1 Introduction

Cyclic (or circular Footnote 1) proof has been studied by a number of authors, see, e.g., [1, 2, 4,5,6,7,8,9,10,11,12,13, 17,18,19, 21, 22, 24]. It is a style of proof suitable for logics with inductive and coinductive definitions. The main idea is to allow proofs to be given as cyclic graphs, where the cycles capture the looping nature of arguments by induction and coinduction. For this to provide a sound method of reasoning, a global condition needs to be satisfied by the proof structure in order to rule out fallacious circular arguments. The global condition can be seen as defining cyclic proof as a formalisation of the concept of proof by infinite descent.

In [4, 5, 10, 11], Brotherston and the author studied a natural style of cyclic proof for first-order logic extended with ordinary inductive definitions in the style of Martin-Löf [16]. It was shown that cyclic proof subsumes proof by induction. The question of whether the two styles of proof are equivalent in power was left open, but conjectured to have a positive answer. In a paper appearing alongside this one, Berardi and Tatsuta refute this conjecture [3].Footnote 2 In general, cyclic proof is more powerful than proof by induction (as long as the latter uses only induction principles for the inductive definitions under consideration).

In this paper, we provide a complementary result to the theorem of Berardi and Tatsuta. We study cyclic proof for first-order arithmetic. Our main result is that the resulting Cyclic Arithmetic coincides with Peano Arithmetic. Thus, in the context of first-order arithmetic, there is, after all, an equivalence in power between cyclic proof and proof by induction.

From one point of view, the study of cyclic proof is particularly apposite in the context of arithmetic. In Sect. 2, we argue that Cyclic Arithmetic is of intrinsic interest as a natural formalisation of the notion of proof by infinite descent. Our theorem thus has potential philosophical value in establishing a non-trivial equivalence between infinite descent and induction. More generally, our result contributes to the broad programme of obtaining a better understanding of potential methods of proof. Cyclic methods, in particular, appear to offer a promising extension to machine-assisted formalised proof [9], particularly for applications in computer-science-oriented logics [1, 2, 6,7,8, 12, 13, 17,18,19, 24].

In Sect. 3, we introduce an infinitary proof system, whose \(\infty \) -proofs are non-well-founded trees. This is sound and complete for the first-order theory of true arithmetic. Then in Sect. 4, we define cyclic proofs as the restriction of \(\infty \)-proofs to regular trees — those that can be presented as finite (cyclic) graphs. Importantly, the question of whether a finite graph presents a cyclic proof is decidable. We end Sect. 4 with the proof that cyclic proof subsumes proof by induction; i.e., that Cyclic Arithmetic contains Peano Arithmetic.

The results thus far are all direct analogues, in the setting of arithmetic, of results in [11] for general inductive definitions. Nevertheless, we give detailed proofs. In the case of the completeness theorem and of the proof that cyclic proof subsumes induction, we do so because the proofs, in the context of arithmetic, are simpler than the corresponding proofs for inductive definitions. In the case of the soundness and decidability results, the proofs for arithmetic are similar to those in [11]. Nevertheless, we supply the details because they are needed in the proof of our main result, Theorem 6, which states that Cyclic Arithmetic is conservative over Peano Arithmetic.

Theorem 6 is proved in Sect. 5. The proof method is to formalise the soundness argument for \(\infty \)-proofs in \(\mathsf {ACA}_0\), a subsystem of second-order arithmetic, which has been widely studied in the context of reverse mathematics [20]. The use of second-order logic is essential for formalising soundness because of the infinitary nature of \(\infty \)-proofs. The reason for the particular choice of the subsystem \(\mathsf {ACA}_0\) is that it is conservative over Peano Arithmetic. Once the soundness of Cyclic Arithmetic has been established in \(\mathsf {ACA}_0\), the conservativity of Cyclic Arithmetic then follows from a lemma (Lemma 9) that says that \(\mathsf {ACA}_0\) can recognise a cyclic proof when presented with one.

Section 6 is devoted to the proof of Lemma 9. For this, we make use of constructions and results from the theory of Büchi automata, once again formalised in \(\mathsf {ACA}_0\). Our presentation builds on the recent work of [15], in which the fundamental complementation result for Büchi automata is studied from the perspective of reverse mathematics.

Finally, in Sect. 7, we discuss directions for further research.

2 Proof by Infinite Descent

The aim of this section is to motivate Cyclic Arithmetic informally as providing a natural style of number-theoretic proof by infinite descent. We begin with a standard example of a proof by infinite descent, establishing that \(\sqrt{2}\) is irrational. Since we work in the language of arithmetic, we express this as: there are no natural numbers \(x_0,x_1\) such that \(x_0 > 0\) and \(x_0^2 = 2x_1^2\).

Suppose, for contradiction, that we have \(x_0,x_1\) such that \(x_0 > 0\) and \(x_0^2 = 2x_1^2\). It then follows that \(x_0> x_1 > 0\). Since 2 is a prime factor of \(x_0^2\) it must be a prime factor of \(x_0\) itself. So \(x_0 = 2x_2\) for some \(x_2\). So \(4x_2^2 = 2x_1^2\), hence \(x_1^2 = 2x_2^2\).

We have now gone round in a circle back to the start of the proof, but with \(x_1,x_2\) in place of \(x_0,x_1\). By repeating the argument for \(x_1,x_2\) we discover that \(x_1> x_2 > 0\) and \(x_2^2 = 2 x_3^2\) for some \(x_3\). Continuing, \(x_2> x_3 > 0\) and \(x_3^2 = 2 x_4^2\); whence \(x_3> x_4> 0\), etc. So, starting from our initial assumptions that \(x_0 > 0\) and \(x_0^2 = 2x_1^2\), we produce an infinite strictly descending sequence \(x_0> x_1> x_2> x_3 > \dots \) of positive integers. Since no such sequence exists, we have obtained the desired contradiction.

