%{ = Bijection from HOAS to natural numbers = }%

%{ == Preliminaries == }%

%{
This file shows a simple HOAS term type and a mapping from these terms
to the natural numbers.  It depends on John Boyland's library signatures,
in particular void, bool, nat and natpair.  Such mappings are useful so that
the library signatures for set and map can be used to form sets or maps
using the HOAS terms as keys.

The mapping is proved total, deterministic, onto and one2one in four
separate metatheorems.  (The actual relation itself is not proved total
or deterministic directly.)  Thus the mapping is a bijection.

This file is a proof of concept that this sort of mapping can be done and,
more importantly, proved correct in Twelf.  The HOAS terms themselves are
uninteresting.  The purpose in doing these proofs is to help me
(John Boyland) write a general package to generate such mappings and
their proofs.

In writing the proofs, I am greatly indebted to Rob Simmons, who took up
my challenge to write bijections involving HOAS terms.  However, I go
against his explicit advice in using the "%theorem" syntax extensively,
which I find much clearer than the "preferred" Twelf way of purity.
}%

%{| hidden=true }%

%%%% Imports

%%%%%% Proposed Twelf Standard Library
%%%%%% John Boyland
%%%%%% You may freely use, modify and distribute this file without restrictions.

% This file includes some simple types that should
% be standardized.  Here is my proposal.


%%%% Structure


%%% The uninhabited type
% No constructor is declared before the freeze, so no closed term of type void
% exists.  The false-implies-XXX theorems below take a void argument and
% therefore need no cases.

void : type.

%freeze void.


%%% The uninteresting type
% Exactly one constructor, unit/.

unit : type.

unit/ : unit.

%freeze unit.


%%% The three-way comparison type
% Used as the result index of the compare relation on natural numbers.

comp : type.

less : comp.
greater : comp.
equal : comp.

%freeze comp.



%%%%% bool.elf
%%%%% Boolean literals
%%%%% John Boyland


%%%% Definitions


bool : type.

true : bool.
false : bool.

%freeze bool.


% Equality on bool: the single constructor relates a value to itself.
eq : bool -> bool -> type.

eq/ : eq B B.


% Disequality on bool, enumerated case by case.
ne : bool -> bool -> type.

ne/TF : ne true false.
ne/FT : ne false true.


% eq? B1 B2 R: R is true when the two arguments are identical and false
% when a derivation of ne B1 B2 is supplied.
eq? : bool -> bool -> bool -> type.

eq?/yes : eq? B B true.
eq?/no : eq? B1 B2 false
    <- ne B1 B2.



%%%% Theorems


%%% theorems about eq

% From a (non-existent) term of type void any equality follows; there are
% no cases because void has no constructors.
%theorem false-implies-eq :
    forall* {X1} {X2}
    forall {F:void}
    exists {E:eq X1 X2}
    true.

%worlds () (false-implies-eq _ _).
%total { } (false-implies-eq _ _).


% Copy of eq as a three-argument theorem; the %reduces declaration below
% records that its first two arguments are identical whenever it holds.
%theorem meta-eq : forall {X1} {X2} {E:eq X1 X2} true.

- : meta-eq _ _ eq/.

%worlds () (meta-eq _ _ _).
%total { } (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).


% eq is reflexive.
%theorem eq-reflexive : forall {X} exists {E:eq X X} true.

- : eq-reflexive _ eq/.

%worlds () (eq-reflexive _ _).
%total { } (eq-reflexive _ _).


% eq is symmetric.
%theorem eq-symmetric :
    forall* {X} {Y}
    forall {E:eq X Y}
    exists {F:eq Y X}
    true.

- : eq-symmetric (eq/) (eq/).

%worlds () (eq-symmetric _ _).
%total { } (eq-symmetric _ _).


% eq is transitive.
%theorem eq-transitive :
    forall* {X} {Y} {Z}
    forall {E1:eq X Y} {E2:eq Y Z}
    exists {F:eq X Z}
    true.

- : eq-transitive (eq/) (eq/) (eq/).

%worlds () (eq-transitive _ _ _).
%total { } (eq-transitive _ _ _).



%%% theorems about ne

% From void any disequality follows (no cases, as for false-implies-eq).
%theorem false-implies-ne :
    forall* {X1} {X2}
    forall {F:void}
    exists {G:ne X1 X2}
    true.

%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).


% Equal terms may be substituted on both sides of ne.
%theorem ne-respects-eq :
    forall* {X1} {X2} {Y1} {Y2}
    forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {D2:ne Y1 Y2}
    true.

- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.

%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).


% ne B B is impossible: neither ne/TF nor ne/FT has equal arguments,
% so the theorem needs no cases.
%theorem ne-anti-reflexive :
    forall* {B}
    forall {R:ne B B}
    exists {F:void}
    true.

%worlds () (ne-anti-reflexive _ _).
%total { } (ne-anti-reflexive _ _).


% ne is symmetric.
%theorem ne-symmetric :
    forall* {B1} {B2}
    forall {R1:ne B1 B2}
    exists {R2:ne B2 B1}
    true.

- : ne-symmetric ne/TF ne/FT.
- : ne-symmetric ne/FT ne/TF.

%worlds () (ne-symmetric _ _).
%total { } (ne-symmetric _ _).


% eq and ne on the same pair are contradictory (no cases needed).
%theorem eq-ne-implies-false :
    forall* {B1} {B2}
    forall {D1:eq B1 B2} {D2:ne B1 B2}
    exists {F:void}
    true.

%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).



%%% theorems about eq?

% Effectiveness of eq?: every pair of booleans has a result.  The four cases
% enumerate all combinations of true/false.
%theorem eq?-total* :
    forall {B1} {B2}
    exists {B} {EQ?:eq? B1 B2 B}
    true.

- : eq?-total* true true _ (eq?/yes).
- : eq?-total* false false _ (eq?/yes).
- : eq?-total* true false _ (eq?/no ne/TF).
- : eq?-total* false true _ (eq?/no ne/FT).

%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).

% Variant of eq?-total* with the first three arguments left to be inferred.
%abbrev eq?-total = eq?-total* _ _ _.


% Prefixed aliases for every bool name declared above.
% NOTE(review): presumably these exist so that the bool versions stay
% reachable after later signatures redeclare the same names (the nat
% signature that follows declares its own eq, meta-eq, false-implies-eq,
% eq-symmetric and eq-transitive) -- confirm against the library's conventions.
%abbrev bool`bool = bool.
%abbrev bool`true = true.
%abbrev bool`false = false.
%abbrev bool`eq = eq.
%abbrev bool`eq/ = eq/.
%abbrev bool`ne = ne.
%abbrev bool`ne/TF = ne/TF.
%abbrev bool`ne/FT = ne/FT.
%abbrev bool`eq? = eq?.
%abbrev bool`eq?/yes = eq?/yes.
%abbrev bool`eq?/no = eq?/no.
%abbrev bool`false-implies-eq = false-implies-eq.
%abbrev bool`meta-eq = meta-eq.
%abbrev bool`eq-reflexive = eq-reflexive.
%abbrev bool`eq-symmetric = eq-symmetric.
%abbrev bool`eq-transitive = eq-transitive.
%abbrev bool`false-implies-ne = false-implies-ne.
%abbrev bool`ne-respects-eq = ne-respects-eq.
%abbrev bool`ne-anti-reflexive = ne-anti-reflexive.
%abbrev bool`ne-symmetric = ne-symmetric.
%abbrev bool`eq-ne-implies-false = eq-ne-implies-false.
%abbrev bool`eq?-total* = eq?-total*.
%abbrev bool`eq?-total = eq?-total.



%%%%% Natural numbers
%%%%% John Boyland
%%%%% Anyone may use, copy or modify this software without restriction

%%%%% This file requires std.elf

% The natural numbers signature comes in several pieces,
% all of which are concatenated in nat.elf:
%   - nat-base.elf (basic definitions, relations and operations)
%   - nat-comp.elf (composed orders: ge, ne)
%   - nat-inv.elf  (inverse operation: minus)
%   - nat-less.elf (inverse orders: lt, le)
%   - nat-inv-comp.elf (theorems about minus and composed relations)
%   - nat-inv-less.elf (theorems about minus and inverse orders)
%   - nat-divrem.elf (quotient/remainder operation)
%   - nat-minmax-elf (min/max operations)
% With the exception of the nat-inv-XXX.elf files,
% all later files depend on (require) only the nat-base.elf file.
% The nat-inv-XXX.elf files depend also on nat-inv.elf and nat-XXX.elf.
% The theorems in this signature mostly fall into the following groups:
%   false-implies-XXX: one can derive XXX after a contradiction
%   XXX-respects-eq: one can substitute equal terms in a relation XXX
%   XXX-total: effectiveness lemma for XXX
%   XXX-deterministic: uniqueness lemma for XXX
%   XXX-reflexive, XXX-symmetric, XXX-transitive: properties of an equivalence
%   XXX-anti-reflexive, XXX-anti-symmetric: properties of a partial order
%   XXX-commutative, XXX-associative: properties of a binary operation
%   XXX-left/right-distributes-over-YYY: distribution theorem
%   XXX-left/right-factors-over-YYY: converse of distribution theorem
%   XXX-left/right-preserves-ORD: If X ORD Y then we can apply Z to both sides
%   XXX-left/right-cancels: cancellation property of binary operator XXX
%   XXX-left/right-cancels-ORD: cancellation property w.r.t. order ORD
%   XXX-contradiction: case where XXX can never happen
%   XXX-implies-YYY: if XXX is true, we show YYY is true
%   TTT-converse: converse of theorem TTT
% Additionally there are varieties of theorems with star appended to the name.
% These versions of the theorems typically require more inputs.



%%%%% nat-base.elf
%%%%% Basic definitions, operations and theorems
%%%%% This file is part of the nat.elf signature


%%%% Definitions


%%% Natural numbers:
% Unary (Peano) representation: z is zero, s is successor.

nat : type.   %name nat N.

z : nat.
s : nat -> nat.

%freeze nat.



%%% Operations on natural numbers

% plus X Y Z relates X, Y and their sum Z; the rules recurse on the
% first argument.
plus : nat -> nat -> nat -> type.

plus/z : plus z Y Y.
plus/s : plus (s X) Y (s Z)
    <- plus X Y Z.


% times X Y Z relates X, Y and their product Z.  times/s builds (s X) * Y
% from T = X * Y followed by T + Y = Z.
times : nat -> nat -> nat -> type.

times/z : times z X z.
times/s : times (s X) Y Z
    <- plus T Y Z
    <- times X Y T.


% Equality on nat.  Declared after the bool version, it reuses the names
% eq and eq/.
eq : nat -> nat -> type.

eq/ : eq N N.


% gt M N: M is strictly greater than N.  gt/1 is the one-step case
% (s M > M); gt/> adds one more successor on the left.
gt : nat -> nat -> type.

gt/1 : gt (s M) M.
gt/> : gt (s M) N
    <- gt M N.



%%% Using the conditional for natural numbers

% compare M N C: C is equal, less or greater according to how M relates
% to N.  Note the argument order in compare/<: "less" is witnessed by gt N M.
compare : nat -> nat -> comp -> type.

compare/= : compare N N equal.
compare/< : compare M N less
    <- gt N M.
compare/> : compare M N greater
    <- gt M N.



%%%% Theorems


%%% Theorems about eq

% Tell the termination checker that the two arguments of a derivable
% eq are identical.
%reduces X = Y (eq X Y).
% Reading aid: names such as M>N, N1=N2 or SD+N=M in the cases and in the
% %worlds patterns below are ordinary Twelf variable identifiers chosen to
% suggest the type of the derivation they stand for; the characters >, = and +
% carry no meaning of their own there.  (In a few %worlds patterns the
% spelling does not match the type, e.g. M>N for an eq derivation in
% eq-symmetric; this is harmless because only the position matters.)

% Copy of eq as a three-argument theorem, with the same %reduces property.
%theorem meta-eq : forall {M} {N} {E:eq M N} true.

- : meta-eq N N eq/.

%worlds () (meta-eq _ _ _).
%total {} (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).


% From void any equality follows; no cases because void is uninhabited.
%theorem false-implies-eq :
    forall* {M} {N}
    forall {P:void}
    exists {Q:eq M N}
    true.

%worlds () (false-implies-eq _ M=N).
%total {} (false-implies-eq _ _).


% eq is symmetric.
%theorem eq-symmetric :
    forall* {M:nat} {N:nat}
    forall {E:eq M N}
    exists {F:eq N M}
    true.

- : eq-symmetric (eq/) (eq/).

%worlds () (eq-symmetric M>N N>M).
%total {} (eq-symmetric _ _).


% eq is transitive.
%theorem eq-transitive :
    forall* {M:nat} {N:nat} {P:nat}
    forall {E1:eq M N} {E2:eq N P}
    exists {F:eq M P}
    true.

- : eq-transitive (eq/) (eq/) (eq/).

%worlds () (eq-transitive M>N N>P M>P).
%total {} (eq-transitive _ _ _).


% Equal numbers have equal successors.
%theorem succ-deterministic :
    forall* {N1:nat} {N2:nat}
    forall {E:eq N1 N2}
    exists {F:eq (s N1) (s N2)}
    true.

- : succ-deterministic eq/ eq/.

%worlds () (succ-deterministic N1=N2 N1+1=N2+1).
%total {} (succ-deterministic E _).


% Converse: equal successors have equal predecessors.
%theorem succ-cancels :
    forall* {N1:nat} {N2:nat}
    forall {E:eq (s N1) (s N2)}
    exists {F:eq N1 N2}
    true.

- : succ-cancels eq/ eq/.

%worlds () (succ-cancels N1+1=N2+1 N1=N2).
%total {} (succ-cancels E _).


% Zero is never equal to a successor; eq/ cannot match, so there are no cases.
%theorem eq-contradiction :
    forall* {N}
    forall {E:eq z (s N)}
    exists {F:void}
    true.

%worlds () (eq-contradiction ZERO=N+1 _).
%total {} (eq-contradiction _ _).



%%% Theorems about gt

% Tell the termination checker that in a derivable gt N M the second
% argument is smaller than the first.
%reduces M < N (gt N M).


%% If we want to prove the termination of a theorem using gt,
%% we need the gt relation lifted to the meta level:
%theorem meta-gt : forall {M} {N} {G:gt M N} true.

- : meta-gt (s M) M (gt/1).
- : meta-gt (s M) N (gt/> G)
    <- meta-gt M N G.

%worlds () (meta-gt _ _ _).
%total M (meta-gt M _ _).
%reduces M < N (meta-gt N M _).


% From void any gt follows (no cases).
%theorem false-implies-gt :
    forall* {M} {N}
    forall {P:void}
    exists {Q:gt M N}
    true.

%worlds () (false-implies-gt _ M>N).
%total {} (false-implies-gt _ _).


% Equal terms may be substituted on both sides of gt.
%theorem gt-respects-eq :
    forall* {M1:nat} {M2:nat} {N1:nat} {N2:nat}
    forall {P:gt M1 N1} {E1:eq M1 M2} {E2:eq N1 N2}
    exists {Q:gt M2 N2}
    true.

- : gt-respects-eq M1>N1 eq/ eq/ M1>N1.

%worlds () (gt-respects-eq M1>N1 M1=M2 N1=N2 M2>N2).
%total {} (gt-respects-eq _ _ _ _).


% If X = s X' then X > X'.
%theorem succ-implies-gt :
    forall* {X} {X'}
    forall {E:eq X (s X')}
    exists {G:gt X X'}
    true.

- : succ-implies-gt eq/ gt/1.

%worlds () (succ-implies-gt X=sX' X>X').
%total {} (succ-implies-gt _ _).


% Every successor is greater than zero; by induction on M.
%theorem succ-implies-gt-zero:
    forall {M}
    exists {G:gt (s M) z}
    true.

- : succ-implies-gt-zero z gt/1.
- : succ-implies-gt-zero (s M) (gt/> SM>0)
    <- succ-implies-gt-zero M SM>0.

%worlds () (succ-implies-gt-zero M SM>0).
%total M (succ-implies-gt-zero M _).


% M > N implies s M > s N; by induction on the gt derivation.
%theorem succ-preserves-gt:
    forall* {M} {N}
    forall {G1:gt M N}
    exists {G2:gt (s M) (s N)}
    true.

- : succ-preserves-gt gt/1 gt/1.
- : succ-preserves-gt (gt/> M>N) (gt/> SM>SN)
    <- succ-preserves-gt M>N SM>SN.

%worlds () (succ-preserves-gt M>N SM>SN).
%total G1 (succ-preserves-gt G1 _).


% Converse: s M > s N implies M > N.
%theorem succ-preserves-gt-converse:
    forall* {M} {N}
    forall {G1:gt (s M) (s N)}
    exists {G2:gt M N}
    true.

- : succ-preserves-gt-converse gt/1 gt/1.
- : succ-preserves-gt-converse (gt/> SM>SN) (gt/> M>N)
    <- succ-preserves-gt-converse SM>SN M>N.

%worlds () (succ-preserves-gt-converse SM>SN M>N).
%total G1 (succ-preserves-gt-converse G1 _).


% The larger side of gt is a successor.  Both gt constructors have a
% first index of the form (s M), so each case returns that M with eq/.
%theorem gt-implies-positive :
    forall* {M} {N}
    forall {G:gt M N}
    exists {M'} {E:eq M (s M')}
    true.

- : gt-implies-positive gt/1 M eq/.
- : gt-implies-positive (gt/> (G:gt M N)) M eq/.

%worlds () (gt-implies-positive M>N M' M=sM').
%total {} (gt-implies-positive _ _ _).


% gt is anti-reflexive.  Only the successor case is written: the
% derivation is peeled with succ-preserves-gt-converse and the theorem
% recurses on the smaller M; no case is given for M = z.
%theorem gt-anti-reflexive* :
    forall {M} {G:gt M M}
    exists {F:void}
    true.

- : gt-anti-reflexive* (s M) (G:gt (s M) (s M)) F
    <- succ-preserves-gt-converse G G'
    <- gt-anti-reflexive* M G' F.

%worlds () (gt-anti-reflexive* M M>M _).
%total M (gt-anti-reflexive* M _ _).

% Variant with the number left to be inferred.
%abbrev gt-anti-reflexive = gt-anti-reflexive* _.


% gt is transitive; by induction on the first derivation.
%theorem gt-transitive :
    forall* {M} {N} {P}
    forall {G1:gt M N} {G2:gt N P}
    exists {G3:gt M P}
    true.

- : gt-transitive gt/1 G (gt/> G).
- : gt-transitive (gt/> M>N) N>P (gt/> M>P)
    <- gt-transitive M>N N>P M>P.

%worlds () (gt-transitive M>N N>P M>P).
%total (G1) (gt-transitive G1 _ _).


% gt is anti-symmetric: M > N and N > M give M > M by transitivity,
% which gt-anti-reflexive refutes.
%theorem gt-anti-symmetric :
    forall* {M} {N}
    forall {G1:gt M N} {G2:gt N M}
    exists {F:void}
    true.

- : gt-anti-symmetric M>N N>M F
    <- gt-transitive M>N N>M M>M
    <- gt-anti-reflexive M>M F.

%worlds () (gt-anti-symmetric M>N N>M _).
%total {} (gt-anti-symmetric _ _ _).


% If M > N then M = (s D) + N for some D.
%theorem gt-implies-plus :
    forall* {M} {N}
    forall {G:gt M N}
    exists {D} {P:plus (s D) N M}
    true.

- : gt-implies-plus gt/1 z (plus/s plus/z).
- : gt-implies-plus (gt/> M>N) (s D) (plus/s SD+N=M)
    <- gt-implies-plus M>N D SD+N=M.

%worlds () (gt-implies-plus M>N D SD+N=M).
%total G (gt-implies-plus G _ _).


% Zero is greater than nothing: both gt constructors require a successor
% on the left, so there are no cases.
%theorem gt-contradiction :
    forall* {M}
    forall {P:gt z M}
    exists {Q:void}
    true.

%worlds () (gt-contradiction ZERO>N _).
%total {} (gt-contradiction _ _).



%%% Theorems about compare

% From void any comparison result follows (no cases).
%theorem false-implies-compare :
    forall* {M} {N} {C}
    forall {P:void}
    exists {Q:compare M N C}
    true.

%worlds () (false-implies-compare _ _).
%total {} (false-implies-compare _ _).


% Adding a successor to both sides leaves the comparison result unchanged.
%theorem succ-preserves-compare :
    forall* {M} {N} {C}
    forall {CMP:compare M N C}
    exists {CMP':compare (s M) (s N) C}
    true.

- : succ-preserves-compare compare/= compare/=.
- : succ-preserves-compare (compare/< M>N) (compare/< M+1>N+1)
    <- succ-preserves-gt M>N M+1>N+1.
- : succ-preserves-compare (compare/> M>N) (compare/> M+1>N+1)
    <- succ-preserves-gt M>N M+1>N+1.

%worlds () (succ-preserves-compare _ _).
%total {} (succ-preserves-compare _ _).


% Effectiveness of compare: every pair of numbers has a result.  The four
% cases split on z / s for each argument; the last one recurses on M.
%theorem compare-total* :
    forall {M} {N}
    exists {CMP} {P:(compare M N CMP)}
    true.

- : compare-total* z z equal compare/=.
- : compare-total* z (s M) less (compare/< M+1>0)
    <- succ-implies-gt-zero M M+1>0.
- : compare-total* (s M) z greater (compare/> M+1>0)
    <- succ-implies-gt-zero M M+1>0.
- : compare-total* (s M) (s N) R M+1-R-N+1
    <- compare-total* M N R M-R-N
    <- succ-preserves-compare M-R-N M+1-R-N+1.

%worlds () (compare-total* _ _ _ _).
%total (M) (compare-total* M _ _ _).

% Variant with the first three arguments left to be inferred.
%abbrev compare-total = compare-total* _ _ _.


% A "greater" result carries a gt derivation.
%theorem greater-implies-gt :
    forall* {M} {N}
    forall {C:compare M N greater}
    exists {G:gt M N}
    true.

- : greater-implies-gt (compare/> G) G.

%worlds () (greater-implies-gt M>N M-gt-N).
%total C (greater-implies-gt C _).


% compare M N less is the same evidence as compare N M greater.
%theorem less-is-reverse-greater :
    forall* {M} {N}
    forall {C1:compare M N less}
    exists {C2:compare N M greater}
    true.

- : less-is-reverse-greater (compare/< G) (compare/> G).

% NOTE(review): the pattern below has one argument (MM) for a two-argument
% theorem.  This looks like extraction damage -- text between a '<' and the
% next '>' appears to have been dropped, as by an HTML tag stripper -- but
% the original spelling cannot be recovered from here; confirm against the
% upstream nat.elf.
%worlds () (less-is-reverse-greater MM).
%total C (less-is-reverse-greater C _).


% A "less" result carries a gt derivation with the arguments swapped.
%theorem less-implies-lt :
    forall* {M} {N}
    forall {C:compare M N less}
    exists {G:gt N M}
    true.

- : less-implies-lt (compare/< G) G.

% NOTE(review): the next line is malformed as it stands: the %worlds
% parenthesis is never closed and the text runs straight into what looks like
% the tail of a case of plus-left-preserves-gt*.  Presumably the same
% '<' ... '>' stripping removed everything in between.  No declarations of
% plus-total, plus-commutative, plus-deterministic, plus-right-identity or
% plus-left-preserves-gt* are visible elsewhere in this text although later
% proofs use them, so they may have been part of the lost span -- TODO restore
% from the upstream source; do not reconstruct by hand.
%worlds () (less-implies-lt MN2 plus/z plus/z N1>N2.

- : plus-left-preserves-gt* N1>N2 (plus/s M+N1=O1) (plus/s M+N2=O2) SO1>SO2
    <- plus-left-preserves-gt* N1>N2 M+N1=O1 M+N2=O2 O1>O2
    <- succ-preserves-gt O1>O2 SO1>SO2.

%worlds () (plus-left-preserves-gt* N1>N2 M+N1=O1 M+N2=O2 O1>O2).
%total P1 (plus-left-preserves-gt* _ P1 _ _).


% Left cancellation for gt: if X1 + Y > X2 + Z and X1 = X2 then Y > Z.
% By induction on the first plus derivation.
%theorem plus-left-cancels-gt :
    forall* {X1:nat} {X2:nat} {Y:nat} {Z:nat} {S1:nat} {S2:nat}
    forall {P1:plus X1 Y S1} {P2:plus X2 Z S2}
           {EX:eq X1 X2} {G1:gt S1 S2}
    exists {G2:gt Y Z}
    true.

- : plus-left-cancels-gt plus/z plus/z eq/ G G.
- : plus-left-cancels-gt (plus/s X+Y1=Z1) (plus/s X+Y2=Z2) eq/ SZ1>SZ2 Y1>Y2
    <- succ-preserves-gt-converse SZ1>SZ2 Z1>Z2
    <- plus-left-cancels-gt X+Y1=Z1 X+Y2=Z2 eq/ Z1>Z2 Y1>Y2.

%worlds () (plus-left-cancels-gt X1+Y1=Z1 X2+Y2=Z2 X1=X2 Z1>Z2 Y1>Y2).
%total P1 (plus-left-cancels-gt P1 _ _ _ _).


% Unstarred form of plus-left-preserves-gt*: the two sums are produced here
% with plus-total instead of being supplied by the caller.
%theorem plus-left-preserves-gt :
    forall* {X1} {X2} {X4}
    forall {G:gt X2 X4}
    exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:gt X3 X5}
    true.

- : plus-left-preserves-gt X2>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-gt* X2>X4 X1+X2=A3 X1+X4=X5 X3>X5.

%worlds () (plus-left-preserves-gt X2>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>X5).
%total {} (plus-left-preserves-gt _ _ _ _ _ _).
% Reading aid: names such as X1>X2 or X1+X3=X4 below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% If X1 > X2 then X1 + X3 > X2 + X3.  Proved by commuting both sums and
% applying the left-hand version.
%theorem plus-right-preserves-gt* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:gt X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5}
    exists {G2:gt X4 X5}
    true.

- : plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-gt* X1>X2 X3+X1=X4 X3+X2=X5 X4>X5.

%worlds () (plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5).
%total {} (plus-right-preserves-gt* _ _ _ _).


% Unstarred form: the two sums are outputs, produced with plus-total.
%theorem plus-right-preserves-gt :
    forall* {X1} {X2} {X3}
    forall {G1:gt X1 X2}
    exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:gt X4 X5}
    true.

- : plus-right-preserves-gt X1>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5.

%worlds () (plus-right-preserves-gt X1>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>X5).
%total {} (plus-right-preserves-gt _ _ _ _ _ _).


% If X1 > Y1 and X2 > Y2 then X1 + X2 > Y1 + Y2.  The proof goes through
% the intermediate sum X = Y1 + X2: X3 > X by the right-hand lemma,
% X > Y3 by the left-hand lemma, then transitivity.
%theorem plus-preserves-gt* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:gt X1 Y1} {G2:gt X2 Y2}
           {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3}
    exists {G3:gt X3 Y3}
    true.

- : plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3
    <- plus-total Y1+X2=X
    <- plus-right-preserves-gt* X1>Y1 X1+X2=X3 Y1+X2=X X3>X
    <- plus-left-preserves-gt* X2>Y2 Y1+X2=X Y1+Y2=Y3 X>Y3
    <- gt-transitive X3>X X>Y3 X3>Y3.

%worlds () (plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3).
%total {} (plus-preserves-gt* _ _ _ _ _).


% Unstarred form: the two sums are outputs, produced with plus-total.
%theorem plus-preserves-gt :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:gt X1 Y1} {G2:gt X2 Y2}
    exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:gt X3 Y3}
    true.

- : plus-preserves-gt X1>Y1 X2>Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>Y3
    <- plus-total X1+X2=X3
    <- plus-total Y1+Y2=Y3
    <- plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3.

%worlds () (plus-preserves-gt X1>Y1 X2>Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>Y3).
%total {} (plus-preserves-gt _ _ _ _ _ _ _).
% Reading aid: names such as X3>Y3 or M*1=M below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% Right cancellation for gt: if X1 + X2 > Y1 + Y2 and X2 = Y2 then X1 > Y1.
% Proved by commuting both sums and applying plus-left-cancels-gt.
%theorem plus-right-cancels-gt :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3}
           {E2:eq X2 Y2} {G3:gt X3 Y3}
    exists {G1:gt X1 Y1}
    true.

- : plus-right-cancels-gt X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>Y3 X1>Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-gt X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3>Y3 X1>Y1.

%worlds () (plus-right-cancels-gt X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>Y3 X1>Y1).
%total {} (plus-right-cancels-gt _ _ _ _ _).


% Adding a positive M to N gives something greater than N.  The second sum
% handed to plus-right-preserves-gt* is plus/z, i.e. z + N = N.
%theorem plus-implies-gt:
    forall* {M} {N} {O} {M'}
    forall {P:plus M N O} {E:eq M (s M')}
    exists {G:gt O N}
    true.

- : plus-implies-gt X+Y=Z eq/ Z>Y
    <- succ-implies-gt-zero _ X>0
    <- plus-right-preserves-gt* X>0 X+Y=Z plus/z Z>Y.

%worlds () (plus-implies-gt X+Y=Z X=sX' Z>Y).
%total {} (plus-implies-gt _ _ _).


% A summand is never greater than the sum.  The first case handles N = z
% (forced by the use of plus-right-identity together with the eq/ arguments
% of plus-deterministic); the second handles a successor N (forced by the
% eq/ passed to plus-implies-gt).
%theorem plus-gt-contradiction :
    forall* {M} {N} {O}
    forall {P:plus M N O} {G:gt M O}
    exists {F:void}
    true.

- : plus-gt-contradiction M+0=O M>O F
    <- plus-right-identity _ M+0=M
    <- plus-deterministic M+0=O M+0=M eq/ eq/ O=M
    <- gt-respects-eq M>O eq/ O=M M>M
    <- gt-anti-reflexive M>M F.

- : plus-gt-contradiction M+N=O M>O F
    % N > 0
    <- plus-commutative M+N=O N+M=O
    <- plus-implies-gt N+M=O eq/ O>M
    <- gt-anti-symmetric M>O O>M F.

%worlds () (plus-gt-contradiction M+N=O M>O _).
%total {} (plus-gt-contradiction _ _ _).



%%% Theorems about times

% From void any times derivation follows (no cases).
%theorem false-implies-times :
    forall* {M} {N} {O}
    forall {P:void}
    exists {Q:times M N O}
    true.

%worlds () (false-implies-times _ _).
%total {} (false-implies-times _ _).


% Equal terms may be substituted in all three positions of times.
%theorem times-respects-eq:
    forall* {M1:nat} {M2:nat} {N1:nat} {N2:nat} {P1:nat} {P2:nat}
    forall {P:times M1 N1 P1} {E1:eq M1 M2} {E2:eq N1 N2} {E3:eq P1 P2}
    exists {Q:times M2 N2 P2}
    true.

- : times-respects-eq M1*N1=P1 eq/ eq/ eq/ M1*N1=P1.

%worlds () (times-respects-eq M1*N1=P1 M1=M2 N1=N2 P1=P2 M2*N2=P2).
%total {} (times-respects-eq _ _ _ _ _).


% Effectiveness of times: every pair has a product.  By induction on the
% first factor.
%theorem times-total* :
    forall {N1:nat} {N2:nat}
    exists {N3:nat} {T:times N1 N2 N3}
    true.

- : times-total* z N2 z times/z.
- : times-total* (s X) Y Z (times/s X*Y=Z' Z'+Y=Z)
    <- times-total* X Y Z' X*Y=Z'
    <- plus-total Z'+Y=Z.

%worlds () (times-total* N1 N2 N3 N1*N2=N3).
%total (N1) (times-total* N1 _ _ _).

% Variant with the first three arguments left to be inferred.
%abbrev times-total = times-total* _ _ _.


% Uniqueness of times: equal factors give equal products.
%theorem times-deterministic :
    forall* {N1:nat} {N1':nat} {N2:nat} {N2':nat} {N3:nat} {N3':nat}
    forall {P:times N1 N2 N3} {P':times N1' N2' N3'}
           {E1:eq N1 N1'} {E2:eq N2 N2'}
    exists {E3:eq N3 N3'}
    true.

- : times-deterministic (times/z) (times/z) eq/ eq/ eq/.
- : times-deterministic (times/s X*Y=Z1 Z1+Y=Z1') (times/s X*Y=Z2 Z2+Y=Z2')
      eq/ eq/ Z1'=Z2'
    <- times-deterministic X*Y=Z1 X*Y=Z2 eq/ eq/ Z1=Z2
    <- plus-deterministic Z1+Y=Z1' Z2+Y=Z2' Z1=Z2 eq/ Z1'=Z2'.

%worlds () (times-deterministic X1*Y1=Z1 X2*Y2=Z2 X1=X2 Y1=Y2 Z1=Z2).
%total P (times-deterministic P _ _ _ _).


% 1 * N = N.
%theorem times-left-identity :
    forall {N:nat}
    exists {T:times (s z) N N}
    true.

- : times-left-identity N (times/s (times/z) plus/z).

%worlds () (times-left-identity N ONE*N=N).
%total {} (times-left-identity _ _).


% N * 1 = N; by induction on N.
%theorem times-right-identity :
    forall {N:nat}
    exists {T:times N (s z) N}
    true.

- : times-right-identity z times/z.
- : times-right-identity (s M) (times/s M*1=M M+1=sM)
    <- times-right-identity M M*1=M
    <- plus-right-identity M M+0=M
    <- plus-right-increase M+0=M M+1=sM.

%worlds () (times-right-identity N N*1=N).
%total M (times-right-identity M _).


