= k + 1. Then n ̸= k. By the induction hypothesis
for n we have Q ⊢ n ̸= k. We have an axiom that says ∀ x ∀y x ′ = y′ → x = y.
′
Using a quantifier axiom, we have n′ = k → n = k. Using propositional
′
logic, we can conclude, in Q, n ̸= k → n′ ̸= k . Using modus ponens, we can
′ ′
conclude n′ ̸= k , which is what we want, since k is m.

Note that the lemma does not say much: in essence it says that Q can
prove that different numerals denote different objects. For example, Q proves
0′′ ̸= 0′′′ . But showing that this holds in general requires some care. Note also
that although we are using induction, it is induction outside of Q.

Proof of Proposition 35.13. If n = m, then n and m are the same term, and
χ= (n, m) = 1. But Q ⊢ (n = m ∧ 1 = 1), so it proves φ= (n, m, 1). If n ̸= m,
then χ= (n, m) = 0. By Lemma 35.14, Q ⊢ n ̸= m and so also (n ̸= m ∧ 0 = 0).
Thus Q ⊢ φ= (n, m, 0).
For the second part, we also have two cases. If n = m, we have to show
that Q ⊢ ∀y ( φ= (n, m, y) → y = 1). Arguing informally, suppose φ= (n, m, y),
i.e.,
( n = n ∧ y = 1) ∨ ( n ̸ = n ∧ y = 0)
The left disjunct implies y = 1 by logic; the right contradicts n = n which is
provable by logic.

556 Release : d3a1905 (2022-12-19)

35.5. BASIC FUNCTIONS ARE REPRESENTABLE IN Q

Suppose, on the other hand, that n ̸= m. Then φ= (n, m, y) is

( n = m ∧ y = 1) ∨ ( n ̸ = m ∧ y = 0)

Here, the left disjunct contradicts n ̸= m, which is provable in Q by Lemma 35.14;

the right disjunct entails y = 0.

Proposition 35.15. The addition function add( x0 , x1 ) = x0 + x1 is represented

in Q by
φadd ( x0 , x1 , y) ≡ y = ( x0 + x1 ).

Lemma 35.16. Q ⊢ (n + m) = n + m

Proof. We prove this by induction on m. If m = 0, the claim is that Q ⊢ (n +

0) = n. This follows by axiom Q4 . Now suppose the claim for m; let’s prove
the claim for m + 1, i.e., prove that Q ⊢ (n + m + 1) = n + m + 1. Note that
′
m + 1 is just m′ , and n + m + 1 is just n + m . By axiom Q5 , Q ⊢ (n + m′ ) =
(n + m)′ . By induction hypothesis, Q ⊢ (n + m) = n + m. So Q ⊢ (n + m′ ) =
′
n+m .

Proof of Proposition 35.15. The formula φadd ( x0 , x1 , y) representing add is y =

( x0 + x1 ). First we show that if add(n, m) = k, then Q ⊢ φadd (n, m, k), i.e.,
Q ⊢ k = (n + m). But since k = n + m, k just is n + m, and we’ve shown in
Lemma 35.16 that Q ⊢ (n + m) = n + m.
We also have to show that if add(n, m) = k, then

Q ⊢ ∀y ( φadd (n, m, y) → y = k).

Suppose we have (n + m) = y. Since

Q ⊢ (n + m) = n + m,

we can replace the left side with n + m and get n + m = y, for arbitrary y.

Proposition 35.17. The multiplication function mult( x0 , x1 ) = x0 · x1 is repre-

sented in Q by
φmult ( x0 , x1 , y) ≡ y = ( x0 × x1 ).

Proof. Exercise.

Lemma 35.18. Q ⊢ (n × m) = n · m

Proof. Exercise.

Release : d3a1905 (2022-12-19) 557

 CHAPTER 35. REPRESENTABILITY IN Q

Recall that we use × for the function symbol of the language of arith-
metic, and · for the ordinary multiplication operation on numbers. So · can
appear between expressions for numbers (such as in m · n) while × appears
only between terms of the language of arithmetic (such as in (m × n)). Even
more confusingly, + is used for both the function symbol and the addition
operation. When it appears between terms—e.g., in (n + m)—it is the 2-place
function symbol of the language of arithmetic, and when it appears between
numbers—e.g., in n + m—it is the addition operation. This includes the case
n + m: this is the standard numeral corresponding to the number n + m.

35.6 Composition is Representable in Q

Suppose h is defined by

h( x0 , . . . , xl −1 ) = f ( g0 ( x0 , . . . , xl −1 ), . . . , gk−1 ( x0 , . . . , xl −1 )).

where we have already found formulas φ f , φ g0 , . . . , φ gk−1 representing the func-

tions f , and g0 , . . . , gk−1 , respectively. We have to find a formula φh represent-
ing h.
Let’s start with a simple case, where all functions are 1-place, i.e., consider
h( x ) = f ( g( x )). If φ f (y, z) represents f , and φ g ( x, y) represents g, we need
a formula φh ( x, z) that represents h. Note that h( x ) = z iff there is a y such
that both z = f (y) and y = g( x ). (If h( x ) = z, then g( x ) is such a y; if such a
y exists, then since y = g( x ) and z = f (y), z = f ( g( x )).) This suggests that
∃y ( φ g ( x, y) ∧ φ f (y, z)) is a good candidate for φh ( x, z). We just have to verify
that Q proves the relevant formulas.
Proposition 35.19. If h(n) = m, then Q ⊢ φh (n, m).

Proof. Suppose h(n) = m, i.e., f ( g(n)) = m. Let k = g(n). Then

Q ⊢ φ g (n, k)

since φ g represents g, and

Q ⊢ φ f (k, m)

since φ f represents f . Thus,

Q ⊢ φ g (n, k) ∧ φ f (k, m)

and consequently also

Q ⊢ ∃y ( φ g (n, y) ∧ φ f (y, m)),

i.e., Q ⊢ φh (n, m).

558 Release : d3a1905 (2022-12-19)

35.7. REGULAR MINIMIZATION IS REPRESENTABLE IN Q

Proposition 35.20. If h(n) = m, then Q ⊢ ∀z ( φh (n, z) → z = m).

Proof. Suppose h(n) = m, i.e., f ( g(n)) = m. Let k = g(n). Then

Q ⊢ ∀y ( φ g (n, y) → y = k )

since φ g represents g, and

Q ⊢ ∀z ( φ f (k, z) → z = m)

since φ f represents f . Using just a little bit of logic, we can show that also

Q ⊢ ∀z (∃y ( φ g (n, y) ∧ φ f (y, z)) → z = m).

i.e., Q ⊢ ∀y ( φh (n, y) → y = m).

The same idea works in the more complex case where f and gi have arity
greater than 1.

Proposition 35.21. If φ f (y0 , . . . , yk−1 , z) represents f (y0 , . . . , yk−1 ) in Q, and φ gi ( x0 , . . . , xl −1 , y)

represents gi ( x0 , . . . , xl −1 ) in Q, then

∃ y 0 . . . ∃ y k − 1 ( φ g0 ( x 0 , . . . , x l − 1 , y 0 ) ∧ · · · ∧
φ gk−1 ( x0 , . . . , xl −1 , yk−1 ) ∧ φ f (y0 , . . . , yk−1 , z))

represents

h( x0 , . . . , xl −1 ) = f ( g0 ( x0 , . . . , xl −1 ), . . . , gk−1 ( x0 , . . . , xl −1 )).

Proof. Exercise.

35.7 Regular Minimization is Representable in Q

Let’s consider unbounded search. Suppose g( x, z) is regular and representable
in Q, say by the formula φ g ( x, z, y). Let f be defined by f (z) = µx [ g( x, z) =
0]. We would like to find a formula φ f (z, y) representing f . The value of f (z)
is that number x which (a) satisfies g( x, z) = 0 and (b) is the least such, i.e.,
for any w < x, g(w, z) ̸= 0. So the following is a natural choice:

φ f (z, y) ≡ φ g (y, z, 0) ∧ ∀w (w < y → ¬ φ g (w, z, 0)).

In the general case, of course, we would have to replace z with z0 , . . . , zk .

The proof, again, will involve some lemmas about things Q is strong enough
to prove.

Release : d3a1905 (2022-12-19) 559

 CHAPTER 35. REPRESENTABILITY IN Q

Lemma 35.22. For every constant symbol a and every natural number n,

Q ⊢ ( a′ + n) = ( a + n)′ .

Proof. The proof is, as usual, by induction on n. In the base case, n = 0, we

need to show that Q proves ( a′ + 0) = ( a + 0)′ . But we have:

Q ⊢ ( a ′ + 0) = a ′ by axiom Q4 (35.1)
Q ⊢ ( a + 0) = a by axiom Q4 (35.2)
′ ′
Q ⊢ ( a + 0) = a by eq. (35.2) (35.3)
′ ′
Q ⊢ ( a + 0) = ( a + 0) by eq. (35.1) and eq. (35.3)

In the induction step, we can assume that we have shown that Q ⊢ ( a′ + n) =

( a + n)′ . Since n + 1 is n′ , we need to show that Q proves ( a′ + n′ ) = ( a + n′ )′ .
We have:

Q ⊢ ( a′ + n′ ) = ( a′ + n)′ by axiom Q5 (35.4)

′ ′ ′ ′
Q ⊢ (a + n ) = (a + n ) inductive hypothesis (35.5)
′ ′ ′ ′
Q ⊢ ( a + n) = ( a + n ) by eq. (35.4) and eq. (35.5).

It is again worth mentioning that this is weaker than saying that Q proves
∀ x ∀y ( x ′ + y) = ( x + y)′ . Although this sentence is true in N, Q does not
prove it.

Lemma 35.23. Q ⊢ ∀ x ¬ x < 0.

Proof. We give the proof informally (i.e., only giving hints as to how to con-
struct the formal derivation).
We have to prove ¬ a < 0 for an arbitrary a. By the definition of <, we
need to prove ¬∃y (y′ + a) = 0 in Q. We’ll assume ∃y (y′ + a) = 0 and prove a
contradiction. Suppose (b′ + a) = 0. Using Q3 , we have that a = 0 ∨ ∃y a = y′ .
We distinguish cases.
Case 1: a = 0 holds. From (b′ + a) = 0, we have (b′ + 0) = 0. By axiom Q4
of Q, we have (b′ + 0) = b′ , and hence b′ = 0. But by axiom Q2 we also have
b′ ̸= 0, a contradiction.
Case 2: For some c, a = c′ . But then we have (b′ + c′ ) = 0. By axiom Q5 ,
we have (b′ + c)′ = 0, again contradicting axiom Q2 .

Lemma 35.24. For every natural number n,

Q ⊢ ∀ x ( x < n + 1 → ( x = 0 ∨ · · · ∨ x = n)).

Proof. We use induction on n. Let us consider the base case, when n = 0. In

that case, we need to show a < 1 → a = 0, for arbitrary a. Suppose a < 1.
Then by the defining axiom for <, we have ∃y (y′ + a) = 0′ (since 1 ≡ 0′ ).

560 Release : d3a1905 (2022-12-19)

35.7. REGULAR MINIMIZATION IS REPRESENTABLE IN Q

Suppose b has that property, i.e., we have (b′ + a) = 0′ . We need to show

a = 0. By axiom Q3 , we have either a = 0 or that there is a c such that a = c′ .
In the former case, there is nothing to show. So suppose a = c′ . Then we have
(b′ + c′ ) = 0′ . By axiom Q5 of Q, we have (b′ + c)′ = 0′ . By axiom Q1 , we
have (b′ + c) = 0. But this means, by axiom Q8 , that c < 0, contradicting
Lemma 35.23.
Now for the inductive step. We prove the case for n + 1, assuming the case
for n. So suppose a < n + 2. Again using Q3 we can distinguish two cases:
a = 0 and for some b, a = c′ . In the first case, a = 0 ∨ · · · ∨ a = n + 1 follows
′
trivially. In the second case, we have c′ < n + 2, i.e., c′ < n + 1 . By axiom Q8 ,
′ ′
for some d, (d′ + c′ ) = n + 1 . By axiom Q5 , (d′ + c)′ = n + 1 . By axiom Q1 ,
(d′ + c) = n + 1, and so c < n + 1 by axiom Q8 . By inductive hypothesis,
c = 0 ∨ · · · ∨ c = n. From this, we get c′ = 0′ ∨ · · · ∨ c′ = n′ by logic, and so
a = 1 ∨ · · · ∨ a = n + 1 since a = c′ .

Lemma 35.25. For every natural number m,

Q ⊢ ∀y ((y < m ∨ m < y) ∨ y = m).

Proof. By induction on m. First, consider the case m = 0. Q ⊢ ∀y (y = 0 ∨

∃z y = z′ ) by Q3 . Let a be arbitrary. Then either a = 0 or for some b, a = b′ .
In the former case, we also have ( a < 0 ∨ 0 < a) ∨ a = 0. But if a = b′ ,
then (b′ + 0) = ( a + 0) by the logic of =. By Q4 , ( a + 0) = a, so we have
(b′ + 0) = a, and hence ∃z (z′ + 0) = a. By the definition of < in Q8 , 0 < a. If
0 < a, then also (0 < a ∨ a < 0) ∨ a = 0.
Now suppose we have

Q ⊢ ∀y ((y < m ∨ m < y) ∨ y = m)

and we want to show

Q ⊢ ∀y ((y < m + 1 ∨ m + 1 < y) ∨ y = m + 1)

Let a be arbitrary. By Q3 , either a = 0 or for some b, a = b′ . In the first case,

we have m′ + a = m + 1 by Q4 , and so a < m + 1 by Q8 .
Now consider the second case, a = b′ . By the induction hypothesis, (b <
m ∨ m < b) ∨ b = m.
The first disjunct b < m is equivalent (by Q8 ) to ∃z (z′ + b) = m. Suppose
c has this property. If (c′ + b) = m, then also (c′ + b)′ = m′ . By Q5 , (c′ + b)′ =
(c′ + b′ ). Hence, (c′ + b′ ) = m′ . We get ∃u (u′ + b′ ) = m + 1 by existentially
generalizing on c′ and keeping in mind that m′ ≡ m + 1. Hence, if b < m then
b′ < m + 1 and so a < m + 1.
Now suppose m < b, i.e., ∃z (z′ + m) = b. Suppose c is such a z, i.e.,
(c + m) = b. By logic, (c′ + m)′ = b′ . By Q5 , (c′ + m′ ) = b′ . Since a = b′ and
′

m′ ≡ m + 1, (c′ + m + 1) = a. By Q8 , m + 1 < a.

Release : d3a1905 (2022-12-19) 561

 CHAPTER 35. REPRESENTABILITY IN Q

Finally, assume b = m. Then, by logic, b′ = m′ , and so a = m + 1.

Hence, from each disjunct of the case for m and b, we can obtain the corre-
sponding disjunct for for m + 1 and a.

Proposition 35.26. If φ g ( x, z, y) represents g( x, z) in Q, then

φ f (z, y) ≡ φ g (y, z, 0) ∧ ∀w (w < y → ¬ φ g (w, z, 0))

represents f (z) = µx [ g( x, z) = 0].

Proof. First we show that if f (n) = m, then Q ⊢ φ f (n, m), i.e.,

Q ⊢ φ g (m, n, 0) ∧ ∀w (w < m → ¬ φ g (w, n, 0)).

Since φ g ( x, z, y) represents g( x, z) and g(m, n) = 0 if f (n) = m, we have

Q ⊢ φ g (m, n, 0).

If f (n) = m, then for every k < m, g(k, n) ̸= 0. So

Q ⊢ ¬ φ g (k, n, 0).

We get that

Q ⊢ ∀w (w < m → ¬ φ g (w, n, 0)). (35.6)

by Lemma 35.23 in case m = 0 and by Lemma 35.24 otherwise.

Now let’s show that if f (n) = m, then Q ⊢ ∀y ( φ f (n, y) → y = m). We
again sketch the argument informally, leaving the formalization to the reader.
Suppose φ f (n, b). From this we get (a) φ g (b, n, 0) and (b) ∀w (w < b →
¬ φ g (w, n, 0)). By Lemma 35.25, (b < m ∨ m < b) ∨ b = m. We’ll show that
both b < m and m < b leads to a contradiction.
If m < b, then ¬ φ g (m, n, 0) from (b). But m = f (n), so g(m, n) = 0, and so
Q ⊢ φ g (m, n, 0) since φ g represents g. So we have a contradiction.
Now suppose b < m. Then since Q ⊢ ∀w (w < m → ¬ φ g (w, n, 0)) by
eq. (35.6), we get ¬ φ g (b, n, 0). This again contradicts (a).

35.8 Computable Functions are Representable in Q

Theorem 35.27. Every computable function is representable in Q.

Proof. For definiteness, and using the Church-Turing Thesis, let’s say that a
function is computable iff it is general recursive. The general recursive func-
tions are those which can be defined from the zero function zero, the successor

562 Release : d3a1905 (2022-12-19)

35.9. REPRESENTING RELATIONS

function succ, and the projection function Pin using composition, primitive re-
cursion, and regular minimization. By Lemma 35.9, any function h that can
be defined from f and g can also be defined using composition and regular
minimization from f , g, and zero, succ, Pin , add, mult, χ= . Consequently, a
function is general recursive iff it can be defined from zero, succ, Pin , add,
mult, χ= using composition and regular minimization.
We’ve furthermore shown that the basic functions in question are rep-
resentable in Q (Propositions 35.10 to 35.13, 35.15 and 35.17), and that any
function defined from representable functions by composition or regular min-
imization (Proposition 35.21, Proposition 35.26) is also representable. Thus
every general recursive function is representable in Q.

We have shown that the set of computable functions can be characterized

as the set of functions representable in Q. In fact, the proof is more general.
From the definition of representability, it is not hard to see that any theory
extending Q (or in which one can interpret Q) can represent the computable
functions. But, conversely, in any derivation system in which the notion of
derivation is computable, every representable function is computable. So,
for example, the set of computable functions can be characterized as the set
of functions representable in Peano arithmetic, or even Zermelo-Fraenkel set
theory. As Gödel noted, this is somewhat surprising. We will see that when
it comes to provability, questions are very sensitive to which theory you con-
sider; roughly, the stronger the axioms, the more you can prove. But across a
wide range of axiomatic theories, the representable functions are exactly the
computable ones; stronger theories do not represent more functions as long as
they are axiomatizable.

35.9 Representing Relations

Let us say what it means for a relation to be representable.
Definition 35.28. A relation R( x0 , . . . , xk ) on the natural numbers is representable
in Q if there is a formula φ R ( x0 , . . . , xk ) such that whenever R(n0 , . . . , nk ) is
true, Q proves φ R (n0 , . . . , nk ), and whenever R(n0 , . . . , nk ) is false, Q proves
¬ φ R ( n0 , . . . , n k ).

Theorem 35.29. A relation is representable in Q if and only if it is computable.

Proof. For the forwards direction, suppose R( x0 , . . . , xk ) is represented by the

formula φ R ( x0 , . . . , xk ). Here is an algorithm for computing R: on input n0 ,
. . . , nk , simultaneously search for a proof of φ R (n0 , . . . , nk ) and a proof of
¬ φ R (n0 , . . . , nk ). By our hypothesis, the search is bound to find one or the
other; if it is the first, report “yes,” and otherwise, report “no.”
In the other direction, suppose R( x0 , . . . , xk ) is computable. By definition,
this means that the function χ R ( x0 , . . . , xk ) is computable. By Theorem 35.2,

Release : d3a1905 (2022-12-19) 563

 CHAPTER 35. REPRESENTABILITY IN Q

χ R is represented by a formula, say φχR ( x0 , . . . , xk , y). Let φ R ( x0 , . . . , xk ) be

the formula φχR ( x0 , . . . , xk , 1). Then for any n0 , . . . , nk , if R(n0 , . . . , nk ) is true,
then χ R (n0 , . . . , nk ) = 1, in which case Q proves φχR (n0 , . . . , nk , 1), and so
Q proves φ R (n0 , . . . , nk ). On the other hand, if R(n0 , . . . , nk ) is false, then
χ R (n0 , . . . , nk ) = 0. This means that Q proves

∀ y ( φ χ R ( n0 , . . . , n k , y ) → y = 0).
Since Q proves 0 ̸= 1, Q proves ¬ φχR (n0 , . . . , nk , 1), and so it proves ¬ φ R (n0 , . . . , nk ).

35.10 Undecidability
We call a theory T undecidable if there is no computational procedure which, af-
ter finitely many steps and unfailingly, provides a correct answer to the ques-
tion “does T prove φ?” for any sentence φ in the language of T. So Q would
be decidable iff there were a computational procedure which decides, given a
sentence φ in the language of arithmetic, whether Q ⊢ φ or not. We can make
this more precise by asking: Is the relation ProvQ (y), which holds of y iff y is
the Gödel number of a sentence provable in Q, recursive? The answer is: no.
Theorem 35.30. Q is undecidable, i.e., the relation

ProvQ (y) ⇔ Sent(y) ∧ ∃ x PrfQ ( x, y)

is not recursive.

Proof. Suppose it were. Then we could solve the halting problem as follows:
Given e and n, we know that φe (n) ↓ iff there is an s such that T (e, n, s), where
T is Kleene’s predicate from Theorem 29.28. Since T is primitive recursive it
is representable in Q by a formula ψT , that is, Q ⊢ ψT (e, n, s) iff T (e, n, s). If
Q ⊢ ψT (e, n, s) then also Q ⊢ ∃y ψT (e, n, y). If no such s exists, then Q ⊢
¬ψT (e, n, s) for every s. But Q is ω-consistent, i.e., if Q ⊢ ¬ φ(n) for every n ∈
N, then Q ⊬ ∃y φ(y). We know this because the axioms of Q are true in the
standard model N. So, Q ⊬ ∃y ψT (e, n, y). In other words, Q ⊢ ∃y ψT (e, n, y)
iff there is an s such that T (e, n, s), i.e., iff φe (n) ↓. From e and n we can
compute # ∃y ψT (e, n, y)# , let g(e, n) be the primitive recursive function which
does that. So (
1 if ProvQ ( g(e, n))
h(e, n) =
0 otherwise.
This would show that h is recursive if ProvQ is. But h is not recursive, by
Theorem 29.29, so ProvQ cannot be either.

Corollary 35.31. First-order logic is undecidable.

Proof. If first-order logic were decidable, provability in Q would be as well,

since Q ⊢ φ iff ⊢ ω → φ, where ω is the conjunction of the axioms of Q.

564 Release : d3a1905 (2022-12-19)

35.10. UNDECIDABILITY

Problems
Problem 35.1. Show that the relations x < y, x | y, and the function rem( x, y)
can be defined without primitive recursion. You may use 0, successor, plus,
times, χ= , projections, and bounded minimization and quantification.

Problem 35.2. Prove that y = 0, y = x ′ , and y = xi represent zero, succ, and

Pin , respectively.

Problem 35.3. Prove Lemma 35.18.

Problem 35.4. Use Lemma 35.18 to prove Proposition 35.17.

Problem 35.5. Using the proofs of Proposition 35.20 and Proposition 35.20 as
a guide, carry out the proof of Proposition 35.21 in detail.

Problem 35.6. Show that if R is representable in Q, so is χ R .

This chapter depends on material in the chapter on computability the-

ory, but can be left out if that hasn’t been covered. It’s currently a basic
conversion of Jeremy Avigad’s notes, has not been revised, and is missing
exercises.

Release : d3a1905 (2022-12-19) 565

Chapter 36

Theories and Computability

36.1 Introduction

This section should be rewritten.

We have the following:

1. A definition of what it means for a function to be representable in Q

(Definition 35.1)

2. a definition of what it means for a relation to be representable in Q (Def-

inition 35.28)

3. a theorem asserting that the representable functions of Q are exactly the

computable ones (Theorem 35.2)

4. a theorem asserting that the representable relations of Q are exactly the

computable ones Theorem 35.29)

A theory is a set of sentences that is deductively closed, that is, with the
property that whenever T proves φ then φ is in T. It is probably best to think
of a theory as being a collection of sentences, together with all the things that
these sentences imply. From now on, we will use Q to refer to the theory con-
sisting of the set of sentences derivable from the eight axioms in section 35.1.
Remember that we can code formula of Q as numbers; if φ is such a formula,
let # φ# denote the number coding φ. Modulo this coding, we can now ask
whether various sets of formulas are computable or not.

36.2 Q is C.e.-Complete
Theorem 36.1. Q is c.e. but not decidable. In fact, it is a complete c.e. set.

566
36.3. ω-CONSISTENT EXTENSIONS OF Q ARE UNDECIDABLE

Proof. It is not hard to see that Q is c.e., since it is the set of (codes for) sen-
tences y such that there is a proof x of y in Q:

Q = {y : ∃ x PrfQ ( x, y)}.

But we know that PrfQ ( x, y) is computable (in fact, primitive recursive), and
any set that can be written in the above form is c.e.
Saying that it is a complete c.e. set is equivalent to saying that K ≤m Q,
where K = { x : φ x ( x ) ↓}. So let us show that K is reducible to Q. Since
Kleene’s predicate T (e, x, s) is primitive recursive, it is representable in Q, say,
by φ T . Then for every x, we have

x ∈ K → ∃s T ( x, x, s)
→ ∃s (Q ⊢ φ T ( x, x, s))
→ Q ⊢ ∃s φ T ( x, x, s).

Conversely, if Q ⊢ ∃s φ T ( x, x, s), then, in fact, for some natural number n the

formula φ T ( x, x, n) must be true. Now, if T ( x, x, n) were false, Q would prove
¬ φ T ( x, x, n), since φ T represents T. But then Q proves a false formula, which
is a contradiction. So T ( x, x, n) must be true, which implies φ x ( x ) ↓.
In short, we have that for every x, x is in K if and only if Q proves ∃s T ( x, x, s).
So the function f which takes x to (a code for) the sentence ∃s T ( x, x, s) is a re-
duction of K to Q.

36.3 ω-Consistent Extensions of Q are Undecidable

The proof that Q is c.e.-complete relied on the fact that any sentence prov-
able in Q is “true” of the natural numbers. The next definition and theorem
strengthen this theorem, by pinpointing just those aspects of “truth” that were
needed in the proof above. Don’t dwell on this theorem too long, though, be-
cause we will soon strengthen it even further. We include it mainly for histori-
cal purposes: Gödel’s original paper used the notion of ω-consistency, but his
result was strengthened by replacing ω-consistency with ordinary consistency
soon after.

Definition 36.2. A theory T is ω-consistent if the following holds: if ∃ x φ( x )

is any sentence and T proves ¬ φ(0), ¬ φ(1), ¬ φ(2), . . . then T does not prove
∃ x φ ( x ).

Theorem 36.3. Let T be any ω-consistent theory that includes Q. Then T is not
decidable.

Proof. If T includes Q, then T represents the computable functions and rela-

tions. We need only modify the previous proof. As above, if x ∈ K, then
T proves ∃s φ T ( x, x, s). Conversely, suppose T proves ∃s φ T ( x, x, s). Then x

Release : d3a1905 (2022-12-19) 567

 CHAPTER 36. THEORIES AND COMPUTABILITY

must be in K: otherwise, there is no halting computation of machine x on input

x; since φ T represents Kleene’s T relation, T proves ¬ φ T ( x, x, 0), ¬ φ T ( x, x, 1),
. . . , making T ω-inconsistent.

36.4 Consistent Extensions of Q are Undecidable

Remember that a theory is consistent if it does not prove both φ and ¬ φ for any
formula φ. Since anything follows from a contradiction, an inconsistent theory
is trivial: every sentence is provable. Clearly, if a theory if ω-consistent, then it
is consistent. But being consistent is a weaker requirement (i.e., there are theo-
ries that are consistent but not ω-consistent.). We can weaken the assumption
in Definition 36.2 to simple consistency to obtain a stronger theorem.
Lemma 36.4. There is no “universal computable relation.” That is, there is no binary
computable relation R( x, y), with the following property: whenever S(y) is a unary
computable relation, there is some k such that for every y, S(y) is true if and only if
R(k, y) is true.

Proof. Suppose R( x, y) is a universal computable relation. Let S(y) be the

relation ¬ R(y, y). Since S(y) is computable, for some k, S(y) is equivalent to
R(k, y). But then we have that S(k) is equivalent to both R(k, k ) and ¬ R(k, k),
which is a contradiction.

Theorem 36.5. Let T be any consistent theory that includes Q. Then T is not decid-
able.

Proof. Suppose T is a consistent, decidable extension of Q. We will obtain a

contradiction by using T to define a universal computable relation.
Let R( x, y) hold if and only if
x codes a formula θ (u), and T proves θ (y).
Since we are assuming that T is decidable, R is computable. Let us show that
R is universal. If S(y) is any computable relation, then it is representable in Q
(and hence T) by a formula θS (u). Then for every n, we have

S(n) → T ⊢ θS (n)
→ R (# θ S ( u )# , n )
and

¬S(n) → T ⊢ ¬θS (n)

→ T ̸⊢ θS (n) (since T is consistent)
→ ¬ R (# θ S ( u )# , n ).
That is, for every y, S(y) is true if and only if R(# θS (u)# , y) is. So R is universal,
and we have the contradiction we were looking for.

568 Release : d3a1905 (2022-12-19)

36.5. AXIOMATIZABLE THEORIES

Let “true arithmetic” be the theory { φ : N ⊨ φ}, that is, the set of sentences
in the language of arithmetic that are true in the standard interpretation.

Corollary 36.6. True arithmetic is not decidable.

36.5 Axiomatizable Theories

A theory T is said to be axiomatizable if it has a computable set of axioms A.
(Saying that A is a set of axioms for T means T = { φ : A ⊢ φ}.) Any “rea-
sonable” axiomatization of the natural numbers will have this property. In
particular, any theory with a finite set of axioms is axiomatizable.

Lemma 36.7. Suppose T is axiomatizable. Then T is computably enumerable.

Proof. Suppose A is a computable set of axioms for T. To determine if φ ∈ T,

just search for a derivation of φ from the axioms.
Put slightly differently, φ is in T if and only if there is a finite list of axioms
ψ1 , . . . , ψk in A and a derivation of (ψ1 ∧ · · · ∧ ψk ) → φ in first-order logic.
But we already know that any set with a definition of the form “there exists
. . . such that . . . ” is c.e., provided the second “. . . ” is computable.

36.6 Axiomatizable Complete Theories are Decidable

A theory is said to be complete if for every sentence φ, either φ or ¬ φ is prov-
able.

Lemma 36.8. Suppose a theory T is complete and axiomatizable. Then T is decid-

able.

Proof. Suppose T is complete and A is a computable set of axioms. If T is

inconsistent, it is clearly computable. (Algorithm: “just say yes.”) So we can
assume that T is also consistent.
To decide whether or not a sentence φ is in T, simultaneously search for
a derivation of φ from T and a derivation of ¬ φ. Since T is complete, you are
bound to find one or the other; and since T is consistent, if you find a deriva-
tion of ¬ φ, there is no derivation of φ.
Put in different terms, we already know that T is c.e.; so by a theorem we
proved before, it suffices to show that the complement of T is c.e. also. But
a formula φ is in T̄ if and only if ¬ φ is in T; so T̄ ≤m T.

36.7 Q has no Complete, Consistent, Axiomatizable

Extensions
Theorem 36.9. There is no complete, consistent, axiomatizable extension of Q.

Release : d3a1905 (2022-12-19) 569

 CHAPTER 36. THEORIES AND COMPUTABILITY

Proof. We already know that there is no consistent, decidable extension of Q.

But if T is complete and axiomatized, then it is decidable.

This theorems is not that far from Gödel’s original 1931 formulation of the
First Incompleteness Theorem. Aside from the more modern terminology, the
key differences are this: Gödel has “ω-consistent” instead of “consistent”; and
he could not say “axiomatizable” in full generality, since the formal notion of
computability was not in place yet. (The formal models of computability were
developed over the following decade, including by Gödel, and in large part to
be able to characterize the kinds of theories that are susceptible to the Gödel
phenomenon.)
The theorem says you can’t have it all, namely, completeness, consistency,
and axiomatizability. If you give up any one of these, though, you can have
the other two: Q is consistent and computably axiomatized, but not com-
plete; the inconsistent theory is complete, and computably axiomatized (say,
by {0 ̸= 0}), but not consistent; and the set of true sentence of arithmetic is
complete and consistent, but it is not computably axiomatized.

36.8 Sentences Provable and Refutable in Q are Computably

Inseparable
Let Q̄ be the set of sentences whose negations are provable in Q, i.e., Q̄ = { φ :
Q ⊢ ¬ φ}. Remember that disjoint sets A and B are said to be computably
inseparable if there is no computable set C such that A ⊆ C and B ⊆ C.
Lemma 36.10. Q and Q̄ are computably inseparable.

Proof. Suppose C is a computable set such that Q ⊆ C and Q̄ ⊆ C. Let R( x, y)

be the relation
x codes a formula θ (u) and θ (y) is in C.
We will show that R( x, y) is a universal computable relation, yielding a con-
tradiction.
Suppose S(y) is computable, represented by θS (u) in Q. Then

S(n) → Q ⊢ θS (n)
→ θS (n) ∈ C
and

¬S(n) → Q ⊢ ¬θS (n)

→ θS (n) ∈ Q̄
→ θS (n) ̸∈ C
So S(y) is equivalent to R(#(θS (u)), y).

570 Release : d3a1905 (2022-12-19)

36.9. THEORIES CONSISTENT WITH Q ARE UNDECIDABLE

36.9 Theories Consistent with Q are Undecidable

The following theorem says that not only is Q undecidable, but, in fact, any
theory that does not disagree with Q is undecidable.

Theorem 36.11. Let T be any theory in the language of arithmetic that is consistent
with Q (i.e., T ∪ Q is consistent). Then T is undecidable.

Proof. Remember that Q has a finite set of axioms, Q1 , . . . , Q8 . We can even

replace these by a single axiom, α = Q1 ∧ · · · ∧ Q8 .
Suppose T is a decidable theory consistent with Q. Let

C = { φ : T ⊢ α → φ }.

We show that C would be a computable separation of Q and Q̄, a contra-

diction. First, if φ is in Q, then φ is provable from the axioms of Q; by the
deduction theorem, there is a derivation of α → φ in first-order logic. So φ is
in C.
On the other hand, if φ is in Q̄, then there is a proof of α → ¬ φ in first-
order logic. If T also proves α → φ, then T proves ¬α, in which case T ∪ Q
is inconsistent. But we are assuming T ∪ Q is consistent, so T does not prove
α → φ, and so φ is not in C.
We’ve shown that if φ is in Q, then it is in C, and if φ is in Q̄, then it is in C.
So C is a computable separation, which is the contradiction we were looking
for.

This theorem is very powerful. For example, it implies:

Corollary 36.12. First-order logic for the language of arithmetic (that is, the set { φ :
φ is provable in first-order logic}) is undecidable.

Proof. First-order logic is the set of consequences of ∅, which is consistent

with Q.

36.10 Theories in which Q is Intepretable are Undecidable

We can strengthen these results even more. Informally, an interpretation of a
language L1 in another language L2 involves defining the universe, relation
symbols, and function symbols of L1 with formulas in L2 . Though we won’t
take the time to do this, one can make this definition precise.

Theorem 36.13. Suppose T is a theory in a language in which one can interpret the
language of arithmetic, in such a way that T is consistent with the interpretation of
Q. Then T is undecidable. If T proves the interpretation of the axioms of Q, then no
consistent extension of T is decidable.

Release : d3a1905 (2022-12-19) 571

 CHAPTER 36. THEORIES AND COMPUTABILITY

The proof is just a small modification of the proof of the last theorem; one
could use a counterexample to get a separation of Q and Q̄. One can take ZFC,
Zermelo-Fraenkel set theory with the axiom of choice, to be an axiomatic foun-
dation that is powerful enough to carry out a good deal of ordinary mathemat-
ics. In ZFC one can define the natural numbers, and via this interpretation,
the axioms of Q are true. So we have

Corollary 36.14. There is no decidable extension of ZFC.

Corollary 36.15. There is no complete, consistent, computably axiomatizable exten-

sion of ZFC.

The language of ZFC has only a single binary relation, ∈. (In fact, you
don’t even need equality.) So we have

Corollary 36.16. First-order logic for any language with a binary relation symbol is
undecidable.

This result extends to any language with two unary function symbols,
since one can use these to simulate a binary relation symbol. The results just
cited are tight: it turns out that first-order logic for a language with only unary
relation symbols and at most one unary function symbol is decidable.
One more bit of trivia. We know that the set of sentences in the language
0, ′ , +, ×, < true in the standard model is undecidable. In fact, one can de-
fine < in terms of the other symbols, and then one can define + in terms of
× and ′ . So the set of true sentences in the language 0, ′ , × is undecidable.
On the other hand, Presburger has shown that the set of sentences in the lan-
guage 0, ′ , + true in the language of arithmetic is decidable. The procedure is
computationally infeasible, however.

572 Release : d3a1905 (2022-12-19)

Chapter 37

Incompleteness and Provability

37.1 Introduction

Hilbert thought that a system of axioms for a mathematical structure, such

as the natural numbers, is inadequate unless it allows one to derive all true
statements about the structure. Combined with his later interest in formal
systems of deduction, this suggests that he thought that we should guarantee
that, say, the formal systems we are using to reason about the natural numbers
is not only consistent, but also complete, i.e., every statement in its language
is either derivable or its negation is. Gödel’s first incompleteness theorem
shows that no such system of axioms exists: there is no complete, consistent,
axiomatizable formal system for arithmetic. In fact, no “sufficiently strong,”
consistent, axiomatizable mathematical theory is complete.
A more important goal of Hilbert’s, the centerpiece of his program for the
justification of modern (“classical”) mathematics, was to find finitary consis-
tency proofs for formal systems representing classical reasoning. With regard
to Hilbert’s program, then, Gödel’s second incompleteness theorem was a
much bigger blow. The second incompleteness theorem can be stated in vague
terms, like the first incompleteness theorem. Roughly speaking, it says that no
sufficiently strong theory of arithmetic can prove its own consistency. We will
have to take “sufficiently strong” to include a little bit more than Q.
The idea behind Gödel’s original proof of the incompleteness theorem can
be found in the Epimenides paradox. Epimenides, a Cretan, asserted that all
Cretans are liars; a more direct form of the paradox is the assertion “this sen-
tence is false.” Essentially, by replacing truth with derivability, Gödel was
able to formalize a sentence which, in a roundabout way, asserts that it it-
self is not derivable. If that sentence were derivable, the theory would then
be inconsistent. Gödel showed that the negation of that sentence is also not
derivable from the system of axioms he was considering. (For this second
part, Gödel had to assume that the theory T is what’s called “ω-consistent.”

573
 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

ω-Consistency is related to consistency, but is a stronger property.1 A few

years after Gödel, Rosser showed that assuming simple consistency of T is
enough.)
The first challenge is to understand how one can construct a sentence that
refers to itself. For every formula φ in the language of Q, let ⌜φ⌝ denote the
numeral corresponding to # φ# . Think about what this means: φ is a formula in
the language of Q, # φ# is a natural number, and ⌜φ⌝ is a term in the language
of Q. So every formula φ in the language of Q has a name, ⌜φ⌝, which is a
term in the language of Q; this provides us with a conceptual framework in
which formulas in the language of Q can “say” things about other formulas.
The following lemma is known as the fixed-point lemma.

Lemma 37.1. Let T be any theory extending Q, and let ψ( x ) be any formula with
only the variable x free. Then there is a sentence φ such that T ⊢ φ ↔ ψ(⌜φ⌝).

The lemma asserts that given any property ψ( x ), there is a sentence φ that
asserts “ψ( x ) is true of me,” and T “knows” this.
How can we construct such a sentence? Consider the following version of
the Epimenides paradox, due to Quine:

“Yields falsehood when preceded by its quotation” yields false-

hood when preceded by its quotation.

This sentence is not directly self-referential. It simply makes an assertion

about the syntactic objects between quotes, and, in doing so, it is on par with
sentences like

1. “Robert” is a nice name.

2. “I ran.” is a short sentence.

3. “Has three words” has three words.

But what happens when one takes the phrase “yields falsehood when pre-
ceded by its quotation,” and precedes it with a quoted version of itself? Then
one has the original sentence! In short, the sentence asserts that it is false.

37.2 The Fixed-Point Lemma

The fixed-point lemma says that for any formula ψ( x ), there is a sentence φ
such that T ⊢ φ ↔ ψ(⌜φ⌝), provided T extends Q. In the case of the liar sen-
tence, we’d want φ to be equivalent (provably in T) to “⌜φ⌝ is false,” i.e., the
statement that # φ# is the Gödel number of a false sentence. To understand the
idea of the proof, it will be useful to compare it with Quine’s informal gloss
1 That is, any ω-consistent theory is consistent, but not vice versa.

574 Release : d3a1905 (2022-12-19)

37.2. THE FIXED-POINT LEMMA

of φ as, “‘yields a falsehood when preceded by its own quotation’ yields a

falsehood when preceded by its own quotation.” The operation of taking an
expression, and then forming a sentence by preceding this expression by its
own quotation may be called diagonalizing the expression, and the result its
diagonalization. So, the diagonalization of ‘yields a falsehood when preceded
by its own quotation’ is “‘yields a falsehood when preceded by its own quo-
tation’ yields a falsehood when preceded by its own quotation.” Now note
that Quine’s liar sentence is not the diagonalization of ‘yields a falsehood’ but
of ‘yields a falsehood when preceded by its own quotation.’ So the property
being diagonalized to yield the liar sentence itself involves diagonalization!
In the language of arithmetic, we form quotations of a formula with one
free variable by computing its Gödel numbers and then substituting the stan-
dard numeral for that Gödel number into the free variable. The diagonal-
ization of α( x ) is α(n), where n = # α( x )# . (From now on, let’s abbreviate
# α ( x )# as ⌜α ( x )⌝.) So if ψ ( x ) is “is a falsehood,” then “yields a falsehood if

preceded by its own quotation,” would be “yields a falsehood when applied

to the Gödel number of its diagonalization.” If we had a symbol di ag for the
function diag(n) which computes the Gödel number of the diagonalization of
the formula with Gödel number n, we could write α( x ) as ψ(di ag ( x )). And
Quine’s version of the liar sentence would then be the diagonalization of it,
i.e., α(⌜α( x )⌝) or ψ(di ag (⌜ψ(di ag ( x ))⌝)). Of course, ψ( x ) could now be any
other property, and the same construction would work. For the incomplete-
ness theorem, we’ll take ψ( x ) to be “x is not derivable in T.” Then α( x ) would
be “yields a sentence not derivable in T when applied to the Gödel number of
its diagonalization.”
To formalize this in T, we have to find a way to formalize diag. The func-
tion diag(n) is computable, in fact, it is primitive recursive: if n is the Gödel
number of a formula α( x ), diag(n) returns the Gödel number of α(⌜α( x )⌝).
(Recall, ⌜α( x )⌝ is the standard numeral of the Gödel number of α( x ), i.e.,
# α ( x )# ). If di ag were a function symbol in T representing the function diag,

we could take φ to be the formula ψ(di ag (⌜ψ(di ag ( x ))⌝)). Notice that

diag(# ψ(di ag ( x ))# ) = # ψ(di ag (⌜ψ(di ag ( x ))⌝))#

= # φ# .

Assuming T can derive

di ag (⌜ψ(di ag ( x ))⌝) = ⌜φ⌝,

it can derive ψ(di ag (⌜ψ(di ag ( x ))⌝)) ↔ ψ(⌜φ⌝). But the left hand side is, by
definition, φ.
Of course, di ag will in general not be a function symbol of T, and cer-
tainly is not one of Q. But, since diag is computable, it is representable in Q
by some formula θdiag ( x, y). So instead of writing ψ(di ag ( x )) we can write

Release : d3a1905 (2022-12-19) 575

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

∃y (θdiag ( x, y) ∧ ψ(y)). Otherwise, the proof sketched above goes through,

and in fact, it goes through already in Q.

Lemma 37.2. Let ψ( x ) be any formula with one free variable x. Then there is a
sentence φ such that Q ⊢ φ ↔ ψ(⌜φ⌝).

Proof. Given ψ( x ), let α( x ) be the formula ∃y (θdiag ( x, y) ∧ ψ(y)) and let φ be

its diagonalization, i.e., the formula α(⌜α( x )⌝).
Since θdiag represents diag, and diag(# α( x )# ) = # φ# , Q can derive

θdiag (⌜α( x )⌝, ⌜φ⌝) (37.1)

∀y (θdiag (⌜α( x )⌝, y) → y = ⌜φ⌝). (37.2)

Now we show that Q ⊢ φ ↔ ψ(⌜φ⌝). We argue informally, using just logic

and facts derivable in Q.
First, suppose φ, i.e., α(⌜α( x )⌝). Going back to the definition of α( x ), we
see that α(⌜α( x )⌝) just is

∃y (θdiag (⌜α( x )⌝, y) ∧ ψ(y)).

Consider such a y. Since θdiag (⌜α( x )⌝, y), by eq. (37.2), y = ⌜φ⌝. So, from ψ(y)
we have ψ(⌜φ⌝).
Now suppose ψ(⌜φ⌝). By eq. (37.1), we have

θdiag (⌜α( x )⌝, ⌜φ⌝) ∧ ψ(⌜φ⌝).

It follows that

∃y (θdiag (⌜α( x )⌝, y) ∧ ψ(y)).

But that’s just α(⌜α( x )⌝), i.e., φ.

You should compare this to the proof of the fixed-point lemma in com-
putability theory. The difference is that here we want to define a statement in
terms of itself, whereas there we wanted to define a function in terms of itself;
this difference aside, it is really the same idea.

37.3 The First Incompleteness Theorem

We can now describe Gödel’s original proof of the first incompleteness theo-
rem. Let T be any computably axiomatized theory in a language extending
the language of arithmetic, such that T includes the axioms of Q. This means
that, in particular, T represents computable functions and relations.
We have argued that, given a reasonable coding of formulas and proofs
as numbers, the relation PrfT ( x, y) is computable, where PrfT ( x, y) holds if

576 Release : d3a1905 (2022-12-19)

37.3. THE FIRST INCOMPLETENESS THEOREM

and only if x is the Gödel number of a derivation of the formula with Gödel
number y in T. In fact, for the particular theory that Gödel had in mind, Gödel
was able to show that this relation is primitive recursive, using the list of 45
functions and relations in his paper. The 45th relation, xBy, is just PrfT ( x, y)
for his particular choice of T. Remember that where Gödel uses the word
“recursive” in his paper, we would now use the phrase “primitive recursive.”
Since PrfT ( x, y) is computable, it is representable in T. We will use Prf T ( x, y)
to refer to the formula that represents it. Let Prov T (y) be the formula ∃ x Prf T ( x, y).
This describes the 46th relation, Bew(y), on Gödel’s list. As Gödel notes, this
is the only relation that “cannot be asserted to be recursive.” What he proba-
bly meant is this: from the definition, it is not clear that it is computable; and
later developments, in fact, show that it isn’t.
Let T be an axiomatizable theory containing Q. Then PrfT ( x, y) is decid-
able, hence representable in Q by a formula Prf T ( x, y). Let Prov T (y) be the
formula we described above. By the fixed-point lemma, there is a formula γT
such that Q (and hence T) derives

γT ↔ ¬Prov T (⌜γT ⌝). (37.3)

Note that γT says, in essence, “γT is not derivable in T.”

Lemma 37.3. If T is a consistent, axiomatizable theory extending Q, then T ⊬ γT .

Proof. Suppose T derives γT . Then there is a derivation, and so, for some
number m, the relation PrfT (m, # γT # ) holds. But then Q derives the sentence
Prf T (m, ⌜γT ⌝). So Q derives ∃ x Prf T ( x, ⌜γT ⌝), which is, by definition, Prov T (⌜γT ⌝).
By eq. (37.3), Q derives ¬γT , and since T extends Q, so does T. We have
shown that if T derives γT , then it also derives ¬γT , and hence it would be
inconsistent.

Definition 37.4. A theory T is ω-consistent if the following holds: if ∃ x φ( x )

is any sentence and T derives ¬ φ(0), ¬ φ(1), ¬ φ(2), . . . then T does not prove
∃ x φ ( x ).

Note that every ω-consistent theory is also consistent. This follows simply
from the fact that if T is inconsistent, then T ⊢ φ for every φ. In particular, if T
is inconsistent, it derives both ¬ φ(n) for every n and also derives ∃ x φ( x ). So,
if T is inconsistent, it is ω-inconsistent. By contraposition, if T is ω-consistent,
it must be consistent.

Lemma 37.5. If T is an ω-consistent, axiomatizable theory extending Q, then T ⊬

¬ γT .

Proof. We show that if T derives ¬γT , then it is ω-inconsistent. Suppose T

derives ¬γT . If T is inconsistent, it is ω-inconsistent, and we are done. Oth-
erwise, T is consistent, so it does not derive γT by Lemma 37.3. Since there is

Release : d3a1905 (2022-12-19) 577

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

no derivation of γT in T, Q derives

¬Prf T (0, ⌜γT ⌝), ¬Prf T (1, ⌜γT ⌝), ¬Prf T (2, ⌜γT ⌝), . . .

and so does T. On the other hand, by eq. (37.3), ¬γT is equivalent to ∃ x Prf T ( x, ⌜γT ⌝).
So T is ω-inconsistent.

Theorem 37.6. Let T be any ω-consistent, axiomatizable theory extending Q. Then

T is not complete.

Proof. If T is ω-consistent, it is consistent, so T ⊬ γT by Lemma 37.3. By

Lemma 37.5, T ⊬ ¬γT . This means that T is incomplete, since it derives neither
γT nor ¬γT .

37.4 Rosser’s Theorem

Can we modify Gödel’s proof to get a stronger result, replacing “ω-consistent”
with simply “consistent”? The answer is “yes,” using a trick discovered by
Rosser. Rosser’s trick is to use a “modified” derivability predicate RProv T (y)
instead of Prov T (y).

Theorem 37.7. Let T be any consistent, axiomatizable theory extending Q. Then T

is not complete.

Proof. Recall that Prov T (y) is defined as ∃ x Prf T ( x, y), where Prf T ( x, y) repre-
sents the decidable relation which holds iff x is the Gödel number of a deriva-
tion of the sentence with Gödel number y. The relation that holds between x
and y if x is the Gödel number of a refutation of the sentence with Gödel num-
ber y is also decidable. Let not( x ) be the primitive recursive function which
does the following: if x is the code of a formula φ, not( x ) is a code of ¬ φ.
Then RefT ( x, y) holds iff PrfT ( x, not(y)). Let Ref T ( x, y) represent it. Then, if
T ⊢ ¬ φ and δ is a corresponding derivation, Q ⊢ Ref T (⌜δ⌝, ⌜φ⌝). We define
RProv T (y) as

∃ x (Prf T ( x, y) ∧ ∀z (z < x → ¬Ref T (z, y))).

Roughly, RProv T (y) says “there is a proof of y in T, and there is no shorter

refutation of y.” Assuming T is consistent, RProv T (y) is true of the same
numbers as Prov T (y); but from the point of view of provability in T (and we
now know that there is a difference between truth and provability!) the two
have different properties. If T is inconsistent, then the two do not hold of the
same numbers! (RProv T (y) is often read as “y is Rosser provable.” Since, as
just discussed, Rosser provability is not some special kind of provability—
in inconsistent theories, there are sentences that are provable but not Rosser
provable—this may be confusing. To avoid the confusion, you could instead
read it as “y is shmovable.”)

578 Release : d3a1905 (2022-12-19)

37.4. ROSSER’S THEOREM

By the fixed-point lemma, there is a formula ρT such that

Q ⊢ ρT ↔ ¬RProv T (⌜ρT ⌝). (37.4)

In contrast to the proof of Theorem 37.6, here we claim that if T is consistent,

T doesn’t derive ρT , and T also doesn’t derive ¬ρT . (In other words, we don’t
need the assumption of ω-consistency.)
First, let’s show that T ⊬ ρ T . Suppose it did, so there is a derivation of ρ T
from T; let n be its Gödel number. Then Q ⊢ Prf T (n, ⌜ρ T ⌝), since Prf T repre-
sents PrfT in Q. Also, for each k < n, k is not the Gödel number of a deriva-
tion of ¬ρ T , since T is consistent. So for each k < n, Q ⊢ ¬Ref T (k, ⌜ρ T ⌝). By
Lemma 35.24, Q ⊢ ∀z (z < n → ¬Ref T (z, ⌜ρ T ⌝)). Thus,

Q ⊢ ∃ x (Prf T ( x, ⌜ρ T ⌝) ∧ ∀z (z < x → ¬Ref T (z, ⌜ρ T ⌝))),

but that’s just RProv T (⌜ρ T ⌝). By eq. (37.4), Q ⊢ ¬ρ T . Since T extends Q, also
T ⊢ ¬ρ T . We’ve assumed that T ⊢ ρ T , so T would be inconsistent, contrary to
the assumption of the theorem.
Now, let’s show that T ⊬ ¬ρ T . Again, suppose it did, and suppose n is
the Gödel number of a derivation of ¬ρ T . Then RefT (n, # ρ T # ) holds, and since
Ref T represents RefT in Q, Q ⊢ Ref T (n, ⌜ρ T ⌝). We’ll again show that T would
then be inconsistent because it would also derive ρ T . Since

Q ⊢ ρ T ↔ ¬RProv T (⌜ρ T ⌝),

and since T extends Q, it suffices to show that

Q ⊢ ¬RProv T (⌜ρ T ⌝).

The sentence ¬RProv T (⌜ρ T ⌝), i.e.,

¬∃ x (Prf T ( x, ⌜ρ T ⌝) ∧ ∀z (z < x → ¬Ref T (z, ⌜ρ T ⌝))),

is logically equivalent to

∀ x (Prf T ( x, ⌜ρ T ⌝) → ∃z (z < x ∧ Ref T (z, ⌜ρ T ⌝))).

We argue informally using logic, making use of facts about what Q derives.
Suppose x is arbitrary and Prf T ( x, ⌜ρ T ⌝). We already know that T ⊬ ρ T , and
so for every k, Q ⊢ ¬Prf T (k, ⌜ρ T ⌝). Thus, for every k it follows that x ̸= k. In
particular, we have (a) that x ̸= n. We also have ¬( x = 0 ∨ x = 1 ∨ · · · ∨ x =
n − 1) and so by Lemma 35.24, (b) ¬( x < n). By Lemma 35.25, n < x. Since
Q ⊢ Ref T (n, ⌜ρ T ⌝), we have n < x ∧ Ref T (n, ⌜ρ T ⌝), and from that ∃z (z <
x ∧ Ref T (z, ⌜ρ T ⌝)). Since x was arbitrary we get, as required, that

∀ x (Prf T ( x, ⌜ρ T ⌝) → ∃z (z < x ∧ Ref T (z, ⌜ρ T ⌝))).

Release : d3a1905 (2022-12-19) 579

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

37.5 Comparison with Gödel’s Original Paper

It is worthwhile to spend some time with Gödel’s 1931 paper. The introduc-
tion sketches the ideas we have just discussed. Even if you just skim through
the paper, it is easy to see what is going on at each stage: first Gödel describes
the formal system P (syntax, axioms, proof rules); then he defines the prim-
itive recursive functions and relations; then he shows that xBy is primitive
recursive, and argues that the primitive recursive functions and relations are
represented in P. He then goes on to prove the incompleteness theorem, as
above. In Section 3, he shows that one can take the unprovable assertion to
be a sentence in the language of arithmetic. This is the origin of the β-lemma,
which is what we also used to handle sequences in showing that the recursive
functions are representable in Q. Gödel doesn’t go so far to isolate a minimal
set of axioms that suffice, but we now know that Q will do the trick. Finally,
in Section 4, he sketches a proof of the second incompleteness theorem.

37.6 The Derivability Conditions for PA

Peano arithmetic, or PA, is the theory extending Q with induction axioms for
all formulas. In other words, one adds to Q axioms of the form

( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x )

for every formula φ. Notice that this is really a schema, which is to say, in-
finitely many axioms (and it turns out that PA is not finitely axiomatizable).
But since one can effectively determine whether or not a string of symbols is
an instance of an induction axiom, the set of axioms for PA is computable. PA
is a much more robust theory than Q. For example, one can easily prove that
addition and multiplication are commutative, using induction in the usual
way. In fact, most finitary number-theoretic and combinatorial arguments can
be carried out in PA.
Since PA is computably axiomatized, the derivability predicate PrfPA ( x, y)
is computable and hence represented in Q (and so, in PA). As before, we will
take Prf PA ( x, y) to denote the formula representing the relation. Let ProvPA (y)
be the formula ∃ x PrfPA ( x, y), which, intuitively says, “y is derivable from the
axioms of PA.” The reason we need a little bit more than the axioms of Q is
we need to know that the theory we are using is strong enough to derive a
few basic facts about this derivability predicate. In fact, what we need are the
following facts:

P1. If PA ⊢ φ, then PA ⊢ ProvPA (⌜φ⌝).

P2. For all formulas φ and ψ,

PA ⊢ ProvPA (⌜φ → ψ⌝) → (ProvPA (⌜φ⌝) → ProvPA (⌜ψ⌝)).

580 Release : d3a1905 (2022-12-19)

37.7. THE SECOND INCOMPLETENESS THEOREM

P3. For every formula φ,

PA ⊢ ProvPA (⌜φ⌝) → ProvPA (⌜ProvPA (⌜φ⌝)⌝).

The only way to verify that these three properties hold is to describe the for-
mula ProvPA (y) carefully and use the axioms of PA to describe the relevant
formal derivations. Conditions (1) and (2) are easy; it is really condition (3)
that requires work. (Think about what kind of work it entails . . . ) Carrying
out the details would be tedious and uninteresting, so here we will ask you
to take it on faith that PA has the three properties listed above. A reasonable
choice of ProvPA (y) will also satisfy

P4. If PA ⊢ ProvPA (⌜φ⌝), then PA ⊢ φ.

But we will not need this fact.

Incidentally, Gödel was lazy in the same way we are being now. At the
end of the 1931 paper, he sketches the proof of the second incompleteness
theorem, and promises the details in a later paper. He never got around to it;
since everyone who understood the argument believed that it could be carried
out (he did not need to fill in the details.)

37.7 The Second Incompleteness Theorem

How can we express the assertion that PA doesn’t prove its own consistency?
Saying PA is inconsistent amounts to saying that PA ⊢ 0 = 1. So we can take
the consistency statement ConPA to be the sentence ¬ProvPA (⌜0 = 1⌝), and
then the following theorem does the job:

Theorem 37.8. Assuming PA is consistent, then PA does not derive ConPA .

It is important to note that the theorem depends on the particular represen-

tation of ConPA (i.e., the particular representation of ProvPA (y)). All we will
use is that the representation of ProvPA (y) satisfies the three derivability con-
ditions, so the theorem generalizes to any theory with a derivability predicate
having these properties.
It is informative to read Gödel’s sketch of an argument, since the theorem
follows like a good punch line. It goes like this. Let γPA be the Gödel sentence
that we constructed in the proof of Theorem 37.6. We have shown “If PA is
consistent, then PA does not derive γPA .” If we formalize this in PA, we have
a proof of
ConPA → ¬ProvPA (⌜γPA ⌝).
Now suppose PA derives ConPA . Then it derives ¬ProvPA (⌜γPA ⌝). But since
γPA is a Gödel sentence, this is equivalent to γPA . So PA derives γPA .
But: we know that if PA is consistent, it doesn’t derive γPA ! So if PA is
consistent, it can’t derive ConPA .

Release : d3a1905 (2022-12-19) 581

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

To make the argument more precise, we will let γPA be the Gödel sentence
for PA and use the derivability conditions (P1)–(P3) to show that PA derives
ConPA → γPA . This will show that PA doesn’t derive ConPA . Here is a sketch
of the proof, in PA. (For simplicity, we drop the PA subscripts.)

γ ↔ ¬Prov(⌜γ⌝) (37.5)
γ is a Gödel sentence
γ → ¬Prov(⌜γ⌝) (37.6)
from eq. (37.5)
γ → (Prov(⌜γ⌝) → ⊥) (37.7)
from eq. (37.6) by logic
Prov(⌜γ → (Prov(⌜γ⌝) → ⊥)⌝) (37.8)
by from eq. (37.7) by condition P1
Prov(⌜γ⌝) → Prov(⌜(Prov(⌜γ⌝) → ⊥)⌝) (37.9)
from eq. (37.8) by condition P2
Prov(⌜γ⌝) → (Prov(⌜Prov(⌜γ⌝)⌝) → Prov(⌜⊥⌝)) (37.10)
from eq. (37.9) by condition P2 and logic
Prov(⌜γ⌝) → Prov(⌜Prov(⌜γ⌝)⌝) (37.11)
by P3
Prov(⌜γ⌝) → Prov(⌜⊥⌝) (37.12)
from eq. (37.10) and eq. (37.11) by logic
Con → ¬Prov(⌜γ⌝) (37.13)
contraposition of eq. (37.12) and Con ≡ ¬Prov(⌜⊥⌝)
Con → γ
from eq. (37.5) and eq. (37.13) by logic

The use of logic in the above just elementary facts from propositional logic,
e.g., eq. (37.7) uses ⊢ ¬ φ ↔ ( φ → ⊥) and eq. (37.12) uses φ → (ψ → χ), φ → ψ ⊢
φ → χ. The use of condition P2 in eq. (37.9) and eq. (37.10) relies on instances
of P2, Prov(⌜φ → ψ⌝) → (Prov(⌜φ⌝) → Prov(⌜ψ⌝)). In the first one, φ ≡ γ and
ψ ≡ Prov(⌜γ⌝) → ⊥; in the second, φ ≡ Prov(⌜G⌝) and ψ ≡ ⊥.
The more abstract version of the second incompleteness theorem is as fol-
lows:

Theorem 37.9. Let T be any consistent, axiomatized theory extending Q and let
Prov T (y) be any formula satisfying derivability conditions P1–P3 for T. Then T
does not derive ConT .

The moral of the story is that no “reasonable” consistent theory for math-
ematics can derive its own consistency statement. Suppose T is a theory of

582 Release : d3a1905 (2022-12-19)

37.8. LÖB’S THEOREM

mathematics that includes Q and Hilbert’s “finitary” reasoning (whatever that

may be). Then, the whole of T cannot derive the consistency statement of T,
and so, a fortiori, the finitary fragment can’t derive the consistency statement
of T either. In that sense, there cannot be a finitary consistency proof for “all
of mathematics.”
There is some leeway in interpreting the term “finitary,” and Gödel, in the
1931 paper, grants the possibility that something we may consider “finitary”
may lie outside the kinds of mathematics Hilbert wanted to formalize. But
Gödel was being charitable; today, it is hard to see how we might find some-
thing that can reasonably be called finitary but is not formalizable in, say, ZFC,
Zermelo-Fraenkel set theory with the axiom of choice.

37.8 Löb’s Theorem

The Gödel sentence for a theory T is a fixed point of ¬Prov T (y), i.e., a sen-
tence γ such that
T ⊢ ¬Prov T (⌜γ⌝) ↔ γ.
It is not derivable, because if T ⊢ γ, (a) by derivability condition (1), T ⊢
Prov T (⌜γ⌝), and (b) T ⊢ γ together with T ⊢ ¬Prov T (⌜γ⌝) ↔ γ gives T ⊢
¬Prov T (⌜γ⌝), and so T would be inconsistent. Now it is natural to ask about
the status of a fixed point of Prov T (y), i.e., a sentence δ such that

T ⊢ Prov T (⌜δ⌝) ↔ δ.

If it were derivable, T ⊢ Prov T (⌜δ⌝) by condition (1), but the same conclusion
follows if we apply modus ponens to the equivalence above. Hence, we don’t
get that T is inconsistent, at least not by the same argument as in the case of
the Gödel sentence. This of course does not show that T does derive δ.
We can make headway on this question if we generalize it a bit. The left-to-
right direction of the fixed point equivalence, Prov T (⌜δ⌝) → δ, is an instance
of a general schema called a reflection principle: Prov T (⌜φ⌝) → φ. It is called
that because it expresses, in a sense, that T can “reflect” about what it can
derive; basically it says, “If T can derive φ, then φ is true,” for any φ. This is
true for sound theories only, of course, and this suggests that theories will in
general not derive every instance of it. So which instances can a theory (strong
enough, and satisfying the derivability conditions) derive? Certainly all those
where φ itself is derivable. And that’s it, as the next result shows.

Theorem 37.10. Let T be an axiomatizable theory extending Q, and suppose Prov T (y)
is a formula satisfying conditions P1–P3 from section 37.7. If T derives Prov T (⌜φ⌝) →
φ, then in fact T derives φ.

Put differently, if T ⊬ φ, then T ⊬ Prov T (⌜φ⌝) → φ. This result is known as

Löb’s theorem.

Release : d3a1905 (2022-12-19) 583

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

The heuristic for the proof of Löb’s theorem is a clever proof that Santa
Claus exists. (If you don’t like that conclusion, you are free to substitute any
other conclusion you would like.) Here it is:

1. Let X be the sentence, “If X is true, then Santa Claus exists.”

2. Suppose X is true.

3. Then what it says holds; i.e., we have: if X is true, then Santa Claus
exists.

4. Since we are assuming X is true, we can conclude that Santa Claus exists,
by modus ponens from (2) and (3).

5. We have succeeded in deriving (4), “Santa Claus exists,” from the as-
sumption (2), “X is true.” By conditional proof, we have shown: “If X is
true, then Santa Claus exists.”

6. But this is just the sentence X. So we have shown that X is true.

7. But then, by the argument (2)–(4) above, Santa Claus exists.

A formalization of this idea, replacing “is true” with “is derivable,” and “Santa
Claus exists” with φ, yields the proof of Löb’s theorem. The trick is to apply
the fixed-point lemma to the formula Prov T (y) → φ. The fixed point of that
corresponds to the sentence X in the preceding sketch.

Proof of Theorem 37.10. Suppose φ is a sentence such that T derives Prov T (⌜φ⌝) →
φ. Let ψ(y) be the formula Prov T (y) → φ, and use the fixed-point lemma to
find a sentence θ such that T derives θ ↔ ψ(⌜θ⌝). Then each of the following

584 Release : d3a1905 (2022-12-19)

37.8. LÖB’S THEOREM

is derivable in T:
θ ↔ (Prov T (⌜θ⌝) → φ) (37.14)
θ is a fixed point of ψ(y)
θ → (Prov T (⌜θ⌝) → φ) (37.15)
from eq. (37.14)
Prov T (⌜θ → (Prov T (⌜θ⌝) → φ)⌝) (37.16)
from eq. (37.15) by condition P1
Prov T (⌜θ⌝) → Prov T (⌜Prov T (⌜θ⌝) → φ⌝) (37.17)
from eq. (37.16) using condition P2
Prov T (⌜θ⌝) → (Prov T (⌜Prov T (⌜θ⌝)⌝) → Prov T (⌜φ⌝)) (37.18)
from eq. (37.17) using P2 again
Prov T (⌜θ⌝) → Prov T (⌜Prov T (⌜θ⌝)⌝) (37.19)
by derivability condition P3
Prov T (⌜θ⌝) → Prov T (⌜φ⌝) (37.20)
from eq. (37.18) and eq. (37.19)
Prov T (⌜φ⌝) → φ (37.21)
by assumption of the theorem
Prov T (⌜θ⌝) → φ (37.22)
from eq. (37.20) and eq. (37.21)
(Prov T (⌜θ⌝) → φ) → θ (37.23)
from eq. (37.14)
θ (37.24)
from eq. (37.22) and eq. (37.23)
Prov T (⌜θ⌝) (37.25)
from eq. (37.24) by condition P1
φ from eq. (37.21) and eq. (37.25)
With Löb’s theorem in hand, there is a short proof of the second incom-
pleteness theorem (for theories having a derivability predicate satisfying con-
ditions P1–P3): if T ⊢ Prov T (⌜⊥⌝) → ⊥, then T ⊢ ⊥. If T is consistent, T ⊬ ⊥.
So, T ⊬ Prov T (⌜⊥⌝) → ⊥, i.e., T ⊬ ConT . We can also apply it to show that δ,
the fixed point of Prov T ( x ), is derivable. For since
T ⊢ Prov T (⌜δ⌝) ↔ δ

in particular

T ⊢ Prov T (⌜δ⌝) → δ
and so by Löb’s theorem, T ⊢ δ.

Release : d3a1905 (2022-12-19) 585

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

37.9 The Undefinability of Truth

The notion of definability depends on having a formal semantics for the lan-
guage of arithmetic. We have described a set of formulas and sentences in
the language of arithmetic. The “intended interpretation” is to read such sen-
tences as making assertions about the natural numbers, and such an assertion
can be true or false. Let N be the structure with domain N and the standard in-
terpretation for the symbols in the language of arithmetic. Then N ⊨ φ means
“φ is true in the standard interpretation.”
Definition 37.11. A relation R( x1 , . . . , xk ) of natural numbers is definable in N
if and only if there is a formula φ( x1 , . . . , xk ) in the language of arithmetic
such that for every n1 , . . . , nk , R(n1 , . . . , nk ) if and only if N ⊨ φ(n1 , . . . , nk ).

Put differently, a relation is definable in N if and only if it is representable

in the theory TA, where TA = { φ : N ⊨ φ} is the set of true sentences of
arithmetic. (If this is not immediately clear to you, you should go back and
check the definitions and convince yourself that this is the case.)
Lemma 37.12. Every computable relation is definable in N.

Proof. It is easy to check that the formula representing a relation in Q defines

the same relation in N.

Now one can ask, is the converse also true? That is, is every relation defin-
able in N computable? The answer is no. For example:
Lemma 37.13. The halting relation is definable in N.

Proof. Let H be the halting relation, i.e.,

H = {⟨e, x ⟩ : ∃s T (e, x, s)}.

Let θ T define T in N. Then

H = {⟨e, x ⟩ : N ⊨ ∃s θ T (e, x, s)},

so ∃s θ T (z, x, s) defines H in N.

What about TA itself? Is it definable in arithmetic? That is: is the set

{ φ# : N ⊨ φ} definable in arithmetic? Tarski’s theorem answers this in the
#

negative.
Theorem 37.14. The set of true sentences of arithmetic is not definable in arithmetic.

Proof. Suppose θ ( x ) defined it, i.e., N ⊨ φ iff N ⊨ θ (⌜φ⌝). By the fixed-point

lemma, there is a formula φ such that Q ⊢ φ ↔ ¬θ (⌜φ⌝), and hence N ⊨ φ ↔
¬θ (⌜φ⌝). But then N ⊨ φ if and only if N ⊨ ¬θ (⌜φ⌝), which contradicts the
fact that θ (y) is supposed to define the set of true statements of arithmetic.

586 Release : d3a1905 (2022-12-19)

37.9. THE UNDEFINABILITY OF TRUTH

Tarski applied this analysis to a more general philosophical notion of truth.

Given any language L, Tarski argued that an adequate notion of truth for L
would have to satisfy, for each sentence X,

‘X’ is true if and only if X.

Tarski’s oft-quoted example, for English, is the sentence

‘Snow is white’ is true if and only if snow is white.

However, for any language strong enough to represent the diagonal function,
and any linguistic predicate T ( x ), we can construct a sentence X satisfying
“X if and only if not T (‘X’).” Given that we do not want a truth predicate
to declare some sentences to be both true and false, Tarski concluded that
one cannot specify a truth predicate for all sentences in a language without,
somehow, stepping outside the bounds of the language. In other words, a the
truth predicate for a language cannot be defined in the language itself.

Problems
Problem 37.1. A formula φ( x ) is a truth definition if Q ⊢ ψ ↔ φ(⌜ψ⌝) for all
sentences ψ. Show that no formula is a truth definition by using the fixed-
point lemma.

Problem 37.2. Every ω-consistent theory is consistent. Show that the con-
verse does not hold, i.e., that there are consistent but ω-inconsistent theories.
Do this by showing that Q ∪ {¬γQ } is consistent but ω-inconsistent.

Problem 37.3. Two sets A and B of natural numbers are said to be computably
inseparable if there is no decidable set X such that A ⊆ X and B ⊆ X (X is the
complement, N \ X, of X). Let T be a consistent axiomatizable extension of
Q. Suppose A is the set of Gödel numbers of sentences provable in T and B
the set of Gödel numbers of sentences refutable in T. Prove that A and B are
computably inseparable.

Problem 37.4. Show that PA derives γPA → ConPA .

Problem 37.5. Let T be a computably axiomatized theory, and let Prov T be

a derivability predicate for T. Consider the following four statements:

1. If T ⊢ φ, then T ⊢ Prov T (⌜φ⌝).

2. T ⊢ φ → Prov T (⌜φ⌝).

3. If T ⊢ Prov T (⌜φ⌝), then T ⊢ φ.

4. T ⊢ Prov T (⌜φ⌝) → φ

Release : d3a1905 (2022-12-19) 587

 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

Under what conditions are each of these statements true?

Problem 37.6. Show that Q(n) ⇔ n ∈ {# φ# : Q ⊢ φ} is definable in arith-

metic.

588 Release : d3a1905 (2022-12-19)

 Part VIII

Second-order Logic

589
 CHAPTER 37. INCOMPLETENESS AND PROVABILITY

This is the beginnings of a part on second-order logic.

590 Release : d3a1905 (2022-12-19)

Chapter 38

Syntax and Semantics

Basic syntax and semantics for SOL covered so far. As a chapter it’s
too short. Substitution for second-order variables has to be covered to
be able to talk about derivation systems for SOL, and there’s some subtle
issues there.

38.1 Introduction
In first-order logic, we combine the non-logical symbols of a given language,
i.e., its constant symbols, function symbols, and predicate symbols, with the
logical symbols to express things about first-order structures. This is done
using the notion of satisfaction, which relates a structure M, together with a
variable assignment s, and a formula φ: M, s ⊨ φ holds iff what φ expresses
when its constant symbols, function symbols, and predicate symbols are in-
terpreted as M says, and its free variables are interpreted as s says, is true.
The interpretation of the identity predicate = is built into the definition of
M, s ⊨ φ, as is the interpretation of ∀ and ∃. The former is always interpreted
as the identity relation on the domain |M| of the structure, and the quanti-
fiers are always interpreted as ranging over the entire domain. But, crucially,
quantification is only allowed over elements of the domain, and so only object
variables are allowed to follow a quantifier.
In second-order logic, both the language and the definition of satisfaction
are extended to include free and bound function and predicate variables, and
quantification over them. These variables are related to function symbols and
predicate symbols the same way that object variables are related to constant
symbols. They play the same role in the formation of terms and formulas
of second-order logic, and quantification over them is handled in a similar
way. In the standard semantics, the second-order quantifiers range over all
possible objects of the right type (n-place functions from |M| to |M| for func-

591
 CHAPTER 38. SYNTAX AND SEMANTICS

tion variables, n-place relations for predicate variables). For instance, while
∀v0 (P01 (v0 ) ∨ ¬P01 (v0 )) is a formula in both first- and second-order logic, in
the latter we can also consider ∀V01 ∀v0 (V01 (v0 ) ∨ ¬V01 (v0 )) and ∃V01 ∀v0 (V01 (v0 ) ∨
¬V01 (v0 )). Since these contain no free variables, they are sentences of second-
order logic. Here, V01 is a second-order 1-place predicate variable. The allow-
able interpretations of V01 are the same that we can assign to a 1-place predicate
symbol like P01 , i.e., subsets of |M|. Quantification over them then amounts
to saying that ∀v0 (V01 (v0 ) ∨ ¬V01 (v0 )) holds for all ways of assigning a subset
of |M| as the value of V01 , or for at least one. Since every set either contains or
fails to contain a given object, both are true in any structure.

38.2 Terms and Formulas

Like in first-order logic, expressions of second-order logic are built up from
a basic vocabulary containing variables, constant symbols, predicate symbols and
sometimes function symbols. From them, together with logical connectives,
quantifiers, and punctuation symbols such as parentheses and commas, terms
and formulas are formed. The difference is that in addition to variables for
objects, second-order logic also contains variables for relations and functions,
and allows quantification over them. So the logical symbols of second-order
logic are those of first-order logic, plus:

1. A denumerable set of second-order relation variables of every arity n:

V0n , V1n , V2n , . . .

2. A denumerable set of second-order function variables: u0n , u1n , u2n , . . .

Just as we use x, y, z as meta-variables for first-order variables vi , we’ll use

X, Y, Z, etc., as metavariables for Vin and u, v, etc., as meta-variables for uin .
The non-logical symbols of a second-order language are specified the same
way a first-order language is: by listing its constant symbols, function sym-
bols, and predicate symbols.
In first-order logic, the identity predicate = is usually included. In first-
order logic, the non-logical symbols of a language L are crucial to allow us to
express anything interesting. There are of course sentences that use no non-
logical symbols, but with only = it is hard to say anything interesting. In
second-order logic, since we have an unlimited supply of relation and func-
tion variables, we can say anything we can say in a first-order language even
without a special supply of non-logical symbols.

Definition 38.1 (Second-order Terms). The set of second-order terms of L, Trm2 (L),
is defined by adding to Definition 15.4 the clause

1. If u is an n-place function variable and t1 , . . . , tn are terms, then u(t1 , . . . , tn )

is a term.

592 Release : d3a1905 (2022-12-19)

38.3. SATISFACTION

So, a second-order term looks just like a first-order term, except that where
a first-order term contains a function symbol fi n , a second-order term may
contain a function variable uin in its place.

Definition 38.2 (Second-order formula). The set of second-order formulas Frm2 (L)
of the language L is defined by adding to Definition 15.4 the clauses

1. If X is an n-place predicate variable and t1 , . . . , tn are second-order terms

of L, then X (t1 , . . . , tn ) is an atomic formula.

2. If φ is a formula and u is a function variable, then ∀u φ is a formula.

3. If φ is a formula and X is a predicate variable, then ∀ X φ is a formula.

4. If φ is a formula and u is a function variable, then ∃u φ is a formula.

5. If φ is a formula and X is a predicate variable, then ∃ X φ is a formula.

38.3 Satisfaction
To define the satisfaction relation M, s ⊨ φ for second-order formulas, we
have to extend the definitions to cover second-order variables. The notion
of a structure is the same for second-order logic as it is for first-order logic.
There is only a difference for variable assignments s: these now must not just
provide values for the first-order variables, but also for the second-order vari-
ables.

Definition 38.3 (Variable Assignment). A variable assignment s for a structure M

is a function which maps each

1. object variable vi to an element of |M|, i.e., s(vi ) ∈ |M|

2. n-place relation variable Vi n to an n-place relation on |M|, i.e., s(Vi n ) ⊆

|M| n ;

3. n-place function variable uin to an n-place function from |M| to |M|, i.e.,
s(uin ) : |M|n → |M|;

A structure assigns a value to each constant symbol and function symbol,

and a second-order variable assignment assigns objects and functions to each
object and function variable. Together, they let us assign a value to every
term.

Definition 38.4 (Value of a Term). If t is a term of the language L, M is a struc-

ture for L, and s is a variable assignment for M, the value ValM s ( t ) is defined
as for first-order terms, plus the following clause:

Release : d3a1905 (2022-12-19) 593

 CHAPTER 38. SYNTAX AND SEMANTICS

t ≡ u ( t1 , . . . , t n ):

ValM M M
s ( t ) = s ( u )(Vals ( t1 ), . . . , Vals ( tn )).

Definition 38.5 (x-Variant). If s is a variable assignment for a structure M,

then any variable assignment s′ for M which differs from s at most in what it
assigns to x is called an x-variant of s. If s′ is an x-variant of s we write s′ ∼ x s.
(Similarly for second-order variables X or u.)

Definition 38.6. If s is a variable assignment for a structure M and m ∈ |M|,

then the assignment s[m/x ] is the variable assignment defined by
(
m if y ≡ x
s[m/y] =
s(y) otherwise,

If X is an n-place relation variable and M ⊆ |M|n , then s[ M/X ] is the variable

assignment defined by
(
M if y ≡ X
s[ M/y] =
s(y) otherwise.

If u is an n-place function variable and f : |M|n → |M|, then s[ f /u] is the

variable assignment defined by
(
f if y ≡ u
s[ f /y] =
s(y) otherwise.

In each case, y may be any first- or second-order variable.

Definition 38.7 (Satisfaction). For second-order formulas φ, the definition of

satisfaction is like Definition 16.11 with the addition of:

1. φ ≡ X n (t1 , . . . , tn ): M, s ⊨ φ iff ⟨ValM M n

s ( t1 ), . . . , Vals ( tn )⟩ ∈ s ( X ).

2. φ ≡ ∀ X ψ: M, s ⊨ φ iff for every M ⊆ |M|n , M, s[ M/X ] ⊨ ψ.

3. φ ≡ ∃ X ψ: M, s ⊨ φ iff for at least one M ⊆ |M|n so that M, s[ M/X ] ⊨ ψ.

4. φ ≡ ∀u ψ: M, s ⊨ φ iff for every f : |M|n → |M|, M, s[ f /u] ⊨ ψ.

5. φ ≡ ∃u ψ: M, s ⊨ φ iff for at least one f : |M|n → |M| so that M, s[ f /u] ⊨

ψ.

Example 38.8. Consider the formula ∀z ( X (z) ↔ ¬Y (z)). It contains no second-

order quantifiers, but does contain the second-order variables X and Y (here
understood to be one-place). The corresponding first-order sentence ∀z ( P(z) ↔

594 Release : d3a1905 (2022-12-19)

38.4. SEMANTIC NOTIONS

¬ R(z)) says that whatever falls under the interpretation of P does not fall un-
der the interpretation of R and vice versa. In a structure, the interpretation of
a predicate symbol P is given by the interpretation PM . But for second-order
variables like X and Y, the interpretation is provided, not by the structure
itself, but by a variable assignment. Since the second-order formula is not
a sentence (it includes free variables X and Y), it is only satisfied relative to
a structure M together with a variable assignment s.
M, s ⊨ ∀z ( X (z) ↔ ¬Y (z)) whenever the elements of s( X ) are not elements
of s(Y ), and vice versa, i.e., iff s(Y ) = |M| \ s( X ). For instance, take |M| =
{1, 2, 3}. Since no predicate symbols, function symbols, or constant symbols
are involved, the domain of M is all that is relevant. Now for s1 ( X ) = {1, 2}
and s1 (Y ) = {3}, we have M, s1 ⊨ ∀z ( X (z) ↔ ¬Y (z)).
By contrast, if we have s2 ( X ) = {1, 2} and s2 (Y ) = {2, 3}, M, s2 ⊭ ∀z ( X (z) ↔
¬Y (z)). That’s because M, s2 [2/z] ⊨ X (z) (since 2 ∈ s2 [2/z]( X )) but M, s2 [2/z] ⊭
¬Y (z) (since also 2 ∈ s2 [2/z](Y )).

Example 38.9. M, s ⊨ ∃Y (∃y Y (y) ∧ ∀z ( X (z) ↔ ¬Y (z))) if there is an N ⊆

|M| such that M, s[ N/Y ] ⊨ (∃y Y (y) ∧ ∀z ( X (z) ↔ ¬Y (z))). And that is the
case for any N ̸= ∅ (so that M, s[ N/Y ] ⊨ ∃y Y (y)) and, as in the previous
example, M = |M| \ s( X ). In other words, M, s ⊨ ∃Y (∃y Y (y) ∧ ∀z ( X (z) ↔
¬Y (z))) iff |M| \ s( X ) is non-empty, i.e., s( X ) ̸= |M|. So, the formula is sat-
isfied, e.g., if |M| = {1, 2, 3} and s( X ) = {1, 2}, but not if s( X ) = {1, 2, 3} =
|M|.
Since the formula is not satisfied whenever s( X ) = |M|, the sentence
∀ X ∃Y (∃y Y (y) ∧ ∀z ( X (z) ↔ ¬Y (z)))
is never satisfied: For any structure M, the assignment s( X ) = |M| will make
the sentence false. On the other hand, the sentence
∃ X ∃Y (∃y Y (y) ∧ ∀z ( X (z) ↔ ¬Y (z)))
is satisfied relative to any assignment s, since we can always find M ⊆ |M|
but M ̸= |M| (e.g., M = ∅).

Example 38.10. The second-order sentence ∀ X ∀y X (y) says that every 1-place
relation, i.e., every property, holds of every object. That is clearly never true,
since in every M, for a variable assignment s with s( X ) = ∅, and s(y) = a ∈
|M| we have M, s ⊭ X (y). This means that φ → ∀ X ∀y X (y) is equivalent in
second-order logic to ¬ φ, that is: M ⊨ φ → ∀ X ∀y X (y) iff M ⊨ ¬ φ. In other
words, in second-order logic we can define ¬ using ∀ and →.

38.4 Semantic Notions

The central logical notions of validity, entailment, and satisfiability are defined
the same way for second-order logic as they are for first-order logic, except

Release : d3a1905 (2022-12-19) 595

 CHAPTER 38. SYNTAX AND SEMANTICS

that the underlying satisfaction relation is now that for second-order formu-
las. A second-order sentence, of course, is a formula in which all variables,
including predicate and function variables, are bound.
Definition 38.11 (Validity). A sentence φ is valid, ⊨ φ, iff M ⊨ φ for every
structure M.

Definition 38.12 (Entailment). A set of sentences Γ entails a sentence φ, Γ ⊨ φ,

iff for every structure M with M ⊨ Γ, M ⊨ φ.

Definition 38.13 (Satisfiability). A set of sentences Γ is satisfiable if M ⊨ Γ for

some structure M. If Γ is not satisfiable it is called unsatisfiable.

38.5 Expressive Power

Quantification over second-order variables is responsible for an immense in-
crease in the expressive power of the language over that of first-order logic.
Second-order existential quantification lets us say that functions or relations
with certain properties exists. In first-order logic, the only way to do that is
to specify a non-logical symbol (i.e., a function symbol or predicate symbol)
for this purpose. Second-order universal quantification lets us say that all
subsets of, relations on, or functions from the domain to the domain have a
property. In first-order logic, we can only say that the subsets, relations, or
functions assigned to one of the non-logical symbols of the language have a
property. And when we say that subsets, relations, functions exist that have
a property, or that all of them have it, we can use second-order quantification
in specifying this property as well. This lets us define relations not definable
in first-order logic, and express properties of the domain not expressible in
first-order logic.

Definition 38.14. If M is a structure for a language L, a relation R ⊆ |M|2 is

definable in L if there is some formula φ R ( x, y) with only the variables x and y
free, such that R( a, b) holds (i.e., ⟨ a, b⟩ ∈ R) iff M, s ⊨ φ R ( x, y) for s( x ) = a
and s(y) = b.

Example 38.15. In first-order logic we can define the identity relation Id|M|
(i.e., {⟨ a, a⟩ : a ∈ |M|}) by the formula x = y. In second-order logic, we can
define this relation without =. For if a and b are the same element of |M|, then
they are elements of the same subsets of |M| (since sets are determined by
their elements). Conversely, if a and b are different, then they are not elements
of the same subsets: e.g., a ∈ { a} but b ∈ / { a} if a ̸= b. So “being elements
of the same subsets of |M|” is a relation that holds of a and b iff a = b. It is
a relation that can be expressed in second-order logic, since we can quantify
over all subsets of |M|. Hence, the following formula defines Id|M| :
∀ X ( X ( x ) ↔ X (y))

596 Release : d3a1905 (2022-12-19)

38.6. DESCRIBING INFINITE AND ENUMERABLE DOMAINS

Example 38.16. If R is a two-place predicate symbol, RM is a two-place re-

lation on |M|. Perhaps somewhat confusingly, we’ll use R as the predicate
symbol for R and for the relation RM itself. The transitive closure R∗ of R is the
relation that holds between a and b iff for some c1 , . . . , ck , R( a, c1 ), R(c1 , c2 ),
. . . , R(ck , b) holds. This includes the case if k = 0, i.e., if R( a, b) holds, so does
R∗ ( a, b). This means that R ⊆ R∗ . In fact, R∗ is the smallest relation that in-
cludes R and that is transitive. We can say in second-order logic that X is a
transitive relation that includes R:

ψR ( X ) ≡ ∀ x ∀y ( R( x, y) → X ( x, y)) ∧
∀ x ∀y ∀z (( X ( x, y) ∧ X (y, z)) → X ( x, z)).

The first conjunct says that R ⊆ X and the second that X is transitive.
To say that X is the smallest such relation is to say that it is itself included in
every relation that includes R and is transitive. So we can define the transitive
closure of R by the formula

R∗ ( X ) ≡ ψR ( X ) ∧ ∀Y (ψR (Y ) → ∀ x ∀y ( X ( x, y) → Y ( x, y))).

We have M, s ⊨ R∗ ( X ) iff s( X ) = R∗ . The transitive closure of R cannot be

expressed in first-order logic.

38.6 Describing Infinite and Enumerable Domains

A set M is (Dedekind) infinite iff there is an injective function f : M → M
which is not surjective, i.e., with dom( f ) ̸= M. In first-order logic, we can
consider a one-place function symbol f and say that the function f M assigned
to it in a structure M is injective and ran( f ) ̸= |M|:

∀ x ∀ y ( f ( x ) = f ( y ) → x = y ) ∧ ∃ y ∀ x y ̸ = f ( x ).

If M satisfies this sentence, f M : |M| → |M| is injective, and so |M| must

be infinite. If |M| is infinite, and hence such a function exists, we can let f M
be that function and M will satisfy the sentence. However, this requires that
our language contains the non-logical symbol f we use for this purpose. In
second-order logic, we can simply say that such a function exists. This no-
longer requires f , and we obtain the sentence in pure second-order logic

Inf ≡ ∃u (∀ x ∀y (u( x ) = u(y) → x = y) ∧ ∃y ∀ x y ̸= u( x )).

M ⊨ Inf iff |M| is infinite. We can then define Fin ≡ ¬Inf; M ⊨ Fin iff |M| is
finite. No single sentence of pure first-order logic can express that the domain
is infinite although an infinite set of them can. There is no set of sentences of
pure first-order logic that is satisfied in a structure iff its domain is finite.

Proposition 38.17. M ⊨ Inf iff |M| is infinite.

Release : d3a1905 (2022-12-19) 597

 CHAPTER 38. SYNTAX AND SEMANTICS

Proof. M ⊨ Inf iff M, s ⊨ ∀ x ∀y (u( x ) = u(y) → x = y) ∧ ∃y ∀ x y ̸= u( x ) for

some s. If it does, s(u) is an injective function, and some y ∈ |M| is not in
the domain of s(u). Conversely, if there is an injective f : |M| → |M| with
dom( f ) ̸= |M|, then s(u) = f is such a variable assignment.

A set M is enumerable if there is an enumeration

m0 , m1 , m2 , . . .

of its elements (without repetitions but possibly finite). Such an enumeration

exists iff there is an element z ∈ M and a function f : M → M such that z,
f (z), f ( f (z)), . . . , are all the elements of M. For if the enumeration exists,
z = m0 and f (mk ) = mk+1 (or f (mk ) = mk if mk is the last element of the
enumeration) are the requisite element and function. On the other hand, if
such a z and f exist, then z, f (z), f ( f (z)), . . . , is an enumeration of M, and M
is enumerable. We can express the existence of z and f in second-order logic
to produce a sentence true in a structure iff the structure is enumerable:

Count ≡ ∃z ∃u ∀ X (( X (z) ∧ ∀ x ( X ( x ) → X (u( x )))) → ∀ x X ( x ))

Proposition 38.18. M ⊨ Count iff |M| is enumerable.

Proof. Suppose |M| is enumerable, and let m0 , m1 , . . . , be an enumeration.

By removing repetitions we can guarantee that no mk appears twice. Define
f (mk ) = mk+1 and let s(z) = m0 and s(u) = f . We show that

M, s ⊨ ∀ X (( X (z) ∧ ∀ x ( X ( x ) → X (u( x )))) → ∀ x X ( x ))

Suppose M ⊆ |M| is arbitrary. Suppose further that M, s[ M/X ] ⊨ ( X (z) ∧

∀ x ( X ( x ) → X (u( x )))). Then s[ M/X ](z) ∈ M and whenever x ∈ M, also
(s[ M/X ](u))( x ) ∈ M. In other words, since s[ M/X ] ∼ X s, m0 ∈ M and if
x ∈ M then f ( x ) ∈ M, so m0 ∈ M, m1 = f (m0 ) ∈ M, m2 = f ( f (m0 )) ∈ M,
etc. Thus, M = |M|, and so M, s[ M/X ] ⊨ ∀ x X ( x ). Since M ⊆ |M| was
arbitrary, we are done: M ⊨ Count.
Now assume that M ⊨ Count, i.e.,

M, s ⊨ ∀ X (( X (z) ∧ ∀ x ( X ( x ) → X (u( x )))) → ∀ x X ( x ))

for some s. Let m = s(z) and f = s(u) and consider M = {m, f (m), f ( f (m)), . . . }.
M so defined is clearly enumerable. Then

M, s[ M/X ] ⊨ ( X (z) ∧ ∀ x ( X ( x ) → X (u( x )))) → ∀ x X ( x )

by assumption. Also, M, s[ M/X ] ⊨ X (z) since M ∋ m = s[ M/X ](z), and also

M, s[ M/X ] ⊨ ∀ x ( X ( x ) → X (u( x ))) since whenever x ∈ M also f ( x ) ∈ M.
So, since both antecedent and conditional are satisfied, the consequent must
also be: M, s[ M/X ] ⊨ ∀ x X ( x ). But that means that M = |M|, and so |M| is
enumerable since M is, by definition.

598 Release : d3a1905 (2022-12-19)

38.6. DESCRIBING INFINITE AND ENUMERABLE DOMAINS

Problems
Problem 38.1. Show that in second-order logic ∀ and → can define the other
connectives:

1. Prove that in second-order logic φ ∧ ψ is equivalent to ∀ X ( φ → (ψ →

∀ x X ( x )) → ∀ x X ( x )).
2. Find a second-order formula using only ∀ and → equivalent to φ ∨ ψ.

Problem 38.2. Show that ∀ X ( X ( x ) → X (y)) (note: → not ↔!) defines Id|M| .

Problem 38.3. The sentence Inf ∧ Count is true in all and only denumerable
domains. Adjust the definition of Count so that it becomes a different sentence
that directly expresses that the domain is denumerable, and prove that it does.

Release : d3a1905 (2022-12-19) 599

Chapter 39

Metatheory of Second-order Logic

39.1 Introduction

First-order logic has a number of nice properties. We know it is not decidable,

but at least it is axiomatizable. That is, there are proof systems for first-order
logic which are sound and complete, i.e., they give rise to a derivability re-
lation ⊢ with the property that for any set of sentences Γ and sentence Q,
Γ ⊨ φ iff Γ ⊢ φ. This means in particular that the validities of first-order logic
are computably enumerable. There is a computable function f : N → Sent(L)
such that the values of f are all and only the valid sentences of L. This is so be-
cause derivations can be enumerated, and those that derive a single sentence
are then mapped to that sentence. Second-order logic is more expressive than
first-order logic, and so it is in general more complicated to capture its validi-
ties. In fact, we’ll show that second-order logic is not only undecidable, but
its validities are not even computably enumerable. This means there can be
no sound and complete proof system for second-order logic (although sound,
but incomplete proof systems are available and in fact are important objects
of research).

First-order logic also has two more properties: it is compact (if every fi-
nite subset of a set Γ of sentences is satisfiable, Γ itself is satisfiable) and the
Löwenheim-Skolem Theorem holds for it (if Γ has an infinite model it has a de-
numerable model). Both of these results fail for second-order logic. Again, the
reason is that second-order logic can express facts about the size of domains
that first-order logic cannot.

600
39.2. SECOND-ORDER ARITHMETIC

39.2 Second-order Arithmetic

Recall that the theory PA of Peano arithmetic includes the eight axioms of Q,

∀ x x′ ̸= 0
∀ x ∀y ( x ′ = y′ → x = y)
∀ x ( x = 0 ∨ ∃y x = y′ )
∀ x ( x + 0) = x
∀ x ∀y ( x + y′ ) = ( x + y)′
∀ x ( x × 0) = 0
∀ x ∀y ( x × y′ ) = (( x × y) + x )
∀ x ∀y ( x < y ↔ ∃z (z′ + x ) = y)

plus all sentences of the form

( φ(0) ∧ ∀ x ( φ( x ) → φ( x ′ ))) → ∀ x φ( x ).

The latter is a “schema,” i.e., a pattern that generates infinitely many sen-
tences of the language of arithmetic, one for each formula φ( x ). We call this
schema the (first-order) axiom schema of induction. In second-order Peano arith-
metic PA2 , induction can be stated as a single sentence. PA2 consists of the
first eight axioms above plus the (second-order) induction axiom:

∀ X ( X (0) ∧ ∀ x ( X ( x ) → X ( x ′ ))) → ∀ x X ( x ).

It says that if a subset X of the domain contains 0M and with any x ∈ |M| also
contains ′M ( x ) (i.e., it is “closed under successor”) it contains everything in
the domain (i.e., X = |M|).
The induction axiom guarantees that any structure satisfying it contains
only those elements of |M| the axioms require to be there, i.e., the values of n
for n ∈ N. A model of PA2 contains no non-standard numbers.

Theorem 39.1. If M ⊨ PA2 then |M| = {ValM (n) : n ∈ N}.

Proof. Let N = {ValM (n) : n ∈ N}, and suppose M ⊨ PA2 . Of course, for any
n ∈ N, ValM (n) ∈ |M|, so N ⊆ |M|.
Now for inclusion in the other direction. Consider a variable assignment s
with s( X ) = N. By assumption,

M ⊨ ∀ X ( X (0) ∧ ∀ x ( X ( x ) → X ( x ′ ))) → ∀ x X ( x ), thus

M, s ⊨ ( X (0) ∧ ∀ x ( X ( x ) → X ( x ′ ))) → ∀ x X ( x ).

Consider the antecedent of this conditional. ValM (0) ∈ N, and so M, s ⊨

X (0). The second conjunct, ∀ x ( X ( x ) → X ( x ′ )) is also satisfied. For suppose

Release : d3a1905 (2022-12-19) 601

 CHAPTER 39. METATHEORY OF SECOND-ORDER LOGIC

x ∈ N. By definition of N, x = ValM (n) for some n. That gives ′M ( x ) =

ValM (n + 1) ∈ N. So, ′M ( x ) ∈ N.
We have that M, s ⊨ X (0) ∧ ∀ x ( X ( x ) → X ( x ′ )). Consequently, M, s ⊨
∀ x X ( x ). But that means that for every x ∈ |M| we have x ∈ s( X ) = N. So,
|M| ⊆ N.

Corollary 39.2. Any two models of PA2 are isomorphic.

Proof. By Theorem 39.1, the domain of any model of PA2 is exhausted by

ValM (n). Any such model is also a model of Q. By Proposition 26.3, any
such model is standard, i.e., isomorphic to N.

Above we defined PA2 as the theory that contains the first eight arith-
metical axioms plus the second-order induction axiom. In fact, thanks to the
expressive power of second-order logic, only the first two of the arithmetical
axioms plus induction are needed for second-order Peano arithmetic.

Proposition 39.3. Let PA2† be the second-order theory containing the first two arith-
metical axioms (the successor axioms) and the second-order induction axiom. Then
≤, +, and × are definable in PA2† .

Proof. To show that ≤ is definable, we have to find a formula φ≤ ( x, y) such

that N ⊨ φ≤ (n, m) iff n ≤ m. Consider the formula

ψ( x, Y ) ≡ Y ( x ) ∧ ∀y (Y (y) → Y (y′ ))

Clearly, ψ(n, Y ) is satisfied by a set Y ⊆ N iff {m : n ≤ m} ⊆ Y, so we can

take φ≤ ( x, y) ≡ ∀Y (ψ( x, Y ) → Y (y)).
To see that addition is definable observe that k + l = m iff there is a func-
tion u such that u(0) = k, u(n′ ) = u(n)′ for all n, and m = u(l ). We can use
this equivalence to define addition in PA2† by the following formula:

φ+ ( x, y, z) ≡ ∃u (u(0) = x ∧ ∀w u( x ′ ) = u( x )′ ∧ u(y) = z)

It should be clear that N ⊨ φ+ (k, l, m) iff k + l = m.

39.3 Second-order Logic is not Axiomatizable

Theorem 39.4. Second-order logic is undecidable.

Proof. A first-order sentence is valid in first-order logic iff it is valid in second-

order logic, and first-order logic is undecidable.

Theorem 39.5. There is no sound and complete derivation system for second-order
logic.

602 Release : d3a1905 (2022-12-19)

39.4. SECOND-ORDER LOGIC IS NOT COMPACT

Proof. Let φ be a sentence in the language of arithmetic. N ⊨ φ iff PA2 ⊨ φ.

Let P be the conjunction of the nine axioms of PA2 . PA2 ⊨ φ iff ⊨ P → φ, i.e.,
M ⊨ P → φ . Now consider the sentence ∀z ∀u ∀u′ ∀u′′ ∀ L ( P′ → φ′ ) resulting
by replacing 0 by z, ′ by the one-place function variable u, + and × by the
two-place function-variables u′ and u′′ , respectively, and < by the two-place
relation variable L and universally quantifying. It is a valid sentence of pure
second-order logic iff the original sentence was valid iff PA2 ⊨ φ iff N ⊨ φ.
Thus if there were a sound and complete proof system for second-order logic,
we could use it to define a computable enumeration f : N → Sent(L A ) of the
sentences true in N. This function would be representable in Q by some first-
order formula ψ f ( x, y). Then the formula ∃ x ψ f ( x, y) would define the set of
true first-order sentences of N, contradicting Tarski’s Theorem.

39.4 Second-order Logic is not Compact

Call a set of sentences Γ finitely satisfiable if every one of its finite subsets is
satisfiable. First-order logic has the property that if a set of sentences Γ is
finitely satisfiable, it is satisfiable. This property is called compactness. It has
an equivalent version involving entailment: if Γ ⊨ φ, then already Γ0 ⊨ φ for
some finite subset Γ0 ⊆ Γ. In this version it is an immediate corollary of the
completeness theorem: for if Γ ⊨ φ, by completeness Γ ⊢ φ. But a derivation
can only make use of finitely many sentences of Γ.
Compactness is not true for second-order logic. There are sets of second-
order sentences that are finitely satisfiable but not satisfiable, and that entail
some φ without a finite subset entailing φ.

Theorem 39.6. Second-order logic is not compact.

Proof. Recall that

Inf ≡ ∃u (∀ x ∀y (u( x ) = u(y) → x = y) ∧ ∃y ∀ x y ̸= u( x ))

is satisfied in a structure iff its domain is infinite. Let φ≥n be a sentence that
asserts that the domain has at least n elements, e.g.,

φ ≥ n ≡ ∃ x 1 . . . ∃ x n ( x 1 ̸ = x 2 ∧ x 1 ̸ = x 3 ∧ · · · ∧ x n −1 ̸ = x n ).

Consider the set of sentences

Γ = {¬Inf, φ≥1 , φ≥2 , φ≥3 , . . . }.

It is finitely satisfiable, since for any finite subset Γ0 ⊆ Γ there is some k so that
φ≥k ∈ Γ but no φ≥n ∈ Γ for n > k. If |M| has k elements, M ⊨ Γ0 . But, Γ is not
satisfiable: if M ⊨ ¬Inf, |M| must be finite, say, of size k. Then M ⊭ φ≥k+1 .

Release : d3a1905 (2022-12-19) 603

 CHAPTER 39. METATHEORY OF SECOND-ORDER LOGIC

39.5 The Löwenheim-Skolem Theorem Fails for

Second-order Logic
The (Downward) Löwenheim-Skolem Theorem states that every set of sen-
tences with an infinite model has an enumerable model. It, too, is a conse-
quence of the completeneness theorem: the proof of completeness generates
a model for any consistent set of sentences, and that model is enumerable.
There is also an Upward Löwenheim-Skolem Theorem, which guarantees that
if a set of sentences has a denumerable model it also has a non-enumerable
model. Both theorems fail in second-order logic.

Theorem 39.7. The Löwenheim-Skolem Theorem fails for second-order logic: There
are sentences with infinite models but no enumerable models.

Proof. Recall that

Count ≡ ∃z ∃u ∀ X (( X (z) ∧ ∀ x ( X ( x ) → X (u( x )))) → ∀ x X ( x ))

is true in a structure M iff |M| is enumerable, so ¬Count is true in M iff |M| is

non-enumerable. There are such structures—take any non-enumerable set as
the domain, e.g., ℘(N) or R. So ¬Count has infinite models but no enumer-
able models.

Theorem 39.8. There are sentences with denumerable but no non-enumerable mod-
els.

Proof. Count ∧ Inf is true in N but not in any structure M with |M| non-
enumerable.

Problems
Problem 39.1. Complete the proof of Proposition 39.3.

Problem 39.2. Give an example of a set Γ and a sentence φ so that Γ ⊨ φ but

for every finite subset Γ0 ⊆ Γ, Γ0 ⊭ φ.

604 Release : d3a1905 (2022-12-19)

Chapter 40

Second-order Logic and Set Theory

This section deals with coding powersets and the continuum in

second-order logic. The results are stated but proofs have yet to be filled
in. There are no problems yet—and the definitions and results themselves
may have problems. Use with caution and report anything that’s false or
unclear.

40.1 Introduction
Since second-order logic can quantify over subsets of the domain as well as
functions, it is to be expected that some amount, at least, of set theory can be
carried out in second-order logic. By “carry out,” we mean that it is possible
to express set theoretic properties and statements in second-order logic, and is
possible without any special, non-logical vocabulary for sets (e.g., the mem-
bership predicate symbol of set theory). For instance, we can define unions
and intersections of sets and the subset relationship, but also compare the
sizes of sets, and state results such as Cantor’s Theorem.

40.2 Comparing Sets

Proposition 40.1. The formula ∀ x ( X ( x ) → Y ( x )) defines the subset relation, i.e.,
M, s ⊨ ∀ x ( X ( x ) → Y ( x )) iff s( X ) ⊆ s(Y ).

Proposition 40.2. The formula ∀ x ( X ( x ) ↔ Y ( x )) defines the identity relation on

sets, i.e., M, s ⊨ ∀ x ( X ( x ) ↔ Y ( x )) iff s( X ) = s(Y ).

Proposition 40.3. The formula ∃ x X ( x ) defines the property of being non-empty,

i.e., M, s ⊨ ∃ x X ( x ) iff s( X ) ̸= ∅.

605
 CHAPTER 40. SECOND-ORDER LOGIC AND SET THEORY

A set X is no larger than a set Y, X ⪯ Y, iff there is an injective function

f : X → Y. Since we can express that a function is injective, and also that its
values for arguments in X are in Y, we can also define the relation of being no
larger than on subsets of the domain.

Proposition 40.4. The formula

∃u (∀ x ( X ( x ) → Y (u( x ))) ∧ ∀ x ∀y (u( x ) = u(y) → x = y))

defines the relation of being no larger than.

Two sets are the same size, or “equinumerous,” X ≈ Y, iff there is a bijec-
tive function f : X → Y.

Proposition 40.5. The formula

∃u (∀ x ( X ( x ) → Y (u( x ))) ∧
∀ x ∀y (u( x ) = u(y) → x = y) ∧
∀y (Y (y) → ∃ x ( X ( x ) ∧ y = u( x ))))

defines the relation of being equinumerous with.

We will abbreviate these formulas, respectively, as X ⊆ Y, X = Y, X ̸=

∅, X ⪯ Y, and X ≈ Y. (This may be slightly confusing, since we use the
same notation when we speak informally about sets X and Y—but here the
notation is an abbreviation for formulas in second-order logic involving one-
place relation variables X and Y.)

Proposition 40.6. The sentence ∀ X ∀Y (( X ⪯ Y ∧ Y ⪯ X ) → X ≈ Y ) is valid.

Proof. The sentence is satisfied in a structure M if, for any subsets X ⊆ |M|
and Y ⊆ |M|, if X ⪯ Y and Y ⪯ X then X ≈ Y. But this holds for any sets X
and Y—it is the Schröder-Bernstein Theorem.

40.3 Cardinalities of Sets

Just as we can express that the domain is finite or infinite, enumerable or non-
enumerable, we can define the property of a subset of |M| being finite or infi-
nite, enumerable or non-enumerable.

Proposition 40.7. The formula Inf( X ) ≡

∃u (∀ x ∀y (u( x ) = u(y) → x = y) ∧
∃y ( X (y) ∧ ∀ x ( X ( x ) → y ̸= u( x )))

is satisfied with respect to a variable assignment s iff s( X ) is infinite.

606 Release : d3a1905 (2022-12-19)

40.4. THE POWER OF THE CONTINUUM

Proposition 40.8. The formula Count( X ) ≡

∃z ∃u ( X (z) ∧ ∀ x ( X ( x ) → X (u( x ))) ∧

∀Y ((Y (z) ∧ ∀ x (Y ( x ) → Y (u( x )))) → X = Y ))

is satisfied with respect to a variable assignment s iff s( X ) is enumerable.

We know from Cantor’s Theorem that there are non-enumerable sets, and
in fact, that there are infinitely many different levels of infinite sizes. Set the-
ory develops an entire arithmetic of sizes of sets, and assigns infinite cardinal
numbers to sets. The natural numbers serve as the cardinal numbers measur-
ing the sizes of finite sets. The cardinality of denumerable sets is the first infi-
nite cardinality, called ℵ0 (“aleph-nought” or “aleph-zero”). The next infinite
size is ℵ1 . It is the smallest size a set can be without being countable (i.e., of
size ℵ0 ). We can define “X has size ℵ0 ” as Aleph0 ( X ) ↔ Inf( X ) ∧ Count( X ).
X has size ℵ1 iff all its subsets are finite or have size ℵ0 , but is not itself of
size ℵ0 . Hence we can express this by the formula Aleph1 ( X ) ≡ ∀Y (Y ⊆
X → (¬Inf(Y ) ∨ Aleph0 (Y ))) ∧ ¬Aleph0 ( X ). Being of size ℵ2 is defined simi-
larly, etc.
There is one size of special interest, the so-called cardinality of the contin-
uum. It is the size of ℘(N), or, equivalently, the size of R. That a set is the size
of the continuum can also be expressed in second-order logic, but requires a
bit more work.