Figure 1 presents this proof as an infinite proof tree of sequents. The steps labelled \((\star )\) and \((\dagger )\) are not intended to be atomic proof steps. Rather \((\star )\) is the main number-theoretic lemma used in the proof, and \((\dagger )\) chains together a few simple steps of arithmetical and logical reasoning (including a cut). The ellipsis at the top right represents the continuation of the argument via an infinite sequence of repetitions of the visible proof pattern, but with the variables changed appropriately at each repetition.

Fig. 1.
figure 1

Infinite descent proof of the irrationality of \(\sqrt{2}\)

Full size image
Fig. 2.
figure 2

Infinite descent proof of the totality of the Ackermann-Péter function.

Full size image

The proof tree in its entirety is an infinite tree, with one growing up to the right. Going up this branch, the variables \(x_0,x_1,x_2,\dots \), once introduced, never change their value. Moreover, we pass through an infinite sequence of underlined statements \(x_1 \!<\! x_0\), \(x_2\! <\! x_1\), \(x_3 \!< \!x_2\) each appearing as an antecedent (i.e., left-hand formula) in a sequent. It is this fact that makes the argument a valid proof by infinite descent.

We present one more example of a proof in a similar style. Let A(xyz) be a ternary relation on natural numbers satisfying:

$$\begin{aligned} A(x,y,z) \, \Leftrightarrow \,&(x = 0 \, \wedge \, z = y+1) \\&\vee \; (x>0 \, \wedge \, y= 0 \, \wedge \, A(x-1,1,z)) \\&\vee \; (x,y>0 \, \wedge \, \exists w.\, A(x,y-1,w) \wedge A(x-1,w,z)) \end{aligned}$$

This formula defines A to be the graph of the well-known 2-argument Ackermann-Péter function. Using standard techniques of definition, one can encode A(xyz) by a \(\mathsf {\Sigma ^0_1}\)-formula in the language of arithmetic satisfying the equivalence above.

Figure 2 presents a proof by infinite descent of the totality of the Ackermann-Péter function. As before, the individual rules are not atomic steps, but contain arithmetical and logical reasoning, including manipulation of the defining property of A(xyz) above. This time, the full infinite proof is built by repeating the basic pattern three times, once each at (A), (B) and (C), ad infinitum. In doing this, variables are substituted by the terms specified in each case. Note that infinitely many variables \(y,y',y'', \dots \) appear in the infinite proof.

The proof in Fig. 2 presents a correct argument by infinite descent for the following reason. By the local soundness of all rules in the proof, any xy providing a counterexample to the concluding sequent will generate an infinite branch together with assignments to all variables such that all sequents along the branch are false. There are now two cases to consider.

  • If the infinite branch passes through sequents in positions (A) or (C) infinitely often then the value of the number supplied in the x position of A(xyz) is decremented infinitely often even though it remains positive along the path.

  • Otherwise, the branch must eventually reach a point after which it avoids (A) and (C). Thus all subsequent repetitions are attained via (B). In this case, the number appearing in the y position, at the point in question, is decremented infinitely often, although it again remains positive.

In either case, we have the desired contradiction.

Thus far, we have been describing proofs by infinite descent as infinite proofs. This is in keeping with the idea that a proof by infinite descent should construct infinite sequences, but it is not compatible with the idea of a proof as a finite representation of an argument. Nonetheless, a very natural restriction on infinite proofs can be imposed to achieve such a finite representation. One simply asks for the infinite proof tree to be regular, namely for it to have only finitely many distinct subtrees. Any such regular infinite proof tree can be presented as a finite cyclic graph. For example, consider the version below of the proof from Fig. 1, in which a substitution rule is used to make all subtrees rooted at sequents labelled \((*)\) identical. The full proof tree is thus presented by the finite cyclic graph obtained by identifying the nodes labelled \((*)\).

figure a

It is similarly possible to convert Fig. 2 to a regular infinite proof.

In Sect. 3, we give a precise definition of \(\infty \) -proof that formalises the notion of infinite proof by infinite descent described informally above, and we show that \(\infty \)-proofs are sound and complete for the first-order theory of true arithmetic. Since the notion of proof is infinitary, the completeness result is unsurprising. For example, a similar completeness property is well known to hold for \(\omega \) -proofs, obtained by adding the infinitary \(\omega \)-rule to (for example) sequent calculus. Nonetheless, there is an important mathematical distinction between \(\omega \)-proofs and \(\infty \)-proofs. The former are given as infinitely-branching well-founded trees. In contrast, \(\infty \)-proofs are finitely branching (potentially) non-well-founded trees.

It is an advantage of \(\infty \)-proofs that they possess a naturally identifiable subclass of finitely presentable proofs, the regular ones, which we introduce as cyclic proofs in Sect. 4. Our main result, the coincidence of cyclic proof for arithmetic with Peano Arithmetic, thus establishes that finitary proof by infinite descent is equivalent to proof by induction.

3 \(\infty \)-proofs

We formulate arithmetic using first-order logic with equality, with signature \((0,s,+,{\cdot },<)\), where s is the successor function. The strict order relation < is included as primitive because it is used in the definition of \(\infty \)-proof below.

We give a sequent calculus presentation of our proof calculus. For our purposes, a sequent \(\varGamma \Rightarrow \varDelta \) is a pair of finite sets \(\varGamma , \varDelta \) of formulas. We use standard notational conventions for sequents, such as omitting set delimiters when writing sets, and using comma ‘, ’ for union. We write \(\varGamma [\theta ]\) for the result of applying the same substitution \(\theta \) (mapping finitely many variables to associated terms) to every formula in \(\varGamma \). We also write \(\varGamma [t_1,\dots , t_k]\), for terms \(t_1, \dots , t_k\), to mean \(\varGamma [t_1/x_1, \dots , t_k/x_k]\), where \(x_1, \dots , x_k\) are distinct variables left implicit. In such cases, a parallel mention of \(\varGamma [u_1,\dots , u_k]\) always means \(\varGamma [u_1/x_1, \dots , u_k/x_k]\) for the same variables \(x_1, \dots , x_k\).

