An Analytic Propositional Proof System on Graphs

The notion of formula is central to all applications of logic and proof theory in computer science, ranging from the formal verification of software, where a formula describes a property that the program should satisfy, to logic programming, where a formula represents a program [miller:uniform, Kobayashi1993], and functional programming, where a formula represents a type [howard:80]. Proof theoretical methods are also employed in concurrency theory, where a formula can represent a process whose behaviours may be extracted from a proof of the formula [miller:pi, bruscoli:02, FAGES200114, deng_simmons_cervesato_2016, OLARTE201746, NIGAM201735, horne:19, Horne2019b, Horne2020]. This formulas-as-processes paradigm is not as well-investigated as the formulas-as-properties, formulas-as-programs and formulas-as-types paradigms mentioned before. In our opinion, a reason for this is that the notion of formula reaches its limitations when it comes to describing processes as they are studied in concurrency theory.

For example, Guglielmi’s BV [gug:SIS] and Retoré’s pomset logic [Retore1997] are proof systems which extend linear logic with a notion of sequential composition and can model series-parallel orders.¹¹1In his PhD-thesis [retore:phd], Retoré considers all partial ordered multisets, but in later versions [retore:21] only series-parallel orders are considered to maintain the correspondence to formulas.^,222It has long been believed that BV and pomset logic are the same, but recently it has been shown that this is not the case [tito:lutz:csl22, SIS-III]. However, series-parallel orders cannot express some ubiquitous patterns of causal dependencies such as the logical time constraints on producer-consumer queues [Lodaya2000], which are within the scope of pomsets [Pratt1986], event structures [Nielsen1985], and Petri nets [Petri1976]. The essence of this problem is already visible when we consider symmetric dependencies, such as separation, which happens to be the dual concept to concurrency in the formulas-as-processes paradigm.

Let us use some simple examples to explain the problem. Suppose we are in a situation where two processes $A$ and $B$ can communicate with each other, written as $A\mathbin{\parr}B$, or are separated from each other, written as $A\mathbin{\otimes}B$, such that no communication is possible. Now assume we have four atomic processes $a$, $b$, $c$, and $d$, from which we form the two processes $P=(a\mathbin{\otimes}b)\mathbin{\parr}(c\mathbin{\otimes}d)$ and $Q=(a\mathbin{\parr}c)\mathbin{\otimes}(b\mathbin{\parr}d)$. Both are perfectly fine formulas of multiplicative linear logic ($\mathsf{MLL}$) [girard:87]. In $P$, we have that $a$ is separated from $b$ but can communicate with $c$ and $d$. Similarly, $d$ can communicate with $a$ and $b$ but is separated from $c$, and so on. On the other hand, in $Q$, $a$ can only communicate with $c$ and is separated from the other two, and $d$ can only communicate with $b$, and is separated from the other two. We can visualise this situation via graphs where $a$, $b$, $c$, and $d$ are the vertices, and we draw an edge between two vertices if they are separated, and no edge if they can communicate. Then $P$ and $Q$ correspond to the two graphs shown below.

It should also be possible to describe a situation where $a$ is separated from $b$, and $b$ is separated from $c$, and $c$ is separated from $d$, but $a$ can communicate with $c$ and $d$, and $b$ can communicate with $d$, as indicated by the graph below.

An example of this behaviour could arise in the setting of concurrent processes, where four processes $a$, $b$, $c$, and $d$ satisfy information flow constraints such that $c$ and $a$ can communicate; $a$ and $d$ can communicate; and $d$ and $b$ can communicate, and no further communications are possible. This models an intransitive information flow, since we have two processes, $a$ and $d$, which can communicate with each other, and respectively with $c$ and $b$; yet the same processes must also ensure that no information flows between $c$ and $b$. However, the graph (2) cannot be described by a formula in the way illustrated for the two graphs in (1).

