Mathematics for Computer Scientists (G51MCS)

Lecture notes

Autumn 2005

Thorsten Altenkirch

October 26 2005

Contents

1

1 Types and sets

What is a set Wikipedia 1 says

Informally a set is just a collection of objects considered as a whole

And what is a type Wikipedia offers different definitions for different subjectareas but if we look up datatype in Computer Science we learn

In computer science a datatype (often simply type) is a name orlabel for a set of values and some operations which can be performedon that set of values

Here the meaning of type refers back to the meaning of sets but it is hardto see a substantial difference We may conclude that what is called a set inMathematics is called a type in Computer Science

Here we will adopt the computer science terminology and use the term typeBut remember to translate this to set when talking to a Mathematician

There is a good reason for this choice I am going to use the type system ofthe programming language Haskell to illustrate many important constructionson types and to implement mathematical constructions on a computer Pleasenote that this course is not an introduction to Haskell this is done in the 2ndsemester in G51FUN If you want to find out more about Haskell now I referto Graham Huttonrsquos excellent forthcoming book whose first seven chapters areavailable from his web page 2 The book is going to be published soon and isthe course text for G51FUN Another good source for information about Haskellis the Haskell home page 3

While we are going to use Haskell to illustrate mathematical concepts Haskell isalso a very useful language for lots of other things from designing user interfacesto controlling robots

11 Examples of types

I am sure there are some types you already know since primary school Eg thetype Nat of natural numbers which are the numbers we use for counting InComputer Science we include the 0 to allow for the case that there is nothingto count We can start enumerating the elements of Nat

Nat = 0 1 2 3 4 5 We follow the mathematical tradition to use curly brackets when enumeratingthe elements of a type Clearly this is not a precise definition because wehave used to indicate that we can go on forever We will fix this laterMost Mathematics books will use N for Nat but in Computer Science we preferusing names made up from several letters (because we can type them in onthe keyboard) while the mathematicians like single letters but use differentalphabets (thatrsquos the reason that they use so many Greek symbols)

1httpenwikipediaorg is a free online user extensible encyclopedia2httpwwwcsnottacuk˜gmhbookhtml3httpwwwhaskellorg

2

1 Types and sets

What is a set Wikipedia 1 says

Informally a set is just a collection of objects considered as a whole

And what is a type Wikipedia offers different definitions for different subjectareas but if we look up datatype in Computer Science we learn

In computer science a datatype (often simply type) is a name orlabel for a set of values and some operations which can be performedon that set of values

Here the meaning of type refers back to the meaning of sets but it is hardto see a substantial difference We may conclude that what is called a set inMathematics is called a type in Computer Science

Here we will adopt the computer science terminology and use the term typeBut remember to translate this to set when talking to a Mathematician

There is a good reason for this choice I am going to use the type system ofthe programming language Haskell to illustrate many important constructionson types and to implement mathematical constructions on a computer Pleasenote that this course is not an introduction to Haskell this is done in the 2ndsemester in G51FUN If you want to find out more about Haskell now I referto Graham Huttonrsquos excellent forthcoming book whose first seven chapters areavailable from his web page 2 The book is going to be published soon and isthe course text for G51FUN Another good source for information about Haskellis the Haskell home page 3

While we are going to use Haskell to illustrate mathematical concepts Haskell isalso a very useful language for lots of other things from designing user interfacesto controlling robots

11 Examples of types

I am sure there are some types you already know since primary school Eg thetype Nat of natural numbers which are the numbers we use for counting InComputer Science we include the 0 to allow for the case that there is nothingto count We can start enumerating the elements of Nat

Nat = 0 1 2 3 4 5 We follow the mathematical tradition to use curly brackets when enumeratingthe elements of a type Clearly this is not a precise definition because wehave used to indicate that we can go on forever We will fix this laterMost Mathematics books will use N for Nat but in Computer Science we preferusing names made up from several letters (because we can type them in onthe keyboard) while the mathematicians like single letters but use differentalphabets (thatrsquos the reason that they use so many Greek symbols)

1httpenwikipediaorg is a free online user extensible encyclopedia2httpwwwcsnottacuk˜gmhbookhtml3httpwwwhaskellorg

2

We write 2 isin Nat to express that 2 is an element of Nat we may also saythat 2 has type Nat 4

If you have a bank account or a credit card you will also know the type ofintegers Int which extends Nat by negative numbers - in Maths one writes ZUsing the suggestive again we write

Int = minus2minus1 0 1 2 Other types of numbers are the rational numbers Rat (Q) which is the typeof fractions (eg 2 3 isin Rat) the type of real numbers Real (R) (egradic

2 isin Real and π isin Real) and the type of complex numbers Compl (C)(eg

radicminus1 isin Compl) 5 While the latter two (RealCompl) are a central

topic in Mathematics they are less essential in Theoretical Computer Sciencebut relevant in many application areas

We say a type is finite if we can enumerate it without using ldquo rdquo An impor-tant finite type is the type Bool of booleans or truth values

Bool = TrueFalse

We can define new finite types by using a collection of names different fromeach other (these are called constructors) To define a type of basic colours inHaskell 6 we would write

data Colour = Red | Green | Yellow

We can enumerate Colour

Colour = RedGreenYellowIn an an enumeration the order doesnrsquot matter eg the following are alternativeenumerations of Colour

Colour = GreenYellowRedColour = YellowRedGreen

we may also repeat elements

Colour = RedGreenYellowRedbut we usually try to avoid this You may have already noticed that we usecapitalized words for names (of types or constructors) mdash this is a Haskell con-vention We shall use names starting with small letters for variables

There is also the extreme case of a finite type the empty type empty which has noelements It is easy to enumerate empty

empty = 4In Haskell we type instead of isin I am using lhs2Tex and latex to pretty-print Haskell

programs5As most programming languages Haskell isnrsquot very good with numbers There is no prede-

fined Nat and the type Int actually stands for 32 bit integers however there is a type Integerof integers of arbitrary size (if you have got enough memory) The standard prelude doesnrsquotdefine RatReal or Compl but Float and Double which are actually an approximation ofRat However there are standard libraries for rational numbers (introducing a type Rational)and complex numbers (featuring the types Complex Float and Complex Double)

6Actual Haskell code is displayed in a framed box On the course page you find a linknoteshs which contains all the Haskell code from these notes

3

12 Making new types from old

We can construct a new type by combining information eg a card in a cardgame may be described by combining itrsquos face and itrsquos suit Eg we define

data Suit = Diamonds | Hearts | Spades | Clubsdata Face = Two | Three | Four | Five | Six | Seven | Eight | Nine | Ten

| Jack | Queen | King | Ace

and now we say that a card is a pair (face suit) (also called tuple) with face isinFace and suit isin Suit we write

type Card = Suittimes Face

We can enumerate Card

Card = (Diamonds Two) (Diamonds Three) (Diamonds Four) (Diamonds Five)(Diamonds Six) (Diamonds Seven) (Diamonds Eight) (Diamonds Nine)(Diamonds Ten) (Diamonds Jack) (Diamonds Queen) (Diamonds King)(Diamonds Ace) (Hearts Two) (Hearts Three) (Hearts Four) (Hearts Five)(Hearts Six) (Hearts Seven) (Hearts Eight) (Hearts Nine) (Hearts Ten)(Hearts Jack) (Hearts Queen) (Hearts King) (Hearts Ace) (Spades Two)(Spades Three) (Spades Four) (Spades Five) (Spades Six) (Spades Seven)(Spades Eight) (Spades Nine) (Spades Ten) (Spades Jack) (Spades Queen)(Spades King) (Spades Ace) (Clubs Two) (Clubs Three) (Clubs Four)(Clubs Five) (Clubs Six) (Clubs Seven) (Clubs Eight) (Clubs Nine)(Clubs Ten) (Clubs Jack) (Clubs Queen) (Clubs King) (Clubs Ace)

We call Face times Suit the cartesian product of Face and Suit Pairs are or-dered eg (QueenDiamonds) is not the same as (DiamondsQueen) Indeedthey have different types (QueenDiamonds) isin FacetimesSuit while (DiamondsQueen) isinSuittimesFace But even if the types are the same as in BooltimesBool we make adifference between (TrueFalse) and (FalseTrue)

Have you noticed If a is a finite type with n elements and b is a finite typewith m elements how many elements does (a b) (or a times b) have Precisely

Is there also + for types Yes there is and indeed we write a +b where a and bstand for types not numbers An element of a + b is either Left x where x isin aor Right y where y isin b This can be defined by

data a + b = Left a | Right b

Here LeftRight are parametrized constructors a and b are type variables Thisoperation is called the disjoint union and is often written as ]

As an example for the use of middot+ middot imagine there is shop which sells socks whichare either small medium or large and ties which are striped or plain We define

data Sock = Small | Medium | Largedata Tie = Striped | Plain

Then the type of articles is

type Article = Sock + Tie

4

We can enumerate Article

Article = Left SmallLeft MediumLeft LargeRight StripedRight Plain

Given types a and b we write a rarr b for the type of functions which assign anelement of b to every element of a We call a the domain and b the codomainor range of the function A simple example of a function is isRed which returnsTrue if its input is Red and False otherwise

isRed isin Colour rarr BoolisRed Red = TrueisRed Green = FalseisRed Yellow = False

To use a function we apply it to an element of the domain eg we just writeisRed Green that is we are not using extra parentheses as it is common inMathematics

We may view a function as a machine which we feed elements of the domain andwhich spits out elements of the codomain Our view of functions is extensionalie we are not allowed to look into the machine to see how it produces itsanswer While I amusing the idea of a machine donrsquot forget that a function isa methematical object like a number it is independent of space and time theoutput of a function only depends on its input Unlike procedures or methodsin imperative languages like Java or Basic functions donrsquot have a state

- -isRed BoolColour

What is the type of a function with two arguments eg + in arithmetic Onepossibility is to say that the domain of + are pairs of numbers ie that ithas the type (+) isin (NatNat) rarr Nat 7 However an alternative which isadopted in Haskell is to use the curried 8 form of the function ie (+) isinNat rarr (Nat rarr Nat) that is (+) applied to one argument eg 5 returns afunction (+) 5 Nat rarr Nat mdash the function which adds 5 to its argument Wecan apply this function to another number eg ((+) 5) 3 which returns 8 Tosave parentheses we adopt the convention that rarr associates to the right thatis that Nat rarr Nat rarr Nat stands for Nat rarr (Nat rarr Nat) and that functionapplication associates to the left that is that (+) 5 3 stands for ((+) 5) 3 andfinally that since + is an infix operator that 5 + 3 stands for (+) 5 3

Here is a picture trying to illustrate this idea

(+)n isin Nat

m isin Nat

m + n isin Nat(+)n

7We write (+) because + is usually used in an infix position ie between its arguments8Curried functions are named after the logician Haskell Curry The programming language

Haskell is also named after him

5

I have drawn the 2nd box with a dashed frame because this box is actually theoutput of the first box Once we have understood that this is how functionswith seveal arguments are defined we can simplify the picture by just drawing

-

-

-n isin Nat

m isin Nat

(+) m + n isin Nat

To summarize the type of functions with two arguments one from type a andone from type b and with results in c can be either given as (a b) rarr c (uncurriedform) ar as a rarr b rarr c (curried form)

If a is a finite type with n elements and b is a finite type with m elements howmany elements does a rarr b have A good clue may come from the fact that inMathematics one often uses an exponential notation ba to denote funtion types

13 Functions on Bool

Haskellrsquos prelude 9 already defines a number of useful functions on Bool suchas and

(ampamp) isin Bool rarr Bool rarr BoolTrueampampb = bFalseampampb = False

How does this work If the first argument a of aampampb is True then the valueof aampampb is equal to the second argument If the first argument is False thenaampampb is False no matter what b is

A function on finite types can be characterized by its value table (also calledgraph) In the case of ampamp the value table is

a b aampampbFalse False FalseFalse True FalseTrue False FalseTrue True True

Looking at the value table we notice that ampamp is symmetric but our definitionwas asymmetric Indeed we could instead define ampamplowast

(ampamp1) isin Bool rarr Bool rarr Boolbampamp1True = bbampamp1False = False

The value table of ampamp19This is the standard library which is automatically preloaded Note that some of the

definitions in this section below are not included in the appendix because the functions arealready defined in the prelude

6

a b aampamp1bFalse False FalseFalse True FalseTrue False FalseTrue True True

is the same as the one of ampamp Since we cannot look into the definition of afunction because this is hidden in the black box to us ampamp and ampamp1 define thesame function

Here is the definition of or

(||) isin Bool rarr Bool rarr BoolTrue ||b = TrueFalse||b = b

and here its value tablea b a || b

False False FalseFalse True TrueTrue False TrueTrue True True

There is also an important function with one argument (unary function) not

not isin Bool rarr Boolnot True = Falsenot False = True

and its value tablea not a

False TrueTrue False

We can combine existing functions directly to define new ones An example isboolean equality

(equiv) isin Bool rarr Bool rarr Boola equiv b = aampampb | not aampampnot b

Note that Haskell uses different precedences for boolean operators not bindsmore than amp which binds more than || Hence Haskell (and we) read a ampb || not a amp not b as (a amp b) || ((not a) amp (not b)

It is straightforward to calculate equivrsquos value table

a b a equiv bFalse False TrueFalse True FalseTrue False FalseTrue True True

We have seen that equiv is a function which can be defined by combining otherfunctions Could we have done this with some other function eg || Yesconsider the following definition of ||1 using ampamp and not

7

(||1) isin Bool rarr Bool rarr Boola||1b = not ((not a)ampamp(not b))

Letrsquos draw the value table of ||1a b a ||1 b

False False FalseFalse True TrueTrue False TrueTrue True True

and indeed it is identical to the one of || and hence (||) = (||1)Similarily we can define ampamp using || and not

(ampamp2) isin Bool rarr Bool rarr Boolaampamp2b = not ((not a)||(not b))

These definitions are based on the so called de Morgan laws which say

not (aampampb) = (not a) || (not b)not (a || b) = (not a)ampamp(not b)

and the equation not (not a) = a

Frequently we want to analyze a boolean value somewhere in the middle ofa function definition and calculate different results depending on whether theboolean is True or False For this purpose we can define

ite isin Bool rarr a rarr a rarr aite True t e = tite False t e = e

ite stands for if-then-else Note that the type of ite is polymorphic ie it worksfor any type replacing the type variable a

Since ite is used so often there is a special syntax for it

if c then t else e = ite c t e

As an example we could have defined amp using if-then-else

(ampamp3) isin Bool rarr Bool rarr Boolbampamp3c = if b then c else False

8

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

We can enumerate Article

Article = Left SmallLeft MediumLeft LargeRight StripedRight Plain

Given types a and b we write a rarr b for the type of functions which assign anelement of b to every element of a We call a the domain and b the codomainor range of the function A simple example of a function is isRed which returnsTrue if its input is Red and False otherwise

isRed isin Colour rarr BoolisRed Red = TrueisRed Green = FalseisRed Yellow = False

To use a function we apply it to an element of the domain eg we just writeisRed Green that is we are not using extra parentheses as it is common inMathematics

We may view a function as a machine which we feed elements of the domain andwhich spits out elements of the codomain Our view of functions is extensionalie we are not allowed to look into the machine to see how it produces itsanswer While I amusing the idea of a machine donrsquot forget that a function isa methematical object like a number it is independent of space and time theoutput of a function only depends on its input Unlike procedures or methodsin imperative languages like Java or Basic functions donrsquot have a state

- -isRed BoolColour

What is the type of a function with two arguments eg + in arithmetic Onepossibility is to say that the domain of + are pairs of numbers ie that ithas the type (+) isin (NatNat) rarr Nat 7 However an alternative which isadopted in Haskell is to use the curried 8 form of the function ie (+) isinNat rarr (Nat rarr Nat) that is (+) applied to one argument eg 5 returns afunction (+) 5 Nat rarr Nat mdash the function which adds 5 to its argument Wecan apply this function to another number eg ((+) 5) 3 which returns 8 Tosave parentheses we adopt the convention that rarr associates to the right thatis that Nat rarr Nat rarr Nat stands for Nat rarr (Nat rarr Nat) and that functionapplication associates to the left that is that (+) 5 3 stands for ((+) 5) 3 andfinally that since + is an infix operator that 5 + 3 stands for (+) 5 3

Here is a picture trying to illustrate this idea

(+)n isin Nat

m isin Nat

m + n isin Nat(+)n

7We write (+) because + is usually used in an infix position ie between its arguments8Curried functions are named after the logician Haskell Curry The programming language

Haskell is also named after him

5

I have drawn the 2nd box with a dashed frame because this box is actually theoutput of the first box Once we have understood that this is how functionswith seveal arguments are defined we can simplify the picture by just drawing

-

-

-n isin Nat

m isin Nat

(+) m + n isin Nat

To summarize the type of functions with two arguments one from type a andone from type b and with results in c can be either given as (a b) rarr c (uncurriedform) ar as a rarr b rarr c (curried form)

If a is a finite type with n elements and b is a finite type with m elements howmany elements does a rarr b have A good clue may come from the fact that inMathematics one often uses an exponential notation ba to denote funtion types

13 Functions on Bool

Haskellrsquos prelude 9 already defines a number of useful functions on Bool suchas and

(ampamp) isin Bool rarr Bool rarr BoolTrueampampb = bFalseampampb = False

How does this work If the first argument a of aampampb is True then the valueof aampampb is equal to the second argument If the first argument is False thenaampampb is False no matter what b is

A function on finite types can be characterized by its value table (also calledgraph) In the case of ampamp the value table is

a b aampampbFalse False FalseFalse True FalseTrue False FalseTrue True True

Looking at the value table we notice that ampamp is symmetric but our definitionwas asymmetric Indeed we could instead define ampamplowast