Our proof system is built from three sets of rules manipulating sequents. Rules for the logical constants (including equality) are presented in Fig. 3. Structural rules, including \((\mathsf {Cut)}\), are given in Fig. 4. Finally, basic arithmetic properties are axiomatised, in Fig. 5, by a list of 11 axiom sequents, together with one further inference rule. The axioms and rule of Fig. 5 implement a finitely axiomatised theory of arithmetic corresponding to a natural expansion of Robinson’s system Q with < as a primitive relation. As motivated in Sect. 2, our \(\infty \)-proofs are infinite trees, where locally each node of the tree is given by an application of one of the rules or axioms in Figs. 3, 4 and 5. We call such a tree a pre- \(\infty \) -proof. In order to qualify as an actual proof, such a tree will need to satisfy a further condition, whose formulation requires the following definition.

Fig. 3.
figure 3

Cut-free sequent calculus with equality

Full size image
Fig. 4.
figure 4

Weakening, cut and substitution rules

Full size image
Fig. 5.
figure 5

Axioms and rules for basic arithmetic

Full size image

Definition 1

(Precursor, trace, progress). Let \((\varGamma _i \Rightarrow \varDelta _i)_{i\ge 0}\) be an infinite branch through a pre-proof. For terms \(t,t'\), we say that \(t'\) is a precursor of t at i if one of the following holds.

  • \(\varGamma _i \Rightarrow \varDelta _i\) is the conclusion of an application of \((\mathsf {Sub)}\), and \(t = \theta (t')\) where \(\theta \) is the substitution used in the rule application.

  • \(\varGamma _i \Rightarrow \varDelta _i\) is the conclusion of an \((u_1\! = \!u_2)\)-left rule, and it is possible to write \(t'\) and t as \(u[u_1,u_2]\) and \(u[u_2,u_1]\) respectively, for some term u.

  • \(\varGamma _i \Rightarrow \varDelta _i\) is the conclusion of one of the other rules, and \(t' = t\).

We say that a term t occurs in a sequent \(\varGamma \Rightarrow \varDelta \) if it appears within some formula in \(\varGamma , \varDelta \) (possibly as a subterm of another term). A trace along \((\varGamma _i \Rightarrow \varDelta _i)_{i\ge 0}\) is a sequence \((t_i)_{i \ge N}\), for some \(N \ge 0\), such that, for every \(i \ge N\), the term \(t_i\) occurs in \(\varGamma _i \Rightarrow \varDelta _i\), and also one of the following holds.

  • Either \(t_{i+1}\) is a precursor of \(t_i\) at i,

  • or there exists \((t_{i+1} < t) \in \varGamma _{i+1}\) such that t is a precursor of \(t_i\) at i.

When the latter case holds, we say that the trace progresses at \(i+1\).

Definition 2

( \(\infty \) -proof). An \(\infty \) -proof is a pre-\(\infty \)-proof that satisfies the following trace condition.

Along every infinite branch \((\varGamma _i \Rightarrow \varDelta _i)_i\) there exist \(N \ge 0\) and a trace \((t_i)_{i \ge N}\) that progresses at infinitely many i.

Modulo the expansion of the depicted rules into combinations of primitive rules from Figs. 3, 4 and 5, the proofs in Figs. 1 and 2 are both \(\infty \)-proofs, for the reasons explained in Sect. 2. (E.g., the required trace in Fig. 1 is \(x_0,x_1,x_1,x_2,x_2, \dots \,\).)

Semantically, we will be interested only in the standard interpretation in the natural numbers \(\mathbb {N}\). We write \(\mathbb {N} \, \models ^\rho A\) to say that formula A is true in \(\mathbb {N}\) under an environment \(\rho \) that interprets the free variables of A as natural numbers. We write \(\mathbb {N} \, \models ^\rho \varGamma \! \Rightarrow \! \varDelta \) to mean: if \(\mathbb {N} \, \models ^\rho A\) for all \(A \in \varGamma \) then there exists \(B\in \varDelta \) such that \(\mathbb {N} \,\models ^\rho B\). We define \(\mathbb {N} \,\models \, \varGamma \Rightarrow \varDelta \) to mean: \(\mathbb {N} \, \models ^\rho \varGamma \Rightarrow \varDelta \) for all \(\mathbb {N}\)-environments \(\rho \).

Theorem 3

(Soundness for \(\infty \) -proofs). If \(\varGamma \Rightarrow \varDelta \) has an \(\infty \)-proof then \(\mathbb {N} \, \models \, \varGamma \Rightarrow \varDelta \).

Proof

We suppose, for contradiction, that we have an \(\infty \)-proof of \(\varGamma _0 \Rightarrow \varDelta _0\), but that \(\mathbb {N} \not \models ^{\,\rho _0} \varGamma _0 \Rightarrow \varDelta _0\).

We first construct an infinite branch \((\varGamma _i \Rightarrow \varDelta _i)_i\), together with an associated sequence \((\rho _i)_i\) of environments, such that \(\mathbb {N} \not \models ^{\,\rho _i} \varGamma _i \Rightarrow \varDelta _i\) for all i. To do this, \(\varGamma _{i +1} \Rightarrow \varDelta _{i+1}\) and \(\rho _{i+1}\) are constructed from \(\varGamma _i \Rightarrow \varDelta _i\) and \(\rho _i\) as follows. Since \(\mathbb {N} \not \models ^{\,\rho _i} \varGamma _i \Rightarrow \varDelta _i\), the sequent \(\varGamma _i \Rightarrow \varDelta _i\) must be the conclusion of an inference rule. If this rule is an instance of \((\mathsf {Sub)}\) then define \(\rho _{i+1} = \rho _i \circ \theta \), where \(\theta \) is the substitution in the rule. Otherwise define \(\rho _{i+1} = \rho _i\). By the soundness of inference rules, at least one premise of the rule is a sequent \(\varGamma ' \Rightarrow \varDelta '\) for which \(\mathbb {N} \not \models ^{\,\rho _{i+1}} \varGamma ' \Rightarrow \varDelta '\). We define \(\varGamma _{i+1} \Rightarrow \varDelta _{i+1}\) to be a chosen such premise.