% N * 0 = 0; by induction on N.
%theorem times-right-zero :
    forall {N:nat}
    exists {T:times N z z}
    true.

- : times-right-zero z times/z.
- : times-right-zero (s M) (times/s M*0=0 plus/z)
    <- times-right-zero M M*0=0.

%worlds () (times-right-zero N N*0=0).
%total M (times-right-zero M _).


% The product of two successors is a successor.  The case binds the types
% of its intermediate derivations explicitly.
%theorem times-preserves-positive:
    forall {M} {N}
    exists {P} {T:times (s M) (s N) (s P)}
    true.

-: {T1:times M (s N) O} {P1:plus O (s N) (s P)} {P2:plus O N P}
   times-preserves-positive M N P (times/s T1 P1)
    <- times-total T1
    <- plus-total P2
    <- plus-right-increase P2 P1.

%worlds () (times-preserves-positive M N P SM*SN=SP).
%total {} (times-preserves-positive _ _ _ _).
% Reading aid: names such as M*N=P or O'+sN'=P below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% Relational form of times-preserves-positive: given M * N = P with both
% factors known to be successors, P is a successor.
%theorem times-preserves-positive*:
    forall* {M} {N} {P} {M'} {N'}
    forall {T:times M N P} {M+:eq M (s M')} {N+:eq N (s N')}
    exists {P'} {P+:eq P (s P')}
    true.

- : times-preserves-positive* M*N=P M=sM' N=sN' P' P=sP'
    <- times-respects-eq M*N=P M=sM' N=sN' eq/
         (times/s M'*sN'=O' O'+sN'=P)
    <- plus-right-decrease O'+sN'=P P' P=sP' _.

%worlds () (times-preserves-positive* M*N=P M=sM' N=sN' P' P=sP').
%total {} (times-preserves-positive* _ _ _ _ _).


% Converse: if a product is a successor, both factors are successors.
% By induction on the times derivation.
%theorem times-positive-implies-positive :
    forall* {M} {N} {P} {P'}
    forall {T:times M N P} {P+:eq P (s P')}
    exists {M'} {M+:eq M (s M')} {N'} {N+:eq N (s N')}
    true.

- : times-positive-implies-positive (times/s M'*N=T plus/z) eq/ M' eq/ P' eq/.
- : times-positive-implies-positive
      (times/s M'*N=sT' (plus/s T'+N=P')) eq/ M' eq/ N' N=sN'
    <- times-positive-implies-positive M'*N=sT' eq/ _ _ N' N=sN'.

%worlds () (times-positive-implies-positive M*N=P P=sP' M' M=sM' N' N=sN').
%total T (times-positive-implies-positive T _ _ _ _ _).


% (s M) * N = M * N + N; this is just the times/s rule packaged as a theorem.
%theorem times-left-increase :
    forall* {M} {N} {O} {X}
    forall {T:times M N O} {P:plus O N X}
    exists {U:times (s M) N X}
    true.

- : times-left-increase T P (times/s T P).

%worlds () (times-left-increase M*N=O O+N=X SM*N=X).
%total {} (times-left-increase _ _ _).


% M * (s N) = M + M * N; by induction on the times derivation.
%theorem times-right-increase :
    forall* {M:nat} {N:nat} {O:nat} {X:nat}
    forall {T:times M N O} {P:plus M O X}
    exists {U:times M (s N) X}
    true.

- : times-right-increase times/z plus/z times/z.
- : {M*N=O:times M N O} {M+O=Z:plus M O Z}
    times-right-increase (times/s M*N=O O+N=O1) (plus/s M+O1=Y)
      (times/s M*sN=Z Z+sN=sY)
    <- plus-associative-converse O+N=O1 M+O1=Y Z M+O=Z Z+N=Y
    <- times-right-increase M*N=O M+O=Z M*sN=Z
    <- plus-right-increase Z+N=Y Z+sN=sY.

%worlds () (times-right-increase M*N=O M+O=X M*sN=X).
%total T (times-right-increase T _ _).


% Inverse of times-left-increase: unpack the premises of a times/s derivation.
%theorem times-left-decrease :
    forall* {X} {Y} {Z}
    forall {T1:times (s X) Y Z}
    exists {Z1} {T2:times X Y Z1} {P:plus Z1 Y Z}
    true.

- : times-left-decrease (times/s T P) _ T P.

%worlds () (times-left-decrease SX*Y=Z Z1 X*Y=Z1 Z1+Y=Z).
%total {} (times-left-decrease _ _ _ _).


% Inverse of times-right-increase: from M * (s N) = X obtain O = M * N
% with M + O = X.
%theorem times-right-decrease :
    forall* {M} {N} {X}
    forall {T:times M (s N) X}
    exists {O} {U:times M N O} {P:plus M O X}
    true.

- : times-right-decrease times/z z times/z plus/z.
- : times-right-decrease (times/s M*sN=Y Y+sN=X) O
      (times/s M*N=P P+N=O) SM+O=X
    <- times-right-decrease M*sN=Y P M*N=P M+P=Y
    <- plus-total P+N=O
    <- plus-right-increase P+N=O P+sN=sO
    <- plus-associative* M+P=Y Y+sN=X P+sN=sO M+sO=X
    <- plus-swap-succ-converse M+sO=X SM+O=X.

%worlds () (times-right-decrease M*sN=X O M*N=O M+O=X).
%total (T) (times-right-decrease T _ _ _).


% times is commutative; by induction on the times derivation.  The
% successor case spells out the types of all intermediate derivations.
%theorem times-commutative :
    forall* {N1} {N2} {N3}
    forall {T:times N1 N2 N3}
    exists {U:times N2 N1 N3}
    true.

- : times-commutative times/z T
    <- (times-right-zero N2 T).
- : {T1: times N1' N2 N3'} {P2: plus N3' N2 N3}
    {T1c: times N2 N1' N3'} {P2c: plus N2 N3' N3}
    {Tc: times N2 (s N1') N3}
    times-commutative (times/s T1 P2) Tc
    <- plus-commutative P2 P2c
    <- times-commutative T1 T1c
    <- times-right-increase T1c P2c Tc.

%worlds () (times-commutative N1*N2=N3 N2*N1=N3).
%total T (times-commutative T _).


% Right distribution: (N1 + N2) * N3 = N1 * N3 + N2 * N3, with the two
% partial products returned as outputs.  By induction on the plus derivation.
%theorem times-right-distributes-over-plus :
    forall* {N1} {N2} {N3} {N12} {N123}
    forall {P1:plus N1 N2 N12} {T1:times N12 N3 N123}
    exists {N13} {N23} {T13:times N1 N3 N13} {T23:times N2 N3 N23}
           {P123:plus N13 N23 N123}
    true.

- : times-right-distributes-over-plus plus/z Y*Z=YZ z YZ
      times/z Y*Z=YZ plus/z.
- : times-right-distributes-over-plus (plus/s X+Y=XY)
      (times/s XY*Z=XYZ XYZ+Z=SXYZ) SXZ YZ
      (times/s X*Z=XZ XZ+Z=SXZ) Y*Z=YZ SXZ+YZ=SXYZ
    <- times-right-distributes-over-plus X+Y=XY XY*Z=XYZ XZ YZ
         X*Z=XZ Y*Z=YZ XZ+YZ=XYZ
    <- plus-commutative XZ+YZ=XYZ YZ+XZ=XYZ
    <- plus-associative YZ+XZ=XYZ XYZ+Z=SXYZ SXZ XZ+Z=SXZ YZ+SXZ=SXYZ
    <- plus-commutative YZ+SXZ=SXYZ SXZ+YZ=SXYZ.

%worlds () (times-right-distributes-over-plus X+Y=XY XY*Z=XYZ XZ YZ
             X*Z=XZ Y*Z=YZ XZ+YZ=XYZ).
%total (P) (times-right-distributes-over-plus P _ _ _ _ _ _).
% Reading aid: names such as X1+X2=X3 or Y5=X5 below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% Starred right distribution: the two partial products are inputs.  The
% unstarred theorem yields its own products Y5 and Y6, which
% times-deterministic then identifies with the supplied X5 and X6.
%theorem times-right-distributes-over-plus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:plus X1 X2 X3} {M34:times X3 X4 X7}
           {M14:times X1 X4 X5} {M24:times X2 X4 X6}
    exists {A56:plus X5 X6 X7}
    true.

- : times-right-distributes-over-plus* X1+X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6
      X5+X6=X7
    <- times-right-distributes-over-plus X1+X2=X3 X3*X4=X7 Y5 Y6
         X1*X4=Y5 X2*X4=Y6 Y5+Y6=X7
    <- times-deterministic X1*X4=Y5 X1*X4=X5 eq/ eq/ Y5=X5
    <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6
    <- plus-respects-eq Y5+Y6=X7 Y5=X5 Y6=X6 eq/ X5+X6=X7.

%worlds () (times-right-distributes-over-plus* X1+X2=X3 X3*X4=X7
             X1*X4=X5 X2*X4=X6 X5+X6=X7).
%total {} (times-right-distributes-over-plus* _ _ _ _ _).


% Starred left distribution: X1 * (X2 + X4) = X1 * X2 + X1 * X4.  Obtained
% from the right-hand version by commuting all three products.
%theorem times-left-distributes-over-plus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:plus X2 X4 X6} {M34:times X1 X6 X7}
           {M14:times X1 X2 X3} {M24:times X1 X4 X5}
    exists {A56:plus X3 X5 X7}
    true.

- : times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5
      X3+X5=X7
    <- times-commutative X1*X6=X7 X6*X1=X7
    <- times-commutative X1*X2=X3 X2*X1=X3
    <- times-commutative X1*X4=X5 X4*X1=X5
    <- times-right-distributes-over-plus* X2+X4=X6 X6*X1=X7
         X2*X1=X3 X4*X1=X5 X3+X5=X7.

%worlds () (times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7
             X1*X2=X3 X1*X4=X5 X3+X5=X7).
%total {} (times-left-distributes-over-plus* _ _ _ _ _).


% Unstarred left distribution: the partial products are outputs, produced
% with times-total before the starred theorem is applied.
%theorem times-left-distributes-over-plus :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {A12:plus X2 X4 X6} {M34:times X1 X6 X7}
    exists {X3} {X5} {M14:times X1 X2 X3} {M24:times X1 X4 X5}
           {A56:plus X3 X5 X7}
    true.

- : times-left-distributes-over-plus X2+X4=X6 X1*X6=X7 X3 X5
      X1*X2=X3 X1*X4=X5 X3+X5=X7
    <- times-total X1*X2=X3
    <- times-total X1*X4=X5
    <- times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7
         X1*X2=X3 X1*X4=X5 X3+X5=X7.

%worlds () (times-left-distributes-over-plus X2+X4=X6 X1*X6=X7 X3 X5
             X1*X2=X3 X1*X4=X5 X3+X5=X7).
%total {} (times-left-distributes-over-plus _ _ _ _ _ _ _).
% Reading aid: names such as X1*X4=X5 or Y7=X7 below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% Right factoring (converse of right distribution): from X1 * X4 + X2 * X4 = X7
% obtain X3 = X1 + X2 with X3 * X4 = X7.  The proof computes the sum and a
% product Y7, distributes, and uses plus-deterministic to show Y7 = X7.
%theorem times-right-factors-over-plus :
    forall* {X1} {X2} {X4} {X5} {X6} {X7}
    forall {M14:times X1 X4 X5} {M24:times X2 X4 X6} {A56:plus X5 X6 X7}
    exists {X3} {A12:plus X1 X2 X3} {M34:times X3 X4 X7}
    true.

- : times-right-factors-over-plus X1*X4=X5 X2*X4=X6 X5+X6=X7 X3
      X1+X2=X3 X3*X4=X7
    <- plus-total X1+X2=X3
    <- times-total X3*X4=Y7
    <- times-right-distributes-over-plus* X1+X2=X3 X3*X4=Y7
         X1*X4=X5 X2*X4=X6 X5+X6=Y7
    <- plus-deterministic X5+X6=Y7 X5+X6=X7 eq/ eq/ Y7=X7
    <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.

%worlds () (times-right-factors-over-plus X1*X4=X5 X2*X4=X6 X5+X6=X7 X3
             X1+X2=X3 X3*X4=X7 ).
%total {} (times-right-factors-over-plus _ _ _ _ _ _).


% Starred right factoring: the sum X1 + X2 = X3 is an input instead of
% an output; otherwise the proof is the same.
%theorem times-right-factors-over-plus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M14:times X1 X4 X5} {M24:times X2 X4 X6} {A56:plus X5 X6 X7}
           {A12:plus X1 X2 X3}
    exists {M34:times X3 X4 X7}
    true.

- : times-right-factors-over-plus* X1*X4=X5 X2*X4=X6 X5+X6=X7 X1+X2=X3
      X3*X4=X7
    <- times-total X3*X4=Y7
    <- times-right-distributes-over-plus* X1+X2=X3 X3*X4=Y7
         X1*X4=X5 X2*X4=X6 X5+X6=Y7
    <- plus-deterministic X5+X6=Y7 X5+X6=X7 eq/ eq/ Y7=X7
    <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.

%worlds () (times-right-factors-over-plus* X1*X4=X5 X2*X4=X6 X5+X6=X7
             X1+X2=X3 X3*X4=X7 ).
%total {} (times-right-factors-over-plus* _ _ _ _ _).


% Left factoring: from X1 * X2 + X1 * X4 = X7 obtain X6 = X2 + X4 with
% X1 * X6 = X7.  Obtained from right factoring by commuting the products.
%theorem times-left-factors-over-plus :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {M12:times X1 X2 X3} {M14:times X1 X4 X5} {A35:plus X3 X5 X7}
    exists {X6} {A24:plus X2 X4 X6} {M16:times X1 X6 X7}
    true.

- : times-left-factors-over-plus X1*X2=X3 X1*X4=X5 X3+X5=X7 X6
      X2+X4=X6 X1*X6=X7
    <- times-commutative X1*X2=X3 X2*X1=X3
    <- times-commutative X1*X4=X5 X4*X1=X5
    <- times-right-factors-over-plus X2*X1=X3 X4*X1=X5 X3+X5=X7 X6
         X2+X4=X6 X6*X1=X7
    <- times-commutative X6*X1=X7 X1*X6=X7.

%worlds () (times-left-factors-over-plus X1*X2=X3 X1*X4=X5 X3+X5=X7 X6
             X2+X4=X6 X1*X6=X7).
%total {} (times-left-factors-over-plus _ _ _ _ _ _).
% Reading aid: names such as X1*X6=Y7 or N23'=N23 below are ordinary Twelf
% variable identifiers chosen to suggest the type of the derivation they
% stand for.

% Starred left factoring: the sum X2 + X4 = X6 is an input.  The proof
% computes a product Y7, distributes, and uses plus-deterministic to show
% Y7 = X7.
%theorem times-left-factors-over-plus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M12:times X1 X2 X3} {M14:times X1 X4 X5} {A35:plus X3 X5 X7}
           {A24:plus X2 X4 X6}
    exists {M16:times X1 X6 X7}
    true.

- : times-left-factors-over-plus* X1*X2=X3 X1*X4=X5 X3+X5=X7 X2+X4=X6
      X1*X6=X7
    <- times-total X1*X6=Y7
    <- times-left-distributes-over-plus* X2+X4=X6 X1*X6=Y7
         X1*X2=X3 X1*X4=X5 X3+X5=Y7
    <- plus-deterministic X3+X5=Y7 X3+X5=X7 eq/ eq/ Y7=X7
    <- times-respects-eq X1*X6=Y7 eq/ eq/ Y7=X7 X1*X6=X7.

%worlds () (times-left-factors-over-plus* X1*X2=X3 X1*X4=X5 X3+X5=X7
             X2+X4=X6 X1*X6=X7).
%total {} (times-left-factors-over-plus* _ _ _ _ _).


% times is associative: (N1 * N2) * N3 = N1 * (N2 * N3), with the inner
% product N2 * N3 returned as an output.  By induction on the first
% derivation.  In the successor case the recursive call yields its own
% N23' and derivations T4', T5'; times-deterministic identifies N23' with
% the N23 obtained from distribution so that T5' can be retyped as T5.
%theorem times-associative:
    forall* {N1} {N2} {N3} {N12} {N123}
    forall {T1:times N1 N2 N12} {T12:times N12 N3 N123}
    exists {N23} {T2:times N2 N3 N23} {T123:times N1 N23 N123}
    true.

- : {T2:times N2 N3 N23}
    times-associative times/z times/z N23 T2 times/z
    <- times-total T2.

- : {T1:times N1' N2 N1'2} {P2:plus N1'2 N2 N12}
    {T3:times N12 N3 N123} {T4:times N2 N3 N23}
    {T5:times N1' N23 N1'23} {P6:plus N1'23 N23 N123}
    {T7:times N1'2 N3 N1'23}
    times-associative (times/s T1 P2) T3 N23 T4 (times/s T5 P6)
    <- times-right-distributes-over-plus P2 T3 N1'23 N23 T7 T4 P6
    <- times-associative T1 T7 N23' T4' T5'
    <- times-deterministic T4' T4 eq/ eq/ N23'=N23
    <- times-respects-eq T5' eq/ N23'=N23 eq/ T5.

%worlds () (times-associative _ _ _ _ _).
%total T1 (times-associative T1 _ _ _ _).


% Starred associativity: the inner product X2 * X3 = X23 is an input.
%theorem times-associative* :
    forall* {X1} {X2} {X12} {X3} {X23} {X123}
    forall {OP12:times X1 X2 X12} {OP12-3:times X12 X3 X123}
           {OP23:times X2 X3 X23}
    exists {OP1-23:times X1 X23 X123}
    true.

- : times-associative* X1*X2=X3 X3*X4=X7 X2*X4=X6 X1*X6=X7
    <- times-associative X1*X2=X3 X3*X4=X7 Y6 X2*X4=Y6 X1*Y6=X7
    <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6
    <- times-respects-eq X1*Y6=X7 eq/ Y6=X6 eq/ X1*X6=X7.

%worlds () (times-associative* _ _ _ _).
%total {} (times-associative* _ _ _ _).
% Converse direction of associativity: from X2*X4=X6 and X1*X6=X7 produce X3
% with X1*X2=X3 and X3*X4=X7.  Proved by commuting every product and reusing
% times-associative.
%theorem times-associative-converse :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {OP24:times X2 X4 X6} {OP16:times X1 X6 X7}
    exists {X3} {OP12:times X1 X2 X3} {OP34:times X3 X4 X7}
    true.

- : times-associative-converse X2*X4=X6 X1*X6=X7 _ X1*X2=X3 X3*X4=X7
    <- times-commutative X2*X4=X6 X4*X2=X6
    <- times-commutative X1*X6=X7 X6*X1=X7
    <- times-associative X4*X2=X6 X6*X1=X7 _ X2*X1=X3 X4*X3=X7
    <- times-commutative X2*X1=X3 X1*X2=X3
    <- times-commutative X4*X3=X7 X3*X4=X7.

%worlds () (times-associative-converse X2*X4=X6 X1*X6=X7 X3 X1*X2=X3 X3*X4=X7).
%total {} (times-associative-converse _ _ _ _ _).


% Variant of times-associative-converse in which X1*X2=X3 is an input.
%theorem times-associative-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {OP24:times X2 X4 X6} {OP16:times X1 X6 X7} {OP12:times X1 X2 X3}
    exists {OP34:times X3 X4 X7}
    true.

- : times-associative-converse* X2*X4=X6 X1*X6=X7 X1*X2=X3 X3*X4=X7
    <- times-associative-converse X2*X4=X6 X1*X6=X7 X3P X1*X2=X3P X3P*X4=X7
    <- times-deterministic X1*X2=X3P X1*X2=X3 eq/ eq/ X3P=X3
    <- times-respects-eq X3P*X4=X7 X3P=X3 eq/ eq/ X3*X4=X7.

%worlds () (times-associative-converse* X2*X4=X6 X1*X6=X7 X1*X2=X3 X3*X4=X7).
%total {} (times-associative-converse* _ _ _ _).


% Swapping the two right-hand factors: from X1*X2=X3, X3*X4=X7 and X1*X4=X5
% conclude X5*X2=X7, i.e. (X1*X2)*X4 = (X1*X4)*X2.
%theorem times-assoc-commutative* :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {OP1:times X1 X2 X3} {OP2:times X3 X4 X7} {OP3:times X1 X4 X5}
    exists {OP4:times X5 X2 X7}
    true.

- : times-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 X5*X2=X7
    <- times-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7
    <- times-commutative X2*X4=X6 X4*X2=X6
    <- times-associative-converse* X4*X2=X6 X1*X6=X7 X1*X4=X5 X5*X2=X7.

%worlds () (times-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 X5*X2=X7).
%total {} (times-assoc-commutative* _ _ _ _).


% Existential form of times-assoc-commutative*: the product X1*X4=X5 is
% produced instead of being required as an input.
%theorem times-assoc-commutative :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {OP1:times X1 X2 X3} {OP2:times X3 X4 X7}
    exists {X5} {OP3:times X1 X4 X5} {OP4:times X5 X2 X7}
    true.

- : times-assoc-commutative X1*X2=X3 X3*X4=X7 X5 X1*X4=X5 X5*X2=X7
    <- times-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7
    <- times-commutative X2*X4=X6 X4*X2=X6
    <- times-associative-converse X4*X2=X6 X1*X6=X7 X5 X1*X4=X5 X5*X2=X7.

%worlds () (times-assoc-commutative X1*X2=X3 X3*X4=X7 X5 X1*X4=X5 X5*X2=X7).
%total {} (times-assoc-commutative _ _ _ _ _).


% Regrouping a product of two products: (A*B)*(C*D) = (A*C)*(B*D).
% NOTE: the implicit variables named A+B, C+D, A+C and B+D are only names;
% every relation in this statement is `times`, so they stand for products.
%theorem times-double-associative* :
    forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X}
    forall {AB:times A B A+B} {CD:times C D C+D} {ABCD:times A+B C+D X}
           {AC:times A C A+C} {BD:times B D B+D}
    exists {ACBD:times A+C B+D X}
    true.

- : times-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA X5*XA=XF
    <- times-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF
    <- times-commutative X4*X8=XC X8*X4=XC
    <- times-associative-converse* X8*X4=XC X2*XC=XE X2*X8=XA XA*X4=XE
    <- times-commutative XA*X4=XE X4*XA=XE
    <- times-associative-converse* X4*XA=XE X1*XE=XF X1*X4=X5 X5*XA=XF.

%worlds () (times-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA X5*XA=XF).
%total {} (times-double-associative* _ _ _ _ _ _).


% Existential form of times-double-associative*: the products A*C and B*D are
% produced as outputs.  The same caveat about the `+` in variable names applies.
%theorem times-double-associative :
    forall* {A} {B} {C} {D} {A+B} {C+D} {X}
    forall {AB:times A B A+B} {CD:times C D C+D} {ABCD:times A+B C+D X}
    exists {A+C} {B+D} {AC:times A C A+C} {BD:times B D B+D} {ACBD:times A+C B+D X}
    true.

- : times-double-associative X1*X2=X3 X4*X8=XC X3*XC=XF X5 XA X1*X4=X5 X2*X8=XA X5*XA=XF
    <- times-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF
    <- times-commutative X4*X8=XC X8*X4=XC
    <- times-associative-converse X8*X4=XC X2*XC=XE XA X2*X8=XA XA*X4=XE
    <- times-commutative XA*X4=XE X4*XA=XE
    <- times-associative-converse X4*XA=XE X1*XE=XF X5 X1*X4=X5 X5*XA=XF.

%worlds () (times-double-associative _ _ _ _ _ _ _ _).
%total { } (times-double-associative _ _ _ _ _ _ _ _).


% Right cancellation by a nonzero factor: from X1*(s Y1)=Z1, X2*(s Y2)=Z2,
% Y1=Y2 and Z1=Z2 conclude X1=X2.  Totality is checked by induction on T1.
%theorem times-right-cancels:
    forall* {X1} {Y1} {Z1} {X2} {Y2} {Z2}
    forall {T1:times X1 (s Y1) Z1} {T2:times X2 (s Y2) Z2}
           {EY:eq Y1 Y2} {EZ:eq Z1 Z2}
    exists {EX:eq X1 X2}
    true.

% Both products built with times/z.
- : times-right-cancels times/z times/z EY eq/ eq/.

% Both products built with times/s: cancel the trailing addition of the
% factor, recurse on the smaller products, then lift the equality through s.
- : {T1:times X1 (s Y1) Z1'} {P1: plus Z1' (s Y1) Z1}
    {T2:times X2 (s Y2) Z2'} {P2: plus Z2' (s Y2) Z2}
    {EY: eq Y1 Y2} {EZ: eq Z1 Z2} {EX: eq X1 X2}
    times-right-cancels (times/s T1 P1) (times/s T2 P2) EY EZ EX'
    <- succ-deterministic EY EY'
    <- plus-right-cancels P1 P2 EY' EZ EZ'
    <- times-right-cancels T1 T2 EY EZ' EX
    <- succ-deterministic EX EX'.

%worlds () (times-right-cancels X1*sY1=Z1 X2*sY2=Z2 Y1=Y2 Z1=Z2 X1=X2).
%total T1 (times-right-cancels T1 _ _ _ _).


% Variant of times-right-cancels where both products share the factor Y and
% its being nonzero is given as an equality Y = s Y-1.
%theorem times-right-cancels*:
    forall* {X1} {Y} {Y-1} {Z1} {X2} {Z2}
    forall {T1:times X1 Y Z1} {T2:times X2 Y Z2}
           {EY:eq Y (s Y-1)} {EZ:eq Z1 Z2}
    exists {EX:eq X1 X2}
    true.

- : times-right-cancels* X1*Y=Z1 X2*Y=Z2 Y+ Z1=Z2 X1=X2
    <- times-respects-eq X1*Y=Z1 eq/ Y+ eq/ X1*Y+=Z1
    <- times-respects-eq X2*Y=Z2 eq/ Y+ eq/ X2*Y+=Z2
    <- times-right-cancels X1*Y+=Z1 X2*Y+=Z2 eq/ Z1=Z2 X1=X2.

%worlds () (times-right-cancels* X1*Y=Z1 X2*Y=Z2 Y+ Z1=Z2 X1=X2).
%total {} (times-right-cancels* _ _ _ _ _).


% Variant of times-right-cancels where the shared product Z is known to be
% nonzero (Z = s Z-) instead of the factor.
%theorem times-right-cancels**:
    forall* {X1} {Y1} {Z} {X2} {Y2} {Z-}
    forall {T1:times X1 Y1 Z} {T2:times X2 Y2 Z}
           {EY:eq Y1 Y2} {EZ:eq Z (s Z-)}
    exists {EX:eq X1 X2}
    true.

% Presumably the case where the right factor is zero (the variable names and
% the use of times-right-zero suggest so): a zero product would equal a
% successor, which is turned into a contradiction and then into the goal.
- : times-right-cancels** X1*0=sZ X2*0=sZ eq/ eq/ X1=X2
    <- times-right-zero _ X1*0=0
    <- times-deterministic X1*0=0 X1*0=sZ eq/ eq/ ZERO=sZ
    <- succ-implies-gt ZERO=sZ ZERO>sZ
    <- gt-contradiction ZERO>sZ F
    <- false-implies-eq F X1=X2.

% Nonzero right factor: delegate to times-right-cancels.
- : times-right-cancels** X1*Y1-=sZ X2*Y1-=sZ eq/ eq/ X1=X2
    <- times-right-cancels X1*Y1-=sZ X2*Y1-=sZ eq/ eq/ X1=X2.

%worlds () (times-right-cancels** X1*Y1=Z X2*Y2=Z Y1=Y2 Z+ X1=X2).
%total {} (times-right-cancels** _ _ _ _ _).


% Left cancellation by a nonzero factor: from (s X1)*Y1=Z1, (s X2)*Y2=Z2,
% X1=X2 and Z1=Z2 conclude Y1=Y2.  Reduced to times-right-cancels by
% commuting both products.
%theorem times-left-cancels :
    forall* {X1} {Y1} {Z1} {X2} {Y2} {Z2}
    forall {T1:times (s X1) Y1 Z1} {T2:times (s X2) Y2 Z2}
           {E1:eq X1 X2} {E2:eq Z1 Z2}
    exists {F:eq Y1 Y2}
    true.

- : times-left-cancels SX1*Y1=Z1 SX2*Y2=Z2 X1=X2 Z1=Z2 Y1=Y2
    <- times-commutative SX1*Y1=Z1 Y1*sX1=Z1
    <- times-commutative SX2*Y2=Z2 Y2*sX2=Z2
    <- times-right-cancels Y1*sX1=Z1 Y2*sX2=Z2 X1=X2 Z1=Z2 Y1=Y2.

%worlds () (times-left-cancels SX1*Y1=Z1 SX2*Y2=Z2 X1=X2 Z1=Z2 Y1=Y2).
%total {} (times-left-cancels _ _ _ _ _).


% Variant of times-left-cancels where both products share the factor X and
% its being nonzero is given as an equality X = s X-.
%theorem times-left-cancels* :
    forall* {X} {Y1} {Z1} {X-} {Y2} {Z2}
    forall {T1:times X Y1 Z1} {T2:times X Y2 Z2}
           {E1:eq X (s X-)} {E2:eq Z1 Z2}
    exists {F:eq Y1 Y2}
    true.

- : times-left-cancels* X*Y1=Z1 X*Y2=Z2 X+ Z1=Z2 Y1=Y2
    <- times-commutative X*Y1=Z1 Y1*X=Z1
    <- times-commutative X*Y2=Z2 Y2*X=Z2
    <- times-right-cancels* Y1*X=Z1 Y2*X=Z2 X+ Z1=Z2 Y1=Y2.

%worlds () (times-left-cancels* X*Y1=Z1 X*Y2=Z2 X+ Z1=Z2 Y1=Y2).
%total {} (times-left-cancels* _ _ _ _ _).


% Multiplying on the left by a nonzero number preserves gt: from N1>N2,
% (s M)*N1=P1 and (s M)*N2=P2 conclude P1>P2.  Totality is checked by
% induction on T1.
%theorem times-left-preserves-gt :
    forall* {M} {N1} {N2} {P1} {P2}
    forall {GN:gt N1 N2} {T1:times (s M) N1 P1} {T2:times (s M) N2 P2}
    exists {GP:gt P1 P2}
    true.

% Base case: each product is times/s applied to times/z and plus/z, so the
% products are N1 and N2 themselves and the input gt is returned unchanged.
- : times-left-preserves-gt N1>N2 (times/s times/z plus/z) (times/s times/z plus/z) N1>N2.

% Step case: recurse on the inner products, then add N1 and N2 on both sides.
- : times-left-preserves-gt N1>N2
        (times/s (T1:times (s M) N1 X1) X1+N1=O1)
        (times/s (T2:times (s M) N2 X2) X2+N2=O2) O1>O2
    <- times-left-preserves-gt N1>N2 T1 T2 X1>X2
    <- plus-preserves-gt* X1>X2 N1>N2 X1+N1=O1 X2+N2=O2 O1>O2.

%worlds () (times-left-preserves-gt N1>N2 SM*N1=P1 SM*N2=P2 P1>P2).
%total T1 (times-left-preserves-gt _ T1 _ _).


% Variant of times-left-preserves-gt where the left factor M is shown to be
% nonzero by an equality M = s M-.
%theorem times-left-preserves-gt* :
    forall* {M} {M-} {N1} {N2} {P1} {P2}
    forall {GN:gt N1 N2} {T1:times M N1 P1} {T2:times M N2 P2} {M+:eq M (s M-)}
    exists {GP:gt P1 P2}
    true.

- : times-left-preserves-gt* N1>N2 M*N1=P1 M*N2=P2 M+ P1>P2
    <- times-respects-eq M*N1=P1 M+ eq/ eq/ SM-*N1=P1
    <- times-respects-eq M*N2=P2 M+ eq/ eq/ SM-*N2=P2
    <- times-left-preserves-gt N1>N2 SM-*N1=P1 SM-*N2=P2 P1>P2.

%worlds () (times-left-preserves-gt* N1>N2 M*N1=P1 M*N2=P2 M+ P1>P2).
%total {} (times-left-preserves-gt* _ _ _ _ _).
% Multiplying on the right by a nonzero number preserves gt: from M1>M2,
% M1*(s N)=P1 and M2*(s N)=P2 conclude P1>P2.  Reduced to
% times-left-preserves-gt by commuting both products.
%theorem times-right-preserves-gt :
    forall* {M1} {M2} {N} {P1} {P2}
    forall {G1:gt M1 M2} {T1:times M1 (s N) P1} {T2:times M2 (s N) P2}
    exists {G2:gt P1 P2}
    true.

- : times-right-preserves-gt M1>M2 M1*sN=P1 M2*sN=P2 P1>P2
    <- times-commutative M1*sN=P1 SN*M1=P1
    <- times-commutative M2*sN=P2 SN*M2=P2
    <- times-left-preserves-gt M1>M2 SN*M1=P1 SN*M2=P2 P1>P2.

%worlds () (times-right-preserves-gt M1>M2 M1*sN=P1 M2*sN=P2 P1>P2).
%total {} (times-right-preserves-gt _ _ _ _).


% Variant of times-right-preserves-gt where the right factor N is shown to be
% nonzero by an equality N = s N-1.
%theorem times-right-preserves-gt* :
    forall* {M1} {M2} {N} {N-1} {P1} {P2}
    forall {G1:gt M1 M2} {T1:times M1 N P1} {T2:times M2 N P2} {N+:eq N (s N-1)}
    exists {G2:gt P1 P2}
    true.