(ampamp1) isin Bool rarr Bool rarr Boolbampamp1True = bbampamp1False = False

The value table of ampamp19This is the standard library which is automatically preloaded Note that some of the

definitions in this section below are not included in the appendix because the functions arealready defined in the prelude

6

a b aampamp1bFalse False FalseFalse True FalseTrue False FalseTrue True True

is the same as the one of ampamp Since we cannot look into the definition of afunction because this is hidden in the black box to us ampamp and ampamp1 define thesame function

Here is the definition of or

(||) isin Bool rarr Bool rarr BoolTrue ||b = TrueFalse||b = b

and here its value tablea b a || b

False False FalseFalse True TrueTrue False TrueTrue True True

There is also an important function with one argument (unary function) not

not isin Bool rarr Boolnot True = Falsenot False = True

and its value tablea not a

False TrueTrue False

We can combine existing functions directly to define new ones An example isboolean equality

(equiv) isin Bool rarr Bool rarr Boola equiv b = aampampb | not aampampnot b

Note that Haskell uses different precedences for boolean operators not bindsmore than amp which binds more than || Hence Haskell (and we) read a ampb || not a amp not b as (a amp b) || ((not a) amp (not b)

It is straightforward to calculate equivrsquos value table

a b a equiv bFalse False TrueFalse True FalseTrue False FalseTrue True True

We have seen that equiv is a function which can be defined by combining otherfunctions Could we have done this with some other function eg || Yesconsider the following definition of ||1 using ampamp and not

7

(||1) isin Bool rarr Bool rarr Boola||1b = not ((not a)ampamp(not b))

Letrsquos draw the value table of ||1a b a ||1 b

False False FalseFalse True TrueTrue False TrueTrue True True

and indeed it is identical to the one of || and hence (||) = (||1)Similarily we can define ampamp using || and not

(ampamp2) isin Bool rarr Bool rarr Boolaampamp2b = not ((not a)||(not b))

These definitions are based on the so called de Morgan laws which say

not (aampampb) = (not a) || (not b)not (a || b) = (not a)ampamp(not b)

and the equation not (not a) = a

Frequently we want to analyze a boolean value somewhere in the middle ofa function definition and calculate different results depending on whether theboolean is True or False For this purpose we can define

ite isin Bool rarr a rarr a rarr aite True t e = tite False t e = e

ite stands for if-then-else Note that the type of ite is polymorphic ie it worksfor any type replacing the type variable a

Since ite is used so often there is a special syntax for it

if c then t else e = ite c t e

As an example we could have defined amp using if-then-else

(ampamp3) isin Bool rarr Bool rarr Boolbampamp3c = if b then c else False

8

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

I have drawn the 2nd box with a dashed frame because this box is actually theoutput of the first box Once we have understood that this is how functionswith seveal arguments are defined we can simplify the picture by just drawing

-

-

-n isin Nat

m isin Nat

(+) m + n isin Nat

To summarize the type of functions with two arguments one from type a andone from type b and with results in c can be either given as (a b) rarr c (uncurriedform) ar as a rarr b rarr c (curried form)

If a is a finite type with n elements and b is a finite type with m elements howmany elements does a rarr b have A good clue may come from the fact that inMathematics one often uses an exponential notation ba to denote funtion types

13 Functions on Bool

Haskellrsquos prelude 9 already defines a number of useful functions on Bool suchas and

(ampamp) isin Bool rarr Bool rarr BoolTrueampampb = bFalseampampb = False

How does this work If the first argument a of aampampb is True then the valueof aampampb is equal to the second argument If the first argument is False thenaampampb is False no matter what b is

A function on finite types can be characterized by its value table (also calledgraph) In the case of ampamp the value table is

a b aampampbFalse False FalseFalse True FalseTrue False FalseTrue True True

Looking at the value table we notice that ampamp is symmetric but our definitionwas asymmetric Indeed we could instead define ampamplowast

(ampamp1) isin Bool rarr Bool rarr Boolbampamp1True = bbampamp1False = False

The value table of ampamp19This is the standard library which is automatically preloaded Note that some of the

definitions in this section below are not included in the appendix because the functions arealready defined in the prelude

6

a b aampamp1bFalse False FalseFalse True FalseTrue False FalseTrue True True

is the same as the one of ampamp Since we cannot look into the definition of afunction because this is hidden in the black box to us ampamp and ampamp1 define thesame function

Here is the definition of or

(||) isin Bool rarr Bool rarr BoolTrue ||b = TrueFalse||b = b

and here its value tablea b a || b

False False FalseFalse True TrueTrue False TrueTrue True True

There is also an important function with one argument (unary function) not

not isin Bool rarr Boolnot True = Falsenot False = True

and its value tablea not a

False TrueTrue False

We can combine existing functions directly to define new ones An example isboolean equality

(equiv) isin Bool rarr Bool rarr Boola equiv b = aampampb | not aampampnot b

Note that Haskell uses different precedences for boolean operators not bindsmore than amp which binds more than || Hence Haskell (and we) read a ampb || not a amp not b as (a amp b) || ((not a) amp (not b)

It is straightforward to calculate equivrsquos value table

a b a equiv bFalse False TrueFalse True FalseTrue False FalseTrue True True

We have seen that equiv is a function which can be defined by combining otherfunctions Could we have done this with some other function eg || Yesconsider the following definition of ||1 using ampamp and not

7

(||1) isin Bool rarr Bool rarr Boola||1b = not ((not a)ampamp(not b))

Letrsquos draw the value table of ||1a b a ||1 b

False False FalseFalse True TrueTrue False TrueTrue True True

and indeed it is identical to the one of || and hence (||) = (||1)Similarily we can define ampamp using || and not

(ampamp2) isin Bool rarr Bool rarr Boolaampamp2b = not ((not a)||(not b))

These definitions are based on the so called de Morgan laws which say

not (aampampb) = (not a) || (not b)not (a || b) = (not a)ampamp(not b)

and the equation not (not a) = a

Frequently we want to analyze a boolean value somewhere in the middle ofa function definition and calculate different results depending on whether theboolean is True or False For this purpose we can define

ite isin Bool rarr a rarr a rarr aite True t e = tite False t e = e

ite stands for if-then-else Note that the type of ite is polymorphic ie it worksfor any type replacing the type variable a

Since ite is used so often there is a special syntax for it

if c then t else e = ite c t e

As an example we could have defined amp using if-then-else

(ampamp3) isin Bool rarr Bool rarr Boolbampamp3c = if b then c else False

8

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

a b aampamp1bFalse False FalseFalse True FalseTrue False FalseTrue True True

is the same as the one of ampamp Since we cannot look into the definition of afunction because this is hidden in the black box to us ampamp and ampamp1 define thesame function

Here is the definition of or

(||) isin Bool rarr Bool rarr BoolTrue ||b = TrueFalse||b = b

and here its value tablea b a || b

False False FalseFalse True TrueTrue False TrueTrue True True

There is also an important function with one argument (unary function) not

not isin Bool rarr Boolnot True = Falsenot False = True

and its value tablea not a

False TrueTrue False

We can combine existing functions directly to define new ones An example isboolean equality

(equiv) isin Bool rarr Bool rarr Boola equiv b = aampampb | not aampampnot b

Note that Haskell uses different precedences for boolean operators not bindsmore than amp which binds more than || Hence Haskell (and we) read a ampb || not a amp not b as (a amp b) || ((not a) amp (not b)

It is straightforward to calculate equivrsquos value table

a b a equiv bFalse False TrueFalse True FalseTrue False FalseTrue True True

We have seen that equiv is a function which can be defined by combining otherfunctions Could we have done this with some other function eg || Yesconsider the following definition of ||1 using ampamp and not

7

(||1) isin Bool rarr Bool rarr Boola||1b = not ((not a)ampamp(not b))

Letrsquos draw the value table of ||1a b a ||1 b

False False FalseFalse True TrueTrue False TrueTrue True True

and indeed it is identical to the one of || and hence (||) = (||1)Similarily we can define ampamp using || and not

(ampamp2) isin Bool rarr Bool rarr Boolaampamp2b = not ((not a)||(not b))

These definitions are based on the so called de Morgan laws which say

not (aampampb) = (not a) || (not b)not (a || b) = (not a)ampamp(not b)

and the equation not (not a) = a

Frequently we want to analyze a boolean value somewhere in the middle ofa function definition and calculate different results depending on whether theboolean is True or False For this purpose we can define

ite isin Bool rarr a rarr a rarr aite True t e = tite False t e = e

ite stands for if-then-else Note that the type of ite is polymorphic ie it worksfor any type replacing the type variable a

Since ite is used so often there is a special syntax for it

if c then t else e = ite c t e

As an example we could have defined amp using if-then-else

(ampamp3) isin Bool rarr Bool rarr Boolbampamp3c = if b then c else False

8

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

(||1) isin Bool rarr Bool rarr Boola||1b = not ((not a)ampamp(not b))

Letrsquos draw the value table of ||1a b a ||1 b

False False FalseFalse True TrueTrue False TrueTrue True True

and indeed it is identical to the one of || and hence (||) = (||1)Similarily we can define ampamp using || and not

(ampamp2) isin Bool rarr Bool rarr Boolaampamp2b = not ((not a)||(not b))

These definitions are based on the so called de Morgan laws which say

not (aampampb) = (not a) || (not b)not (a || b) = (not a)ampamp(not b)

and the equation not (not a) = a

Frequently we want to analyze a boolean value somewhere in the middle ofa function definition and calculate different results depending on whether theboolean is True or False For this purpose we can define

ite isin Bool rarr a rarr a rarr aite True t e = tite False t e = e

ite stands for if-then-else Note that the type of ite is polymorphic ie it worksfor any type replacing the type variable a

Since ite is used so often there is a special syntax for it

if c then t else e = ite c t e

As an example we could have defined amp using if-then-else

(ampamp3) isin Bool rarr Bool rarr Boolbampamp3c = if b then c else False

8

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

2 Basic logic

When we are expressing properties of mathematical objects or programs andreason about them we use the language of logic We introduce here the symbolswhich can be given a precise meaning but explain them for the moment bytheir translation into English Later in the course we will be more precise andintroduce the rules of reasoning (called natural deduction) along with a computerprogram (called tutch) which can check that you have followed them

A proposition is a precise statement which may be proven (then we believe itto be true) or disproven (then we believe it to be false) We assume some basicpropositions as given eg if a bλin A we can say a = b meaning that a and bis equal Eg we know that 1 = 1 is true but 1 = 2 is false Indeed we acceptthis without further proof both judgements are abvious

There are propositions of which we donrsquot know wether they are true or falsesuch as the proposition that there are infinitely many twin primes that is pairsof prime numbers whose difference is 2 or in computer science whether thecomplexity classes P and NP are different (the P = NP question)

21 Propositional connectives

A logical connective is a means to construct new propositions from givenones We start with the basic propositional connectives given propositions Pand Q we can construct

bull P andQ stands for P and Q We accept P andQ to be true if we can showthat both P and Q are true

bull P orQ stands for P or Q We accept that P orQ to be true if we can showat least one of P and Q Note that different to some uses of the word orin everyday language or is non-exclusive eg 0 = 0 or 1 = 1 is true

bull P =rArr Q stands for If P then Q which we can also write as Q if P We accept P =rArr Q if we can show that Q is true from assuming that Pis true

We also introduce the propositional constants True for an obviously true propo-sition (such as 0 = 0) and False for an obviously false proposition (such as0 = 1) True and False are not really used in normal conversations but wemay translate True by fish can swim or another blatantly obvious statementand False by pigs can fly or another obviously false statement

We can define new propositional connectives from the basic ones introducedabove

bull notP stands for not P We define notP as P =rArr False Intuitively wecould say notP means that if you believe P then you also believe that pigscan fly

bull P lArrrArr Q stands for P if and only if Q We define P lArrrArr Qas (P =rArr Q) and (Q =rArr P ) lArrrArr introduces a notion of logical

9

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

equivalence and indeed if we know P lArrrArr Q we can always replace P byQ and vice versa

To avoid having to write lots of brackets we introduce some conventions

bull not binds stronger than and ie we read notP andQ as (notP ) andQ

bull andor bind stronger than =rArr lArrrArr ie we read P and Q =rArr R as(P andQ) =rArr R

bull =rArr associates to the right ie we read P =rArr Q =rArr R as P =rArr(Q =rArr R)

We could have introduced more conventions eg that and binds stronger than orbut refrain from doing this and instead disambiguate by using brackets

22 Tautologies and proof

A propositional scheme is a proposition containing propositional variableseg A =rArr A and A =rArr A and B are propositional scheme where AB standfor any proposition

A tautology is a propositional scheme which is always provable no matterhow we replace the variables by actual propositions Eg A =rArr A is atautology but A =rArr A and B isnrsquot We can see this by proving A =rArr Aif we assume A then we know A hence A =rArr A holds We can see thatA =rArr A and B is not a tautology by replacing A with True and B with Falsebut True =rArr TrueandFalse cannot be provable because we know True hencewe would know True and False but this is only true if False is which it isnrsquot(pigs canrsquot fly)

Here are some examples of propositional tautologies

1 False =rArr Athis could be called the principle of naivety if you believe that pigs canfly you believe everything

2 A andB =rArr Anote that the converse A =rArr A andB is not a tautology

3 A =rArr A orBagain note that the converse A orB =rArr A is not a tautology

4 (A =rArr B) =rArr (notB =rArr notA)Letrsquos prove this tautology using the explanation of the connectives givenabove

Proof To show (A =rArr B) =rArr (notB =rArr notA) letrsquos assumeA =rArr B (1) to show notB =rArr notA To show this we assume notB (2)(which just stands for B =rArr False) to show notA which stands forA =rArr False hence we also assume A (3) and it remains to show Falsefrom the assumptions (1)(2) and (3) Indeed because we know A (3) and

10

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

A =rArr B (1) we know B and now we use (2) B =rArr False to showFalse

We notice that pigs can fly given the appropriate assumptions

Many important tautologies have the form of logical equivalences

1 A andB lArrrArr B andAwe say that and is commutative The same holds for or

2 A and (B and C) lArrrArr (A andB) and Cwe say that and is associative The same holds for or Associativity allowsus to omit brackets when we nest the same operator ie we can readA andB and C as A and (B and C) or (A andB) and C mdash it desnrsquot matter

3 (A orB) and C lArrrArr (A and C) or (B and C)we say that or distributes over and We prove this tautology

Proof To show lArrrArr we have to show both directions

(A orB) and C =rArr (A and C) or (B and C) We assume (A or B) and C (1) andtry to show (AandC)or (B andC) From (1) we know (AorB) (2) andC (3) How could we have shown A orB There are two cases

by showing A (4) From (3) and (4) we know A and C and hence(A and C) or (B and C)

by showing B (4prime) From (3rsquo) and (4rsquo) we know B andC and hence(A and C) or (B and C)

Since in both cases we were able to show (A andC) or (B andC) we havefinished this part of the proof

(A and C) or (B and C) =rArr (A orB) and C We assume (A andC) or (B andC) (1)to show (A or B) and C How could we ve shown (1) There are twopossibilities

by showing A and C and (2) Hence we know A (3) and C (34 From(3) we can derive A or B and combining this with (4) we have(A orB) and C

by showing B and C (2prime) Hence we know B (3prime) and C (4prime)From (3rsquo) we can derive A or B and combining this with (4rsquo) wehave (A orB) and C

In either case we have shown (A orB) and C

23 Classical tautologies

Is A or notA a tautology Actually it depends Given the explanation of theconnectives given above to prove AornotA we need to prove either A or disproveit by establishing notA However there are propositions which we canrsquot prove ordisprove On the other hand we are unable to exhibit an instance of A or notAwhich will lead to a definitively false statement We may adopt the point ofview that even if we cannot prove a certain statement it is still either true and

11

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

false This point of view is accepted in classical logic which is accepted by mostmodern Mathematicians even though its philosophical foundations are ratherproblematic

We say a tautology is a classical tautology if it is provable from assumingthat A or notA the principle of the excluded middle holds An example isnotnotB =rArr B which can be proven as follows

Proof To show notnotB =rArr B we assume notnotB (1) to show B Using theprinciple of excluded middle we know BornotB That is there are two possibilities

B holds we are done

notB holds We note that (1) means notB =rArr False hence we can use it toshow False and since False implies anything we can show B

In either case we have shown B

However at least for propositional logic there is a very mechanical way to findout whether a propositional scheme is a classical tautology Since every proposi-tion is either True or False we can identify propositions with Bool and replacethe propositional connectives by the corresponding operations on Bool

Propositions Booland ampampor ||not notlArrrArr equiv=rArr implies

where we define implies as follows

implies isin Bool rarr Bool rarr Boolimplies False x = Trueimplies True x = x

To find out whether a propositional scheme is a classical tautology all we haveto do is to draw the value table of its translation as a function on Bool (calledits truth table) and check that it allways evaluates to True Eg to checkthat notnotA =rArr A is a tautology we just calculate

A notA notnotA notnotA =rArr AFalse True False TrueTrue False True True

Letrsquos verify that (A or B) and C lArrrArr (A and C) or (B and C) is indeed a classical

12

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

tautology

A B C A orB and C A and C orB and C A orB and C lArrrArr A and C orB and CFalse False False False False TrueFalse False True False False TrueFalse True False False False TrueFalse True True True True TrueTrue False False False False TrueTrue False True True True TrueTrue True False False False TrueTrue True True True True True

24 Predicate logic

So far we cannot say express any interesting propositions because we cannotmake use of variables To change this we will use predicate logic A predicateover a type expresses property of elements of this type An example is thepredicate Even over the natural numbers which expresses the property of anumber being even If n isin Nat then Even n is a proposition We writeEven isin Nat rarr Prop to say that Even is a predicate over the natural numbersPredicates can have more than one argument then they are also relations Anexample of a relation is 6 which is a relation over the natural numbers (actuallyalso for other number types) that is idf mn isin Nat then m 6 n is a propositionWe write (6) isin Nat rarr Nat rarr Prop An important relation which exists forall types is equality if (=) isin a rarr a rarr Prop where a is any type