By the trace condition, the infinite branch has a trace \((t_i)_{i \ge N}\) that progresses infinitely often. Consider the associated sequence of numbers \((t_i^{\rho _i})_{i \ge N}\). Since \(\mathbb {N} \not \models ^{\,\rho _i} \varGamma _i \Rightarrow \varDelta _i\), we have that \(\mathbb {N} \, \models ^{\,\rho _i} A\) for every \(A \in \varGamma _i\). So, using the definitions of precursor and of \(\rho _{i+1}\), if \(t_{i+1}\) is a precursor of t then \({t_{i+1}}^{\,\rho _{i+1}} = t^{\, \rho _i}\). Therefore,

  • \(t_{i+1}^{\rho _{i+1}} = t_i^{\rho _i}\), if \(t_{i+1}\) is a precursor of \(t_i\); and

  • \(t_{i+1}^{\rho _{i+1}} < t_i^{\rho _i}\), if \((t_{i+1} < t) \in \varGamma _{i+1}\) and t is a precursor of \(t_i\).

By the trace condition, the second case applies infinitely often. Thus \((t_i^{\rho _i})_{i \ge N}\) is an infinite non-increasing sequence of natural numbers that decreases infinitely often, which gives the desired contradiction.    \(\square \)

Due to their infinitary nature, \(\infty \)-proofs are complete. Indeed, completeness holds even for proofs that contain no instances of \((\mathsf {Wk)}\) and \((\mathsf {Sub)}\), and in which \((\mathsf {Cut)}\) occurs only in cases in which the cut formula A is atomic. We call such proofs atomic cut \(\infty \)-proofs.

Theorem 4

(Atomic-cut completeness for \(\infty \) -proofs). If \(\mathbb {N} \, \models \, \varGamma \Rightarrow \varDelta \) then there exists an atomic-cut \(\infty \)-proof of \(\varGamma \Rightarrow \varDelta \).

Proof

The main observation required is that the sequent calculus \(\omega \)-rule:

figure b

is simulated by the \(\infty \)-proof below (we combine multiple rules into single steps).

figure c

To apply the above, we plug in an \(\infty \)-proof for each premise \(\varGamma [\underline{n}] \Rightarrow \varDelta [\underline{n}]\). The resulting pre-\(\infty \)-proof has just one additional infinite branch, the rightmost branch. Along this branch, the sequence \(t,t,t,x_1,x_1,x_1, x_2,x_2,x_2,\dots \) is an infinitely progressing trace. (The progress points are underlined.)    \(\square \)

4 Cyclic Arithmetic

A (possibly infinite) tree is said to be regular if it has only finitely many distinct subtrees. Equivalently, a tree is regular if it can be defined as an unfolding of a finite directed (possibly cyclic) graph.

We shall be interested in regular \(\infty \)-proofs; that is, in \(\infty \)-proofs whose underlying pre-\(\infty \)-proofs are regular trees. For this, we consider a regular pre-\(\infty \)-proof to be presented by a finite graph of the following form. Each vertex v of the graph is labelled with an instance \(\mathsf {rule}(v)\) of one of the rules in Figs. 3, 4 and 5. We write \(\mathsf {conc}(v)\) for the sequent that is the conclusion of the rule instance, and \(\mathsf {prem}_i(v)\) for the sequent that is the i-th premise. (Axioms are considered as rules with 0 premises.) When a vertex v has label \(\mathsf {rule}(v)\) with n premises, the graph must contain exactly n edges \(e^1_v, \dots , e^n_v\) with source v. Moreover, for each \(i = 1, \dots , n\), it must hold that \(\mathsf {prem}_i(v) = \mathsf {conc}(v_i) \), where \(v_i\) is the target vertex of \(e^i_v\). Finally, there is a distinguished vertex \(\varepsilon \), which represents the conclusion of the pre-\(\infty \)-proof; i.e., \(\mathsf {conc}(\varepsilon )\) is the conclusion sequent.

It is straightforward to see how each such finite graph presentation unfolds to a regular pre-\(\infty \)-proof, and conversely how each regular pre-\(\infty \)-proof can be given such a presentation; see [11] for a detailed treatment.

We next establish the decidability of the global trace condition for regular pre-\(\infty \)-proofs, for which we follow analogous arguments in [11, 21]. Although the relatively simple construction does not provide a practical decision procedure, it has the advantage of facilitating the proofs in Sect. 6 below.

Recall that a (nondeterministic) Büchi automaton over an alphabet \(\varSigma \) is just a nondeterministic finite automaton over \(\varSigma \) with an acceptance condition defined for infinite words as follows. An accepting run of a Büchi automaton B is an infinite sequence of consecutive transitions, starting from an initial state, that passes through an accepting state infinitely often. An infinite word \(X \in \varSigma ^\omega \) is accepted by B if there exists an accepting run labelled by X.

Theorem 5

It is decidable whether a regular pre-\(\infty \)-proof, presented as a finite directed graph, is an \(\infty \)-proof.

Proof

Let \(\varSigma \) be the alphabet whose symbols are the edges in the finite graph G that presents the proof. We construct a Büchi automaton \(B_t\) over \(\varSigma \) that recognises those infinite paths through G that possess an infinitely progressing trace. The states of \(B_t\) are of the form:

  • (v) where v is a vertex in G.

