Gentzen-Prawitz Natural Deduction as a Teaching Tool
arXiv preprint [cs.LO]
Jean-François Monin, Cristian Ene, and Michaël Périn
Université de Grenoble 1
Abstract.
We report a four-year experiment in teaching reasoning to undergraduate students, ranging from weak to gifted, using Gentzen-Prawitz style natural deduction. We argue that this pedagogical approach is a good alternative to the use of Boolean algebra for teaching reasoning, especially for computer scientists and formal methods practitioners.
1 Introduction

Logic is one of the most basic ingredients of formal methods. The most common approach for teaching logic takes its root in the model-theoretic view: logical connectors are seen as Boolean functions (truth tables), and then generalized to quantifiers: ∀ is like an infinite conjunction, ∃ is like an infinite disjunction. Teaching logic along these lines is a well-established tradition. Boolean algebra proved efficient for solving enigmas and, much more seriously, for designing digital circuits or automating the resolution of large combinatorial problems (e.g. by reduction to SAT). In the area of hardware and of programming, Boolean expressions play a key role in control structures such as the if and while constructs, not to speak about bit-level programming.

However, the Boolean approach is not so clearly related to usual reasoning. The case of implication is especially questionable. In everyday life, as well as in mathematics textbooks, nobody proves an implication A ⇒ B by computing a truth table: one assumes A and then proves B under this hypothesis.

It is even argued that logic is essentially about proofs, before being about truth. First we can observe that in some logics, including temporal logics and modal logics which have many applications in formal methods, the semantics of a proposition is rather more complex than a truth value: typically, it is described by a Kripke semantics. But even in the case of usual logics, logicians following Dummett, Prawitz and Schroeder-Heister worked on a proof-theoretic semantics of logic (see [11] for a recent presentation).

Proofs can be formalized using syntactic objects described by deduction systems. Such systems were introduced in the last century in order to study the meta-theory of logic. Four years ago, we decided to experiment with the use of a particular deduction system, namely Gentzen-Prawitz Natural Deduction (GPND, for short), for teaching purposes at an introductory undergraduate level. The choice of GPND is discussed below in Section 2.
The main thesis of this paper is that GPND has a strong pedagogical interest independent from meta-theoretical considerations. First, it provides a much better explanation of the meaning (and even: essence) of logical connectors and quantifiers. A formal framework for proof writing is necessary to point out mistakes in reasoning which, due to ambiguity, are always arguable in proofs written in natural language. Manual proof checking becomes perfectly rigorous (indeed it can be automated, but this is another issue) and moreover it provides precious hints for proof search. More technical advantages are discussed below in Section 4.1. Though this material is especially relevant as an introduction to formal methods, we claim that, more generally, it illustrates several key notions of computer science:
– Case analysis
– Tree-like data structures
– Modularity
– Divide and conquer problem solving
– Variables and scopes
– Rule-based formalisms (preparation to more advanced courses)
– Good support for discussing the relation between syntax and semantics
– Introduction to proof assistants
Let us add that it also provides good help for writing rigorous and accurate proofs by induction. However, some pitfalls have to be avoided. The way some notions are introduced is sensitive, and some notations have to be carefully designed in order to keep interesting proofs at a manageable size without loss of precision.

Our thesis is supported by our experience with the use of GPND in an introductory course on logic, given to first year undergraduate students from 2005 to 2009. The rest of the paper is organized as follows. In Section 2, we present the scientific background, i.e. a short account of natural deduction. In Section 3, we outline the contents of the course we have given since 2005. In Section 4, we discuss some issues related to this experiment as well as possible extensions. We conclude in Section 5.
2 Natural Deduction

Natural Deduction was invented by Gerhard Gentzen [6] and further studied by Dag Prawitz [10] for the meta-theoretical study of first-order logic. In contrast with Hilbert-style deduction systems, characterized by few inference rules and many axioms, Gentzen's systems have only one axiom and many inference rules. A strong point of his approach is that each connector is considered separately, providing an intrinsic meaning for it: intuitively, each connector ∗ is defined by the canonical way to prove a formula having ∗ as its principal connector (introduction rules), or to exploit a formula having ∗ as its principal connector (elimination rules). The rules are recalled in Figure 1. All hypotheses have a name such as h_n. Discharged hypotheses are distinguished by square brackets around their name (e.g. [h_n]), and the place where they are discharged appears in the label of the rule (then we know that this hypothesis is no longer available below this rule).

The main meta-theoretical property of Gentzen's systems is the cut-elimination theorem saying that, basically, proofs can be normalized in such a way that the last rule is an introduction rule for the principal connector of the conclusion [10, 7]. Important corollaries are the subformula property (delimiting the proof search space) and the consistency of logic (without reference to model-theoretic semantics).

Here, we are more interested in the pedagogical value of GPND proof-trees. We think that it comes from their intrinsic features: they are concrete, intuitive, and according to some logician philosophers, they reflect exactly proof objects (again, see [11]).
The latter fact is particularly evident if one considers GPND proof-trees as another syntax for typed lambda-calculus, through the Curry-Howard-De Bruijn isomorphism [3, 8, 2] (this is not the case in another popular representation of natural deduction using sequents, see Section 4.3 for details).

If we compare with the Boolean approach to teaching logic, proof-trees are certainly more complex than Boolean values but, in some respect, they look concrete and may be perceived as less abstract than Boolean functions. We may just regret that shortcuts using Boolean algebraic laws are not for free in natural deduction. In Boolean algebra, equivalence is the same as equality, whereas here it is a congruence: we can show that if A ⟺ B, then for any context C[.], we have C[A] ⟺ C[B]. The proof is by induction on the structure of contexts. It is not very difficult and can be understood by good students, at least for propositional logic, and is a good introduction to the meta-theoretical study of logic, but we could not afford to present it at the level considered in our pedagogical experience. Fortunately, it turns out that algebraic laws are mainly useful when handling large propositional formulas, which is not the case in our exercises. In places where, say, commutativity, associativity or the replacement of ¬A ⇒ ¬B with B ⇒ A could be used, they can easily be bypassed.

3 The Course

The course was designed to introduce logical reasoning to students without previous systematic exposure to logic, in order to prepare them for further courses on computational models, automata and languages, program specification and verification, formal methods, etc. Despite some basic practice in mathematics, many of them have gaps in dealing with proofs and even in capturing the meaning of implication and quantifiers.

Our aim is then to provide an intuition of logical connectors and proofs using 1) a systematic approach based on the structure of the formula to prove, 2) a careful and explicit treatment of quantifiers and 3) a computational data structure able to implement these requirements, namely proof-trees.
Fig. 1. Gentzen-Prawitz Natural Deduction Rules

Conjunction and implication:

$$\frac{A \qquad B}{A \wedge B}\ \wedge I \qquad \frac{A \wedge B}{A}\ \wedge E1 \qquad \frac{A \wedge B}{B}\ \wedge E2 \qquad \dfrac{\begin{array}{c}[h_n]\\ A\\ \vdots\\ B\end{array}}{A \Rightarrow B}\ \Rightarrow I[h_n] \qquad \frac{A \Rightarrow B \qquad A}{B}\ \Rightarrow E$$

Disjunction, absurdity, negation and the classical rules:

$$\frac{A}{A \vee B}\ \vee I1 \qquad \frac{B}{A \vee B}\ \vee I2 \qquad \dfrac{A \vee B \qquad \begin{array}{c}[h_n]\\ A\\ \vdots\\ C\end{array} \qquad \begin{array}{c}[h_m]\\ B\\ \vdots\\ C\end{array}}{C}\ \vee E[h_n, h_m]$$

$$\frac{\bot}{A}\ \bot E \qquad \neg A \overset{def}{=} A \Rightarrow \bot \qquad \frac{}{A \vee \neg A}\ PEM \qquad \frac{\neg\neg A}{A}\ \neg\neg E$$

Quantifiers:

$$\dfrac{\begin{array}{c}\overset{h_1}{H_1(\ldots)}\ \cdots\ \overset{h_n}{H_n(\ldots)}\\ \vdots\\ P(x)\end{array}}{\forall x\, P(x)}\ \forall I \qquad \frac{\forall x\, P(x)}{P(t)}\ \forall E(x := t)$$

Side condition for ∀I: x must not be free in any available hypothesis h_1 … h_n.

$$\frac{P(t)}{\exists x\, P(x)}\ \exists I \qquad \dfrac{\exists x\, P(x) \qquad \begin{array}{c}[h_n]\\ P(x)\\ \vdots\\ C\end{array}}{C}\ \exists E[h_n]$$

Side conditions for ∃E: in the proof of C from P(x), x must not be free in any available hypothesis but h_n; x must not be free in C.
3.1 First Steps with Proof-trees

Just to start with, we assume an intuitive and rough knowledge of ∧, ∨ and ⇒. The first new idea to become familiar with is the notion of proof-tree. A difficulty with GPND is that deductions, in general, depend on hypotheses and that the stock of hypotheses varies as one progresses in the reading of a proof. We then chose to postpone this issue and to use, in the first lesson, only deductions having no effect on available hypotheses. To this effect we could start with GPND rules such as ∧I, ∧E1, ∧E2, ⇒E, ∨I1, ∨I2. However this would break a systematic exposition of the rules. We therefore slightly cheat in a first stage: we introduce ad-hoc inference rules, relevant to the formalization of a toy reasoning, such as tri (transitivity of implication) and dli (disjunction on the left of an implication):

$$\frac{A \Rightarrow B \qquad B \Rightarrow C}{A \Rightarrow C}\ tri \qquad\qquad \frac{A \Rightarrow C \qquad B \Rightarrow C}{(A \vee B) \Rightarrow C}\ dli$$

The specific rules are not important at this stage. We aim at teaching a new game, where the key ideas are:
– The notion of inference rule, with premises, conclusion, and justification (a name used as a label for an inference rule).
– Checking that an inference rule is correctly applied is an easy mechanical task.
– A rule is actually a schema (propositional variables can be replaced with any proposition).
– A proof-tree relates hypotheses (on the top) to one conclusion (at the bottom).
– A proof-tree is built from inference rules.
– Generalization and modularity: one can build a proof-tree from subtrees.
The last items are illustrated in a very intuitive way, using examples following the diagrams of Figures 2 and 3, where numbers represent propositions (technically, natural deduction distinguishes the name, here a number, of a proposition from what the proposition stands for, e.g. A ∧ B ⇒ C ∨ D; it may even happen that two different names stand for the same proposition; of course such details are beyond the scope of the lesson). Figure 3 also illustrates a situation where the same hypothesis is used several times (in general, a hypothesis can be used 0, 1 or several times). The rules of the game change very quickly (from the second lesson), but not its shape. Actually, playing with somewhat complicated rules (involving 3 or 4 occurrences of connectors) drives us to a quest for convincing elementary rules.

Before going further, let us mention that we can name proof-trees and use such names as justifications for non-elementary proof steps. We introduce in this way derived inference rules, in advanced chapters.
Fig. 2. Branching proof-trees together (diagram not reproduced)

Fig. 3. Abstraction of a proof-tree (diagram not reproduced)
3.2 Propositional Connectors

We keep the presentation of Gentzen, where each rule deals with only one connector. In some sense, GPND rules provide a semantics to the corresponding connector, by explaining the canonical ways to prove and to exploit a formula governed by this connector. We start with ∧, which has the simplest rules, and illustrate them on a proof of B ∧ A assuming A ∧ B.

The next connector (⇒) is the most important for several reasons:
– any theorem has at least one occurrence of ⇒ (unless PEM, the Principle of Excluded Middle, is used): a theorem is the conclusion of a proof-tree where all hypotheses are discharged;
– it is often misunderstood by students, and
– it is the fundamental place for discussing hypotheses management.
That said, ⇒E is well-known (just another name for modus ponens) and the statement of ⇒I is very natural, as it sticks to the common practice for proving A ⇒ B: suppose A, then prove B.

The hypothesis h_n mentioned in ⇒I[h_n] is said to be available in the sub-proof-tree concluding with B. This rule has a special interest for computer scientists, as it illustrates the notion of scope, which is here applied to hypotheses: the scope of an hypothesis is its availability domain. Note that the scope is here at the level of proof-trees. In particular, we insist on maintaining a clear separation, using boxes, between different sub-proof-trees equipped with their hypotheses, to represent scopes.

Interesting exercises, ranging from easy to difficult, can be proposed using only ∧ and ⇒, or even just ⇒. Here are some examples (note that ⇒ associates to the right):
– A ∧ B ⇒ B ∧ A (very easy);
– [(A ∧ B) ⇒ C] ⇒ (A ⇒ B ⇒ C), and conversely: intuitively, there are two equivalent ways to express the idea of “and if”;
– (A ⇒ B ⇒ C) ⇒ ((A ⇒ B) ⇒ (A ⇒ C));
– A ⇒ B ⇒ A (somewhat troubling);
– (A ⟺ (A ⇒ B)) ⇒ B.
In the last one, P ⟺ Q is an abbreviation for (P ⇒ Q) ∧ (Q ⇒ P).
It is basically the essence of diagonal arguments: replacing B with absurdity ⊥ and using the definition of ¬ (see below), it means that A cannot be equivalent to ¬A. Here, the argument is developed constructively, without case analysis on A ∨ ¬A. An interesting challenge is to find a solution without repeating sub-proof-trees: for more advanced students, it illustrates the notion of cut, similar to a lemma in informal practice.

We finish this part with disjunction. The two introduction rules are obvious. The elimination rule corresponds to case analysis and requires hypotheses management, hence another opportunity to discuss scopes. Note that students are tempted to invent a ∨E rule with 2 conclusions, something like

$$\frac{A \vee B}{A \qquad B}\ \text{wrong-}\vee E$$

Here we have to explain that a proof-tree with 2 (and then, in general, many) conclusions is a complicated beast. In some sense those conclusions should be handled separately (otherwise, we could deduce A ∧ B from the previous deduction). However, separate deductions starting from A and from B need eventually to be synchronized, once the same conclusion is reached. But further complications will happen, typically if A (or B) has to be used several times. So we keep things simple, sticking to the shape of a tree.

Let us mention here another challenging exercise, which requires a good understanding of ⇒I:
– ((A ∨ (A ⇒ C)) ⇒ C) ⇒ C
It can be related to the elimination of double negations, to come later.
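The claim that checking a proof-tree is "an easy mechanical task", and the scope discipline for hypotheses discussed in this section, can be made concrete with a small checker. The following Python program is an added example for this page, not code from the authors' course: formulas and proof-trees are plain tuples, the rule names are those of Figure 1, and the dictionary of available hypotheses threaded through the recursion is exactly the scope of a hypothesis (it grows only inside the sub-tree of the ⇒I or ∨E rule that discharges the hypothesis). The sample trees cover two exercises from the list above and two typical student errors: a hypothesis used outside the ⇒I that discharges it, and a hypothesis of one ∨E branch used in the other branch.

```python
"""Checker for Gentzen-Prawitz natural deduction proof-trees, propositional
fragment (∧, ⇒, ∨).  Added example for this page, not code from the authors'
course.  Formulas and proof-trees are plain tuples; checking is a structural
recursion over the tree, and the hypotheses available at a node are exactly
the ones discharged by the ⇒I / ∨E rules below it: the scopes of section 3.2."""


class ProofError(Exception):
    """A misapplied rule or a hypothesis used outside its scope."""


def atom(p): return ("atom", p)
def AND(a, b): return ("and", a, b)
def IMP(a, b): return ("imp", a, b)
def OR(a, b): return ("or", a, b)


def show(f):
    """Render a formula in the paper's notation; ⇒ associates to the right."""
    if f[0] == "atom":
        return f[1]
    par = lambda g: show(g) if g[0] == "atom" else f"({show(g)})"
    if f[0] == "imp":
        return f"{par(f[1])} ⇒ {show(f[2])}"
    return f"{par(f[1])} {'∧' if f[0] == 'and' else '∨'} {par(f[2])}"


def bind(available, name, formula):
    """Put a hypothesis in scope; a live name may not be shadowed."""
    if name in available:
        raise ProofError(f"hypothesis name {name} is already in use")
    return {**available, name: formula}


def check(tree, available=None):
    """Return the conclusion of `tree` or raise ProofError.  `available` maps
    the names of the hypotheses in scope at this node to their formulas."""
    available = {} if available is None else available
    rule, *args = tree
    if rule == "hyp":                       # leaf: an available hypothesis
        if args[0] not in available:
            raise ProofError(f"hypothesis {args[0]} is not available here "
                             "(out of scope or already discharged)")
        return available[args[0]]
    if rule == "∧I":
        return AND(check(args[0], available), check(args[1], available))
    if rule in ("∧E1", "∧E2"):
        f = check(args[0], available)
        if f[0] != "and":
            raise ProofError(f"{rule} needs a conjunction, got {show(f)}")
        return f[1] if rule == "∧E1" else f[2]
    if rule == "⇒I":                        # ⇒I[name]: discharge name : a in sub
        name, a, sub = args
        return IMP(a, check(sub, bind(available, name, a)))
    if rule == "⇒E":                        # modus ponens
        f, a = check(args[0], available), check(args[1], available)
        if f[0] != "imp" or f[1] != a:
            raise ProofError(f"⇒E: {show(f)} does not accept {show(a)}")
        return f[2]
    if rule in ("∨I1", "∨I2"):              # the other disjunct is supplied
        f, other = check(args[0], available), args[1]
        return OR(f, other) if rule == "∨I1" else OR(other, f)
    if rule == "∨E":                        # ∨E[n1, n2]: one hypothesis per branch
        disj, n1, sub1, n2, sub2 = args
        d = check(disj, available)
        if d[0] != "or":
            raise ProofError(f"∨E needs a disjunction, got {show(d)}")
        c1 = check(sub1, bind(available, n1, d[1]))
        c2 = check(sub2, bind(available, n2, d[2]))
        if c1 != c2:
            raise ProofError(f"∨E branches conclude {show(c1)} and {show(c2)}")
        return c1
    raise ProofError(f"unknown rule {rule}")


def verdict(tree):
    """(True, conclusion) for a correct tree, (False, reason) otherwise."""
    try:
        return True, show(check(tree))
    except ProofError as err:
        return False, str(err)


A, B = atom("A"), atom("B")

# A ∧ B ⇒ B ∧ A: assume h1 : A ∧ B, project both halves, rebuild them swapped.
SWAP = ("⇒I", "h1", AND(A, B),
        ("∧I", ("∧E2", ("hyp", "h1")), ("∧E1", ("hyp", "h1"))))

# A ⇒ B ⇒ A (the "somewhat troubling" one): h2 : B is discharged unused.
WEAK = ("⇒I", "h1", A, ("⇒I", "h2", B, ("hyp", "h1")))

# A ∨ B ⇒ B ∨ A by case analysis; each branch gets its own hypothesis.
ORSWAP = ("⇒I", "h", OR(A, B),
          ("∨E", ("hyp", "h"), "a", ("∨I2", ("hyp", "a"), B),
                               "b", ("∨I1", ("hyp", "b"), A)))

# Scope violation: h1 is available only inside the ⇒I that discharges it.
BAD_SCOPE = ("∧I", ("⇒I", "h1", A, ("hyp", "h1")), ("hyp", "h1"))

# Cross-branch leak: hypothesis a of the first ∨E branch used in the second.
BAD_CASES = ("⇒I", "h", OR(A, A),
             ("∨E", ("hyp", "h"), "a", ("hyp", "a"), "b", ("hyp", "a")))

if __name__ == "__main__":
    for name in ("SWAP", "WEAK", "ORSWAP", "BAD_SCOPE", "BAD_CASES"):
        print(name, verdict(globals()[name]))
```

The checker never searches for a proof; it only validates one, which is why its error messages can be as precise as the remarks a teacher makes on a student's tree ("hypothesis h1 is not available here"). The two-conclusion wrong-∨E rule cannot even be written down in this representation, since every node has exactly one conclusion.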
3.3 First-order Logic

Before explaining the rules, a number of notions are needed on what is usually called a first-order language. However, a perfectly formal and rigorous presentation would be counter-productive at this level. Students have an operational knowledge of terms made of function symbols, constants and variables. So we insist only on sensitive concepts: free and bound variables, their scope (at the level of the syntax of formulas, here), substitution of free variables. Formulas which differ only in the names of bound variables are considered identical. The rule for ∀ elimination is obvious. We choose to provide the substitution in the label: ∀E(x := t) means that the (free occurrences of) variable x will be substituted with t. This level of precision is useful (even needed!) for students; we go back to this issue in Section 4.

Rule ∀I raises the sensitive question of fresh variables. In the premise P(x), x stands for an arbitrary variable. What does it mean? It is easy to explain that “arbitrary” means “not subject to an hypothesis” or, more accurately, “not subject to an available hypothesis”, hence “not free in any available hypothesis”. We could say as well that the premise P(x) must not be in the scope (at the level of proofs) of an hypothesis on x. Mastering hypotheses handling is then crucial at this stage. We require students to write explicitly this side condition as x ∉ FV(h_1, …, h_n) and to check it during the proof process.

The explanations about ∃E[h_n] are along the same lines. We stress that ∃ behaves like an infinite version of ∨. Hence it is not surprising that the structure of ∃E is similar to ∨E. But similarly as well, students tend to formalize “we know that ∃x P(x); let x be the witness such that P(x)” by

$$\frac{\exists x\, P(x)}{P(x)}\ \text{wrong-}\exists E$$

Such a rule leads very quickly to undesired consequences, as it behaves as a ∀E(x := x). Indeed, it yields

$$\dfrac{\dfrac{\exists x\, P(x)}{P(x)}\ \text{wrong-}\exists E}{\forall x\, P(x)}\ \forall I$$

hence (∃x P(x)) ⇒ (∀x P(x)).
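The side conditions of ∀I and ∃E are where this derivation is stopped when the real ∃E rule is used: the witness hypothesis P(x) is in scope in the sub-tree, so x is free in an available hypothesis and ∀I is not applicable. The following Python program is an added example for this page (not the authors' code): a checker for the ⇒/∀/∃ fragment that carries the hypotheses in scope at each node and refuses a ∀I or ∃E whose variable is free in one of them, i.e. it performs the x ∉ FV(h_1, …, h_n) check students are asked to write. The sample trees are the exercise given at the end of this section (quantifier swap, which passes), its converse (rejected at the ∀I over y) and the derivation above rewritten with the real ∃E (rejected at the ∀I over x). Terms and formulas are tuples, and ∀E(x := t) and ∃I carry the term t explicitly in the node, as the course requires in the label.

```python
"""Free-variable side conditions of ∀I and ∃E, as an added example for this
page (not the authors' code).  A checker for the ⇒ / ∀ / ∃ fragment that keeps
the hypotheses in scope at each node and refuses a ∀I or ∃E whose variable is
free in one of them, i.e. the condition students write as x ∉ FV(h1, …, hn).
Terms: a str is a variable, ("F", t1, …) an application.  Formulas:
("pred", "R", t1, …), ("imp", a, b), ("forall", "x", body), ("exists", "x", body)."""


class ProofError(Exception):
    pass


def fv_term(t):
    return {t} if isinstance(t, str) else set().union(*(fv_term(a) for a in t[1:]))


def fv(f):
    """Free variables of a formula; a quantifier binds its variable."""
    if f[0] == "pred":
        return set().union(*(fv_term(a) for a in f[2:]))
    if f[0] == "imp":
        return fv(f[1]) | fv(f[2])
    return fv(f[2]) - {f[1]}


def subst_term(t, x, s):
    if isinstance(t, str):
        return s if t == x else t
    return (t[0],) + tuple(subst_term(a, x, s) for a in t[1:])


def subst(f, x, s):
    """f[x := s], refusing a substitution that would capture a variable of s."""
    if f[0] == "pred":
        return f[:2] + tuple(subst_term(a, x, s) for a in f[2:])
    if f[0] == "imp":
        return ("imp", subst(f[1], x, s), subst(f[2], x, s))
    q, y, body = f
    if y == x:                        # x is bound here: nothing free below
        return f
    if y in fv_term(s):
        raise ProofError(f"substituting {s} for {x} would capture {y}")
    return (q, y, subst(body, x, s))


def leak(x, hyps):
    """Name of an available hypothesis in which x is free, or None."""
    return next((n for n, h in hyps.items() if x in fv(h)), None)


def check(tree, hyps=None):
    """Conclusion of the proof-tree, `hyps` being the hypotheses in scope."""
    hyps = {} if hyps is None else hyps
    rule, *args = tree
    if rule == "hyp":
        if args[0] not in hyps:
            raise ProofError(f"hypothesis {args[0]} is not available")
        return hyps[args[0]]
    if rule == "⇒I":
        name, a, sub = args
        return ("imp", a, check(sub, {**hyps, name: a}))
    if rule == "⇒E":
        f, a = check(args[0], hyps), check(args[1], hyps)
        if f[0] != "imp" or f[1] != a:
            raise ProofError("⇒E: premise mismatch")
        return f[2]
    if rule == "∀I":                    # x must be fresh for every hypothesis in scope
        x, sub = args
        if (n := leak(x, hyps)) is not None:
            raise ProofError(f"∀I: {x} is free in available hypothesis {n}")
        return ("forall", x, check(sub, hyps))
    if rule == "∀E":                    # ∀E(x := t), t given in the node
        f, t = check(args[0], hyps), args[1]
        if f[0] != "forall":
            raise ProofError("∀E needs a universal formula")
        return subst(f[2], f[1], t)
    if rule == "∃I":                    # from P(t) conclude ∃x P(x), t given
        sub, x, t, body = args
        if check(sub, hyps) != subst(body, x, t):
            raise ProofError("∃I: premise is not an instance of the body")
        return ("exists", x, body)
    if rule == "∃E":                    # ∃E[name]: witness hypothesis name : P(x) in sub
        f, name, sub = check(args[0], hyps), args[1], args[2]
        if f[0] != "exists":
            raise ProofError("∃E needs an existential formula")
        x, body = f[1], f[2]
        if (n := leak(x, hyps)) is not None:
            raise ProofError(f"∃E: {x} is free in available hypothesis {n}")
        c = check(sub, {**hyps, name: body})
        if x in fv(c):
            raise ProofError(f"∃E: witness {x} is free in the conclusion")
        return c
    raise ProofError(f"unknown rule {rule}")


def verdict(tree):
    """(True, conclusion) for a correct tree, (False, reason) otherwise."""
    try:
        return True, check(tree)
    except ProofError as err:
        return False, str(err)


def R(a, b): return ("pred", "R", a, b)
def P(a): return ("pred", "P", a)


# (∃x ∀y R(x,y)) ⇒ (∀y ∃x R(x,y)) is a theorem: when ∀I generalizes y, the only
# hypothesis with a free variable is the witness e : ∀y R(x,y), and it is x.
SWAP_OK = ("⇒I", "h", ("exists", "x", ("forall", "y", R("x", "y"))),
           ("∃E", ("hyp", "h"), "e",
            ("∀I", "y", ("∃I", ("∀E", ("hyp", "e"), "y"), "x", "x", R("x", "y")))))

# The converse is not: here ∀I over y sits inside the scope of e : R(x,y).
SWAP_BAD = ("⇒I", "h", ("forall", "y", ("exists", "x", R("x", "y"))),
            ("∃E", ("∀E", ("hyp", "h"), "y"), "e",
             ("∃I", ("∀I", "y", ("hyp", "e")), "x", "x", ("forall", "y", R("x", "y")))))

# The wrong-∃E derivation, with the real rule: (∃x P(x)) ⇒ (∀x P(x)) is refused.
EX_TO_ALL = ("⇒I", "h", ("exists", "x", P("x")),
             ("∃E", ("hyp", "h"), "e", ("∀I", "x", ("hyp", "e"))))
```

Note the two distinct checks in ∃E: the witness variable must be fresh with respect to the hypotheses outside the sub-tree, and it must not escape into the conclusion. Either one alone would let a "convenient" choice of witness through.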
This usual error is an opportunity to discuss the effect and the consequences of wrong-∃E. The right ∃E rule takes a situation where one has a proof of ∃x P(x) and, from any witness x such that P(x), one can build a proof-tree ∇ having some conclusion C, possibly using other premises. Then, one can infer C. Note that P(x) may be used several times in ∇, while this is not feasible with wrong-∃E: students agree that each application of that rule would produce a different witness x_i. Another important intuition is that, in ∀E(x := x), x does not come from the premise ∀x P(x); it is typically given by a ∀I below in the proof-tree (the proof is often built in a bottom-up manner, initially). This is to be contrasted with ∃E, where x is a witness contained in the proof of the premise ∃x P(x).

At this point students are able to find proof-trees for formulas such as (∃x ∀y R(x, y)) ⇒ (∀y ∃x R(x, y)) and to become aware that the converse is not a theorem.

3.4 Absurdity and Negation

The absurd proposition (⊥) has no introduction rule. We mention that ⊥ cannot be proved in the empty context, as a corollary of the cut-elimination theorem (the latter is only stated, its proof is beyond the scope of our course). Negation is defined by ¬A ≝ A ⇒ ⊥.

It is interesting to note that ⊥ and ¬ can be introduced very late, after first-order notions. Many interesting exercises can be done without ¬. In fact, we could delay these connectors even further, after equalities and induction. A large amount of logic material can be developed without reference to False.
For instance, this is the case for the algebraic properties of + and × on natural numbers.

However we decided to talk about ¬ at this stage in order to introduce classical reasoning, using either the Principle of Excluded Middle (PEM) or ¬¬E. This is also the place for discussing constructive reasoning, something which is certainly more sensitive in the framework of computer science than in mathematics.

Among the exercises which can be proposed at this stage, let us mention some puzzles such as
– ¬¬A ∧ ¬¬B ⟺ ¬¬(A ∧ B)
– ¬¬(¬¬A ∨ ¬¬B ⟺ ¬¬(A ∨ B))
They can be proved with ¬¬E, but finding a solution without this rule and without PEM requires a good understanding of implication.

3.5 Equality

If o and o′ are “identical”, it is clear that everything we prove about o holds for o′ as well. This common kind of equational reasoning, often called Leibniz's law, is embodied in our framework as equality elimination. We recall it in Figure 4, together with equality introduction, which is the only general axiom about =, that is, equality is reflexive. It is easy to derive symmetry and transitivity of = from =I and =E. In principle, it is possible to present any equational reasoning as proof-trees using only =I and =E. However, it turns out quite tedious and lengthy. Therefore we prefer to present an equational reasoning as illustrated on the right hand side of Figure 5. It can be shown (by induction on the number of rewriting steps) that such a proof can be put in the proof-tree format. Implementing that transformation on proof-trees could be a programming exercise in a companion course on functional programming. This proof E_i is then abstracted under the form of a multiple inference step, shown on the left hand side of Figure 5. Note that justifications used in E_i can themselves refer to separate proof-trees.

Fig. 4. Rules for equality

$$\frac{}{t = t}\ =I \qquad\qquad \frac{a = b \qquad P(a)}{P(b)}\ =E$$

Fig. 5. Equational reasoning

$$\dfrac{\overbrace{\quad}^{h_1}\ \cdots\ \overbrace{\quad}^{h_n}}{U = Z}\ \mathcal{E}_i \qquad\text{where } \mathcal{E}_i \text{ is}\qquad
\begin{array}{ll}
U & \\
= & \{\text{justification that } U = V \text{ provided } h_1 \ldots h_n\} \\
V & \\
\vdots & \\
Y & \\
= & \{\text{justification that } Y = Z \text{ provided } h_1 \ldots h_n\} \\
Z &
\end{array}$$

3.6 Definitions

A very useful device for keeping proofs manageable is to use definitions. For instance a sub-formula such as ∀x P(x) ⇒ Q(x, y) can be abbreviated as R(y), provided we define R(u) ≝ ∀x P(x) ⇒ Q(x, u). Free variables have to be properly taken into account. The definiendum can be freely replaced with the corresponding definiens and conversely. Technically speaking, in proof theory, such steps are not considered as deductions, but follow from the conversion rule, which means that a proof-tree having A as its conclusion is a proof-tree having B as its conclusion, when A ≝ B or when B ≝ A (for a more general setting, we refer the reader to deduction modulo as defined in [4]). However, for pedagogical purposes, we prefer to make such steps explicit, at least at the beginning. In order to distinguish such steps from regular deduction steps, we present them using dotted lines instead of plain lines. In the previous example (where D and E are propositions), we could then write

$$\dfrac{D \wedge (\forall x\, P(x) \Rightarrow Q(x, y)) \vee E}{D \wedge R(y) \vee E}\ R\ def \qquad\text{(dotted line in the original)}$$

The reverse replacement can also be done by invoking R def.

3.7 Sets

Definitions are extensively used when dealing with set-theoretic constructs. Besides the extensionality axiom
– A = B ⟺ (∀x, x ∈ A ⟺ x ∈ B)
we have the following definitions:
– A ⊆ B ≝ (∀x x ∈ A ⇒ x ∈ B)
– x ∈ A ∩ B ≝ x ∈ A ∧ x ∈ B
– x ∈ A ∪ B ≝ x ∈ A ∨ x ∈ B
– x ∈ ∅ ≝ ⊥
– x ∈ {a} ≝ x = a
– x ∈ {a_1, …, a_n} ≝ x = a_1 ∨ … ∨ x = a_n
– A ∈ P(B) ≝ A ⊆ B
From these definitions we prove convenient derived rules, given in Figure 6. From an epistemological point of view, students get a taste of mathematical foundations: relying on a solid basis to define new objects and some convenient abstract rules to reason about them.

Fig. 6. Derived rules for set-theoretic notations (the underlying GPND rules are given in parentheses; ⊆I and ext inherit the side condition of ∀I on x)

$$\dfrac{\begin{array}{c}[n]\\ x \in A\\ \vdots\\ x \in B\end{array}}{A \subseteq B}\ \subseteq I[n]\ (\Rightarrow I,\ \forall I) \qquad \dfrac{x \in A \qquad A \subseteq B}{x \in B}\ \subseteq E\ (\forall E,\ \Rightarrow E) \qquad \dfrac{\begin{array}{c}[n]\\ x \in A\\ \vdots\\ x \in B\end{array} \qquad \begin{array}{c}[m]\\ x \in B\\ \vdots\\ x \in A\end{array}}{A = B}\ ext[n, m]$$

$$\dfrac{x \in A \qquad x \in B}{x \in A \cap B}\ \cap I\ (\wedge I) \qquad \dfrac{x \in A \cap B}{x \in A}\ \cap E1\ (\wedge E1) \qquad \dfrac{x \in A \cap B}{x \in B}\ \cap E2\ (\wedge E2)$$

$$\dfrac{x \in A}{x \in A \cup B}\ \cup I1\ (\vee I1) \qquad \dfrac{x \in B}{x \in A \cup B}\ \cup I2\ (\vee I2) \qquad \dfrac{x \in A \cup B \qquad \begin{array}{c}[n]\\ x \in A\\ \vdots\\ P\end{array} \qquad \begin{array}{c}[m]\\ x \in B\\ \vdots\\ P\end{array}}{P}\ \cup E[n, m]\ (\vee E)$$
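Two of the derivations that Sections 3.5 and 3.7 leave to the reader, written out here as an added worked example (not part of the original paper). First, symmetry and transitivity of = from the two rules of Figure 4 alone; the only ingredient is the choice of the predicate P in =E, indicated next to each step:

$$\dfrac{a = b \qquad \dfrac{}{a = a}\ =I}{b = a}\ =E \quad\text{with } P(z) := (z = a)
\qquad\qquad
\dfrac{b = c \qquad a = b}{a = c}\ =E \quad\text{with } P(z) := (a = z)$$

In the first tree the second premise is P(a), namely a = a, and the conclusion is P(b), namely b = a; in the second the equation used is b = c, the second premise is P(b), namely a = b, and the conclusion is P(c).

Second, transitivity of ⊆, i.e. (A ⊆ B) ⇒ ((B ⊆ C) ⇒ (A ⊆ C)), using the derived rules of Figure 6:

$$\dfrac{\dfrac{\dfrac{\dfrac{\overset{[n]}{x \in A} \qquad \overset{[h_1]}{A \subseteq B}}{x \in B}\ \subseteq E \qquad \overset{[h_2]}{B \subseteq C}}{x \in C}\ \subseteq E}{A \subseteq C}\ \subseteq I[n]}{(B \subseteq C) \Rightarrow (A \subseteq C)}\ \Rightarrow I[h_2]$$

followed by ⇒I[h_1]. The side condition of ⊆I (that of ∀I) holds: x is not free in h_1 or h_2, since it is bound inside the definition of ⊆. Unfolding the ⊆I[n] step shows what the derived rule abbreviates, with the definition step that the course draws as a dotted line:

$$\dfrac{\dfrac{\dfrac{\begin{array}{c}[n]\\ x \in A\\ \vdots\\ x \in C\end{array}}{x \in A \Rightarrow x \in C}\ \Rightarrow I[n]}{\forall x\; x \in A \Rightarrow x \in C}\ \forall I}{A \subseteq C}\ \subseteq def$$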
3.8 Induction

The usual induction principle is formalized by the following deduction rule:

$$\dfrac{P(0) \qquad \forall n\; P(n) \Rightarrow P(S(n))}{\forall n\; P(n)}\ \text{nat-rec}$$

We also provide Peano axioms and then can propose exercises on elementary algebraic properties of addition and multiplication:
– +0: ∀n n + 0 = n
– +S: ∀n ∀m n + S(m) = S(n + m)
– ×0: ∀n n × 0 = 0
– ×S: ∀n ∀m n × S(m) = (n × m) + n

Predicates ≤ and < can be defined by m ≤ n ≝ ∃k n = k + m and m < n ≝ S(m) ≤ n. Then we can derive “strong” (or noetherian) induction on natural numbers:

$$\dfrac{\forall n\; (\forall m\; m < n \Rightarrow P(m)) \Rightarrow P(n)}{\forall n\; P(n)}\ \text{strong-nat-rec}$$

A natural extension is to work on structural induction on ML-style lists or binary trees.

3.9 A Typical Example

In order to illustrate the above ideas, we consider the example depicted in Figure 7, which is a typical examination problem. In order to simplify notations, we do not type variables, but we want to emphasize that n is a natural number variable (hence we can apply inductive reasoning over it). Also, for the sake of simplicity, we start by defining some predicates. Predicate H_1 states that everybody has a father, predicate H_2 states that everybody is its own 0-ancestor, and predicate H_3 states that the (n+1)-ancestor is the father of the n-ancestor. We want to prove that for any n ∈ ℕ, everybody has an n-ancestor, that is, for any n ∈ ℕ, the property Q(n) holds. The way we teach this example is the following. First, we remark that we want to prove some statement, without any additional hypothesis. Fortunately, the goal is an implication. Hence, it suffices to prove the right part, admitting the left part as an hypothesis. Formally, this corresponds to an application of the ⇒I rule. We continue this bottom-up proof by applying the rule ⇒I twice again. Now, we face a property of the kind ∀n … where n is a variable ranging over naturals, so we can apply induction. The next goal is split into two other sub-goals.
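The same development, as an added example for this page (not part of the original paper, whose own material on proof assistants is limited to the references to Coq and Isabelle/HOL in Section 4.1), written as a script for the Lean 4 proof assistant with core tactics only (no Mathlib). The script follows Figure 7 step by step: the three ⇒I steps become the three named hypotheses, nat-rec becomes `induction`, the two sub-goals are the `zero` and `succ` cases (the trees B and T), and the equational reasoning D is the `rw` chain. The names F, A, H1, H2, H3, Q, hrec, e1, e2 are those of the figure; `Person` is an assumed carrier type, and S(n) is written n + 1.

```lean
section Ancestors

-- Person is an assumed carrier type; F is "father of", A n x is "the n-ancestor of x".
variable {Person : Type} (F : Person → Person) (A : Nat → Person → Person)

/-- Q(n): everybody has an n-ancestor (the predicate of Figure 7). -/
def Q (n : Nat) : Prop := ∀ x : Person, ∃ y : Person, y = A n x

theorem everybody_has_ancestors
    -- H1: everybody has a father
    (H1 : ∀ x : Person, ∃ y : Person, y = F x)
    -- H2: everybody is its own 0-ancestor
    (H2 : ∀ x : Person, x = A 0 x)
    -- H3: the (n+1)-ancestor is the father of the n-ancestor
    (H3 : ∀ (n : Nat) (x : Person), F (A n x) = A (n + 1) x) :
    ∀ n : Nat, Q A n := by
  intro n
  induction n with
  | zero =>
    -- base case Q(0), the tree B: the witness is x itself, by H2 (∀E(x := x), ∃I, ∀I)
    intro x
    exact ⟨x, H2 x⟩
  | succ m hrec =>
    -- step Q(m) ⇒ Q(S(m)), the tree T; hrec is the hypothesis [hrec] of the figure
    intro x
    have ⟨y, e1⟩ := hrec x      -- ∃E[e1]: y is the m-ancestor of x, e1 : y = A m x
    have ⟨y', e2⟩ := H1 y       -- ∃E[e2]: y' is the father of y, e2 : y' = F y
    -- the equational reasoning D: y' = F y = F (A m x) = A (m + 1) x, then ∃I
    exact ⟨y', by rw [e2, e1]; exact H3 m x⟩

end Ancestors
```

The correspondence is close enough that the remarks of the text about T carry over: the witness y obtained from `hrec x` is local to the `succ` case, exactly as e1 is discharged by the outer ∃E of T, and the hypotheses that remain active at the end are H1 and H3 only.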
In Figure 7 we can see the manner in which we compose proofs: for example the tree T can be proved separately, and then plugged into the overall proof. But we have to pay attention to the hypotheses that remain active at the end of the proof T. Other interesting points are the way we unfold definitions, and the use of equational reasoning.

Fig. 7. Example “Everybody has n-ancestors” (definition unfoldings, drawn with dotted lines in the original, are labelled Q def and H_i def)

Let us note Q(n) ≝ ∀x ∃y y = A(n, x), H_1 ≝ ∀x ∃y y = F(x), H_2 ≝ ∀x x = A(0, x), H_3 ≝ ∀n ∀x F(A(n, x)) = A(S(n), x).

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\mathcal{B} \qquad \mathcal{T}}{\forall n\; Q(n)}\ \text{nat-rec}}{\forall n\, \forall x\, \exists y\; y = A(n, x)}\ Q\ def}{H_3 \Rightarrow (\forall n\, \forall x\, \exists y\; y = A(n, x))}\ \Rightarrow I[3]}{H_2 \Rightarrow (H_3 \Rightarrow (\forall n\, \forall x\, \exists y\; y = A(n, x)))}\ \Rightarrow I[2]}{H_1 \Rightarrow (H_2 \Rightarrow (H_3 \Rightarrow (\forall n\, \forall x\, \exists y\; y = A(n, x))))}\ \Rightarrow I[1]$$

where the base case B is

$$\mathcal{B} = \dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\overset{[2]}{H_2}}{\forall x\; x = A(0, x)}\ H_2\ def}{x = A(0, x)}\ \forall E(x := x)}{\exists y\; y = A(0, x)}\ \exists I}{\forall x\, \exists y\; y = A(0, x)}\ \forall I}{Q(0)}\ Q\ def$$

the tree T is

$$\mathcal{T} = \dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\mathcal{T}_1 \qquad \mathcal{T}_2}{\exists y\; y = A(S(m), x)}\ \exists E[e_1]}{\forall x\, \exists y\; y = A(S(m), x)}\ \forall I}{Q(S(m))}\ Q\ def}{Q(m) \Rightarrow Q(S(m))}\ \Rightarrow I[hrec]}{\forall m\; Q(m) \Rightarrow Q(S(m))}\ \forall I$$

with

$$\mathcal{T}_1 = \dfrac{\dfrac{\overset{[hrec]}{Q(m)}}{\forall x\, \exists y\; y = A(m, x)}\ Q\ def}{\exists y\; y = A(m, x)}\ \forall E(x := x)$$

$$\mathcal{T}_2 = \dfrac{\dfrac{\dfrac{\overset{[1]}{H_1}}{\forall x\, \exists y\; y = F(x)}\ H_1\ def}{\exists y'\; y' = F(y)}\ \forall E(x := y) \qquad \dfrac{\dfrac{\overset{[e_1]}{y = A(m, x)} \qquad \overset{[e_2]}{y' = F(y)} \qquad \overset{[3]}{H_3}}{y' = A(S(m), x)}\ \mathcal{D}}{\exists y\; y = A(S(m), x)}\ \exists I}{\exists y\; y = A(S(m), x)}\ \exists E[e_2]$$

and D is the equational reasoning

$$\mathcal{D}:\quad \begin{array}{ll}
y' & \\
= & \{\text{hypothesis } e_2\} \\
F(y) & \\
= & \{\text{hypothesis } e_1\} \\
F(A(m, x)) & \\
= & \{H_3 \text{ by hypothesis } 3, \text{ with } \forall E(n := m) \text{ and } \forall E(x := x)\} \\
A(S(m), x) &
\end{array}$$

4 Discussion

4.1 Benefits of GPND

We already mentioned that GPND proof-trees reflect usual reasoning much better than the truth-table approach. This is especially clear on implication. The fact that the rules for ⇒ and for ∧ look completely different is a chance, as it helps beginners not to confuse these two connectors.

A very interesting point, from a pedagogical perspective, is that proof-trees allow us to point out errors with accuracy. It occurs quite often that some student comes with rough and obscure ideas and still believes that his argument is good. It is much more difficult to show him where his mistakes are on informal or semi-formal writings than on proof-trees. If a rule is wrongly applied, we can first say “this does not conform to the rules on which we agreed” and may add: “if your rule was right, you would get this or that undesired consequence”. This turns out quite convincing with all kinds of students. Here are some typical errors that can be pointed out in GPND proof style:
– Incorrect use of a deduction rule (especially ∨E).
– Violation of the scope of an hypothesis (for instance, a hypothesis available in a branch of a case analysis is used in the other branch).
– Violation of the side condition of ∃E or ∀I, using a “convenient” choice for ∃x or ∀x instead of a fresh variable.
– Exploiting an implication, or a rule, without proving its premises.
Such errors correspond to typical wrong reasoning written informally.

Another benefit is that GPND enforces a precise understanding of the distinction between available and discharged hypotheses. This is particularly important for a rigorous treatment of quantifiers and of inductions, especially when they are nested. It is sometimes crucial, when proving a property of the form ∀n ∀m P(n, m) by induction on n, that the inductive property ∀m P(n, m) remains universally quantified, because the m we need for S(n) may come from a different value in the induction hypothesis. A well-known example, among others, is the proof of strong induction using basic induction on the property ∀m m ≤ n ⇒ P(m).

Let us now mention a number of issues showing the relevance of the GPND approach to computer science, including formal methods.

Case analysis.
The elimination rule for ∨ states exactly how a disjunctive piece of information can be exploited. This is clearly related to algorithmic constructs such as if … then … else …, case … of …, switch …

Tree-like data structures.
Trees are a ubiquitous concept in computer science. Their handling is intuitive. Here is an opportunity to introduce and manipulate them at an abstract level, without reference to an implementation.
Modularity.
Even middle-size proofs cannot be displayed using a monolithic proof-tree on a single sheet of paper. Structuring a proof in sub-trees with a clear interface allows one to handle this issue. Here, the interface is defined by the set of hypotheses and the conclusion.
Problem solving.
Faced with proving a goal from given hypotheses, many steps can be carried out just by examining the form of the formulas at hand. If the conclusion is among the hypotheses, we are done. Else, if the conclusion is not atomic, it can be decomposed along a divide-and-conquer approach, using an introduction rule. However, some of them (∨I1, ∨I2 and ∃I) are dangerous as they may lead into a dead end. We warn the students to postpone as far as possible the use of these rules. These are the places where thinking about the contents of hypotheses and creativity are needed. This method can be carried out in parallel on the corresponding informal reasoning.

Variables and scope.
It is clear that the notions of free and bound variables with their scopes are developed when introducing the syntax of first-order formulas. Admittedly, this comes from formal logic, not specifically GPND. Looking at programming languages, logic variables are closer to the concept found in the functional paradigm than in the imperative paradigm. What is more specific to GPND is that scopes are also related to hypotheses, more exactly names of hypotheses: the scope of an hypothesis is the largest sub-tree where it is available (still not discharged). One can even speak about local and global hypotheses. Scopes are then discussed already in the framework of propositional logic.
Rule-based formalisms.
Many formalisms used in computer science have a rule-based presentation: typing systems, operational semantics, etc. Studying GPND is then good training in preparation for more advanced courses.
Introduction to proof assistants.
In the area of formal methods and software verification, well-recognized proof assistants such as Coq [12, 1] and Isabelle/HOL [9] are available and commonly used. Their theoretical foundations are logic systems quite close to GPND.
4.2 Pedagogical Issues

A number of pedagogical issues have to be taken into account in order to make GPND an efficient tool for teaching.

We already mentioned that proof-trees allow us to point out mistakes with accuracy. To this effect, we insist that justifications (labels used in deduction steps) are mandatory: often students suffer from a lack of precise ideas on what they are really doing, or at least from a poor ability to communicate their arguments. In this spirit we tend to demand more than what is generally given in textbooks. For instance, the elimination rule for ∀ makes explicit the term t to be substituted for the quantified variable x: ∀E(x := t).

There is a pedagogical issue with implication: in GPND, it is impossible to get a theorem without using ⇒I (at least for intuitionistic logic; but it is clear that PEM cannot be exploited without hypothesis management either, except if the conclusion is just an instance of A ∨ ¬A: for example, all theorems of the form ¬P ∨ Q, where Q can be deduced from P, are proved by case analysis on P ∨ ¬P, i.e. using ∨E). Hence we have to consider hypothesis management very early. As explained in Section 3.1, we fix this issue by temporarily considering fake rules such as tri and dli. A drawback is that some students tend to think that any rule is good, provided it looks plausible. So we have to insist heavily, from the beginning, that tri and so on should be forgotten and that the right rules are coming. A complementary approach is to work on deductions under hypotheses with simple rules such as ⇒E, ∀E and the rules for ∧. In fact we let students discover these rules in the first exercise session.

We already mentioned some wrong attempts about ∨E and ∃E, respectively in Sections 3.2 and 3.3. How to deal with space-consuming proofs was considered from the beginning (Section 3.1), through modularity, and using a special notation for equational reasoning (see Section 3.5).
Natural deduction can be presented in terms of sequents Γ ⊢ C , where Γ isa multiset of formulas and C a formula, whose intuitive meaning is “given theconjunction of hypotheses in Γ , the conclusion C holds”. Rules have severalsequents as premises and a sequent A formula A is a theorem if the sequent ⊢ A can be derived. A proof tree is a tree labelled as follows: leaves are labelledby axioms, i.e. sequents Γ ⊢ C where C ∈ Γ . Although this approach maybe prefered for the meta-theoretical study of natural deduction [5], it puts theemphasis more on provability than on proofs.Note that, from a pedagogical perspective, the sequent based presentation iscloser to inference systems used for typing or structured operational semantics.But it is a bit far from the objectives of an introductory course to logic. Moreover,once somebody is familiar with a deduction system, it is reasonnable to expectthat she or he can easily move to another presentation of it or to another inferencesystem. This course was given to an audience of 150 to 200 students per year, withthe following rythm: one lecture (1h30) and one exercise class (1h30) per week,during 11 weeks. About 3 weeks are needed for discovering proof-trees, the 3 firstpropositionnal connectors; then another 3 weeks for quantifiers and negation;the next 3 weeks are devoted to set-theoretic notions ans the last 2 weeks toinduction.The course got a good ranking from the students, which is quite satisfactorysince most of the material is new for them. It turns out that they like to play withtrees. However, our main goal in introducing formal proofs as a first year coursewas to improve the ability of students in reasoning beyond the formal frameworkof GPND, that is detecting wrong deduction and convincing proof in naturallanguage. We brought students from approximate reasoning in natural languageto formal proofs, and we expected them to do the opposite by themselves. Afterfour years we had to admit that we partially failed. 
Indeed, some students werestill handicapped when asked to prove a statements in natural language whereasthey were perfectly able to build the proof tree in GPND style. This observationbrought us to the conclusion that we need more time transferring the lessonslearned in GPND back to the free reasoning. This includes proof guidelines: how to decompose a statement to proof into subgoals, how to find the hypothesisand what should finally be proved and how a proof tree can be told as anargumentative discourse. On this last point we plan to extend the teaching witha project – in collaboration with a course on functional programming – thatconsists in a systematic translation of a GPND proof tree into a reasoning innatural language.We are anyway convinced that working on proof-trees help students to get amore structured mind. In order to strengthen the work done so far, connectionshave to be established with other courses given in second year on logic, automataand languages, proofs and algorithmics. Students happen to ask for buildingproof-trees 2 or 3 years later. When one of them is stuck at the beginning ofa proof, suggesting her or him to start a proof-tree turns out quite helpful. Onthe teaching side, colleagues have to be convinced that our approach is goodand can be reused to some extent. We are confident that progress will be donein this direction, because our teaching team became quite enthusiastic, thoughmost teachers discovered natural deduction in this course. We advocated that GPND is the good way to introduce logic to beginners, atleast for students in computer science. Everybody gets a chance to better un-derstand what is a reasoning and to improve her or his reasoning abilities. Whatabout other scholars ? It is often advocated that computer science should betaught much earlier in the curriculum, notably in the highschool. Computerscientists should contribute to this chapter of mathematics. In particular, proof-trees are simple to understand and funny. 
They require no mathematical back-ground. We think that they could be introduced at the highschool, at least forpropositional logic, thus helping scholars in their scientific activities.Let us finish with some perspectives. We limited ourselves to a pencil and pa-per approach, mainly because we didn’t have enough time slots to do otherwise.We plan to use a proof assistant in a next version of the course. However, wewill have to take care of the danger of button-pushing: existing proof assistantsare good at helping the user to find proofs and to automatize tedious tasks.Hoawever we want here the user to be aware of the elementary deduction steps.In a pedagogical use, a proof-assistant should just be used as a proof checker.
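The sequent presentation given above (leaves are axioms Γ ⊢ C with C ∈ Γ, rules combine sequents) and the closing remark that a proof assistant should, pedagogically, act as a mere proof checker can be made concrete with a small program. The following Python checker is an added example; it is not code from the paper or its authors, and the rule set it implements (ax, ⇒I, ⇒E, ∧I, ∧E1/∧E2, ∨I1/∨I2, ∨E and PEM, with ¬A encoded as A ⇒ ⊥) as well as the formulas it checks are our own choices. In the spirit of the paper it insists that every step carries a justification label, and when a step is wrong it reports the path to the faulty node rather than just rejecting the tree. The second function carries out the case analysis on P ∨ ¬P described in the footnote on PEM, and the third shows a plausible-looking but wrong ⇒E step being located.

```python
# Added example (not from the paper): a minimal proof checker for propositional natural
# deduction in sequent form Γ ⊢ C; every node carries a mandatory justification label.
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Bot: pass                           # ⊥ ; ¬A is encoded as A ⇒ ⊥
@dataclass(frozen=True)
class Imp: a: "Formula"; b: "Formula"
@dataclass(frozen=True)
class And: a: "Formula"; b: "Formula"
@dataclass(frozen=True)
class Or: a: "Formula"; b: "Formula"
Formula = Union[Var, Bot, Imp, And, Or]
Sequent = Tuple[FrozenSet[Formula], Formula]   # (Γ, C): hypotheses, conclusion

def Not(a): return Imp(a, Bot())
def seq(hyps, concl) -> Sequent: return (frozenset(hyps), concl)

@dataclass(frozen=True)
class Proof:
    rule: str                          # justification label (mandatory)
    concl: Sequent                     # the sequent this node claims
    premises: Tuple["Proof", ...] = ()
class ProofError(Exception):
    def __init__(self, path, msg):
        super().__init__(f"node {path}: {msg}")
        self.path = path               # child indices from the root to the bad node

def check(p: Proof, path=()) -> Sequent:
    gamma, c = p.concl
    prem = [check(q, path + (i,)) for i, q in enumerate(p.premises)]   # children first
    n = len(prem)
    def fail(msg): raise ProofError(path, f"{p.rule}: {msg}")
    def hyps_ok(h, discharged=frozenset()):
        # a premise may only use Γ plus the hypotheses this rule discharges (weakening allowed)
        if not h <= gamma | discharged: fail("premise uses an unavailable hypothesis")
    if p.rule == "ax":
        if n != 0 or c not in gamma: fail("conclusion is not a hypothesis")
    elif p.rule == "⇒I":                              # Γ,A ⊢ B  /  Γ ⊢ A ⇒ B
        if n != 1 or not isinstance(c, Imp): fail("one premise, implication conclusion")
        hyps_ok(prem[0][0], {c.a})
        if prem[0][1] != c.b: fail("premise must conclude the consequent")
    elif p.rule == "⇒E":                              # Γ ⊢ A ⇒ B, Γ ⊢ A  /  Γ ⊢ B
        if n != 2: fail("needs a major and a minor premise")
        (h1, f1), (h2, f2) = prem
        hyps_ok(h1); hyps_ok(h2)
        if not (isinstance(f1, Imp) and f1.a == f2 and f1.b == c):
            fail("minor premise does not match the antecedent of the major one")
    elif p.rule == "∧I":
        if n != 2 or not isinstance(c, And): fail("two premises, conjunction conclusion")
        hyps_ok(prem[0][0]); hyps_ok(prem[1][0])
        if (prem[0][1], prem[1][1]) != (c.a, c.b): fail("components do not match")
    elif p.rule in ("∧E1", "∧E2"):
        if n != 1 or not isinstance(prem[0][1], And): fail("premise must be a conjunction")
        hyps_ok(prem[0][0])
        if c != (prem[0][1].a if p.rule == "∧E1" else prem[0][1].b): fail("wrong component")
    elif p.rule in ("∨I1", "∨I2"):
        if n != 1 or not isinstance(c, Or): fail("one premise, disjunction conclusion")
        hyps_ok(prem[0][0])
        if prem[0][1] != (c.a if p.rule == "∨I1" else c.b): fail("wrong disjunct")
    elif p.rule == "∨E":                # Γ ⊢ A ∨ B, Γ,A ⊢ C, Γ,B ⊢ C  /  Γ ⊢ C
        if n != 3 or not isinstance(prem[0][1], Or): fail("major premise must be a disjunction")
        (h0, d), (h1, c1), (h2, c2) = prem
        hyps_ok(h0); hyps_ok(h1, {d.a}); hyps_ok(h2, {d.b})
        if c1 != c or c2 != c: fail("both cases must conclude the goal")
    elif p.rule == "PEM":               # classical axiom A ∨ ¬A, no premise
        if n != 0 or not (isinstance(c, Or) and c.b == Not(c.a)): fail("not an instance of A ∨ ¬A")
    else:
        fail("unknown justification")   # plausible-looking fake rules are rejected here
    return p.concl

A, B, X, Y = Var("A"), Var("B"), Var("X"), Var("Y")

def proof_curry() -> Sequent:           # ⊢ A ⇒ (B ⇒ A ∧ B): two nested ⇒I discharges
    ab = And(A, B)
    return check(Proof("⇒I", seq([], Imp(A, Imp(B, ab))), (
        Proof("⇒I", seq([A], Imp(B, ab)), (
            Proof("∧I", seq([A, B], ab), (
                Proof("ax", seq([A, B], A)), Proof("ax", seq([A, B], B)))),)),)))

def proof_case_analysis() -> Sequent:   # ⊢ ¬P ∨ Q with P = X ∧ Y, Q = X, by ∨E on P ∨ ¬P
    P, Q = And(X, Y), X
    goal = Or(Not(P), Q)
    return check(Proof("∨E", seq([], goal), (
        Proof("PEM", seq([], Or(P, Not(P)))),
        Proof("∨I2", seq([P], goal), (Proof("∧E1", seq([P], Q), (Proof("ax", seq([P], P)),)),)),
        Proof("∨I1", seq([Not(P)], goal), (Proof("ax", seq([Not(P)], Not(P))),)))))

def locate_mistake():                   # a plausible but wrong ⇒E (minor premise B, antecedent A)
    hyps = [Imp(A, B), B]
    bad = Proof("⇒E", seq(hyps, B), (Proof("ax", seq(hyps, Imp(A, B))), Proof("ax", seq(hyps, B))))
    try:
        check(Proof("⇒I", seq([Imp(A, B)], Imp(B, B)), (bad,)))
    except ProofError as e:
        return e.path                  # (0,): the first child of the root is the faulty node
    return None
```

Hypothesis sets are compared by inclusion rather than equality, so a premise proved under fewer hypotheses is accepted (weakening is built in); a student's tree is rejected only when a step really uses something it is not entitled to, or when the justification label does not name a rule of the system, which is exactly what happens to the fake rules such as tri and dli once the real ⇒I is known.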
References
1. Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer Verlag, 2004.
2. N. De Bruijn. Automath, a language for mathematics. In Automation and Reasoning, vol 2, Classical papers on computational logic 1967-1970. Springer Verlag, 1983. From a technical report, Eindhoven, 1968.
3. Haskell B. Curry and Robert Feys. Combinatory Logic, volume I. North-Holland Publishing Company, Amsterdam, third printing edition, 1974.
4. G. Dowek, T. Hardin, and C. Kirchner. Theorem proving modulo. Journal of Automated Reasoning, 31:2003, 1998.
5. J. Gallier. Constructive logics: Part I: a tutorial on proof systems and typed λ-calculi. Theor. Comput. Sci., 110(2):249–339, 1993.
6. Gerhard Gentzen. Investigations into logical deductions. In M. E. Szabo, editor, The collected papers of Gerhard Gentzen, pages 68–131. North Holland, 1935.
7. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types, volume 7 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989.
8. W. A. Howard. The Formulae-As-Types Notion Of Construction. In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 479–490. Academic Press, Inc., New York, N.Y., 1980.
9. Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002.
10. Dag Prawitz. Natural Deduction. A Proof-Theoretical Study, volume 3 of Stockholm Studies in Philosophy. Almqvist & Wiksell, Stockholm, 1965.
11. Peter Schroeder-Heister. Validity concepts in proof-theoretic semantics. Synthese, 148(3):525–571, February 2006.
12. The Coq Development Team.