Variables are introduced by quantifiers Let P be a proposition which containsa variable lets say x and assume as given a set A Then we can construct

bull forallx isin AP we say for all x in A P holds We accept forallx isin AP if we canshow P where x is replaced by any given element of a isin A (we write thisas P [x = a]) eg we accept forallx isin Boolx = True or x = False

bull existx isin AP we say there exists x in A such that P We accept existx isin APif we can show P where x is replaced by a specific element of A eg weaccept existx isin Boolx = True

The reading conventions for quantifiers are that they bind weaker than any ofthe propositional connectives eg we read

forallx isin AP lArrrArr Q

asforallx isin A(P lArrrArr Q)

It is instructive to illustrate the use of quantifiers by showing how Englishsentences can be translated into predicate logic Letrsquos assume that we havea type Party of names of people present at a party and a relation knows isinParty rarr Party rarr Prop where knows a b expresses that a knows b Here aresome examples

13

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

bull John knows Maryknows John Mary

bull Everybody knows somebody

forallx isin Partyexisty isin Partyknows x y

bull Somebody is known by everybody

existy isin Partyforallx isin Partyknows x y

Note that exchanging different quatifiers changes the meaning

bull Somebody knows everybody

existx isin Partyforally isin Partyknows x y

bull Everybody who Mary knows knows her

forallx isin Partyknows Mary x =rArr knows x Mary

bull There are at least two different people who know John

existx isin Partyexisty isin Partynot(x = y) and knows x John and knows y John

It is customary to combine quantifiers of the same sort and write x 6= yfor not(x = y) ie we may write

existx y isin Partyx 6= y and knows x John and knows y John

bull There is exactly one person who George knows

existx isin Partyknows George x and forally isin Partyknows George y =rArr x = y

We express exactly one by saying that everybody who George knows isthe same person

As for propositional logic we have tautologies which are propositions which areprovable for any predicate Given a type a and predicates P Q isin a rarr Propand a proposition P here are examples for tautologies

bull (forallx isin aP x andQ x ) lArrrArr (forally isin aP y) and (forallz isin aQ z ) Proof

We show both direction seperately

(forallx isin aP x andQ x ) =rArr (forally isin aP y) and (forallz isin aQ z ) We assume forallx isin AP xandQ x (1) To show (forally isin aP y) and (forallz isin aQ z ) we have to showboth forally isin aP y (2) and forallz isin aQ y (3) To show (2) we as-sume y isin a (4) we have to show P y Using (1) and (4) we knowP y andQ y and hence Q y The proof of (3) follows the same idea

(forally isin aP y) and (forallz isin aQ z ) =rArr forallx isin aP x andQ x We assume (forally isin aP y)and(forallz isin aQ z ) (1) to prove forallx isin aP x and Q x Having assumed (1)we know forally isin aP y (2) and forallz isin aP z (3) To show this weassume x isin a (4) to show P x we use (2) and (4) and to derie Q xwe use (3) and (4) hence we have shown P x andQ x

14

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

bull (existx isin aP x orQ x ) lArrrArr (existy isin aP y) or (existz isin aQ z )

bull (existx isin AP =rArr R) lArrrArr forallx isin AP =rArr R

Instead only proving generic tautologies we can now prove specific statementseg that not hasnrsquot got a fixpoint

forallx isin Boolnot x 6= x

Proof We have to show not x 6= x for any x isin Bool There are only twopossibilities

x = True We have that not True = False by definition of not and it is obviousthat True 6= False

x = False We have that not False = True by definition of not and it is obviousthat False 6= True

15

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

3 Bits of history

Georg Cantor a German mathematician was the first one to define the notionof a set (german Menge) in 1895

By a set we are to understand any collection into a whole of definiteand separate objects of our intuition or our thought

Another German Friedrich Ludwig Gottlob Frege (1848-1925) wanted to putmathematics on a firm foundation and for this purpose he developed predicatelogic He published a book called Begriffsschrift which also used Cantorrsquosnaive perception of a set in particular the principle of comprehension ie everyproperty defines a set If P is a property (or predicate) using a variable x wewrite x | P for the set of all objects with property P The Begriffsschrift wasalso read by an English logician Bertrand Russell (1872-1970)

16

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

Russell found a fundamental flaw in Fregersquos system which made it inconsistentThis means you could prove anything in it no matter whether it is true or falseNaturally this renders it useless as a foundation of mathematics Russell wrotea letter to Frege explaining the problem mdash it seems that Frege never recoveredfrom the blow He certainly didnrsquot know a good way to fix it

To explain Russellrsquos paradox letrsquos have a look at a little story which involvesa barber (letrsquos call him Sweeny Todd) who lives in a little village Since he isthe only barber in the village he has put a note in his window saying I shaveeverybody in the village who doesnrsquot shave himself

by Conor McBride

Now the barber has got a dilemma If he shaves himself then he shouldnrsquot shavehimself because he is shaving precisely those people who do not shave himselfOn the other hand if he does not shave himself then he should shave himselfaccording to the sign

17

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

The story with the barber may not seem to be so dramatic because we are quiteused to false advertising However if we translate the same idea into set theoryit becomes much more serious Let us consider the set R of all sets which donot contain themselves we write

R = X | X isin X)

where X isin X is short for not(X isin X) Eg Nat isin R because the set of naturalnumbers does not contain itself

However what about R itself If R does contain itself then it should not Ifon the other hand R does not contain itself then by definition it should containitself Hence Fregersquos system was inconsistent

However set theory was saved by two Germans

Ernst Friedrich Ferdinand Zermelo (1871-1853)

Adolf Abraham Halevi Fraenkel (1891-1965)

Zermelo identified the unlimited comprehension principle ie that every prop-erty gives rise to a set as the source of the problems and introduced the restrictedcomprehension principle instead Ie we are only allowed to construct subsets

18

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

of already existing sets ie x isin A | P where A already exists The set Rclearly does not fall in this category 10 and hence is outlawed However nowwe have to provide some ways to construct basic sets ie the empty set fi-nite sets the set of natural numbers and the power set (the set of all subsetsof a set) Zermelo founded axiomatic set theory in which these principles areincorporated in some basic propositions about isin and = called axioms LaterFraenkel extended Zermelorsquos system by adding an important axiom the axiomof replacement The resulting system is usually called Zermelo Fraenkel set the-ory or ZF set theory for short and is widely accepted as a foundation of modernmathematics

For many people (certainly for most mathematicans) the story ends here How-ever ZF set theory is not very useful as a programming language (for exampleit allows to define functions which cannot be run on a computer)

Per Martin-Lof a Swedish Mathematician and Philosopher started to developType Theory as a constructive foundation of Mathematics in the early 70rsquosThis language is interesting for Computer Science because it is at the sametime a language to reason about mathematical objects and a programming lan-guage There are a number of computer programs which implement differentvariations of Martin-Lofrsquos Type Theory NuPRL (for Nearly Ultimate ProofRepresentation Language) developed by Robert Constable and his team in theUSA LEGO developed by Randy Pollack in Edinburgh the Swedish systemsALF and AGDA the French system COQ 11 which is now one of the mostsuccessful computer proof systems and very recently Conor McBridersquos Epigramsystem 12 on which my 2nd3rd year module Computer Aided Formal Reasoning(G5BCFR) is based

10Unless we introduce a set of all sets which would make the theory inconsistent due toRussellrsquos paradox

11httpcoqinriafr12httpwwwduracukCARGepigram

19

4 Natural numbers

How can we understand an infinite type like Nat

Nat = 0 1 2 3

And how can we define operations like isEven isin Nat rarr Bool which shouldreturn True if its input is an even number and False otherwise We can hardlydefine isEven by listing all the cases

isEven 0 = TrueisEven 1 = FalseisEven 2 = TrueisEven 3 = FalseisEven 4 = TrueisEven 5 = False

And how can we reason about isEven and other functions on Nat or otherinfinite types

Our understanding of the natural numbers is that they are related to counting0 is a natural number and if n isin Nat then its successor ie the number n +1 isa natuiral number we write Succ n isin Nat Now 0 and Succ are the constructorsof Nat ie we define 13

data Nat = 0 | Succ Nat

now Nat looks a bit different than what we are used to

Nat = 0Succ 0Succ (Succ 0)Succ (Succ (Succ 0)) and conveniently we define

1 = Succ 02 = Succ 13 = Succ 24 = Succ 35 = Succ 4

However we should be able to look beyond the superficial notation using thedecimal system The above definition of the natural number is in some way thesimplest and mathematically most elegant It was suggested by Italian logicianGuiseppe Peano at the beginning of the 20th century who codified the basicrules of arithmetic by his famous axioms (called Peanorsquos axioms) We shallnot study his formulation of the axioms here in detail but our presentation iscertainly inspired by them

13This is a beautified version of the real Haskell code Haskell wouldnrsquot accept using thesymbol 0 as a constructor hence we are actually writing Zero

20

Guiseppe Peano (1858 - 1932)

We shall later say how we can express other notational systems for naturalnumbers by similar type definitions in particular we shall have a look at thebinary representation Peanorsquos representation which we could call unary ispractically useless because the numbers grow far to long quickly However it isthe easiest way to understand the natural numbers and to reason about themIndeed this is precisely what Peano intended We will later introduce binarynumbers and define translations between binary numbers adn Peanorsquos numbers

41 Primitive recursion

How can isEven be defined using Peanorsquos definitions of the natural numbersWe observe that isEven 0 = True and isEven (n+1) is the opposite of isEven nthat is isEven (n + 1) = not (isEven n) Hence we write

isEven isin Nat rarr BoolisEven 0 = TrueisEven (Succ n) = not (isEven n)

We say that isEven is defined by primitive recursion that is isEven (Succ n)is defined using isEven n This is reasonable because if we construct the nat-ural number Succ n we must have constructed the natural number n beforeIn the same way we can calculate the answer isEven n before we calculateisEven (Succ n) using our previously calculated answer

Actually this is not an accurate description of how is recursion is executed on acomputer the computer will only calculate isEven n when it has to to calculateisEven (Succ n) However the explanation above justifies why this processalways terminates and why a function constructed by primitive recursion willalways produce an answer

Hence we can calculate isEven 3 as follows

isEven 3= definition of 3 isEven (Succ 2)= definition of isEven

21

not (isEven 2)= definition of 2 not (isEven (Succ 1))= definition of isEven not (not (isEven 1))= definition of 1 not (not (isEven (Succ 0)))= definition of isEven not (not (not (isEven 0)))= definition of isEven not (not (not True))= definition of not not (not False)= definition of not not True= definition of not False

When displaying an equational derivation we always say what principles wehave applied to get from one line to the next The derivation above is a simplecalculation all we are doing is expanding definitions

Primitive recursion can be contrasted with general recursion which is permittedin Haskell A general recursive function is defined recursively without insistingthat the recursive call is on a previous value General recursion may not termi-nate and while it is easy to use for programming the mathematical theory ismore involved Hence we shall not consider it here but only means of recursionwhich can be justified like primitive recursion

411 Addition

Using primitive recursion we can now define addition

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

Let us spell out what we are doing (+) is defined by recursion over the firstargument (+) 0 gives rise to the function which just returns its argument (theidentity function) (+) (Succ m) uses (+) m to calculate (+) m n and thentakes Succ of that calculation

We can calculate 2 + 3

2 + 3= definition of 2 (Succ 1) + 3= definition of + Succ (1 + 3)= definition of 1 Succ ((Succ 0) + 3)= definition of +

22

Succ (Succ (0 + 3))= definition of + Succ (Succ 3)= definition of 5 5

412 Multiplication

Letrsquos go on and define some more functions eg multiplication

(lowast) isin Nat rarr Nat rarr Nat0 lowast n = 0(Succ m) lowast n = m + (m lowast n)

Multiplication is defined by repeated addition in the same way as addition isdefined by repeated Succ As an example we calculate 2 lowast 3

2 lowast 3= definition of 2 (Succ 1) lowast 3= definition of lowast 3 + 1 lowast 3= definition of 1 3 + (Succ 0) lowast 3= definition of lowast 3 + 3 + 0 lowast 3= definition of lowast 3 + 3= calculate + 6

413 Equality and less-or-equal

We define the function (equiv) isin Nat rarr Nat rarr Bool which decides whether twonatural numbers are equal As in the case of (+) we exploit the curried view ofa function in the definition Letrsquos analyze the first argument (equiv) 0 isin Nat rarrBool should return the function which recognizes 0 ie which returns Trueprecisely if its argument is 0 hence we write

0 equiv 0 = True0 equiv (Succ n) = False

The other case is (equiv) (Succ m) isin Nat rarr Bool this function should returnFalse if presented with 0 but what to do if it is applied to Succ m The answeris that we recursively call (equiv) m and apply it to n because Succ m equiv Succ nhas the same value as m equiv n Hence we define

Succ m equiv 0 = FalseSucc m equiv Succ n = m equiv n

Putting everything together we arrive at the following definition

23

(equiv) isin Nat rarr Nat rarr Bool0 equiv 0 = True0 equiv (Succ n) = False(Succ m) equiv 0 = False(Succ m) equiv (Succ n) = m equiv n

By a slight modification ie by returning True instead of False in the secondline we obtain 6 instead of equiv

(6) isin Nat rarr Nat rarr Bool0 6 0 = True0 6 (Succ n) = True(Succ m) 6 0 = False(Succ m) 6 (Succ n) = m 6 n

414 Factorial

When we set up musical chairs we may wonder How many ways are there toplace 6 children on 6 chairs The answer is there 6 possibilities for the firstchild 5 for the second and so on and there will be only one place left for the lastone Hence there are 6times 5times 4times 3times 2times 1 = 720 We write fac n (mathematicalnotation n) for the number of permutations of n elements (eg the number ofways to arrange n children on n chairs)

We observe that there is one way to arrange no children on no chairs (hencefac 0 = 1) there are n + 1 ways to place the first child and fac n ways todistribute the remaining n children hence fac (n + 1) = (n + 1) lowast (fac n) Thisleads to the following definition of fac by primitive recursion

fac isin Nat rarr Natfac 0 = 1fac (Succ n) = (Succ n) lowast (fac n)

415 Fibonacci

Another interesting function is the famous Fibonacci function fib Nat rarr Natwhich is usually motivated by the problem to calculate the number of rabbitsafter n months if we assume that the rabbits have a child two months after theyare born (ignoring among others the fact that we need actually two rabbits)We start with no rabbits in month 0 and one rabbit in month 1 consequently wehave still one rabbit in month 2 and 2 rabbits in month 3 because our first rabbitgot its first child In general we have that the rabbits in month n+2 are the sumof the number of the rabbits in the previous months and the rabbits from themonth before who will have children now fib (n + 2) = (fib (n + 1)) + (fib n)Ie we get the sequence

0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765

We define fib

24

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Guiseppe Peano (1858 - 1932)

We shall later say how we can express other notational systems for naturalnumbers by similar type definitions in particular we shall have a look at thebinary representation Peanorsquos representation which we could call unary ispractically useless because the numbers grow far to long quickly However it isthe easiest way to understand the natural numbers and to reason about themIndeed this is precisely what Peano intended We will later introduce binarynumbers and define translations between binary numbers adn Peanorsquos numbers

41 Primitive recursion

How can isEven be defined using Peanorsquos definitions of the natural numbersWe observe that isEven 0 = True and isEven (n+1) is the opposite of isEven nthat is isEven (n + 1) = not (isEven n) Hence we write

isEven isin Nat rarr BoolisEven 0 = TrueisEven (Succ n) = not (isEven n)

We say that isEven is defined by primitive recursion that is isEven (Succ n)is defined using isEven n This is reasonable because if we construct the nat-ural number Succ n we must have constructed the natural number n beforeIn the same way we can calculate the answer isEven n before we calculateisEven (Succ n) using our previously calculated answer

Actually this is not an accurate description of how is recursion is executed on acomputer the computer will only calculate isEven n when it has to to calculateisEven (Succ n) However the explanation above justifies why this processalways terminates and why a function constructed by primitive recursion willalways produce an answer

Hence we can calculate isEven 3 as follows

isEven 3= definition of 3 isEven (Succ 2)= definition of isEven

21

not (isEven 2)= definition of 2 not (isEven (Succ 1))= definition of isEven not (not (isEven 1))= definition of 1 not (not (isEven (Succ 0)))= definition of isEven not (not (not (isEven 0)))= definition of isEven not (not (not True))= definition of not not (not False)= definition of not not True= definition of not False

When displaying an equational derivation we always say what principles wehave applied to get from one line to the next The derivation above is a simplecalculation all we are doing is expanding definitions

Primitive recursion can be contrasted with general recursion which is permittedin Haskell A general recursive function is defined recursively without insistingthat the recursive call is on a previous value General recursion may not termi-nate and while it is easy to use for programming the mathematical theory ismore involved Hence we shall not consider it here but only means of recursionwhich can be justified like primitive recursion

411 Addition

Using primitive recursion we can now define addition

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

Let us spell out what we are doing (+) is defined by recursion over the firstargument (+) 0 gives rise to the function which just returns its argument (theidentity function) (+) (Succ m) uses (+) m to calculate (+) m n and thentakes Succ of that calculation

We can calculate 2 + 3

2 + 3= definition of 2 (Succ 1) + 3= definition of + Succ (1 + 3)= definition of 1 Succ ((Succ 0) + 3)= definition of +

22

Succ (Succ (0 + 3))= definition of + Succ (Succ 3)= definition of 5 5

412 Multiplication

Letrsquos go on and define some more functions eg multiplication

(lowast) isin Nat rarr Nat rarr Nat0 lowast n = 0(Succ m) lowast n = m + (m lowast n)

Multiplication is defined by repeated addition in the same way as addition isdefined by repeated Succ As an example we calculate 2 lowast 3