  • (vt) where v is a vertex in G and t is a term in \(\mathsf {conc}(v)\).

  • \((v, t, \checkmark )\) where v is a vertex in G and t is a term in \(\mathsf {conc}(v)\).

The transitions are of the form:

  • \((v) {\xrightarrow {e^i_v}} (v')\) and \((v) {\xrightarrow {e^i_v}} (v',t')\) whenever \(v'\) is the target of \(e^i_v\).

  • \((v,t) {\xrightarrow {e^i_v}} (v',t')\) and \((v,t,\checkmark ) {\xrightarrow {e^i_v}} (v',t')\) whenever \(v'\) is the target of \(e^i_v\) and \(t'\) is a precursor of t for \(\mathsf {rule}(v)\).

  • \((v,t) {\xrightarrow {e^i_v}} (v',t',\checkmark )\) and \((v,t,\checkmark ) {\xrightarrow {e^i_v}} (v',t',\checkmark )\) whenever \(v'\) is the target of \(e^i_v\) and \((t'<t'')\) is an antecedent of \(\mathsf {conc}(v')\) for some precursor \(t''\) of t for \(\mathsf {rule}(v)\).

The accepting states are those with a \(\checkmark \) component. The start state is \(\varepsilon \). It is clear that an \(\omega \)-word is accepted if and only if it defines an infinite path through the pre-\(\infty \)-proof that possess an infinitely progressing trace.

We also need a Büchi automaton \(B_p\) that recognises the language of all infinite paths through the pre-\(\infty \)-proof. The construction of this is trivial, hence omitted.

The pre-\(\infty \)-proof is an \(\infty \)-proof if and only if there is an inclusion of \(\omega \)-languages \(\mathcal {L}(B_p) \subseteq \mathcal {L}(B_t)\). Such inclusions are decidable.    \(\square \)

Since regular \(\infty \)-proofs are presented as finite cyclic graphs, we call such proofs cyclic proofs, following the terminology of [11]. Similarly, we call the first-order theory consisting of all sentences A such that the sequent \(\Rightarrow A\) has a cyclic proof Cyclic Arithmetic (\(\mathsf {CA}\)).

The main result of this paper is that Cyclic Arithmetic coincides with Peano Arithmetic (\(\mathsf {PA}\)). To ease the comparison, we assume that \(\mathsf {PA}\) is also formulated in the language \((0,s,+,\cdot ,<)\).

Theorem 6

(Coincidence theorem).  \(\mathsf {CA}= \mathsf {PA}\).

The proposition below establishes the easier inclusion of Theorem 6. The converse inclusion is left to Sect. 5.

Proposition 7

\(\mathsf {PA}\subseteq \mathsf {CA}\).

Proof

The axioms and rule of Figs. 3, 4 and 5 capture all of \(\mathsf {PA}\) except for the induction schema. Moreover, since we have the cut rule, the cyclic-provable sentences are closed under logical consequence. We thus need only show that every instance of induction has a cyclic proof. Such a proof is given by (we identify the \((*)\) nodes):

figure d

The infinite trace is \((x_0 \, x_0 \, x_0 \, x_1\, x_1\, x_1)^\omega \). This indeed progresses infinitely often, at the point underlined in the proof.    \(\square \)

5 Conservativity of \(\mathsf {CA}\) over \(\mathsf {PA}\)

The goal of this section is to prove that \(\mathsf {CA}\subseteq \mathsf {PA}\). The first step is to prove the soundness of \(\infty \)-proofs in \(\mathsf {ACA}_0\), a well-known subsystem of second-order arithmetic, which enjoys the property of being conservative over \(\mathsf {PA}\). The use of a second-order language allows the formalisation of concepts associated with infinite trees and infinite paths through them, which is necessary for reasoning about \(\infty \)-proofs.

Recall (see [20] for a detailed exposition) that the language of second-order arithmetic extends our first-order language with: set variables \(X,Y,Z, \dots \); with quantification over set variables; and with a new atomic formula \(t \in X\), where t is a first-order term and X a set variable. A formula is said to be arithmetical if it does not contain any set quantifiers (it may contain free set variables). The theory \(\mathsf {ACA}_0\) contains the usual first-order axioms of arithmetic, the expected quantifier rules for set variables, and the two principles below.

  • The induction axiom:

    $$ \forall X. ~ 0 \in X \, \wedge \, (\forall x.\, x \in X \rightarrow s(x) \in X) \, \rightarrow \, \forall x.\, x \in X . $$

  • The arithmetical comprehension schema:

    $$ \exists X.\, \forall x.\, (x \in X \, \leftrightarrow \, \phi ) , $$

    where \(\phi \) ranges over arithmetical formulas in which the set variable X does not occur free.

We assume reasonable encodings of ordered pairs, and sequences as numbers, in which each ordered pair and sequence has a unique encoding. A set X of natural numbers encodes a tree if:

  • every \(x \in X\) encodes a sequence \(x_1\dots x_k\) for some \(k \ge 0\);

  • if (an encoding of) \(x_1 \dots x_k x_{k+1} \in X\) then also \(x_1 \dots x_k \in X\); and

  • \(\varepsilon \in X\) (where \(\varepsilon \) encodes the empty sequence).

A (partial) function is encoded as a set X of (codes of) ordered pairs satisfying: if \((x,y) \in X\) and \((x,z) \in X\) then \(y = z\). The domain of X is \(\{x \mid \exists y.~(x,y) \in X\}\). We say that a set X encodes a labelled tree if it encodes a function whose domain is a tree. In this case we call the elements of the domain of X the nodes of X, and we call the result of applying the function to a node x the label of x.

We shall encode \(\infty \)-proofs as trees labelled with Gödel numbers of instances of rules from Figs. 3, 4 and 5. For this, we assume a reasonable Gödel numbering of terms, formulas, sequents and rule instances.