- : times-right-preserves-gt* M1>M2 M1*N=P1 M2*N=P2 N=sN-1 P1>P2
    <- times-respects-eq M1*N=P1 eq/ N=sN-1 eq/ M1*N+=P1
    <- times-respects-eq M2*N=P2 eq/ N=sN-1 eq/ M2*N+=P2
    <- times-right-preserves-gt M1>M2 M1*N+=P1 M2*N+=P2 P1>P2.

%worlds () (times-right-preserves-gt* M1>M2 M1*N=P1 M2*N=P2 N=sN-1 P1>P2).
%total {} (times-right-preserves-gt* _ _ _ _ _).


% gt is preserved when both factors grow: from M1>M2, N1>N2, M1*N1=P1 and
% M2*N2=P2 conclude P1>P2.  The two cases split on whether N2 is z or s N2'.
%theorem times-preserves-gt :
    forall* {M1} {N1} {P1} {M2} {N2} {P2}
    forall {GM:gt M1 M2} {GN:gt N1 N2} {T1:times M1 N1 P1} {T2:times M2 N2 P2}
    exists {GP:gt P1 P2}
    true.

% Case N2 = z: gt-implies-positive rewrites M1 as s M1', so that
% times-left-preserves-gt applies against the zero product (s M1')*z.  The
% second product is only known as some 0' with 0=0', hence the final
% gt-respects-eq.
- : {0=0': eq z _}
    times-preserves-gt (M1>M2:gt M1 M2) (N1>0:gt N1 z) (M1*N1=P1:times M1 N1 P1) M2*0=0' P1>0'
    <- gt-implies-positive M1>M2 M1' M1=sM1'
    <- times-respects-eq M1*N1=P1 M1=sM1' eq/ eq/ SM1'*N1=P1
    <- times-right-zero M2 M2*0=0
    <- times-deterministic M2*0=0 M2*0=0' eq/ eq/ 0=0'
    <- times-right-zero (s M1') SM1'*0=0
    <- times-left-preserves-gt N1>0 SM1'*N1=P1 SM1'*0=0 P1>0
    <- gt-respects-eq P1>0 eq/ 0=0' P1>0'.

% Case N2 = s N2': go through the intermediate product PX = M1*(s N2'),
% showing P1>PX (left factor fixed) and PX>P2 (right factor fixed), and
% combine the two with gt-transitive.
- : times-preserves-gt M1>M2 (N1>sN2':gt N1 (s N2')) M1*N1=P1 M2*sN2'=P2 P1>P2
    <- gt-implies-positive M1>M2 M1' M1=sM1'
    <- times-respects-eq M1*N1=P1 M1=sM1' eq/ eq/ SM1'*N1=P1
    <- times-total (SM1'*sN2'=PX:times (s M1') (s N2') _)
    <- times-left-preserves-gt N1>sN2' SM1'*N1=P1 SM1'*sN2'=PX P1>PX
    <- eq-symmetric M1=sM1' SM1'=M1
    <- times-respects-eq SM1'*sN2'=PX SM1'=M1 eq/ eq/ M1*sN2'=PX
    <- times-right-preserves-gt M1>M2 M1*sN2'=PX M2*sN2'=P2 PX>P2
    <- gt-transitive P1>PX PX>P2 P1>P2.

%worlds () (times-preserves-gt M1>M2 N1>N2 M1*N1=P1 M2*N2=P2 P1>P2).
%total {} (times-preserves-gt _ _ _ _ _).


% Right cancellation for gt: from X1*Y1=Z1, X2*Y2=Z2, Y1=Y2 and Z1>Z2
% conclude X1>X2.  The termination argument is [P1 P2].
%theorem times-right-cancels-gt :
    forall* {X1:nat} {X2:nat} {Y1:nat} {Y2:nat} {Z1:nat} {Z2:nat}
    forall {P1:times X1 Y1 Z1} {P2:times X2 Y2 Z2} {EY:eq Y1 Y2} {G1:gt Z1 Z2}
    exists {G2:gt X1 X2}
    true.

% Second product is times/z: the left factor of the first product is a
% successor, which is greater than zero.
- : times-right-cancels-gt (times/s X1*Y=N1 N1+Y=Z1) times/z eq/ Z1>0 SX1>0
    <- succ-implies-gt-zero _ SX1>0.

% Both products built with times/s: cancel the trailing addition of Y,
% recurse, then lift the result through s.
- : times-right-cancels-gt (times/s X1*Y=N1 N1+Y=Z1) (times/s X2*Y=N2 N2+Y=Z2) eq/ Z1>Z2 SX1>SX2
    <- plus-right-cancels-gt N1+Y=Z1 N2+Y=Z2 eq/ Z1>Z2 N1>N2
    <- times-right-cancels-gt X1*Y=N1 X2*Y=N2 eq/ N1>N2 X1>X2
    <- succ-preserves-gt X1>X2 SX1>SX2.

%worlds () (times-right-cancels-gt X1*Y1=Z1 X2*Y2=Z2 Y1=Y2 Z1>Z2 X1>X2).
%total [P1 P2] (times-right-cancels-gt P1 P2 _ _ _).


% Left cancellation for gt: from X1*Y1=Z1, X2*Y2=Z2, X1=X2 and Z1>Z2
% conclude Y1>Y2.  Reduced to times-right-cancels-gt by commuting both
% products.
%theorem times-left-cancels-gt :
    forall* {X1:nat} {X2:nat} {Y1:nat} {Y2:nat} {Z1:nat} {Z2:nat}
    forall {P1:times X1 Y1 Z1} {P2:times X2 Y2 Z2} {EX:eq X1 X2} {G1:gt Z1 Z2}
    exists {G2:gt Y1 Y2}
    true.

- : times-left-cancels-gt X1*Y1=Z1 X2*Y2=Z2 X1=X2 Z1>Z2 Y1>Y2
    <- times-commutative X1*Y1=Z1 Y1*X1=Z1
    <- times-commutative X2*Y2=Z2 Y2*X2=Z2
    <- times-right-cancels-gt Y1*X1=Z1 Y2*X2=Z2 X1=X2 Z1>Z2 Y1>Y2.

%worlds () (times-left-cancels-gt X1*Y1=Z1 X2*Y2=Z2 X1=X2 Z1>Z2 Y1>Y2).
%total P1 (times-left-cancels-gt P1 _ _ _ _).



%%%%% nat-inv.elf
%%%%% Minus for natural numbers
%%%%% This file is part of the nat.elf signature



%%%% Definitions


% minus X1 X2 X3 (read X1 - X2 = X3) is an abbreviation for plus X3 X2 X1,
% so a derivation of X1 - X2 = X3 is literally a derivation of X3 + X2 = X1.
%abbrev minus = [X1] [X2] [X3] plus X3 X2 X1.
%%%% Theorems


%%% Theorems about minus


% minus is an abbreviation for plus with permuted arguments, so the plus lemma
% is reused under a minus name.
%abbrev false-implies-minus = false-implies-plus.


% minus respects equality in all three arguments.
%theorem minus-respects-eq :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {D:minus X1 X2 X3} {E1:eq X1 X4} {E2:eq X2 X5} {E3:eq X3 X6}
    exists {DP:minus X4 X5 X6}
    true.

- : minus-respects-eq S eq/ eq/ eq/ S.

%worlds () (minus-respects-eq _ _ _ _ _).
%total {} (minus-respects-eq _ _ _ _ _).


% minus is deterministic: from X1-X2=X3, X4-X5=X6, X1=X4 and X2=X5 conclude
% X3=X6.  In terms of plus this is right cancellation.
%theorem minus-deterministic :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {S:minus X1 X2 X3} {SP:minus X4 X5 X6} {E1:eq X1 X4} {E2:eq X2 X5}
    exists {E3:eq X3 X6}
    true.

- : minus-deterministic X3+X2=X1 X6+X5=X4 X1=X4 X2=X5 X3=X6
    <- plus-right-cancels X3+X2=X1 X6+X5=X4 X2=X5 X1=X4 X3=X6.

%worlds () (minus-deterministic X1-X2=X3 X4-X5=X6 X1=X4 X2=X5 X3=X6).
%total {} (minus-deterministic _ _ _ _ _).


% From X1+X2=X3, X3-X4=X7 and X2-X4=X6 conclude X1+X6=X7,
% i.e. (X1+X2)-X4 = X1+(X2-X4).
%theorem plus-associates-with-minus* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {OP1:plus X1 X2 X3} {IOP1:minus X3 X4 X7} {IOP2:minus X2 X4 X6}
    exists {OP2:plus X1 X6 X7}
    true.

% The clause names the minus derivations by their underlying plus facts.
- : plus-associates-with-minus* X1+X2=X3 X7+X4=X3 X6+X4=X2 X1+X6=X7
    <- plus-associative-converse X6+X4=X2 X1+X2=X3 X7P X1+X6=X7P X7P+X4=X3
    <- plus-right-cancels X7P+X4=X3 X7+X4=X3 eq/ eq/ X7P=X7
    <- plus-respects-eq X1+X6=X7P eq/ eq/ X7P=X7 X1+X6=X7.

%worlds () (plus-associates-with-minus* X1+X2=X3 X3-X4=X7 X2-X4=X6 X1+X6=X7).
%total {} (plus-associates-with-minus* _ _ _ _).


% Converse: from X2-X4=X6, X1+X6=X7 and X1+X2=X3 conclude X3-X4=X7.
%theorem plus-associates-with-minus-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {IOP2:minus X2 X4 X6} {OP2:plus X1 X6 X7} {OP1:plus X1 X2 X3}
    exists {IOP1:minus X3 X4 X7}
    true.

- : plus-associates-with-minus-converse* X6+X4=X2 X1+X6=X7 X1+X2=X3 X7+X4=X3
    <- plus-associative-converse* X6+X4=X2 X1+X2=X3 X1+X6=X7 X7+X4=X3.

%worlds () (plus-associates-with-minus-converse* X2-X4=X6 X1+X6=X7 X1+X2=X3 X3-X4=X7).
%total {} (plus-associates-with-minus-converse* _ _ _ _).
% Existential form of plus-associates-with-minus-converse*: from X2-X4=X6 and
% X1+X6=X7 produce X3 with X1+X2=X3 and X3-X4=X7.
%theorem plus-associates-with-minus-converse :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {IOP2:minus X2 X4 X6} {OP2:plus X1 X6 X7}
    exists {X3} {OP1:plus X1 X2 X3} {IOP1:minus X3 X4 X7}
    true.

- : plus-associates-with-minus-converse X6+X4=X2 X1+X6=X7 X3 X1+X2=X3 X7+X4=X3
    <- plus-total X1+X2=X3
    <- plus-associates-with-minus-converse* X6+X4=X2 X1+X6=X7 X1+X2=X3 X7+X4=X3.

%worlds () (plus-associates-with-minus-converse X2-X4=X6 X1+X6=X7 X3 X1+X2=X3 X3-X4=X7).
%total {} (plus-associates-with-minus-converse _ _ _ _ _).


% From X1-X2=X3, X3+X4=X7 and X2-X4=X6 conclude X1-X6=X7,
% i.e. (X1-X2)+X4 = X1-(X2-X4).
%theorem minus-associates-from-plus* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {IOP1:minus X1 X2 X3} {OP1:plus X3 X4 X7} {IOP2:minus X2 X4 X6}
    exists {IOP3:minus X1 X6 X7}
    true.

- : minus-associates-from-plus* X3+X2=X1 X3+X4=X7 X6+X4=X2 X7+X6=X1
    <- plus-commutative X6+X4=X2 X4+X6=X2
    <- plus-associative-converse* X4+X6=X2 X3+X2=X1 X3+X4=X7 X7+X6=X1.

%worlds () (minus-associates-from-plus* X1-X2=X3 X3+X4=X7 X2-X4=X6 X1-X6=X7).
%total {} (minus-associates-from-plus* _ _ _ _).


% Converse: from X2-X4=X6, X1-X6=X7 and X1-X2=X3 conclude X3+X4=X7.
%theorem minus-associates-from-plus-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {IOP2:minus X2 X4 X6} {IOP3:minus X1 X6 X7} {IOP1:minus X1 X2 X3}
    exists {OP1:plus X3 X4 X7}
    true.

- : minus-associates-from-plus-converse* X6+X4=X2 X7+X6=X1 X3+X2=X1 X3+X4=X7
    <- plus-commutative X6+X4=X2 X4+X6=X2
    <- plus-associative-converse X4+X6=X2 X3+X2=X1 X7P X3+X4=X7P X7P+X6=X1
    <- plus-right-cancels X7P+X6=X1 X7+X6=X1 eq/ eq/ X7P=X7
    <- plus-respects-eq X3+X4=X7P eq/ eq/ X7P=X7 X3+X4=X7.

%worlds () (minus-associates-from-plus-converse* X2-X4=X6 X1-X6=X7 X1-X2=X3 X3+X4=X7).
%total {} (minus-associates-from-plus-converse* _ _ _ _).


% From X1-X2=X3, X3-X4=X7 and X2+X4=X6 conclude X1-X6=X7,
% i.e. (X1-X2)-X4 = X1-(X2+X4).
%theorem minus-associates-to-plus* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7} {OP1:plus X2 X4 X6}
    exists {IOP3:minus X1 X6 X7}
    true.

- : minus-associates-to-plus* X3+X2=X1 X7+X4=X3 X2+X4=X6 X7+X6=X1
    <- plus-commutative X2+X4=X6 X4+X2=X6
    <- plus-associative* X7+X4=X3 X3+X2=X1 X4+X2=X6 X7+X6=X1.

%worlds () (minus-associates-to-plus* X1-X2=X3 X3-X4=X7 X2+X4=X6 X1-X6=X7).
%total {} (minus-associates-to-plus* _ _ _ _).


% Existential form of minus-associates-to-plus*: the sum X2+X4=X6 is produced.
%theorem minus-associates-to-plus :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7}
    exists {X6} {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7}
    true.

- : minus-associates-to-plus X3+X2=X1 X7+X4=X3 X6 X2+X4=X6 X7+X6=X1
    <- plus-associative X7+X4=X3 X3+X2=X1 X6 X4+X2=X6 X7+X6=X1
    <- plus-commutative X4+X2=X6 X2+X4=X6.

%worlds () (minus-associates-to-plus X1-X2=X3 X3-X4=X7 X6 X2+X4=X6 X1-X6=X7).
%total {} (minus-associates-to-plus _ _ _ _ _).


% Converse: from X2+X4=X6, X1-X6=X7 and X1-X2=X3 conclude X3-X4=X7.
%theorem minus-associates-to-plus-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7} {IOP1:minus X1 X2 X3}
    exists {IOP2:minus X3 X4 X7}
    true.

- : minus-associates-to-plus-converse* X2+X4=X6 X7+X6=X1 X3+X2=X1 X7+X4=X3
    <- plus-commutative X2+X4=X6 X4+X2=X6
    <- plus-associative-converse X4+X2=X6 X7+X6=X1 X3P X7+X4=X3P X3P+X2=X1
    <- plus-right-cancels X3P+X2=X1 X3+X2=X1 eq/ eq/ X3P=X3
    <- plus-respects-eq X7+X4=X3P eq/ eq/ X3P=X3 X7+X4=X3.

%worlds () (minus-associates-to-plus-converse* X2+X4=X6 X1-X6=X7 X1-X2=X3 X3-X4=X7).
%total {} (minus-associates-to-plus-converse* _ _ _ _).


% Existential form of the converse: from X2+X4=X6 and X1-X6=X7 produce X3 with
% X1-X2=X3 and X3-X4=X7.
%theorem minus-associates-to-plus-converse :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7}
    exists {X3} {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7}
    true.

- : minus-associates-to-plus-converse X2+X4=X6 X7+X6=X1 X3 X3+X2=X1 X7+X4=X3
    <- plus-commutative X2+X4=X6 X4+X2=X6
    <- plus-associative-converse X4+X2=X6 X7+X6=X1 X3 X7+X4=X3 X3+X2=X1.

%worlds () (minus-associates-to-plus-converse X2+X4=X6 X1-X6=X7 X3 X1-X2=X3 X3-X4=X7).
%total {} (minus-associates-to-plus-converse _ _ _ _ _).


% If N1-N2=N3 and N3=z then N1=N2.  With N3 = z the underlying plus
% derivation is matched by plus/z.
%theorem minus-is-zero-implies-eq :
    forall* {N1} {N2} {N3}
    forall {P:minus N1 N2 N3} {E3:eq N3 z}
    exists {E1:eq N1 N2}
    true.

- : minus-is-zero-implies-eq plus/z eq/ eq/.

%worlds () (minus-is-zero-implies-eq X-Y=Z Z=0 X=Y).
%total {} (minus-is-zero-implies-eq _ _ _).


% Reuses the plus lemma under a minus name.
%abbrev minus-implies-gt = plus-implies-gt.


% From X1-X2=X3, X4-X5=X6, X1=X4 and X3=X6 conclude X2=X5.
%theorem minus-left-cancels :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E1:eq X1 X4} {E3:eq X3 X6}
    exists {E2:eq X2 X5}
    true.

- : minus-left-cancels X3+X2=X1 X6+X5=X4 X1=X4 X3=X6 X2=X5
    <- plus-left-cancels X3+X2=X1 X6+X5=X4 X3=X6 X1=X4 X2=X5.

%worlds () (minus-left-cancels X1-X2=X3 X4-X5=X6 X1=X4 X3=X6 X2=X5).
%total {} (minus-left-cancels _ _ _ _ _).


% From X1-X2=X3, X4-X5=X6, X2=X5 and X3=X6 conclude X1=X4.  In terms of plus
% this is determinism of the sum.
%theorem minus-right-cancels :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {E3:eq X3 X6}
    exists {E1:eq X1 X4}
    true.

- : minus-right-cancels X3+X2=X1 X6+X5=X4 X2=X5 X3=X6 X1=X4
    <- plus-deterministic X3+X2=X1 X6+X5=X4 X3=X6 X2=X5 X1=X4.

%worlds () (minus-right-cancels X1-X2=X3 X4-X5=X6 X2=X5 X3=X6 X1=X4).
%total {} (minus-right-cancels _ _ _ _ _).


% Subtracting more leaves less: from X2>X4, X1-X2=X3 and X1-X4=X5 conclude
% X5>X3.
%theorem minus-left-inverts-gt* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:gt X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5}
    exists {GP:gt X5 X3}
    true.

% Compares both differences against the auxiliary sum X7 = X3+X4.
- : minus-left-inverts-gt* X2>X4 X3+X2=X1 X5+X4=X1 X5>X3
    <- plus-total X3+X4=X7
    <- plus-left-preserves-gt* X2>X4 X3+X2=X1 X3+X4=X7 X1>X7
    <- plus-right-cancels-gt X5+X4=X1 X3+X4=X7 eq/ X1>X7 X5>X3.

%worlds () (minus-left-inverts-gt* X2>X4 X1-X2=X3 X1-X4=X5 X5>X3).
%total {} (minus-left-inverts-gt* _ _ _ _).


% Subtracting the same amount preserves gt: from X1>X2, X1-X3=X4 and X2-X3=X5
% conclude X4>X5.
%theorem minus-right-preserves-gt* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:gt X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5}
    exists {GP:gt X4 X5}
    true.

- : minus-right-preserves-gt* X1>X2 X4+X3=X1 X5+X3=X2 X4>X5
    <- plus-right-cancels-gt X4+X3=X1 X5+X3=X2 eq/ X1>X2 X4>X5.

%worlds () (minus-right-preserves-gt* X1>X2 X1-X3=X4 X2-X3=X5 X4>X5).
%total {} (minus-right-preserves-gt* _ _ _ _).


% From X1-X2=X3, X4-X5=X6, X1=X4 and X3>X6 conclude X5>X2: with equal
% minuends, the larger difference comes from the smaller subtrahend.
%theorem minus-left-cancels-inverts-gt :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:gt X3 X6}
    exists {GP:gt X5 X2}
    true.

% Compares both subtrahends against the auxiliary sum X7 = X6+X2.
- : minus-left-cancels-inverts-gt X3+X2=X1 X6+X5=X4 X1=X4 X3>X6 X5>X2
    <- plus-total X6+X2=X7
    <- plus-right-preserves-gt* X3>X6 X3+X2=X1 X6+X2=X7 X1>X7
    <- eq-symmetric X1=X4 X4=X1
    <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1
    <- plus-left-cancels-gt X6+X5=X1 X6+X2=X7 eq/ X1>X7 X5>X2.

%worlds () (minus-left-cancels-inverts-gt X1-X2=X3 X4-X5=X6 X1=X4 X3>X6 X5>X2).
%total {} (minus-left-cancels-inverts-gt _ _ _ _ _).


% From X1-X2=X3, X4-X5=X6, X2=X5 and X3>X6 conclude X1>X4.
%theorem minus-right-cancels-gt :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:gt X3 X6}
    exists {G1:gt X1 X4}
    true.

- : minus-right-cancels-gt X3+X2=X1 X6+X5=X4 X2=X5 X3>X6 X1>X4
    <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1
    <- plus-right-preserves-gt* X3>X6 X3+X5=X1 X6+X5=X4 X1>X4.

%worlds () (minus-right-cancels-gt X1-X2=X3 X4-X5=X6 X2=X5 X3>X6 X1>X4).
%total {} (minus-right-cancels-gt _ _ _ _ _).


% Right distribution over minus: from X1-X2=X3 and X3*X4=X7 produce X5 and X6
% with X1*X4=X5, X2*X4=X6 and X5-X6=X7, i.e. (X1-X2)*X4 = X1*X4 - X2*X4.
%theorem times-right-distributes-over-minus :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {S12:minus X1 X2 X3} {M34:times X3 X4 X7}
    exists {X5} {X6} {M14:times X1 X4 X5} {M24:times X2 X4 X6} {S56:minus X5 X6 X7}
    true.

% The minus input is a plus derivation X3+X2=X1, so the plus distribution
% lemma applies directly; its own product Y7 is then identified with X7.
- : times-right-distributes-over-minus X3+X2=X1 X3*X4=X7 _ _ X1*X4=X5 X2*X4=X6 X7+X6=X5
    <- times-total X1*X4=X5
    <- times-right-distributes-over-plus X3+X2=X1 X1*X4=X5 _ _ X3*X4=Y7 X2*X4=X6 Y7+X6=X5
    <- times-deterministic X3*X4=Y7 X3*X4=X7 eq/ eq/ Y7=X7
    <- plus-respects-eq Y7+X6=X5 Y7=X7 eq/ eq/ X7+X6=X5.

%worlds () (times-right-distributes-over-minus X1-X2=X3 X3*X4=X7 X5 X6 X1*X4=X5 X2*X4=X6 X5-X6=X7).
%total {} (times-right-distributes-over-minus _ _ _ _ _ _ _).


% Variant of times-right-distributes-over-minus in which both products
% X1*X4=X5 and X2*X4=X6 are inputs.
%theorem times-right-distributes-over-minus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:minus X1 X2 X3} {M34:times X3 X4 X7}
           {M14:times X1 X4 X5} {M24:times X2 X4 X6}
    exists {A56:minus X5 X6 X7}
    true.

- : times-right-distributes-over-minus* X1-X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5-X6=X7
    <- times-right-distributes-over-minus X1-X2=X3 X3*X4=X7 Y5 Y6 X1*X4=Y5 X2*X4=Y6 Y5-Y6=X7
    <- times-deterministic X1*X4=Y5 X1*X4=X5 eq/ eq/ Y5=X5
    <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6
    <- minus-respects-eq Y5-Y6=X7 Y5=X5 Y6=X6 eq/ X5-X6=X7.

%worlds () (times-right-distributes-over-minus* X1-X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5-X6=X7).
%total {} (times-right-distributes-over-minus* _ _ _ _ _).


% Left distribution over minus with all products given: from X2-X4=X6,
% X1*X6=X7, X1*X2=X3 and X1*X4=X5 conclude X3-X5=X7.  Reduced to the right
% version by commuting every product.
%theorem times-left-distributes-over-minus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:minus X2 X4 X6} {M34:times X1 X6 X7}
           {M14:times X1 X2 X3} {M24:times X1 X4 X5}
    exists {A56:minus X3 X5 X7}
    true.

- : times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7
    <- times-commutative X1*X6=X7 X6*X1=X7
    <- times-commutative X1*X2=X3 X2*X1=X3
    <- times-commutative X1*X4=X5 X4*X1=X5
    <- times-right-distributes-over-minus* X2-X4=X6 X6*X1=X7 X2*X1=X3 X4*X1=X5 X3-X5=X7.

%worlds () (times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7).
%total {} (times-left-distributes-over-minus* _ _ _ _ _).


% Existential form of times-left-distributes-over-minus*: the products
% X1*X2=X3 and X1*X4=X5 are produced with times-total.
%theorem times-left-distributes-over-minus :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {A12:minus X2 X4 X6} {M34:times X1 X6 X7}
    exists {X3} {X5} {M14:times X1 X2 X3} {M24:times X1 X4 X5} {A56:minus X3 X5 X7}
    true.

- : times-left-distributes-over-minus X2-X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3-X5=X7
    <- times-total X1*X2=X3
    <- times-total X1*X4=X5
    <- times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7.

%worlds () (times-left-distributes-over-minus X2-X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3-X5=X7).
%total {} (times-left-distributes-over-minus _ _ _ _ _ _ _).


% Factoring on the right over minus with the difference X1-X2=X3 given: from
% X1*X4=X5, X2*X4=X6, X5-X6=X7 and X1-X2=X3 conclude X3*X4=X7.
%theorem times-right-factors-over-minus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M14:times X1 X4 X5} {M24:times X2 X4 X6}
           {A56:minus X5 X6 X7} {A12:minus X1 X2 X3}
    exists {M34:times X3 X4 X7}
    true.

- : times-right-factors-over-minus* X1*X4=X5 X2*X4=X6 X5-X6=X7 X1-X2=X3 X3*X4=X7
    <- times-total X3*X4=Y7
    <- times-right-distributes-over-minus* X1-X2=X3 X3*X4=Y7 X1*X4=X5 X2*X4=X6 X5-X6=Y7
    <- minus-deterministic X5-X6=Y7 X5-X6=X7 eq/ eq/ Y7=X7
    <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.

%worlds () (times-right-factors-over-minus* X1*X4=X5 X2*X4=X6 X5-X6=X7 X1-X2=X3 X3*X4=X7 ).
%total {} (times-right-factors-over-minus* _ _ _ _ _).


% Factoring on the left over minus with the difference X2-X4=X6 given: from
% X1*X2=X3, X1*X4=X5, X3-X5=X7 and X2-X4=X6 conclude X1*X6=X7.
%theorem times-left-factors-over-minus* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M12:times X1 X2 X3} {M14:times X1 X4 X5}
           {A35:minus X3 X5 X7} {A24:minus X2 X4 X6}
    exists {M16:times X1 X6 X7}
    true.

- : times-left-factors-over-minus* X1*X2=X3 X1*X4=X5 X3-X5=X7 X2-X4=X6 X1*X6=X7
    <- times-total X1*X6=Y7
    <- times-left-distributes-over-minus* X2-X4=X6 X1*X6=Y7 X1*X2=X3 X1*X4=X5 X3-X5=Y7
    <- minus-deterministic X3-X5=Y7 X3-X5=X7 eq/ eq/ Y7=X7
    <- times-respects-eq X1*X6=Y7 eq/ eq/ Y7=X7 X1*X6=X7.

%worlds () (times-left-factors-over-minus* X1*X2=X3 X1*X4=X5 X3-X5=X7 X2-X4=X6 X1*X6=X7).
%total {} (times-left-factors-over-minus* _ _ _ _ _).


% Factoring on the right over minus where the difference of the factors is an
% output: from XY*Z=XYZ, Y*Z=YZ, XYZ-YZ=XZ and Z = s Z- produce X with
% XY-Y=X and X*Z=XZ.  The hypothesis EZ says the common factor Z is nonzero.
%theorem times-right-factors-over-minus :
    forall* {Y} {Z} {XY} {XZ} {YZ} {XYZ} {Z-}
    forall {TXY:times XY Z XYZ} {TY:times Y Z YZ}
           {M:minus XYZ YZ XZ} {EZ:eq Z (s Z-)}
    exists {X} {M':minus XY Y X} {TX:times X Z XZ}
    true.

% minus isn't total, so this is harder.

% Case XZ = z (the minus derivation is plus/z): the two products are equal,
% so cancelling the nonzero factor Z gives XY=Y and the difference X is z.
- : times-right-factors-over-minus XY*Z=YZ Y*Z=YZ plus/z eq/ z ZERO+Y=XY times/z
    <- times-right-cancels* XY*Z=YZ Y*Z=YZ eq/ eq/ XY=Y
    <- plus-respects-eq plus/z eq/ XY=Y eq/ ZERO+Y=XY.

% Remaining case: XZ is nonzero, hence XYZ>YZ and XY>Y, so the difference of
% XY and Y exists and is a successor (s X-).
- : times-right-factors-over-minus XY*Z=XYZ Y*Z=YZ XZ+YZ=XYZ _ (s X-) X+Y=XY X*Z=XZ
    %% we assume XZ is of the form (s XZ-)
    <- plus-implies-gt XZ+YZ=XYZ eq/ XYZ>YZ
    <- times-right-cancels-gt XY*Z=XYZ Y*Z=YZ eq/ XYZ>YZ XY>Y
    <- gt-implies-plus XY>Y X- X+Y=XY
    <- times-right-factors-over-minus* XY*Z=XYZ Y*Z=YZ XZ+YZ=XYZ X+Y=XY X*Z=XZ.

%worlds () (times-right-factors-over-minus XY*Z=XYZ Y*Z=YZ XYZ-YZ=XZ Z+ X XY-Y=X X*Z=XZ).
%total {} (times-right-factors-over-minus _ _ _ _ _ _ _).


% Left-hand counterpart: from X*Y=XY, X*Z=XZ, XY-XZ=XYZ and X = s X- produce
% YZ with Y-Z=YZ and X*YZ=XYZ.  Reduced to the right version by commuting.
%theorem times-left-factors-over-minus :
    forall* {X} {Y} {Z} {XY} {XZ} {XYZ} {X-}
    forall {TXY:times X Y XY} {TXZ:times X Z XZ}
           {M:minus XY XZ XYZ} {EX:eq X (s X-)}
    exists {YZ} {MYZ:minus Y Z YZ} {TXYZ:times X YZ XYZ}
    true.

- : times-left-factors-over-minus X*Y=XY X*Z=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ X*YZ=XYZ
    <- times-commutative X*Y=XY Y*X=XY
    <- times-commutative X*Z=XZ Z*X=XZ
    <- times-right-factors-over-minus Y*X=XY Z*X=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ YZ*X=XYZ
    <- times-commutative YZ*X=XYZ X*YZ=XYZ.

%worlds () (times-left-factors-over-minus X*Y=XY X*Z=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ X*YZ=XYZ).
%total {} (times-left-factors-over-minus _ _ _ _ _ _ _).



%%%%% nat-comp.elf
%%%%% Composed relations for natural numbers
%%%%% This file is part of the nat.elf signature



%%%% Definitions


% ge X Y (X >= Y) holds either because X and Y are equal (ge/=) or because
% X is greater than Y (ge/>).
ge : nat -> nat -> type.

ge/= : ge X Y
    <- eq X Y.

ge/> : ge X Y
    <- gt X Y.



%%%% Theorems


%%% Theorems about ge


% Anything follows from a proof of the uninhabited type void; no clause is
% given because there is no case to cover.
%theorem false-implies-ge :
    forall* {X1} {X2}
    forall {F:void}
    exists {G:ge X1 X2}
    true.

%worlds () (false-implies-ge _ _).
%total { } (false-implies-ge _ _).


% ge respects equality in both arguments.
%theorem ge-respects-eq :
    forall* {X1} {X2} {Y1} {Y2}
    forall {D1:ge X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {D2:ge Y1 Y2}
    true.

- : ge-respects-eq X1>=X2 eq/ eq/ X1>=X2.

%worlds () (ge-respects-eq _ _ _ _).
%total { } (ge-respects-eq _ _ _ _).


% X >= X for every X.
%theorem ge-reflexive :
    forall {X}
    exists {G:ge X X}
    true.

- : ge-reflexive _ (ge/= eq/).

%worlds () (ge-reflexive X X>=X).
%total {} (ge-reflexive _ _).


% Transitivity of ge, by case analysis on which constructor built each input.
%theorem ge-transitive:
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2} {G2:ge X2 X3}
    exists {G3:ge X1 X3}
    true.

- : ge-transitive (ge/= eq/) (ge/= eq/) (ge/= eq/).

- : ge-transitive (ge/= eq/) (ge/> X>X3) (ge/> X>X3).

- : ge-transitive (ge/> X1>X) (ge/= eq/) (ge/> X1>X).

- : ge-transitive (ge/> X1>X2) (ge/> X2>X3) (ge/> X1>X3)
    <- gt-transitive X1>X2 X2>X3 X1>X3.

%worlds () (ge-transitive X1>=X2 X2>=X3 X1>=X3).
%total {} (ge-transitive _ _ _).
% Antisymmetry of ge: X1>=X2 and X2>=X1 imply X1=X2.
%theorem ge-anti-symmetric :
    forall* {X1} {X2}
    forall {G1:ge X1 X2} {G2:ge X2 X1}
    exists {E:eq X1 X2}
    true.

- : ge-anti-symmetric (ge/= eq/) _ eq/.

- : ge-anti-symmetric _ (ge/= eq/) eq/.

% Both strict: gt-anti-symmetric yields a contradiction F, from which the
% equality follows.
- : ge-anti-symmetric (ge/> X1>X2) (ge/> X2>X1) X1=X2
    <- gt-anti-symmetric X1>X2 X2>X1 F
    <- false-implies-eq F X1=X2.