40.4 The Power of the Continuum

In second-order logic we can quantify over subsets of the domain, but not over
sets of subsets of the domain. To do this directly, we would need third-order
logic. For instance, if we wanted to state Cantor’s Theorem that there is no
injective function from the power set of a set to the set itself, we might try to
formulate it as “for every set X, and every set P, if P is the power set of X, then
not P ⪯ X”. And to say that P is the power set of X would require formalizing
that the elements of P are all and only the subsets of X, so something like
∀Y ( P(Y ) ↔ Y ⊆ X ). The problem lies in P(Y ): that is not a formula of second-
order logic, since only terms can be arguments to one-place relation variables
like P.
We can, however, simulate quantification over sets of sets, if the domain is
large enough. The idea is to make use of the fact that two-place relations R re-
lates elements of the domain to elements of the domain. Given such an R, we
can collect all the elements to which some x is R-related: {y ∈ |M| : R( x, y)}
is the set “coded by” x. Conversely, if Z ⊆ ℘(|M|) is some collection of sub-
sets of |M|, and there are at least as many elements of |M| as there are sets
in Z, then there is also a relation R ⊆ |M|2 such that every Y ∈ Z is coded by
some x using R.

Release : d3a1905 (2022-12-19) 607

 CHAPTER 40. SECOND-ORDER LOGIC AND SET THEORY

Definition 40.9. If R ⊆ |M|2 , then x R-codes {y ∈ |M| : R( x, y)}.

If an element x ∈ |M| R-codes a set Z ⊆ |M|, then a set Y ⊆ |M| codes a

set of sets, namely the sets coded by the elements of Y. So a set Y can R-code
℘( X ). It does so iff for every Z ⊆ X, some x ∈ Y R-codes Z, and every x ∈ Y
R-codes a Z ⊆ X.
Proposition 40.10. The formula
Codes( x, R, Z ) ≡ ∀y ( Z (y) ↔ R( x, y))
expresses that s( x ) s( R)-codes s( Z ). The formula

Pow(Y, R, X ) ≡
∀ Z ( Z ⊆ X → ∃ x (Y ( x ) ∧ Codes( x, R, Z ))) ∧
∀ x (Y ( x ) → ∀ Z (Codes( x, R, Z ) → Z ⊆ X )
expresses that s(Y ) s( R)-codes the power set of s( X ), i.e., the elements of s(Y ) s( R)-
code exactly the subsets of s( X ).

With this trick, we can express statements about the power set by quantify-
ing over the codes of subsets rather than the subsets themselves. For instance,
Cantor’s Theorem can now be expressed by saying that there is no injective
function from the domain of any relation that codes the power set of X to X
itself.
Proposition 40.11. The sentence

∀ X ∀Y ∀ R (Pow(Y, R, X )→
¬∃u (∀ x ∀y (u( x ) = u(y) → x = y) ∧
∀ x (Y ( x ) → X (u( x )))))
is valid.

The power set of a denumerable set is non-enumerable, and so its cardinal-

ity is larger than that of any denumerable set (which is ℵ0 ). The size of ℘(N)
is called the “power of the continuum,” since it is the same size as the points
on the real number line, R. If the domain is large enough to code the power
set of a denumerable set, we can express that a set is the size of the continuum
by saying that it is equinumerous with any set Y that codes the power set of
set X of size ℵ0 . (If the domain is not large enough, i.e., it contains no subset
equinumerous with R, then there can also be no relation that codes ℘( X ).)
Proposition 40.12. If R ⪯ |M|, then the formula

Cont(Y ) ≡ ∃ X ∃ R ((Aleph0 ( X ) ∧ Pow(Y, R, X ))∧

∀ x ∀y ((Y ( x ) ∧ Y (y) ∧ ∀z R( x, z) ↔ R(y, z)) → x = y))
expresses that s(Y ) ≈ R.

608 Release : d3a1905 (2022-12-19)

40.4. THE POWER OF THE CONTINUUM

Proof. Pow(Y, R, X ) expresses that s(Y ) s( R)-codes the power set of s( X ), which
Aleph0 ( X ) says is countable. So s(Y ) is at least as large as the power of the
continuum, although it may be larger (if multiple elements of s(Y ) code the
same subset of X). This is ruled out be the last conjunct, which requires the
association between elements of s(Y ) and subsets of s( Z ) via s( R) to be injec-
tive.

Proposition 40.13. |M| ≈ R iff

M ⊨ ∃ X ∃Y ∃ R (Aleph0 ( X ) ∧ Pow(Y, R, X )∧
∃u (∀ x ∀y (u( x ) = u(y) → x = y) ∧
∀y (Y (y) → ∃ x y = u( x )))).

The Continuum Hypothesis is the statement that the size of the continuum
is the first non-enumerable cardinality, i.e, that ℘(N) has size ℵ1 .

Proposition 40.14. The Continuum Hypothesis is true iff

CH ≡ ∀ X (Aleph1 ( X ) ↔ Cont( X ))

is valid.

Note that it isn’t true that ¬CH is valid iff the Continuum Hypothesis is
false. In an enumerable domain, there are no subsets of size ℵ1 and also no
subsets of the size of the continuum, so CH is always true in an enumerable
domain. However, we can give a different sentence that is valid iff the Con-
tinuum Hypothesis is false:

Proposition 40.15. The Continuum Hypothesis is false iff

NCH ≡ ∀ X (Cont( X ) → ∃Y (Y ⊆ X ∧ ¬Count(Y ) ∧ ¬ X ≈ Y ))

is valid.

Release : d3a1905 (2022-12-19) 609

 Part IX

The Lambda Calculus

610
40.4. THE POWER OF THE CONTINUUM

This part deals with the lambda calculus. The introduction chapter
is based on Jeremy Avigad’s notes; part of it is now redundant and cov-
ered in later chapters. The chapters on syntax, Church-Rosser property,
and lambda definability were produced by Zesen Qian during his Mitacs
summer internship. They still have to be reviewed and revised.

Release : d3a1905 (2022-12-19) 611

Chapter 41

Introduction

This chapter consists of Jeremy’s original concise notes on the lambda

calculus. The sections need to be combined, and the material on lambda
definability merged with the material in the separate, more detailed chap-
ter on lambda definability.

41.1 Overview
The lambda calculus was originally designed by Alonzo Church in the early
1930s as a basis for constructive logic, and not as a model of the computable
functions. But it was soon shown to be equivalent to other definitions of com-
putability, such as the Turing computable functions and the partial recursive
functions. The fact that this initially came as a small surprise makes the char-
acterization all the more interesting.
Lambda notation is a convenient way of referring to a function directly
by a symbolic expression which defines it, instead of defining a name for it.
Instead of saying “let f be the function defined by f ( x ) = x + 3,” one can
say, “let f be the function λx. ( x + 3).” In other words, λx. ( x + 3) is just a
name for the function that adds three to its argument. In this expression, x
is a dummy variable, or a placeholder: the same function can just as well
be denoted by λy. (y + 3). The notation works even with other parameters
around. For example, suppose g( x, y) is a function of two variables, and k is a
natural number. Then λx. g( x, k) is the function which maps any x to g( x, k).
This way of defining a function from a symbolic expression is known as
lambda abstraction. The flip side of lambda abstraction is application: assuming
one has a function f (say, defined on the natural numbers), one can apply it to
any value, like 2. In conventional notation, of course, we write f (2) for the
result.

612
41.2. THE SYNTAX OF THE LAMBDA CALCULUS

What happens when you combine lambda abstraction with application?

Then the resulting expression can be simplified, by “plugging” the applicand
in for the abstracted variable. For example,

(λx. ( x + 3))(2)

can be simplified to 2 + 3.
Up to this point, we have done nothing but introduce new notations for
conventional notions. The lambda calculus, however, represents a more radi-
cal departure from the set-theoretic viewpoint. In this framework:
1. Everything denotes a function.

2. Functions can be defined using lambda abstraction.

3. Anything can be applied to anything else.

For example, if F is a term in the lambda calculus, F ( F ) is always assumed
to be meaningful. This liberal framework is known as the untyped lambda
calculus, where “untyped” means “no restriction on what can be applied to
what.”
There is also a typed lambda calculus, which is an important variation on
the untyped version. Although in many ways the typed lambda calculus is
similar to the untyped one, it is much easier to reconcile with a classical set-
theoretic framework, and has some very different properties.
Research on the lambda calculus has proved to be central in theoretical
computer science, and in the design of programming languages. LISP, de-
signed by John McCarthy in the 1950s, is an early example of a language that
was influenced by these ideas.

41.2 The Syntax of the Lambda Calculus

One starts with a sequence of variables x, y, z, . . . and some constant symbols
a, b, c, . . . . The set of terms is defined inductively, as follows:
1. Each variable is a term.

2. Each constant is a term.

3. If M and N are terms, so is ( MN ).

4. If M is a term and x is a variable, then (λx. M ) is a term.

The system without any constants at all is called the pure lambda calculus.
We’ll mainly be working in the pure λ-calculus, so all lowerce letters will
stand for variables. We use uppercase letters (M, N, etc.) to stand for terms of
the λ-calculus.
We will follow a few notational conventions:

Release : d3a1905 (2022-12-19) 613

 CHAPTER 41. INTRODUCTION

Convention 1. 1. When parentheses are left out, application takes place from
left to right. For example, if M, N, P, and Q are terms, then MNPQ ab-
breviates ((( MN ) P) Q).

2. Again, when parentheses are left out, lambda abstraction is to be given

the widest scope possible. From example, λx. MNP is read (λx. (( MN ) P)).

3. A lambda can be used to abstract multiple variables. For example, λxyz. M

is short for λx. λy. λz. M.

For example,
λxy. xxyxλz. xz
abbreviates
λx. λy. (((( xx )y) x )(λz. ( xz))).
You should memorize these conventions. They will drive you crazy at first,
but you will get used to them, and after a while they will drive you less crazy
than having to deal with a morass of parentheses.
Two terms that differ only in the names of the bound variables are called α-
equivalent; for example, λx. x and λy. y. It will be convenient to think of these
as being the “same” term; in other words, when we say that M and N are the
same, we also mean “up to renamings of the bound variables.” Variables that
are in the scope of a λ are called “bound”, while others are called “free.” There
are no free variables in the previous example; but in

(λz. yz) x

y and x are free, and z is bound.

41.3 Reduction of Lambda Terms

What can one do with lambda terms? Simplify them. If M and N are any
lambda terms and x is any variable, we can use M[ N/x ] to denote the result
of substituting N for x in M, after renaming any bound variables of M that
would interfere with the free variables of N after the substitution. For exam-
ple,
(λw. xxw)[yyz/x ] = λw. (yyz)(yyz)w.
Alternative notations for substitution are [ N/x ] M, [ x/N ] M, and also M [ x/N ].
Beware!
Intuitively, (λx. M) N and M [ N/x ] have the same meaning; the act of re-
placing the first term by the second is called β-contraction. (λx. M ) N is called
a redex and M [ N/x ] its contractum. Generally, if it is possible to change a term
P to P′ by β-contraction of some subterm, we say that P β-reduces to P′ in one
step, and write P −→ P′ . If from P we can obtain P′ with some number of one-
step reductions (possibly none), then P β-reduces to P′ ; in symbols, P − →→ P′ . A

614 Release : d3a1905 (2022-12-19)

41.4. THE CHURCH-ROSSER PROPERTY

term that cannot be β-reduced any further is called β-irreducible, or β-normal.

We will say “reduces” instead of “β-reduces,” etc., when the context is clear.
Let us consider some examples.

1. We have

(λx. xxy)λz. z −
→ (λz. z)(λz. z)y
−
→ (λz. z)y
−
→ y.

2. “Simplifying” a term can make it more complex:

(λx. xxy)(λx. xxy) −

→ (λx. xxy)(λx. xxy)y
−
→ (λx. xxy)(λx. xxy)yy
−
→ ...

3. It can also leave a term unchanged:

(λx. xx )(λx. xx ) −
→ (λx. xx )(λx. xx ).

4. Also, some terms can be reduced in more than one way; for example,

(λx. (λy. yx )z)v −

→ (λy. yv)z

by contracting the outermost application; and

(λx. (λy. yx )z)v −

→ (λx. zx )v

by contracting the innermost one. Note, in this case, however, that both
terms further reduce to the same term, zv.

The final outcome in the last example is not a coincidence, but rather il-
lustrates a deep and important property of the lambda calculus, known as the
“Church-Rosser property.”

41.4 The Church-Rosser Property

Theorem 41.1. Let M, N1 , and N2 be terms, such that M −
→
→ N1 and M −
→
→ N2 .
Then there is a term P such that N1 −
→
→ P and N2 −
→
→ P.

Corollary 41.2. Suppose M can be reduced to normal form. Then this normal form
is unique.

Proof. If M −
→→ N1 and M − →→ N2 , by the previous theorem there is a term P
such that N1 and N2 both reduce to P. If N1 and N2 are both in normal form,
this can only happen if N1 ≡ P ≡ N2 .

Release : d3a1905 (2022-12-19) 615

 CHAPTER 41. INTRODUCTION

Finally, we will say that two terms M and N are β-equivalent, or just equiv-
alent, if they reduce to a common term; in other words, if there is some P such
β
that M −
→
→ P and N −
→
→ P. This is written M = N. Using Theorem 41.1, you
β
can check that = is an equivalence relation, with the additional property that
β
for every M and N, if M −
→
→ N or N −
→
→ M, then M = N. (In fact, one can
β
show that = is the smallest equivalence relation having this property.)

41.5 Currying
A λ-abstract λx. M represents a function of one argument, which is quite a
limitation when we want to define function accepting multiple arguments.
One way to do this would be by extending the λ-calculus to allow the for-
mation of pairs, triples, etc., in which case, say, a three-place function λx. M
would expect its argument to be a triple. However, it is more convenient to
do this by Currying.
Let’s consider an example. We’ll pretend for a moment that we have a
+ operation in the λ-calculus. The addition function is 2-place, i.e., it takes
two arguments. But a λ-abstract only gives us functions of one argument: the
syntax does not allow expressions like λ( x, y). ( x + y). However, we can con-
sider the one-place function f x (y) given by λy. ( x + y), which adds x to its
single argument y. Actually, this is not a single function, but a family of dif-
ferent functions “add x,” one for each number x. Now we can define another
one-place function g as λx. f x . Applied to argument x, g( x ) returns the func-
tion f x —so its values are other functions. Now if we apply g to x, and then
the result to y we get: ( g( x ))y = f x (y) = x + y. In this way, the one-place
function g can do the same job as the two-place addition function. “Curry-
ing” simply refers to this trick for turning two-place functions into one place
functions (whose values are one-place functions).
Here is an example properly in the syntax of the λ-calculus. How do we
represent the function f ( x, y) = x? If we want to define a function that accepts
two arguments and returns the first, we can write λx. λy. x, which literally is
a function that accepts an argument x and returns the function λy. x. The
function λy. x accepts another argument y, but drops it, and always returns x.
Let’s see what happens when we apply λx. λy. x to two arguments:

β
(λx. λy. x ) MN −
→(λy. M) N
β
−
→M

In general, to write a function with parameters x1 , . . . , xn defined by some

term N, we can write λx1 . λx2 . . . . λxn . N. If we apply n arguments to it we

616 Release : d3a1905 (2022-12-19)

41.6. λ-DEFINABLE ARITHMETICAL FUNCTIONS

get:

β
(λx1 . λx2 . . . . λxn . N ) M1 . . . Mn −
→
β
−
→ ((λx2 . . . . λxn . N )[ M1 /x1 ]) M2 . . . Mn
≡ (λx2 . . . . λxn . N [ M1 /x1 ]) M2 . . . Mn
..
.
β
−
→ P[ M1 /x1 ] . . . [ Mn /xn ]

The last line literally means substituting Mi for xi in the body of the function
definition, which is exactly what we want when applying multiple arguments
to a function.

41.6 λ-Definable Arithmetical Functions

How can the lambda calculus serve as a model of computation? At first, it is
not even clear how to make sense of this statement. To talk about computabil-
ity on the natural numbers, we need to find a suitable representation for such
numbers. Here is one that works surprisingly well.

Definition 41.3. For each natural number n, define the Church numeral n to be
the lambda term λx. λy. ( x ( x ( x (. . . x (y))))), where there are n x’s in all.

The terms n are “iterators”: on input f , n returns the function mapping y

to f n (y). Note that each numeral is normal. We can now say what it means
for a lambda term to “compute” a function on the natural numbers.

Definition 41.4. Let f ( x0 , . . . , xk−1 ) be an n-ary partial function from N to N.

We say a λ-term F λ-defines f iff for every sequence of natural numbers n0 ,
. . . , n k −1 ,
F n 0 n 1 . . . n k −1 −→→ f ( n 0 , n 1 , . . . , n k −1 )
if f (n0 , . . . , nk−1 ) is defined, and F, n0 n1 . . . nk−1 has no normal form other-
wise.

Theorem 41.5. A function f is a partial computable function if and only if it is λ-

defined by a lambda term.

This theorem is somewhat striking. As a model of computation, the lambda

calculus is a rather simple calculus; the only operations are lambda abstrac-
tion and application! From these meager resources, however, it is possible to
implement any computational procedure.

Release : d3a1905 (2022-12-19) 617

 CHAPTER 41. INTRODUCTION

41.7 λ-Definable Functions are Computable

Theorem 41.6. If a partial function f is λ-defined by a lambda term, it is com-
putable.

Proof. Suppose a function f is λ-defined by a lambda term X. Let us describe

an informal procedure to compute f . On input m0 , . . . , mn−1 , write down the
term Xm0 . . . mn−1 . Build a tree, first writing down all the one-step reductions
of the original term; below that, write all the one-step reductions of those
(i.e., the two-step reductions of the original term); and keep going. If you
ever reach a numeral, return that as the answer; otherwise, the function is
undefined.
An appeal to Church’s thesis tells us that this function is computable. A
better way to prove the theorem would be to give a recursive description of
this search procedure. For example, one could define a sequence primitive re-
cursive functions and relations, “IsASubterm,” “Substitute,” “ReducesToInOneStep,”
“ReductionSequence,” “Numeral,” etc. The partial recursive procedure for
computing f (m0 , . . . , mn−1 ) is then to search for a sequence of one-step reduc-
tions starting with Xm0 . . . mn−1 and ending with a numeral, and return the
number corresponding to that numeral. The details are long and tedious but
otherwise routine.

41.8 Computable Functions are λ-Definable

Theorem 41.7. Every computable partial function is λ-definable.

Proof. Wwe need to show that every partial computable function f is λ-defined
by a lambda term F. By Kleene’s normal form theorem, it suffices to show that
every primitive recursive function is λ-defined by a lambda term, and then
that the functions λ-definable are closed under suitable compositions and un-
bounded search. To show that every primitive recursive function is λ-defined
by a lambda term, it suffices to show that the initial functions are λ-definable,
and that the partial functions that are λ-definable are closed under composi-
tion, primitive recursion, and unbounded search.

We will use a more conventional notation to make the rest of the proof
more readable. For example, we will write M ( x, y, z) instead of Mxyz. While
this is suggestive, you should remember that terms in the untyped lambda
calculus do not have associated arities; so, for the same term M, it makes just
as much sense to write M ( x, y) and M ( x, y, z, w). But using this notation indi-
cates that we are treating M as a function of three variables, and helps make
the intentions behind the definitions clearer. In a similar way, we will say
“define M by M ( x, y, z) = . . . ” instead of “define M by M = λx. λy. λz. . . ..”

618 Release : d3a1905 (2022-12-19)

41.9. THE BASIC PRIMITIVE RECURSIVE FUNCTIONS ARE
λ-DEFINABLE
41.9 The Basic Primitive Recursive Functions are λ-Definable
Lemma 41.8. The functions zero, succ, and Pin are λ-definable.

Proof. zero is just λx. λy. y.

The successor function succ, is defined by Succ(u) = λx. λy. x (uxy). You
should think about why this works; for each numeral n, thought of as an iter-
ator, and each function f , Succ(n, f ) is a function that, on input y, applies f n
times starting with y, and then applies it once more.
There is nothing to say about projections: Projin ( x0 , . . . , xn−1 ) = xi . In
other words, by our conventions, Projin is the lambda term λx0 . . . . λxn−1 . xi .

41.10 The λ-Definable Functions are Closed under

Composition
Lemma 41.9. The λ-definable functions are closed under composition.

Proof. Suppose f is defined by composition from h, g0 , . . . , gk−1 . Assuming h,

g0 , . . . , gk−1 are λ-defined by H, G0 , . . . , Gk−1 , respectively, we need to find a
term F that λ-defines f . But we can simply define F by
F ( x0 , . . . , xl −1 ) = H ( G0 ( x0 , . . . , xl −1 ), . . . , Gk−1 ( x0 , . . . , xl −1 )).
In other words, the language of the lambda calculus is well suited to represent
composition.

41.11 λ-Definable Functions are Closed under Primitive

Recursion
When it comes to primitive recursion, we finally need to do some work. We
will have to proceed in stages. As before, on the assumption that we already
have terms G and H that λ-define functions g and h, respectively, we want a
term H that λ-defines the function f defined by
f (0, ⃗z) = g(⃗z)
f ( x + 1, ⃗z) = h(z, f ( x, ⃗z), ⃗z).
So, in general, given lambda terms G ′ and H ′ , it suffices to find a term F such
that
F (0, ⃗z) ≡ G (⃗z)
F (n + 1, ⃗z) ≡ H (n, F (n, ⃗z), ⃗z)
for every natural number n; the fact that G ′ and H ′ λ-define g and h means
that whenever we plug in numerals m ⃗ for ⃗z, F (n + 1, m
⃗ ) will normalize to the
right answer.

Release : d3a1905 (2022-12-19) 619

 CHAPTER 41. INTRODUCTION

But for this, it suffices to find a term F satisfying

F (0) ≡ G
F (n + 1) ≡ H (n, F (n))

for every natural number n, where

G = λ⃗z. G ′ (⃗z) and

H (u, v) = λ⃗z. H ′ (u, v(u, ⃗z), ⃗z).

In other words, with lambda trickery, we can avoid having to worry about the
extra parameters ⃗z—they just get absorbed in the lambda notation.
Before we define the term F, we need a mechanism for handling ordered
pairs. This is provided by the next lemma.

Lemma 41.10. There is a lambda term D such that for each pair of lambda terms M
and N, D ( M, N )(0) −
→
→ M and D ( M, N )(1) −
→
→ N.

Proof. First, define the lambda term K by

K (y) = λx. y.

In other words, K is the term λy. λx. y. Looking at it differently, for every M,
K ( M ) is a constant function that returns M on any input.
Now define D ( x, y, z) by D ( x, y, z) = z(K (y)) x. Then we have

D ( M, N, 0) −
→
→ 0(K ( N )) M −
→
→ M and
D ( M, N, 1) −
→
→ 1(K ( N )) M −
→
→ K( N ) M −
→
→ N,

as required.

The idea is that D ( M, N ) represents the pair ⟨ M, N ⟩, and if P is assumed

to represent such a pair, P(0) and P(1) represent the left and right projections,
( P)0 and ( P)1 . We will use the latter notations.
Lemma 41.11. The λ-definable functions are closed under primitive recursion.

Proof. We need to show that given any terms, G and H, we can find a term F
such that

F (0) ≡ G
F (n + 1) ≡ H (n, F (n))

for every natural number n. The idea is roughly to compute sequences of pairs

⟨0, F (0)⟩, ⟨1, F (1)⟩, . . . ,

620 Release : d3a1905 (2022-12-19)

41.11. λ-DEFINABLE FUNCTIONS ARE CLOSED UNDER PRIMITIVE
RECURSION
using numerals as iterators. Notice that the first pair is just ⟨0, G ⟩. Given a
pair ⟨n, F (n)⟩, the next pair, ⟨n + 1, F (n + 1)⟩ is supposed to be equivalent to
⟨n + 1, H (n, F (n))⟩. We will design a lambda term T that makes this one-step
transition.
The details are as follows. Define T (u) by
T (u) = ⟨S((u)0 ), H ((u)0 , (u)1 )⟩.
Now it is easy to verify that for any number n,
T (⟨n, M ⟩) −
→
→ ⟨n + 1, H (n, M)⟩.
As suggested above, given G and H, define F (u) by
F (u) = (u( T, ⟨0, G ⟩))1 .
In other words, on input n, F iterates T n times on ⟨0, G ⟩, and then returns the
second component. To start with, we have
1. 0( T, ⟨0, G ⟩) ≡ ⟨0, G ⟩
2. F (0) ≡ G
By induction on n, we can show that for each natural number one has the
following:
1. n + 1( T, ⟨0, G ⟩) ≡ ⟨n + 1, F (n + 1)⟩
2. F (n + 1) ≡ H (n, F (n))
For the second clause, we have
F ( n + 1) −
→
→ (n + 1( T, ⟨0, G ⟩))1
≡ ( T (n( T, ⟨0, G ⟩)))1
≡ ( T (⟨n, F (n)⟩))1
≡ (⟨n + 1, H (n, F (n))⟩)1
≡ H (n, F (n)).
Here we have used the induction hypothesis on the second-to-last line. For
the first clause, we have
n + 1( T, ⟨0, G ⟩) ≡ T (n( T, ⟨0, G ⟩))
≡ T (⟨n, F (n)⟩)
≡ ⟨n + 1, H (n, F (n))⟩
≡ ⟨n + 1, F (n + 1)⟩.
Here we have used the second clause in the last line. So we have shown
F (0) ≡ G and, for every n, F (n + 1) ≡ H (n, F (n)), which is exactly what
we needed.

Release : d3a1905 (2022-12-19) 621

 CHAPTER 41. INTRODUCTION

41.12 Fixed-Point Combinators

Suppose you have a lambda term g, and you want another term k with the
property that k is β-equivalent to gk. Define terms

diag( x ) = xx

and
l ( x ) = g(diag( x ))
using our notational conventions; in other words, l is the term λx. g( xx ). Let
k be the term ll. Then we have

k = (λx. g( xx ))(λx. g( xx ))
−
→
→ g((λx. g( xx ))(λx. g( xx )))
= gk.

If one takes
Y = λg. ((λx. g( xx ))(λx. g( xx )))
then Yg and g(Yg) reduce to a common term; so Yg ≡ β g(Yg). This is known
as “Curry’s combinator.” If instead one takes

Y = (λxg. g( xxg))(λxg. g( xxg))

then in fact Yg reduces to g(Yg), which is a stronger statement. This latter

version of Y is known as “Turing’s combinator.”

41.13 The λ-Definable Functions are Closed under

Minimization
Lemma 41.12. Suppose f ( x, y) is primitive recursive. Let g be defined by

g( x ) ≃ µy f ( x, y).

Then g is λ-definable.

Proof. The idea is roughly as follows. Given x, we will use the fixed-point
lambda term Y to define a function h x (n) which searches for a y starting at n;
then g( x ) is just h x (0). The function h x can be expressed as the solution of a
fixed-point equation:
(
n if f ( x, n) = 0
h x (n) ≃
h x (n + 1) otherwise.

Here are the details. Since f is primitive recursive, it is λ-defined by some

term F. Remember that we also have a lambda term D, such that D ( M, N, 0̄) − →
→

622 Release : d3a1905 (2022-12-19)

41.13. THE λ-DEFINABLE FUNCTIONS ARE CLOSED UNDER
MINIMIZATION
M and D ( M, N, 1̄) −
→
→ N. Fixing x for the moment, to λ-define h x we want to
find a term H (depending on x) satisfying

H (n) ≡ D (n, H (S(n)), F ( x, n)).

We can do this using the fixed-point term Y. First, let U be the term

λh. λz. D (z, (h(Sz)), F ( x, z)),

and then let H be the term YU. Notice that the only free variable in H is x. Let
us show that H satisfies the equation above.
By the definition of Y, we have

H = YU ≡ U (YU ) = U ( H ).

In particular, for each natural number n, we have

H (n) ≡ U ( H, n)
−
→
→ D (n, H (S(n)), F ( x, n)),

as required. Notice that if you substitute a numeral m for x in the last line, the
expression reduces to n if F (m, n) reduces to 0, and it reduces to H (S(n)) if
F (m, n) reduces to any other numeral.
To finish off the proof, let G be λx. H (0). Then G λ-defines g; in other
words, for every m, G (m) reduces to reduces to g(m), if g(m) is defined, and
has no normal form otherwise.

Release : d3a1905 (2022-12-19) 623

Chapter 42

Syntax

42.1 Terms
The terms of the lambda calculus are built up inductively from an infinite
supply of variables v0 , v1 , . . . , the symbol “λ”, and parentheses. We will use
x, y, z, . . . to designate variables, and M, N, P, . . . to desginate terms.

Definition 42.1 (Terms). The set of terms of the lambda calculus is defined
inductively by:

1. If x is a variable, then x is a term.

2. If x is a variable and M is a term, then (λx. M) is a term.

3. If both M and N are terms, then ( MN ) is a term.

If a term (λx. M) is formed according to (2) we say it is the result of an ab-

straction, and the x in λx is called a parameter. A term ( MN ) formed according
to (3) is the result of an application.
The terms defined above are fully parenthesized. This can get rather cum-
bersome, as the term (λx. ((λx. x )(λx. ( xx )))) demnostrates. We will intro-
duce conventions for avoiding parentheses. However, the official definition
makes it easy to determine how a term is constructed according to Defini-
tion 42.1. For example, the last step of forming the term (λx. ((λx. x )(λx. ( xx ))))
must be abstraction where the parameter is x. It results by abstraction from
the term ((λx. x )(λx. ( xx ))), which is an application of two terms. Each of
these two terms is the result of an abstraction, and so on.

42.2 Unique Readability

We may wonder if for each term there is a unique way of forming it, and there
is. For each lambda term there is only one way to construct and interpret it. In

624
42.2. UNIQUE READABILITY

the following discussion, a formation is the procedure of constructing a term

using the formation rules (one or several times) of Definition 42.1.

Lemma 42.2. A term starts with either a variable or a parenthesis.

Proof. Something counts as a term only if it is constructed according to Defi-

nition 42.1. If it is the result of (1), it must be a variable. If it is the result of (2)
or (3), it starts with a parenthesis.

Lemma 42.3. The result of an application starts with either two parentheses or a
parenthesis and a variable.

Proof. If M is the result of an application, it is of the form ( PQ), so it begins

with a parenthesis. Since P is a term, by Lemma 42.2, it begins either with a
parenthesis or a variable.

Lemma 42.4. No proper initial part of a term is itself a term.

Proposition 42.5 (Unique Readability). There is a unique formation for each term.
In other words, if a term M is formed by a formation, then it is the only formation
that can form this term.

Proof. We prove this by induction on the formation of terms.

1. M is of the form x, where x is some variable. Since the results of abstrac-

tions and applications always start with parentheses, they cannot have
been used to construct M; Thus, the formation of M must be a single
step of Definition 42.1(1).

2. M is of the form (λx. N ), where x is some variable and N is a term.

It could not have been constructed according to Definition 42.1(1), be-
cause it is not a single variable. It is not the result of an application, by
Lemma 42.3. Thus M can only be the result of an abstraction on N. By
inductive hypothesis we know that formation of N is itself unique.

3. M is of the form ( PQ), where P and Q are terms. Since it starts with
a parentheses, it cannot also be constructed by Definition 42.1(1). By
Lemma 42.2, P cannot begin with λ, so ( PQ) cannot be the result of an
abstraction. Now suppose there were another way of constructing M by
application, e.g., it is also of the form ( P′ Q′ ). Then P is a proper initial
segment of P′ (or vice versa), and this is impossible by Lemma 42.4. So P
and Q are uniquely determined, and by inductive hypothesis we know
that formations of P and Q is unique.

A more readable paraphrase of the above proposition is as follows:

Proposition 42.6. A term M can only be one of the following forms:

Release : d3a1905 (2022-12-19) 625

 CHAPTER 42. SYNTAX

1. x, where x is a variable uniquely determined by M.

2. (λx. N ), where x is a variable and N is another term, both of which is uniquely
determined by M.
3. ( PQ), where P and Q are two terms uniquely determined by M.

42.3 Abbreviated Syntax

Terms as defined in Definition 42.1 are sometimes cumbersome to write, so it
is useful to introduce a more concise syntax. We must of course be careful to
make sure that the terms in the concise notation also are uniquely readable.
One widely used version called abbreviated terms is as follows.

1. When parentheses are left out, application takes place from left to right.
For example, if M, N, P, and Q are terms, then MNPQ abbreviates
((( MN ) P) Q).
2. Again, when parentheses are left out, lambda abstraction is given the
widest scope possible. From example, λx. MNP is read as (λx. MNP).
3. A lambda can be used to abstract multiple variables. For example, λxyz. M
is short for λx. λy. λz. M.

For example,
λxy. xxyxλz. xz
abbreviates
(λx. (λy. (((( xx )y) x )(λz. ( xz))))).

42.4 Free Variables

Lambda calculus is about functions, and lambda abstraction is how functions
arise. Intuitively, λx. M is the function with values given by M when the
argument to the function is assigned to x. But not every occurrence of x in M
is relevant: if M contains another abstract λx. N then the occurrences of x
in N are relevant to λx. N but not to λx. M. So, a lambda abstract λx inside
λx. M binds those occurrences of x in M that are not already bound by another
lambda abstract—the free occurrences of x in M.
Definition 42.7 (Scope). If λx. M occurs inside a term N, then the correspond-
ing occurrence of N is the scope of the λx.

Definition 42.8 (Free and bound occurrence). An occurrence of variable x in

a term M is free if it is not in the scope of a λx, and bound otherwise. An
occurrence of a variable x in λx. M is bound by the initial λx iff the occurrence
of x in M is free.

626 Release : d3a1905 (2022-12-19)

42.4. FREE VARIABLES

Example 42.9. In λx. xy, both x and y are in the scope of λx, so x is bound by
λx. Since y is not in the scope of any λy, it is free. In λx. xx, both occurrences of
x are bound by λx, since both are free in xx. In ((λx. xx ) x ), the last occurrence
of x is free, since it is not in the scope of a λx. In λx. (λx. x ) x, the scope of
the first λx is (λx. x ) x and the scope of the second λx is the second-to-last
occurrence of x. In (λx. x ) x, the last occurrence of x is free, and the second-to-
last is bound. Thus, the second-to-last occurrence of x in λx. (λx. x ) x is bound
by the second λx, and the last occurrence by the first λx.

For a term P, we can check all variable occurrences in it and get a set of free
variables. This set is denoted by FV( P) with a natural definition as follows:

Definition 42.10 (Free variables of a term). The set of free variables of a term
is defined inductively by:

1. FV( x ) = { x }

2. FV(λx. N ) = FV( N ) \ { x }

3. FV( PQ) = FV( P) ∪ FV( Q)

A free variable is like a reference to the outside world (the environment),

and a term containing free variables can be seen as a partially specified term,
since its behaviour depends on how we set up the environment. For exam-
ple, in the term λx. f x, which accepts an argument x and returns f of that
argument, the variable f is free. This value of the term is dependent on the
environment it is in, in particular the value of f in that environment.
If we apply abstraction to this term, we get λ f . λx. f x. This term is no
longer dependent on the environment variable f , because it now designates
a function that accepts two arguments and returns the result of applying the
first to the second. Changing f in the environment won’t have any effect on
the behavior of this term, as the term will only use whatever is passed as an
argument, and not the value of f in the environment.

Definition 42.11 (Closed term, combinator). A term with no free variables is

called a closed term, or a combinator.

Lemma 42.12. 1. If y ̸= x, then y ∈ FV(λx. N ) iff y ∈ FV( N ).

2. y ∈ FV( PQ) iff y ∈ FV( P) or y ∈ FV( Q).

Proof. Exercise.

Release : d3a1905 (2022-12-19) 627

 CHAPTER 42. SYNTAX

42.5 Substitution
Free variables are references to environment variables, thus it makes sense to
actually use a specific value in the place of a free variable. For example, we
may want to replace f in λx. f x with a specific term, like the identity function
λy. y. This results in λx. (λy. y) x. The process of replacing free variables with
lambda terms is called substitution.

Definition 42.13 (Substitution). The substitution of a term N for a variable x

in a term M, M[ N/x ], is defined inductively by:

1. x [ N/x ] = N.

2. y[ N/x ] = y if x ̸= y.

3. PQ[ N/x ] = ( P[ N/x ])( Q[ N/x ]).

4. (λy. P)[ N/x ] = λy. P[ N/x ], if x ̸= y and y ∈

/ FV( N ), otherwise unde-
fined.

In Definition 42.13(4), we require x ̸= y because we don’t want to replace

bound occurrences of the variable x in M by N. For example, if we compute
the substitution λx. x [y/x ], the result should not be λx. y but simply λx. x.
When substituting N for x in λy. P, we also require that y ∈ / FV( N ). For
example, we cannot substitute y for x in λy. x, i.e., λy. x [y/x ], because it would
result in λy. y, a term that stands for the function that accepts an argument and
returns it directly. But the term λy. x stands for a function that always returns
the term x (or whatever x refers to). So the result we actually want is a function
that accepts an argument, drop it, and returns the environment variable y. To
do this properly, we would first have to “rename” the bound variable y.

Theorem 42.14. If x ∈
/ FV( M ), then FV( M [ N/x ]) = FV( M ), if the left-hand side
is defined.

Proof. By induction on the formation of M.

1. M is a variable: exercise.

2. M is of the form ( PQ): exercise.

3. M is of the form λy. P, and since λy. P[ N/x ] is defined, it has to be

λy. P[ N/x ]. Then P[ N/x ] has to be defined; also, x ̸= y and x ∈
/ FV( Q).

628 Release : d3a1905 (2022-12-19)

42.5. SUBSTITUTION

Then:

FV(λy. P[ N/x ]) =
= FV(λy. P[ N/x ]) by (4)
= FV( P[ N/x ]) \ {y} by Definition 42.10(2)
= FV( P) \ {y} by inductive hypothesis
= FV(λy. P) by Definition 42.10(2)

Theorem 42.15. If x ∈ FV( M )), then FV( M [ N/x ]) = (FV( M ) \ { x }) ∪ FV( N ),

provided the left hand is defined.

Proof. By induction on the formation of M.

1. M is a variable: exercise.

2. M is of the form PQ: Since ( PQ)[ N/y] is defined, it has to be ( P[ N/x ])( Q[ N/x ])
with both substitution defined. Also, since x ∈ FV( PQ), either x ∈
FV( P) or x ∈ FV( Q) or both. The rest is left as an exercise.

3. M is of the form λy. P. Since λy. P[ N/x ] is defined, it has to be λy. P[ N/x ],
with P[ N/x ] defined, x ̸= y and y ∈ / FV( N ); also, since y ∈ FV(λx. P),
we have y ∈ FV( P) too. Now:

FV((λy. P)[ N/x ]) =

= FV(λy. P[ N/x ])
= FV( P[ N/x ]) \ {y}
= ((FV( P) \ {y}) ∪ (FV( N ) \ { x }) by inductive hypothesis
= (FV( P) \ { x, y}) ∪ FV( N ) x∈/ FV( N )
= (FV(λy. P) \ { x }) ∪ FV( N )

Theorem 42.16. x ∈
/ FV( M [ N/x ]), if the right-hand side is defined and x ∈
/
FV( N ).

Proof. Exercise.

Theorem 42.17. If M[y/x ] is defined and y ∈

/ FV( M), then M [y/x ][ x/y] = M.

Proof. By induction on the formation of M.

1. M is a variable z: Exercise.

Release : d3a1905 (2022-12-19) 629

 CHAPTER 42. SYNTAX

2. M is of the form ( PQ). Then:

( PQ)[y/x ][ x/y] = (( P[y/x ])( Q[y/x ]))[ x/y]

= ( P[y/x ][ x/y])( Q[y/x ][ x/y])
= ( PQ) by inductive hypothesis

3. M is of the form λz. N. Because λz. N [y/x ] is defined, we know that

z ̸= y. So:

(λz. N )[y/x ][ x/y]

= (λz. N [y/x ])[ x/y]
= λz. N [y/x ][ x/y]
= λz. N by inductive hypothesis

42.6 α-Conversion
What is the relation between λx. x and λy. y? They both represent the identity
function. They are, of course, syntactically different terms. They differ only in
the name of the bound variable, and one is the result of “renaming” the bound
variable in the other. This is called α-conversion.
α
Definition 42.18 (Change of bound variable, − →). If a term M contains an oc-
currence of λx. N, y ∈
/ FV( N ), and N [y/x ] is defined, then replacing this oc-
currence by
λy. N [y/x ]

resulting in M′ is called a change of bound variable, written as M −

→ M′ .
α

Definition 42.19 (Compatibility of relation). A relation R on terms is said to

be compatible if it satisfies following conditions:

1. If RNN ′ then Rλx. Nλx. N ′

2. If RPP′ then R( PQ)( P′ Q)

3. If RQQ′ then R( PQ)( PQ′ )

Thus let’s rephrase the definition:

α α
Definition 42.20 (Change of bound variable, − →). Change of bound variable (−
→)
is the smallest compatible relation on terms satisfying following condition:
α
λx. N −
→ λy. N [y/x ] if x ̸= y, y ∈
/ FV( N )
and N [y/x ] is defined

630 Release : d3a1905 (2022-12-19)

42.6. α-CONVERSION

“Smallest” here means the relation contains only pairs that are required
by compatibility and the additional condition, and nothing else. Thus this
relation can also be defined as follows:
α α
Definition 42.21 (Change of bound variable, −
→). Change of bound variable (−
→)
is inductively defined as follows:

→ N ′ then λx. N −
→ λx. N ′
α α
1. If N −

→ P′ then ( PQ) −
→ ( P′ Q)
α α
2. If P −

→ Q′ then ( PQ) −
→ ( PQ′ )
α α
3. If Q −
α
4. If x ̸= y, y ∈
/ FV( N ) and N [y/x ] is defined, then λx. N −
→ λy. N [y/x ].

The definitions are equivalent, but we leave the proof as an exercise. From
now on we will use the inductive definition.
α α
Definition 42.22 (α-conversion, − →→). α-conversion (−
→
→) is the smallest reflexi-
α
tive and transitive relation on terms containing −
→.

As above, “smallest” means the relation only contains pairs required by

α
transitivity, and −
→, which leads to the following equivalent definition:
α α
Definition 42.23 (α-conversion, −
→
→). α-conversion (−
→
→) is inductively defined
as follows:
α α α
1. If P −
→
→ Q and Q −
→
→ R, then P −
→
→ R.
α α
2. If P −
→ Q, then P −
→
→ Q.
α
3. P −
→
→ P.

Example 42.24. λx. f x α-converts to λy. f y, and conversely. Informally speak-

ing, they are both functions that accept an argument and return f of that ar-
gument, refering to the environment variable f .
λx. f x does not α-convert to λx. gx. Informally speaking, they refer to the
environment variables f and g respectively, and this makes them different
functions: they behave differently in environments where f and g are differ-
ent.
α
Lemma 42.25. If P −
→ Q then FV( P) = FV( Q).
α
Proof. By induction on the derivation of P −
→ Q.
1. If the last rule is (4), then P is of the form λx. N and Q of the form
λy. N [y/x ], with x ̸= y, y ∈
/ FV( N ) and N [y/x ] defined. We distinguish
cases according to whether x ∈ FV( N ):

Release : d3a1905 (2022-12-19) 631

 CHAPTER 42. SYNTAX

a) If x ∈ FV ( N ), then:

FV(λy. N [y/x ]) = FV( N [y/x ]) \ {y}

= ((FV( N ) \ { x }) ∪ {y}) \ {y} by Theorem 42.15
= FV( N ) \ { x }
= FV(λx. N )

b) If x ∈
/ FV ( N ), then:

FV(λy. N [y/x ]) = FV N [y/x ] \ {y}

= FV( N ) \ { x } by Theorem 42.14
= FV(λx. N ).

2. The other three cases are left as exercises.

α α
Lemma 42.26. If P −
→ Q then Q −
→ P.
α
Proof. Induction on the derivation of P −
→ Q.

1. If the last rule is (4), then P is of the form λx. N and Q of the form
λy. N [y/x ], where x ̸= y, y ∈ / FV( N ) and N [y/x ] defined. First, we
have y ∈ / FV( N [y/x ]) by Theorem 42.16. By Theorem 42.17 we have
that N [y/x ][ x/y] is not only defined, but also equal to N. Then by (4),
α
we have λy. N [y/x ] − → λx. N [y/x ][ x/y] = λx. N.

Theorem 42.27. α-Conversion is an equivalence relation on terms, i.e., it is reflexive,

symmetric, and transitive.

Proof. 1. For each term M, M can be changed to M by zero changes of

bound variables.

2. If P is α-converts to Q by a series of changes of bound variables, then

from Q we can just inverse these changes (by Lemma 42.26) in opposite
order to obtain P.

3. If P α-converts to Q by a series of changes of bound variables, and Q to

R by another series, then we can change P to R by first applying the first
series and then the second series.
α
From now on we say that M and N are α-equivalent, M = N, iff M α-
converts to N (which, as we’ve just shown, is the case iff N α-converts to M).
α
Theorem 42.28. If M = N, then FV( M ) = FV( N ).

632 Release : d3a1905 (2022-12-19)

42.6. α-CONVERSION

Proof. Immediate from Lemma 42.25.

Lemma 42.29. If R = R′ and M[ R/y] is defined, then M [ R′ /y] is defined and

α

α-equivalent to M [ R/y].

Proof. Exercise.

Recall that in section 42.5, substitution is undefined in some cases; how-

ever, using α-conversion on terms, we can make substitution always defined
by renaming bound variables. The result preserves α-equivalence, as shown
in this theorem:

Theorem 42.30. For any M, R, and y, there exists M′ such that M = M′ and
α

M′ [ R/y] is defined. Moreover, if there is another pair M′′ = M and R′′ where
α

M′′ [ R′′ /y] is defined and R′′ = R, then M′ [ R/y] = M′′ [ R′′ /y].
α α

Proof. By induction on the formation of M:

1. M is a variable z: Exercise.

2. Suppose M is of the form λx. N. Select a variable z other than x and

y and such that z ∈ / FV( N ) and z ∈ / FV( R). By inductive hypothe-
sis, we there is N such that N = N and N ′ [z/x ] is defined. Then
′ ′ α

λx. N = λx. N ′ too, by Definition 42.21(1). Now λx. N ′ = λz. N ′ [z/x ]

α α

by Definition 42.21(4). We can do this because z ̸= x, z ∈ / FV ( N ′ ) and

′ ′
N [z/x ] is defined. Finally, λz. N [z/x ][ R/y] is defined, because z ̸= y
and z ∈
/ FV ( R).
Moreover, if there is another N ′′ and R′′ satisfying the same conditions,

(λz. N ′′ [z/x ])[ R′′ /y] =

= λz. N ′′ [z/x ][ R′′ /y]
= λz. N ′′ [z/x ][ R/y] by Lemma 42.29
= λz. N ′ [z/x ][ R/y] by inductive hypothesis
′
= (λz. N [z/x ])[ R/y]

3. M is of the form ( PQ): Exercise.

Corollary 42.31. For any M, R, and y, there exists a pair of M′ and R′ such that
M′ = M, R = R′ and M′ [ R′ /y] is defined. Moreover, if there is another pair
α α

M′′ = M and R′′ with M′ [ R′ /y] defined, then M′ [ R′ /y] = M′′ [ R′′ /y].
α α

Proof. Immediate from Theorem 42.30.

Release : d3a1905 (2022-12-19) 633

 CHAPTER 42. SYNTAX

42.7 The De Bruijn Index

α-Equivalence is very natural, as terms that are α-equivalent “mean the same.”
In fact, it is possible to give a syntax for lambda terms which does not distin-
guish terms that can be α-converted to each other. The best known replaces
variables by their De Bruijn index.
When we write λx. M, we explicitly state that x is the parameter of the
function, so that we can use x in M to refer to this parameter. In the de Bruijn
index, however, parameters have no name and reference to them in the func-
tion body is denoted by a number denoting the levels of abstraction between
them. For example, consider the example of λx. λy. yx: the outer abstraction
is on binds the variable x; the inner abstraction binds the variable is y; the
sub-term yx lies in the scope of the inner abstraction: there is no abstraction
between y and its abstract λy, but one abstract between x and its abstract λx.
Thus we write 0 1 for yx, and λ. λ. 01 for the entire term.

Definition 42.32. De Bruijn terms are inductively defines as follows:

1. n, where n is any natural number.

2. PQ, where P and Q are both De Bruijn terms.

3. λ. N, where N is a De Bruijn term.

A formalized translation from ordinary lambda terms to De Bruijn indexed

terms is as follows:

Definition 42.33.

FΓ ( x ) = Γ ( x )
FΓ ( PQ) = FΓ ( P) FΓ ( Q)
FΓ (λx. N ) = λ. Fx,Γ ( N )

where Γ is a list of variables indexed from zero, and Γ ( x ) denotes the position
of the variable x in Γ. For example, if Γ is x, y, z, then Γ ( x ) is 0 and Γ (z) is 2.
x, Γ denotes the list resulted from pushing x to the head of Γ; for instance,
continuing the Γ in last example, w, Γ is w, x, y, z.

Recovering a standard lambda term from a de Bruijn term is done as fol-

lows:

Definition 42.34.

GΓ ( n ) = Γ [ n ]
GΓ ( PQ) = GΓ ( P) GΓ ( Q)
GΓ (λ. N ) = λx. Gx,Γ ( N )

634 Release : d3a1905 (2022-12-19)

42.8. TERMS AS α-EQUIVALENCE CLASSES

where Γ is again a list of variables indexed from zero, and Γ [n] denotes the
variable in position n. For example, if Γ is x, y, z, then Γ [1] is y.
The variable x in last equation is chosen to be any variable that not in Γ.

Here we give some results without proving them:

→ M′ , and Γ is any list containing FV( M), then FΓ ( M) ≡

α
Proposition 42.35. If M −
′
FΓ ( M ).

42.8 Terms as α-Equivalence Classes

From now on, we will consider terms up to α-equivalence. That means when
we write a term, we mean its α-equivalance class it is in. For example, we
write λa. λb. ac for the set of all terms α-equivalent to it, such as λa. λb. ac,
λb. λa. bc, etc.
Also, while in previous sections letters such as N, Q are used to denote a
term, from now on we use them to denote a class, and it is these classes instead
of terms that will be our subjects of study in what follows. Letters such as x, y
continues to denote a variable.
We also adopt the notation M to denote an arbitrary element of the class M,
and M0 , M1 , etc. if we need more than one.
We reuse the notations from terms to simplify our wording. We have fol-
lowing definition on classes:

Definition 42.36. 1. λx. N is defined as the class containing λx. N.

2. PQ is defined to be the class containing PQ.

It is not hard to see that they are well defined, because α-conversion is
compatible.

Definition 42.37. The free variables of an α-equivalence class M, or FV ( M ), is

defined to be FV ( M).

This is well defined since FV ( M0 ) = FV ( M1 ), as shown in Theorem 42.28.

We also reuse the notation for substition into classes:

Definition 42.38. The substitution of R for y in M, or M [ R/y], is defined to be

M R/y , for any M and R making the substition defined.

This is also well defined as shown in Corollary 42.31.

Release : d3a1905 (2022-12-19) 635

 CHAPTER 42. SYNTAX

Note how this definition significantly simplifies our reasoning. For exam-
ple:

λx. x [y/x ] = (42.1)

= λz. z[y/x ] (42.2)
= λz. z[y/x ] (42.3)
= λz. z (42.4)

eq. (42.1) is undefined if we still regard it as substitution on terms; but as

mentioned earlier, we now consider it a substitution on classes, which is why
eq. (42.2) can happen: we can replace λx. x with λz. z because they belong to
the same class.
For the same reason, from now on we will assume that the representatives
we choose always satisfy the conditions needed for substitution. For example,
when we see λx. N [ R/y], we will assume the representative λx. N is chosen
so that x ̸= y and x ∈ / FV ( R).
Since it is a bit strange to call λx. x a “class”, let’s call them Λ-terms (or
simply “terms” in the rest of the part) from now on, to distinguish them from
λ-terms that we are familiar with.

We cannot say goodbye to terms yet: the whole definition of Λ-terms is

based on λ-terms, and we haven’t provided a method to define functions
on Λ-terms, which means all such functions have to be first defined on
λ-terms, and then “projected” to Λ-terms, as we did for substitutions.
However we assume the reader can intuitively understand how we can
define functions on Λ-terms.

42.9 β-reduction
When we see (λm. (λy. y)m), it is natural to conjecture that it has some connec-
tion with λm. m, namely the second term should be the result of “simplifying”
the first. The notion of β-reduction captures this intuition formally.

β β
Definition 42.39 (β-contraction, −→). The β-contraction (−
→) is the smallest com-
patible relation on terms satisfying the following condition:

β
(λx. N ) Q −
→ N [ Q/x ]
β
We say P is β-contracted to Q if P −
→ Q. A term of the form (λx. N ) Q is called
a redex.

636 Release : d3a1905 (2022-12-19)

42.9. β-REDUCTION

β β
Definition 42.40 (β-reduction, −
→
→). β-reduction (−
→
→) is the smallest reflexive,
β β
transitive relation on terms containing −
→. We say P is β-reduced to Q if P −
→
→
Q.

β β
We will write −
→ instead of −
→, and −
→
→ instead of −
→
→ when context is clear.
β
Informally speaking, M − →
→ N if and only if M can be changed to N by
zero or several steps of β-contraction.

Definition 42.41 (β-normal). A term that cannot be β-contracted any further

is said to be β-normal.

β
If M − →→ N and N is β-normal, then we say N is a normal form of M. One
may ask if the normal form of a term is unique, and the answer is yes, as we
will see later.
Let us consider some examples.

1. We have

(λx. xxy)λz. z −
→ (λz. z)(λz. z)y
−
→ (λz. z)y
−
→y

2. “Simplifying” a term can actually make it more complex:

(λx. xxy)(λx. xxy) −

→ (λx. xxy)(λx. xxy)y
−
→ (λx. xxy)(λx. xxy)yy
−
→ ...

3. It can also leave a term unchanged:

(λx. xx )(λx. xx ) −
→ (λx. xx )(λx. xx )

4. Also, some terms can be reduced in more than one way; for example,

(λx. (λy. yx )z)v −

→ (λy. yv)z

by contracting the outermost application; and

(λx. (λy. yx )z)v −

→ (λx. zx )v

by contracting the innermost one. Note, in this case, however, that both
terms further reduce to the same term, zv.

Release : d3a1905 (2022-12-19) 637

 CHAPTER 42. SYNTAX

The final outcome in the last example is not a coincidence, but rather il-
lustrates a deep and important property of the lambda calculus, known as the
Church-Rosser property.
In general, there is more than one way to β-reduce a term, thus many
reduction strategies have been invented, among which the most common is
the natural strategy. The natural strategy always contracts the left-most redex,
where the position of a redex is defined as its starting point in the term. The
natural strategy has the useful property that a term can be reduced to a normal
form by some strategy iff it can be reduced to normal form using the natural
strategy. In what follows we will use the natural stratuegy unless otherwise
specified.

Definition 42.42 (β-equivalence, =). β-Equivalence (=) is the relation induc-

tively defined as follows:

1. M = M.

2. If M = N, then N = M.

3. If M = N, N = O, then M = O.

4. If M = N, then PM = PN.

5. If M = N, then MQ = NQ.

6. If M = N, then λx. M = λx. N.

7. (λx. N ) Q = N [ Q/x ].

The first three rules make the relation an equivalence relation; the next
three make it compatible; the last ensures that it contains β-contraction.
Informally speaking, two terms are β-equivalent if and only if one of them
can be changed to the other in zero or more steps of β-contraction, or “inverse”
of β-contraction. The inverse of β-contraction is defined so that M inverse-β-
contracts to N iff N β-contracts to M.
Besides the above rules, we will extend the relation with more rules, and
X
denote the extended equivalence relation as =, where X is the extending rule.

42.10 η-conversion
There is another relation on λ terms. In section 42.4 we used the example
λx. ( f x ), which accepts an argument and applies f to it. In other words, it
is the same function as f : λx. ( f x ) N and f N both reduce to f N. We use η-
reduction (and η-extension) to capture this idea.

638 Release : d3a1905 (2022-12-19)

42.10. η-CONVERSION

η η
Definition 42.43 (η-contraction, − →). η-contraction (−
→) is the smallest compat-
ible relation on terms satisfying the following condition:
η
λx. Mx −
→ M provided x ∈
/ FV ( M)
βη βη
Definition 42.44 (βη-reduction, −→
→). βη-reduction (−→
→) is the smallest reflex-
β η
ive, transitive relation on terms containing −
→ and −
→, i.e., the rules of reflex-
ivity and transitive plus the following two rules:
β βη
1. If M −
→ N then M −→
→ N.
η βη
2. If M −
→ N then M −→
→ N.

Definition 42.45. We extend the equivalence relation = with the η-conversion

rule:
λx. f x = f
η
and denote the extended relation as =.

η-equivalence is important because it is related to extensionality of lambda

terms:
Definition 42.46 (Extensionality). We extend the equivalence relation = with
the (ext) rule:
If Mx = Nx then M = N, provided x ∈
/ FV ( MN ).
ext
and denote the extended relation as = .

Roughly speaking, the rule states that two terms, viewed as functions,
should be considered equal if they behave the same for the same argument.
We now prove that the η rule provides exactly the extensionality, and noth-
ing else.
ext η
Theorem 42.47. M = N if and only if M = N.
η
Proof. First we prove that = is closed under the extensionality rule. That is, ext
η η ext ext
rule doesn’t add anything to =. We then have = contains = , and if M = N,
η
then M = N.
η
To prove = is closed under ext, note that for any M = N derived by the ext
η η
rule, we have Mx = Nx as premise. Then we have λx. Mx = λx. Nx by a rule
η
of =, applying η on both side gives us M = N.
ext
Similarly we prove that the η rule is contained in = . For any λx. Mx and
ext ext
M with x ∈ / FV ( M ), we have that (λx. Mx ) x = Mx, giving us λx. Mx = M
by the ext rule.

Release : d3a1905 (2022-12-19) 639

 CHAPTER 42. SYNTAX

Problems
Problem 42.1. Describe the formation of (λg. (λx. ( g( xx )))(λx. ( g( xx )))).

Problem 42.2. Prove Lemma 42.4 by induction on the length of terms.

Problem 42.3. Expand the abbreviated term λg. (λx. g( xx ))λx. g( xx ).

Problem 42.4. 1. Identify the scopes of λg and the two λx in this term:
λg. (λx. g( xx ))λx. g( xx ).
2. In λg. (λx. g( xx ))λx. g( xx ), are all occurrences of variables bound? By
which abstractions are they bound respectively?
3. Give FV(λx. (λy. (λz. xy)z)y)

Problem 42.5. Prove Lemma 42.12.

Problem 42.6. What is the result of the following substitutions?

1. λy. x (λw. vwx )[(uv)/x ]
2. λy. x (λx. x )[(λy. xy)/x ]
3. y(λv. xv)[(λy. vy)/x ]

Problem 42.7. Complete the proof of Theorem 42.14.

Problem 42.8. Complete the proof of Theorem 42.15.

Problem 42.9. Prove Theorem 42.16.

Problem 42.10. Complete the proof of Theorem 42.17.

Problem 42.11. Are the following pairs of terms α-convertible?

1. λx. λy. x and λy. λx. y
2. λx. λy. x and λc. λb. a
3. λx. λy. x and λc. λb. a

Problem 42.12. Complete the proof of Lemma 42.25.

Problem 42.13. Complete the proof of Lemma 42.26

Problem 42.14. Prove Lemma 42.29.

Problem 42.15. Complete the proof of Theorem 42.30.

Problem 42.16. Spell out the equivalent inductive definitions of β-contraction

as we did for change of bound variable in Definition 42.21.

640 Release : d3a1905 (2022-12-19)

Chapter 43

The Church-Rosser Property

43.1 Definition and Properties

In this chapter we introduce the concept of Church-Rosser property and some
common properties of this property.
X
Definition 43.1 (Church-Rosser property, CR). A relation −
→ on terms is said
X X
to satisfy the Church-Rosser property iff, whenever M −
→ P and M −
→ Q, then
X X
there exists some N such that P −
→ N and Q −
→ N.

We can view the lambda calculus as a model of computation in which

terms in normal form are “values” and a reducibility relation on terms are
the “calculation rules.” The Church-Rosser property states is that when there
is more than one way to proceed with a calculation, there is still only a single
value of the expression.
To take an example from elementary algebra, there’s more than one way
to calculate 4 × (1 + 2) + 3. It can either be reduced to 4 × 3 + 3 (if we first
reduce 1 + 2 to 3) or to 4 × 1 + 4 × 2 + 3 (if we first reduce 4 × (1 + 2) using
distributivity). Both of these, however, can be further reduced to 12 + 3.
X
If we take −→ to be β-reduction, we easily see that a consequence of the
Church-Rosser property is that if a term has a normal form, then it is unique.
For suppose M can be reduced to P and Q, both of which are normal forms. By
Church-Rosser property, there exists some N such that both P and Q reduce
to it. Since by assumption P and Q are normal forms, the reduction of P and
Q to N can only be the trivial reduction, i.e., P, Q, and N are identical. This
justifies our speaking of the normal form of a term.
In viewing the lambda calculus as a model of computation, then, the nor-
mal form of a term can be thought of as the “final result” of the computation
starting with that term. The above corollary means there’s only one, if any,
final result of a computation, just like there is only one result of computing
4 × (1 + 2) + 3, namely 15.

641
 CHAPTER 43. THE CHURCH-ROSSER PROPERTY

X X
Theorem 43.2. If a relation −
→ satisfies the Church-Rosser property, and −
→→ is the
X X
smallest transitive relation containing −
→, then −
→→ satisfies the Church-Rosser prop-
erty too.

Proof. Suppose
X X X
M−
→ P1 −
→ ... −
→ Pm and
X X X
M−
→ Q1 −
→ ... −
→ Qn .

We will prove the theorem by constructing a grid N of terms of height is m +

1 and width n + 1. We use Ni,j to denote the term in the i-th row and j-th
column.
X X
We construct N in such a way that Ni,j −
→ Ni+1,j and Ni,j −→ Ni,j+1 . It is
defined as follows:

N0,0 = M
Ni,0 = Pi if 1 ≤ i ≤ m
N0,j = Q j if 1 ≤ j ≤ n

and otherwise:

Ni,j = R

X X
where R is a term such that Ni−1,j −
→ R and Ni,j−1 −
→ R. By the Church-Rosser
X
property of −
→, such a term always exists.
X X X X
Now we have Nm,0 −
→ ... −
→ Nm,n and N0,n −
→ ... −
→ Nm,n . Note Nm,0 is
X
P and N0,n is Q. By definition of −
→→ the theorem follows.

43.2 Parallel β-reduction

We introduce the notion of parallel β-reduction, and prove the it has the Church-
Rosser property.
β β
Definition 43.3 (parallel β-reduction, =⇒). Parallel reduction (=⇒) of terms
is inductively defined as follows:
β
1. x =⇒ x.
β β
→ N ′ then λx. N =⇒ λx. N ′ .
2. If N −
β β β
3. If P =⇒ P′ and Q =⇒ Q′ then PQ =⇒ P′ Q′ .
β β β
4. If N =⇒ N ′ and Q =⇒ Q′ then (λx. N ) Q =⇒ N ′ [ Q′ /x ].

642 Release : d3a1905 (2022-12-19)

43.2. PARALLEL β-REDUCTION

Parallel β-reduction allows us to reduce any number of redices in a term in

one step. It is different from β-reduction in the sense that we can only contract
redices that occur in the original term, but not redices arising from parallel
β-reduction. For example, the term (λ f . f x )(λy. y) can only be parallel β-
reduced to itself or to (λy. y) x, but not further to x, although it β-reduces to x,
because this redex arises only after one step of parallel β-reduction. A second
parallel β-reduction step yields x, though.
β
Theorem 43.4. M =⇒ M.

Proof. Exercise.

Definition 43.5 (β-complete development). The β-complete development M∗ β

of M is defined inductively as follows:

x∗β = x (43.1)
∗β ∗β
(λx. N ) = λx. N (43.2)
∗β
( PQ) = P∗ β Q∗ β if P is not a λ-abstract (43.3)
∗β ∗β ∗β
((λx. N ) Q) = N [ Q /x ] (43.4)

The β-complete development of a term, as its name suggests, is a “com-

plete parallel reduction.” While for parallel β-reduction we still can choose to
not contract a redex, for complete development we have no choice but to con-
tract all of them. Thus the complete development of (λ f . f x )(λy. y) is (λy. y) x,
not itself.

This definition has the problem that we haven’t introduced how to

define functions on (λ-)terms recursively. Will fix in future.

β β β
Lemma 43.6. If M =⇒ M′ and R =⇒ R′ , then M [ R/y] =⇒ M′ [ R′ /y].

β
Proof. By induction on the derivation of M =⇒ M′ .

1. The last step is (1): Exercise.

β
2. The last step is (2): Then M is λx. N and M′ is λx. N ′ , where N =⇒ N ′ .
β β
We want to prove that (λx. N )[ R/y] =⇒ (λx. N ′ )[ R′ /y], i.e., λx. N [ R/y] =⇒
λx. N ′ [ R/y]. This follows immediately by (2) and the induction hypoth-
esis.

3. The last step is (3): Exercise.

Release : d3a1905 (2022-12-19) 643

 CHAPTER 43. THE CHURCH-ROSSER PROPERTY

4. The last step is (4): M is (λx. N ) Q and M′ is N ′ [ Q′ /x ]. We want to prove

β β
that ((λx. N ) Q)[ R/y] =⇒ N ′ [ Q′ /x ][ R′ /y], i.e., (λx. N [ R/y]) Q[ R/y] =⇒
N ′ [ R′ /y][ Q′ [ R′ /y]/x ]. This follows by (4) and the induction hypothesis.

β β
Lemma 43.7. If M =⇒ M′ then M′ =⇒ M∗ β .

β
Proof. By induction on the derivation of M =⇒ M′ .

1. The last rule is (1): Exercise.

β
2. The last rule is (2): M is λx. N and M′ is λx. N ′ with N =⇒ N ′ . We want
to show that λx. N ′ =⇒ (λx. N )∗ β , i.e., λx. N ′ =⇒ λx. N ∗ β by eq. (43.2).
β β

It follows by (2) and the induction hypothesis.

3. The last rule is (3):M is PQ and M′ is P′ Q′ for some P, Q, P′ and Q′ , with

β β β
P =⇒ P′ and Q =⇒ Q′ . By induction hypothesis, we have P′ =⇒ P∗ β
β
and Q′ =⇒ Q∗ β .

a) If P is λx. N for some x and N, then P′ must be λx. N ′ for some N ′

β β
with N =⇒ N ′ . By induction hypothesis we have N ′ =⇒ N ∗ β and
β β
Q′ =⇒ Q∗ β . Then (λx. N ′ ) Q′ =⇒ N ∗ β [ Q∗ β /x ] by (4).
β
b) If P is not a λ-abstract, then P′ Q′ =⇒ P∗ β Q∗ β by (3), and the right-
hand side is PQ∗ β by eq. (43.3).

4. The last rule is (4): M is (λx. N ) Q and M′ is N ′ [ Q′ /x ] for some x, N,

β β
Q, N ′ , and Q′ , with N =⇒ N ′ and Q =⇒ Q′ . By induction hypoth-
β β
esis we know N ′ =⇒ N ∗ β and Q′ =⇒ Q∗ β . By Lemma 43.6 we have
N ′ [ Q′ /x ] =⇒ N ∗ β [ Q∗ β /x ], the right-hand side of which is exactly ((λx. N ) Q)∗ β .
β

β
Theorem 43.8. =⇒ has the Church-Rosser property.

Proof. Immediate from Lemma 43.7.

43.3 β-reduction
β β
→ M′ , then M =⇒ M′ .
Lemma 43.9. If M −

644 Release : d3a1905 (2022-12-19)

43.3. β-REDUCTION

β
→ M′ , then M is (λx. N ) Q, M′ is N [ Q/x ], for some x, N, and Q.
Proof. If M −
β β β
Since N =⇒ N and Q =⇒ Q by Theorem 43.4, we immediately have (λx. N ) Q =⇒
N [ Q/x ] by Definition 43.3(4).

β β
Lemma 43.10. If M =⇒ M′ , then M −
→ M′ .
→

β
Proof. By induction on the derivation of M =⇒ M′ .
β
1. The last rule is (1): Then M and M′ are just x, and x −
→
→ x.

2. The last rule is (2): M is λx. N and M′ is λx. N ′ for some x, N, N ′ , where
β β β
N =⇒ N ′ . By induction hypothesis we have N −
→ N ′ . Then λx. N −
→ →
→
β β
λx. N ′ (by the same series of − → N ′ ).
→ contractions as N −
→

3. The last rule is (3): M is PQ and M′ is P′ Q′ for some P, Q, P′ , Q′ , where

β β β
P =⇒ P′ and Q =⇒ Q′ . By induction hypothesis we have P −
→ P′ and
→
β β β
→ Q′ . So PQ −
Q−
→ → P′ Q′ by the reduction sequence P −
→ → P′ followed
→
β
→ Q′ .
by the reduction Q −
→

4. The last rule is (4): M is (λx. N ) Q and M′ is N ′ [ Q′ /x ] for some x, N,

β β
M′ , Q, Q′ , where N =⇒ N ′ and Q =⇒ Q′ . By induction hypothesis
β β β β
→ Q′ and N −
we get Q −
→ → N ′ . So (λx. N ) Q −
→ → N ′ [ Q′ /x ] by N −
→ → N′
→
β
→ Q′ and finally contraction of (λx. N ′ ) Q′ to N ′ [ Q′ /x ].
followed by Q −
→

β β
Lemma 43.11. −
→
→ is the smallest transitive relation containing =⇒.

X β
Proof. Let −
→→ be the smallest transitive relation containing =⇒.
β X β β β
−
→
→⊆−
→ → M′ , i.e., M ≡ M1 −
→: Suppose M −
→ → Mk ≡ M′ . By
→ ... −
β β X β
Lemma 43.9, M ≡ M1 =⇒ . . . =⇒ Mk ≡ M′ . Since is −
→→ contains =⇒ and is
X
transitive, M −
→→ M′ .
X β X β β
−
→→⊆−
→
→: Suppose M −
→→ M′ , i.e., M ≡ M1 =⇒ . . . =⇒ Mk ≡ M′ . By
β β β β
Lemma 43.10, M ≡ M1 −
→ → Mk ≡ M′ . Since −
→ ... −
→ →
→ is transitive, M −
→
→
M.′

β
Theorem 43.12. −
→
→ satisfies the Church-Rosser property.

Proof. Immediate from Theorem 43.2, Theorem 43.8, and Lemma 43.11.

Release : d3a1905 (2022-12-19) 645

 CHAPTER 43. THE CHURCH-ROSSER PROPERTY

43.4 Parallel βη-reduction

In this section we prove the Church-Rosser property for parallel βη-reduction,
the parallel reduction notion corresponding to βη-reduction.
βη βη
Definition 43.13 (Parallel βη-reduction, =⇒). Parallel βη-reduction (=⇒) on
terms is inductively defined as follows:
βη
1. x =⇒ x.
β βη
→ N ′ then λx. N =⇒ λx. N ′ .
2. If N −
βη βη βη
3. If P =⇒ P′ and Q =⇒ Q′ then PQ =⇒ P′ Q′ .
βη βη βη
4. If N =⇒ N ′ and Q =⇒ Q′ then (λx. N ) Q =⇒ N ′ [ Q′ /x ].
βη βη
5. If N =⇒ N ′ then λx. Nx =⇒ N ′ , provided x ∈
/ FV ( N ).

βη
Theorem 43.14. M =⇒ M.

Proof. Exercise.

Definition 43.15 (βη-complete development). The βη-complete development M∗ βη

of M is defined as follows:

x ∗ βη = x (43.5)
∗ βη ∗ βη
(λx. N ) = λx. N (43.6)
( PQ)∗ βη = P∗ βη Q∗ βη if P is not a λ-abstract (43.7)
∗ βη ∗ βη ∗ βη
((λx. N ) Q) =N [Q /x ] (43.8)
(λx. Nx )∗ βη = N ∗ βη if x ∈
/ FV ( N ) (43.9)

βη βη βη
Lemma 43.16. If M =⇒ M′ and R =⇒ R′ , then M[ R/y] =⇒ M′ [ R′ /y].

βη
Proof. By induction on the derivation of M =⇒ M′ .
The first four cases are exactly like those in Lemma 43.6. If the last rule
is (5), then M is λx. Nx, M′ is N ′ for some x and N ′ where x ∈ / FV ( N ),
βη βη
and N =⇒ N ′ . We want to show that (λx. Nx )[ R/y] =⇒ N ′ [ R′ /y], i.e.,
βη
λx. N [ R/y] x =⇒ N ′ [ R′ /y]. It follows by Definition 43.13(5) and the induc-
tion hypothesis.

βη βη
Lemma 43.17. If M =⇒ M′ then M′ =⇒ M∗ βη .

646 Release : d3a1905 (2022-12-19)

43.5. βη-REDUCTION

βη
Proof. By induction on the derivation of M =⇒ M′ .
The first four cases are like those in Lemma 43.7. If the last rule is (5),
then M is λx. Nx and M′ is N ′ for some x, N, N ′ where x ∈ / FV ( N ) and
N =⇒ N ′ . We want to show that N ′ =⇒ (λx. Nx )∗ βη , i.e., N ′ =⇒ N ∗ βη ,
βη βη βη

which is immediate by induction hypothesis.

βη
Theorem 43.18. =⇒ has the Church-Rosser property.

Proof. Immediate from Lemma 43.17.

43.5 βη-reduction
βη
The Church-Rosser property holds for βη-reduction (−→
→).
βη βη
Lemma 43.19. If M −→ M′ , then M =⇒ M′ .
βη β
Proof. By induction on the derivation of M −→ M′ . If M − → M′ by η-conversion
(i.e., Definition 42.43), we use Theorem 43.14. The other cases are as in Lemma 43.9.
βη βη
Lemma 43.20. If M =⇒ M′ , then M −→
→ M′ .
βη
Proof. Induction on the derivation of M =⇒ M′ .
If the last rule is (5), then M is λx. Nx and M′ is N ′ for some x, N, N ′
βη
/ FV ( N ) and N =⇒ N ′ . Thus we can first reduce λx. Nx to N by
where x ∈
βη βη
→ N′,
η-conversion, followed by the series of −→ steps that show that N −→
which holds by induction hypothesis.
βη βη
Lemma 43.21. −→
→ is the smallest transitive relation containing =⇒.
Proof. As in Lemma 43.11
βη
Theorem 43.22. −→
→ satisfies Church-Rosser property.
Proof. By Theorem 43.2, Theorem 43.18 and Lemma 43.21.

Problems
Problem 43.1. Prove Theorem 43.4.

Problem 43.2. Complete the proof of Lemma 43.6.

Problem 43.3. Complete the proof of Lemma 43.7.

Problem 43.4. Prove Theorem 43.14.

Release : d3a1905 (2022-12-19) 647

Chapter 44

Lambda Definability

This chapter is experimental. It needs more explanation, and the ma-

terial should be structured better into definitions and propositions with
proofs, and more examples.

44.1 Introduction
At first glance, the lambda calculus is just a very abstract calculus of expres-
sions that represent functions and applications of them to others. Nothing in
the syntax of the lambda calculus suggests that these are functions of partic-
ular kinds of objects, in particular, the syntax includes no mention of natural
numbers. Its basic operations—application and lambda abstractions—are op-
erations that apply to any function, not just functions on natural numbers.
Nevertheless, with some ingenuity, it is possible to define arithmetical
functions, i.e., functions on the natural numbers, in the lambda calculus. To
do this, we define, for each natural number n ∈ N, a special λ-term n, the
Church numeral for n. (Church numerals are named for Alonzo Church.)

Definition 44.1. If n ∈ N, the corresponding Church numeral n represents n:

n ≡ λ f x. f n ( x )

Here, f n ( x ) stands for the result of applying f to x n times. For example, 0 is

λ f x. x, and 3 is λ f x. f ( f ( f x )).

The Church numeral n is encoded as a lambda term which represents a

function accepting two arguments f and x, and returns f n ( x ). Church numer-
als are evidently in normal form.
A represention of natural numbers in the lambda calculus is only useful,
of course, if we can compute with them. Computing with Church numerals

648
44.2. λ-DEFINABLE ARITHMETICAL FUNCTIONS

in the lambda calculus means applying a λ-term F to such a Church numeral,

and reducing the combined term F n to a normal form. If it always reduces to
a normal form, and the normal form is always a Church numeral m, we can
think of the output of the computation as being the number m. We can then
think of F as defining a function f : N → N, namely the function such that
f (n) = m iff F n −
→→ m. Because of the Church-Rosser property, normal forms
are unique if they exist. So if F n −
→
→ m, there can be no other term in normal
form, in particular no other Church numeral, that F n reduces to.
Conversely, given a function f : N → N, we can ask if there is a term F
that defines f in this way. In that case we say that F λ-defines f , and that f is
λ-definable. We can generalize this to many-place and partial functions.

Definition 44.2. Suppose f : Nk → N. We say that a lambda term F λ-defines

f if for all n0 , . . . , nk−1 ,

F n 0 n 1 . . . n k −1 −
→
→ f ( n 0 , n 1 , . . . , n k −1 )

if f (n0 , . . . , nk−1 ) is defined, and F n0 n1 . . . nk−1 has no normal form other-

wise.

A very simple example are the constant functions. The term Ck ≡ λx. k λ-
defines the function ck : N → N such that c(n) = k. For Ck n ≡ (λx. k)n − →k
for any n. The identity function is λ-defined by λx. x. More complex functions
are of course harder to define, and often require a lot of ingenuity. So it is per-
haps surprising that every computable function is λ-definable. The converse
is also true: if a function is λ-definable, it is computable.

44.2 λ-Definable Arithmetical Functions

Proposition 44.3. The successor function succ is λ-definable.

Proof. A term that λ-defines the successor function is

Succ ≡ λa. λ f x. f ( a f x ).

Given our conventions, this is short for

Succ ≡ λa. λ f . λx. ( f (( a f ) x )).

Succ is a function that accepts as argument a number a, and evaluates to an-

other function, λ f x. f ( a f x ). That function is not itself a Church numeral.
However, if the argument a is a Church numeral, it reduces to one. Consider:

(λa. λ f x. f ( a f x )) n −
→ λ f x. f (n f x ).

Release : d3a1905 (2022-12-19) 649

 CHAPTER 44. LAMBDA DEFINABILITY

The embedded term n f x is a redex, since n is λ f x. f n x. So n f x −

→ f n x and so,
for the entire term we have

→ λ f x. f ( f n ( x )),
Succ n −
→

i.e., n + 1.

Example 44.4. Let’s look at what happens when we apply Succ to 0, i.e., λ f x. x.
We’ll spell the terms out in full:

Succ 0 ≡ (λa. λ f . λx. ( f (( a f ) x )))(λ f . λx. x )

−
→ λ f . λx. ( f (((λ f . λx. x ) f ) x ))
−
→ λ f . λx. ( f ((λx. x ) x ))
−
→ λ f . λx. ( f x ) ≡ 1

Proposition 44.5. The addition function add is λ-definable.

Proof. Addition is λ-defined by the terms

Add ≡ λab. λ f x. a f (b f x )

or, alternatively,

Add′ ≡ λab. a Succ b.

The first addition works as follows: Add first accept two numbers a and b.
The result is a function that accepts f and x and returns a f (b f x ). If a and b
are Church numerals n and m, this reduces to f n+m ( x ), which is identical to
f n ( f m ( x )). Or, slowly:

(λab. λ f x. a f (b f x ))n m −
→ λ f x. n f (m f x )
→ λ f x. n f ( f m x )
−
→ λ f x. f n ( f m x ) ≡ n + m.
−

The second representation of addition Add′ works differently: Applied to two

Church numerals n and m,

Add′ n m −
→ n Succ m.

But n f x always reduces to f n ( x ). So,

→ Succn (m).
n Succ m −
→
And since Succ λ-defines the successor function, and the successor function
applied n times to m gives n + m, this in turn reduces to n + m.

650 Release : d3a1905 (2022-12-19)

44.3. PAIRS AND PREDECESSOR

Proposition 44.6. Multiplication is λ-definable by the term

Mult ≡ λab. λ f x. a(b f ) x

Proof. To see how this works, suppose we apply Mult to Church numerals
n and m: Mult n m reduces to λ f x. n(m f ) x. The term m f defines a function
which applies f to its argument m times. Consequently, n(m f ) x applies the
function “apply f m times” itself n times to x. In other words, we apply f to
x, n · m times. But the resulting normal term is just the Church numeral nm.

We can actually simplify this term further by η-reduction:

Mult ≡ λab. λ f . a(b f ).

But then we first have to explain η-reduction.

The definition of exponentiation as a λ-term is surprisingly simple:

Exp ≡ λbe. eb.
The first argument b is the base and the second e is the exponent. Intuitively,
e f is f e by our encoding of numbers. If you find it hard to understand, we can
still define exponentiation also by iterated multiplication:
Exp′ ≡ λbe. e(Mult b)1.
Predecessor and subtraction on Church numeral is not as simple as we
might think: it requires encoding of pairs.

44.3 Pairs and Predecessor

Definition 44.7. The pair of M and N (written ⟨ M, N ⟩) is defined as follows:
⟨ M, N ⟩ ≡ λ f . f MN.

Intuitively it is a function that accepts a function, and applies that function

to the two elements of the pair. Following this idea we have this constructor,
which takes two terms and returns the pair containing them:
Pair ≡ λmn. λ f . f mn
Given a pair, we also want to recover its elements. For this we need two ac-
cess functions, which accept a pair as argument and return the first or second
elements in it:
Fst ≡ λp. p(λmn. m)
Snd ≡ λp. p(λmn. n)

Release : d3a1905 (2022-12-19) 651

 CHAPTER 44. LAMBDA DEFINABILITY

Now with pairs we can λ-define the predecessor function:

Pred ≡ λn. Fst(n(λp. ⟨Snd p, Succ(Snd p)⟩)⟨0, 0⟩)

Remember that n f x reduces to f n ( x ); in this case f is a function that accepts

a pair p and returns a new pair containing the second component of p and the
successor of the second component; x is the pair ⟨0, 0⟩. Thus, the result is ⟨0, 0⟩
for n = 0, and ⟨n − 1, n⟩ otherwise. Pred then returns the first component of
the result.
Subtraction can be defined as Pred applied to a, b times:

Sub ≡ λab. bPred a.

44.4 Truth Values and Relations

We can encode truth values in the pure lambda calculus as follows:

true ≡ λx. λy. x

false ≡ λx. λy. y

Truth values are represented as selectors, i.e., functions that accept two ar-
guments and returning one of them. The truth value true selects its first argu-
ment, and false its second. For example, true MN always reduces to M, while
false MN always reduces to N.

Definition 44.8. We call a relation R ⊆ Nn λ-definable if there is a term R

such that
β
R n1 . . . n k −
→
→ true

whenever R(n1 , . . . , nk ) and

β
R n1 . . . n k −
→
→ false

otherwise.

For instance, the relation IsZero = {0} which holds of 0 and 0 only, is
λ-definable by
IsZero ≡ λn. n(λx. false) true.
How does it work? Since Church numerals are defined as iterators (functions
which apply their first argument n times to the second), we set the initial value
to be true, and for every step of iteration, we return false regardless of the
result of the last iteration. This step will be applied to the initial value n times,
and the result will be true if and only if the step is not applied at all, i.e., when
n = 0.

652 Release : d3a1905 (2022-12-19)

44.5. PRIMITIVE RECURSIVE FUNCTIONS ARE λ-DEFINABLE

On the basis of this representation of truth values, we can further define

some truth functions. Here are two, the representations of negation and con-
junction:

Not ≡ λx. x false true

And ≡ λx. λy. xy false

The function “Not” accepts one argument, and returns true if the argument is
false, and false if the argument is true. The function “And” accepts two truth
values as arguments, and should return true iff both arguments are true. Truth
values are represented as selectors (described above), so when x is a truth
value and is applied to two arguments, the result will be the first argument if x
is true and the second argument otherwise. Now And takes its two arguments
x and y, and in return passes y and false to its first argument x. Assuming x is
a truth value, the result will evaluate to y if x is true, and to false if x is false,
which is just what is desired.
Note that we assume here that only truth values are used as arguments to
And. If it is passed other terms, the result (i.e., the normal form, if it exists)
may well not be a truth value.

44.5 Primitive Recursive Functions are λ-Definable

Recall that the primitive recursive functions are those that can be defined from
the basic functions zero, succ, and Pin by composition and primitive recursion.

Lemma 44.9. The basic primitive recursive functions zero, succ, and projections Pin
are λ-definable.

Proof. They are λ-defined by the following terms:

Zero ≡ λa. λ f x. x
Succ ≡ λa. λ f x. f ( a f x )
Projin ≡ λx0 . . . xn−1 . xi

Lemma 44.10. Suppose the k-ary function f , and n-ary functions g0 , . . . , gk−1 , are
λ-definable by terms F, G0 , . . . , Gk , and h is defined from them by composition. Then
H is λ-definable.

Proof. h can be λ-defined by the term

H ≡ λx0 . . . xn−1 . F ( G0 x0 . . . xn−1 ) . . . ( Gk−1 x0 . . . xn−1 )

We leave verification of this fact as an exercise.

Release : d3a1905 (2022-12-19) 653

 CHAPTER 44. LAMBDA DEFINABILITY

Note that Lemma 44.10 did not require that f and g0 , . . . , gk−1 are primitive
recursive; it is only required that they are total and λ-definable.
Lemma 44.11. Suppose f is an n-ary function and g is an n + 2-ary function, they
are λ-definable by terms F and G, and the function h is defined from f and g by
primitive recursion. Then h is also λ-definable.
Proof. Recall that h is defined by
h ( x1 , . . . , x n , 0) = f ( x1 , . . . , x n )
h( x1 , . . . , xn , y + 1) = h( x1 , . . . , xn , y, h( x1 , . . . , xn , y)).
Informally speaking, the primitive recursive definition iterates the application
of the function h y times and applies it to f ( x1 , . . . , xn ). This is reminiscent of
the definition of Church numerals, which is also defined as a iterator.
For simplicity, we give the definition and proof for a single additional ar-
gument x. The function h is λ-defined by:
H ≡λx. λy. Snd(yD ⟨0, Fx ⟩)

where

D ≡λp. ⟨Succ(Fst p), ( Gx (Fst p)(Snd p))⟩

The iteration state we maintain is a pair, the first of which is the current y
and the second is the corresponding value of h. For every step of iteration we
create a pair of new values of y and h; after the iteration is done we return
the second part of the pair and that’s the final h value. We now prove this is
indeed a representation of primitive recursion.
We want to prove that for any n and m, H n m − →→ h(n, m). To do this we
first show that if Dn ≡ D [n/x ], then Dnm ⟨0, F n⟩ −→
→ ⟨m, h(n, m)⟩ We proceed
by induction on m.
If m = 0, we want Dn0 ⟨0, F n⟩ −
→ ⟨0, h(n, 0)⟩. But Dn0 ⟨0, F n⟩ just is ⟨0, F n⟩.
→
Since F λ-defines f , this reduces to ⟨0, f (n)⟩, and since f (n) = h(n, 0), this is
⟨0, h(n, 0)⟩
Now suppose that Dnm ⟨0, F n⟩ − →
→ ⟨m, h(n, m)⟩. We want to show that
m + 1
Dn ⟨0, F n⟩ − →→ ⟨m + 1, h(n, m + 1)⟩.
Dnm+1 ⟨0, F n⟩ ≡ Dn ( Dnm ⟨0, F n⟩)
−
→
→ Dn ⟨m, h(n, m)⟩ (by IH)
≡ (λp. ⟨Succ(Fst p), ( G n(Fst p)(Snd p))⟩)⟨m, h(n, m)⟩
−
→ ⟨Succ(Fst ⟨m, h(n, m)⟩),
( G n(Fst ⟨m, h(n, m)⟩)(Snd ⟨m, h(n, m)⟩))⟩
−
→
→ ⟨Succ m, ( G n m h(n, m))⟩
−
→
→ ⟨m + 1, g(n, m, h(n, m))⟩

654 Release : d3a1905 (2022-12-19)

44.6. FIXPOINTS

Since g(n, m, h(n, m)) = h(n, m + 1), we are done.

Finally, consider

H n m ≡ λx. λy. Snd(y(λp.⟨Succ(Fst p), ( G x (Fst p) (Snd p))⟩)⟨0, Fx ⟩)

nm
−
→
→ Snd(m (λp.⟨Succ(Fst p), ( G n (Fst p)(Snd p))⟩)⟨0, Fn⟩)
| {z }
Dn
≡ Snd(m Dn ⟨0, Fn⟩)
→ Snd ( Dnm ⟨0, Fn⟩)
−
→
−
→
→ Snd ⟨m, h(n, m)⟩
−
→
→ h(n, m).

Proposition 44.12. Every primitive recursive function is λ-definable.

Proof. By Lemma 44.9, all basic functions are λ-definable, and by Lemma 44.10
and Lemma 44.11, the λ-definable functions are closed under composition and
primitive recursion.

44.6 Fixpoints
Suppose we wanted to define the factorial function by recursion as a term Fac
with the following property:

Fac ≡ λn. IsZero n 1(Mult n(Fac(Pred n)))

That is, the factorial of n is 1 if n = 0, and n times the factorial of n − 1 other-

wise. Of course, we cannot define the term Fac this way since Fac itself occurs
in the right-hand side. Such recursive definitions involving self-reference are
not part of the lambda calculus. Defining a term, e.g., by

Mult ≡ λab. a(Add a)0

only involves previously defined terms in the right-hand side, such as Add.
We can always remove Add by replacing it with its defining term. This would
give the term Mult as a pure lambda term; if Add itself involved defined terms
(as, e.g., Add′ does), we could continue this process and finally arrive at a pure
lambda term.
However this is not true in the case of recursive definitions like the one of
Fac above. If we replace the occurrence of Fac on the right-hand side with the
definition of Fac itself, we get:

Fac ≡ λn. IsZero n 1

(Mult n((λn. IsZero n 1 (Mult n (Fac(Pred n))))(Pred n)))

Release : d3a1905 (2022-12-19) 655

 CHAPTER 44. LAMBDA DEFINABILITY

and we still haven’t gotten rid of Fac on the right-hand side. Clearly, if we
repeat this process, the definition keeps growing longer and the process never
results in a pure lambda term. Thus this way of defining factorial (or more
generally recursive functions) is not feasible.
The recursive definition does tell us something, though: If f were a term
representing the factorial function, then the term

Fac′ ≡ λg. λn. IsZero n 1 (Mult n ( g(Predn)))

applied to the term f , i.e., Fac′ f , also represents the factorial function. That is,
if we regard Fac′ as a function accepting a function and returning a function,
the value of Fac′ f is just f , provided f is the factorial. A function f with the
β
property that Fac′ f = f is called a fixpoint of Fac′ . So, the factorial is a fixpoint
of Fac′ .
There are terms in the lambda calculus that compute the fixpoints of a
given term, and these terms can then be used to turn a term like Fac′ into the
definition of the factorial.

Definition 44.13. The Y-combinator is the term:

Y ≡ (λux. x (uux ))(λux. x (uux )).

Theorem 44.14. Y has the property that Yg −

→
→ g(Yg) for any term g. Thus, Yg is
always a fixpoint of g.

Proof. Let’s abbreviate (λux. x (uux )) by U, so that Y ≡ UU. Then

Yg ≡ (λux. x (uux ))U g

−
→
→ (λx. x (UUx )) g
−
→
→ g(UUg) ≡ g(Yg).
β
Since g(Yg) and Yg both reduce to g(Yg), g(Yg) = Yg, so Yg is a fixpoint
of g.

Of course, since Yg is a redex, the reduction can continue indefinitely:

Yg −
→
→ g(Yg)
−
→→ g( g(Yg))
−
→→ g( g( g(Yg)))
...

So we can think of Yg as g applied to itself infinitely many times. If we apply g

to it one additional time, we—so to speak—aren’t doing anything extra; g ap-
plied to g applied infinitely many times to Yg is still g applied to Yg infinitely
many times.

656 Release : d3a1905 (2022-12-19)

44.6. FIXPOINTS

Note that the above sequence of β-reduction steps starting with Yg is infi-
nite. So if we apply Yg to some term, i.e., consider (Yg) N, that term will also
reduce to infinitely many different terms, namely ( g(Yg)) N, ( g( g(Yg))) N,
. . . . It is nevertheless possible that some other sequence of reduction steps
does terminate in a normal form.
Take the factorial for instance. Define Fac as Y Fac′ (i.e., a fixpoint of Fac′ ).
Then:
→ Y Fac′ 3
Fac 3 −
→
→ Fac′ (Y Fac′ ) 3
−
→
≡ (λx. λn. IsZero n 1 (Mult n ( x (Pred n)))) Fac 3
−
→
→ IsZero 3 1 (Mult 3 (Fac(Pred 3)))
−
→
→ Mult 3 (Fac 2).

Similarly,

Fac 2 −
→
→ Mult 2 (Fac 1)
Fac 1 −
→
→ Mult 1 (Fac 0)

but

→ Fac′ (Y Fac′ ) 0
Fac 0 −
→
≡ (λx. λn. IsZero n 1 (Mult n ( x (Pred n)))) Fac 0
−
→
→ IsZero 0 1 (Mult 0 (Fac(Pred 0))).
−
→
→ 1.

So together

Fac 3 −
→
→ Mult 3 (Mult 2 (Mult 1 1)).
What goes for Fac′ goes for any recursive definition. Suppose we have a
recursive equation
β
g x1 . . . x n = N

where N may contain g and x1 , . . . , xn . Then there is always a term G ≡

(Yλg. λx1 . . . xn . N ) such that
β
G x1 . . . xn = N [ G/g].

For by the fixpoint theorem,

G ≡ (Yλg. λx1 . . . xn . N ) −
→
→ λg. λx1 . . . xn . N (Yλg. λx1 . . . xn . N )
≡ (λg. λx1 . . . xn . N ) G

Release : d3a1905 (2022-12-19) 657

 CHAPTER 44. LAMBDA DEFINABILITY

and consequently

G x1 . . . x n −
→
→ (λg. λx1 . . . xn . N ) G x1 . . . xn
−
→
→ (λx1 . . . xn . N [ G/g]) x1 . . . xn
−
→
→ N [ G/g].

The Y combinator of Definition 44.13 is due to Alan Turing. Alonzo Church

had proposed a different version which we’ll call YC :

YC ≡ λg. (λx. g( xx ))(λx. g( xx )).

β
Church’s combinator is a bit weaker than Turing’s in that Yg = g(Yg) but not
β
Yg −
→
→ g(Yg). Let V be the term λx. g( xx ), so that YC ≡ λg. VV. Then

VV ≡ (λx. g( xx ))V −
→
→ g(VV ) and thus
YC g ≡ (λg. VV ) g −
→
→ VV −
→
→ g(VV ), but also
g(YC g) ≡ g((λg. VV ) g) −
→
→ g(VV ).

β
In other words, YC g and g(YC g) reduce to a common term g(VV ); so YC g =
g(YC g). This is often enough for applications.

44.7 Minimization
The general recursive functions are those that can be obtained from the ba-
sic functions zero, succ, Pin by composition, primitive recursion, and regular
minimization. To show that all general recursive functions are λ-definable we
have to show that any function defined by regular minimization from a λ-
definable function is itself λ-definable.

Lemma 44.15. If f ( x1 , . . . , xk , y) is regular and λ-definable, then g defined by

g( x1 , . . . , xk ) = µy f ( x1 , . . . , xk , y) = 0

is also λ-definable.

Proof. Suppose the lambda term F λ-defines the regular function f (⃗x, y). To
λ-define h we use a search function and a fixpoint combinator:

Search ≡ λg. λ f ⃗x y. IsZero( f ⃗x y) y ( g ⃗x (Succ y)

H ≡ λ⃗x. (Y Search) F ⃗x 0,

where Y is any fixpoint combinator. Informally speaking, Search is a self-

referencing function: starting with y, test whether f ⃗x y is zero: if so, return y,

658 Release : d3a1905 (2022-12-19)

44.8. PARTIAL RECURSIVE FUNCTIONS ARE λ-DEFINABLE

otherwise call itself with Succ y. Thus (Y Search) Fn1 . . . nk 0 returns the least m
for which f (n1 , . . . , nk , m) = 0.
Specifically, observe that

(Y Search) Fn1 . . . nk m −
→
→m

if f (n1 , . . . , nk , m) = 0, or

−
→
→ (Y Search) F n1 . . . nk m + 1

otherwise. Since f is regular, f (n1 , . . . , nk , y) = 0 for some y, and so

(Y Search) Fn1 . . . nk 0 −
→
→ h ( n1 , . . . , n k ).

Proposition 44.16. Every general recursive function is λ-definable.

Proof. By Lemma 44.9, all basic functions are λ-definable, and by Lemma 44.10,
Lemma 44.11, and Lemma 44.15, the λ-definable functions are closed under
composition, primitive recursion, and regular minimization.

44.8 Partial Recursive Functions are λ-Definable

Partial recursive functions are those obtained from the basic functions by com-
position, primitive recursion, and unbounded minimization. They differ from
general recursive function in that the functions used in unbounded search are
not required to be regular. Not requiring regularity means that functions de-
fined by minimization may sometimes not be defined.
At first glance it might seem that the same methods used to show that the
(total) general recursive functions are all λ-definable can be used to prove that
all partial recursive functions are λ-definable. For instance, the composition of
f with g is λ-defined by λx. F ( Gx ) if f and g are λ-defined by terms F and G,
respectively. However, when the functions are partial, this is problematic.
When g( x ) is undefined, meaning Gx has no normal form. In most cases this
means that F ( Gx ) has no normal forms either, which is what we want. But
consider when F is λx. λy. y, in which case F ( Gx ) does have a normal form
(λy. y).
This problem is not insurmountable, and there are ways to λ-define all par-
tial recursive functions in such a way that undefined values are represented
by terms without a normal form. These ways are, however, somewhat more
complicated and less intuitive than the approach we have taken for general
recursive functions. We record the theorem here without proof:

Theorem 44.17. All partial recursive functions are λ-definable.

Release : d3a1905 (2022-12-19) 659

 CHAPTER 44. LAMBDA DEFINABILITY

44.9 λ-Definable Functions are Recursive

Not only are all partial recursive functions λ-definable, the converse is true,
too. That is, all λ-definable functions are partial recursive.

Theorem 44.18. If a partial function f is λ-definable, it is partial recursive.

Proof. We only sketch the proof. First, we arithmetize λ-terms, i.e., systema-
tially assign Gödel numbers to λ-terms, using the usual power-of-primes cod-
ing of sequences. Then we define a partial recursive function normalize(t)
operating on the Gödel number t of a lambda term as argument, and which
returns the Gödel number of the normal form if it has one, or is undefined oth-
erwise. Then define two partial recursive functions toChurch and fromChurch
that maps natural numbers to and from the Gödel numbers of the correspond-
ing Church numeral.
Using these recursive functions, we can define the function f as a par-
tial recursive function. There is a λ-term F that λ-defines f . To compute
f (n1 , . . . , nk ), first obtain the Gödel numbers of the corresponding Church nu-
merals using toChurch(ni ), append these to # F# to obtain the Gödel number of
the term Fn1 . . . nk . Now use normalize on this Gödel number. If f (n1 , . . . , nk )
is defined, Fn1 . . . nk has a normal form (which must be a Church numeral),
and otherwise it has no normal form (and so

normalize(# Fn1 . . . nk # )

is undefined). Finally, use fromChurch on the Gödel number of the normal-

ized term.

Problems
Problem 44.1. The term

Succ′ ≡ λn. λ f x. n f ( f x )

λ-defines the successor function. Explain why.

Problem 44.2. Multiplication can be λ-defined by the term

Mult′ ≡ λab. a(Add a)0.

Explain why this works.

Problem 44.3. Explain why the access functions Fst and Snd work.

Problem 44.4. Define the functions Or and Xor representing the truth func-
tions of inclusive and exclusive disjunction using the encoding of truth values
as λ-terms.

660 Release : d3a1905 (2022-12-19)

44.9. λ-DEFINABLE FUNCTIONS ARE RECURSIVE

Problem 44.5. Complete the proof of Lemma 44.10 by showing that Hn0 . . . nn−1 −
→
→
h ( n 0 , . . . , n n −1 ).

Release : d3a1905 (2022-12-19) 661

 Part X

Many-valued Logic

662
44.9. λ-DEFINABLE FUNCTIONS ARE RECURSIVE

This part contains draft material on propositional many-valued logics.

Release : d3a1905 (2022-12-19) 663

Chapter 45

Syntax and Semantics

45.1 Introduction
In classical logic, we deal with formulas that are built from propositional vari-
ables using the propositional connectives ¬, ∧, ∨, →, and ↔. When we define
a semantics for classical logic, we do so using the two truth values T and F.
We interpret propositional variables in a valuation v, which assigns these truth
values T, F to the propositional variables. Any valuation then determines a
truth value v( φ) for any formula φ, and A formula is satisfied in a valuation v,
v ⊨ φ, iff v( φ) = T.
Many-valued logics are generalizations of classical two-valued logic by
allowing more truth values than just T and F. So in many-valued logic, a val-
uation v is a function assigning to every propositional variable p one of a
range of possible truth values. We’ll generally call the set of allowed truth
values V. Classical logic is a many-valued logic where V = {T, F}, and the
truth value v( φ) is computed using the familiar characteristic truth tables for
the connectives.
Once we add additional truth values, we have more than one natural op-
tion for how to compute v( φ) for the connectives we read as “and,” “or,”
“not,” and “if—then.” So a many-valued logic is determined not just by the
set of truth values, but also by the truth functions we decide to use for each
connective. Once these are selected for a many-valued logic L, however, the
truth value vL ( φ) is uniquely determined by the valuation, just like in classical
logic. Many-valued logics, like classical logic, are truth functional.
With this semantic building blocks in hand, we can go on to define the
analogs of the semantic concepts of tautology, entailment, and satisfiability.
In classical logic, a formula is a tautology if its truth value v( φ) = T for any v.
In many-valued logic, we have to generalize this a bit as well. First of all,
there is no requirement that the set of truth values V contains T. For instance,
some many-valued logics use numbers, such as all rational numbers between
0 and 1 as their set of truth values. In such a case, 1 usually plays the rule of T.

664
45.2. LANGUAGES AND CONNECTIVES

In other logics, not just one but several truth values do. So, we require that
every many-valued logic have a set V + of designated values. We can then say
that a formula is satisfied in a valuation v, v ⊨L φ, iff vL ( φ) ∈ V + . A formula φ
is a tautology of the logic, ⊨L φ, iff v( φ) ∈ V + for any v. And, finally, we say
that φ is entailed by a set of formulas, Γ ⊨L φ, if every valuation that satisfies
all the formulas in Γ also satisfies φ.

45.2 Languages and Connectives

Classical propositional logic, and many other logics, use a set supply of propo-
sitional constants and connectives. For instance, we use the following as primi-
tives:

1. The propositional constant for falsity ⊥.

2. The logical connectives: ¬ (negation), ∧ (conjunction), ∨ (disjunction),

→ (conditional)

In addition to the primitive connectives above, we also use symbols defined

as abbreviations, such as ↔ (biconditional), ⊤ (truth)
The same connectives are used in many-valued logics as well. However,
it is often useful to include different versions of, say, conjunction, in the same
logic, and that would require different symbols to keep the versions separate.
Some many-valued logics also include connectives that have no equivalent in
classical logic. So, we’ll be a bit more general than usual.

Definition 45.1. A propositional language consists of a set L of connectives. Each

connective ⋆ has an arity; a connective of arity n is said to be n-place. Connec-
tives of arity 0 are also called constants; connectives of arity 1 are called unary,
and connectives of arity 2, binary.

Example 45.2. The standard language of propositional logic L0 consists of the

following connectives (with associated arities): ⊥ (0) ¬ (1), ∧ (2), ∨ (2), → (2).
Most logics we consider will use this language. Some logics by tradition an
convention use different symbols for some connectives. For instance, in prod-
uct logic, the conjunction symbol is often ⊙ instead of ∧. Sometimes it is con-
venient to add a new operator, e.g., the determinateness operator △ (1-place).

45.3 Formulas
Definition 45.3 (Formula). The set Frm(L) of formulas of a propositional lan-
guage L is defined inductively as follows:

1. Every propositional variable pi is an atomic formula.

Release : d3a1905 (2022-12-19) 665

 CHAPTER 45. SYNTAX AND SEMANTICS

2. Every 0-place connective (propositional constant) of L is an atomic for-

mula.

3. If ⋆ is an n-place connective of L, and φ1 , . . . , φn are formulas, then

⋆( φ1 , . . . , φn ) is a formula.

4. Nothing else is a formula.

If ⋆ is 1-place, then ⋆( φ1 ) will often be written simply as ⋆ φ1 . If ⋆ is 2-place

⋆( φ1 , φ2 ) will often be written as ( φ1 ⋆ φ2 ).

As usual, we will often silently leave out the outermost parentheses.

Example 45.4. In the standard language L0 , p1 → (p1 ∧ ¬p2 ) is a formula. In

the language of product logic, it would be written instead as p1 → (p1 ⊙ ¬p2 ).
If we add the 1-place △ to the language, we would also have formulas such
as △(p1 ∧ p2 ) → (△p1 ∧ △p2 ).

45.4 Matrices
A many-valued logic is defined by its language, its set of truth values V, a sub-
set of designated truth values, and truth functions for its connective. Together,
these elements are called a matrix.

Definition 45.5 (Matrix). A matrix for the logic L consists of:

1. a set of connectives making up a language L;

2. a set V ̸= ∅ of truth values;

3. a set V + ⊆ V of designated truth values;

⋆ : V n → V. If n = 0,
4. for each n-place connective ⋆ in L, a truth function e
⋆ is just an element of V.
then e

Example 45.6. The matrix for classical logic C consists of:

1. The standard propositional language L0 with ⊥, ¬, ∧, ∨, →.

2. The set of truth values V = {T, F}.

3. T is the only designated value, i.e., V + = {T}.

4. For ⊥, we have ⊥ e = F. The other truth functions are given by the usual
truth tables (see Figure 45.1).

666 Release : d3a1905 (2022-12-19)

45.5. VALUATIONS AND SATISFACTION

¬
e ∧
e T F ∨
e T F →
f T F
T F T T F T T T T T F
F T F F F F T F F T T

Figure 45.1: Truth functions for classical logic C.

45.5 Valuations and Satisfaction

Definition 45.7 (Valuations). Let V be a set of truth values. A valuation for L
into V is a function v assigning an element of V to the propositional variables
of the language, i.e., v : At0 → V.

Definition 45.8. Given a valuation v into the set of truth values V of a many-
valued logic L, define the evaluation function v : Frm(L) → V inductively
by:

1. v(pn ) = v(pn );

2. If ⋆ is a 0-place connective, then v(⋆) = e

⋆L ;

3. If ⋆ is an n-place connective, then

v(⋆( φ1 , . . . , φn )) = e
⋆L (v( φ1 ), . . . , v( φn )).

Definition 45.9 (Satisfaction). The formula φ is satisfied by a valuation v, v ⊨L

φ, iff vL ( φ) ∈ V + , where V + is the set of designated truth values of L.
We write v ⊭L φ to mean “not v ⊨L φ.” If Γ is a set of formulas, v ⊨L Γ iff
v ⊨L φ for every φ ∈ Γ.

45.6 Semantic Notions

Suppose a many-valued logic L is given by a matrix. Then we can define the
usual semantic notions for L.

Definition 45.10. 1. A formula φ is satisfiable if for some v, v ⊨ φ; it is

unsatisfiable if for no v, v ⊨ φ;

2. A formula φ is a tautology if v ⊨ φ for all valuations v;

3. If Γ is a set of formulas, Γ ⊨ φ (“Γ entails φ”) if and only if v ⊨ φ for

every valuation v for which v ⊨ Γ.

4. If Γ is a set of formulas, Γ is satisfiable if there is a valuation v for which

v ⊨ Γ, and Γ is unsatisfiable otherwise.

Release : d3a1905 (2022-12-19) 667

 CHAPTER 45. SYNTAX AND SEMANTICS

We have some of the same facts for these notions as we do for the case of
classical logic:

Proposition 45.11. 1. φ is a tautology if and only if ∅ ⊨ φ;

2. If Γ is satisfiable then every finite subset of Γ is also satisfiable;

3. Monotonicity: if Γ ⊆ ∆ and Γ ⊨ φ then also ∆ ⊨ φ;

4. Transitivity: if Γ ⊨ φ and ∆ ∪ { φ} ⊨ ψ then Γ ∪ ∆ ⊨ ψ;

Proof. Exercise.

In classical logic we can connect entailment and the conditional. For in-
stance, we have the validity of modus ponens: If Γ ⊨ φ and Γ ⊨ φ → ψ then
Γ ⊨ ψ. Another important relationship between ⊨ and → in classical logic is
the semantic deduction theorem: Γ ⊨ φ → ψ if and only if Γ ∪ { φ} ⊨ ψ. These
results do not always hold in many-valued logics. Whether they do depends
on the truth function →
f.

45.7 Many-valued logics as sublogics of C

The usual many-valued logics are all defined using matrices in which the
value of a truth-function for arguments in {T, F} agrees with the classical
truth functions. Specifically, in these logics, if x ∈ {T, F}, then ¬ e L (x) =
e C ( x ), and for ⋆ any one of ∧, ∨, →, if x, y ∈ {T, F}, then e
¬ ⋆L ( x, y) = e
⋆C ( x, y).
In other words, the truth functions for ¬, ∧, ∨, → restricted to {T, F} are
exactly the classical truth functions.

Proposition 45.12. Suppose that a many-valued logic L contains the connectives ¬,

∧, ∨, → in its language, T, F ∈ V, and its truth functions satisfy:

1. ¬ e C ( x ) if x = T or x = F;
e L (x) = ¬

2. ∧
e L ( x, y) = ∧
e C ( x, y),

3. ∨
e L ( x, y) = ∨
e C ( x, y),

4. → f C ( x, y), if x, y ∈ {T, F}.

f L ( x, y) = →

Then, for any valuation v into V such that v( p) ∈ {T, F}, vL ( φ) = vC ( φ).

Proof. By induction on φ.

1. If φ ≡ p is atomic, we have vL ( φ) = v( p) = vC ( φ).

668 Release : d3a1905 (2022-12-19)

45.7. MANY-VALUED LOGICS AS SUBLOGICS OF C

2. If φ ≡ ¬ B, we have

vL ( φ ) = ¬
e L (vL (ψ)) by Definition 45.8
=¬
e L (vC (ψ)) by inductive hypothesis
=¬
e C (vC (ψ)) by assumption (1),
since vC (ψ) ∈ {T, F},
= vC ( φ ) by Definition 45.8.