This means that the tools of proof theory, which have been developed over the course of the last century and which were very successful for the formulas-as-properties, formulas-as-programs, and formulas-as-types paradigms, cannot be used for the formulas-as-processes paradigm unless we forbid situations as in (2) above. This seems to be a very strong and unnatural restriction (that is, it is an a posteri restriction imposed by the use of formulas, with no a priory justification stemming from process modelling problems). The purpose of this paper is to propose a way to change this unsatisfactory situation.

We will present a proof system, called $\mathsf{GS}$ (for graphical proof system), whose objects of reason are not formulas but graphs, giving the example in (2) the same status as the examples in (1). In a less informal way, one could say that standard proof systems work on cographs (which are the class of graphs that correspond to formulas as in (1) [duffin:65]), and our proof systems works on arbitrary graphs. In order for this to make sense, our proof system should obey the following basic properties:

1. (1)

   Consistency: There are graphs that are not provable. In particular, if only a finite number of graphs is provable (or not provable) then the proof system would not be interesting.

2. (2)

   Transitivity: The proof system should come with an implication that is transitive, i.e., if we can prove that $A$ implies $B$ and that $B$ implies $C$, then we should also be able to prove that $A$ implies $C$.

3. (3)

   Analyticity: As we no longer have formulas, we cannot ask that every formula that occurs in a proof is a subformula of its conclusion. However, we can investigate a graph theoretical version of this idea, and we can ask that in a proof search situation, there is always only a finite number of ways to apply an inference rule.

4. (4)

   Minimality: We want to make as few assumptions as possible, so that the theory we develop is as general as possible.

Properties 1-3 are standard for any proof system, and they are usually proved using cut elimination. In that respect our paper is no different. We introduce a notion of cut and show its admissibility for $\mathsf{GS}$. Then Properties 1-3 are immediate consequences.

Property 4 is of a more subjective nature. In our case, we only make the following two basic assumptions:

1. (1)

   For any graph $A$, we should be able to prove that $A$ implies $A$. This assumption is almost impossible to argue against, so can be expected for any logic.

2. (2)

   If a graph $A$ is provable, then the graph $G=C[A]$ is also provable, provided that $C[\cdot]$ is a provable context.³³3Formally, the notation $G=C[A]$ means that $A$ is a module of $G$, and $C[\cdot]$ is the graph obtained from $G$ by removing all vertices belonging to $A$. We give the formal definition in Section LABEL:sec:modules. This can be compared to the necessitation rule of modal logic, which says that if $A$ is provable then so is $\Box A$, except that in our case the $\Box$ is replaced by the provable graph context $C[\cdot]$.

All other properties of the system $\mathsf{GS}$ follow from the need to obtain admissibility of cut. This means that this paper does not present some random system, but follows the underlying principles of proof theory. For a more detailed philosophical presentation of these principles, we refer the reader to Appendix LABEL:sec:phil.

We also target the desirable property of conservativity. This means that there should be a well-known logic $\mathsf{L}$ (based on formulas) such that the restriction of our proof system to those graphs that correspond to formulas proves exactly the theorems of $\mathsf{L}$. This cannot be an assumption used to design a logical system, since it would create circularity (to specify a logic we need a logic); conservativity is more so a cultural sanity condition to check that we have not invented an esoteric logic. In our case, conservativity will follow from cut admissibility, and the logic $\mathsf{L}$ is multiplicative linear logic with mix ($\mathsf{MLL^{\circ}}$) [girard:87, bellin:mix, fleury:retore:94].