2 lowast 3= definition of 2 (Succ 1) lowast 3= definition of lowast 3 + 1 lowast 3= definition of 1 3 + (Succ 0) lowast 3= definition of lowast 3 + 3 + 0 lowast 3= definition of lowast 3 + 3= calculate + 6

413 Equality and less-or-equal

We define the function (equiv) isin Nat rarr Nat rarr Bool which decides whether twonatural numbers are equal As in the case of (+) we exploit the curried view ofa function in the definition Letrsquos analyze the first argument (equiv) 0 isin Nat rarrBool should return the function which recognizes 0 ie which returns Trueprecisely if its argument is 0 hence we write

0 equiv 0 = True0 equiv (Succ n) = False

The other case is (equiv) (Succ m) isin Nat rarr Bool this function should returnFalse if presented with 0 but what to do if it is applied to Succ m The answeris that we recursively call (equiv) m and apply it to n because Succ m equiv Succ nhas the same value as m equiv n Hence we define

Succ m equiv 0 = FalseSucc m equiv Succ n = m equiv n

Putting everything together we arrive at the following definition

23

(equiv) isin Nat rarr Nat rarr Bool0 equiv 0 = True0 equiv (Succ n) = False(Succ m) equiv 0 = False(Succ m) equiv (Succ n) = m equiv n

By a slight modification ie by returning True instead of False in the secondline we obtain 6 instead of equiv

(6) isin Nat rarr Nat rarr Bool0 6 0 = True0 6 (Succ n) = True(Succ m) 6 0 = False(Succ m) 6 (Succ n) = m 6 n

414 Factorial

When we set up musical chairs we may wonder How many ways are there toplace 6 children on 6 chairs The answer is there 6 possibilities for the firstchild 5 for the second and so on and there will be only one place left for the lastone Hence there are 6times 5times 4times 3times 2times 1 = 720 We write fac n (mathematicalnotation n) for the number of permutations of n elements (eg the number ofways to arrange n children on n chairs)

We observe that there is one way to arrange no children on no chairs (hencefac 0 = 1) there are n + 1 ways to place the first child and fac n ways todistribute the remaining n children hence fac (n + 1) = (n + 1) lowast (fac n) Thisleads to the following definition of fac by primitive recursion

fac isin Nat rarr Natfac 0 = 1fac (Succ n) = (Succ n) lowast (fac n)

415 Fibonacci

Another interesting function is the famous Fibonacci function fib Nat rarr Natwhich is usually motivated by the problem to calculate the number of rabbitsafter n months if we assume that the rabbits have a child two months after theyare born (ignoring among others the fact that we need actually two rabbits)We start with no rabbits in month 0 and one rabbit in month 1 consequently wehave still one rabbit in month 2 and 2 rabbits in month 3 because our first rabbitgot its first child In general we have that the rabbits in month n+2 are the sumof the number of the rabbits in the previous months and the rabbits from themonth before who will have children now fib (n + 2) = (fib (n + 1)) + (fib n)Ie we get the sequence

0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765

We define fib

24

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

not (isEven 2)= definition of 2 not (isEven (Succ 1))= definition of isEven not (not (isEven 1))= definition of 1 not (not (isEven (Succ 0)))= definition of isEven not (not (not (isEven 0)))= definition of isEven not (not (not True))= definition of not not (not False)= definition of not not True= definition of not False

When displaying an equational derivation we always say what principles wehave applied to get from one line to the next The derivation above is a simplecalculation all we are doing is expanding definitions

Primitive recursion can be contrasted with general recursion which is permittedin Haskell A general recursive function is defined recursively without insistingthat the recursive call is on a previous value General recursion may not termi-nate and while it is easy to use for programming the mathematical theory ismore involved Hence we shall not consider it here but only means of recursionwhich can be justified like primitive recursion

411 Addition

Using primitive recursion we can now define addition

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

Let us spell out what we are doing (+) is defined by recursion over the firstargument (+) 0 gives rise to the function which just returns its argument (theidentity function) (+) (Succ m) uses (+) m to calculate (+) m n and thentakes Succ of that calculation

We can calculate 2 + 3

2 + 3= definition of 2 (Succ 1) + 3= definition of + Succ (1 + 3)= definition of 1 Succ ((Succ 0) + 3)= definition of +

22

Succ (Succ (0 + 3))= definition of + Succ (Succ 3)= definition of 5 5

412 Multiplication

Letrsquos go on and define some more functions eg multiplication

(lowast) isin Nat rarr Nat rarr Nat0 lowast n = 0(Succ m) lowast n = m + (m lowast n)

Multiplication is defined by repeated addition in the same way as addition isdefined by repeated Succ As an example we calculate 2 lowast 3

2 lowast 3= definition of 2 (Succ 1) lowast 3= definition of lowast 3 + 1 lowast 3= definition of 1 3 + (Succ 0) lowast 3= definition of lowast 3 + 3 + 0 lowast 3= definition of lowast 3 + 3= calculate + 6

413 Equality and less-or-equal

We define the function (equiv) isin Nat rarr Nat rarr Bool which decides whether twonatural numbers are equal As in the case of (+) we exploit the curried view ofa function in the definition Letrsquos analyze the first argument (equiv) 0 isin Nat rarrBool should return the function which recognizes 0 ie which returns Trueprecisely if its argument is 0 hence we write

0 equiv 0 = True0 equiv (Succ n) = False

The other case is (equiv) (Succ m) isin Nat rarr Bool this function should returnFalse if presented with 0 but what to do if it is applied to Succ m The answeris that we recursively call (equiv) m and apply it to n because Succ m equiv Succ nhas the same value as m equiv n Hence we define

Succ m equiv 0 = FalseSucc m equiv Succ n = m equiv n

Putting everything together we arrive at the following definition

23

(equiv) isin Nat rarr Nat rarr Bool0 equiv 0 = True0 equiv (Succ n) = False(Succ m) equiv 0 = False(Succ m) equiv (Succ n) = m equiv n

By a slight modification ie by returning True instead of False in the secondline we obtain 6 instead of equiv

(6) isin Nat rarr Nat rarr Bool0 6 0 = True0 6 (Succ n) = True(Succ m) 6 0 = False(Succ m) 6 (Succ n) = m 6 n

414 Factorial

When we set up musical chairs we may wonder How many ways are there toplace 6 children on 6 chairs The answer is there 6 possibilities for the firstchild 5 for the second and so on and there will be only one place left for the lastone Hence there are 6times 5times 4times 3times 2times 1 = 720 We write fac n (mathematicalnotation n) for the number of permutations of n elements (eg the number ofways to arrange n children on n chairs)

We observe that there is one way to arrange no children on no chairs (hencefac 0 = 1) there are n + 1 ways to place the first child and fac n ways todistribute the remaining n children hence fac (n + 1) = (n + 1) lowast (fac n) Thisleads to the following definition of fac by primitive recursion

fac isin Nat rarr Natfac 0 = 1fac (Succ n) = (Succ n) lowast (fac n)

415 Fibonacci

Another interesting function is the famous Fibonacci function fib Nat rarr Natwhich is usually motivated by the problem to calculate the number of rabbitsafter n months if we assume that the rabbits have a child two months after theyare born (ignoring among others the fact that we need actually two rabbits)We start with no rabbits in month 0 and one rabbit in month 1 consequently wehave still one rabbit in month 2 and 2 rabbits in month 3 because our first rabbitgot its first child In general we have that the rabbits in month n+2 are the sumof the number of the rabbits in the previous months and the rabbits from themonth before who will have children now fib (n + 2) = (fib (n + 1)) + (fib n)Ie we get the sequence

0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765

We define fib

24

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Succ (Succ (0 + 3))= definition of + Succ (Succ 3)= definition of 5 5

412 Multiplication

Letrsquos go on and define some more functions eg multiplication

(lowast) isin Nat rarr Nat rarr Nat0 lowast n = 0(Succ m) lowast n = m + (m lowast n)

Multiplication is defined by repeated addition in the same way as addition isdefined by repeated Succ As an example we calculate 2 lowast 3

2 lowast 3= definition of 2 (Succ 1) lowast 3= definition of lowast 3 + 1 lowast 3= definition of 1 3 + (Succ 0) lowast 3= definition of lowast 3 + 3 + 0 lowast 3= definition of lowast 3 + 3= calculate + 6

413 Equality and less-or-equal

We define the function (equiv) isin Nat rarr Nat rarr Bool which decides whether twonatural numbers are equal As in the case of (+) we exploit the curried view ofa function in the definition Letrsquos analyze the first argument (equiv) 0 isin Nat rarrBool should return the function which recognizes 0 ie which returns Trueprecisely if its argument is 0 hence we write

0 equiv 0 = True0 equiv (Succ n) = False

The other case is (equiv) (Succ m) isin Nat rarr Bool this function should returnFalse if presented with 0 but what to do if it is applied to Succ m The answeris that we recursively call (equiv) m and apply it to n because Succ m equiv Succ nhas the same value as m equiv n Hence we define

Succ m equiv 0 = FalseSucc m equiv Succ n = m equiv n

Putting everything together we arrive at the following definition

23

(equiv) isin Nat rarr Nat rarr Bool0 equiv 0 = True0 equiv (Succ n) = False(Succ m) equiv 0 = False(Succ m) equiv (Succ n) = m equiv n

By a slight modification ie by returning True instead of False in the secondline we obtain 6 instead of equiv

(6) isin Nat rarr Nat rarr Bool0 6 0 = True0 6 (Succ n) = True(Succ m) 6 0 = False(Succ m) 6 (Succ n) = m 6 n

414 Factorial

When we set up musical chairs we may wonder How many ways are there toplace 6 children on 6 chairs The answer is there 6 possibilities for the firstchild 5 for the second and so on and there will be only one place left for the lastone Hence there are 6times 5times 4times 3times 2times 1 = 720 We write fac n (mathematicalnotation n) for the number of permutations of n elements (eg the number ofways to arrange n children on n chairs)

We observe that there is one way to arrange no children on no chairs (hencefac 0 = 1) there are n + 1 ways to place the first child and fac n ways todistribute the remaining n children hence fac (n + 1) = (n + 1) lowast (fac n) Thisleads to the following definition of fac by primitive recursion

fac isin Nat rarr Natfac 0 = 1fac (Succ n) = (Succ n) lowast (fac n)

415 Fibonacci

Another interesting function is the famous Fibonacci function fib Nat rarr Natwhich is usually motivated by the problem to calculate the number of rabbitsafter n months if we assume that the rabbits have a child two months after theyare born (ignoring among others the fact that we need actually two rabbits)We start with no rabbits in month 0 and one rabbit in month 1 consequently wehave still one rabbit in month 2 and 2 rabbits in month 3 because our first rabbitgot its first child In general we have that the rabbits in month n+2 are the sumof the number of the rabbits in the previous months and the rabbits from themonth before who will have children now fib (n + 2) = (fib (n + 1)) + (fib n)Ie we get the sequence

0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765

We define fib

24

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

(equiv) isin Nat rarr Nat rarr Bool0 equiv 0 = True0 equiv (Succ n) = False(Succ m) equiv 0 = False(Succ m) equiv (Succ n) = m equiv n

By a slight modification ie by returning True instead of False in the secondline we obtain 6 instead of equiv

(6) isin Nat rarr Nat rarr Bool0 6 0 = True0 6 (Succ n) = True(Succ m) 6 0 = False(Succ m) 6 (Succ n) = m 6 n

414 Factorial

When we set up musical chairs we may wonder How many ways are there toplace 6 children on 6 chairs The answer is there 6 possibilities for the firstchild 5 for the second and so on and there will be only one place left for the lastone Hence there are 6times 5times 4times 3times 2times 1 = 720 We write fac n (mathematicalnotation n) for the number of permutations of n elements (eg the number ofways to arrange n children on n chairs)

We observe that there is one way to arrange no children on no chairs (hencefac 0 = 1) there are n + 1 ways to place the first child and fac n ways todistribute the remaining n children hence fac (n + 1) = (n + 1) lowast (fac n) Thisleads to the following definition of fac by primitive recursion

fac isin Nat rarr Natfac 0 = 1fac (Succ n) = (Succ n) lowast (fac n)

415 Fibonacci

Another interesting function is the famous Fibonacci function fib Nat rarr Natwhich is usually motivated by the problem to calculate the number of rabbitsafter n months if we assume that the rabbits have a child two months after theyare born (ignoring among others the fact that we need actually two rabbits)We start with no rabbits in month 0 and one rabbit in month 1 consequently wehave still one rabbit in month 2 and 2 rabbits in month 3 because our first rabbitgot its first child In general we have that the rabbits in month n+2 are the sumof the number of the rabbits in the previous months and the rabbits from themonth before who will have children now fib (n + 2) = (fib (n + 1)) + (fib n)Ie we get the sequence

0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765

We define fib

24

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

fib isin Nat rarr Natfib 0 = 0fib (Succ 0) = 1fib (Succ (Succ m)) = (fib m) + (fib (Succ m))

Different from the functions we have seen so far we are not just using the valueof a function at n to calculate the value at Succ n but here we actually usetwo previous values Using smaller values in general is called course of valuerecursion and is a modest generalisation of primitive recursion Indeed it hasgot the same justification as primitive recursion eg we adopt the view thatthe function values for smaller values have been calculated earlier

42 Induction

How can we prove something for all natural numbers This is a problem verysimilar to the one we have discussed in the previous section and indeed thesolution is very closely related to primitive recursion Letrsquos consider a verysimple example we want to prove foralln isin Natn+Zero = n Recall the definitionof +

(+) isin Nat rarr Nat rarr Nat0 + n = n(Succ m) + n = Succ (m + n)

We can see by looking at the definition that forall n isin Nat0 + n = n but whatabout the equally true forall n isin Natn + 0 = n Sure we will remember theequality forall mn isin Natm + n = n + m (called commutativity of addition) buthere we shall actually establish this law from first principles and we will seethat actually forall n isin Natn + 0 = n is a useful auxilliary property when showingcommutativity

We can start showing this property for the first few natural numbers and observethat a certain pattern emerges

0 0 + 0 = 0 by definition of +

1 To show (Succ 0)+0 = Succ 0 we first use the definition of + to see (Succ 0)+0 = Succ (0 + 0) and then we can exploit the previous line to see thatSucc (0 + 0) = Succ 0

2 To show (Succ (Succ 0)) + 0 = Succ (Succ 0) we first use the definition of +to see (Succ (Succ 0)) + 0 = Succ ((Succ 0) + 0) and then we can exploitthe previous line to see that Succ ((Succ 0) + 0) = Succ (Succ 0)

Each of the subsequent line is simply a consequence of the previous one Eg toshow (Succ n)+0 = Succ n we first apply the definition of + to see (Succ n)+0 =Succ (n +0) and then we apply the previous line ie the proof for n to see thatSucc (n + 0) = Succ n

25

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

We can see that this shows that the property holds for all natural numbers theidea is the same as for primitive recursion because the number n is constructedbefore Succ n we can establish the property for n before we show it for Succ n

The principle of induction can be summarized as follows to prove a propertyP for all natural numbers ie to show forall n isin NatP n we prove it for 0 iewe show P 0 and assuming that it holds for n isin Nat ie P n we can show thatit holds for P (Succ n) The assumption P n which can be used when showingP (Succ n) we call the induction hypothesis (IH)

421 Commutativity of (+)

Letrsquos now prove forall mn isin Natm+n = n+m by induction over m If m = 0 thisreduces to showing 0+n = n +0 we know that 0+n = n by the definition of +and we have just shown n = n +0 above Letrsquos assume that forall n isin Natm +n =n + m to prove forall n isin Nat (Succ m) + n = n + (Succ m) Now given n isin Natwe know from the definition of + that (Succ m) + n = Succ (m + n) we canapply the induction hypthesis to deduce that Succ (m +n) = Succ (n +m) Allthat is left to show is that Succ (n + m) = n + (Succ m) showing this requiresa separate proof by induction

It is time to tidy up our argument and also follow standard mathematical prac-tice and present proofs forward ie starting from the assumptions and basiclemmas (auxilliary theorems) to the goal the final theorem No human beingconstructs a proof like this everybody does it the other way around Some peo-ple believe that this is part of a conspiracy by Mathematicians to make theirknowledge inaccessible to the rest of the world

Lemma 41 forall n isin Natn + 0 = n

Proof By induction over n isin Nat

Case n = 0 We show 0 + 0 = 0

0 + 0= definition of + 0

Case n = Succ n prime We assume n prime + 0 = n prime (IH ) to show (Succ n prime) + 0 =Succ n prime

(Succ n prime) + 0= definition of + Succ (n prime + 0)= (IH) Succ n prime

Lemma 42 forall mn isin Natm + (Succ n) = Succ (m + n)

Proof By induction over m isin Nat

26

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Case m = 0 We show forall n isin Nat0 + (Succ n) = Succ (0 + n)0 + (Succ n)= definition of + Succ n= definition of + Succ (0 + n)

Case m = Succ m prime We assume forall n isin Natm+(Succ n) = Succ (m+n) (IH )to show (Succ m) + (Succ n) = Succ (m + n)

(Succ m) + (Succ n)= definition of + Succ (m + (Succ n))= IH Succ (Succ (m + n))= definition of + Succ ((Succ m) + n)

Theorem 43 forall mn isin Natm + n = n + m

Proof By induction over m isin Nat

Case m = 0 We show forall n isin Nat0 + n = n + 00 + n= definition of + n= lemma n + 0

Case m = Succ m prime We assume forall n isin Natm prime + n = n + m prime (IH ) to show(Succ m prime) + n = n + (Succ m prime)

(Succ m prime) + n= definition of + Succ (m prime + n)= IH Succ (n + m prime)= lemma n + (Succ m prime)