%worlds () (ge-anti-symmetric X1>=X2 X2>=X1 X1=X2).
%total {} (ge-anti-symmetric _ _ _).


% Mixed transitivity: X1>=X2 and X2>X3 imply X1>X3.
%theorem ge-transitive-gt:
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2} {G2:gt X2 X3}
    exists {G3:gt X1 X3}
    true.

- : ge-transitive-gt (ge/= eq/) X>X3 X>X3.

- : ge-transitive-gt (ge/> X1>X2) X2>X3 X1>X3
    <- gt-transitive X1>X2 X2>X3 X1>X3.

%worlds () (ge-transitive-gt X1>=X2 X2>X3 X1>X3).
%total {} (ge-transitive-gt _ _ _).


% Mixed transitivity: X1>X2 and X2>=X3 imply X1>X3.
%theorem gt-transitive-ge:
    forall* {X1} {X2} {X3}
    forall {G1:gt X1 X2} {G2:ge X2 X3}
    exists {G3:gt X1 X3}
    true.

- : gt-transitive-ge X1>X2 (ge/= eq/) X1>X2.

- : gt-transitive-ge X1>X2 (ge/> X2>X3) X1>X3
    <- gt-transitive X1>X2 X2>X3 X1>X3.

%worlds () (gt-transitive-ge X1>X2 X2>=X3 X1>X3).
%total {} (gt-transitive-ge _ _ _).


% A theorem with inputs only (no `exists`).  Together with the %reduces
% declaration below it records that N is no larger than M whenever ge M N
% holds.  NOTE(review): presumably intended for use in termination arguments
% of other theorems; confirm against callers.
%theorem meta-ge :
    forall {M} {N} {G:ge M N}
    true.

- : meta-ge _ _ (ge/= eq/).

- : meta-ge _ _ (ge/> M>N)
    <- meta-gt _ _ M>N.

%worlds () (meta-ge _ _ _).
%total { } (meta-ge _ _ _).
%reduces N <= M (meta-ge M N _).


% Successor preserves ge: M>=N implies (s M)>=(s N).
%theorem succ-preserves-ge :
    forall* {M} {N}
    forall {G:ge M N}
    exists {G':ge (s M) (s N)}
    true.

- : succ-preserves-ge (ge/= eq/) (ge/= eq/).

% NOTE: the variable named N>M is the gt derivation inside G:ge M N, so it
% proves gt M N despite the order of letters in its name.
- : succ-preserves-ge (ge/> N>M) (ge/> N+1>M+1)
    <- succ-preserves-gt N>M N+1>M+1.

%worlds () (succ-preserves-ge M>=N M+1>=N+1).
%total {} (succ-preserves-ge _ _).


% Converse: (s M)>=(s N) implies M>=N.  The same naming caveat applies to
% N+1>M+1 and N>M.
%theorem succ-preserves-ge-converse :
    forall* {M} {N}
    forall {G':ge (s M) (s N)}
    exists {G:ge M N}
    true.

- : succ-preserves-ge-converse (ge/= eq/) (ge/= eq/).

- : succ-preserves-ge-converse (ge/> N+1>M+1) (ge/> N>M)
    <- succ-preserves-gt-converse N+1>M+1 N>M.

%worlds () (succ-preserves-ge-converse M+1>=N+1 M>=N).
%total {} (succ-preserves-ge-converse _ _).
% N1 >= (s N2) implies N1 > N2.
%theorem ge-succ-implies-gt :
    forall* {N1} {N2}
    forall {G:ge N1 (s N2)}
    exists {G':gt N1 N2}
    true.

% Equal case: N1 is (s N2), and gt/1 is the proof that a successor is greater
% than its predecessor.
- : ge-succ-implies-gt (ge/= eq/) (gt/1).

- : ge-succ-implies-gt (ge/> N1>sN2) N1>N2
    <- gt-transitive N1>sN2 (gt/1) N1>N2.

%worlds () (ge-succ-implies-gt _ _).
%total { } (ge-succ-implies-gt _ _).


% N1 >= N2 implies (s N1) > N2.
%theorem ge-implies-succ-gt :
    forall* {N1} {N2}
    forall {G:ge N1 N2}
    exists {G':gt (s N1) N2}
    true.

- : ge-implies-succ-gt N1>=N2 N1+1>N2
    <- succ-preserves-ge N1>=N2 N1+1>=N2+1
    <- ge-succ-implies-gt N1+1>=N2+1 N1+1>N2.

%worlds () (ge-implies-succ-gt _ _).
%total { } (ge-implies-succ-gt _ _).


% (s N1) > N2 implies N1 >= N2, by case analysis on the two gt constructors
% gt/1 and gt/>.
%theorem succ-gt-implies-ge :
    forall* {N1} {N2}
    forall {G:gt (s N1) N2}
    exists {G':ge N1 N2}
    true.

- : succ-gt-implies-ge (gt/1) (ge/= eq/).

- : succ-gt-implies-ge (gt/> N1>N2) (ge/> N1>N2).

%worlds () (succ-gt-implies-ge _ _).
%total { } (succ-gt-implies-ge _ _).


% N1 > N2 implies N1 >= (s N2).
%theorem gt-implies-ge-succ :
    forall* {N1} {N2}
    forall {G':gt N1 N2}
    exists {G:ge N1 (s N2)}
    true.

- : gt-implies-ge-succ N1>N2 N1>=N2+1
    <- succ-preserves-gt N1>N2 N1+1>N2+1
    <- succ-gt-implies-ge N1+1>N2+1 N1>=N2+1.

%worlds () (gt-implies-ge-succ _ _).
%total { } (gt-implies-ge-succ _ _).


% N2 >= N1 implies there is an N0 with N0+N1=N2.
%theorem ge-implies-plus:
    forall* {N1} {N2}
    forall {G:ge N2 N1}
    exists {N0} {P:plus N0 N1 N2}
    true.

% Equal case: the difference is z.
- : ge-implies-plus (ge/= eq/) z plus/z.

% Strict case: the difference is a successor, obtained from gt-implies-plus.
- : ge-implies-plus (ge/> N2>N1) (s N0) P
    <- gt-implies-plus N2>N1 N0 P.

%worlds () (ge-implies-plus N2>=N1 N0 N0+N1=N2).
%total { } (ge-implies-plus _ _ _).


% N0+N1=N2 implies N2 >= N1.
%theorem plus-implies-ge:
    forall* {N0} {N1} {N2}
    forall {P:plus N0 N1 N2}
    exists {G:ge N2 N1}
    true.

- : plus-implies-ge plus/z (ge/= eq/).

- : plus-implies-ge P (ge/> N2>N1)
    <- plus-implies-gt P eq/ N2>N1.

%worlds () (plus-implies-ge N0+N1=N2 N2>=N1).
%total { } (plus-implies-ge _ _).


% Every N satisfies N >= z; derived from N+0=N via plus-implies-ge.
%theorem ge-zero-always :
    forall {N}
    exists {G:ge N z}
    true.

- : ge-zero-always _ N>=0
    <- plus-right-identity _ N+0=N
    <- plus-implies-ge N+0=N N>=0.

%worlds () (ge-zero-always _ _).
%total { } (ge-zero-always _ _).
% A product with a nonzero left factor is at least the right factor:
% (s N0)*N1=N2 implies N2 >= N1.
%theorem nonzero-times-implies-ge :
    forall* {N0} {N1} {N2}
    forall {P:times (s N0) N1 N2}
    exists {G:ge N2 N1}
    true.

% The product ends with an addition X+N1=N2, which already gives N2 >= N1.
- : nonzero-times-implies-ge (times/s _ X+N1=N2) N2>=N1
    <- plus-implies-ge X+N1=N2 N2>=N1.

%worlds () (nonzero-times-implies-ge N0*N1=N2 N2>=N1).
%total { } (nonzero-times-implies-ge _ _).


% A product with a nonzero right factor is at least the left factor:
% N0*(s N1)=N2 implies N2 >= N0.
%theorem times-nonzero-implies-ge :
    forall* {N0} {N1} {N2}
    forall {P:times N0 (s N1) N2}
    exists {G:ge N2 N0}
    true.

- : times-nonzero-implies-ge A*B=C C>=A
    <- times-commutative A*B=C B*A=C
    <- nonzero-times-implies-ge B*A=C C>=A.

%worlds () (times-nonzero-implies-ge _ _).
%total { } (times-nonzero-implies-ge _ _).


% If both factors are at least two, the product exceeds the left factor plus
% one: (s (s N1))*(s (s N2))=N3 implies N3 > s (s (s N1)).
%theorem non-trivial-times-implies-much-gt* :
    forall* {N1} {N2} {N3}
    forall {D:times (s (s N1)) (s (s N2)) N3}
    exists {G:gt N3 (s (s (s N1)))}
    true.

% Unfolds the two outer times/s steps: P1 = N1*(s s N2), P2 = P1+(s s N2),
% N3 = P2+(s s N2).  The chain first bounds P2 (ending in s P2 >= s s s N1)
% and then shows N3 > s P2.
- : non-trivial-times-implies-much-gt*
        (times/s (times/s N1*ssN2=P1 P1+ssN2=P2) P2+ssN2=N3) N3>sssN1
    <- times-nonzero-implies-ge N1*ssN2=P1 P1>=N1
    <- succ-preserves-ge P1>=N1 SP1>=sN1
    <- plus-swap-succ-converse P1+ssN2=P2 SP1+sN2=P2
    <- plus-commutative SP1+sN2=P2 SN2+sP1=P2
    <- plus-implies-gt SN2+sP1=P2 eq/ P2>sP1
    <- gt-transitive-ge P2>sP1 SP1>=sN1 P2>sN1
    <- succ-preserves-gt P2>sN1 SP2>ssN1
    <- gt-implies-ge-succ SP2>ssN1 SP2>=sssN1
    <- plus-commutative P2+ssN2=N3 SSN2+P2=N3
    <- plus-swap-succ SSN2+P2=N3 SN2+sP2=N3
    <- plus-implies-gt SN2+sP2=N3 eq/ N3>sP2
    <- gt-transitive-ge N3>sP2 SP2>=sssN1 N3>sssN1.

%worlds () (non-trivial-times-implies-much-gt* _ _).
%total { } (non-trivial-times-implies-much-gt* _ _).


% Symmetric form: the bound holds for both factors.  The second bound comes
% from applying the starred lemma to the commuted product.
%theorem non-trivial-times-implies-much-gt :
    forall* {N1} {N2} {N3}
    forall {D:times (s (s N1)) (s (s N2)) N3}
    exists {G1:gt N3 (s (s (s N1)))} {G2:gt N3 (s (s (s N2)))}
    true.

- : non-trivial-times-implies-much-gt T G1 G2
    <- non-trivial-times-implies-much-gt* T G1
    <- times-commutative T Tc
    <- non-trivial-times-implies-much-gt* Tc G2.

%worlds () (non-trivial-times-implies-much-gt _ _ _).
%total { } (non-trivial-times-implies-much-gt _ _ _).
% Adding the same number on the left preserves ge: from X2>=X4, X1+X2=X3 and
% X1+X4=X5 conclude X3>=X5.
%theorem plus-left-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X2 X4} {OP1:plus X1 X2 X3} {OP2:plus X1 X4 X5}
    exists {G2:ge X3 X5}
    true.

% Equal case: both sums have the same operands, so plus-deterministic gives
% the equality of the results.
- : plus-left-preserves-ge* (ge/= eq/) X1+X2=X3 X1+X2=X5 (ge/= X3=X5)
    <- plus-deterministic X1+X2=X3 X1+X2=X5 eq/ eq/ X3=X5.

- : plus-left-preserves-ge* (ge/> X2>X4) X1+X2=X3 X1+X4=X5 (ge/> X3>X5)
    <- plus-left-preserves-gt* X2>X4 X1+X2=X3 X1+X4=X5 X3>X5.

%worlds () (plus-left-preserves-ge* X2>=X4 X1+X2=X3 X1+X4=X5 X3>=X5).
%total {} (plus-left-preserves-ge* _ _ _ _).


% Left cancellation for ge: from X1+X2=X3, Y1+Y2=Y3, X1=Y1 and X3>=Y3
% conclude X2>=Y2.
%theorem plus-left-cancels-ge :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {G3:ge X3 Y3}
    exists {G2:ge X2 Y2}
    true.

- : plus-left-cancels-ge X1+X2=X3 X1+Y2=X3 eq/ (ge/= eq/) (ge/= X2=Y2)
    <- plus-left-cancels X1+X2=X3 X1+Y2=X3 eq/ eq/ X2=Y2.

- : plus-left-cancels-ge X1+X2=X3 X1+Y2=Y3 eq/ (ge/> X3>Y3) (ge/> X2>Y2)
    <- plus-left-cancels-gt X1+X2=X3 X1+Y2=Y3 eq/ X3>Y3 X2>Y2.

%worlds () (plus-left-cancels-ge X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3>=Y3 X2>=Y2).
%total {} (plus-left-cancels-ge _ _ _ _ _).


% Existential form of plus-left-preserves-ge*: both sums are produced with
% plus-total.  (The derivation named X1+X2=A3 is the sum whose result is the
% output X3; the A3 in its name is only a label.)
%theorem plus-left-preserves-ge :
    forall* {X1} {X2} {X4}
    forall {G:ge X2 X4}
    exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:ge X3 X5}
    true.

- : plus-left-preserves-ge X2>=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>=X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-ge* X2>=X4 X1+X2=A3 X1+X4=X5 X3>=X5.

%worlds () (plus-left-preserves-ge X2>=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>=X5).
%total {} (plus-left-preserves-ge _ _ _ _ _ _).


% Adding the same number on the right preserves ge: from X1>=X2, X1+X3=X4 and
% X2+X3=X5 conclude X4>=X5.  Reduced to the left version by commuting.
%theorem plus-right-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:ge X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5}
    exists {G2:ge X4 X5}
    true.

- : plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-ge* X1>=X2 X3+X1=X4 X3+X2=X5 X4>=X5.

%worlds () (plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5).
%total {} (plus-right-preserves-ge* _ _ _ _).
% Existential form of plus-right-preserves-ge*: the two sums are produced
% with plus-total instead of being supplied by the caller.
%theorem plus-right-preserves-ge :
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2}
    exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:ge X4 X5}
    true.

- : plus-right-preserves-ge X1>=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>=X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5.

%worlds () (plus-right-preserves-ge X1>=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>=X5).
%total {} (plus-right-preserves-ge _ _ _ _ _ _).


% X1 >= Y1, X2 >= Y2, X1+X2=X3, Y1+Y2=Y3  ==>  X3 >= Y3.
% Goes through the intermediate sum X = Y1+X2 and uses transitivity of ge.
%theorem plus-preserves-ge* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3}
    exists {G3:ge X3 Y3}
    true.

- : plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3
    <- plus-total Y1+X2=X
    <- plus-right-preserves-ge* X1>=Y1 X1+X2=X3 Y1+X2=X X3>=X
    <- plus-left-preserves-ge* X2>=Y2 Y1+X2=X Y1+Y2=Y3 X>=Y3
    <- ge-transitive X3>=X X>=Y3 X3>=Y3.

%worlds () (plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3).
%total {} (plus-preserves-ge* _ _ _ _ _).


% Existential form of plus-preserves-ge*: both sums are produced with plus-total.
%theorem plus-preserves-ge :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2}
    exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:ge X3 Y3}
    true.

- : plus-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>=Y3
    <- plus-total X1+X2=X3
    <- plus-total Y1+Y2=Y3
    <- plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3.

%worlds () (plus-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>=Y3).
%total {} (plus-preserves-ge _ _ _ _ _ _ _).


% X1+X2=X3, Y1+Y2=Y3, X2=Y2, X3 >= Y3  ==>  X1 >= Y1.
% Reduced to plus-left-cancels-ge by commuting both sums.
%theorem plus-right-cancels-ge :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:ge X3 Y3}
    exists {G1:ge X1 Y1}
    true.

- : plus-right-cancels-ge X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>=Y3 X1>=Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-ge X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3>=Y3 X1>=Y1.

%worlds () (plus-right-cancels-ge X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>=Y3 X1>=Y1).
%total {} (plus-right-cancels-ge _ _ _ _ _).
% Times preserves ge only because multiplying with zero yields equality.

% X2 >= X4, X1*X2=X3, X1*X4=X5  ==>  X3 >= X5.
% First clause: both products are times/z (zero left factor), so the results are equal.
% The remaining clauses split on the ge proof (equal / strictly greater).
%theorem times-left-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X2 X4} {OP1:times X1 X2 X3} {OP2:times X1 X4 X5}
    exists {G2:ge X3 X5}
    true.

- : times-left-preserves-ge* _ times/z times/z (ge/= eq/).

- : times-left-preserves-ge* (ge/= eq/) X1*X2=X3 X1*X2=X5 (ge/= X3=X5)
    <- times-deterministic X1*X2=X3 X1*X2=X5 eq/ eq/ X3=X5.

- : times-left-preserves-ge* (ge/> X2>X4) X1*X2=X3 X1*X4=X5 (ge/> X3>X5)
    <- times-left-preserves-gt X2>X4 X1*X2=X3 X1*X4=X5 X3>X5.

%worlds () (times-left-preserves-ge* X2>=X4 X1*X2=X3 X1*X4=X5 X3>=X5).
%total {} (times-left-preserves-ge* _ _ _ _).


% Existential form of times-left-preserves-ge*: both products are produced
% with times-total.
%theorem times-left-preserves-ge :
    forall* {X1} {X2} {X4}
    forall {G:ge X2 X4}
    exists {X3} {X5} {O1:times X1 X2 X3} {O2:times X1 X4 X5} {G2:ge X3 X5}
    true.

- : times-left-preserves-ge X2>=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3>=X5
    <- times-total X1*X2=A3
    <- times-total X1*X4=X5
    <- times-left-preserves-ge* X2>=X4 X1*X2=A3 X1*X4=X5 X3>=X5.

%worlds () (times-left-preserves-ge X2>=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3>=X5).
%total {} (times-left-preserves-ge _ _ _ _ _ _).


% X1 >= X2, X1*X3=X4, X2*X3=X5  ==>  X4 >= X5.
% Reduced to the left-hand version by commuting both products.
%theorem times-right-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:ge X1 X2} {O1:times X1 X3 X4} {O2:times X2 X3 X5}
    exists {G2:ge X4 X5}
    true.

- : times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5
    <- times-commutative X1*X3=X4 X3*X1=X4
    <- times-commutative X2*X3=X5 X3*X2=X5
    <- times-left-preserves-ge* X1>=X2 X3*X1=X4 X3*X2=X5 X4>=X5.

%worlds () (times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5).
%total {} (times-right-preserves-ge* _ _ _ _).


% Existential form of times-right-preserves-ge*: both products are produced
% with times-total.
%theorem times-right-preserves-ge :
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2}
    exists {X4} {X5} {O1:times X1 X3 X4} {O2:times X2 X3 X5} {G2:ge X4 X5}
    true.

- : times-right-preserves-ge X1>=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4>=X5
    <- times-total X1*X3=X4
    <- times-total X2*X3=X5
    <- times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5.
% World and totality declarations for times-right-preserves-ge.
%worlds () (times-right-preserves-ge X1>=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4>=X5).
%total {} (times-right-preserves-ge _ _ _ _ _ _).


%%%% Definitions

% Disequality on nat: X and Y differ when one is strictly greater than the other.
ne : nat -> nat -> type.

ne/< : ne X Y
    <- gt Y X.

ne/> : ne X Y
    <- gt X Y.

% Equality test: relates two nats to `true` when they are identical and to
% `false` when an ne proof exists.
eq? : nat -> nat -> bool -> type.

eq?/yes : eq? X X true.

eq?/no : eq? X Y false
    <- ne X Y.


%%%% Theorems

%%% Theorems about ne

% Anything follows from void; no clauses are needed because void has no constructors.
%theorem false-implies-ne :
    forall* {X1} {X2}
    forall {F:void}
    exists {G:ne X1 X2}
    true.

%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).


% ne is preserved when both sides are replaced by equal terms.
%theorem ne-respects-eq :
    forall* {X1} {X2} {Y1} {Y2}
    forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {D2:ne Y1 Y2}
    true.

- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.

%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).


% ne X X is contradictory.
%theorem ne-anti-reflexive :
    forall* {X}
    forall {R:ne X X}
    exists {F:void}
    true.

% NOTE(review): the clause below looks truncated — text between a `<` and a
% later `>` appears to have been lost (probably stripped as markup), so only one
% of the expected ne/< and ne/> cases survives. Restore from the original
% signature before type-checking.
- : ne-anti-reflexive (ne/< X X>X) F
    <- gt-anti-reflexive X>X F.

%worlds () (ne-anti-reflexive X<>X _).
%total {} (ne-anti-reflexive _ _).


% ne X Y  ==>  ne Y X.
%theorem ne-symmetric :
    forall* {X} {Y}
    forall {R1:ne X Y}
    exists {R2:ne Y X}
    true.

% NOTE(review): same truncation as above; this line appears to merge what were
% two clauses (one per ne constructor). Restore from the original signature.
- : ne-symmetric (ne/< X X>Y) (ne/< X>Y).

%worlds () (ne-symmetric X<>Y Y<>X).
%total {} (ne-symmetric _ _).


% eq X Y and ne X Y together are contradictory.
%theorem eq-ne-implies-false :
    forall* {X} {Y}
    forall {D1:eq X Y} {D2:ne X Y}
    exists {F:void}
    true.

- : eq-ne-implies-false eq/ X<>X F
    <- ne-anti-reflexive X<>X F.

%worlds () (eq-ne-implies-false X=Y X<>Y _).
%total {} (eq-ne-implies-false _ _ _).


% X >= Y and X <> Y  ==>  X > Y.
% In the ge/= case the ne proof is contradictory, so gt is derived from void.
%theorem ge-ne-implies-gt :
    forall* {X} {Y}
    forall {D1:ge X Y} {D2:ne X Y}
    exists {D3:gt X Y}
    true.

- : ge-ne-implies-gt (ge/> X>Y) _ X>Y.

- : ge-ne-implies-gt (ge/= eq/) X<>X X>X
    <- ne-anti-reflexive X<>X F
    <- false-implies-gt F X>X.

%worlds () (ge-ne-implies-gt X>=Y X<>Y X>Y).
%total {} (ge-ne-implies-gt _ _ _).


% eq? is total: every pair M, N has some boolean result B.
% Only the statement is given here; its clause follows the helper lemma below.
%theorem eq?-total* :
    forall {M} {N}
    exists {B} {T:eq? M N B}
    true.

% Helper: builds the eq? derivation from a three-way comparison of M and N.
%theorem eq?-total*/L :
    forall* {M} {N} {C}
    forall {CMP:compare M N C}
    exists {B} {T:eq? M N B}
    true.

- : eq?-total*/L compare/= true eq?/yes.
% NOTE(review): the clause below looks truncated — text between a `<` and a
% later `>` appears to have been lost (probably stripped as markup), merging the
% compare/< and compare/> cases of eq?-total*/L into one line. Restore from the
% original signature before type-checking.
- : eq?-total*/L (compare/< X X>Y) false (eq?/no (ne/> X>Y)).

%worlds () (eq?-total*/L _ _ _).
%total { } (eq?-total*/L _ _ _).

% Clause for eq?-total*: compare M and N, then dispatch to the helper lemma.
- : eq?-total* M N B T
    <- compare-total CMP
    <- eq?-total*/L CMP B T.

%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).

% Convenience form with the explicit arguments left implicit.
%abbrev eq?-total = eq?-total* _ _ _.


% M <> N  ==>  M+1 <> N+1.
%theorem succ-preserves-ne :
    forall* {M} {N}
    forall {D:ne M N}
    exists {D':ne (s M) (s N)}
    true.

- : succ-preserves-ne (ne/< N>M) (ne/< N+1>M+1)
    <- succ-preserves-gt N>M N+1>M+1.

- : succ-preserves-ne (ne/> N>M) (ne/> N+1>M+1)
    <- succ-preserves-gt N>M N+1>M+1.

%worlds () (succ-preserves-ne M<>N M+1<>N+1).
%total {} (succ-preserves-ne _ _).


% M+1 <> N+1  ==>  M <> N.
%theorem succ-preserves-ne-converse :
    forall* {M} {N}
    forall {D':ne (s M) (s N)}
    exists {D:ne M N}
    true.

- : succ-preserves-ne-converse (ne/< N+1>M+1) (ne/< N>M)
    <- succ-preserves-gt-converse N+1>M+1 N>M.

- : succ-preserves-ne-converse (ne/> N+1>M+1) (ne/> N>M)
    <- succ-preserves-gt-converse N+1>M+1 N>M.

%worlds () (succ-preserves-ne-converse M+1<>N+1 M<>N).
%total {} (succ-preserves-ne-converse _ _).


% X2 <> X4, X1+X2=X3, X1+X4=X5  ==>  X3 <> X5.
% Each ne constructor is handled with plus-left-preserves-gt*; in the ne/<
% case the two sums are passed in swapped order.
%theorem plus-left-preserves-ne* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ne X2 X4} {OP1:plus X1 X2 X3} {OP2:plus X1 X4 X5}
    exists {G2:ne X3 X5}
    true.

- : plus-left-preserves-ne* (ne/< X4>X2) X1+X2=X3 X1+X4=X5 (ne/< X5>X3)
    <- plus-left-preserves-gt* X4>X2 X1+X4=X5 X1+X2=X3 X5>X3.

- : plus-left-preserves-ne* (ne/> X2>X4) X1+X2=X3 X1+X4=X5 (ne/> X3>X5)
    <- plus-left-preserves-gt* X2>X4 X1+X2=X3 X1+X4=X5 X3>X5.

%worlds () (plus-left-preserves-ne* X2<>X4 X1+X2=X3 X1+X4=X5 X3<>X5).
%total {} (plus-left-preserves-ne* _ _ _ _).


% X1+X2=X3, Y1+Y2=Y3, X1=Y1, X3 <> Y3  ==>  X2 <> Y2.
%theorem plus-left-cancels-ne :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {G3:ne X3 Y3}
    exists {G2:ne X2 Y2}
    true.

- : plus-left-cancels-ne X1+X2=X3 X1+Y2=Y3 eq/ (ne/< Y3>X3) (ne/< Y2>X2)
    <- plus-left-cancels-gt X1+Y2=Y3 X1+X2=X3 eq/ Y3>X3 Y2>X2.
% Second case of plus-left-cancels-ne (ne/>): cancel with the gt lemma directly.
- : plus-left-cancels-ne X1+X2=X3 X1+Y2=Y3 eq/ (ne/> X3>Y3) (ne/> X2>Y2)
    <- plus-left-cancels-gt X1+X2=X3 X1+Y2=Y3 eq/ X3>Y3 X2>Y2.

%worlds () (plus-left-cancels-ne X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3<>Y3 X2<>Y2).
%total {} (plus-left-cancels-ne _ _ _ _ _).


% Existential form of plus-left-preserves-ne*: both sums are produced with
% plus-total.
%theorem plus-left-preserves-ne :
    forall* {X1} {X2} {X4}
    forall {G:ne X2 X4}
    exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:ne X3 X5}
    true.

- : plus-left-preserves-ne X2<>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<>X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-ne* X2<>X4 X1+X2=A3 X1+X4=X5 X3<>X5.

%worlds () (plus-left-preserves-ne X2<>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<>X5).
%total {} (plus-left-preserves-ne _ _ _ _ _ _).


% X1 <> X2, X1+X3=X4, X2+X3=X5  ==>  X4 <> X5.
% Reduced to the left-hand version by commuting both sums.
%theorem plus-right-preserves-ne* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:ne X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5}
    exists {G2:ne X4 X5}
    true.

- : plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-ne* X1<>X2 X3+X1=X4 X3+X2=X5 X4<>X5.

%worlds () (plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5).
%total {} (plus-right-preserves-ne* _ _ _ _).


% Existential form of plus-right-preserves-ne*: both sums are produced with
% plus-total.
%theorem plus-right-preserves-ne :
    forall* {X1} {X2} {X3}
    forall {G1:ne X1 X2}
    exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:ne X4 X5}
    true.

- : plus-right-preserves-ne X1<>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<>X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5.

%worlds () (plus-right-preserves-ne X1<>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<>X5).
%total {} (plus-right-preserves-ne _ _ _ _ _ _).


% X1+X2=X3, Y1+Y2=Y3, X2=Y2, X3 <> Y3  ==>  X1 <> Y1.
% Reduced to plus-left-cancels-ne by commuting both sums.
%theorem plus-right-cancels-ne :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:ne X3 Y3}
    exists {G1:ne X1 Y1}
    true.

- : plus-right-cancels-ne X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<>Y3 X1<>Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-ne X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3<>Y3 X1<>Y1.
% World and totality declarations for plus-right-cancels-ne.
%worlds () (plus-right-cancels-ne X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<>Y3 X1<>Y1).
%total {} (plus-right-cancels-ne _ _ _ _ _).


%%%%% nat-less.elf
%%%%% Inverse relations for natural numbers
%%%%% This file is part of the nat.elf signature

% NOTE(review): several declarations in this section are visibly truncated —
% wherever a `<` was followed later by a `>`, the text in between appears to
% have been lost (probably stripped as markup). Each affected declaration is
% flagged below and left exactly as found; restore them from the original
% signature before type-checking. The definition of `le`, which later lemmas
% use, is among the lost text.

%%%% Definitions

% lt is gt with its arguments swapped.
%abbrev lt = [X] [Y] gt Y X.


%%%% Theorems about lt

% Anything follows from void; no clauses are needed.
%theorem false-implies-lt :
    forall* {X1} {X2}
    forall {F:void}
    exists {G:lt X1 X2}
    true.

%worlds () (false-implies-lt _ _).
%total { } (false-implies-lt _ _).


% lt is preserved when both sides are replaced by equal terms.
%theorem lt-respects-eq :
    forall* {X1} {X2} {Y1} {Y2}
    forall {D1:lt X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {D2:lt Y1 Y2}
    true.

% NOTE(review): truncated. The rest of lt-respects-eq and the statement of
% lt-anti-symmetric appear to be missing from the line below.
- : lt-respects-eq X1X1 X1>X2 R
    <- gt-anti-symmetric X1>X2 X2>X1 R.

%worlds () (lt-anti-symmetric _ _ _).
%total {} (lt-anti-symmetric _ _ _).


% X1 < X2, X2 < X3  ==>  X1 < X3.
%theorem lt-transitive :
    forall* {X1} {X2} {X3}
    forall {G1:lt X1 X2} {G2:lt X2 X3}
    exists {G3:lt X1 X3}
    true.

% NOTE(review): truncated. The end of the lt-transitive clause and the
% statement of plus-left-preserves-lt* appear to be missing.
- : lt-transitive X1X2 X1+X2=X3 X1+X4=X5 X5>X3
    <- plus-left-preserves-gt* X4>X2 X1+X4=X5 X1+X2=X3 X5>X3.

% NOTE(review): truncated. This %worlds declaration runs into the clause of
% plus-left-cancels-lt.
%worlds () (plus-left-preserves-lt* X2X3 Y2>X2
    <- plus-left-cancels-gt X1+Y2=X3 X1+X2=X3 eq/ Y3>X3 Y2>X2.

% NOTE(review): truncated. This %worlds declaration runs into the clause of
% le-anti-symmetric; the definition of le is presumably in the lost text.
%worlds () (plus-left-cancels-lt X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3=X1 X1>=X2 R
    <- ge-anti-symmetric X1>=X2 X2>=X1 R.

%worlds () (le-anti-symmetric _ _ _).
%total {} (le-anti-symmetric _ _ _).


% X1 <= X2, X2 <= X3  ==>  X1 <= X3.
% The two le proofs are handed to ge-transitive in swapped order.
%theorem le-transitive :
    forall* {X1} {X2} {X3}
    forall {G1:le X1 X2} {G2:le X2 X3}
    exists {G3:le X1 X3}
    true.

- : le-transitive X1<=X2 X2<=X3 X1<=X3
    <- ge-transitive X2<=X3 X1<=X2 X1<=X3.

%worlds () (le-transitive X1<=X2 X2<=X3 X1<=X3).
%total {} (le-transitive _ _ _).

%abbrev le-reflexive = ge-reflexive.


% X1 <= X2, X2 < X3  ==>  X1 < X3.
%theorem le-transitive-lt:
    forall* {X1} {X2} {X3}
    forall {L1:le X1 X2} {L2:lt X2 X3}
    exists {L3:lt X1 X3}
    true.

- : le-transitive-lt X2>=X1 X3>X2 X3>X1
    <- gt-transitive-ge X3>X2 X2>=X1 X3>X1.

% NOTE(review): truncated. This %worlds declaration runs into the clause of
% lt-transitive-le.
%worlds () (le-transitive-lt X1<=X2 X2X1 X3>=X2 X3>X1
    <- ge-transitive-gt X3>=X2 X2>X1 X3>X1.

% NOTE(review): truncated. This %worlds declaration runs into the clause of
% plus-left-preserves-le*.
%worlds () (lt-transitive-le X1=X2 X1+X2=X3 X1+X4=X5 X5>=X3
    <- plus-left-preserves-ge* X4>=X2 X1+X4=X5 X1+X2=X3 X5>=X3.
% NOTE(review): `le` is not defined in the visible text of this file; the
% clauses below pass le proofs straight to ge lemmas with the operands swapped,
% so le presumably abbreviates ge with its arguments reversed — confirm against
% the original signature.

% World and totality declarations for plus-left-preserves-le*.
%worlds () (plus-left-preserves-le* X2<=X4 X1+X2=X3 X1+X4=X5 X3<=X5).
%total {} (plus-left-preserves-le* _ _ _ _).