Let us now summarise how this paper is organised: In Section 2, we give preliminaries on cographs, which form the class of graphs that correspond to formulas as in (1). Then, in Section LABEL:sec:modules we give some preliminaries on modules and prime graphs, which are needed for our move away from cographs, so that in Section LABEL:sec:system, we can present our proof system, which uses the notation of open deduction [gug:gun:par:2010] and follows the principles of deep inference [gug:str:01, brunnler:tiu:01, gug:SIS]. To our knowledge, this is the first proof system that is not tied to formulas/cographs but handles arbitrary (undirected) graphs instead. In Section LABEL:sec:properties we show some properties of our system, and Sections LABEL:sec:splitting and LABEL:sec:upfrag are dedicated to cut elimination, which is the basis for showing properties (1), (2), and (3), mentioned above. We also explain the technology we must develop in order to be able to prove cut elimination for our proof system. The interesting point is that, not only do we go beyond methods developed for the sequent calculus, but we also go beyond methods developed for deep inference on formulas. In particular, we require entirely new statements of the tools called splitting and context reduction, and furthermore their proofs are inter-dependent, whereas normally context reduction follows from splitting [SIS-V, gug:tub:split].

Then, in Section LABEL:sec:MLL, we not only show that our system is a conservative extension of $\mathsf{MLL^{\circ}}$, we also show a form of analyticity for our system. Finally, in Section LABEL:sec:generalised, we show how our work is related to the work on generalised connectives introduced in [girard:87:b, danos:regnier:89]. We end this paper with a discussion of related work in Section LABEL:sec:relatedWork and a conclusion in Section LABEL:sec:conclusion.

Compared to the conference version [Acclavio2020] of this paper, there are the following three major additions:

• •

  We give detailed proofs of the Splitting Lemma and the Context Reduction Lemma (in Section LABEL:sec:splitting and Appendix LABEL:sec:splittingproofs), which are crucial for the cut elimination proof. In fact, we also completely reorganised the proofs with respect to the technical appendix of [Acclavio2020]⁴⁴4That appendix is available at https://hal.inria.fr/hal-02560105.. For proving these lemmas, we could not rely on the general method that has been proposed by Aler Tubella in her PhD [tubella:phd].

• •

  We present a notion of analyticity for proof systems on graphs and show that our system is analytic in that respect (in Section LABEL:sec:MLL).

• •

  We show that general graphs with $n$ vertices can be seen as generalised $n$-ary connectives (in Section LABEL:sec:generalised), and we compare this notion with the existing notion of generalised (multiplicative) connective [girard:87:b, danos:regnier:89, mai:19, acc:mai:20].

• •

  We include in Appendix LABEL:sec:phil a more detailed discussion of how our proof system can be considered satisfactory with respect to the Properties (1)–(4) mentioned above.

Finally, let us argue that logics are not designed but discovered. They typically follow logical principles where design parameters are limited. For example, we will see that we do not get to chose whether or not the following implications hold:

There is no pre-existing semantics or proof system we can refer to at this point. Nonetheless, from the above discussed principles we can argue, that in a logic on graphs, the former implication in (3) cannot hold while the latter must hold. Over the course of this paper, we explore the design of proof systems on graphs based on logical principles, which enables us to confidently state such facts.

In this preliminary section we recall the basic textbook definitions for graphs and formulas, and their correspondence via cographs.

A (simple, undirected) graph $G$ is a pair $\langle V_{G},E_{G}\rangle$ where $V_{G}$ is a set of vertices and $E_{G}$ is a set of two-element subsets of $V_{G}$. We omit the index $G$ when it is clear from the context. For $v,w\in V_{G}$ we write $vw$ as an abbreviation for $\{v,w\}$. A graph $G$ is finite if its vertex set $V_{G}$ is finite. Let $L$ be a set and $G$ be a graph. We say that $G$ is $L$-labelled (or just labelled if $L$ is clear from the context) if every vertex in $V_{G}$ is associated with an element of $L$, called its label. We write $\ell_{G}(v)$ to denote the label of the vertex $v$ in $G$. A graph $G^{\prime}$ is a subgraph of a graph $G$, denoted as $G^{\prime}\subseteq G$ iff $V_{G^{\prime}}\subseteq V_{G}$ and $E_{G^{\prime}}\subseteq E_{G}$. We say that $G^{\prime}$ is an induced subgraph of $G$ if $G^{\prime}$ is a subgraph of $G$ and for all $v,w\in V_{G^{\prime}}$, if $vw\in E_{G}$ then $vw\in E_{G^{\prime}}$. For a graph $G$ we write $|V_{G}|$ for its number of vertices and $|E_{G}|$ for its number of edges.