3. If φ ≡ (ψ ∧ χ), we have

vL ( φ ) = ∧
e L (vL (ψ), vL (χ)) by Definition 45.8
=∧e L (vC (ψ), vC (χ)) by inductive hypothesis
=∧
e C (vC (ψ), vC (χ)) by assumption (2),
since vC (ψ), vC (χ) ∈ {T, F},
= vC ( φ ) by Definition 45.8.

The cases where φ ≡ (ψ ∨ χ) and φ ≡ (ψ → χ) are similar.

Corollary 45.13. If a many-valued logic satisfies the conditions of Proposition 45.12,

T ∈ V + and F ∈ / V + , then ⊨L ⊆ ⊨C , i.e., if Γ ⊨L ψ then Γ ⊨C ψ. In particular,
every tautology of L is also a classical tautology.

Proof. We prove the contrapositive. Suppose Γ ⊭C ψ. Then there is some

valuation v : At0 → {T, F} such that vC ( φ) = T for all φ ∈ Γ and vC (ψ) = F.
Since T, F ∈ V, the valuation v is also a valuation for L. By Proposition 45.12,
vL ( φ) = T for all φ ∈ Γ and vL (ψ) = F. Since T ∈ V + and F ∈ / V + that
means v ⊨L Γ and v ⊭L ψ, i.e., Γ ⊭L ψ.

Problems
Problem 45.1. Prove Proposition 45.11

Release : d3a1905 (2022-12-19) 669

Chapter 46

Three-valued Logics

46.1 Introduction
If we just add one more value U to T and F, we get a three-valued logic. Even
though there is only one more truth value, the possibilities for defining the
truth-functions for ¬, ∧, ∨, and → are quite numerous. Then a logic might
use any combination of these truth functions, and you also have a choice of
making only T designated, or both T and U.
We present here a selection of the most well-known three-valued logics,
their motivations, and some of their properties.

46.2 Łukasiewicz logic

One of the first published, worked out proposals for a many-valued logic is
due to the Polish philosopher Jan Łukasiewicz in 1921. Łukasiewicz was mo-
tivated by Aristotle’s sea battle problem: It seems that, today, the sentence
“There will be a sea battle tomorrow” is neither true nor false: its truth value
is not yet settled. Łukasiewicz proposed to introduce a third truth value, to
such “future contingent” sentences.

I can assume without contradiction that my presence in Warsaw

at a certain moment of next year, e.g., at noon on 21 December, is
at the present time determined neither positively nor negatively.
Hence it is possible, but not necessary, that I shall be present in
Warsaw at the given time. On this assumption the proposition “I
shall be in Warsaw at noon on 21 December of next year,” can at the
present time be neither true nor false. For if it were true now, my
future presence in Warsaw would have to be necessary, which is
contradictory to the assumption. If it were false now, on the other
hand, my future presence in Warsaw would have to be impossi-
ble, which is also contradictory to the assumption. Therefore the

670
46.2. ŁUKASIEWICZ LOGIC

proposition considered is at the moment neither true nor false and

must possess a third value, different from “0” or falsity and “1”
or truth. This value we can designate by “ 12 .” It represents “the
possible,” and joins “the true” and “the false” as a third value.
We will use U for Łukasiewicz’s third truth value.1
The truth functions for the connectives ¬, ∧, and ∨ are easy to determine
on this interpretation: the negation of a future contingent sentence is also a
future contingent sentence, so ¬e (U) = U. If one conjunct of a conjunction is
undetermined and the other is true, the conjunction is also undetermined—
after all, depending on how the future contingent conjunct turns out, the con-
junction might turn out to be true, and it might turn out to be false. So
e (T, U) = ∧
∧ e (U, T) = U.

If the other conjunct is false, however, it cannot turn out true, so

e (F, U) = ∧
∧ e (F, U) = F.

The other values (if the arguments are settled truth values, T or F, are like in
classical logic.
For the conditional, the situation is a little trickier. Suppose q is a future
contingent statement. If p is false, then p → q will be true, regardless of how
q turns out, so we should set →f (F, U) = T. And if p is true, then q → p will
be true, regardless of what q turns out to be, so → f (U, T) = T. If p is true,
then p → q might turn out to be true or false, so → f (T, U) = U. Similarly, if p
is false, then q → p might turn out to be true or false, so → f (U, F) = U. This
leaves the case where p and q are both future contingents. On the basis of the
motivation, we should really assign U in this case. However, this would make
φ → φ not a tautology. Łukasiewicz had not trouble giving up φ ∨ ¬ φ and
¬( φ ∧ ¬ φ), but balked at giving up φ → φ. So he stipulated → f (U, U) = T.
Definition 46.1. Three-valued Łukasiewicz logic is defined using the matrix:
1. The standard propositional language L0 with ¬, ∧, ∨, →.
2. The set of truth values V = {T, U, F}.
3. T is the only designated value, i.e., V + = {T}.
4. Truth functions are given by the following tables:

¬
e ∧
e Ł3 T U F
T F T T U F
U U U U U F
F T F F F F
1 Łukasiewicz here uses “possible” in a way that is uncommon today, namely to mean possible

but not necessary.

Release : d3a1905 (2022-12-19) 671

 CHAPTER 46. THREE-VALUED LOGICS

∨
e Ł3 T U F →
f Ł3 T U F
T T T T T T U F
U T U U U T T U
F T U F F T T T

As can easily be seen, any formula φ containing only ¬, ∧, and ∨ will

take the truth value U if all its propositional variables are assigned U. So for
instance, the classical tautologies p ∨ ¬ p and ¬( p ∧ ¬ p) are not tautologies in
Ł3 , since v( φ) = U whenever v( p) = U.
On valuations where v( p) = T or F, v( φ) will coincide with its classical
truth value.

Proposition 46.2. If v( p) ∈ {T, F} for all p in φ, then vŁ3 ( φ) = vC ( φ).

Many classical tautologies are also tautologies in Ł3 , e.g, ¬ p → ( p → q).

Just like in classical logic, we can use truth tables to verify this:

p q ¬ p → (p → q)
T T F T T T T T
T U F T T T U U
T F F T T T F F
U T U U T U T T
U U U U T U T U
U F U U T U U F
F T T F T F T T
F U T F T F T U
F F T F T F T F

One might therefore perhaps think that although not all classical tautolo-
gies are tautologies in Ł3 , they should at least take either the value T or the
value U on every valuation. This is not the case. A counterexample is given
by
¬( p → ¬ p) ∨ ¬(¬ p → p)
which is F if p is U.
Łukasiewicz hoped to build a logic of possibility on the basis of his three-
valued system, by introducing a one-place connective ♢φ (for “φ is possible”)
and a corresponding □φ (for “φ is necessary”):

♢
e □
e
T T T T
U T U F
F F F F

In other words, p is possible iff it is not already settled as false; and p is nec-
essary iff it is already settled as true.

672 Release : d3a1905 (2022-12-19)

46.3. KLEENE LOGICS

However, the shortcomings of this proposed modal logic soon became ev-
ident: However things turn out, p ∧ ¬ p can never turn out to be true. So even
if it is not now settled (and therefore undetermined), it should count as im-
possible, i.e., ¬♢( p ∧ ¬ p) should be a tautology. However, if v( p) = U, then
v(¬♢( p ∧ ¬ p)) = U. Although Łukasiewicz was correct that two truth values
will not be enough to accommodate modal distinctions such as possiblity and
necessity, introducing a third truth value is also not enough.

46.3 Kleene logics

Stephen Kleene introduced two three-valued logics motivated by a logic in
which truth values are thought of the outcomes of computational procedures:
a procedure may yield T or F, but it may also fail to terminate. In that case
the corresponding truth value is undefined, represented by the truth value U.
To compute the negation of a proposition φ, you would first compute the
value of φ, and then return the opposite of the result. If the computation of φ
does not terminate, then the entire procedure does not either: so the negation
of U is U.
To compute a conjunction φ ∧ ψ, there are two options: one can first com-
pute φ, then ψ, and then the result would be T if the outcome of both is T,
and F otherwise. If either computation fails to halt, the entire procedure does
as well. So in this case, the if one conjunct is undefined, the conjunction is as
well. The same goes for disjunction.
However, if we can evaluate φ and ψ in parallel, we can do better. Then, if
one of the two procedures halts and returns F, we can stop, as the answer must
be false. So in that case a conjunction with one false conjunct is false, even
if the other conjunct is undefined. Similarly, when computing a disjunction
in parallel, we can stop once the procedure for one of the two disjuncts has
returned true: then the disjunction must be true. So in this case we can know
what the outcome of a compound claim is, even if one of the components is
undefined. On this interpretation, we might read U as “unknown” rather
than “undefined.”
The two interpretations give rise to Kleene’s strong and weak logic. The
conditional is defined as equivalent to ¬ φ ∨ ψ.

Definition 46.3. Strong Kleene logic Ks is defined using the matrix:

1. The standard propositional language L0 with ¬, ∧, ∨, →.

2. The set of truth values V = {T, U, F}.

3. T is the only designated value, i.e., V + = {T}.

4. Truth functions are given by the following tables:

Release : d3a1905 (2022-12-19) 673

 CHAPTER 46. THREE-VALUED LOGICS

¬
e ∧
e Ks T U F
T F T T U F
U U U U U F
F T F F F F

∨
e Ks T U F →
f Ks T U F
T T T T T T U F
U T U U U T U U
F T U F F T T T

Definition 46.4. Weak Kleene logic Kw is defined using the matrix:

1. The standard propositional language L0 with ¬, ∧, ∨, →.

2. The set of truth values V = {T, U, F}.

3. T is the only designated value, i.e., V + = {T}.

4. Truth functions are given by the following tables:

¬
e ∧
e Kw T U F
T F T T U F
U U U U U U
F T F F U F

∨
e Kw T U F →
f Kw T U F
T T U T T T U F
U U U U U U U U
F T U F F T U T

Proposition 46.5. Ks and Kw have no tautologies.

Proof. If v( p) = U for all propositional variables p, then any formula φ will

have truth value v( φ) = U, since

e (U) = ∨
¬ e (U, U) = ∧
e (U, U) = →
f (U, U) = U

in both logics. As U ∈
/ V + for either Ks or Kw, on this valuation, φ will not
be designated.

Although both weak and strong Kleene logic have no tautologies, they
have non-trivial consequence relations.
Dmitry Bochvar interpreted U as “meaningless” and attempted to use it
to solve paradoxes such as the Liar paradox by stipulating that paradoxical
sentences take the value U. He introduced a logic which is essentially weak
Kleene logic extended by additional connectives, two of which are “external
negation” and the “is undefined” operator:

674 Release : d3a1905 (2022-12-19)

46.4. GÖDEL LOGICS

∼
e +
e
T F T F
U T U T
F T F F

46.4 Gödel logics

Kurt Gödel introduced a sequence of n-valued logics that each contain all for-
mulas valid in intuitionistic logic, and are contained in classical logic. Here is
the first interesting one:
Definition 46.6. 3-valued Gödel logic G is defined using the matrix:
1. The standard propositional language L0 with ⊥, ¬, ∧, ∨, →.
2. The set of truth values V = {T, U, F}.
3. T is the only designated value, i.e., V + = {T}.
4. For ⊥, we have ⊥ e = F. Truth functions for the remaining connectives
are given by the following tables:

¬
eG ∧
eG T U F
T F T T U F
U F U U U F
F T F F F F

∨
eG T U F →
fG T U F
T T T T T T U F
U T U U U T T F
F T U F F T T T

You’ll notice that the truth tables for ∧ and ∨ are the same as in Łukasiewicz
and strong Kleene logic, but the truth tables for ¬ and → differ for each.
In Gödel logic, ¬ e (U) = F. In contrast to Łukasiewicz logic and Kleene
f (U, F) = F; in contrast to Kleene logic (but as in Łukasiewicz logic),
logic, →
f (U, U) = T.
→
As the connection to intuitionistic logic alluded to above suggests, G3 is
close to intuitionistic logic. All intuitionistic truths are tautologies in G3 , and
many classical tautologies that are not valid intuitionistically also fail to be
tautologies in G3 . For instance, the following are not tautologies:
p ∨ ¬p ( p → q) → (¬ p ∨ q)
¬¬ p → p ¬( p ∧ q) → (¬ p ∨ ¬q)
(( p → q) → p) → p
However, not every tautology of G3 is also intuitionistically valid, e.g., ( p →
q ) ∨ ( q → p ).

Release : d3a1905 (2022-12-19) 675

 CHAPTER 46. THREE-VALUED LOGICS

46.5 Designating not just T

So far the logics we’ve seen all had the set of designated truth values V + =
{T}, i.e., something counts as true iff its truth value is T. But one might
also count something as true if it’s just not F. Then one would get a logic by
stipulating in the matrix, e.g., that V + = {T, U}.

Definition 46.7. The logic of paradox LP is defined using the matrix:

1. The standard propositional language L0 with ¬, ∧, ∨, →.

2. The set of truth values V = {T, U, F}.

3. T and U are designated, i.e., V + = {T, U}.

4. Truth functions are the same as in strong Kleene logic.

Definition 46.8. Halldén’s logic of nonsense Hal is defined using the matrix:

1. The standard propositional language L0 with ¬, ∧, ∨, → and a 1-place

connective +.

2. The set of truth values V = {T, U, F}.

3. T and U are designated, i.e., V + = {T, U}.

4. Truth functions are the same as weak Kleene logic, plus the “is mean-
ingless” operator:

+
e
T F
U T
F F

By contrast to the Kleene logics with which they share truth tables, these
do have tautologies.

Proposition 46.9. The tautologies of LP are the same as the tautologies of classical
propositional logic.

Proof. By Proposition 45.12, if ⊨LP φ then ⊨C φ. To show the reverse, we show

that if there is a valuation v : At0 → {F, T, U} such that vKs ( φ) = F then
there is a valuation v′ : At0 → {F, T} such that v′ C ( φ) = F. This establishes
the result for LP, since Ks and LP have the same characteristic truth functions,
and F is the only truth value of LP that is not designated (that is the only
difference between LP and Ks). Thus, if ⊭LP φ, for some valuation v, vLP ( φ) =
vKs ( φ) = F. By the claim we’re proving, v′ C ( φ) = F, i.e., ⊭C φ.

676 Release : d3a1905 (2022-12-19)

46.5. DESIGNATING NOT JUST T

To establish the claim, we first define v′ as

(
′ T if v( p) ∈ {T, U}
v ( p) =
F otherwise

We now show by induction on φ that (a) if vKs ( φ) = F then v′ C ( φ) = F, and

(b) if vKs ( φ) = T then v′ C ( φ) = T

1. Induction basis: φ ≡ p. By Definition 45.8, vKs ( φ) = v( p) = v′ C ( φ),

which implies both (a) and (b).
For the induction step, consider the cases:

2. φ ≡ ¬ψ.

a) Suppose vKs (¬ψ) = F. By the definition of ¬ e Ks , vKs (ψ) = T. By

inductive hypothesis, case (b), we get v′ C (ψ) = T, so v′ C (¬ψ) = F.
b) Suppose vKs (¬ψ) = T. By the definition of ¬ e Ks , vKs (ψ) = F. By
inductive hypothesis, case (a), we get v′ C (ψ) = F, so v′ C (¬ψ) = T.

3. φ ≡ (ψ ∧ χ).

a) Suppose vKs (ψ ∧ χ) = F. By the definition of ∧e Ks , vKs (ψ) = F or

vKs (ψ) = F. By inductive hypothesis, case (a), we get v′ C (ψ) = F
or v′ C (χ) = F, so v′ C (ψ ∧ χ) = F.
b) Suppose vKs (ψ ∧ χ) = T. By the definition of ∧
e Ks , vKs (ψ) = T and
vKs (ψ) = T. By inductive hypothesis, case (b), we get v′ C (ψ) = T
and v′ C (χ) = T, so v′ C (ψ ∧ χ) = T.

The other two cases are similar, and left as exercises. Alternatively, the
proof above establishes the result for all formulas only containing ¬ and ∧.
One may now appeal to the facts that in both Ks and C, for any v, v(ψ ∨ χ) =
v(¬(¬ψ ∧ ¬χ)) and v(ψ → χ) = v(¬(ψ ∧ ¬χ)).

Although they have the same tautologies as classical logic, their conse-
quence relations are different. LP, for instance, is paraconsistent in that ¬ p, p ⊭
q, and so the principle of explosion ¬ φ, φ ⊨ ψ does not hold in general. (It
holds for some cases of φ and ψ, e.g., if ψ is a tautology.)
What if you make U designated in Ł3 ?

Definition 46.10. The logic 3-valued R-Mingle RM3 is defined using the ma-
trix:

1. The standard propositional language L0 with ⊥, ¬, ∧, ∨, →.

2. The set of truth values V = {T, U, F}.

3. T and U are designated, i.e., V + = {T, U}.

Release : d3a1905 (2022-12-19) 677

 CHAPTER 46. THREE-VALUED LOGICS

4. Truth functions are the same as Łukasiewicz logic Ł3 .

Different truth tables can sometimes generate the same logic (entailment
relation) just by changing the designated values. E.g., this happens if in Gödel
logic we take V + = {T, U} instead of {T}.

Proposition 46.11. The matrix with V = {F, U, T}, V + = {T, U}, and the truth
functions of 3-valued Gödel logic defines classical logic.

Proof. Exercise.

Problems
Problem 46.1. Suppose we define v( φ ↔ ψ) = v(( φ → ψ) ∧ (ψ → φ)) in Ł3 .
What truth table would ↔ have?

Problem 46.2. Show that the following are tautologies in Ł3 :

1. p → (q → p)

2. ¬( p ∧ q) ↔ (¬ p ∨ ¬q)

3. ¬( p ∨ q) ↔ (¬ p ∧ ¬q)

(In (2) and (3), take φ ↔ ψ as an abbreviation for ( φ → ψ) ∧ (ψ → φ), or refer

to your solution to problem 46.1.)

Problem 46.3. Show that the following classical tautologies are not tautolo-
gies in Ł3 :

1. (¬ p ∧ p) → q)

2. (( p → q) → p) → p

3. ( p → ( p → q)) → ( p → q)

Problem 46.4. Which of the following relations hold in Łukasiewicz logic?

Give a truth table for each.

1. p, p → q ⊨ q

2. ¬¬ p ⊨ p

3. p ∧ q ⊨ p

4. p ⊨ p ∧ p

5. p ⊨ p ∨ q

678 Release : d3a1905 (2022-12-19)

46.5. DESIGNATING NOT JUST T

Problem 46.5. Show that □p ↔ ¬♢¬ p and ♢p ↔ ¬□¬ p are tautologies in Ł3 ,

extended with the truth tables for □ and ♢.

Problem 46.6. Which of the following relations hold in (a) strong and (b) weak
Kleene logic? Give a truth table for each.

1. p, p → q ⊨ q

2. p ∨ q, ¬ p ⊨ q

3. p ∧ q ⊨ p

4. p ⊨ p ∧ p

5. p ⊨ p ∨ q

Problem 46.7. Can you define ∼ in Bochvar’s logic in terms of ¬ and +, i.e.,
find a formula with only the propositional variable p and not involving ∼
which always takes the same truth value as ∼ p? Give a truth table to show
you’re right.

Problem 46.8. Give a truth table to show that ( p → q) ∨ (q → p) is a tautology

of G3 .

Problem 46.9. Give truth tables that show that the following are not tautolo-
gies of G3

( p → q) → (¬ p ∨ q)
¬( p ∧ q) → (¬ p ∨ ¬q)
(( p → q) → p) → p

Problem 46.10. Which of the following relations hold in Gödel logic? Give a
truth table for each.

1. p, p → q ⊨ q

2. p ∨ q, ¬ p ⊨ q

3. p ∧ q ⊨ p

4. p ⊨ p ∧ p

5. p ⊨ p ∨ q

Problem 46.11. Complete the proof Proposition 46.9, i.e., establish (a) and (b)
for the cases where φ ≡ (ψ ∨ χ) and φ ≡ (ψ → χ).

Problem 46.12. Prove that every classical tautology is a tautology in Hal.

Release : d3a1905 (2022-12-19) 679

 CHAPTER 46. THREE-VALUED LOGICS

Problem 46.13. Which of the following relations hold in (a) LP and in (b) Hal?
Give a truth table for each.

1. p, p → q ⊨ q

2. ¬q, p → q ⊨ ¬ p

3. p ∨ q, ¬ p ⊨ q

4. ¬ p, p ⊨ q

5. p ⊨ p ∨ q

6. p → q, q → r ⊨ p → r

Problem 46.14. Which of the following relations hold in RM3 ?

1. p, p → q ⊨ q

2. p ∨ q, ¬ p ⊨ q

3. ¬ p, p ⊨ q

4. p ⊨ p ∨ q

Problem 46.15. Prove Proposition 46.11 by showing that for the logic L de-
fined just like Gödel logic but with V + = {T, U}, if Γ ⊭L ψ then Γ ⊭C ψ. Use
the ideas of Proposition 46.9, except instead of proving properties (a) and (b),
show that vG ( φ) = F iff v′ C ( φ) = F (and hence that vG ( φ) ∈ {T, U} iff
v′ C ( φ) = T). Explain why this establishes the proposition.

680 Release : d3a1905 (2022-12-19)

Chapter 47

Infinite-valued Logics

47.1 Introduction
The number of truth values of a matrix need not be finite. An obvious choice
for a set of infinitely many truth values is the set of rational numbers between
0 and 1, V∞ = [0, 1] ∩ Q, i.e.,

n
V∞ = { : n, m ∈ N and n ≤ m}.
m

When considering this infinite truth value set, it is often useful to also consider
the subsets

n
Vm = { : n ∈ N and n ≤ m}
m−1

For instance, V5 is the set with 5 evenly spaced truth values,

1 1 3
V5 = {0, , , , 1}.
4 2 4

In logics based on these truth value sets, usually only 1 is designated, i.e.,
V + = {1}. In other words, we let 1 play the role of (absolute) truth, 0 as
absolute falsity, but formulas may take any intermediate value in V.
One can also consider the set V[0,1] = [0, 1] of all real numbers between 0
and 1, or other infinite subsets of [0, 1], however. Logics with this truth value
set are often called fuzzy.

47.2 Łukasiewicz logic

681
 CHAPTER 47. INFINITE-VALUED LOGICS

This is a short “stub” of a section on infinite-valued Łukasiewicz logic.

Definition 47.1. Infinite-valued Łukasiewicz logic Ł∞ is defined using the ma-

trix:
1. The standard propositional language L0 with ¬, ∧, ∨, →.
2. The set of truth values V∞ .
3. 1 is the only designated value, i.e., V + = {1}.
4. Truth functions are given by the following functions:
¬
e Ł (x) = 1 − x
∧
e Ł ( x, y) = min( x, y)
∨
e Ł ( x, y) = max( x, y)
(
1 if x ≤ y
→
f Ł ( x, y) = min(1, 1 − ( x − y)) =
1 − ( x − y) otherwise.

m-valued Łukasiewicz logic is defined the same, except V = Vm .

Proposition 47.2. The logic Ł3 defined by Definition 46.1 is the same as Ł3 defined
by Definition 47.1.

Proof. This can be seen by comparing the truth tables for the connectives given
in Definition 46.1 with the truth tables determined by the equations in Defini-
tion 47.1:
¬
e ∧
e Ł3 1 1/2 0
1 0 1 1 1/2 0
1/2 1/2 1/2 1/2 1/2 0
0 1 0 0 0 0

∨
e Ł3 1 1/2 0 →
f Ł3 1 1/2 0
1 1 1 1 1 1 1/2 0
1/2 1 1/2 1/2 1/2 1 1 1/2
0 1 1/2 0 0 1 1 1

Proposition 47.3. If Γ ⊨Ł∞ ψ then Γ ⊨Łm ψ for all m ≥ 2.

Proof. Exercise.

In fact, the converse holds as well.

Infinite-valued Łukasiewicz logic is the most popular fuzzy logic. In the
fuzzy logic literature, the conditional is often defined as ¬ φ ∨ ψ. The result
would be an infinite-valued strong Kleene logic.

682 Release : d3a1905 (2022-12-19)

47.3. GÖDEL LOGICS

47.3 Gödel logics

This is a short “stub” of a section on infinite-valued Gödel logic.

Definition 47.4. Infinite-valued Gödel logic G∞ is defined using the matrix:

1. The standard propositional language L0 with ⊥, ¬, ∧, ∨, →.

2. The set of truth values V∞ .

3. 1 is the only designated value, i.e., V + = {1}.

4. Truth functions are given by the following functions:

⊥
e =0
(
1 if x = 0
¬
e G (x) =
0 otherwise
∧
e G ( x, y) = min( x, y)
∨
e G ( x, y) = max( x, y)
(
1 if x ≤ y
→
f G ( x, y) =
y otherwise.

m-valued Gödel logic is defined the same, except V = Vm .

Proposition 47.5. The logic G3 defined by Definition 46.6 is the same as G3 defined
by Definition 47.4.

Proof. This can be seen by comparing the truth tables for the connectives given
in Definition 46.6 with the truth tables determined by the equations in Defini-
tion 47.4:
¬
e G3 ∧
eG 1 1/2 0
1 0 1 1 1/2 0
1/2 0 1/2 1/2 1/2 0
0 1 0 0 0 0

∨
eG 1 1/2 0 →
fG 1 1/2 0
1 1 1 1 1 1 1/2 0
1/2 1 1/2 1/2 1/2 1 1 0
0 1 1/2 0 0 1 1 1

Proposition 47.6. If Γ ⊨G∞ ψ then Γ ⊨Gm ψ for all m ≥ 2.

Release : d3a1905 (2022-12-19) 683

 CHAPTER 47. INFINITE-VALUED LOGICS

Proof. Exercise.

In fact, the converse holds as well.

Like G3 , G∞ has all intuitionistically valid formulas as tautologies, and the
same examples of non-tautologies are non-tautologies of G∞ :

p ∨ ¬p ( p → q) → (¬ p ∨ q)
¬¬ p → p ¬( p ∧ q) → (¬ p ∨ ¬q)
(( p → q) → p) → p

The example of an intuitionistically invalid formula that is nevertheless a tau-

tology of G3 , ( p → q) ∨ (q → p), is also a tautology in G∞ . In fact, G∞ can be
characterized as intuitionistic logic to which the schema ( φ → ψ) ∨ (ψ → φ) is
added. This was shown by Michael Dummett, and so G∞ is often referred to
as Gödel-Dummett logic LC.

Problems
Problem 47.1. Prove Proposition 47.3.

Problem 47.2. Show that ( p → q) ∨ (q → p) is a tautology of Ł∞ .

Problem 47.3. Prove Proposition 47.6.

Problem 47.4. Show that ( p → q) ∨ (q → p) is a tautology of G∞ .

684 Release : d3a1905 (2022-12-19)

Chapter 48

Sequent Calculus

48.1 Introduction
The sequent calculus for classical logic is an efficient and simple derivation
system. If a many-valued logic is defined by a matrix with finitely many truth
values, i.e., V is finite, it is possible to provide a sequent calculus for it. The
idea for how to do this comes from considering the meanings of sequents and
the form of inference rules in the classical case.
Now recall that a sequent

φ1 , . . . , φn ⇒ ψ1 , . . . , ψn

can be interpreted as the formula

( φ1 ∧ · · · ∧ φm ) → (ψ1 ∨ · · · ∨ ψn )

In other words, A valuation v satisfies a sequent Γ ⇒ ∆ iff either v( φ) = F

for some φ ∈ Γ or v( φ) = T for some φ ∈ ∆. On this interpretation, initial
sequents φ ⇒ φ are always satisfied, because either v( φ) = T or ( φ) = F.
Here are the inference rules for the conditional in LK, with side formulas
Γ, ∆ left out:

⇒ φ ψ ⇒ φ ⇒ ψ
φ→ψ ⇒
→L ⇒ φ → ψ →R

If we apply the above semantic interpretation of a sequent, we can read

the →L rule as saying that if v( φ) = T and v(ψ) = F, then v( φ → ψ) = F.
Similarly, the →R rule says that if either v( φ) = F or v(ψ) = T, then v( φ →
ψ) = T. And in fact, these conditionals are actually biconditionals. In the
case of the ∧L and ∨R rules in their standard formulation, the corresponding

685
 CHAPTER 48. SEQUENT CALCULUS

conditionals would not be biconditionals. But there are alternative versions of

these rules where they are:

φ, ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ, ψ
∧L ∨R
φ ∧ ψ, Γ ⇒ ∆ Γ ⇒ ∆, φ ∨ ψ

This basic idea, applied to an n-valued logic, then results in a sequent cal-
culus with n instead of two places, one for each truth value. For a three-valued
logic with V = {F, U, T}, a sequent is an expression Γ | Π | ∆. It is satisfied
in a valuation v iff either v( φ) = F for some φ ∈ Γ or v( φ) = T for some
φ ∈ ∆ or v( φ) = U for some φ ∈ Π. Consequently, initial sequents φ | φ | φ
are always satisfied.

48.2 Rules and Derivations

For the following, let Γ, ∆, Π, Λ represent finite sequences of sentences.
Definition 48.1 (Sequent). An n-sided sequent is an expression of the form
Γ1 | . . . | Γn
where each Γ1 is a finite (possibly empty) sequences of sentences of the lan-
guage L.

Definition 48.2 (Initial Sequent). An n-sided initial sequent is an n-sided se-

quent of the form φ | . . . | φ for any sentence φ in the language.
If the language contains a 0-place connective ⋆, i.e., a propositional con-
stant, then we also take the sequent . . . | ⋆ | . . . where ⋆ appears in the space
for the truth value associated with e ⋆ ∈ V, and is empty otherwise.

For each connective of an n-valued logic L, there is a logical rule for each
truth value that this connective can take in L. Derivations in an n-sided se-
quent calculus for L are trees of sequents, where the topmost sequents are
initial sequents, and if a sequent stands below one or more other sequents, it
must follow correctly by a rule of inference for the connectives of L.
Definition 48.3 (Theorems). A sentence φ is a theorem of an n-valued logic L
if there is a derivation of the n-sequent containing φ in each position corre-
sponding to a designated truth value of L. We write ⊢L φ if φ is a theorem
and ⊬L φ if it is not.

Definition 48.4 (Derivability). A sentence φ is derivable from a set of sentences Γ

in an n-valued logic L, Γ ⊢L φ, iff there is a finite subset Γ0 ⊆ Γ and a sequence
Γ0′ of the sentences in Γ0 such that the following sequent has a derivation:
Λ1 | . . . | Λ n

686 Release : d3a1905 (2022-12-19)

48.3. STRUCTURAL RULES

where Λi is φ if position i corresponds to a designated truth value, and Γ0′ otherwise.

If φ is not derivable from Γ we write Γ ⊬ φ.

For instance, 3-valued Łukasiewicz logic has a 3-sided sequent calculus. In

a 3-sided sequent Γ | Π | ∆, Γ corresponds to F, ∆ to T, and Π to U. Axioms
are φ | φ | φ. Since only T is designated, Γ ⊢Ł3 φ iff the sequent Γ | Γ | φ
has a derivation. (If U were also designated, we would need a derivation of
Γ | φ | φ.)

48.3 Structural Rules

The structural rules for n-sided sequent calculus operate as in the classical
case, except for each position i.

Γ1 | . . . | Γi | . . . | Γn
Wi
Γ1 | . . . | φ, Γi | . . . | Γn

Γ1 | . . . | φ, φ, Γi | . . . | Γn
Ci
Γ1 | . . . | φ, Γi | . . . | Γn

Γ1 | . . . | Γi , φ, ψ, Γi′ | . . . | Γn
Xi
Γ1 | . . . | Γi , ψ, φ, Γi′ | . . . | Γn

A series of weakening, contraction, and exchange inferences will often be

indicated by double inference lines.
The Cut rule comes in several forms, one for every combination of distinct
positions in the sequent i ̸= j:

Γ1 | . . . | φ, Γi | . . . | Γn ∆ 1 | . . . | φ, ∆ j | . . . | ∆ n
Cuti, j
Γ1 , ∆ 1 | . . . | Γn , ∆ n

48.4 Propositional Rules for Selected Logics

The inference rules for a connective in an n-sided sequent calculus only de-
pend on the characteristic truth function for the connective. Thus, if some
connective is defined by the same truth function in different logics, these n-
sided sequent rules for the connective are the same in those logics.

Release : d3a1905 (2022-12-19) 687

 CHAPTER 48. SEQUENT CALCULUS

Rules for ¬
The following rules for ¬ apply to Łukasiewicz and Kleene logics, and their
variants.

Γ | Π | ∆, φ
¬F
¬ φ, Γ | Π | ∆

Γ | φ, Π | ∆
¬U
Γ | ¬ φ, Π | ∆

φ, Γ | Π | ∆
¬T
Γ | Π | ∆, ¬ φ

The following rules for ¬ apply to Gödel logic.

Γ | φ, Π | ∆, φ φ, Γ | Π | ∆
¬G F ¬G T
¬ φ, Γ | Π | ∆ Γ | Π | ∆, ¬ φ

(In Gödel logic, ¬ φ can never take the value U, so there is no rule for the
middle position.)

Rules for ∧
These are the rules for ∧ in Łukasiewicz, strong Kleene, and Gödel logic.

φ, ψ, Γ | Π | ∆
∧F
φ ∧ ψ, Γ | Π | ∆

Γ | φ, Π | φ, ∆ Γ | ψ, Π | ψ, ∆ Γ | φ, ψ, Π | ∆
∧U
Γ | φ ∧ ψ, Π | ∆

Γ | Π | ∆, φ Γ | Π | ∆, ψ
∧T
Γ | Π | ∆, φ ∧ ψ

Rules for ∨
These are the rules for ∨ in Łukasiewicz, strong Kleene, and Gödel logic.

688 Release : d3a1905 (2022-12-19)

48.4. PROPOSITIONAL RULES FOR SELECTED LOGICS

φ, Γ | Π | ∆ ψ, Γ | Π | ∆
∨F
φ ∨ ψ, Γ | Π | ∆

φ, Γ | φ, Π | ∆ ψ, Γ | ψ, Π | ∆ Γ | φ, ψ, Π | ∆
∨U
Γ | φ ∨ ψ, Π | ∆

Γ | Π | ∆, φ, ψ
∨T
Γ | Π | ∆, φ ∨ ψ

Rules for →
These are the rules for → in Łukasiewicz logic.

Γ | Π | ∆, φ ψ, Γ | Π | ∆
→ Ł3 F
φ → ψ, Γ | Π | ∆

Γ | φ, ψ, Π | ∆ ψ, Γ | Π | ∆, φ
→Ł3 U
Γ | φ → ψ, Π | ∆

φ, Γ | ψ, Π | ∆, ψ φ, Γ | φ, Π | ∆, ψ
→Ł3 T
Γ | Π | ∆, φ → ψ

These are the rules for → in strong Kleene logic.

Γ | Π | ∆, φ ψ, Γ | Π | ∆
→Ks F
φ → ψ, Γ | Π | ∆

ψ, Γ | ψ, Π | ∆ Γ | φ, ψ, Π | ∆ Γ | φ, Π | ∆, φ
→Ks U
Γ | φ → ψ, Π | ∆

φ, Γ | Π | ∆, ψ
→Ks T
Γ | Π | ∆, φ → ψ

These are the rules for → in Gödel logic.

Release : d3a1905 (2022-12-19) 689

 CHAPTER 48. SEQUENT CALCULUS

Γ | φ, Π | ∆, φ ψ, Γ | Π | ∆
→ G3 F
φ → ψ, Γ | Π | ∆

Γ | ψ, Π | ∆ Γ | Π | ∆, φ
→ G3 U
Γ | φ → ψ, Π | ∆

φ, Γ | ψ, Π | ∆, ψ φ, Γ | φ, Π | ∆, ψ
→ G3 T
Γ | Π | ∆, φ → ψ

690 Release : d3a1905 (2022-12-19)

Release : d3a1905 (2022-12-19)
B|B|B
WU
B | A, B | B
XU
A|A|A A|A|A B | B, A | B A|A|A
WT WT WU WT
A | A | B, A A | A | A, A B | A, B, A | B A | A | B, A
WU WT WF WF
A | B, A | B, A A | A | B, A, A A, B | A, B, A | B B, A | A | B, A
WU WF XF WF
A | A, B, A | B, A B, A | A | B, A, A B, A | A, B, A | B B, B, A | A | B, A
→U →U
A | A → B, A | B, A B, A | A → B, A | B
→F
A → B, A | A → B, A | B

Figure 48.1: Example derivation in Ł3

48.4. PROPOSITIONAL RULES FOR SELECTED LOGICS

691
 Part XI

Normal Modal Logics

692
48.4. PROPOSITIONAL RULES FOR SELECTED LOGICS

This part covers the metatheory of normal modal logics. It currently

consists of Aldo Antonelli’s notes on classical correspondence theory for
basic modal logic.

Release : d3a1905 (2022-12-19) 693

Chapter 49

Syntax and Semantics

49.1 Introduction
Modal logic deals with modal propositions and the entailment relations among
them. Examples of modal propositions are the following:

1. It is necessary that 2 + 2 = 4.

2. It is necessarily possible that it will rain tomorrow.

3. If it is necessarily possible that φ then it is possible that φ.

Possibility and necessity are not the only modalities: other unary connectives
are also classified as modalities, for instance, “it ought to be the case that φ,”
“It will be the case that φ,” “Dana knows that φ,” or “Dana believes that φ.”
Modal logic makes its first appearance in Aristotle’s De Interpretatione: he
was the first to notice that necessity implies possibility, but not vice versa; that
possibility and necessity are inter-definable; that If φ ∧ ψ is possibly true then
φ is possibly true and ψ is possibly true, but not conversely; and that if φ → ψ
is necessary, then if φ is necessary, so is ψ.
The first modern approach to modal logic was the work of C. I. Lewis, cul-
minating with Lewis and Langford, Symbolic Logic (1932). Lewis & Langford
were unhappy with the representation of implication by means of the material
conditional: φ → ψ is a poor substitute for “φ implies ψ.” Instead, they pro-
posed to characterize implication as “Necessarily, if φ then ψ,” symbolized
as φ J ψ. In trying to sort out the different properties, Lewis identified five
different modal systems, S1, . . . , S4, S5, the last two of which are still in use.
The approach of Lewis and Langford was purely syntactical: they identi-
fied reasonable axioms and rules and investigated what was provable with
those means. A semantic approach remained elusive for a long time, until a
first attempt was made by Rudolf Carnap in Meaning and Necessity (1947) us-
ing the notion of a state description, i.e., a collection of atomic sentences (those

694
49.2. THE LANGUAGE OF BASIC MODAL LOGIC

that are “true” in that state description). After lifting the truth definition to
arbitrary sentences φ, Carnap defines φ to be necessarily true if it is true in all
state descriptions. Carnap’s approach could not handle iterated modalities, in
that sentences of the form “Possibly necessarily . . . possibly φ” always reduce
to the innermost modality.
The major breakthrough in modal semantics came with Saul Kripke’s arti-
cle “A Completeness Theorem in Modal Logic” (JSL 1959). Kripke based his
work on Leibniz’s idea that a statement is necessarily true if it is true “at all
possible worlds.” This idea, though, suffers from the same drawbacks as Car-
nap’s, in that the truth of statement at a world w (or a state description s) does
not depend on w at all. So Kripke assumed that worlds are related by an ac-
cessibility relation R, and that a statement of the form “Necessarily φ” is true at
a world w if and only if φ is true at all worlds w′ accessible from w. Semantics
that provide some version of this approach are called Kripke semantics and
made possible the tumultuous development of modal logics (in the plural).
When interpreted by the Kripke semantics, modal logic shows us what re-
lational structures look like “from the inside.” A relational structure is just a set
equipped with a binary relation (for instance, the set of students in the class
ordered by their social security number is a relational structure). But in fact re-
lational structures come in all sorts of domains: besides relative possibility of
states of the world, we can have epistemic states of some agent related by epis-
temic possibility, or states of a dynamical system with their state transitions,
etc. Modal logic can be used to model all of these: the first gives us ordinary,
alethic, modal logic; the others give us epistemic logic, dynamic logic, etc.
We focus on one particular angle, known to modal logicians as “corre-
spondence theory.” One of the most significant early discoveries of Kripke’s
is that many properties of the accessibility relation R (whether it is transitive,
symmetric, etc.) can be characterized in the modal language itself by means
of appropriate “modal schemas.” Modal logicians say, for instance, that the
reflexivity of R “corresponds” to the schema “If necessarily φ, then φ”. We
explore mainly the correspondence theory of a number of classical systems of
modal logic (e.g., S4 and S5) obtained by a combination of the schemas D, T,
B, 4, and 5.

49.2 The Language of Basic Modal Logic

Definition 49.1. The basic language of modal logic contains

1. The propositional constant for falsity ⊥.

2. A denumerable set of propositional variables: p0 , p1 , p2 , . . .

3. The propositional connectives: ¬ (negation), ∧ (conjunction), ∨ (disjunc-

tion), → (conditional).

Release : d3a1905 (2022-12-19) 695

 CHAPTER 49. SYNTAX AND SEMANTICS

4. The modal operator □.

5. The modal operator ♢.

Definition 49.2. Formulas of the basic modal language are inductively defined
as follows:

1. ⊥ is an atomic formula.

2. Every propositional variable pi is an (atomic) formula.

3. If φ is a formula, then ¬ φ is a formula.

4. If φ and ψ are formulas, then ( φ ∧ ψ) is a formula.

5. If φ and ψ are formulas, then ( φ ∨ ψ) is a formula.

6. If φ and ψ are formulas, then ( φ → ψ) is a formula.

7. If φ is a formula, then □φ is a formula.

8. If φ is a formula, then ♢φ is a formula.

9. Nothing else is a formula.

Definition 49.3. Formulas constructed using the defined operators are to be

understood as follows:

1. ⊤ abbreviates ¬⊥.

2. φ ↔ ψ abbreviates ( φ → ψ) ∧ (ψ → φ).

If a formula φ does not contain □ or ♢, we say it is modal-free.

49.3 Simultaneous Substitution

An instance of a formula φ is the result of replacing all occurrences of a propo-
sitional variable in φ by some other formula. We will refer to instances of for-
mulas often, both when discussing validity and when discussing derivability.
It therefore is useful to define the notion precisely.

Definition 49.4. Where φ is a modal formula all of whose propositional vari-

ables are among p1 , . . . , pn , and θ1 , . . . , θn are also modal formulas, we define
φ[θ1 /p1 , . . . , θn /pn ] as the result of simultaneously substituting each θi for pi
in φ. Formally, this is a definition by induction on φ:

1. φ ≡ ⊥: φ[θ1 /p1 , . . . , θn /pn ] is ⊥.

2. φ ≡ q: φ[θ1 /p1 , . . . , θn /pn ] is q, provided q ̸≡ pi for i = 1, . . . , n.

696 Release : d3a1905 (2022-12-19)

49.3. SIMULTANEOUS SUBSTITUTION

3. φ ≡ pi : φ[θ1 /p1 , . . . , θn /pn ] is θi .

4. φ ≡ ¬ψ: φ[θ1 /p1 , . . . , θn /pn ] is ¬ψ[θ1 /p1 , . . . , θn /pn ].

5. φ ≡ (ψ ∧ χ): φ[θ1 /p1 , . . . , θn /pn ] is

(ψ[θ1 /p1 , . . . , θn /pn ] ∧ χ[θ1 /p1 , . . . , θn /pn ]).

6. φ ≡ (ψ ∨ χ): φ[θ1 /p1 , . . . , θn /pn ] is

(ψ[θ1 /p1 , . . . , θn /pn ] ∨ χ[θ1 /p1 , . . . , θn /pn ]).

7. φ ≡ (ψ → χ): φ[θ1 /p1 , . . . , θn /pn ] is

(ψ[θ1 /p1 , . . . , θn /pn ] → χ[θ1 /p1 , . . . , θn /pn ]).

8. φ ≡ (ψ ↔ χ): φ[θ1 /p1 , . . . , θn /pn ] is

(ψ[θ1 /p1 , . . . , θn /pn ] ↔ χ[θ1 /p1 , . . . , θn /pn ]).

9. φ ≡ □ψ: φ[θ1 /p1 , . . . , θn /pn ] is □ψ[θ1 /p1 , . . . , θn /pn ].

10. φ ≡ ♢ψ: φ[θ1 /p1 , . . . , θn /pn ] is ♢ψ[θ1 /p1 , . . . , θn /pn ].

The formula φ[θ1 /p1 , . . . , θn /pn ] is called a substitution instance of φ.

Example 49.5. Suppose φ is p1 → □( p1 ∧ p2 ), θ1 is ♢( p2 → p3 ) and θ2 is ¬□p1 .

Then φ[θ1 /p1 , θ2 /p2 ] is

♢( p2 → p3 ) → □(♢( p2 → p3 ) ∧ ¬□p1 )

while φ[θ2 /p1 , θ1 /p2 ] is

¬□p1 → □(¬□p1 ∧ ♢( p2 → p3 ))

Note that simultaneous substitution is in general not the same as iterated sub-
stitution, e.g., compare φ[θ1 /p1 , θ2 /p2 ] above with ( φ[θ1 /p1 ])[θ2 /p2 ], which
is:

♢( p2 → p3 ) → □(♢( p2 → p3 ) ∧ p2 )[¬□p1 /p2 ], i.e.,

♢(¬□p1 → p3 ) → □(♢(¬□p1 → p3 ) ∧ ¬□p1 )

and with ( φ[θ2 /p2 ])[θ1 /p1 ]:

p1 → □( p1 ∧ ¬□p1 )[♢( p2 → p3 )/p1 ], i.e.,

♢( p2 → p3 ) → □(♢( p2 → p3 ) ∧ ¬□♢( p2 → p3 )).

Release : d3a1905 (2022-12-19) 697

 CHAPTER 49. SYNTAX AND SEMANTICS

p
w2
q

p
w1
¬q

¬p
w3
¬q

Figure 49.1: A simple model.

49.4 Relational Models

The basic concept of semantics for normal modal logics is that of a relational
model. It consists of a set of worlds, which are related by a binary “accessibility
relation,” together with an assignment which determines which propositional
variables count as “true” at which worlds.

Definition 49.6. A model for the basic modal language is a triple M = ⟨W, R, V ⟩,
where

1. W is a nonempty set of “worlds,”

2. R is a binary accessibility relation on W, and

3. V is a function assigning to each propositional variable p a set V ( p) of

possible worlds.

When Rww′ holds, we say that w′ is accessible from w. When w ∈ V ( p) we say

p is true at w.

The great advantage of relational semantics is that models can be repre-

sented by means of simple diagrams, such as the one in Figure 49.1. Worlds
are represented by nodes, and world w′ is accessible from w precisely when
there is an arrow from w to w′ . Moreover, we label a node (world) by p
when w ∈ V ( p), and otherwise by ¬ p. Figure 49.1 represents the model
with W = {w1 , w2 , w3 }, R = {⟨w1 , w2 ⟩, ⟨w1 , w3 ⟩}, V ( p) = {w1 , w2 }, and
V ( q ) = { w2 } .

49.5 Truth at a World

Every modal model determines which modal formulas count as true at which
worlds in it. The relation “model M makes formula φ true at world w” is the

698 Release : d3a1905 (2022-12-19)

49.6. TRUTH IN A MODEL

basic notion of relational semantics. The relation is defined inductively and

coincides with the usual characterization using truth tables for the non-modal
operators.

Definition 49.7. Truth of a formula φ at w in a M, in symbols: M, w ⊩ φ, is

defined inductively as follows:

1. φ ≡ ⊥: Never M, w ⊩ ⊥.

2. M, w ⊩ p iff w ∈ V ( p).

3. φ ≡ ¬ψ: M, w ⊩ φ iff M, w ⊮ ψ.

4. φ ≡ (ψ ∧ χ): M, w ⊩ φ iff M, w ⊩ ψ and M, w ⊩ χ.

5. φ ≡ (ψ ∨ χ): M, w ⊩ φ iff M, w ⊩ ψ or M, w ⊩ χ (or both).

6. φ ≡ (ψ → χ): M, w ⊩ φ iff M, w ⊮ ψ or M, w ⊩ χ.

7. φ ≡ □ψ: M, w ⊩ φ iff M, w′ ⊩ ψ for all w′ ∈ W with Rww′ .

8. φ ≡ ♢ψ: M, w ⊩ φ iff M, w′ ⊩ ψ for at least one w′ ∈ W with Rww′ .

Note that by clause (7), a formula □ψ is true at w whenever there are no w′

with Rww′ . In such a case □ψ is vacuously true at w. Also, □ψ may be satisfied
at w even if ψ is not. The truth of ψ at w does not guarantee the truth of ♢ψ
at w. This holds, however, if Rww, e.g., if R is reflexive. If there is no w′ such
that Rww′ , then M, w ⊮ ♢φ, for any φ.

Proposition 49.8. 1. M, w ⊩ □φ iff M, w ⊩ ¬♢¬ φ.

2. M, w ⊩ ♢φ iff M, w ⊩ ¬□¬ φ.

Proof. 1. M, w ⊩ ¬♢¬ φ iff M ⊮ ♢¬ φ by definition of M, w ⊩. M, w ⊩ ♢¬ φ

iff for some w′ with Rww′ , M, w′ ⊩ ¬ φ. Hence, M, w ⊮ ♢¬ φ iff for all
w′ with Rww′ , M, w′ ⊮ ¬ φ. We also have M, w′ ⊮ ¬ φ iff M, w′ ⊩ φ.
Together we have M, w ⊩ ¬♢¬ φ iff for all w′ with Rww′ , M, w′ ⊩ φ.
Again by definition of M, w ⊩, that is the case iff M, w ⊩ □φ.

2. Exercise.

49.6 Truth in a Model

Sometimes we are interested which formulas are true at every world in a given
model. Let’s introduce a notation for this.

Definition 49.9. A formula φ is true in a model M = ⟨W, R, V ⟩, written M ⊩ φ,

if and only if M, w ⊩ φ for every w ∈ W.

Release : d3a1905 (2022-12-19) 699

 CHAPTER 49. SYNTAX AND SEMANTICS

Proposition 49.10. 1. If M ⊩ φ then M ⊮ ¬ φ, but not vice-versa.

2. If M ⊩ φ → ψ then M ⊩ φ only if M ⊩ ψ, but not vice-versa.

Proof. 1. If M ⊩ φ then φ is true at all worlds in W, and since W ̸= ∅, it

can’t be that M ⊩ ¬ φ, or else φ would have to be both true and false at
some world.
On the other hand, if M ⊮ ¬ φ then φ is true at some world w ∈ W.
It does not follow that M, w ⊩ φ for every w ∈ W. For instance, in the
model of Figure 49.1, M ⊮ ¬ p, and also M ⊮ p.

2. Assume M ⊩ φ → ψ and M ⊩ φ; to show M ⊩ ψ let w ∈ W be an

arbitrary world. Then M, w ⊩ φ → ψ and M, w ⊩ φ, so M, w ⊩ ψ, and
since w was arbitrary, M ⊩ ψ.
To show that the converse fails, we need to find a model M such that
M ⊩ φ only if M ⊩ ψ, but M ⊮ φ → ψ. Consider again the model
of Figure 49.1: M ⊮ p and hence (vacuously) M ⊩ p only if M ⊩ q.
However, M ⊮ p → q, as p is true but q false at w1 .

49.7 Validity
Formulas that are true in all models, i.e., true at every world in every model,
are particularly interesting. They represent those modal propositions which
are true regardless of how □ and ♢ are interpreted, as long as the interpreta-
tion is “normal” in the sense that it is generated by some accessibility relation
on possible worlds. We call such formulas valid. For instance, □( p ∧ q) → □p
is valid. Some formulas one might expect to be valid on the basis of the alethic
interpretation of □, such as □p → p, are not valid, however. Part of the interest
of relational models is that different interpretations of □ and ♢ can be captured
by different kinds of accessibility relations. This suggests that we should de-
fine validity not just relative to all models, but relative to all models of a certain
kind. It will turn out, e.g., that □p → p is true in all models where every world
is accessible from itself, i.e., R is reflexive. Defining validity relative to classes
of models enables us to formulate this succinctly: □p → p is valid in the class
of reflexive models.

Definition 49.11. A formula φ is valid in a class C of models if it is true in

every model in C (i.e., true at every world in every model in C ). If φ is valid
in C , we write C ⊨ φ, and we write ⊨ φ if φ is valid in the class of all models.

Proposition 49.12. If φ is valid in C it is also valid in each class C ′ ⊆ C .

Proposition 49.13. If φ is valid, then so is □φ.

700 Release : d3a1905 (2022-12-19)

49.8. TAUTOLOGICAL INSTANCES

Proof. Assume ⊨ φ. To show ⊨ □φ let M = ⟨W, R, V ⟩ be a model and w ∈ W.

If Rww′ then M, w′ ⊩ φ, since φ is valid, and so also M, w ⊩ □φ. Since M and
w were arbitrary, ⊨ □φ.

49.8 Tautological Instances

A modal-free formula is a tautology if it is true under every truth-value as-
signment. Clearly, every tautology is true at every world in every model. But
for formulas involving □ and ♢, the notion of tautology is not defined. Is it the
case, e.g., that □p ∨ ¬□p—an instance of the principle of excluded middle—is
valid? The notion of a tautological instance helps: a formula that is a substitu-
tion instance of a (non-modal) tautology. It is not surprising, but still requires
proof, that every tautological instance is valid.
Definition 49.14. A modal formula ψ is a tautological instance if and only if
there is a modal-free tautology φ with propositional variables p1 , . . . , pn and
formulas θ1 , . . . , θn such that ψ ≡ φ[θ1 /p1 , . . . , θn /pn ].

Lemma 49.15. Suppose φ is a modal-free formula whose propositional variables are

p1 , . . . , pn , and let θ1 , . . . , θn be modal formulas. Then for any assignment v, any
model M = ⟨W, R, V ⟩, and any w ∈ W such that v( pi ) = T if and only if M, w ⊩ θi
we have that v ⊨ φ if and only if M, w ⊩ φ[θ1 /p1 , . . . , θn /pn ].

Proof. By induction on φ.
1. φ ≡ ⊥: Both v ⊭ ⊥ and M, w ⊮ ⊥.
2. φ ≡ pi :

v ⊨ p i ⇔ v( p i ) = T
by definition of v ⊨ pi
⇔ M, w ⊩ θi
by assumption
⇔ M, w ⊩ pi [θ1 /p1 , . . . , θn /pn ]
since pi [θ1 /p1 , . . . , θn /pn ] ≡ θi .

3. φ ≡ ¬ψ:

v ⊨ ¬ψ ⇔ v ⊭ ψ
by definition of v ⊨;
⇔ M, w ⊮ ψ[θ1 /p1 , . . . , θn /pn ]
by induction hypothesis
⇔ M, w ⊩ ¬ψ[θ1 /p1 , . . . , θn /pn ]
by definition of v ⊨.

Release : d3a1905 (2022-12-19) 701

 CHAPTER 49. SYNTAX AND SEMANTICS

4. φ ≡ (ψ ∧ χ):

v ⊨ ψ ∧ χ ⇔ v ⊨ ψ and v ⊨ χ
by definition of v ⊨
⇔ M, w ⊩ ψ[θ1 /p1 , . . . , θn /pn ] and
M, w ⊩ χ[θ1 /p1 , . . . , θn /pn ]
by induction hypothesis
⇔ M, w ⊩ (ψ ∧ χ)[θ1 /p1 , . . . , θn /pn ]
by definition of M, w ⊩.

5. φ ≡ (ψ ∨ χ):

v ⊨ ψ ∨ χ ⇔ v ⊨ ψ or v ⊨ χ
by definition of v ⊨;
⇔ M, w ⊩ ψ[θ1 /p1 , . . . , θn /pn ] or
M, w ⊩ χ[θ1 /p1 , . . . , θn /pn ]
by induction hypothesis
⇔ M, w ⊩ (ψ ∨ χ)[θ1 /p1 , . . . , θn /pn ]
by definition of M, w ⊩.

6. φ ≡ (ψ → χ):

v ⊨ ψ → χ ⇔ v ⊭ ψ or v ⊨ χ
by definition of v ⊨
⇔ M, w ⊮ ψ[θ1 /p1 , . . . , θn /pn ] or
M, w ⊩ χ[θ1 /p1 , . . . , θn /pn ]
by induction hypothesis
⇔ M, w ⊩ (ψ → χ)[θ1 /p1 , . . . , θn /pn ]
by definition of M, w ⊩.

Proposition 49.16. All tautological instances are valid.

Proof. Contrapositively, suppose φ is such that M, w ⊮ φ[θ1 /p1 , . . . , θn /pn ],

for some model M and world w. Define an assignment v such that v( pi ) = T
if and only if M, w ⊩ θi (and v assigns arbitrary values to q ∈
/ { p1 , . . . , pn }).
Then by Lemma 49.15, v ⊭ φ, so φ is not a tautology.

702 Release : d3a1905 (2022-12-19)

49.9. SCHEMAS AND VALIDITY

49.9 Schemas and Validity

Definition 49.17. A schema is a set of formulas comprising all and only the
substitution instances of some modal formula χ, i.e.,

{ψ : ∃θ1 , . . . , ∃θn (ψ = χ[θ1 /p1 , . . . , θn /pn ])}.

The formula χ is called the characteristic formula of the schema, and it is

unique up to a renaming of the propositional variables. A formula φ is an
instance of a schema if it is a member of the set.

It is convenient to denote a schema by the meta-linguistic expression ob-

tained by substituting ‘φ’, ‘ψ’, . . . , for the atomic components of χ. So, for
instance, the following denote schemas: ‘φ’, ‘φ → □φ’, ‘φ → (ψ → φ)’. They
correspond to the characteristic formulas p, p → □p, p → (q → p). The schema
‘φ’ denotes the set of all formulas.

Definition 49.18. A schema is true in a model if and only if all of its instances
are; and a schema is valid if and only if it is true in every model.

Proposition 49.19. The following schema K is valid

□( φ → ψ) → (□φ → □ψ). (K)

Proof. We need to show that all instances of the schema are true at every world
in every model. So let M = ⟨W, R, V ⟩ and w ∈ W be arbitrary. To show that
a conditional is true at a world we assume the antecedent is true to show that
consequent is true as well. In this case, let M, w ⊩ □( φ → ψ) and M, w ⊩ □φ.
We need to show M ⊩ □ψ. So let w′ be arbitrary such that Rww′ . Then by the
first assumption M, w′ ⊩ φ → ψ and by the second assumption M, w′ ⊩ φ. It
follows that M, w′ ⊩ ψ. Since w′ was arbitrary, M, w ⊩ □ψ.

Proposition 49.20. The following schema DUAL is valid

♢φ ↔ ¬□¬ φ. (DUAL)

Proof. Exercise.

Proposition 49.21. If φ and φ → ψ are true at a world in a model then so is ψ.

Hence, the valid formulas are closed under modus ponens.

Proposition 49.22. A formula φ is valid iff all its substitution instances are. In
other words, a schema is valid iff its characteristic formula is.

Release : d3a1905 (2022-12-19) 703

 CHAPTER 49. SYNTAX AND SEMANTICS

Valid Schemas Invalid Schemas

□( φ → ψ) → (♢φ → ♢ψ) □( φ ∨ ψ) → (□φ ∨ □ψ)
♢( φ → ψ) → (□φ → ♢ψ) (♢φ ∧ ♢ψ) → ♢( φ ∧ ψ)
□( φ ∧ ψ) ↔ (□φ ∧ □ψ) φ → □φ
□φ → □(ψ → φ) □♢φ → ψ
¬♢φ → □( φ → ψ) □□φ → □φ
♢( φ ∨ ψ) ↔ (♢φ ∨ ♢ψ) □♢φ → ♢□φ.
Table 49.1: Valid and (or?) invalid schemas.

Proof. The “if” direction is obvious, since φ is a substitution instance of itself.

To prove the “only if” direction, we show the following: Suppose M =
⟨W, R, V ⟩ is a modal model, and ψ ≡ φ[θ1 /p1 , . . . , θn /pn ] is a substitution
instance of φ. Define M′ = ⟨W, R, V ′ ⟩ by V ′ ( pi ) = {w : M, w ⊩ θi }. Then
M, w ⊩ ψ iff M′ , w ⊩ φ, for any w ∈ W. (We leave the proof as an exercise.)
Now suppose that φ was valid, but some substitution instance ψ of φ was not
valid. Then for some M = ⟨W, R, V ⟩ and some w ∈ W, M, w ⊮ ψ. But then
M′ , w ⊮ φ by the claim, and φ is not valid, a contradiction.

Note, however, that it is not true that a schema is true in a model iff its
characteristic formula is. Of course, the “only if” direction holds: if every
instance of φ is true in M, φ itself is true in M. But it may happen that φ
is true in M but some instance of φ is false at some world in M. For a very
simple counterexample consider p in a model with only one world w and
V ( p) = {w}, so that p is true at w. But ⊥ is an instance of p, and not true at w.

49.10 Entailment
With the definition of truth at a world, we can define an entailment relation
between formulas. A formula ψ entails φ iff, whenever ψ is true, φ is true as
well. Here, “whenever” means both “whichever model we consider” as well
as “whichever world in that model we consider.”

Definition 49.23. If Γ is a set of formulas and φ a formula, then Γ entails φ,

in symbols: Γ ⊨ φ, if and only if for every model M = ⟨W, R, V ⟩ and world
w ∈ W, if M, w ⊩ ψ for every ψ ∈ Γ, then M, w ⊩ φ. If Γ contains a single
formula ψ, then we write ψ ⊨ φ.

Example 49.24. To show that a formula entails another, we have to reason

about all models, using the definition of M, w ⊩. For instance, to show p →
♢p ⊨ □¬ p → ¬ p, we might argue as follows: Consider a model M = ⟨W, R, V ⟩
and w ∈ W, and suppose M, w ⊩ p → ♢p. We have to show that M, w ⊩
□¬ p → ¬ p. Suppose not. Then M, w ⊩ □¬ p and M, w ⊮ ¬ p. Since M, w ⊮

704 Release : d3a1905 (2022-12-19)

49.10. ENTAILMENT

w2 p w3 p

w1 ¬ p

Figure 49.2: Counterexample to p → ♢p ⊨ □p → p.

¬ p, M, w ⊩ p. By assumption, M, w ⊩ p → ♢p, hence M, w ⊩ ♢p. By defini-

tion of M, w ⊩ ♢p, there is some w′ with Rww′ such that M, w′ ⊩ p. Since also
M, w ⊩ □¬ p, M, w′ ⊩ ¬ p, a contradiction.
To show that a formula ψ does not entail another φ, we have to give a
counterexample, i.e., a model M = ⟨W, R, V ⟩ where we show that at some
world w ∈ W, M, w ⊩ ψ but M, w ⊮ φ. Let’s show that p → ♢p ⊭ □p → p.
Consider the model in Figure 49.2. We have M, w1 ⊩ ♢p and hence M, w1 ⊩
p → ♢p. However, since M, w1 ⊩ □p but M, w1 ⊮ p, we have M, w1 ⊮ □p → p.

Often very simple counterexamples suffice. The model M′ = {W ′ , R′ , V ′ }

with W ′ = {w}, R′ = ∅, and V ′ ( p) = ∅ is also a counterexample: Since
M′ , w ⊮ p, M′ , w ⊩ p → ♢p. As no worlds are accessible from w, we have
M′ , w ⊩ □p, and so M′ , w ⊮ □p → p.

Problems
Problem 49.1. Consider the model of Figure 49.1. Which of the following
hold?

1. M, w1 ⊩ q;

2. M, w3 ⊩ ¬q;

3. M, w1 ⊩ p ∨ q;

4. M, w1 ⊩ □( p ∨ q);

5. M, w3 ⊩ □q;

6. M, w3 ⊩ □⊥;

7. M, w1 ⊩ ♢q;

8. M, w1 ⊩ □q;

9. M, w1 ⊩ ¬□□¬q.

Release : d3a1905 (2022-12-19) 705

 CHAPTER 49. SYNTAX AND SEMANTICS

Problem 49.2. Complete the proof of Proposition 49.8.

Problem 49.3. Let M = ⟨W, R, V ⟩ be a model, and suppose w1 , w2 ∈ W are

such that:

1. w1 ∈ V ( p) if and only if w2 ∈ V ( p); and

2. for all w ∈ W: Rw1 w if and only if Rw2 w.

Using induction on formulas, show that for all formulas φ: M, w1 ⊩ φ if and

only if M, w2 ⊩ φ.

Problem 49.4. Let M = ⟨W, R, V ⟩. Show that M, w ⊩ ¬♢φ if and only if

M, w ⊩ □¬ φ.

Problem 49.5. Consider the following model M for the language comprising
p1 , p2 , p3 as the only propositional variables:

p1 p1
¬ p 2 w1 w3 p 2
¬ p3 p3

p1
w2 p2
¬ p3

Are the following formulas and schemas true in the model M, i.e., true at
every world in M? Explain.

1. p → ♢p (for p atomic);

2. φ → ♢φ (for φ arbitrary);

3. □p → p (for p atomic);

4. ¬ p → ♢□p (for p atomic);

5. ♢□φ (for φ arbitrary);

6. □♢p (for p atomic).

Problem 49.6. Show that the following are valid:

1. ⊨ □p → □(q → p);

2. ⊨ □¬⊥;

3. ⊨ □p → (□q → □p).

706 Release : d3a1905 (2022-12-19)

49.10. ENTAILMENT

Problem 49.7. Show that φ → □φ is valid in the class C of models M = ⟨W, R, V ⟩

where W = {w}. Similarly, show that ψ → □φ and ♢φ → ψ are valid in the
class of models M = ⟨W, R, V ⟩ where R = ∅.

Problem 49.8. Prove Proposition 49.20.

Problem 49.9. Prove the claim in the “only if” part of the proof of Proposi-
tion 49.22. (Hint: use induction on φ.)

Problem 49.10. Show that none of the following formulas are valid:

D: □p → ♢p;

T: □p → p;

B: p → □♢p;

4: □p → □□p;

5: ♢p → □♢p.

Problem 49.11. Prove that the schemas in the first column of Table 49.1 are
valid and those in the second column are not valid.

Problem 49.12. Decide whether the following schemas are valid or invalid:

1. (♢φ → □ψ) → (□φ → □ψ);

2. ♢( φ → ψ) ∨ □(ψ → φ).

Problem 49.13. For each of the following schemas find a model M such that
every instance of the formula is true in M:

1. p → ♢♢p;

2. ♢p → □p.

Problem 49.14. Show that □( φ ∧ ψ) ⊨ □φ.

Problem 49.15. Show that □( p → q) ⊭ p → □q and p → □q ⊭ □( p → q).

Release : d3a1905 (2022-12-19) 707

Chapter 50

Frame Definability

50.1 Introduction
One question that interests modal logicians is the relationship between the
accessibility relation and the truth of certain formulas in models with that ac-
cessibility relation. For instance, suppose the accessibility relation is reflexive,
i.e., for every w ∈ W, Rww. In other words, every world is accessible from
itself. That means that when □φ is true at a world w, w itself is among the
accessible worlds at which φ must therefore be true. So, if the accessibility
relation R of M is reflexive, then whatever world w and formula φ we take,
□φ → φ will be true there (in other words, the schema □p → p and all its
substitution instances are true in M).
The converse, however, is false. It’s not the case, e.g., that if □p → p is
true in M, then R is reflexive. For we can easily find a non-reflexive model M
where □p → p is true at all worlds: take the model with a single world w,
not accessible from itself, but with w ∈ V ( p). By picking the truth value of p
suitably, we can make □φ → φ true in a model that is not reflexive.
The solution is to remove the variable assignment V from the equation. If
we require that □p → p is true at all worlds in M, regardless of which worlds
are in V ( p), then it is necessary that R is reflexive. For in any non-reflexive
model, there will be at least one world w such that not Rww. If we set V ( p) =
W \ {w}, then p will be true at all worlds other than w, and so at all worlds
accessible from w (since w is guaranteed not to be accessible from w, and w is
the only world where p is false). On the other hand, p is false at w, so □p → p
is false at w.
This suggests that we should introduce a notation for model structures
without a valuation: we call these frames. A frame F is simply a pair ⟨W, R⟩
consisting of a set of worlds with an accessibility relation. Every model ⟨W, R, V ⟩
is then, as we say, based on the frame ⟨W, R⟩. Conversely, a frame determines
the class of models based on it; and a class of frames determines the class of
models which are based on any frame in the class. And we can define F ⊨ φ,

708
50.2. PROPERTIES OF ACCESSIBILITY RELATIONS

If R is . . . then . . . is true in M:
serial: ∀u∃vRuv □p → ♢p (D)
reflexive: ∀wRww □p → p (T)
symmetric: p → □♢p (B)
∀u∀v( Ruv → Rvu)
transitive: □p → □□p (4)
∀u∀v∀w(( Ruv ∧ Rvw) → Ruw)
euclidean: ♢p → □♢p (5)
∀w∀u∀v(( Rwu ∧ Rwv) → Ruv)
Table 50.1: Five correspondence facts.

the notion of a formula being valid in a frame as: M ⊩ φ for all M based on F.
With this notation, we can establish correspondence relations between for-
mulas and classes of frames: e.g., F ⊨ □p → p if, and only if, F is reflexive.

50.2 Properties of Accessibility Relations

Many modal formulas turn out to be characteristic of simple, and even famil-
iar, properties of the accessibility relation. In one direction, that means that
any model that has a given property makes a corresponding formula (and all
its substitution instances) true. We begin with five classical examples of kinds
of accessibility relations and the formulas the truth of which they guarantee.

Theorem 50.1. Let M = ⟨W, R, V ⟩ be a model. If R has the property on the left side
of Table 50.1, every instance of the formula on the right side is true in M.

Proof. Here is the case for B: to show that the schema is true in a model we
need to show that all of its instances are true at all worlds in the model. So
let φ → □♢φ be a given instance of B, and let w ∈ W be an arbitrary world.
Suppose the antecedent φ is true at w, in order to show that □♢φ is true at
w. So we need to show that ♢φ is true at all w′ accessible from w. Now, for
any w′ such that Rww′ we have, using the hypothesis of symmetry, that also
Rw′ w (see Figure 50.1). Since M, w ⊩ φ, we have M, w′ ⊩ ♢φ. Since w′ was an
arbitrary world such that Rww′ , we have M, w ⊩ □♢φ.
We leave the other cases as exercises.

Notice that the converse implications of Theorem 50.1 do not hold: it’s not
true that if a model verifies a schema, then the accessibility relation of that
model has the corresponding property. In the case of T and reflexive models,
it is easy to give an example of a model in which T itself fails: let W = {w} and
V ( p) = ∅. Then R is not reflexive, but M, w ⊩ □p and M, w ⊮ p. But here we
have just a single instance of T that fails in M, other instances, e.g., □¬ p → ¬ p

Release : d3a1905 (2022-12-19) 709

 CHAPTER 50. FRAME DEFINABILITY

w w′
⊩φ ⊩ ♢φ
⊩ □♢φ

Figure 50.1: The argument from symmetry.

are true. It is harder to give examples where every substitution instance of T is

true in M and M is not reflexive. But there are such models, too:

Proposition 50.2. Let M = ⟨W, R, V ⟩ be a model such that W = {u, v}, where
worlds u and v are related by R: i.e., both Ruv and Rvu. Suppose that for all p:
u ∈ V ( p) ⇔ v ∈ V ( p). Then:

1. For all φ: M, u ⊩ φ if and only if M, v ⊩ φ (use induction on φ).

2. Every instance of T is true in M.

Since M is not reflexive (it is, in fact, irreflexive), the converse of Theorem 50.1 fails
in the case of T (similar arguments can be given for some—though not all—the other
schemas mentioned in Theorem 50.1).

Although we will focus on the five classical formulas D, T, B, 4, and 5, we

record in Table 50.2 a few more properties of accessibility relations. The acces-
sibility relation R is partially functional, if from every world at most one world
is accessible. If it is the case that from every world exactly one world is accessi-
ble, we call it functional. (Thus the functional relations are precisely those that
are both serial and partially functional). They are called “functional” because
the accessibility relation operates like a (partial) function. A relation is weakly
dense if whenever Ruv, there is a w “between” u and v. So weakly dense rela-
tions are in a sense the opposite of transitive relations: in a transitive relation,
whenever you can reach v from u by a detour via w, you can reach v from u
directly; in a weakly dense relation, whenever you can reach v from u directly,
you can also reach it by a detour via some w. A relation is weakly directed if
whenever you can reach worlds u and v from some world w, you can reach
a single world t from both u and v—this is sometimes called the “diamond
property” or “confluence.”

50.3 Frames
Definition 50.3. A frame is a pair F = ⟨W, R⟩ where W is a non-empty set of
worlds and R a binary relation on W. A model M is based on a frame F =
⟨W, R⟩ if and only if M = ⟨W, R, V ⟩ for some valuation V.

710 Release : d3a1905 (2022-12-19)

50.4. FRAME DEFINABILITY

If R is . . . then . . . is true in M:
partially functional:
♢p → □p
∀w∀u∀v(( Rwu ∧ Rwv) → u = v)
functional: ∀w∃v∀u( Rwu ↔ u = v) ♢p ↔ □p
weakly dense:
□□p → □p
∀u∀v( Ruv → ∃w( Ruw ∧ Rwv))
weakly connected:
□(( p ∧ □p) → q) ∨
∀w∀u∀v(( Rwu ∧ Rwv) → (L)
□((q ∧ □q) → p)
( Ruv ∨ u = v ∨ Rvu))
weakly directed:
∀w∀u∀v(( Rwu ∧ Rwv) → ♢□p → □♢p (G)
∃t( Rut ∧ Rvt))
Table 50.2: Five more correspondence facts.

Definition 50.4. If F is a frame, we say that φ is valid in F, F ⊨ φ, if M ⊩ φ for

every model M based on F.
If F is a class of frames, we say φ is valid in F , F ⊨ φ, iff F ⊨ φ for every
frame F ∈ F .

The reason frames are interesting is that correspondence between schemas

and properties of the accessibility relation R is at the level of frames, not of
models. For instance, although T is true in all reflexive models, not every model
in which T is true is reflexive. However, it is true that not only is T valid on all
reflexive frames, also every frame in which T is valid is reflexive.
Remark 6. Validity in a class of frames is a special case of the notion of validity
in a class of models: F ⊨ φ iff C ⊨ φ where C is the class of all models based
on a frame in F .
Obviously, if a formula or a schema is valid, i.e., valid with respect to the
class of all models, it is also valid with respect to any class F of frames.

50.4 Frame Definability

Even though the converse implications of Theorem 50.1 fail, they hold if we
replace “model” by “frame”: for the properties considered in Theorem 50.1, it
is true that if a formula is valid in a frame then the accessibility relation of that
frame has the corresponding property. So, the formulas considered define the
classes of frames that have the corresponding property.
Definition 50.5. If F is a class of frames, we say φ defines F iff F ⊨ φ for all
and only frames F ∈ F .

We now proceed to establish the full definability results for frames.

Release : d3a1905 (2022-12-19) 711

 CHAPTER 50. FRAME DEFINABILITY

Theorem 50.6. If the formula on the right side of Table 50.1 is valid in a frame F,
then F has the property on the left side.

Proof. 1. Suppose D is valid in F = ⟨W, R⟩, i.e., F ⊨ □p → ♢p. Let M =

⟨W, R, V ⟩ be a model based on F, and w ∈ W. We have to show that there
is a v such that Rwv. Suppose not: then both M ⊩ □φ and M, w ⊮ ♢φ
for any φ, including p. But then M, w ⊮ □p → ♢p, contradicting the
assumption that F ⊨ □p → ♢p.

2. Suppose T is valid in F, i.e., F ⊨ □p → p. Let w ∈ W be an arbitrary

world; we need to show Rww. Let u ∈ V ( p) if and only if Rwu (when q
is other than p, V (q) is arbitrary, say V (q) = ∅). Let M = ⟨W, R, V ⟩. By
construction, for all u such that Rwu: M, u ⊩ p, and hence M, w ⊩ □p.
But by hypothesis □p → p is true at w, so that M, w ⊩ p, but by definition
of V this is possible only if Rww.

3. We prove the contrapositive: Suppose F is not symmetric, we show that

B, i.e., p → □♢p is not valid in F = ⟨W, R⟩. If F is not symmetric, there
are u, v ∈ W such that Ruv but not Rvu. Define V such that w ∈ V ( p) if
and only if not Rvw (and V is arbitrary otherwise). Let M = ⟨W, R, V ⟩.
Now, by definition of V, M, w ⊩ p for all w such that not Rvw, in par-
ticular, M, u ⊩ p since not Rvu. Also, since Rvw iff w ∈ / V ( p), there is
no w such that Rvw and M, w ⊩ p, and hence M, v ⊮ ♢p. Since Ruv, also
M, u ⊮ □♢p. It follows that M, u ⊮ p → □♢p, and so B is not valid in F.

4. Suppose 4 is valid in F = ⟨W, R⟩, i.e., F ⊨ □p → □□p, and let u, v,

w ∈ W be arbitrary worlds such that Ruv and Rvw; we need to show
that Ruw. Define V such that z ∈ V ( p) if and only if Ruz (and V is
arbitrary otherwise). Let M = ⟨W, R, V ⟩. By definition of V, M, z ⊩ p
for all z such that Ruz, and hence M, u ⊩ □p. But by hypothesis 4,
□p → □□p, is true at u, so that M, u ⊩ □□p. Since Ruv and Rvw, we
have M, w ⊩ p, but by definition of V this is possible only if Ruw, as
desired.

5. We proceed contrapositively, assuming that the frame F = ⟨W, R⟩ is not

euclidean, and show that it falsifies 5, i.e., F ⊭ ♢p → □♢p. Suppose there
are worlds u, v, w ∈ W such that Rwu and Rwv but not Ruv. Define
V such that for all worlds z, z ∈ V ( p) if and only if it is not the case
that Ruz. Let M = ⟨W, R, V ⟩. Then by hypothesis M, v ⊩ p and since
Rwv also M, w ⊩ ♢p. However, there is no world y such that Ruy and
M, y ⊩ p so M, u ⊮ ♢p. Since Rwu, it follows that M, w ⊮ □♢p, so that
5, ♢p → □♢p, fails at w.

You’ll notice a difference between the proof for D and the other cases: no
mention was made of the valuation V. In effect, we proved that if M ⊩ D then
M is serial. So D defines the class of serial models, not just frames.

712 Release : d3a1905 (2022-12-19)

50.5. FIRST-ORDER DEFINABILITY

Corollary 50.7. Any model where D is true is serial.

Corollary 50.8. Each formula on the right side of Table 50.1 defines the class of
frames which have the property on the left side.

Proof. In Theorem 50.1, we proved that if a model has the property on the left,
the formula on the right is true in it. Thus, if a frame F has the property on
the left, the formula on the right is valid in F. In Theorem 50.6, we proved
the converse implications: if a formula on the right is valid in F, F has the
property on the left.

Theorem 50.6 also shows that the properties can be combined: for instance
if both B and 4 are valid in F then the frame is both symmetric and transitive,
etc. Many important modal logics are characterized as the set of formulas
valid in all frames that combine some frame properties, and so we can charac-
terize them as the set of formulas valid in all frames in which the correspond-
ing defining formulas are valid. For instance, the classical system S4 is the
set of all formulas valid in all reflexive and transitive frames, i.e., in all those
where both T and 4 are valid. S5 is the set of all formulas valid in all reflexive,
symmetric, and euclidean frames, i.e., all those where all of T, B, and 5 are
valid.
Logical relationships between properties of R in general correspond to re-
lationships between the corresponding defining formulas. For instance, every
reflexive relation is serial; hence, whenever T is valid in a frame, so is D. (Note
that this relationship is not that of entailment. It is not the case that whenever
M, w ⊩ T then M, w ⊩ D.) We record some such relationships.

Proposition 50.9. Let R be a binary relation on a set W; then:

1. If R is reflexive, then it is serial.

2. If R is symmetric, then it is transitive if and only if it is euclidean.

3. If R is symmetric or euclidean then it is weakly directed (it has the “diamond

property”).

4. If R is euclidean then it is weakly connected.

5. If R is functional then it is serial.

50.5 First-order Definability

We’ve seen that a number of properties of accessibility relations of frames
can be defined by modal formulas. For instance, symmetry of frames can
be defined by the formula B, p → □♢p. The conditions we’ve encountered
so far can all be expressed by first-order formulas in a language involving

Release : d3a1905 (2022-12-19) 713

 CHAPTER 50. FRAME DEFINABILITY

a single two-place predicate symbol. For instance, symmetry is defined by

∀ x ∀y ( Q( x, y) → Q(y, x )) in the sense that a first-order structure M with |M| =
W and QM = R satisfies the preceding formula iff R is symmetric. This sug-
gests the following definition:

Definition 50.10. A class F of frames is first-order definable if there is a sen-

tence φ in the first-order language with a single two-place predicate symbol Q
such that F = ⟨W, R⟩ ∈ F iff M ⊨ φ in the first-order structure M with
|M| = W and QM = R.

It turns out that the properties and modal formulas that define them con-
sidered so far are exceptional. Not every formula defines a first-order de-
finable class of frames, and not every first-order definable class of frames is
definable by a modal formula.
A counterexample to the first is given by the Löb formula:

□(□p → p) → □p. (W)

W defines the class of transitive and converse well-founded frames. A relation

is well-founded if there is no infinite sequence w1 , w2 , . . . such that Rw2 w1 ,
Rw3 w2 , . . . . For instance, the relation < on N is well-founded, whereas the
relation < on Z is not. A relation is converse well-founded iff its converse is
well-founded. So converse well-founded relations are those where there is no
infinite sequence w1 , w2 , . . . such that Rw1 w2 , Rw2 w3 , . . . .
There is, however, no first-order formula defining transitive converse well-
founded relations. For suppose M ⊨ β iff R = QM is transitive converse
well-founded. Let φn be the formula

( Q( a1 , a2 ) ∧ · · · ∧ Q( an−1 , an ))

Now consider the set of formulas

Γ = { β, φ1 , φ2 , . . . }.

Every finite subset of Γ is satisfiable: Let k be largest such that φk is in the

M
subset, |Mk | = {1, . . . , k }, ai k = i, and QMk =<. Since < on {1, . . . , k} is
transitive and converse well-founded, Mk ⊨ β. Mk ⊨ φi by construction, for
all i ≤ k. By the Compactness Theorem for first-order logic, Γ is satisfiable in
some structure M. By hypothesis, since M ⊨ β, the relation QM is converse
well-founded. But clearly, aM M
1 , a2 , . . . would form an infinite sequence of the
kind ruled out by converse well-foundedness.
A counterexample to the second claim is given by the property of univer-
sality: for every u and v, Ruv. Universal frames are first-order definable by
the formula ∀ x ∀y Q( x, y). However, no modal formula is valid in all and only
the universal frames. This is a consequence of a result that is independently
interesting: the formulas valid in universal frames are exactly the same as

714 Release : d3a1905 (2022-12-19)

50.6. EQUIVALENCE RELATIONS AND S5

those valid in reflexive, symmetric, and transitive frames. There are reflexive,
symmetric, and transitive frames that are not universal, hence every formula
valid in all universal frames is also valid in some non-universal frames.

50.6 Equivalence Relations and S5

The modal logic S5 is characterized as the set of formulas valid on all univer-
sal frames, i.e., every world is accessible from every world, including itself. In
such a scenario, □ corresponds to necessity and ♢ to possibility: □φ is true if φ
is true at every world, and ♢φ is true if φ is true at some world. It turns out that
S5 can also be characterized as the formulas valid on all reflexive, symmetric,
and transitive frames, i.e., on all equivalence relations.

Definition 50.11. A binary relation R on W is an equivalence relation if and only

if it is reflexive, symmetric and transitive. A relation R on W is universal if and
only if Ruv for all u, v ∈ W.

Since T, B, and 4 characterize the reflexive, symmetric, and transitive frames,

the frames where the accessibility relation is an equivalence relation are ex-
actly those in which all three formulas are valid. It turns out that the equiv-
alence relations can also be characterized by other combinations of formu-
las, since the conditions with which we’ve defined equivalence relations are
equivalent to combinations of other familiar conditions on R.

Proposition 50.12. The following are equivalent:

1. R is an equivalence relation;

2. R is reflexive and euclidean;

3. R is serial, symmetric, and euclidean;

4. R is serial, symmetric, and transitive.

Proof. Exercise.

Proposition 50.12 is the semantic counterpart to Proposition 51.29, in that

it gives an equivalent characterization of the modal logic of frames over which
R is an equivalence relation (the logic traditionally referred to as S5).
What is the relationship between universal and equivalence relations? Al-
though every universal relation is an equivalence relation, clearly not every
equivalence relation is universal. However, the formulas valid on all univer-
sal relations are exactly the same as those valid on all equivalence relations.

Proposition 50.13. Let R be an equivalence relation, and for each w ∈ W define the
equivalence class of w as the set [w] = {w′ ∈ W : Rww′ }. Then:

Release : d3a1905 (2022-12-19) 715

 CHAPTER 50. FRAME DEFINABILITY

[w]

[z]

[u]
[v]

Figure 50.2: A partition of W in equivalence classes.

1. w ∈ [w];

2. R is universal on each equivalence class [w];

3. The collection of equivalence classes partitions W into mutually exclusive and

jointly exhaustive subsets.

Proposition 50.14. A formula φ is valid in all frames F = ⟨W, R⟩ where R is an

equivalence relation, if and only if it is valid in all frames F = ⟨W, R⟩ where R is
universal. Hence, the logic of universal frames is just S5.

Proof. It’s immediate to verify that a universal relation R on W is an equiva-

lence. Hence, if φ is valid in all frames where R is an equivalence it is valid in
all universal frames. For the other direction, we argue contrapositively: sup-
pose ψ is a formula that fails at a world w in a model M = ⟨W, R, V ⟩ based
on a frame ⟨W, R⟩, where R is an equivalence on W. So M, w ⊮ ψ. Define a
model M′ = ⟨W ′ , R′ , V ′ ⟩ as follows:

1. W ′ = [w];

2. R′ is universal on W ′ ;

3. V ′ ( p) = V ( p) ∩ W ′ .

(So the set W ′ of worlds in M′ is represented by the shaded area in Figure 50.2.)
It is easy to see that R and R′ agree on W ′ . Then one can show by induction
on formulas that for all w′ ∈ W ′ : M′ , w′ ⊩ φ if and only if M, w′ ⊩ φ for each
φ (this makes sense since W ′ ⊆ W). In particular, M′ , w ⊮ ψ, and ψ fails in a
model based on a universal frame.

716 Release : d3a1905 (2022-12-19)

50.7. SECOND-ORDER DEFINABILITY

50.7 Second-order Definability

Not every frame property definable by modal formulas is first-order defin-
able. However, if we allow quantification over one-place predicates (i.e., monadic
second-order quantification), we define all modally definable frame proper-
ties. The trick is to exploit a systematic way in which the conditions under
which a modal formula is true at a world are related to first-order formulas.
This is the so-called standard translation of modal formulas into first-order
formulas in a language containing not just a two-place predicate symbol Q
for the accessibility relation, but also a one-place predicate symbol Pi for the
propositional variables pi occurring in φ.

Definition 50.15. The standard translation STx ( φ) is inductively defined as fol-

lows:

1. φ ≡ ⊥: STx ( φ) = ⊥.

2. φ ≡ pi : STx ( φ) = Pi ( x ).

3. φ ≡ ¬ψ: STx ( φ) = ¬STx (ψ).

4. φ ≡ (ψ ∧ χ): STx ( φ) = (STx (ψ) ∧ STx (χ)).

5. φ ≡ (ψ ∨ χ): STx ( φ) = (STx (ψ) ∨ STx (χ)).

6. φ ≡ (ψ → χ): STx ( φ) = (STx (ψ) → STx (χ)).

7. φ ≡ □ψ: STx ( φ) = ∀y ( Q( x, y) → STy (ψ)).

8. φ ≡ ♢ψ: STx ( φ) = ∃y ( Q( x, y) ∧ STy (ψ)).

For instance, STx (□p → p) is ∀y ( Q( x, y) → P(y)) → P( x ). Any structure

for the language of STx ( φ) requires a domain, a two-place relation assigned
to Q, and subsets of the domain assigned to the one-place predicate sym-
bols Pi . In other words, the components of such a structure are exactly those of
a model for φ: the domain is the set of worlds, the two-place relation assigned
to Q is the accessibility relation, and the subsets assigned to Pi are just the as-
signments V (pi ). It won’t surprise that satisfaction of φ in a modal model and
of STx ( φ) in the corresponding structure agree:

Proposition 50.16. Let M = ⟨W, R, V ⟩, M′ be the first-order structure with |M′ | =

′ ′
W, QM = R, and PiM = V (pi ), and s( x ) = w. Then

M, w ⊩ φ iff M′ , s ⊨ STx ( φ)

Proof. By induction on φ.

Release : d3a1905 (2022-12-19) 717

 CHAPTER 50. FRAME DEFINABILITY

Proposition 50.17. Suppose φ is a modal formula and F = ⟨W, R⟩ is a frame. Let

′
F′ be the first-order structure with |F′ | = W and QF = R, and let φ′ be the second-
order formula
∀ X1 . . . ∀ Xn ∀ x STx ( φ)[ X1 /P1 , . . . , Xn /Pn ],
where P1 , . . . , Pn are all one-place predicate symbols in STx ( φ). Then

F ⊨ φ iff F′ ⊨ φ′
′
Proof. F′ ⊨ φ′ iff for every structure M′ where PiM ⊆ W for i = 1, . . . , n, and
for every s with s( x ) ∈ W, M′ , s ⊨ STx ( φ). By Proposition 50.16, that is the
case iff for all models M based on F and every world w ∈ W, M, w ⊩ φ, i.e.,
F ⊨ φ.

Definition 50.18. A class F of frames is second-order definable if there is a sen-

tence φ in the second-order language with a single two-place predicate sym-
bol P and quantifiers only over monadic set variables such that F = ⟨W, R⟩ ∈
F iff M ⊨ φ in the structure M with |M| = W and PM = R.

Corollary 50.19. If a class of frames is definable by a formula φ, the corresponding

class of accessibility relations is definable by a monadic second-order sentence.

Proof. The monadic second-order sentence φ′ of the preceding proof has the
required property.

As an example, consider again the formula □p → p. It defines reflexivity.

Reflexivity is of course first-order definable by the sentence ∀ x Q( x, x ). But it
is also definable by the monadic second-order sentence

∀ X ∀ x (∀y ( Q( x, y) → X (y)) → X ( x )).

This means, of course, that the two sentences are equivalent. Here’s how you
might convince yourself of this directly: First suppose the second-order sen-
tence is true in a structure M. Since x and X are universally quantified, the
remainder must hold for any x ∈ W and set X ⊆ W, e.g., the set {z : Rxz}
where R = QM . So, for any s with s( x ) ∈ W and s( X ) = {z : Rxz} we have
M ⊨ ∀y ( Q( x, y) → X (y)) → X ( x ). But by the way we’ve picked s( X ) that
means M, s ⊨ ∀y ( Q( x, y) → Q( x, y)) → Q( x, x ), which is equivalent to Q( x, x )
since the antecedent is valid. Since s( x ) is arbitrary, we have M ⊨ ∀ x Q( x, x ).
Now suppose that M ⊨ ∀ x Q( x, x ) and show that M ⊨ ∀ X ∀ x (∀y ( Q( x, y) →
X (y)) → X ( x )). Pick any assignment s, and assume M, s ⊨ ∀y ( Q( x, y) →
X (y)). Let s′ be the y-variant of s with s′ (y) = s( x ); we have M, s′ ⊨ Q( x, y) →
X (y), i.e., M, s ⊨ Q( x, x ) → X ( x ). Since M ⊨ ∀ x Q( x, x ), the antecedent is true,
and we have M, s ⊨ X ( x ), which is what we needed to show.
Since some definable classes of frames are not first-order definable, not
every monadic second-order sentence of the form φ′ is equivalent to a first-
order sentence. There is no effective method to decide which ones are.

718 Release : d3a1905 (2022-12-19)

50.7. SECOND-ORDER DEFINABILITY

Problems
Problem 50.1. Complete the proof of Theorem 50.1.

Problem 50.2. Prove the claims in Proposition 50.2.

Problem 50.3. Let M = ⟨W, R, V ⟩ be a model. Show that if R satisfies the left-
hand properties of Table 50.2, every instance of the corresponding right-hand
formula is true in M.

Problem 50.4. Show that if the formula on the right side of Table 50.2 is valid
in a frame F, then F has the property on the left side. To do this, consider a
frame that does not satisfy the property on the left, and define a suitable V
such that the formula on the right is false at some world.

Problem 50.5. Prove Proposition 50.9.

Problem 50.6. Prove Proposition 50.12 by showing:

1. If R is symmetric and transitive, it is euclidean.

2. If R is reflexive, it is serial.

3. If R is reflexive and euclidean, it is symmetric.

4. If R is symmetric and euclidean, it is transitive.

5. If R is serial, symmetric, and transitive, it is reflexive.

Explain why this suffices for the proof that the conditions are equivalent.

Release : d3a1905 (2022-12-19) 719

Chapter 51

Axiomatic Derivations

51.1 Introduction
We have a semantics for the basic modal language in terms of modal models,
and a notion of a formula being valid—true at all worlds in all models—or
valid with respect to some class of models or frames—true at all worlds in
all models in the class, or based on the frame. Logic usually connects such
semantic characterizations of validity with a proof-theoretic notion of deriv-
ability. The aim is to define a notion of derivability in some system such that
a formula is derivable iff it is valid.
The simplest and historically oldest derivation systems are so-called Hilbert-
type or axiomatic derivation systems. Hilbert-type derivation systems for
many modal logics are relatively easy to construct: they are simple as ob-
jects of metatheoretical study (e.g., to prove soundness and completeness).
However, they are much harder to use to prove formulas in than, say, natural
deduction systems.
In Hilbert-type derivation systems, a derivation of a formula is a sequence
of formulas leading from certain axioms, via a handful of inference rules, to
the formula in question. Since we want the derivation system to match the
semantics, we have to guarantee that the set of derivable formulas are true
in all models (or true in all models in which all axioms are true). We’ll first
isolate some properties of modal logics that are necessary for this to work:
the “normal” modal logics. For normal modal logics, there are only two in-
ference rules that need to be assumed: modus ponens and necessitation. As
axioms we take all (substitution instances) of tautologies, and, depending on
the modal logic we deal with, a number of modal axioms. Even if we are just
interested in the class of all models, we must also count all substitution in-
stances of K and Dual as axioms. This alone generates the minimal normal
modal logic K.

Definition 51.1. The rule of modus ponens is the inference schema

720
51.2. NORMAL MODAL LOGICS

φ φ→ψ
MP
ψ

We say a formula ψ follows from formulas φ, χ by modus ponens iff χ ≡ φ → ψ.

Definition 51.2. The rule of necessitation is the inference schema

φ
NEC
□φ

We say the formula ψ follows from the formulas φ by necessitation iff ψ ≡ □φ.

Definition 51.3. A derivation from a set of axioms Σ is a sequence of formulas

ψ1 , ψ2 , . . . , ψn , where each ψi is either

1. a substitution instance of a tautology, or

2. a substitution instance of a formula in Σ, or

3. follows from two formulas ψj , ψk with j, k < i by modus ponens, or

4. follows from a formula ψj with j < i by necessitation.

If there is such a derivation with ψn ≡ φ, we say that φ is derivable from Σ, in

symbols Σ ⊢ φ.

With this definition, it will turn out that the set of derivable formulas forms
a normal modal logic, and that any derivable formula is true in every model
in which every axiom is true. This property of derivations is called soundness.
The converse, completeness, is harder to prove.

51.2 Normal Modal Logics

Not every set of modal formulas can easily be characterized as those formulas
derivable from a set of axioms. We want modal logics to be well-behaved.
First of all, everything we can derive in classical propositional logic should
still be derivable, of course taking into account that the formulas may now
contain also □ and ♢. To this end, we require that a modal logic contain all
tautological instances and be closed under modus ponens.

Definition 51.4. A modal logic is a set Σ of modal formulas which

1. contains all tautologies, and

2. is closed under substitution, i.e., if φ ∈ Σ, and θ1 , . . . , θn are formulas,

then
φ[θ1 /p1 , . . . , θn /pn ] ∈ Σ,

3. is closed under modus ponens, i.e., if φ and φ → ψ ∈ Σ, then ψ ∈ Σ.

Release : d3a1905 (2022-12-19) 721

 CHAPTER 51. AXIOMATIC DERIVATIONS

In order to use the relational semantics for modal logics, we also have to re-
quire that all formulas valid in all modal models are included. It turns out that
this requirement is met as soon as all instances of K and DUAL are derivable,
and whenever a formula φ is derivable, so is □φ. A modal logic that satisfies
these conditions is called normal. (Of course, there are also non-normal modal
logics, but the usual relational models are not adequate for them.)

Definition 51.5. A modal logic Σ is normal if it contains

□( p → q) → (□p → □q), (K)

♢p ↔ ¬□¬ p (DUAL)

and is closed under necessitation, i.e., if φ ∈ Σ, then □φ ∈ Σ.

Observe that while tautological implication is “fine-grained” enough to

preserve truth at a world, the rule NEC only preserves truth in a model (and
hence also validity in a frame or in a class of frames).

Proposition 51.6. Every normal modal logic is closed under rule RK,
φ 1 → ( φ 2 → · · · ( φ n −1 → φ n ) · · · )
RK
□φ1 → (□φ2 → · · · (□φn−1 → □φn ) · · · ).

Proof. By induction on n: If n = 1, then the rule is just NEC, and every normal
modal logic is closed under NEC.
Now suppose the result holds for n − 1; we show it holds for n.
Assume

φ 1 → ( φ 2 → · · · ( φ n −1 → φ n ) · · · ) ∈ Σ

By the induction hypothesis, we have

□φ1 → (□φ2 → · · · □( φn−1 → φn ) · · · ) ∈ Σ

Since Σ is a normal modal logic, it contains all instances of K, in particular

□( φn−1 → φn ) → (□φn−1 → □φn ) ∈ Σ

Using modus ponens and suitable tautological instances we get

□φ1 → (□φ2 → · · · (□φn−1 → □φn ) · · · ) ∈ Σ.

Proposition 51.7. Every normal modal logic Σ contains ¬♢⊥.

Proposition 51.8. Let φ1 , . . . , φn be formulas. Then there is a smallest modal logic

Σ containing all instances of φ1 , . . . , φn .

722 Release : d3a1905 (2022-12-19)

51.3. DERIVATIONS AND MODAL SYSTEMS

Proof. Given φ1 , . . . , φn , define Σ as the intersection of all normal modal log-

ics containing all instances of φ1 , . . . , φn . The intersection is non-empty as
Frm(L), the set of all formulas, is such a modal logic.

Definition 51.9. The smallest normal modal logic containing φ1 , . . . , φn is

called a modal system and denoted by Kφ1 . . . φn . The smallest normal modal
logic is denoted by K.

51.3 Derivations and Modal Systems

We first define what a derivation is for normal modal logics. Roughly, a deriva-
tion is a sequence of formulas in which every element is either (a substitution
instance of) one of a number of axioms, or follows from previous elements by
one of a few inference rules. For normal modal logics, all instances of tau-
tologies, K, and DUAL count as axioms. This results in the modal system K,
the smallest normal modal logic. We may wish to add additional axioms to
obtain other systems, however. The rules are always modus ponens MP and
necessitation NEC.
Definition 51.10. Given a modal system Kφ1 . . . φn and a formula ψ we say
that ψ is derivable in Kφ1 . . . φn , written Kφ1 . . . φn ⊢ ψ, if and only if there
are formulas χ1 , . . . , χk such that χk = ψ and each χi is either a tautologi-
cal instance, or an instance of one of K, DUAL, φ1 , . . . , φn , or it follows from
previous formulas by means of the rules MP or NEC.

The following proposition allows us to show that ψ ∈ Σ by exhibiting a

Σ-derivation of ψ.
Proposition 51.11. Kφ1 . . . φn = {ψ : Kφ1 . . . φn ⊢ ψ}.

Proof. We use induction on the length of derivations to show that {ψ : Kφ1 . . . φn ⊢

ψ} ⊆ Kφ1 . . . φn .
If the derivation of ψ has length 1, it contains a single formula. That for-
mula cannot follow from previous formulas by MP or NEC, so must be a tau-
tological instance, an instance of K, DUAL, or an instance of one of φ1 , . . . , φn .
But Kφ1 . . . φn contains these as well, so ψ ∈ Kφ1 . . . φn .
If the derivation of ψ has length > 1, then ψ may in addition be obtained
by MP or NEC from formulas not occurring as the last line in the derivation.
If ψ follows from χ and χ → ψ (by MP), then χ and χ → ψ ∈ Kφ1 . . . φn by
induction hypothesis. But every modal logic is closed under modus ponens,
so ψ ∈ Kφ1 . . . φn . If ψ ≡ □χ follows from χ by NEC, then χ ∈ Kφ1 . . . φn by
induction hypothesis. But every normal modal logic is closed under NEC, so
ψ ∈ Kφ1 . . . φn .
The converse inclusion follows by showing that Σ = {ψ : Kφ1 . . . φn ⊢ ψ}
is a normal modal logic containing all the instances of φ1 , . . . , φn , and the
observation that Kφ1 . . . φn is, by definition, the smallest such logic.

Release : d3a1905 (2022-12-19) 723

 CHAPTER 51. AXIOMATIC DERIVATIONS

1. Every tautology ψ is a tautological instance, so Kφ1 . . . φn ⊢ ψ, so Σ

contains all tautologies.

2. If Kφ1 . . . φn ⊢ χ and Kφ1 . . . φn ⊢ χ → ψ, then Kφ1 . . . φn ⊢ ψ: Combine

the derivation of χ with that of χ → ψ, and add the line ψ. The last line
is justified by MP. So Σ is closed under modus ponens.

3. If ψ has a derivation, then every substitution instance of ψ also has a

derivation: apply the substitution to every formula in the derivation.
(Exercise: prove by induction on the length of derivations that the re-
sult is also a correct derivation). So Σ is closed under uniform substitu-
tion. (We have now established that Σ satisfies all conditions of a modal
logic.)

4. We have Kφ1 . . . φn ⊢ K, so K ∈ Σ.

5. We have Kφ1 . . . φn ⊢ DUAL, so DUAL ∈ Σ.

6. If Kφ1 . . . φn ⊢ χ, the additional line □χ is justified by NEC. Conse-

quently, Σ is closed under NEC. Thus, Σ is normal.

51.4 Proofs in K
In order to practice proofs in the smallest modal system, we show the valid
formulas on the left-hand side of Table 49.1 can all be given K-proofs.

Proposition 51.12. K ⊢ □φ → □(ψ → φ)

Proof.

1. φ → (ψ → φ) TAUT
2. □( φ → (ψ → φ)) NEC , 1
3. □( φ → (ψ → φ)) → (□φ → □(ψ → φ)) K
4. □φ → □(ψ → φ) MP , 2, 3

Proposition 51.13. K ⊢ □( φ ∧ ψ) → (□φ ∧ □ψ)

Proof.

724 Release : d3a1905 (2022-12-19)

51.4. PROOFS IN K

1. ( φ ∧ ψ) → φ TAUT
2. □(( φ ∧ ψ) → φ) NEC
3. □(( φ ∧ ψ) → φ) → (□( φ ∧ ψ) → □φ) K
4. □( φ ∧ ψ) → □φ MP , 2, 3
5. ( φ ∧ ψ) → ψ TAUT
6. □(( φ ∧ ψ) → ψ) NEC
7. □(( φ ∧ ψ) → ψ) → (□( φ ∧ ψ) → □ψ) K
8. □( φ ∧ ψ) → □ψ MP , 6, 7
9. (□( φ ∧ ψ) → □φ) →
((□( φ ∧ ψ) → □ψ) →
(□( φ ∧ ψ) → (□φ ∧ □ψ))) TAUT
10. (□( φ ∧ ψ) → □ψ) →
(□( φ ∧ ψ) → (□φ ∧ □ψ)) MP , 4, 9
11. □( φ ∧ ψ) → (□φ ∧ □ψ) MP , 8, 10.

Note that the formula on line 9 is an instance of the tautology

( p → q) → (( p → r ) → ( p → (q ∧ r ))).

Proposition 51.14. K ⊢ (□φ ∧ □ψ) → □( φ ∧ ψ)

Proof.

1. φ → (ψ → ( φ ∧ ψ)) TAUT
2. □( φ → (ψ → ( φ ∧ ψ))) NEC , 1
3. □( φ → (ψ → ( φ ∧ ψ))) → (□φ → □(ψ → ( φ ∧ ψ))) K
4. □φ → □(ψ → ( φ ∧ ψ)) MP , 2, 3
5. □(ψ → ( φ ∧ ψ)) → (□ψ → □( φ ∧ ψ)) K
6. (□φ → □(ψ → ( φ ∧ ψ))) →
(□(ψ → ( φ ∧ ψ)) → (□ψ → □( φ ∧ ψ))) →
(□φ → (□ψ → □( φ ∧ ψ)))) TAUT
7. (□(ψ → ( φ ∧ ψ)) → (□ψ → □( φ ∧ ψ))) →
(□φ → (□ψ → □( φ ∧ ψ))) MP , 4, 6
8. □φ → (□ψ → □( φ ∧ ψ))) MP , 5, 7
9. (□φ → (□ψ → □( φ ∧ ψ)))) →
((□φ ∧ □ψ) → □( φ ∧ ψ)) TAUT
10. (□φ ∧ □ψ) → □( φ ∧ ψ) MP , 8, 9

The formulas on lines 6 and 9 are instances of the tautologies

( p → q) → ((q → r ) → ( p → r ))
( p → (q → r )) → (( p ∧ q) → r )

Proposition 51.15. K ⊢ ¬□p → ♢¬ p

Release : d3a1905 (2022-12-19) 725

 CHAPTER 51. AXIOMATIC DERIVATIONS

Proof.
1. ♢¬ p ↔ ¬□¬¬ p DUAL
2. (♢¬ p ↔ ¬□¬¬ p) →
(¬□¬¬ p → ♢¬ p) TAUT
3. ¬□¬¬ p → ♢¬ p MP , 1, 2
4. ¬¬ p → p TAUT
5. □(¬¬ p → p) NEC , 4
6. □(¬¬ p → p) → (□¬¬ p → □p) K
7. (□¬¬ p → □p) MP , 5, 6
8. (□¬¬ p → □p) → (¬□p → ¬□¬¬ p) TAUT
9. ¬□p → ¬□¬¬ p MP , 7, 8
10. (¬□p → ¬□¬¬ p) →
((¬□¬¬ p → ♢¬ p) → (¬□p → ♢¬ p)) TAUT
11. (¬□¬¬ p → ♢¬ p) → (¬□p → ♢¬ p) MP , 9, 10
12. ¬□p → ♢¬ p MP , 3, 11
The formulas on lines 8 and 10 are instances of the tautologies

( p → q) → (¬q → ¬ p)
( p → q) → ((q → r ) → ( p → r )).

51.5 Derived Rules

Finding and writing derivations is obviously difficult, cumbersome, and repet-
itive. For instance, very often we want to pass from φ → ψ to □φ → □ψ, i.e.,
apply rule RK. That requires an application of NEC, then recording the proper
instance of K, then applying MP. Passing from φ → ψ and ψ → χ to φ → χ
requires recording the (long) tautological instance

( φ → ψ) → ((ψ → χ) → ( φ → χ))

and applying MP twice. Often we want to replace a sub-formula by a formula

we know to be equivalent, e.g., ♢φ by ¬□¬ φ, or ¬¬ φ by φ. So rather than
write out the actual derivation, it is more convenient to simply record why
the intermediate steps are derivable. For this purpose, let us collect some facts
about derivability.
Proposition 51.16. If K ⊢ φ1 , . . . , K ⊢ φn , and ψ follows from φ1 , . . . , φn by
propositional logic, then K ⊢ ψ.

Proof. If ψ follows from φ1 , . . . , φn by propositional logic, then

φ1 → ( φ2 → · · · ( φ n → ψ ) . . . )

is a tautological instance. Applying MP n times gives a derivation of ψ.

726 Release : d3a1905 (2022-12-19)

51.5. DERIVED RULES

We will indicate use of this proposition by PL.

Proposition 51.17. If K ⊢ φ1 → ( φ2 → · · · ( φn−1 → φn ) . . . ) then K ⊢ □φ1 →

(□φ2 → · · · (□φn−1 → □φn ) . . . ).

Proof. By induction on n, just as in the proof of Proposition 51.6.

We will indicate use of this proposition by RK. Let’s illustrate how these
results help establishing derivability results more easily.

Proposition 51.18. K ⊢ (□φ ∧ □ψ) → □( φ ∧ ψ)

Proof.

1. K ⊢ φ → (ψ → ( φ ∧ ψ)) TAUT
2. K ⊢ □φ → (□ψ → □( φ ∧ ψ))) RK , 1
3. K ⊢ (□φ ∧ □ψ) → □( φ ∧ ψ) PL , 2

Proposition 51.19. If K ⊢ φ ↔ ψ and K ⊢ χ[ φ/q] then K ⊢ χ[ B/q]

Proof. Exercise.

This proposition comes in handy especially when we want to convert ♢

into □ (or vice versa), or remove double negations inside a formula. In what
follows, we will mark applications of Proposition 51.19 by “φ for ψ” whenever
we re-write a formula χ(ψ) for χ( φ). In other words, “φ for ψ” abbreviates:

⊢ χ( φ)
⊢ φ↔ψ
⊢ χ(ψ) by Proposition 51.19

For instance:

Proposition 51.20. K ⊢ ¬□p → ♢¬ p

Proof.

1. K ⊢ ♢¬ p ↔ ¬□¬¬ p DUAL
2. K ⊢ ¬□¬¬ p → ♢¬ p PL ,1
3. K ⊢ ¬□p → ♢¬ p p for ¬¬ p

In the above derivation, the final step “p for ¬¬ p” is short for

K ⊢ ¬□¬¬ p → ♢¬ p
K ⊢ ¬¬ p ↔ p TAUT
K ⊢ ¬□p → ♢¬ p by Proposition 51.19

Release : d3a1905 (2022-12-19) 727

 CHAPTER 51. AXIOMATIC DERIVATIONS

The roles of χ(q), φ, and ψ in Proposition 51.19 are played here, respectively,
by ¬□q → ♢¬ p, ¬¬ p, and p.
When a formula contains a sub-formula ¬♢φ, we can replace it by □¬ φ us-
ing Proposition 51.19, since K ⊢ ¬♢φ ↔ □¬ φ. We’ll indicate this and similar
replacements simply by “□¬ for ¬♢.”
The following proposition justifies that we can establish derivability re-
sults schematically. E.g., the previous proposition does not just establish that
K ⊢ ¬□p → ♢¬ p, but K ⊢ ¬□φ → ♢¬ φ for arbitrary φ.