% X1+X2=X3, Y1+Y2=Y3, X1=Y1, X3 <= Y3  ==>  X2 <= Y2.
% Delegates to plus-left-cancels-ge with the two sums swapped.
%theorem plus-left-cancels-le :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {R3:le X3 Y3}
    exists {R2:le X2 Y2}
    true.

- : plus-left-cancels-le X1+X2=X3 X1+Y2=X3 eq/ Y3>=X3 Y2>=X2
    <- plus-left-cancels-ge X1+Y2=X3 X1+X2=X3 eq/ Y3>=X3 Y2>=X2.

%worlds () (plus-left-cancels-le X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3<=Y3 X2<=Y2).
%total {} (plus-left-cancels-le _ _ _ _ _).


% Existential form of plus-left-preserves-le*: both sums are produced with
% plus-total.
%theorem plus-left-preserves-le :
    forall* {X1} {X2} {X4}
    forall {G:le X2 X4}
    exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:le X3 X5}
    true.

- : plus-left-preserves-le X2<=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<=X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-le* X2<=X4 X1+X2=A3 X1+X4=X5 X3<=X5.

%worlds () (plus-left-preserves-le X2<=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<=X5).
%total {} (plus-left-preserves-le _ _ _ _ _ _).


% X1 <= X2, X1+X3=X4, X2+X3=X5  ==>  X4 <= X5.
% Reduced to the left-hand version by commuting both sums.
%theorem plus-right-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:le X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5}
    exists {G2:le X4 X5}
    true.

- : plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-le* X1<=X2 X3+X1=X4 X3+X2=X5 X4<=X5.

%worlds () (plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5).
%total {} (plus-right-preserves-le* _ _ _ _).


% Existential form of plus-right-preserves-le*: both sums are produced with
% plus-total.
%theorem plus-right-preserves-le :
    forall* {X1} {X2} {X3}
    forall {G1:le X1 X2}
    exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:le X4 X5}
    true.

- : plus-right-preserves-le X1<=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<=X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5.

%worlds () (plus-right-preserves-le X1<=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<=X5).
%total {} (plus-right-preserves-le _ _ _ _ _ _).
% X1 <= Y1, X2 <= Y2, X1+X2=X3, Y1+Y2=Y3  ==>  X3 <= Y3.
% Goes through the intermediate sum X = Y1+X2 and uses transitivity of le.
%theorem plus-preserves-le* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3}
    exists {G3:le X3 Y3}
    true.

- : plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3
    <- plus-total Y1+X2=X
    <- plus-right-preserves-le* X1<=Y1 X1+X2=X3 Y1+X2=X X3<=X
    <- plus-left-preserves-le* X2<=Y2 Y1+X2=X Y1+Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.

%worlds () (plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3).
%total {} (plus-preserves-le* _ _ _ _ _).


% Existential form of plus-preserves-le*: both sums are produced with plus-total.
%theorem plus-preserves-le :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:le X1 Y1} {G2:le X2 Y2}
    exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:le X3 Y3}
    true.

- : plus-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3<=Y3
    <- plus-total X1+X2=X3
    <- plus-total Y1+Y2=Y3
    <- plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3.

%worlds () (plus-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3<=Y3).
%total {} (plus-preserves-le _ _ _ _ _ _ _).


% X1+X2=X3, Y1+Y2=Y3, X2=Y2, X3 <= Y3  ==>  X1 <= Y1.
% Reduced to plus-left-cancels-le by commuting both sums.
%theorem plus-right-cancels-le :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:le X3 Y3}
    exists {G1:le X1 Y1}
    true.

- : plus-right-cancels-le X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<=Y3 X1<=Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-le X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3<=Y3 X1<=Y1.

%worlds () (plus-right-cancels-le X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<=Y3 X1<=Y1).
%total {} (plus-right-cancels-le _ _ _ _ _).


% X2 <= X4, X1*X2=X3, X1*X4=X5  ==>  X3 <= X5.
% Delegates to times-left-preserves-ge* with the two products swapped.
%theorem times-left-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {R1:le X2 X4} {OP1:times X1 X2 X3} {OP2:times X1 X4 X5}
    exists {R2:le X3 X5}
    true.

- : times-left-preserves-le* X4>=X2 X1*X2=X3 X1*X4=X5 X5>=X3
    <- times-left-preserves-ge* X4>=X2 X1*X4=X5 X1*X2=X3 X5>=X3.

%worlds () (times-left-preserves-le* X2<=X4 X1*X2=X3 X1*X4=X5 X3<=X5).
%total {} (times-left-preserves-le* _ _ _ _).
% Existential form of times-left-preserves-le*: both products are produced
% with times-total.
%theorem times-left-preserves-le :
    forall* {X1} {X2} {X4}
    forall {G:le X2 X4}
    exists {X3} {X5} {O1:times X1 X2 X3} {O2:times X1 X4 X5} {G2:le X3 X5}
    true.

- : times-left-preserves-le X2<=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3<=X5
    <- times-total X1*X2=A3
    <- times-total X1*X4=X5
    <- times-left-preserves-le* X2<=X4 X1*X2=A3 X1*X4=X5 X3<=X5.

%worlds () (times-left-preserves-le X2<=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3<=X5).
%total {} (times-left-preserves-le _ _ _ _ _ _).


% X1 <= X2, X1*X3=X4, X2*X3=X5  ==>  X4 <= X5.
% Reduced to the left-hand version by commuting both products.
%theorem times-right-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:le X1 X2} {O1:times X1 X3 X4} {O2:times X2 X3 X5}
    exists {G2:le X4 X5}
    true.

- : times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5
    <- times-commutative X1*X3=X4 X3*X1=X4
    <- times-commutative X2*X3=X5 X3*X2=X5
    <- times-left-preserves-le* X1<=X2 X3*X1=X4 X3*X2=X5 X4<=X5.

%worlds () (times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5).
%total {} (times-right-preserves-le* _ _ _ _).


% Existential form of times-right-preserves-le*: both products are produced
% with times-total.
%theorem times-right-preserves-le :
    forall* {X1} {X2} {X3}
    forall {G1:le X1 X2}
    exists {X4} {X5} {O1:times X1 X3 X4} {O2:times X2 X3 X5} {G2:le X4 X5}
    true.

- : times-right-preserves-le X1<=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4<=X5
    <- times-total X1*X3=X4
    <- times-total X2*X3=X5
    <- times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5.

%worlds () (times-right-preserves-le X1<=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4<=X5).
%total {} (times-right-preserves-le _ _ _ _ _ _).


% X1 <= Y1, X2 <= Y2, X1*X2=X3, Y1*Y2=Y3  ==>  X3 <= Y3.
% Goes through the intermediate product X = Y1*X2 and uses transitivity of le.
%theorem times-preserves-le* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:times X1 X2 X3} {MY:times Y1 Y2 Y3}
    exists {G3:le X3 Y3}
    true.

- : times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3
    <- times-total Y1*X2=X
    <- times-right-preserves-le* X1<=Y1 X1*X2=X3 Y1*X2=X X3<=X
    <- times-left-preserves-le* X2<=Y2 Y1*X2=X Y1*Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.

%worlds () (times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3).
%total {} (times-preserves-le* _ _ _ _ _).
% Existential form of times-preserves-le*: both products are produced with
% times-total.
%theorem times-preserves-le :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:le X1 Y1} {G2:le X2 Y2}
    exists {X3} {Y3} {MX:times X1 X2 X3} {MY:times Y1 Y2 Y3} {G3:le X3 Y3}
    true.

- : times-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1*X2=X3 Y1*Y2=Y3 X3<=Y3
    <- times-total X1*X2=X3
    <- times-total Y1*Y2=Y3
    <- times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3.

%worlds () (times-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1*X2=X3 Y1*Y2=Y3 X3<=Y3).
%total {} (times-preserves-le _ _ _ _ _ _ _).


%%%%% nat-inv-comp.elf
%%%%% Theorems about minus and composed relations
%%%%% This file is part of the nat.elf signature

%%%% Theorems

%%% Theorems about minus

% NOTE(review): `minus` is not defined in the visible text. The clauses below
% name each `minus X1 X2 X3` argument X3+X2=X1 and pass it to plus lemmas, so
% minus presumably abbreviates plus with its arguments rearranged — confirm
% against the original signature.

% X2 >= X4, X1-X2=X3, X1-X4=X5  ==>  X5 >= X3
% (subtracting more leaves less).
%theorem minus-left-inverts-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5}
    exists {GP:ge X5 X3}
    true.

- : minus-left-inverts-ge* X2>=X4 X3+X2=X1 X5+X4=X1 X5>=X3
    <- plus-total X3+X4=X7
    <- plus-left-preserves-ge* X2>=X4 X3+X2=X1 X3+X4=X7 X1>=X7
    <- plus-right-cancels-ge X5+X4=X1 X3+X4=X7 eq/ X1>=X7 X5>=X3.

%worlds () (minus-left-inverts-ge* X2>=X4 X1-X2=X3 X1-X4=X5 X5>=X3).
%total {} (minus-left-inverts-ge* _ _ _ _).


% X1 >= X2, X1-X3=X4, X2-X3=X5  ==>  X4 >= X5.
%theorem minus-right-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5}
    exists {GP:ge X4 X5}
    true.

- : minus-right-preserves-ge* X1>=X2 X4+X3=X1 X5+X3=X2 X4>=X5
    <- plus-right-cancels-ge X4+X3=X1 X5+X3=X2 eq/ X1>=X2 X4>=X5.

%worlds () (minus-right-preserves-ge* X1>=X2 X1-X3=X4 X2-X3=X5 X4>=X5).
%total {} (minus-right-preserves-ge* _ _ _ _).


% X1-X2=X3, X4-X5=X6, X1=X4, X3 >= X6  ==>  X5 >= X2.
%theorem minus-left-cancels-inverts-ge :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:ge X3 X6}
    exists {GP:ge X5 X2}
    true.

- : minus-left-cancels-inverts-ge X3+X2=X1 X6+X5=X4 X1=X4 X3>=X6 X5>=X2
    <- plus-total X6+X2=X7
    <- plus-right-preserves-ge* X3>=X6 X3+X2=X1 X6+X2=X7 X1>=X7
    <- eq-symmetric X1=X4 X4=X1
    <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1
    <- plus-left-cancels-ge X6+X5=X1 X6+X2=X7 eq/ X1>=X7 X5>=X2.
% World and totality declarations for minus-left-cancels-inverts-ge.
%worlds () (minus-left-cancels-inverts-ge X1-X2=X3 X4-X5=X6 X1=X4 X3>=X6 X5>=X2).
%total {} (minus-left-cancels-inverts-ge _ _ _ _ _).


% X1-X2=X3, X4-X5=X6, X2=X5, X3 >= X6  ==>  X1 >= X4.
% The first subgoal rewrites the subtrahend X2 to X5 so both sums share it.
%theorem minus-right-cancels-ge :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:ge X3 X6}
    exists {G1:ge X1 X4}
    true.

- : minus-right-cancels-ge X3+X2=X1 X6+X5=X4 X2=X5 X3>=X6 X1>=X4
    <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1
    <- plus-right-preserves-ge* X3>=X6 X3+X5=X1 X6+X5=X4 X1>=X4.

%worlds () (minus-right-cancels-ge X1-X2=X3 X4-X5=X6 X2=X5 X3>=X6 X1>=X4).
%total {} (minus-right-cancels-ge _ _ _ _ _).


% X2 <> X4, X1-X2=X3, X1-X4=X5  ==>  X3 <> X5.
%theorem minus-left-preserves-ne* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ne X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5}
    exists {GP:ne X3 X5}
    true.

- : minus-left-preserves-ne* X2<>X4 X3+X2=X1 X5+X4=X1 X3<>X5
    <- plus-total X3+X4=X7
    <- plus-left-preserves-ne* X2<>X4 X3+X2=X1 X3+X4=X7 X1<>X7
    <- plus-right-cancels-ne X5+X4=X1 X3+X4=X7 eq/ X1<>X7 X5<>X3
    <- ne-symmetric X5<>X3 X3<>X5.

%worlds () (minus-left-preserves-ne* X2<>X4 X1-X2=X3 X1-X4=X5 X3<>X5).
%total {} (minus-left-preserves-ne* _ _ _ _).


% X1 <> X2, X1-X3=X4, X2-X3=X5  ==>  X4 <> X5.
%theorem minus-right-preserves-ne* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ne X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5}
    exists {GP:ne X4 X5}
    true.

- : minus-right-preserves-ne* X1<>X2 X4+X3=X1 X5+X3=X2 X4<>X5
    <- plus-right-cancels-ne X4+X3=X1 X5+X3=X2 eq/ X1<>X2 X4<>X5.

%worlds () (minus-right-preserves-ne* X1<>X2 X1-X3=X4 X2-X3=X5 X4<>X5).
%total {} (minus-right-preserves-ne* _ _ _ _).


% X1-X2=X3, X4-X5=X6, X1=X4, X3 <> X6  ==>  X2 <> X5.
% Statement only; the proof clause and %worlds/%total follow.
%theorem minus-left-cancels-ne :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:ne X3 X6}
    exists {GP:ne X2 X5}
    true.
% Proof clause for minus-left-cancels-ne: compare both minuends through the
% auxiliary sum X7 = X6+X2, then flip the resulting ne with ne-symmetric.
- : minus-left-cancels-ne X3+X2=X1 X6+X5=X4 X1=X4 X3<>X6 X2<>X5
    <- plus-total X6+X2=X7
    <- plus-right-preserves-ne* X3<>X6 X3+X2=X1 X6+X2=X7 X1<>X7
    <- eq-symmetric X1=X4 X4=X1
    <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1
    <- plus-left-cancels-ne X6+X5=X1 X6+X2=X7 eq/ X1<>X7 X5<>X2
    <- ne-symmetric X5<>X2 X2<>X5.

%worlds () (minus-left-cancels-ne X1-X2=X3 X4-X5=X6 X1=X4 X3<>X6 X2<>X5).
%total {} (minus-left-cancels-ne _ _ _ _ _).


% X1-X2=X3, X4-X5=X6, X2=X5, X3 <> X6  ==>  X1 <> X4.
%theorem minus-right-cancels-ne :
    forall* {X1} {X2} {X3} {X4} {X5} {X6}
    forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:ne X3 X6}
    exists {G1:ne X1 X4}
    true.

- : minus-right-cancels-ne X3+X2=X1 X6+X5=X4 X2=X5 X3<>X6 X1<>X4
    <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1
    <- plus-right-preserves-ne* X3<>X6 X3+X5=X1 X6+X5=X4 X1<>X4.

%worlds () (minus-right-cancels-ne X1-X2=X3 X4-X5=X6 X2=X5 X3<>X6 X1<>X4).
%total {} (minus-right-cancels-ne _ _ _ _ _).


%%%%% nat-inv-less.elf
%%%%% Theorems about minus and inverted relations
%%%%% This file is part of the nat.elf signature

%%%% Theorems

%%% Theorems about minus

% X2 < X4, X1-X2=X3, X1-X4=X5  ==>  X5 < X3.
%theorem minus-left-inverts-lt* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:lt X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5}
    exists {GP:lt X5 X3}
    true.

% NOTE(review): the line below is badly truncated — everything between a `<`
% and a much later `>` appears to have been lost (probably stripped as markup).
% The missing text seems to cover the rest of this proof, whatever followed it
% in nat-inv-less.elf, and the start of the type declaration of `divrem`
% (only the tail `nat -> nat -> nat -> type.` survives). Restore from the
% original signature before type-checking.
- : minus-left-inverts-lt* X2 nat -> nat -> nat -> type.

% divrem M N Q R: dividing M by N gives quotient Q and remainder R.
% Base case: when N > M the quotient is zero and the remainder is M.
divrem/z : divrem M N z M
    <- gt N M.

% Step case: if D + (N- + 1) = M and D divides to (Q, R), then M divides to (Q+1, R).
divrem/s : divrem M (s N-) (s Q) R
    <- plus D (s N-) M
    <- divrem D (s N-) Q R.


%%%% Theorems

%%% Theorems about divrem

% Anything follows from void; no clauses are needed.
%theorem false-implies-divrem :
    forall* {M} {N} {Q} {R}
    forall {F:void}
    exists {D:divrem M N Q R}
    true.

%worlds () (false-implies-divrem _ M/N=Q,R).
%total {} (false-implies-divrem _ _).


% divrem is preserved when all four arguments are replaced by equal terms.
%theorem divrem-respects-eq :
    forall* {M} {N} {Q} {R} {M'} {N'} {Q'} {R'}
    forall {D:divrem M N Q R} {E1:eq M M'} {E2:eq N N'} {E3:eq Q Q'} {E4:eq R R'}
    exists {D':divrem M' N' Q' R'}
    true.

- : divrem-respects-eq D eq/ eq/ eq/ eq/ D.

%worlds () (divrem-respects-eq M/N=Q,R M=M' N=N' Q=Q' R=R' M'/N'=Q',R').
%total {} (divrem-respects-eq _ _ _ _ _ _).
% Totality helper for divrem with a successor divisor (s N-1), driven by a
% three-way comparison of M with N-1.
%   equal / less : M < N-1 + 1, so the quotient is z and the remainder is M.
%   greater      : M = D + (N-1 + 1) for some D < M; recurse on D.
%theorem divrem-total** :
    forall {M} {N-1} {C} {CMP:compare M N-1 C}
    exists {Q} {R} {D:divrem M (s N-1) Q R}
    true.

- : divrem-total** M N-1 equal CMP z M (divrem/z N>M)
    <- equal-implies-eq CMP M=N-1
    <- succ-implies-gt eq/ N>N-1
    <- eq-symmetric M=N-1 N-1=M
    <- gt-respects-eq N>N-1 eq/ N-1=M N>M.

- : divrem-total** M N-1 less CMP z M (divrem/z N>M)
    <- less-implies-lt CMP N-1>M
    <- succ-implies-gt eq/ N>N-1
    <- gt-transitive N>N-1 N-1>M N>M.

% NOTE(review): the meta-gt subgoal presumably exists so the termination
% checker can see that the recursive call is on a smaller first argument
% (D < M); confirm against the definition of meta-gt.
- : divrem-total** M N-1 greater CMP (s Q) R (divrem/s D/N=Q,R D+N=M)
    <- greater-implies-gt CMP M>N-1
    <- gt-implies-plus M>N-1 D SD+N-1=M
    <- plus-swap-succ SD+N-1=M D+N=M
    <- plus-commutative D+N=M N+D=M
    <- plus-implies-gt N+D=M eq/ M>D
    <- meta-gt M D M>D
    <- compare-total* D N-1 C' CMP'
    <- divrem-total** D N-1 C' CMP' Q R D/N=Q,R.

%worlds () (divrem-total** M N-1 C MCN Q R M/N=Q,R).
%total (M) (divrem-total** M _ _ _ _ _ _).


% divrem is total for every dividend M and every successor divisor (s N-).
%theorem divrem-total* :
    forall {M} {N-}
    exists {Q} {R} {D:divrem M (s N-) Q R}
    true.

- : divrem-total* M N-1 Q R M/N=Q,R
    <- compare-total* M N-1 C CMP
    <- divrem-total** M N-1 C CMP Q R M/N=Q,R.

%worlds () (divrem-total* M N-1 Q R M/N=Q,R).
%total {} (divrem-total* _ _ _ _ _).

% Convenience form with the explicit arguments left implicit.
%abbrev divrem-total = divrem-total* _ _ _ _.


% Equal dividends and divisors give equal quotients and remainders.
%theorem divrem-deterministic :
    forall* {M} {N} {Q} {R} {M'} {N'} {Q'} {R'}
    forall {D:divrem M N Q R} {D':divrem M' N' Q' R'} {E1:eq M M'} {E2:eq N N'}
    exists {E3:eq Q Q'} {E4:eq R R'}
    true.

- : divrem-deterministic (divrem/z _) (divrem/z _) eq/ eq/ eq/ eq/.

- : divrem-deterministic (divrem/s D/N=Q,R D+N=M) (divrem/s D'/N=Q',R' D'+N=M)
        eq/ eq/ SQ=SQ' R=R'
    <- plus-right-cancels D+N=M D'+N=M eq/ eq/ D=D'
    <- divrem-deterministic D/N=Q,R D'/N=Q',R' D=D' eq/ Q=Q' R=R'
    <- succ-deterministic Q=Q' SQ=SQ'.

%% contradiction cases:
% A divrem/z derivation needs N > M, a divrem/s derivation needs D + N = M;
% the two together yield void, from which both equalities follow.

- : divrem-deterministic (divrem/z N>M) (divrem/s _ D+N=M) eq/ eq/ Q=Q' R=R'
    <- plus-commutative D+N=M N+D=M
    <- plus-gt-contradiction N+D=M N>M F
    <- false-implies-eq F Q=Q'
    <- false-implies-eq F R=R'.
% Remaining contradiction case of divrem-deterministic (divrem/s against
% divrem/z): D + N = M and N > M together yield void.
- : divrem-deterministic (divrem/s _ D+N=M) (divrem/z N>M) eq/ eq/ Q=Q' R=R'
    <- plus-commutative D+N=M N+D=M
    <- plus-gt-contradiction N+D=M N>M F
    <- false-implies-eq F Q=Q'
    <- false-implies-eq F R=R'.

%worlds () (divrem-deterministic M/N=Q,R M'/N'=Q'/R' M=M' N=N' Q=Q' R=R').
%total (D) (divrem-deterministic D _ _ _ _ _).


% Any divisor appearing in a divrem derivation is a successor.
%theorem divrem-implies-positive :
    forall* {M} {N} {Q} {R}
    forall {D:divrem M N Q R}
    exists {N-1} {E:eq N (s N-1)}
    true.

- : divrem-implies-positive (divrem/z N>M) N-1 N=sN-1
    <- gt-implies-positive N>M N-1 N=sN-1.

- : divrem-implies-positive (divrem/s _ _) _ eq/.

%worlds () (divrem-implies-positive M/N=Q,R N-1 N=sN-1).
%total {} (divrem-implies-positive _ _ _).


% The remainder is strictly smaller than the divisor: N > R.
%theorem divrem-implies-gt :
    forall* {M} {N} {Q} {R}
    forall {D:divrem M N Q R}
    exists {G:gt N R}
    true.

- : divrem-implies-gt (divrem/z N>M) N>M.

- : divrem-implies-gt (divrem/s D/N=Q,R _) N>R
    <- divrem-implies-gt D/N=Q,R N>R.

%worlds () (divrem-implies-gt M/N=Q,R N>R).
%total D (divrem-implies-gt D _).


% A remainder R with N + X = R cannot exist, since it would give R >= N
% while divrem guarantees N > R.
%theorem divrem-contradiction :
    forall* {M} {N} {Q} {R} {X}
    forall {D:divrem M N Q R} {P:plus N X R}
    exists {F:void}
    true.

- : divrem-contradiction D P F
    <- divrem-implies-gt D N>R
    <- plus-commutative P Pc
    <- plus-implies-ge Pc R>=N
    <- gt-transitive-ge N>R R>=N N>N
    <- gt-anti-reflexive N>N F.

%worlds () (divrem-contradiction _ _ _).
%total { } (divrem-contradiction _ _ _).


% divrem M N Q R  ==>  there is X with Q*N = X and X+R = M.
%theorem divrem-can-be-inverted :
    forall* {M} {N} {Q} {R}
    forall {D:divrem M N Q R}
    exists {X} {T:times Q N X} {P:plus X R M}
    true.

- : divrem-can-be-inverted (divrem/z _) z times/z plus/z.

- : divrem-can-be-inverted (divrem/s D/N=Q,R D+N=M) X (times/s Q*N=Y Y+N=X) X+R=M
    <- divrem-can-be-inverted D/N=Q,R Y Q*N=Y Y+R=D
    <- plus-commutative Y+R=D R+Y=D
    <- plus-associative R+Y=D D+N=M X Y+N=X R+X=M
    <- plus-commutative R+X=M X+R=M.

%worlds () (divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M).
%total (D) (divrem-can-be-inverted D _ _ _).
% Exact division: divrem M N Q z  ==>  Q*N = M.
%theorem div-can-be-inverted :
    forall* {M} {N} {Q}
    forall {D:divrem M N Q z}
    exists {T:times Q N M}
    true.

- : div-can-be-inverted (divrem/z _) times/z.

- : div-can-be-inverted (divrem/s D/N=Q,z D+N=M) (times/s Q*N=D D+N=M)
    <- div-can-be-inverted D/N=Q,z Q*N=D.

%worlds () (div-can-be-inverted _ _).
%total (D) (div-can-be-inverted D _).


% Converse of divrem-can-be-inverted:
% Q*N = X, X+R = M, N > R  ==>  divrem M N Q R.
% The last clause covers a zero divisor, where N > R is itself contradictory.
%theorem divrem-can-be-constructed :
    forall* {M} {N} {Q} {R} {X}
    forall {T:times Q N X} {P:plus X R M} {G:gt N R}
    exists {D:divrem M N Q R}
    true.

- : divrem-can-be-constructed (times/z) (plus/z) N>R (divrem/z N>R).

- : divrem-can-be-constructed (times/s Q*N=Y Y+N=X) X+R=M N>R
        (divrem/s Z/N=Q,R Z+N=M)
    <- plus-commutative Y+N=X N+Y=X
    <- plus-associative N+Y=X X+R=M Z Y+R=Z N+Z=M
    <- plus-commutative N+Z=M Z+N=M
    <- divrem-can-be-constructed Q*N=Y Y+R=Z N>R Z/N=Q,R.

- : divrem-can-be-constructed _ _ ZERO>R D
    <- gt-contradiction ZERO>R F
    <- false-implies-divrem F D.

%worlds () (divrem-can-be-constructed Q*N=X X+R=M N>R M/N=Q,R).
%total (T) (divrem-can-be-constructed T _ _ _).


% Exact division, converse: Q*(N+1) = M  ==>  divrem M (N+1) Q z.
%theorem div-can-be-constructed :
    forall* {M} {N} {Q}
    forall {T:times Q (s N) M}
    exists {D:divrem M (s N) Q z}
    true.

- : div-can-be-constructed (times/z) (divrem/z N+1>0)
    <- succ-implies-gt-zero _ N+1>0.

- : div-can-be-constructed (times/s Q*sN=D D+sN=M) (divrem/s D/sN=Q,z D+sN=M)
    <- div-can-be-constructed Q*sN=D D/sN=Q,z.

%worlds () (div-can-be-constructed _ _).
%total (T) (div-can-be-constructed T _).


% With a nonzero remainder the dividend exceeds the quotient:
% divrem M N Q (R+1)  ==>  M > Q.
%theorem remainder-implies-gt-quotient :
    forall* {M} {N} {Q} {R}
    forall {D:divrem M N Q (s R)}
    exists {G:gt M Q}
    true.

- : remainder-implies-gt-quotient (divrem/z _) R+1>0
    <- succ-implies-gt-zero _ R+1>0.

- : remainder-implies-gt-quotient (divrem/s D/N=Q,sR D+N=M) M>sQ
    <- remainder-implies-gt-quotient D/N=Q,sR D>Q
    <- gt-implies-ge-succ D>Q D>=sQ
    <- plus-commutative D+N=M N+D=M
    <- plus-implies-gt N+D=M eq/ M>D
    <- gt-transitive-ge M>D D>=sQ M>sQ.

%worlds () (remainder-implies-gt-quotient _ _).
%total (D) (remainder-implies-gt-quotient D _).
% Dividing a nonzero M by a divisor of at least two gives a strictly smaller
% quotient: divrem M (N+2) Q R, M = M- + 1  ==>  M > Q.
% First clause: the M > 0 fact doubles as M > Q (it can only type-check when
% Q is zero). Second clause: M >= X = Q*N > Q*1 = Q.
%theorem quotient-of-nonzero-is-smaller :
    forall* {M} {N} {Q} {R} {M-}
    forall {DR:divrem M (s (s N)) Q R} {EN:eq M (s M-)}
    exists {G:gt M Q}
    true.

- : quotient-of-nonzero-is-smaller _ eq/ M>0
    <- succ-implies-gt-zero _ M>0.

- : quotient-of-nonzero-is-smaller M/N=Q,R eq/ M>Q
    <- divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M
    <- times-right-identity _ Q*1=Q
    <- succ-implies-gt-zero _ N->0
    <- succ-preserves-gt N->0 N>1
    <- times-left-preserves-gt N>1 Q*N=X Q*1=Q X>Q
    <- plus-commutative X+R=M R+X=M
    <- plus-implies-ge R+X=M M>=X
    <- ge-transitive-gt M>=X X>Q M>Q.

%worlds () (quotient-of-nonzero-is-smaller _ _ _).
%total { } (quotient-of-nonzero-is-smaller _ _ _).


% The quotient never exceeds the dividend: divrem M N Q R  ==>  M >= Q.
% Uses that the divisor is a successor (N >= 1), so Q*N >= Q*1 = Q.
%theorem quotient-is-no-greater :
    forall* {M} {N} {Q} {R}
    forall {DR:divrem M N Q R}
    exists {ge:ge M Q}
    true.

- : quotient-is-no-greater M/N=Q,R M>=Q
    <- divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M
    <- divrem-implies-positive M/N=Q,R NN N=NN+1
    <- eq-symmetric N=NN+1 NN+1=N
    <- succ-implies-gt-zero NN NN+1>0
    <- gt-respects-eq NN+1>0 NN+1=N eq/ N>0
    <- gt-implies-ge-succ N>0 N>=1
    <- times-right-identity _ Q*1=Q
    <- times-left-preserves-ge* N>=1 Q*N=X Q*1=Q X>=Q
    <- plus-commutative X+R=M R+X=M
    <- plus-implies-ge R+X=M M>=X
    <- ge-transitive M>=X X>=Q M>=Q.

%worlds () (quotient-is-no-greater _ _).
%total { } (quotient-is-no-greater _ _).


%%%%% minmax.elf
%%%%% Minimum and Maximum functor
%%%%% John Boyland

% Minimum and maximum defined given anti-reflexive gt total order.
% We assume compare three-way comparison.
% We assume that ge is defined from gt and eq.

%%%% Definitions

% min X1 X2 X3: X3 is the smaller of X1 and X2.
min : nat -> nat -> nat -> type.

min/= : min X X X.

min/> : gt X1 X2 -> min X1 X2 X2.

min/< : gt X2 X1 -> min X1 X2 X1.

% max X1 X2 X3: X3 is the larger of X1 and X2.
max : nat -> nat -> nat -> type.

max/= : max X X X.

max/> : gt X1 X2 -> max X1 X2 X1.

max/< : gt X2 X1 -> max X1 X2 X2.


%%%% Theorems

%%% Theorems about min

% Anything follows from void; no clauses are needed.
%theorem false-implies-min :
    forall* {X1} {X2} {X3}
    forall {F:void}
    exists {M:min X1 X2 X3}
    true.

%worlds () (false-implies-min _ _).
%total { } (false-implies-min _ _).
% min is preserved when all three arguments are replaced by equal terms.
%theorem min-respects-eq :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {MX:min X1 X2 X3} {E1:eq X1 Y1} {E2:eq X2 Y2} {E3:eq X3 Y3}
    exists {MY:min Y1 Y2 Y3}
    true.

- : min-respects-eq M eq/ eq/ eq/ M.

%worlds () (min-respects-eq _ _ _ _ _).
%total { } (min-respects-eq _ _ _ _ _).


% Totality helper: each outcome of a three-way comparison maps to the
% matching min constructor.
%theorem min-total** :
    forall* {X1} {X2} {C}
    forall {D:compare X1 X2 C}
    exists {X3} {M:min X1 X2 X3}
    true.

- : min-total** compare/= _ min/=.

- : min-total** (compare/> X1>X2) _ (min/> X1>X2).

- : min-total** (compare/< X2>X1) _ (min/< X2>X1).

%worlds () (min-total** _ _ _).
%total { } (min-total** _ _ _).


% min is total: every pair X1, X2 has a minimum X3.
%theorem min-total* :
    forall {X1} {X2}
    exists {X3} {M:min X1 X2 X3}
    true.

- : min-total* X1 X2 X3 M
    <- compare-total D
    <- min-total** D X3 M.

%worlds () (min-total* _ _ _ _).
%total { } (min-total* _ _ _ _).

% Convenience form with the explicit arguments left implicit.
%abbrev min-total = min-total* _ _ _.


% Equal inputs give equal minimums. All nine constructor pairings are listed;
% the pairings min/> against min/< (and vice versa) are contradictory and are
% closed via gt-anti-symmetric.
%theorem min-deterministic :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {E3:eq X3 Y3}
    true.

- : min-deterministic (min/=) (min/=) eq/ eq/ eq/.

- : min-deterministic (min/=) (min/> X>X) eq/ eq/ eq/.

- : min-deterministic (min/=) (min/< X>X) eq/ eq/ eq/.

- : min-deterministic (min/> X>X) (min/=) eq/ eq/ eq/.

- : min-deterministic (min/> X>Y) (min/> X>YP) eq/ eq/ eq/.

- : min-deterministic (min/> X>Y) (min/< Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.

- : min-deterministic (min/< X>X) (min/=) eq/ eq/ eq/.

- : min-deterministic (min/< X>Y) (min/> Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.

- : min-deterministic (min/< X>Y) (min/< X>YP) eq/ eq/ eq/.

%worlds () (min-deterministic _ _ _ _ _).
%total { } (min-deterministic _ _ _ _ _).


% min X1 X2 X3  ==>  min X2 X1 X3.
%theorem min-commutative :
    forall* {X1} {X2} {X3}
    forall {M:min X1 X2 X3}
    exists {Mc:min X2 X1 X3}
    true.

- : min-commutative min/= min/=.