Isnrsquot this a bit much effort for a theorem whose truth can be easily seen intu-itively Every child knows that if you put two heaps of sweeties together thatthe order in which you do this does not affect the number of sweeties you havein the end However apart from the point that we used a simple example toillustrate a method it is sometimes worthwhile to prove the obvious Maybeyou were only thinking that the function you defined was addition but as soonas you are going to prove something about it you discover that there is a bugThis is different from Mathematics Computer Scientists are interested in prov-ing obvious things It is also a good idea to enlist the help of a computer tomake sure that we donrsquot accidently cheat We will get back to this later

27

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

422 Gaussrsquo theorem

Letrsquos consider a less obvious proposition we can prove by induction CarlFriederich Gauss was a famous German Mathematician in the 19th centuryone of the theorems he proved is the fundamental theorem of algebra whichsays that every polynom over the complex numbers has a solution Howeverhere we are just concerned with a little theorem he allegedly discovered whenhe was still a school boy Apprently he was naughty and as a punishementteacher set him the task to add the numbers until 100 But the teacher hadnrsquotaccounted for young Gaussrsquo genius who very quickly came up with the rightanswer 5050 Instead of doing all the stupid calculations Gauss had realizedthat there is a simple formula namely that the sum of the numbers upto n isgiven by (n lowast (n + 1)) 2 The following picture illustrates the basic idea in thecase n = 3

Ie the sum of the 1 + 2 + 3 depicted by the area covered by the black balls isprecisely half the area of the 3 lowast 4 rectangle

First for reference lets define by primitive recursion the function which cal-culates the numbers upto n which we are going to call sum (Mathematicanswould write Σn

i=0i)

sum isin Nat rarr Natsum 0 = 0sum (Succ n) = (Succ n) lowast (sum n)

We want to show sum n = (n lowast (n + 1)) 2 to avoid having to define divisionand to justify that the division in this case stays always withing the naturalnumbers we show instead 2 lowast (sum n) = n lowast (Succ n) by induction

Theorem 44 forall n isin Nat 2 lowast (sum n) = n lowast (Succ n)

Proof By induction over n isin Nat

Case n = 0 We show 2 lowast (sum 0) = 0 lowast (Succ 0)

2 lowast (sum 0)= definition of lowast sum 0= definition of lowast 0 lowast (Succ 0)

Case n = Succ n prime We assume

28

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

2 lowast (sum n prime) = n prime lowast (Succ n prime) (IH )

to show 2 lowast (sum (Succ n prime)) = (Succ n prime) lowast (Succ (Succ n prime))

2 lowast (sum (Succ n prime))= definition of sum 2 lowast ((Succ n prime) + (sum n prime))= distributivity 2 lowast (Succ n prime) + 2 lowast (sum n prime)= IH 2 lowast (Succ n prime) + n lowast (Succ n prime)= distributivity (2 + n) lowast (Succ n prime)= commutativity definition of + (Succ n prime) lowast (Succ (Succ n prime))

In the proof above we have used distributivity ie

forall i j k isin Nat i lowast (j + k) = (i lowast j ) + (i lowast k)

Sure we could have proven this here (by induction) but I will leave this as anexercise

29

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

5 Inductive types

The idea behind the definition of the type of natural numbers can be appliedto many other types using the data keyword in Haskell We are calling thosetypes inductive types and indeed they come with their own primitive recursionand induction principles

51 Lists

One of the most versatile types especially but not only in functional program-ming is the type of lists Indeed the name of the first functional language LISPintroduced in 1958 as the 2nd high level programming language stands for LIstProcessing

Given a type a we write [a ] for the type of lists or sequences of elements ofa Eg [23minus1 1 1 0] isin [Int ] similar as for (a b) we use the same symbols[ ] for the operator on types and on elements Actually the [a1 a2 an ]notation is just a shorthand for a1 (a2 (an [ ]) The basic constructors forlists are [ ] isin [a ] for the empty list and given x isin a and a list xs isin [a ] we canconstruct the new list x xs isin [a ] (for historic reasons is called cons) Ie[23minus1 1 1 0] = 23 (minus1 (1 (1 (0 [ ]))))

In Haskell lists are predefined because they use some special syntactic sugarbut apart from this we could have just defined

data [a ] = [ ] | a [a ]

Strings are a special case of lists we use the type of characters Char which isa finite type whose elements are the characters which can be used in computing(eg one of the 216 unicode characters) We write elements of Char using singlequotes eg rsquoarsquo isin Char The type of strings is defined as lists of characters

type String = [Char]

The common syntax for strings using double quotes ie Hello is just syntac-tiv sugar for [rsquoHrsquo rsquoersquo rsquolrsquo rsquolrsquo rsquoorsquo] which in turn is just short for rsquoHrsquo (rsquoersquo (rsquolrsquo (rsquolrsquo (rsquoorsquo [ ]))))

One of the basic functions on lists is append ++ which combines two lists ie[1 2] ++ [3 4] = [1 2 3 4] To be able to define this function we have to extendthe principle of primitive recursion to lists We define xs ++ ys by primitiverecursion over xs if xs is empty ie xs = [ ] then [ ] ++ ys = ys On the otherhand if xs is a cons ie xs = x isin xs prime then we know that the combined list startswith x and constinues with the result of appending xs prime to ys That is here wehave to use ++ recursively The recursive use of ++ can be justified in the sameway as for Nat the list xs prime had to be constructed before x xs prime hence we cancalculate the result of xs prime ++ ys before we have to come up with (x xs prime) ++ ysIn Haskell we write

(++) isin [a ] rarr [a ] rarr [a ][ ] ++ ys = ys(x xs) ++ ys = x (xs ++ ys)

30

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Note that ++ is a polymorphic function we can replace the type variable a byany type Eg we may replace a by Char arriving at the special case of stringsHence we can use ++ to append strings eg Hel ++ lo = Hello

We also have an induction principle for lists To illustrate this letrsquos first intro-duce a function which reverses a list How to reverse a list The reverse of theempty list is the empty list The reverse of a list x xs is the reverse of xs with xput on the end We arrive at the following primitive recursive implementationof reverse

rev isin [a ] rarr [a ]rev [ ] = [ ]rev (x xs) = (rev xs) ++ [x ]

Eg rev Hello = olleH What happens if we reverse twice Rightwe get back where we started indeed rev olleH = Hello Letrsquos proveforall xs isin [a ] rev (rev xs) = xs

Induction over lists means that to show a property for all lists we show theproperty for the empty list [ ] and then we show that if it holds for any list xsthen it holds for x xs The justification is again the same as for induction forthe natural numbers

We will show forall xs isin [a ] rev (rev xs) = xs by induction over lists The [ ] case isstraightforward since rev [ ] = [ ] what about rev (rev (x xs)) = rev ((rev xs)++[x ]) We cannot apply the induction hypothesis directly we first have to movethe outer rev inside ++ The key idea is to show that rev ((rev xs) ++ [x ]) =x (rev (rev xs)) and then we apply the induction hypothesis that rev (rev xs) =xs How do we show rev ((rev xs) ++ [x ]) = x (rev (rev xs)) The point is thatthis property doesnrsquot just hold for rev xs but for any list ys ie rev ((ys++[x ]) =x (rev ys)) eg rev (Hall++o) = o (rev Hal) How to we show thatthis property holds By induction over ys

Ok thatrsquos the sketch Letrsquos tidy this up First we prove the auxilliary propertyas a lemma

Lemma 51 forall x isin a forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys))

Proof Given x isin a We show forall ys isin [a ] rev ((ys ++ [x ]) = x (rev ys)) byinduction over ys isin [a ]

Case ys = [ ] We show rev ([ ] ++ [x ]) = x (rev [ ])

rev ([ ] ++ [x ])= definition of ++ rev [x ]= definition of rev [x ]= definition of rev x (rev [ ])

Case ys = y ys prime We assume

rev ((ys ++ [x ]) = x (rev ys)) (IH )

31

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

to show

rev (((y ys) ++ [x ]) = x (rev (y ys)))

rev (((y ys) ++ [x ])= definition of ++ rev (y (ys ++ [x ]))= definition of rev (rev (ys ++ [x ])) ++ [y ]= (IH) (x (rev ys)) ++ [y ]= definition of ++ x ((rev ys) ++ [y ])= definition of rev x (rev (y ys))

Theorem 52 forall xs isin [a ] rev (rev xs) = xs

Proof By induction over xs

Case xs = [ ] We show rev (rev [ ]) = [ ]

rev (rev [ ])= definition of rev rev [ ]= definition of rev [ ]

Case xs = x xs prime We assume

rev (rev xs) = xs (IH )

to show

rev (rev (x xs prime)) = x xs prime

rev (rev (x xs prime))= definition of rev rev ((rev xs prime) ++ [x ])= lemma for ys = rev xs prime x (rev (rev xs))= (IH) x xs

52 Insertion sort

There are many situations where we want to sort a list eg given [56 1 10 3]we would like to produce [1 3 10 56] One of the simplest sorting algorithms isinsertion sort The idea can be best explained by describing how to sort a deckof card We sort from an unsorted pile to a sorted pile by adding one card at

32

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

a time to the sorted pile When adding a card to a already sorted pile we gothrough the sorted pile until we find a card with a higher value and then insertthe new card just before this card This can be expressed as a function insert which is defined by primitive recursion over lists

insert isin Nat rarr [Nat ] rarr [Nat ]insert a [ ] = [a ]insert a (b bs) = if a 6 b then a (b bs)

else b (insert a bs)

The important feature of insert is that it produces a sorted list with an ex-tra element if its argument was sorted We can now define insertionSort byprimitive recursion over the initially unsorted list

insertionSort isin [Nat ] rarr [Nat ]insertionSort [ ] = [ ]insertionSort (a as) = insert a (insertionSort as)

And indeed insertionSort [56 1 10 3] = [1 3 10 56]

The same algorithm can sort any data wrt to a given comparison functioncomp a rarr a rarr Bool which has the appropriate properties (we shall laterdiscuss in detail what properties this are)

Insertion sort shouldnrsquot be used to sort large sequences because it is quiteinefficent on average it compares every argument with half of all the others Wesay it has quadratic complexity because on average the number of comparisonsit has to carry out is proportional to n2 where n is the length of the list

53 Binary numbers

We can use lists to represent binary numbers A binary number like 1102 whichis the binary way to write 6 is nothing but a list of Booleans hence we define

type Binary = [Bool ]

We use True for 1 and False for 0 and we shall read the list backwards whichhas the advantage that it is easy to access the least significant digit eg 1102

is actually represented as [FalseTrueTrue] 14

We shall define functions which translate between Binary and Nat We startwith bin2nat isin Binary rarr Nat The idea is that to translate a number whichhas at least one digit we recursively translate the rest of the numebr withoutthe last digit double that and add the value of the last digit to it This isexpressed by the following function

bin2nat isin Binary rarr Natbin2nat [ ] = 0bin2nat (True bs) = Succ (2 lowast (bin2nat bs))bin2nat (False bs) = 2 lowast (bin2nat bs)

14We could have avoided this notational inconvenience by using snoc lists ie lists wherecons gets its arguments the other way around

33

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

To define the translation in the other direction nat2bin isin Nat rarr Binary weintroduce a successor function on the binary representation The successor ofthe empty list which is interpreted as 0 is 1 Otherwise if the last digit is 0 wejust change this to 1 and keep the rest of the number the same If the last digitis 1 we change this to 0 and have a carry bit which means that we have torecursively calculate the successor of the rest of the number Hence we define

bsucc isin Binary rarr Binarybsucc [ ] = [True]bsucc (False bs) = True bsbsucc (True bs) = False (bsucc bs)

Now we can define nat2bin it basically translates 0 by the empty binary andthen applies bsucc for every successor

nat2bin isin Nat rarr Binarynat2bin 0 = [ ]nat2bin (Succ n) = bsucc (nat2bin n)

Once we have established the two translations we want to show that theyare indeed inverse to each other Eg if we start with a natural numbern we can translate it to a binary nat2bin n and then translate it back bybin2nat (nat2bin n) and we should hope that we get back to the number westarted with ie that

bin2nat (nat2bin n) = n

If we start with a binary number bs isin Binary the mirror property

nat2bin (bin2nat bs) = bs

doesnrsquot actually hold The reason is that our encoding is redundant lead-ing 0s (actually trailing Falses in our notation) do not matter For examplenat2bin (bin2nat [TrueFalse]) = [True] We could insist the we do not allowleading 0s and show that for those normal numbers the property holds Actu-ally following common practive we would make the exception for the case thatthe number is just 0 but would at the same time outlaw the empty sequence asa representation of a number

Going back to proving forall n isin Natn = bin2nat (nat2bin n) unsurprisingly weare going to use induction to establish this The case for 0 is straightforwardbut in the case of Succ n prime we have that nat2bin (Succ n prime) = bsucc (nat2bin n prime)and we would like to use that

bin2nat (bsucc (nat2bin n prime)) = Succ (bin2nat (nat2bin n prime))

to be able to apply the induction hypothesis This leads to the following lemma

Lemma 53 forall bs isin Binarybin2nat (bsucc bs) = Succ (bin2nat bs)

Proof We show this by induction over bs isin Binary

Case bs = [ ] We have to show bin2nat (bsucc [ ]) = Succ (bin2nat [ ])

bin2nat (bsucc [ ])= definition of bsucc

34

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

bin2nat [True]= calculate bin2nat 1= definition of 1 Succ 0= definition of bin2nat Succ (bin2nat [ ])

Case bs = b bs prime We assume

bin2nat (bsucc bs prime) = Succ (bin2nat bs prime) (IH )

to show

bin2nat (bsucc (b bs prime)) = Succ (bin2nat (b bs prime))

for any b isin Bool Letrsquos analyze b isin Bool

Case b = False In this case we have to showbin2nat (bsucc (False bs prime)) = Succ (bin2nat (False bs prime))

bin2nat (bsucc (False bs prime))= definition of bsucc bin2nat (True bs prime)= definition of bin2nat Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (False bs prime))

Case b = True In this case we have to showbin2nat (bsucc (True bs prime)) = Succ (bin2nat (True bs prime))

bin2nat (bsucc (True bs prime))= definition of bsucc bin2nat (False (bsucc bs prime))= definition of bin2nat 2 lowast (bin2nat (bsucc bs prime))= (IH) 2 lowast (Succ (bin2nat bs prime))= algebra 2 lowast (Succ n) = Succ (Succ (2 lowast n)) Succ (Succ (2 lowast (bin2nat bs prime))= definition of bin2nat Succ (bin2nat (True bs prime))

Now we are ready to prove the main theorem

Theorem 54 forall n isin Natbin2nat (nat2bin n) = n

Proof We prove this by induction over n isin Nat

Case n = 0 We show bin2nat (nat2bin 0) = 0

bin2nat (nat2bin 0)= definition of nat2bin bin2nat [ ]

35

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

= definition of bin2nat 0

Case n = Succ n prime We assume

bin2nat (nat2bin n prime) = n prime (IH )

to show

bin2nat (nat2bin (Succ n prime)) = Succ n prime

bin2nat (nat2bin (Succ n prime))= definition of nat2bin bin2nat (bsucc (nat2bin n prime))= lemma Succ (bin2nat (nat2bin n prime))= (IH) Succ n prime

To define addition on Binary we define addition with carry which always addsthree bits caculating the current bit and the new carry bit As a first step wedefine two operations addbit and carry which calculate the new bit and carry

addbit isin Bool rarr Bool rarr Bool rarr Booladdbit a b c = (a equiv b) equiv c

carry isin Bool rarr Bool rarr Bool rarr Boolcarry a b c = (aampampb)||(bampampc)||(aampampc)

We are now ready to define binary addition with carry

addBinC isin Bool rarr Binary rarr Binary rarr BinaryaddBinC c as [ ] = if c then bsucc as else asaddBinC c [ ] as = if c then bsucc as else asaddBinC c (a as) (b bs) = (addbit a b c) (addBinC (carry a b c) as bs)

from which we can easily derive binary addition by setting the carry to False

addBin isin Binary rarr Binary rarr BinaryaddBin bs cs = addBinC False bs cs

Binary multiplication is the usual long multiplication we learn at school Wemultiply each digit of one of the numbers with the other numbers always mul-tiplying the other number by 10 ie shifting it In the binary case multiplyinga digit with a number is very easy either the bit is 0 (ie False) then the resultis 0 or the bit is 1 then the result just is the other number

multBin isin Binary rarr Binary rarr BinarymultBin [ ] bs = [ ]multBin (a as) bs = if a

then addBin bs (multBin as (False bs))else multBin as (False bs)

The operations we have defined correspond to the more primitive operations wehave defined previously That is we have

36

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

forall mn Nat addBin (bin2nat m) (bin2nat n) = bin2nat (m + n)

forall mn Nat multBin (bin2nat m) (bin2nat n) = bin2nat (m lowast n)

These can be established using the principles we have introduced ie induc-tion However for reasons of space and potential boredom we shall refrain fromcarrying this out here

54 Trees

Unlike in ordinary live trees in computer science have got the roots on top andthe leaves on bottom Here is an example of a binary tree whose nodes arelabelled with natural numbers

56

1

3

10

root

node

leaf

Trees are also a very useful datastructure for example they can be used toefficently store and update an ordered collection of data In Haskell we woulddefine the type of binary node-labelled trees as follows

data Tree a = Leaf | Node (Tree a) a (Tree a)

The tree pictured in the diagram would be represented as

mytree isin Tree Natmytree = Node (Node Leaf 1 Leaf)

3(Node Leaf

10(Node Leaf 56 Leaf))

You may note that the tree is ordered ie all the leaves in the left subtree ofany node has labels less (or equal) than the label on the node and the nodes inthe right subtree have greater labels Indeed ordered trees give rise to anothersorting algorithm which is called tree sort First we define by primitive recur-sion over trees a function which inserts a node into an ordered tree leaving theordering intact

37

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

treeInsert isin Nat rarr (Tree Nat) rarr Tree NattreeInsert a Leaf = Node Leaf a LeaftreeInsert a (Node l b r) = if a 6 b

then Node (treeInsert a l) b relse Node l b (treeInsert a r)