Proposition 51.21. If φ is a substitution instance of ψ and K ⊢ ψ, then K ⊢ φ.

Proof. It is tedious but routine to verify (by induction on the length of the
derivation of ψ) that applying a substitution to an entire derivation also re-
sults in a correct derivation. Specifically, substitution instances of tautological
instances are themselves tautological instances, substitution instances of in-
stances of DUAL and K are themselves instances of DUAL and K, and applica-
tions of MP and NEC remain correct when substituting formulas for proposi-
tional variables in both premise(s) and conclusion.

51.6 More Proofs in K

Let’s see some more examples of derivability in K, now using the simplified
method introduced in section 51.5.

Proposition 51.22. K ⊢ □( φ → ψ) → (♢φ → ♢ψ)

Proof.

1. K ⊢ ( φ → ψ) → (¬ψ → ¬ φ) PL
2. K ⊢ □( φ → ψ ) → (□¬ ψ → □¬ φ ) RK , 1
3. K ⊢ (□¬ψ → □¬ φ) → (¬□¬ φ → ¬□¬ψ) TAUT
4. K ⊢ □( φ → ψ) → (¬□¬ φ → ¬□¬ψ) PL , 2, 3
5. K ⊢ □( φ → ψ) → (♢φ → ♢ψ) ♢ for ¬□¬.

Proposition 51.23. K ⊢ □φ → (♢( φ → ψ) → ♢ψ)

Proof.

1. K ⊢ φ → (¬ψ → ¬( φ → ψ)) TAUT

2. K ⊢ □φ → (□¬ψ → □¬( φ → ψ)) RK ,1
3. K ⊢ □φ → (¬□¬( φ → ψ) → ¬□¬ψ) PL ,2
4. K ⊢ □φ → (♢( φ → ψ) → ♢ψ) ♢ for ¬□¬.

Proposition 51.24. K ⊢ (♢φ ∨ ♢ψ) → ♢( φ ∨ ψ)

728 Release : d3a1905 (2022-12-19)

51.7. DUAL FORMULAS

Proof.

1. K ⊢ ¬( φ ∨ ψ) → ¬ φ TAUT
2. K ⊢ □¬( φ ∨ ψ) → □¬ φ RK , 1
3. K ⊢ ¬□¬ φ → ¬□¬( φ ∨ ψ) PL , 2
4. K ⊢ ♢φ → ♢( φ ∨ ψ) ♢ for ¬□¬
5. K ⊢ ♢ψ → ♢( φ ∨ ψ) similarly
6. K ⊢ (♢φ ∨ ♢ψ) → ♢( φ ∨ ψ) PL , 4, 5.

Proposition 51.25. K ⊢ ♢( φ ∨ ψ) → (♢φ ∨ ♢ψ)

Proof.

1. K ⊢ ¬ φ → (¬ψ → ¬( φ ∨ ψ) TAUT
2. K ⊢ □¬ φ → (□¬ψ → □¬( φ ∨ ψ) RK
3. K ⊢ □¬ φ → (¬□¬( φ ∨ ψ) → ¬□¬ψ)) PL , 2
4. K ⊢ ¬□¬( φ ∨ ψ) → (□¬ φ → ¬□¬ψ) PL , 3
5. K ⊢ ¬□¬( φ ∨ ψ) → (¬¬□¬ψ → ¬□¬ φ) PL , 4
6. K ⊢ ♢( φ ∨ ψ) → (¬♢ψ → ♢φ) ♢ for ¬□¬
7. K ⊢ ♢( φ ∨ ψ) → (♢ψ ∨ ♢φ) PL , 6.

51.7 Dual Formulas

Definition 51.26. Each of the formulas T, B, 4, and 5 has a dual, denoted by a
subscripted diamond, as follows:

p → ♢p (T♢ )
♢□p → p (B♢ )
♢♢p → ♢p (4♢ )
♢□p → □p (5♢ )

Each of the above dual formulas is obtained from the corresponding for-
mula by substituting ¬ p for p, contraposing, replacing ¬□¬ by ♢, and replac-
ing ¬♢¬ by □. D, i.e., □φ → ♢φ is its own dual in that sense.

51.8 Proofs in Modal Systems

We now come to proofs in systems of modal logic other than K.

Proposition 51.27. The following provability results obtain:

1. KT5 ⊢ B;

2. KT5 ⊢ 4;

Release : d3a1905 (2022-12-19) 729

 CHAPTER 51. AXIOMATIC DERIVATIONS

3. KDB4 ⊢ T;

4. KB4 ⊢ 5;

5. KB5 ⊢ 4;

6. KT ⊢ D.

Proof. We exhibit proofs for each.

1. KT5 ⊢ B:

1. KT5 ⊢ ♢φ → □♢φ 5
2. KT5 ⊢ φ → ♢φ T♢
3. KT5 ⊢ φ → □♢φ PL .

2. KT5 ⊢ 4:

1. KT5 ⊢ ♢□φ → □♢□φ 5 with □φ for p

2. KT5 ⊢ □φ → ♢□φ T♢ with □φ for p
3. KT5 ⊢ □φ → □♢□φ PL , 1, 2
4. KT5 ⊢ ♢□φ → □φ 5♢
5. KT5 ⊢ □♢□φ → □□φ RK , 4
6. KT5 ⊢ □φ → □□φ PL , 3, 5.

3. KDB4 ⊢ T:

1. KDB4 ⊢ ♢□φ → φ B♢
2. KDB4 ⊢ □□φ → ♢□φ D with □φ for p
3. KDB4 ⊢ □□φ → φ PL 1, 2
4. KDB4 ⊢ □φ → □□φ 4
5. KDB4 ⊢ □φ → φ PL , 1, 4.

4. KB4 ⊢ 5:

1. KB4 ⊢ ♢φ → □♢♢φ B with ♢φ for p

2. KB4 ⊢ ♢♢φ → ♢φ 4♢
3. KB4 ⊢ □♢♢φ → □♢φ RK , 2
4. KB4 ⊢ ♢φ → □♢φ PL , 1, 3.

5. KB5 ⊢ 4:

1. KB5 ⊢ □φ → □♢□φ B with □φ for p

2. KB5 ⊢ ♢□φ → □φ 5♢
3. KB5 ⊢ □♢□φ → □□φ RK , 2
4. KB5 ⊢ □φ → □□φ PL , 1, 3.

730 Release : d3a1905 (2022-12-19)

51.9. SOUNDNESS

6. KT ⊢ D:

1. KT ⊢ □φ → φ T
2. KT ⊢ φ → ♢φ T♢
3. KT ⊢ □φ → ♢φ PL , 1, 2

Definition 51.28. Following tradition, we define S4 to be the system KT4, and

S5 the system KTB4.

The following proposition shows that the classical system S5 has several
equivalent axiomatizations. This should not surprise, as the various combina-
tions of axioms all characterize equivalence relations (see Proposition 50.12).
Proposition 51.29. KTB4 = KT5 = KDB4 = KDB5.

Proof. Exercise.

51.9 Soundness
A derivation system is called sound if everything that can be derived is valid.
When considering modal systems, i.e., derivations where in addition to K we
can use instances of some formulas φ1 , . . . , φn , we want every derivable for-
mula to be true in any model in which φ1 , . . . , φn are true.
Theorem 51.30 (Soundness Theorem). If every instance of φ1 , . . . , φn is valid in
the classes of models C1 , . . . , Cn , respectively, then Kφ1 . . . φn ⊢ ψ implies that ψ is
valid in the class of models C1 ∩ · · · ∩ Cn .

Proof. By induction on length of proofs. For brevity, put C = C1 ∩ · · · ∩ Cn .

1. Induction Basis: If ψ has a proof of length 1, then it is either a tautological
instance, an instance of K, or of DUAL, or an instance of one of φ1 , . . . , φn .
In the first case, ψ is valid in C , since tautological instance are valid in
any class of models, by Proposition 49.16. Similarly in the second case,
by Proposition 49.19 and Proposition 49.20. Finally in the third case,
since ψ is valid in Ci and C ⊆ Ci , we have that ψ is valid in C as well by
Proposition 49.12.
2. Inductive step: Suppose ψ has a proof of length k > 1. If ψ is a tauto-
logical instance or an instance of one of φ1 , . . . , φn , we proceed as in the
previous step. So suppose ψ is obtained by MP from previous formulas
χ → ψ and χ. Then χ → ψ and χ have proofs of length < k, and by in-
ductive hypothesis they are valid in C . By Proposition 49.21, ψ is valid in
C as well. Finally suppose ψ is obtained by NEC from χ (so that ψ = □χ).
By inductive hypothesis, χ is valid in C , and by Proposition 49.13 so is ψ.

Release : d3a1905 (2022-12-19) 731

 CHAPTER 51. AXIOMATIC DERIVATIONS

51.10 Showing Systems are Distinct

In section 51.8 we saw how to prove that two systems of modal logic are in fact
the same system. Theorem 51.30 allows us to show that two modal systems
Σ and Σ′ are distinct, by finding a formula φ such that Σ′ ⊢ φ that fails in a
model of Σ.

Proposition 51.31. KD ⊊ KT

Proof. This is the syntactic counterpart to the semantic fact that all reflexive
relations are serial. To show KD ⊆ KT we need to see that KD ⊢ ψ implies
KT ⊢ ψ, which follows from KT ⊢ D, as shown in Proposition 51.27(6). To
show that the inclusion is proper, by Soundness (Theorem 51.30), it suffices
to exhibit a model of KD where T, i.e., □p → p, fails (an easy task left as an
exercise), for then by Soundness KD ⊬ □p → p.

Proposition 51.32. KB ̸= K4.

Proof. We construct a symmetric model where some instance of 4 fails; since

obviously the instance is derivable for K4 but not in KB, it will follow K4 ⊈
KB. Consider the symmetric model M of Figure 51.1. Since the model is
symmetric, K and B are true in M (by Proposition 49.19 and Theorem 50.1,
respectively). However, M, w1 ⊮ □p → □□p.

¬p p
w1 w2
⊩ □p ⊮ □p
⊮ □□p

Figure 51.1: A symmetric model falsifying an instance of 4.

Theorem 51.33. KTB ⊬ 4 and KTB ⊬ 5.

Proof. By Theorem 50.1 we know that all instances of T and B are true in every
reflexive symmetric model (respectively). So by soundness, it suffices to find
a reflexive symmetric model containing a world at which some instance of 4
fails, and similarly for 5. We use the same model for both claims. Consider
the symmetric, reflexive model in Figure 51.2. Then M, w1 ⊮ □p → □□p, so 4
fails at w1 . Similarly, M, w2 ⊮ ♢¬ p → □♢¬ p, so the instance of 5 with φ = ¬ p
fails at w2 .

Theorem 51.34. KD5 ̸= KT4 = S4.

732 Release : d3a1905 (2022-12-19)

51.11. DERIVABILITY FROM A SET OF FORMULAS

w1 p w2 p w3 ¬ p
⊩ □p ⊩ ♢¬ p
⊮ □□p ⊮ □♢¬ p
⊮ ♢¬ p

Figure 51.2: The model for Theorem 51.33.

w4 ¬ p

p p
w2 w3

w1 ¬ p
⊩ □p, ⊮ □□p

Figure 51.3: The model for Theorem 51.34.

Proof. By Theorem 50.1 we know that all instances of D and 5 are true in all se-
rial euclidean models. So it suffices to find a serial euclidean model containing
a world at which some instance of 4 fails. Consider the model of Figure 51.3,
and notice that M, w1 ⊮ □p → □□p.

51.11 Derivability from a Set of Formulas

In section 51.8 we defined a notion of provability of a formula in a system Σ.

We now extend this notion to provability in Σ from formulas in a set Γ.

Definition 51.35. A formula φ is derivable in a system Σ from a set of for-

mulas Γ, written Γ ⊢Σ φ if and only if there are ψ1 , . . . , ψn ∈ Γ such that
Σ ⊢ ψ1 → (ψ2 → · · · (ψn → φ) · · · ).

Release : d3a1905 (2022-12-19) 733

 CHAPTER 51. AXIOMATIC DERIVATIONS

51.12 Properties of Derivability

Proposition 51.36. Let Σ be a modal system and Γ a set of modal formulas. The
following properties hold:

1. Monotonicity: If Γ ⊢Σ φ and Γ ⊆ ∆ then ∆ ⊢Σ φ;

2. Reflexivity: If φ ∈ Γ then Γ ⊢Σ φ;

3. Cut: If Γ ⊢Σ φ and ∆ ∪ { φ} ⊢Σ ψ then Γ ∪ ∆ ⊢Σ ψ;

4. Deduction theorem: Γ ∪ {ψ} ⊢Σ φ if and only if Γ ⊢Σ ψ → φ;

5. Γ ⊢Σ φ1 and . . . and Γ ⊢Σ φn and φ1 → ( φ2 → · · · ( φn → ψ) · · · ) is a

tautological instance, then Γ ⊢Σ ψ.

The proof is an easy exercise. Part (5) of Proposition 51.36 gives us that, for
instance, if Γ ⊢Σ φ ∨ ψ and Γ ⊢Σ ¬ φ, then Γ ⊢Σ ψ. Also, in what follows, we
write Γ, φ ⊢Σ ψ instead of Γ ∪ { φ} ⊢Σ ψ.

Definition 51.37. A set Γ is deductively closed relatively to a system Σ if and

only if Γ ⊢Σ φ implies φ ∈ Γ.

51.13 Consistency
Consistency is an important property of sets of formulas. A set of formulas is
inconsistent if a contradiction, such as ⊥, is derivable from it; and otherwise
consistent. If a set is inconsistent, its formulas cannot all be true in a model at a
world. For the completeness theorem we prove the converse: every consistent
set is true at a world in a model, namely in the “canonical model.”

Definition 51.38. A set Γ is consistent relatively to a system Σ or, as we will

say, Σ-consistent, if and only if Γ ⊬Σ ⊥.

So for instance, the set {□( p → q), □p, ¬□q} is consistent relatively to propo-
sitional logic, but not K-consistent. Similarly, the set {♢p, □♢p → q, ¬q} is not
K5-consistent.

Proposition 51.39. Let Γ be a set of formulas. Then:

1. Γ is Σ-consistent if and only if there is some formula φ such that Γ ⊬Σ φ.

2. Γ ⊢Σ φ if and only if Γ ∪ {¬ φ} is not Σ-consistent.

3. If Γ is Σ-consistent, then for any formula φ, either Γ ∪ { φ} is Σ-consistent or

Γ ∪ {¬ φ} is Σ-consistent.

734 Release : d3a1905 (2022-12-19)

51.13. CONSISTENCY

Proof. These facts follow easily using classical propositional logic. We give the
argument for (3). Proceed contrapositively and suppose neither Γ ∪ { φ} nor
Γ ∪ {¬ φ} is Σ-consistent. Then by (2), both Γ, φ ⊢Σ ⊥ and Γ, ¬ φ ⊢Σ ⊥. By the
deduction theorem Γ ⊢Σ φ → ⊥ and Γ ⊢Σ ¬ φ → ⊥. But ( φ → ⊥) → ((¬ φ →
⊥) → ⊥) is a tautological instance, hence by Proposition 51.36(5), Γ ⊢Σ ⊥.

Problems
Problem 51.1. Prove Proposition 51.7.

Problem 51.2. Find derivations in K for the following formulas:

1. □¬ p → □( p → q)

2. (□p ∨ □q) → □( p ∨ q)

3. ♢p → ♢( p ∨ q)

Problem 51.3. Prove Proposition 51.19 by proving, by induction on the com-

plexity of χ, that if K ⊢ φ ↔ ψ then K ⊢ χ[ φ/q] ↔ χ[ψ/q].

Problem 51.4. Show that the following derivability claims hold:

1. K ⊢ ♢¬⊥ → (□φ → ♢φ);

2. K ⊢ □( φ ∨ ψ) → (♢φ ∨ □ψ);

3. K ⊢ (♢φ → □ψ) → □( φ → ψ).

Problem 51.5. Show that for each formula φ in Definition 51.26: K ⊢ φ ↔ φ♢ .

Problem 51.6. Prove Proposition 51.29.

Problem 51.7. Give an alternative proof of Theorem 51.34 using a model with
3 worlds.

Problem 51.8. Provide a single reflexive transitive model showing that both
KT4 ⊬ B and KT4 ⊬ 5.

Release : d3a1905 (2022-12-19) 735

Chapter 52

Completeness and Canonical

Models

52.1 Introduction
If Σ is a modal system, then the soundness theorem establishes that if Σ ⊢ φ,
then φ is valid in any class C of models in which all instances of all formulas
in Σ are valid. In particular that means that if K ⊢ φ then φ is true in all
models; if KT ⊢ φ then φ is true in all reflexive models; if KD ⊢ φ then φ is
true in all serial models, etc.
Completeness is the converse of soundness: that K is complete means that
if a formula φ is valid, ⊢ φ, for instance. Proving completeness is a lot harder
to do than proving soundness. It is useful, first, to consider the contrapositive:
K is complete iff whenever ⊬ φ, there is a countermodel, i.e., a model M such
that M ⊮ φ. Equivalently (negating φ), we could prove that whenever ⊬
¬ φ, there is a model of φ. In the construction of such a model, we can use
information contained in φ. When we find models for specific formulas we
often do the same: e.g., if we want to find a countermodel to p → □q, we know
that it has to contain a world where p is true and □q is false. And a world
where □q is false means there has to be a world accessible from it where q is
false. And that’s all we need to know: which worlds make the propositional
variables true, and which worlds are accessible from which worlds.
In the case of proving completeness, however, we don’t have a specific
formula φ for which we are constructing a model. We want to establish that
a model exists for every φ such that ⊬Σ ¬ φ. This is a minimal requirement,
since if ⊢Σ ¬ φ, by soundness, there is no model for φ (in which Σ is true).
Now note that ⊬Σ ¬ φ iff φ is Σ-consistent. (Recall that Σ ⊬Σ ¬ φ and φ ⊬Σ ⊥
are equivalent.) So our task is to construct a model for every Σ-consistent
formula.
The trick we’ll use is to find a Σ-consistent set of formulas that contains φ,
but also other formulas which tell us what the world that makes φ true has to

736
52.2. COMPLETE Σ-CONSISTENT SETS

look like. Such sets are complete Σ-consistent sets. It’s not enough to construct
a model with a single world to make φ true, it will have to contain multiple
worlds and an accessibility relation. The complete Σ-consistent set contain-
ing φ will also contain other formulas of the form □ψ and ♢χ. In all accessible
worlds, ψ has to be true; in at least one, χ has to be true. In order to accom-
plish this, we’ll simply take all possible complete Σ-consistent sets as the basis
for the set of worlds. A tricky part will be to figure out when a complete
Σ-consistent set should count as being accessible from another in our model.
We’ll show that in the model so defined, φ is true at a world—which is
also a complete Σ-consistent set—iff φ is an element of that set. If φ is Σ-
consistent, it will be an element of at least one complete Σ-consistent set (a
fact we’ll prove), and so there will be a world where φ is true. So we will have
a single model where every Σ-consistent formula φ is true at some world. This
single model is the canonical model for Σ.

52.2 Complete Σ-Consistent Sets

Suppose Σ is a set of modal formulas—think of them as the axioms or defining
principles of a normal modal logic. A set Γ is Σ-consistent iff Γ ⊬Σ ⊥, i.e., if
there is no derivation of φ1 → ( φ2 → · · · ( φn → ⊥) . . . ) from Σ, where each
φi ∈ Γ. We will construct a “canonical” model in which each world is taken
to be a special kind of Σ-consistent set: one which is not just Σ-consistent,
but maximally so, in the sense that it settles the truth value of every modal
formula: for every φ, either φ ∈ Γ or ¬ φ ∈ Γ:

Definition 52.1. A set Γ is complete Σ-consistent if and only if it is Σ-consistent

and for every φ, either φ ∈ Γ or ¬ φ ∈ Γ.

Complete Σ-consistent sets Γ have a number of useful properties. For one,

they are deductively closed, i.e., if Γ ⊢Σ φ then φ ∈ Γ. This means in particu-
lar that every instance of a formula φ ∈ Σ is also ∈ Γ. Moreover, membership
in Γ mirrors the truth conditions for the propositional connectives. This will
be important when we define the “canonical model.”

Proposition 52.2. Suppose Γ is complete Σ-consistent. Then:

1. Γ is deductively closed in Σ.

2. Σ ⊆ Γ.

3. ⊥ ∈
/Γ

4. ¬ φ ∈ Γ if and only if φ ∈
/ Γ.

5. φ ∧ ψ ∈ Γ iff φ ∈ Γ and ψ ∈ Γ

6. φ ∨ ψ ∈ Γ iff φ ∈ Γ or ψ ∈ Γ

Release : d3a1905 (2022-12-19) 737

 CHAPTER 52. COMPLETENESS AND CANONICAL MODELS

7. φ → ψ ∈ Γ iff φ ∈
/ Γ or ψ ∈ Γ

Proof. 1. Suppose Γ ⊢Σ φ but φ ∈

/ Γ. Then since Γ is complete Σ-consistent,
¬ φ ∈ Γ. This would make Γ inconsistent, since φ, ¬ φ ⊢Σ ⊥.
2. If φ ∈ Σ then Γ ⊢Σ φ, and φ ∈ Γ by deductive closure, i.e., case (1).

3. If ⊥ ∈ Γ, then Γ ⊢Σ ⊥, so Γ would be Σ-inconsistent.

4. If ¬ φ ∈ Γ, then by consistency φ ∈
/ Γ; and if φ ∈
/ Γ then φ ∈ Γ since Γ is
complete Σ-consistent.

5. Exercise.

6. Suppose φ ∨ ψ ∈ Γ, and φ ∈ / Γ and ψ ∈

/ Γ. Since Γ is complete Σ-
consistent, ¬ φ ∈ Γ and ¬ψ ∈ Γ. Then ¬( φ ∨ ψ) ∈ Γ since ¬ φ →
(¬ψ → ¬( φ ∨ ψ)) is a tautological instance. This would mean that Γ
is Σ-inconsistent, a contradiction.

7. Exercise.

52.3 Lindenbaum’s Lemma

Lindenbaum’s Lemma establishes that every Σ-consistent set of formulas is
contained in at least one complete Σ-consistent set. Our construction of the
canonical model will show that for each complete Σ-consistent set ∆, there is a
world in the canonical model where all and only the formulas in ∆ are true. So
Lindenbaum’s Lemma guarantees that every Σ-consistent set is true at some
world in the canonical model.

Theorem 52.3 (Lindenbaum’s Lemma). If Γ is Σ-consistent then there is a com-

plete Σ-consistent set ∆ extending Γ.

Proof. Let φ0 , φ1 , . . . be an exhaustive listing of all formulas of the language

(repetitions are allowed). For instance, start by listing p0 , and at each stage
n ≥ 1 list the finitely many formulas of length n using only variables among
p0 , . . . , pn . We define sets of formulas ∆ n by induction on n, and we then set
S
∆ = n ∆ n . We first put ∆ 0 = Γ. Supposing that ∆ n has been defined, we
define ∆ n+1 by:
(
∆ n ∪ { φ n }, if ∆ n ∪ { φn } is Σ-consistent;
∆ n +1 =
∆ n ∪ {¬ φn }, otherwise.

Now let ∆ = ∞
S
n =0 ∆ n .
We have to show that this definition actually yields a set ∆ with the re-
quired properties, i.e., Γ ⊆ ∆ and ∆ is complete Σ-consistent.

738 Release : d3a1905 (2022-12-19)

52.4. MODALITIES AND COMPLETE CONSISTENT SETS

It’s obvious that Γ ⊆ ∆, since ∆ 0 ⊆ ∆ by construction, and ∆ 0 = Γ. In

fact, ∆ n ⊆ ∆ for all n, since ∆ is the union of all ∆ n . (Since in each step of
the construction, we add a formula to the set already constructed, ∆ n ⊆ ∆ n+1 ,
so since ⊆ is transitive, ∆ n ⊆ ∆ m whenever n ≤ m.) At each stage of the
construction, we either add φn or ¬ φn , and every formula appears (at least
once) in the list of all φn . So, for every φ either φ ∈ ∆ or ¬ φ ∈ ∆, so ∆ is
complete by definition.
Finally, we have to show, that ∆ is Σ-consistent. To do this, we show that
(a) if ∆ were Σ-inconsistent, then some ∆ n would be Σ-inconsistent, and (b)
all ∆ n are Σ-consistent.
So suppose ∆ were Σ-inconsistent. Then ∆ ⊢Σ ⊥, i.e., there are φ1 , . . . , φk ∈
∆ such that Σ ⊢ φ1 → ( φ2 → · · · ( φk → ⊥) . . . ). Since ∆ = ∞
S
n=0 ∆ n , each
φi ∈ ∆ ni for some ni . Let n be the largest of these. Since ni ≤ n, ∆ ni ⊆ ∆ n . So,
all φi are in some ∆ n . This would mean ∆ n ⊢Σ ⊥, i.e., ∆ n is Σ-inconsistent.
To show that each ∆ n is Σ-consistent, we use a simple induction on n.
∆ 0 = Γ, and we assumed Γ was Σ-consistent. So the claim holds for n = 0.
Now suppose it holds for n, i.e., ∆ n is Σ-consistent. ∆ n+1 is either ∆ n ∪ { φn }
if that is Σ-consistent, otherwise it is ∆ n ∪ {¬ φn }. In the first case, ∆ n+1 is
clearly Σ-consistent. However, by Proposition 51.39(3), either ∆ n ∪ { φn } or
∆ n ∪ {¬ φn } is consistent, so ∆ n+1 is consistent in the other case as well.

Corollary 52.4. Γ ⊢Σ φ if and only if φ ∈ ∆ for each complete Σ-consistent set ∆

extending Γ (including when Γ = ∅, in which case we get another characterization
of the modal system Σ.)

Proof. Suppose Γ ⊢Σ φ, and let ∆ be any complete Σ-consistent set extending

Γ. If φ ∈
/ ∆ then by maximality ¬ φ ∈ ∆ and so ∆ ⊢Σ φ (by monotonicity) and
∆ ⊢Σ ¬ φ (by reflexivity), and so ∆ is inconsistent. Conversely if Γ ⊬Σ φ, then
Γ ∪ {¬ φ} is Σ-consistent, and by Lindenbaum’s Lemma there is a complete
consistent set ∆ extending Γ ∪ {¬ φ}. By consistency, φ ∈/ ∆.

52.4 Modalities and Complete Consistent Sets

When we construct a model MΣ whose set of worlds is given by the complete
Σ-consistent sets ∆ in some normal modal logic Σ, we will also need to define
an accessibility relation RΣ between such “worlds.” We want it to be the case
that the accessibility relation (and the assignment V Σ ) are defined in such a
way that MΣ , ∆ ⊩ φ iff φ ∈ ∆. How should we do this?
Once the accessibility relation is defined, the definition of truth at a world
ensures that MΣ , ∆ ⊩ □φ iff MΣ , ∆′ ⊩ φ for all ∆′ such that RΣ ∆∆′ . The proof
that MΣ , ∆ ⊩ φ iff φ ∈ ∆ requires that this is true in particular for formulas
starting with a modal operator, i.e., MΣ , ∆ ⊩ □φ iff □φ ∈ ∆. Combining this
requirement with the definition of truth at a world for □φ yields:
□φ ∈ ∆ iff φ ∈ ∆′ for all ∆′ with RΣ ∆∆′

Release : d3a1905 (2022-12-19) 739

 CHAPTER 52. COMPLETENESS AND CANONICAL MODELS

Consider the left-to-right direction: it says that if □φ ∈ ∆, then φ ∈ ∆′ for

any φ and any ∆′ with RΣ ∆∆′ . If we stipulate that RΣ ∆∆′ iff φ ∈ ∆′ for all
□φ ∈ ∆, then this holds. We can write the condition on the right of the “iff”
more compactly as: { φ : □φ ∈ ∆} ⊆ ∆′ .
So the question is: does this definition of RΣ in fact guarantee that □φ ∈ ∆
iff MΣ , ∆ ⊩ □φ? Does it also guarantee that ♢φ ∈ ∆ iff MΣ , ∆ ⊩ ♢φ? The next
few results will establish this.

Definition 52.5. If Γ is a set of formulas, let

□Γ = {□ψ : ψ ∈ Γ }
♢Γ = {♢ψ : ψ ∈ Γ }

and

□−1 Γ = {ψ : □ψ ∈ Γ }
♢−1 Γ = {ψ : ♢ψ ∈ Γ }

In other words, □Γ is Γ with □ in front of every formula in Γ; □−1 Γ is

all the □’ed formulas of Γ with the initial □’s removed. This definition is not
terribly important on its own, but will simplify the notation considerably.
Note that □□−1 Γ ⊆ Γ:

□□−1 Γ = {□ψ : □ψ ∈ Γ }

i.e., it’s just the set of all those formulas of Γ that start with □.

Lemma 52.6. If Γ ⊢Σ φ then □Γ ⊢Σ □φ.

Proof. If Γ ⊢Σ φ then there are ψ1 , . . . , ψk ∈ Γ such that Σ ⊢ ψ1 → (ψ2 →

· · · (ψn → φ) · · · ). Since Σ is normal, by rule RK, Σ ⊢ □ψ1 → (□ψ2 → · · · (□ψn →
□φ) · · · ), where obviously □ψ1 , . . . , □ψk ∈ □Γ. Hence, by definition, □Γ ⊢Σ
□φ.

Lemma 52.7. If □−1 Γ ⊢Σ φ then Γ ⊢Σ □φ.

Proof. Suppose □−1 Γ ⊢Σ φ; then by Lemma 52.6, □□−1 Γ ⊢ □φ. But since
□□−1 Γ ⊆ Γ, also Γ ⊢Σ □φ by monotonicity.

Proposition 52.8. If Γ is complete Σ-consistent, then □φ ∈ Γ if and only if for

every complete Σ-consistent ∆ such that □−1 Γ ⊆ ∆, it holds that φ ∈ ∆.

740 Release : d3a1905 (2022-12-19)

52.5. CANONICAL MODELS

Proof. Suppose Γ is complete Σ-consistent. The “only if” direction is easy:

Suppose □φ ∈ Γ and that □−1 Γ ⊆ ∆. Since □φ ∈ Γ, φ ∈ □−1 Γ ⊆ ∆, so φ ∈ ∆.
For the “if” direction, we prove the contrapositive: Suppose □φ ∈
/ Γ. Since
Γ is complete Σ-consistent, it is deductively closed, and hence Γ ⊬Σ □φ.
By Lemma 52.7, □−1 Γ ⊬Σ φ. By Proposition 51.39(2), □−1 Γ ∪ {¬ φ} is Σ-
consistent. By Lindenbaum’s Lemma, there is a complete Σ-consistent set ∆
such that □−1 Γ ∪ {¬ φ} ⊆ ∆. By consistency, φ ∈/ ∆.

Lemma 52.9. Suppose Γ and ∆ are complete Σ-consistent. Then □−1 Γ ⊆ ∆ if and
only if ♢∆ ⊆ Γ.

Proof. “Only if” direction: Assume □−1 Γ ⊆ ∆ and suppose ♢φ ∈ ♢∆ (i.e.,

φ ∈ ∆). In order to show ♢φ ∈ Γ, it suffices to show □¬ φ ∈ / Γ, for then by
maximality, ¬□¬ φ ∈ Γ. Now, if □¬ φ ∈ Γ then by hypothesis ¬ φ ∈ ∆, against
the consistency of ∆ (since φ ∈ ∆). Hence □¬ φ ∈ / Γ, as required.
“If” direction: Assume ♢∆ ⊆ Γ. We argue contrapositively: suppose φ ∈ /∆
in order to show □φ ∈ / Γ. If φ ∈ / ∆ then by maximality ¬ φ ∈ ∆ and so by
hypothesis ♢¬ φ ∈ Γ. But in a normal modal logic ♢¬ φ is equivalent to ¬□φ,
and if the latter is in Γ, by consistency □φ ∈/ Γ, as required.

Proposition 52.10. If Γ is complete Σ-consistent, then ♢φ ∈ Γ if and only if for

some complete Σ-consistent ∆ such that ♢∆ ⊆ Γ, it holds that φ ∈ ∆.

Proof. Suppose Γ is complete Σ-consistent. ♢φ ∈ Γ iff ¬□¬ φ ∈ Γ by DUAL

and closure. ¬□¬ φ ∈ Γ iff □¬ φ ∈ / Γ by Proposition 52.2(4) since Γ is com-
plete Σ-consistent. By Proposition 52.8, □¬ φ ∈ / Γ iff, for some complete
Σ-consistent ∆ with □−1 Γ ⊆ ∆, ¬ φ ∈ / ∆. Now consider any such ∆. By
Lemma 52.9, □−1 Γ ⊆ ∆ iff ♢∆ ⊆ Γ. Also, ¬ φ ∈ / ∆ iff φ ∈ ∆ by Proposi-
tion 52.2(4). So ♢φ ∈ Γ iff, for some complete Σ-consistent ∆ with ♢∆ ⊆ Γ,
φ ∈ ∆.

52.5 Canonical Models

The canonical model for a modal system Σ is a specific model MΣ in which
the worlds are all complete Σ-consistent sets. Its accessibility relation RΣ and
valuation V Σ are defined so as to guarantee that the formulas true at a world ∆
are exactly the formulas making up ∆.

Definition 52.11. Let Σ be a normal modal logic. The canonical model for Σ is
MΣ = ⟨W Σ , RΣ , V Σ ⟩, where:

1. W Σ = {∆ : ∆ is complete Σ-consistent}.

2. RΣ ∆∆′ holds if and only if □−1 ∆ ⊆ ∆′ .

3. V Σ ( p) = {∆ : p ∈ ∆}.

Release : d3a1905 (2022-12-19) 741

 CHAPTER 52. COMPLETENESS AND CANONICAL MODELS

52.6 The Truth Lemma

The canonical model MΣ is defined in such a way that MΣ , ∆ ⊩ φ iff φ ∈ ∆.
For propositional variables, the definition of V Σ yields this directly. We have
to verify that the equivalence holds for all formulas, however. We do this by
induction. The inductive step involves proving the equivalence for formulas
involving propositional operators (where we have to use Proposition 52.2)
and the modal operators (where we invoke the results of section 52.4).
Proposition 52.12 (Truth Lemma). For every formula φ, MΣ , ∆ ⊩ φ if and only
if φ ∈ ∆.

Proof. By induction on φ.
1. φ ≡ ⊥: MΣ , ∆ ⊮ ⊥ by Definition 49.7, and ⊥ ∈
/ ∆ by Proposition 52.2(3).
2. φ ≡ p: MΣ , ∆ ⊩ p iff ∆ ∈ V Σ ( p) by Definition 49.7. Also, ∆ ∈ V Σ ( p) iff
p ∈ ∆ by definition of V Σ .
3. φ ≡ ¬ψ: MΣ , ∆ ⊩ ¬ψ iff MΣ , ∆ ⊮ ψ (Definition 49.7) iff ψ ∈
/ ∆ (by
inductive hypothesis) iff ¬ψ ∈ ∆ (by Proposition 52.2(4)).
4. φ ≡ ψ ∧ χ: Exercise.
5. φ ≡ ψ ∨ χ: MΣ , ∆ ⊩ ψ ∨ χ iff MΣ , ∆ ⊩ ψ or MΣ , ∆ ⊩ χ (by Defini-
tion 49.7) iff ψ ∈ ∆ or χ ∈ ∆ (by inductive hypothesis) iff ψ ∨ χ ∈ ∆ (by
Proposition 52.2(6)).
6. φ ≡ ψ → χ: Exercise.
7. φ ≡ □ψ: First suppose that MΣ , ∆ ⊩ □ψ. By Definition 49.7, for every
∆′ such that RΣ ∆∆′ , MΣ , ∆′ ⊩ ψ. By inductive hypothesis, for every ∆′
such that RΣ ∆∆′ , ψ ∈ ∆′ . By definition of RΣ , for every ∆′ such that
□−1 ∆ ⊆ ∆′ , ψ ∈ ∆′ . By Proposition 52.8, □ψ ∈ ∆.
Now assume □ψ ∈ ∆. Let ∆′ ∈ W Σ be such that RΣ ∆∆′ , i.e., □−1 ∆ ⊆
∆′ . Since □ψ ∈ ∆, ψ ∈ □−1 ∆. Consequently, ψ ∈ ∆′ . By inductive
hypothesis, MΣ , ∆′ ⊩ ψ. Since ∆′ is arbitrary with RΣ ∆∆′ , for all ∆′ ∈ W Σ
such that RΣ ∆∆′ , MΣ , ∆′ ⊩ ψ. By Definition 49.7, MΣ , ∆ ⊩ □ψ.
8. φ ≡ ♢ψ: Exercise.

52.7 Determination and Completeness for K

We are now prepared to use the canonical model to establish completeness.
Completeness follows from the fact that the formulas true in the canonical
model for Σ are exactly the Σ-derivable ones. Models with this property are
said to determine Σ.

742 Release : d3a1905 (2022-12-19)

52.8. FRAME COMPLETENESS

Definition 52.13. A model M determines a normal modal logic Σ precisely

when M ⊩ φ if and only if Σ ⊢ φ, for all formulas φ.

Theorem 52.14 (Determination). MΣ ⊩ φ if and only if Σ ⊢ φ.

Proof. If MΣ ⊩ φ, then for every complete Σ-consistent ∆, we have MΣ , ∆ ⊩ φ.

Hence, by the Truth Lemma, φ ∈ ∆ for every complete Σ-consistent ∆, whence
by Corollary 52.4 (with Γ = ∅), Σ ⊢ φ.
Conversely, if Σ ⊢ φ then by Proposition 52.2(1), every complete Σ-consistent
∆ contains φ, and hence by the Truth Lemma, MΣ , ∆ ⊩ φ for every ∆ ∈ W Σ ,
i.e., MΣ ⊩ φ.

Since the canonical model for K determines K, we immediately have com-

pleteness of K as a corollary:

Corollary 52.15. The basic modal logic K is complete with respect to the class of all
models, i.e., if ⊨ φ then K ⊢ φ.

Proof. Contrapositively, if K ⊬ φ then by Determination MK ⊮ φ and hence φ

is not valid.

For the general case of completeness of a system Σ with respect to a class of

models, e.g., of KTB4 with respect to the class of reflexive, symmetric, tran-
sitive models, determination alone is not enough. We must also show that
the canonical model for the system Σ is a member of the class, which does
not follow obviously from the canonical model construction—nor is it always
true!

52.8 Frame Completeness

The completeness theorem for K can be extended to other modal systems,
once we show that the canonical model for a given logic has the corresponding
frame property.

Theorem 52.16. If a normal modal logic Σ contains one of the formulas on the left-
hand side of Table 52.1, then the canonical model for Σ has the corresponding property
on the right-hand side.

Proof. We take each of these up in turn.

Suppose Σ contains D, and let ∆ ∈ W Σ ; we need to show that there is a
∆ such that RΣ ∆∆′ . It suffices to show that □−1 ∆ is Σ-consistent, for then by
′

Lindenbaum’s Lemma, there is a complete Σ-consistent set ∆′ ⊇ □−1 ∆, and

by definition of RΣ we have RΣ ∆∆′ . So, suppose for contradiction that □−1 ∆
is not Σ-consistent, i.e., □−1 ∆ ⊢Σ ⊥. By Lemma 52.7, ∆ ⊢Σ □⊥, and since Σ

Release : d3a1905 (2022-12-19) 743

 CHAPTER 52. COMPLETENESS AND CANONICAL MODELS

If Σ contains . . . . . . the canonical model for Σ is:

D: □φ → ♢φ serial;
T: □φ → φ reflexive;
B: φ → □♢φ symmetric;
4: □φ → □□φ transitive;
5: ♢φ → □♢φ euclidean.
Table 52.1: Basic correspondence facts.

contains D, also ∆ ⊢Σ ♢⊥. But Σ is normal, so Σ ⊢ ¬♢⊥ (Proposition 51.7),

whence also ∆ ⊢Σ ¬♢⊥, against the consistency of ∆.
Now suppose Σ contains T, and let ∆ ∈ W Σ . We want to show RΣ ∆∆, i.e.,
− 1
□ ∆ ⊆ ∆. But if □φ ∈ ∆ then by T also φ ∈ ∆, as desired.
Now suppose Σ contains B, and suppose RΣ ∆∆′ for ∆, ∆′ ∈ W Σ . We need
to show that RΣ ∆′ ∆, i.e., □−1 ∆′ ⊆ ∆. By Lemma 52.9, this is equivalent to
♢∆ ⊆ ∆′ . So suppose φ ∈ ∆. By B, also □♢φ ∈ ∆. By the hypothesis that
RΣ ∆∆′ , we have that □−1 ∆ ⊆ ∆′ , and hence ♢φ ∈ ∆′ , as required.
Now suppose Σ contains 4, and suppose RΣ ∆ 1 ∆ 2 and RΣ ∆ 2 ∆ 3 . We need to
show RΣ ∆ 1 ∆ 3 . From the hypothesis we have both □−1 ∆ 1 ⊆ ∆ 2 and □−1 ∆ 2 ⊆
∆ 3 . In order to show RΣ ∆ 1 ∆ 3 it suffices to show □−1 ∆ 1 ⊆ ∆ 3 . So let ψ ∈
□−1 ∆ 1 , i.e., □ψ ∈ ∆ 1 . By 4, also □□ψ ∈ ∆ 1 and by hypothesis we get, first,
that □ψ ∈ ∆ 2 and, second, that ψ ∈ ∆ 3 , as desired.
Now suppose Σ contains 5, suppose RΣ ∆ 1 ∆ 2 and RΣ ∆ 1 ∆ 3 . We need to
show RΣ ∆ 2 ∆ 3 . The first hypothesis gives □−1 ∆ 1 ⊆ ∆ 2 , and the second hy-
pothesis is equivalent to ♢∆ 3 ⊆ ∆ 2 , by Lemma 52.9. To show RΣ ∆ 2 ∆ 3 , by
Lemma 52.9, it suffices to show ♢∆ 3 ⊆ ∆ 2 . So let ♢φ ∈ ♢∆ 3 , i.e., φ ∈ ∆ 3 . By
the second hypothesis ♢φ ∈ ∆ 1 and by 5, □♢φ ∈ ∆ 1 as well. But now the first
hypothesis gives ♢φ ∈ ∆ 2 , as desired.

As a corollary we obtain completeness results for a number of systems.

For instance, we know that S5 = KT5 = KTB4 is complete with respect to
the class of all reflexive euclidean models, which is the same as the class of all
reflexive, symmetric and transitive models.

Theorem 52.17. Let CD , CT , CB , C4 , and C5 be the class of all serial, reflexive, sym-
metric, transitive, and euclidean models (respectively). Then for any schemas φ1 , . . . ,
φn among D, T, B, 4, and 5, the system Kφ1 . . . φn is determined by the class of
models C = C φ1 ∩ · · · ∩ C φn .

Proposition 52.18. Let Σ be a normal modal logic; then:

1. If Σ contains the schema ♢φ → □φ then the canonical model for Σ is partially

functional.

2. If Σ contains the schema ♢φ ↔ □φ then the canonical model for Σ is functional.

744 Release : d3a1905 (2022-12-19)

52.8. FRAME COMPLETENESS

3. If Σ contains the schema □□φ → □φ then the canonical model for Σ is weakly
dense.

(see Table 50.2 for definitions of these frame properties).

Proof. 1. Suppose that Σ contains the schema ♢φ → □φ, to show that RΣ is

partially functional we need to prove that for any ∆ 1 , ∆ 2 , ∆ 3 ∈ W Σ , if
RΣ ∆ 1 ∆ 2 and RΣ ∆ 1 ∆ 3 then ∆ 2 = ∆ 3 . Since RΣ ∆ 1 ∆ 2 we have □−1 ∆ 1 ⊆
∆ 2 and since RΣ ∆ 1 ∆ 3 also □−1 ∆ 1 ⊆ ∆ 3 . The identity ∆ 2 = ∆ 3 will
follow if we can establish the two inclusions ∆ 2 ⊆ ∆ 3 and ∆ 3 ⊆ ∆ 2 . For
the first inclusion, let φ ∈ ∆ 2 ; then ♢φ ∈ ∆ 1 , and by the schema and
deductive closure of ∆ 1 also □φ ∈ ∆ 1 , whence by the hypothesis that
RΣ ∆ 1 ∆ 3 , φ ∈ ∆ 3 . The second inclusion is similar.

2. This follows immediately from part (1) and the seriality proof in Theo-
rem 52.16.

3. Suppose Σ contains the schema □□φ → □φ and to show that RΣ is

weakly dense, let RΣ ∆ 1 ∆ 2 . We need to show that there is a complete
Σ-consistent set ∆ 3 such that RΣ ∆ 1 ∆ 3 and RΣ ∆ 3 ∆ 2 . Let:

Γ = □−1 ∆ 1 ∪ ♢∆ 2 .

It suffices to show that Γ is Σ-consistent, for then by Lindenbaum’s

Lemma it can be extended to a complete Σ-consistent set ∆ 3 such that
□−1 ∆ 1 ⊆ ∆ 3 and ♢∆ 2 ⊆ ∆ 3 , i.e., RΣ ∆ 1 ∆ 3 and RΣ ∆ 3 ∆ 2 (by Lemma 52.9).

Suppose for contradiction that Γ is not consistent. Then there are formu-
las □φ1 , . . . , □φn ∈ ∆ 1 and ψ1 , . . . , ψm ∈ ∆ 2 such that

φ1 , . . . , φn , ♢ψ1 , . . . , ♢ψm ⊢Σ ⊥.

Since ♢(ψ1 ∧ · · · ∧ ψm ) → (♢ψ1 ∧ · · · ∧ ♢ψm ) is derivable in every normal

Release : d3a1905 (2022-12-19) 745

 CHAPTER 52. COMPLETENESS AND CANONICAL MODELS

modal logic, we argue as follows, contradicting the consistency of ∆ 2 :

φ1 , . . . , φn ,♢ψ1 , . . . , ♢ψm ⊢Σ ⊥
φ1 , . . . , φn ⊢Σ (♢ψ1 ∧ · · · ∧ ♢ψm ) → ⊥
by the deduction theorem
Proposition 51.36(4), and TAUT
φ1 , . . . , φn ⊢Σ ♢(ψ1 ∧ · · · ∧ ψm ) → ⊥
since Σ is normal
φ1 , . . . , φn ⊢Σ ¬♢(ψ1 ∧ · · · ∧ ψm )
by PL
φ1 , . . . , φn ⊢Σ □¬(ψ1 ∧ · · · ∧ ψm )
□¬ for ¬♢
□φ1 , . . . , □φn ⊢Σ □□¬(ψ1 ∧ · · · ∧ ψm )
by Lemma 52.6
□φ1 , . . . , □φn ⊢Σ □¬(ψ1 ∧ · · · ∧ ψm )
by schema □□φ → □φ
∆ 1 ⊢Σ □¬(ψ1 ∧ · · · ∧ ψm )
by monotonicity, Proposition 51.36(1)
□¬(ψ1 ∧ · · · ∧ ψm ) ∈ ∆ 1
by deductive closure;
¬(ψ1 ∧ · · · ∧ ψm ) ∈ ∆ 2
since RΣ ∆ 1 ∆ 2 .

On the strength of these examples, one might think that every system Σ of
modal logic is complete, in the sense that it proves every formula which is valid
in every frame in which every theorem of Σ is valid. Unfortunately, there are
many systems that are not complete in this sense.

Problems
Problem 52.1. Complete the proof of Proposition 52.2.

Problem 52.2. Show that if Γ is complete Σ-consistent, then ♢φ ∈ Γ if and

only if there is a complete Σ-consistent ∆ such that □−1 Γ ⊆ ∆ and φ ∈ ∆. Do
this without using Lemma 52.9.

Problem 52.3. Complete the proof of Proposition 52.12.

746 Release : d3a1905 (2022-12-19)

Chapter 53

Filtrations and Decidability

53.1 Introduction
One important question about a logic is always whether it is decidable, i.e., if
there is an effective procedure which will answer the question “is this formula
valid.” Propositional logic is decidable: we can effectively test if a formula is
a tautology by constructing a truth table, and for a given formula, the truth
table is finite. But we can’t obviously test if a modal formula is true in all
models, for there are infinitely many of them. We can list all the finite models
relevant to a given formula, since only the assignment of subsets of worlds
to propositional variables which actually occur in the formula are relevant. If
the accessibility relation is fixed, the possible different assignments V ( p) are
just all the subsets of W, and if |W | = n there are 2n of those. If our formula φ
contains m propositional variables there are then 2nm different models with n
worlds. For each one, we can test if φ is true at all worlds, simply by comput-
ing the truth value of φ in each. Of course, we also have to check all possible
accessibility relations, but there are only finitely many relations on n worlds
2
as well (specifically, the number of subsets of W × W, i.e., 2n .
If we are not interested in the logic K, but a logic defined by some class of
models (e.g., the reflexive transitive models), we also have to be able to test
if the accessibility relation is of the right kind. We can do that whenever the
frames we are interested in are definable by modal formulas (e.g., by testing if
T and 4 valid in the frame). So, the idea would be to run through all the finite
frames, test each one if it is a frame in the class we’re interested in, then list all
the possible models on that frame and test if φ is true in each. If not, stop: φ
is not valid in the class of models of interest.
There is a problem with this idea: we don’t know when, if ever, we can stop
looking. If the formula has a finite countermodel, our procedure will find it.
But if it has no finite countermodel, we won’t get an answer. The formula may
be valid (no countermodels at all), or it have only an infinite countermodel,
which we’ll never look at. This problem can be overcome if we can show that

747
 CHAPTER 53. FILTRATIONS AND DECIDABILITY

every formula that has a countermodel has a finite countermodel. If this is the
case we say the logic has the finite model property.
But how would we show that a logic has the finite model property? One
way of doing this would be to find a way to turn an infinite (counter)model
of φ into a finite one. If that can be done, then whenever there is a model
in which φ is not true, then the resulting finite model also makes φ not true.
That finite model will show up on our list of all finite models, and we will
eventually determine, for every formula that is not valid, that it isn’t. Our
procedure won’t terminate if the formula is valid. If we can show in addition
that there is some maximum size that the finite model our procedure provides
can have, and that this maximum size depends only on the formula φ, we
will have a size up to which we have to test finite models in our search for
countermodels. If we haven’t found a countermodel by then, there are none.
Then our procedure will, in fact, decide the question “is φ valid?” for any
formula φ.
A strategy that often works for turning infinite structures into finite struc-
tures is that of “identifying” elements of the structure which behave the same
way in relevant respects. If there are infinitely many worlds in M that be-
have the same in relevant respects, then we might hope that there are only
finitely many “classes” of such worlds. In other words, we partition the set
of worlds in the right way. Each partition contains infinitely many worlds,
but there are only finitely many partitions. Then we define a new model M∗
where the worlds are the partitions. Finitely many partitions in the old model
give us finitely many worlds in the new model, i.e., a finite model. Let’s call
the partition a world w is in [w]. We’ll want it to be the case that M, w ⊩ φ iff
M∗ , [w] ⊩ φ, since we want the new model to be a countermodel to φ if the old
one was. This requires that we define the partition, as well as the accessibility
relation of M∗ in the right way.
To see how this would go, first imagine we have no accessibility relation.
M, w ⊩ □ψ iff for some v ∈ W, M, v ⊩ □ψ, and the same for M∗ , except with
[w] and [v]. As a first idea, let’s say that two worlds u and v are equivalent
(belong to the same partition) if they agree on all propositional variables in M,
i.e., M, u ⊩ p iff M, v ⊩ p. Let V ∗ ( p) = {[w] : M, w ⊩ p}. Our aim is to show
that M, w ⊩ φ iff M∗ , [w] ⊩ φ. Obviously, we’d prove this by induction: The
base case would be φ ≡ p. First suppose M, w ⊩ p. Then [w] ∈ V ∗ by
definition, so M∗ , [w] ⊩ p. Now suppose that M∗ , [w] ⊩ p. That means that
[w] ∈ V ∗ ( p), i.e., for some v equivalent to w, M, v ⊩ p. But “w equivalent to v”
means “w and v make all the same propositional variables true,” so M, w ⊩ p.
Now for the inductive step, e.g., φ ≡ ¬ψ. Then M, w ⊩ ¬ψ iff M, w ⊮ ψ
iff M∗ , [w] ⊮ ψ (by inductive hypothesis) iff M∗ , [w] ⊩ ¬ψ. Similarly for the
other non-modal operators. It also works for □: suppose M∗ , [w] ⊩ □ψ. That
means that for every [u], M∗ , [u] ⊩ ψ. By inductive hypothesis, for every u,
M, u ⊩ ψ. Consequently, M, w ⊩ □ψ.

748 Release : d3a1905 (2022-12-19)

53.2. PRELIMINARIES

In the general case, where we have to also define the accessibility relation
for M∗ , things are more complicated. We’ll call a model M∗ a filtration if its
accessibility relation R∗ satisfies the conditions required to make the induc-
tive proof above go through. Then any filtration M∗ will make φ true at [w]
iff M makes φ true at w. However, now we also have to show that there are
filtrations, i.e., we can define R∗ so that it satisfies the required conditions. In
order for this to work, however, we have to require that worlds u, v count as
equivalent not just when they agree on all propositional variables, but on all
sub-formulas of φ. Since φ has only finitely many sub-formulas, this will still
guarantee that the filtration is finite. There is not just one way to define a fil-
tration, and in order to make sure that the accessibility relation of the filtration
satisfies the required properties (e.g., reflexive, transitive, etc.) we have to be
inventive with the definition of R∗ .

53.2 Preliminaries
Filtrations allow us to establish the decidability of our systems of modal logic
by showing that they have the finite model property, i.e., that any formula that
is true (false) in a model is also true (false) in a finite model. Filtrations are
defined relative to sets of formulas which are closed under subformulas.

Definition 53.1. A set Γ of formulas is closed under subformulas if it contains

every subformula of a formula in Γ. Further, Γ is modally closed if it is closed
under subformulas and moreover φ ∈ Γ implies □φ, ♢φ ∈ Γ.

For instance, given a formula φ, the set of all its sub-formulas is closed
under sub-formulas. When we’re defining a filtration of a model through the
set of sub-formulas of φ, it will have the property we’re after: it makes φ true
(false) iff the original model does.
The set of worlds of a filtration of M through Γ is defined as the set of all
equivalence classes of the following equivalence relation.

Definition 53.2. Let M = ⟨W, R, V ⟩ and suppose Γ is closed under sub-formulas.

Define a relation ≡ on W to hold of any two worlds that make the same for-
mulas from Γ true, i.e.:

u≡v if and only if ∀ φ ∈ Γ : M, u ⊩ φ ⇔ M, v ⊩ φ.

The equivalence class [w]≡ of a world w, or [w] for short, is the set of all worlds
≡-equivalent to w:
[ w ] = { v : v ≡ w }.

Proposition 53.3. Given M and Γ, ≡ as defined above is an equivalence relation,

i.e., it is reflexive, symmetric, and transitive.

Release : d3a1905 (2022-12-19) 749

 CHAPTER 53. FILTRATIONS AND DECIDABILITY

Proof. The relation ≡ is reflexive, since w makes exactly the same formulas
from Γ true as itself. It is symmetric since if u makes the same formulas from Γ
true as v, the same holds for v and u. It is also transitive, since if u makes the
same formulas from Γ true as v, and v as w, then u makes the same formulas
from Γ true as w.

The relation ≡, like any equivalence relation, divides W into partitions, i.e.,
subsets of W which are pairwise disjoint, and together cover all of W. Every
w ∈ W is an element of one of the partitions, namely of [w], since w ≡ w. So
the partitions [w] cover all of W. They are pairwise disjoint, for if u ∈ [w] and
u ∈ [v], then u ≡ w and u ≡ v, and by symmetry and transitivity, w ≡ v, and
so [w] = [v].

53.3 Filtrations
Rather than define “the” filtration of M through Γ, we define when a model M∗
counts as a filtration of M. All filtrations have the same set of worlds W ∗ and
the same valuation V ∗ . But different filtrations may have different accessibil-
ity relations R∗ . To count as a filtration, R∗ has to satisfy a number of condi-
tions, however. These conditions are exactly what we’ll require to prove the
main result, namely that M, w ⊩ φ iff M∗ , [w] ⊩ φ, provided φ ∈ Γ.

Definition 53.4. Let Γ be closed under subformulas and M = ⟨W, R, V ⟩. A

filtration of M through Γ is any model M∗ = ⟨W ∗ , R∗ , V ∗ ⟩, where:

1. W ∗ = {[w] : w ∈ W };

2. For any u, v ∈ W:

a) If Ruv then R∗ [u][v];

b) If R∗ [u][v] then for any □φ ∈ Γ, if M, u ⊩ □φ then M, v ⊩ φ;
c) If R∗ [u][v] then for any ♢φ ∈ Γ, if M, v ⊩ φ then M, u ⊩ ♢φ.

3. V ∗ ( p) = {[u] : u ∈ V ( p)}.

It’s worthwhile thinking about what V ∗ ( p) is: the set consisting of the
equivalence classes [w] of all worlds w where p is true in M. On the one
hand, if w ∈ V ( p), then [w] ∈ V ∗ ( p) by that definition. However, it is not
necessarily the case that if [w] ∈ V ∗ ( p), then w ∈ V ( p). If [w] ∈ V ∗ ( p) we are
only guaranteed that [w] = [u] for some u ∈ V ( p). Of course, [w] = [u] means
that w ≡ u. So, when [w] ∈ V ∗ ( p) we can (only) conclude that w ≡ u for some
u ∈ V ( p ).

Theorem 53.5. If M∗ is a filtration of M through Γ, then for every φ ∈ Γ and

w ∈ W, we have M, w ⊩ φ if and only if M∗ , [w] ⊩ φ.

750 Release : d3a1905 (2022-12-19)

53.3. FILTRATIONS

Proof. By induction on φ, using the fact that Γ is closed under subformulas.

Since φ ∈ Γ and Γ is closed under sub-formulas, all sub-formulas of φ are
also ∈ Γ. Hence in each inductive step, the induction hypothesis applies to
the sub-formulas of φ.

1. φ ≡ ⊥: Neither M, w ⊩ φ nor M∗ , [w] ⊩ φ.

2. φ ≡ p: The left-to-right direction is immediate, as M, w ⊩ φ only if

w ∈ V ( p), which implies [w] ∈ V ∗ ( p), i.e., M∗ , [w] ⊩ φ. Conversely,
suppose M∗ , [w] ⊩ φ, i.e., [w] ∈ V ∗ ( p). Then for some v ∈ V ( p), w ≡ v.
Of course then also M, v ⊩ p. Since w ≡ v, w and v make the same
formulas from Γ true. Since by assumption p ∈ Γ and M, v ⊩ p, M, w ⊩
φ.

3. φ ≡ ¬ψ: M, w ⊩ φ iff M, w ⊮ ψ. By induction hypothesis, M, w ⊮ ψ iff

M∗ , [w] ⊮ ψ. Finally, M∗ , [w] ⊮ ψ iff M∗ , [w] ⊩ φ.

4. Exercise.

5. φ ≡ (ψ ∨ χ): M, w ⊩ φ iff M, w ⊩ ψ or M, w ⊩ χ. By induction

hypothesis, M, w ⊩ ψ iff M∗ , [w] ⊩ ψ, and M, w ⊩ χ iff M∗ , [w] ⊩ χ.
And M∗ , [w] ⊩ φ iff M∗ , [w] ⊩ ψ or M∗ , [w] ⊩ χ.

6. Exercise.

7. φ ≡ □ψ: Suppose M, w ⊩ φ; to show that M∗ , [w] ⊩ φ, let v be such

that R∗ [w][v]. From Definition 53.4(2b), we have that M, v ⊩ ψ, and by
inductive hypothesis M∗ , [v] ⊩ ψ. Since v was arbitrary, M∗ , [w] ⊩ φ
follows.
Conversely, suppose M∗ , [w] ⊩ φ and let v be arbitrary such that Rwv.
From Definition 53.4(2a), we have R∗ [w][v], so that M∗ , [v] ⊩ ψ; by in-
ductive hypothesis M, v ⊩ ψ, and since v was arbitrary, M, w ⊩ φ.

8. Exercise.

What holds for truth at worlds in a model also holds for truth in a model
and validity in a class of models.

Corollary 53.6. Let Γ be closed under subformulas. Then:

1. If M∗ is a filtration of M through Γ then for any φ ∈ Γ: M ⊩ φ if and only if

M∗ ⊩ φ.

2. If C is a class of models and Γ (C) is the class of Γ-filtrations of models in C ,

then any formula φ ∈ Γ is valid in C if and only if it is valid in Γ (C).

Release : d3a1905 (2022-12-19) 751

 CHAPTER 53. FILTRATIONS AND DECIDABILITY

53.4 Examples of Filtrations

We have not yet shown that there are any filtrations. But indeed, for any
model M, there are many filtrations of M through Γ. We identify two, in
particular: the finest and coarsest filtrations. Filtrations of the same models
will differ in their accessibility relation (as Definition 53.4 stipulates directly
what W ∗ and V ∗ should be). The finest filtration will have as few related
worlds as possible, whereas the coarsest will have as many as possible.

Definition 53.7. Where Γ is closed under subformulas, the finest filtration M∗

of a model M is defined by putting:

R∗ [u][v] if and only if ∃u′ ∈ [u] ∃v′ ∈ [v] : Ru′ v′ .

Proposition 53.8. The finest filtration M∗ is indeed a filtration.

Proof. We need to check that R∗ , so defined, satisfies Definition 53.4(2). We

check the three conditions in turn.
If Ruv then since u ∈ [u] and v ∈ [v], also R∗ [u][v], so (2a) is satisfied.
For (2b), suppose □φ ∈ Γ, R∗ [u][v], and M, u ⊩ □φ. By definition of R∗ ,
there are u′ ≡ u and v′ ≡ v such that Ru′ v′ . Since u and u′ agree on Γ, also
M, u′ ⊩ □φ, so that M, v′ ⊩ φ. By closure of Γ under sub-formulas, v and v′
agree on φ, so M, v ⊩ φ, as desired.
We leave the verification of (2c) as an exercise.

Definition 53.9. Where Γ is closed under subformulas, the coarsest filtration M∗

of a model M is defined by putting R∗ [u][v] if and only if both of the following
conditions are met:

1. If □φ ∈ Γ and M, u ⊩ □φ then M, v ⊩ φ;

2. If ♢φ ∈ Γ and M, v ⊩ φ then M, u ⊩ ♢φ.

Proposition 53.10. The coarsest filtration M∗ is indeed a filtration.

Proof. Given the definition of R∗ , the only condition that is left to verify is
the implication from Ruv to R∗ [u][v]. So assume Ruv. Suppose □φ ∈ Γ and
M, u ⊩ □φ; then obviously M, v ⊩ φ, and (1) is satisfied. Suppose ♢φ ∈ Γ and
M, v ⊩ φ. Then M, u ⊩ ♢φ since Ruv, and (2) is satisfied.

Example 53.11. Let W = Z+ , Rnm iff m = n + 1, and V ( p) = {2n : n ∈ N}.

The model M = ⟨W, R, V ⟩ is depicted in Figure 53.1. The worlds are 1, 2, etc.;
each world can access exactly one other world—its successor—and p is true
at all and only the even numbers.
Now let Γ be the set of sub-formulas of □p → p, i.e., { p, □p, □p → p}. p
is true at all and only the even numbers, □p is true at all and only the odd

752 Release : d3a1905 (2022-12-19)

53.5. FILTRATIONS ARE FINITE

1 2 3 4
¬p p ¬p p

[1] [2] [1] [2]

¬p p ¬p p

Figure 53.1: An infinite model and its filtrations.

numbers, so □p → p is true at all and only the even numbers. In other words,
every odd number makes □p true and p and □p → p false; every even number
makes p and □p → p true, but □p false. So W ∗ = {[1], [2]}, where [1] =
{1, 3, 5, . . . } and [2] = {2, 4, 6, . . . }. Since 2 ∈ V ( p), [2] ∈ V ∗ ( p); since 1 ∈
/
V ( p ), [1] ∈ ∗ ∗
/ V ( p). So V ( p) = {[2]}.
Any filtration based on W ∗ must have an accessibility relation that in-
cludes ⟨[1], [2]⟩, ⟨[2], [1]⟩: since R12, we must have R∗ [1][2] by Definition 53.4(2a),
and since R23 we must have R∗ [2][3], and [3] = [1]. It cannot include ⟨[1], [1]⟩:
if it did, we’d have R∗ [1][1], M, 1 ⊩ □p but M, 1 ⊮ p, contradicting (2b). Noth-
ing requires or rules out that R∗ [2][2]. So, there are two possible filtrations
of M, corresponding to the two accessibility relations

{⟨[1], [2]⟩, ⟨[2], [1]⟩} and {⟨[1], [2]⟩, ⟨[2], [1]⟩, ⟨[2], [2]⟩}.

In either case, p and □p → p are false and □p is true at [1]; p and □p → p are
true and □p is false at [2].

53.5 Filtrations are Finite

We’ve defined filtrations for any set Γ that is closed under sub-formulas. Noth-
ing in the definition itself guarantees that filtrations are finite. In fact, when Γ
is infinite (e.g., is the set of all formulas), it may well be infinite. However, if
Γ is finite (e.g., when it is the set of sub-formulas of a given formula φ), so is
any filtration through Γ.

Proposition 53.12. If Γ is finite then any filtration M∗ of a model M through Γ is

also finite.

Proof. The size of W ∗ is the number of different classes [w] under the equiva-
lence relation ≡. Any two worlds u, v in such class—that is, any u and v such
that u ≡ v—agree on all formulas φ in Γ, φ ∈ Γ either φ is true at both u and
v, or at neither. So each class [w] corresponds to subset of Γ, namely the set of
all φ ∈ Γ such that φ is true at the worlds in [w]. No two different classes [u]

Release : d3a1905 (2022-12-19) 753

 CHAPTER 53. FILTRATIONS AND DECIDABILITY

and [v] correspond to the same subset of Γ. For if the set of formulas true at u
and that of formulas true at v are the same, then u and v agree on all formulas
in Γ, i.e., u ≡ v. But then [u] = [v]. So, there is an injective function from
W ∗ to ℘( Γ ), and hence |W ∗ | ≤ |℘( Γ )|. Hence if Γ contains n sentences, the
cardinality of W ∗ is no greater than 2n .

53.6 K and S5 have the Finite Model Property

Definition 53.13. A system Σ of modal logic is said to have the finite model
property if whenever a formula φ is true at a world in a model of Σ then φ is
true at a world in a finite model of Σ.

Proposition 53.14. K has the finite model property.

Proof. K is the set of valid formulas, i.e., any model is a model of K. By Theo-
rem 53.5, if M, w ⊩ φ, then M∗ , w ⊩ φ for any filtration of M through the set Γ
of sub-formulas of φ. Any formula only has finitely many sub-formulas, so Γ
is finite. By Proposition 53.12, |W ∗ | ≤ 2n , where n is the number of formulas
in Γ. And since K imposes no restriction on models, M∗ is a K-model.

To show that a logic L has the finite model property via filtrations it is
essential that the filtration of an L-model is itself a L-model. Often this re-
quires a fair bit of work, and not any filtration yields a L-model. However, for
universal models, this still holds.

Proposition 53.15. Let U be the class of universal models (see Proposition 50.14)
and UFin the class of all finite universal models. Then any formula φ is valid in U if
and only if it is valid in UFin .

Proof. Finite universal models are universal models, so the left-to-right direc-
tion is trivial. For the right-to left direction, suppose that φ is false at some
world w in a universal model M. Let Γ contain φ as well as all of its sub-
formulas; clearly Γ is finite. Take a filtration M∗ of M; then M∗ is finite by
Proposition 53.12, and by Theorem 53.5, φ is false at [w] in M∗ . It remains to
observe that M∗ is also universal: given u and v, by hypothesis Ruv and by
Definition 53.4(2), also R∗ [u][v].

Corollary 53.16. S5 has the finite model property.

Proof. By Proposition 50.14, if φ is true at a world in some reflexive and eu-

clidean model then it is true at a world in a universal model. By Proposi-
tion 53.15, it is true at a world in a finite universal model (namely the filtration
of the model through the set of sub-formulas of φ). Every universal model is
also reflexive and euclidean; so φ is true at a world in a finite reflexive eu-
clidean model.

754 Release : d3a1905 (2022-12-19)

53.7. S5 IS DECIDABLE

53.7 S5 is Decidable
The finite model property gives us an easy way to show that systems of modal
logic given by schemas are decidable (i.e., that there is a computable procedure
to determine whether a formula is derivable in the system or not).

Theorem 53.17. S5 is decidable.

Proof. Let φ be given, and suppose the propositional variables occurring in φ

are among p1 , . . . , pk . Since for each n there are only finitely many models
with n worlds assigning a value to p1 , . . . , pk , we can enumerate, in parallel,
all the theorems of S5 by generating proofs in some systematic way; and all
the models containing 1, 2, . . . worlds and checking whether φ fails at a world
in some such model. Eventually one of the two parallel processes will give
an answer, as by Theorem 52.17 and Corollary 53.16, either φ is derivable or it
fails in a finite universal model.

The above proof works for S5 because filtrations of universal models are
automatically universal. The same holds for reflexivity and seriality, but more
work is needed for other properties.

53.8 Filtrations and Properties of Accessibility

As noted, filtrations of universal, serial, and reflexive models are always also
universal, serial, or reflexive. But not every filtration of a symmetric or tran-
sitive model is symmetric or transitive, respectively. In some cases, however,
it is possible to define filtrations so that this does hold. In order to do so, we
proceed as in the definition of the coarsest filtration, but add additional condi-
tions to the definition of R∗ . Let Γ be closed under sub-formulas. Consider the
relations Ci (u, v) in Table 53.1 between worlds u, v in a model M = ⟨W, R, V ⟩.
We can define R∗ [u][v] on the basis of combinations of these conditions. For
instance, if we stipulate that R∗ [u][v] iff the condition C1 (u, v) holds, we get
exactly the coarsest filtration. If we stipulate R∗ [u][v] iff both C1 (u, v) and
C2 (u, v) hold, we get a different filtration. It is “finer” than the coarsest since
fewer pairs of worlds satisfy C1 (u, v) and C2 (u, v) than C1 (u, v) alone.

Theorem 53.18. Let M = ⟨W, R, V ⟩ be a model, Γ closed under sub-formulas. Let

W ∗ and V ∗ be defined as in Definition 53.4. Then:

1. Suppose R∗ [u][v] if and only if C1 (u, v) ∧ C2 (u, v). Then R∗ is symmetric,

and M∗ = ⟨W ∗ , R∗ , V ∗ ⟩ is a filtration if M is symmetric.

2. Suppose R∗ [u][v] if and only if C1 (u, v) ∧ C3 (u, v). Then R∗ is transitive, and
M∗ = ⟨W ∗ , R∗ , V ∗ ⟩ is a filtration if M is transitive.

Release : d3a1905 (2022-12-19) 755

 CHAPTER 53. FILTRATIONS AND DECIDABILITY

if □φ ∈ Γ and M, u ⊩ □φ then M, v ⊩ φ; and

C1 (u, v):
if ♢φ ∈ Γ and M, v ⊩ φ then M, u ⊩ ♢φ;
if □φ ∈ Γ and M, v ⊩ □φ then M, u ⊩ φ; and
C2 (u, v):
if ♢φ ∈ Γ and M, u ⊩ φ then M, v ⊩ ♢φ;
if □φ ∈ Γ and M, u ⊩ □φ then M, v ⊩ □φ; and
C3 (u, v):
if ♢φ ∈ Γ and M, v ⊩ ♢φ then M, u ⊩ ♢φ;
if □φ ∈ Γ and M, v ⊩ □φ then M, u ⊩ □φ; and
C4 (u, v):
if ♢φ ∈ Γ and M, u ⊩ ♢φ then M, v ⊩ ♢φ;
Table 53.1: Conditions on possible worlds for defining filtrations.

3. Suppose R∗ [u][v] if and only if C1 (u, v) ∧ C2 (u, v) ∧ C3 (u, v) ∧ C4 (u, v).

Then R∗ is symmetric and transitive, and M∗ = ⟨W ∗ , R∗ , V ∗ ⟩ is a filtration if
M is symmetric and transitive.

4. Suppose R∗ is defined as R∗ [u][v] if and only if C1 (u, v) ∧ C3 (u, v) ∧ C4 (u, v).

Then R∗ is transitive and euclidean, and M∗ = ⟨W ∗ , R∗ , V ∗ ⟩ is a filtration if
M is transitive and euclidean.

Proof. 1. It’s immediate that R∗ is symmetric, since C1 (u, v) ⇔ C2 (v, u) and

C2 (u, v) ⇔ C1 (v, u). So it’s left to show that if M is symmetric then M∗ is
a filtration through Γ. Condition C1 (u, v) guarantees that (2b) and (2c) of
Definition 53.4 are satisfied. So we just have to verify Definition 53.4(2a),
i.e., that Ruv implies R∗ [u][v].
So suppose Ruv. To show R∗ [u][v] we need to establish that C1 (u, v) and
C2 (u, v). For C1 : if □φ ∈ Γ and M, u ⊩ □φ then also M, v ⊩ φ (since
Ruv). Similarly, if ♢φ ∈ Γ and M, v ⊩ φ then M, u ⊩ ♢φ since Ruv. For
C2 : if □φ ∈ Γ and M, v ⊩ □φ then Ruv implies Rvu by symmetry, so
that M, u ⊩ φ. Similarly, if ♢φ ∈ Γ and M, u ⊩ φ then M, v ⊩ ♢φ (since
Rvu by symmetry).

2. Exercise.

3. Exercise.

4. Exercise.

53.9 Filtrations of Euclidean Models

The approach of section 53.8 does not work in the case of models that are
euclidean or serial and euclidean. Consider the model at the top of Figure 53.2,
which is both euclidean and serial. Let Γ = { p, □p}. When taking a filtration
through Γ, then [w1 ] = [w3 ] since w1 and w3 are the only worlds that agree
on Γ. Any filtration will also have the arrow inherited from M, as depicted

756 Release : d3a1905 (2022-12-19)

53.9. FILTRATIONS OF EUCLIDEAN MODELS

in Figure 53.3. That model isn’t euclidean. Moreover, we cannot add arrows
to that model in order to make it euclidean. We would have to add double
arrows between [w2 ] and [w4 ], and then also between w2 and w5 . But □p is
supposed to be true at w2 , while p is false at w5 .
¬ p w1 w2 p
⊩ □p ⊩ □p

¬ p w3 w4 p w5 ¬ p
⊩ □p ⊮ □p ⊮ □p

Figure 53.2: A serial and euclidean model.

[ w2 ] p

⊩ □p
¬ p [ w1 ] [ w1 ] = [ w3 ]

⊩ □p

[ w4 ] p [ w5 ] ¬ p

⊮ □p ⊮ □p

Figure 53.3: The filtration of the model in Figure 53.2.

In particular, to obtain a euclidean flitration it is not enough to consider
filtrations through arbitrary Γ’s closed under sub-formulas. Instead we need
to consider sets Γ that are modally closed (see Definition 53.1). Such sets of
sentences are infinite, and therefore do not immediately yield a finite model
property or the decidability of the corresponding system.

Theorem 53.19. Let Γ be modally closed, M = ⟨W, R, V ⟩, and M∗ = ⟨W ∗ , R∗ , V ∗ ⟩

be a coarsest filtration of M.

1. If M is symmetric, so is M∗ .

2. If M is transitive, so is M∗ .

3. If M is euclidean, so is M∗ .

Proof. 1. If M∗ is a coarsest filtration, then by definition R∗ [u][v] holds if

and only if C1 (u, v). For transitivity, suppose C1 (u, v) and C1 (v, w); we
have to show C1 (u, w). Suppose M, u ⊩ □φ; then M, u ⊩ □□φ since
4 is valid in all transitive models; since □□φ ∈ Γ by closure, also by

Release : d3a1905 (2022-12-19) 757

 CHAPTER 53. FILTRATIONS AND DECIDABILITY

C1 (u, v), M, v ⊩ □φ and by C1 (v, w), also M, w ⊩ φ. Suppose M, w ⊩ φ;

then M, v ⊩ ♢φ by C1 (v, w), since ♢φ ∈ Γ by modal closure. By C1 (u, v),
we get M, u ⊩ ♢♢φ since ♢♢φ ∈ Γ by modal closure. Since 4♢ is valid
in all transitive models, M, u ⊩ ♢φ.

2. Exercise. Use the fact that both 5 and 5♢ are valid in all euclidean mod-
els.

3. Exercise. Use the fact that B and B♢ are valid in all symmetric models.

Problems
Problem 53.1. Complete the proof of Theorem 53.5

Problem 53.2. Complete the proof of Proposition 53.8.

Problem 53.3. Consider the following model M = ⟨W, R, V ⟩ where W =

{0σ : σ ∈ B∗ }, the set of sequences of 0s and 1s starting with 0, with Rσσ′
iff σ′ = σ0 or σ′ = σ1, and V ( p) = {σ0 : σ ∈ B∗ } and V (q) = {σ1 : σ ∈
B∗ \ {1}}. Here’s a picture:

000

p
00
¬q
p
001
¬q
¬p
0 q
p
¬q 010

p
01
¬q
¬p
011
q
¬p
q

We have M, w ⊮ □( p ∨ q) → (□p ∨ □q) for every w.

Let Γ be the set of sub-formulas of □( p ∨ q) → (□p ∨ □q). What are W ∗
and V ∗ ? What is the accessibility relation of the finest filtration of M? Of the
coarsest?

758 Release : d3a1905 (2022-12-19)

53.9. FILTRATIONS OF EUCLIDEAN MODELS

Problem 53.4. Show that any filtration of a serial or reflexive model is also
serial or reflexive (respectively).

Problem 53.5. Find a non-symmetric (non-transitive, non-euclidean) filtration

of a symmetric (transitive, euclidean) model.

Problem 53.6. Complete the proof of Theorem 53.18.

Problem 53.7. Complete the proof of Theorem 53.19.

Release : d3a1905 (2022-12-19) 759

Chapter 54

Modal Tableaux

Draft chapter on prefixed tableaux for modal logic. Needs more ex-
amples, completeness proofs, and discussion of how one can find coun-
termodels from unsuccessful searches for closed tableaux.

54.1 Introduction
Tableaux are certain (downward-branching) trees of signed formulas, i.e., pairs
consisting of a truth value sign (T or F) and a sentence

T φ or F φ.

A tableau begins with a number of assumptions. Each further signed formula

is generated by applying one of the inference rules. Some inference rules add
one or more signed formulas to a tip of the tree; others add two new tips,
resulting in two branches. Rules result in signed formulas where the formula
is less complex than that of the signed formula to which it was applied. When
a branch contains both T φ and F φ, we say the branch is closed. If every branch
in a tableau is closed, the entire tableau is closed. A closed tableau consititues
a derivation that shows that the set of signed formulas which were used to
begin the tableau are unsatisfiable. This can be used to define a ⊢ relation:
Γ ⊢ φ iff there is some finite set Γ0 = {ψ1 , . . . , ψn } ⊆ Γ such that there is a
closed tableau for the assumptions

{F φ, Tψ1 , . . . , Tψn }.

For modal logics, we have to both extend the notion of signed formula
and add rules that cover □ and ♢ In addition to a sign(T or F), formulas in
modal tableaux also have prefixes σ. The prefixes are non-empty sequences of
positive integers, i.e., σ ∈ (Z+ )∗ \ {Λ}. When we write such prefixes without

760
54.2. RULES FOR K

σ T¬ φ σ F ¬φ
¬T ¬F
σFφ σ Tφ
σ Tφ ∧ ψ
∧T σFφ ∧ ψ
σ Tφ ∧F
σ F φ | σ Fψ
σ Tψ
σFφ ∨ ψ
σ Tφ ∨ ψ ∨F
∨T σFφ
σ T φ | σ Tψ
σ Fψ
σFφ → ψ
σ Tφ → ψ →F
→T σ Tφ
σ F φ | σ Tψ
σ Fψ

Table 54.1: Prefixed tableau rules for the propositional connectives

the surrounding ⟨ ⟩, and separate the individual elements by .’s instead of ,’s.
If σ is a prefix, then σ.n is σ ⌢ ⟨n⟩; e.g., if σ = 1.2.1, then σ.3 is 1.2.1.3. So for
instance,
1.2 T□φ → φ
is a prefixed signed formula (or just a prefixed formula for short).
Intuitively, the prefix names a world in a model that might satisfy the for-
mulas on a branch of a tableau, and if σ names some world, then σ.n names a
world accessible from (the world named by) σ.

54.2 Rules for K

The rules for the regular propositional connectives are the same as for regu-
lar propositional signed tableaux, just with prefixes added. In each case, the
rule applied to a signed formula σ S φ produces new formulas that are also
prefixed by σ. This should be intuitively clear: e.g., if φ ∧ ψ is true at (a world
named by) σ, then φ and ψ are true at σ (and not at any other world). We
collect the propositional rules in Table 54.1.
The closure condition is the same as for ordinary tableaux, although we
require that not just the formulas but also the prefixes must match. So a branch
is closed if it contains both

σ Tφ and σFφ

for some prefix σ and formula φ.

Release : d3a1905 (2022-12-19) 761

 CHAPTER 54. MODAL TABLEAUX

σ T□φ σ F □φ
□T □F
σ.n T φ σ.n F φ

σ.n is used σ.n is new

σ T♢φ σ F ♢φ
♢T ♢F
σ.n T φ σ.n F φ

σ.n is new σ.n is used

Table 54.2: The modal rules for K.

The rules for setting up assumptions is also as for ordinary tableaux, ex-
cept that for assumptions we always use the prefix 1. (It does not matter which
prefix we use, as long as it’s the same for all assumptions.) So, e.g., we say that

ψ1 , . . . , ψn ⊢ φ

iff there is a closed tableau for the assumptions

1 Tψ1 , . . . , 1 Tψn , 1 F φ.

For the modal operators □ and ♢, the prefix of the conclusion of the rule
applied to a formula with prefix σ is σ.n. However, which n is allowed de-
pends on whether the sign is T or F.
The T□ rule extends a branch containing σ T□φ by σ.n T φ. Similarly, the
F♢ rule extends a branch containing σ F ♢φ by σ.n F φ. They can only be ap-
plied for a prefix σ.n which already occurs on the branch in which it is applied.
Let’s call such a prefix “used” (on the branch).
The F□ rule extends a branch containing σ F □φ by σ.n F φ. Similarly, the
T♢ rule extends a branch containing σ T♢φ by σ.n T φ. These rules, however,
can only be applied for a prefix σ.n which does not already occur on the branch
in which it is applied. We call such prefixes “new” (to the branch).
The rules are given in Table 54.2.
The requirement that the restriction that the prefix for □T must be used is
necessary as otherwise we would count the following as a closed tableau:

762 Release : d3a1905 (2022-12-19)

54.3. TABLEAUX FOR K

1. 1 T □φ Assumption
2. 1 F ♢φ Assumption
3. 1.1 T φ □T 1
4. 1.1 F φ ♢F 2
⊗

But □φ ⊭ ♢φ, so our proof system would be unsound. Likewise, ♢φ ⊭ □φ,

but without the restriction that the prefix for □F must be new, this would be
a closed tableau:

1. 1 T ♢φ Assumption
2. 1 F □φ Assumption
3. 1.1 T φ ♢T 1
4. 1.1 F φ □F 2
⊗

54.3 Tableaux for K

Example 54.1. We give a closed tableau that shows ⊢ (□φ ∧ □ψ) → □( φ ∧ ψ).

1. 1 F (□φ ∧ □ψ) → □( φ ∧ ψ) Assumption

2. 1 T □φ ∧ □ψ →F 1
3. 1 F □( φ ∧ ψ ) →F 1
4. 1 T □φ ∧T 2
5. 1 T □ψ ∧T 2
6. 1.1 F φ ∧ ψ □F 3

7. 1.1 F φ 1.1 F ψ ∧F 6
8. 1.1 T φ 1.1 T ψ □T 4; □T 5
⊗ ⊗

Example 54.2. We give a closed tableau that shows ⊢ ♢( φ ∨ ψ) → (♢φ ∨ ♢ψ):

Release : d3a1905 (2022-12-19) 763

 CHAPTER 54. MODAL TABLEAUX

1. 1 F ♢( φ ∨ ψ) → (♢φ ∨ ♢ψ) Assumption

2. 1 T ♢( φ ∨ ψ ) →F 1
3. 1 F ♢φ ∨ ♢ψ →F 1
4. 1 F ♢φ ∨F 3
5. 1 F ♢ψ ∨F 3
6. 1.1 T φ ∨ ψ ♢T 2

7. 1.1 T φ 1.1 T ψ ∨T 6
8. 1.1 F φ 1.1 F ψ ♢F 4; ♢F 5
⊗ ⊗

54.4 Soundness for K

This soundness proof reuses the soundness proof for classical propo-
sitional logic, i.e., it proves everything from scratch. That’s ok if you want
a self-contained soundness proof. If you already have seen soundness for
ordinary tableau this will be repetitive. It’s planned to make it possible
to switch between self-contained version and a version building on the
non-modal case.

In order to show that prefixed tableaux are sound, we have to show that if

1 Tψ1 , . . . , 1 Tψn , 1 F φ

has a closed tableau then ψ1 , . . . , ψn ⊨ φ. It is easier to prove the contraposi-

tive: if for some M and world w, M, w ⊩ ψi for all i = 1, . . . , n but M, w ⊩ φ,
then no tableau can close. Such a countermodel shows that the initial assump-
tions of the tableau are satisfiable. The strategy of the proof is to show that
whenever all the prefixed formulas on a tableau branch are satisfiable, any
application of a rule results in at least one extended branch that is also satis-
fiable. Since closed branches are unsatisfiable, any tableau for a satisfiable set
of prefixed formulas must have at least one open branch.
In order to apply this strategy in the modal case, we have to extend our
definition of “satisfiable” to modal modals and prefixes. With that in hand,
however, the proof is straightforward.

Definition 54.3. Let P be some set of prefixes, i.e., P ⊆ (Z+ )∗ \ {Λ} and let M
be a model. A function f : P → W is an interpretation of P in M if, whenever σ
and σ.n are both in P, then R f (σ ) f (σ.n).
Relative to an interpretation of prefixes P we can define:

1. M satisfies σ T φ iff M, f (σ ) ⊩ φ.

764 Release : d3a1905 (2022-12-19)

54.4. SOUNDNESS FOR K

2. M satisfies σ F φ iff M, f (σ) ⊮ φ.

Definition 54.4. Let Γ be a set of prefixed formulas, and let P( Γ ) be the set of
prefixes that occur in it. If f is an interpretation of P( Γ ) in M, we say that M
satisfies Γ with respect to f , M, f ⊩ Γ, if M satisfies every prefixed formula
in Γ with respect to f . Γ is satisfiable iff there is a model M and interpretation f
of P( Γ ) such that M, f ⊩ Γ.

Proposition 54.5. If Γ contains both σ T φ and σ F φ, for some formula φ and pre-
fix σ, then Γ is unsatisfiable.

Proof. There cannot be a model M and interpretation f of P( Γ ) such that both

M, f (σ ) ⊩ φ and M, f (σ ) ⊮ φ.

Theorem 54.6 (Soundness). If Γ has a closed tableau, Γ is unsatisfiable.

Proof. We call a branch of a tableau satisfiable iff the set of signed formulas
on it is satisfiable, and let’s call a tableau satisfiable if it contains at least one
satisfiable branch.
We show the following: Extending a satisfiable tableau by one of the rules
of inference always results in a satisfiable tableau. This will prove the theo-
rem: any closed tableau results by applying rules of inference to the tableau
consisting only of assumptions from Γ. So if Γ were satisfiable, any tableau
for it would be satisfiable. A closed tableau, however, is clearly not satisfiable,
since all its branches are closed and closed branches are unsatisfiable.
Suppose we have a satisfiable tableau, i.e., a tableau with at least one sat-
isfiable branch. Applying a rule of inference either adds signed formulas to a
branch, or splits a branch in two. If the tableau has a satisfiable branch which
is not extended by the rule application in question, it remains a satisfiable
branch in the extended tableau, so the extended tableau is satisfiable. So we
only have to consider the case where a rule is applied to a satisfiable branch.
Let Γ be the set of signed formulas on that branch, and let σ S φ ∈ Γ be
the signed formula to which the rule is applied. If the rule does not result in a
split branch, we have to show that the extended branch, i.e., Γ together with
the conclusions of the rule, is still satisfiable. If the rule results in split branch,
we have to show that at least one of the two resulting branches is satisfiable.
First, we consider the possible inferences with only one premise.

1. The branch is expanded by applying ¬T to σ T ¬ψ ∈ Γ. Then the ex-

tended branch contains the signed formulas Γ ∪ {σ F ψ}. Suppose M, f ⊩
Γ. In particular, M, f (σ ) ⊩ ¬ψ. Thus, M, f (σ ) ⊮ ψ, i.e., M satisfies σ F ψ
with respect to f .

2. The branch is expanded by applying ¬F to σ F ¬ψ ∈ Γ: Exercise.

Release : d3a1905 (2022-12-19) 765

 CHAPTER 54. MODAL TABLEAUX

3. The branch is expanded by applying ∧T to σ Tψ ∧ χ ∈ Γ, which re-

sults in two new signed formulas on the branch: σ Tψ and σ Tχ. Sup-
pose M, f ⊩ Γ, in particular M, f (σ ) ⊩ ψ ∧ χ. Then M, f (σ ) ⊩ ψ and
M, f (σ ) ⊩ χ. This means that M satisfies both σ Tψ and σ Tχ with re-
spect to f .

4. The branch is expanded by applying ∨F to F ψ ∨ χ ∈ Γ: Exercise.

5. The branch is expanded by applying →F to σ F ψ → χ ∈ Γ: This re-

sults in two new signed formulas on the branch: σ Tψ and σ F χ. Sup-
pose M, f ⊩ Γ, in particular M, f (σ) ⊮ ψ → χ. Then M, f (σ ) ⊩ ψ and
M, f (σ ) ⊮ χ. This means that M, f satisfies both σ Tψ and σ F χ.

6. The branch is expanded by applying □T to σ T□ψ ∈ Γ: This results in

a new signed formula σ.n Tψ on the branch, for some σ.n ∈ P( Γ ) (since
σ.n must be used). Suppose M, f ⊩ Γ, in particular, M, f (σ ) ⊩ □ψ. Since
f is an interpretation of prefixes and both σ, σ.n ∈ P( Γ ), we know that
R f (σ ) f (σ.n). Hence, M, f (σ.n) ⊩ ψ, i.e., M, f satisfies σ.n Tψ.

7. The branch is expanded by applying □F to σ F □ψ ∈ Γ: This results in

a new signed formula σ.n F φ, where σ.n is a new prefix on the branch,
i.e., σ.n ∈
/ P( Γ ). Since Γ is satisfiable, there is a M and interpretation f of
P( Γ ) such that M, f ⊨ Γ, in particular M, f (σ) ⊮ □ψ. We have to show
that Γ ∪ {σ.n F ψ} is satisfiable. To do this, we define an interpretation
of P( Γ ) ∪ {σ.n} as follows:
Since M, f (σ ) ⊮ □ψ, there is a w ∈ W such that R f (σ )w and M, w ⊮ ψ.
Let f ′ be like f , except that f ′ (σ.n) = w. Since f ′ (σ ) = f (σ ) and R f (σ )w,
we have R f ′ (σ ) f ′ (σ.n), so f ′ is an interpretation of P( Γ ) ∪ {σ.n}. Ob-
viously M, f ′ (σ.n) ⊮ ψ. Since f (σ′ ) = f ′ (σ′ ) for all prefixes σ′ ∈ P( Γ ),
M, f ′ ⊩ Γ. So, M, f ′ satisfies Γ ∪ {σ.n F ψ}.

Now let’s consider the possible inferences with two premises.

1. The branch is expanded by applying ∧F to σ F ψ ∧ χ ∈ Γ, which results

in two branches, a left one continuing through σ F ψ and a right one
through σ F χ. Suppose M, f ⊩ Γ, in particular M, f (σ ) ⊮ ψ ∧ χ. Then
M, f (σ) ⊮ ψ or M, f (σ ) ⊮ χ. In the former case, M, f satisfies σ F ψ,
i.e., the left branch is satisfiable. In the latter, M, f satisfies σ F χ, i.e., the
right branch is satisfiable.

2. The branch is expanded by applying ∨T to σ Tψ ∨ χ ∈ Γ: Exercise.

3. The branch is expanded by applying →T to σ Tψ → χ ∈ Γ: Exercise.

Corollary 54.7. If Γ ⊢ φ then Γ ⊨ φ.

766 Release : d3a1905 (2022-12-19)

54.5. RULES FOR OTHER ACCESSIBILITY RELATIONS

σ T□φ σ F ♢φ
T□ T♢
σ Tφ σFφ

σ T□φ σ F ♢φ
D□ D♢
σ T♢φ σ F □φ

σ.n T□φ σ.n F ♢φ

B□ B♢
σ Tφ σFφ

σ T□φ σ F ♢φ
4□ 4♢
σ.n T□φ σ.n F ♢φ

σ.n is used σ.n is used

σ.n T□φ σ.n F ♢φ

4r□ 4r♢
σ T□φ σ F ♢φ

Table 54.3: More modal rules.

Proof. If Γ ⊢ φ then for some ψ1 , . . . , ψn ∈ Γ, ∆ = {1 F φ, 1 Tψ1 , . . . , 1 Tψn }

has a closed tableau. We want to show that Γ ⊨ φ. Suppose not, so for some
M and w, M, w ⊩ ψi for i = 1, . . . , n, but M, w ⊮ φ. Let f (1) = w; then f is
an interpretation of P(∆) into M, and M satisfies ∆ with respect to f . But by
Theorem 54.6, ∆ is unsatisfiable since it has a closed tableau, a contradiction.
So we must have Γ ⊢ φ after all.

Corollary 54.8. If ⊢ φ then φ is true in all models.

54.5 Rules for Other Accessibility Relations

In order to deal with logics determined by special accessibility relations, we

consider the additional rules in Table 54.3.
Adding these rules results in systems that are sound and complete for the
logics given in Table 54.4.

Example 54.9. We give a closed tableau that shows S5 ⊢ 5, i.e., □φ → □♢φ.

Release : d3a1905 (2022-12-19) 767

 CHAPTER 54. MODAL TABLEAUX

Logic R is . . . Rules
T = KT reflexive T□, T♢
D = KD serial D□, D♢
K4 transitive 4□, 4♢
B = KTB reflexive, T□, T♢
symmetric B□, B♢
S4 = KT4 reflexive, T□, T♢,
transitive 4□, 4♢
S5 = KT4B reflexive, T□, T♢,
transitive, 4□, 4♢,
euclidean 4r□, 4r♢

Table 54.4: Tableau rules for various modal logics.

1. 1 F □φ → □♢φ Assumption
2. 1 T □φ →F 1
3. 1 F □♢φ →F 1
4. 1.1 F ♢φ □F 3
5. 1 F ♢φ 4r♢ 4
6. 1.1 F φ ♢F 5
7. 1.1 T φ □T 2
⊗

54.6 Soundness for Additional Rules

We say a rule is sound for a class of models if, whenever a branch in a tableau
is satisfiable in a model from that class, the branch resulting from applying
the rule is also satisfiable in a model from that class.

Proposition 54.10. T□ and T♢ are sound for reflexive models.

Proof. 1. The branch is expanded by applying T□ to σ T□ψ ∈ Γ: This re-

sults in a new signed formula σ Tψ on the branch. Suppose M, f ⊩ Γ, in
particular, M, f (σ ) ⊩ □ψ. Since R is reflexive, we know that R f (σ) f (σ ).
Hence, M, f (σ ) ⊩ ψ, i.e., M, f satisfies σ Tψ.

2. The branch is expanded by applying T♢ to σ F ♢ψ ∈ Γ: Exercise.

Proposition 54.11. D□ and D♢ are sound for serial models.

Proof. 1. The branch is expanded by applying D□ to σ T□ψ ∈ Γ: This

results in a new signed formula σ T♢ψ on the branch. Suppose M, f ⊩
Γ, in particular, M, f (σ ) ⊩ □ψ. Since R is serial, there is a w ∈ W such

768 Release : d3a1905 (2022-12-19)

54.6. SOUNDNESS FOR ADDITIONAL RULES

that R f (σ )w. Then M, w ⊩ ψ, and hence M, f (σ ) ⊩ ♢ψ. So, M, f satisfies

σ T♢ψ.

2. The branch is expanded by applying D♢ to σ F ♢ψ ∈ Γ: Exercise.

Proposition 54.12. B□ and B♢ are sound for symmetric models.

Proof. 1. The branch is expanded by applying B□ to σ.n T□ψ ∈ Γ: This

results in a new signed formula σ Tψ on the branch. Suppose M, f ⊩ Γ,
in particular, M, f (σ.n) ⊩ □ψ. Since f is an interpretation of prefixes on
the branch into M, we know that R f (σ) f (σ.n). Since R is symmetric,
R f (σ.n) f (σ). Since M, f (σ.n) ⊩ □ψ, M, f (σ) ⊩ ψ. Hence, M, f satisfies
σ Tψ.

2. The branch is expanded by applying B♢ to σ.n F ♢ψ ∈ Γ: Exercise.

Proposition 54.13. 4□ and 4♢ are sound for transitive models.

Proof. 1. The branch is expanded by applying 4□ to σ T□ψ ∈ Γ: This re-

sults in a new signed formula σ.n T□ψ on the branch. Suppose M, f ⊩
Γ, in particular, M, f (σ) ⊩ □ψ. Since f is an interpretation of prefixes on
the branch into M and σ.n must be used, we know that R f (σ ) f (σ.n).
Now let w be any world such that R f (σ.n)w. Since R is transitive,
R f (σ )w. Since M, f (σ ) ⊩ □ψ, M, w ⊩ ψ. Hence, M, f (σ.n) ⊩ □ψ,
and M, f satisfies σ.n T□ψ.

2. The branch is expanded by applying 4♢ to σ F ♢ψ ∈ Γ: Exercise.

Proposition 54.14. 4r□ and 4r♢ are sound for euclidean models.

Proof. 1. The branch is expanded by applying 4r□ to σ.n T□ψ ∈ Γ: This re-
sults in a new signed formula σ T□ψ on the branch. Suppose M, f ⊩ Γ,
in particular, M, f (σ.n) ⊩ □ψ. Since f is an interpretation of prefixes on
the branch into M, we know that R f (σ ) f (σ.n). Now let w be any world
such that R f (σ )w. Since R is euclidean, R f (σ.n)w. Since M, f (σ ).n ⊩
□ψ, M, w ⊩ ψ. Hence, M, f (σ ) ⊩ □ψ, and M, f satisfies σ T□ψ.

2. The branch is expanded by applying 4r♢ to σ.n F ♢ψ ∈ Γ: Exercise.

Corollary 54.15. The tableau systems given in Table 54.4 are sound for the respective
classes of models.

Release : d3a1905 (2022-12-19) 769

 CHAPTER 54. MODAL TABLEAUX

n T□φ n F □φ
□T □F
m Tφ mFφ

m is used m is new

n T♢φ n F ♢φ
♢T ♢F
m Tφ mFφ

m is new m is used

Table 54.5: Simplified rules for S5.

54.7 Simple Tableaux for S5

S5 is sound and complete with respect to the class of universal models, i.e.,
models where every world is accessible from every world. In universal mod-
els the accessibility relation doesn’t matter: “there is a world w where M, w ⊩
φ” is true if and only if there is such a w that’s accessible from u. So in S5, we
can define models as simply a set of worlds and a valuation V. This suggests
that we should be able to simplify the tableau rules as well. In the general
case, we take as prefixes sequences of positive integers, so that we can keep
track of which such prefixes name worlds which are accessible from others:
σ.n names a world accessible from σ. But in S5 any world is accessible from
any world, so there is no need to so keep track. Instead, we can use positive
integers as prefixes. The simplified rules are given in Table 54.5.

Example 54.16. We give a simplified closed tableau that shows S5 ⊢ 5, i.e.,

♢φ → □♢φ.

1. 1 F ♢φ → □♢φ Assumption
2. 1 T ♢φ →F 1
3. 1 F □♢φ →F 1
4. 2 F ♢φ □F 3
5. 3T φ ♢T 2
6. 3F φ ♢F 4
⊗

770 Release : d3a1905 (2022-12-19)

54.8. COMPLETENESS FOR K

54.8 Completeness for K

To show that the method of tableaux is complete, we have to show that when-
ever there is no closed tableau to show Γ ⊢ φ, then Γ ⊭ φ, i.e., there is a
countermodel. But “there is no closed tableau” means that every way we
could try to construct one has to fail to close. The trick is to see that if ev-
ery such way fails to close, then a specific, systematic and exhaustive way also
fails to close. And this systematic and exhaustive way would close if a closed
tableau exists. The single tableau will contain, among its open branches, all
the information required to define a countermodel. The countermodel given
by an open branch in this tableau will contain the all the prefixes used on that
branch as the worlds, and a propositional variable p is true at σ iff σ T p occurs
on the branch.

Definition 54.17. A branch in a tableau is called complete if, whenever it con-

tains a prefixed formula σ S φ to which a rule can be applied, it also contains

1. the prefixed formulas that are the corresponding conclusions of the rule,
in the case of propositional stacking rules;

2. one of the corresponding conclusion formulas in the case of proposi-

tional branching rules;

3. at least one possible conclusion in the case of modal rules that require a
new prefix;

4. the corresponding conclusion for every prefix occurring on the branch

in the case of modal rules that require a used prefix.

For instance, a complete branch contains σ Tψ and σ Tχ whenever it con-

tains Tψ ∧ χ. If it contains σ Tψ ∨ χ it contains at least one of σ F ψ and σ Tχ.
If it contains σ F □ it also contains σ.n F □ for at least one n. And whenever it
contains σ T□ it also contains σ.n T□ for every n such that σ.n is used on the
branch.

Proposition 54.18. Every finite Γ has a tableau in which every branch is complete.

Proof. Consider an open branch in a tableau for Γ. There are finitely many
prefixed formulas in the branch to which a rule could be applied. In some
fixed order (say, top to bottom), for each of these prefixed formulas for which
the conditions (1)–(4) do not already hold, apply the rules that can be applied
to it to extend the branch. In some cases this will result in branching; apply
the rule at the tip of each resulting branch for all remaining prefixed formu-
las. Since the number of prefixed formulas is finite, and the number of used
prefixes on the branch is finite, this procedure eventually results in (possibly
many) branches extending the original branch. Apply the procedure to each,
and repeat. But by construction, every branch is closed.

Release : d3a1905 (2022-12-19) 771

 CHAPTER 54. MODAL TABLEAUX

Theorem 54.19 (Completeness). If Γ has no closed tableau, Γ is satisfiable.

Proof. By the proposition, Γ has a tableau in which every branch is complete.

Since it has no closed tableau, it thas has a tableau in which at least one branch
is open and complete. Let ∆ be the set of prefixed formulas on the branch, and
P(∆) the set of prefixes occurring in it.
We define a model M(∆) = ⟨ P(∆), R, V ⟩ where the worlds are the prefixes
occurring in ∆, the accessibility relation is given by:

Rσσ′ iff σ′ = σ.n for some n

and
V ( p) = {σ : σ T p ∈ ∆}.
We show by induction on φ that if σ T φ ∈ ∆ then M(∆), σ ⊩ φ, and if σ F φ ∈ ∆
then M(∆), σ ⊮ φ.

1. φ ≡ p: If σ T φ ∈ ∆ then σ ∈ V ( p) (by definition of V) and so M(∆), σ ⊩

φ.
If σ F φ ∈ ∆ then σ T φ ∈
/ ∆, since the branch would otherwise be closed.
So σ ∈/ V ( p) and thus M(∆), σ ⊮ φ.

2. φ ≡ ¬ψ: If σ T φ ∈ ∆, then σ F ψ ∈ ∆ since the branch is complete. By

induction hypothesis, M(∆), σ ⊮ ψ and thus M(∆), σ ⊩ φ.
If σ F φ ∈ ∆, then σ Tψ ∈ ∆ since the branch is complete. By induction
hypothesis, M(∆), σ ⊩ ψ and thus M(∆), σ ⊮ φ.

3. φ ≡ ψ ∧ χ: Exercise.

4. φ ≡ ψ ∨ χ: If σ T φ ∈ ∆, then either σ Tψ ∈ ∆ or σ Tχ ∈ ∆ since

the branch is complete. By induction hypothesis, either M(∆), σ ⊩ ψ or
M(∆), σ ⊩ χ. Thus M(∆), σ ⊩ φ.
If σ F φ ∈ ∆, then both σ F ψ ∈ ∆ and σ F χ ∈ ∆ since the branch is
complete. By induction hypothesis, both M(∆), σ ⊮ ψ and M(∆), σ ⊮ ψ.
Thus M(∆), σ ⊮ φ.

5. φ ≡ ψ → χ: Exercise.

6. φ ≡ □ψ: If σ T φ ∈ ∆, then, since the branch is complete, σ.n Tψ ∈ ∆

for every σ.n used on the branch, i.e., for every σ′ ∈ P(∆) such that
Rσσ′ . By induction hypothesis, M(∆), σ′ ⊩ ψ for every σ′ such that
Rσσ′ . Therefore, M(∆), σ ⊩ φ.
If σ F φ ∈ ∆, then for some σ.n, σ.n F ψ ∈ ∆ since the branch is complete.
By induction hypothesis, M(∆), σ.n ⊮ ψ. Since Rσ (σ.n), there is a σ′
such that M(∆), σ′ ⊮ ψ. Thus M(∆), σ ⊮ φ.

772 Release : d3a1905 (2022-12-19)

54.9. COUNTERMODELS FROM TABLEAUX

7. φ ≡ ♢ψ: Exercise.

Since Γ ⊆ ∆, M(∆) ⊩ Γ.

Corollary 54.20. If Γ ⊨ φ then Γ ⊢ φ.

Corollary 54.21. If φ is true in all models, then ⊢ φ.

54.9 Countermodels from Tableaux

The proof of the completeness theorem doesn’t just show that if ⊨ φ then
⊢ φ, it also gives us a method for constructing countermodels to φ if ⊭ A.
In the case of K, this method constitutes a decision procedure. For suppose
⊭ φ. Then the proof of Proposition 54.18 gives a method for constructing a
complete tableau. The method in fact always terminates. The propositional
rules for K only add prefixed formulas of lower complexity, i.e., each propo-
sitional rule need only be applied once on a branch for any signed formula
σ S φ. New prefixes are only generated by the □F and ♢T rules, and also only
have to be applied once (and produce a single new prefix). □T and ♢F have
to be applied potentially multiple times, but only once per prefix, and only
finitely many new prefixes are generated. So the construction either results in
a closed branch or a complete branch after finitely many stages.
Once a tableau with an open complete branch is constructed, the proof
of Theorem 54.19 gives us an explict model that satisfies the original set of
prefixed formulas. So not only is it the case that if Γ ⊨ φ, then a closed tableau
exists and Γ ⊢ φ, if we look for the closed tableau in the right way and end
up with a “complete” tableau, we’ll not only know that Γ ⊭ φ but actually be
able to construct a countermodel.

Example 54.22. We know that ⊬ □( p ∨ q) → (□p ∨ □q). The construction of a

tableau begins with:

1. 1 F □( p ∨ q) → (□p ∨ □q) ✓ Assumption

2. 1 T □( p ∨ q ) →F 1
3. 1 F □p ∨ □q ✓ →F 1
4. 1 F □p ✓ ∨F 3
5. 1 F □q ✓ ∨F 3
6. 1.1 F p ✓ □F 4
7. 1.2 F q ✓ □F 5

The tableau is of course not finished yet. In the next step, we consider the
only line without a checkmark: the prefixed formula 1 T□( p ∨ q) on line 2.
The construction of the closed tableau says to apply the □T rule for every
prefix used on the branch, i.e., for both 1.1 and 1.2:

Release : d3a1905 (2022-12-19) 773

 CHAPTER 54. MODAL TABLEAUX

1. 1 F □( p ∨ q) → (□p ∨ □q) ✓ Assumption

2. 1 T □( p ∨ q ) →F 1
3. 1 F □p ∨ □q ✓ →F 1
4. 1 F □p ✓ ∨F 3
5. 1 F □q ✓ ∨F 3
6. 1.1 F p ✓ □F 4
7. 1.2 F q ✓ □F 5
8. 1.1 T p ∨ q □T 2
9. 1.2 T p ∨ q □T 2

Now lines 2, 8, and 9, don’t have checkmarks. But no new prefix has been
added, so we apply ∨T to lines 8 and 9, on all resulting branches (as long as
they don’t close):

1. 1 F □( p ∨ q) → (□p ∨ □q) ✓ Assumption

2. 1 T □( p ∨ q ) →F 1
3. 1 F □p ∨ □q ✓ →F 1
4. 1 F □p ✓ ∨F 3
5. 1 F □q ✓ ∨F 3
6. 1.1 F p ✓ □F 4
7. 1.2 F q ✓ □F 5
8. 1.1 T p ∨ q ✓ □T 2
9. 1.2 T p ∨ q ✓ □T 2

10. 1.1 T p ✓ 1.1 T q ✓ ∨T 8

11. ⊗ 1.2 T p ✓ 1.2 T q ✓ ∨T 9

⊗

There is one remaining open branch, and it is complete. From it we define the
model with worlds W = {1, 1.1, 1.2} (the only prefixes appearing on the open
branch), the accessibility relation R = {⟨1, 1.1⟩, ⟨1, 1.2⟩}, and the assignment
V ( p) = {1.2} (because line 11 contains 1.2 T p) and V (q) = {1.1} (because
line 10 contains 1.1 Tq). The model is pictured in Figure 54.1, and you can
verify that it is a countermodel to □( p ∨ q) → (□p ∨ □q).