- : min-commutative (min/> X>Y) (min/< X>Y).

- : min-commutative (min/< X>Y) (min/> X>Y).

%worlds () (min-commutative _ _).
%total { } (min-commutative _ _).
% Order-theoretic properties of min: its relation to ge/le, monotonicity,
% greatest-lower-bound and associativity.  ge, le, gt and the transitivity
% lemmas are declared outside this section.
% Naming convention visible in the signatures below: a starred theorem
% takes every min derivation as an input, while the unstarred version
% produces the missing results existentially (usually via min-total).
% Identifiers such as X1&X2=X3 are ordinary variables naming a derivation
% of "min X1 X2 X3"; the spelling is mnemonic only.

% If X1 >= X2 then the minimum of X1 and X2 is X2.
%theorem ge-implies-min :
    forall* {X1} {X2}
    forall {G:ge X1 X2}
    exists {M:min X1 X2 X2}
    true.

- : ge-implies-min (ge/> X1>X2) (min/> X1>X2).
- : ge-implies-min (ge/= eq/) (min/=).

%worlds () (ge-implies-min _ _).
%total { } (ge-implies-min _ _).


% If X1 <= X2 then the minimum of X1 and X2 is X1.
%theorem le-implies-min :
    forall* {X1} {X2}
    forall {G:le X1 X2}
    exists {M:min X1 X2 X1}
    true.

% The le X1 X2 derivation is passed directly where ge X2 X1 is expected.
- : le-implies-min X2>=X1 M
    <- ge-implies-min X2>=X1 Mc
    <- min-commutative Mc M.

%worlds () (le-implies-min _ _).
%total { } (le-implies-min _ _).


% Both arguments are greater than or equal to their minimum.
%theorem min-implies-ge :
    forall* {X1} {X2} {X3}
    forall {M:min X1 X2 X3}
    exists {G1:ge X1 X3} {G2:ge X2 X3}
    true.

- : min-implies-ge min/= (ge/= eq/) (ge/= eq/).
- : min-implies-ge (min/> X1>X2) (ge/> X1>X2) (ge/= eq/).
- : min-implies-ge (min/< X2>X1) (ge/= eq/) (ge/> X2>X1).

%worlds () (min-implies-ge _ _ _).
%total { } (min-implies-ge _ _ _).


% With the left operand X1 fixed, min is monotone in its right operand:
% X2 >= X4 implies min X1 X2 >= min X1 X4.
%theorem min-left-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X2 X4} {M12:min X1 X2 X3} {M14:min X1 X4 X5}
    exists {G:ge X3 X5}
    true.

- : min-left-preserves-ge* _ min/= M G
    <- min-implies-ge M G _.
- : min-left-preserves-ge* X2>=X4 (min/> X1>X2) X1&X4=X5 X2>=X5
    <- min-implies-ge X1&X4=X5 _ X4>=X5
    <- ge-transitive X2>=X4 X4>=X5 X2>=X5.
- : min-left-preserves-ge* _ (min/< _) X1&X4=X5 X1>=X5
    <- min-implies-ge X1&X4=X5 X1>=X5 _.

%worlds () (min-left-preserves-ge* _ _ _ _).
%total { } (min-left-preserves-ge* _ _ _ _).


% The le form of the previous theorem, obtained by calling the ge form
% with the two min derivations exchanged.
%theorem min-left-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:le X2 X4} {M12:min X1 X2 X3} {M14:min X1 X4 X5}
    exists {G:le X3 X5}
    true.

- : min-left-preserves-le* G1 M12 M14 G2
    <- min-left-preserves-ge* G1 M14 M12 G2.

%worlds () (min-left-preserves-le* _ _ _ _).
%total { } (min-left-preserves-le* _ _ _ _).


% Existential form of min-left-preserves-ge*: the two minima are produced
% by min-total.
%theorem min-left-preserves-ge :
    forall* {X1} {X2} {X4}
    forall {G:ge X2 X4}
    exists {X3} {X5} {O1:min X1 X2 X3} {O2:min X1 X4 X5} {G2:ge X3 X5}
    true.

% NOTE(review): the derivation variable is spelled X1&X2=A3 although the
% result is called X3; variable names are not checked, so this is cosmetic.
- : min-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5
    <- min-total X1&X2=A3
    <- min-total X1&X4=X5
    <- min-left-preserves-ge* X2>=X4 X1&X2=A3 X1&X4=X5 X3>=X5.

%worlds () (min-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5).
%total {} (min-left-preserves-ge _ _ _ _ _ _).


% With the right operand X3 fixed, min is monotone in its left operand.
% Proved by commuting both min derivations and using the left version.
%theorem min-right-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:ge X1 X2} {O1:min X1 X3 X4} {O2:min X2 X3 X5}
    exists {G2:ge X4 X5}
    true.

- : min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5
    <- min-commutative X1&X3=X4 X3&X1=X4
    <- min-commutative X2&X3=X5 X3&X2=X5
    <- min-left-preserves-ge* X1>=X2 X3&X1=X4 X3&X2=X5 X4>=X5.

%worlds () (min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (min-right-preserves-ge* _ _ _ _).


% Existential form of min-right-preserves-ge*.
%theorem min-right-preserves-ge :
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2}
    exists {X4} {X5} {O1:min X1 X3 X4} {O2:min X2 X3 X5} {G2:ge X4 X5}
    true.

- : min-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5
    <- min-total X1&X3=X4
    <- min-total X2&X3=X5
    <- min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5.

%worlds () (min-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (min-right-preserves-ge _ _ _ _ _ _).


% min is monotone in both operands at once: X1 >= Y1 and X2 >= Y2 imply
% min X1 X2 >= min Y1 Y2.  The proof goes through the intermediate value
% X = min Y1 X2, changing one operand at a time.
%theorem min-preserves-ge* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3}
    exists {G3:ge X3 Y3}
    true.

- : min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
    <- min-total Y1&X2=X
    <- min-right-preserves-ge* X1>=Y1 X1&X2=X3 Y1&X2=X X3>=X
    <- min-left-preserves-ge* X2>=Y2 Y1&X2=X Y1&Y2=Y3 X>=Y3
    <- ge-transitive X3>=X X>=Y3 X3>=Y3.

%worlds () (min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (min-preserves-ge* _ _ _ _ _).


% Existential form of min-preserves-ge*.
%theorem min-preserves-ge :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2}
    exists {X3} {Y3} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {G3:ge X3 Y3}
    true.

- : min-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
    <- min-total X1&X2=X3
    <- min-total Y1&Y2=Y3
    <- min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3.

%worlds () (min-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (min-preserves-ge _ _ _ _ _ _ _).


% The following six theorems repeat the monotonicity results above with le
% in place of ge.

% Existential form of min-left-preserves-le*.
%theorem min-left-preserves-le :
    forall* {X1} {X2} {X4}
    forall {G:le X2 X4}
    exists {X3} {X5} {O1:min X1 X2 X3} {O2:min X1 X4 X5} {G2:le X3 X5}
    true.

- : min-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5
    <- min-total X1&X2=A3
    <- min-total X1&X4=X5
    <- min-left-preserves-le* X2<=X4 X1&X2=A3 X1&X4=X5 X3<=X5.

%worlds () (min-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5).
%total {} (min-left-preserves-le _ _ _ _ _ _).


% le-monotonicity in the left operand, by commuting and using the left form.
%theorem min-right-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:le X1 X2} {O1:min X1 X3 X4} {O2:min X2 X3 X5}
    exists {G2:le X4 X5}
    true.

- : min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5
    <- min-commutative X1&X3=X4 X3&X1=X4
    <- min-commutative X2&X3=X5 X3&X2=X5
    <- min-left-preserves-le* X1<=X2 X3&X1=X4 X3&X2=X5 X4<=X5.

%worlds () (min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (min-right-preserves-le* _ _ _ _).


% Existential form of min-right-preserves-le*.
%theorem min-right-preserves-le :
    forall* {X1} {X2} {X3}
    forall {G1:le X1 X2}
    exists {X4} {X5} {O1:min X1 X3 X4} {O2:min X2 X3 X5} {G2:le X4 X5}
    true.

- : min-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5
    <- min-total X1&X3=X4
    <- min-total X2&X3=X5
    <- min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5.

%worlds () (min-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (min-right-preserves-le _ _ _ _ _ _).


% le-monotonicity in both operands, via the intermediate X = min Y1 X2.
%theorem min-preserves-le* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3}
    exists {G3:le X3 Y3}
    true.

- : min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
    <- min-total Y1&X2=X
    <- min-right-preserves-le* X1<=Y1 X1&X2=X3 Y1&X2=X X3<=X
    <- min-left-preserves-le* X2<=Y2 Y1&X2=X Y1&Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.

%worlds () (min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (min-preserves-le* _ _ _ _ _).


% Existential form of min-preserves-le*.
%theorem min-preserves-le :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:le X1 Y1} {G2:le X2 Y2}
    exists {X3} {Y3} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {G3:le X3 Y3}
    true.

- : min-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
    <- min-total X1&X2=X3
    <- min-total Y1&Y2=Y3
    <- min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3.

%worlds () (min-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (min-preserves-le _ _ _ _ _ _ _).


% min is the greatest lower bound: anything below both X1 and X2 is below
% their minimum.  Each clause returns the bound for whichever argument the
% min rule selects.
%theorem min-is-glb :
    forall* {X1} {X2} {X3} {X4}
    forall {M:min X1 X2 X3} {G1:ge X1 X4} {G2:ge X2 X4}
    exists {G3:ge X3 X4}
    true.

- : min-is-glb min/= G _ G.
- : min-is-glb (min/> X1>X2) _ G G.
- : min-is-glb (min/< X2>X1) G _ G.

%worlds () (min-is-glb _ _ _ _).
%total { } (min-is-glb _ _ _ _).


% Associativity: from (X1 min X2) min X4 = X7 produce X6 = X2 min X4 with
% X1 min X6 = X7.  One clause per pair of rules for the two inputs.
%theorem min-associative :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {M12:min X1 X2 X3} {M34:min X3 X4 X7}
    exists {X6} {M24:min X2 X4 X6} {M16:min X1 X6 X7}
    true.

- : min-associative min/= min/= _ min/= min/=.
- : min-associative min/= (min/> X3>X4) _ (min/> X3>X4) (min/> X3>X4).
- : min-associative min/= (min/< X4>X3) _ (min/< X4>X3) (min/=).
- : min-associative (min/> X1>X2) min/= _ (min/=) (min/> X1>X2).
- : min-associative (min/> X1>X2) (min/> X2>X4) _ (min/> X2>X4) (min/> X1>X4)
    <- gt-transitive X1>X2 X2>X4 X1>X4.
- : min-associative (min/> X1>X2) (min/< X4>X2) _ (min/< X4>X2) (min/> X1>X2).
- : min-associative (min/< X2>X1) min/= _ (min/> X2>X1) min/=.
- : min-associative (min/< X2>X1) (min/> X1>X4) _ (min/> X2>X4) (min/> X1>X4)
    <- gt-transitive X2>X1 X1>X4 X2>X4.
% Here X1 is below both X2 and X4 but their relative order is unknown, so
% X6 comes from min-total and min-is-glb shows X6 >= X1.
- : min-associative (min/< X2>X1) (min/< X4>X1) _ M24 M16
    <- min-total M24
    <- min-is-glb M24 (ge/> X2>X1) (ge/> X4>X1) (X6>=X1: ge X6 X1)
    <- ge-implies-min X6>=X1 M16c
    <- min-commutative M16c M16.

%worlds () (min-associative _ _ _ _ _).
%total { } (min-associative _ _ _ _ _).


% Associativity with the inner result X2 min X3 supplied by the caller;
% min-deterministic identifies it with the one min-associative produces.
%theorem min-associative* :
    forall* {X1} {X2} {X12} {X3} {X23} {X123}
    forall {OP12:min X1 X2 X12} {OP12-3:min X12 X3 X123} {OP23:min X2 X3 X23}
    exists {OP1-23:min X1 X23 X123}
    true.

- : min-associative* X1&X2=X3 X3&X4=X7 X2&X4=X6 X1&X6=X7
    <- min-associative X1&X2=X3 X3&X4=X7 Y6 X2&X4=Y6 X1&Y6=X7
    <- min-deterministic X2&X4=Y6 X2&X4=X6 eq/ eq/ Y6=X6
    <- min-respects-eq X1&Y6=X7 eq/ Y6=X6 eq/ X1&X6=X7.

%worlds () (min-associative* _ _ _ _).
%total {} (min-associative* _ _ _ _).


% Associativity in the other direction: from X1 min (X2 min X4) = X7
% produce X3 = X1 min X2 with X3 min X4 = X7.  Reduced to min-associative
% by commuting every derivation.
%theorem min-associative-converse :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {OP24:min X2 X4 X6} {OP16:min X1 X6 X7}
    exists {X3} {OP12:min X1 X2 X3} {OP34:min X3 X4 X7}
    true.

- : min-associative-converse X2&X4=X6 X1&X6=X7 _ X1&X2=X3 X3&X4=X7
    <- min-commutative X2&X4=X6 X4&X2=X6
    <- min-commutative X1&X6=X7 X6&X1=X7
    <- min-associative X4&X2=X6 X6&X1=X7 _ X2&X1=X3 X4&X3=X7
    <- min-commutative X2&X1=X3 X1&X2=X3
    <- min-commutative X4&X3=X7 X3&X4=X7.

%worlds () (min-associative-converse X2&X4=X6 X1&X6=X7 X3 X1&X2=X3 X3&X4=X7).
%total {} (min-associative-converse _ _ _ _ _).


% Converse associativity with X1 min X2 supplied by the caller.
%theorem min-associative-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {OP24:min X2 X4 X6} {OP16:min X1 X6 X7} {OP12:min X1 X2 X3}
    exists {OP34:min X3 X4 X7}
    true.

- : min-associative-converse* X2&X4=X6 X1&X6=X7 X1&X2=X3 X3&X4=X7
    <- min-associative-converse X2&X4=X6 X1&X6=X7 X3P X1&X2=X3P X3P&X4=X7
    <- min-deterministic X1&X2=X3P X1&X2=X3 eq/ eq/ X3P=X3
    <- min-respects-eq X3P&X4=X7 X3P=X3 eq/ eq/ X3&X4=X7.

%worlds () (min-associative-converse* X2&X4=X6 X1&X6=X7 X1&X2=X3 X3&X4=X7).
%total {} (min-associative-converse* _ _ _ _).
% Remaining rearrangement theorems for min, the whole family of theorems
% about max (mirroring the min family), and the first distributivity
% results.  ge, le, gt, compare and the lemmas on them are declared outside
% this section.
% Naming convention visible in the signatures: a starred theorem takes all
% min/max derivations as inputs; the unstarred version produces the missing
% results existentially.  Variables spelled X1&X2=X3 name min derivations
% and X1|X2=X3 name max derivations; the spelling is mnemonic only.

% (X1 min X2) min X4 = X7 and X1 min X4 = X5 imply X5 min X2 = X7, that is,
% the last two operands can be exchanged.
%theorem min-assoc-commutative* :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {OP1:min X1 X2 X3} {OP2:min X3 X4 X7} {OP3:min X1 X4 X5}
    exists {OP4:min X5 X2 X7}
    true.

- : min-assoc-commutative* X1&X2=X3 X3&X4=X7 X1&X4=X5 X5&X2=X7
    <- min-associative X1&X2=X3 X3&X4=X7 X6 X2&X4=X6 X1&X6=X7
    <- min-commutative X2&X4=X6 X4&X2=X6
    <- min-associative-converse* X4&X2=X6 X1&X6=X7 X1&X4=X5 X5&X2=X7.

%worlds () (min-assoc-commutative* X1&X2=X3 X3&X4=X7 X1&X4=X5 X5&X2=X7).
%total {} (min-assoc-commutative* _ _ _ _).


% Existential form of min-assoc-commutative*.
%theorem min-assoc-commutative :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {OP1:min X1 X2 X3} {OP2:min X3 X4 X7}
    exists {X5} {OP3:min X1 X4 X5} {OP4:min X5 X2 X7}
    true.

- : min-assoc-commutative X1&X2=X3 X3&X4=X7 X5 X1&X4=X5 X5&X2=X7
    <- min-associative X1&X2=X3 X3&X4=X7 X6 X2&X4=X6 X1&X6=X7
    <- min-commutative X2&X4=X6 X4&X2=X6
    <- min-associative-converse X4&X2=X6 X1&X6=X7 X5 X1&X4=X5 X5&X2=X7.

%worlds () (min-assoc-commutative X1&X2=X3 X3&X4=X7 X5 X1&X4=X5 X5&X2=X7).
%total {} (min-assoc-commutative _ _ _ _ _).


% (A min B) min (C min D) = X implies (A min C) min (B min D) = X.
% Index names such as A+B are plain variables for the intermediate results.
%theorem min-double-associative* :
    forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X}
    forall {AB:min A B A+B} {CD:min C D C+D} {ABCD:min A+B C+D X}
           {AC:min A C A+C} {BD:min B D B+D}
    exists {ACBD:min A+C B+D X}
    true.

- : min-double-associative* X1&X2=X3 X4&X8=XC X3&XC=XF X1&X4=X5 X2&X8=XA X5&XA=XF
    <- min-associative X1&X2=X3 X3&XC=XF XE X2&XC=XE X1&XE=XF
    <- min-commutative X4&X8=XC X8&X4=XC
    <- min-associative-converse* X8&X4=XC X2&XC=XE X2&X8=XA XA&X4=XE
    <- min-commutative XA&X4=XE X4&XA=XE
    <- min-associative-converse* X4&XA=XE X1&XE=XF X1&X4=X5 X5&XA=XF.

%worlds () (min-double-associative* X1&X2=X3 X4&X8=XC X3&XC=XF X1&X4=X5 X2&X8=XA X5&XA=XF).
%total {} (min-double-associative* _ _ _ _ _ _).


% Existential form of min-double-associative*.
%theorem min-double-associative :
    forall* {A} {B} {C} {D} {A+B} {C+D} {X}
    forall {AB:min A B A+B} {CD:min C D C+D} {ABCD:min A+B C+D X}
    exists {A+C} {B+D} {AC:min A C A+C} {BD:min B D B+D} {ACBD:min A+C B+D X}
    true.

- : min-double-associative X1&X2=X3 X4&X8=XC X3&XC=XF X5 XA X1&X4=X5 X2&X8=XA X5&XA=XF
    <- min-associative X1&X2=X3 X3&XC=XF XE X2&XC=XE X1&XE=XF
    <- min-commutative X4&X8=XC X8&X4=XC
    <- min-associative-converse X8&X4=XC X2&XC=XE XA X2&X8=XA XA&X4=XE
    <- min-commutative XA&X4=XE X4&XA=XE
    <- min-associative-converse X4&XA=XE X1&XE=XF X5 X1&X4=X5 X5&XA=XF.

%worlds () (min-double-associative _ _ _ _ _ _ _ _).
%total { } (min-double-associative _ _ _ _ _ _ _ _).


%%% Theorems about max

% Any max fact follows from a derivation of void.  No clauses are given:
% void is declared earlier in the file with no constructors.
%theorem false-implies-max :
    forall* {X1} {X2} {X3}
    forall {F:void}
    exists {M:max X1 X2 X3}
    true.

%worlds () (false-implies-max _ _).
%total { } (false-implies-max _ _).


% A max fact can be transported along equalities on all three indices.
%theorem max-respects-eq :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {MX:max X1 X2 X3} {E1:eq X1 Y1} {E2:eq X2 Y2} {E3:eq X3 Y3}
    exists {MY:max Y1 Y2 Y3}
    true.

- : max-respects-eq M eq/ eq/ eq/ M.

%worlds () (max-respects-eq _ _ _ _ _).
%total { } (max-respects-eq _ _ _ _ _).


% Helper for totality: each outcome of comparing X1 with X2 selects the
% matching max rule.
%theorem max-total** :
    forall* {X1} {X2} {C}
    forall {D:compare X1 X2 C}
    exists {X3} {M:max X1 X2 X3}
    true.

- : max-total** compare/= _ max/=.
- : max-total** (compare/> X1>X2) _ (max/> X1>X2).
- : max-total** (compare/< X2>X1) _ (max/< X2>X1).

%worlds () (max-total** _ _ _).
%total { } (max-total** _ _ _).


% Every pair X1, X2 has a maximum; X1 and X2 are explicit arguments here.
%theorem max-total* :
    forall {X1} {X2}
    exists {X3} {M:max X1 X2 X3}
    true.

- : max-total* X1 X2 X3 M
    <- compare-total D
    <- max-total** D X3 M.

%worlds () (max-total* _ _ _ _).
%total { } (max-total* _ _ _ _).

% Short form that leaves X1, X2 and X3 to be inferred, so callers pass only
% the max derivation.
%abbrev max-total = max-total* _ _ _.


% max is a function of its first two arguments.  One clause per pair of
% max rules.
%theorem max-deterministic :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {E3:eq X3 Y3}
    true.

- : max-deterministic (max/=) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/=) (max/> X>X) eq/ eq/ eq/.
- : max-deterministic (max/=) (max/< X>X) eq/ eq/ eq/.
- : max-deterministic (max/> X>X) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/> X>Y) (max/> X>YP) eq/ eq/ eq/.
% The two derivations disagree on the order of X and Y, so the result is
% obtained from the contradiction F.
- : max-deterministic (max/> X>Y) (max/< Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.
- : max-deterministic (max/< X>X) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/< X>Y) (max/> Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.
- : max-deterministic (max/< X>Y) (max/< X>YP) eq/ eq/ eq/.

%worlds () (max-deterministic _ _ _ _ _).
%total { } (max-deterministic _ _ _ _ _).


% Swapping the two arguments of max leaves the result unchanged.
%theorem max-commutative :
    forall* {X1} {X2} {X3}
    forall {M:max X1 X2 X3}
    exists {Mc:max X2 X1 X3}
    true.

- : max-commutative max/= max/=.
- : max-commutative (max/> X>Y) (max/< X>Y).
- : max-commutative (max/< X>Y) (max/> X>Y).

%worlds () (max-commutative _ _).
%total { } (max-commutative _ _).


% If X1 >= X2 then the maximum of X1 and X2 is X1.
%theorem ge-implies-max :
    forall* {X1} {X2}
    forall {G:ge X1 X2}
    exists {M:max X1 X2 X1}
    true.

- : ge-implies-max (ge/> X1>X2) (max/> X1>X2).
- : ge-implies-max (ge/= eq/) (max/=).

%worlds () (ge-implies-max _ _).
%total { } (ge-implies-max _ _).


% If X1 <= X2 then the maximum of X1 and X2 is X2.
%theorem le-implies-max :
    forall* {X1} {X2}
    forall {G:le X1 X2}
    exists {M:max X1 X2 X2}
    true.

% The le X1 X2 derivation is passed directly where ge X2 X1 is expected.
- : le-implies-max X2>=X1 M
    <- ge-implies-max X2>=X1 Mc
    <- max-commutative Mc M.

%worlds () (le-implies-max _ _).
%total { } (le-implies-max _ _).


% The maximum is greater than or equal to both arguments.
%theorem max-implies-ge :
    forall* {X1} {X2} {X3}
    forall {M:max X1 X2 X3}
    exists {G1:ge X3 X1} {G2:ge X3 X2}
    true.

- : max-implies-ge max/= (ge/= eq/) (ge/= eq/).
- : max-implies-ge (max/> X1>X2) (ge/= eq/) (ge/> X1>X2).
- : max-implies-ge (max/< X2>X1) (ge/> X2>X1) (ge/= eq/).

%worlds () (max-implies-ge _ _ _).
%total { } (max-implies-ge _ _ _).


% max is the least upper bound: anything above both X1 and X2 is above
% their maximum.
%theorem max-is-lub :
    forall* {X0} {X1} {X2} {X3}
    forall {M:max X1 X2 X3} {G1:ge X0 X1} {G2:ge X0 X2}
    exists {G3:ge X0 X3}
    true.

- : max-is-lub max/= G _ G.
- : max-is-lub (max/> X1>X2) G _ G.
- : max-is-lub (max/< X2>X1) _ G G.

%worlds () (max-is-lub _ _ _ _).
%total { } (max-is-lub _ _ _ _).


% With the left operand X1 fixed, max is monotone in its right operand.
% Each clause shows the left-hand maximum bounds both X1 and X4 and then
% applies max-is-lub.
%theorem max-left-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:ge X2 X4} {M12:max X1 X2 X3} {M14:max X1 X4 X5}
    exists {G:ge X3 X5}
    true.

- : max-left-preserves-ge* X>=X4 max/= X|X4=X5 X>=X5
    <- ge-reflexive _ X>=X
    <- max-is-lub X|X4=X5 X>=X X>=X4 X>=X5.
- : max-left-preserves-ge* X2>=X4 (max/> X1>X2) X1|X4=X5 X1>=X5
    <- ge-transitive (ge/> X1>X2) X2>=X4 X1>=X4
    <- ge-reflexive _ X1>=X1
    <- max-is-lub X1|X4=X5 X1>=X1 X1>=X4 X1>=X5.
- : max-left-preserves-ge* X2>=X4 (max/< X2>X1) X1|X4=X5 X2>=X5
    <- max-is-lub X1|X4=X5 (ge/> X2>X1) X2>=X4 X2>=X5.

%worlds () (max-left-preserves-ge* _ _ _ _).
%total { } (max-left-preserves-ge* _ _ _ _).


% The le form, obtained by calling the ge form with the two max
% derivations exchanged.
%theorem max-left-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G:le X2 X4} {M12:max X1 X2 X3} {M14:max X1 X4 X5}
    exists {G:le X3 X5}
    true.

- : max-left-preserves-le* G1 M12 M14 G2
    <- max-left-preserves-ge* G1 M14 M12 G2.

%worlds () (max-left-preserves-le* _ _ _ _).
%total { } (max-left-preserves-le* _ _ _ _).


% Existential form of max-left-preserves-ge*.
% NOTE(review): from here to max-preserves-le the derivation variables are
% spelled with '&' (and A3 for X3) although they have max types; names are
% not checked by Twelf, but '|' would match the rest of the max section.
%theorem max-left-preserves-ge :
    forall* {X1} {X2} {X4}
    forall {G:ge X2 X4}
    exists {X3} {X5} {O1:max X1 X2 X3} {O2:max X1 X4 X5} {G2:ge X3 X5}
    true.

- : max-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5
    <- max-total X1&X2=A3
    <- max-total X1&X4=X5
    <- max-left-preserves-ge* X2>=X4 X1&X2=A3 X1&X4=X5 X3>=X5.

%worlds () (max-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5).
%total {} (max-left-preserves-ge _ _ _ _ _ _).


% With the right operand X3 fixed, max is monotone in its left operand.
%theorem max-right-preserves-ge* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:ge X1 X2} {O1:max X1 X3 X4} {O2:max X2 X3 X5}
    exists {G2:ge X4 X5}
    true.

- : max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5
    <- max-commutative X1&X3=X4 X3&X1=X4
    <- max-commutative X2&X3=X5 X3&X2=X5
    <- max-left-preserves-ge* X1>=X2 X3&X1=X4 X3&X2=X5 X4>=X5.

%worlds () (max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (max-right-preserves-ge* _ _ _ _).


% Existential form of max-right-preserves-ge*.
%theorem max-right-preserves-ge :
    forall* {X1} {X2} {X3}
    forall {G1:ge X1 X2}
    exists {X4} {X5} {O1:max X1 X3 X4} {O2:max X2 X3 X5} {G2:ge X4 X5}
    true.

- : max-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5
    <- max-total X1&X3=X4
    <- max-total X2&X3=X5
    <- max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5.

%worlds () (max-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (max-right-preserves-ge _ _ _ _ _ _).


% max is monotone in both operands at once, via the intermediate value
% X = max Y1 X2.
%theorem max-preserves-ge* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3}
    exists {G3:ge X3 Y3}
    true.

- : max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
    <- max-total Y1&X2=X
    <- max-right-preserves-ge* X1>=Y1 X1&X2=X3 Y1&X2=X X3>=X
    <- max-left-preserves-ge* X2>=Y2 Y1&X2=X Y1&Y2=Y3 X>=Y3
    <- ge-transitive X3>=X X>=Y3 X3>=Y3.

%worlds () (max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (max-preserves-ge* _ _ _ _ _).


% Existential form of max-preserves-ge*.
%theorem max-preserves-ge :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:ge X1 Y1} {G2:ge X2 Y2}
    exists {X3} {Y3} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {G3:ge X3 Y3}
    true.

- : max-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
    <- max-total X1&X2=X3
    <- max-total Y1&Y2=Y3
    <- max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3.

%worlds () (max-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (max-preserves-ge _ _ _ _ _ _ _).


% The following six theorems repeat the max monotonicity results with le
% in place of ge.

%theorem max-left-preserves-le :
    forall* {X1} {X2} {X4}
    forall {G:le X2 X4}
    exists {X3} {X5} {O1:max X1 X2 X3} {O2:max X1 X4 X5} {G2:le X3 X5}
    true.

- : max-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5
    <- max-total X1&X2=A3
    <- max-total X1&X4=X5
    <- max-left-preserves-le* X2<=X4 X1&X2=A3 X1&X4=X5 X3<=X5.

%worlds () (max-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5).
%total {} (max-left-preserves-le _ _ _ _ _ _).


%theorem max-right-preserves-le* :
    forall* {X1} {X2} {X3} {X4} {X5}
    forall {G1:le X1 X2} {O1:max X1 X3 X4} {O2:max X2 X3 X5}
    exists {G2:le X4 X5}
    true.

- : max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5
    <- max-commutative X1&X3=X4 X3&X1=X4
    <- max-commutative X2&X3=X5 X3&X2=X5
    <- max-left-preserves-le* X1<=X2 X3&X1=X4 X3&X2=X5 X4<=X5.

%worlds () (max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (max-right-preserves-le* _ _ _ _).


%theorem max-right-preserves-le :
    forall* {X1} {X2} {X3}
    forall {G1:le X1 X2}
    exists {X4} {X5} {O1:max X1 X3 X4} {O2:max X2 X3 X5} {G2:le X4 X5}
    true.

- : max-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5
    <- max-total X1&X3=X4
    <- max-total X2&X3=X5
    <- max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5.

%worlds () (max-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (max-right-preserves-le _ _ _ _ _ _).


%theorem max-preserves-le* :
    forall* {X1} {X2} {X3} {Y1} {Y2} {Y3}
    forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3}
    exists {G3:le X3 Y3}
    true.

- : max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
    <- max-total Y1&X2=X
    <- max-right-preserves-le* X1<=Y1 X1&X2=X3 Y1&X2=X X3<=X
    <- max-left-preserves-le* X2<=Y2 Y1&X2=X Y1&Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.

%worlds () (max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (max-preserves-le* _ _ _ _ _).


%theorem max-preserves-le :
    forall* {X1} {X2} {Y1} {Y2}
    forall {G1:le X1 Y1} {G2:le X2 Y2}
    exists {X3} {Y3} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {G3:le X3 Y3}
    true.

- : max-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
    <- max-total X1&X2=X3
    <- max-total Y1&Y2=Y3
    <- max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3.

%worlds () (max-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (max-preserves-le _ _ _ _ _ _ _).


% Associativity: from (X1 max X2) max X4 = X7 produce X6 = X2 max X4 with
% X1 max X6 = X7.  One clause per pair of rules for the two inputs.
%theorem max-associative :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {M12:max X1 X2 X3} {M34:max X3 X4 X7}
    exists {X6} {M24:max X2 X4 X6} {M16:max X1 X6 X7}
    true.

- : max-associative max/= max/= _ max/= max/=.
- : max-associative max/= (max/> X3>X4) _ (max/> X3>X4) max/=.
- : max-associative max/= (max/< X4>X3) _ (max/< X4>X3) (max/< X4>X3).
- : max-associative (max/> X1>X2) max/= _ (max/< X1>X2) max/=.
% Here X1 is above both X2 and X4 but their relative order is unknown, so
% X6 comes from max-total and max-is-lub shows X1 >= X6.
- : max-associative (max/> X1>X2) (max/> X1>X4) _ M24 M16
    <- max-total M24
    <- max-is-lub M24 (ge/> X1>X2) (ge/> X1>X4) X1>=X6
    <- ge-implies-max X1>=X6 M16.
- : max-associative (max/> X1>X2) (max/< X4>X1) _ (max/< X4>X2) (max/< X4>X1)
    <- gt-transitive X4>X1 X1>X2 X4>X2.
- : max-associative (max/< X2>X1) max/= _ max/= (max/< X2>X1).
- : max-associative (max/< X2>X1) (max/> X2>X4) _ (max/> X2>X4) (max/< X2>X1).
- : max-associative (max/< X2>X1) (max/< X4>X2) _ (max/< X4>X2) (max/< X4>X1)
    <- gt-transitive X4>X2 X2>X1 X4>X1.

%worlds () (max-associative _ _ _ _ _).
%total { } (max-associative _ _ _ _ _).


% Associativity with the inner result X2 max X3 supplied by the caller;
% max-deterministic identifies it with the one max-associative produces.
%theorem max-associative* :
    forall* {X1} {X2} {X12} {X3} {X23} {X123}
    forall {OP12:max X1 X2 X12} {OP12-3:max X12 X3 X123} {OP23:max X2 X3 X23}
    exists {OP1-23:max X1 X23 X123}
    true.

- : max-associative* X1|X2=X3 X3|X4=X7 X2|X4=X6 X1|X6=X7
    <- max-associative X1|X2=X3 X3|X4=X7 Y6 X2|X4=Y6 X1|Y6=X7
    <- max-deterministic X2|X4=Y6 X2|X4=X6 eq/ eq/ Y6=X6
    <- max-respects-eq X1|Y6=X7 eq/ Y6=X6 eq/ X1|X6=X7.