Let X encode a labelled tree. We say that X encodes a pre- \(\infty \) -proof if:

  • for every \((x,y) \in X\), we have that y encodes a valid rule instance \(\mathsf {rule}(x)\);

  • if \(\mathsf {rule}(x_1\dots x_k)\) has n premises then the n sequences \(x_1\!\dots \! x_k1,\, \dots \,, x_1\!\dots \! x_kn\) are all nodes in X, and no other sequence \(x_1\dots x_ki\) is a node in X; and

  • if \(x_1\dots x_k i\) is a node in X then \(\mathsf {prem}_i(x_1\dots x_k) = \mathsf {conc}(x_1\dots x_ki)\), where we write \(\mathsf {prem}_i(x)\) for the i-th premise of \(\mathsf {rule}(x)\) and \(\mathsf {conc}(x)\) for the conclusion.

An infinite branch through a tree X is given by a function Y with domain \(\mathbb {N}\), such that \(Y(0) = \varepsilon \) and, for every x, it holds that Y(s(x)) is a child in X of Y(x). A set Z encodes a sequence \((t_i)_{i \ge N}\) of terms if it is a partial function with domain \(\{x \mid x \ge N\}\) and, for every \(x \ge N\), it holds that Z(x) is the Gödel number of a term. If X encodes a pre-\(\infty \)-proof, Y is an infinite branch through X, and Z is a sequence of terms then Definition 1 can be directly translated into the language of second-order arithmetic to define (arithmetical) formulas that express each of the properties:

  • Z is a trace along Y in X;

  • the trace Z progresses at i in the branch Y of X;

  • the trace Z progresses infinitely often in the branch Y of X.

(Note that X needs to appear explicitly in the above formulas because the labelling containing the information about which inference rules are applied is present only in X.) One can thus directly formalize Definiton 2 to obtain a (non-arithmetical) formula expressing:

  • X is an \(\infty \)-proof.

We wish to prove the soundness of \(\infty \)-proofs in \(\mathsf {ACA}_0\). Thus, we would like to show that, when we have an \(\infty \)-proof of a sequent, that sequent is true (under any interpretation of its free variables). However, the above statement cannot be formulated in \(\mathsf {ACA}_0\), because truth is a non-arithmetical property of first-order-arithmetic formulas. We circumvent this by bounding the logical complexity of formulas. For every \(n \ge 0\), there is a first-order-arithmetic formula \(\mathsf {Tr}_n(x,y)\) which holds if and only if: x is the Gödel number \(\ulcorner A \urcorner \) of a \(\mathsf {\Sigma ^0_n}\)-formula A, and y is the encoding \(\ulcorner \rho \urcorner \) an environment \(\rho \), assigning numbers to all free variables in A, such that \(\mathbb {N} \, \models ^\rho A\). (See [14, Chap. 9] for a careful construction of such a formula.) If A is a \(\mathsf {\Sigma ^0_n}\)-sentence then \(\mathsf {PA}\) proves the truth-reflection schema:

$$\begin{aligned} \mathsf {Tr}_n(\ulcorner A \urcorner ,\ulcorner \emptyset \urcorner )~ \leftrightarrow ~ A . \end{aligned}$$
(1)

Lemma 8

(Formalised soundness). For every \(n \ge 0\, \), \(\mathsf {ACA}_0\) proves: “for all X, if X is an \(\infty \) -proof, containing formulas of complexity at most \(\mathsf {\Sigma ^0_n}\), then, for every assignment \(\rho \) of numbers to all free variables in the conclusion sequent \(\varGamma \Rightarrow \varDelta \) of X, the formula \(\bigwedge \varGamma \rightarrow \bigvee \varDelta \) is \(\mathsf {\Sigma ^0_{n+1}}\) -true under \(\rho \)”.

In the statement of the lemma, we use quoted sans-serif to emphasise the scope of the formal statement proved in \(\mathsf {ACA}_0\). Notice that this formal statement is really a statement about encodings of \(\infty \)-proofs and Gödel numbers of sequents and formulas. We have stated it informally for readability. Note also that the use of the \(\mathsf {\Sigma ^0_{n+1}}\)-truth predicate is appropriate because \(\bigwedge \varGamma \rightarrow \bigvee \varDelta \) is a \(\varDelta ^0_{n+1}\)-formula. For convenience, we henceforth write the sequent \(\varGamma \Rightarrow \varDelta \) in place of the formula \(\bigwedge \varGamma \rightarrow \bigvee \varDelta \) in order to talk directly about truth and falsity of sequents.

Proof

We formalise the proof of Theorem 3 in \(\mathsf {ACA}_0\). So again suppose we have an \(\infty \)-proof X of \(\varGamma _0 \Rightarrow \varDelta _0\), but that \(\varGamma _0 \Rightarrow \varDelta _0\) is \(\mathsf {\Sigma ^0_{n+1}}\)-false under \(\rho _0\).

The main point that requires elaboration is the construction, in \(\mathsf {ACA}_0\), of the infinite path \((\varGamma _i \Rightarrow \varDelta _i)_i\) in combination with the associated sequence \((\rho _i)_i\) of environments. For this, we assign, to every node x in X, an environment \(\rho _x\):

  • \(\rho _\varepsilon = \rho _0\).