By inserting all elements of a list into an empty tree we obtain a function whichturns an unsorted list into an ordered tree

list2tree isin [Nat ] rarr (Tree Nat)list2tree [ ] = Leaflist2tree (a as) = treeInsert a (list2tree as)

We can also turn an ordered tree into a sorted list

tree2list isin (Tree a) rarr [a ]tree2list Leaf = [ ]tree2List (Node l a r) = (tree2list l) ++ [a ] ++ (tree2list r)

Note that the last function is polymorphic since it doesnrsquot need any operationson the data stored in a tree Now we obtain tree sort by combining the twofunctions defined above

treeSort isin [Nat ] rarr [Nat ]treeSort as = tree2list (list2tree as)

It may appear wasteful to create a tree just to sort a list but actually tree sort isbetter than insertion sort On the average every element which is inserted intothe tree is only compared with a few others on the way down to a leaft to beprecise log2 n if the number of nodes is n Since we have to insert n elementstree sort will need a number proportional to n log2 n comparisons to sort a listwith n elements which is considerably better that insertion sortrsquos n2

We can also prove propositions about trees by induction over trees As anexample observe that the tree in the example has 4 nodes and 5 leaves This isno coincidence but a general property of binary trees Maybe the best way tosee that this is the case is to notice that every tree can be generated startingfrom a leaf by replacing an aribtrary leaf by a node with two leaves The initialtree has got the proberty and it is preserved by the replacement step hence anytree will have the property More formally we can show this by induction overtrees where we have an induction hypothesis for the left and the right subtree

To make this precise we first define functions which count the number of nodesand leaves in a tree (ignoring any data)

countNodes isin (Tree a) rarr NatcountNodes Leaf = 0countNodes (Node l x r) = Succ ((countNodes l) + (countNodes r))

countLeaves isin (Tree a) rarr NatcountLeaves Leaf = 1countLeaves (Node l x r) = (countLeaves l) + (countLeaves r)

38

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

We are now ready to prove our theorem

Theorem 55 forall t Tree a countLeaves t = 1 + (countNodes t)

Proof We proceed by induction over t isin Tree a

Case t = Leaf We show countLeaves Leaf = 1 + (countNodes Leaf)

countLeaves Leaf= definition of countLeaves 1= definition of countNodes 1 + (countNodes Leaf)

Case t = Node l x r We assume

countLeaves l = 1 + (countNodes l) (IH minus L)

countLeaves r = 1 + (countNodes r) (IH minus R)

to show countLeaves (Node l x r) = 1 + (countNodes (Node l x r))

countLeaves (Node l x r)= definition of countLeaves (countLeaves l) + (countLeaves r)= (IH-L)(IH-R) 1 + (countNodes l) + 1 + (countNodes r)= algebra 1 + (1 + (countNodes l) + (countNodes r))= definition of countNodes 1 + (countNodes (Node l x r))

Finally note that there are different types of binary trees depending where weput the data ie there are leaf labelled trees

data Tree a = Leaf a | Node (Tree a) (Tree a)

and trees which have labels on leaves and nodes potentially of different types

data Treeprime a b = Leaf prime a | Nodeprime (Treeprime a b) b (Treeprime a b)

39

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

6 Predicates and relations

A predicate over a type is a property of elements of that type An example isEven isin Nat rarr Prop which expresses the property of a natural number beingeven We can define Even

Even isin Nat rarr PropEven n = exist m isin Nat 2 lowastm = n

That is we say that a number is even if it is the double of another number Iwrite a rarr Prop for the type of predicates over a Note that unlike programspredicates cannot be executed but we can use them for reasoning

A relation between two types (which may be the same) relates elements of thefirst type with elements of the 2nd An example is 6 isin Nat rarr Nat rarr Propwhich expresses the relation of a number being smaller than another Again wecan define 6 using +

(6) isin Nat rarr Nat rarr Propm6n = exist k isin Nat m + k = n

That is we say that m6n if there is a number k that if added to m gives n

In general we consider n-ary relations that is R isin a1 rarr a2 rarr middot middot middot rarr an rarr Propand predicates are just another word for 1-ary relations 2-ary (or binary)relations such as 6 are usually written infix

A fundamental binary relation on any type is equality (=) isin a rarr a rarr PropWe consider equality as a primitive notion We know that everything is equal toitself mdash we say that equality is reflexive that is forall x isin a x = x Two booleansor natural number or lists are equal if they are made only from constructorsand look the same Two functions are equal if they return the same answers forall elements of their domain that is for f g isin a rarr b we have that f = g ifforall x a f x = g x note that this involves equality on b This is the principle ofextensionality and it is the consequence of our view of functions as black boxesie we cannot look inside a function all we can do it is to apply it to arguments

We have already introduced the functions 6isin Nat rarr Nat rarr Bool equivisinBool rarr Bool rarr Bool and equivisin Nat rarr Nat rarr Bool They are related to6 isin Bool rarr Bool rarr Prop =isin Bool rarr Bool rarr Prop and =isin Nat rarrNat rarr Prop indeed they return True if the relation holds and False other-wise That is we can show that

forall x y isin Nat x6y lArrrArr x 6 y = Trueforall x y isin Bool x = y lArrrArr x equiv y = Trueforall x y isin Nat x = y lArrrArr x equiv y = True

We say that a boolean function f isin a rarr b rarr Bool decides a relation R isin a rarrb rarr Prop if forall x isin a y isin b R x y lArrrArr f x y = True A relation which canbe decided is called decidableThis concept generalizes to relations with anyarity including predicates I have silently assumed that by a boolean functionwe mean one which can actually run on a computer this is different in classicalMathematics where the notion of a function is more liberal but the definitionof a decidable function is more complicated

40

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Not every relation is decidable an example of an undecidable relation is equal-ity on functions with an infinite domain eg (=) isin (Nat rarr Bool) rarr (Nat rarrBool) rarr Prop To decide whether two such functions are equal that is whetherf = g we have to check whether they agree on all natural numbers By the prin-ciple of extensionality there is no other way we can find out anything about afunction and checking them for all natural numbers is hardly possible

61 Examples of relations

In the following we will discuss some examples of relations It is helpful tovisualize relations by drawing their graphs We can only draw graphs for adecidable relation R isin a rarr a rarr Prop on finite type a by a directed graphwhose nodes (called vertices) are the elements of a and we draw an arrow (callededge) from x to y if R x y holds

We cannot draw relations on the natural numbers however we will instead usethe type Four = 0 1 2 3 4 and drwaw the graph of the relation restricted tothe numbers upto 4

611 Equality

The graph of (=) isin Four rarr Four rarr Prop is extremely simple

0 1 2 3 4

612 Inequality

We say x 6= y if x and y are not equal This relation is polymorphic ie it isuniformly defined for any type

(6=) isin a rarr a rarr Propx 6= y = not (x = y)

The graph of (6=) isin Four rarr Four rarr Prop contains an edge everywhere theprevious graph had none hence it looks pretty wild

0 1 2 3 4

613 Less or equal

We have already defined the relation (6) on the natural numbers Here is thegraph of the relation restricted to Four

41

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

0 1 2 3 4

614 Less than

We say m lt n if m is strictly less than n

(lt) isin Nat rarr Nat rarr Propm lt n = Succ m 6 n

The graph of (lt) Four rarr Four rarr Prop looks pretty similar as the one of (6)only the little circles pointing from every element to itself are missing

0 1 2 3 4

615 Congruence modulo k

This is an important 3-ary (ternary) relation used in number theory We saythat two numbers mn Nat are congruent modulo k if they have the sameremainder when divided by k We write cmod Nat rarr Nat rarr Nat rarr Propthat is we write cmod k m n or mlsquocmod k lsquon 15 for m is congruent to n modulok The standard mathematical notation is mλcong n mod k We can definethis relation formally as

cmod isin Nat rarr Nat rarr Nat rarr Propcmod k m n = exist p q r isin Nat (r lt n) and p lowast k + r = m and q lowast k + r = n

Usually cmod is only considered for k gt 1 For k = 1 our definition of cmod kis just (=) and for k = 0 it is the empty relation In number theory cmod k isdefined a relation on the integers not just the natural numbers

While we cannot draw ternary relations so easily we can do so for mod 2 isinFour rarr Four rarr Prop

0 1 3 42

15Here we adopt also the Haskell convention that any operator f can be made infix bywriting lsquof lsquo

42

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

616 Suffix of a list

We say that a list xs is a suffix of ys we write xs ys if it is occurs at the endof the list To be precise we define

() isin [a ] rarr [a ] rarr Propxs ys = exist zs ys = zs ++ xs

This time we consider lists built from 0 1 with no more than two elementsfor a finitisation if the relation

[00] [10] [11]

[0] [1]

[]

[01]

There is also a strict version of the suffix relation

(≺) isin [a ] rarr [a ] rarr Propxs ≺ ys = exist x isin a x xs ys

and here is its graph

[00] [10] [11]

[0] [1]

[]

[01]

62 Equivalence relations

An important class of relations are equivalence relations which group similarthings together Formally an equivalence relation R isin a rarr a rarr Prop has thefollowing properties

Reflexivity Every element is similar to itself

forall x isin a R x x

We can recognize the graph of a reflexive relation by the little circles oneach node

43

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Symmetry Similarity is symmetric

forall x y isin a R x y =rArr R y x

We can see that for every arrow in the graph there is one going into theother direction

Transitivity If one thing is similar to a second and the second is similar to athird then the first thing is similar to the third

forall x y z isin a R x y =rArr R y z =rArr R x z

We recognize transitivity in the graph by noticing that all shortcuts exist

Of the relations we have discussed above equality = and cmod k for any k areequivalence relations 6= lt are not equivalence relations because they arenot reflexive It is a common mistake to think that 6= is transitive but it isnrsquot1 6= 2 and 2 6= 1 but 1 6= 1 doesnrsquot hold 6 are reflexive and transitive butnot symmetric eg 2 6 3 but 3 6 2 does not hold

63 Order relations

Another important class of relations are orders when we order objects we caneither include equality as in 6 or not as in lt We will concentrate on the formercase here but have a closer look on relations auch as lt in the next section Wesay a relation is a partial order if it is reflexive transitive and antisymmetricThe first two we have already seen in the previous section

Reflexivity

forall x isin a R x x

Transitivity

forall x y z isin a R x y =rArr R y z =rArr R x z

Antisymmetry Antisymmetry is what makes the relation an order relationif you can go one way you cannot come back However since we haveincluded equality we have to allow for the possibility that we went fromone element to itself

forall x y isin a R x y =rArr R y x =rArr x = y

Looking at the graph we can easily recognize an antisymmetric relationby the fact that if there is an arrow one way there is never one going back

44

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Of the relations we have introduced so far 6 and are partial orders 6 iseven a total order because it has the property

Totality

forall x y a R x y or R y x

We can recognize the graph of a total order by noticing that between anytwo nodes there is an arrow going one way or another

Indeed for two numbers it is the case that one of them os less or equal the theother However is not total eg [1] and [0] are not suffixes of each other

45

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

7 Subset and Quotients

71 Subsets and comprehension

With every predicate like EvenNat rarr Prop we associate a new type the typeof elements which satisfy the predicate We define a new type by comprehensionand write n isin Nat | Even n for the type of even numbers Eg we have

n isin Nat | Even n = 0 2 4 We call this a subset because this construction comes from set theory and isnrsquotusually associated with types Eg Haskell doesnrsquot support subsets or subtypes

In general given a type A and a predicate P isin A rarr Prop we can construct asubset by comprehension we write a isin A | P a We write S sube A to expressthat S is a subset of A in particular we have that a isin A | P a sube A GivenS sube A we define a relation

(isin) isin A rarr S rarr Propx isin a isin A | P a = P x

You may notice that we have used isin before to indicate membership of a typeWe overload this symbol now to also mean the subset membership relation Ourunderstanding of subsets is extensional all we can see about a subset is whichelements it contains Hence two subsets with the same elements are the equal(forall a isin Aa isin P lArrrArr a isin Q) =rArr P = Q

We define a finite subset by enumerating the elements eg

onetwothree sube Natonetwothree = 1 2 3

Actually this can be understood as a special case of comprehension mdash ie wecan read the definition above as a shorthand for

onetwothree = n isin Nat | n = 1 or n = 2 or n = 3

We write P A for the the powerset ie type of all subsets of A That is everysubset P sube A gives rise to an element of the powerset P isin A In the case offinite types we can enumerate the powerset eg

P Bool = False True FalseTrueWe can iterate powersets eg

P (P Bool) = False False True TrueFalse True False True FalseTrue FalseTrue False FalseTrue False FalseTrueTrue FalseTrue True FalseTrueFalse True FalseTrue False True FalseTrue

In the case of a finite type with n elements the powerset has 2n elements

On subsets we define a relation the subset relation

(sube) isin P A rarr P A rarr PropP sube Q = forall a isin Aa isin P =rArr a isin Q

As before isin we use sube in two situations first to say that P is a subset of a given

46

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

type P sube A and second as a relation between two subsets of the same type

sube is a partial order on subsets it is

reflexive P sube P holds because forall a isin Aa isin P =rArr a isin P is a tautology

transitive Given P sube Q and Q sube R we know that forall a isin Aa isin P =rArr a isin Qand forall a isin Aa isin Q =rArr a isin R From this we can prove forall a isin Aa isinP =rArr a isin R which means that P sube R

antisymmetric Given P sube Q and Q sube P we have that forall a isin Aa isin P =rArra isin Q and forall a isin Aa isin Q =rArr a isin P This implies forall a isin Aa isin Q lArrrArra isin P and by extensionality we have P = Q

It is not a total order eg True False sube Bool but neither True subeFalse nor False sube True holds

72 Operations on subsets

We commonly use the following operations on subsets which can be illustratedby Venn diagrams where each region represents a subset

intersection The elements in the intersection of P and Q P cap Q are theones which are in both subsets

(cap) isin P A rarr P A rarr P AP cap Q = a isin A | a isin P and a isin Q

P capQ

P

Q

47

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

union The elements in the union of P and Q P cup Q are the ones which arein either subset

(cup) isin P A rarr P A rarr P AP cup Q = a isin A | a isin P or a isin Q

PQ

P cupQ

difference The elements in the difference of P and Q P minus Q are the oneswhich are in P but not in Q

(minus) isin P A rarr P A rarr P AP minusQ = a isin A | a isin P and not a isin Q

PQ

P minusQ

Venn diagrams also work fine for three sets eg we can mark all the areascreated by three circles with the appropriate subsets

48

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

PQ

R

P minus (Q cupR) Qminus (P cupR)P capQminusR

Q capRminus PP capRminusQ

P capQ capR

Rminus (P cupQ)

73 Finite subsets as lists

We can represent the enumeration of a finite subset as a list eg we canrepresent 1 2 3 by the list [1 2 3] The basic predicates on sets can bedecided on this representation and the operations from the previous section canbe implemented as operations on lists if the equality of elements is decidableFor simplicity we shall carry out this construction only for finite sets of naturalnumbers where we have already seen that equality can be decided

We first implement a function deciding set membership (that is (isin) isin Nat rarrP Nat rarr Prop) on the list representation

mem isin Nat rarr [Nat ] rarr Boolmem n [ ] = Falsemem n (m ms) = if n equiv m then True

else mem n ms

Using mem we can decide (sube) isin P Nat rarr P Nat rarr Prop by checking whetherevery element of the first list belongs to the second

subseteq isin [Nat ] rarr [Nat ] rarr Boolsubseteq [ ] ns = Truesubseteq (m ms) ns = mem m nsampampsubseteq ms ns

Does subseteq implement a partial order We can show that the relation decidedby subseteq is reflexive and transitive but it is not antisymmetric eg we havethat subseteq [1 2 3] [3 2 1] = True and subseteq [3 2 1] [1 2 3] = True butclearly [1 2 3] 6= [3 2 1]

We shall use precisely this observation to decine set equality ie a functionwhether two lists are equal as representations of sets ie whether they containthe same elements

seteq isin [Nat ] rarr [Nat ] rarr Bool

49

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

seteq ms ns = subseteq ms nsampampsubseteq ns ms

The relation decided by seteq is an equivalence relation It is reflexive andtransitive because subseteq is and it is symmetric by definition

We implement cap on lists by checking for every element of the first lists whetherit is a member of the second and only returning those which path the test

intersect isin [Nat ] rarr [Nat ] rarr [Nat ]intersect [ ] ns = [ ]intersect (m ms) ns = if mem m ns then m (intersect ms ns)

else intersect ms ns

We could implement cup on the list representation simply as ++ but this may leadto duplicates eg [1 2 3]++ [2 3 4] = [1 2 3 3 4 4] containing duplicates Anbetter implementation only uses those elements of the first subset that are notelements of the second

union isin [Nat ] rarr [Nat ] rarr [Nat ]union [ ] ns = nsunion (m ms) ns = if mem m ns then union ms ns

else m (union ms ns)

Indeed we now have union [1 2 3] [2 3 4] = [1 2 3 4]

The implementation of set difference proceeds similarily we only return thoseelements of the first list that are not elements of the second

setminus isin [Nat ] rarr [Nat ] rarr [Nat ]setminus [ ] ns = [ ]setminus (m ms) ns = if mem m ns then setminus ms ns

else m (setminus ms ns)

74 Quotients

In the previous section we used the type of lists to implement finite sets How-ever we would want to identify two lists which are equal as sets This construc-tion is known as a quotient in set theory while in Computer Science the termabstract data type is used In this case we shall use the mathematical terminol-ogy Lets write SetEq isin [Nat ] rarr [Nat ] rarr Prop for the relation decided byseteq ie

SetEq isin [Bool ] rarr [Bool ] rarr PropSetEq bs cs = forall b isin Bool mem b bs = mem b cs