%worlds () (max-associative* _ _ _ _).
%total {} (max-associative* _ _ _ _).


% Associativity in the other direction: from X1 max (X2 max X4) = X7
% produce X3 = X1 max X2 with X3 max X4 = X7.
%theorem max-associative-converse :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {OP24:max X2 X4 X6} {OP16:max X1 X6 X7}
    exists {X3} {OP12:max X1 X2 X3} {OP34:max X3 X4 X7}
    true.

- : max-associative-converse X2|X4=X6 X1|X6=X7 _ X1|X2=X3 X3|X4=X7
    <- max-commutative X2|X4=X6 X4|X2=X6
    <- max-commutative X1|X6=X7 X6|X1=X7
    <- max-associative X4|X2=X6 X6|X1=X7 _ X2|X1=X3 X4|X3=X7
    <- max-commutative X2|X1=X3 X1|X2=X3
    <- max-commutative X4|X3=X7 X3|X4=X7.

%worlds () (max-associative-converse X2|X4=X6 X1|X6=X7 X3 X1|X2=X3 X3|X4=X7).
%total {} (max-associative-converse _ _ _ _ _).


% Converse associativity with X1 max X2 supplied by the caller.
%theorem max-associative-converse* :
    forall* {X1} {X2} {X3} {X4} {X6} {X7}
    forall {OP24:max X2 X4 X6} {OP16:max X1 X6 X7} {OP12:max X1 X2 X3}
    exists {OP34:max X3 X4 X7}
    true.

- : max-associative-converse* X2|X4=X6 X1|X6=X7 X1|X2=X3 X3|X4=X7
    <- max-associative-converse X2|X4=X6 X1|X6=X7 X3P X1|X2=X3P X3P|X4=X7
    <- max-deterministic X1|X2=X3P X1|X2=X3 eq/ eq/ X3P=X3
    <- max-respects-eq X3P|X4=X7 X3P=X3 eq/ eq/ X3|X4=X7.

%worlds () (max-associative-converse* X2|X4=X6 X1|X6=X7 X1|X2=X3 X3|X4=X7).
%total {} (max-associative-converse* _ _ _ _).


% (X1 max X2) max X4 = X7 and X1 max X4 = X5 imply X5 max X2 = X7.
%theorem max-assoc-commutative* :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {OP1:max X1 X2 X3} {OP2:max X3 X4 X7} {OP3:max X1 X4 X5}
    exists {OP4:max X5 X2 X7}
    true.

- : max-assoc-commutative* X1|X2=X3 X3|X4=X7 X1|X4=X5 X5|X2=X7
    <- max-associative X1|X2=X3 X3|X4=X7 X6 X2|X4=X6 X1|X6=X7
    <- max-commutative X2|X4=X6 X4|X2=X6
    <- max-associative-converse* X4|X2=X6 X1|X6=X7 X1|X4=X5 X5|X2=X7.

%worlds () (max-assoc-commutative* X1|X2=X3 X3|X4=X7 X1|X4=X5 X5|X2=X7).
%total {} (max-assoc-commutative* _ _ _ _).


% Existential form of max-assoc-commutative*.
%theorem max-assoc-commutative :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {OP1:max X1 X2 X3} {OP2:max X3 X4 X7}
    exists {X5} {OP3:max X1 X4 X5} {OP4:max X5 X2 X7}
    true.

- : max-assoc-commutative X1|X2=X3 X3|X4=X7 X5 X1|X4=X5 X5|X2=X7
    <- max-associative X1|X2=X3 X3|X4=X7 X6 X2|X4=X6 X1|X6=X7
    <- max-commutative X2|X4=X6 X4|X2=X6
    <- max-associative-converse X4|X2=X6 X1|X6=X7 X5 X1|X4=X5 X5|X2=X7.

%worlds () (max-assoc-commutative X1|X2=X3 X3|X4=X7 X5 X1|X4=X5 X5|X2=X7).
%total {} (max-assoc-commutative _ _ _ _ _).


% (A max B) max (C max D) = X implies (A max C) max (B max D) = X.
%theorem max-double-associative* :
    forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X}
    forall {AB:max A B A+B} {CD:max C D C+D} {ABCD:max A+B C+D X}
           {AC:max A C A+C} {BD:max B D B+D}
    exists {ACBD:max A+C B+D X}
    true.

- : max-double-associative* X1|X2=X3 X4|X8=XC X3|XC=XF X1|X4=X5 X2|X8=XA X5|XA=XF
    <- max-associative X1|X2=X3 X3|XC=XF XE X2|XC=XE X1|XE=XF
    <- max-commutative X4|X8=XC X8|X4=XC
    <- max-associative-converse* X8|X4=XC X2|XC=XE X2|X8=XA XA|X4=XE
    <- max-commutative XA|X4=XE X4|XA=XE
    <- max-associative-converse* X4|XA=XE X1|XE=XF X1|X4=X5 X5|XA=XF.

%worlds () (max-double-associative* X1|X2=X3 X4|X8=XC X3|XC=XF X1|X4=X5 X2|X8=XA X5|XA=XF).
%total {} (max-double-associative* _ _ _ _ _ _).


% Existential form of max-double-associative*.
%theorem max-double-associative :
    forall* {A} {B} {C} {D} {A+B} {C+D} {X}
    forall {AB:max A B A+B} {CD:max C D C+D} {ABCD:max A+B C+D X}
    exists {A+C} {B+D} {AC:max A C A+C} {BD:max B D B+D} {ACBD:max A+C B+D X}
    true.

- : max-double-associative X1|X2=X3 X4|X8=XC X3|XC=XF X5 XA X1|X4=X5 X2|X8=XA X5|XA=XF
    <- max-associative X1|X2=X3 X3|XC=XF XE X2|XC=XE X1|XE=XF
    <- max-commutative X4|X8=XC X8|X4=XC
    <- max-associative-converse X8|X4=XC X2|XC=XE XA X2|X8=XA XA|X4=XE
    <- max-commutative XA|X4=XE X4|XA=XE
    <- max-associative-converse X4|XA=XE X1|XE=XF X5 X1|X4=X5 X5|XA=XF.

%worlds () (max-double-associative _ _ _ _ _ _ _ _).
%total { } (max-double-associative _ _ _ _ _ _ _ _).


%%% Distributivity theorems

% (X1 max X2) min X4 = X7 implies (X1 min X4) max (X2 min X4) = X7.
% One clause per max rule; in the strict cases the other min comes from
% min-total and monotonicity orders the two minima.
%theorem min-right-distributes-over-max :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {A12:max X1 X2 X3} {M34:min X3 X4 X7}
    exists {X5} {X6} {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7}
    true.

- : min-right-distributes-over-max max/= M _ _ M M max/=.
- : min-right-distributes-over-max (max/> X1>X2) X1&X4=X7 _ _ X1&X4=X7 X2&X4=X6 X7|X6=X7
    <- min-total X2&X4=X6
    <- min-right-preserves-ge* (ge/> X1>X2) X1&X4=X7 X2&X4=X6 X7>=X6
    <- ge-implies-max X7>=X6 X7|X6=X7.
- : min-right-distributes-over-max (max/< X2>X1) X2&X4=X7 _ _ X1&X4=X5 X2&X4=X7 X5|X7=X7
    <- min-total X1&X4=X5
    <- min-right-preserves-ge* (ge/> X2>X1) X2&X4=X7 X1&X4=X5 X7>=X5
    <- ge-implies-max X7>=X5 X7|X5=X7
    <- max-commutative X7|X5=X7 X5|X7=X7.

%worlds () (min-right-distributes-over-max _ _ _ _ _ _ _).
%total { } (min-right-distributes-over-max _ _ _ _ _ _ _).


% (X1 min X2) max X4 = X7 implies (X1 max X4) min (X2 max X4) = X7.
%theorem max-right-distributes-over-min :
    forall* {X1} {X2} {X3} {X4} {X7}
    forall {A12:min X1 X2 X3} {M34:max X3 X4 X7}
    exists {X5} {X6} {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7}
    true.

- : max-right-distributes-over-min min/= M _ _ M M min/=.
- : max-right-distributes-over-min (min/> X1>X2) X2|X4=X7 _ _ X1|X4=X5 X2|X4=X7 X5&X7=X7
    <- max-total X1|X4=X5
    <- max-right-preserves-ge* (ge/> X1>X2) X1|X4=X5 X2|X4=X7 X5>=X7
    <- ge-implies-min X5>=X7 X5&X7=X7.
% The derivation named X6>=X7 is passed to le-implies-min, i.e. it is used
% as le X7 X6.
- : max-right-distributes-over-min (min/< X2>X1) X1|X4=X7 _ _ X1|X4=X7 X2|X4=X6 X7&X6=X7
    <- max-total X2|X4=X6
    <- max-right-preserves-ge* (ge/> X2>X1) X2|X4=X6 X1|X4=X7 X6>=X7
    <- le-implies-min X6>=X7 X7&X6=X7.

%worlds () (max-right-distributes-over-min _ _ _ _ _ _ _).
%total { } (max-right-distributes-over-min _ _ _ _ _ _ _).


% min-right-distributes-over-max with both inner minima supplied by the
% caller; min-deterministic identifies them with the ones produced.
%theorem min-right-distributes-over-max* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:max X1 X2 X3} {M34:min X3 X4 X7}
           {M14:min X1 X4 X5} {M24:min X2 X4 X6}
    exists {A56:max X5 X6 X7}
    true.

- : min-right-distributes-over-max* X1|X2=X3 X3&X4=X7 X1&X4=X5 X2&X4=X6 X5|X6=X7
    <- min-right-distributes-over-max X1|X2=X3 X3&X4=X7 Y5 Y6 X1&X4=Y5 X2&X4=Y6 Y5|Y6=X7
    <- min-deterministic X1&X4=Y5 X1&X4=X5 eq/ eq/ Y5=X5
    <- min-deterministic X2&X4=Y6 X2&X4=X6 eq/ eq/ Y6=X6
    <- max-respects-eq Y5|Y6=X7 Y5=X5 Y6=X6 eq/ X5|X6=X7.

%worlds () (min-right-distributes-over-max* X1|X2=X3 X3&X4=X7 X1&X4=X5 X2&X4=X6 X5|X6=X7).
%total {} (min-right-distributes-over-max* _ _ _ _ _).


% Left-hand form: X1 min (X2 max X4) = X7 implies
% (X1 min X2) max (X1 min X4) = X7.  Reduced to the right-hand form by
% commuting the three min derivations.
%theorem min-left-distributes-over-max* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:max X2 X4 X6} {M34:min X1 X6 X7}
           {M14:min X1 X2 X3} {M24:min X1 X4 X5}
    exists {A56:max X3 X5 X7}
    true.

- : min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7
    <- min-commutative X1&X6=X7 X6&X1=X7
    <- min-commutative X1&X2=X3 X2&X1=X3
    <- min-commutative X1&X4=X5 X4&X1=X5
    <- min-right-distributes-over-max* X2|X4=X6 X6&X1=X7 X2&X1=X3 X4&X1=X5 X3|X5=X7.

%worlds () (min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7).
%total {} (min-left-distributes-over-max* _ _ _ _ _).
% Distribution of min over max (existential form) and the reverse
% "factoring" direction.  Variables spelled X1&X2=X3 name min derivations
% and X1|X2=X3 name max derivations; the spelling is mnemonic only.  The
% starred lemmas and min-total/max-total used here are declared earlier.

% X1 min (X2 max X4) = X7 implies (X1 min X2) max (X1 min X4) = X7, with
% the two inner minima produced by min-total.
%theorem min-left-distributes-over-max :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {A12:max X2 X4 X6} {M34:min X1 X6 X7}
    exists {X3} {X5} {M14:min X1 X2 X3} {M24:min X1 X4 X5} {A56:max X3 X5 X7}
    true.

- : min-left-distributes-over-max X2|X4=X6 X1&X6=X7 X3 X5 X1&X2=X3 X1&X4=X5 X3|X5=X7
    <- min-total X1&X2=X3
    <- min-total X1&X4=X5
    <- min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7.

%worlds () (min-left-distributes-over-max X2|X4=X6 X1&X6=X7 X3 X5 X1&X2=X3 X1&X4=X5 X3|X5=X7).
%total {} (min-left-distributes-over-max _ _ _ _ _ _ _).


% Factoring: (X1 min X4) max (X2 min X4) = X7 implies
% (X1 max X2) min X4 = X7.  The proof builds X3 and a candidate result Y7,
% distributes, and then uses max-deterministic to show Y7 = X7.
%theorem min-right-factors-over-max :
    forall* {X1} {X2} {X4} {X5} {X6} {X7}
    forall {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7}
    exists {X3} {A12:max X1 X2 X3} {M34:min X3 X4 X7}
    true.

- : min-right-factors-over-max X1&X4=X5 X2&X4=X6 X5|X6=X7 X3 X1|X2=X3 X3&X4=X7
    <- max-total X1|X2=X3
    <- min-total X3&X4=Y7
    <- min-right-distributes-over-max* X1|X2=X3 X3&X4=Y7 X1&X4=X5 X2&X4=X6 X5|X6=Y7
    <- max-deterministic X5|X6=Y7 X5|X6=X7 eq/ eq/ Y7=X7
    <- min-respects-eq X3&X4=Y7 eq/ eq/ Y7=X7 X3&X4=X7.

%worlds () (min-right-factors-over-max X1&X4=X5 X2&X4=X6 X5|X6=X7 X3 X1|X2=X3 X3&X4=X7 ).
%total {} (min-right-factors-over-max _ _ _ _ _ _).


% Same factoring result with X1 max X2 = X3 supplied by the caller.
%theorem min-right-factors-over-max* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7}
           {A12:max X1 X2 X3}
    exists {M34:min X3 X4 X7}
    true.

- : min-right-factors-over-max* X1&X4=X5 X2&X4=X6 X5|X6=X7 X1|X2=X3 X3&X4=X7
    <- min-total X3&X4=Y7
    <- min-right-distributes-over-max* X1|X2=X3 X3&X4=Y7 X1&X4=X5 X2&X4=X6 X5|X6=Y7
    <- max-deterministic X5|X6=Y7 X5|X6=X7 eq/ eq/ Y7=X7
    <- min-respects-eq X3&X4=Y7 eq/ eq/ Y7=X7 X3&X4=X7.

%worlds () (min-right-factors-over-max* X1&X4=X5 X2&X4=X6 X5|X6=X7 X1|X2=X3 X3&X4=X7 ).
%total {} (min-right-factors-over-max* _ _ _ _ _).
% Left-hand factoring of min over max, and distribution of max over min
% with all results supplied.  Variables spelled X1&X2=X3 name min
% derivations and X1|X2=X3 name max derivations; the spelling is mnemonic
% only.  The lemmas called here are declared earlier in the file.

% (X1 min X2) max (X1 min X4) = X7 implies X1 min (X2 max X4) = X7.
% Reduced to the right-hand form by commuting the min derivations.
%theorem min-left-factors-over-max :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {M12:min X1 X2 X3} {M14:min X1 X4 X5} {A35:max X3 X5 X7}
    exists {X6} {A24:max X2 X4 X6} {M16:min X1 X6 X7}
    true.

- : min-left-factors-over-max X1&X2=X3 X1&X4=X5 X3|X5=X7 X6 X2|X4=X6 X1&X6=X7
    <- min-commutative X1&X2=X3 X2&X1=X3
    <- min-commutative X1&X4=X5 X4&X1=X5
    <- min-right-factors-over-max X2&X1=X3 X4&X1=X5 X3|X5=X7 X6 X2|X4=X6 X6&X1=X7
    <- min-commutative X6&X1=X7 X1&X6=X7.

%worlds () (min-left-factors-over-max X1&X2=X3 X1&X4=X5 X3|X5=X7 X6 X2|X4=X6 X1&X6=X7).
%total {} (min-left-factors-over-max _ _ _ _ _ _).


% Same result with X2 max X4 = X6 supplied by the caller: build a candidate
% Y7 with min-total, distribute, and identify Y7 with X7 by determinism.
%theorem min-left-factors-over-max* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M12:min X1 X2 X3} {M14:min X1 X4 X5} {A35:max X3 X5 X7}
           {A24:max X2 X4 X6}
    exists {M16:min X1 X6 X7}
    true.

- : min-left-factors-over-max* X1&X2=X3 X1&X4=X5 X3|X5=X7 X2|X4=X6 X1&X6=X7
    <- min-total X1&X6=Y7
    <- min-left-distributes-over-max* X2|X4=X6 X1&X6=Y7 X1&X2=X3 X1&X4=X5 X3|X5=Y7
    <- max-deterministic X3|X5=Y7 X3|X5=X7 eq/ eq/ Y7=X7
    <- min-respects-eq X1&X6=Y7 eq/ eq/ Y7=X7 X1&X6=X7.

%worlds () (min-left-factors-over-max* X1&X2=X3 X1&X4=X5 X3|X5=X7 X2|X4=X6 X1&X6=X7).
%total {} (min-left-factors-over-max* _ _ _ _ _).


% (X1 min X2) max X4 = X7 implies (X1 max X4) min (X2 max X4) = X7, with
% both inner maxima supplied by the caller; max-deterministic identifies
% them with the ones the existential version produces.
%theorem max-right-distributes-over-min* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:min X1 X2 X3} {M34:max X3 X4 X7}
           {M14:max X1 X4 X5} {M24:max X2 X4 X6}
    exists {A56:min X5 X6 X7}
    true.

- : max-right-distributes-over-min* X1&X2=X3 X3|X4=X7 X1|X4=X5 X2|X4=X6 X5&X6=X7
    <- max-right-distributes-over-min X1&X2=X3 X3|X4=X7 Y5 Y6 X1|X4=Y5 X2|X4=Y6 Y5&Y6=X7
    <- max-deterministic X1|X4=Y5 X1|X4=X5 eq/ eq/ Y5=X5
    <- max-deterministic X2|X4=Y6 X2|X4=X6 eq/ eq/ Y6=X6
    <- min-respects-eq Y5&Y6=X7 Y5=X5 Y6=X6 eq/ X5&X6=X7.

%worlds () (max-right-distributes-over-min* X1&X2=X3 X3|X4=X7 X1|X4=X5 X2|X4=X6 X5&X6=X7).
%total {} (max-right-distributes-over-min* _ _ _ _ _).
% Left distributivity of max over min, starred form (all intermediate
% values given).  From min X2 X4 X6, max X1 X6 X7, max X1 X2 X3 and
% max X1 X4 X5 this produces min X3 X5 X7.

%theorem max-left-distributes-over-min* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {A12:min X2 X4 X6} {M34:max X1 X6 X7}
           {M14:max X1 X2 X3} {M24:max X1 X4 X5}
    exists {A56:min X3 X5 X7}
    true.

% Every max premise is flipped with max-commutative so that the
% right-hand starred lemma applies directly.
- : max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7
    <- max-commutative X1|X6=X7 X6|X1=X7
    <- max-commutative X1|X2=X3 X2|X1=X3
    <- max-commutative X1|X4=X5 X4|X1=X5
    <- max-right-distributes-over-min* X2&X4=X6 X6|X1=X7 X2|X1=X3 X4|X1=X5 X3&X5=X7.

%worlds () (max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7).
%total {} (max-left-distributes-over-min* _ _ _ _ _).


% Unstarred form: X3 and X5 and their max derivations are outputs,
% obtained from max-total before delegating to the starred lemma.

%theorem max-left-distributes-over-min :
    forall* {X1} {X2} {X4} {X6} {X7}
    forall {A12:min X2 X4 X6} {M34:max X1 X6 X7}
    exists {X3} {X5} {M14:max X1 X2 X3} {M24:max X1 X4 X5} {A56:min X3 X5 X7}
    true.

- : max-left-distributes-over-min X2&X4=X6 X1|X6=X7 X3 X5 X1|X2=X3 X1|X4=X5 X3&X5=X7
    <- max-total X1|X2=X3
    <- max-total X1|X4=X5
    <- max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7.

%worlds () (max-left-distributes-over-min X2&X4=X6 X1|X6=X7 X3 X5 X1|X2=X3 X1|X4=X5 X3&X5=X7).
%total {} (max-left-distributes-over-min _ _ _ _ _ _ _).


% Right factoring of max over min.  From max X1 X4 X5, max X2 X4 X6 and
% min X5 X6 X7 this produces X3 with min X1 X2 X3 and max X3 X4 X7.

%theorem max-right-factors-over-min :
    forall* {X1} {X2} {X4} {X5} {X6} {X7}
    forall {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7}
    exists {X3} {A12:min X1 X2 X3} {M34:max X3 X4 X7}
    true.

% Builds max X3 X4 Y7 for a fresh Y7, distributes to obtain min X5 X6 Y7,
% identifies Y7 with X7 by determinism of min, then transports the max
% derivation along Y7=X7.
- : max-right-factors-over-min X1|X4=X5 X2|X4=X6 X5&X6=X7 X3 X1&X2=X3 X3|X4=X7
    <- min-total X1&X2=X3
    <- max-total X3|X4=Y7
    <- max-right-distributes-over-min* X1&X2=X3 X3|X4=Y7 X1|X4=X5 X2|X4=X6 X5&X6=Y7
    <- min-deterministic X5&X6=Y7 X5&X6=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X3|X4=Y7 eq/ eq/ Y7=X7 X3|X4=X7.

%worlds () (max-right-factors-over-min X1|X4=X5 X2|X4=X6 X5&X6=X7 X3 X1&X2=X3 X3|X4=X7 ).
%total {} (max-right-factors-over-min _ _ _ _ _ _).
% Starred right factoring of max over min: X3 and min X1 X2 X3 are
% inputs; only max X3 X4 X7 is produced.

%theorem max-right-factors-over-min* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7}
           {A12:min X1 X2 X3}
    exists {M34:max X3 X4 X7}
    true.

% Same argument as the unstarred theorem without the min-total step:
% a fresh Y7 is shown equal to X7 by determinism of min.
- : max-right-factors-over-min* X1|X4=X5 X2|X4=X6 X5&X6=X7 X1&X2=X3 X3|X4=X7
    <- max-total X3|X4=Y7
    <- max-right-distributes-over-min* X1&X2=X3 X3|X4=Y7 X1|X4=X5 X2|X4=X6 X5&X6=Y7
    <- min-deterministic X5&X6=Y7 X5&X6=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X3|X4=Y7 eq/ eq/ Y7=X7 X3|X4=X7.

%worlds () (max-right-factors-over-min* X1|X4=X5 X2|X4=X6 X5&X6=X7 X1&X2=X3 X3|X4=X7 ).
%total {} (max-right-factors-over-min* _ _ _ _ _).


% Left factoring of max over min.  From max X1 X2 X3, max X1 X4 X5 and
% min X3 X5 X7 this produces X6 with min X2 X4 X6 and max X1 X6 X7.

%theorem max-left-factors-over-min :
    forall* {X1} {X2} {X3} {X4} {X5} {X7}
    forall {M12:max X1 X2 X3} {M14:max X1 X4 X5} {A35:min X3 X5 X7}
    exists {X6} {A24:min X2 X4 X6} {M16:max X1 X6 X7}
    true.

% Reduced to the right-hand version by flipping the max premises with
% max-commutative and flipping the resulting max derivation back.
- : max-left-factors-over-min X1|X2=X3 X1|X4=X5 X3&X5=X7 X6 X2&X4=X6 X1|X6=X7
    <- max-commutative X1|X2=X3 X2|X1=X3
    <- max-commutative X1|X4=X5 X4|X1=X5
    <- max-right-factors-over-min X2|X1=X3 X4|X1=X5 X3&X5=X7 X6 X2&X4=X6 X6|X1=X7
    <- max-commutative X6|X1=X7 X1|X6=X7.

%worlds () (max-left-factors-over-min X1|X2=X3 X1|X4=X5 X3&X5=X7 X6 X2&X4=X6 X1|X6=X7).
%total {} (max-left-factors-over-min _ _ _ _ _ _).


% Starred variant: X6 and min X2 X4 X6 are inputs; only max X1 X6 X7 is
% produced.

%theorem max-left-factors-over-min* :
    forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
    forall {M12:max X1 X2 X3} {M14:max X1 X4 X5} {A35:min X3 X5 X7}
           {A24:min X2 X4 X6}
    exists {M16:max X1 X6 X7}
    true.

- : max-left-factors-over-min* X1|X2=X3 X1|X4=X5 X3&X5=X7 X2&X4=X6 X1|X6=X7
    <- max-total X1|X6=Y7
    <- max-left-distributes-over-min* X2&X4=X6 X1|X6=Y7 X1|X2=X3 X1|X4=X5 X3&X5=Y7
    <- min-deterministic X3&X5=Y7 X3&X5=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X1|X6=Y7 eq/ eq/ Y7=X7 X1|X6=X7.

%worlds () (max-left-factors-over-min* X1|X2=X3 X1|X4=X5 X3&X5=X7 X2&X4=X6 X1|X6=X7).
%total {} (max-left-factors-over-min* _ _ _ _ _).


% Qualified aliases.  Each declaration of the nat signature is given a
% second name with the nat` prefix, so that later signatures which define
% their own eq, ne, eq? and so on can still refer to the nat versions.