In the following, we will just say graph to mean a finite, undirected, labelled graph, where the labels come from the set $\mathcal{A}$ of atoms which is the (disjoint) union of a countable set of propositional variables $\mathcal{V}=\{a,b,c,\ldots\}$ and their duals ${\mathcal{V}^{\bot}}=\{{a^{\bot}},{b^{\bot}},{c^{\bot}},\ldots\}$.

Since we are mainly interested in how vertices are labelled, but not so much in the identity of the underlying vertex, we heavily rely on the notion of graph isomorphism.

Two graphs $G$ and $G^{\prime}$ are isomorphic if there exists a bijection $f\colon V_{G}\rightarrow V_{G^{\prime}}$ such that for all $v,u\in V_{G}$ we have $vu\in E_{G}$ iff $f(v)f(u)\in E_{G^{\prime}}$ and $\ell_{G}(v)=\ell_{G^{\prime}}(f(v))$. We denote this as $G\simeq_{f}G^{\prime}$, or simply as $G\simeq G^{\prime}$ if $f$ is clear from the context or not relevant.

In the following, we will, in diagrams, forget the identity of the underlying vertices, showing only the label, as in the examples in the introduction.

In the rest of this section we recall the characterisation of those graphs that correspond to formulas. For simplicity, we restrict ourselves to only two connectives, and for reasons that will become clear later, we use the $\mathbin{\parr}$ (par) and $\mathbin{\otimes}$ (tensor) of linear logic [girard:87]. More precisely, formulas are generated by the grammar

where $\mathord{\circ}$ is the unit, and $a$ can stand for any propositional variable in $\mathcal{V}$. As usual, we can define the negation of formulas inductively by letting ${a^{\bot\bot}}=a$ for all $a\in\mathcal{V}$, and by using the De Morgan duality between $\mathbin{\parr}$ and $\mathbin{\otimes}$: ${(\phi\mathbin{\parr}\psi)^{\bot}}={\phi^{\bot}}\mathbin{\otimes}{\psi^{\bot}}$ and ${(\phi\mathbin{\otimes}\psi)^{\bot}}={\phi^{\bot}}\mathbin{\parr}{\psi^{\bot}}$; the unit is self-dual: ${\mathord{\circ}^{\bot}}=\mathord{\circ}$.

On formulas we define the following structural equivalence relation:

In order to translate formulas to graphs, we define the following two operations on graphs:

Let $G=\langle V_{G},E_{G}\rangle$ and $H=\langle V_{H},E_{H}\rangle$ be graphs. We define the par of $G$ and $H$ to be their disjoint union and the tensor to be their join, i.e.:

These operations can be visualised as follows:

For a formula $\phi$, we can now define its associated graph $\llbracket\phi\rrbracket$ inductively as follows: $\llbracket\mathord{\circ}\rrbracket=\varnothing$ the empty graph; $\llbracket a\rrbracket=a$ a single-vertex graph whose vertex is labelled by $a$ (by a slight abuse of notation, we denote that graph also by $a$); similarly $\llbracket{a^{\bot}}\rrbracket={a^{\bot}}$; finally we define $\llbracket\phi\mathbin{\parr}\psi\rrbracket=\llbracket\phi\rrbracket\mathbin{\parr}\llbracket\psi\rrbracket$ and $\llbracket\phi\mathbin{\otimes}\psi\rrbracket=\llbracket\phi\rrbracket\mathbin{\otimes}\llbracket\psi\rrbracket$.

A graph is