Problems
Problem 54.1. Find closed tableaux in K for the following formulas:

1. □¬ p → □( p → q)

2. (□p ∨ □q) → □( p ∨ q)

774 Release : d3a1905 (2022-12-19)

54.9. COUNTERMODELS FROM TABLEAUX

¬p p
1.1 q 1.2 ¬q

¬p
1 ¬q

Figure 54.1: A countermodel to □( p ∨ q) → (□p ∨ □q).

3. ♢p → ♢( p ∨ q)

4. □( p ∧ q) → □p

Problem 54.2. Complete the proof of Theorem 54.6.

Problem 54.3. Give closed tableaux that show the following:

1. KT5 ⊢ B;

2. KT5 ⊢ 4;

3. KDB4 ⊢ T;

4. KB4 ⊢ 5;

5. KB5 ⊢ 4;

6. KT ⊢ D.

Problem 54.4. Complete the proof of Proposition 54.10

Problem 54.5. Complete the proof of Proposition 54.11

Problem 54.6. Complete the proof of Proposition 54.12

Problem 54.7. Complete the proof of Proposition 54.13

Problem 54.8. Complete the proof of Proposition 54.14

Problem 54.9. Complete the proof of Theorem 54.19.

Release : d3a1905 (2022-12-19) 775

 Part XII

Intuitionistic Logic

776
54.9. COUNTERMODELS FROM TABLEAUX

This is a brief introduction to intuitionistic logic produced by Zesen

Qian and revised by RZ. It is not yet well integrated with the rest of the
text and needs examples and motivations.

Release : d3a1905 (2022-12-19) 777

Chapter 55

Introduction

55.1 Constructive Reasoning

In contrast to extensions of classical logic by modal operators or second-order

quantifiers, intuitionistic logic is “non-classical” in that it restricts classical
logic. Classical logic is non-constructive in various ways. Intuitionistic logic
is intended to capture a more “constructive” kind of reasoning characteristic
of a kind of constructive mathematics. The following examples may serve to
illustrate some of the underlying motivations.
Suppose someone claimed that they had determined a natural number n
with the property that if n is even, the Riemann hypothesis is true, and if n
is odd, the Riemann hypothesis is false. Great news! Whether the Riemann
hypothesis is true or not is one of the big open questions of mathematics, and
they seem to have reduced the problem to one of calculation, that is, to the
determination of whether a specific number is even or not.
What is the magic value of n? They describe it as follows: n is the natural
number that is equal to 2 if the Riemann hypothesis is true, and 3 otherwise.
Angrily, you demand your money back. From a classical point of view, the
description above does in fact determine a unique value of n; but what you
really want is a value of n that is given explicitly.
To take another, perhaps less contrived example, consider the following
question. We know that it is possible to raise an irrational number to a rational
√ 2
power, and get a rational result. For example, 2 = 2. What is less clear
is whether or not it is possible to raise an irrational number to an irrational
power, and get a rational result. The following theorem answers this in the
affirmative:

Theorem 55.1. There are irrational numbers a and b such that ab is rational.

778
55.2. SYNTAX OF INTUITIONISTIC LOGIC

√ √2 √
Proof. Consider 2 . If this is rational, we are done: we can let a = b = 2.
Otherwise, it is irrational. Then we have
√ √2 √ √ √2· √2 √ 2
( 2 ) 2= 2 = 2 = 2,
√
√ 2 √
which is rational. So, in this case, let a be 2 , and let b be 2.

Does this constitute a valid proof? Most mathematicians feel that it does.
But again, there is something a little bit unsatisfying here: we have proved the
existence of a pair of real numbers with a certain property, without being able
to say which pair of numbers it is. It is possible to prove the √
same result, but in
such a way that the pair a, b is given in the proof: take a = 3 and b = log3 4.
Then √ log 4
ab = 3 3 = 31/2·log3 4 = (3log3 4 )1/2 = 41/2 = 2,
since 3log3 x = x.
Intuitionistic logic is designed to capture a kind of reasoning where moves
like the one in the first proof are disallowed. Proving the existence of an x
satisfying φ( x ) means that you have to give a specific x, and a proof that it
satisfies φ, like in the second proof. Proving that φ or ψ holds requires that
you can prove one or the other.
Formally speaking, intuitionistic logic is what you get if you restrict a deriva-
tion system for classical logic in a certain way. From the mathematical point
of view, these are just formal deductive systems, but, as already noted, they
are intended to capture a kind of mathematical reasoning. One can take this
to be the kind of reasoning that is justified on a certain philosophical view of
mathematics (such as Brouwer’s intuitionism); one can take it to be a kind of
mathematical reasoning which is more “concrete” and satisfying (along the
lines of Bishop’s constructivism); and one can argue about whether or not
the formal description captures the informal motivation. But whatever philo-
sophical positions we may hold, we can study intuitionistic logic as a formally
presented logic; and for whatever reasons, many mathematical logicians find
it interesting to do so.

55.2 Syntax of Intuitionistic Logic

The syntax of intuitionistic logic is the same as that for propositional logic. In
classical propositional logic it is possible to define connectives by others, e.g.,
one can define φ → ψ by ¬ φ ∨ ψ, or φ ∨ ψ by ¬(¬ φ ∧ ¬ψ). Thus, presentations
of classical logic often introduce some connectives as abbreviations for these
definitions. This is not so in intuitionistic logic, with two exceptions: ¬ φ can
be—and often is—defined as an abbreviation for φ → ⊥. Then, of course, ⊥
must not itself be defined! Also, φ ↔ ψ can be defined, as in classical logic, as
( φ → ψ ) ∧ ( ψ → φ ).

Release : d3a1905 (2022-12-19) 779

 CHAPTER 55. INTRODUCTION

Formulas of propositional intuitionistic logic are built up from propositional

variables and the propositional constant ⊥ using logical connectives. We have:

1. A denumerable set At0 of propositional variables p0 , p1 , . . .

2. The propositional constant for falsity ⊥.

3. The logical connectives: ∧ (conjunction), ∨ (disjunction), → (conditional)

4. Punctuation marks: (, ), and the comma.

Definition 55.2 (Formula). The set Frm(L0 ) of formulas of propositional intu-

itionistic logic is defined inductively as follows:

1. ⊥ is an atomic formula.

2. Every propositional variable pi is an atomic formula.

3. If φ and ψ are formulas, then ( φ ∧ ψ) is a formula.

4. If φ and ψ are formulas, then ( φ ∨ ψ) is a formula.

5. If φ and ψ are formulas, then ( φ → ψ) is a formula.

6. Nothing else is a formula.

In addition to the primitive connectives introduced above, we also use

the following defined symbols: ¬ (negation) and ↔ (biconditional). Formulas
constructed using the defined operators are to be understood as follows:

1. ¬ φ abbreviates φ → ⊥.

2. φ ↔ ψ abbreviates ( φ → ψ) ∧ (ψ → φ).

Although ¬ is officially treated as an abbreviation, we will sometimes give

explicit rules and clauses in definitions for ¬ as if it were primitive. This is
mostly so we can state practice problems.

55.3 The Brouwer-Heyting-Kolmogorov Interpretation

Proofs of validity of intuitionistic propositions using the BHK inter-

pretation are confusing; they have to be explained better.

780 Release : d3a1905 (2022-12-19)

55.3. THE BROUWER-HEYTING-KOLMOGOROV INTERPRETATION

There is an informal constructive interpretation of the intuitionist connectives,

usually known as the Brouwer-Heyting-Kolmogorov interpretation. It uses
the notion of a “construction,” which you may think of as a constructive proof.
(We don’t use “proof” in the BHK interpretation so as not to get confused with
the notion of a derivation in a formal derivation system.) Based on this intu-
itive notion, the BHK interpretation explains the meanings of the intuitionistic
connectives.

1. We assume that we know what constitutes a construction of an atomic

statement.

2. A construction of φ1 ∧ φ2 is a pair ⟨ M1 , M2 ⟩ where M1 is a construction

of φ1 and M2 is a construction of φ2 .

3. A construction of φ1 ∨ φ2 is a pair ⟨s, M ⟩ where s is 1 and M is a con-

struction of φ1 , or s is 2 and M is a construction of φ2 .

4. A construction of φ → ψ is a function that converts a construction of φ

into a construction of ψ.

5. There is no construction for ⊥ (absurdity).

6. ¬ φ is defined as synonym for φ → ⊥. That is, a construction of ¬ φ is a

function converting a construction of φ into a construction of ⊥.

Example 55.3. Take ¬⊥ for example. A construction of it is a function which,

given any construction of ⊥ as input, provides a construction of ⊥ as output.
Obviously, the identity function Id is such a construction: given a construc-
tion M of ⊥, Id ( M) = M yields a construction of ⊥.

Generally speaking, ¬ φ means “A construction of φ is impossible”.

Example 55.4. Let us prove φ → ¬¬ φ for any proposition φ, which is φ →

(( φ → ⊥) → ⊥). The construction should be a function f that, given a con-
struction M of φ, returns a construction f ( M) of ( φ → ⊥) → ⊥. Here is how f
constructs the construction of ( φ → ⊥) → ⊥: We have to define a function g
which, when given a construction h of φ → ⊥ as input, outputs a construction
of ⊥. We can define g as follows: apply the input h to the construction M of
φ (that we received earlier). Since the output h( M) of h is a construction of ⊥,
f ( M )(h) = h( M) is a construction of ⊥ if M is a construction of φ.

Example 55.5. Let us give a construction for ¬( φ ∧ ¬ φ), i.e., ( φ ∧ ( φ → ⊥)) →

⊥. This is a function f which, given as input a construction M of φ ∧ ( φ → ⊥),
yields a construction of ⊥. A construction of a conjunction ψ1 ∧ ψ2 is a pair
⟨ N1 , N2 ⟩ where N1 is a construction of ψ1 and N2 is a construction of ψ2 . We

Release : d3a1905 (2022-12-19) 781

 CHAPTER 55. INTRODUCTION

can define functions p1 and p2 which recover from a construction of ψ1 ∧ ψ2

the constructions of ψ1 and ψ2 , respectively:

p1 (⟨ N1 , N2 ⟩) = N1
p2 (⟨ N1 , N2 ⟩) = N2

Here is what f does: First it applies p1 to its input M. That yields a con-
struction of φ. Then it applies p2 to M, yielding a construction of φ → ⊥.
Such a construction, in turn, is a function p2 ( M) which, if given as input a
construction of φ, yields a construction of ⊥. In other words, if we apply
p2 ( M) to p1 ( M), we get a construction of ⊥. Thus, we can define f ( M ) =
p2 ( M )( p1 ( M)).

Example 55.6. Let us give a construction of (( φ ∧ ψ) → χ) → ( φ → (ψ → χ)),

i.e., a function f which turns a construction g of ( φ ∧ ψ) → χ into a construc-
tion of ( φ → (ψ → χ)). The construction g is itself a function (from construc-
tions of φ ∧ ψ to constructions of C). And the output f ( g) is a function h g from
constructions of φ to functions from constructions of ψ to constructions of χ.
Ok, this is confusing. We have to construct a certain function h g , which
will be the output of f for input g. The input of h g is a construction M of φ.
The output of h g ( M ) should be a function k M from constructions N of ψ to
constructions of χ. Let k g,M ( N ) = g(⟨ M, N ⟩). Remember that ⟨ M, N ⟩ is a con-
struction of φ ∧ ψ. So k g,M is a construction of ψ → χ: it maps constructions N
of ψ to constructions of χ. Now let h g ( M) = k g,M . That’s a function that
maps constructions M of φ to constructions k g,M of ψ → χ. Now let f ( g) = h g .
That’s a function that maps constructions g of ( φ ∧ ψ) → χ to constructions of
φ → (ψ → χ). Whew!

The statement φ ∨ ¬ φ is called the Law of Excluded Middle. We can prove

it for some specific φ (e.g., ⊥ ∨ ¬⊥), but not in general. This is because the
intuitionistic disjunction requires a construction of one of the disjuncts, but
there are statements which currently can neither be proved nor refuted (say,
Goldbach’s conjecture). However, you can’t refute the law of excluded middle
either: that is, ¬¬( φ ∨ ¬ φ) holds.

Example 55.7. To prove ¬¬( φ ∨ ¬ φ), we need a function f that transforms

a construction of ¬( φ ∨ ¬ φ), i.e., of ( φ ∨ ( φ → ⊥)) → ⊥, into a construction
of ⊥. In other words, we need a function f such that f ( g) is a construction
of ⊥ if g is a construction of ¬( φ ∨ ¬ φ).
Suppose g is a construction of ¬( φ ∨ ¬ φ), i.e., a function that transforms a
construction of φ ∨ ¬ φ into a construction of ⊥. A construction of φ ∨ ¬ φ is a
pair ⟨s, M ⟩ where either s = 1 and M is a construction of φ, or s = 2 and M is
a construction of ¬ φ. Let h1 be the function mapping a construction M1 of φ
to a construction of φ ∨ ¬ φ: it maps M1 to ⟨1, M2 ⟩. And let h2 be the function

782 Release : d3a1905 (2022-12-19)

55.4. NATURAL DEDUCTION

mapping a construction M2 of ¬ φ to a construction of φ ∨ ¬ φ: it maps M2 to

⟨2, M2 ⟩.
Let k be g ◦ h1 : it is a function which, if given a construction of φ, returns a
construction of ⊥, i.e., it is a construction of φ → ⊥ or ¬ φ. Now let l be g ◦ h2 .
It is a function which, given a construction of ¬ φ, provides a construction
of ⊥. Since k is a construction of ¬ φ, l (k) is a construction of ⊥.
Together, what we’ve done is describe how we can turn a construction g
of ¬( φ ∨ ¬ φ) into a construction of ⊥, i.e., the function f mapping a con-
struction g of ¬( φ ∨ ¬ φ) to the construction l (k ) of ⊥ is a construction of
¬¬( φ ∨ ¬ φ).

As you can see, using the BHK interpretation to show the intuitionistic
validity of formulas quickly becomes cumbersome and confusing. Luckily,
there are better derivation systems for intuitionistic logic, and more precise
semantic interpretations.

55.4 Natural Deduction

Natural deduction without the ⊥C rules is a standard derivation system for
intuitionistic logic. We repeat the rules here and indicate the motivation using
the BHK interpretation. In each case, we can think of a rule which allows us
to conclude that if the premises have constructions, so does the conclusion.
Since natural deduction derivations have undischarged assumptions, we
should consider such a derivation, say, of φ from undischarged assumptions Γ,
as a function that turns constructions of all ψ ∈ Γ into a construction of φ. If
there is a derivation of φ from no undischarged assumptions, then there is a
construction of φ in the sense of the BHK interpretation. For the purpose of
the discussion, however, we’ll suppress the Γ when not needed.
An assumption φ by itself is a derivation of φ from the undischarged as-
sumption φ. This agrees with the BHK-interpretation: the identity function
on constructions turns any construction of φ into a construction of φ.

Conjunction

φ∧ψ
φ ∧Elim
φ ψ
∧Intro
φ∧ψ φ∧ψ
ψ
∧Elim

Suppose we have constructions N1 , N2 of φ1 and φ2 , respectively. Then we

also have a construction φ1 ∧ φ2 , namely the pair ⟨ N1 , N2 ⟩.

Release : d3a1905 (2022-12-19) 783

 CHAPTER 55. INTRODUCTION

A construction of φ1 ∧ φ1 on the BHK interpretation is a pair ⟨ N1 , N2 ⟩.

So assume we have such a pair. Then we also have a construction of each
conjunct: N1 is a construction of φ1 and N2 is a construction of φ2 .

Conditional

[ φ]u
φ→ψ φ
ψ
→Elim
ψ
u →Intro
φ→ψ

If we have a derivation of ψ from undischarged assumption φ, then there is

a function f that turns constructions of φ into constructions of ψ. That same
function is a construction of φ → ψ. So, if the premise of →Intro has a con-
struction conditional on a construction of φ, the conclusion φ → ψ has a con-
struction.
On the other hand, suppose there are constructions N of φ and f of φ → ψ.
A construction of φ → ψ is a function that turns constructions of φ into con-
structions of ψ. So, f ( N ) is a construction of ψ, i.e., the conclusion of →Elim
has a construction.

Disjunction

φ [ φ]n [ψ]n
∨Intro
φ∨ψ
ψ
∨Intro φ∨ψ χ χ
φ∨ψ n ∨Elim
χ

If we have a construction Ni of φi we can turn it into a construction ⟨i, Ni ⟩

of φ1 ∨ φ2 . On the other hand, suppose we have a construction of φ1 ∨ φ2 , i.e.,
a pair ⟨i, Ni ⟩ where Ni is a construction of φi , and also functions f 1 , f 2 , which
turn constructions of φ1 , φ2 , respectively, into constructions of χ. Then f i ( Ni )
is a construction of χ, the conclusion of ∨Elim.

784 Release : d3a1905 (2022-12-19)

55.4. NATURAL DEDUCTION

Absurdity

⊥ ⊥
φ I

If we have a derivation of ⊥ from undischarged assumptions ψ1 , . . . , ψn , then

there is a function f ( M1 , . . . , Mn ) that turns constructions of ψ1 , . . . , ψn into
a construction of ⊥. Since ⊥ has no construction, there cannot be any con-
structions of all of ψ1 , . . . , ψn either. Hence, f also has the property that if M1 ,
. . . , Mn are constructions of ψ1 , . . . , ψn , respectively, then f ( M1 , . . . , Mn ) is a
construction of φ.

Rules for ¬
Since ¬ φ is defined as φ → ⊥, we strictly speaking do not need rules for ¬.
But if we did, this is what they’d look like:

[ φ]n
¬φ φ
¬Elim
⊥
⊥
¬ φ ¬Intro
n

Examples of Derivations
1. ⊢ φ → (¬ φ → ⊥), i.e., ⊢ φ → (( φ → ⊥) → ⊥)

[ φ ]2 [ φ → ⊥]1
→Elim
⊥
1 →Intro
( φ → ⊥) → ⊥
2 →Intro
φ → ( φ → ⊥) → ⊥

2. ⊢ (( φ ∧ ψ) → χ) → ( φ → (ψ → χ))

[ φ ]2 [ ψ ]1
∧Intro
[( φ ∧ ψ) → χ]3 φ∧ψ
χ →Elim
1 →Intro
ψ→χ
2 →Intro
φ → (ψ → χ)
3 →Intro
(( φ ∧ ψ) → χ) → ( φ → (ψ → χ))

Release : d3a1905 (2022-12-19) 785

 CHAPTER 55. INTRODUCTION

3. ⊢ ¬( φ ∧ ¬ φ), i.e., ⊢ ( φ ∧ ( φ → ⊥)) → ⊥

[ φ ∧ ( φ → ⊥)]1 [ φ ∧ ( φ → ⊥)]1
∧Elim ∧Elim
φ→⊥ φ
→Elim
⊥
1 →Intro
( φ ∧ ( φ → ⊥)) → ⊥

4. ⊢ ¬¬( φ ∨ ¬ φ), i.e., ⊢ (( φ ∨ ( φ → ⊥)) → ⊥) → ⊥

[ φ ]1
∨Intro
[( φ ∨ ( φ → ⊥)) → ⊥]2 φ ∨ ( φ → ⊥)
→Elim
⊥
1 →Intro
φ→⊥
2 ∨Intro
[( φ ∨ ( φ → ⊥)) → ⊥] φ ∨ ( φ → ⊥)
→Elim
⊥
2 →Intro
(( φ ∨ ( φ → ⊥)) → ⊥) → ⊥

Proposition 55.8. If Γ ⊢ φ in intuitionistic logic, Γ ⊢ φ in classical logic. In

particular, if φ is an intuitionistic theorem, it is also a classical theorem.

Proof. Every natural deduction rule is also a rule in classical natural deduc-
tion, so every derivation in intuitionistic logic is also a derivation in classical
logic.

55.5 Axiomatic Derivations

Axiomatic derivations for intuitionistic propositional logic are the conceptu-
ally simplest, and historically first, derivation systems. They work just as in
classical propositional logic.

Definition 55.9 (Derivability). If Γ is a set of formulas of L then a derivation

from Γ is a finite sequence φ1 , . . . , φn of formulas where for each i ≤ n one of
the following holds:

1. φi ∈ Γ; or

2. φi is an axiom; or

3. φi follows from some φ j and φk with j < i and k < i by modus ponens,
i.e., φk ≡ φ j → φi .

786 Release : d3a1905 (2022-12-19)

55.5. AXIOMATIC DERIVATIONS

Definition 55.10 (Axioms). The set of Ax0 of axioms for the intuitionistic propo-
sitional logic are all formulas of the following forms:

( φ ∧ ψ) → φ (55.1)
( φ ∧ ψ) → ψ (55.2)
φ → (ψ → ( φ ∧ ψ)) (55.3)
φ → ( φ ∨ ψ) (55.4)
φ → (ψ ∨ φ) (55.5)
( φ → χ) → ((ψ → χ) → (( φ ∨ ψ) → χ)) (55.6)
φ → (ψ → φ) (55.7)
( φ → (ψ → χ)) → (( φ → ψ) → ( φ → χ)) (55.8)
⊥→φ (55.9)

Definition 55.11 (Derivability). A formula φ is derivable from Γ, written Γ ⊢

φ, if there is a derivation from Γ ending in φ.

Definition 55.12 (Theorems). A formula φ is a theorem if there is a derivation

of φ from the empty set. We write ⊢ φ if φ is a theorem and ⊬ φ if it is not.

Proposition 55.13. If Γ ⊢ φ in intuitionistic logic, Γ ⊢ φ in classical logic. In

particular, if φ is an intuitionistic theorem, it is also a classical theorem.

Proof. Every intuitionistic axiom is also a classical axiom, so every derivation

in intuitionistic logic is also a derivation in classical logic.

Problems
Problem 55.1. Give derivations in intutionistic logic of the following formu-
las:

1. (¬ φ ∨ ψ) → ( φ → ψ)

2. ¬¬¬ φ → ¬ φ

3. ¬¬( φ ∧ ψ) ↔ (¬¬ φ ∧ ¬¬ψ)

4. ¬( φ ∨ ψ) ↔ (¬ φ ∧ ¬ψ)

5. (¬ φ ∨ ¬ψ) → ¬( φ ∧ ψ)

6. ¬¬( φ ∧ ψ) → (¬¬ φ ∨ ¬¬ψ)

Release : d3a1905 (2022-12-19) 787

Chapter 56

Semantics

This chapter collects definitions for semantics for intuitionistic logic.

So far only Kripke and topological semantics are covered. There are no
examples yet, either of how models make formulas true or of proofs that
formulas are valid.

56.1 Introduction
No logic is satisfactorily described without a semantics, and intuitionistic logic
is no exception. Whereas for classical logic, the semantics based on valu-
ations is canonical, there are several competing semantics for intuitionistic
logic. None of them are completely satisfactory in the sense that they give an
intuitionistically acceptable account of the meanings of the connectives.
The semantics based on relational models, similar to the semantics for
modal logics, is perhaps the most popular one. In this semantics, proposi-
tional variables are assigned to worlds, and these worlds are related by an
accessibility relation. That relation is always a partial order, i.e., it is reflexive,
antisymmetric, and transitive.
Intuitively, you might think of these worlds as states of knowledge or “ev-
identiary situations.” A state w′ is accessible from w iff, for all we know, w′ is
a possible (future) state of knowledge, i.e., one that is compatible with what’s
known at w. Once a proposition is known, it can’t become un-known, i.e.,
whenever φ is known at w and Rww′ , φ is known at w′ as well. So “knowl-
edge” is monotonic with respect to the accessibility relation.
If we define “φ is known” as in epistemic logic as “true in all epistemic
alternatives,” then φ ∧ ψ is known at w if in all epistemic alternatives, both φ
and ψ are known. But since knowledge is monotonic and R is reflexive, that
means that φ ∧ ψ is known at w iff φ and ψ are known at w. For the same

788
56.2. RELATIONAL MODELS

reason, φ ∨ ψ is known at w iff at least one of them is known. So for ∧ and ∨,

the truth conditions of the connectives coincide with those in classical logic.
The truth conditions for the conditional, however, differ from classical
logic. φ → ψ is known at w iff at no w′ with Rww′ , φ is known without ψ
also being known. This is not the same as the condition that φ is unknown or
ψ is known at w. For if we know neither φ nor ψ at w, there might be a future
epistemic state w′ with Rww′ such that at w′ , φ is known without also coming
to know ψ.
We know ¬ φ only if there is no possible future epistemic state in which
we know φ. Here the idea is that if φ were knowable, then in some possible
future epistemic state φ becomes known. Since we can’t know ⊥, in that future
epistemic state, we would know φ but not know ⊥.
On this interpretation the principle of excluded middle fails. For there are
some φ which we don’t yet know, but which we might come to know. For
such a formula φ, both φ and ¬ φ are unknown, so φ ∨ ¬ φ is not known. But
we do know, e.g., that ¬( φ ∧ ¬ φ). For no future state in which we know both
φ and ¬ φ is possible, and we know this independently of whether or not we
know φ or ¬ φ.
Relational models are not the only available semantics for intuitionistic
logic. The topological semantics is another: here propositions are interpreted
as open sets in a topological space, and the connectives are interpreted as
operations on these sets (e.g., ∧ corresponds to intersection).

56.2 Relational models

In order to give a precise semantics for intuitionistic propositional logic, we
have to give a definition of what counts as a model relative to which we can
evaluate formulas. On the basis of such a definition it is then also possible to
define semantics notions such as validity and entailment. One such semantics
is given by relational models.

Definition 56.1. A relational model for intuitionistic propositional logic is a

triple M = ⟨W, R, V ⟩, where

1. W is a non-empty set,

2. R is a partial order (i.e., a reflexive, antisymmetric, and transitive binary

relation) on W, and

3. V is a function assigning to each propositional variable p a subset of W,

such that

4. V is monotone with respect to R, i.e., if w ∈ V ( p) and Rww′ , then w′ ∈

V ( p ).

Release : d3a1905 (2022-12-19) 789

 CHAPTER 56. SEMANTICS

Definition 56.2. We define the notion of φ being true at w in M, M, w ⊩ φ,

inductively as follows:

1. φ ≡ p: M, w ⊩ φ iff w ∈ V ( p).

2. φ ≡ ⊥: not M, w ⊩ φ.

3. φ ≡ ¬ψ: M, w ⊩ φ iff for no w′ such that Rww′ , M, w′ ⊩ ψ.

4. φ ≡ ψ ∧ χ: M, w ⊩ φ iff M, w ⊩ ψ and M, w ⊩ χ.

5. φ ≡ ψ ∨ χ: M, w ⊩ φ iff M, w ⊩ ψ or M, w ⊩ χ (or both).

6. φ ≡ ψ → χ: M, w ⊩ φ iff for every w′ such that Rww′ , not M, w′ ⊩ ψ or

M, w′ ⊩ χ (or both).

We write M, w ⊮ φ if not M, w ⊩ φ. If Γ is a set of formulas, M, w ⊩ Γ means

M, w ⊩ ψ for all ψ ∈ Γ.

Proposition 56.3. Truth at worlds is monotonic with respect to R, i.e., if M, w ⊩ φ

and Rww′ , then M, w′ ⊩ φ.

Proof. Exercise.

56.3 Semantic Notions

Definition 56.4. We say φ is true in the model M = ⟨W, R, V ⟩, M ⊩ φ, iff
M, w ⊩ φ for all w ∈ W. φ is valid, ⊨ φ, iff it is true in all models. We say
a set of formulas Γ entails φ, Γ ⊨ φ, iff for every model M and every w such
that M, w ⊩ Γ, M, w ⊩ φ.

Proposition 56.5. 1. If M, w ⊩ Γ and Γ ⊨ φ, then M, w ⊩ φ.

2. If M ⊩ Γ and Γ ⊨ φ, then M ⊩ φ.

Proof. 1. Suppose M ⊩ Γ. Since Γ ⊨ φ, we know that if M, w ⊩ Γ, then

M, w ⊩ φ. Since M, u ⊩ Γ for all every u ∈ W, M, w ⊩ Γ. Hence
M, w ⊩ φ.

2. Follows immediately from (1).

Definition 56.6. Suppose M is a relational model and w ∈ W. The restriction

Mw = ⟨Ww , Rw , Vw ⟩ of M to w is given by:

Ww = {u ∈ W : Rwu},
Rw = R ∩ (Ww )2 , and
Vw ( p) = V ( p) ∩ Ww .

790 Release : d3a1905 (2022-12-19)

56.4. TOPOLOGICAL SEMANTICS

Proposition 56.7. M, w ⊩ φ iff Mw ⊩ φ.

Proposition 56.8. Suppose for every model M such that M ⊩ Γ, M ⊩ φ. Then

Γ ⊨ φ.

Proof. Suppose that M, w ⊩ Γ. By the Proposition 56.7 applied to every ψ ∈ Γ,

we have Mw ⊩ Γ. By the assumption, we have Mw ⊩ φ. By Proposition 56.7
again, we get M, w ⊩ φ.

56.4 Topological Semantics

Another way to provide a semantics for intuitionistic logic is using the math-
ematical concept of a topology.

Definition 56.9. Let X be a set. A topology on X is a set O ⊆ ℘( X ) that satisfies

the properties below. The elements of O are called the open sets of the topology.
The set X together with O is called a topological space.

1. The empty set and the entire space are open: ∅, X ∈ O .

2. Open sets are closed under finite intersections: if U, V ∈ O then U ∩ V ∈

O
3. Open sets are closed under arbitrary unions: if Ui ∈ O for all i ∈ I, then
{Ui : i ∈ I } ∈ O .
S

We may write X for a topology if the collection of open sets can be inferred
from the context; note that, still, only after X is endowed with open sets can it
be called a topology.

Definition 56.10. A topological model of intuitionistic propositional logic is a

triple X = ⟨ X, O , V ⟩ where O is a topology on X and V is a function assigning
an open set in O to each propositional variable.
Given a topological model X, we can define [ φ]X inductively as follows:

1. [⊥]]X = ∅

2. [ p]X = V ( p)

3. [ φ ∧ ψ]X = [ φ]X ∩ [ψ]X

4. [ φ ∨ ψ]X = [ φ]X ∪ [ψ]X

5. [ φ → ψ]X = Int(( X \ [ φ]X ) ∪ [ψ]X )

Here, Int(V ) is the function that maps a set V ⊆ X to its interior, that is, the
union of all open sets it contains. In other words,
[
Int(V ) = {U : U ⊆ V and U ∈ O}.

Release : d3a1905 (2022-12-19) 791

 CHAPTER 56. SEMANTICS

Note that the interior of any set is always open, since it is a union of open
sets. Thus, [ φ]X is always an open set.
Although topological semantics is highly abstract, there are ways to think
about it that might motivate it. Suppose that the elements, or “points,” of X
are points at which statements can be evaluated. The set of all points where φ
is true is the proposition expressed by φ. Not every set of points is a potential
proposition; only the elements of O are. φ ⊨ ψ iff ψ is true at every point at
which φ is true, i.e., [ φ]X ⊆ [ψ]X , for all X. The absurd statement ⊥ is never
true, so [⊥]]X = ∅. How must the propositions expressed by ψ ∧ χ, ψ ∨ χ, and
ψ → χ be related to those expressed by ψ and χ for the intuitionistically valid
laws to hold, i.e., so that φ ⊢ ψ iff [ φ]X ⊂ [ψ]X . ⊥ ⊢ φ for any φ, and only
∅ ⊆ U for all U. Since ψ ∧ χ ⊢ ψ, [ψ ∧ χ]X ⊆ [ψ]X , and similarly [ψ ∧ χ]X ⊆
[χ]X . The largest set satisfying W ⊆ U and W ⊆ V is U ∩ V. Conversely,
ψ ⊢ ψ ∨ χ and χ ⊢ ψ ∨ χ, and so [ψ]X ⊆ [ψ ∨ χ]X and [χ]X ⊆ [ψ ∨ χ]X . The
smallest set W such that U ⊆ W and V ⊆ W is U ∪ V. The definition for
→ is tricky: φ → ψ expresses the weakest proposition that, combined with φ,
entails ψ. That φ → ψ combined with φ entails ψ is clear from ( φ → ψ) ∧ φ ⊢ ψ.
So [ φ → ψ]X should be the greatest open set such that [ φ → ψ]X ∩ [ φ]X ⊂ [ψ]X ,
leading to our definition.

Problems
Problem 56.1. Show that according to Definition 56.2, M, w ⊩ ¬ φ iff M, w ⊩
φ → ⊥.

Problem 56.2. Prove Proposition 56.3.

Problem 56.3. Prove Proposition 56.7.

792 Release : d3a1905 (2022-12-19)

Chapter 57

Soundness and Completeness

This chapter collects soundness and completeness results for propo-

sitional intuitionistic logic. It needs an introduction. The completeness
proof makes use of facts about provability that should be stated and
proved explicitly somehwere.

57.1 Soundness of Axiomatic Derivations

The soundness proof relies on the fact that all axioms are intuitionisti-
cally valid; this still needs to be proved, e.g., in the Semantics chapter.

Theorem 57.1 (Soundness). If Γ ⊢ φ, then Γ ⊨ φ.

Proof. We prove that if Γ ⊢ φ, then Γ ⊨ φ. The proof is by induction on

the number n of formulas in the derivation of φ from Γ. We show that if φ1 ,
. . . , φn = φ is a derivation from Γ, then Γ ⊨ φn . Note that if φ1 , . . . , φn is
a derivation, so is φ1 , . . . , φk for any k < n.
There are no derivations of length 0, so for n = 0 the claim holds vacuously.
So the claim holds for all derivations of length < n. We distinguish cases
according to the justification of φn .

1. φn is an axiom. All axioms are valid, so Γ ⊨ φn for any Γ.

2. φn ∈ Γ. Then for any M and w, if M, w ⊩ Γ, obviously M ⊩ Γφn [w], i.e.,

Γ ⊨ φ.

3. φn follows by MP from φi and φ j ≡ φi → φn . φ1 , . . . , φi and φ1 , . . . , φ j are

derivations from Γ, so by inductive hypothesis, Γ ⊨ φi and Γ ⊨ φi → φn .

793
 CHAPTER 57. SOUNDNESS AND COMPLETENESS

Suppose M, w ⊩ Γ. Since M, w ⊩ Γ and Γ ⊨ φi → φn , M, w ⊩ φi → φn .

By definition, this means that for all w′ such that Rww′ , if M, w′ ⊩ φi
then M, w′ ⊩ φn . Since R is reflexive, w is among the w′ such that Rww′ ,
i.e., we have that if M, w ⊩ φi then M, w ⊩ φn . Since Γ ⊨ φi , M, w ⊩ φi .
So, M, w ⊩ φn , as we wanted to show.

57.2 Soundness of Natural Deduction

We will now prove soundness of natural deduction with regards to the rela-
tional semantics, that is, showing that if a formula is derivable from a set of
assumptions then the set of assumptions entails the formula.

Theorem 57.2 (Soundness). If Γ ⊢ φ, then Γ ⊨ φ.

Proof. We prove that if Γ ⊢ φ, then Γ ⊨ φ. The proof is by induction on the

derivation of φ from Γ.

1. If the derivation consists of just the assumption φ, we have φ ⊢ φ, and

want to show that φ ⊨ φ. Suppose that M, w ⊩ φ. Then trivially M, w ⊩
φ.

2. The derivation ends in ∧Intro: Exercise.

3. The derivation ends in ∧Elim: Exercise.

4. The derivation ends in ∨Intro: Suppose the premise is ψ, and the undis-
charged assumptions of the derivation ending in ψ are Γ. Then we have
Γ ⊢ ψ and by inductive hypothesis, Γ ⊨ ψ. We have to show that
Γ ⊨ ψ ∨ χ. Suppose M, w ⊩ Γ. Since Γ ⊨ ψ, M, w ⊩ ψ. But then
also M, w ⊩ ψ ∨ χ. Similarly, if the premise is χ, we have that Γ ⊨ χ.

5. The derivation ends in ∨Elim: The derivations ending in the premises

are of ψ ∨ χ from undischarged assumptions Γ, of θ from undischarged
assumptions ∆ 1 ∪ {ψ}, and of θ from undischarged assumptions ∆ 2 ∪
{χ}. So we have Γ ⊢ ψ ∨ χ, ∆ 1 ∪ {ψ} ⊢ θ, and ∆ 2 ∪ {χ} ⊢ θ. By
induction hypothesis, Γ ⊨ ψ ∨ χ, ∆ 1 ∪ {ψ} ⊨ θ, and ∆ 2 ∪ {χ} ⊨ θ. We
have to prove that Γ ∪ ∆ 1 ∪ ∆ 2 ⊨ θ.
Suppose M, w ⊩ Γ ∪ ∆ 1 ∪ ∆ 2 . Then M, w ⊩ Γ and since Γ ⊨ ψ ∨ χ,
M, w ⊩ ψ ∨ χ. By definition of M ⊩, either M, w ⊩ ψ or M, w ⊩ χ.
So we distinguish cases: (a) M ⊩ ψ[w]. Then M, w ⊩ ∆ 1 ∪ {ψ}. Since
∆ 1 ∪ ψ ⊨ θ, we have M, w ⊩ θ. (b) M, w ⊩ χ. Then M, w ⊩ ∆ 2 ∪ {χ}.
Since ∆ 2 ∪ χ ⊨ θ, we have M, w ⊩ θ. So in either case, M, w ⊩ θ, as we
wanted to show.

794 Release : d3a1905 (2022-12-19)

57.3. LINDENBAUM’S LEMMA

6. The derivation ends with →Intro concluding ψ → χ. Then the premise

is χ, and the derivation ending in the premise has undischarged assump-
tions Γ ∪ {ψ}. So we have that Γ ∪ {ψ} ⊢ χ, and by induction hypothesis
that Γ ∪ {ψ} ⊨ χ. We have to show that Γ ⊨ ψ → χ.
Suppose M, w ⊩ Γ. We want to show that for all w′ such that Rww′ , if
M, w′ ⊩ ψ, then M, w′ ⊩ χ. So assume that Rww′ and M, w′ ⊩ ψ. By
Proposition 56.3, M, w′ ⊩ Γ. Since Γ ∪ {ψ} ⊨ χ, M, w′ ⊩ χ, which is
what we wanted to show.
7. The derivation ends in →Elim and conclusion χ. The premises are ψ → χ
and ψ, with derivations from undischarged assumptions Γ, ∆. So we
have Γ ⊢ ψ → χ and ∆ ⊢ ψ. By inductive hypothesis, Γ ⊨ ψ → χ and
∆ ⊨ ψ. We have to show that Γ ∪ ∆ ⊨ χ.
Suppose M, w ⊩ Γ ∪ ∆. Since M, w ⊩ Γ and Γ ⊨ ψ → χ, M, w ⊩ ψ → χ.
By definition, this means that for all w′ such that Rww′ , if M, w′ ⊩ ψ
then M, w′ ⊩ χ. Since R is reflexive, w is among the w′ such that Rww′ ,
i.e., we have that if M, w ⊩ ψ then M, w ⊩ χ. Since M, w ⊩ ∆ and ∆ ⊨ ψ,
M, w ⊩ ψ. So, M, w ⊩ χ, as we wanted to show.
8. The derivation ends in ⊥ I , concluding φ. The premise is ⊥ and the
undischarged assumptions of the derivation of the premise are Γ. Then
Γ ⊢ ⊥. By inductive hypothesis, Γ ⊨ ⊥. We have to show Γ ⊨ φ.
We proceed indirectly. If Γ ⊭ φ there is a model M and world w such that
M, w ⊩ Γ and M, w ⊮ φ. Since Γ ⊨ ⊥, M, w ⊩ ⊥. But that’s impossible,
since by definition, M, w ⊮ ⊥. So Γ ⊨ φ.
9. The derivation ends in ¬Intro: Exercise.
10. The derivation ends in ¬Elim: Exercise.

57.3 Lindenbaum’s Lemma

The completeness theorem for intuitionistic logic is proved by assuming Γ ⊬ φ
and constructing a model M ⊩ Γ and M ⊮ φ.
In classical logic the relation of derivability can be reduced to the notion
of consistency since a formula φ is derivable from a set of formulas iff the
set together with the negation of φ is inconsistent. This is not possible in
intuitionistic logic. In intuitionistic logic, if ¬ φ is inconsistent, we only get
that ⊢ ¬¬ φ. Since ¬¬ φ → φ does not hold intuitionistically in general, we
cannot conclude that ⊢ φ.
Thus, when constructing the model M, we will need to keep track of the
non-derivability of the formula φ and thus we will not be able to use a com-
plete set Γ ∗ ⊇ Γ to build the model M, as in every complete set Γ ∗ , we have
Γ ∗ ⊢ φ ∨ ¬ φ.

Release : d3a1905 (2022-12-19) 795

 CHAPTER 57. SOUNDNESS AND COMPLETENESS

Instead of using a complete set Γ ∗ , we will us the notion of a prime set of

formulas:

Definition 57.3. A set of formulas Γ is prime iff

1. Γ is consistent, i.e., Γ ⊬ ⊥;

2. if Γ ⊢ φ then φ ∈ Γ; and

3. if φ ∨ ψ ∈ Γ then φ ∈ Γ or ψ ∈ Γ.

Lemma 57.4 (Lindenbaum’s Lemma). If Γ ⊬ φ, there is a Γ ∗ ⊇ Γ such that Γ ∗

is prime and Γ ∗ ⊬ φ.

Proof. Let ψ1 ∨ χ1 , ψ2 ∨ χ2 , . . . , be an enumeration of all formulas of the form ψ ∨

χ. We’ll define an increasing sequence of sets of formulas Γn , where each Γn+1
is defined as Γn together with one new formula. Γ ∗ will be the union of all Γn .
The new formulas are selected so as to ensure that Γ ∗ is prime and still Γ ∗ ⊬ φ.
This means that at each step we should find the first disjunction ψi ∨ χi such
that:

1. Γn ⊢ ψi ∨ χi

2. ψi ∈
/ Γn and χi ∈
/ Γn

We add to Γn either ψi if Γn ∪ {ψi } ⊬ φ, or χi otherwise. We’ll have to show

that this works. For now, let’s define i (n) as the least i such that (1) and (2)
hold.
Define Γ0 = Γ and
(
Γn ∪ {ψi(n) } if Γn ∪ {ψi(n) } ⊬ φ
Γn+1 =
Γn ∪ {χi(n) } otherwise

If i (n) is undefined, i.e., whenever Γn ⊢ ψ ∨ χ, either ψ ∈ Γn or χ ∈ Γn , we let

Γn+1 = Γn . Now let Γ ∗ = ∞
S
n=0 Γn
First we show that for all n, Γn ⊬ φ. We proceed by induction on n. For
n = 0 the claim holds by the hypothesis of the theorem, i.e., Γ ⊬ φ. If n > 0,
we have to show that if Γn ⊬ φ then Γn+1 ⊬ φ. If i (n) is undefined, Γn+1 = Γn
and there is nothing to prove. So suppose i (n) is defined. For simplicity, let
i = i ( n ).
We’ll prove the contrapositive of the claim. Suppose Γn+1 ⊢ φ. By con-
struction, Γn+1 = Γn ∪ {ψi } if Γn ∪ {ψi } ⊬ φ, or else Γn+1 = Γn ∪ {χi }. It
clearly can’t be the first, since then Γn+1 ⊬ φ. Hence, Γn ∪ {ψi } ⊢ φ and
Γn+1 = Γn ∪ {χi }. By definition of i (n), we have that Γn ⊢ ψi ∨ χi . We have
Γn ∪ {ψi } ⊢ φ. We also have Γn+1 = Γn ∪ {χi } ⊢ φ. Hence, Γn ⊢ φ, which is
what we wanted to show.

796 Release : d3a1905 (2022-12-19)

57.4. THE CANONICAL MODEL

If Γ ∗ ⊢ φ, there would be some finite subset Γ ′ ⊆ Γ ∗ such that Γ ′ ⊢ φ. Each

θ ∈ Γ ′ must be in Γi for some i. Let n be the largest of these. Since Γi ⊆ Γn if
i ≤ n, Γ ′ ⊆ Γn . But then Γn ⊢ φ, contrary to our proof above that Γn ⊬ φ.
Lastly, we show that Γ ∗ is prime, i.e., satisfies conditions (1), (2), and (3) of
Definition 57.3.
First, Γ ∗ ⊬ φ, so Γ ∗ is consistent, so (1) holds.
We now show that if Γ ∗ ⊢ ψ ∨ χ, then either ψ ∈ Γ ∗ or χ ∈ Γ ∗ . This
proves (3), since if ψ ∨ χ ∈ Γ ∗ then also Γ ∗ ⊢ ψ ∨ χ. So assume Γ ∗ ⊢ ψ ∨ χ
but ψ ∈ / Γ ∗ and χ ∈ / Γ ∗ . Since Γ ∗ ⊢ ψ ∨ χ, Γn ⊢ ψ ∨ χ for some n. ψ ∨ χ
appears on the enumeration of all disjunctions, say, as ψj ∨ χ j . ψj ∨ χ j satisfies
the properties in the definition of i (n), namely we have Γn ⊢ ψj ∨ χ j , while
ψj ∈/ Γn and χ j ∈ / Γn . At each stage, at least one fewer disjunction ψi ∨ χi
satisfies the conditions (since at each stage we add either ψi or χi ), so at some
stage m we will have j = i (m). But then either ψ ∈ Γm+1 or χ ∈ Γm+1 , contrary
to the assumption that ψ ∈ / Γ ∗ and χ ∈/ Γ∗ .
Now suppose Γ ∗ ⊢ ψ. Then Γ ∗ ⊢ ψ ∨ ψ. But we’ve just proved that if
Γ ⊢ ψ ∨ ψ then ψ ∈ Γ ∗ . Hence, Γ ∗ satisfies (2) of Definition 57.3.
∗

57.4 The Canonical Model

The worlds in our model will be finite sequences σ of natural numbers, i.e.,
σ ∈ N∗ . Note that N∗ is inductively defined by:

1. Λ ∈ N∗ .

2. If σ ∈ N∗ and n ∈ N, then σ.n ∈ N∗ (where σ.n is σ ⌢ ⟨n⟩ and σ ⌢ σ′

is the concatenation if σ and σ′ ).

3. Nothing else is in N∗ .

So we can use N∗ to give inductive definitions.

Let ⟨ψ1 , χ1 ⟩, ⟨ψ2 , χ2 ⟩, . . . , be an enumeration of all pairs of formulas. Given
a set of formulas ∆, define ∆(σ ) by induction as follows:

1. ∆(Λ) = ∆

2. ∆(σ.n) =
(
(∆(σ) ∪ {ψn })∗ if ∆(σ ) ∪ {ψn } ⊬ χn
∆(σ ) otherwise

Here by (∆(σ ) ∪ {ψn })∗ we mean the prime set of formulas which exists by
Lemma 57.4 applied to the set ∆(σ ) ∪ {ψn } and the formula χn . Note that by
this definition, if ∆(σ ) ∪ {ψn } ⊬ χn , then ∆(σ.n) ⊢ ψn and ∆(σ.n) ⊬ χn . Note
also that ∆(σ ) ⊆ ∆(σ.n) for any n. If ∆ is prime, then ∆(σ ) is prime for all σ.

Release : d3a1905 (2022-12-19) 797

 CHAPTER 57. SOUNDNESS AND COMPLETENESS

Definition 57.5. Suppose ∆ is prime. Then the canonical model M(∆) for ∆ is
defined by:

1. W = N∗ , the set of finite sequences of natural numbers.

2. R is the partial order according to which Rσσ′ iff σ is an initial segment

of σ′ (i.e., σ′ = σ ⌢ σ′′ for some sequence σ′′ ).

3. V ( p) = {σ : p ∈ ∆(σ )}.

It is easy to verify that R is indeed a partial order. Also, the monotonic-

ity condition on V is satisfied. Since ∆(σ ) ⊆ ∆(σ.n) we get ∆(σ ) ⊆ ∆(σ′ )
whenever Rσσ′ by induction on σ.

57.5 The Truth Lemma

Lemma 57.6. If ∆ is prime, then M(∆), σ ⊩ φ iff ∆(σ ) ⊢ φ.

Proof. By induction on φ.

1. φ ≡ ⊥: Since ∆(σ) is prime, it is consistent, so ∆(σ ) ⊬ φ. By definition,

M(∆), σ ⊮ φ.

2. φ ≡ p: By definition of ⊩, M(∆), σ ⊩ φ iff σ ∈ V ( p), i.e., ∆(σ ) ⊢ φ.

3. φ ≡ ¬ψ: exercise.

4. φ ≡ ψ ∧ χ: M(∆), σ ⊩ φ iff M(∆), σ ⊩ ψ and M(∆), σ ⊩ χ. By induction

hypothesis, M(∆), σ ⊩ ψ iff ∆(σ ) ⊢ ψ, and similarly for χ. But ∆(σ ) ⊢ ψ
and ∆(σ ) ⊢ χ iff ∆(σ) ⊢ φ.

5. φ ≡ ψ ∨ χ: M(∆), σ ⊩ φ iff M(∆), σ ⊩ ψ or M(∆), σ ⊩ χ. By induction

hypothesis, this holds iff ∆(σ ) ⊢ ψ or ∆(σ ) ⊢ χ. We have to show that
this in turn holds iff ∆(σ ) ⊢ φ. The left-to-right direction is clear. The
right-to-left direction follows since ∆(σ ) is prime.

6. φ ≡ ψ → χ: First the contrapositive of the left-to-right direction: As-

sume ∆(σ ) ⊬ ψ → χ. Then also ∆(σ) ∪ {ψ} ⊬ χ. Since ⟨ψ, χ⟩ is ⟨ψn , χn ⟩
for some n, we have ∆(σ.n) = (∆(σ) ∪ {ψ})∗ , and ∆(σ.n) ⊢ ψ but
∆(σ.n) ⊬ χ. By inductive hypothesis, M(∆), σ.n ⊩ ψ and M(∆), σ.n ⊮ χ.
Since Rσ (σ.n), this means that M(∆), σ ⊮ φ.
Now assume ∆(σ ) ⊢ ψ → χ, and let Rσσ′ . Since ∆(σ ) ⊆ ∆(σ′ ), we have:
if ∆(σ′ ) ⊢ ψ, then ∆(σ′ ) ⊢ χ. In other words, for every σ′ such that Rσσ′ ,
either ∆(σ′ ) ⊬ ψ or ∆(σ′ ) ⊢ χ. By induction hypothesis, this means that
whenever Rσσ′ , either M(∆), σ′ ⊮ ψ or M(∆), σ′ ⊩ χ, i.e., M(∆), σ ⊩ φ.

798 Release : d3a1905 (2022-12-19)

57.6. THE COMPLETENESS THEOREM

57.6 The Completeness Theorem

Theorem 57.7. If Γ ⊨ φ then Γ ⊢ φ.

Proof. We prove the contrapositive: Suppose Γ ⊬ φ. Then by Lemma 57.4,

there is a prime set Γ ∗ ⊇ Γ such that Γ ∗ ⊬ φ. Consider the canonical model M( Γ ∗ )
for Γ ∗ as defined in Definition 57.5. For any ψ ∈ Γ, Γ ∗ ⊢ ψ. Note that
Γ ∗ (Λ) = Γ ∗ . By the Truth Lemma (Lemma 57.6), we have M( Γ ∗ ), Λ ⊩ ψ
for all ψ ∈ Γ and M( Γ ∗ ), Λ ⊮ φ. This shows that Γ ⊭ φ.

57.7 Decidability
Observe that the proof of the completeness theorem gives us for every Γ ⊬ φ
a model with an infinite number of worlds witnessing the fact that Γ ⊭ φ.
The following proposition shows that to prove ⊨ φ it is enough to prove that
M ⊩ φ for all finite models (i.e., models with a finite set of worlds).

Theorem 57.8. If ⊭ φ then there is a finite model M′ ⊮ φ.

Proof. Assume M = ⟨W, R, V ⟩ is such that M ⊮ φ and P is the set of propo-

sitional variables occurring in φ. Define M′ = ⟨W ′ , R′ , V ′ ⟩ by letting W ′ =
{[w] : w ∈ W } where [w] = { p ∈ P : w ∈ V ( p)}, R′ be the subset relation,
and V ′ ( p) = {[w] : p ∈ [w]}. It should be clear that W ′ is a finite set and that
M′ is a relational model.
It can be shown, by induction on φ, that

M, w ⊩ φ iff M′ , [w] ⊩ φ

for all formulas φ with only propositional variables from P. This is left as an
exercise for the reader.

From Theorem 57.8 it follows that there is an algorithm to decide whether ⊨

φ.

Problems
Problem 57.1. Complete the proof of Theorem 57.2. For the cases for ¬Intro
and ¬Elim, use the definition of M, w ⊩ ¬ φ in Definition 56.2, i.e., don’t treat
¬ φ as defined by φ → ⊥.

Problem 57.2. Show that the following formulas are not derivable in intu-
itionistic logic:

1. ( φ → ψ) ∨ (ψ → φ)

2. (¬¬ φ → φ) → ( φ ∨ ¬ φ)

Release : d3a1905 (2022-12-19) 799

 CHAPTER 57. SOUNDNESS AND COMPLETENESS

3. ( φ → ψ ∨ χ) → ( φ → ψ) ∨ ( φ → χ)

Problem 57.3. Show that if Γ ⊬ ⊥ then Γ is consistent in classical logic, i.e.,

there is a valuation making all formulas in Γ true.

Problem 57.4. Show that if φ only contains propositional variables, ∨, and ∧,

then ⊭ φ. Use this to conclude that → is not definable in intuitionistic logic
from ∨ and ∧.

Problem 57.5. By using the completeness theorem prove that if ⊢ φ ∨ ψ then

⊢ φ or ⊢ ψ. (Hint: Assume M1 ⊮ φ and M2 ⊮ ψ and contruct a new model M
such that M ⊮ φ ∨ ψ.)

Problem 57.6. Show that if M is a relational model using a linear order then
M ⊩ ( φ → ψ ) ∨ ( ψ → φ ).

Problem 57.7. Finish the proof of Theorem 57.8 by showing that M, w ⊩ φ iff
M′ , [w] ⊩ φ for all formulas φ with only propositional variables from P.

800 Release : d3a1905 (2022-12-19)

Chapter 58

Propositions as Types

This is a very experimental draft of a chapter on the Curry-Howard cor-

respondence. It needs more explanation and motivation, and there are
probably errors and omissions. The proof of normalization should be re-
viewed and expanded. There are no examples for the product type. Per-
muation and simplification conversions are not covered. It will make a
lot more sense once there is also material on the (typed) lambda calculus
which is basically presupposed here. Use with extreme caution.

58.1 Introduction
Historically the lambda calculus and intuitionistic logic were developed sepa-
rately. Haskell Curry and William Howard independently discovered a close
similarity: types in a typed lambda calculus correspond to formulas in intu-
itionistic logic in such a way that a derivation of a formula corresponds di-
rectly to a typed lambda term with that formula as its type. Moreover, beta re-
duction in the typed lambda calculus corresponds to certain transformations
of derivations.
For instance, a derivation of φ → ψ corresponds to a term λx φ . N ψ , which
has the function type φ → ψ. The inference rules of natural deduction corre-
spond to typing rules in the typed lambda calculus, e.g.,
[ φ] x

ψ x:φ ⇒ N:ψ
x →Intro λ
φ→ψ corresponds to ⇒ λx φ . N ψ : φ → ψ
where the rule on the right means that if x is of type φ and N is of type ψ, then
λx φ . N is of type φ → ψ.

801
 CHAPTER 58. PROPOSITIONS AS TYPES

The →Elim rule corresponds to the typing rule for composition terms, i.e.,

φ→ψ φ
ψ
→Elim corresponds to
⇒ P : φ→ψ ⇒ Q:φ
app
⇒ P φ → ψ φ
Q :ψ

If a →Intro rule is followed immediately by a →Elim rule, the derivation

can be simplified:

[ φ] x

φ
−
→
ψ
x →Intro
φ→ψ φ
ψ
→Elim
ψ

which corresponds to the beta reduction of lambda terms

(λx φ . Pψ ) Q −
→ P[ Q/x ].

Similar correspondences hold between the rules for ∧ and “product” types,
and between the rules for ∨ and “sum” types.
This correspondence between terms in the simply typed lambda calculus
and natural deduction derivations is called the “Curry-Howard”, or “propo-
sitions as types” correspondence. In addition to formulas (propositions) cor-
responding to types, and proofs to terms, we can summarize the correspon-
dences as follows:

logic program
proposition type
proof term
assumption variable
discharged assumption bind variable
not discharged assumption free variable
implication function type
conjunction product type
disjunction sum type
absurdity bottom type

The Curry-Howard correspondence is one of the cornerstones of auto-

mated proof assistants and type checkers for programs, since checking a proof
witnessing a proposition (as we did above) amounts to checking if a program
(term) has the declared type.

802 Release : d3a1905 (2022-12-19)

58.2. SEQUENT NATURAL DEDUCTION

58.2 Sequent Natural Deduction

Let us write Γ ⇒ φ if there is a natural deduction derivation with Γ as undis-
charged assumptions and φ as conclusion; or ⇒ φ if Γ is empty.
We write Γ, φ1 , . . . , φn for Γ ∪ { φ1 , . . . , φn }, and Γ, ∆ for Γ ∪ ∆.
Observe that when we have Γ ⇒ φ ∧ φ, meaning we have a derivation
with Γ as undischarged assumptions and φ ∧ φ as end-formula, then by ap-
plying ∧Elim at the bottom, we can get a derivation with the same undis-
charged assumptions and φ as conclusion. In other words, if Γ ⇒ φ ∧ ψ, then
Γ ⇒ φ.
Γ ⇒ φ∧ψ Γ ⇒ φ∧ψ
∧Elim ∧Elim
Γ ⇒ φ Γ ⇒ ψ

The label ∧Elim hints at the relation with the rule of the same name in natural
deduction.
Likewise, suppose we have Γ, φ ⇒ ψ, meaning we have a derivation with
undischarged assumptions Γ, φ and end-formula ψ. If we apply the →Intro
rule, we have a derivation with Γ as undischarged assumptions and φ → ψ as
the end-formula, i.e., Γ ⇒ φ → ψ. Note how this has made the discharge of
assumptions more explicit.
Γ, φ ⇒ ψ
→Intro
Γ ⇒ φ→ψ

We can draw conclusions from other rules in the same fashion, which is
spelled out as follows:

Γ ⇒ φ ∆ ⇒ ψ
∧Intro
Γ, ∆ ⇒ φ ∧ ψ
Γ ⇒ φ∧ψ Γ ⇒ φ∧ψ
∧Elim1 ∧Elim2
Γ ⇒ φ Γ ⇒ ψ
Γ ⇒ φ Γ ⇒ ψ
∨Intro1 ∨Intro2
Γ ⇒ φ∨ψ Γ ⇒ φ∨ψ
Γ ⇒ φ∨ψ ∆, φ ⇒ χ ∆′ , ψ ⇒ χ
∨Elim
Γ, ∆, ∆′ ⇒ χ
Γ, φ ⇒ ψ ∆ ⇒ φ→ψ Γ ⇒ φ
→Intro →Elim
Γ ⇒ φ→ψ Γ, ∆ ⇒ ψ
Γ ⇒ ⊥ ⊥
I
Γ ⇒ φ

Any assumption by itself is a derivation of φ from φ, i.e., we always have

φ ⇒ φ.

φ ⇒ φ

Release : d3a1905 (2022-12-19) 803

 CHAPTER 58. PROPOSITIONS AS TYPES

Together, these rules can be taken as a calculus about what natural deduc-
tion derivations exist. They can also be taken as a notational variant of natural
deduction, in which each step records not only the formula derived but also
the undischarged assumptions from which it was derived.
φ ⇒ φ
φ ⇒ φ ∨ ( φ → ⊥) ψ ⇒ ψ
φ, ψ→ ⇒ ⊥
(ψ ⇒ φ → ⊥
(ψ ⇒ φ ∨ ( φ → ⊥) (ψ ⇒ ψ
(ψ ⇒ ⊥
⇒ ψ→⊥

where ψ is short for ( φ ∨ ( φ → ⊥)) → ⊥.

58.3 Proof Terms

We give the definition of proof terms, and then establish its relation with nat-
ural deduction derivations.

Definition 58.1 (Proof terms). Proof terms are inductively generated by the
following rules:

1. A single variable x is a proof term.

2. If P and Q are proof terms, then PQ is also a proof term.

3. If x is a variable, φ is a formula, and N is a proof term, then λx φ . N is

also a proof term.

4. If P and Q are proof terms, then ⟨ P, Q⟩ is a proof term.

5. If M is a proof term, then pi ( M) is also a proof term, where i is 1 or 2.

φ
6. If M is a proof term, and φ is a formula, then ini ( M ) is a proof term,
where i is 1 or 2.

7. If M, N1 , N2 is proof terms, and x1 , x2 are variables, then case( M, x1 .N1 , x2 .N2 )

is a proof term.

8. If M is a proof term and φ is a formula, then contr φ ( M ) is proof term.

Each of the above rules corresponds to an inference rule in natural deduc-

tion. Thus we can inductively assign proof terms to the formulas in a deriva-
tion. To make this assignment unique, we must distinguish between the two
versions of ∧Elim and of ∨Intro. For instance, the proof terms assigned to
the conclusion of ∨Intro must carry the information whether φ ∨ ψ is inferred

804 Release : d3a1905 (2022-12-19)

58.4. CONVERTING DERIVATIONS TO PROOF TERMS

from φ or from ψ. Suppose M is the term assigned to φfrom which φ ∨ ψ is

φ
inferred. Then the proof term assigned to φ ∨ ψ is in1 ( M ). If we instead infer
φ
ψ ∨ φ then the proof term assigned is in2 ( M).
The term λx φ . N is assigned to the conclusion of →Intro. The φ represents
the assumption being discharged; only have we included it can we infer the
formula of λx φ . N based on the formula of N.

Definition 58.2 (Typing context). A typing context is a mapping from variables

to formulas. We will call it simply the “context” if there is no confusion. We
write a context Γ as a set of pairs ⟨ x, φ⟩.

A pair Γ ⇒ M where M is a proof term represents a derivation of a formula

with context Γ.

Definition 58.3 (Typing pair). A typing pair is a pair ⟨ Γ, M⟩, where Γ is a typ-
ing context and M is a proof term.

Since in general terms only make sense with specific contexts, we will
speak simply of “terms” from now on instead of “typing pair”; and it will
be apparent when we are talking about the literal term M.

58.4 Converting Derivations to Proof Terms

We will describe the process of converting natural deduction derivations to
pairs. We will write a proof term to the left of each formula in the derivation,
resulting in expressions of the form M : φ. We’ll then say that, M witnesses φ.
Let’s call such an expression a judgment.
First let us assign to each assumption a variable, with the following con-
straints:

1. Assumptions discharged in the same step (that is, with the same number
on the square bracket) must be assigned the same variable.

2. For assumptions not discharged, assumptions of different formulas should

be assigned different variables.

Such an assignment translates all assumptions of the form

φ into x : φ.

With assumptions all associated with variables (which are terms), we can now
inductively translate the rest of the deduction tree. The modified natural de-
duction rules taking into account context and proof terms are given below.
Given the proof terms for the premise(s), we obtain the corresponding proof
term for conclusion.

Release : d3a1905 (2022-12-19) 805

 CHAPTER 58. PROPOSITIONS AS TYPES

M1 : φ1 M2 : φ2
∧Intro
⟨ M1 , M2 ⟩ : φ1 ∧ φ2
M : φ1 ∧ φ2 M : φ1 ∧ φ2
∧Elim1 ∧Elim2
pi ( M ) : φ 1 pi ( M ) : φ 2
In ∧Intro we assume we have φ1 witnessed by term M1 and φ2 witnessed
by term M2 . We pack up the two terms into a pair ⟨ M1 , M2 ⟩ which witnesses
φ1 ∧ φ2 .
In ∧Elimi we assume that M witnesses φ1 ∧ φ2 . The term witnessing φi
is pi ( M). Note that M is not necessary of the form ⟨ M1 , M2 ⟩, so we cannot
simply assign M1 to the conclusion φi .
Note how this coincides with the BHK interpretation. What the BHK in-
terpretation does not specify is how the function used as proof for φ → ψ is
supposed to be obtained. If we think of proof terms as proofs or functions of
proofs, we can be more explicit.
[ x : φ]

P : φ→ψ Q:φ
→Elim
PQ : ψ
N:ψ
→Intro
λx φ . N : φ → ψ
The λ notation should be understood as the same as in the lambda calculus,
and PQ means applying P to Q.

M1 : φ1 M2 : φ2
φ1 ∨Intro1 φ2 ∨Intro2
in1 ( M1 ) : φ1 ∨ φ2 in2 ( M2 ) : φ1 ∨ φ2
[ x1 : φ1 ] [ x2 : φ2 ]

M : A1 ∨ φ2 N1 : χ N2 : χ
∨Elim
case( M, x1 .N1 , x2 .N2 ) : χ
φ
The proof term in1 1 ( M1 ) is a term witnessing φ1 ∨ φ2 , where M1 witnesses
φ1 .
The term case( M, x1 .N1 , x2 .N2 ) mimics the case clause in programming
languages: we already have the derivation of φ ∨ ψ, a derivation of χ assum-
ing φ, and a derivation of χ assuming ψ. The case operator thus select the
appropriate proof depending on M; either way it’s a proof of χ.

N:⊥ ⊥I
contr φ ( N ) : φ

806 Release : d3a1905 (2022-12-19)

58.4. CONVERTING DERIVATIONS TO PROOF TERMS

contr φ ( N ) is a term witnessing φ, whenever N is a term witnessing ⊥.

Now we have a natural deduction derivation with all formulas associated
with a term. At each step, the relevant typing context Γ is given by the list of
assumptions remaining undischarged at that step. Note that Γ is well defined:
since we have forbidden assumptions of different undischarged assumptions
to be assigned the same variable, there won’t be any disagreement about the
formulas mapped to which a variable is mapped.
We now give some examples of such translations:
Consider the derivation of ¬¬( φ ∨ ¬ φ), i.e., (( φ ∨ ( φ → ⊥)) → ⊥) → ⊥.
Its translation is:

[ x : φ ]1
φ→⊥
[y : ( φ ∨ ( φ → ⊥)) → ⊥]2 in1 ( x ) : φ ∨ ( φ → ⊥)
φ→⊥
y(in1 ( x )) : ⊥
1
φ→⊥
φ
λx . y(in1 ( x )) : φ → ⊥
φ φ→⊥
[y : ( φ ∨ ( φ → ⊥)) → ⊥]2 in2 (λx φ . y(in1 ( x ))) : φ ∨ ( φ → ⊥)
φ φ →⊥
y(in2 (λx φ . yin1 ( x ))) : ⊥
2
→⊥
λy( φ∨( φ→⊥))→⊥ . y(in2 (λx φ . yin1
φ φ
( x ))) : (( φ ∨ ( φ → ⊥)) → ⊥) → ⊥
The tree has no assumptions, so the context is empty; we get:
φ→⊥
⊢ λy( φ∨( φ→⊥))→⊥ . y(in2 (λx φ . yin1
φ
( x ))) : (( φ ∨ ( φ → ⊥)) → ⊥) → ⊥
If we leave out the last →Intro, the assumptions denoted by y would be in the
context and we would get:
φ φ→⊥
y : (( φ ∨ ( φ → ⊥)) → ⊥) ⊢ y(in2 (λx φ . yin1 ( x ))) : ⊥
Another example: ⊢ φ → ( φ → ⊥) → ⊥

[ x : φ ]2 [y : φ → ⊥]1
yx : ⊥
1
λy φ→⊥ . yx : ( φ → ⊥) → ⊥
2
λx φ . λy φ→⊥ . yx : φ → ( φ → ⊥) → ⊥
Again all assumptions are discharged and thus the context is empty, the re-
sulting term is
⊢ λx φ . λy φ→⊥ . yx : φ → ( φ → ⊥) → ⊥
If we leave out the last two →Intro inferences, the assumptions denoted by
both x and y would be in context and we would get
x : φ, y : φ → ⊥ ⊢ yx : ⊥

Release : d3a1905 (2022-12-19) 807

 CHAPTER 58. PROPOSITIONS AS TYPES

58.5 Recovering Derivations from Proof Terms

Now let us consider the other direction: translating terms back to natural de-
duction trees. We will use still use the double refutation of the excluded mid-
dle as example, and let S denote this term, i.e.,
φ→⊥
λy( φ∨( φ→⊥))→⊥ . y(in2 (λx φ . yin1
φ
( x ))) : (( φ ∨ ( φ → ⊥)) → ⊥) → ⊥

For each natural deduction rule, the term in the conclusion is always formed
by wrapping some operator around the terms assigned to the premise(s). Rules
correspond uniquely to such operators. For example, from the structure of
the S we infer that the last rule applied must be →Intro, since it is of the form
λy... . . . ., and the λ operator corresponds to →Intro. In general we can recover
the skeleton of the derivation solely by the structure of the term, e.g.,

[ x ]1
φ→⊥
∨Intro1
[ y : ]2 in1 (x) :
φ→⊥
→Elim
y(in1 ( x )) :
1
φ→⊥
→Intro
λx φ . y(in1 ( x )) :
φ φ→⊥
∨Intro2
[ y : ]2 in2 (λx φ . yin1 ( x )) :
φ φ→⊥
→Elim
y(in2 (λx φ . yin1 ( x ))) :
2
φ→⊥
→Intro
λy( φ∨( φ→⊥))→⊥ . y(in2 (λx φ . y(in1
φ
( x )))) :

Our next step is to recover the formulas these terms witness. We define a
function F ( Γ, M) which denotes the formula witnessed by M in context Γ, by
induction on M as follows:

F ( Γ, x ) = Γ ( x )
F ( Γ, ⟨ N1 , N2 ⟩ = F ( Γ, N1 ) ∧ F ( Γ, N2 )
F ( Γ, pi ( N ) = φi if F ( Γ, N ) = φ1 ∧ φ2
(
φ F ( N ) ∨ φ if i = 1
F ( Γ, ini ( N ) =
φ ∨ F ( N ) if i = 2
F ( Γ, case( M, x1 .N1 , x2 .N2 )) = F ( Γ ∪ { xi : F ( Γ, M)}, Ni )
F ( Γ, λx φ . N ) = φ → F ( Γ ∪ { x : φ}, N )
F ( Γ, N M ) = ψ if F ( Γ, N ) = φ → ψ

where Γ ( x ) means the formula mapped to by x in Γ and Γ ∪ { x : φ} is a

context exactly as Γ except mapping x to φ, whether or not x is already in Γ.
Note there are cases where F ( Γ, M) is not defined, for example:

1. In the first line, it is possible that x is not in Γ.

808 Release : d3a1905 (2022-12-19)

58.5. RECOVERING DERIVATIONS FROM PROOF TERMS

2. In recursive cases, the inner invocation may be undefined, making the

outer one undefined too.

3. In the third line, its only defined when F ( Γ, M) is of the form φ1 ∨ φ2 ,

and the right hand is independent on i.

As we recursively compute F ( Γ, M), we work our way up the natural

deduction derivation. The every step in the computation of F ( Γ, M ) corre-
sponds to a term in the derivation to which the derivation-to-term translation
assigns M, and the formula computed is the end-formula of the derivation.
However, the result may not be defined for some choices of Γ. We say that
such pairs ⟨ Γ, M ⟩ are ill-typed, and otherwise well-typed. However, if the term
M results from translating a derivation, and the formulas in Γ correspond to
the undischarged assumptions of the derivation, the pair ⟨ Γ, M ⟩ will be well-
typed.

Proposition 58.4. If D is a derivation with undischarged assumptions φ1 , . . . , φn ,

M is the proof term associated with D and Γ = { x1 : φ1 , . . . , xn : φn }, then the
result of recovering derivation from M in context Γ is D.

In the other direction, if we first translate a typing pair to natural deduction

and then translate it back, we won’t get the same pair back since the choice of
variables for the undischarged assumptions is underdetermined. For exam-
ple, consider the pair ⟨{ x : φ, y : φ → ψ}, yx ⟩. The corresponding derivation
is

φ→ψ φ
ψ
→Elim

By assigning different variables to the undischarged assumptions, say, u to

φ → ψ and v to φ, we would get the term uv rather than yx. There is a connec-
tion, though: the terms will be the same up to renaming of variables.
Now we have established the correspondence between typing pairs and
natural deduction, we can prove theorems for typing pairs and transfer the
result to natural deduction derivations.
Similar to what we did in the natural deduction section, we can make some
observations here too. Let Γ ⊢ M : φ denote that there is a pair ( Γ, M ) wit-
nessing the formula φ. Then always Γ ⊢ x : φ if x : φ ∈ Γ, and the following
rules are valid:

Release : d3a1905 (2022-12-19) 809

 CHAPTER 58. PROPOSITIONS AS TYPES

Γ ⊢ M1 : φ1 ∆ ⊢ M2 : φ2 Γ ⊢ M : φ1 ∧ φ2
∧Intro ∧Elimi
Γ, ∆ ⊢ ⟨ M1 , M2 ⟩ : φ1 ∧ φ2 Γ ⊢ pi ( M ) : φ i
Γ ⊢ M1 : φ1 Γ ⊢ M2 : φ2
φ2 ∨Intro1 φ ∨Intro2
Γ ⊢ in1 ( M ) : φ1 ∨ φ2 Γ ⊢ in2 1 ( M ) : φ1 ∨ φ2
Γ ⊢ M : φ∨ψ ∆ 1 , x1 : φ1 ⊢ N1 : χ ∆ 2 , x2 : φ2 ⊢ N2 : χ
′ ∨Elim
Γ, ∆, ∆ ⊢ case( M, x1 .N1 , x2 .N2 ) : χ
Γ, x : φ ⊢ N : ψ Γ⊢Q:φ ∆⊢ P : φ→ψ
→Intro →Elim
Γ ⊢ λx φ . N : φ → ψ Γ, ∆ ⊢ PQ : ψ
Γ⊢M:⊥
⊥Elim
Γ ⊢ contr φ ( M ) : φ

These are the typing rules of the simply typed lambda calculus extended
with product, sum and bottom.
In addition, the F ( Γ, M ) is actually a type checking algorithm; it returns
the type of the term with respect to the context, or is undefined if the term is
ill-typed with respect to the context.

58.6 Reduction

In natural deduction derivations, an introduction rule that is followed by an

elimination rule is redundant. For instance, the derivation

φ φ→ψ
ψ
→Elim [χ]
∧Intro
ψ∧χ
ψ
∧Elim
→Intro
χ→ψ

can be replaced with the simpler derivation:

φ φ→ψ
ψ
→Elim
→Intro
χ→ψ

As we see, an ∧Intro followed by ∧Elim “cancel out.” In general, we see

that the conclusion of ∧Elim is always the formula on one side of the conjunc-
tion, and the premises of ∧Intro requires both sides of the conjunction, thus if
we need a derivation of either side, we can simply use that derivation without
introducing the conjunction followed by eliminating it.

810 Release : d3a1905 (2022-12-19)

58.6. REDUCTION

Thus in general we have

D1 D2
φ1 φ2
∧Intro Di
φ1 ∧ φ2
φi ∧ Elim i −
→ φi

The − → symbol has a similar meaning as in the lambda calculus, i.e., a

single step of a reduction. In the proof term syntax for derivations, the above
reduction rule thus becomes:
φ φ
( Γ, pi ⟨ M1 1 , M2 2 ⟩) −
→ ( Γ, Mi )

In the typed lambda calculus, this is the beta reduction rule for the product
type.
Note the type annotation on M1 and M2 : while in the standard term syntax
only λx φ . N has such notion, we reuse the notation here to remind us of the
formula the term is associated with in the corresponding natural deduction
derivation, to reveal the correspondence between the two kinds of syntax.
In natural deduction, a pair of inferences such as those on the left, i.e., a
pair that is subject to cancelling is called a cut. In the typed lambda calculus
the term on the left of −→ is called a redex, and the term to the right is called
the reductum. Unlike untyped lambda calculus, where only (λx. N ) Q is con-
sidered to be redex, in the typed lambda calculus the syntax is extended to
φ
terms involving ⟨ N, M ⟩, pi ( N ), ini ( N ), case( N, x1 .M1 , x2 .M2 ), and contr N (),
with corresponding redexes.
Similarly we have reduction for disjunction:

D
[ φ1 ] u [ φ2 ] u
D φi
D1 D2
φi
Di
φ1 ∨ φ2 ∨Intro χ χ
u
χ ∨Elim −
→ χ

This corresponds to a reduction on proof terms:

φ φ φ φ
( Γ, case(ini i ( M φi ), x1 1 .N1χ , x2 2 .N2χ )) −
→ ( Γ, Niχ [ M φi /xi i ])

This is the beta reduction rule of for sum types. Here, M[ N/x ] means replac-
ing all assumptions denoted by variable x in M with N,
It would be nice if we pass the context Γ to the substitution function so that
it can check if the substitution makes sense. For example, xy[ ab/y] does not
make sense under the context { x : φ → θ, y : φ, a : ψ → χ, b : ψ} since then we

Release : d3a1905 (2022-12-19) 811

 CHAPTER 58. PROPOSITIONS AS TYPES

would be substituting a derivation of χ where a derivation of φ is expected.

However, as long as our usage of substitution is careful enough to avoid such
errors, we won’t have to worry about such conflicts. Thus we can define it
recursively as we did for untyped lambda calculus as if we are dealing with
untyped terms.
Finally, the reduction of the function type corresponds to removal of a de-
tour of a →Intro followd by a →Elim.

[ φ]u
D′
D φ
ψ D′
u →Intro D
φ→ψ φ
ψ
→Elim −
→ ψ

For proof terms, this amounts to ordinary beta reduction:

( Γ, (λx φ . N ψ ) Q φ ) −
→ ( Γ, N ψ [ Q φ /x φ ])
Absurdity has only an elimination rule and no introduction rule, thus there
is no such reduction for it.
Note that the above notion of reduction concerns only deductions with a
cut at the end of a derivation. We would of course like to extend it to reduction
of cuts anywhere in a derivation, or reductions of subterms of proof terms
which constitute redexes. Note that, however, the conclusion of the reduction
does not change after reduction, thus we are free to continue applying rules
to both sides of −→. The resulting pairs of trees constitutes an extended notion
of reduction; it is analogous to compatibility in the untyped lambda calculus.
It’s easy to see that the context Γ does not change during the reduction
(both the original and the extended version), thus it’s unnecessary to men-
tion the context when we are discussing reductions. In what follows we will
assume that every term is accompanied by a context which does no change
during reduction. We then say “proof term” when we mean a proof term ac-
companied by a context which makes it well-typed.
As in lambda calculus, the notion of normal-form term and normal deduc-
tion is given:
Definition 58.5. A proof term with no redex is said to be in normal form; like-
wise, a derivation without cuts is a normal derivation. A proof term is in normal
form if and only if its counterpart derivation is normal.

58.7 Normalization
In this section we prove that, via some reduction order, any deduction can
be reduced to a normal deduction, which is called the normalization property.

812 Release : d3a1905 (2022-12-19)

58.7. NORMALIZATION

We will make use of the propositions-as-types correspondence: we show that

every proof term can be reduced to a normal form; normalization for natural
deduction derivations then follows.
Firstly we define some functions that measure the complexity of terms.
The length len( φ) of a formulas is defined by

len( p) = 0
len( φ ∧ ψ) = len( φ) + len(ψ) + 1
len( φ ∨ ψ) = len( φ) + len(ψ) + 1
len( φ → ψ) = len( φ) + len(ψ) + 1.

The complexity of a redex M is measured by its cut rank cr( M):

cr((λx φ . N ψ ) Q) = len( φ) + len(ψ) + 1

cr(pi (⟨ M φ , N ψ ⟩)) = len( φ) + len(ψ) + 1
φ φ χ φ χ
cr(case(ini i ( M φi ), x1 1 .N1 , x2 2 .N2 )) = len( φ) + len(ψ) + 1

The complexity of a proof term is measured by the most complex redex in it,
and 0 if it is normal:

mr( M ) = max{cr( N )| N is a sub term of M and is redex}

Lemma 58.6. If M [ N φ /x φ ] is a redex and M ̸≡ x, then one of the following cases

holds:
1. M is itself a redex, or

2. M is of the form pi ( x ), and N is of the form ⟨ P1 , P2 ⟩

3. M is of the form case(i, x1 .P1 , x2 .P2 ), and N is of the form ini ( Q)

4. M is of the form xQ, and N is of the form λx. P

In the first case, cr( M [ N/x ]) = cr( M); in the other cases, cr( M [ N/x ]) = len( φ)).

Proof. Proof by induction on M.

1. If M is a single variable y and y ̸≡ x, then y[ N/x ] is y, hence not a redex.
φ
2. If M is of the form ⟨ N1 , N2 ⟩, or λx. N, or ini ( N ), then M [ N φ /x φ ] is also
of that form, and so is not a redex.

3. If M is of the form pi ( P), we consider two cases.

a) If P is of the form ⟨ P1 , P2 ⟩, then M ≡ pi (⟨ P1 , P2 ⟩) is a redex, and

clearly
M[ N/x ] ≡ pi (⟨ P1 [ N/x ], P2 [ N/x ]⟩)
is also a redex. The cut ranks are equal.

Release : d3a1905 (2022-12-19) 813

 CHAPTER 58. PROPOSITIONS AS TYPES

b) If P is a single variable, it must be x to make the substitution a

redex, and N must be of the form ⟨ P1 , P2 ⟩. Now consider

M [ N/x ] ≡ pi ( x )[⟨ P1 , P2 ⟩/x ],

which is pi (⟨ P1 , P2 ⟩). Its cut rank is equal to cr( x ), which is len( φ).
The cases of case( N, x1 .N1 , x2 .N2 ) and PQ are similar.

Lemma 58.7. If M contracts to M′ , and cr( M ) > cr( N ) for all proper redex sub-
terms N of M, then cr( M ) > mr( M′ ).

Proof. Proof by cases.

1. If M is of the form pi (⟨ M1 , M2 ⟩), then M′ is Mi ; since any sub-term of
Mi is also proper sub-term of M, the claim holds.
2. If M is of the form (λx φ . N ) Q φ , then M′ is N [ Q φ /x φ ]. Consider a redex
in M′ . Either there is corresponding redex in N with equal cut rank,
which is less than cr( M ) by assumption, or the cut rank equals len( φ),
which by definition is less than cr((λx φ . N ) Q).
3. If M is of the form
φ χ φ χ
case(ini ( N φi ), x1 1 .N1 , x2 2 .N2 ),

then M′ ≡ Ni [ N/xi i ]. Consider a redex in M′ . Either there is corre-

φ

sponding redex in Ni with equal cut rank, which is less than cr( M ) by
assumption; or the cut rank equals len( φi ), which by definition is less
φ χ φ χ
than cr(case(ini ( N φi ), x1 1 .N1 , x2 2 .N2 )).

Theorem 58.8. All proof terms reduce to normal form; all derivations reduce to nor-
mal derivations.

Proof. The second follows from the first. We prove the first by complete in-
duction on m = mr( M), where M is a proof term.
1. If m = 0, M is already normal.
2. Otherwise, we proceed by induction on n, the number of redexes in M
with cut rank equal to m.
a) If n = 1, select any redex N such that m = cr( N ) > cr( P) for any
proper sub-term P which is also a redex of course. Such a redex
must exist, since any term only has finitely many subterms.
Let N ′ denote the reductum of N. Now by the lemma mr( N ′ ) <
mr( N ), thus we can see that n, the number of redexes with cr(=)m
is decreased. So m is decreased (by 1 or more), and we can apply
the inductive hypothesis for m.

814 Release : d3a1905 (2022-12-19)

58.7. NORMALIZATION

b) For the induction step, assume n > 1. the process is similar, except
that n is only decreased to a positive number and thus m does not
change. We simply apply the induction hypothesis for n.

The normalization of terms is actually not specific to the reduction order

we chose. In fact, one can prove that regardless of the order in which redexes
are reduced, the term always reduces to a normal form. This property is called
strong normalization.

Release : d3a1905 (2022-12-19) 815

 Part XIII

Counterfactuals

816
Chapter 59

Introduction

59.1 The Material Conditional

In its simplest form in English, a conditional is a sentence of the form “If

. . . then . . . ,” where the . . . are themselves sentences, such as “If the butler
did it, then the gardener is innocent.” In introductory logic courses, we earn to
symbolize conditionals using the → connective: symbolize the parts indicated
by . . . , e.g., by formulas φ and ψ, and the entire conditional is symbolized by
φ → ψ.
The connective → is truth-functional, i.e., the truth value—T or F—of φ →
ψ is determined by the truth values of φ and ψ: φ → ψ is true iff φ is false
or ψ is true, and false otherwise. Relative to a truth value assignment v, we
define v ⊨ φ → ψ iff v ⊭ φ or v ⊨ ψ. The connective → with this semantics is
called the material conditional.
This definition results in a number of elementary logical facts. First of all,
the deduction theorem holds for the material conditional:

If Γ, φ ⊨ ψ then Γ ⊨ φ → ψ (59.1)

It is truth-functional: φ → ψ and ¬ φ ∨ ψ are equivalent:

φ → ψ ⊨ ¬φ ∨ ψ (59.2)
¬φ ∨ ψ ⊨ φ → ψ (59.3)

A material conditional is entailed by its consequent and by the negation of its

antecedent:

ψ ⊨ φ→ψ (59.4)
¬φ ⊨ φ → ψ (59.5)

817
 CHAPTER 59. INTRODUCTION

A false material conditional is equivalent to the conjunction of its antecedent

and the negation of its consequent: if φ → ψ is false, φ ∧ ¬ψ is true, and vice
versa:

¬( φ → ψ) ⊨ φ ∧ ¬ψ (59.6)
φ ∧ ¬ψ ⊨ ¬( φ → ψ) (59.7)

The material conditional supports modus ponens:

φ, φ → ψ ⊨ ψ (59.8)

The material conditional agglomerates:

φ → ψ, φ → χ ⊨ φ → (ψ ∧ χ) (59.9)

We can always strengthen the antecedent, i.e., the conditional is monotonic:

φ → ψ ⊨ ( φ ∧ χ) → ψ (59.10)

The material conditional is transitive, i.e., the chain rule is valid:

φ → ψ, ψ → χ ⊨ φ → χ (59.11)

The material conditional is equivalent to its contrapositive:

φ → ψ ⊨ ¬ψ → ¬ φ (59.12)
¬ψ → ¬ φ ⊨ φ → ψ (59.13)

These are all useful and unproblematic inferences in mathematical rea-

soning. However, the philosophical and linguistic literature is replete with
purported counterexamples to the equivalent inferences in non-mathematical
contexts. These suggest that the material conditional → is not—or at least
not always—the appropriate connective to use when symbolizing English “if
. . . then . . . ” statements.

59.2 Paradoxes of the Material Conditional

One of the first to criticize the use of φ → ψ as a way to symbolize “if . . . then
. . . ” statements of English was C. I. Lewis. Lewis was criticizing the use of
the material condition in Whitehead and Russell’s Principia Mathematica, who
pronounced → as “implies.” Lewis rightly complained that if → meant “im-
plies,” then any false proposition p implies that p implies q, since p → ( p → q)
is true if p is false, and that any true proposition q implies that p implies q,
since q → ( p → q) is true if q is true.

818 Release : d3a1905 (2022-12-19)

59.3. THE STRICT CONDITIONAL

Logicians of course know that implication, i.e., logical entailment, is not

a connective but a relation between formulas or statements. So we should
just not read → as “implies” to avoid confusion.1 As long as we don’t, the
particular worry that Lewis had simply does not arise: p does not “imply” q
even if we think of p as standing for a false English sentence. To determine
if p ⊨ q we must consider all valuations, and p ⊭ q even when we use p to
symbolize a sentence which happens to be false.
But there is still something odd about “if . . . then. . . ” statements such as
Lewis’s

If the moon is made of green cheese, then 2 + 2 = 4.

and about the inferences

The moon is not made of green cheese. Therefore, if the moon is

made of green cheese, then 2 + 2 = 4.

2 + 2 = 4. Therefore, if the moon is made of green cheese, then

2 + 2 = 4.

Yet, if “if . . . then . . . ” were just →, the sentence would be unproblematically

true, and the inferences unproblematically valid.
Another example of concerns the tautology ( φ → ψ) ∨ (ψ → φ). This would
suggest that if you take two indicative sentences S and T from the newspaper
at random, the sentence “If S then T, or if T then S” should be true.

59.3 The Strict Conditional

Lewis introduced the strict conditional J and argued that it, not the material
conditional, corresponds to implication. In alethic modal logic, φ J ψ can
be defined as □( φ → ψ). A strict conditional is thus true (at a world) iff the
corresponding material conditional is necessary.
How does the strict conditional fare vis-a-vis the paradoxes of the material
conditional? A strict conditional with a false antecedent and one with a true
consequent, may be true, or it may be false. Moreover, ( φ J ψ) ∨ (ψ J φ) is
not valid. The strict conditional φ J ψ is also not equivalent to ¬ φ ∨ ψ, so it is
not truth functional.

1 Reading “→” as “implies” is still widely practised by mathematicians and computer scien-

tists, although philosophers try to avoid the confusions Lewis highlighted by pronouncing it as
“only if.”

Release : d3a1905 (2022-12-19) 819

 CHAPTER 59. INTRODUCTION

We have:
φ J ψ ⊨ ¬ φ ∨ ψ but: (59.14)
¬φ ∨ ψ ⊭ φ J ψ (59.15)
ψ⊭ φJψ (59.16)
¬φ ⊭ φ J ψ (59.17)
¬( φ → ψ) ⊭ φ ∧ ¬ψ but: (59.18)
φ ∧ ¬ψ ⊨ ¬( φ J ψ) (59.19)

However, the strict conditional still supports modus ponens:

φ, φ J ψ ⊨ ψ (59.20)

The strict conditional agglomerates:

φ J ψ, φ J χ ⊨ φ J (ψ ∧ χ) (59.21)

Antecedent strengthening holds for the strict conditional:

φ J ψ ⊨ ( φ ∧ χ) J ψ (59.22)

The strict conditional is also transitive:

φ J ψ, ψ J χ ⊨ φ J χ (59.23)

Finally, the strict conditional is equivalent to its contrapositive:

φ J ψ ⊨ ¬ψ J ¬ φ (59.24)
¬ψ J ¬ φ ⊨ φ J ψ (59.25)
However, the strict conditional still has its own “paradoxes.” Just as a ma-
terial conditional with a false antecedent or a true consequent is true, a strict
conditional with a necessarily false antecedent or a necessarily true consequent
is true. Moreover, any true strict conditional is necessarily true, and any false
strict conditional is necessarily false. In other words, we have
□¬ φ ⊨ φ J ψ (59.26)
□ψ ⊨ φ J ψ (59.27)
φ J ψ ⊨ □( φ J ψ ) (59.28)
¬( φ J ψ) ⊨ □¬( φ J ψ) (59.29)
These are not problems if you think of J as “implies.” Logical entailment rela-
tionships are, after all, mathematical facts and so can’t be contingent. But they
do raise issues if you want to use J as a logical connective that is supposed to
capture “if . . . then . . . ,” especially the last two. For surely there are “if . . . then
. . . ” statements that are contingently true or contingently false—in fact, they
generally are neither necessary nor impossible.

820 Release : d3a1905 (2022-12-19)

59.4. COUNTERFACTUALS

59.4 Counterfactuals
A very common and important form of “if . . . then . . . ” constructions in En-
glish are built using the past subjunctive form of to be: “if it were the case that
. . . then it would be the case that . . . ” Because usually the antecedent of such
a conditional is false, i.e., counter to fact, they are called counterfactual con-
ditionals (and because they use the subjunctive form of to be, also subjunctive
conditionals. They are distinguished from indicative conditionals which take
the form of “if it is the case that . . . then it is the case that . . . ” Counterfac-
tual and indicative conditionals differ in truth conditions. Consider Adams’s
famous example:

If Oswald didn’t kill Kennedy, someone else did.

If Oswald hadn’t killed Kennedy, someone else would have.

The first is indicative, the second counterfactual. The first is clearly true: we
know President John F. Kennedy was killed by someone, and if that someone
wasn’t (contrary to the Warren Report) Lee Harvey Oswald, then someone
else killed Kennedy. The second one says something different. It claims that
if Oswald hadn’t killed Kennedy, i.e., if the Dallas shooting had been avoided
or had been unsuccessful, history would have subsequently unfolded in such
a way that another assassination would have been successful. In order for it
to be true, it would have to be the case that powerful forces had conspired to
ensure JFK’s death (as many JFK conspiracy theorists believe).
It is a live debate whether the indicative conditional is correctly captured
by the material conditional, in particular, whether the paradoxes of the ma-
terial conditional can be “explained” in a way that is compatible with it giv-
ing the truth conditions for English indicative conditionals. By contrast, it
is uncontroversial that counterfactual conditionals cannot be symbolized cor-
rectly by the material conditionals. That is clear because, even though gener-
ally the antecedents of counterfactuals are false, not all counterfactuals with
false antecedents are true—for instance, if you believe the Warren Report, and
there was no conspiracy to assassinate JFK, then Adams’s counterfactual con-
ditional is an example.
Counterfactual conditionals play an important role in causal reasoning: a
prime example of the use of counterfactuals is to express causal relationships.
E.g., striking a match causes it to light, and you can express this by saying
“if this match were struck, it would light.” Material, and generally indicative
conditionals, cannot be used to express this: “the match is struck → the match
lights” is true if the match is never struck, regardless of what would happen
if it were. Even worse, “the match is struck → the match turns into a bouquet
of flowers” is also true if it is never struck, but the match would certainly not
turn into a bouquet of flowers if it were struck.

Release : d3a1905 (2022-12-19) 821

 CHAPTER 59. INTRODUCTION

It is still debated What exactly the correct logic of counterfactuals is. An

influential analysis of counterfactuals was given by Stalnaker and Lewis. Ac-
cording to them, a counterfactual “if it were the case that S then it would be
the case that T” is true iff T is true in the counterfactual situation (“possible
world”) that is closest to the way the actual world is and where S is true. This
is called an “ontic” analysis, since it makes reference to an ontology of possi-
ble worlds. Other analyses make use of conditional probabilities or theories
of belief revision. There is a proliferation of different proposed logics of coun-
terfactuals. There isn’t even a single Lewis-Stalnaker logic of counterfactuals:
even though Stalnaker and Lewis proposed accounts along similar lines with
reference to closest possible worlds, the assumptions they made result in dif-
ferent valid inferences.

Problems
Problem 59.1. Give S5-counterexamples to the entailment relations which do
not hold for the strict conditional, i.e., for:

1. ¬ p ⊭ □( p → q)

2. q ⊭ □( p → q)

3. ¬□( p → q) ⊭ p ∧ ¬q

4. ⊭ □( p → q) ∨ □(q → p)

Problem 59.2. Show that the valid entailment relations hold for the strict con-
ditional by giving S5-proofs of:

1. □( φ → ψ) ⊨ ¬ φ ∨ ψ

2. φ ∧ ¬ψ ⊨ ¬□( φ → ψ)

3. φ, □( φ → ψ) ⊨ ψ

4. □( φ → ψ), □( φ → χ) ⊨ □( φ → (ψ ∧ χ))

5. □( φ → ψ) ⊨ □(( φ ∧ χ) → ψ)

6. □( φ → ψ), □(ψ → χ) ⊨ □( φ → χ)

7. □( φ → ψ) ⊨ □(¬ψ → ¬ φ)

8. □(¬ψ → ¬ φ) ⊨ □( φ → ψ)

Problem 59.3. Give proofs in S5 of:

1. □¬ψ ⊨ φ J ψ

822 Release : d3a1905 (2022-12-19)

59.4. COUNTERFACTUALS

2. φ J ψ ⊨ □( φ J ψ)

3. ¬( φ J ψ) ⊨ □¬( φ J ψ)

Use the definition of J to do so.

Release : d3a1905 (2022-12-19) 823

Chapter 60

Minimal Change Semantics

60.1 Introduction
Stalnaker and Lewis proposed accounts of counterfactual conditionals such
as “If the match were struck, it would light.” Their accounts were propos-
als for how to properly understand the truth conditions for such sentences.
The idea behind both proposals is this: to evaluate whether a counterfactual
conditional is true, we have to consider those possible worlds which are min-
imally different from the way the world actually is to make the antecedent
true. If the consequent is true in these possible worlds, then the counterfac-
tual is true. For instance, suppose I hold a match and a matchbook in my
hand. In the actual world I only look at them and ponder what would hap-
pen if I were to strike the match. The minimal change from the actual world
where I strike the match is that where I decide to act and strike the match. It
is minimal in that nothing else changes: I don’t also jump in the air, striking
the match doesn’t also light my hair on fire, I don’t suddenly lose all strength
in my fingers, I am not simultaneously doused with water in a SuperSoaker
ambush, etc. In that alternative possibility, the match lights. Hence, it’s true
that if I were to strike the match, it would light.
This intuitive account can be paired with formal semantics for logics of
counterfactuals. Lewis introduced the symbol “€” for the counterfactual
while Stalnaker used the symbol “>”. We’ll use €, and add it as a binary
connective to propositional logic. So, we have, in addition to formulas of the
form φ → ψ also formulas of the form φ € ψ. The formal semantics, like the
relational semantics for modal logic, is based on models in which formulas are
evaluated at worlds, and the satisfaction condition defining M, w ⊩ φ € ψ is
given in terms of M, w′ ⊩ φ and M, w′ ⊩ ψ for some (other) worlds w′ . Which
w′ ? Intuitively, the one(s) closest to w for which it holds that M, w′ ⊩ φ. This
requires that a relation of “closeness” has to be included in the model as well.
Lewis introduced an instructive way of representing counterfactual situa-
tions graphically. Each possible world is at the center of a set of nested spheres

824
60.2. SPHERE MODELS

containing other worlds—we draw these spheres as concentric circles. The

worlds between two spheres are equally close to the world at the center as
each other, those contained in a nested sphere are closer, and those in a sur-
rounding sphere further away.

w φ

The closest φ-worlds are those worlds w′ where φ is satisfied which lie in the
smallest sphere around the center world w (the gray area). Intuitively, φ € ψ
is satisfied at w if ψ is true at all closest φ-worlds.

60.2 Sphere Models

One way of providing a formal semantics for counterfactuals is to turn Lewis’s
informal account into a mathematical structure. The spheres around a world w
then are sets of worlds. Since the spheres are nested, the sets of worlds around w
have to be linearly ordered by the subset relation.

Definition 60.1. A sphere model is a triple M = ⟨W, O, V ⟩ where W is a non-

empty set of worlds, V : At0 → ℘(W ) is a valuation, and O : W → ℘(℘(W ))
assigns to each world w a system of spheres Ow . For each w, Ow is a set of sets
of worlds, and must satisfy:

1. Ow is centered on w: {w} ∈ Ow .

2. Ow is nested: whenever S1 , S2 ∈ Ow , S1 ⊆ S2 or S2 ⊆ S1 , i.e., Ow is

linearly ordered by ⊆.

3. Ow is closed under non-empty unions.

4. Ow is closed under non-empty intersections.

The intuition behind Ow is that the worlds “around” w are stratified ac-
cording to how far away they are from w. The innermost sphere is just w by
itself, i.e., the set {w}: w is closer to w than the worlds in any other sphere. If
S ⊊ S′ , then the worlds in S′ \ S are further way from w than the worlds in S:
S′ \ S is the “layer” between the S and the worlds outside of S′ . In particular,
we have to think of the spheres as containing all the worlds within their outer
surface; they are not just the individual layers.

Release : d3a1905 (2022-12-19) 825

 CHAPTER 60. MINIMAL CHANGE SEMANTICS

w1 w7

w5
w p
w6
w2
w3

w4

Figure 60.1: Diagram of a sphere model

The diagram in Figure 60.1 corresponds to the sphere model with W =

{w, w1 , . . . , w7 }, V ( p) = {w5 , w6 , w7 }. The innermost sphere S1 = {w}. The
closest worlds to w are w1 , w2 , w3 , so the next larger sphere is S2 = {w, w1 , w2 , w3 }.
The worlds further out are w4 , w5 , w6 , so the outermost sphere is S3 = {w, w1 , . . . , w6 }.
The system of spheres around w is Ow = {S1 , S2 , S3 }. The world w7 is not in
any sphere around w. The closest worlds in which p is true are w5 and w6 , and
so the smallest p-admitting sphere is S3 .
To define satisfaction of a formula φ at world w in a sphere model M,
M, w ⊩ φ, we expand the definition for modal formulas to include a clause
for ψ € χ:

Definition 60.2. M, w ⊩ ψ € χ iff either

1. For all u ∈
S
Ow , M, u ⊮ ψ, or

2. For some S ∈ Ow ,

a) M, u ⊩ ψ for some u ∈ S, and

b) for all v ∈ S, either M, v ⊮ ψ or M, v ⊩ χ.

According to this definition, M, w ⊩ ψ € χ iff either the antecedent ψ

is false everywhere in the spheres around w, or there is a sphere S where ψ
is true, and the material conditional ψ → χ is true at all worlds in that “ψ-
admitting” sphere. Note that we didn’t require in the definition that S is the
innermost ψ-admitting sphere, contrary to what one might expect from the
intuitive explanation. But if the condition in (2) is satisfied for some sphere S,
then it is also satisfied for all spheres S contains, and hence in particular for
the innermost sphere.
Note also that the definition of sphere models does not require that there
is an innermost ψ-admitting sphere: we may have an infinite sequence S1 ⊋

826 Release : d3a1905 (2022-12-19)

60.3. TRUTH AND FALSITY OF COUNTERFACTUALS

w φ

Figure 60.2: Non-vacuously true counterfactual

w φ

Figure 60.3: Vacuously true counterfactual

S2 ⊋ · · · ⊋ {w} of ψ-admitting spheres, and hence no innermost ψ-admitting

spheres. In that case, M, w ⊩ ψ € χ iff ψ → χ holds throughout the spheres
Si , Si+1 , . . . , for some i.

60.3 Truth and Falsity of Counterfactuals

A counterfactual φ € ψ is (non-vacuously) true if the closest φ-worlds are all
ψ-worlds, as depicted in Figure 60.2. A counterfactual is also true at w if the
system of spheres around w has no φ-admitting spheres at all. In that case it
is vacuously true (see Figure 60.3).
It can be false in two ways. One way is if the closest φ-worlds are not
all ψ-worlds, but some of them are. In this case, φ € ¬ψ is also false (see
Figure 60.4). If the closest φ-worlds do not overlap with the ψ-worlds at all,
then φ € ψ. But, in this case all the closest φ-worlds are ¬ψ-worlds, and so
φ € ¬ψ is true (see Figure 60.5).
In contrast to the strict conditional, counterfactuals may be contingent.
Consider the sphere model in Figure 60.6. The φ-worlds closest to u are all
ψ-worlds, so M, u ⊩ φ € ψ. But there are φ-worlds closest to v which are not

Release : d3a1905 (2022-12-19) 827

 CHAPTER 60. MINIMAL CHANGE SEMANTICS

w φ

Figure 60.4: False counterfactual, false opposite

w φ

Figure 60.5: False counterfactual, true opposite

ψ-worlds, so M, v ⊮ φ € ψ.

60.4 Antecedent Strengthenng

“Strengthening the antecedent” refers to the inference φ → χ ⊨ ( φ ∧ ψ) → χ. It
is valid for the material conditional, but invalid for counterfactuals. Suppose
it is true that if I were to strike this match, it would light. (That means, there is
nothing wrong with the match or the matchbook surface, I will not break the
match, etc.) But it is not true that if I were to light this match in outer space, it
would light. So the following inference is invalid:

I the match were struck, it would light.

Therefore, if the match were struck in outer space, it would light.

The Lewis-Stalnaker account of conditionals explains this: the closest world

where I light the match and I do so in outer space is much further removed
from the actual world than the closest world where I light the match is. So
although it’s true that the match lights in the latter, it is not in the former. And
that is as it schould be.

828 Release : d3a1905 (2022-12-19)

60.5. TRANSITIVITY

u v

Figure 60.6: Contingent counterfactual

w1

w
w2
q

Figure 60.7: Counterexample to antecedent strengthening

Example 60.3. The sphere semantics invalidates the inference, i.e., we have
p € r ⊭ ( p ∧ q) € r. Consider the model M = ⟨W, O, V ⟩ where W =
{w, w1 , w2 }, Ow = {{w}, {w, w1 }, {w, w1 , w2 }}, V ( p) = {w1 , w2 }, V (q) =
{w2 }, and V (r ) = {w1 }. There is a p-admitting sphere S = {w, w1 } and p → r
is true at all worlds in it, so M, w ⊩ p € r. There is also a ( p ∧ q)-admitting
sphere S′ = {w, w1 , w2 } but M, w2 ⊮ ( p ∧ q) → r, so M, w ⊮ ( p ∧ q) € r (see
Figure 60.7).

60.5 Transitivity
For the material conditional, the chain rule holds: φ → ψ, ψ → χ ⊨ φ → χ.
In other words, the material conditional is transitive. Is the same true for
counterfactuals? Consider the following example due to Stalnaker.

Release : d3a1905 (2022-12-19) 829

 CHAPTER 60. MINIMAL CHANGE SEMANTICS

If J. Edgar Hoover had been born a Russian, he would have been a

Communist.
If J. Edgar Hoover were a Communist, he would have been be a
traitor.
Therefore, If J. Edgar Hoover had been born a Russian, he would
have been be a traitor.

If Hoover had been born (at the same time he actually did), not in the United
States, but in Russia, he would have grown up in the Soviet Union and become
a Communist (let’s assume). So the first premise is true. Likewise, the second
premise, considered in isolation is true. The conclusion, however, is false:
in all likelihood, Hoover would have been a fervent Communist if he had
been born in the USSR, and not been a traitor (to his country). The intuitive
assignment of truth values is borne out by the Stalnaker-Lewis account. The
closest possible world to ours with the only change being Hoover’s place of
birth is the one where Hoover grows up to be a good citizen of the USSR.
This is the closest possible world where the antecedent of the first premise
and of the conclusion is true, and in that world Hoover is a loyal member of
the Communist party, and so not a traitor. To evaluate the second premise, we
have to look at a different world, however: the closest world where Hoover is
a Communist, which is one where he was born in the United States, turned,
and thus became a traitor.1

Example 60.4. The sphere semantics invalidates the inference, i.e., we have
p € q, q € r ⊭ p € r. Consider the model M = ⟨W, O, V ⟩ where W =
{w, w1 , w2 }, Ow = {{w}, {w, w1 }, {w, w1 , w2 }}, V ( p) = {w2 }, V (q) = {w1 , w2 },
and V (r ) = {w1 }. There is a p-admitting sphere S = {w, w1 , w2 } and p → q is
true at all worlds in it, so M, w ⊩ p € q. There is also a q-admitting sphere
S′ = {w, w1 } and M ⊮ q → r is true at all worlds in it, so M, w ⊩ q € r. How-
ever, the p-admitting sphere {w, w1 , w2 } contains a world, namely w2 , where
M, w2 ⊮ p → r.

60.6 Contraposition
Material and strict conditionals are equivalent to their contrapositives. Coun-
terfactuals are not. Here is an example due to Kratzer:

If Goethe hadn’t died in 1832, he would (still) be dead now.

If Goethe weren’t dead now, he would have died in 1832.
1 Of course, to appreciate the force of the example we have to take on board some metaphysi-

cal and political assumptions, e.g., that it is possible that Hoover could have been born to Russian
parents, or that Communists in the US of the 1950s were traitors to their country.

830 Release : d3a1905 (2022-12-19)

60.6. CONTRAPOSITION

¬q
q

w w1

w2

p
¬p

Figure 60.8: Counterexample to contraposition

The first sentence is true: humans don’t live hundreds of years. The second
is clearly false: if Goethe weren’t dead now, he would be still alive, and so
couldn’t have died in 1832.

Example 60.5. The sphere semantics invalidates contraposition, i.e., we have

p € q ⊭ ¬q € ¬ p. Think of p as “Goethe didn’t die in 1832” and q as
“Goethe is dead now.” We can capture this in a model M1 = ⟨W, O, V ⟩ with
W = {w, w1 , w2 }, O = {{w}, {w, w1 }, {w, w1 , w2 }}, V ( p) = {w1 , w2 } and
V (q) = {w, w1 }. So w is the actual world where Goethe died in 1832 and is still
dead; w1 is the (close) world where Goethe died in, say, 1833, and is still dead;
and w2 is a (remote) world where Goethe is still alive. There is a p-admitting
sphere S = {w, w1 } and p → q is true at all worlds in it, so M, w ⊩ p € q.
However, the ¬q-admitting sphere {w, w1 , w2 } contains a world, namely w2 ,
where q is false and p is true, so M, w2 ⊮ ¬q → ¬ p.

Problems
Problem 60.1. Find a convincing, intuitive example for the failure of transi-
tivity of counterfactuals.

Problem 60.2. Draw the sphere diagram corresponding to the counterexam-

ple in Example 60.4.

Problem 60.3. In Example 60.4, world w2 is where Hoover is born in Russia,

is a communist, and not a traitor, and w1 is the world where Hoover is born in
the US, is a communist, and a traitor. In this model, w1 is closer to w than w2 is.
Is this necessary? Can you give a counterexample that does not assume that

Release : d3a1905 (2022-12-19) 831

 CHAPTER 60. MINIMAL CHANGE SEMANTICS

Hoover’s being born in Russia is a more remote possibility than him being a
Communist?

832 Release : d3a1905 (2022-12-19)

 Part XIV

Set Theory

833
Chapter 61

The Iterative Conception

61.1 Extensionality
The very first thing to say is that sets are individuated by their members. More
precisely:
Axiom (Extensionality). For any sets A and B: ∀ x ( x ∈ A ↔ x ∈ B) → A = B

We assumed this throughout part I. But it bears repeating. The Axiom of

Extensionality expresses the basic idea that a set is determined by its elements.
(So sets might be contrasted with concepts, where precisely the same objects
might fall under many different concepts.)
Why embrace this principle? Well, it is plausible to say that any denial of
Extensionality is a decision to abandon anything which might even be called
set theory. Set theory is no more nor less than the theory of extensional collec-
tions.
The real challenge in part XIV, though, is to lay down principles which tell
us which sets exist. And it turns out that the only truly “obvious” answer to
this question is provably wrong.

61.2 Russell’s Paradox (again)

In part I, we worked with a naı̈ve set theory. But according to a very naı̈ve con-
ception, sets are just the extensions of predicates. This naı̈ve thought would
mandate the following principle:

Naı̈ve Comprehension. { x : φ( x )} exists for any formula φ.