  • \(\rho _{x_1\dots x_k x_{k+1}} = {\left\{ \begin{array}{ll} \rho _{x_1\dots x_k} &{} \text {if}\,\, \mathsf {rule}(x_1\dots x_k)\,\, \text {is not an instance of } (\mathsf {Sub)}\\ \rho _{x_1\dots x_k} \circ \theta &{} \text {if}\,\, \mathsf {rule}(x_1\dots x_k) \,\,\text {is a} \,\,(\mathsf {Sub)}\,\,\text {with substitution}\,\, \theta \end{array}\right. }\)

Let Y be the set (whose definition, for unbounded n, requires full arithmetical comprehension):

$$\begin{aligned} \{x \in X \mid \text { for all prefixes}\,\, x'\,\, \text {of}\,\, x\text {, the sequent}\,\, \mathsf {conc}(x') \,\,\text {is}\,\, \mathsf {\Sigma ^0_{n+1}}\text {-false under}\,\, \rho _{x'} \} . \end{aligned}$$

Then Y is a finitely branching tree. Moreover, by the soundness of inference rules, every \(x \in Y\) has a child node \(x' \in Y\). Thus Y is infinite. Hence, by König’s lemma (which is a theorem of \(\mathsf {ACA}_0\) [20]), there exists an infinite branch Z in Y. Then \(i \mapsto \mathsf {conc}(Z(i))\) defines \((\varGamma _i \Rightarrow \varDelta _i)_i\) and \(i \mapsto \rho _{Z(i)}\) defines \((\rho _i)_i\).

The remainder of the proof, which argues that an infinitely progressing trace along Z contradicts the falsity of the sequents in Z, goes through exactly as in the proof of Theorem 3.    \(\square \)

We next consider cyclic proofs. Any such is presented by a finite graph of the kind introduced at the start of Sect. 4. We assume a sensible encoding of such graphs as natural numbers, and we write \(\ulcorner G \urcorner \) for the number representing G. Given \(\ulcorner G \urcorner \), we define in \(\mathsf {ACA}_0\) the pre-\(\infty \)-proof generated by G as the set \(\mathsf {unfold}(\ulcorner G \urcorner )\) defined as:

$$\begin{aligned} \{ (x_1\dots x_k,\, y) \mid \text {there is a path}\,\, \varepsilon \, e^{x_1}\, v_1 \, e^{x_2} \, {v_2} \dots e^{x_k} \, {v_{k}}\,\, \text {in} \,\,G,\,\, \text {and}\,\, y = \mathsf {rule}(v_k) \} . \end{aligned}$$

This indeed defines a set since the defining formula is arithmetical.

Lemma 9

If G is a finite graph presentation of a regular \(\infty \)-proof then \(\mathsf {ACA}_0\) proves “\(\mathsf {unfold}({G})\) is an \(\infty \) -proof”.

Here, and henceforth, we write \(\mathsf {unfold}({G})\) rather than \(\mathsf {unfold}(\ulcorner G \urcorner )\), since the latter is the default interpretation of the former. Whenever we refer to a finite combinatorial object within \(\mathsf {ACA}_0\), we always do so via its numerical encoding.

We postpone the proof of Lemma 9 to Sect. 6 below. Modulo this one pending proof, we now have all the ingredients to complete the proof of Theorem 6.

Proposition 10

\(\mathsf {CA}\subseteq \mathsf {PA}\).

Proof

Suppose G is a finite graph presentation of a regular \(\infty \)-proof with conclusion sequent \(\Rightarrow A\), where A is a sentence. Let n be such that every formula in G is at most \(\mathsf {\Sigma ^0_n}\). By Lemma 9, \(\mathsf {ACA}_0\) proves “\(\mathsf {unfold}({G})\) is an \(\infty \) -proof”. Whence, by Lemma 8, \(\mathsf {ACA}_0\) proves “A is \(\mathsf {\Sigma ^0_{n+1}}\) -true”. Therefore, by an application of the reflection property (1) of the \(\mathsf {\Sigma ^0_{n+1}}\)-truth predicate, \(\mathsf {ACA}_0\) proves A. Since \(\mathsf {ACA}_0\) is conservative over \(\mathsf {PA}\), it follows that \(\mathsf {PA}\) proves A.    \(\square \)

Propositions 7 and 10 together establish Theorem 6.

6 Büchi Automata in \(\mathsf {ACA}_0\)

It remains to prove Lemma 9. Our method of proof is to apply the theory of Büchi automata as formalised in \(\mathsf {ACA}_0\). Since a Büchi automaton B over a finite alphabet \(\varSigma \) is a finite combinatorial object, it can be encoded as a natural number \(\ulcorner B \urcorner \). We thus formalise properties of Büchi automata as properties of their codes, but we continue with our policy of omitting explicit reference to codes. In \(\mathsf {ACA}_0\), an infinite word is coded as a set X defining an infinite sequence of elements of \(\varSigma \). The property:

$$\begin{aligned} B\,\, \text {accepts the infinite word}\,\, X \end{aligned}$$

is directly expressible by a (non-arithmetical) formula in second-order arithmetic. Using this, we formalise the following properties of Büchi automata in \(\mathsf {ACA}_0\).

Proposition 11

(Formalised Büchi intersection). There is a computable binary function \(\sqcap \) such that \(\mathsf {ACA}_0\) proves: “for all Büchi automata \(B_1,B_2\), it holds that \(B_1\!\sqcap \! B_2\) is a Büchi automaton satisfying:

$$\begin{aligned} \mathsf {for\,\, every\,\, infinite}\,\, \varSigma \text {-}\mathsf {word}\,\, X,~ B_1 \!\sqcap \!B_2 \,\,\mathsf {accepts}\,\, X \; \leftrightarrow \; B_1 \,\,\mathsf {and}\,\, B_2 \,\,\mathsf {both\,\, accept}\,\, X '' . \end{aligned}$$

Proposition 12

(Formalised Büchi complementation). There is a computable unary function \((\cdot )^c\) such that \(\mathsf {ACA}_0\) proves: “for every Büchi automaton B it holds that \(B^c\) is a Büchi automaton satisfying:

$$\begin{aligned} \mathsf {for\,\, every\,\, infinite}\,\, \varSigma \text {-}\mathsf {word}\,\, X,\,\, B^c\,\, \mathsf {accepts}\,\, X ~ \leftrightarrow ~ B\,\, \mathsf {does\,\, not\,\, accept}\,\, X '' . \end{aligned}$$