We introduce FinSet as the quotient of [Nat ] by SetEq that is we look at[Nat ] but we identify lists which represent equal sets

type FinSet = [Nat ] SetEq

A list of natural numbers ms [Nat ] gives rise to an element of the quotientltmsgt isin FinSet two lists which are identified by SetEq are identified as finitesets that is if SetEq ms ns then ltmsgt = ltnsgt holds

To define a predicate or a function on FinSet we first define it on [Nat ] andthen show that it is invariant under SetEq Eg we can use mem on FinSet

50

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

after showing that if SetEq ms ns then for all n isin Nat it is the case thatmem n ns = mem n ns Hence mem gives rise to mem prime isin Nat rarr FinSet rarrBool We can show that all the operations defined in the previous section iesubseteq intersect union and setminus can be lifted to FinSet However weshall not verify this in detail here

In general given a type a and an equivalence relation R isin a rarr a rarr Propwe introduce the quotient type a R whose elements ltxgt isin a R can beconstructed from x isin a Two elements of the quotients are equal ltxgt = ltygtif R x y holds We can lift predicates or functions from a to a R after verifyingthat they are invariant under R

Quotients are useful to define the number types which we have ignored so farEg we represent integers as pairs of natural numbers which represent theirdifference eg (2 1) represents 2 minus 1 = 1 while (1 2) represents 1 minus 2 = minus1However different pairs represent the same integers eg (1 0) also represents1minus 0 = 1 and (0 1) also represents 0minus 1 = minus1 We would like to say that (a b)and (c d) represent the same integer if a minus b = c minus d however subtractionalready requires integers which we are just about to define However we cansave the situation by using the equivalent condition that a + d = c + b Thatleads to the following definition

type IntRep = (NatNat)IntEq isin IntRep rarr IntRep rarr PropIntEq (a b) (c d) = a + d = c + dtype Int = IntRep IntEq

We can implement the standard arithmetical operation on the integers by firstdefining it in IntRep We start with addition certainly a minus b + c minus d =a + c minus (b + d) hence

intAdd isin IntRep rarr IntRep rarr IntRepintAdd (a b) (c d) = (a + c b + d)

To define multiplication we observe that (aminusb)lowast(cminusd) = alowastc+blowastdminus(blowastc+alowastd)hence

intMult isin IntRep rarr IntRep rarr IntRepintMult (a b) (c d) = (a lowast c + b lowast d b lowast c + a lowast d)

For both function we can show that they are invariant under IntEq eg ifIntEq i i prime and IntEq j j prime then IntEq (intAdd i j ) (intAdd i prime j prime) and alsoIntEq (intMult i j ) (intMult i prime j prime) Hence we can use them to define (+) isinInt rarr Int rarr Int and (lowast) isin Int rarr Int rarr Int We also can define additiveinverses by

minus isin IntRep rarr IntRepminus (a b) = (b a)

which gives rise to (sim) isin Int rarr Int Now we can define

(minus) isin Int rarr Int rarr Inti minus j = i +simj

51

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

A similar idea works for the rational numbers eg a rational number can berepresented as a pair of an integer and a natural number (i n) standing fori (n + 1) Here we avoid the complication of dvision by zero by adding oneto the denominator Two representations (i n) and (j m) represent the samenumber if i (n + 1) = j (m + 1) and as before with subtraction we can avoiddivision by instead requiring i lowast (m + 1) = j lowast (n + 1) Hence we define

type RatRep = (IntNat)RatEq isin RatRep rarr RatRep rarr PropRatEq (i n) (j m) = i lowast (m + 1) = j lowast (n + 1)type Rat = RatRep RatEq

I leave it to the reader to work out how to define arithmetical operations on ra-tional numbers We will also use the function abs Rat rarr Rat which calcuatesthe absolute value of a rational number

Letrsquos just have a quick look at the Reals following Cauchy a real number canbe represented as an infinite sequence of rational numbers such that the abso-lute difference between the subsequent elements of the sequence gets arbitrarilysmall We use functions Nat rarr Rat to represent infinite sequences Two realnumbers are equal if the sequence of differences gets arbitrarily small Hencewe define

type RealRep = seq isin Nat rarr Rat| forall r Ratr gt 0 =rArr exist i isin Natabs (seq (i + 1)minus seq i) 6 r

RealEq seq seq prime = forall r Ratr gt 0 =rArr exist i isin Natabs (seq i minus seq prime i) 6 rReal = RealRep RealEq

It is interesting to note that in the case of Int and Rat we can actually avoidthe use of quotients ie we can represent integers as a pair (BoolNat) wherethe boolean indicates whether the number is negative mdash we an easily avoindredundant representations of 0 by decreeing that minus1 is represented by (True 0)and 0 as (False 0) In the case of Rat we use pairs that have no commondivisors ie we replace quotients by subset However in the case of Real wecannot avoid the use of quotients

52

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

8 Functions

81 Identity and composition

The identity function id is the function which just which just echos its inputIt can be defined polymorphically at any type a

id isin a rarr aid x = x

If we have two functions f isin a rarr b and g isin b rarr c we can compose them byfirst running f and then g giving rise to a new function g f isin a rarr c That isfor x isin a we have g f x = g (f x )

As an example consider the previously defined functions

length isin [a ] rarr Natlength [ ] = 0length (a as) = 1 + length aseven isin Nat rarr Booleven 0 = Trueeven (n + 1) = not (f n)

What is even length isin [a ] rarr Bool Basically this function calculates thelength of a list an then determines whether it is even We can fuse the twofunctions into one

evenLength isin [a ] rarr BoolevenLength [ ] = TrueevenLength (a as) = not (evenLength as)

To show that even length = evenLength it is sufficent to show

forall as isin [a ] even length as = evenLength as

using the principle of extensionality Unfolding the definition of this boilsdown to

forall as isin [a ] even length as = evenLength as

which can be shown by induction over as

Maybe you have noticed that composition is written backwards When we ex-ecute even length we first calculate the length and then determine whetherit was even Wouldnrsquot it be more natural to write length first and then eventhat is since we read from left to right we would write length left from evenas in length even However consequently we should then also change the way wewrite function application because when we actually calculate even (length [1 2 3])we first have to calculate length [1 2 3] = 3 and then even 3 = False Indeedthe way we write composition merely reflects the way we write applicationActually it has been suggested to write both application and composition theother more intuitive way around However since most people write it back-wards we follow this convention for ease of communication

53

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

82 Higher order functions

is itself a function that is

() isin (b rarr c) rarr (a rarr b) rarr a rarr c(f g) a = f (g a)

() is a higher order function that is it is a function on functions it takes twofunctions as inputs and returns a function In general we could define the orderof a type as follows (here lowast is the type of ordinary types)

order isin lowast rarr Natorder Nat = 0order Bool = 0order empty = 0order [a ] = order aorder (a b) = max (order a) (order b)order (a + b) = max (order a) (order b)order (a rarr b) = max (1 + (order a)) (order b)

I said we could because this sort of definition of a function by recursion overthe type is not valid in Haskell It has the intrinsic problem that each time wewant to define a new type (eg like Tree) we have to extend the function Italso raises the question whether lowast isin lowast mdash remember the trouble the barber washaving

Leaving this aside as a consequence any instance of () has an order of at least2 I say it least because I havenrsquot assign orders to type variables because theycould be instantiated at any type and hence could have any order Howevermost people are a bit sloppy and say that () is a 2nd order function

Eg a function like even isin Nat rarr Bool is a first order function because itstype has order 1

order (Nat rarr Bool)= definition of order max (1 + (order Nat)) (order Bool)= definition of order and + max 1 0= definition of max 1

Note that add isin Nat rarr Nat rarr Nat is also first order mdash currying does notincrease the order of the type

If we instantiate the type variables of by data ie by types of order 0eg () isin (Nat rarr Bool) rarr ([Nat ] rarr Nat) rarr [Nat ] rarr Bool then ()is 2nd order Can we find functions of even higher order Yes just considercomposing compositions To be precise lets fix the first argument in the exampleabove () even isin ([Nat ] rarr Nat) rarr [Nat ] rarr Bool and use it again as thefirst argument to () as in

() (() even) isin (a rarr ([Nat ] rarr Nat)) rarr a rarr ([Nat ] rarr Bool)

which has an order of at least 3 depending on the order of the type variable aWhat is this function actually doing It expects as argument a function which

54

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

returns a function of type [Nat ] rarr Nat and it transforms this into a functionwhich returns [Nat ] rarr Bool instead by composing with even It should beclear that we can repeat this process any number of times reaching types of anyorder However intuition will be lost quickly

83 The category of types

Composition and identity have some simple properties

forall f isin a rarr b f id = fforall f isin a rarr b id f = fforall f isin a rarr b g isin b rarr c h isin c rarr d (h g) f = h (g f )

All of these are easy to verify eg to show the first forall f isin a rarr b f id = f weassume as given f isin a rarr b and to show f id = f using extensionality reducesto showing forall x isin a f id x = f x That is given x isin a we have

f id x= definition of f (id x )= definition of id f x

The verification of the other properties proceed in a similar manner

We say that types and functions form a category This is the central notionof category theory which was introduced by Saunders McLane and others to beable to concisely state generic properties of mathematical constructions Cate-gory theory is nowadays used extensively in Computer Science because it offersa convenient way to express and reason about concepts which are central incomputing

To catch but a glimpse of this power lets discuss some basic concepts of categorytheory using the catgory of types as an example Lists can be constructed atany type hence we may say that List a = [a ] is actually a function on typesie List isin lowast rarr lowast Even better List can be extended to act on functions thatis we can define

map isin (a rarr b) rarr [a ] rarr [b ]map f [ ] = [ ]map f (a as) = (f a) (map f as)

What is map doing Eg map even isin [Nat ] rarr [Bool ] applies even to everyelement of a list that is map even [1 2 3] = [FalseTrueFalse] Note that mapis a higher order function it has at least order 2

map preserves identity and composition that is we have

map id = idmap (f g) = (map f ) (map g)

We can verify these properties by using extensionality and induction on lists

We say that List is a functor In category theory one uses the same name forthe operation on types and functions that is we would write List f for map f 16

16Alas this is inconsistent with the Haskell convention to use uppercase names for construc-

55

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

The function rev isin [a ] rarr [a ] which reverses a list is defined uniformly on alltypes We note that rev commutes with map that is

forall f isin a rarr b rev (map f ) = (map f ) rev

This property can be expressed in a more readable form by a categorical dia-gram

List A

map f

rev List A

map f

List A rev

List A

We say that the diagram commutes that is if we follow different paths we willend up with the same function Intuitively this reflects the fact that it doesnrsquotmatter whether we first map a function and then reverse the result or firstreverse and then map the same function Eg if we apply map even to [1 2 4]we obtain [FalseTrueTrue] and after reversing we get [TrueTrueFalse] Ifon the other hand we first reverse [1 2 4] we obtain [4 2 1] and after applyingmap even we also end up with [TrueTrueFalse] In general we can show thisporperty by induction over lists

We say that rev is a natural transformation from List to List because thediagram commutes This reflects the fact that rev acts uniformly on all typesEg if we had a function rev prime isin [a ] rarr [a ] which reverses lists on all types butis just the identity on Bool it is easy to see that the above property wouldfail In fact it is impossible to define such a function in Haskell and hence thatnaturality holds is called a free theorem

84 Properties of functions

A function is injective (or one-to-one) if it doesnrsquot identify any elements egthe function double isin Nat rarr Nat with double n = 2 lowast n is injective whilethe function half isin Nat rarr Nat with half n = n rsquodivrsquo 2 isnrsquot because ithalf 2 = half 3 = 1 A function is surjective (or onto) if it covers the wholerange eg half is surjective but double isnrsquot because odd numbers like 3 arenever reached by double A function which is both injective and surjective iscalled bijective neither half nor double are bijective However the function

switch isin Nat rarr Natswitch n = if even n

then n + 1else n minus 1

is a bijection it sends every even number to the next odd number and everyodd number to the previous even number Here is the precise definition of thethree predicates on functions

Injective isin (a rarr b) rarr PropInjective f = forall x y isin a f x = f y =rArr x = ySurjective isin (a rarr b) rarr PropSurjective f = forall y isin b exist x isin a f x = y

tors

56

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

Bijective isin (a rarr b) rarr PropBijective f = Injective f and Surjective f

We use the nouns injection surjection and bijection for functions with the cor-responding properties A bijection is just a reordering of elements there areonly bijections between finite types with the same number of elements Egthere is a bijection f isin 1 2 3 rarr 4 5 6 but there isnrsquot any between 1 2and 4 5 6 Eg there is no surjection from 1 2 to 4 5 6 because weare always one element short and there is no injection from 4 5 6 to 1 2because any such function will inevitably identify some elements

We say that two types are in bijection if there is a bijection between themThis is an equivalence relation on types it is reflexive because the identity isa bijection it is symmetric because we can turn around any bijection and itis transitive because the composition of bijections is a bijection Two bijectivetypes are basically the same upto renaming of elements Using this relationwe can compare infinite types and see whether they have the same number ofelements

Unlike for finite types for infinite types it is not the case that adding an elementmakes the type different ass for as bijection is concerned We can genericallyadd an element to a type a by a +() where () is the type with only one element() isin () However we can construct the following bijection

succnat isin Nat + () rarr Natsuccnat (Left n) = n + 1succnat (Right ()) = 0

Even if we double the type ie by a + a we still get a bijection

doublenat isin Nat + Nat rarr Natdoublenat (Left n) = 2 lowast ndoublenat (Right n) = 2 lowast n + 1

What about the square of a type ie (a a) We can still obtain a bijection

squarenat isin (NatNat) rarr Natsqarenat (mn) = (m + 1) lowast (m + n + 1) rsquodivrsquo 2 + n

The idea of this function is to use the enumeration of pairs starting like this

0 1 2 3 0 0 1 3 6 1 2 4 7 2 5 8 3 9

As a concequence of these constructions we notice that Nat Int and Rat arein bijection ie have the same number of elements However we get biggertypes as soon as we use function types Indeed we can show that there is nosurjection from Nat to Nat rarr Bool Assume as given a function f isin Nat rarr(Nat rarr Bool) then we can construct g isin Nat rarr Bool by g n = not (f n n)Now for every i isin Nat the function f i isin Nat rarr Bool is different from

57

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

g isin Nat rarr Bool at i because g i = not (f i i) Hence f cannot be surjectivebecause it will never return g

This proof method is called diagonalisation We can use the same method toshow that there is no bijection between Nat and Real

58

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

9 Formal proof

What is a proof Here is an attempt at a definition

A proof is an argument which will convince a critical but not ob-noxious person that a proposition is a tautology

A proof in science is usually read by other scientists (who can be assumed to becritical but not obnoxious) and is accepted as correct if all the experts agreethat it is correct However this process may need some iterations mdash see ImreLakatosrsquo nice book Proofs and Refutations

Here we are concerned with formal proofs which are especially interesting forComputer Science Many of the facts which we want to verify in ComputerScience arenrsquot interesting from a scientific point of view (program X works cor-rectly) but we often want to avoid to many iterations (program X may controla nuclear power station) Some typical properties of formal proofs are

bull written in a precisely defined syntax (like a program)

bull uses only a fixed set of deduction rules

bull can be checked by a computer program (a proof checker)

In this course we are going to work with tutch tutorial proof checker a proofchecker for educational purposes implemented by Andreas Abel (Munich) whenhe was working for Frank Pfenning at Carnegie Mellon University USA in 2001

tutch works similar to a java compiler A java compiler processes java sourcefiles (java) and produces either error messages or a class file

error messages

class

java

javacsource

In contrast tutch reads proof sources (tut) and produces as output eithererror messages or it reports that it accepts the proof QED (latin quod eratdemonstrandum mdash what there was to be proven)

59

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

error messages

source

tut

tutch

QED

In general tutch knows two sorts of error messages

syntax errors Like in java tutch doesnrsquot like it if you forget a semicolon etc

incomplete proofs tutch complains if a step in the proof doesnrsquot seem to bejustified

With respect to the first definition for a proof given above tutch behaves likea very stupid (but reasonable) person who is hard to convince that somethingis true There are better tools available (eg COQ Isabelle NuPRL ) butits stupidity makes tutch ideal for educational purposes The best way to learnthe art of proofs is if you have to convince somebody (or in this case something)very stupid

91 tutch syntax

A tutch proof is a sequence of propositions or frames separated by semicolons() each of them is justified by some of the previous propositions or framesA frame is a sequence of propositions or frames which is enclosed in [ and ]Frames are used for hypothetical reasoning the first proposition in a frame isan assumption form which the following propositions can be derived

Here is an example of a simple propositional proof of the fact AandB =rArr BandAin tutch syntax

proof comAnd A amp B =gt B amp A =begin[A amp BABB amp A]

A amp B =gt B amp Aend

The first thing we notice is that tutch isnrsquot actually using the symbols we haveintroduced previously A simple reason for this is that they arenrsquot available

60

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

on the computer keyboard In general tutch uses the following translationLogic tutchand ampor |not ~

=rArr =gtTrue TFalse FlArrrArr lt=gtforall exist

However in these notes we shall use the proper symbols The tutch proof scriptsare available via links in the online version hence the previous proof looks likethat (comAndtut)

proof comAnd A and B =rArr B and A =begin[A and BABB and A]

A and B =rArr B and Aend

This example shows also the basic structure of a tutch proof It starts withthe word proof which is followed by the name of the proof (here comAnd) andthen after we write the proposition we are going to prove followed by = andthe proof The proof starts with begin and ends with end The last line ofthe proof is identical to the proposition which we were going to prove A tutchproof script may contain several proofs and in each proof we can use the oneswhich were proven previously

To run tutch we save the proof script in a text file using any text editor likeemacs or notepad (but not something like word) and then run tutch by typing

tutch proof-filetut

on the UNIX command prompt Eg in our example we would save the proofin comAndtut and type

[mytutch]$ tutch comAndtut

tutch replies with 17

TUTCH 051 beta[Opening file comAndtut]Proving comAnd A and B =rArr B and A QED[Closing file comAndtut]