Tempting as this principle is, it is provably inconsistent. We saw this in

section 1.6, but the result is so important, and so straightforward, that it’s
worth repeating. Verbatim.

834
61.3. PREDICATIVE AND IMPREDICATIVE

Theorem 61.1 (Russell’s Paradox). There is no set R = { x : x ∈

/ x}

Proof. If R = { x : x ∈
/ x } exists, then R ∈ R iff R ∈
/ R, which is a contradic-
tion.

Russell discovered this result in June 1901. (He did not, though, put the
paradox in quite the form we just presented it, since he was considering Frege’s
set theory, as outlined in Grundgesetze. We will return to this in section 61.6.)
Russell wrote to Frege on June 16, 1902, explaining the inconsistency in Frege’s
system. For the correspondence, and a bit of background, see Heijenoort
(1967, pp. 124–8).
It is worth emphasising that this two-line proof is a result of pure logic.
Granted, we implicitly used a (non-logical?) axiom, Extensionality, in our no-
tation { x : x ∈
/ x }; for { x : φ( x )} is to be the unique (by Extensionality) set of
the φs, if one exists. But we can avoid even the hint of Extensionality, just by
stating the result as follows: there is no set whose members are exactly the non-self-
membered sets. And this has nothing much to do with sets. As Russell himself
observed, exactly similar reasoning will lead you to conclude: no man shaves
exactly the men who do not shave themselves. Or: no pug sniffs exactly the pugs
which don’t sniff themselves. And so on. Schematically, the shape of the result is
just:
¬∃ x ∀z( Rzx ↔ ¬ Rzz).
And that’s just a theorem (scheme) of first-order logic. Consequently, we can’t
avoid Russell’s Paradox just by tinkering with our set theory; it arises before
we even get to set theory. If we’re going to use (classical) first-order logic, we
simply have to accept that there is no set R = { x : x ∈
/ x }.
The upshot is this. If you want to accept Naı̈ve Comprehension whilst
avoiding inconsistency, you cannot just tinker with the set theory. Instead, you
would have to overhaul your logic.
Of course, set theories with non-classical logics have been presented. But
they are—to say the least—non-standard. The standard approach to Russell’s
Paradox is to treat it as a straightforward non-existence proof, and then to try
to learn how to live with it. That is the approach we will follow.

61.3 Predicative and Impredicative

The Russell set, R, was defined via { x : x ∈ / x }. Spelled out more fully, R
would be the set which contains all and only those sets which are not non-
self-membered. So in defining R, we quantify over the domain which would
contain R (if it existed).
This is an impredicative definition. More generally, we might say that a
definition is impredicative iff it quantifies over a domain which contains the
object that is being defined.

Release : d3a1905 (2022-12-19) 835

 CHAPTER 61. THE ITERATIVE CONCEPTION

In the wake of the paradoxes, Whitehead, Russell, Poincaré and Weyl re-
jected such impredicative definitions as “viciously circular”:
An analysis of the paradoxes to be avoided shows that they all
result from a kind of vicious circle. The vicious circles in ques-
tion arise from supposing that a collection of objects may contain
members which can only be defined by means of the collection as
a whole[. . . . ¶]
The principle which enables us to avoid illegitimate totalities may
be stated as follows: ‘Whatever involves all of a collection must not
be one of the collection’; or, conversely: ‘If, provided a certain col-
lection had a total, it would have members only definable in terms
of that total, then the said collection has no total.’ We shall call
this the ‘vicious-circle principle,’ because it enables us to avoid the
vicious circles involved in the assumption of illegitimate totalities.
(Whitehead and Russell, 1910, p. 37)
If we follow them in rejecting the vicious-circle principle, then we might attempt
to replace the disastrous Naı̈ve Comprehension Scheme (of section 61.2) with
something like this:

Predicative Comprehension. For every formula φ quantifying only over

sets: the set′ { x : φ( x )} exists.

So long as sets′ are not sets, no contradiction will ensue.

Unfortunately, Predicative Comprehension is not very comprehensive. After
all, it introduces us to new entities, sets′ . So we will have to consider formulas
which quantify over sets′ . If they always yield a set′ , then Russell’s paradox
will arise again, just by considering the set′ of all non-self-membered sets′ .
So, pursuing the same thought, we must say that a formula quantifying over
sets′ yields a corresponding set′′ . And then we will need sets′′′ , sets′′′′ , etc.
To prevent a rash of primes, it will be easier to think of these as sets0 , sets1 ,
sets2 , sets3 , sets4 ,. . . . And this would give us a way into the (simple) theory of
types.
There are a few obvious objections against such a theory (though it is not
obvious that they are overwhelming objections). In brief: the resulting theory
is cumbersome to use; it is profligate in postulating different kinds of objects;
and it is not clear, in the end, that impredicative definitions are even all that
bad.
To bring out the last point, consider this remark from Ramsey:
we may refer to a man as the tallest in a group, thus identifying
him by means of a totality of which he is himself a member without
there being any vicious circle. (Ramsey, 1925)

836 Release : d3a1905 (2022-12-19)

61.4. THE CUMULATIVE-ITERATIVE APPROACH

Ramsey’s point is that “the tallest man in the group” is an impredicative defi-
nition; but it is obviously perfectly kosher.
One might respond that, in this case, we could pick out the tallest person
by predicative means. For example, maybe we could just point at the man in
question. The objection against impredicative definitions, then, would clearly
need to be limited to entities which can only be picked out impredicatively.
But even then, we would need to hear more, about why such “essential im-
predicativity” would be so bad.1
Admittedly, impredicative definitions are extremely bad news, if we want
our definitions to provide us with something like a recipe for creating an ob-
ject. For, given an impredicative definition, one would genuinely be caught in
a vicious circle: to create the impredicatively specified object, one would first
need to create all the objects (including the impredicatively specified object),
since the impredicatively specified object is specified in terms of all the ob-
jects; so one would need to create the impredicatively specified object before
one had created it itself. But again, this is only a serious objection against “es-
sentially impredicatively” specified sets, if we think of sets as things that we
create. And we (probably) don’t.
As such—for better or worse—the approach which became common does
not involve taking a hard line concerning (im)predicativity. Rather, it involves
what is now regarded as the cumulative-iterative approach. In the end, this
will allow us to stratify our sets into “stages”—a bit like the predicative ap-
proach stratifies entities into sets0 , sets1 , sets2 , . . . —but we will not postulate
any difference in kind between them.

61.4 The Cumulative-Iterative Approach

Here is a slightly fuller statement of how we will stratify sets into stages:

Sets are formed in stages. For each stage S, there are certain stages
which are before S. At stage S, each collection consisting of sets
formed at stages before S is formed into a set. There are no sets
other than the sets which are formed at stages. (Shoenfield, 1977,
p. 323)

This is a sketch of the cumulative-iterative conception of set. It will underpin the

formal set theory that we present in part XIV.
Let’s explore this in a little more detail. As Shoenfield describes the pro-
cess, at every stage, we form new sets from the sets which were available to
us from earlier stages. So, on Shoenfield’s picture, at the initial stage, stage 0,
there are no earlier stages, and so a fortiori there are no sets available to us from

1 For more, see Linnebo (2010).

Release : d3a1905 (2022-12-19) 837

 CHAPTER 61. THE ITERATIVE CONCEPTION

earlier stages.2 So we form only one set: the set with no elements ∅. At stage
1, exactly one set is available to us from earlier stages, so only one new set is
{∅}. At stage 2, two sets are available to us from earlier stages, and we form
two new sets {{∅}} and {∅, {∅}}. At stage 3, four sets are available to us
from earlier stages, so we form twelve new sets. . . . As such, the cumulative-
iterative picture of the sets will look a bit like this (with numbers indicating
stages):

6
5
4
3
2
1
0

So: why should we embrace this story?

One reason is that it is a nice, tractable story. Given the demise of the most
obvious story, i.e., Naı̈ve Comprehension, we are in want of something nice.
But the story is not just nice. We have a good reason to believe that any set
theory based on this story will be consistent. Here is why.
Given the cumulative-iterative conception of set, we form sets at stages;
and their elements must be objects which were available already. So, for any
stage S, we can form the set

RS = { x : x ∈
/ x and x was available before S}

The reasoning involved in proving Russell’s Paradox will now establish that
RS itself is not available before stage S. And that’s not a contradiction. More-
over, if we embrace the cumulative-iterative conception of set, then we shouldn’t
even have expected to be able to form the Russell set itself. For that would be
the set of all non-self-membered sets that “will ever be available”. In short:
the fact that we (provably) can’t form the Russell set isn’t surprising, given the
cumulative-iterative story; it’s what we would predict.

2 Why should we assume that there is a first stage? See the footnote to Stages-are-ordered in

section 62.1.

838 Release : d3a1905 (2022-12-19)

61.5. URELEMENTS OR NOT?

61.5 Urelements or Not?

In the next few chapters, we will try to extract axioms from the cumulative-
iterative conception of set. But, before going any further, we need to say some-
thing more about urelements.
The picture of section 61.4 allowed us only to form new sets from old sets.
However, we might want to allow that certain non-sets—cows, pigs, grains of
sand, or whatever—can be elements of sets. In that case, we would start with
certain basic elements, urelements, and then say that at each stage S we would
form “all possible” sets consisting of urelements or sets formed at stages be-
fore S (in any combination). The resulting picture would look more like this:

6
5
4
3
2
1
0

So now we have a decision to take: Should we allow urelements?

Philosophically, it makes sense to include urelements in our theorising.
The main reason for this is to make our set theory applicable. To illustrate the
point, recall from chapter 4 that we say that two sets A and B have the same
size, i.e., A ≈ B, iff there is a bijection between them. Now, if the cows in
the field and the pigs in the sty both form sets, we can offer a set-theoretical
treatment of the claim “there are as many cows as pigs”. But if we ban urele-
ments, so that the cows and the pigs do not form sets, then that set-theoretical
treatment will be unavailable. Indeed, we will have no straightforward ability
to apply set theory to anything other than sets themselves. (For more reasons
to include urelements, see Potter 2004, pp. vi, 24, 50–1.)
Mathematically, however, it is quite rare to allow urelements. In part, this
is because it is very slightly easier to formulate set theory without urelements.
But, occasionally, one finds more interesting justifications for excluding urele-
ment from set theory:

In accordance with the belief that set theory is the foundation of

mathematics, we should be able to capture all of mathematics by
just talking about sets, so our variable should not range over ob-
jects like cows and pigs. (Kunen, 1980, p. 8)

Release : d3a1905 (2022-12-19) 839

 CHAPTER 61. THE ITERATIVE CONCEPTION

So: a focus on applicability would suggest including urelements; a focus on a

reductive foundational goal (reducing mathematics to pure set theory) might
suggest excluding them. Mild laziness, too, points in the direction of excluding
urelements.
We will follow the laziest path. Partly, though, there is a pedagogical jus-
tification. Our aim is to introduce you to the elements of set theory that you
would need in order to get started on the philosophy of set theory. And most
of that philosophical literature discusses set theories formulated without ure-
lements. So this book will, perhaps, be of more use, if it hews fairly closely to
that literature.

61.6 Appendix: Frege’s Basic Law V

In section 61.2, we explained that Russell’s formulated his paradox as a prob-
lem for the system Frege outlined in his Grundgesetze. Frege’s system did not
include a direct formulation of Naı̈ve Comprehension. So, in this appendix,
we will very briefly explain what Frege’s system did include, and how it re-
lates to Naı̈ve Comprehension and how it relates to Russell’s Paradox.
Frege’s system is second-order, and was designed to formulate the notion
of an extension of a concept. Using notation inspired by Frege, we will write
ϵx F ( x ) for the extension of the concept F. This is a device which takes a predicate,
“F”, and turns it into a (first-order) term, “ϵx F ( x )”. Using this device, Frege
offered the following definition of membership:

a ∈ b =df ∃ G (b = ϵx G ( x ) ∧ Ga)

roughly: a ∈ b iff a falls under a concept whose extension is b. (Note that the
quantifier “∃ G” is second-order.) Frege also maintained the following princi-
ple, known as Basic Law V:

ϵx F ( x ) = ϵx G ( x ) ↔ ∀ x ( Fx ↔ Gx )

roughly: concepts have identical extensions iff they are coextensive. (Again,
both “F” and “G” are in predicate position.) Now a simple principle connects
membership with property-satisfaction:

Lemma 61.2 (in Grundgesetze). ∀ F ∀ a( a ∈ ϵx F ( x ) ↔ Fa)

Proof. Fix F and a. Now a ∈ ϵx F ( x ) iff ∃ G (ϵx F ( x ) = ϵx G ( x ) ∧ Ga) (by the

definition of membership) iff ∃ G (∀ x ( Fx ↔ Gx ) ∧ Ga) (by Basic Law V) iff Fa
(by elementary second-order logic).

And this yields Naı̈ve Comprehension almost immediately:

Lemma 61.3 (in Grundgesetze.). ∀ F ∃s∀ a( a ∈ s ↔ Fa)

840 Release : d3a1905 (2022-12-19)

61.6. APPENDIX: FREGE’S BASIC LAW V

Proof. Fix F; now Lemma 61.2 yields ∀ a( a ∈ ϵx F ( x ) ↔ Fa); so ∃s∀ a( a ∈ s ↔

Fa) by existential generalisation. The result follows since F was arbitrary.

Russell’s Paradox follows by taking F as given by ∀ x ( Fx ↔ x ∈

/ x ).

Release : d3a1905 (2022-12-19) 841

Chapter 62

Steps towards Z

62.1 The Story in More Detail

In section 61.4, we quoted Schoenfield’s description of the process of set-
formation. We now want to write down a few more principles, to make this
story a bit more precise. Here they are:

Stages-are-key. Every set is formed at some stage.

Stages-are-ordered. Stages are ordered: some come before others.1

Stages-accumulate. For any stage S, and for any sets which were formed
before stage S: a set is formed at stage S whose members are exactly those
sets. Nothing else is formed at stage S.

These are informal principles, but we will be able to use them to vindicate
several of the axioms of Zermelo’s set theory.
(We should offer a word of caution. Although we will be presenting some
completely standard axioms, with completely standard names, the italicized
principles we have just presented have no particular names in the literature.
We simply monikers which we hope are helpful.)

62.2 Separation
We start with a principle to replace Naı̈ve Comprehension:

Axiom (Scheme of Separation). For every formula φ( x ), this is an axiom: for

any A, the set { x ∈ A : φ( x )} exists.
1 We will actually assume—tacitly—that the stages are well-ordered. What this amounts to is

explained in chapter 63. This is a substantial assumption. In fact, using a very clever technique
due to Scott (1974), this assumption can be avoided and then derived. (This will also explain why
we should think that there is an initial stage.) We cannot go into that here; for more, see Button
(forthcoming).

842
62.2. SEPARATION

Note that this is not a single axiom. It is a scheme of axioms. There are
infinitely many Separation axioms; one for every formula φ( x ). The scheme
can equally well be (and normally is) written down as follows:

For any formula φ( x ) which does not contain “S”, this is an axiom:

∀ A∃S∀ x ( x ∈ S ↔ ( φ( x ) ∧ x ∈ A)).

In keeping with the convention noted at the start of part XIV, the formu-
las φ in the Separation axioms may have parameters.2
Separation is immediately justified by our cumulative-iterative conception
of sets we have been telling. To see why, let A be a set. So A is formed by some
stage S (by Stages-are-key). Since A was formed at stage S, all of A’s members
were formed before stage S (by Stages-accumulate). Now in particular, consider
all the sets which are members of A and which also satisfy φ; clearly all of
these sets, too, were formed before stage S. So they are formed into a set
{ x ∈ A : φ( x )} at stage S too (by Stages-accumulate).
Unlike Naı̈ve Comprehension, this avoid Russell’s Paradox. For we cannot
simply assert the existence of the set { x : x ∈
/ x }. Rather, given some set A, we
can assert the existence of the set R A = { x ∈ A : x ∈/ x }. But all this proves is
that R A ∈/ R A and R A ∈/ A, none of which is very worrying.
However, Separation has an immediate and striking consequence:

Theorem 62.1. There is no universal set, i.e., { x : x = x } does not exist.

Proof. For reductio, suppose V is a universal set. Then by Separation, R =

{x ∈ V : x ∈
/ x} = {x : x ∈
/ x } exists, contradicting Russell’s Paradox.

The absence of a universal set—indeed, the open-endedness of the hier-

archy of sets—is one of the most fundamental ideas behind the cumulative-
iterative conception. So it is worth seeing that, intuitively, we could reach it
via a different route. A universal set must be an element of itself. But, on
our cumulative-iterative conception, every set appears (for the first time) in
the hierarchy at the first stage immediately after all of its elements. But this
entails that no set is self-membered. For any self-membered set would have
to first occur immediately after the stage at which it first occurred, which is
absurd. (We will see in Definition 64.15 how to make this explanation more
rigorous, by using the notion of the “rank” of a set. However, we will need to
have a few more axioms in place to do this.)
Here are a few more consequences of Separation and Extensionality.

Proposition 62.2. If any set exists, then ∅ exists.

2 For an explanation of what this means, see the discussion immediately after Corollary 6.7.

Release : d3a1905 (2022-12-19) 843

 CHAPTER 62. STEPS TOWARDS Z

Proof. If A is a set, ∅ = { x ∈ A : x ̸= x } exists by Separation.

Proposition 62.3. A \ B exists for any sets A and B

Proof. A \ B = { x ∈ A : x ∈
/ B} exists by Separation.

It also turns out that (almost) arbitrary intersections exist:

Proposition 62.4. If A ̸= ∅, then A = { x : (∀y ∈ A) x ∈ y} exists.

T

Proof. Let A ̸= ∅, so there is some c ∈ A. Then A = { x : (∀y ∈ A) x ∈ y} =

T

{ x ∈ c : (∀y ∈ A) x ∈ y}, which exists by Separation.

Note the condition that A ̸= ∅, though; for ∅ would be the universal

T

set, vacuously, contradicting Theorem 62.1.

62.3 Union
Proposition 62.4 gave us intersections. But if we want arbitrary unions to exist,
we need to lay down another axiom:

A = { x : (∃b ∈ A) x ∈ b} exists.
S
Axiom (Union). For any set A, the set
∀ A∃U ∀ x ( x ∈ U ↔ (∃b ∈ A) x ∈ b)

This axiom is also justified by the cumulative-iterative conception. Let A

be a set, so A is formed at some stage S (by Stages-are-key). Every member
of A was formed before S (by Stages-accumulate); so, reasoning similarly, every
member of every member of A was formed before S. Thus all of those sets are
S
available before S, to be formed into a set at S. And that set is just A.

62.4 Pairs
The next axiom to consider is the following:

Axiom (Pairs). For any sets a, b, the set { a, b} exists.

∀ a∀b∃ P∀ x ( x ∈ P ↔ ( x = a ∨ x = b))

Here is how to justify this axiom, using the iterative conception. Suppose
a is available at stage S, and b is available at stage T. Let M be whichever of
stages S and T comes later. Then since a and b are both available at stage M,
the set { a, b} is a possible collection available at any stage after M (whichever
is the greater).
But hold on! Why assume that there are any stages after M? If there are
none, then our justification will fail. So, to justify Pairs, we will have to add
another principle to the story we told in section 62.1, namely:

844 Release : d3a1905 (2022-12-19)

62.5. POWERSETS

Stages-keep-going. There is no last stage.

Is this principle justified? Nothing in Shoenfield’s story stated explicitly that
there is no last stage. Still, even if it is (strictly speaking) an extra addition to
our story, it fits well with the basic idea that sets are formed in stages. We will
simply accept it in what follows. And so, we will accept the Axiom of Pairs
too.
Armed with this new Axiom, we can prove the existence of plenty more
sets. For example:
Proposition 62.5. For any sets a and b, the following sets exist:
1. { a}

2. a ∪ b

3. ⟨ a, b⟩

Proof. (1). By Pairs, { a, a} exists, which is { a} by Extensionality.

(2). By Pairs, { a, b} exists. Now a ∪ b = { a, b} exists by Union.
S

(3). By (1), { a} exists. By Pairs, { a, b} exists. Now {{ a}, { a, b}} = ⟨ a, b⟩

exists, by Pairs again.

62.5 Powersets
We will proceed with another axiom:
Axiom (Powersets). For any set A, the set ℘( A) = { x : x ⊆ A} exists.
∀ A∃ P∀ x ( x ∈ P ↔ (∀z ∈ x )z ∈ A)

Our justification for this is pretty straightforward. Suppose A is formed at

stage S. Then all of A’s members were available before S (by Stages-accumulate).
So, reasoning as in our justification for Separation, every subset of A is formed
by stage S. So they are all available, to be formed into a single set, at any stage
after S. And we know that there is some such stage, since S is not the last
stage (by Stages-keep-going). So ℘( A) exists.
Here is a nice consequence of Powersets:
Proposition 62.6. Given any sets A, B, their Cartesian product A × B exists.

Proof. The set ℘(℘( A ∪ B)) exists by Powersets and Proposition 62.5. So by
Separation, this set exists:

C = {z ∈ ℘(℘( A ∪ B)) : (∃ x ∈ A)(∃y ∈ B)z = ⟨ x, y⟩}.

Now, for any x ∈ A and y ∈ B, the set ⟨ x, y⟩ exists by Proposition 62.5.

Moreover, since x, y ∈ A ∪ B, we have that { x }, { x, y} ∈ ℘( A ∪ B), and
⟨ x, y⟩ ∈ ℘(℘( A ∪ B)). So A × B = C.

Release : d3a1905 (2022-12-19) 845

 CHAPTER 62. STEPS TOWARDS Z

In this proof, Powerset interacts with Separation. And that is no surprise.

Without Separation, Powersets wouldn’t be a very powerful principle. After
all, Separation tells us which subsets of a set exist, and hence determines just
how “fat” each Powerset is.

62.6 Infinity
We already have enough axioms to ensure that there are infinitely many sets
(if there are any). For suppose some set exists, and so ∅ exists (by Proposi-
tion 62.2). Now for any set x, the set x ∪ { x } exists by Proposition 62.5. So,
applying this a few times, we will get sets as follows:

0. ∅

1. {∅}

2. {∅, {∅}}

3. {∅, {∅}, {∅, {∅}}}

4. {∅, {∅}, {∅, {∅}}, {∅, {∅}, {∅, {∅}}}}

and we can check that each of these sets is distinct.

We have started the numbering from 0, for a few reasons. But one of them
is this. It is not that hard to check that the set we have labelled “n” has exactly
n members, and (intuitively) is formed at the nth stage.
But. This gives us infinitely many sets, but it does not guarantee that there is
an infinite set, i.e., a set with infinitely many members. And this really matters:
unless we can find a (Dedekind) infinite set, we cannot construct a Dedekind
algebra. But we want a Dedekind algebra, so that we can treat it as the set of
natural numbers. (Compare section 6.4.)
Importantly, the axioms we have laid down so far do not guarantee the
existence of any infinite set. So we have to lay down a new axiom:

Axiom (Infinity). There is a set, I, such that ∅ ∈ I and x ∪ { x } ∈ I whenever

x∈I
∃ I ((∃o ∈ I )∀ x x ∈
/ o∧
(∀ x ∈ I )(∃s ∈ I )∀z(z ∈ s ↔ (z ∈ x ∨ z = x )))

It is easy to see that the set I given to us by the Axiom of Infinity is

Dedekind infinite. Its distinguished element is ∅, and the injection on I is
given by s( x ) = x ∪ { x }. Now, Theorem 6.5 showed how to extract a Dedekind
Algebra from a Dedekind infinite set; and we will treat this as our set of natu-
ral numbers. More precisely:

846 Release : d3a1905 (2022-12-19)

62.6. INFINITY

Definition 62.7. Let I be any set given to us by the Axiom of Infinity. Let s be
the function s( x ) = x ∪ { x }. Let ω = clos (∅). We call the members of ω the
natural numbers, and say that n is the result of n-many applications of s to ∅.

You can now look back and check that the set labelled “n”, a few para-
graphs earlier, will be treated as the number n.
We will discuss this significance of this stipulation in section 62.8. For now,
it enables us to prove an intuitive result:

Proposition 62.8. No natural number is Dedekind infinite.

Proof. The proof is by induction, i.e., Theorem 6.6. Clearly 0 = ∅ is not

Dedekind infinite. For the induction step, we will establish the contraposi-
tive: if (absurdly) s(n) is Dedekind infinite, then n is Dedekind infinite.
So suppose that s(n) is Dedekind infinite, i.e., there is some injection f
with ran( f ) ⊊ dom( f ) = s(n) = n ∪ {n}. There are two cases to consider.
Case 1: n ∈ / ran( f ). So ran( f ) ⊆ n, and f (n) ∈ n. Let g = f ↾n ; now
ran( g) = ran( f ) \ { f (n)} ⊊ n = dom( g). Hence n is Dedekind infinite.
Case 2: n ∈ ran( f ). Fix m ∈ dom( f ) \ ran( f ), and define a function h with
domain s(n) = n ∪ {n}:
(
f ( x ) if f ( x ) ̸= n
h( x ) =
m if f ( x ) = n

So h and f agree everywhere, except that h( f −1 (n)) = m ̸= n = f ( f −1 (n)).

Since f is an injection, n ∈
/ ran(h); and ran(h) ⊊ dom(h) = s(n). Now n is
Dedekind infinite, using the argument of Case 1.

The question remains, though, of how we might justify the Axiom of Infin-
ity. The short answer is that we will need to add another principle to the story
we have been telling. That principle is as follows:

Stages-hit-infinity. There is an infinite stage. That is, there is a stage

which (a) is not the first stage, and which (b) has some stages before
it, but which (c) has no immediate predecessor.

The Axiom of Infinity follows straightforwardly from this principle. We know

that natural number n is formed at stage n. So the set ω is formed at the first
infinite stage. And ω itself witnesses the Axiom of Infinity.
This, however, simply pushes us back to the question of how we might jus-
tify Stages-hit-infinity. As with Stages-keep-going, it was not an explicit part of
the story we told about the cumulative-iterative hierarchy. But more than that:
nothing in the very idea of an iterative hierarchy, in which sets are formed
stage by stage, forces us to think that the process involves an infinite stage. It
seems perfectly coherent to think that the stages are ordered like the natural
numbers.

Release : d3a1905 (2022-12-19) 847

 CHAPTER 62. STEPS TOWARDS Z

This, however, gives rise to an obvious problem. In section 6.4, we con-

sidered Dedekind’s “proof” that there is a Dedekind infinite set (of thoughts).
This may not have struck you as very satisfying. But if Stages-hit-infinity is
not “forced upon us” by the iterative conception of set (or by “the laws of
thought”), then we are still left without an intrinsic justification for the claim
that there is a Dedekind infinite set.
There is much more to say here, of course. But hopefully you are now
at a point to start thinking about what it might take to justify an axiom (or
principle). In what follows we will simply take Stages-hit-infinity for granted.

62.7 Z− : a Milestone
We will revisit Stages-hit-infinity in the next section. However, with the Axiom
of Infinity, we have reached an important milestone. We now have all the
axioms required for the theory Z− . In detail:

Definition 62.9. The theory Z− has these axioms: Extensionality, Union, Pairs,
Powersets, Infinity, and all instances of the Separation scheme.

The name stands for Zermelo set theory (minus something which we will
come to later). Zermelo deserves the honour, since he essentially formulated
this theory in his 1908a.3
This theory is powerful enough to allow us to do an enormous amount
of mathematics. In particular, you should look back through part I, and con-
vince yourself that everything we did, naı̈vely, could be done more formally
within Z− . (Once you have done that for a bit, you might want to skip ahead
and read section 62.9.) So, henceforth, and without any further comment, we
will take ourselves to be working in Z− (at least).

62.8 Selecting our Natural Numbers

In Definition 62.7, we explicitly defined the expression “natural numbers”.
How should you understand this stipulation? It is not a metaphysical claim,
but just a decision to treat certain sets as the natural numbers. We touched
upon reasons for thinking this in section 2.2, section 5.5 and section 6.4. But
we can make these reasons even more pointed.
Our Axiom of Infinity follows von Neumann (1925). But here is another
axiom, which we could have adopted instead:

Zermelo’s 1908a Axiom of Infinity. There is a set A such that ∅ ∈ A and

(∀ x ∈ A){ x } ∈ A.

3 For interesting comments on the history and technicalities, see Potter (2004, Appendix A).

848 Release : d3a1905 (2022-12-19)

62.9. APPENDIX: CLOSURE, COMPREHENSION, AND INTERSECTION

Had we used Zermelo’s axiom, instead of our (von Neumann-inspired)

Axiom of Infinity, we would equally well have been given a Dedekind infinite
set, and so a Dedekind algebra. On Zermelo’s approach, the distinguished
element of our algebra would again have been ∅ (our surrogate for 0), but
the injection would have been given by the map x 7→ { x }, rather than x 7→
x ∪ { x }. The simplest upshot of this is that Zermelo treats 2 as {{∅}}, whereas
we (with von Neumann) treat 2 as {∅, {∅}}.
Why choose one axiom of Infinity rather than the other? The main practi-
cal reason is that von Neumann’s approach “scales up” to handle transfinite
numbers rather well. We will explore this from chapter 63 onwards. How-
ever, from the simple perspective of doing arithmetic, both approaches would
do equally well. So if someone tells you that the natural numbers are sets, the
obvious question is: Which sets are they?
This precise question was made famous by Benacerraf (1965). But it is
worth emphasising that it is just the most famous example of a phenomenon
that we have encountered many times already. The basic point is this. Set
theory gives us a way to simulate a bunch of “intuitive” kinds of entities: the
reals, rationals, integers, and naturals, yes; but also ordered pairs, functions,
and relations. However, set theory never provides us with a unique choice of
simulation. There are always alternatives which—straightforwardly—would
have served us just as well.

62.9 Appendix: Closure, Comprehension, and Intersection

In section 62.7, we suggested that you should look back through the naı̈ve
work of part I and check that it can be carried out in Z− . If you followed
that advice, one point might have tripped you up: the use of intersection in
Dedekind’s treatment of closures.
Recall from Definition 6.2 that
\
clo f (o ) = { X : o ∈ X and X is f -closed}.

The general shape of this is a definition of the form:

\
C= { X : φ( X )}.

But this should ring alarm bells: since Naı̈ve Comprehension fails, there is
no guarantee that { X : φ( X )} exists. It looks dangerously, then, like such
definitions are cheating.
Fortunately, they are not cheating; or rather, if they are cheating as they
stand, then we can engage in some honest toil to render them kosher. That
honest toil was foreshadowed in Proposition 62.4, when we explained why
A exists for any A ̸= ∅. But we will spell it out explicitly.
T

Release : d3a1905 (2022-12-19) 849

 CHAPTER 62. STEPS TOWARDS Z

Given Extensionality, if we attempt to define C as { X : φ( X )}, all we are

T

really asking is for an object C which obeys the following:

∀ x ( x ∈ C ↔ ∀ X ( φ( X ) → x ∈ X )) (*)

Now, suppose there is some set, S, such that φ(S). Then to deliver eq. (*), we
can simply define C using Separation, as follows:

C = { x ∈ S : ∀ X ( φ( X ) → x ∈ X )}.

We leave it as an exercise to check that this definition yields eq. (*), as desired.
And this general strategy will allow us to circumvent any apparent use of
Naı̈ve Comprehension in defining intersections. In the particular case which
got us started on this line of thought, namely that of clo f (o ), here is how that
would work. We began the proof of Lemma 6.3 by noting that o ∈ ran( f ) ∪
{o } and that ran( f ) ∪ {o } is f -closed. So, we can define what we want thus:

clo f (o ) = { x ∈ ran( f ) ∪ {o } : (∀ X ∋ o )( X is f -closed → x ∈ X )}.

Problems
Problem 62.1. Show that, for any sets a, b, c, the set { a, b, c} exists.

Problem 62.2. Show that, for any sets a1 , . . . , an , the set { a1 , . . . , an } exists.

Problem 62.3. Show that, for any sets A, B: (i) the set of all relations with
domain A and range B exists; and (ii) the set of all functions from A to B
exists.

Problem 62.4. Let A be a set, and let ∼ be an equivalence relation on A. Prove

that the set of equivalence classes under ∼ on A, i.e., A/∼ , exists.

850 Release : d3a1905 (2022-12-19)

Chapter 63

Ordinals

63.1 Introduction
In chapter 62, we postulated that there is an infinite-th stage of the hierarchy,
in the form of Stages-hit-infinity (see also our axiom of Infinity). However,
given Stages-keep-going, we can’t stop at the infinite-th stage; we have to keep
going. So: at the next stage after the first infinite stage, we form all possible
collections of sets that were available at the first infinite stage; and repeat; and
repeat; and repeat; . . .
Implicitly what has happened here is that we have started to invoke an
“intuitive” notion of number, according to which there can be numbers after
all the natural numbers. In particular, the notion involved is that of a transfinite
ordinal. The aim of this chapter is to make this idea more rigorous. We will
explore the general notion of an ordinal, and then explicitly define certain sets
to be our ordinals.

63.2 The General Idea of an Ordinal

Consider the natural numbers, in their usual order:

0 < 1 < 2 < 3 < 4 < 5 < ...

We call this, in the jargon, an ω-sequence. And indeed, this general ordering
is mirrored in our initial construction of the stages of the set hierarchy. But,
now suppose we move 0 to the end of this sequence, so that it comes after all
the other numbers:

1 < 2 < 3 < 4 < 5 < ... < 0

We have the same entities here, but ordered in a fundamentally different way:
our first ordering had no last element; our new ordering does. Indeed, our

851
 CHAPTER 63. ORDINALS

new ordering consists of an ω-sequence of entities (1, 2, 3, 4, 5, . . .), followed

by another entity. It will be an ω + 1-sequence.
We can generate even more types of ordering, using just these entities. For
example, consider all the even numbers (in their natural order) followed by
all the odd numbers (in their natural order):

0 < 2 < 4 < ... < 1 < 3 < ...

This is an ω-sequence followed by another ω-sequence; an ω + ω-sequence.

Well, we can keep going. But what we would like is a general way to
understand this talk about orderings.

63.3 Well-Orderings
The fundamental notion is as follows:

Definition 63.1. The relation < well-orders A iff it meets these two conditions:

1. < is connected, i.e., for all a, b ∈ A, either a < b or a = b or b < a;

2. every non-empty subset of A has a <-minimal element, i.e., if ∅ ̸= X ⊆

A then (∃m ∈ X )(∀z ∈ X )z ≮ m

It is easy to see that three examples we just considered were indeed well-
ordering relations.
Here are some elementary but extremely important observations concern-
ing well-ordering.

Proposition 63.2. If < well-orders A, then every non-empty subset of A has a

unique <-least member, and < is irreflexive, asymmetric and transitive.

Proof. If X is a non-empty subset of A, it has a <-minimal element m, i.e.,

(∀z ∈ X )z ≮ m. Since < is connected, (∀z ∈ X )m ≤ z. So m is the <-least
element of X.
For irreflexivity, fix a ∈ A; the <-least element of { a} is a, so a ≮ a. For
transitivity, if a < b < c, then since { a, b, c} has a <-least element, a < c.
Asymmetry follows from irreflexivity and transitivity

Proposition 63.3. If < well-orders A, then for any formula φ( x ):

if (∀ a ∈ A)((∀b < a) φ(b) → φ( a)), then (∀ a ∈ A) φ( a).

Proof. We will prove the contrapositive. Suppose ¬(∀ a ∈ A) φ( a), i.e., that
X = { x ∈ A : ¬ φ( x )} ̸= ∅. Then X has an <-minimal element, a. So
(∀b < a) φ(b) but ¬ φ( a).

852 Release : d3a1905 (2022-12-19)

63.4. ORDER-ISOMORPHISMS

This last property should remind you of the principle of strong induction on
the naturals, i.e.: if (∀n ∈ ω )((∀m < n) φ(m) → φ(n)), then (∀n ∈ ω ) φ(n).
And this property makes well-ordering into a very robust notion.1

63.4 Order-Isomorphisms
To explain how robust well-ordering is, we will start by introducing a method
for comparing well-orderings.

Definition 63.4. A well-ordering is a pair ⟨ A, <⟩, such that < well-orders A.

The well-orderings ⟨ A, <⟩ and ⟨ B, ⋖⟩ are order-isomorphic iff there is a bijection
f : A → B such that: x < y iff f ( x ) ⋖ f (y). In this case, we write ⟨ A, <⟩ ∼ =
⟨ B, ⋖⟩, and say that f is an order-isomorphism.

In what follows, for brevity, we will speak of “isomorphisms” rather than

“order-isomorphisms”. Intuitively, isomorphisms are structure-preserving bi-
jections. Here are some simple facts about isomorphisms.

Lemma 63.5. Compositions of isomorphisms are isomorphisms, i.e.: if f : A → B

and g : B → C are isomorphisms, then ( g ◦ f ) : A → C is an isomorphism.

Proof. Left as an exercise.

Corollary 63.6. X ∼
= Y is an equivalence relation.

Proposition 63.7. If ⟨ A, <⟩ and ⟨ B, ⋖⟩ are isomorphic well-orderings, then the iso-
morphism between them is unique.

Proof. Let f and g be isomorphisms A → B. We will prove the result by

induction, i.e. using Proposition 63.3. Fix a ∈ A, and suppose (for induction)
that (∀b < a) f (b) = g(b). Fix x ∈ B.
If x ⋖ f ( a), then f −1 ( x ) < a, so g( f −1 ( x )) ⋖ g( a), invoking the fact that
f and g are isomorphisms. But since f −1 ( x ) < a, by our supposition x =
f ( f −1 ( x )) = g( f −1 ( x )). So x ⋖ g( a). Similarly, if x ⋖ g( a) then x ⋖ f ( a).
Generalising, (∀ x ∈ B)( x ⋖ f ( a) ↔ x ⋖ g( a)). It follows that f ( a) = g( a)
by Proposition 2.28. So (∀ a ∈ A) f ( a) = g( a) by Proposition 63.3.

This gives some sense that well-orderings are robust. But to continue explain-
ing this, it will help to introduce some more notation.

Definition 63.8. When ⟨ A, <⟩ is a well-ordering with a ∈ A, let A a = { x ∈

A : x < a}. We say that A a is a proper initial segment of A (and allow that A
itself is an improper initial segment of A). Let < a be the restriction of < to the
initial segment, i.e., <↾ A2a .
1A reminder: all formulas can have parameters (unless explicitly stated otherwise).

Release : d3a1905 (2022-12-19) 853

 CHAPTER 63. ORDINALS

Using this notation, we can state and prove that no well-ordering is isomor-
phic to any of its proper initial segments.

Lemma 63.9. If ⟨ A, <⟩ is a well-ordering with a ∈ A, then ⟨ A, <⟩ ≇ ⟨ A a , < a ⟩

Proof. For reductio, suppose f : A → A a is an isomorphism. Since f is a bijec-

tion and A a ⊊ A, using Proposition 63.2 let b ∈ A be the <-least element of A
such that b ̸= f (b). We’ll show that (∀ x ∈ A)( x < b ↔ x < f (b)), from which
it will follow by Proposition 2.28 that b = f (b), completing the reductio.
Suppose x < b. So x = f ( x ), by the choice of b. And f ( x ) < f (b), as f is
an isomorphism. So x < f (b).
Suppose x < f (b). So f −1 ( x ) < b, since f is an isomorphism, and so
f −1 ( x ) = x by the choice of b. So x < b.

Our next result shows, roughly put, that an “initial segment” of an isomor-
phism is an isomorphism:

Lemma 63.10. Let ⟨ A, <⟩ and ⟨ B, ⋖⟩ be well-orderings. If f : A → B is an isomor-

phism and a ∈ A, then f ↾ Aa : A a → B f (a) is an isomorphism.

Proof. Since f is an isomorphism:

f [ A a ] = f [{ x ∈ A : x < a}]
= f [{ f −1 (y) ∈ A : f −1 (y) < a}]
= {y ∈ B : y ⋖ f ( a)}
= B f ( a)

And f ↾ Aa preserves order because f does.

Our next two results establish that well-orderings are always comparable:

Lemma 63.11. Let ⟨ A, <⟩ and ⟨ B, ⋖⟩ be well-orderings. If ⟨ A a1 , < a1 ⟩ ∼

= ⟨ Bb1 , ⋖b1 ⟩
and ⟨ A a2 , < a2 ⟩ ∼
= ⟨ Bb2 , ⋖b2 ⟩, then a1 < a2 iff b1 ⋖ b2

Proof. We will prove left to right; the other direction is similar. Suppose both
⟨ A a1 , < a1 ⟩ ∼
= ⟨ Bb1 , ⋖b1 ⟩ and ⟨ A a2 , < a2 ⟩ ∼ = ⟨ Bb2 , ⋖b2 ⟩, with f : A a2 → Bb2 our
isomorphism. Let a1 < a2 ; then ⟨ A a1 , < a1 ⟩ ∼ = ⟨ B f (a1 ) , ⋖ f (a1 ) ⟩ by Lemma 63.10.
So ⟨ Bb1 , ⋖b1 ⟩ ∼= ⟨ B f (a1 ) , ⋖ f (a1 ) ⟩, and so b1 = f ( a1 ) by Lemma 63.9. Now b1 ⋖ b2
as f ’s domain is Bb2 .

Theorem 63.12. Given any two well-orderings, one is isomorphic to an initial seg-
ment (not necessarily proper) of the other.

854 Release : d3a1905 (2022-12-19)

63.5. VON NEUMANN’S CONSTRUCTION

Proof. Let ⟨ A, <⟩ and ⟨ B, ⋖⟩ be well-orderings. Using Separation, let

f = {⟨ a, b⟩ ∈ A × B : ⟨ A a , < a ⟩ ∼
= ⟨ Bb , ⋖b ⟩}.
By Lemma 63.11, a1 < a2 iff b1 ⋖ b2 for all ⟨ a1 , b1 ⟩, ⟨ a2 , b2 ⟩ ∈ f . So f : dom( f ) →
ran( f ) is an isomorphism.
If a2 ∈ dom( f ) and a1 < a2 , then a1 ∈ dom( f ) by Lemma 63.10; so dom( f )
is an initial segment of A. Similarly, ran( f ) is an initial segment of B. For
reductio, suppose both are proper initial segments. Then let a be the <-least
element of A \ dom( f ), so that dom( f ) = A a , and let b be the ⋖-least element
of B \ ran( f ), so that ran( f ) = Bb . So f : A a → Bb is an isomorphism, and
hence ⟨ a, b⟩ ∈ f , a contradiction.

63.5 Von Neumann’s Construction of the Ordinals

Theorem 63.12 gives rise to a thought. We could introduce certain objects,
called order types, to go proxy for the well-orderings. Writing ord( A, <) for the
order type of the well-ordering ⟨ A, <⟩, we would hope to secure the following
two principles:

ord( A, <) = ord( B, ⋖) iff ⟨ A, <⟩ ∼

= ⟨ B, ⋖⟩
ord( A, <) < ord( B, ⋖) iff ⟨ A, <⟩ ∼
= ⟨ Bb , ⋖b ⟩ for some b ∈ B
Moreover, we might hope to introduce order-types as certain sets, just as we
can introduce the natural numbers as certain sets.
The most common way to do this—and the approach we will follow—
is to define these order-types via certain canonical well-ordered sets. These
canonical sets were first introduced by von Neumann:
Definition 63.13. The set A is transitive iff (∀ x ∈ A) x ⊆ A. Then A is an
ordinal iff A is transitive and well-ordered by ∈.

In what follows, we will use Greek letters for ordinals. It follows immedi-
ately from the definition that, if α is an ordinal, then ⟨α, ∈α ⟩ is a well-ordering,
where ∈α = {⟨ x, y⟩ ∈ α2 : x ∈ y}. So, abusing notation a little, we can just say
that α itself is a well-ordering.
Here are our first few ordinals:

∅, {∅}, {∅, {∅}}, {∅, {∅}, {∅, {∅}}}, . . .

You will note that these are the first few ordinals that we encountered in our
Axiom of Infinity, i.e., in von Neumann’s definition of ω (see section 62.6).
This is no coincidence. Von Neumann’s definition of the ordinals treats natu-
ral numbers as ordinals, but allows for transfinite ordinals too.
As always, we can now ask: are these the ordinals? Or has von Neumann
simply given us some sets that we can treat as the ordinals? The kinds of

Release : d3a1905 (2022-12-19) 855

 CHAPTER 63. ORDINALS

discussions one might have about this question are similar to the discussions
we had in section 2.2, section 5.5, section 6.4, and section 62.8, so we will not
belabour the point. Instead, in what follows, we will simply use “the ordinals”
to speak of “the von Neumann ordinals”.

63.6 Basic Properties of the Ordinals

We observed that the first few ordinals are the natural numbers. The main rea-
son for developing a theory of ordinals is to extend the principle of induction
which holds on the natural numbers. We will build up to this via a sequence
of elementary results.

Lemma 63.14. Every element of an ordinal is an ordinal.

Proof. Let α be an ordinal with b ∈ α. Since α is transitive, b ⊆ α. So ∈ well-

orders b as ∈ well-orders α.
To see that b is transitive, suppose x ∈ c ∈ b. So c ∈ α as b ⊆ α. Again, as
α is transitive, c ⊆ α, so that x ∈ α. So x, c, b ∈ α. But ∈ well-orders α, so that
∈ is a transitive relation on α by Proposition 63.2. So since x ∈ c ∈ b, we have
x ∈ b. Generalising, c ⊆ b

Corollary 63.15. α = { β ∈ α : β is an ordinal}, for any ordinal α

Proof. Immediate from Lemma 63.14.

The rough gist of the next two main results, Theorem 63.16 and Theo-
rem 63.17, is that the ordinals themselves are well-ordered by membership:

Theorem 63.16 (Transfinite Induction). For any formula φ( x ):

if ∃αφ(α), then ∃α( φ(α) ∧ (∀ β ∈ α)¬ φ( β))

where the displayed quantifiers are implicitly restricted to ordinals.

Proof. Suppose φ(α), for some ordinal α. If (∀ β ∈ α)¬ φ( β), then we are done.
Otherwise, as α is an ordinal, it has some ∈-least element which is φ, and this
is an ordinal by Lemma 63.14.

Note that we can equally express Theorem 63.16 as the scheme:

if ∀α((∀ β ∈ α) φ( β) → φ(α)), then ∀αφ(α)

just by taking ¬ φ(α) in Theorem 63.16, and then performing elementary logi-
cal manipulations.

Theorem 63.17 (Trichotomy). α ∈ β ∨ α = β ∨ β ∈ α, for any ordinals α and β.

856 Release : d3a1905 (2022-12-19)

63.6. BASIC PROPERTIES OF THE ORDINALS

Proof. The proof is by double induction, i.e., using Theorem 63.16 twice. Say
that x is comparable with y iff x ∈ y ∨ x = y ∨ y ∈ x.
For induction, suppose that every ordinal in α is comparable with every or-
dinal. For further induction, suppose that α is comparable with every ordinal
in β. We will show that α is comparable with β. By induction on β, it will
follow that α is comparable with every ordinal; and so by induction on α, ev-
ery ordinal is comparable with every ordinal, as required. It suffices to assume
that α ∈/ β and β ∈
/ α, and show that α = β.
To show that α ⊆ β, fix γ ∈ α; this is an ordinal by Lemma 63.14. So by
the first induction hypothesis, γ is comparable with β. But if either γ = β or
β ∈ γ then β ∈ α (invoking the fact that α is transitive if necessary), contrary
to our assumption; so γ ∈ β. Generalising, α ⊆ β.
Exactly similar reasoning, using the second induction hypothesis, shows
that β ⊆ α. So α = β.

As such, we will sometimes write α < β rather than α ∈ β, since ∈ is behaving

as an ordering relation. There are no deep reasons for this, beyond familiarity,
and because it is easier to write α ≤ β than α ∈ β ∨ α = β.2
Here are two quick consequences of our last results, the first of which puts
our new notation into action:

Corollary 63.18. If ∃αφ(α), then ∃α( φ(α) ∧ ∀ β( φ( β) → α ≤ β)). Moreover, for

any ordinals α, β, γ, both α ∈
/ α and α ∈ β ∈ γ → α ∈ γ.

Proof. Just like Proposition 63.2.

Corollary 63.19. A is an ordinal iff A is a transitive set of ordinals.

Proof. Left-to-right. By Lemma 63.14. Right-to-left. If A is a transitive set of

ordinals, then ∈ well-orders A by Theorem 63.16 and Theorem 63.17.

Now, we glossed Theorem 63.16 and Theorem 63.17 as telling us that ∈

well-orders the ordinals. However, we have to be very cautious about this sort
of claim, thanks to the following result:

Theorem 63.20 (Burali-Forti Paradox). There is no set of all the ordinals

Proof. For reductio, suppose O is the set of all ordinals. If α ∈ β ∈ O, then α

is an ordinal, by Lemma 63.14, so α ∈ O. So O is transitive, and hence O is an
ordinal by Corollary 63.19. Hence O ∈ O, contradicting Corollary 63.18.

This result is named after Burali-Forti. But, it was Cantor in 1899—in a letter
to Dedekind—who first saw clearly the contradiction in supposing that there is
a set of all the ordinals. As van Heijenoort explains:
2 We could write α ∈ β; but that would be wholly non-standard.

Release : d3a1905 (2022-12-19) 857

 CHAPTER 63. ORDINALS

Burali-Forti himself considered the contradiction as establishing,

by reductio ad absurdum, the result that the natural ordering of the
ordinals is just a partial ordering. (Heijenoort, 1967, p. 105)

Setting Burali-Forti’s mistake to one side, we can summarize the foregoing

as follows. Ordinals are sets which are individually well-ordered by mem-
bership, and collectively well-ordered by membership (without collectively
constituting a set).
Rounding this off, here are some more basic properties about the ordinals
which follow from Theorem 63.16 and Theorem 63.17.

Proposition 63.21. Any strictly descending sequence of ordinals is finite.

Proof. Any infinite strictly descending sequence of ordinals α0 > α1 > α2 >
. . . has no <-minimal member, contradicting Theorem 63.16.

Proposition 63.22. α ⊆ β ∨ β ⊆ α, for any ordinals α, β.

Proof. If α ∈ β, then α ⊆ β as β is transitive. Similarly, if β ∈ α, then β ⊆ α.

And if α = β, then α ⊆ β and β ⊆ α. So by Theorem 63.17 we are done.

Proposition 63.23. α = β iff α ∼

= β, for any ordinals α, β.

Proof. The ordinals are well-orders; so this is immediate from Trichotomy

(Theorem 63.17) and Lemma 63.9.

63.7 Replacement
In section 63.5, we motivated the introduction of ordinals by suggesting that
we could treat them as order-types, i.e., canonical proxies for well-orderings.
In order for that to work, we would need to prove that every well-ordering
is isomorphic to some ordinal. This would allow us to define ord( A, <) as the
ordinal α such that ⟨ A, <⟩ ∼
= α.
Unfortunately, we cannot prove the desired result only the Axioms we pro-
vided introduced so far. (We will see why in section 65.2, but for now the point
is: we can’t.) We need a new thought, and here it is:

Axiom (Scheme of Replacement). For any formula φ( x, y), the following is

an axiom:

for any A, if (∀ x ∈ A)∃!y φ( x, y), then {y : (∃ x ∈ A) φ( x, y)} exists.

As with Separation, this is a scheme: it yields infinitely many axioms, for each
of the infinitely many different φ’s. And it can equally well be (and normally
is) written down thus:

858 Release : d3a1905 (2022-12-19)

63.8. ZF− : A MILESTONE

For any formula φ( x, y) which does not contain “B”, the following is an
axiom:

∀ A[(∀ x ∈ A)∃!y φ( x, y) → ∃ B∀y(y ∈ B ↔ (∃ x ∈ A) φ( x, y))]

On first encounter, however, this is quite a tangled formula. The following

quick consequence of Replacement probably gives a clearer expression to the
intuitive idea we are working with:

Corollary 63.24. For any term τ ( x ), and any set A, this set exists:

{τ ( x ) : x ∈ A} = {y : (∃ x ∈ A)y = τ ( x )}.

Proof. Since τ is a term, ∀ x ∃!y τ ( x ) = y. A fortiori, (∀ x ∈ A)∃!y τ ( x ) = y. So

{y : (∃ x ∈ A)τ ( x ) = y} exists by Replacement.

This suggests that “Replacement” is a good name for the Axiom: given a set
A, you can form a new set, {τ ( x ) : x ∈ A}, by replacing every member of A
with its image under τ. Indeed, following the notation for the image of a set
under a function, we might write τ [ A] for {τ ( x ) : x ∈ A}.
Crucially, however, τ is a term. It need not be (a name for) a function, in
the sense of section 3.3, i.e., a certain set of ordered pairs. After all, if f is a
function (in that sense), then the set f [ A] = { f ( x ) : x ∈ A} is just a particular
subset of ran( f ), and that is already guaranteed to exist, just using the axioms
of Z− .3 Replacement, by contrast, is a powerful addition to our axioms, as we
will see in chapter 65.

63.8 ZF− : a milestone

The question of how to justify Replacement (if at all) is not straightforward.
As such, we will reserve that for chapter 65. However, with the addition of
Replacement, we have reached another important milestone. We now have all
the axioms required for the theory ZF− . In detail:

Definition 63.25. The theory ZF− has these axioms: Extensionality, Union,
Pairs, Powersets, Infinity, and all instances of the Separation and Replacement
schemes. Otherwise put, ZF− adds Replacement to Z− .

This stands for Zermelo–Fraenkel set theory (minus something which we will
come to later). Fraenkel gets the honour, since he is credited with the formu-
lation of Replacement in 1922, although the first precise formulation was due
to Skolem (1922).
3 Just consider {y ∈
SS
f : (∃ x ∈ A)y = f ( x )}.

Release : d3a1905 (2022-12-19) 859

 CHAPTER 63. ORDINALS

63.9 Ordinals as Order-Types

Armed with Replacement, and so now working in ZF− , we can finally prove
the result we have been aiming for:
Theorem 63.26. Every well-ordering is isomorphic to a unique ordinal.
Proof. Let ⟨ A, <⟩ be a well-order. By Proposition 63.23, it is isomorphic to at
most one ordinal. So, for reductio, suppose ⟨ A, <⟩ is not isomorphic to any
ordinal. We will first “make ⟨ A, <⟩ as small as possible”. In detail: if some
proper initial segment ⟨ A a , < a ⟩ is not isomorphic to any ordinal, there is a
least a ∈ A with that property; then let B = A a and ⋖ = < a . Otherwise, let
B = A and ⋖ = <.
By definition, every proper initial segment of B is isomorphic to some or-
dinal, which is unique as above. So by Replacement, the following set exists,
and is a function:
f = {⟨ β, b⟩ : b ∈ B and β ∼
= ⟨ Bb , ⋖b ⟩}
To complete the reductio, we’ll show that f is an isomorphism α → B, for
some ordinal α.
It is obvious that ran( f ) = B. And by Lemma 63.11, f preserves ordering,
i.e., γ ∈ β iff f (γ) ⋖ f ( β). To show that dom( f ) is an ordinal, by Corol-
lary 63.19 it suffices to show that dom( f ) is transitive. So fix β ∈ dom( f ),
i.e., β ∼ = ⟨ Bb , ⋖b ⟩ for some b. If γ ∈ β, then γ ∈ dom( f ) by Lemma 63.10;
generalising, β ⊆ dom( f ).
This result licenses the following definition, which we have wanted to offer
since section 63.5:
Definition 63.27. If ⟨ A, <⟩ is a well-ordering, then its order type, ord( A, <),
is the unique ordinal α such that ⟨ A, <⟩ ∼
= α.
Moreover, this definition licenses two nice principles:
Corollary 63.28. Where ⟨ A, <⟩ and ⟨ B, ⋖⟩ are well-orderings:
ord( A, <) = ord( B, ⋖) iff ⟨ A, <⟩ ∼
= ⟨ B, ⋖⟩
∼ ⟨ Bb , ⋖b ⟩ for some b ∈ B
ord( A, <) ∈ ord( B, ⋖) iff ⟨ A, <⟩ =
Proof. The identity holds by Proposition 63.23. To prove the second claim, let
ord( A, <) = α and ord( B, ⋖) = β, and let f : β → ⟨ B, ⋖⟩ be our isomorphism.
Then:
α ∈ β iff f ↾α : α → B f (α) is an isomorphism
iff ⟨ A, <⟩ ∼= ⟨ B f (α) , ⋖ f (α) ⟩
∼
iff ⟨ A, <⟩ = ⟨ Bb , ⋖b ⟩ for some b ∈ B
by Proposition 63.7, Lemma 63.10, and Corollary 63.15.

860 Release : d3a1905 (2022-12-19)

63.10. SUCCESSOR AND LIMIT ORDINALS

63.10 Successor and Limit Ordinals

In the next few chapters, we will use ordinals a great deal. So it will help if we
introduce some simple notions.

Definition 63.29. For any ordinal α, its successor is α+ = α ∪ {α}. We say that
α is a successor ordinal if β+ = α for some ordinal β. We say that α is a limit
ordinal iff α is neither empty nor a successor ordinal.

The following result shows that this is the right notion of successor:

Proposition 63.30. For any ordinal α:

1. α ∈ α+ ;

2. α+ is an ordinal;

3. there is no ordinal β such that α ∈ β ∈ α+ .

Proof. Trivially, α ∈ α ∪ {α} = α+ . Equally, α+ is a transitive set of ordinals,

and hence an ordinal by Corollary 63.19. And it is impossible that α ∈ β ∈ α+ ,
since then either β ∈ α or β = α, contradicting Corollary 63.18.

This also licenses a variant of proof by transfinite induction:

Theorem 63.31 (Simple Transfinite Induction). Let φ( x ) be a formula such that:

1. φ(∅); and

2. for any ordinal α, if φ(α) then φ(α+ ); and

3. if α is a limit ordinal and (∀ β ∈ α) φ( β), then φ(α).

Then ∀αφ(α).

Proof. We prove the contrapositive. So, suppose there is some ordinal which
is ¬ φ; let γ be the least such ordinal. Then either γ = ∅, or γ = α+ for some
α such that φ(α); or γ is a limit ordinal and (∀ β ∈ γ) φ( β).

A final bit of notation will prove helpful later on:

α+ .
S
Definition 63.32. If X is a set of ordinals, then lsub( X ) = α∈ X

Here, “lsub” stands for “least strict upper bound”.4 The following result ex-
plains this:
4 Some books use “sup( X )” for this. But other books use “sup( X )” for the least non-strict
S
upper bound, i.e., simply X. If X has a greatest element, α, these notions come apart: the least
strict upper bound is α+ , whereas the least non-strict upper bound is just α.

Release : d3a1905 (2022-12-19) 861

 CHAPTER 63. ORDINALS

Proposition 63.33. If X is a set of ordinals, lsub( X ) is the least ordinal greater than
every ordinal in X.

Proof. Let Y = {α+ : α ∈ X }, so that lsub( X ) = Y. Since ordinals are

S

transitive and every member of an ordinal is an ordinal, lsub( X ) is a transitive

set of ordinals, and so is an ordinal by Corollary 63.19.
If α ∈ X, then α+ ∈ Y, so α+ ⊆ Y = lsub( X ), and hence α ∈ lsub( X ). So
S

lsub( X ) is strictly greater than every ordinal in X.

Conversely, if α ∈ lsub( X ), then α ∈ β+ ∈ Y for some β ∈ X, so that
α ≤ β ∈ X. So lsub( X ) is the least strict upper bound on X.

Problems
Problem 63.1. Section 63.2 presented three example orderings on the natural
numbers. Check that each is a well-ordering.

Problem 63.2. Prove Lemma 63.5.

Problem 63.3. Complete the “exactly similar reasoning” in the proof of Theo-
rem 63.17.
S
Problem 63.4. Prove that, if every member of X is an ordinal, then X is an
ordinal.

862 Release : d3a1905 (2022-12-19)

Chapter 64

Stages and Ranks

64.1 Defining the Stages as the Vα s

In chapter 63, we defined well-orderings and the (von Neumann) ordinals. In
this chapter, we will use these to characterise the hierarchy of sets itself. To
do this, recall that in section 63.10, we defined the idea of successor and limit
ordinals. We use these ideas in following definition:

Definition 64.1.

V∅ = ∅
Vα+ = ℘(Vα ) for any ordinal α
[
Vα = Vγ when α is a limit ordinal
γ<α

This will be a definition by transfinite recursion on the ordinals. In this regard,

we should compare this with recursive definitions of functions on the natural
numbers.1 As when dealing with natural numbers, one defines a base case
and successor cases; but when dealing with ordinals, we also need to describe
the behaviour of limit cases.
This definition of the Vα s will be an important milestone. We have infor-
mally motivated our hierarchy of sets as forming sets by stages. The Vα s are,
in effect, just those stages. Importantly, though, this is an internal characteri-
sation of the stages. Rather than suggesting a possible model of the theory, we
will have defined the stages within our set theory.

64.2 The Transfinite Recursion Theorem(s)

The first thing we must do, though, is confirm that Definition 64.1 is a suc-
cessful definition. More generally, we need to prove that any attempt to offer
1 Cf. the definitions of addition, multiplication, and exponentiation in section 6.2.

863
 CHAPTER 64. STAGES AND RANKS

a transfinite by (transfinite) recursion will succeed. That is the aim of this

section.
Warning: this is tricky material. The overarching moral, though, is quite
simple: Transfinite Induction plus Replacement guarantee the legitimacy of
(several versions of) transfinite recursion.2
Definition 64.2. Let τ ( x ) be a term; let f be a function; let α be an ordinal. We
say that f is an α-approximation for τ iff both dom( f ) = α and (∀ β ∈ α) f ( β) =
τ ( f ↾ β ).

Lemma 64.3 (Bounded Recursion). For any term τ ( x ) and any ordinal α, there
is a unique α-approximation for τ.

Proof. We will show that, for any γ ≤ α, there is a unique γ-approximation.

We first establish uniqueness. Let g and h (respectively) be γ- and δ-
approximations. A transfinite induction on their arguments shows that g( β) =
h( β) for any β ∈ dom( g) ∩ dom(h) = γ ∩ δ = min(γ, δ). So our approxima-
tions are unique (if they exist), and agree on all values.
To establish existence, we now use a simple transfinite induction (Theo-
rem 63.31) on ordinals δ ≤ α.
The empty function is trivially an ∅-approximation.
If g is a γ-approximation, then g ∪ {⟨γ+ , τ ( g)⟩} is a γ+ -approximation.
If γ is a limit ordinal and gδ is a δ-approximation for all δ < γ, let g =
S
δ∈γ gδ . This is a function, since our various gδ s agree on all values. And if
δ ∈ γ then g(δ) = gδ+ (δ) = τ ( gδ+ ↾δ ) = τ ( g↾δ ).
This completes the proof by transfinite induction.

If we allow ourselves to define a term rather than a function, then we can

remove the bound α from the previous result. In the statement and proof of
the following result, when σ is a term, we let σ↾α = {⟨ β, σ ( β)⟩ : β ∈ α}.
Theorem 64.4 (General Recursion). For any term τ ( x ), we can explicitly define
a term σ ( x ), such that σ (α) = τ (σ↾α ) for any ordinal α.

Proof. For each α, by Lemma 64.3 there is a unique α-approximation, f α , for τ.

Define σ (α) as f α+ (α). Now:

σ ( α ) = f α+ ( α )
= τ ( f α + ↾α )
= τ ({⟨ β, f α+ ( β)⟩ : β ∈ α})
= τ ({⟨ β, f α ( β)⟩ : β ∈ α})
= τ (σ↾α )

noting that f α ( β) = f α+ ( β) for all β < α, as in Lemma 64.3.

2 A reminder: all formulas and terms can have parameters (unless explicitly stated otherwise).

864 Release : d3a1905 (2022-12-19)

64.3. BASIC PROPERTIES OF STAGES

Note that Theorem 64.4 is a schema. Crucially, we cannot expect σ to define a

function, i.e., a certain kind of set, since then dom(σ ) would be the set of all
ordinals, contradicting the Burali-Forti Paradox (Theorem 63.20).
It still remains to show, though, that Theorem 64.4 vindicates our defini-
tion of the Vα s. This may not be immediately obvious; but it will become
apparent with a last, simple, version of transfinite recursion.

Theorem 64.5 (Simple Recursion). For any terms τ ( x ) and θ ( x ) and any set A,
we can explicitly define a term σ ( x ) such that:

σ(∅) = A
σ(α+ ) = τ (σ (α)) for any ordinal α
σ (α) = θ (ran(σ↾α )) when α is a limit ordinal

Proof. We start by defining a term, ξ ( x ), as follows:




 A if x is not a function whose

 domain is an ordinal; otherwise:
ξ (x) =


 τ ( x (α)) if dom( x ) = α+

θ (ran( x )) if dom( x ) is a limit ordinal

By Theorem 64.4, there is a term σ ( x ) such that σ (α) = ξ (σ↾α ) for every or-
dinal α; moreover, σ↾α is a function with domain α. We show that σ has the
required properties, by simple transfinite induction (Theorem 63.31).
First, σ (∅) = ξ (∅) = A.
Next, σ (α+ ) = ξ (σ↾α+ ) = τ (σ↾α+ (α)) = τ (σ (α)).
Last, σ (α) = ξ (σ↾α ) = θ (ran(σ↾α )), when α is a limit.

Now, to vindicate Definition 64.1, just take A = ∅ and τ ( x ) = ℘( x ) and

S
θ ( x ) = x. At long last, this vindicates the definition of the Vα s!

64.3 Basic Properties of Stages

To bring out the foundational importance of the definition of the Vα s, we will
present a few basic results about them. We start with a definition:3

Definition 64.6. The set A is potent iff ∀ x ((∃y ∈ A) x ⊆ y → x ∈ A).

Lemma 64.7. For each ordinal α:

1. Each Vα is transitive.

2. Each Vα is potent.
3 There’s no standard terminology for “potent”; this is the name used by Button (forthcom-
ing).

Release : d3a1905 (2022-12-19) 865

 CHAPTER 64. STAGES AND RANKS

3. If γ ∈ α, then Vγ ∈ Vα (and hence also Vγ ⊆ Vα by (1))

Proof. We prove this by a (simultaneous) transfinite induction. For induction,

suppose that (1)–(3) holds for each ordinal β < α.
The case of α = ∅ is trivial.
Suppose α = β+ . To show (3), if γ ∈ α then Vγ ⊆ Vβ by hypothesis, so
Vγ ∈ ℘(Vβ ) = Vα . To show (2), suppose A ⊆ B ∈ Vα i.e., A ⊆ B ⊆ Vβ ; then
A ⊆ Vβ so A ∈ Vα . To show (1), note that if x ∈ A ∈ Vα we have A ⊆ Vβ , so
x ∈ Vβ , so x ⊆ Vβ as Vβ is transitive by hypothesis, and so x ∈ Vα .
Suppose α is a limit ordinal. To show (3), if γ ∈ α then γ ∈ γ+ ∈ α, so
that Vγ ∈ Vγ+ by assumption, hence Vγ ∈ β∈α Vβ = Vα . To show (1) and (2),
S

just observe that a union of transitive (respectively, potent) sets is transitive

(respectively, potent).

Lemma 64.8. For each ordinal α, Vα ∈

/ Vα .

Proof. By transfinite induction. Evidently V∅ ∈/ V∅ .

If Vα+ ∈ Vα+ = ℘(Vα ), then Vα+ ⊆ Vα ; and since Vα ∈ Vα+ by Lemma 64.7,
we have Vα ∈ Vα . Conversely: if Vα ∈ / Vα then Vα+ ∈
/ Vα+
If α is a limit and Vα ∈ Vα = β∈α Vβ , then Vα ∈ Vβ for some β ∈ α; but
S

then also Vβ ∈ Vα so that Vβ ∈ Vβ by Lemma 64.7 (twice). Conversely, if

Vβ ∈
/ Vβ for all β ∈ α, then Vα ∈
/ Vα .

Corollary 64.9. For any ordinals α, β: α ∈ β iff Vα ∈ Vβ

Proof. Lemma 64.7 gives one direction. Conversely, suppose Vα ∈ Vβ . Then

α ̸= β by Lemma 64.8; and β ∈
/ α, for otherwise we would have Vβ ∈ Vα and
hence Vβ ∈ Vβ by Lemma 64.7 (twice), contradicting Lemma 64.8. So α ∈ β by
Trichotomy.

All of this allows us to think of each Vα as the αth stage of the hierarchy. Here
is why.
Certainly our Vα s can be thought of as being formed in an iterative process,
for our use of ordinals tracks the notion of iteration. Moreover, if one stage is
formed before the other, i.e., Vβ ∈ Vα , i.e., β ∈ α, then our process of forma-
tion is cumulative, since Vβ ⊆ Vα . Finally, we are indeed forming all possible
collections of sets that were available at any earlier stage, since any successor
stage Vα+ is the power-set of its predecessor Vα .
In short: with ZF− , we are almost done, in articulating our vision of the
cumulative-iterative hierarchy of sets. (Though, of course, we still need to
justify Replacement.)

866 Release : d3a1905 (2022-12-19)

64.4. FOUNDATION

64.4 Foundation
We are only almost done—and not quite finished—because nothing in ZF−
guarantees that every set is in some Vα , i.e., that every set is formed at some
stage.
Now, there is a fairly straightforward (mathematical) sense in which we
don’t care whether there are sets outside the hierarchy. (If there are any there,
we can simply ignore them.) But we have motivated our concept of set with
the thought that every set is formed at some stage (see Stages-are-key in sec-
tion 62.1). So we will want to preclude the possibility of sets which fall outside
of the hierarchy. Accordingly, we must add a new axiom, which ensures that
every set occurs somewhere in the hierarchy.
Since the Vα s are our stages, we might simply consider adding the follow-
ing as an axiom:

Regularity. ∀ A∃α A ⊆ Vα

This would be a perfectly reasonable approach. However, for reasons that

will be explained in the next section, we will instead adopt an alternative ax-
iom:

Axiom (Foundation). (∀ A ̸= ∅)(∃ B ∈ A) A ∩ B = ∅.

With some effort, we can show (in ZF− ) that Foundation entails Regular-
ity:

Definition 64.10. For each set A, let:

cl0 ( A) = A,
[
cln+1 ( A) = cln ( A),
[
trcl( A) = cln ( A).
n<ω

We call trcl( A) the transitive closure of A.

The name “transitive closure” is apt:

Proposition 64.11. A ⊆ trcl( A) and trcl( A) is a transitive set.

Proof. Evidently A = cl0 ( A) ⊆ trcl( A). And if x ∈ b ∈ trcl( A), then b ∈

cln ( A) for some n, so x ∈ cln+1 ( A) ⊆ trcl( A).

Lemma 64.12. If A is a transitive set, then there is some α such that A ⊆ Vα .

Release : d3a1905 (2022-12-19) 867

 CHAPTER 64. STAGES AND RANKS

Proof. Recalling the definition of “lsub( X )” from Definition 63.32, define two
sets:

D = { x ∈ A : ∀δ x ⊈ Vδ }
α = lsub{δ : (∃ x ∈ A)( x ⊆ Vδ ∧ (∀γ ∈ δ) x ⊈ Vγ )}

Suppose D = ∅. So if x ∈ A, then there is some δ such that x ⊆ Vδ and, by the

well-ordering of the ordinals, (∀γ ∈ δ) x ⊈ Vγ ; hence δ ∈ α and so x ∈ Vα by
Lemma 64.7. Hence A ⊆ Vα , as required.
So it suffices to show that D = ∅. For reductio, suppose otherwise. By
Foundation, there is some B ∈ D ⊆ A such that D ∩ B = ∅. If x ∈ B then
x ∈ A, since A is transitive, and since x ∈
/ D, it follows that ∃δ x ⊆ Vδ . So now
let
β = lsub{δ : (∃ x ∈ b)( x ⊆ Vδ ∧ (∀γ < δ) x ⊈ Vγ )}.
As before, B ⊆ Vβ , contradicting the claim that B ∈ D.

Theorem 64.13. Regularity holds.

Proof. Fix A; now A ⊆ trcl( A) by Proposition 64.11, which is transitive. So

there is some α such that A ⊆ trcl( A) ⊆ Vα by Lemma 64.12

These results show that ZF− proves the conditional Foundation ⇒ Regularity.
In Proposition 64.22, we will show that ZF− proves Regularity ⇒ Foundation.
As such, Foundation and Regularity are equivalent (modulo ZF− ). But this
means that, given ZF− , we can justify Foundation by noting that it is equiva-
lent to Regularity. And we can justify Regularity immediately on the basis of
Stages-are-key.

64.5 Z and ZF: A Milestone

With Foundation, we reach another important milestone. We have considered
theories Z− and ZF− , which we said were certain theories “minus” a certain
something. That certain something is Foundation. So:

Definition 64.14. The theory Z adds Foundation to Z− . So its axioms are Ex-
tensionality, Union, Pairs, Powersets, Infinity, Foundation, and all instances of
the Separation scheme.
The theory ZF adds Foundation to ZF− . Otherwise put, ZF adds all in-
stances of Replacement to Z.

Still, one question might have occurred to you. If Regularity is equivalent

over ZF− to Foundation, and Regularity’s justification is clear, why bother to
go around the houses, and take Foundation as our basic axiom, rather than
Regularity?

868 Release : d3a1905 (2022-12-19)

64.6. RANK

Setting aside historical reasons (to do with who formulated what and when),
the basic reason is that Foundation can be presented without employing the
definition of the Vα s. That definition relied upon all of the work of section 64.2:
we needed to prove Transfinite Recursion, to show that it was justified. But
our proof of Transfinite Recursion employed Replacement. So, whilst Foun-
dation and Regularity are equivalent modulo ZF− , they are not equivalent
modulo Z− .
Indeed, the matter is more drastic than this simple remark suggests. Though
it goes well beyond this book’s remit, it turns out that both Z− and Z are too
weak to define the Vα s. So, if you are working only in Z, then Regularity (as
we have formulated it) does not even make sense. This is why our official
axiom is Foundation, rather than Regularity.
From now on, we will work in ZF (unless otherwise stated), without any
further comment.

64.6 Rank
Now that we have defined the stages as the Vα ’s, and we know that every set
is a subset of some stage, we can define the rank of a set. Intuitively, the rank
of A is the first moment at which A is formed. More precisely:

Definition 64.15. For each set A, rank( A) is the least ordinal α such that A ⊆
Vα .

Proposition 64.16. rank( A) exists, for any A.

Proof. Left as an exercise.

The well-ordering of ranks allows us to prove some important results:

Proposition 64.17. For any ordinal α, Vα = { x : rank( x ) ∈ α}.

Proof. If rank( x ) ∈ α then x ⊆ Vrank( x) ∈ Vα , so x ∈ Vα as Vα is potent (in-

voking Lemma 64.7 multiple times). Conversely, if x ∈ Vα then x ⊆ Vα , so
rank( x ) ≤ α; now a simple transfinite induction shows that x ∈/ Vα .

Proposition 64.18. If B ∈ A, then rank( B) ∈ rank( A).

Proof. A ⊆ Vrank( A) = { x : rank( x ) ∈ rank( A)} by Proposition 64.17.

Using this fact, we can establish a result which allows us to prove things about
all sets by a form of induction:

Theorem 64.19 (∈-Induction Scheme). For any formula φ:

∀ A((∀ x ∈ A) φ( x ) → φ( A)) → ∀ Aφ( A).

Release : d3a1905 (2022-12-19) 869

 CHAPTER 64. STAGES AND RANKS

Proof. We will prove the contrapositive. So, suppose ¬∀ Aφ( A). By Transfi-
nite Induction (Theorem 63.16), there is some non-φ of least possible rank;
i.e. some A such that ¬ φ( A) and ∀ x (rank( x ) ∈ rank( A) → φ( x )). Now
if x ∈ A then rank( x ) ∈ rank( A), by Proposition 64.18, so that φ( x ); i.e.
(∀ x ∈ A) φ( x ) ∧ ¬ φ( A).

Here is an informal way to gloss this powerful result. Say that φ is hereditary
iff whenever every element of a set is φ, the set itself is φ. Then ∈-Induction
tells you the following: if φ is hereditary, every set is φ.
To wrap up the discussion of ranks (for now), we’ll prove a few claims
which we have foreshadowed a few times.

Proposition 64.20. rank( A) = lsubx∈ A rank( x ).

Proof. Let α = lsubx∈ A rank( x ). By Proposition 64.18, α ≤ rank( A). But if

x ∈ A then rank( x ) ∈ α, so that x ∈ Vα by Proposition 64.17, and hence
A ⊆ Vα , i.e., rank( A) ≤ α. Hence rank( A) = α.

Corollary 64.21. For any ordinal α, rank(α) = α.

Proof. Suppose for transfinite induction that rank( β) = β for all β ∈ α. Now
rank(α) = lsubβ∈α rank( β) = lsubβ∈α β = α by Proposition 64.20.

Finally, here is a quick proof of the result promised at the end of sec-
tion 64.4, that ZF− proves the conditional Regularity ⇒ Foundation. (Note
that the notion of “rank” and Proposition 64.18 are available for use in this
proof since—as mentioned at the start of this section—they can be presented
using ZF− + Regularity.)

Proposition 64.22 (working in ZF− + Regularity). Foundation holds.

Proof. Fix A ̸= ∅, and some B ∈ A of least possible rank. If c ∈ B then

rank(c) ∈ rank( B) by Proposition 64.18, so that c ∈
/ A by choice of B.

Problems
Problem 64.1. Prove Proposition 64.16.

Problem 64.2. Complete the simple transfinite induction mentioned in Propo-

sition 64.17.

870 Release : d3a1905 (2022-12-19)

Chapter 65

Replacement

65.1 Introduction

Replacement is the axiom scheme which makes the difference between ZF

and Z. We helped ourselves to it throughout chapters 63 to 64. In this chapter,
we will finally consider the question: is Replacement justified?
To make the question sharp, it is worth observing that Replacement is re-
ally rather strong. We will get a sense of just how strong it is, during this chap-
ter (and again in section 68.5). But this will suggest that justification really is
required.
We will discuss two kinds of justification. Roughly: an extrinsic justifica-
tion is an attempt to justify an axiom by its fruits; an intrinsic justification is
an attempt to justify an axiom by suggesting that it is vindicated by the math-
ematical concepts in question. We will get a greater sense of what this means
during this chapter, but it is just the tip of an iceberg. For more, see in partic-
ular Maddy (1988a and 1988b).

65.2 The Strength of Replacement

We begin with a simple observation about the strength of Replacement: unless

we go beyond Z, we cannot prove the existence of any von Neumann ordinal
greater than or equal to ω + ω.
Here is a sketch of why. Working in ZF, consider the set Vω +ω . This set
acts as the domain for a model for Z. To see this, we introduce some notation
for the relativization of a formula:

Definition 65.1. For any set M, and any formula φ, let φ M be the formula
which results by restricting all of φ’s quantifiers to M. That is, replace “∃ x”
with “(∃ x ∈ M )”, and replace “∀ x” with “(∀ x ∈ M)”.

871
 CHAPTER 65. REPLACEMENT

It can be shown that, for every axiom φ of Z, we have that ZF ⊢ φVω+ω . But
ω + ω is not in Vω +ω , by Corollary 64.21. So Z is consistent with the non-
existence of ω + ω.
This is why we said, in section 63.7, that Theorem 63.26 cannot be proved
without Replacement. For it is easy, within Z, to define an explicit well-
ordering which intuitively should have order-type ω + ω. Indeed, we gave
an informal example of this in section 63.2, when we presented the ordering
on the natural numbers given by:

n ⋖ m iff either n < m and m − n is even,

or n is even and m is odd.

But if ω + ω does not exist, this well-ordering is not isomorphic to any ordinal.
So Z does not prove Theorem 63.26.
Flipping things around: Replacement allows us to prove the existence of
ω + ω, and hence must allow us to prove the existence of Vω +ω . And not just
that. For any well-ordering we can define, Theorem 63.26 tells us that there
is some α isomorphic with that well-ordering, and hence that Vα exists. In a
straightforward way, then, Replacement guarantees that the hierarchy of sets
must be very tall.
Over the next few sections, and then again in section 68.5, we’ll get a better
sense of better just how tall Replacement forces the hierarchy to be. The simple
point, for now, is that Replacement really does stand in need of justification!

65.3 Extrinsic Considerations about Replacement

We start by considering an extrinsic attempt to justify Replacement. Boolos
suggests one, as follows.

[. . . ] the reason for adopting the axioms of replacement is quite

simple: they have many desirable consequences and (apparently)
no undesirable ones. In addition to theorems about the iterative
conception, the consequences include a satisfactory if not ideal
theory of infinite numbers, and a highly desirable result that justi-
fies inductive definitions on well-founded relations. (Boolos, 1971,
229)

The gist of Boolos’s idea is that we should justify Replacement by its fruits.
And the specific fruits he mentions are the things we have discussed in the
past few chapters. Replacement allowed us to prove that the von Neumann
ordinals were excellent surrogates for the idea of a well-ordering type (this is
our “satisfactory if not ideal theory of infinite numbers”). Replacement also al-
lowed us to define the Vα s, establish the notion of rank, and prove ∈-Induction

872 Release : d3a1905 (2022-12-19)

65.3. EXTRINSIC CONSIDERATIONS

(this amounts to our “theorems about the iterative conception”). Finally, Re-
placement allows us to prove the Transfinite Recursion Theorem (this is the
“inductive definitions on well-founded relations”).
These are, indeed, desirable consequences. But do these desirable conse-
quences suffice to justify Replacement? No. Or at least, not straightforwardly.
Here is a simple problem. Whilst we have stated some desirable conse-
quences of Replacement, we could have obtained many of them via other
means. This is not as well known as it ought to be, though, so we should
pause to explain the situation.
There is a simple theory of sets, Level Theory, or LT for short.1 LT’s axioms
are just Extensionality, Separation, and the claim that every set is a subset of
some level, where “level” is cunningly defined so that the levels behave like
our friends, the Vα s. So ZF proves LT; but LT is much weaker than ZF. In fact,
LT does not give you Pairs, Powersets, Infinity, or Replacement. Let Zr be the
result of adding Infinity and Powersets to LT; this delivers Pairs too, so, Zr is
at least as strong as Z. But, in fact, Zr is strictly stronger than Z, since it adds
the claim that every set has a rank (hence my suggestion that we call it Zr).
Indeed, Zr delivers: a perfectly satisfactory theory of ordinals; results which
stratify the hierarchy into well-ordered stages; a proof of ∈-Induction; and a
version of Transfinite Recursion.
In short: although Boolos didn’t know this, all of the desirable conse-
quences which he mentions could have been arrived at without Replacement;
he simply needed to use Zr rather than Z.
(Given all of this, why did we follow the conventional route, of teaching
you ZF, rather than LT and Zr? There are two reasons. First: for purely
historical reasons, starting with LT is rather nonstandard; we wanted to equip
you to be able to read more standard discussions of set theory. Second: when
you are ready to appreciate LT and Zr, you can simply read Potter 2004 and
Button forthcoming.)
Of course, since Zr is strictly weaker than ZF, there are results which ZF
proves which Zr leaves open. So one could try to justify Replacement on
extrinsic grounds by pointing to one of these results. But, once you know
how to use Zr, it is quite hard to find many examples of things that are (a)
settled by Replacement but not otherwise, and (b) are intuitively true. (For
more on this, see Potter 2004, §13.2.)
The bottom line is this. To provide a compelling extrinsic justification for
Replacement, one would need to find a result which cannot be achieved with-
out Replacement. And that’s not an easy enterprise.
Let’s consider a further problem which arises for any attempt to offer a
purely extrinsic justification for Replacement. (This problem is perhaps more
1 The first versions of LT are offered by Montague (1965) and Scott (1974); this was simpli-

fied, and given a book-length treatment, by Potter (2004); and Button (forthcoming) has recently
simplified LT further.

Release : d3a1905 (2022-12-19) 873

 CHAPTER 65. REPLACEMENT

fundamental than the first.) Boolos does not just point out that Replacement
has many desirable consequences. He also states that Replacement has “(ap-
parently) no undesirable” consequences. But this paranthetical caveat, “ap-
parently,” is surely absolutely crucial.
Recall how we ended up here: Naı̈ve Comprehension ran into inconsis-
tency, and we responded to this inconsistency by embracing the cumulative-
iterative conception of set. This conception comes equipped with a story
which, we hope, assures us of its consistency. But if we cannot justify Replace-
ment from within that story, then we have (as yet) no reason to believe that
ZF is consistent. Or rather: we have no reason to believe that ZF is consistent,
apart from the (perhaps merely contingent) fact that no one has discovered
a contradiction yet. In exactly that sense, Boolos’s comment seems to come
down to this: “(apparently) ZF is consistent”. We should demand greater re-
assurance of consistency than this.
This issue will affect any purely extrinsic attempt to justify Replacement,
i.e., any justification which is couched solely in terms of the (known) conse-
quences of ZF. As such, we will want to look for an intrinsic justification of
Replacement, i.e., a justification which suggests that the story which we told
about sets somehow “already” commits us to Replacement.

65.4 Limitation-of-size
Perhaps the most common attempt to offer an “intrinsic” justification of Re-
placement comes via the following notion:

Limitation-of-size. Any things form a set, provided that there are not too
many of them.

This principle will immediately vindicate Replacement. After all, any set
formed by Replacement cannot be any larger than any set from which it was
formed. Stated precisely: suppose you form a set τ [ A] = {τ ( x ) : x ∈ A} using
Replacement; then τ [ A] ⪯ A; so if the elements of A were not too numerous
to form a set, their images are not too numerous to form τ [ A].
The obvious difficulty with invoking Limitation-of-size to justify Replace-
ment is that we have not yet laid down any principle like Limitation-of-size.
Moreover, when we told our story about the cumulative-iterative conception
of set in chapters 61 to 62, nothing ever hinted in the direction of Limitation-of-
size. This, indeed, is precisely why Boolos at one point wrote: “Perhaps one
may conclude that there are at least two thoughts ‘behind’ set theory” (1989,
p. 19). On the one hand, the ideas surrounding the cumulative-iterative con-
ception of set are meant to vindicate Z. On the other hand, Limitation-of-size is
meant to vindicate Replacement.
But the issue it is not just that we have thus far been silent about Limitation-
of-size. Rather, the issue is that Limitation-of-size (as just formulated) seems to

874 Release : d3a1905 (2022-12-19)

65.5. REPLACEMENT AND “ABSOLUTE INFINITY”

sit quite badly with the cumulative-iterative notion of set. After all, it men-
tions nothing about the idea of sets as formed in stages.
This is really not much of a surprise, given the history of these “two thoughts”
(i.e., the cumulative-iterative conception of set, and Limitation-of-size). These
“two thoughts” ultimately amount to two rather different projects for block-
ing the set-theoretic paradoxes. The cumulative-iterative notion of set blocks
Russell’s paradox by saying, roughly: we should never have expected a Russell
set to exist, because it would not be “formed” at any stage. By contrast, Limitation-
of-size is meant to rule out the Russell set, by saying, roughly: we should never
have expected a Russell set to exist, because it would have been too big.
Put like this, then, let’s be blunt: considered as a reply to the paradoxes,
Limitation-of-size stands in need of much more justification. Consider, for ex-
ample, this version of Russell’s Paradox: no pug sniffs exactly the pugs which
don’t sniff themselves (see section 61.2). If you ask “why is there no such pug?”,
it is not a good answer to be told that such a pug would have to sniff too many
pugs. So why would it be a good intuitive explanation, of the non-existence
of a Russell set, that it would have to be “too big” to exist?
In short, it’s forgivable if you are a bit mystified concerning the “intuitive”
motivation for Limitation-of-size.

65.5 Replacement and “Absolute Infinity”

We will now put Limitation-of-size behind us, and explore a different family of
(intrinsic) attempts to justify Replacement, which do take seriously the idea of
the sets as formed in stages.
When we first outlined the iterative process, we offered some principles
which explained what happens at each stage. These were Stages-are-key, Stages-
are-ordered, and Stages-accumulate. Later, we added some principles which told
us something about the number of stages: Stages-keep-going told us that the
process of set-formation never ends, and Stages-hit-infinity told us that the pro-
cess goes through an infinite-th stage.
It is reasonable to suggest that these two latter principles fall out of some
a broader principle, like:

Stages-are-inexhaustible. There are absolutely infinitely many stages; the

hierarchy is as tall as it could possibly be.

Obviously this is an informal principle. But even if it is not immediately en-

tailed by the cumulative-iterative conception of set, it certainly seems consonant
with it. At the very least, and unlike Limitation-of-size, it retains the idea that
sets are formed stage-by-stage.
The hope, now, is to leverage Stages-are-inexhaustible into a justification of
Replacement. So let us see how this might be done.

Release : d3a1905 (2022-12-19) 875

 CHAPTER 65. REPLACEMENT

In section 63.2, we saw that it is easy to construct a well-ordering which

(morally) should be isomorphic to ω + ω. Otherwise put, we can easily imag-
ine a stage-by-stage iterative process, whose order-type (morally) is ω + ω.
As such, if we have accepted Stages-are-inexhaustible, then we should surely
accept that there is at least an ω + ω-th stage of the hierarchy, i.e., Vω +ω , for
the hierarchy surely could continue thus far.
This thought generalizes as follows: for any well-ordering, the process of
building the iterative hierarchy should run at least as far as that well-ordering.
And we could guarantee this, just by treating Theorem 63.26 as an axiom. This
would tell us that any well-ordering is isomorphic to a von Neumann ordinal.
Since each von Neumann ordinal will be equal to its own rank, Theorem 63.26
will then tell us that, whenever we can describe a well-ordering in our set
theory, the iterative process of set building must outrun that well-ordering.
This idea certainly seems like a corollary of Stages-are-inexhaustible. Un-
fortunately, if our aim is to extract Replacement from this idea, then we face a
simple, technical, barrier: Replacement is strictly stronger than Theorem 63.26.
(This observation is made by Potter (2004, §13.2); we will prove it in sec-
tion 65.8.)
The upshot is that, if we are going to understand Stages-are-inexhaustible in
such a way as to yield Replacement, then it cannot merely say that the hierar-
chy outruns any well-ordering. It must make a stronger claim than that. To
this end, Shoenfield (1977) proposed a very natural strengthening of the idea,
as follows: the hierarchy is not cofinal with any set.2 In slightly more detail: if
τ is a mapping which sends sets to stages of the hierarchy, the image of any
set A under τ does not exhaust the hierarchy. Otherwise put (schematically):

Stages-are-super-cofinal. If A is a set and τ ( x ) is a stage for every x ∈ A,

then there is a stage which comes after each τ ( x ) for x ∈ A.

It is obvious that ZF proves a suitably formalised version of Stages-are-super-

cofinal. Conversely, we can informally argue that Stages-are-super-cofinal justi-
fies Replacement.3 For suppose (∀ x ∈ A)∃!y φ( x, y). Then for each x ∈ A, let
σ( x ) be the y such that φ( x, y), and let τ ( x ) be the stage at which σ ( x ) is first
formed. By Stages-are-super-cofinal, there is a stage V such that (∀ x ∈ A)τ ( x ) ∈
V. Now since each τ ( x ) ∈ V and σ ( x ) ⊆ τ ( x ), by Separation we can obtain
{y ∈ V : (∃ x ∈ A)σ( x ) = y} = {y : (∃ x ∈ A) φ( x, y)}.
So Stages-are-super-cofinal vindicates Replacement. And it is at least plausi-
ble that Stages-are-inexhaustible vindicates Stages-are-super-cofinal. For suppose
Stages-are-super-cofinal fails. So the hierarchy is cofinal with some set A, i.e.,
2 Gödel seems to have proposed a similar thought; see Potter (2004, p. 223). For discussion of

Gödel and Shoenfield, see Incurvati (2020, 90–5).

3 It would be harder to prove Replacement using some formalisation of Stages-are-super-cofinal,

since Z on its own is not strong enough to define the stages, so it is not clear how one would
formalise Stages-are-super-cofinal. One option, though, is to work in some extension of LT, as
discussed in section 65.3.

876 Release : d3a1905 (2022-12-19)

65.6. REPLACEMENT AND REFLECTION

we have a map τ such that for any stage S there is some x ∈ A such that
S ∈ τ ( x ). In that case, we do have a way to get a handle on the supposed “ab-
solute infinity” of the hierarchy: it is exhausted by the range of τ applied to A.
And that compromises the thought that the hierarchy is “absolutely infinite”.
Contraposing: Stages-are-inexhaustible entails Stages-are-super-cofinal, which in
turn justifies Replacement.
This represents a genuinely promising attempt to provide an intrinsic jus-
tification for Replacement. But whether it ultimately works, or not, we will
have to leave to you to decide.

65.6 Replacement and Reflection

Our last attempt to justify Replacement, via Stages-are-inexhaustible, begins
with a deep and lovely result:4

Theorem 65.2 (Reflection Schema). For any formula φ:

∀α∃ β > α(∀ x1 . . . , xn ∈ Vβ )( φ( x1 , . . . , xn ) ↔ φVβ ( x1 , . . . , xn ))

As in Definition 65.1, φVβ is the result of restricting every quantifier in φ to the

set Vβ . So, intuitively, Reflection says this: if φ is true in the entire hierarchy,
then φ is true in arbitrarily many initial segments of the hierarchy.
Montague (1961) and Lévy (1960) showed that (suitable formulations of)
Replacement and Reflection are equivalent, modulo Z, so that adding either
gives you ZF. (We prove these results in section 65.7.) Given this equiva-
lence, one might hope to justify Reflection and Replacement via Stages-are-
inexhaustible as follows: given Stages-are-inexhaustible, the hierarchy should be
very, very tall; so tall, in fact, that nothing we can say about it is sufficient to
bound its height. And we can understand this as the thought that, if any sen-
tence φ is true in the entire hierarchy, then it is true in arbitrarily many initial
segments of the hierarchy. And that is just Reflection.
Again, this seems like a genuinely promising attempt to provide an intrin-
sic justification for Replacement. But there is much too much to say about it
here. You must now decide for yourself whether it succeeds.5

65.7 Appendix: Results surrounding Replacement

In this section, we will prove Reflection within ZF. We will also prove a sense
in which Reflection is equivalent to Replacement. And we will prove an inter-
esting consequence of all this, concerning the strength of Reflection/Replacement.
Warning: this is easily the most advanced bit of mathematics in this textbook.
4A reminder: all formulas can have parameters (unless explicitly stated otherwise).
5 Though you might like to continue by reading Incurvati (2020, 95–100).

Release : d3a1905 (2022-12-19) 877

 CHAPTER 65. REPLACEMENT

We’ll start with a lemma which, for brevity, employs the notational device
of overlining to deal with sequences of variables or objects. So: “ak ” abbrevi-
ates “ak1 , . . . , akn ”, where n is determined by context.
Lemma 65.3. For each 1 ≤ i ≤ k, let φi (vi , x ) be a formula. Then for each α there
is some β > α such that, for any a1 , . . . , ak ∈ Vβ and each 1 ≤ i ≤ k:

∃ xφi ( ai , x ) → (∃ x ∈ Vβ ) φi ( ai , x )

Proof. We define a term µ as follows: µ( a1 , . . . , ak ) is the least stage, V, which

satisfies all of the following conditionals, for 1 ≤ i ≤ k:

∃ xφi ( ai , x ) → (∃ x ∈ V ) φi ( ai , x ))
It is easy to confirm that µ( a1 , . . . , ak ) exists for all a1 , . . . , ak . Now, using Re-
placement and our recursion theorem, define:

S0 = Vα+1
[
S n +1 = S n ∪ { µ ( a1 , . . . , a k ) : a1 , . . . , a k ∈ Sn }
[
S= Sn .
m<ω

Each Sn , and hence S itself, is a stage after Vα . Now fix a1 , . . . , ak ∈ S; so

there is some n < ω such that a1 , . . . , ak ∈ Sn . Fix some 1 ≤ i ≤ k, and
suppose that ∃ xφi ( ai , x ). So (∃ x ∈ µ( a1 , . . . , ak )) φi ( ai , x ) by construction, so
(∃ x ∈ Sn+1 ) φi ( ai , x ) and hence (∃ x ∈ S) φi ( ai , x ). So S is our Vβ .

We can now prove Theorem 65.2 quite straightforwardly:

Proof. Fix α. Without loss of generality, we can assume φ’s only connectives
are ∃, ¬ and ∧ (since these are expressively adequate). Let ψ1 , . . . , ψk enu-
merate each of φ’s subformulas according to complexity, so that ψk = φ. By
Lemma 65.3, there is a β > α such that, for any ai ∈ Vβ and each 1 ≤ i ≤ k:

∃ xψi ( ai , x ) → (∃ x ∈ Vβ )ψi ( ai , x ) (*)

Vβ
By induction on complexity of ψi , we will show that ψi ( ai ) ↔ ψi ( ai ), for any
ai ∈ Vβ . If ψi is atomic, this is trivial. The biconditional also establishes that,
when ψi is a negation or conjunction of subformulas satisfying this property,
ψi itself satisfies this property. So the only interesting case concerns quantifi-
cation. Fix ai ∈ Vβ ; then:
V
(∃ xψi ( ai , x ))Vβ iff (∃ x ∈ Vβ )ψi β ( ai , x ) by definition
iff (∃ x ∈ Vβ )ψi ( ai , x ) by hypothesis
iff ∃ xψi ( ai , x ) by (*)

This completes the induction; the result follows as ψk = φ.

878 Release : d3a1905 (2022-12-19)

65.7. APPENDIX: RESULTS SURROUNDING REPLACEMENT

We have proved Reflection in ZF. Our proof essentially followed Mon-

tague (1961). We now want to prove in Z that Reflection entails Replacement.
The proof follows Lévy (1960), but with a simplification.
Since we are working in Z, we cannot present Reflection in exactly the form
given above. After all, we formulated Reflection using the “Vα ” notation, and
that cannot be defined in Z (see section 64.5). So instead we will offer an
apparently weaker formulation of Replacement, as follows:

Weak-Reflection. For any formula φ, there is a transitive set S such that 0,

1, and any parameters to φ are elements of S, and (∀ x ∈ S)( φ ↔ φS ).

To use this to prove Replacement, we will first follow Lévy (1960, first part
of Theorem 2) and show that we can “reflect” two formulas at once:

Lemma 65.4 (in Z + Weak-Reflection.). For any formulas ψ, χ, there is a transi-

tive set S such that 0 and 1 (and any parameters to the formulas) are elements of S,
and (∀ x ∈ S)((ψ ↔ ψS ) ∧ (χ ↔ χS )).

Proof. Let φ be the formula (z = 0 ∧ ψ) ∨ (z = 1 ∧ χ).

Here we use an abbreviation; we should spell out “z = 0” as “∀t t ∈ / z” and
“z = 1” as “∀s(s ∈ z ↔ ∀t t ∈ / s)”. But since 0, 1 ∈ S and S is transitive, these
formulas are absolute for S; that is, they will apply to the same object whether
we restrict their quantifiers to S.6
By Weak-Reflection, we have some appropriate S such that:

(∀z, x ∈ S)( φ ↔ φS )
i.e. (∀z, x ∈ S)(((z = 0 ∧ ψ) ∨ (z = 1 ∧ χ)) ↔
((z = 0 ∧ ψ) ∨ (z = 1 ∧ χ))S )
i.e. (∀z, x ∈ S)(((z = 0 ∧ ψ) ∨ (z = 1 ∧ χ)) ↔
((z = 0 ∧ ψS ) ∨ (z = 1 ∧ χS )))
i.e. (∀ x ∈ S)((ψ ↔ ψS ) ∧ (χ ↔ χS ))

The second claim entails the third because “z = 0” and “z = 1” are absolute
for S; the fourth claim follows since 0 ̸= 1.

We can now obtain Replacement, just by following and simplifying Lévy (1960,
Theorem 6):

Theorem 65.5 (in Z + Weak-Reflection). For any formula φ(v, w), and any A, if
(∀ x ∈ A)∃!y φ( x, y), then {y : (∃ x ∈ A) φ( x, y} exists.
6 More formally, letting ξ be either of these formulas, ξ (z) ↔ ξ S (z).

Release : d3a1905 (2022-12-19) 879

 CHAPTER 65. REPLACEMENT

Proof. Fix A such that (∀ x ∈ A)∃!y φ( x, y), and define formulas:

ψ is ( φ( x, z) ∧ A = A)
χ is ∃y φ( x, y)
Using Lemma 65.4, since A is a parameter to ψ, there is a transitive S such that
0, 1, A ∈ S (along with any other parameters), and such that:
(∀ x, z ∈ S)((ψ ↔ ψS ) ∧ (χ ↔ χS ))
So in particular:
(∀ x, z ∈ S)( φ( x, z) ↔ φS ( x, z))
(∀ x ∈ S)(∃yφ( x, y) ↔ (∃y ∈ S) φS ( x, y))
Combining these, and observing that A ⊆ S since A ∈ S and S is transitive:
(∀ x ∈ A)(∃yφ( x, y) ↔ (∃y ∈ S) φ( x, y))
Now (∀ x ∈ A)(∃!y ∈ S) φ( x, y), because (∀ x ∈ A)∃!y φ( x, y). Now Separa-
tion yields {y ∈ S : (∃ x ∈ A) φ( x, y)} = {y : (∃ x ∈ A) φ( x, y)}.

65.8 Appendix: Finite axiomatizability

We close this chapter by extracting some results from Replacement. The first
result is due to Montague (1961); note that it is not a proof within ZF, but a
proof about ZF:
Theorem 65.6. ZF is not finitely axiomatizable. More generally: if T is finite and
T ⊢ ZF, then T is inconsistent.
(Here, we tacitly restrict ourselves to first-order sentences whose only non-logical
primitive is ∈, and we write T ⊢ ZF to indicate that T ⊢ φ for all φ ∈ ZF.)
Proof. Fix finite T such that T ⊢ ZF. So, T proves Reflection, i.e. Theorem 65.2.
Since T is finite, we can rewrite it as a single conjunction, θ. Reflecting with
this formula, T ⊢ ∃ β(θ ↔ θ Vβ ). Since trivially T ⊢ θ, we find that T ⊢ ∃ β θ Vβ .
Now, let ψ( X ) abbreviate:
θ X ∧ X is transitive ∧ (∀Y ∈ X )(Y is transitive → ¬θ Y )
roughly this says: X is a transitive model of θ, and ∈-minimal in this regard.
Now, recalling that T ⊢ ∃ β θ Vβ , by basic facts about ranks within ZF and hence
within T, we have:
T ⊢ ∃ Mψ( M). (*)
Using the first conjunct of ψ( X ), whenever T ⊢ σ, we have that T ⊢ ∀ X (ψ( X ) →
σ X ). So, by (*):
T ⊢ ∀ X (ψ( X ) → (∃ Nψ( N )) X )

880 Release : d3a1905 (2022-12-19)

65.8. APPENDIX: FINITE AXIOMATIZABILITY

Using this, and (*) again:

T ⊢ ∃ M(ψ( M ) ∧ (∃ Nψ( N )) M )

In particular, then:

T ⊢ ∃ M(ψ( M ) ∧ (∃ N ∈ M )(( N is transitive) N ∧ (θ N ) M ))

So, by elementary reasoning concerning transitivity:

T ⊢ ∃ M(ψ( M ) ∧ (∃ N ∈ M )( N is transitive ∧ θ N ))

So that T is inconsistent.7

Here is a similar result, noted by Potter (2004, 223):

Proposition 65.7. Let T extend Z with finitely many new axioms. If T ⊢ ZF, then
T is inconsistent. (Here we use the same tacit restrictions as for Theorem 65.6.)

Proof. Use θ for the conjunction of all of T’s axioms except for the (infinitely
many) instances of Separation. Defining ψ from θ as in Theorem 65.6, we can
show that T ⊢ ∃ Mψ( M).
As in Theorem 65.6, we can establish the schema that, whenever T ⊢ σ,
we have that T ⊢ ∀ X (ψ( X ) → σ X ). We then finish our proof, exactly as in
Theorem 65.6.
However, establishing the schema involves a little more work than in The-
orem 65.6. After all, the Separation-instances are in T, but they are not con-
juncts of θ. However, we can overcome this obstacle by proving that T ⊢
∀ X ( X is transitive → σ X ), for every Separation-instance σ. We leave this to
the reader.

As remarked in section 65.5, this shows that Replacement is strictly stronger

than Theorem 63.26. Or, slightly more strictly: if Z + “every well-ordering
is isomorphic to a unique ordinal” is consistent, then it fails to prove some
Replacement-instance.

Problems
Problem 65.1. Formalize Stages-are-super-cofinal within ZF.

Problem 65.2. Show that, for every Separation-instance σ, we have: Z ⊢ ∀ X ( X is transitive →

σ X ). (We used this schema in Proposition 65.7.)
7 This “elementary reasoning” involves proving certain “absoluteness facts” for transitive
sets.

Release : d3a1905 (2022-12-19) 881

 CHAPTER 65. REPLACEMENT

Problem 65.3. Show that, for every φ ∈ Z, we have ZF ⊢ φVω+ω .

Problem 65.4. Confirm the remaining schematic results invoked in the proofs
of Theorem 65.6 and Proposition 65.7.

882 Release : d3a1905 (2022-12-19)

Chapter 66

Ordinal Arithmetic

66.1 Introduction
In chapter 63, we developed a theory of ordinal numbers. We saw in chap-
ter 64 that we can think of the ordinals as a spine around which the remainder
of the hierarchy is constructed. But that is not the only role for the ordinals.
There is also the task of performing ordinal arithmetic.
We already gestured at this, back in section 63.2, when we spoke of ω,
ω + 1 and ω + ω. At the time, we spoke informally; the time has come to
spell it out properly. However, we should mention that there is not much phi-
losophy in this chapter; just technical developments, coupled with a (mildly)
interesting observation that we can do the same thing in two different ways.

66.2 Ordinal Addition

Suppose we want to add α and β. We can simply put a copy of β immedi-
ately after a copy of α. (We need to take copies, since we know from Propo-
sition 63.22 that either α ⊆ β or β ⊆ α.) The intuitive effect of this is to run
through an α-sequence of steps, and then to run through a β-sequence. The
resulting sequence will be well-ordered; so by Theorem 63.26 it is isomorphic
to a (unique) ordinal. That ordinal can be regarded as the sum of α and β.
That is the intuitive idea behind ordinal addition. To define it rigorously,
we start with the idea of taking copies of sets. The idea here is to use arbitrary
tags, 0 and 1, to keep track of which object came from where:

Definition 66.1. The disjoint sum of A and B is A ⊔ B = ( A × {0}) ∪ ( B × {1}).

We next define an ordering on pairs of ordinals:

883
 CHAPTER 66. ORDINAL ARITHMETIC

Definition 66.2. For any ordinals α1 , α2 , β 1 , β 2 , say that:

⟨α1 , α2 ⟩ ∢ ⟨ β 1 , β 2 ⟩ iff either α2 ∈ β 2
or both α2 = β 2 and α1 ∈ β 1
This is a reverse lexicographic ordering, since you order by the second ele-
ment, then by the first. Now recall that we wanted to define α + β as the order
type of a copy of α followed by a copy of β. To achieve that, we say:
Definition 66.3. For any ordinals α, β, their sum is α + β = ord(α ⊔ β, ∢).
Note that we slgihtly abused notation here; strictly we should write “{⟨ x, y⟩ ∈
α ⊔ β : x ∢ y}” in place of “∢”. For brevity, though, we will continue to abuse
notation in this way in what follows.
The following result, together with Theorem 63.26, confirms that our defi-
nition is well-formed:
Lemma 66.4. ⟨α ⊔ β, ∢⟩ is a well-order, for any ordinals α and β.
Proof. Obviously ∢ is connected on α ⊔ β. To show it is well-founded, fix a
non-empty X ⊆ α ⊔ β. Let Y be the subset of X whose second coordinate is as
small as possible, i.e. Y = {⟨γ, i ⟩ ∈ X : (∀⟨δ, j⟩ ∈ X )i ≤ j}. Now choose the
element of Y with smallest first coordinate.
So we have a nice, explicit definition of ordinal addition. Here is an unsur-
prising fact (recall that 1 = {0}, by Definition 62.7):
Proposition 66.5. α + 1 = α+ , for any ordinal α.
Proof. Consider the isomorphism f from α+ = α ∪ {α} to α ⊔ 1 = (α × {0}) ⊔
({0} × {1}) given by f (γ) = ⟨γ, 0⟩ for γ ∈ α, and f (α) = ⟨0, 1⟩.
Moreover, it is easy to show that addition obeys certain recursive conditions:
Lemma 66.6. For any ordinals α, β, we have:
α+0 = α
α + ( β + 1) = ( α + β ) + 1
α + β = lsub(α + δ) if β is a limit ordinal
δ< β

Proof. We check case-by-case; first:

α + 0 = ord((α × {0}) ∪ (0 × {1}), ∢)
= ord((α × {0}) ∪ {0}, ∢)
=α
α + ( β + 1) = ord((α × {0}) ∪ ( β+ × {1}), ∢)
= ord((α × {0}) ∪ ( β × {1}), ∢) + 1
= (α + β) + 1

884 Release : d3a1905 (2022-12-19)

66.2. ORDINAL ADDITION

Now let β ̸= ∅ be a limit. If δ < β then also δ + 1 < β, so α + δ is a proper

initial segment of α + β. So α + β is a strict upper bound on X = {α + δ : δ <
β}. Moreover, if α ≤ γ < α + β, then clearly γ = α + δ for some δ < β. So
α + β = lsubδ< β (α + δ).

But here is a striking fact. To define ordinal addition, we could instead have
simply used the Transfinite Recursion Theorem, and laid down the recursion
equations, exactly as given in Lemma 66.6 (though using “β+ ” rather than
“β + 1”).
There are, then, two different ways to define operations on the ordinals.
We can define them synthetically, by explicitly constructing a well-ordered set
and considering its order type. Or we can define them recursively, just by
laying down the recursion equations. Done correctly, though, the outcome is
identical. For Theorem 63.26 guarantees that these recursion equations pin
down unique ordinals.
In many ways, ordinal arithmetic behaves just like addition of the natural
numbers. For example, we can prove the following:

Lemma 66.7. If α, β, γ are ordinals, then:

1. if β < γ, then α + β < α + γ

2. if α + β = α + γ, then β = γ

3. α + ( β + γ) = (α + β) + γ, i.e., addition is associative

4. If α ≤ β, then α + γ ≤ β + γ

Proof. We prove (3), leaving the rest as an exercise. The proof is by Simple
Transfinite Induction on γ, using Lemma 66.6. When γ = 0:

( α + β ) + 0 = α + β = α + ( β + 0)

When γ = δ + 1, suppose for induction that (α + β) + δ = α + ( β + δ); now

using Lemma 66.6 three times:

(α + β) + (δ + 1) = ((α + β) + δ) + 1
= (α + ( β + δ)) + 1
= α + (( β + δ) + 1)
= α + ( β + (δ + 1))

Release : d3a1905 (2022-12-19) 885

 CHAPTER 66. ORDINAL ARITHMETIC

When γ is a limit ordinal, suppose for induction that if δ ∈ γ then (α + β) +

δ = α + ( β + δ); now:

(α + β) + γ = lsub((α + β) + δ)
δ<γ

= lsub(α + ( β + δ))
δ<γ

= α + lsub( β + δ)
δ<γ

= α + ( β + γ)

In these ways, ordinal addition should be very familiar. But, there is a cru-
cial way in which ordinal addition is not like addition on the natural numbers.