The above propositions hold because the standard proofs are directly formalisable in \(\mathsf {ACA}_0\). Complementation is the more interesting of the two cases since its proof involves nontrivial infinite combinatorics. For example, the crucial step in Büchi’s original proof invokes the infinite Ramsey Theorem for pairs (see, e.g., [25]). This does not present a problem for the formalisation because the (general) infinite Ramsey Theorem holds in \(\mathsf {ACA}_0\) (see, e.g., [20]). A full analysis can be found in the recent paper [15], where it is shown that Proposition 12 is equivalent to the schema \(\mathsf {\Sigma ^0_2\text {-}IND}\) of \(\mathsf {\Sigma ^0_2}\)-induction, relative to the weak subsystem of second-order arithmetic \(\mathsf {RCA}_0\). In particular, this means that Proposition 12 is provable in \(\mathsf {RCA}_0\!+\!\mathsf {\Sigma ^0_2\text {-}IND}\), which is a subsystem of \(\mathsf {ACA}_0\).

If B is a Büchi automaton, we write \(\rightarrow ^*_B\) for the reachability relation on states of B (the transitive-reflexive closure of the label-erased transition relation \(\rightarrow _B\)). The ternary relation “B is a Büchi automaton and \(y \rightarrow ^*_B z\)” is definable by a formula in second-order arithmetic with free first-order variables xyz where the parameter x supplies B via its code.

Proposition 13

(Formalised non-emptiness criterion).  \(\mathsf {ACA}_0\) proves: “for every Büchi automaton B, there exists \(X \in \Sigma ^\omega \) accepted by B if and only if there exist states \(q_0,q_1\) of B such that \(q_0\) is initial, \(q_1\) is accepting and \(q_0 \rightarrow ^*_B q_1 \rightarrow ^*_B q_1\)”.

We omit the proof, which is once again a straightforward formalisation of the (this time easy) standard argument.

Lemma 14

If B is a Büchi automaton recognising the empty language then \(\mathsf {ACA}_0\) proves: “for every infinite \(\varSigma \) -word X, the automaton B does not accept X”.

Proof

Suppose B recognises the empty language. By the standard non-formalised version of Proposition 13, there do not exist states \(q_0,q_1\) of B such that \(q_0\) is initial, \(q_1\) is accepting and \(q_0 \rightarrow ^*_B q_1 \rightarrow ^*_B q_1\). Since B is finite, the relation \(\rightarrow ^*_B\) can be encoded as a natural number \(\ulcorner \rightarrow ^*_B \urcorner \). Easily, \(\mathsf {ACA}_0\) proves: “\(\ulcorner \rightarrow ^*_B \urcorner \) encodes a transitive, reflexive relation R that contains \(\rightarrow _B\), and there do not exist states \(q_0,q_1\) of B such that \(q_0\) is initial, \(q_1\) is accepting and \(q_0\, R \,q_1\, R \,q_1 \)”. Since \(\rightarrow ^*_B\) is the smallest transitive-reflexive relation containing \(\rightarrow _B\), it follows that \(\mathsf {ACA}_0\) proves: “there do not exist states \(q_0,q_1\) of B such that \(q_0\) is initial, \(q_1\) is accepting and \(q_0 \rightarrow ^*_B q_1 \rightarrow ^*_B q_1\)”. Hence, by Proposition 13, \(\mathsf {ACA}_0\) proves: “for every infinite \(\varSigma \) -word X, the automaton B does not accept X”.    \(\square \)

Proof

(of Lemma 9 ). Let G be a finite graph presentation of a regular pre-\(\infty \)-proof. Consider the Büchi automata \(B_t\) and \(B_p\) defined in the proof of Theorem 5. By the definitions of \(B_t\) and \(B_p\), the following statements are provable in \(\mathsf {ACA}_0\).

  • For all X, \(~B_t\) accepts X if and only if X is a path through G that possesses an infinitely progressing trace.

  • For all X, \(~B_p\) accepts X if and only if X is an infinite path through G.”

Hence, by Propositions 11 and 12, \(\mathsf {ACA}_0\) proves:

(2)

Now, assume G presents an \(\infty \)-proof. We have, as in the proof of Theorem 5, \(\mathcal {L}(B_t) \subseteq \mathcal {L}(B_p)\), hence the language of the Büchi automaton \({B_t}^{\!c\,} \!\sqcap \!B_p\) is empty. Hence, by Lemma 14, \(\mathsf {ACA}_0\) proves: “there is no X such that \({B_t}^{\!c\,} \!\sqcap \!B_p\) accepts X”. It thus follows from (2) that \(\mathsf {ACA}_0\) proves: “\(\mathsf {unfold}(G)\) is an \(\infty \) -proof”, as required.    \(\square \)

7 Further Work

The following are natural possible continuations of the work in this paper.

  1. (i)

    Give a syntactic rewrite-based proof eliminating non-atomic cuts from \(\infty \)-proofs. (This is done in [2, 13] for different notions of cyclic proof.)

  2. (ii)

    Give an explicit syntactic translation from cyclic proofs to proofs in \(\mathsf {PA}\). Is there an essential blow-up in size? (Because of Solovay’s speed-up theorem for \(\mathsf {ACA}_0\) over \(\mathsf {PA}\), the indirect translation implicit in our proof has a potential non-elementary blow-up.)

  3. (iii)

    Understand the power of cyclic proof in the context of weaker fragments of arithmetic. For example, what is the power of cyclic proof if restricted to \(\mathsf {\Sigma ^0_1}\)-sequents? The example in Fig. 2 shows that the resulting theory is stronger than \(\mathsf {I\Sigma _1}\).

  4. (iv)

    If the rules and axioms in Figs. 3, 4 and 5 are changed to their intuitionistic versions is the resulting notion of cyclic proof conservative over Heyting Arithmetic?

  5. (v)

    Understand in general terms when cyclic proof is conservative over proof by induction (as in this paper), and when it is not (as in [3]).