17Ok I am cheating mdash it will use the ASCII symbols

61

We can also ask tutch to be a bit more explicit and tell us why it accepts ourproofs by typing

tutch -v proof-filetut

Here -v stands for verbose Tutch replies by

TUTCH 051 beta $Date 20051009 201705 $[Opening file comAndtut]

Proving comAnd A and B =rArr B and A 1 [ A and B2 A by AndEL 13 B by AndER 14 B and A ] by AndI 3 25 A and B =rArr B and A by ImpI 4

QED

I will explain the meaning of words like AndEL etc in a moment Note that thenumbers after this are line numbers which refer to previous propositions (orframes) which justify the current line

92 Propositional logic in tutch

tutch accepts a proof if each proposition can be justified from the previouspropositions or frames by some basic rules These rules were introduced byGerhard Gentzen in the 1930ies and are referred to as Gentzenrsquos natural deduc-tion calculus

921 Rules for and

And introduction To show P andQ show P and show QP Q

AndIP andQ

An example is the line 4 in the proof above where B and A is justified byhaving proven A and B previously in line 3 and 2 mdash the order doesnrsquotmatter Note that P and Q in the rule are placeholders for arbitrarypropositions

And elimination left If we know P andQ we also know P P andQ

AndELP

An example is line 2 where A is justified A andB (in line 1)

And elimination right If we know P andQ we also know QP andQ

AndERQ

An example is line 3 where B is justified again by A andB (in line 1)

62

Rules in natural deduction come in two varieties

introduction rules These are rules which tell us how to prove something egand introduction (AndI) tells us how to prove a conjunction To show

elimination rules This rules tell us how to use something which we have es-tablished previously If we know

922 Rules for =rArr

Frames are essential for the rule implication introduction Frames are usedto represent hypothetical reasoning ie in line 1 of the proof comAnd an as-sumption A and B is made and the subsequent lines of this frame may use thisassumption The assumption cannot be used any longer after the frame is closedin line 4 However assumptions can be used in nested frames

[ A an assumption A is made A can be used here

[ A can be used here as well

] A can be used here

] A cannot be used here

This resembles the scoping rules used in programming language eg in java

int i a variable i is declared i can be used here

i can be used here as well

i can be used here

i cannot be used here

Implication introduction To show P =rArr Q assume P and show Q[ P

Q ]

ImpIP =rArr Q

In the example comAnd we use this rule to justify line 5 it refers back toline 4 which is the last line of a frame mdash to refer to a frame tutch usesthe last line of this frame

63

Implication elimination If we know P =rArr Q and we can show P we canalso show QP =rArr Q P

ImpEQ

This rule is not used in comAnd here is an example ((monAndtut))

proof monAnd (A =rArr B) =rArr (A and C =rArr B and C) =begin[ A =rArr B[ A and CACB here we use ImpE

B and C]A and C =rArr B and C]

(A =rArr B) =rArr (A and C =rArr B and C)end

and here is tutchrsquos output

Proving monAnd (A =rArr B) =rArr A and C =rArr B and C 1 [ A =rArr B2 [ A and C3 A by AndEL 24 C by AndER 25 B by ImpE 1 36 B and C ] by AndI 5 47 A and C =rArr B and C ] by ImpI 68 (A =rArr B) =rArr A and C =rArr B and C by ImpI 7

QED

There is also a rule Hyp which says that you can prove something which youhave assumed previously

Hypothesis If we know P then we know P P

HypPAn example for the use of Hyp is the following proof (Itut) of the tautologyA =rArr A

proof I A =rArr A =begin[ AA] use Hyp here

A =rArr Aend

and here is tutchrsquos output

64

Rules in natural deduction come in two varieties

introduction rules These are rules which tell us how to prove something egand introduction (AndI) tells us how to prove a conjunction To show

elimination rules This rules tell us how to use something which we have es-tablished previously If we know

922 Rules for =rArr

Frames are essential for the rule implication introduction Frames are usedto represent hypothetical reasoning ie in line 1 of the proof comAnd an as-sumption A and B is made and the subsequent lines of this frame may use thisassumption The assumption cannot be used any longer after the frame is closedin line 4 However assumptions can be used in nested frames

[ A an assumption A is made A can be used here

[ A can be used here as well

] A can be used here

] A cannot be used here

This resembles the scoping rules used in programming language eg in java

int i a variable i is declared i can be used here

i can be used here as well

i can be used here

i cannot be used here

Implication introduction To show P =rArr Q assume P and show Q[ P

Q ]

ImpIP =rArr Q

In the example comAnd we use this rule to justify line 5 it refers back toline 4 which is the last line of a frame mdash to refer to a frame tutch usesthe last line of this frame

63

Implication elimination If we know P =rArr Q and we can show P we canalso show QP =rArr Q P

ImpEQ

This rule is not used in comAnd here is an example ((monAndtut))

proof monAnd (A =rArr B) =rArr (A and C =rArr B and C) =begin[ A =rArr B[ A and CACB here we use ImpE

B and C]A and C =rArr B and C]

(A =rArr B) =rArr (A and C =rArr B and C)end

and here is tutchrsquos output

Proving monAnd (A =rArr B) =rArr A and C =rArr B and C 1 [ A =rArr B2 [ A and C3 A by AndEL 24 C by AndER 25 B by ImpE 1 36 B and C ] by AndI 5 47 A and C =rArr B and C ] by ImpI 68 (A =rArr B) =rArr A and C =rArr B and C by ImpI 7

QED

There is also a rule Hyp which says that you can prove something which youhave assumed previously

Hypothesis If we know P then we know P P

HypPAn example for the use of Hyp is the following proof (Itut) of the tautologyA =rArr A

proof I A =rArr A =begin[ AA] use Hyp here

A =rArr Aend

and here is tutchrsquos output

64

Implication elimination If we know P =rArr Q and we can show P we canalso show QP =rArr Q P

ImpEQ

This rule is not used in comAnd here is an example ((monAndtut))

proof monAnd (A =rArr B) =rArr (A and C =rArr B and C) =begin[ A =rArr B[ A and CACB here we use ImpE

B and C]A and C =rArr B and C]

(A =rArr B) =rArr (A and C =rArr B and C)end

and here is tutchrsquos output

Proving monAnd (A =rArr B) =rArr A and C =rArr B and C 1 [ A =rArr B2 [ A and C3 A by AndEL 24 C by AndER 25 B by ImpE 1 36 B and C ] by AndI 5 47 A and C =rArr B and C ] by ImpI 68 (A =rArr B) =rArr A and C =rArr B and C by ImpI 7

QED

There is also a rule Hyp which says that you can prove something which youhave assumed previously

Hypothesis If we know P then we know P P

HypPAn example for the use of Hyp is the following proof (Itut) of the tautologyA =rArr A

proof I A =rArr A =begin[ AA] use Hyp here

A =rArr Aend

and here is tutchrsquos output

64

Proving I A =rArr A 1 [ A2 A ] by Hyp 13 A =rArr A by ImpI 2

QED

923 Rules for or

Here is an example of a proof using ormdash we verify AorB =rArr BorA (comOrtut)

proof comOr A or B =rArr B or A =begin[ A or B[ AB or A]

[ BB or A]

B or A]A or B =rArr B or Aend

and here is tutchrsquos ouput

Proving comOr A or B =rArr B or A 1 [ A or B2 [ A3 B or A ] by OrIR 24 [ B5 B or A ] by OrIL 46 B or A ] by OrE 1 3 57 A or B =rArr B or A by ImpI 6

QED

Or introduction left To show P orQ show P P

OrILP orQ

This is used in line 5 in the proof above

Or Introduction Right To show P orQ show QP

OrIRP orQ

This is used in line 3 in the proof above

Or elimination If we know P orQ and we can show R assuming P and we canshow R assuming Q then we can show R

P orQ

[ PR ]

[ QR ]

OrER

65

This is used in line 6 above

924 True and False

There is only an introduction rule for True (which is rather obvious) and only anelimination rule for False mdash indeed there shouldnrsquot be a way to prove somethingfalse

True introduction To show True you donrsquot need to do anything

TrueITrue

False elimination If we know False we can show anythingFalse

FalseEP

925 not and lArrrArr

There are no special rules for not and lArrrArr there are simply defined in terms ofthe other connectives

notA = A =rArr FalseA lArrrArr B = (A =rArr B) and (B =rArr A)

As an example for not letrsquos show not(A and notA) (inconstut)

proof incons not(A and not A) =begin[ A and not A

Anot AF]

not (A and not A)end

and here is tutchrsquos output

1 [ A and not A2 A by AndEL 13 not A by AndER 14 F ] by ImpE 3 25 not (A and not A) by ImpI 4

As an example for lArrrArr letrsquos show A =rArr B =rArr C lArrrArr A and B =rArr Cmdash If A then if B then C is the same as If A and B then C We call thislemma curry (currytut) after Haskell Curry after whom also the programminglanguage Haskell is named

66

proof curry ( A and B =rArr C ) lArrrArr (A =rArr (B =rArr C)) =begin[ (A =rArr (B =rArr C))[ A and BABB =rArr CC]

( A and B =rArr C )](A =rArr (B =rArr C)) =rArr ( A and B =rArr C )[ A and B =rArr C[ A[ B

A and BC ]

B =rArr C]A =rArr (B =rArr C)]

( A and B =rArr C ) =rArr (A =rArr (B =rArr C))( A and B =rArr C ) lArrrArr (A =rArr (B =rArr C))end

and here is tutchrsquos output

Proving curry A and B =rArr C lArrrArr A =rArr B =rArr C 1 [ A =rArr B =rArr C2 [ A and B3 A by AndEL 24 B by AndER 25 B =rArr C by ImpE 1 36 C ] by ImpE 5 47 A and B =rArr C ] by ImpI 68 (A =rArr B =rArr C) =rArr A and B =rArr C by ImpI 79 [ A and B =rArr C

10 [ A11 [ B12 A and B by AndI 10 1113 C ] by ImpE 9 1214 B =rArr C ] by ImpI 1315 A =rArr B =rArr C ] by ImpI 1416 (A and B =rArr C) =rArr A =rArr B =rArr C by ImpI 1517 A and B =rArr C lArrrArr A =rArr B =rArr C by AndI 16 8QED

926 Using lemmas

A lemma is an auxiliary theorem which is only needed to prove some biggertheorem Eg if we want to prove an equivalence like (A or B =rArr C) lArrrArr(A =rArr C) and (B =rArr C) it may be convenient first to establish (A or B =rArrC) =rArr (A =rArr C) and (B =rArr C) and (A =rArr C) and (B =rArr C) =rArr(A orB =rArr C) as lemmas which can be used to establish the equivalence

67

In tutch we can just use a previously established proposition in a proof (an-dAdjtut)

proof lem1 (A or B =rArr C) =rArr (A =rArr C) and (B =rArr C) =beginend

proof lem2 (A =rArr C) and (B =rArr C) =rArr (A or B =rArr C) =beginend

proof andAdj (A or B =rArr C) lArrrArr (A =rArr C) and (B =rArr C) =begin(A or B =rArr C) =rArr (A =rArr C) and (B =rArr C)(A =rArr C) and (B =rArr C) =rArr (A or B =rArr C)(A or B =rArr C) lArrrArr (A =rArr C) and (B =rArr C)end

and here is tutchrsquos output for andAdj

Proving andAdj A or B =rArr C lArrrArr (A =rArr C) and (B =rArr C) 1 (A or B =rArr C) =rArr (A =rArr C) and (B =rArr C) by Lemma lem12 (A =rArr C) and (B =rArr C) =rArr A or B =rArr C by Lemma lem23 A or B =rArr C lArrrArr (A =rArr C) and (B =rArr C) by AndI 1 2

QED

93 Classical logic

We have seen to views on propositional logic truth tables and formal proofsala tutch It is interesting to compare the two We say a proof system is

sound All provable propositions are tautologies

complete All tautologies are provable

It turns out that tutch is sound because all the rules are sound but it is notcomplete The simplest counterexample is to be or not to be

A or notA

is a tautology (simple exercise in checking its truth table) but it is not provablein tutch Since we have no assumption to play with we have to prove either Aor notA but which one should we choose if we donrsquot know anything about A

However this incompleteness can be easily cured by adopting the principle ofindirect proof also called proof by contradiction In tutch this corresponds tothe following rule

68

In tutch we can just use a previously established proposition in a proof (an-dAdjtut)

proof lem1 (A or B =rArr C) =rArr (A =rArr C) and (B =rArr C) =beginend

proof lem2 (A =rArr C) and (B =rArr C) =rArr (A or B =rArr C) =beginend

proof andAdj (A or B =rArr C) lArrrArr (A =rArr C) and (B =rArr C) =begin(A or B =rArr C) =rArr (A =rArr C) and (B =rArr C)(A =rArr C) and (B =rArr C) =rArr (A or B =rArr C)(A or B =rArr C) lArrrArr (A =rArr C) and (B =rArr C)end

and here is tutchrsquos output for andAdj

Proving andAdj A or B =rArr C lArrrArr (A =rArr C) and (B =rArr C) 1 (A or B =rArr C) =rArr (A =rArr C) and (B =rArr C) by Lemma lem12 (A =rArr C) and (B =rArr C) =rArr A or B =rArr C by Lemma lem23 A or B =rArr C lArrrArr (A =rArr C) and (B =rArr C) by AndI 1 2

QED

93 Classical logic

We have seen to views on propositional logic truth tables and formal proofsala tutch It is interesting to compare the two We say a proof system is

sound All provable propositions are tautologies

complete All tautologies are provable

It turns out that tutch is sound because all the rules are sound but it is notcomplete The simplest counterexample is to be or not to be

A or notA

is a tautology (simple exercise in checking its truth table) but it is not provablein tutch Since we have no assumption to play with we have to prove either Aor notA but which one should we choose if we donrsquot know anything about A

However this incompleteness can be easily cured by adopting the principle ofindirect proof also called proof by contradiction In tutch this corresponds tothe following rule

68

indirect proof To prove P assume notP and show that this leads to a contra-diction (False)

[ notP

False ]Class

PThis rule is called Class because it distinguishes classical logic from intu-itionistic logic Accordingly any tutch proof using class has to be markedclassical proof Here is a classical proof of A or notA (TNDtut)

classical proof TND A or not A =begin[not (A or not A)[AA or not AF]not AA or not AF]A or not Aend

and here is tutchrsquos output

Proving TND A or not A (classically)1 [ not (A or not A)2 [ A3 A or not A by OrIL 24 F ] by ImpE 1 35 not A by ImpI 46 A or not A by OrIR 57 F ] by ImpE 1 68 A or not A by Class 7

QED

94 Predicate logic in tutch

Additional to propositions we also have typings of the form u T where u is aterm and T is a type A proof may depend on the fact that a term has a type- however typings are not propositions

To understand the rules for Forall elimination and Exists introduction we needto introduce substitution if we have a proposition P which may contain a vari-able x and a term u we write P [x = u] for P where x is replaced by u Hereare some examples

Q(x)[x = u] = Q(u)(forallxQ(x))[x = u] = forallxQ(x)

(forallyR(x y))[x = u] = forallyR(u y)

69

In the 2nd line x is not replaced because it is a bound variable

95 Rules for forall

Forall introduction To show forallx tP assume as given x t and show P

[ x tP ]

ForallIforallx tP

Forall elimination If we know forallx tP (x) and u t then P (u)forallx tP u t

P [x = u]

As an example here is a proof that we can commute universal quantifiers forallx tforally tP (x y) =rArr forally tforallx tP (x y) (allComtut)

proof allCom (forall xt forall yt P(xy)) =rArr (forall ytforall xtP(xy)) =begin[forall xt forall yt P(xy)[ yt[ xtforall yt P(xy)P(xy)]

forall xtP(xy)]forall ytforall xtP(xy)](forall xt forall yt P(xy)) =rArr (forall ytforall xtP(xy))end

The tutch output (tutch -v) shows where the rules are used

Proving allCom (forall xt forall yt P (x y)) =rArr forall yt forall xt P (x y) 1 [ forall xt forall yt P (x y)2 [ y t3 [ x t4 forall yt P (x y) by ForallE 1 35 P (x y) ] by ForallE 4 26 forall xt P (x y) ] by ForallI 57 forall yt forall xt P (x y) ] by ForallI 68 (forall xt forall yt P (x y)) =rArr forall yt forall xt P (x y) by ImpI 7

QED

96 Rules for exist

Exists introduction To show existx tP (x) construct u t and show P (u)u t P [x = t]

ExistsIexistx tP

70

Exists elimination If we know existx tP and we can show Q assuming x tand P then we can show Q

existx tP

[ x t PQ ]

existsEQ

Note the in the first line of the frame This is needed because we needto assume both the typing and the proposition at once

As an example for a proof involving existential quantifiers we show an interestinginteraction between universal and existential quantifiers (existx tP (x)) =rArr(forally tP (y) =rArr Q) =rArr Q (exAlltut)

proof exAll (exist xtP(x)) =rArr (forall ytP(y) =rArr Q) =rArr Q =begin[exist xtP(x)[ forall ytP(y) =rArr Q[xtP(x)P(x) =rArr QP(x)Q]Q]

(forall ytP(y) =rArr Q) =rArr Q](exist xtP(x)) =rArr (forall xtP(x) =rArr Q) =rArr Qend

and here are tutchrsquos comments on the proof

Proving exAll (exist xt P x) =rArr (forall yt P y =rArr Q) =rArr Q 1 [ exist xt P x2 [ forall yt P y =rArr Q3 [ x t P x4 P x =rArr Q by ForallE 2 35 P x by Hyp 36 Q ] by ImpE 4 57 Q ] by ExistsE 1 68 (forall yt P y =rArr Q) =rArr Q ] by ImpI 79 (exist xt P x) =rArr (forall xt P x =rArr Q) =rArr Q by ImpI 8

QED

71