Proposition 66.8. Ordinal addition is not commutative; 1 + ω = ω < ω + 1.

Proof. Note that 1 + ω = lsubn<ω (1 + n) = ω ∈ ω ∪ {ω } = ω + = ω + 1.

Whilst this may initially come as a surprise, it shouldn’t. On the one hand,
when you consider 1 + ω, you are thinking about the order type you get by
putting an extra element before all the natural numbers. Reasoning as we did
with Hilbert’s Hotel in section 6.1, intuitively, this extra first element shouldn’t
make any difference to the overall order type. On the other hand, when you
consider ω + 1, you are thinking about the order type you get by putting an
extra element after all the natural numbers. And that’s a radically different
beast!

66.3 Using Ordinal Addition

Using addition on the ordinals, we can explicitly calculate the ranks of various
sets, in the sense of Definition 64.15:

Lemma 66.9. If rank( A) = α and rank( B) = β, then:

1. rank(℘( A)) = α + 1

2. rank({ A, B}) = max(α, β) + 1

3. rank( A ∪ B) = max(α, β)

4. rank(⟨ A, B⟩) = max(α, β) + 2

5. rank( A × B) ≤ max(α, β) + 2
S S
6. rank( A) = α when α is empty or a limit; rank( A) = γ when α = γ + 1

886 Release : d3a1905 (2022-12-19)

66.3. USING ORDINAL ADDITION

Proof. Throughout, we invoke Proposition 64.20 repeatedly.

(1). If x ⊆ A then rank( x ) ≤ rank( A). So rank(℘( A)) ≤ α + 1. Since
A ∈ ℘( A) in particular, rank(℘( A)) = α + 1.
(2). By Proposition 64.20
(3). By Proposition 64.20.
(4). By (2), twice.
(5). Note that A × B ⊆ ℘(℘( A ∪ B)), and invoke (4).
(6). If α = γ + 1, there is some c ∈ A with rank(c) = γ, and no element
S
of A has higher rank; so rank( A) = γ. If α is a limit ordinal, then A has
S
elements with rank arbitrarily close to (but strictly less than) α, so that A
also has elements with rank arbitrarily close to (but strictly less than) α, so
S
that rank( A) = α.

We leave it as an exercise to show why (5) involves an inequality.

We are also now in a position to show that several reasonable notions of
what it might mean to describe an ordinal as “finite” or “infinite” coincide:

Lemma 66.10. For any ordinal α, the following are equivalent:

1. α ∈
/ ω, i.e., α is not a natural number

2. ω ≤ α

3. 1 + α = α

4. α ≈ α + 1, i.e., α and α + 1 are equinumerous

5. α is Dedekind infinite

So we have five provably equivalent ways to understand what it takes for an

ordinal to be (in)finite.

Proof. (1) ⇒ (2). By Trichotomy.

(2) ⇒ (3). Fix α ≥ ω. By Transfinite Induction, there is some least ordinal
γ (possibly 0) such that there is a limit ordinal β with α = β + γ. Now:

1 + α = 1 + ( β + γ) = (1 + β) + γ = lsub(1 + δ) + γ = β + γ = α.
δ< β

(3) ⇒ (4). There is clearly a bijection f : (α ⊔ 1) → (1 ⊔ α). If 1 + α = α, there

is an isomorphism g : (1 ⊔ α) → α. Now consider g ◦ f .
(4) ⇒ (5). If α ≈ α + 1, there is a bijection f : (α ⊔ 1) → α. Define g(γ) =
f (γ, 0) for each γ < α; this injection witnesses that α is Dedekind infinite,
since f (0, 1) ∈ α \ ran( g).
(5) ⇒ (1). This is Proposition 62.8.

Release : d3a1905 (2022-12-19) 887

 CHAPTER 66. ORDINAL ARITHMETIC

66.4 Ordinal Multiplication

We now turn to ordinal multiplication, and we approach this much like or-
dinal addition. So, suppose we want to multiply α by β. To do this, you
might imagine a rectangular grid, with width α and height β; the product of
α and β is now the result of moving along each row, then moving through the
next row. . . until you have moved through the entire grid. Otherwise put, the
product of α and β arises by replacing each element in β with a copy of α.
To make this formal, we simply use the reverse lexicographic ordering on
the Cartesian product of α and β:

Definition 66.11. For any ordinals α, β, their product α · β = ord(α × β, ∢).

We must again confirm that this is a well-formed definition:

Lemma 66.12. ⟨α × β, ∢⟩ is a well-order, for any ordinals α and β.

Proof. Exactly as for Lemma 66.4.

And it is not hard to prove that multiplication behaves thus:

Lemma 66.13. For any ordinals α, β:

α·0 = 0
α · ( β + 1) = ( α · β ) + α
α · β = lsub(α · δ) when β is a limit ordinal.
δ< β

Proof. Left as an exercise.

Indeed, just as in the case of addition, we could have defined ordinal multi-
plication via these recursion equations, rather than offering a direct definition.
Equally, as with addition, certain behaviour is familiar:

Lemma 66.14. If α, β, γ are ordinals, then:

1. if α ̸= 0 and β < γ, then α · β < α · γ;

2. if α ̸= 0 and α · β = α · γ, then β = γ;

3. α · ( β · γ) = (α · β) · γ;

4. If α ≤ β, then α · γ ≤ β · γ;

5. α · ( β + γ) = (α · β) + (α · γ).

Proof. Left as an exercise.

888 Release : d3a1905 (2022-12-19)

66.5. ORDINAL EXPONENTIATION

You can prove (or look up) other results, to your heart’s content. But, given
Proposition 66.8, the following should not come as a surprise:

Proposition 66.15. Ordinal multiplication is not commutative: 2 · ω = ω < ω · 2

Proof. 2 · ω = lsubn<ω (2 · n) = ω ∈ lsubn<ω (ω + n) = ω + ω = ω · 2.

Again, the intuitive rationale is quite straightforward. To compute 2 · ω, you

replace each natural number with two entities. You would get the same order
type if you simply inserted all the “half” numbers into the natural numbers,
i.e., you considered the natural ordering on {n/2 : n ∈ ω }. And, put like that,
the order type is plainly the same as that of ω itself. But, to compute ω · 2, you
place down two copies of ω, one after the other.

66.5 Ordinal Exponentiation

We now move to ordinal exponentiation. Sadly, there is no nice synthetic def-
inition for ordinal exponentiation.
Sure, there are explicit synthetic definitions. Here is one. Let finfun(α, β) be
the set of all functions f : α → β such that {γ ∈ α : f (γ) ̸= 0} is equinumerous
with some natural number. Define a well-ordering on finfun(α, β) by f ⊏ g iff
f ̸= g and f (γ0 ) < g(γ0 ), where γ0 = max{γ ∈ α : f (γ) ̸= g(γ)}. Then we
can define α( β) as ord(finfun(α, β), ⊏). Potter employs this explicit definition,
and then immediately explains:

The choice of this ordering is determined purely by our desire to

obtain a definition of ordinal exponentiation which obeys the ap-
propriate recursive condition. . . , and it is much harder to picture
than either the ordered sum or the ordered product. (Potter, 2004,
p. 199)

Quite. We explained addition as “a copy of α followed by a copy of β”, and

multiplication as “a β-sequence of copies of α”. But we have nothing pithy to
say about finfun(α, γ). So instead, we’ll offer the definition of ordinal expo-
nentiation just by transfinite recursion, i.e.:

Definition 66.16.

α (0) = 1
α ( β +1) = α ( β ) · α
α( β) = α(δ)
[
when β is a limit ordinal
δ< β

If we were working as set theorists, we might want to explore some of

the properties of ordinal exponentiation. But we have nothing much more to

Release : d3a1905 (2022-12-19) 889

 CHAPTER 66. ORDINAL ARITHMETIC

add, except to note the unsurprising fact that ordinal exponentiation does not
commute. Thus 2(ω ) = δ<ω 2(δ) = ω, whereas ω (2) = ω · ω. But then, we
S

should not expect exponentiation to commute, since it does not commute with
natural numbers: 2(3) = 8 < 9 = 3(2) .

Problems
Problem 66.1. Prove the remainder of Lemma 66.7.

Problem 66.2. Produce sets A and B such that rank( A × B) = max(rank( A), rank( B)).
Produce sets A and B such that rank( A × B) max(rank( A), rank( B)) + 2. Are
any other ranks possible?

Problem 66.3. Prove Lemma 66.12, Lemma 66.13, and Lemma 66.14

Problem 66.4. Using Transfinite Induction, prove that, if we define α( β) =

ord(finfun(α, β), ⊏), we obtain the recursion equations of Definition 66.16.

890 Release : d3a1905 (2022-12-19)

Chapter 67

Cardinals

67.1 Cantor’s Principle

Cast your mind back to section 63.5. We were discussing well-ordered sets,
and suggested that it would be nice to have objects which go proxy for well-
orders. With this is mind, we introduced ordinals, and then showed in Corol-
lary 63.28 that these behave as we would want them to, i.e.:

ord( A, <) = ord( B, ⋖) iff ⟨ A, <⟩ ∼

= ⟨ B, ⋖⟩.

Cast your mind back even further, to section 4.8. There, working naı̈vely, we
introduced the notion of the “size” of a set. Specifically, we said that two sets
are equinumerous, A ≈ B, just in case there is a bijection f : A → B. This
is an intrinsically simpler notion than that of a well-ordering: we are only
interested in bijections, and not (as with order-isomorphisms) whether the
bijections “preserve any structure”.
This all gives rise to an obvious thought. Just as we introduced certain
objects, ordinals, to calibrate well-orders, we can introduce certain objects, car-
dinals, to calibrate size. That is the aim of this chapter.
Before we say what these cardinals will be, we should lay down a principle
which they ought to satisfy. Writing | X | for the cardinality of the set X, we
would want them to obey:

| A| = | B| iff A ≈ B.

We’ll call this Cantor’s Principle, since Cantor was probably the first to have it
very clearly in mind. (We’ll say more about its relationship to Hume’s Principle
in section 67.5.) So our aim is to define | X |, for each X, in such a way that it
delivers Cantor’s Principle.

891
 CHAPTER 67. CARDINALS

67.2 Cardinals as Ordinals

In fact, our theory of cardinals will just make (shameless) use of our theory of
ordinals. That is: we will just define cardinals as certain specific ordinals. In
particular, we will offer the following:

Definition 67.1. If A can be well-ordered, then | A| is the least ordinal γ such

that A ≈ γ. For any ordinal γ, we say that γ is a cardinal iff γ = |γ|.

We just used the phrase “A can be well-ordered”. As is almost always the

case in mathematics, the modal locution here is just a hand-waving gloss on
an existential claim: to say “A can be well-ordered” is just to say “there is a
relation which well-orders A”.
But there is a snag with Definition 67.1. We would like it to be the case that
every set has a size, i.e., that | A| exists for every A. The definition we just gave,
though, begins with a conditional: “If A can be well-ordered. . . ”. If there is
some set A which cannot be well-ordered, then our definition will simply fail
to define an object | A|.
So, to use Definition 67.1, we need a guarantee that every set can be well-
ordered. Sadly, though, this guarantee is unavailable in ZF. So, if we want to
use Definition 67.1, there is no alternative but to add a new axiom, such as:

Axiom (Well-Ordering). Every set can be well-ordered.

We will discuss whether the Well-Ordering Axiom is acceptable in chapter 69.

From now on, though, we will simply help ourselves to it. And, using it, it
is quite straightforward to prove that cardinals (as defined in Definition 67.1)
exist and behave nicely:

Lemma 67.2. For every set A:

1. | A| exists and is unique;

2. | A| ≈ A;

3. | A| is a cardinal, i.e., | A| = || A||;

Proof. Fix A. By Well-Ordering, there is a well-ordering ⟨ A, R⟩. By Theo-

rem 63.26, ⟨ A, R⟩ is isomorphic to a unique ordinal, β. So A ≈ β. By Trans-
finite Induction, there is a uniquely least ordinal, γ, such that A ≈ γ. So
| A| = γ, establishing (1) and (2). To establish (3), note that if δ ∈ γ then
δ ≺ A, by our choice of γ, so that also δ ≺ γ since equinumerosity is an
equivalence relation (Proposition 4.20). So γ = |γ|.

The next result guarantees Cantor’s Principle, and more besides. (Note
that cardinals inherit their ordering from the ordinals, i.e., a < b iff a ∈ b. In

892 Release : d3a1905 (2022-12-19)

67.3. ZFC: A MILESTONE

formulating this, we will use Fraktur letters for objects we know to be cardi-
nals. This is fairly standard. A common alternative is to use Greek letters,
since cardinals are ordinals, but to choose them from the middle of the alpha-
bet, e.g.: κ, λ.):

Lemma 67.3. For any sets A and B:

A ≈ B iff | A| = | B|
A ⪯ B iff | A| ≤ | B|
A ≺ B iff | A| < | B|

Proof. We will prove the left-to-right direction of the second claim (the other
cases are similar, and left as an exercise). So, consider the following diagram:

A B

| A| | B|

The double-headed arrows indicate bijections, whose existence is guaranteed

by Lemma 67.2. In assuming that A ⪯ B, there is an injection A → B. Now,
chasing the arrows around from | A| to A to B to | B|, we obtain an injection
| A| → | B| (the dashed arrow).

We can also use Lemma 67.3 to re-prove Schröder–Bernstein. This is the claim
that if A ⪯ B and B ⪯ A then A ≈ B. We stated this as Theorem 4.25, but first
proved it—with some effort—in section 6.5. Now consider:

Re-proof of Schröder-Bernstein. If A ⪯ B and B ⪯ A, then | A| ≤ | B| and | B| ≤

| A| by Lemma 67.3. So | A| = | B| and A ≈ B by Trichotomy and Lemma 67.3.

Whilst this is a very simple proof, it implicitly relies on both Replacement (to
secure Theorem 63.26) and on Well-Ordering (to guarantee Lemma 67.3). By
contrast, the proof of section 6.5 was much more self-standing (indeed, it can
be carried out in Z− ).

67.3 ZFC: A Milestone

With the addition of Well-Ordering, we have reached the final theoretical mile-
stone. We now have all the axioms required for ZFC. In detail:

Definition 67.4. The theory ZFC has these axioms: Extensionality, Union,
Pairs, Powersets, Infinity, Foundation, Well-Ordering and all instances of the
Separation and Replacement schemes. Otherwise put, ZFC adds Well-Ordering
to ZF.

Release : d3a1905 (2022-12-19) 893

 CHAPTER 67. CARDINALS

ZFC stands for Zermelo-Fraenkel set theory with Choice. Now this might
seem slightly odd, since the axiom we added was called “Well-Ordering”, not
“Choice”. But, when we later formulate Choice, it will turn out that Well-
Ordering is equivalent (modulo ZF) to Choice (see Theorem 69.6). So which
to take as our “basic” axiom is a matter of indifference. And the name “ZFC”
is entirely standard in the literature.

67.4 Finite, Enumerable, Non-enumerable

Now that we have been introduced to cardinals, it is worth spending a little
time talking about different varieties of cardinals; specifically, finite, enumer-
able, and non-enumerable cardinals.
Our first two results entail that the finite cardinals will be exactly the finite
ordinals, which we defined as our natural numbers back in Definition 62.7:

Proposition 67.5. Let n, m ∈ ω. Then n = m iff n ≈ m.

Proof. Left-to-right is trivial. To prove right-to-left, suppose n ≈ m although

n ̸= m. By Trichotomy, either n ∈ m or m ∈ n; suppose n ∈ m without loss
of generality. Then n ⊊ m and there is a bijection f : m → n, so that m is
Dedekind infinite, contradicting Proposition 62.8.

Corollary 67.6. If n ∈ ω, then n is a cardinal.

Proof. Immediate.

It also follows that several reasonable notions of what it might mean to de-
scribe a cardinal as “finite” or “infinite” coincide:

Theorem 67.7. For any set A, the following are equivalent:

1. | A| ∈
/ ω, i.e., A is not a natural number;

2. ω ≤ | A|;

3. A is Dedekind infinite.

Proof. From Lemma 66.10, Lemma 67.3, and Corollary 67.6.

This licenses the following definition of some notions which we used rather
informally in part I:

Definition 67.8. We say that A is finite iff | A| is a natural number, i.e., | A| ∈ ω.

Otherwise, we say that A is infinite.

894 Release : d3a1905 (2022-12-19)

67.4. FINITE, ENUMERABLE, NON-ENUMERABLE

But note that this definition is presented against the background of ZFC. After
all, we needed Well-Ordering to guarantee that every set has a cardinality.
And indeed, without Well-Ordering, there can be a set which is neither finite
nor Dedekind infinite. We will return to this sort of issue in chapter 69. For
now, we continue to rely upon Well-Ordering.
Let us now turn from the finite cardinals to the infinite cardinals. Here are
two elementary points:

Corollary 67.9. ω is the least infinite cardinal.

Proof. ω is a cardinal, since ω is Dedekind infinite and if ω ≈ n for any n ∈ ω

then n would be Dedekind infinite, contradicting Proposition 62.8. Now ω is
the least infinite cardinal by definition.

Corollary 67.10. Every infinite cardinal is a limit ordinal.

Proof. Let α be an infinite successor ordinal, so α = β + 1 for some β. By

Proposition 67.5, β is also infinite, so β ≈ β + 1 by Lemma 66.10. Now | β| =
| β + 1| = |α| by Lemma 67.3, so that α ̸= |α|.

Now, as early as Definition 4.27, we flagged we can distinguish between

enumerable and non-enumerable infinite sets. That definition naturally leads
to the following:

Proposition 67.11. A is enumerable iff | A| ≤ ω, and A is non-enumerable iff ω <

| A |.

Proof. By Trichotomy, the two claims are equivalent, so it suffices to prove

that A is enumerable iff | A| ≤ ω. For right-to-left: if | A| ≤ ω, then A ⪯ ω
by Lemma 67.3 and Corollary 67.9. For left-to-right: suppose A is enumerable;
then by Definition 4.27 there are three possible cases:

1. if A = ∅, then | A| = 0 ∈ ω, by Corollary 67.6 and Lemma 67.3.

2. if n ≈ A, then | A| = n ∈ ω, by Corollary 67.6 and Lemma 67.3.

3. if ω ≈ A, then | A| = ω, by Corollary 67.9.

So in all cases, | A| ≤ ω.

Indeed, ω has a special place. Whilst there are many countable ordinals:

Corollary 67.12. ω is the only enumerable infinite cardinal.

Proof. Let a be an enumerable infinite cardinal. Since a is infinite, ω ≤ a. Since

a is an enumerable cardinal, a = |a| ≤ ω. So a = ω by Trichotomy.

Release : d3a1905 (2022-12-19) 895

 CHAPTER 67. CARDINALS

Of course, there are infinitely many cardinals. So we might ask: How many
cardinals are there? The following results show that we might want to recon-
sider that question.
S
Proposition 67.13. If every member of X is a cardinal, then X is a cardinal.

Proof. It is easy to check that X is an ordinal. Let α ∈ X be an ordinal; then

S S

α ∈ b ∈ X for some cardinal b. Since b is a cardinal, α ≺ b. Since b ⊆ X, we

S

have b ⪯ X, and so α ̸≈ X. Generalising, X is a cardinal.

S S S

Theorem 67.14. There is no largest cardinal.

Proof. For any cardinal a, Cantor’s Theorem (Theorem 4.24) and Lemma 67.2
entail that a < |℘(a)|.

Theorem 67.15. The set of all cardinals does not exist.

Proof. For reductio, suppose C = {a : a is a cardinal}. Now C is a cardinal

S
S
by Proposition 67.13, so by Theorem 67.14 there is a cardinal b > C. By
definition b ∈ C, so b ⊆ C, so that b ≤ C, a contradiction.
S S

You should compare this with both Russell’s Paradox and Burali-Forti.

67.5 Appendix: Hume’s Principle

In section 67.1, we described Cantor’s Principle. This was:

| A| = | B| iff A ≈ B.

This is very similar to what is now called Hume’s Principle, which says:

#x F ( x ) = #x G ( x ) iff F ∼ G

where ‘F ∼ G’ abbreviates that there are exactly as many Fs as Gs, i.e., the Fs
can be put into a bijection with the Gs, i.e.:

∃ R(∀v∀y( Rvy → ( Fv ∧ Gy)) ∧

∀v( Fv → ∃!y Rvy) ∧
∀y( Gy → ∃!v Rvy))
But there is a type-difference between Hume’s Principle and Cantor’s Prin-
ciple. In the statement of Cantor’s Principle, the variables “A” and “B” are
first-order terms which stand for sets. In the statement of Hume’s Principle,
“F”, “G” and “R” are not first-order terms; rather, they are in predicate posi-
tion. (Maybe they stand for properties.) So we might gloss Hume’s Principle in
English as: the number of Fs is the number of Gs iff the Fs are bijective with
the Gs. This is called Hume’s Principle, because Hume once wrote this:

896 Release : d3a1905 (2022-12-19)

67.5. APPENDIX: HUME’S PRINCIPLE

When two numbers are so combined as that the one has always
an unit answering to every unit of the other, we pronounce them
equal. (Hume, 1740, Pt.III Bk.1 §1)
And Hume’s Principle was brought to contemporary mathematico-logical promi-
nence by Frege (1884, §63), who quoted this passage from Hume, before (in
effect) sketching (what we have called) Hume’s Principle.
You should note the structural similarity between Hume’s Principle and
Basic Law V. We formulated this in section 61.6 as follows:

ϵx F ( x ) = ϵx G ( x )iff ∀ x ( F ( x ) ↔ G ( x )).

And, at this point, some commentary and comparison might help.

There are two ways to take a principle like Hume’s Principle or Basic
Law V: predicatively or impredicatively (recall section 61.3). On the impredica-
tive reading of Basic Law V, for each F, the object ϵx F ( x ) falls within the
domain of quantification that we used in formulating Basic Law V itself. Sim-
ilarly, on the impredicative reading of Hume’s Principle, for each F, the object
#x F ( x ) falls within the domain of quantification that we used in formulating
Hume’s Principle. By contrast, on the predicative understanding, the objects
ϵx F ( x ) and #x F ( x ) would be entities from some different domain.
Now, if we read Basic Law V impredicatively, it leads to inconsistency,
via Naı̈ve Comprehension (for the details, see section 61.6). Much like Naı̈ve
Comprehension, it can be rendered consistent by reading it predicatively. But
it probably will not do everything that we wanted it to.
Hume’s Principle, however, can consistently be read impredicatively. And,
read thus, it is quite powerful.
To illustrate: consider the predicate “x ̸= x”, which obviously nothing sat-
isfies. Hume’s Principle now yields an object #x ( x ̸= x ). We might treat this as
the number 0. Now, on the impredicative understanding—but only on the im-
predicative understanding—this entity 0 falls within our original domain of
quantification. So we can sensibly apply Hume’s Principle with the predicate
“x = 0” to obtain an object #x ( x = 0). We might treat this as the number 1.
Moreover, Hume’s Principle entails that 0 ̸= 1, since there cannot be a bijec-
tion from the non-self-identical objects to the objects identical with 0 (there
are none of the former, but one of the latter). Now, working impredicatively
again, 1 falls within our original domain of quantification. So we can sensibly
apply Hume’s Principle with the predicate “( x = 0 ∨ x = 1)” to obtain an
object #x ( x = 0 ∨ x = 1). We might treat this as the number 2, and we can
show that 0 ̸= 2 and 1 ̸= 2 and so on.
In short, taken impredicatively, Hume’s Principle entails that there are
infinitely many objects. And this has encouraged neo-Fregean logicists to take
Hume’s Principle as the foundation for arithmetic.
Frege himself, though, did not take Hume’s Principle as his foundation for
arithmetic. Instead, Frege proved Hume’s Principle from an explicit defini-

Release : d3a1905 (2022-12-19) 897

 CHAPTER 67. CARDINALS

tion: #x F ( x ) is defined as the extension of the concept F ∼ Φ. In modern

terms, we might attempt to render this as #x F ( x ) = { G : F ∼ G }; but this will
pull us back into the problems of Naı̈ve Comprehension.

898 Release : d3a1905 (2022-12-19)

Chapter 68

Cardinal Arithmetic

68.1 Defining the Basic Operations

Since we do not need to keep track of order, cardinal arithmetic is rather easier
to define than ordinal arithmetic. We will define addition, multiplication, and
exponentiation simultaneously.

Definition 68.1. When a and b are cardinals:

a ⊕ b = |a ⊔ b|
a ⊗ b = |a × b|
 
ab = b a
 

where X Y = { f : f is a function X → Y }. (It is easy to show that X Y exists for

any sets X and Y; we leave this as an exercise.)

It might help to explain this definition. Concerning addition: this uses the
notion of disjoint sum, ⊔, as defined in Definition 66.1; and it is easy to see
that this definition gives the right verdict for finite cases. Concerning mul-
tiplication: Proposition 1.27 tells us that if A has n members and B has m
members then A × B has n · m members, so our definition simply generalises
the idea to transfinite multiplication. Exponentiation is similar: we are simply
generalising the thought from the finite to the transfinite. Indeed, in certain
ways, transfinite cardinal arithmetic looks much more like “ordinary” arith-
metic than does transfinite ordinal arithmetic:

Proposition 68.2. ⊕ and ⊗ are commutative and associative.

Proof. For commutativity, by Lemma 67.3 it suffices to observe that (a ⊔ b) ≈

(b ⊔ a) and (a × b) ≈ (b × a). We leave associativity as an exercise.

Proposition 68.3. A is infinite iff | A| ⊕ 1 = 1 ⊕ | A| = | A|.

899
 CHAPTER 68. CARDINAL ARITHMETIC

Proof. As in Theorem 67.7, from Lemma 66.10 and Lemma 67.3.

This explains why we need to use different symbols for ordinal versus car-
dinal addition/multiplication: these are genuinely different operations. This
next pair of results shows that ordinal versus cardinal exponentiation are also
different operations. (Recall that Definition 62.7 entails that 2 = {0, 1}):

Lemma 68.4. |℘( A)| = 2| A| , for any A.

Proof. For each subset B ⊆ A, let χ B ∈ A 2 be given by:

(
1 if x ∈ B
χB (x) =
0 otherwise.

A 2. A 2.
 f : ℘( A) →
Now let f ( B) = χ B ; this defines a bijection
 So ℘( A) ≈
| |
Hence ℘( A) ≈ 2, so that |℘( A)| =  2 = 2| A| .
A | A| 

This snappy proof essentially subsumes the discussion of section 4.13. There,
we showed how to “reduce” the uncountability of ℘(ω ) to the uncountability
of the set of infinite binary strings, Bω . In effect, Bω is just ω 2; and the pre-
ceding proof showed that the reasoning we went through in section 4.13 will
go through using any set A in place of ω. The result also yields a quick fact
about cardinal exponentiation:

Corollary 68.5. a < 2a for any cardinal a.

Proof. From Cantor’s Theorem (Theorem 4.24) and Lemma 68.4.

So ω < 2ω . But note: this is a result about cardinal exponentiation. It should

be contrasted with ordinal exponentation, since in the latter case ω = 2(ω ) (see
section 66.5).
Whilst we are on the topic of cardinal exponentiation, we can also be a bit
more precise about the “way” in which R is non-enumerable.

Theorem 68.6. |R| = 2ω

Proof skeleton. There are plenty of ways to prove this. The most straightfor-
ward is to argue that ℘(ω ) ⪯ R and R ⪯ ℘(ω ), and then use Schröder-
Bernstein to infer that R ≈ ℘(ω ), and Lemma 68.4 to infer that |R| = 2ω . We
leave it as an (illuminating) exercise to define injections f : ℘(ω ) → R and
g : R → ℘(ω ).

900 Release : d3a1905 (2022-12-19)

68.2. SIMPLIFYING ADDITION AND MULTIPLICATION

68.2 Simplifying Addition and Multiplication

It turns out that transfinite cardinal addition and multiplication is extremely
easy. This follows from the fact that cardinals are (certain) ordinals, and so
well-ordered, and so can be manipulated in a certain way. Showing this,
though, is not so easy. To start, we need a tricksy definition:

Definition 68.7. We define a canonical ordering, ◁, on pairs of ordinals, by stip-

ulating that ⟨α1 , α2 ⟩ ◁ ⟨ β 1 , β 2 ⟩ iff either:

1. max(α1 , α2 ) < max( β 1 , β 2 ); or

2. max(α1 , α2 ) = max( β 1 , β 2 ) and α1 < β 1 ; or

3. max(α1 , α2 ) = max( β 1 , β 2 ) and α1 = β 1 and α2 < β 2

Lemma 68.8. ⟨α × α, ◁⟩ is a well-order, for any ordinal α.

Proof. Evidently ◁ is connected on α × α. For suppose that neither ⟨α1 , α2 ⟩ nor

⟨ β 1 , β 2 ⟩ is ◁-less than the other. Then max(α1 , α2 ) = max( β 1 , β 2 ) and α1 = β 1
and α2 = β 2 , so that ⟨α1 , α2 ⟩ = ⟨ β 1 , β 2 ⟩.
To show well-ordering, let X ⊆ α × α be non-empty. Since α is an ordinal,
some δ is the least member of {max(γ1 , γ2 ) : ⟨γ1 , γ2 ⟩ ∈ X }. Now discard
all pairs from {⟨γ1 , γ2 ⟩ ∈ X : max(γ1 , γ2 ) = δ} except those with least first
coordinate; from among these, the pair with least second coordinate is the
◁-least element of X.

Now for a teensy, simple observation:

Proposition 68.9. If α ≈ β, then α × α ≈ β × β.

Proof. Just let f : α → β induce ⟨γ1 , γ2 ⟩ 7→ ⟨ f (γ1 ), f (γ2 )⟩.

And now we will put all this to work, in proving a crucial lemma:

Lemma 68.10. α ≈ α × α, for any infinite ordinal α

Proof. For reductio, let α be the least infinite ordinal for which this is false.
Proposition 4.12 shows that ω ≈ ω × ω, so ω ∈ α. Moreover, α is a cardi-
nal: suppose otherwise, for reductio; then |α| ∈ α, so that |α| ≈ |α| × |α|, by
hypothesis; and |α| ≈ α by definition; so that α ≈ α × α by Proposition 68.9.
Now, for each ⟨γ1 , γ2 ⟩ ∈ α × α, consider the segment:

Seg(γ1 , γ2 ) = {⟨δ1 , δ2 ⟩ ∈ α × α : ⟨δ1 , δ2 ⟩ ◁ ⟨γ1 , γ2 ⟩}

Release : d3a1905 (2022-12-19) 901

 CHAPTER 68. CARDINAL ARITHMETIC

Letting γ = max(γ1 , γ2 ), note that ⟨γ1 , γ2 ⟩ ◁ ⟨γ + 1, γ + 1⟩. So, when γ is

infinite, observe:

Seg(γ1 , γ2 ) ≾ ((γ + 1) · (γ + 1))

≈ (γ · γ), by Lemma 66.10 and Proposition 68.9
≈ γ, by the induction hypothesis
≺ α, since α is a cardinal
So ord(α × α, ◁) ≤ α, and hence α × α ⪯ α. Since of course α ⪯ α × α, the
result follows by Schröder-Bernstein.

Finally, we get to our simplifying result:

Theorem 68.11. If a, b are infinite cardinals, then:

a ⊗ b = a ⊕ b = max(a, b).

Proof. Without loss of generality, suppose a = max(a, b). Then invoking

Lemma 68.10, a ⊗ a = a ≤ a ⊕ b ≤ a ⊕ a ≤ a ⊗ a.

Similarly, if a is infinite, an a-sized union of ≤ a-sized sets has size ≤ a:

Proposition 68.12. Let a be an infinite cardinal. For each ordinal β ∈ a, let X β be a
  S 
set with  X β  ≤ a. Then  β∈a X β  ≤ a.
 

Proof. For each β ∈ a, fix an injection f β : X β → a.1 Define an injection

g : β∈a X β → a × a by g(v) = ⟨ β, f β (v)⟩, where v ∈ X β and v ∈
S
/ Xγ for
any γ ∈ β. Now β∈a X β ⪯ a × a ≈ a by Theorem 68.11.
S

68.3 Some Simplification with Cardinal Exponentiation

Whilst defining ◁ was a little involved, the upshot is a useful result concern-
ing cardinal addition and multiplication, Theorem 68.11. Transfinite exponen-
tiation, however, cannot be simplified so straightforwardly. To explain why,
we start with a result which extends a familiar pattern from the finitary case
(though its proof is at a high level of abstraction):
Proposition 68.13. ab⊕c = ab ⊗ ac and (ab )c = ab⊗c , for any cardinals a, b, c.

Proof. For the first claim, consider a function f : (b ⊔ c) → a. Now “split this”,
by defining f b ( β) = f ( β, 0) for each β ∈ b, and f c (γ) = f (γ, 1) for each γ ∈ c.
The map f 7→ ( f b × f c ) is a bijection b⊔c a → (b a × c a).
For the second claim, consider a function f : c → (b a); so for each γ ∈ c we
have some function f (γ) : b → a. Now define f ∗ ( β, γ) = ( f (γ))( β) for each
⟨ β, γ⟩ ∈ b × c. The map f 7→ f ∗ is a bijection c (b a) → b⊗c a.
1 How are these “fixed”? See section 69.5.

902 Release : d3a1905 (2022-12-19)

68.4. THE CONTINUUM HYPOTHESIS

Now, what we would like is an easy way to compute ab when we are deal-
ing with infinite cardinals. Here is a nice step in this direction:

Proposition 68.14. If 2 ≤ a ≤ b and b is infinite, then ab = 2b

Proof.

2b ≤ ab , as 2 ≤ a
≤ (2a )b , by Lemma 68.4
= 2a⊗b , by Proposition 68.13
= 2b , by Theorem 68.11

We should not really expect to be able to simplify this any further, since
b < 2b by Lemma 68.4. However, this does not tell us what to say about ab
when b < a. Of course, if b is finite, we know what to do.

Proposition 68.15. If a is infinite and n ∈ ω then an = a

Proof. an = a ⊗ a ⊗ . . . ⊗ a = a, by Theorem 68.11.

Additionally, in some other cases, we can control the size of ab :

Proposition 68.16. If 2 ≤ b < a ≤ 2b and b is infinite, then ab = 2b

Proof. 2b ≤ ab ≤ (2b )b = 2b⊗b = 2b , reasoning as in Proposition 68.14.

But, beyond this point, things become rather more subtle.

68.4 The Continuum Hypothesis

The previous result hints (correctly) that cardinal exponentiation would be
quite easy, if infinite cardinals are guaranteed to “play straightforwardly” with
powers of 2, i.e., (by Lemma 68.4) with taking powersets. But we cannot as-
sume that infinite cardinals do play straightforwardly powersets.
To start unpacking this, we introduce some nice notation.

Definition 68.17. Where a⊕ is the least cardinal strictly greater than a, we de-
fine two infinite sequences:

ℵ0 = ω ℶ0 = ω
ℵα+1 = (ℵα )⊕ ℶα+1 = 2ℶα
[ [
ℵα = ℵβ ℶα = ℶβ when α is a limit ordinal.
β<α β<α

Release : d3a1905 (2022-12-19) 903

 CHAPTER 68. CARDINAL ARITHMETIC

The definition of a⊕ is in order, since Theorem 67.14 tells us that, for each
cardinal a, there is some cardinal greater than a, and Transfinite Induction
guarantees that there is a least cardinal greater than a. The rest of the definition
of a is provided by transfinite recursion.
Cantor introduced this “ℵ” notation; this is aleph, the first letter in the He-
brew alphabet and the first letter in the Hebrew word for “infinite”. Peirce
introduced the “ℶ” notation; this is beth, which is the second letter in the He-
brew alphabet.2 Now, these notations provide us with infinite cardinals.

Proposition 68.18. ℵα and ℶα are cardinals, for every ordinal α.

Proof. Both results hold by a simple transfinite induction. ℵ0 = ℶ0 = ω is a

cardinal by Corollary 67.9. Assuming ℵα and ℶα are both cardinals, ℵα+1 and
ℶα+1 are explicitly defined as cardinals. And the union of a set of cardinals is
a cardinal, by Proposition 67.13.

Moreover, every infinite cardinal is an ℵ:

Proposition 68.19. If a is an infinite cardinal, then a = ℵγ for some unique γ.

Proof. By transfinite induction on cardinals. For induction, suppose that if

b < a then b = ℵγb . If a = b⊕ for some b, then a = (ℵγb )⊕ = ℵγb +1 . If a is not
S
the successor of any cardinal, then since cardinals are ordinals a = b<a b =
b<a ℵγb , so a = ℵγ where γ = b<a γb .
S S

Since every infinite cardinal is an ℵ, this prompts us to ask: is every infinite

cardinal a ℶ? Certainly if that were the case, then the infinite cardinals would
“play straightforwardly” with the operation of taking powersets. Indeed, we
would have the following:

Generalized Continuum Hypothesis (GCH). ℵα = ℶα , for all α.

Moreover, if GCH held, then we could make some considerable simplifi-

cations with cardinal exponentiation. In particular, we could show that when
b < a, the value of ab is trapped by a ≤ ab ≤ a⊕ . We could then go on to give
precise conditions which determine which of the two possibilities obtains (i.e.,
whether a = ab or ab = a⊕ ).3
But GCH is a hypothesis, not a theorem. In fact, Gödel (1938) proved that if
ZFC is consistent, then so is ZFC + GCH. But it later turned out that we can
equally add ¬GCH to ZFC. Indeed, consider the simplest non-trivial instance
of GCH, namely:
2 Peirce used this notation in a letter to Cantor of December 1900. Unfortunately, Peirce also

gave a bad argument there that ℶα does not exist for α ≥ ω.

3 The condition is dictated by cofinality.

904 Release : d3a1905 (2022-12-19)

68.5. ℵ-FIXED POINTS

Continuum Hypothesis (CH). ℵ1 = ℶ1 .

Cohen (1963) proved that if ZFC is consistent then so is ZFC + ¬CH. So

the Continuum Hypothesis is independent from ZFC.
The Continuum Hypothesis is so-called, since “the continuum” is another
name for the real line, R. Theorem 68.6 tells us that |R| = ℶ1 . So the Contin-
uum Hypothesis states that there is no cardinal between the cardinality of the
natural numbers, ℵ0 = ℶ0 , and the cardinality of the continuum, ℶ1 .
Given the independence of (G)CH from ZFC, what should say about their
truth? Well, there is much to say. Indeed, and much fertile recent work in
set theory has been directed at investigating these issues. But two very quick
points are certainly worth emphasising.
First: it does not immediately follow from these formal independence re-
sults that either GCH or CH is indeterminate in truth value. After all, maybe
we just need to add more axioms, which strike us as natural, and which will
settle the question one way or another. Gödel himself suggested that this was
the right response.
Second: the independence of CH from ZFC is certainly striking, but it is
certainly not incredible (in the literal sense). The point is simply that, for all
ZFC tells us, moving from cardinals to their successors may involve a less
blunt tool than simply taking powersets.
With those two observations made, if you want to know more, you will
now have to turn to the various philosophers and mathematicians with horses
in the race.4

68.5 ℵ-Fixed Points

In chapter 64, we suggested that Replacement stands in need of justification,
because it forces the hierarchy to be rather tall. Having done some cardinal
arithmetic, we can give a little illustration of the height of the hierarchy.
Evidently 0 < ℵ0 , and 1 < ℵ1 , and 2 < ℵ2 . . . and, indeed, the difference
in size only gets bigger with every step. So it is tempting to conjecture that
κ < ℵκ for every ordinal κ.
But this conjecture is false, given ZFC. In fact, we can prove that there are
ℵ-fixed-points, i.e., cardinals κ such that κ = ℵκ .

Proposition 68.20. There is an ℵ-fixed-point.

4 Though you might want to start by reading Potter (2004, §15.6).

Release : d3a1905 (2022-12-19) 905

 CHAPTER 68. CARDINAL ARITHMETIC

Proof. Using recursion, define:

κ0 = 0
κ n +1 = ℵ κ n
[
κ= κn
n<ω

Now κ is a cardinal by Proposition 67.13. But now:

[ [ [
κ= κ n +1 = ℵκ n = ℵ α = ℵκ
n<ω n<ω α <κ

Boolos once wrote an article about exactly the ℵ-fixed-point we just con-
structed. After noting the existence of κ, at the start of his article, he said:

[κ is] a pretty big number, by the lights of those with no previous

exposure to set theory, so big, it seems to me, that it calls into ques-
tion the truth of any theory, one of whose assertions is the claim
that there are at least κ objects. (Boolos, 2000, p. 257)

And he ultimately concluded his paper by asking:

[do] we suspect that, however it may have been at the beginning of

the story, by the time we have come thus far the wheels are spin-
ning and we are no longer listening to a description of anything
that is the case? (Boolos, 2000, p. 268)

If we have, indeed, outrun “anything that is the case”, then we must point the
finger of blame directly at Replacement. For it is this axiom which allows our
proof to work. In which case, one assumes, Boolos would need to revisit the
claim he made, a few decades earlier, that Replacement has “no undesirable”
consequences (see section 65.3).
But is the existence of κ so bad? It might help, here, to consider Russell’s
Tristram Shandy paradox. Tristram Shandy documents his life in his diary, but
it takes him a year to record a single day. With every passing year, Tristram
falls further and further behind: after one year, he has recorded only one day,
and has lived 364 days unrecorded days; after two years, he has only recorded
two days, and has lived 728 unrecorded days; after three years, he has only
recorded three days, and lived 1092 unrecorded days . . . 5 Still, if Tristram is
immortal, Tristram will manage to record every day, for he will record the nth
day on the nth year of his life. And so, “at the end of time”, Tristram will have
a complete diary.
Now: why is this so different from the thought that α is smaller than ℵα —
and indeed, increasingly, desperately smaller—up until κ, at which point, we
catch up, and κ = ℵκ ?
5 Forgetting about leap years.

906 Release : d3a1905 (2022-12-19)

68.5. ℵ-FIXED POINTS

Setting that aside, and assuming we accept ZFC, let’s close with a little
more fun concerning fixed-point constructions. The next three results estab-
lish, intuitively, that there is a (non-trivial) point at which the hierarchy is as
wide as it is tall:
Proposition 68.21. There is a ℶ-fixed-point, i.e., a κ such that κ = ℶκ .

Proof. As in Proposition 68.20, using “ℶ” in place of “ℵ”.

Proposition 68.22. |Vω +α | = ℶα . If ω · ω ≤ α, then |Vα | = ℶα .

Proof. The first claim holds by a simple transfinite induction. The second
claim follows, since if ω · ω ≤ α then ω + α = α. To establish this, we use facts
about ordinal arithmetic from chapter 66. First note that ω · ω = ω · (1 + ω ) =
(ω · 1) + (ω · ω ) = ω + (ω · ω ). Now if ω · ω ≤ α, i.e., α = (ω · ω ) + β for some
β, then ω + α = ω + ((ω · ω ) + β) = (ω + (ω · ω )) + β = (ω · ω ) + β = α.

Corollary 68.23. There is a κ such that |Vκ | = κ.

Proof. Let κ be a ℶ-fixed point, as given by Proposition 68.21. Clearly ω · ω <

κ. So |Vκ | = ℶκ = κ by Proposition 68.22.

There are as many stages beneath Vκ as there are elements of Vκ . Intu-

itively, then, Vκ is as wide as it is tall. This is very Tristram-Shandy-esque:
we move from one stage to the next by taking powersets, thereby making our
hierarchy much bigger with each step. But, “in the end”, i.e., at stage κ, the
hierarchy’s width catches up with its height.
One might ask: How often does the hierarchy’s width match its height? The
answer is: As often as there are ordinals. But this needs a little explanation.
We define a term τ as follows. For any A, let:
τ0 ( A) = | A|
τn+1 ( A) = ℶτn ( A)
[
τ ( A) = τn ( A)
n<ω

As in Proposition 68.21, τ ( A) is a ℶ-fixed point for any A, and trivially | A| <

τ ( A). So now consider this recursive definition:

W0 = 0
Wα+1 = τ (Wα )
[
Wα = Wβ , when α is a limit
β<α

The construction is defined for all ordinals. Intuitively, then, W is “an injec-
tion” from the ordinals to ℶ-fixed points. And, exactly as before, VWα is as
wide as it is tall, for any α.

Release : d3a1905 (2022-12-19) 907

 CHAPTER 68. CARDINAL ARITHMETIC

Problems
Problem 68.1. Prove in Z− that X Y exists for any sets X and Y. Working in ZF,
compute rank( X Y ) from rank( X ) and rank(Y ), in the manner of Lemma 66.9.

Problem 68.2. Prove that ⊕ and ⊗ are associative.

Problem 68.3. Complete the proof of Theorem 68.6, by showing that ℘(ω ) ⪯
R and R ⪯ ℘(ω ).

908 Release : d3a1905 (2022-12-19)

Chapter 69

Choice

69.1 Introduction
In chapters 67 to 68, we developed a theory of cardinals by treating cardinals
as ordinals. That approach depends upon the Axiom of Well-Ordering. It
turns out that Well-Ordering is equivalent to another principle—the Axiom of
Choice—and there has been serious philosophical discussion of its acceptabil-
ity. Our question for this chapter are: How is the Axiom used, and can it be
justified?

69.2 The Tarski-Scott Trick

In Definition 67.1, we defined cardinals as ordinals. To do this, we assumed
the Axiom of Well-Ordering. We did this, for no other reason than that it is
the “industry standard”.
Before we discuss any of the philosophical issues surrounding Well-Ordering,
then, it is important to be clear that we can depart from the industry standard,
and develop a theory of cardinals without assuming Well-Ordering. We can
still employ the definitions of A ≈ B, A ⪯ B and A ≺ B, as they appeared in
chapter 4. We will just need a new notion of cardinal.
A naı̈ve thought would be to attempt to define A’s cardinality thus:

{ x : A ≈ x }.

You might want to compare this with Frege’s definition of #xFx, sketched at
the very end of section 67.5. And, for reasons we gestured at there, this defi-
nition fails. Any singleton set is equinumerous with {∅}. But new singleton
sets are formed at every successor stage of the hierarchy (just consider the sin-
gleton of the previous stage). So { x : A ≈ x } does not exist, since it cannot
have a rank.

909
 CHAPTER 69. CHOICE

To get around this problem, we use a trick due to Tarski and Scott:1

Definition 69.1 (Tarski-Scott). For any formula φ( x ), let [ x : φ( x )] be the set

of all x, of least possible rank, such that φ( x ) (or ∅, if there are no φs).

We should check that this definition is legitimate. Working in ZF, Theo-

rem 64.13 guarantees that rank( x ) exists for every x. Now, if there are any en-
tities satisfying φ, then we can let α be the least rank such that (∃ x ⊆ Vα ) φ( x ),
i.e., (∀ β ∈ α)(∀ x ⊆ Vβ )¬ φ( x ). We can then define [ x : φ( x )] by Separation as
{ x ∈ Vα+1 : φ( x )}.
Having justified the Tarski-Scott trick, we can now use it to define a notion
of cardinality:

Definition 69.2. The TS-cardinality of A is tsc( A) = [ x : A ≈ x ].

The definition of a TS-cardinal does not use Well-Ordering. But, even with-
out that Axiom, we can show that TS-cardinals behave rather like cardinals
as defined in Definition 67.1. For example, if we restate Lemma 67.3 and
Lemma 68.4 in terms of TS-cardinals, the proofs go through just fine in ZF,
without assuming Well-Ordering.
Whilst we are on the topic, it is worth noting that we can also develop
a theory of ordinals using the Tarski-Scott trick. Where ⟨ A, <⟩ is a well-
ordering, let tso( A, <) = [⟨ X, R⟩ : ⟨ A, <⟩ ∼
= ⟨ X, R⟩]. For more on this treat-
ment of cardinals and ordinals, see Potter (2004, chs. 9–12).

69.3 Comparability and Hartogs’ Lemma

That’s the plus side. Here’s the minus side. Without Choice, things get messy.
To see why, here is a nice result due to Hartogs (1915):

Lemma 69.3 (in ZF). For any set A, there is an ordinal α such that α ⪯̸ A

Proof. If B ⊆ A and R ⊆ B2 , then ⟨ B, R⟩ ⊆ Vrank( A)+4 by Lemma 66.9. So,

using Separation, consider:

C = {⟨ B, R⟩ ∈ Vrank( A)+5 : B ⊆ A and ⟨ B, R⟩ is a well-ordering}

Using Replacement and Theorem 63.26, form the set:

α = {ord( B, R) : ⟨ B, R⟩ ∈ C }.

By Corollary 63.19, α is an ordinal, since it is a transitive set of ordinals. After

all, if γ ∈ β ∈ α, then β = ord( B, R) for some B ⊆ R, whereupon γ =
ord( Bb , Rb ) for some b ∈ B by Lemma 63.10, so that γ ∈ α.
1A reminder: all formulas may have parameters (unless explicitly stated otherwise).

910 Release : d3a1905 (2022-12-19)

69.4. THE WELL-ORDERING PROBLEM

For reductio, suppose there is an injection f : α → A. Then, where:

B = ran( f )
R = {⟨ f (α), f ( β)⟩ ∈ A × A : α ∈ β}.

Clearly α = ord( B, R) and ⟨ B, R⟩ ∈ C. So α ∈ α, which is a contradiction.

This entails a deep result:

Theorem 69.4 (in ZF). The following claims are equivalent:

1. The Axiom of Well-Ordering

2. Either A ⪯ B or B ⪯ A, for any sets A and B

Proof. (1) ⇒ (2). Fix A and B. Invoking (1), there are well-orderings ⟨ A, R⟩
and ⟨ B, S⟩. Invoking Theorem 63.26, let f : α → ⟨ A, R⟩ and g : β → ⟨ B, S⟩ be
isomorphisms. By Proposition 63.22, either α ⊆ β or β ⊆ α. If α ⊆ β, then
g ◦ f −1 : A → B is an injection, and hence A ⪯ B; similarly, if β ⊆ α then
B ⪯ A.
(2) ⇒ (1). Fix A; by Lemma 69.3 there is some ordinal β such that β ⪯̸ A.
Invoking (2), we have A ⪯ β. So there is some injection f : A → β, and we
can use this injection to well-order the elements of A, by defining an order
{⟨ a, b⟩ ∈ A × A : f ( a) ∈ f (b)}.

As an immediate consequence: if Well-Ordering fails, then some sets are lit-

erally incomparable with regard to their size. So, if Well-Ordering fails, then
transfinite cardinal arithmetic will be messy. For example, we will have to
abandon the idea that if A and B are infinite then A ⊔ B ≈ A × B ≈ M, where
M is the larger of A and B (see Theorem 68.11). The problem is simple: if we
cannot compare the size of A and B, then it is nonsensical to ask which is larger.

69.4 The Well-Ordering Problem

Evidently rather a lot hangs on whether we accept Well-Ordering. But the
discussion of this principle has tended to focus on an equivalent principle, the
Axiom of Choice. So we will now turn our attention to that (and prove the
equivalence).
In 1883, Cantor expressed his support for the Axiom of Well-Ordering,
calling it “a law of thought which appears to me to be fundamental, rich in
its consequences, and particularly remarkable for its general validity” (cited
in Potter 2004, p. 243). But Cantor ultimately became convinced that the “Ax-
iom” was in need of proof. So did the mathematical community.
The problem was “solved” by Zermelo in 1904. To explain his solution, we
need some definitions.

Release : d3a1905 (2022-12-19) 911

 CHAPTER 69. CHOICE

Definition 69.5. A function f is a choice function iff f ( x ) ∈ x for all x ∈

dom( f ). We say that f is a choice function for A iff f is a choice function with
dom( f ) = A \ {∅}.

Intuitively, for every (non-empty) set x ∈ A, a choice function for A chooses

a particular element, f ( x ), from x. The Axiom of Choice is then:

Axiom (Choice). Every set has a choice function.

Zermelo showed that Choice entails well-ordering, and vice versa:

Theorem 69.6 (in ZF). Well-Ordering and Choice are equivalent.

S
Proof. Left-to-right. Let A be a set of sets. Then A exists by the Axiom of
S
Union, and so by Well-Ordering there is some < which well-orders A. Now
let f ( x ) = the <-least member of x. This is a choice function for A.
Right-to-left. Fix A. By Choice, there is a choice function, f , for ℘( A) \ {∅}.
Using Transfinite Recursion, define a function:

g (0) = f ( A )
(
stop! if A = g[α]
g(α) =
f ( A \ g[α]) otherwise

The indication to “stop!” is just a shorthand for what would otherwise be a

more long-winded definition. That is, when A = g[α] for the first time, let
g(δ) = A for all δ ≤ α. Now, in the first instance, we can only be sure that this
defines a term (see the remarks after Theorem 64.4); but we will show that we
indeed have a function.
Since f is a choice function, for each α (when defined) we have g(α) =
f ( A \ g[α]) ∈ A \ g[α]; i.e., g(α) ∈
/ g[α]. So if g(α) = g( β) then g( β) ∈/ g [ α ],
i.e., β ∈
/ α, and similarly α ∈/ β. So α = β, by Trichotomy. So g is injective.
Next, observe that we do stop!, i.e. that there is some (least) ordinal α such
that A = g[α]. For suppose otherwise; then as g is injective we would have
α ≺ ℘( A) \ {∅} for every ordinal α, contradicting Lemma 69.3. Hence also
ran( g) = A.
Assembling these facts, g is a bijection from some ordinal to A. Now g can
be used to well-order A.

So Well-Ordering and Choice stand or fall together. But the question re-
mains: do they stand or fall?

69.5 Countable Choice

It is easy to prove, without any use of Choice/Well-Ordering, that:

912 Release : d3a1905 (2022-12-19)

69.5. COUNTABLE CHOICE

Lemma 69.7 (in Z− ). Every finite set has a choice function.

Proof. Let a = {b1 , . . . , bn }. Suppose for simplicity that each bi ̸= ∅. So there

are objects c1 , . . . , cn such that c1 ∈ b1 , . . . , cn ∈ bn . Now by Proposition 62.5,
the set {⟨b1 , c1 ⟩, . . . , ⟨bn , cn ⟩} exists; and this is a choice function for a.

But matters get murkier as soon as we consider infinite sets. For example,
consider this “minimal” extension to the above:

Countable Choice. Every countable set has a choice function.

This is a special case of Choice. And it transpires that this principle was
invoked fairly frequently, without an obvious awareness of its use. Here are
two nice examples.2
Example 69.8. Here is a natural thought: for any set A, either ω ⪯ A, or
A ≈ n for some n ∈ ω. This is one way to state the intuitive idea, that every set
is either finite or infinite. Cantor, and many other mathematicians, made this
claim without proving it. Cautious as we are, we proved this in Theorem 67.7.
But in that proof we were working in ZFC, since we were assuming that any
set A can be well-ordered, and hence that | A| is guaranteed to exist. That is:
we explicitly assumed Choice.
In fact, Dedekind (1888) offered his own proof of this claim, as follows:
Theorem 69.9 (in Z− + Countable Choice). For any A, either ω ⪯ A or A ≈ n
for some n ∈ ω.

Proof. Suppose A ̸≈ n for all n ∈ ω. Then in particular for each n < ω there is
subset An ⊆ A with exactly 2n elements. Using this sequence A0 , A1 , A2 , . . .,
we define for each n: [
Bn = An \ Ai .
i <n
Now note the following
 
[ 
A n  ≤ | A 0 | + | A 1 | + . . . + | A n −1 |
 

 
i <n
= 1 + 2 + . . . + 2n −1
= 2n − 1
< 2n = | A n |
Hence each Bn has at least one member, cn . Moreover, the Bn s are pairwise
disjoint; so if cn = cm then n = m. But every cn ∈ A. So the function f (n) = cn
is an injection ω → A.
2 Due to Potter (2004, §9.4) and Luca Incurvati.

Release : d3a1905 (2022-12-19) 913

 CHAPTER 69. CHOICE

Dedekind did not flag that he had used Countable Choice. But, did you spot
its use? Look again. (Really: look again.)
The proof used Countable Choice twice. We used it once, to obtain our
sequence of sets A0 , A1 , A2 , . . . We then used it again to select our elements
cn from each Bn . Moreover, this use of Choice is ineliminable. Cohen (1966,
p. 138) proved that the result fails if we have no version of Choice. That is: it
is consistent with ZF that there are sets which are incomparable with ω.

Example 69.10. In 1878, Cantor stated that a countable union of countable sets
is countable. He did not present a proof, perhaps indicating that he took the
proof to be obvious. Now, cautious as we are, we proved a more general
version of this result in Proposition 68.12. But our proof explicitly assumed
Choice. And even the proof of the less general result requires Countable
Choice.
Theorem 69.11 (in Z− + Countable Choice). If An is countable for each n ∈ ω,
S
then n<ω An is countable.

Proof. Without loss of generality, suppose that each An ̸= ∅. So for each n ∈ ω

there is a surjection f n : ω → An . Define f : ω × ω → n<ω An by f (m, n) =
S

f n (m). The result follows because ω × ω is countable (Proposition 4.12) and f

is a surjection.

Did you spot the use of the Countable Choice? It is used to choose our se-
quence of functions f 0 , f 1 , f 2 , . . . 3 And again, the result fails in the absence of
any Choice principle. Specifically, Feferman and Levy (1963) proved that it is
consistent with ZF that a countable union of countable sets has cardinality ℶ1 .
But here is a much funnier statement of the point, from Russell:
This is illustrated by the millionaire who bought a pair of socks
whenever he bought a pair of boots, and never at any other time,
and who had such a passion for buying both that at last he had ℵ0
pairs of boots and ℵ0 pairs of socks. . . Among boots we can distin-
guish right and left, and therefore we can make a selection of one
out of each pair, namely, we can choose all the right boots or all the
left boots; but with socks no such principle of selection suggests it-
self, and we cannot be sure, unless we assume the multiplicative
axiom [i.e., in effect Choice], that there is any class consisting of
one sock out of each pair. (Russell, 1919, p. 126)
In short, some form of Choice is needed to prove the following: If you have
countably many pairs of socks, then you have (only) countably many socks.
And in fact, without Countable Choice (or something equivalent), a countable
union of countable sets can fail to be countable.
3 A similar use of Choice occurred in Proposition 68.12, when we gave the instruction “For

each β ∈ a, fix an injection f β ”.

914 Release : d3a1905 (2022-12-19)

69.6. INTRINSIC CONSIDERATIONS ABOUT CHOICE

The moral is that Countable Choice was used repeatedly, without much
awareness of its users. The philosophicaly question is: How could we justify
Countable Choice?
An attempt at an intuitive justification might invoke an appeal to a super-
task. Suppose we make the first choice in 1/2 a minute, our second choice in
1/4 a minute, . . . , our n-th choice in 1/2n a minute, . . . Then within 1 minute,
we will have made an ω-sequence of choices, and defined a choice function.
But what, really, could such a thought-experiment tell us? For a start, it
relies upon taking this idea of “choosing” rather literally. For another, it seems
to bind up mathematics in metaphysical possibility.
More important: it is not going to give us any justification for Choice tout
court, rather than mere Countable Choice. For if we need every set to have a
choice function, then we’ll need to be able to perform a “supertask of arbitrary
ordinal length.” Bluntly, that idea is laughable.

69.6 Intrinsic Considerations about Choice

The broader question, then, is whether Well-Ordering, or Choice, or indeed
the comparability of all sets as regards their size—it doesn’t matter which—
can be justified.
Here is an attempted intrinsic justification. Back in section 62.1, we intro-
duced several principles about the hierarchy. One of these is worth restating:

Stages-accumulate. For any stage S, and for any sets which were formed
before stage S: a set is formed at stage S whose members are exactly those
sets. Nothing else is formed at stage S.

In fact, many authors have suggested that the Axiom of Choice can be justified
via (something like) this principle. We will briefly provide a gloss on that
approach.
We will start with a simple little result, which offers yet another equivalent
for Choice:

Theorem 69.12 (in ZF). Choice is equivalent to the following principle. If the el-
ements of A are disjoint and non-empty, then there is some C such that C ∩ x is a
singleton for every x ∈ A. (We call such a C a choice set for A.)

The proof of this result is straightforward, and we leave it as an exercise

for the reader.
The essential point is that a choice set for A is just the range of a choice
function for A. So, to justify Choice, we can simply try to justify its equivalent
formulation, in terms of the existence of choice sets. And we will now try to
do exactly that.
Let A’s elements be disjoint and non-empty. By Stages-are-key (see sec-
S
tion 62.1), A is formed at some stage S. Note that all the elements of A are

Release : d3a1905 (2022-12-19) 915

 CHAPTER 69. CHOICE

available before stage S. Now, by Stages-accumulate, for any sets which were
formed before S, a set is formed whose members are exactly those sets. Other-
wise put: every possible collections of earlier-available sets will exist at S. But
it is certainly possible to select objects which could be formed into a choice set
S
for A; that is just some very specific subset of A. So: some such choice set
exists, as required.
Well, that’s a very quick attempt to offer a justification of Choice on intrin-
sic grounds. But, to pursue this idea further, you should read Potter’s (2004,
§14.8) neat development of it.

69.7 The Banach-Tarski Paradox

We might also attempt to justify Choice, as Boolos attempted to justify Re-
placement, by appealing to extrinsic considerations (see section 65.3). After
all, adopting Choice has many desirable consequences: the ability to compare
every cardinal; the ability to well-order every set; the ability to treat cardinals
as a particular kind of ordinal; etc.
Sometimes, however, it is claimed that Choice has undesirable consequences.
Mostly, this is due to a result by Banach and Tarski (1924).

Theorem 69.13 (Banach-Tarski Paradox (in ZFC)). Any ball can be decomposed
into finitely many pieces, which can be reassembled (by rotation and transportation)
to form two copies of that ball.

At first glance, this is a bit amazing. Clearly the two balls have twice the vol-
ume of the original ball. But rigid motions—rotation and transportation—do
not change volume. So it looks as if Banach-Tarski allows us to magick new
matter into existence.
It gets worse.4 Similar reasoning shows that a pea can be cut into finitely
many pieces, which can then be reassembled (by rotation and transportation)
to form an entity the shape and size of Big Ben.
None of this, however, holds in ZF on its own.5 So we face a decision:
reject Choice, or learn to live with the “paradox”.
We’re going to suggest that we should learn to live with the “paradox”.
Indeed, we don’t think it’s much of a paradox at all. In particular, we don’t
see why it is any more or less paradoxical than any of the following results:6

1. There are as many points in the interval (0, 1) as in R.

Proof : consider tan(π (r − 1/2))).
4 See Tomkowicz and Wagon (2016, Theorem 3.12).
5 Though Banach-Tarski can be proved with principles which are strictly weaker than Choice;
see Tomkowicz and Wagon (2016, 303).
6 Potter (2004, 276–7), Weston (2003, 16), Tomkowicz and Wagon (2016, 31, 308–9), make simi-

lar points, using other examples.

916 Release : d3a1905 (2022-12-19)

69.8. APPENDIX: VITALI’S PARADOX

2. There are as many points in a line as in a square.

See section 73.3 and section 73.5.

3. There are space-filling curves.

See section 73.3 and section 73.6.

None of these three results require Choice. Indeed, we now just regard them
as surprising, lovely, bits of mathematics. Maybe we should adopt the same
attitude to the Banach-Tarski Paradox.
To be sure, a technical observation is required here; but it only requires
keeping a level head. Rigid motions preserve volume. Consequently, the five7
pieces into which the ball is decomposed cannot all be measurable. Roughly
put, then, it makes no sense to assign a volume to these individual pieces. You
should think of these as unpicturable, “infinite scatterings” of points. Now,
maybe it is “weird” to conceive of such “infinitely scattered” sets. But their
existence seems to fall out from the injunction, embodied in Stages-accumulate,
that you should form all possible collections of earlier-available sets.
If none of that convinces, here is a final (extrinsic) argument in favour of
embracing the Banach-Tarski Paradox. It immediately entails the best math
joke of all time:

Question. What’s an anagram of “Banach-Tarski”?

Answer. “Banach-Tarski Banach-Tarski”.

69.8 Appendix: Vitali’s Paradox

To get a real sense of whether the Banach-Tarski construction is acceptable
or not, we should examine its proof. Unfortunately, that would require much
more algebra than we can present here. However, we can offer some quick
remarks which might shed some insight on the proof of Banach-Tarski,8 by
focussing on the following result:

Theorem 69.14 (Vitali’s Paradox (in ZFC)). Any circle can be decomposed into
countably many pieces, which can be reassembled (by rotation and transportation)
to form two copies of that circle.

Vitali’s Paradox is much easier to prove than the Banach–Tarski Paradox.

We have called it “Vitali’s Paradox”, since it follows from Vitali’s 1905 con-
struction of an unmeasurable set. But the set-theoretic aspects of the proof of
Vitali’s Paradox and the Banach-Tarski Paradox are very similar. The essen-
tial difference between the results is just that Banach-Tarski considers a finite
7 We stated the Paradox in terms of “finitely many pieces”. In fact, Robinson (1947) proved

that the decomposition can be achieved with five pieces (but no fewer). For a proof, see Tomkow-
icz and Wagon (2016, pp. 66–7).
8 For a much fuller treatment, see Weston (2003) or Tomkowicz and Wagon (2016).

Release : d3a1905 (2022-12-19) 917

 CHAPTER 69. CHOICE

decomposition, whereas Vitali’s Paradox onsiders a countably infinite decom-

position. As Weston (2003) puts it, Vitali’s Paradox “is certainly not nearly
as striking as the Banach–Tarski paradox, but it does illustrate that geometric
paradoxes can happen even in ‘simple’ situations.”
Vitali’s Paradox concerns a two-dimensional figure, a circle. So we will
work on the plane, R2 . Let R be the set of (clockwise) rotations of points
around the origin by rational radian values between [0, 2π ). Here are some
algebraic facts about R (if you don’t understand the statement of the result,
the proof will make its meaning clear):

Lemma 69.15. R forms an abelian group under composition of functions.

Proof. Writing 0R for the rotation by 0 radians, this is an identity element for
R, since ρ ◦ 0R = 0R ◦ ρ = ρ for any ρ ∈ R.
Every element has an inverse. Where ρ ∈ R rotates by r radians, ρ−1 ∈ R
rotates by 2π − r radians, so that ρ ◦ ρ−1 = 0R .
Composition is associative: (τ ◦ σ ) ◦ ρ = τ ◦ (σ ◦ ρ) for any ρ, σ, τ ∈ R
Composition is commutative: σ ◦ ρ = ρ ◦ σ for any ρ, σ ∈ R.

In fact, we can split our group R in half, and then use either half to recover
the whole group:

Lemma 69.16. There is a partition of R into two disjoint sets, R1 and R2 , both of
which are a basis for R.

Proof. Let R1 consist of the rotations by rational radian values in [0, π ); let
R2 = R \ R1 . By elementary algebra, {ρ ◦ ρ : ρ ∈ R1 } = R. A similar result
can be obtained for R2 .

We will use this fact about groups to establish Theorem 69.14. Let S be
the unit circle, i.e., the set of points
√ exactly 1 unit away from the origin of
the plane, i.e., {⟨r, s⟩ ∈ R2 : r2 + s2 = 1}. We will split S into parts by
considering the following relation on S:

r ∼ s iff (∃ρ ∈ R)ρ(r ) = s.

That is, the points of S are linked by this relation iff you can get from one to
the other by a rational-valued rotation about the origin. Unsurprisingly:

Lemma 69.17. ∼ is an equivalence relation.

Proof. Trivial, using Lemma 69.15.

918 Release : d3a1905 (2022-12-19)

69.8. APPENDIX: VITALI’S PARADOX

We now invoke Choice to obtain a set, C, containing exactly one mem-

ber from each equivalence class of S under ∼. That is, we consider a choice
function f on the set of equivalence classes,9

E = {[r ]∼ : r ∈ S},

and let C = ran( f ). For each rotation ρ ∈ R, the set ρ[C ] consists of the points
obtained by applying the rotation ρ to each point in C. These next two results
show that these sets cover the circle completely and without overlap:
S
Lemma 69.18. S = ρ∈ R ρ [ C ].

Proof. Fix s ∈ S; there is some r ∈ C such that r ∈ [s]∼ , i.e., r ∼ s, i.e., ρ(r ) = s
for some ρ ∈ R.

Lemma 69.19. If ρ1 ̸= ρ2 then ρ1 [C ] ∩ ρ2 [C ] = ∅.

Proof. Suppose s ∈ ρ1 [C ] ∩ ρ2 [C ]. So s = ρ1 (r1 ) = ρ2 (r2 ) for some r1 , r2 ∈ C.

Hence ρ2−1 (ρ1 (r1 )) = r2 , and ρ2−1 ◦ ρ1 ∈ R, so r1 ∼ r2 . So r1 = r2 , as C selects
exactly one member from each equivalence class under ∼. So s = ρ1 (r1 ) =
ρ2 (r1 ), and hence ρ1 = ρ2 .

We now apply our earlier algebraic facts to our circle:

Lemma 69.20. There is a partition of S into two disjoint sets, D1 and D2 , such that
D1 can be partitioned into countably many sets which can be rotated to form a copy
of S (and similarly for D2 ).

Proof. Using R1 and R2 from Lemma 69.16, let:

[ [
D1 = ρ[C ] D2 = ρ[C ]
ρ ∈ R1 ρ ∈ R2

This is a partition of S, by Lemma 69.18, and D1 and D2 are disjoint by Lemma 69.19.
By construction, D1 can be partitioned into countably many sets, ρ[C ] for each
ρ ∈ R1 . And these can be rotated to form a copy of S, since S = ρ∈ R ρ[C ] =
S

ρ∈ R1 ( ρ ◦ ρ )[C ] by Lemma 69.16 and Lemma 69.18. The same reasoning ap-
S

plies to D2 .

This immediately entails Vitali’s Paradox. For we can generate two copies
of S from S, just by splitting it up into countably many pieces (the various
ρ[C ]’s) and then rigidly moving them (simply rotate each piece of D1 , and
first transport and then rotate each piece of D2 ).
9 Since R is enumerable, each element of E is enumerable. Since S is non-enumerable, it

follows from Lemma 69.18 and Proposition 68.12 that E is non-enumerable. So this is a use of
uncountable Choice.

Release : d3a1905 (2022-12-19) 919

 CHAPTER 69. CHOICE

Let’s recap the proof-strategy. We started with some algebraic facts about
the group of rotations on the plane. We used this group to partition S into
equivalence classes. We then arrived at a “paradox”, by using Choice to select
elements from each class.
We use exactly the same strategy to prove Banach–Tarski. The main differ-
ence is that the algebraic facts used to prove Banach–Tarski are significantly
more complicated than those used to prove Vitali’s Paradox. But those alge-
braic facts have nothing to do with Choice. We will summarise them quickly.
To prove Banach–Tarski, we start by establishing an analogue of Lemma 69.16:
any free group can be split into four pieces, which intuitively we can “move
around” to recover two copies of the whole group.10 We then show that we
can use two particular rotations around the origin of R3 to generate a free
group of rotations, F.11 (No Choice yet.) We now regard points on the surface
of the sphere as “similar” iff one can be obtained from the other by a rotation
in F. We then use Choice to select exactly one point from each equivalence class
of “similar” points. Applying our division of F to the surface of the sphere, as
in Lemma 69.20, we split that surface into four pieces, which we can “move
around” to obtain two copies of the surface of the sphere. And this establishes
(Hausdorff, 1914):

Theorem 69.21 (Hausdorff’s Paradox (in ZFC)). The surface of any sphere can
be decomposed into finitely many pieces, which can be reassembled (by rotation and
transportation) to form two disjoint copies of that sphere.

A couple of further algebraic tricks are needed to obtain the full Banach-
Tarski Theorem (which concerns not just the sphere’s surface, but its interior
too). Frankly, however, this is just icing on the algebraic cake. Hence Weston
writes:

[. . . ] the result on free groups is the key step in the proof of the
Banach-Tarski paradox. From this point of view, the Banach-Tarski
paradox is not a statement about R3 so much as it is a statement
about the complexity of the group [of translations and rotations in
R3 ]. (Weston, 2003, p. 16)

That is: whether we can offer a finite decomposition (as in Banach–Tarski) or a

countably infinite decomposition (as in Vitali’s Paradox) comes down to certain
group-theoretic facts about working in two-dimension or three-dimensions.
Admittedly, this last observation slightly spoils the joke at the end of sec-
tion 69.7. Since it is two dimensional, “Banach-Tarski” must be divided into
a countable infinity of pieces, if one wants to rearrange those pieces to form
10 The fact that we can use four pieces is due to Robinson (1947). For a recent proof, see

Tomkowicz and Wagon (2016, Theorem 5.2). We follow Weston (2003, p. 3) in describing this
as “moving” the pieces of the group.
11 See Tomkowicz and Wagon (2016, Theorem 2.1).

920 Release : d3a1905 (2022-12-19)

69.8. APPENDIX: VITALI’S PARADOX

“Banach-Tarski Banach-Tarski”. To repair the joke, one must write in three

dimensions. We leave this as an exercise for the reader.
One final comment. In section 69.7, we mentioned that the “pieces” of the
sphere one obtains cannot be measurable, but must be unpicturable “infinite
scatterings”. The same is true of our use of Choice in obtaining Lemma 69.20.
And this is all worth explaining.
Again, we must sketch some background (but this is just a sketch; you may
want to consult a textbook entry on measure). To define a measure for a set X
is to assign a value µ( E) ∈ R for each E in some “σ-algebra” on X. Details
here are not essential, except that the function µ must obey the principle of
countable additivity: the measure of a countable union of disjoint sets is the
sum of their individual measures, i.e., µ( n<ω Xn ) = ∑n<ω µ( Xn ) whenever
S

the Xn s are disjoint. To say that a set is “unmeasurable” is to say that no

measure can be suitably assigned. Now, using our R from before:

Corollary 69.22 (Vitali). Let µ be a measure such that µ(S) = 1, and such that
µ( X ) = µ(Y ) if X and Y are congruent. Then ρ[C ] is unmeasurable for all ρ ∈ R.

Proof. For reductio, suppose otherwise. So let µ(σ [C ]) = r for some σ ∈ R

and some r ∈ R. For any ρ ∈ C, ρ[C ] and σ [C ] are congruent, and hence
µ(ρ[C ]) = r for any ρ ∈ C. By Lemma 69.18 and Lemma 69.19, S = ρ∈ R ρ[C ]
S

is a countable union of pairwise disjoint sets. So countable additivity dictates

that µ(S) = 1 is the sum of the measures of each ρ[C ], i.e.,

1 = µ(S) = ∑ µ(ρ[C]) = ∑ r
ρ∈ R ρ∈ R

But if r = 0 then ∑ρ∈ R r = 0, and if r > 0 then ∑ρ∈ R r = ∞.

Problems
Problem 69.1. Prove Theorem 69.12. If you struggle, you can find a proof in
(Potter, 2004, pp. 242–3).

Release : d3a1905 (2022-12-19) 921

Part XV

Methods

922
69.8. APPENDIX: VITALI’S PARADOX

This part covers general and methodological material, especially ex-

planations of various proof methods a non-methematics student may be
unfamiliar with. It currently contains a chapter on how to write proofs,
and a chapter on induction, but additional sections for thos, exercises, and
a chapter on mathematical terminology is also planned.

Release : d3a1905 (2022-12-19) 923

Chapter 70

Proofs

70.1 Introduction
Based on your experiences in introductory logic, you might be comfortable
with a derivation system—probably a natural deduction or Fitch style deriva-
tion system, or perhaps a proof-tree system. You probably remember doing
proofs in these systems, either proving a formula or show that a given argu-
ment is valid. In order to do this, you applied the rules of the system un-
til you got the desired end result. In reasoning about logic, we also prove
things, but in most cases we are not using a derivation system. In fact, most
of the proofs we consider are done in English (perhaps, with some symbolic
language thrown in) rather than entirely in the language of first-order logic.
When constructing such proofs, you might at first be at a loss—how do I prove
something without a derivation system? How do I start? How do I know if
my proof is correct?
Before attempting a proof, it’s important to know what a proof is and how
to construct one. As implied by the name, a proof is meant to show that some-
thing is true. You might think of this in terms of a dialogue—someone asks
you if something is true, say, if every prime other than two is an odd number.
To answer “yes” is not enough; they might want to know why. In this case,
you’d give them a proof.
In everyday discourse, it might be enough to gesture at an answer, or give
an incomplete answer. In logic and mathematics, however, we want rigorous
proof—we want to show that something is true beyond any doubt. This means
that every step in our proof must be justified, and the justification must be
cogent (i.e., the assumption you’re using is actually assumed in the statement
of the theorem you’re proving, the definitions you apply must be correctly
applied, the justifications appealed to must be correct inferences, etc.).
Usually, we’re proving some statement. We call the statements we’re prov-
ing by various names: propositions, theorems, lemmas, or corollaries. A
proposition is a basic proof-worthy statement: important enough to record,

924
70.2. STARTING A PROOF

but perhaps not particularly deep nor applied often. A theorem is a signifi-
cant, important proposition. Its proof often is broken into several steps, and
sometimes it is named after the person who first proved it (e.g., Cantor’s The-
orem, the Löwenheim-Skolem theorem) or after the fact it concerns (e.g., the
completeness theorem). A lemma is a proposition or theorem that is used
in the proof of a more important result. Confusingly, sometimes lemmas are
important results in themselves, and also named after the person who intro-
duced them (e.g., Zorn’s Lemma). A corollary is a result that easily follows
from another one.
A statement to be proved often contains assumptions that clarify which
kinds of things we’re proving something about. It might begin with “Let φ
be a formula of the form ψ → χ” or “Suppose Γ ⊢ φ” or something of the
sort. These are hypotheses of the proposition, theorem, or lemma, and you may
assume these to be true in your proof. They restrict what we’re proving, and
also introduce some names for the objects we’re talking about. For instance, if
your proposition begins with “Let φ be a formula of the form ψ → χ,” you’re
proving something about all formulas of a certain sort only (namely, condi-
tionals), and it’s understood that ψ → χ is an arbitrary conditional that your
proof will talk about.

70.2 Starting a Proof

But where do you even start?

You’ve been given something to prove, so this should be the last thing that
is mentioned in the proof (you can, obviously, announce that you’re going to
prove it at the beginning, but you don’t want to use it as an assumption). Write
what you are trying to prove at the bottom of a fresh sheet of paper—this way
you don’t lose sight of your goal.
Next, you may have some assumptions that you are able to use (this will
be made clearer when we talk about the type of proof you are doing in the next
section). Write these at the top of the page and make sure to flag that they are
assumptions (i.e., if you are assuming p, write “assume that p,” or “suppose
that p”). Finally, there might be some definitions in the question that you
need to know. You might be told to use a specific definition, or there might
be various definitions in the assumptions or conclusion that you are working
towards. Write these down and ensure that you understand what they mean.
How you set up your proof will also be dependent upon the form of the
question. The next section provides details on how to set up your proof based
on the type of sentence.

Release : d3a1905 (2022-12-19) 925

 CHAPTER 70. PROOFS

70.3 Using Definitions

We mentioned that you must be familiar with all definitions that may be used
in the proof, and that you can properly apply them. This is a really impor-
tant point, and it is worth looking at in a bit more detail. Definitions are used
to abbreviate properties and relations so we can talk about them more suc-
cinctly. The introduced abbreviation is called the definiendum, and what it
abbreviates is the definiens. In proofs, we often have to go back to how the
definiendum was introduced, because we have to exploit the logical structure
of the definiens (the long version of which the defined term is the abbrevia-
tion) to get through our proof. By unpacking definitions, you’re ensuring that
you’re getting to the heart of where the logical action is.
We’ll start with an example. Suppose you want to prove the following:

Proposition 70.1. For any sets A and B, A ∪ B = B ∪ A.

In order to even start the proof, we need to know what it means for two sets
to be identical; i.e., we need to know what the “=” in that equation means for
sets. Sets are defined to be identical whenever they have the same elements.
So the definition we have to unpack is:

Definition 70.2. Sets A and B are identical, A = B, iff every element of A is

an element of B, and vice versa.

This definition uses A and B as placeholders for arbitrary sets. What it

defines—the definiendum—is the expression “A = B” by giving the condition
under which A = B is true. This condition—“every element of A is an element
of B, and vice versa”—is the definiens.1 The definition specifies that A = B is
true if, and only if (we abbreviate this to “iff”) the condition holds.
When you apply the definition, you have to match the A and B in the
definition to the case you’re dealing with. In our case, it means that in order
for A ∪ B = B ∪ A to be true, each z ∈ A ∪ B must also be in B ∪ A, and
vice versa. The expression A ∪ B in the proposition plays the role of A in the
definition, and B ∪ A that of B. Since A and B are used both in the definition
and in the statement of the proposition we’re proving, but in different uses,
you have to be careful to make sure you don’t mix up the two. For instance, it
would be a mistake to think that you could prove the proposition by showing
that every element of A is an element of B, and vice versa—that would show
that A = B, not that A ∪ B = B ∪ A. (Also, since A and B may be any two
sets, you won’t get very far, because if nothing is assumed about A and B they
may well be different sets.)
1 In this particular case—and very confusingly!—when A = B, the sets A and B are just one

and the same set, even though we use different letters for it on the left and the right side. But the
ways in which that set is picked out may be different, and that makes the definition non-trivial.

926 Release : d3a1905 (2022-12-19)

70.4. INFERENCE PATTERNS

Within the proof we are dealing with set-theoretic notions such as union,
and so we must also know the meanings of the symbol ∪ in order to under-
stand how the proof should proceed. And sometimes, unpacking the defini-
tion gives rise to further definitions to unpack. For instance, A ∪ B is defined
as {z : z ∈ A or z ∈ B}. So if you want to prove that x ∈ A ∪ B, unpacking
the definition of ∪ tells you that you have to prove x ∈ {z : z ∈ A or z ∈ B}.
Now you also have to remember that x ∈ {z : . . . z . . .} iff . . . x . . . . So, further
unpacking the definition of the {z : . . . z . . .} notation, what you have to show
is: x ∈ A or x ∈ B. So, “every element of A ∪ B is also an element of B ∪ A”
really means: “for every x, if x ∈ A or x ∈ B, then x ∈ B or x ∈ A.” If we fully
unpack the definitions in the proposition, we see that what we have to show
is this:

Proposition 70.3. For any sets A and B: (a) for every x, if x ∈ A or x ∈ B, then
x ∈ B or x ∈ A, and (b) for every x, if x ∈ B or x ∈ A, then x ∈ A or x ∈ B.

What’s important is that unpacking definitions is a necessary part of con-

structing a proof. Properly doing it is sometimes difficult: you must be careful
to distinguish and match the variables in the definition and the terms in the
claim you’re proving. In order to be successful, you must know what the
question is asking and what all the terms used in the question mean—you
will often need to unpack more than one definition. In simple proofs such as
the ones below, the solution follows almost immediately from the definitions
themselves. Of course, it won’t always be this simple.

70.4 Inference Patterns

Proofs are composed of individual inferences. When we make an inference,
we typically indicate that by using a word like “so,” “thus,” or “therefore.”
The inference often relies on one or two facts we already have available in our
proof—it may be something we have assumed, or something that we’ve con-
cluded by an inference already. To be clear, we may label these things, and in
the inference we indicate what other statements we’re using in the inference.
An inference will often also contain an explanation of why our new conclusion
follows from the things that come before it. There are some common patterns
of inference that are used very often in proofs; we’ll go through some below.
Some patterns of inference, like proofs by induction, are more involved (and
will be discussed later).
We’ve already discussed one pattern of inference: unpacking, or applying,
a definition. When we unpack a definition, we just restate something that
involves the definiendum by using the definiens. For instance, suppose that
we have already established in the course of a proof that D = E (a). Then we
may apply the definition of = for sets and infer: “Thus, by definition from (a),
every element of D is an element of E and vice versa.”

Release : d3a1905 (2022-12-19) 927

 CHAPTER 70. PROOFS

Somewhat confusingly, we often do not write the justification of an in-

ference when we actually make it, but before. Suppose we haven’t already
proved that D = E, but we want to. If D = E is the conclusion we aim for,
then we can restate this aim also by applying the definition: to prove D = E
we have to prove that every element of D is an element of E and vice versa. So
our proof will have the form: (a) prove that every element of D is an element
of E; (b) every element of E is an element of D; (c) therefore, from (a) and (b)
by definition of =, D = E. But we would usually not write it this way. Instead
we might write something like,

We want to show D = E. By definition of =, this amounts to

showing that every element of D is an element of E and vice versa.
(a) . . . (a proof that every element of D is an element of E) . . .
(b) . . . (a proof that every element of E is an element of D) . . .

Using a Conjunction
Perhaps the simplest inference pattern is that of drawing as conclusion one of
the conjuncts of a conjunction. In other words: if we have assumed or already
proved that p and q, then we’re entitled to infer that p (and also that q). This is
such a basic inference that it is often not mentioned. For instance, once we’ve
unpacked the definition of D = E we’ve established that every element of D is
an element of E and vice versa. From this we can conclude that every element
of E is an element of D (that’s the “vice versa” part).

Proving a Conjunction
Sometimes what you’ll be asked to prove will have the form of a conjunc-
tion; you will be asked to “prove p and q.” In this case, you simply have
to do two things: prove p, and then prove q. You could divide your proof
into two sections, and for clarity, label them. When you’re making your first
notes, you might write “(1) Prove p” at the top of the page, and “(2) Prove q”
in the middle of the page. (Of course, you might not be explicitly asked to
prove a conjunction but find that your proof requires that you prove a con-
junction. For instance, if you’re asked to prove that D = E you will find that,
after unpacking the definition of =, you have to prove: every element of D is
an element of E and every element of E is an element of D).

Proving a Disjunction
When what you are proving takes the form of a disjunction (i.e., it is an state-
ment of the form “p or q”), it is enough to show that one of the disjuncts is true.
However, it basically never happens that either disjunct just follows from the
assumptions of your theorem. More often, the assumptions of your theorem

928 Release : d3a1905 (2022-12-19)

70.4. INFERENCE PATTERNS

are themselves disjunctive, or you’re showing that all things of a certain kind
have one of two properties, but some of the things have the one and others
have the other property. This is where proof by cases is useful (see below).

Conditional Proof
Many theorems you will encounter are in conditional form (i.e., show that if
p holds, then q is also true). These cases are nice and easy to set up—simply
assume the antecedent of the conditional (in this case, p) and prove the con-
clusion q from it. So if your theorem reads, “If p then q,” you start your proof
with “assume p” and at the end you should have proved q.
Conditionals may be stated in different ways. So instead of “If p then q,”
a theorem may state that “p only if q,” “q if p,” or “q, provided p.” These all
mean the same and require assuming p and proving q from that assumption.
Recall that a biconditional (“p if and only if (iff) q”) is really two conditionals
put together: if p then q, and if q then p. All you have to do, then, is two
instances of conditional proof: one for the first conditional and another one
for the second. Sometimes, however, it is possible to prove an “iff” statement
by chaining together a bunch of other “iff” statements so that you start with
“p” an end with “q”—but in that case you have to make sure that each step
really is an “iff.”

Universal Claims
Using a universal claim is simple: if something is true for anything, it’s true
for each particular thing. So if, say, the hypothesis of your proof is A ⊆ B, that
means (unpacking the definition of ⊆), that, for every x ∈ A, x ∈ B. Thus, if
you already know that z ∈ A, you can conclude z ∈ B.
Proving a universal claim may seem a little bit tricky. Usually these state-
ments take the following form: “If x has P, then it has Q” or “All Ps are Qs.”
Of course, it might not fit this form perfectly, and it takes a bit of practice to
figure out what you’re asked to prove exactly. But: we often have to prove
that all objects with some property have a certain other property.
The way to prove a universal claim is to introduce names or variables, for
the things that have the one property and then show that they also have the
other property. We might put this by saying that to prove something for all Ps
you have to prove it for an arbitrary P. And the name introduced is a name
for an arbitrary P. We typically use single letters as these names for arbitrary
things, and the letters usually follow conventions: e.g., we use n for natural
numbers, φ for formulas, A for sets, f for functions, etc.
The trick is to maintain generality throughout the proof. You start by as-
suming that an arbitrary object (“x”) has the property P, and show (based only
on definitions or what you are allowed to assume) that x has the property Q.
Because you have not stipulated what x is specifically, other that it has the

Release : d3a1905 (2022-12-19) 929

 CHAPTER 70. PROOFS

property P, then you can assert that all every P has the property Q. In short,
x is a stand-in for all things with property P.

Proposition 70.4. For all sets A and B, A ⊆ A ∪ B.

Proof. Let A and B be arbitrary sets. We want to show that A ⊆ A ∪ B. By

definition of ⊆, this amounts to: for every x, if x ∈ A then x ∈ A ∪ B. So let
x ∈ A be an arbitrary element of A. We have to show that x ∈ A ∪ B. Since
x ∈ A, x ∈ A or x ∈ B. Thus, x ∈ { x : x ∈ A ∨ x ∈ B}. But that, by definition
of ∪, means x ∈ A ∪ B.

Proof by Cases
Suppose you have a disjunction as an assumption or as an already established
conclusion—you have assumed or proved that p or q is true. You want to
prove r. You do this in two steps: first you assume that p is true, and prove r,
then you assume that q is true and prove r again. This works because we
assume or know that one of the two alternatives holds. The two steps establish
that either one is sufficient for the truth of r. (If both are true, we have not one
but two reasons for why r is true. It is not necessary to separately prove that
r is true assuming both p and q.) To indicate what we’re doing, we announce
that we “distinguish cases.” For instance, suppose we know that x ∈ B ∪ C.
B ∪ C is defined as { x : x ∈ B or x ∈ C }. In other words, by definition, x ∈ B
or x ∈ C. We would prove that x ∈ A from this by first assuming that x ∈ B,
and proving x ∈ A from this assumption, and then assume x ∈ C, and again
prove x ∈ A from this. You would write “We distinguish cases” under the
assumption, then “Case (1): x ∈ B” underneath, and “Case (2): x ∈ C halfway
down the page. Then you’d proceed to fill in the top half and the bottom half
of the page.
Proof by cases is especially useful if what you’re proving is itself disjunc-
tive. Here’s a simple example:

Proposition 70.5. Suppose B ⊆ D and C ⊆ E. Then B ∪ C ⊆ D ∪ E.

Proof. Assume (a) that B ⊆ D and (b) C ⊆ E. By definition, any x ∈ B is also

∈ D (c) and any x ∈ C is also ∈ E (d). To show that B ∪ C ⊆ D ∪ E, we have to
show that if x ∈ B ∪ C then x ∈ D ∪ E (by definition of ⊆). x ∈ B ∪ C iff x ∈ B
or x ∈ C (by definition of ∪). Similarly, x ∈ D ∪ E iff x ∈ D or x ∈ E. So, we
have to show: for any x, if x ∈ B or x ∈ C, then x ∈ D or x ∈ E.

So far we’ve only unpacked definitions! We’ve reformulated our

proposition without ⊆ and ∪ and are left with trying to prove a
universal conditional claim. By what we’ve discussed above, this
is done by assuming that x is something about which we assume
the “if” part is true, and we’ll go on to show that the “then” part is

930 Release : d3a1905 (2022-12-19)

70.4. INFERENCE PATTERNS

true as well. In other words, we’ll assume that x ∈ B or x ∈ C and

show that x ∈ D or x ∈ E.2

Suppose that x ∈ B or x ∈ C. We have to show that x ∈ D or x ∈ E. We

distinguish cases.
Case 1: x ∈ B. By (c), x ∈ D. Thus, x ∈ D or x ∈ E. (Here we’ve made the
inference discussed in the preceding subsection!)
Case 2: x ∈ C. By (d), x ∈ E. Thus, x ∈ D or x ∈ E.

Proving an Existence Claim

When asked to prove an existence claim, the question will usually be of the
form “prove that there is an x such that . . . x . . . ”, i.e., that some object that
has the property described by “. . . x . . . ”. In this case you’ll have to identify a
suitable object show that is has the required property. This sounds straightfor-
ward, but a proof of this kind can be tricky. Typically it involves constructing
or defining an object and proving that the object so defined has the required
property. Finding the right object may be hard, proving that it has the re-
quired property may be hard, and sometimes it’s even tricky to show that
you’ve succeeded in defining an object at all!
Generally, you’d write this out by specifying the object, e.g., “let x be . . . ”
(where . . . specifies which object you have in mind), possibly proving that . . .
in fact describes an object that exists, and then go on to show that x has the
property Q. Here’s a simple example.

Proposition 70.6. Suppose that x ∈ B. Then there is an A such that A ⊆ B and

A ̸= ∅.

Proof. Assume x ∈ B. Let A = { x }.

Here we’ve defined the set A by enumerating its elements. Since

we assume that x is an object, and we can always form a set by
enumerating its elements, we don’t have to show that we’ve suc-
ceeded in defining a set A here. However, we still have to show
that A has the properties required by the proposition. The proof
isn’t complete without that!

Since x ∈ A, A ̸= ∅.

This relies on the definition of A as { x } and the obvious facts that

/ ∅.
x ∈ { x } and x ∈

Since x is the only element of { x }, and x ∈ B, every element of A is also

an element of B. By definition of ⊆, A ⊆ B.
2 This paragraph just explains what we’re doing—it’s not part of the proof, and you don’t

have to go into all this detail when you write down your own proofs.

Release : d3a1905 (2022-12-19) 931

 CHAPTER 70. PROOFS

Using Existence Claims

Suppose you know that some existence claim is true (you’ve proved it, or it’s
a hypothesis you can use), say, “for some x, x ∈ A” or “there is an x ∈ A.” If
you want to use it in your proof, you can just pretend that you have a name
for one of the things which your hypothesis says exist. Since A contains at
least one thing, there are things to which that name might refer. You might of
course not be able to pick one out or describe it further (other than that it is
∈ A). But for the purpose of the proof, you can pretend that you have picked
it out and give a name to it. It’s important to pick a name that you haven’t
already used (or that appears in your hypotheses), otherwise things can go
wrong. In your proof, you indicate this by going from “for some x, x ∈ A” to
“Let a ∈ A.” Now you can reason about a, use some other hypotheses, etc.,
until you come to a conclusion, p. If p no longer mentions a, p is independent
of the asusmption that a ∈ A, and you’ve shown that it follows just from the
assumption “for some x, x ∈ A.”

Proposition 70.7. If A ̸= ∅, then A ∪ B ̸= ∅.

Proof. Suppose A ̸= ∅. So for some x, x ∈ A.

Here we first just restated the hypothesis of the proposition. This

hypothesis, i.e., A ̸= ∅, hides an existential claim, which you get
to only by unpacking a few definitions. The definition of = tells
us that A = ∅ iff every x ∈ A is also ∈ ∅ and every x ∈ ∅ is also
∈ A. Negating both sides, we get: A ̸= ∅ iff either some x ∈ A
/ ∅ or some x ∈ ∅ is ∈
is ∈ / A. Since nothing is ∈ ∅, the second
disjunct can never be true, and “x ∈ A and x ∈ / ∅” reduces to just
x ∈ A. So x ̸= ∅ iff for some x, x ∈ A. That’s an existence claim.
Now we use that existence claim by introducing a name for one of
the elements of A:

Let a ∈ A.

Now we’ve introduced a name for one of the things ∈ A. We’ll

continue to argue about a, but we’ll be careful to only assume that
a ∈ A and nothing else:

Since a ∈ A, a ∈ A ∪ B, by definition of ∪. So for some x, x ∈ A ∪ B, i.e.,

A ∪ B ̸= ∅.

In that last step, we went from “a ∈ A ∪ B” to “for some x, x ∈

A ∪ B.” That doesn’t mention a anymore, so we know that “for
some x, x ∈ A ∪ B” follows from “for some x, x ∈ A alone.” But
that means that A ∪ B ̸= ∅.

932 Release : d3a1905 (2022-12-19)

70.5. AN EXAMPLE

It’s maybe good practice to keep bound variables like “x” separate from
hypothetical names like a, like we did. In practice, however, we often don’t
and just use x, like so:

Suppose A ̸= ∅, i.e., there is an x ∈ A. By definition of ∪, x ∈

A ∪ B. So A ∪ B ̸= ∅.

However, when you do this, you have to be extra careful that you use different
x’s and y’s for different existential claims. For instance, the following is not a
correct proof of “If A ̸= ∅ and B ̸= ∅ then A ∩ B ̸= ∅” (which is not true).

Suppose A ̸= ∅ and B ̸= ∅. So for some x, x ∈ A and also for

some x, x ∈ B. Since x ∈ A and x ∈ B, x ∈ A ∩ B, by definition
of ∩. So A ∩ B ̸= ∅.

Can you spot where the incorrect step occurs and explain why the result does
not hold?

70.5 An Example
Our first example is the following simple fact about unions and intersections
of sets. It will illustrate unpacking definitions, proofs of conjunctions, of uni-
versal claims, and proof by cases.

Proposition 70.8. For any sets A, B, and C, A ∪ ( B ∩ C ) = ( A ∪ B) ∩ ( A ∪ C )

Let’s prove it!

Proof. We want to show that for any sets A, B, and C, A ∪ ( B ∩ C ) = ( A ∪ B) ∩

( A ∪ C)

First we unpack the definition of “=” in the statement of the propo-

sition. Recall that proving sets identical means showing that the
sets have the same elements. That is, all elements of A ∪ ( B ∩ C )
are also elements of ( A ∪ B) ∩ ( A ∪ C ), and vice versa. The “vice
versa” means that also every element of ( A ∪ B) ∩ ( A ∪ C ) must
be an element of A ∪ ( B ∩ C ). So in unpacking the definition, we
see that we have to prove a conjunction. Let’s record this:

By definition, A ∪ ( B ∩ C ) = ( A ∪ B) ∩ ( A ∪ C ) iff every element of A ∪ ( B ∩ C )

is also an element of ( A ∪ B) ∩ ( A ∪ C ), and every element of ( A ∪ B) ∩ ( A ∪ C )
is an element of A ∪ ( B ∩ C ).

Since this is a conjunction, we must prove each conjunct separately.

Lets start with the first: let’s prove that every element of A ∪ ( B ∩
C ) is also an element of ( A ∪ B) ∩ ( A ∪ C ).

Release : d3a1905 (2022-12-19) 933

 CHAPTER 70. PROOFS

This is a universal claim, and so we consider an arbitrary element

of A ∪ ( B ∩ C ) and show that it must also be an element of ( A ∪
B) ∩ ( A ∪ C ). We’ll pick a variable to call this arbitrary element by,
say, z. Our proof continues:

First, we prove that every element of A ∪ ( B ∩ C ) is also an element of ( A ∪

B) ∩ ( A ∪ C ). Let z ∈ A ∪ ( B ∩ C ). We have to show that z ∈ ( A ∪ B) ∩ ( A ∪ C ).

Now it is time to unpack the definition of ∪ and ∩. For instance,

the definition of ∪ is: A ∪ B = {z : z ∈ A or z ∈ B}. When we
apply the definition to “A ∪ ( B ∩ C ),” the role of the “B” in the
definition is now played by “B ∩ C,” so A ∪ ( B ∩ C ) = {z : z ∈
A or z ∈ B ∩ C }. So our assumption that z ∈ A ∪ ( B ∩ C ) amounts
to: z ∈ {z : z ∈ A or z ∈ B ∩ C }. And z ∈ {z : . . . z . . .} iff . . . z . . . ,
i.e., in this case, z ∈ A or z ∈ B ∩ C.

By the definition of ∪, either z ∈ A or z ∈ B ∩ C.

Since this is a disjunction, it will be useful to apply proof by cases.

We take the two cases, and show that in each one, the conclusion
we’re aiming for (namely, “z ∈ ( A ∪ B) ∩ ( A ∪ C )”) obtains.

Case 1: Suppose that z ∈ A.

There’s not much more to work from based on our assumptions.

So let’s look at what we have to work with in the conclusion. We
want to show that z ∈ ( A ∪ B) ∩ ( A ∪ C ). Based on the definition
of ∩, if we want to show that z ∈ ( A ∪ B) ∩ ( A ∪ C ), we have to
show that it’s in both ( A ∪ B) and ( A ∪ C ). But z ∈ A ∪ B iff z ∈ A
or z ∈ B, and we already have (as the assumption of case 1) that
z ∈ A. By the same reasoning—switching C for B—z ∈ A ∪ C.
This argument went in the reverse direction, so let’s record our
reasoning in the direction needed in our proof.

Since z ∈ A, z ∈ A or z ∈ B, and hence, by definition of ∪, z ∈ A ∪ B.

Similarly, z ∈ A ∪ C. But this means that z ∈ ( A ∪ B) ∩ ( A ∪ C ), by definition
of ∩.

This completes the first case of the proof by cases. Now we want
to derive the conclusion in the second case, where z ∈ B ∩ C.

Case 2: Suppose that z ∈ B ∩ C.

Again, we are working with the intersection of two sets. Let’s ap-
ply the definition of ∩:

Since z ∈ B ∩ C, z must be an element of both B and C, by definition of ∩.

934 Release : d3a1905 (2022-12-19)

70.5. AN EXAMPLE

It’s time to look at our conclusion again. We have to show that z is

in both ( A ∪ B) and ( A ∪ C ). And again, the solution is immediate.
Since z ∈ B, z ∈ ( A ∪ B). Since z ∈ C, also z ∈ ( A ∪ C ). So, z ∈ ( A ∪ B) ∩
( A ∪ C ).
Here we applied the definitions of ∪ and ∩ again, but since we’ve
already recalled those definitions, and already showed that if z is
in one of two sets it is in their union, we don’t have to be as explicit
in what we’ve done.
We’ve completed the second case of the proof by cases, so now we
can assert our first conclusion.
So, if z ∈ A ∪ ( B ∩ C ) then z ∈ ( A ∪ B) ∩ ( A ∪ C ).
Now we just want to show the other direction, that every element
of ( A ∪ B) ∩ ( A ∪ C ) is an element of A ∪ ( B ∩ C ). As before, we
prove this universal claim by assuming we have an arbitrary ele-
ment of the first set and show it must be in the second set. Let’s
state what we’re about to do.
Now, assume that z ∈ ( A ∪ B) ∩ ( A ∪ C ). We want to show that z ∈ A ∪ ( B ∩
C ).
We are now working from the hypothesis that z ∈ ( A ∪ B) ∩ ( A ∪
C ). It hopefully isn’t too confusing that we’re using the same z here
as in the first part of the proof. When we finished that part, all the
assumptions we’ve made there are no longer in effect, so now we
can make new assumptions about what z is. If that is confusing to
you, just replace z with a different variable in what follows.
We know that z is in both A ∪ B and A ∪ C, by definition of ∩. And
by the definition of ∪, we can further unpack this to: either z ∈ A
or z ∈ B, and also either z ∈ A or z ∈ C. This looks like a proof
by cases again—except the “and” makes it confusing. You might
think that this amounts to there being three possibilities: z is either
in A, B or C. But that would be a mistake. We have to be careful,
so let’s consider each disjunction in turn.
By definition of ∩, z ∈ A ∪ B and z ∈ A ∪ C. By definition of ∪, z ∈ A or
z ∈ B. We distinguish cases.
Since we’re focusing on the first disjunction, we haven’t gotten our
second disjunction (from unpacking A ∪ C) yet. In fact, we don’t
need it yet. The first case is z ∈ A, and an element of a set is also
an element of the union of that set with any other. So case 1 is easy:
Case 1: Suppose that z ∈ A. It follows that z ∈ A ∪ ( B ∩ C ).

Release : d3a1905 (2022-12-19) 935

 CHAPTER 70. PROOFS

Now for the second case, z ∈ B. Here we’ll unpack the second ∪
and do another proof-by-cases:
Case 2: Suppose that z ∈ B. Since z ∈ A ∪ C, either z ∈ A or z ∈ C. We
distinguish cases further:
Case 2a: z ∈ A. Then, again, z ∈ A ∪ ( B ∩ C ).
Ok, this was a bit weird. We didn’t actually need the assumption
that z ∈ B for this case, but that’s ok.
Case 2b: z ∈ C. Then z ∈ B and z ∈ C, so z ∈ B ∩ C, and consequently,
z ∈ A ∪ ( B ∩ C ).
This concludes both proofs-by-cases and so we’re done with the
second half.
So, if z ∈ ( A ∪ B) ∩ ( A ∪ C ) then z ∈ A ∪ ( B ∩ C ).

70.6 Another Example

Proposition 70.9. If A ⊆ C, then A ∪ (C \ A) = C.

Proof. Suppose that A ⊆ C. We want to show that A ∪ (C \ A) = C.

We begin by observing that this is a conditional statement. It is
tacitly universally quantified: the proposition holds for all sets A
and C. So A and C are variables for arbitrary sets. To prove such a
statement, we assume the antecedent and prove the consequent.
We continue by using the assumption that A ⊆ C. Let’s unpack
the definition of ⊆: the assumption means that all elements of A
are also elements of C. Let’s write this down—it’s an important
fact that we’ll use throughout the proof.
By the definition of ⊆, since A ⊆ C, for all z, if z ∈ A, then z ∈ C.
We’ve unpacked all the definitions that are given to us in the as-
sumption. Now we can move onto the conclusion. We want to
show that A ∪ (C \ A) = C, and so we set up a proof similarly
to the last example: we show that every element of A ∪ (C \ A) is
also an element of C and, conversely, every element of C is an ele-
ment of A ∪ (C \ A). We can shorten this to: A ∪ (C \ A) ⊆ C and
C ⊆ A ∪ (C \ A). (Here we’re doing the opposite of unpacking a
definition, but it makes the proof a bit easier to read.) Since this is
a conjunction, we have to prove both parts. To show the first part,
i.e., that every element of A ∪ (C \ A) is also an element of C, we
assume that z ∈ A ∪ (C \ A) for an arbitrary z and show that z ∈ C.
By the definition of ∪, we can conclude that z ∈ A or z ∈ C \ A
from z ∈ A ∪ (C \ A). You should now be getting the hang of this.

936 Release : d3a1905 (2022-12-19)

70.7. PROOF BY CONTRADICTION

A ∪ (C \ A) = C iff A ∪ (C \ A) ⊆ C and C ⊆ ( A ∪ (C \ A). First we prove

that A ∪ (C \ A) ⊆ C. Let z ∈ A ∪ (C \ A). So, either z ∈ A or z ∈ (C \ A).

We’ve arrived at a disjunction, and from it we want to prove that

z ∈ C. We do this using proof by cases.

Case 1: z ∈ A. Since for all z, if z ∈ A, z ∈ C, we have that z ∈ C.

Here we’ve used the fact recorded earlier which followed from the
hypothesis of the proposition that A ⊆ C. The first case is com-
plete, and we turn to the second case, z ∈ (C \ A). Recall that
C \ A denotes the difference of the two sets, i.e., the set of all ele-
ments of C which are not elements of A. But any element of C not
in A is in particular an element of C.

Case 2: z ∈ (C \ A). This means that z ∈ C and z ∈

/ A. So, in particular, z ∈ C.

Great, we’ve proved the first direction. Now for the second direc-
tion. Here we prove that C ⊆ A ∪ (C \ A). So we assume that
z ∈ C and prove that z ∈ A ∪ (C \ A).

Now let z ∈ C. We want to show that z ∈ A or z ∈ C \ A.

Since all elements of A are also elements of C, and C \ A is the set of

all things that are elements of C but not A, it follows that z is either
in A or in C \ A. This may be a bit unclear if you don’t already
know why the result is true. It would be better to prove it step-by-
step. It will help to use a simple fact which we can state without
proof: z ∈ A or z ∈ / A. This is called the “principle of excluded
middle:” for any statement p, either p is true or its negation is true.
(Here, p is the statement that z ∈ A.) Since this is a disjunction, we
can again use proof-by-cases.

Either z ∈ A or z ∈
/ A. In the former case, z ∈ A ∪ (C \ A). In the latter case,
z ∈ C and z ∈
/ A, so z ∈ C \ A. But then z ∈ A ∪ (C \ A).

Our proof is complete: we have shown that A ∪ (C \ A) = C.

70.7 Proof by Contradiction

In the first instance, proof by contradiction is an inference pattern that is used
to prove negative claims. Suppose you want to show that some claim p is false,
i.e., you want to show ¬ p. The most promising strategy is to (a) suppose that
p is true, and (b) show that this assumption leads to something you know to
be false. “Something known to be false” may be a result that conflicts with—
contradicts—p itself, or some other hypothesis of the overall claim you are

Release : d3a1905 (2022-12-19) 937

 CHAPTER 70. PROOFS

considering. For instance, a proof of “if q then ¬ p” involves assuming that

q is true and proving ¬ p from it. If you prove ¬ p by contradiction, that means
assuming p in addition to q. If you can prove ¬q from p, you have shown that
the assumption p leads to something that contradicts your other assumption q,
since q and ¬q cannot both be true. Of course, you have to use other inference
patterns in your proof of the contradiction, as well as unpacking definitions.
Let’s consider an example.

Proposition 70.10. If A ⊆ B and B = ∅, then A has no elements.

Proof. Suppose A ⊆ B and B = ∅. We want to show that A has no elements.

Since this is a conditional claim, we assume the antecedent and

want to prove the consequent. The consequent is: A has no ele-
ments. We can make that a bit more explicit: it’s not the case that
there is an x ∈ A.

A has no elements iff it’s not the case that there is an x such that x ∈ A.

So we’ve determined that what we want to prove is really a nega-

tive claim ¬ p, namely: it’s not the case that there is an x ∈ A. To
use proof by contradiction, we have to assume the corresponding
positive claim p, i.e., there is an x ∈ A, and prove a contradiction
from it. We indicate that we’re doing a proof by contradiction by
writing “by way of contradiction, assume” or even just “suppose
not,” and then state the assumption p.

Suppose not: there is an x ∈ A.

This is now the new assumption we’ll use to obtain a contradic-

tion. We have two more assumptions: that A ⊆ B and that B = ∅.
The first gives us that x ∈ B:

Since A ⊆ B, x ∈ B.

But since B = ∅, every element of B (e.g., x) must also be an ele-

ment of ∅.

Since B = ∅, x ∈ ∅. This is a contradiction, since by definition ∅ has no

elements.

This already completes the proof: we’ve arrived at what we need

(a contradiction) from the assumptions we’ve set up, and this means
that the assumptions can’t all be true. Since the first two assump-
tions (A ⊆ B and B = ∅) are not contested, it must be the last
assumption introduced (there is an x ∈ A) that must be false. But
if we want to be thorough, we can spell this out.

938 Release : d3a1905 (2022-12-19)

70.7. PROOF BY CONTRADICTION

Thus, our assumption that there is an x ∈ A must be false, hence, A has no

elements by proof by contradiction.

Every positive claim is trivially equivalent to a negative claim: p iff ¬¬ p.

So proofs by contradiction can also be used to establish positive claims “indi-
rectly,” as follows: To prove p, read it as the negative claim ¬¬ p. If we can
prove a contradiction from ¬ p, we’ve established ¬¬ p by proof by contradic-
tion, and hence p.
In the last example, we aimed to prove a negative claim, namely that A
has no elements, and so the assumption we made for the purpose of proof
by contradiction (i.e., that there is an x ∈ A) was a positive claim. It gave
us something to work with, namely the hypothetical x ∈ A about which we
continued to reason until we got to x ∈ ∅.
When proving a positive claim indirectly, the assumption you’d make for
the purpose of proof by contradiction would be negative. But very often you
can easily reformulate a positive claim as a negative claim, and a negative
claim as a positive claim. Our previous proof would have been essentially the
same had we proved “A = ∅” instead of the negative consequent “A has no
elements.” (By definition of =, “A = ∅” is a general claim, since it unpacks to
“every element of A is an element of ∅ and vice versa”.) But it is easily seen
to be equivalent to the negative claim “not: there is an x ∈ A.”
So it is sometimes easier to work with ¬ p as an assumption than it is to
prove p directly. Even when a direct proof is just as simple or even simpler
(as in the next examples), some people prefer to proceed indirectly. If the dou-
ble negation confuses you, think of a proof by contradiction of some claim as
a proof of a contradiction from the opposite claim. So, a proof by contradic-
tion of ¬ p is a proof of a contradiction from the assumption p; and proof by
contradiction of p is a proof of a contradiction from ¬ p.
Proposition 70.11. A ⊆ A ∪ B.

Proof. We want to show that A ⊆ A ∪ B.

On the face of it, this is a positive claim: every x ∈ A is also in
A ∪ B. The negation of that is: some x ∈ A is ∈ / A ∪ B. So we can
prove the claim indirectly by assuming this negated claim, and
showing that it leads to a contradiction.
Suppose not, i.e., A ⊈ A ∪ B.
We have a definition of A ⊆ A ∪ B: every x ∈ A is also ∈ A ∪ B.
To understand what A ⊈ A ∪ B means, we have to use some ele-
mentary logical manipulation on the unpacked definition: it’s false
that every x ∈ A is also ∈ A ∪ B iff there is some x ∈ A that is
∈
/ C. (This is a place where you want to be very careful: many stu-
dents’ attempted proofs by contradiction fail because they analyze

Release : d3a1905 (2022-12-19) 939

 CHAPTER 70. PROOFS

the negation of a claim like “all As are Bs” incorrectly.) In other

words, A ⊈ A ∪ B iff there is an x such that x ∈ A and x ∈ / A ∪ B.
From then on, it’s easy.
So, there is an x ∈ A such that x ∈
/ A ∪ B. By definition of ∪, x ∈ A ∪ B
iff x ∈ A or x ∈ B. Since x ∈ A, we have x ∈ A ∪ B. This contradicts the
assumption that x ∈/ A ∪ B.

Proposition 70.12. If A ⊆ B and B ⊆ C then A ⊆ C.

Proof. Suppose A ⊆ B and B ⊆ C. We want to show A ⊆ C.

Let’s proceed indirectly: we assume the negation of what we want
to etablish.
Suppose not, i.e., A ⊈ C.
As before, we reason that A ⊈ C iff not every x ∈ A is also ∈ C,
i.e., some x ∈ A is ∈
/ C. Don’t worry, with practice you won’t have
to think hard anymore to unpack negations like this.
In other words, there is an x such that x ∈ A and x ∈
/ C.
Now we can use this to get to our contradiction. Of course, we’ll
have to use the other two assumptions to do it.
Since A ⊆ B, x ∈ B. Since B ⊆ C, x ∈ C. But this contradicts x ∈
/ C.

Proposition 70.13. If A ∪ B = A ∩ B then A = B.

Proof. Suppose A ∪ B = A ∩ B. We want to show that A = B.

The beginning is now routine:
Assume, by way of contradiction, that A ̸= B.
Our assumption for the proof by contradiction is that A ̸= B. Since
A = B iff A ⊆ B an B ⊆ A, we get that A ̸= B iff A ⊈ B or B ⊈ A.
(Note how important it is to be careful when manipulating nega-
tions!) To prove a contradiction from this disjunction, we use a
proof by cases and show that in each case, a contradiction follows.
A ̸= B iff A ⊈ B or B ⊈ A. We distinguish cases.
In the first case, we assume A ⊈ B, i.e., for some x, x ∈ A but ∈
/ B.
A ∩ B is defined as those elements that A and B have in common,
so if something isn’t in one of them, it’s not in the intersection.
A ∪ B is A together with B, so anything in either is also in the
union. This tells us that x ∈ A ∪ B but x ∈ / A ∩ B, and hence that
A ∩ B ̸= A ∪ B.

940 Release : d3a1905 (2022-12-19)

70.8. READING PROOFS

Case 1: A ⊈ B. Then for some x, x ∈ A but x ∈ / B. Since x ∈/ B, then

x ∈
/ A ∩ B. Since x ∈ A, x ∈ A ∪ B. So, A ∩ B ̸= A ∪ B, contradicting the
assumption that A ∩ B = A ∪ B.
Case 2: B ⊈ A. Then for some y, y ∈ B but y ∈ / A. As before, we have
y ∈ A ∪ B but y ∈
/ A ∩ B, and so A ∩ B ̸= A ∪ B, again contradicting A ∩ B =
A ∪ B.

70.8 Reading Proofs

Proofs you find in textbooks and articles very seldom give all the details we
have so far included in our examples. Authors often do not draw attention
to when they distinguish cases, when they give an indirect proof, or don’t
mention that they use a definition. So when you read a proof in a textbook,
you will often have to fill in those details for yourself in order to understand
the proof. Doing this is also good practice to get the hang of the various moves
you have to make in a proof. Let’s look at an example.

Proposition 70.14 (Absorption). For all sets A, B,

A ∩ ( A ∪ B) = A

Proof. If z ∈ A ∩ ( A ∪ B), then z ∈ A, so A ∩ ( A ∪ B) ⊆ A. Now suppose

z ∈ A. Then also z ∈ A ∪ B, and therefore also z ∈ A ∩ ( A ∪ B).

The preceding proof of the absorption law is very condensed. There is no

mention of any definitions used, no “we have to prove that” before we prove
it, etc. Let’s unpack it. The proposition proved is a general claim about any
sets A and B, and when the proof mentions A or B, these are variables for
arbitrary sets. The general claims the proof establishes is what’s required to
prove identity of sets, i.e., that every element of the left side of the identity is
an element of the right and vice versa.

“If z ∈ A ∩ ( A ∪ B), then z ∈ A, so A ∩ ( A ∪ B) ⊆ A.”

This is the first half of the proof of the identity: it estabishes that if an
arbitrary z is an element of the left side, it is also an element of the right, i.e.,
A ∩ ( A ∪ B) ⊆ A. Assume that z ∈ A ∩ ( A ∪ B). Since z is an element of
the intersection of two sets iff it is an element of both sets, we can conclude
that z ∈ A and also z ∈ A ∪ B. In particular, z ∈ A, which is what we
wanted to show. Since that’s all that has to be done for the first half, we know
that the rest of the proof must be a proof of the second half, i.e., a proof that
A ⊆ A ∩ ( A ∪ B ).

“Now suppose z ∈ A. Then also z ∈ A ∪ B, and therefore also

z ∈ A ∩ ( A ∪ B).”

Release : d3a1905 (2022-12-19) 941

 CHAPTER 70. PROOFS

We start by assuming that z ∈ A, since we are showing that, for any z, if

z ∈ A then z ∈ A ∩ ( A ∪ B). To show that z ∈ A ∩ ( A ∪ B), we have to show
(by definition of “∩”) that (i) z ∈ A and also (ii) z ∈ A ∪ B. Here (i) is just
our assumption, so there is nothing further to prove, and that’s why the proof
does not mention it again. For (ii), recall that z is an element of a union of sets
iff it is an element of at least one of those sets. Since z ∈ A, and A ∪ B is the
union of A and B, this is the case here. So z ∈ A ∪ B. We’ve shown both (i)
z ∈ A and (ii) z ∈ A ∪ B, hence, by definition of “∩,” z ∈ A ∩ ( A ∪ B). The
proof doesn’t mention those definitions; it’s assumed the reader has already
internalized them. If you haven’t, you’ll have to go back and remind yourself
what they are. Then you’ll also have to recognize why it follows from z ∈ A
that z ∈ A ∪ B, and from z ∈ A and z ∈ A ∪ B that z ∈ A ∩ ( A ∪ B).
Here’s another version of the proof above, with everything made explicit:

Proof. [By definition of = for sets, A ∩ ( A ∪ B) = A we have to show (a)

A ∩ ( A ∪ B) ⊆ A and (b) A ∩ ( A ∪ B) ⊆ A. (a): By definition of ⊆, we have
to show that if z ∈ A ∩ ( A ∪ B), then z ∈ A.] If z ∈ A ∩ ( A ∪ B), then
z ∈ A [since by definition of ∩, z ∈ A ∩ ( A ∪ B) iff z ∈ A and z ∈ A ∪ B],
so A ∩ ( A ∪ B) ⊆ A. [(b): By definition of ⊆, we have to show that if z ∈ A,
then z ∈ A ∩ ( A ∪ B).] Now suppose [(1)] z ∈ A. Then also [(2)] z ∈ A ∪ B
[since by (1) z ∈ A or z ∈ B, which by definition of ∪ means z ∈ A ∪ B], and
therefore also z ∈ A ∩ ( A ∪ B) [since the definition of ∩ requires that z ∈ A,
i.e., (1), and z ∈ A ∪ B), i.e., (2)].

70.9 I Can’t Do It!

We all get to a point where we feel like giving up. But you can do it. Your
instructor and teaching assistant, as well as your fellow students, can help.
Ask them for help! Here are a few tips to help you avoid a crisis, and what to
do if you feel like giving up.
To make sure you can solve problems successfully, do the following:
1. Start as far in advance as possible. We get busy throughout the semester
and many of us struggle with procrastination, one of the best things you
can do is to start your homework assignments early. That way, if you’re
stuck, you have time to look for a solution (that isn’t crying).
2. Talk to your classmates. You are not alone. Others in the class may also
struggle—but the may struggle with different things. Talking it out with
your peers can give you a different perspective on the problem that
might lead to a breakthrough. Of course, don’t just copy their solution:
ask them for a hint, or explain where you get stuck and ask them for the
next step. And when you do get it, reciprocate. Helping someone else
along, and explaining things will help you understand better, too.

942 Release : d3a1905 (2022-12-19)

70.10. OTHER RESOURCES

3. Ask for help. You have many resources available to you—your instructor
and teaching assistant are there for you and want you to succeed. They
should be able to help you work out a problem and identify where in
the process you’re struggling.

4. Take a break. If you’re stuck, it might be because you’ve been staring at the
problem for too long. Take a short break, have a cup of tea, or work on
a different problem for a while, then return to the problem with a fresh
mind. Sleep on it.

Notice how these strategies require that you’ve started to work on the
proof well in advance? If you’ve started the proof at 2am the day before it’s
due, these might not be so helpful.
This might sound like doom and gloom, but solving a proof is a challenge
that pays off in the end. Some people do this as a career—so there must be
something to enjoy about it. Like basically everything, solving problems and
doing proofs is something that requires practice. You might see classmates
who find this easy: they’ve probably just had lots of practice already. Try not
to give in too easily.
If you do run out of time (or patience) on a particular problem: that’s ok. It
doesn’t mean you’re stupid or that you will never get it. Find out (from your
instructor or another student) how it is done, and identify where you went
wrong or got stuck, so you can avoid doing that the next time you encounter
a similar issue. Then try to do it without looking at the solution. And next
time, start (and ask for help) earlier.

70.10 Other Resources

There are many books on how to do proofs in mathematics which may be
useful. Check out How to Read and do Proofs: An Introduction to Mathemati-
cal Thought Processes (Solow, 2013) and How to Prove It: A Structured Approach
(Velleman, 2019) in particular. The Book of Proof (Hammack, 2013) and Math-
ematical Reasoning (Sandstrum, 2019) are books on proof that are freely avail-
able online. Philosophers might find More Precisely: The Math you need to do
Philosophy (Steinhart, 2018) to be a good primer on mathematical reasoning.
There are also various shorter guides to proofs available on the internet;
e.g., “Introduction to Mathematical Arguments” (Hutchings, 2003) and “How
to write proofs” (Cheng, 2004).

Motivational Videos
Feel like you have no motivation to do your homework? Feeling down? These
videos might help!

• https://www.youtube.com/watch?v=ZXsQAXx_ao0

Release : d3a1905 (2022-12-19) 943

 CHAPTER 70. PROOFS

• https://www.youtube.com/watch?v=BQ4yd2W50No

• https://www.youtube.com/watch?v=StTqXEQ2l-Y

Problems
Problem 70.1. Suppose you are asked to prove that A ∩ B ̸= ∅. Unpack all
the definitions occuring here, i.e., restate this in a way that does not mention
“∩”, “=”, or “∅”.

Problem 70.2. Prove indirectly that A ∩ B ⊆ A.

Problem 70.3. Expand the following proof of A ∪ ( A ∩ B) = A, where you

mention all the inference patterns used, why each step follows from assump-
tions or claims established before it, and where we have to appeal to which
definitions.

Proof. If z ∈ A ∪ ( A ∩ B) then z ∈ A or z ∈ A ∩ B. If z ∈ A ∩ B, z ∈ A. Any

z ∈ A is also ∈ A ∪ ( A ∩ B).

944 Release : d3a1905 (2022-12-19)

Chapter 71

Induction

71.1 Introduction
Induction is an important proof technique which is used, in different forms,
in almost all areas of logic, theoretical computer science, and mathematics. It
is needed to prove many of the results in logic.
Induction is often contrasted with deduction, and characterized as the in-
ference from the particular to the general. For instance, if we observe many
green emeralds, and nothing that we would call an emerald that’s not green,
we might conclude that all emeralds are green. This is an inductive inference,
in that it proceeds from many particlar cases (this emerald is green, that emer-
ald is green, etc.) to a general claim (all emeralds are green). Mathematical
induction is also an inference that concludes a general claim, but it is of a very
different kind than this “simple induction.”
Very roughly, an inductive proof in mathematics concludes that all math-
ematical objects of a certain sort have a certain property. In the simplest case,
the mathematical objects an inductive proof is concerned with are natural
numbers. In that case an inductive proof is used to establish that all natural
numbers have some property, and it does this by showing that

1. 0 has the property, and

2. whenever a number k has the property, so does k + 1.

Induction on natural numbers can then also often be used to prove general
claims about mathematical objects that can be assigned numbers. For instance,
finite sets each have a finite number n of elements, and if we can use induction
to show that every number n has the property “all finite sets of size n are . . . ”
then we will have shown something about all finite sets.
Induction can also be generalized to mathematical objects that are induc-
tively defined. For instance, expressions of a formal language such as those of
first-order logic are defined inductively. Structural induction is a way to prove

945
 CHAPTER 71. INDUCTION

results about all such expressions. Structural induction, in particular, is very

useful—and widely used—in logic.

71.2 Induction on N
In its simplest form, induction is a technique used to prove results for all nat-
ural numbers. It uses the fact that by starting from 0 and repeatedly adding 1
we eventually reach every natural number. So to prove that something is true
for every number, we can (1) establish that it is true for 0 and (2) show that
whenever it is true for a number n, it is also true for the next number n + 1. If
we abbreviate “number n has property P” by P(n) (and “number k has prop-
erty P” by P(k), etc.), then a proof by induction that P(n) for all n ∈ N consists
of:
1. a proof of P(0), and

2. a proof that, for any k, if P(k ) then P(k + 1).

To make this crystal clear, suppose we have both (1) and (2). Then (1) tells us
that P(0) is true. If we also have (2), we know in particular that if P(0) then
P(0 + 1), i.e., P(1). This follows from the general statement “for any k, if P(k )
then P(k + 1)” by putting 0 for k. So by modus ponens, we have that P(1).
From (2) again, now taking 1 for n, we have: if P(1) then P(2). Since we’ve
just established P(1), by modus ponens, we have P(2). And so on. For any
number n, after doing this n times, we eventually arrive at P(n). So (1) and (2)
together establish P(n) for any n ∈ N.
Let’s look at an example. Suppose we want to find out how many different
sums we can throw with n dice. Although it might seem silly, let’s start with
0 dice. If you have no dice there’s only one possible sum you can “throw”:
no dots at all, which sums to 0. So the number of different possible throws
is 1. If you have only one die, i.e., n = 1, there are six possible values, 1
through 6. With two dice, we can throw any sum from 2 through 12, that’s
11 possibilities. With three dice, we can throw any number from 3 to 18, i.e.,
16 different possibilities. 1, 6, 11, 16: looks like a pattern: maybe the answer
is 5n + 1? Of course, 5n + 1 is the maximum possible, because there are only
5n + 1 numbers between n, the lowest value you can throw with n dice (all
1’s) and 6n, the highest you can throw (all 6’s).
Theorem 71.1. With n dice one can throw all 5n + 1 possible values between n and
6n.

Proof. Let P(n) be the claim: “It is possible to throw any number between n
and 6n using n dice.” To use induction, we prove:
1. The induction basis P(1), i.e., with just one die, you can throw any num-
ber between 1 and 6.

946 Release : d3a1905 (2022-12-19)

71.2. INDUCTION ON N

2. The induction step, for all k, if P(k) then P(k + 1).

(1) Is proved by inspecting a 6-sided die. It has all 6 sides, and every num-
ber between 1 and 6 shows up one on of the sides. So it is possible to throw
any number between 1 and 6 using a single die.
To prove (2), we assume the antecedent of the conditional, i.e., P(k). This
assumption is called the inductive hypothesis. We use it to prove P(k + 1). The
hard part is to find a way of thinking about the possible values of a throw of
k + 1 dice in terms of the possible values of throws of k dice plus of throws of
the extra k + 1-st die—this is what we have to do, though, if we want to use
the inductive hypothesis.
The inductive hypothesis says we can get any number between k and 6k
using k dice. If we throw a 1 with our (k + 1)-st die, this adds 1 to the total.
So we can throw any value between k + 1 and 6k + 1 by throwing k dice and
then rolling a 1 with the (k + 1)-st die. What’s left? The values 6k + 2 through
6k + 6. We can get these by rolling k 6s and then a number between 2 and 6
with our (k + 1)-st die. Together, this means that with k + 1 dice we can throw
any of the numbers between k + 1 and 6(k + 1), i.e., we’ve proved P(k + 1)
using the assumption P(k), the inductive hypothesis.

Very often we use induction when we want to prove something about a

series of objects (numbers, sets, etc.) that is itself defined “inductively,” i.e.,
by defining the (n + 1)-st object in terms of the n-th. For instance, we can
define the sum sn of the natural numbers up to n by

s0 = 0
s n +1 = s n + ( n + 1 )

This definition gives:

s0 = 0,
s1 = s0 + 1 = 1,
s2 = s1 + 2 = 1+2 = 3
s3 = s2 + 3 = 1 + 2 + 3 = 6, etc.

Now we can prove, by induction, that sn = n(n + 1)/2.

Proposition 71.2. sn = n(n + 1)/2.

Proof. We have to prove (1) that s0 = 0 · (0 + 1)/2 and (2) if sk = k(k + 1)/2
then sk+1 = (k + 1)(k + 2)/2. (1) is obvious. To prove (2), we assume the
inductive hypothesis: sk = k (k + 1)/2. Using it, we have to show that sk+1 =
(k + 1)(k + 2)/2.

Release : d3a1905 (2022-12-19) 947

 CHAPTER 71. INDUCTION

What is sk+1 ? By the definition, sk+1 = sk + (k + 1). By inductive hypoth-

esis, sk = k(k + 1)/2. We can substitute this into the previous equation, and
then just need a bit of arithmetic of fractions:

k ( k + 1)
s k +1 = + ( k + 1) =
2
k ( k + 1) 2( k + 1)
= + =
2 2
k ( k + 1) + 2( k + 1)
= =
2
(k + 2)(k + 1)
= .
2

The important lesson here is that if you’re proving something about some
inductively defined sequence an , induction is the obvious way to go. And
even if it isn’t (as in the case of the possibilities of dice throws), you can use
induction if you can somehow relate the case for k + 1 to the case for k.

71.3 Strong Induction

In the principle of induction discussed above, we prove P(0) and also if P(k),
then P(k + 1). In the second part, we assume that P(k) is true and use this
assumption to prove P(k + 1). Equivalently, of course, we could assume P(k −
1) and use it to prove P(k)—the important part is that we be able to carry out
the inference from any number to its successor; that we can prove the claim in
question for any number under the assumption it holds for its predecessor.
There is a variant of the principle of induction in which we don’t just as-
sume that the claim holds for the predecessor k − 1 of k, but for all numbers
smaller than k, and use this assumption to establish the claim for k. This also
gives us the claim P(n) for all n ∈ N. For once we have established P(0), we
have thereby established that P holds for all numbers less than 1. And if we
know that if P(l ) for all l < k, then P(k), we know this in particular for k = 1.
So we can conclude P(1). With this we have proved P(0) and P(1), i.e., P(l )
for all l < 2, and since we have also the conditional, if P(l ) for all l < 2, then
P(2), we can conclude P(2), and so on.
In fact, if we can establish the general conditional “for all k, if P(l ) for all
l < k, then P(k ),” we do not have to establish P(0) anymore, since it follows
from it. For remember that a general claim like “for all l < k, P(l )” is true if
there are no l < k. This is a case of vacuous quantification: “all As are Bs” is
true if there are no As, ∀ x ( φ( x ) → ψ( x )) is true if no x satisfies φ( x ). In this
case, the formalized version would be “∀l (l < k → P(l ))”—and that is true if
there are no l < k. And if k = 0 that’s exactly the case: no l < 0, hence “for all
l < 0, P(0)” is true, whatever P is. A proof of “if P(l ) for all l < k, then P(k)”
thus automatically establishes P(0).

948 Release : d3a1905 (2022-12-19)

71.4. INDUCTIVE DEFINITIONS

This variant is useful if establishing the claim for k can’t be made to just
rely on the claim for k − 1 but may require the assumption that it is true for
one or more l < k.

71.4 Inductive Definitions

In logic we very often define kinds of objects inductively, i.e., by specifying
rules for what counts as an object of the kind to be defined which explain how
to get new objects of that kind from old objects of that kind. For instance,
we often define special kinds of sequences of symbols, such as the terms and
formulas of a language, by induction. For a simple example, consider strings
of consisting of letters a, b, c, d, the symbol ◦, and brackets [ and ], such
as “[[c ◦ d][”, “[a[]◦]”, “a” or “[[a ◦ b] ◦ d]”. You probably feel that there’s
something “wrong” with the first two strings: the brackets don’t “balance” at
all in the first, and you might feel that the “◦” should “connect” expressions
that themselves make sense. The third and fourth string look better: for every
“[” there’s a closing “]” (if there are any at all), and for any ◦ we can find “nice”
expressions on either side, surrounded by a pair of parentheses.
We would like to precisely specify what counts as a “nice term.” First of
all, every letter by itself is nice. Anything that’s not just a letter by itself should
be of the form “[t ◦ s]” where s and t are themselves nice. Conversely, if t and
s are nice, then we can form a new nice term by putting a ◦ between them and
surround them by a pair of brackets. We might use these operations to define
the set of nice terms. This is an inductive definition.

Definition 71.3 (Nice terms). The set of nice terms is inductively defined as
follows:

1. Any letter a, b, c, d is a nice term.

2. If s1 and s2 are nice terms, then so is [s1 ◦ s2 ].

3. Nothing else is a nice term.

This definition tells us that something counts as a nice term iff it can be
constructed according to the two conditions (1) and (2) in some finite number
of steps. In the first step, we construct all nice terms just consisting of letters
by themselves, i.e.,
a, b, c, d
In the second step, we apply (2) to the terms we’ve constructed. We’ll get

[a ◦ a], [a ◦ b], [b ◦ a], . . . , [d ◦ d]

for all combinations of two letters. In the third step, we apply (2) again, to any
two nice terms we’ve constructed so far. We get new nice term such as [a ◦ [a ◦

Release : d3a1905 (2022-12-19) 949

 CHAPTER 71. INDUCTION

a]]—where t is a from step 1 and s is [a ◦ a] from step 2—and [[b ◦ c] ◦ [d ◦ b]]

constructed out of the two terms [b ◦ c] and [d ◦ b] from step 2. And so on.
Clause (3) rules out that anything not constructed in this way sneaks into the
set of nice terms.
Note that we have not yet proved that every sequence of symbols that
“feels” nice is nice according to this definition. However, it should be clear
that everything we can construct does in fact “feel nice”: brackets are bal-
anced, and ◦ connects parts that are themselves nice.
The key feature of inductive definitions is that if you want to prove some-
thing about all nice terms, the definition tells you which cases you must con-
sider. For instance, if you are told that t is a nice term, the inductive definition
tells you what t can look like: t can be a letter, or it can be [s1 ◦ s2 ] for some pair
of nice terms s1 and s2 . Because of clause (3), those are the only possibilities.
When proving claims about all of an inductively defined set, the strong
form of induction becomes particularly important. For instance, suppose we
want to prove that for every nice term of length n, the number of [ in it is <
n/2. This can be seen as a claim about all n: for every n, the number of [ in
any nice term of length n is < n/2.

Proposition 71.4. For any n, the number of [ in a nice term of length n is < n/2.

Proof. To prove this result by (strong) induction, we have to show that the
following conditional claim is true:

If for every l < k, any nice term of length l has < l/2 [’s, then any
nice term of length k has < k/2 [’s.

To show this conditional, assume that its antecedent is true, i.e., assume that
for any l < k, nice terms of length l contain < l/2 [’s. We call this assumption
the inductive hypothesis. We want to show the same is true for nice terms of
length k.
So suppose t is a nice term of length k. Because nice terms are inductively
defined, we have two cases: (1) t is a letter by itself, or (2) t is [s1 ◦ s2 ] for some
nice terms s1 and s2 .

1. t is a letter. Then k = 1, and the number of [ in t is 0. Since 0 < 1/2, the

claim holds.

2. t is [s1 ◦ s2 ] for some nice terms s1 and s2 . Let’s let l1 be the length of s1
and l2 be the length of s2 . Then the length k of t is l1 + l2 + 3 (the lengths
of s1 and s2 plus three symbols [, ◦, ]). Since l1 + l2 + 3 is always greater
than l1 , l1 < k. Similarly, l2 < k. That means that the induction hypothe-
sis applies to the terms s1 and s2 : the number m1 of [ in s1 is < l1 /2, and
the number m2 of [ in s2 is < l2 /2.

950 Release : d3a1905 (2022-12-19)

71.5. STRUCTURAL INDUCTION

The number of [ in t is the number of [ in s1 , plus the number of [ in s2 ,

plus 1, i.e., it is m1 + m2 + 1. Since m1 < l1 /2 and m2 < l2 /2 we have:

l1 l l + l2 + 2 l + l2 + 3
m1 + m2 + 1 < + 2 +1 = 1 < 1 = k/2.
2 2 2 2

In each case, we’ve shown that the number of [ in t is < k/2 (on the basis of
the inductive hypothesis). By strong induction, the proposition follows.

71.5 Structural Induction

So far we have used induction to establish results about all natural numbers.
But a corresponding principle can be used directly to prove results about all
elements of an inductively defined set. This often called structural induction,
because it depends on the structure of the inductively defined objects.
Generally, an inductive definition is given by (a) a list of “initial” elements
of the set and (b) a list of operations which produce new elements of the set
from old ones. In the case of nice terms, for instance, the initial objects are the
letters. We only have one operation: the operations are

o (s1 , s2 ) =[s1 ◦ s2 ]

You can even think of the natural numbers N themselves as being given by an
inductive definition: the initial object is 0, and the operation is the successor
function x + 1.
In order to prove something about all elements of an inductively defined
set, i.e., that every element of the set has a property P, we must:

1. Prove that the initial objects have P

2. Prove that for each operation o, if the arguments have P, so does the
result.

For instance, in order to prove something about all nice terms, we would
prove that it is true about all letters, and that it is true about [s1 ◦ s2 ] provided
it is true of s1 and s2 individually.

Proposition 71.5. The number of [ equals the number of ] in any nice term t.

Proof. We use structural induction. Nice terms are inductively defined, with
letters as initial objects and the operation o for constructing new nice terms
out of old ones.

1. The claim is true for every letter, since the number of [ in a letter by itself
is 0 and the number of ] in it is also 0.

Release : d3a1905 (2022-12-19) 951

 CHAPTER 71. INDUCTION

2. Suppose the number of [ in s1 equals the number of ], and the same is

true for s2 . The number of [ in o (s1 , s2 ), i.e., in [s1 ◦ s2 ], is the sum of the
number of [ in s1 and s2 plus one. The number of ] in o (s1 , s2 ) is the sum
of the number of ] in s1 and s2 plus one. Thus, the number of [ in o (s1 , s2 )
equals the number of ] in o (s1 , s2 ).

Let’s give another proof by structural induction: a proper initial segment

of a string t of symbols is any string s that agrees with t symbol by symbol,
read from the left, but t is longer. So, e.g., [ a ◦ is a proper initial segment of
[ a ◦ b], but neither are [b ◦ (they disagree at the second symbol) nor [ a ◦ b]
(they are the same length).
Proposition 71.6. Every proper initial segment of a nice term t has more [’s than ]’s.

Proof. By induction on t:
1. t is a letter by itself: Then t has no proper initial segments.

2. t = [s1 ◦ s2 ] for some nice terms s1 and s2 . If r is a proper initial segment

of t, there are a number of possibilities:

a) r is just [: Then r has one more [ than it does ].

b) r is [r1 where r1 is a proper initial segment of s1 : Since s1 is a nice
term, by induction hypothesis, r1 has more [ than ] and the same is
true for [r1 .
c) r is [s1 or [s1 ◦ : By the previous result, the number of [ and ] in s1
are equal; so the number of [ in [s1 or [s1 ◦ is one more than the
number of ].
d) r is [s1 ◦ r2 where r2 is a proper initial segment of s2 : By induction
hypothesis, r2 contains more [ than ]. By the previous result, the
number of [ and of ] in s1 are equal. So the number of [ in [s1 ◦ r2 is
greater than the number of ].
e) r is [s1 ◦ s2 : By the previous result, the number of [ and ] in s1 are
equal, and the same for s2 . So there is one more [ in [s1 ◦ s2 than
there are ].

71.6 Relations and Functions

When we have defined a set of objects (such as the natural numbers or the nice
terms) inductively, we can also define relations on these objects by induction.
For instance, consider the following idea: a nice term t1 is a subterm of a nice
term t2 if it occurs as a part of it. Let’s use a symbol for it: t1 ⊑ t2 . Every nice
term is a subterm of itself, of course: t ⊑ t. We can give an inductive definition
of this relation as follows:

952 Release : d3a1905 (2022-12-19)

71.6. RELATIONS AND FUNCTIONS

Definition 71.7. The relation of a nice term t1 being a subterm of t2 , t1 ⊑ t2 , is

defined by induction on t2 as follows:
1. If t2 is a letter, then t1 ⊑ t2 iff t1 = t2 .
2. If t2 is [s1 ◦ s2 ], then t1 ⊑ t2 iff t1 = t2 , t1 ⊑ s1 , or t1 ⊑ s2 .

This definition, for instance, will tell us that a ⊑ [b ◦ a]. For (2) says that
a ⊑ [b ◦ a] iff a = [b ◦ a], or a ⊑ b, or a ⊑ a. The first two are false: a
clearly isn’t identical to [b ◦ a], and by (1), a ⊑ b iff a = b, which is also false.
However, also by (1), a ⊑ a iff a = a, which is true.
It’s important to note that the success of this definition depends on a fact
that we haven’t proved yet: every nice term t is either a letter by itself, or there
are uniquely determined nice terms s1 and s2 such that t = [s1 ◦ s2 ]. “Uniquely
determined” here means that if t = [s1 ◦ s2 ] it isn’t also = [r1 ◦ r2 ] with s1 ̸= r1
or s2 ̸= r2 . If this were the case, then clause (2) may come in conflict with
itself: reading t2 as [s1 ◦ s2 ] we might get t1 ⊑ t2 , but if we read t2 as [r1 ◦ r2 ]
we might get not t1 ⊑ t2 . Before we prove that this can’t happen, let’s look at
an example where it can happen.
Definition 71.8. Define bracketless terms inductively by
1. Every letter is a bracketless term.
2. If s1 and s2 are bracketless terms, then s1 ◦ s2 is a bracketless term.
3. Nothing else is a bracketless term.

Bracketless terms are, e.g., a, b ◦ d, b ◦ a ◦ b. Now if we defined “subterm”

for bracketless terms the way we did above, the second clause would read
If t2 = s1 ◦ s2 , then t1 ⊑ t2 iff t1 = t2 , t1 ⊑ s1 , or t1 ⊑ s2 .
Now b ◦ a ◦ b is of the form s1 ◦ s2 with

s1 = b and s2 = a ◦ b.

It is also of the form r1 ◦ r2 with

r1 = b ◦ a and r2 = b.

Now is a ◦ b a subterm of b ◦ a ◦ b? The answer is yes if we go by the first

reading, and no if we go by the second.
The property that the way a nice term is built up from other nice terms is
unique is called unique readability. Since inductive definitions of relations for
such inductively defined objects are important, we have to prove that it holds.
Proposition 71.9. Suppose t is a nice term. Then either t is a letter by itself, or there
are uniquely determined nice terms s1 , s2 such that t = [s1 ◦ s2 ].

Release : d3a1905 (2022-12-19) 953

 CHAPTER 71. INDUCTION

Proof. If t is a letter by itself, the condition is satisfied. So assume t isn’t a letter

by itself. We can tell from the inductive definition that then t must be of the
form [s1 ◦ s2 ] for some nice terms s1 and s2 . It remains to show that these are
uniquely determined, i.e., if t = [r1 ◦ r2 ], then s1 = r1 and s2 = r2 .
So suppose t = [s1 ◦ s2 ] and also t = [r1 ◦ r2 ] for nice terms s1 , s2 , r1 , r2 . We
have to show that s1 = r1 and s2 = r2 . First, s1 and r1 must be identical, for
otherwise one is a proper initial segment of the other. But by Proposition 71.6,
that is impossible if s1 and r1 are both nice terms. But if s1 = r1 , then clearly
also s2 = r2 .

We can also define functions inductively: e.g., we can define the function f
that maps any nice term to the maximum depth of nested [. . . ] in it as follows:
Definition 71.10. The depth of a nice term, f (t), is defined inductively as fol-
lows: (
0 if t is a letter
f (t) =
max( f (s1 ), f (s2 )) + 1 if t = [s1 ◦ s2 ].

For instance
f ([a ◦ b]) = max( f (a), f (b)) + 1 =
= max(0, 0) + 1 = 1, and
f ([[a ◦ b] ◦ c]) = max( f ([a ◦ b]), f (c)) + 1 =
= max(1, 0) + 1 = 2.
Here, of course, we assume that s1 an s2 are nice terms, and make use
of the fact that every nice term is either a letter or of the form [s1 ◦ s2 ]. It
is again important that it can be of this form in only one way. To see why,
consider again the bracketless terms we defined earlier. The corresponding
“definition” would be:
(
0 if t is a letter
g(t) =
max( g(s1 ), g(s2 )) + 1 if t = s1 ◦ s2 .
Now consider the bracketless term a ◦ b ◦ c ◦ d. It can be read in more than
one way, e.g., as s1 ◦ s2 with
s1 = a and s2 = b ◦ c ◦ d,

or as r1 ◦ r2 with

r1 = a ◦ b and r2 = c ◦ d.
Calculating g according to the first way of reading it would give
g(s1 ◦ s2 ) = max( g(a), g(b ◦ c ◦ d)) + 1 =
= max(0, 2) + 1 = 3

954 Release : d3a1905 (2022-12-19)

71.6. RELATIONS AND FUNCTIONS

while according to the other reading we get

g(r1 ◦ r2 ) = max( g(a ◦ b), g(c ◦ d)) + 1 =

= max(1, 1) + 1 = 2

But a function must always yield a unique value; so our “definition” of g

doesn’t define a function at all.

Problems
Problem 71.1. Define the set of supernice terms by

1. Any letter a, b, c, d is a supernice term.

2. If s is a supernice term, then so is [s].

3. If s1 and s2 are supernice terms, then so is [s1 ◦ s2 ].

4. Nothing else is a supernice term.

Show that the number of [ in a supernice term t of length n is ≤ n/2 + 1.

Problem 71.2. Prove by structural induction that no nice term starts with ].

Problem 71.3. Give an inductive definition of the function l, where l (t) is the
number of symbols in the nice term t.

Problem 71.4. Prove by structural induction on nice terms t that f (t) < l (t)
(where l (t) is the number of symbols in t and f (t) is the depth of t as defined
in Definition 71.10).

Release : d3a1905 (2022-12-19) 955

Part XVI

History

956
Chapter 72

Biographies

72.1 Georg Cantor

An early biography of Georg Cantor
(GAY-org KAHN-tor) claimed that he was
born and found on a ship that was sail-
ing for Saint Petersburg, Russia, and that
his parents were unknown. This, how-
ever, is not true; although he was born
in Saint Petersburg in 1845.
Cantor received his doctorate in
mathematics at the University of Berlin
in 1867. He is known for his work in
set theory, and is credited with found-
ing set theory as a distinctive research
discipline. He was the first to prove
that there are infinite sets of different
sizes. His theories, and especially his
theory of infinities, caused much debate
among mathematicians at the time, and
his work was controversial.
Cantor’s religious beliefs and his Figure 72.1: Georg Cantor
mathematical work were inextricably
tied; he even claimed that the theory of transfinite numbers had been com-
municated to him directly by God. In later life, Cantor suffered from mental
illness. Beginning in 1894, and more frequently towards his later years, Can-
tor was hospitalized. The heavy criticism of his work, including a falling out
with the mathematician Leopold Kronecker, led to depression and a lack of
interest in mathematics. During depressive episodes, Cantor would turn to
philosophy and literature, and even published a theory that Francis Bacon
was the author of Shakespeare’s plays.

957
 CHAPTER 72. BIOGRAPHIES

Cantor died on January 6, 1918, in a sanatorium in Halle.

Further Reading For full biographies of Cantor, see Dauben (1990) and Grattan-
Guinness (1971). Cantor’s radical views are also described in the BBC Radio 4
program A Brief History of Mathematics (du Sautoy, 2014). If you’d like to hear
about Cantor’s theories in rap form, see Rose (2012).

72.2 Alonzo Church

Alonzo Church was born in Washing-
ton, DC on June 14, 1903. In early
childhood, an air gun incident left
Church blind in one eye. He finished
preparatory school in Connecticut in
1920 and began his university education
at Princeton that same year. He com-
pleted his doctoral studies in 1927. After
a couple years abroad, Church returned
to Princeton. Church was known ex-
ceedingly polite and careful. His black-
board writing was immaculate, and he
would preserve important papers by
carefully covering them in Duco cement
(a clear glue). Outside of his academic Figure 72.2: Alonzo Church
pursuits, he enjoyed reading science fic-
tion magazines and was not afraid to write to the editors if he spotted any
inaccuracies in the writing.
Church’s academic achievements were great. Together with his students
Stephen Kleene and Barkley Rosser, he developed a theory of effective calcu-
lability, the lambda calculus, independently of Alan Turing’s development of
the Turing machine. The two definitions of computability are equivalent, and
give rise to what is now known as the Church-Turing Thesis, that a function of
the natural numbers is effectively computable if and only if it is computable
via Turing machine (or lambda calculus). He also proved what is now known
as Church’s Theorem: The decision problem for the validity of first-order for-
mulas is unsolvable.
Church continued his work into old age. In 1967 he left Princeton for
UCLA, where he was professor until his retirement in 1990. Church passed
away on August 1, 1995 at the age of 92.

Further Reading For a brief biography of Church, see Enderton (2019). Church’s
original writings on the lambda calculus and the Entscheidungsproblem (Church’s
Thesis) are Church (1936a,b). Aspray (1984) records an interview with Church

958 Release : d3a1905 (2022-12-19)

72.3. GERHARD GENTZEN

about the Princeton mathematics community in the 1930s. Church wrote a se-
ries of book reviews of the Journal of Symbolic Logic from 1936 until 1979. They
are all archived on John MacFarlane’s website (MacFarlane, 2015).

72.3 Gerhard Gentzen

Gerhard Gentzen is known primarily
as the creator of structural proof the-
ory, and specifically the creation of the
natural deduction and sequent calculus
derivation systems. He was born on
November 24, 1909 in Greifswald, Ger-
many. Gerhard was homeschooled for
three years before attending preparatory
school, where he was behind most of his
classmates in terms of education. De-
spite this, he was a brilliant student and Figure 72.3: Gerhard Gentzen
showed a strong aptitude for mathematics. His interests were varied, and he,
for instance, also write poems for his mother and plays for the school theatre.
Gentzen began his university studies at the University of Greifswald, but
moved around to Göttingen, Munich, and Berlin. He received his doctorate in
1933 from the University of Göttingen under Hermann Weyl. (Paul Bernays
supervised most of his work, but was dismissed from the university by the
Nazis.) In 1934, Gentzen began work as an assistant to David Hilbert. That
same year he developed the sequent calculus and natural deduction deriva-
tion systems, in his papers Untersuchungen über das logische Schließen I–II [In-
vestigations Into Logical Deduction I–II]. He proved the consistency of the Peano
axioms in 1936.
Gentzen’s relationship with the Nazis is complicated. At the same time his
mentor Bernays was forced to leave Germany, Gentzen joined the university
branch of the SA, the Nazi paramilitary organization. Like many Germans, he
was a member of the Nazi party. During the war, he served as a telecommuni-
cations officer for the air intelligence unit. However, in 1942 he was released
from duty due to a nervous breakdown. It is unclear whether or not Gentzen’s
loyalties lay with the Nazi party, or whether he joined the party in order to en-
sure academic success.
In 1943, Gentzen was offered an academic position at the Mathematical
Institute of the German University of Prague, which he accepted. However, in
1945 the citizens of Prague revolted against German occupation. Soviet forces
arrived in the city and arrested all the professors at the university. Because of
his membership in Nazi organizations, Gentzen was taken to a forced labour
camp. He died of malnutrition while in his cell on August 4, 1945 at the age
of 35.

Release : d3a1905 (2022-12-19) 959

 CHAPTER 72. BIOGRAPHIES

Further Reading For a full biography of Gentzen, see Menzler-Trott (2007).

An interesting read about mathematicians under Nazi rule, which gives a brief
note about Gentzen’s life, is given by Segal (2014). Gentzen’s papers on logical
deduction are available in the original german (Gentzen, 1935a,b). English
translations of Gentzen’s papers have been collected in a single volume by
Szabo (1969), which also includes a biographical sketch.

72.4 Kurt Gödel

Kurt Gödel (GER-dle) was born on
April 28, 1906 in Brünn in the Austro-
Hungarian empire (now Brno in the
Czech Republic). Due to his inquisitive
and bright nature, young Kurtele was
often called “Der kleine Herr Warum”
(Little Mr. Why) by his family. He ex-
celled in academics from primary school
onward, where he got less than the high-
est grade only in mathematics. Gödel
was often absent from school due to
poor health and was exempt from phys-
ical education. He was diagnosed with
rheumatic fever during his childhood.
Throughout his life, he believed this per-
manently affected his heart despite med-
ical assessment saying otherwise.
Gödel began studying at the Univer- Figure 72.4: Kurt Gödel
sity of Vienna in 1924 and completed his
doctoral studies in 1929. He first intended to study physics, but his interests
soon moved to mathematics and especially logic, in part due to the influence
of the philosopher Rudolf Carnap. His dissertation, written under the super-
vision of Hans Hahn, proved the completeness theorem of first-order predi-
cate logic with identity (Gödel, 1929). Only a year later, he obtained his most
famous results—the first and second incompleteness theorems (published in
Gödel 1931). During his time in Vienna, Gödel was heavily involved with
the Vienna Circle, a group of scientifically-minded philosophers that included
Carnap, whose work was especially influenced by Gödel’s results.
In 1938, Gödel married Adele Nimbursky. His parents were not pleased:
not only was she six years older than him and already divorced, but she
worked as a dancer in a nightclub. Social pressures did not affect Gödel, how-
ever, and they remained happily married until his death.
After Nazi Germany annexed Austria in 1938, Gödel and Adele emigrated
to the United States, where he took up a position at the Institute for Advanced

960 Release : d3a1905 (2022-12-19)

72.5. EMMY NOETHER

Study in Princeton, New Jersey. Despite his introversion and eccentric nature,
Gödel’s time at Princeton was collaborative and fruitful. He published essays
in set theory, philosophy and physics. Notably, he struck up a particularly
strong friendship with his colleague at the IAS, Albert Einstein.
In his later years, Gödel’s mental health deteriorated. His wife’s hospi-
talization in 1977 meant she was no longer able to cook his meals for him.
Having suffered from mental health issues throughout his life, he succumbed
to paranoia. Deathly afraid of being poisoned, Gödel refused to eat. He died
of starvation on January 14, 1978, in Princeton.

Further Reading For a complete biography of Gödel’s life is available, see

John Dawson (1997). For further biographical pieces, as well as essays about
Gödel’s contributions to logic and philosophy, see Wang (1990), Baaz et al.
(2011), Takeuti et al. (2003), and Sigmund et al. (2007).
Gödel’s PhD thesis is available in the original German (Gödel, 1929). The
original text of the incompleteness theorems is (Gödel, 1931). All of Gödel’s
published and unpublished writings, as well as a selection of correspondence,
are available in English in his Collected Papers Feferman et al. (1986, 1990).
For a detailed treatment of Gödel’s incompleteness theorems, see Smith
(2013). For an informal, philosophical discussion of Gödel’s theorems, see
Mark Linsenmayer’s podcast (Linsenmayer, 2014).

72.5 Emmy Noether

Emmy Noether (NER-ter) was born in Erlangen, Germany, on March 23, 1882,
to an upper-middle class scholarly family. Hailed as the “mother of modern
algebra,” Noether made groundbreaking contributions to both mathematics
and physics, despite significant barriers to women’s education. In Germany at
the time, young girls were meant to be educated in arts and were not allowed
to attend college preparatory schools. However, after auditing classes at the
Universities of Göttingen and Erlangen (where her father was professor of
mathematics), Noether was eventually able to enroll as a student at Erlangen
in 1904, when their policy was updated to allow female students. She received
her doctorate in mathematics in 1907.
Despite her qualifications, Noether experienced much resistance during
her career. From 1908–1915, she taught at Erlangen without pay. During this
time, she caught the attention of David Hilbert, one of the world’s foremost
mathematicians of the time, who invited her to Göttingen. However, women
were prohibited from obtaining professorships, and she was only able to lec-
ture under Hilbert’s name, again without pay. During this time she proved
what is now known as Noether’s theorem, which is still used in theoretical
physics today. Noether was finally granted the right to teach in 1919. Hilbert’s

Release : d3a1905 (2022-12-19) 961

 CHAPTER 72. BIOGRAPHIES

response to continued resistance of his university colleagues reportedly was:

“Gentlemen, the faculty senate is not a bathhouse.”
In the later 1920s, she concentrated
on work in abstract algebra, and her con-
tributions revolutionized the field. In
her proofs she often made use of the so-
called ascending chain condition, which
states that there is no infinite strictly in-
creasing chain of certain sets. For in-
stance, certain algebraic structures now
known as Noetherian rings have the
property that there are no infinite se-
quences of ideals I1 ⊊ I2 ⊊ . . . . The
condition can be generalized to any par-
tial order (in algebra, it concerns the spe-
cial case of ideals ordered by the subset
relation), and we can also consider the
dual descending chain condition, where
every strictly decreasing sequence in a
partial order eventually ends. If a par-
Figure 72.5: Emmy Noether
tial order satisfies the descending chain
condition, it is possible to use induction along this order in a similar way in
which we can use induction along the < order on N. Such orders are called
well-founded or Noetherian, and the corresponding proof principle Noetherian
induction.
Noether was Jewish, and when the Nazis came to power in 1933, she was
dismissed from her position. Luckily, Noether was able to emigrate to the
United States for a temporary position at Bryn Mawr, Pennsylvania. During
her time there she also lectured at Princeton, although she found the univer-
sity to be unwelcoming to women (Dick, 1981, 81). In 1935, Noether under-
went an operation to remove a uterine tumour. She died from an infection as
a result of the surgery, and was buried at Bryn Mawr.

Further Reading For a biography of Noether, see Dick (1981). The Perime-
ter Institute for Theoretical Physics has their lectures on Noether’s life and
influence available online (Institute, 2015). If you’re tired of reading, Stuff You
Missed in History Class has a podcast on Noether’s life and influence (Frey and
Wilson, 2015). The collected works of Noether are available in the original
German (Jacobson, 1983).

72.6 Rózsa Péter

962 Release : d3a1905 (2022-12-19)

72.6. RÓZSA PÉTER

Rózsa Péter was born Rósza Politzer, in Budapest, Hungary, on February 17,
1905. She is best known for her work on recursive functions, which was es-
sential for the creation of the field of recursion theory.
Péter was raised during harsh polit-
ical times—WWI raged when she was
a teenager—but was able to attend the
affluent Maria Terezia Girls’ School in
Budapest, from where she graduated
in 1922. She then studied at Pázmány
Péter University (later renamed Loránd
Eötvös University) in Budapest. She
began studying chemistry at the insis-
tence of her father, but later switched
to mathematics, and graduated in 1927.
Although she had the credentials to
teach high school mathematics, the eco-
nomic situation at the time was dire as
the Great Depression affected the world
economy. During this time, Péter took
Figure 72.6: Rózsa Péter
odd jobs as a tutor and private teacher
of mathematics. She eventually returned to university to take up graduate
studies in mathematics. She had originally planned to work in number the-
ory, but after finding out that her results had already been proven, she almost
gave up on mathematics altogether. She was encouraged to work on Gödel’s
incompleteness theorems, and unknowingly proved several of his results in
different ways. This restored her confidence, and Péter went on to write her
first papers on recursion theory, inspired by David Hilbert’s foundational pro-
gram. She received her PhD in 1935, and in 1937 she became an editor for the
Journal of Symbolic Logic.
Péter’s early papers are widely credited as founding contributions to the
field of recursive function theory. In Péter (1935a), she investigated the rela-
tionship between different kinds of recursion. In Péter (1935b), she showed
that a certain recursively defined function is not primitive recursive. This
simplified an earlier result due to Wilhelm Ackermann. Péter’s simplified
function is what’s now often called the Ackermann function—and sometimes,
more properly, the Ackermann–Péter function. She wrote the first book on re-
cursive function theory (Péter, 1951).
Despite the importance and influence of her work, Péter did not obtain a
full-time teaching position until 1945. During the Nazi occupation of Hungary
during World War II, Péter was not allowed to teach due to anti-Semitic laws.
In 1944 the government created a Jewish ghetto in Budapest; the ghetto was
cut off from the rest of the city and attended by armed guards. Péter was
forced to live in the ghetto until 1945 when it was liberated. She then went on

Release : d3a1905 (2022-12-19) 963

 CHAPTER 72. BIOGRAPHIES

to teach at the Budapest Teachers Training College, and from 1955 onward at
Eötvös Loránd University. She was the first female Hungarian mathematician
to become an Academic Doctor of Mathematics, and the first woman to be
elected to the Hungarian Academy of Sciences.
Péter was known as a passionate teacher of mathematics, who preferred
to explore the nature and beauty of mathematical problems with her students
rather than to merely lecture. As a result, she was affectionately called “Aunt
Rosa” by her students. Péter died in 1977 at the age of 71.

Further Reading For more biographical reading, see (O’Connor and Robert-
son, 2014) and (Andrásfai, 1986). Tamassy (1994) conducted a brief interview
with Péter. For a fun read about mathematics, see Péter’s book Playing With
Infinity (Péter, 2010).

72.7 Julia Robinson

Julia Bowman Robinson was an Amer-
ican mathematician. She is known
mainly for her work on decision prob-
lems, and most famously for her con-
tributions to the solution of Hilbert’s
tenth problem. Robinson was born in
St. Louis, Missouri, on December 8,
1919. Robinson recalls being intrigued
by numbers already as a child (Reid,
1986, 4). At age nine she contracted scar-
let fever and suffered from several re-
current bouts of rheumatic fever. This
forced her to spend much of her time
in bed, putting her behind in her educa-
tion. Although she was able to catch up
with the help of private tutors, the phys-
ical effects of her illness had a lasting im-
Figure 72.7: Julia Robinson
pact on her life.
Despite her childhood struggles, Robinson graduated high school with
several awards in mathematics and the sciences. She started her university
career at San Diego State College, and transferred to the University of Cali-
fornia, Berkeley, as a senior. There she was influenced by the mathematician
Raphael Robinson. They became good friends, and married in 1941. As a
spouse of a faculty member, Robinson was barred from teaching in the math-
ematics department at Berkeley. Although she continued to audit mathemat-
ics classes, she hoped to leave university and start a family. Not long after
her wedding, however, Robinson contracted pneumonia. She was told that

964 Release : d3a1905 (2022-12-19)

72.7. JULIA ROBINSON

there was substantial scar tissue build up on her heart due to the rheumatic
fever she suffered as a child. Due to the severity of the scar tissue, the doctor
predicted that she would not live past forty and she was advised not to have
children (Reid, 1986, 13).
Robinson was depressed for a long time, but eventually decided to con-
tinue studying mathematics. She returned to Berkeley and completed her PhD
in 1948 under the supervision of Alfred Tarski. The first-order theory of the
real numbers had been shown to be decidable by Tarski, and from Gödel’s
work it followed that the first-order theory of the natural numbers is unde-
cidable. It was a major open problem whether the first-order theory of the
rationals is decidable or not. In her thesis (1949), Robinson proved that it was
not.
Interested in decision problems, Robinson next attempted to find a solu-
tion to Hilbert’s tenth problem. This problem was one of a famous list of
23 mathematical problems posed by David Hilbert in 1900. The tenth prob-
lem asks whether there is an algorithm that will answer, in a finite amount of
time, whether or not a polynomial equation with integer coefficients, such as
3x2 − 2y + 3 = 0, has a solution in the integers. Such questions are known as
Diophantine problems. After some initial successes, Robinson joined forces with
Martin Davis and Hilary Putnam, who were also working on the problem.
They succeeded in showing that exponential Diophantine problems (where
the unknowns may also appear as exponents) are undecidable, and showed
that a certain conjecture (later called “J.R.”) implies that Hilbert’s tenth prob-
lem is undecidable (Davis et al., 1961). Robinson continued to work on the
problem throughout the 1960s. In 1970, the young Russian mathematician
Yuri Matijasevich finally proved the J.R. hypothesis. The combined result
is now called the Matijasevich–Robinson–Davis–Putnam theorem, or MRDP
theorem for short. Matijasevich and Robinson became friends and collabo-
rated on several papers. In a letter to Matijasevich, Robinson once wrote that
“actually I am very pleased that working together (thousands of miles apart)
we are obviously making more progress than either one of us could alone”
(Matijasevich, 1992, 45).
Robinson was the first female president of the American Mathematical So-
ciety, and the first woman to be elected to the National Academy of Science.
She died on July 30, 1985 at the age of 65 after being diagnosed with leukemia.

Further Reading Robinson’s mathematical papers are available in her Col-

lected Works (Robinson, 1996), which also includes a reprint of her National
Academy of Sciences biographical memoir (Feferman, 1994). Robinson’s older
sister Constance Reid published an “Autobiography of Julia,” based on inter-
views (Reid, 1986), as well as a full memoir (Reid, 1996). A short documentary
about Robinson and Hilbert’s tenth problem was directed by George Csicsery
(Csicsery, 2016). For a brief memoir about Yuri Matijasevich’s collaborations

Release : d3a1905 (2022-12-19) 965

 CHAPTER 72. BIOGRAPHIES

with Robinson, and her influence on his work, see (Matijasevich, 1992).

72.8 Bertrand Russell

Bertrand Russell is hailed as one of the

founders of modern analytic philoso-
phy. Born May 18, 1872, Russell was
not only known for his work in philoso-
phy and logic, but wrote many popular
books in various subject areas. He was
also an ardent political activist through-
out his life.
Russell was born in Trellech, Mon-
mouthshire, Wales. His parents were
members of the British nobility. They
were free-thinkers, and even made
friends with the radicals in Boston at the
time. Unfortunately, Russell’s parents
died when he was young, and Russell
was sent to live with his grandparents.
There, he was given a religious upbring-
ing (something his parents had wanted Figure 72.8: Bertrand Russell
to avoid at all costs). His grandmother
was very strict in all matters of morality. During adolescence he was mostly
homeschooled by private tutors.
Russell’s influence in analytic philosophy, and especially logic, is tremen-
dous. He studied mathematics and philosophy at Trinity College, Cambridge,
where he was influenced by the mathematician and philosopher Alfred North
Whitehead. In 1910, Russell and Whitehead published the first volume of
Principia Mathematica, where they championed the view that mathematics is
reducible to logic. He went on to publish hundreds of books, essays and po-
litical pamphlets. In 1950, he won the Nobel Prize for literature.
Russell’s was deeply entrenched in politics and social activism. During
World War I he was arrested and sent to prison for six months due to pacifist
activities and protest. While in prison, he was able to write and read, and
claims to have found the experience “quite agreeable.” He remained a pacifist
throughout his life, and was again incarcerated for attending a nuclear disar-
mament rally in 1961. He also survived a plane crash in 1948, where the only
survivors were those sitting in the smoking section. As such, Russell claimed
that he owed his life to smoking. Russell was married four times, but had a
reputation for carrying on extra-marital affairs. He died on February 2, 1970
at the age of 97 in Penrhyndeudraeth, Wales.

966 Release : d3a1905 (2022-12-19)

72.9. ALFRED TARSKI

Further Reading Russell wrote an autobiography in three parts, spanning

his life from 1872–1967 (Russell, 1967, 1968, 1969). The Bertrand Russell Re-
search Centre at McMaster University is home of the Bertrand Russell archives.
See their website at Duncan (2015), for information on the volumes of his col-
lected works (including searchable indexes), and archival projects. Russell’s
paper On Denoting (Russell, 1905) is a classic of 20th century analytic philoso-
phy.
The Stanford Encyclopedia of Philosophy entry on Russell (Irvine, 2015)
has sound clips of Russell speaking on Desire and Political theory. Many video
interviews with Russell are available online. To see him talk about smoking
and being involved in a plane crash, e.g., see Russell (n.d.). Some of Russell’s
works, including his Introduction to Mathematical Philosophy are available as
free audiobooks on LibriVox (n.d.).

72.9 Alfred Tarski

Alfred Tarski was born on January 14,
1901 in Warsaw, Poland (then part of
the Russian Empire). Described as
“Napoleonic,” Tarski was boisterous,
talkative, and intense. His energy was
often reflected in his lectures—he once
set fire to a wastebasket while disposing
of a cigarette during a lecture, and was
forbidden from lecturing in that build-
ing again.
Tarski had a thirst for knowledge
from a young age. Although later in
life he would tell students that he stud-
ied logic because it was the only class in
which he got a B, his high school records
show that he got A’s across the board—
even in logic. He studied at the Univer- Figure 72.9: Alfred Tarski
sity of Warsaw from 1918 to 1924. Tarski
first intended to study biology, but became interested in mathematics, philos-
ophy, and logic, as the university was the center of the Warsaw School of Logic
and Philosophy. Tarski earned his doctorate in 1924 under the supervision of
Stanisław Leśniewski.
Before emigrating to the United States in 1939, Tarski completed some of
his most important work while working as a secondary school teacher in War-
saw. His work on logical consequence and logical truth were written during
this time. In 1939, Tarski was visiting the United States for a lecture tour. Dur-
ing his visit, Germany invaded Poland, and because of his Jewish heritage,

Release : d3a1905 (2022-12-19) 967

 CHAPTER 72. BIOGRAPHIES

Tarski could not return. His wife and children remained in Poland until the
end of the war, but were then able to emigrate to the United States as well.
Tarski taught at Harvard, the College of the City of New York, and the Insti-
tute for Advanced Study at Princeton, and finally the University of California,
Berkeley. There he founded the multidisciplinary program in Logic and the
Methodology of Science. Tarski died on October 26, 1983 at the age of 82.

Further Reading For more on Tarski’s life, see the biography Alfred Tarski:
Life and Logic (Feferman and Feferman, 2004). Tarski’s seminal works on logi-
cal consequence and truth are available in English in (Corcoran, 1983). All of
Tarski’s original works have been collected into a four volume series, (Tarski,
1981).

72.10 Alan Turing

Alan Turing was born in Maida Vale, London, on June 23, 1912. He is consid-
ered the father of theoretical computer science. Turing’s interest in the phys-
ical sciences and mathematics started at a young age. However, as a boy his
interests were not represented well in his schools, where emphasis was placed
on literature and classics. Consequently, he did poorly in school and was rep-
rimanded by many of his teachers.
Turing attended King’s College, Cam-
bridge as an undergraduate, where he
studied mathematics. In 1936 Turing de-
veloped (what is now called) the Turing
machine as an attempt to precisely de-
fine the notion of a computable function
and to prove the undecidability of the
decision problem. He was beaten to the
result by Alonzo Church, who proved
the result via his own lambda calculus.
Turing’s paper was still published with
reference to Church’s result. Church
invited Turing to Princeton, where he
spent 1936–1938, and obtained a doctor-
ate under Church.
Despite his interest in logic, Turing’s Figure 72.10: Alan Turing
earlier interests in physical sciences re-
mained prevalent. His practical skills were put to work during his service
with the British cryptanalytic department at Bletchley Park during World
War II. Turing was a central figure in cracking the cypher used by German
Naval communications—the Enigma code. Turing’s expertise in statistics and
cryptography, together with the introduction of electronic machinery, gave

968 Release : d3a1905 (2022-12-19)

72.11. ERNST ZERMELO

the team the ability to crack the code by creating a de-crypting machine called
a “bombe.” His ideas also helped in the creation of the world’s first pro-
grammable electronic computer, the Colossus, also used at Bletchley park to
break the German Lorenz cypher.
Turing was gay. Nevertheless, in 1942 he proposed to Joan Clarke, one
of his teammates at Bletchley Park, but later broke off the engagement and
confessed to her that he was homosexual. He had several lovers throughout
his lifetime, although homosexual acts were then criminal offences in the UK.
In 1952, Turing’s house was burgled by a friend of his lover at the time, and
when filing a police report, Turing admitted to having a homosexual relation-
ship, under the impression that the government was on their way to legalizing
homosexual acts. This was not true, and he was charged with gross indecency.
Instead of going to prison, Turing opted for a hormone treatment that reduced
libido. Turing was found dead on June 8, 1954, of a cyanide overdose—most
likely suicide. He was given a royal pardon by Queen Elizabeth II in 2013.

Further Reading For a comprehensive biography of Alan Turing, see Hodges

(2014). Turing’s life and work inspired a play, Breaking the Code, which was
produced in 1996 for TV starring Derek Jacobi as Turing. The Imitation Game,
an Academy Award nominated film starring Bendict Cumberbatch and Kiera
Knightley, is also loosely based on Alan Turing’s life and time at Bletchley
Park (Tyldum, 2014).
Radiolab (2012) has several podcasts on Turing’s life and work. BBC Hori-
zon’s documentary The Strange Life and Death of Dr. Turing is available to watch
online (Sykes, 1992). (Theelen, 2012) is a short video of a working LEGO Tur-
ing Machine—made to honour Turing’s centenary in 2012.
Turing’s original paper on Turing machines and the decision problem is
Turing (1937).

72.11 Ernst Zermelo

Ernst Zermelo was born on July 27, 1871 in Berlin, Germany. He had five
sisters, though his family suffered from poor health and only three survived
to adulthood. His parents also passed away when he was young, leaving
him and his siblings orphans when he was seventeen. Zermelo had a deep
interest in the arts, and especially in poetry. He was known for being sharp,
witty, and critical. His most celebrated mathematical achievements include
the introduction of the axiom of choice (in 1904), and his axiomatization of set
theory (in 1908).
Zermelo’s interests at university were varied. He took courses in physics,
mathematics, and philosophy. Under the supervision of Hermann Schwarz,
Zermelo completed his dissertation Investigations in the Calculus of Variations
in 1894 at the University of Berlin. In 1897, he decided to pursue more studies

Release : d3a1905 (2022-12-19) 969

 CHAPTER 72. BIOGRAPHIES

at the University of Göttigen, where he was heavily influenced by the foun-

dational work of David Hilbert. In 1899 he became eligible for professorship,
but did not get one until eleven years later—possibly due to his strange de-
meanour and “nervous haste.”
Zermelo finally received a paid pro-
fessorship at the University of Zurich in
1910, but was forced to retire in 1916 due
to tuberculosis. After his recovery, he
was given an honourary professorship
at the University of Freiburg in 1921.
During this time he worked on founda-
tional mathematics. He became irritated
with the works of Thoralf Skolem and
Kurt Gödel, and publicly criticized their
approaches in his papers. He was dis-
missed from his position at Freiburg in
1935, due to his unpopularity and his
opposition to Hitler’s rise to power in
Germany.
The later years of Zermelo’s life were
marked by isolation. After his dismissal
in 1935, he abandoned mathematics. He Figure 72.11: Ernst Zermelo
moved to the country where he lived
modestly. He married in 1944, and became completely dependent on his wife
as he was going blind. Zermelo lost his sight completely by 1951. He passed
away in Günterstal, Germany, on May 21, 1953.

Further Reading For a full biography of Zermelo, see Ebbinghaus (2015).

Zermelo’s seminal 1904 and 1908 papers are available to read in the origi-
nal German (Zermelo, 1904, 1908b). Zermelo’s collected works, including his
writing on physics, are available in English translation in (Ebbinghaus et al.,
2010; Ebbinghaus and Kanamori, 2013).

970 Release : d3a1905 (2022-12-19)

Chapter 73

History and Mythology of Set

Theory

This chapter includes the historical prelude from Tim Button’s Open
Set Theory text.

73.1 Infinitesimals and Differentiation

Newton and Leibniz discovered the calculus (independently) at the end of
the 17th century. A particularly important application of the calculus was
differentiation. Roughly speaking, differentiation aims to give a notion of the
“rate of change”, or gradient, of a function at a point.
Here is a vivid way to illustrate the idea. Consider the function f ( x ) =
x2/4 + 1/2, depicted in black below:

f (x)
5

x
1 2 3 4

971
 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

Suppose we want to find the gradient of the function at c = 1/2. We start by

drawing a triangle whose hypotenuse approximates the gradient at that point,
perhaps the red triangle above. When β is the base length of our triangle, its
height is f (1/2 + β) − f (1/2), so that the gradient of the hypotenuse is:

f (1/2 + β) − f (1/2)
.
β

So the gradient of our red triangle, with base length 3, is exactly 1. The hy-
potenuse of a smaller triangle, the blue triangle with base length 2, gives a
better approximation; its gradient is 3/4. A yet smaller triangle, the green tri-
angle with base length 1, gives a yet better approximation; with gradient 1/2.
Ever-smaller triangles give us ever-better approximations. So we might
say something like this: the hypotenuse of a triangle with an infinitesimal base
length gives us the gradient at c = 1/2 itself. In this way, we would obtain a
formula for the (first) derivative of the function f at the point c:

f (c + β) − f (c)
f ′ (c) = where β is infinitesimal.
β

And, roughly, this is what Newton and Leibniz said.

However, since they have said this, we must ask them: what is an infinites-
imal? A serious dilemma arises. If β = 0, then f ′ is ill-defined, for it involves
dividing by 0. But if β > 0, then we just get an approximation to the gradient,
and not the gradient itself.
This is not an anachronistic concern. Here is Berkeley, criticizing Newton’s
followers:

I admit that signs may be made to denote either any thing or noth-
ing: and consequently that in the original notation c + β, β might
have signified either an increment or nothing. But then which of
these soever you make it signify, you must argue consistently with
such its signification, and not proceed upon a double meaning:
Which to do were a manifest sophism. (Berkeley 1734, §XIII, vari-
ables changed to match preceding text)

To defend the infinitesimal calculus against Berkeley, one might reply that the
talk of “infinitesimals” is merely figurative. One might say that, so long as
we take a really small triangle, we will get a good enough approximation to the
tangent. Berkeley had a reply to this too: whilst that might be good enough
for engineering, it undermines the status of mathematics, for

we are told that in rebus mathematicis errores quàm minimi non sunt
contemnendi. [In the case of mathematics, the smallest errors are
not to be neglected.] (Berkeley, 1734, §IX)

972 Release : d3a1905 (2022-12-19)

73.2. RIGOROUS DEFINITION OF LIMITS

The italicised passage is a near-verbatim quote from Newton’s own Quadra-

ture of Curves (1704).
Berkeley’s philosophical objections are deeply incisive. Nevertheless, the
calculus was a massively successful enterprise, and mathematicians contin-
ued to use it without falling into error.

73.2 Rigorous Definition of Limits

These days, the standard solution to the foregoing problem is to get rid of the
infinitesimals. Here is how.
We saw that, as β gets smaller, we get better approximations of the gradi-
ent. Indeed, as β gets arbitrarily close to 0, the value of f ′ (c) “tends without
limit” to the gradient we want. So, instead of considering what happens at
β = 0, we need only consider the trend of f ′ (c) as β approaches 0.
Put like this, the general challenge is to make sense of claims of this shape:

As x approaches c, g( x ) tends without limit to ℓ.

which we can write more compactly as follows:

lim g( x ) = ℓ.
x →c

In the 19th century, building upon earlier work by Cauchy, Weierstrass offered
a perfectly rigorous definition of this expression. The idea is indeed that we
can make g( x ) as close as we like to ℓ, by making x suitably close to c. More
precisely, we stipulate that limx→c g( x ) = ℓ will mean:

(∀ε > 0)(∃δ > 0)∀ x (| x − c| < δ → | g( x ) − ℓ| < ε) .

The vertical bars here indicate absolute magnitude. That is, | x | = x when
x ≥ 0, and | x | = − x when x < 0; you can depict that function as follows:

|x|

x
−2 −1 1 2

So the definition says roughly this: you can make your “error” less than ε (i.e.,
| g( x ) − ℓ| < ε) by choosing arguments which are no more than δ away from c
(i.e., | x − c| < δ).

Release : d3a1905 (2022-12-19) 973

 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

Having defined the notion of a limit, we can use it to avoid infinitesimals

altogether, stipulating that the gradient of f at c is given by:

f (c + x ) − f (c)
 
′
f (c) = lim where a limit exists.
x →0 x

It is important, though, to realise why our definition needs the caveat “where
a limit exists”. To take a simple example, consider f ( x ) = | x |, whose graph we
just saw. Evidently, f ′ (0) is ill-defined: if we approach 0 “from the right”, the
gradient is always 1; if we approach 0 “from the left”, the gradient is always
−1; so the limit is undefined. As such, we might add that a function f is
differentiable at x iff such a limit exists.
We have seen how to handle differentiation using the notion of a limit. We
can use the same notion to define the idea of a continuous function. (Bolzano
had, in effect, realised this by 1817.) The Cauchy–Weierstrass treatment of
continuity is as follows. Roughly: a function f is continuous (at a point) pro-
vided that, if you demand a certain amount of precision concerning the output
of the function, you can guarantee this by insisting upon a certain amount of
precision concerning the input of the function. More precisely: f is continu-
ous at c provided that, as x tends to zero, the difference between f (c + x ) and
f (c) itself tends to 0. Otherwise put: f is continuous at c iff f (c) = limx→c f ( x ).
To go any further would just lead us off into real analysis, when our subject
matter is set theory. So now we should pause, and state the moral. During
the 19th century, mathematicians learnt how to do without infinitesimals, by
invoking a rigorously defined notion of a limit.

73.3 Pathologies
However, the definition of a limit turned out to allow for some rather “patho-
logical” constructions.
Around the 1830s, Bolzano discovered a function which was continuous ev-
erywhere, but differentiable nowhere. (Unfortunately, Bolzano never published
this; the idea was first encountered by mathematicians in 1872, thanks to
Weierstrass’s independent discovery of the same idea.)1 This was, to say the
least, rather surprising. It is easy to find functions, such as | x |, which are con-
tinuous everywhere but not differentiable at a particular point. But a function
which is continuous everywhere but differentiable nowhere is a very different
beast. Consider, for a moment, how you might try to draw such a function.
To ensure it is continuous, you must be able to draw it without ever removing
your pen from the page; but to ensure it is differentiable nowhere, you would
have to abruptly change the direction of your pen, constantly.
1 The history is documented in extremely thorough footnotes to the Wikipedia article on the

Weierstrass function.

974 Release : d3a1905 (2022-12-19)

73.3. PATHOLOGIES

Further “pathologies” followed. In January 5 1874, Cantor wrote a letter

to Dedekind, posing the problem:

Can a surface (say a square including its boundary) be one-to-one

correlated to a line (say a straight line including its endpoints) so
that to every point of the surface there corresponds a point of the
line, and conversely to every point of the line there corresponds a
point of the surface?
It still seems to me at the moment that the answer to this question
is very difficult—although here too one is so impelled to say no
that one would like to hold the proof to be almost superfluous.
[Quoted in Gouvêa 2011]

But, in 1877, Cantor proved that he had been wrong. In fact, a line and a
square have exactly the same number of points. He wrote on 29 June 1877 to
Dedekind “je le vois, mais je ne le crois pas”; that is, “I see it, but I don’t believe
it”. In the “received history” of mathematics, this is often taken to indicate
just how literally incredible these new results were to the mathematicians of the
time. (The correspondence is presented in Gouvêa (2011), and we return to it
in section 73.4. Cantor’s proof is outlined in section 73.5.)
Inspired by Cantor’s result, Peano started to consider whether it might be
possible to map a line smoothly onto a plane. This would be a curve which
fills space. In 1890, Peano constructed just such a curve. This is truly counter-
intuitive: Euclid had defined a line as “breadthless length” (Book I, Definition
2), but Peano had shown that, by curling up a line appropriately, its length can
be turned into breadth. In 1891, Hilbert described a slightly more intuitive
space-filling curve, together with some pictures illustrating it. The curve is
constructed in sequence, and here are the first six stages of the construction:

Release : d3a1905 (2022-12-19) 975

 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

In the limit—a notion which had, by now, received rigorous definition—the

entire square is filled in solid red. And, in passing, Hilbert’s curve is continu-
ous everywhere but differentiable nowhere; intuitively because, in the infinite
limit, the function abruptly changes direction at every moment. (We will out-
line Hilbert’s construction in more detail in section 73.6.)
For better or worse, these “pathological” geometric constructions were
treated as a reason to doubt appeals to geometric intuition. They became
something approaching propaganda for a new way of doing mathematics, which
would culminate in set theory. In the later myth-building of the subject, it was
repeated, often, that these results were both perfectly rigorous and perfectly
shocking. They therefore served a dual purpose: as a warning against relying
upon geometric intuition, and as a demonstration of the fertility of new ways
of thinking.

73.4 More Myth than History?

Looking back on these events with more than a century of hindsight, we must
be careful not to take these verdicts on trust. The results were certainly novel,
exciting, and surprising. But how truly shocking were they? And did they
really demonstrate that we should not rely on geometric intuition?
On the question of shock, Gouvêa (2011) points out that Cantor’s famous
note to Dedekind, “je le vois, mais je ne le crois pas” is taken rather out of context.
Here is more of that context (quoted from Gouvêa):

Please excuse my zeal for the subject if I make so many demands

upon your kindness and patience; the communications which I
lately sent you are even for me so unexpected, so new, that I can
have no peace of mind until I obtain from you, honoured friend,
a decision about their correctness. So long as you have not agreed
with me, I can only say: je le vois, mais je ne le crois pas.

Cantor knew his result was “so unexpected, so new”. But it is doubtful that
he ever found his result unbelievable. As Gouvêa points out, he was simply
asking Dedekind to check the proof he had offered.
On the question of geometric intuition: Peano published his space-filling
curve without including any diagrams. But when Hilbert published his curve,
he explained his purpose: he would provide readers with a clear way to un-
derstand Peano’s result, if they “help themselves to the following geometric
intuition”; whereupon he included a series of diagrams just like those provided
in section 73.3.
More generally: whilst diagrams have fallen rather out of fashion in pub-
lished proofs, there is no getting round the fact that mathematicians frequently
use diagrams when proving things. (Roughly put: good mathematicians know
when they can rely upon geometric intuition.)

976 Release : d3a1905 (2022-12-19)

73.5. CANTOR ON THE LINE AND THE PLANE

In short: don’t believe the hype; or at least, don’t just take it on trust. For
more on this, you could read Giaquinto (2007).

73.5 Cantor on the Line and the Plane

Some of the circumstances surrounding the proof of Schröder-Bernstein tie
in with the history we discussed in section 73.3. Recall that, in 1877, Cantor
proved that there are exactly as many points on a square as on one of its sides.
Here, we will present his (first attempted) proof.
Let L be the unit line, i.e., the set of points [0, 1]. Let S be the unit square,
i.e., the set of points L × L. In these terms, Cantor proved that L ≈ S. He
wrote a note to Dedekind, essentially containing the following argument.

Theorem 73.1. L ≈ S

Proof: first part.. Fix a, b ∈ L. Write them in binary notation, so that we have
infinite sequences of 0s and 1s, a1 , a2 , . . . , and b1 , b2 , . . . , such that:

a = 0.a1 a2 a3 a4 . . .
b = 0.b1 b2 b3 b4 . . .

Now consider the function f : S → L given by

f ( a, b) = 0.a1 b1 a2 b2 a3 b3 a4 b4 . . .

Now f is an injection, since if f ( a, b) = f (c, d), then an = cn and bn = dn for

all n ∈ N, so that a = c and b = d.

Unfortunately, as Dedekind pointed out to Cantor, this does not answer

the original question. Consider 0.1̇0̇ = 0.1010101010 . . .. We need that f ( a, b) =
0.1̇0̇, where:

a = 0.1̇1̇ = 0.111111 . . .
b=0

But a = 0.1̇1̇ = 1. So, when we say “write a and b in binary notation”, we

have to choose which notation to use; and, since f is to be a function, we can
use only one of the two possible notations. But if, for example, we use the
simple notation, and write a as “1.000 . . .”, then we have no pair ⟨ a, b⟩ such
that f ( a, b) = 0.1̇0̇.
To summarise: Dedekind pointed out that, given the possibility of certain
recurring decimal expansions, Cantor’s function f is an injection but not a sur-
jection. So Cantor has shown only that S ⪯ L and not that S ≈ L.
Cantor wrote back to Dedekind almost immediately, essentially suggesting
that the proof could be completed as follows:

Release : d3a1905 (2022-12-19) 977

 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

Proof: completed.. So, we have shown that S ⪯ L. But there is obviously an in-
jection from L to S: just lay the line flat along one side of the square. So L ⪯ S
and S ⪯ L. By Schröder–Bernstein (Theorem 4.25), L ≈ S.

But of course, Cantor could not complete the last line in these terms, for
the Schröder-Bernstein Theorem was not yet proved. Indeed, although Cantor
would subsequently formulate this as a general conjecture, it was not satisfac-
torily proved until 1897. (And so, later in 1877, Cantor offered a different
proof of Theorem 73.1, which did not go via Schröder–Bernstein.)

73.6 Appendix: Hilbert’s Space-filling Curves

In chapter section 73.3, we mentioned that Cantor’s proof that a line and
a square have exactly the same number of points (Theorem 73.1) prompted
Peano to ask whether there might be a space-filling curve. He obtained a pos-
itive answer in 1890. In this section, we explain (in a hand-wavy way) how to
construct Hilbert’s space-filling curve (with a tiny tweak).2
We must define a function, h, as the limit of a sequence of functions h1 ,
h2 , h3 , . . . We first describe the construction. Then we show it is space-filling.
Then we show it is a curve.
We will take h’s range to be the unit square, S. Here is our first approxima-
tion to h, i.e., h1 :

To keep track of things, we have imposed a 2 × 2 grid on the square. We can

think of the curve starting in the bottom left quarter, moving to the top left,
then to the top right, then finally to the bottom right. Here is the second stage
in the construction, i.e., h2 :

2 For a more rigorous explanation, see Rose (2010). The tweak amounts to the inclusion of the

red parts of the curves below. This makes it slightly easier to check that the curve is continuous.

978 Release : d3a1905 (2022-12-19)

73.6. APPENDIX: HILBERT’S SPACE-FILLING CURVES

The different colours will help explain how h2 was constructed. We first place
scaled-down copies of the non-red bit of h1 into the bottom left, top left, top
right, and bottom right of our square (drawn in black). We then connect these
four figures (with green lines). Finally, we connect our figure to the boundary
of the square (with red lines).
Now to h3 . Just as h2 was made from four connected, scaled-down copies
of the non-red bit of h1 , so h3 is made up of four scaled-down copies of the
non-red bit of h2 (drawn in black), which are then joined together (with green
lines) and finally connected to the boundary of the square (with red lines).

And now we see the general pattern for defining hn+1 from hn . At last we
define the curve h itself by considering the point-by-point limit of these suc-
cessive functions h1 , h2 , . . . That is, for each x ∈ S:

h( x ) = lim hn ( x )
n→∞

We now show that this curve fills space. When we draw the curve hn , we
impose a 2n × 2n grid onto S. By Pythagoras’s Theorem, the diagonal of each
grid-location is of length:
q
1
(1/2n )2 + (1/2n )2 = 2( 2 −n)

and evidently hn passes through every grid-location. So each point in S is at

1
most 2( 2 −n) distance away from some point on hn . Now, h is defined as the
limit of the functions h1 , h2 , h3 , . . . So the maximum distance of any point from
h is given by:
1
lim 2( 2 −n) = 0.
n→∞
That is: every point in S is 0 distance from h. In other words, every point of S
lies on the curve. So h fills space!
It remains to show that h is, indeed, a curve. To show this, we must define
the notion. The modern definition builds on one given by Jordan in 1887 (i.e.,
only a few years before the first space-filling curve was provided):

Definition 73.2. A curve is a continuous map from L to R2 .

This is fairly intuitive: a curve is, intuitively, a “smooth” map which takes
a canonical line onto the plane R2 . Our function, h, is indeed a map from L

Release : d3a1905 (2022-12-19) 979

 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

to R2 . So, we just need to show that h is continuous. We defined continuity

in section 73.2 using ε/δ notation. In the vernacular, we want to establish the
following: If you specify a point p in S, together with any desired level of precision
ε, we can find an open section of L such that, given any x in that open section, h( x )
is within ε of p.
So: assume that you have specified p and ε. This is, in effect, to draw a
circle with centre p and radius ε on S. (The circle might spill off the edge of
S, but that doesn’t matter.) Now, recall that, when describing the function hn ,
we drew a 2n × 2n grid upon S. It is obvious that, no matter how small ε is,
there is some n such that some individual grid-location of the 2n × 2n grid on
S lies wholly within the circle with centre p and radius ε.
So, take that n, and let I be the largest open part of L which hn maps wholly
into the relevant grid location. (It is clear that ( a, b) exists, since we already
noted that hn passes through every grid-location in the 2n × 2n grid.) It now
suffices to show to show that, whenever x ∈ I the point h( x ) lies in that same
grid-location. And to do this, it suffices to show that hm ( x ) lies in that same
grid location, for any m > n. But this is obvious. If we consider what happens
with hm for m > n, we see that exactly the “same part” of the unit interval
is mapped into the same grid-location; we just map it into that region in an
increasingly stretched-out, wiggly fashion.

980 Release : d3a1905 (2022-12-19)

Part XVII

Reference

981
 CHAPTER 73. HISTORY AND MYTHOLOGY OF SET THEORY

This part collects various lists of alphabets, notations, definitions,

rules, etc., for inclusion as appendices in a textbook.

982 Release : d3a1905 (2022-12-19)

Chapter 74

The Greek Alphabet

Alpha α A Nu ν N
Beta β B Xi ξ Ξ
Gamma γ Γ Omicron o O
Delta δ ∆ Pi π Π
Epsilon ε E Rho ρ P
Zeta ζ Z Sigma σ Σ
Eta η H Tau τ T
Theta θ Θ Upsilon υ Υ
Iota ι I Phi φ Φ
Kappa κ K Chi χ X
Lambda λ Λ Psi ψ Ψ
Mu µ M Omega ω Ω

983
Chapter 75

The Fraktur Alphabet

A A a a N N n n
B B b b O O o o
C C c c P P p p
D D d d Q Q q q
E E e e R R r r
F F f f S S s s
G G g g T T t t
H H h h U U u u
I I i i V V v v
J J j j W W w w
K K k k X X x x
L L l l Y Y y y
M M m m Z Z z z

Photo Credits

Georg Cantor, p. 957: Portrait of Georg Cantor by Otto Zeth courtesy of the
Universitätsarchiv, Martin-Luther Universität Halle–Wittenberg. UAHW Rep. 40-
VI, Nr. 3 Bild 102.
Alonzo Church, p. 958: Portrait of Alonzo Church, undated, photogra-
pher unknown. Alonzo Church Papers; 1924–1995, (C0948) Box 60, Folder 3.
Manuscripts Division, Department of Rare Books and Special Collections, Prince-
ton University Library. © Princeton University. The Open Logic Project has

984
Photo Credits

obtained permission to use this image for inclusion in non-commercial OLP-

derived materials. Permission from Princeton University is required for any
other use.
Gerhard Gentzen, p. 959: Portrait of Gerhard Gentzen playing ping-pong
courtesy of Ekhart Mentzler-Trott.
Kurt Gödel, p. 960: Portrait of Kurt Gödel, ca. 1925, photographer un-
known. From the Shelby White and Leon Levy Archives Center, Institute for
Advanced Study, Princeton, NJ, USA, on deposit at Princeton University Li-
brary, Manuscript Division, Department of Rare Books and Special Collec-
tions, Kurt Gödel Papers, (C0282), Box 14b, #110000. The Open Logic Project
has obtained permission from the Institute’s Archives Center to use this image
for inclusion in non-commercial OLP-derived materials. Permission from the
Archives Center is required for any other use.
Emmy Noether, p. 962: Portrait of Emmy Noether, ca. 1922, courtesy of the
Abteilung für Handschriften und Seltene Drucke, Niedersächsische Staats-
und Universitätsbibliothek Göttingen, Cod. Ms. D. Hilbert 754, Bl. 14 Nr. 73.
Restored from an original scan by Joel Fuller.
Rózsa Péter, p. 963: Portrait of Rózsa Péter, undated, photographer un-
known. Courtesy of Béla Andrásfai.
Julia Robinson, p. 964: Portrait of Julia Robinson, unknown photographer,
courtesy of Neil D. Reid. The Open Logic Project has obtained permission to
use this image for inclusion in non-commercial OLP-derived materials. Per-
mission is required for any other use.
Bertrand Russell, p. 966: Portrait of Bertrand Russell, ca. 1907, courtesy of
the William Ready Division of Archives and Research Collections, McMaster
University Library. Bertrand Russell Archives, Box 2, f. 4.
Alfred Tarski, p. 967: Passport photo of Alfred Tarski, 1939. Cropped and
restored from a scan of Tarski’s passport by Joel Fuller. Original courtesy
of Bancroft Library, University of California, Berkeley. Alfred Tarski Papers,
Banc MSS 84/49. The Open Logic Project has obtained permission to use this
image for inclusion in non-commercial OLP-derived materials. Permission
from Bancroft Library is required for any other use.
Alan Turing, p. 968: Portrait of Alan Mathison Turing by Elliott & Fry, 29
March 1951, NPG x82217, © National Portrait Gallery, London. Used under a
Creative Commons BY-NC-ND 3.0 license.
Ernst Zermelo, p. 970: Portrait of Ernst Zermelo, ca. 1922, courtesy of the
Abteilung für Handschriften und Seltene Drucke, Niedersächsische Staats-
und Universitätsbibliothek Göttingen, Cod. Ms. D. Hilbert 754, Bl. 6 Nr. 25.

Release : d3a1905 (2022-12-19) 985

Bibliography

Andrásfai, Béla. 1986. Rózsa (Rosa) Péter. Periodica Polytechnica Electrical En-
gineering 30(2-3): 139–145. URL http://www.pp.bme.hu/ee/article/
view/4651.

Aspray, William. 1984. The Princeton mathematics community in the 1930s:

Alonzo Church. URL http://www.princeton.edu/mudd/finding_
aids/mathoral/pmc05.htm. Interview.

Baaz, Matthias, Christos H. Papadimitriou, Hilary W. Putnam, Dana S. Scott,

and Charles L. Harper Jr. 2011. Kurt Gödel and the Foundations of Mathematics:
Horizons of Truth. Cambridge: Cambridge University Press.

Banach, Stefan and Alfred Tarski. 1924. Sur la décomposition des ensembles
de points en parties respectivement congruentes. Fundamenta Mathematicae
6: 244–77.

Benacerraf, Paul. 1965. What numbers could not be. The Philosophical Review
74(1): 47–73.

Berkeley, George. 1734. The Analyst; or, a Discourse Adressed to an Infidel Mathe-
matician.

Boolos, George. 1971. The iterative conception of set. The Journal of Philosophy
68(8): 215–31.

Boolos, George. 1989. Iteration again. Philosophical Topics 17(2): 5–21.

Boolos, George. 2000. Must we believe in set theory? In Between Logic and Intu-
ition: Essays in Honor of Charles Parsons, eds. Gila Sher and Richard Tieszen,
257–68. Cambridge: Cambridge University Press.

Burali-Forti, Cesare. 1897. Una questione sui numeri transfiniti. Rendiconti del
Circolo Matematico di Palermo 11: 154–64.

Button, Tim. forthcoming. Level theory, part 1: Axiomatizing the bare idea of
a cumulative hierarchy of sets. Bulletin of Symbolic Logic .

986
BIBLIOGRAPHY

Cantor, Georg. 1878. Ein Beitrag zur Mannigfaltigkeitslehre. Journal für die
reine und angewandte Mathematik 84: 242–58.

Cantor, Georg. 1883. Grundlagen einer allgemeinen Mannigfaltigkeitslehre. Ein

mathematisch-philosophischer Versuch in der Lehre des Unendlichen. Leipzig:
Teubner.

Cantor, Georg. 1892. Über eine elementare Frage der Mannigfaltigkeitslehre.

Jahresbericht der deutschen Mathematiker-Vereinigung 1: 75–8.

Cheng, Eugenia. 2004. How to write proofs: A quick quide. URL

http://http://eugeniacheng.com/wp-content/uploads/2017/
02/cheng-proofguide.pdf.

Church, Alonzo. 1936a. A note on the Entscheidungsproblem. Journal of Sym-

bolic Logic 1: 40–41.

Church, Alonzo. 1936b. An unsolvable problem of elementary number theory.

American Journal of Mathematics 58: 345–363.

Cohen, Paul J. 1963. The independence of the continuum hypothesis. Pro-

ceedings of the National Academy of Sciences of the United States of America 24:
556–557.

Cohen, Paul J. 1966. Set Theory and the Continuum Hypothesis. Reading, MA:
Benjamin.

Conway, John. 2006. The power of mathematics. In Power, eds. Alan Blackwell
and David MacKay, Darwin College Lectures. Cambridge: Cambridge Uni-
versity Press. URL http://www.cs.toronto.edu/˜mackay/conway.
pdf.

Corcoran, John. 1983. Logic, Semantics, Metamathematics. Indianapolis: Hack-

ett, 2nd ed.

Csicsery, George. 2016. Zala films: Julia Robinson and Hilbert’s tenth problem.
URL http://www.zalafilms.com/films/juliarobinson.html.

Dauben, Joseph. 1990. Georg Cantor: His Mathematics and Philosophy of the Infi-
nite. Princeton: Princeton University Press.

Davis, Martin, Hilary Putnam, and Julia Robinson. 1961. The decision prob-
lem for exponential Diophantine equations. Annals of Mathematics 74(3):
425–436. URL http://www.jstor.org/stable/1970289.

Dedekind, Richard. 1888. Was sind und was sollen die Zahlen? Braunschweig:
Vieweg.

Dick, Auguste. 1981. Emmy Noether 1882–1935. Boston: Birkhäuser.

Release : d3a1905 (2022-12-19) 987

 BIBLIOGRAPHY

du Sautoy, Marcus. 2014. A brief history of mathematics: Georg Cantor. URL

http://www.bbc.co.uk/programmes/b00ss1j0. Audio Recording.

Duncan, Arlene. 2015. The Bertrand Russell Research Centre. URL http:
//russell.mcmaster.ca/.

Ebbinghaus, Heinz-Dieter. 2015. Ernst Zermelo: An Approach to his Life and

Work. Berlin: Springer-Verlag.

Ebbinghaus, Heinz-Dieter, Craig G. Fraser, and Akihiro Kanamori. 2010. Ernst

Zermelo. Collected Works, vol. 1. Berlin: Springer-Verlag.

Ebbinghaus, Heinz-Dieter and Akihiro Kanamori. 2013. Ernst Zermelo: Col-

lected Works, vol. 2. Berlin: Springer-Verlag.

Enderton, Herbert B. 2019. Alonzo Church: Life and Work. In The Collected
Works of Alonzo Church, eds. Tyler Burge and Herbert B. Enderton. Cam-
bridge, MA: MIT Press.

Feferman, Anita and Solomon Feferman. 2004. Alfred Tarski: Life and Logic.
Cambridge: Cambridge University Press.

Feferman, Solomon. 1994. Julia Bowman Robinson 1919–1985. Biograph-

ical Memoirs of the National Academy of Sciences 63: 1–28. URL http:
//www.nasonline.org/publications/biographical-memoirs/
memoir-pdfs/robinson-julia.pdf.

Feferman, Solomon, John W. Dawson Jr., Stephen C. Kleene, Gregory H.

Moore, Robert M. Solovay, and Jean van Heijenoort. 1986. Kurt Gödel: Col-
lected Works. Vol. 1: Publications 1929–1936. Oxford: Oxford University Press.

Feferman, Solomon, John W. Dawson Jr., Stephen C. Kleene, Gregory H.

Moore, Robert M. Solovay, and Jean van Heijenoort. 1990. Kurt Gödel: Col-
lected Works. Vol. 2: Publications 1938–1974. Oxford: Oxford University Press.

Feferman, Solomon and Azriel Levy. 1963. Independence results in set theory
by Cohen’s method II. Notices of the American Mathematical Society 10: 593.

Fraenkel, Abraham. 1922. Über den Begriff ‘definit’ und die Unabhängigkeit
des Auswahlaxioms. Sitzungsberichte der Preussischen Akadademie der Wis-
senschaften, Physikalisch-mathematische Klasse 253–257.

Frege, Gottlob. 1884. Die Grundlagen der Arithmetik: Eine logisch mathematische
Untersuchung über den Begriff der Zahl. Breslau: Wilhelm Koebner. Transla-
tion in Frege (1953).

Frege, Gottlob. 1953. Foundations of Arithmetic, ed. J. L. Austin. Oxford: Basil

Blackwell & Mott, 2nd ed.

988 Release : d3a1905 (2022-12-19)

BIBLIOGRAPHY

Frey, Holly and Tracy V. Wilson. 2015. Stuff you missed in history class:
Emmy Noether, mathematics trailblazer. URL https://www.iheart.
com/podcast/stuff-you-missed-in-history-cl-21124503/
episode/emmy-noether-mathematics-trailblazer-30207491/.
Podcast audio.
Gentzen, Gerhard. 1935a. Untersuchungen über das logische Schließen I.
Mathematische Zeitschrift 39: 176–210. English translation in Szabo (1969),
pp. 68–131.
Gentzen, Gerhard. 1935b. Untersuchungen über das logische Schließen II.
Mathematische Zeitschrift 39: 176–210, 405–431. English translation in Szabo
(1969), pp. 68–131.
Giaquinto, Marcus. 2007. Visual Thinking in Mathematics. Oxford: Oxford Uni-
versity Press.
Gödel, Kurt. 1929. Über die Vollständigkeit des Logikkalküls [On the com-
pleteness of the calculus of logic]. Dissertation, Universität Wien. Reprinted
and translated in Feferman et al. (1986), pp. 60–101.
Gödel, Kurt. 1931. über formal unentscheidbare Sätze der Principia Mathe-
matica und verwandter Systeme I [On formally undecidable propositions
of Principia Mathematica and related systems I]. Monatshefte für Mathematik
und Physik 38: 173–198. Reprinted and translated in Feferman et al. (1986),
pp. 144–195.
Gödel, Kurt. 1938. The consistency of the axiom of choice and the generalized
continuum hypothesis. Proceedings of the National Academy of Sciences of the
United States of America 50: 1143–8.
Gouvêa, Fernando Q. 2011. Was Cantor surprised? American Mathematical
Monthly 118(3): 198–209.
Grattan-Guinness, Ivor. 1971. Towards a biography of Georg Cantor. Annals
of Science 27(4): 345–391.
Hammack, Richard. 2013. Book of Proof. Richmond, VA: Virginia Common-
wealth University. URL http://www.people.vcu.edu/˜rhammack/
BookOfProof/BookOfProof.pdf.
Hartogs, Friedrich. 1915. Über das Problem der Wohlordnung. Mathematische
Annalen 76: 438–43.
Hausdorff, Felix. 1914. Bemerkung über den Inhalt von Punktmengen. Math-
ematische Annalen 75: 428–34.
Heijenoort, Jean van. 1967. From Frege to Gödel: A Source Book in Mathematical
Logic, 1879–1931. Cambridge, MA: Harvard University Press.

Release : d3a1905 (2022-12-19) 989

 BIBLIOGRAPHY

Hilbert, David. 1891. Über die stetige Abbildung einer Linie auf ein
Flächenstück. Mathematische Annalen 38(3): 459–460.

Hilbert, David. 2013. David Hilbert’s Lectures on the Foundations of Arithmetic

and Logic 1917–1933, eds. William Bragg Ewald and Wilfried Sieg. Heidel-
berg: Springer.

Hodges, Andrew. 2014. Alan Turing: The Enigma. London: Vintage.

Hume, David. 1740. A Treatise of Human Nature. London.

Hutchings, Michael. 2003. Introduction to mathematical arguments. URL

https://math.berkeley.edu/˜hutching/teach/proofs.pdf.

Incurvati, Luca. 2020. Conceptions of Set and the Foundations of Mathematics.

Cambridge: Cambridge University Press.

Institute, Perimeter. 2015. Emmy Noether: Her life, work, and influence. URL
https://www.youtube.com/watch?v=tNNyAyMRsgE. Video Lecture.

Irvine, Andrew David. 2015. Sound clips of Bertrand Russell speak-

ing. URL http://plato.stanford.edu/entries/russell/
russell-soundclips.html.

Jacobson, Nathan. 1983. Emmy Noether: Gesammelte Abhandlungen—Collected

Papers. Berlin: Springer-Verlag.

John Dawson, Jr. 1997. Logical Dilemmas: The Life and Work of Kurt Gödel. Boca
Raton: CRC Press.

Katz, Karin Usadi and Mikhail G. Katz. 2012. Stevin numbers and reality.
Foundations of Science 17(2): 109–23.

Kunen, Kenneth. 1980. Set Theory: An Introduction to Independence Proofs. New

York: North Holland.

Lévy, Azriel. 1960. Axiom schemata of strong infinity in axiomatic set theory.
Pacific Journal of Mathematics 10(1): 223–38.

LibriVox. n.d. Bertrand Russell. URL https://librivox.org/author/

1508?primary_key=1508&search_category=author&search_
page=1&search_form=get_results. Collection of public domain
audiobooks.

Linnebo, Øystein. 2010. Predicative and impredicative definitions. Internet

Encyclopedia of Philosophy URL http://www.iep.utm.edu/predicat/.

Linsenmayer, Mark. 2014. The partially examined life: Gödel on

math. URL http://www.partiallyexaminedlife.com/2014/06/
16/ep95-godel/. Podcast audio.

990 Release : d3a1905 (2022-12-19)

BIBLIOGRAPHY

MacFarlane, John. 2015. Alonzo Church’s JSL reviews. URL http://

johnmacfarlane.net/church.html.

Maddy, Penelope. 1988a. Believing the axioms I. Journal of Symbolic Logic 53(2):
481–511.

Maddy, Penelope. 1988b. Believing the axioms II. Journal of Symbolic Logic
53(3): 736–64.

Magnus, P. D., Tim Button, J. Robert Loftis, Aaron Thomas-Bolduc, Robert

Trueman, and Richard Zach. 2021. Forall x: Calgary. An Introduction to For-
mal Logic. Calgary: Open Logic Project, f21 ed. URL https://forallx.
openlogicproject.org/.

Matijasevich, Yuri. 1992. My collaboration with Julia Robinson. The Mathemat-

ical Intelligencer 14(4): 38–45.

Menzler-Trott, Eckart. 2007. Logic’s Lost Genius: The Life of Gerhard Gentzen.
Providence: American Mathematical Society.

Montague, Richard. 1961. Semantic closure and non-finite axiomatizability I.

In Infinitistic Methods: Proceedings of the Symposium on Foundations of Mathe-
matics (Warsaw 1959), 45–69. New York: Pergamon.

Montague, Richard. 1965. Set theory and higher-order logic. In Formal systems
and recursive functions, eds. John Crossley and Michael Dummett, 131–48.
Amsterdam: North-Holland. Proceedings of the Eight Logic Colloquium,
July 1963.

O’Connor, John J. and Edmund F. Robertson. 2005. The real numbers:

Stevin to Hilbert URL http://www-history.mcs.st-and.ac.uk/
HistTopics/Real_numbers_2.html.

O’Connor, John J. and Edmund F. Robertson. 2014. Rózsa Péter.

URL http://www-groups.dcs.st-and.ac.uk/˜history/
Biographies/Peter.html.

Peano, Giuseppe. 1890. Sur une courbe, qui remplit toute une aire plane. Math-
ematische Annalen 36(1): 157–60.

Péter, Rózsa. 1935a. Über den Zusammenhang der verschiedenen Begriffe der
rekursiven Funktion. Mathematische Annalen 110: 612–632.

Péter, Rózsa. 1935b. Konstruktion nichtrekursiver Funktionen. Mathematische

Annalen 111: 42–60.

Péter, Rózsa. 1951. Rekursive Funktionen. Budapest: Akademiai Kiado. English

translation in (Péter, 1967).

Release : d3a1905 (2022-12-19) 991

 BIBLIOGRAPHY

Péter, Rózsa. 1967. Recursive Functions. New York: Academic Press.

Péter, Rózsa. 2010. Playing with Infinity. New York: Dover. URL
https://books.google.ca/books?id=6V3wNs4uv_4C&lpg=PP1&
ots=BkQZaHcR99&lr&pg=PP1#v=onepage&q&f=false.

Potter, Michael. 2004. Set Theory and its Philosophy. Oxford: Oxford University
Press.

Radiolab. 2012. The Turing problem. URL http://www.radiolab.org/

story/193037-turing-problem/. Podcast audio.

Ramsey, Frank Plumpton. 1925. The foundations of mathematics. Proceedings

of the London Mathematical Society 25: 338–384.

Reid, Constance. 1986. The autobiography of Julia Robinson. The College Math-
ematics Journal 17: 3–21.

Reid, Constance. 1996. Julia: A Life in Mathematics. Cambridge: Cam-

bridge University Press. URL https://books.google.ca/books?id=
lRtSzQyHf9UC&lpg=PP1&pg=PP1#v=onepage&q&f=false.

Robinson, Julia. 1949. Definability and decision problems in arithmetic.

Journal of Symbolic Logic 14(2): 98–114. URL http://www.jstor.org/
stable/2266510.

Robinson, Julia. 1996. The Collected Works of Julia Robinson. Providence: Amer-
ican Mathematical Society.

Robinson, Raphael. 1947. On the decomposition of spheres. Fundamenta Math-

ematicae 34(1): 246–60.

Rose, Daniel. 2012. A song about Georg Cantor. URL https://www.

youtube.com/watch?v=QUP5Z4Fb5k4. Audio Recording.

Rose, Nicholas J. 2010. Hilbert-type space-filling curves. URL

https://web.archive.org/web/20151010184939/http:
//www4.ncsu.edu/˜njrose/pdfFiles/HilbertCurve.pdf.

Russell, Bertrand. 1905. On denoting. Mind 14: 479–493.

Russell, Bertrand. 1919. Introduction to Mathematical Philosophy. London: Allen

& Unwin.

Russell, Bertrand. 1967. The Autobiography of Bertrand Russell, vol. 1. London:

Allen and Unwin.

Russell, Bertrand. 1968. The Autobiography of Bertrand Russell, vol. 2. London:

Allen and Unwin.

992 Release : d3a1905 (2022-12-19)

BIBLIOGRAPHY

Russell, Bertrand. 1969. The Autobiography of Bertrand Russell, vol. 3. London:

Allen and Unwin.

Russell, Bertrand. n.d. Bertrand Russell on smoking. URL https://www.

youtube.com/watch?v=80oLTiVW_lc. Video Interview.

Sandstrum, Ted. 2019. Mathematical Reasoning: Writing and Proof. Allendale,

MI: Grand Valley State University. URL https://scholarworks.gvsu.
edu/books/7/.

Scott, Dana. 1974. Axiomatizing set theory. In Axiomatic Set Theory II, ed.
Thomas Jech, 207–14. American Mathematical Society. Proceedings of the
Symposium in Pure Mathematics of the American Mathematical Society,
July–August 1967.

Segal, Sanford L. 2014. Mathematicians under the Nazis. Princeton: Princeton

University Press.

Shoenfield, Joseph R. 1977. Axioms of set theory. In Handbook of Mathematical

Logic, ed. Jon Barwise, 321–44. London: North-Holland.

Sigmund, Karl, John Dawson, Kurt Mühlberger, Hans Magnus Enzensberger,

and Juliette Kennedy. 2007. Kurt Gödel: Das Album–The Album. The Math-
ematical Intelligencer 29(3): 73–76.

Skolem, Thoralf. 1922. Einige Bemerkungen zur axiomatischen Begründung

der Mengenlehre. In Wissenschaftliche Vorträge gehalten auf dem fünften
Kongress der skandanivschen Mathematiker in Helsingfors vom 4. bis zum 7. Juli
1922, 137–52. Akademiska Bokhandeln.

Smith, Peter. 2013. An Introduction to Gödel’s Theorems. Cambridge: Cambridge

University Press.

Smullyan, Raymond M. 1968. First-Order Logic. New York, NY: Springer.

Corrected reprint, New York, NY: Dover, 1995.

Solow, Daniel. 2013. How to Read and Do Proofs. Hoboken, NJ: Wiley.

Steinhart, Eric. 2018. More Precisely: The Math You Need to Do Philosophy. Pe-
terborough, ON: Broadview, 2nd ed.

Sykes, Christopher. 1992. BBC Horizon: The strange life and death of Dr. Tur-
ing. URL https://www.youtube.com/watch?v=gyusnGbBSHE.

Szabo, Manfred E. 1969. The Collected Papers of Gerhard Gentzen. Amsterdam:

North-Holland.

Takeuti, Gaisi, Nicholas Passell, and Mariko Yasugi. 2003. Memoirs of a Proof
Theorist: Gödel and Other Logicians. Singapore: World Scientific.

Release : d3a1905 (2022-12-19) 993

 BIBLIOGRAPHY

Tamassy, Istvan. 1994. Interview with Róza Péter. Modern Logic 4(3): 277–280.

Tarski, Alfred. 1981. The Collected Works of Alfred Tarski, vol. I–IV. Basel:
Birkhäuser.

Theelen, Andre. 2012. Lego turing machine. URL https://www.youtube.

com/watch?v=FTSAiF9AHN4.

Tomkowicz, Grzegorz and Stan Wagon. 2016. The Banach-Tarski Paradox. Cam-
bridge: Cambridge University Press.

Turing, Alan M. 1937. On computable numbers, with an application to the

“Entscheidungsproblem”. Proceedings of the London Mathematical Society, 2nd
Series 42: 230–265.

Tyldum, Morten. 2014. The imitation game. Motion picture.

Velleman, Daniel J. 2019. How to Prove It: A Structured Approach. Cambridge:

Cambridge University Press, 3rd ed.

Vitali, Giuseppe. 1905. Sul problema della misura dei gruppi di punti di una retta.
Bologna: Gamberini e Parmeggiani.

von Neumann, John. 1925. Eine Axiomatisierung der Mengenlehre. Journal

für die reine und angewandte Mathematik 154: 219–40.

Wang, Hao. 1990. Reflections on Kurt Gödel. Cambridge: MIT Press.

Weston, Tom. 2003. The Banach-Tarski paradox URL http://people.

math.umass.edu/˜weston/oldpapers/banach.pdf.

Whitehead, Alfred North and Bertrand Russell. 1910. Principia Mathematica,

vol. 1. Cambridge: Cambridge University Press.

Zermelo, Ernst. 1904. Beweis, daß jede Menge wohlgeordnet werden kann.
Mathematische Annalen 59: 514–516. English translation in (Ebbinghaus
et al., 2010, pp. 115–119).

Zermelo, Ernst. 1908a. Untersuchungen über die Grundlagen der Mengen-

lehre I. Mathematische Annalen 65: 261–81.

Zermelo, Ernst. 1908b. Untersuchungen über die Grundlagen der Mengen-

lehre I. Mathematische Annalen 65(2): 261–281. English translation in
(Ebbinghaus et al., 2010, pp. 189-229).

Zuckerman, Martin M. 1973. Formation sequences for propositional formulas.

Notre Dame Journal of Formal Logic 14(1): 134–138.

994 Release : d3a1905 (2022-12-19)