%abbrev nat`nat = nat.
%abbrev nat`z = z.
%abbrev nat`s = s.
%abbrev nat`plus = plus.
%abbrev nat`plus/z = plus/z.
%abbrev nat`plus/s = plus/s.
%abbrev nat`times = times. %abbrev nat`times/z = times/z. %abbrev nat`times/s = times/s. %abbrev nat`eq = eq. %abbrev nat`eq/ = eq/. %abbrev nat`gt = gt. %abbrev nat`gt/1 = gt/1. %abbrev nat`gt/> = gt/>. %abbrev nat`compare = compare. %abbrev nat`compare/= = compare/=. %abbrev nat`compare/< = compare/<. %abbrev nat`compare/> = compare/>. %abbrev nat`meta-eq = meta-eq. %abbrev nat`false-implies-eq = false-implies-eq. %abbrev nat`eq-symmetric = eq-symmetric. %abbrev nat`eq-transitive = eq-transitive. %abbrev nat`succ-deterministic = succ-deterministic. %abbrev nat`succ-cancels = succ-cancels. %abbrev nat`eq-contradiction = eq-contradiction. %abbrev nat`meta-gt = meta-gt. %abbrev nat`false-implies-gt = false-implies-gt. %abbrev nat`gt-respects-eq = gt-respects-eq. %abbrev nat`succ-implies-gt = succ-implies-gt. %abbrev nat`succ-implies-gt-zero = succ-implies-gt-zero. %abbrev nat`succ-preserves-gt = succ-preserves-gt. %abbrev nat`succ-preserves-gt-converse = succ-preserves-gt-converse. %abbrev nat`gt-implies-positive = gt-implies-positive. %abbrev nat`gt-anti-reflexive* = gt-anti-reflexive*. %abbrev nat`gt-anti-reflexive = gt-anti-reflexive. %abbrev nat`gt-transitive = gt-transitive. %abbrev nat`gt-anti-symmetric = gt-anti-symmetric. %abbrev nat`gt-implies-plus = gt-implies-plus. %abbrev nat`gt-contradiction = gt-contradiction. %abbrev nat`false-implies-compare = false-implies-compare. %abbrev nat`succ-preserves-compare = succ-preserves-compare. %abbrev nat`compare-total* = compare-total*. %abbrev nat`compare-total = compare-total. %abbrev nat`greater-implies-gt = greater-implies-gt. %abbrev nat`less-is-reverse-greater = less-is-reverse-greater. %abbrev nat`less-implies-lt = less-implies-lt. %abbrev nat`equal-implies-eq = equal-implies-eq. %abbrev nat`false-implies-plus = false-implies-plus. %abbrev nat`plus-respects-eq = plus-respects-eq. %abbrev nat`plus-total* = plus-total*. %abbrev nat`plus-total = plus-total. %abbrev nat`plus-deterministic = plus-deterministic. 
%abbrev nat`plus-left-identity = plus-left-identity. %abbrev nat`plus-left-increase = plus-left-increase. %abbrev nat`plus-right-identity = plus-right-identity. %abbrev nat`plus-right-increase = plus-right-increase. %abbrev nat`plus-left-decrease = plus-left-decrease. %abbrev nat`plus-right-decrease = plus-right-decrease. %abbrev nat`plus-swap-succ = plus-swap-succ. %abbrev nat`plus-swap-succ-converse = plus-swap-succ-converse. %abbrev nat`plus-left-preserves-positive = plus-left-preserves-positive. %abbrev nat`plus-right-preserves-positive = plus-right-preserves-positive. %abbrev nat`plus-is-zero-implies-zero = plus-is-zero-implies-zero. %abbrev nat`plus-commutative = plus-commutative. %abbrev nat`plus-associative = plus-associative. %abbrev nat`plus-associative* = plus-associative*. %abbrev nat`plus-associative-converse = plus-associative-converse. %abbrev nat`plus-associative-converse* = plus-associative-converse*. %abbrev nat`plus-assoc-commutative* = plus-assoc-commutative*. %abbrev nat`plus-assoc-commutative = plus-assoc-commutative. %abbrev nat`plus-double-associative* = plus-double-associative*. %abbrev nat`plus-double-associative = plus-double-associative. %abbrev nat`plus-left-cancels = plus-left-cancels. %abbrev nat`plus-right-cancels* = plus-right-cancels*. %abbrev nat`plus-right-cancels = plus-right-cancels. %abbrev nat`plus-left-preserves-gt* = plus-left-preserves-gt*. %abbrev nat`plus-left-cancels-gt = plus-left-cancels-gt. %abbrev nat`plus-left-preserves-gt = plus-left-preserves-gt. %abbrev nat`plus-right-preserves-gt* = plus-right-preserves-gt*. %abbrev nat`plus-right-preserves-gt = plus-right-preserves-gt. %abbrev nat`plus-preserves-gt* = plus-preserves-gt*. %abbrev nat`plus-preserves-gt = plus-preserves-gt. %abbrev nat`plus-right-cancels-gt = plus-right-cancels-gt. %abbrev nat`plus-implies-gt = plus-implies-gt. %abbrev nat`plus-gt-contradiction = plus-gt-contradiction. %abbrev nat`false-implies-times = false-implies-times. 
%abbrev nat`times-respects-eq = times-respects-eq. %abbrev nat`times-total* = times-total*. %abbrev nat`times-total = times-total. %abbrev nat`times-deterministic = times-deterministic. %abbrev nat`times-left-identity = times-left-identity. %abbrev nat`times-right-identity = times-right-identity. %abbrev nat`times-right-zero = times-right-zero. %abbrev nat`times-preserves-positive = times-preserves-positive. %abbrev nat`times-preserves-positive* = times-preserves-positive*. %abbrev nat`times-positive-implies-positive = times-positive-implies-positive. %abbrev nat`times-left-increase = times-left-increase. %abbrev nat`times-right-increase = times-right-increase. %abbrev nat`times-left-decrease = times-left-decrease. %abbrev nat`times-right-decrease = times-right-decrease. %abbrev nat`times-commutative = times-commutative. %abbrev nat`times-right-distributes-over-plus = times-right-distributes-over-plus. %abbrev nat`times-right-distributes-over-plus* = times-right-distributes-over-plus*. %abbrev nat`times-left-distributes-over-plus* = times-left-distributes-over-plus*. %abbrev nat`times-left-distributes-over-plus = times-left-distributes-over-plus. %abbrev nat`times-right-factors-over-plus = times-right-factors-over-plus. %abbrev nat`times-right-factors-over-plus* = times-right-factors-over-plus*. %abbrev nat`times-left-factors-over-plus = times-left-factors-over-plus. %abbrev nat`times-left-factors-over-plus* = times-left-factors-over-plus*. %abbrev nat`times-associative = times-associative. %abbrev nat`times-associative* = times-associative*. %abbrev nat`times-associative-converse = times-associative-converse. %abbrev nat`times-associative-converse* = times-associative-converse*. %abbrev nat`times-assoc-commutative* = times-assoc-commutative*. %abbrev nat`times-assoc-commutative = times-assoc-commutative. %abbrev nat`times-double-associative* = times-double-associative*. %abbrev nat`times-double-associative = times-double-associative. 
%abbrev nat`times-right-cancels = times-right-cancels. %abbrev nat`times-right-cancels* = times-right-cancels*. %abbrev nat`times-right-cancels** = times-right-cancels**. %abbrev nat`times-left-cancels = times-left-cancels. %abbrev nat`times-left-cancels* = times-left-cancels*. %abbrev nat`times-left-preserves-gt = times-left-preserves-gt. %abbrev nat`times-left-preserves-gt* = times-left-preserves-gt*. %abbrev nat`times-right-preserves-gt = times-right-preserves-gt. %abbrev nat`times-right-preserves-gt* = times-right-preserves-gt*. %abbrev nat`times-preserves-gt = times-preserves-gt. %abbrev nat`times-right-cancels-gt = times-right-cancels-gt. %abbrev nat`times-left-cancels-gt = times-left-cancels-gt. %abbrev nat`minus = minus. %abbrev nat`false-implies-minus = false-implies-minus. %abbrev nat`minus-respects-eq = minus-respects-eq. %abbrev nat`minus-deterministic = minus-deterministic. %abbrev nat`plus-associates-with-minus* = plus-associates-with-minus*. %abbrev nat`plus-associates-with-minus-converse* = plus-associates-with-minus-converse*. %abbrev nat`plus-associates-with-minus-converse = plus-associates-with-minus-converse. %abbrev nat`minus-associates-from-plus* = minus-associates-from-plus*. %abbrev nat`minus-associates-from-plus-converse* = minus-associates-from-plus-converse*. %abbrev nat`minus-associates-to-plus* = minus-associates-to-plus*. %abbrev nat`minus-associates-to-plus = minus-associates-to-plus. %abbrev nat`minus-associates-to-plus-converse* = minus-associates-to-plus-converse*. %abbrev nat`minus-associates-to-plus-converse = minus-associates-to-plus-converse. %abbrev nat`minus-is-zero-implies-eq = minus-is-zero-implies-eq. %abbrev nat`minus-implies-gt = minus-implies-gt. %abbrev nat`minus-left-cancels = minus-left-cancels. %abbrev nat`minus-right-cancels = minus-right-cancels. %abbrev nat`minus-left-inverts-gt* = minus-left-inverts-gt*. %abbrev nat`minus-right-preserves-gt* = minus-right-preserves-gt*. 
%abbrev nat`minus-left-cancels-inverts-gt = minus-left-cancels-inverts-gt. %abbrev nat`minus-right-cancels-gt = minus-right-cancels-gt. %abbrev nat`times-right-distributes-over-minus = times-right-distributes-over-minus. %abbrev nat`times-right-distributes-over-minus* = times-right-distributes-over-minus*. %abbrev nat`times-left-distributes-over-minus* = times-left-distributes-over-minus*. %abbrev nat`times-left-distributes-over-minus = times-left-distributes-over-minus. %abbrev nat`times-right-factors-over-minus* = times-right-factors-over-minus*. %abbrev nat`times-left-factors-over-minus* = times-left-factors-over-minus*. %abbrev nat`times-right-factors-over-minus = times-right-factors-over-minus. %abbrev nat`times-left-factors-over-minus = times-left-factors-over-minus. %abbrev nat`ge = ge. %abbrev nat`ge/= = ge/=. %abbrev nat`ge/> = ge/>. %abbrev nat`false-implies-ge = false-implies-ge. %abbrev nat`ge-respects-eq = ge-respects-eq. %abbrev nat`ge-reflexive = ge-reflexive. %abbrev nat`ge-transitive = ge-transitive. %abbrev nat`ge-anti-symmetric = ge-anti-symmetric. %abbrev nat`ge-transitive-gt = ge-transitive-gt. %abbrev nat`gt-transitive-ge = gt-transitive-ge. %abbrev nat`meta-ge = meta-ge. %abbrev nat`succ-preserves-ge = succ-preserves-ge. %abbrev nat`succ-preserves-ge-converse = succ-preserves-ge-converse. %abbrev nat`ge-succ-implies-gt = ge-succ-implies-gt. %abbrev nat`ge-implies-succ-gt = ge-implies-succ-gt. %abbrev nat`succ-gt-implies-ge = succ-gt-implies-ge. %abbrev nat`gt-implies-ge-succ = gt-implies-ge-succ. %abbrev nat`ge-implies-plus = ge-implies-plus. %abbrev nat`plus-implies-ge = plus-implies-ge. %abbrev nat`ge-zero-always = ge-zero-always. %abbrev nat`nonzero-times-implies-ge = nonzero-times-implies-ge. %abbrev nat`times-nonzero-implies-ge = times-nonzero-implies-ge. %abbrev nat`non-trivial-times-implies-much-gt* = non-trivial-times-implies-much-gt*. %abbrev nat`non-trivial-times-implies-much-gt = non-trivial-times-implies-much-gt. 
%abbrev nat`plus-left-preserves-ge* = plus-left-preserves-ge*. %abbrev nat`plus-left-cancels-ge = plus-left-cancels-ge. %abbrev nat`plus-left-preserves-ge = plus-left-preserves-ge. %abbrev nat`plus-right-preserves-ge* = plus-right-preserves-ge*. %abbrev nat`plus-right-preserves-ge = plus-right-preserves-ge. %abbrev nat`plus-preserves-ge* = plus-preserves-ge*. %abbrev nat`plus-preserves-ge = plus-preserves-ge. %abbrev nat`plus-right-cancels-ge = plus-right-cancels-ge. %abbrev nat`times-left-preserves-ge* = times-left-preserves-ge*. %abbrev nat`times-left-preserves-ge = times-left-preserves-ge. %abbrev nat`times-right-preserves-ge* = times-right-preserves-ge*. %abbrev nat`times-right-preserves-ge = times-right-preserves-ge. %abbrev nat`ne = ne. %abbrev nat`ne/< = ne/<. %abbrev nat`ne/> = ne/>. %abbrev nat`eq? = eq?. %abbrev nat`eq?/yes = eq?/yes. %abbrev nat`eq?/no = eq?/no. %abbrev nat`false-implies-ne = false-implies-ne. %abbrev nat`ne-respects-eq = ne-respects-eq. %abbrev nat`ne-anti-reflexive = ne-anti-reflexive. %abbrev nat`ne-symmetric = ne-symmetric. %abbrev nat`eq-ne-implies-false = eq-ne-implies-false. %abbrev nat`ge-ne-implies-gt = ge-ne-implies-gt. %abbrev nat`eq?-total* = eq?-total*. %abbrev nat`eq?-total*/L = eq?-total*/L. %abbrev nat`eq?-total = eq?-total. %abbrev nat`succ-preserves-ne = succ-preserves-ne. %abbrev nat`succ-preserves-ne-converse = succ-preserves-ne-converse. %abbrev nat`plus-left-preserves-ne* = plus-left-preserves-ne*. %abbrev nat`plus-left-cancels-ne = plus-left-cancels-ne. %abbrev nat`plus-left-preserves-ne = plus-left-preserves-ne. %abbrev nat`plus-right-preserves-ne* = plus-right-preserves-ne*. %abbrev nat`plus-right-preserves-ne = plus-right-preserves-ne. %abbrev nat`plus-right-cancels-ne = plus-right-cancels-ne. %abbrev nat`lt = lt. %abbrev nat`false-implies-lt = false-implies-lt. %abbrev nat`lt-respects-eq = lt-respects-eq. %abbrev nat`lt-anti-symmetric = lt-anti-symmetric. %abbrev nat`lt-transitive = lt-transitive. 
%abbrev nat`lt-anti-reflexive = lt-anti-reflexive. %abbrev nat`plus-left-preserves-lt* = plus-left-preserves-lt*. %abbrev nat`plus-left-cancels-lt = plus-left-cancels-lt. %abbrev nat`plus-left-preserves-lt = plus-left-preserves-lt. %abbrev nat`plus-right-preserves-lt* = plus-right-preserves-lt*. %abbrev nat`plus-right-preserves-lt = plus-right-preserves-lt. %abbrev nat`plus-preserves-lt* = plus-preserves-lt*. %abbrev nat`plus-preserves-lt = plus-preserves-lt. %abbrev nat`plus-right-cancels-lt = plus-right-cancels-lt. %abbrev nat`le = le. %abbrev nat`false-implies-le = false-implies-le. %abbrev nat`le-respects-eq = le-respects-eq. %abbrev nat`le-anti-symmetric = le-anti-symmetric. %abbrev nat`le-transitive = le-transitive. %abbrev nat`le-reflexive = le-reflexive. %abbrev nat`le-transitive-lt = le-transitive-lt. %abbrev nat`lt-transitive-le = lt-transitive-le. %abbrev nat`plus-left-preserves-le* = plus-left-preserves-le*. %abbrev nat`plus-left-cancels-le = plus-left-cancels-le. %abbrev nat`plus-left-preserves-le = plus-left-preserves-le. %abbrev nat`plus-right-preserves-le* = plus-right-preserves-le*. %abbrev nat`plus-right-preserves-le = plus-right-preserves-le. %abbrev nat`plus-preserves-le* = plus-preserves-le*. %abbrev nat`plus-preserves-le = plus-preserves-le. %abbrev nat`plus-right-cancels-le = plus-right-cancels-le. %abbrev nat`times-left-preserves-le* = times-left-preserves-le*. %abbrev nat`times-left-preserves-le = times-left-preserves-le. %abbrev nat`times-right-preserves-le* = times-right-preserves-le*. %abbrev nat`times-right-preserves-le = times-right-preserves-le. %abbrev nat`times-preserves-le* = times-preserves-le*. %abbrev nat`times-preserves-le = times-preserves-le. %abbrev nat`minus-left-inverts-ge* = minus-left-inverts-ge*. %abbrev nat`minus-right-preserves-ge* = minus-right-preserves-ge*. %abbrev nat`minus-left-cancels-inverts-ge = minus-left-cancels-inverts-ge. %abbrev nat`minus-right-cancels-ge = minus-right-cancels-ge. 
%abbrev nat`minus-left-preserves-ne* = minus-left-preserves-ne*. %abbrev nat`minus-right-preserves-ne* = minus-right-preserves-ne*. %abbrev nat`minus-left-cancels-ne = minus-left-cancels-ne. %abbrev nat`minus-right-cancels-ne = minus-right-cancels-ne. %abbrev nat`minus-left-inverts-lt* = minus-left-inverts-lt*. %abbrev nat`minus-right-preserves-lt* = minus-right-preserves-lt*. %abbrev nat`minus-left-cancels-inverts-lt = minus-left-cancels-inverts-lt. %abbrev nat`minus-right-cancels-lt = minus-right-cancels-lt. %abbrev nat`minus-left-inverts-le* = minus-left-inverts-le*. %abbrev nat`minus-right-preserves-le* = minus-right-preserves-le*. %abbrev nat`minus-left-cancels-inverts-le = minus-left-cancels-inverts-le. %abbrev nat`minus-right-cancels-le = minus-right-cancels-le. %abbrev nat`divrem = divrem. %abbrev nat`divrem/z = divrem/z. %abbrev nat`divrem/s = divrem/s. %abbrev nat`false-implies-divrem = false-implies-divrem. %abbrev nat`divrem-respects-eq = divrem-respects-eq. %abbrev nat`divrem-total** = divrem-total**. %abbrev nat`divrem-total* = divrem-total*. %abbrev nat`divrem-total = divrem-total. %abbrev nat`divrem-deterministic = divrem-deterministic. %abbrev nat`divrem-implies-positive = divrem-implies-positive. %abbrev nat`divrem-implies-gt = divrem-implies-gt. %abbrev nat`divrem-contradiction = divrem-contradiction. %abbrev nat`divrem-can-be-inverted = divrem-can-be-inverted. %abbrev nat`div-can-be-inverted = div-can-be-inverted. %abbrev nat`divrem-can-be-constructed = divrem-can-be-constructed. %abbrev nat`div-can-be-constructed = div-can-be-constructed. %abbrev nat`remainder-implies-gt-quotient = remainder-implies-gt-quotient. %abbrev nat`quotient-of-nonzero-is-smaller = quotient-of-nonzero-is-smaller. %abbrev nat`quotient-is-no-greater = quotient-is-no-greater. %abbrev nat`min = min. %abbrev nat`min/= = min/=. %abbrev nat`min/> = min/>. %abbrev nat`min/< = min/<. %abbrev nat`max = max. %abbrev nat`max/= = max/=. %abbrev nat`max/> = max/>. 
%abbrev nat`max/< = max/<. %abbrev nat`false-implies-min = false-implies-min. %abbrev nat`min-respects-eq = min-respects-eq. %abbrev nat`min-total** = min-total**. %abbrev nat`min-total* = min-total*. %abbrev nat`min-total = min-total. %abbrev nat`min-deterministic = min-deterministic. %abbrev nat`min-commutative = min-commutative. %abbrev nat`ge-implies-min = ge-implies-min. %abbrev nat`le-implies-min = le-implies-min. %abbrev nat`min-implies-ge = min-implies-ge. %abbrev nat`min-left-preserves-ge* = min-left-preserves-ge*. %abbrev nat`min-left-preserves-le* = min-left-preserves-le*. %abbrev nat`min-left-preserves-ge = min-left-preserves-ge. %abbrev nat`min-right-preserves-ge* = min-right-preserves-ge*. %abbrev nat`min-right-preserves-ge = min-right-preserves-ge. %abbrev nat`min-preserves-ge* = min-preserves-ge*. %abbrev nat`min-preserves-ge = min-preserves-ge. %abbrev nat`min-left-preserves-le = min-left-preserves-le. %abbrev nat`min-right-preserves-le* = min-right-preserves-le*. %abbrev nat`min-right-preserves-le = min-right-preserves-le. %abbrev nat`min-preserves-le* = min-preserves-le*. %abbrev nat`min-preserves-le = min-preserves-le. %abbrev nat`min-is-glb = min-is-glb. %abbrev nat`min-associative = min-associative. %abbrev nat`min-associative* = min-associative*. %abbrev nat`min-associative-converse = min-associative-converse. %abbrev nat`min-associative-converse* = min-associative-converse*. %abbrev nat`min-assoc-commutative* = min-assoc-commutative*. %abbrev nat`min-assoc-commutative = min-assoc-commutative. %abbrev nat`min-double-associative* = min-double-associative*. %abbrev nat`min-double-associative = min-double-associative. %abbrev nat`false-implies-max = false-implies-max. %abbrev nat`max-respects-eq = max-respects-eq. %abbrev nat`max-total** = max-total**. %abbrev nat`max-total* = max-total*. %abbrev nat`max-total = max-total. %abbrev nat`max-deterministic = max-deterministic. %abbrev nat`max-commutative = max-commutative. 
%abbrev nat`ge-implies-max = ge-implies-max. %abbrev nat`le-implies-max = le-implies-max. %abbrev nat`max-implies-ge = max-implies-ge. %abbrev nat`max-is-lub = max-is-lub. %abbrev nat`max-left-preserves-ge* = max-left-preserves-ge*. %abbrev nat`max-left-preserves-le* = max-left-preserves-le*. %abbrev nat`max-left-preserves-ge = max-left-preserves-ge. %abbrev nat`max-right-preserves-ge* = max-right-preserves-ge*. %abbrev nat`max-right-preserves-ge = max-right-preserves-ge. %abbrev nat`max-preserves-ge* = max-preserves-ge*. %abbrev nat`max-preserves-ge = max-preserves-ge. %abbrev nat`max-left-preserves-le = max-left-preserves-le. %abbrev nat`max-right-preserves-le* = max-right-preserves-le*. %abbrev nat`max-right-preserves-le = max-right-preserves-le. %abbrev nat`max-preserves-le* = max-preserves-le*. %abbrev nat`max-preserves-le = max-preserves-le. %abbrev nat`max-associative = max-associative. %abbrev nat`max-associative* = max-associative*. %abbrev nat`max-associative-converse = max-associative-converse. %abbrev nat`max-associative-converse* = max-associative-converse*. %abbrev nat`max-assoc-commutative* = max-assoc-commutative*. %abbrev nat`max-assoc-commutative = max-assoc-commutative. %abbrev nat`max-double-associative* = max-double-associative*. %abbrev nat`max-double-associative = max-double-associative. %abbrev nat`min-right-distributes-over-max = min-right-distributes-over-max. %abbrev nat`max-right-distributes-over-min = max-right-distributes-over-min. %abbrev nat`min-right-distributes-over-max* = min-right-distributes-over-max*. %abbrev nat`min-left-distributes-over-max* = min-left-distributes-over-max*. %abbrev nat`min-left-distributes-over-max = min-left-distributes-over-max. %abbrev nat`min-right-factors-over-max = min-right-factors-over-max. %abbrev nat`min-right-factors-over-max* = min-right-factors-over-max*. %abbrev nat`min-left-factors-over-max = min-left-factors-over-max. %abbrev nat`min-left-factors-over-max* = min-left-factors-over-max*. 
% Last of the nat` qualified aliases (min/max distribution and factoring).

%abbrev nat`max-right-distributes-over-min* = max-right-distributes-over-min*.
%abbrev nat`max-left-distributes-over-min* = max-left-distributes-over-min*.
%abbrev nat`max-left-distributes-over-min = max-left-distributes-over-min.
%abbrev nat`max-right-factors-over-min = max-right-factors-over-min.
%abbrev nat`max-right-factors-over-min* = max-right-factors-over-min*.
%abbrev nat`max-left-factors-over-min = max-left-factors-over-min.
%abbrev nat`max-left-factors-over-min* = max-left-factors-over-min*.



%%%%% natpair.elf
%%%%% Pairs of natural numbers
%%%%% John Boyland

% Pairs of natural numbers are mapped one-to-one to the natural numbers.
% We use the binary merging technique, e.g.:
% (x3x2x1x0,y3y2y1y0) <-> x3y3x2y2x1y1x0y0



%%%% Functor use

%%%%% pair.elf
%%%%% a pseudo-functor
%%%%% John Boyland

% We require the following definitions:
% nat : equality type.
% nat : equality type.
% The result is an equality type too.
% (The requirement is listed twice, presumably once per component of the
% pair; both components are nat in this instantiation.)



%%%% Definitions

% A pair of natural numbers, with pair/ as its only constructor.
pair : type.

pair/ : nat -> nat -> pair.


% From here on the unqualified names eq, ne and eq? refer to pairs; the
% nat versions are reached through the nat` aliases.

% Equality on pairs: syntactic identity.
eq : pair -> pair -> type.

eq/ : eq P P.


% Disequality on pairs: the first components differ (ne/1) or the second
% components differ (ne/2).
ne : pair -> pair -> type.

ne/1 : ne (pair/ X1 Y1) (pair/ X2 Y2)
    <- nat`ne X1 X2.

ne/2 : ne (pair/ X1 Y1) (pair/ X2 Y2)
    <- nat`ne Y1 Y2.


% Decision relation: the bool records whether the two pairs are equal;
% the false case carries a witness of ne.
eq? : pair -> pair -> bool -> type.

eq?/yes : eq? P P true.

eq?/no : eq? P1 P2 false
    <- ne P1 P2.



%%%% Theorems

%%% theorems about eq

% Ex falso for eq.  No cases are needed: void has no constructors, so
% coverage holds with an empty proof.
%theorem false-implies-eq :
    forall* {X1} {X2}
    forall {F:void}
    exists {E:eq X1 X2}
    true.

%worlds () (false-implies-eq _ _).
%total { } (false-implies-eq _ _).


% No outputs; the %reduces declaration is what this theorem is for.  It
% lets termination checking treat X and Y as equal once eq X Y is known.
%theorem meta-eq :
    forall {X1} {X2} {E:eq X1 X2}
    true.

- : meta-eq _ _ eq/.

%worlds () (meta-eq _ _ _).
%total { } (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).


% Reflexivity of pair equality.
%theorem eq-reflexive :
    forall {X}
    exists {E:eq X X}
    true.

- : eq-reflexive _ eq/.

%worlds () (eq-reflexive _ _).
%total { } (eq-reflexive _ _).


% Symmetry of pair equality.
%theorem eq-symmetric :
    forall* {X} {Y}
    forall {E:eq X Y}
    exists {F:eq Y X}
    true.

- : eq-symmetric (eq/) (eq/).

%worlds () (eq-symmetric _ _).
%total { } (eq-symmetric _ _).
% Transitivity of pair equality.
%theorem eq-transitive :
    forall* {X} {Y} {Z}
    forall {E1:eq X Y} {E2:eq Y Z}
    exists {F:eq X Z}
    true.

- : eq-transitive (eq/) (eq/) (eq/).

%worlds () (eq-transitive _ _ _).
%total { } (eq-transitive _ _ _).


% Injectivity of pair/: equal pairs have equal components.
%theorem pair-eq-implies-eq :
    forall* {D1a} {D1b} {D2a} {D2b}
    forall {E:eq (pair/ D1a D2a) (pair/ D1b D2b)}
    exists {E1:nat`eq D1a D1b} {E2:nat`eq D2a D2b}
    true.

- : pair-eq-implies-eq eq/ nat`eq/ nat`eq/.

%worlds () (pair-eq-implies-eq _ _ _).
%total { } (pair-eq-implies-eq _ _ _).


% Congruence of pair/: equal components give equal pairs.
%theorem pair-preserves-eq :
    forall* {D1a} {D1b} {D2a} {D2b}
    forall {E1:nat`eq D1a D1b} {E2:nat`eq D2a D2b}
    exists {E:eq (pair/ D1a D2a) (pair/ D1b D2b)}
    true.

- : pair-preserves-eq nat`eq/ nat`eq/ eq/.

%worlds () (pair-preserves-eq _ _ _).
%total { } (pair-preserves-eq _ _ _).



%%% theorems about ne

% Ex falso for ne; no cases because void has no constructors.
%theorem false-implies-ne :
    forall* {X1} {X2}
    forall {F:void}
    exists {G:ne X1 X2}
    true.

%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).


% ne can be rewritten along equalities on both sides.
%theorem ne-respects-eq :
    forall* {X1} {X2} {Y1} {Y2}
    forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
    exists {D2:ne Y1 Y2}
    true.

- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.

%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).


% No pair differs from itself.  One case per ne constructor, each
% delegating to the corresponding fact about nat.
%theorem ne-anti-reflexive :
    forall* {P}
    forall {R:ne P P}
    exists {F:void}
    true.

- : ne-anti-reflexive (ne/1 X<>X) F
    <- nat`ne-anti-reflexive X<>X F.

- : ne-anti-reflexive (ne/2 Y<>Y) F
    <- nat`ne-anti-reflexive Y<>Y F.

%worlds () (ne-anti-reflexive _ _).
%total { } (ne-anti-reflexive _ _).


% Symmetry of ne; the witness stays on the same component.
%theorem ne-symmetric :
    forall* {P1} {P2}
    forall {R1:ne P1 P2}
    exists {R2:ne P2 P1}
    true.

- : ne-symmetric (ne/1 X1<>X2) (ne/1 X2<>X1)
    <- nat`ne-symmetric X1<>X2 X2<>X1.

- : ne-symmetric (ne/2 Y1<>Y2) (ne/2 Y2<>Y1)
    <- nat`ne-symmetric Y1<>Y2 Y2<>Y1.

%worlds () (ne-symmetric _ _).
%total { } (ne-symmetric _ _).


% eq and ne are mutually exclusive.  Matching on eq/ identifies the two
% pairs, which reduces the claim to ne-anti-reflexive.
%theorem eq-ne-implies-false :
    forall* {P1} {P2}
    forall {D1:eq P1 P2} {D2:ne P1 P2}
    exists {F:void}
    true.

- : eq-ne-implies-false eq/ X<>X F
    <- ne-anti-reflexive X<>X F.
%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).



%%% theorems about eq?

% Decidability of pair equality: for any two pairs there is a boolean B
% and a derivation of eq? P1 P2 B.
%theorem eq?-total* :
    forall {P1} {P2}
    exists {B} {T:eq? P1 P2 B}
    true.

% Helper: combines the component-wise decisions.  Both "yes" gives
% eq?/yes; a "no" on either component gives eq?/no with the matching ne
% constructor.
%theorem eq?-total*/L :
    forall* {X1} {Y1} {X2} {Y2} {B1} {B2}
    forall {T1:nat`eq? X1 Y1 B1} {T2:nat`eq? X2 Y2 B2}
    exists {B} {T:eq? (pair/ X1 X2) (pair/ Y1 Y2) B}
    true.

- : eq?-total*/L (nat`eq?/yes) (nat`eq?/yes) _ (eq?/yes).

- : eq?-total*/L (nat`eq?/no X1<>Y1) _ _ (eq?/no (ne/1 X1<>Y1)).

- : eq?-total*/L _ (nat`eq?/no X2<>Y2) _ (eq?/no (ne/2 X2<>Y2)).

%worlds () (eq?-total*/L _ _ _ _).
%total { } (eq?-total*/L _ _ _ _).

% Decide each component with nat`eq?-total, then combine with the helper.
- : eq?-total* _ _ _ T
    <- nat`eq?-total E?1
    <- nat`eq?-total E?2
    <- eq?-total*/L E?1 E?2 _ T.

%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).

% Convenience form with the two pairs and the boolean left implicit.
%abbrev eq?-total = eq?-total* _ _ _.



%%%% Definitions

%%% local abbreviations:

% Small closed derivations about the constants 2 and 4 used by the
% proofs below.
%abbrev ssN>N = (gt/> gt/1).
%abbrev 2>0 : gt (s (s z)) z = ssN>N.
%abbrev 1*N=N = (times/s times/z plus/z).
%abbrev 1*2=2 : times (s z) (s (s z)) (s (s z)) = 1*N=N.
%abbrev 2*2=4 = (times/s 1*N=N (plus/s (plus/s plus/z))).
%abbrev 2+1=3 : plus (s (s z)) (s z) (s (s (s z))) = (plus/s (plus/s plus/z)).


%%% mapping from a pair to a nat

pair2nat : pair -> nat -> type.

% Base case: (0, 0) maps to 0.
pair2nat/00 : pair2nat (pair/ z z) z.

% Step case.  Reading plus/times with the result last and
% divrem N D Q R as quotient Q and remainder R: X and Y are each halved,
% the pair of halves (X1, Y1) maps to Z1, and
%   Z = Z1 * 4 + X0 * 2 + Y0
% so the low bit of X lands above the low bit of Y, which is the bit
% interleaving described at the top of natpair.elf.
% Nothing in this rule excludes X = Y = 0, so (pair/ z z) has more than
% one derivation; the determinism proofs handle that with lemmas.
pair2nat/XX : plus Z3 Y0 Z
    -> plus Z2 X2 Z3
    -> times X0 (s (s z)) X2
    -> times Z1 (s (s (s (s z)))) Z2
    -> pair2nat (pair/ X1 Y1) Z1
    -> divrem Y (s (s z)) Y1 Y0
    -> divrem X (s (s z)) X1 X0
    -> pair2nat (pair/ X Y) Z.


%%% mapping from a nat to pair

% The inverse direction is the same relation with its arguments swapped.
%abbrev nat2pair : nat -> pair -> type = [N] [P] pair2nat P N.



%%%% Theorems

% Ex falso for pair2nat; no cases because void has no constructors.
%theorem false-implies-pair2nat :
    forall* {P} {N}
    forall {F:void}
    exists {P2N:pair2nat P N}
    true.

%worlds () (false-implies-pair2nat _ _).
%total { } (false-implies-pair2nat _ _).

% NOTE(review): the alias is spelled "not2pair"; "nat2pair" looks like the
% intended name. Renaming would affect any users, so confirm first.
%abbrev false-implies-not2pair = false-implies-pair2nat.


% pair2nat can be rewritten along an equality on the pair and an
% equality on the number.
%theorem pair2nat-respects-eq :
    forall* {P1} {N1} {P2} {N2}
    forall {D1:pair2nat P1 N1} {EP:eq P1 P2} {EN:nat`eq N1 N2}
    exists {D2:pair2nat P2 N2}
    true.
% Single case of pair2nat-respects-eq: both equalities are eq/, so the
% derivation is returned unchanged.
- : pair2nat-respects-eq P2N eq/ nat`eq/ P2N.

%worlds () (pair2nat-respects-eq _ _ _ _).
%total { } (pair2nat-respects-eq _ _ _ _).
% The output derivation counts as no larger than the input, so callers
% may recurse on it in termination arguments.
%reduces D1 = D2 (pair2nat-respects-eq D1 _ _ D2).

% Same lemma in nat2pair argument order.
%abbrev nat2pair-respects-eq
    : (nat2pair N1 P1) -> (nat`eq N1 N2) -> (eq P1 P2) -> (nat2pair N2 P2) -> type
    = [D1] [EN] [EP] [D2] pair2nat-respects-eq D1 EP EN D2.


% Totality of pair2nat on explicit components: every X and Y has some Z
% with pair2nat (pair/ X Y) Z.
%theorem pair2nat-total** :
    forall {X:nat} {Y:nat}
    exists {Z} {P2N:pair2nat (pair/ X Y) Z}
    true.

- : pair2nat-total** z z z pair2nat/00.

% X is a successor: halve both components.  X's quotient is strictly
% smaller than X and Y's quotient is no greater than Y; meta-gt and
% meta-ge pass those facts to the termination checker (presumably via
% %reduces declarations) before the recursive call.  The times-total
% and plus-total steps then assemble Z.
- : pair2nat-total** (s X-) Y Z
        (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
            (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0)
    <- divrem-total X/2=X1,X0
    <- divrem-total Y/2=Y1,Y0
    <- quotient-of-nonzero-is-smaller X/2=X1,X0 nat`eq/ X>X1
    <- quotient-is-no-greater Y/2=Y1,Y0 Y>=Y1
    <- meta-gt _ _ X>X1
    <- meta-ge _ _ Y>=Y1
    <- pair2nat-total** _ _ _ P2N
    <- times-total Z1*4=Z2
    <- times-total X0*2=X2
    <- plus-total Z2+X2=Z3
    <- plus-total Z3+Y0=Z.

% Y is a successor: symmetric to the previous case, with the strict
% decrease on Y and the weak one on X.
- : pair2nat-total** X (s Y-) Z
        (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
            (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0)
    <- divrem-total X/2=X1,X0
    <- divrem-total Y/2=Y1,Y0
    <- quotient-is-no-greater X/2=X1,X0 X>=X1
    <- quotient-of-nonzero-is-smaller Y/2=Y1,Y0 nat`eq/ Y>Y1
    <- meta-ge _ _ X>=X1
    <- meta-gt _ _ Y>Y1
    <- pair2nat-total** _ _ _ P2N
    <- times-total Z1*4=Z2
    <- times-total X0*2=X2
    <- plus-total Z2+X2=Z3
    <- plus-total Z3+Y0=Z.

%worlds () (pair2nat-total** _ _ _ _).
% [X Y] is the simultaneous order: one component strictly decreases
% while the other does not increase.
%total [X Y] (pair2nat-total** X Y _ _).


% Totality stated on a pair; unpacks pair/ and defers to the ** form.
%theorem pair2nat-total* :
    forall {P:pair}
    exists {N:nat} {P2N:pair2nat P N}
    true.

- : pair2nat-total* (pair/ X Y) Z P2N
    <- pair2nat-total** X Y Z P2N.

%worlds () (pair2nat-total* _ _ _).
%total { } (pair2nat-total* _ _ _).

%abbrev pair2nat-total = pair2nat-total* _ _.


% Totality of the inverse direction: every N is the image of some pair.
% Together with determinism in both directions this is what makes the
% mapping a bijection.
%theorem nat2pair-total* :
    forall {N:nat}
    exists {P:pair} {N2P:nat2pair N P}
    true.

- : nat2pair-total* z (pair/ z z) (pair2nat/00).
% Successor case of nat2pair-total*.  Z is split as Z1 * 4 + R with
% 4 > R, and R as X0 * 2 + Y0 with 2 > Y0; re-associating the sums gives
% the two plus premises of pair2nat/XX.  The recursive call decodes Z1
% into (X1, Y1), and X and Y are rebuilt as X1 * 2 + X0 and Y1 * 2 + Y0.
% The bounds 2 > X0 and 2 > Y0 are what divrem-can-be-constructed needs
% to turn those sums back into divrem derivations.
- : nat2pair-total* (s Z-) (pair/ X Y)
        (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
            (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0)
    <- divrem-total Z/4=Z1,R
    <- divrem-implies-gt Z/4=Z1,R FOUR>R
    <- divrem-can-be-inverted Z/4=Z1,R Z2 Z1*4=Z2 Z2+R=Z
    <- divrem-total R/2=X0,Y0
    <- divrem-implies-gt R/2=X0,Y0 TWO>Y0
    <- divrem-can-be-inverted R/2=X0,Y0 X2 X0*2=X2 X2+Y0=R
    <- plus-associative-converse X2+Y0=R Z2+R=Z Z3 Z2+X2=Z3 Z3+Y0=Z
    % now we need to get 2>X0
    % (from 4 > R >= X2 = X0 * 2, cancelling the factor 2)
    <- plus-commutative X2+Y0=R Y0+X2=R
    <- plus-implies-ge Y0+X2=R R>=X2
    <- gt-transitive-ge FOUR>R R>=X2 FOUR>X2
    <- times-right-cancels-gt 2*2=4 X0*2=X2 nat`eq/ FOUR>X2 TWO>X0
    % now we need to prove Z>Z1 (for termination)
    <- quotient-of-nonzero-is-smaller Z/4=Z1,R nat`eq/ Z>Z1
    <- meta-gt _ _ Z>Z1
    <- nat2pair-total* Z1 (pair/ X1 Y1) P2N
    <- times-total X1*2=XE
    <- times-total Y1*2=YE
    <- plus-total XE+X0=X
    <- plus-total YE+Y0=Y
    <- divrem-can-be-constructed X1*2=XE XE+X0=X TWO>X0 X/2=X1,X0
    <- divrem-can-be-constructed Y1*2=YE YE+Y0=Y TWO>Y0 Y/2=Y1,Y0.

%worlds () (nat2pair-total* _ _ _).
%total (Z) (nat2pair-total* Z _ _).
% Disabled declarations kept from the original.
% NOTE(review): the second one names pair2nat-total* but its arguments
% have the shape of nat2pair-total*; confirm before re-enabling.
% %reduces X <= N (nat2pair-total* N (pair/ X _) _).
% %reduces Y <= N (pair2nat-total* N (pair/ _ Y) _).

%abbrev nat2pair-total = nat2pair-total* _ _.


% Determinism of pair2nat: equal pairs map to equal numbers.
%theorem pair2nat-deterministic :
    forall* {P1} {P2} {N1} {N2}
    forall {D1:pair2nat P1 N1} {D2:pair2nat P2 N2} {EP:eq P1 P2}
    exists {EN:nat`eq N1 N2}
    true.

- : pair2nat-deterministic pair2nat/00 pair2nat/00 eq/ nat`eq/.

% lemma
% Any derivation for (pair/ z z) yields z, including derivations built
% with pair2nat/XX, which also matches that pair.
%theorem pair2nat-deterministic/00 :
    forall* {Z}
    forall {P2N:pair2nat (pair/ z z) Z}
    exists {E:nat`eq Z z}
    true.

- : pair2nat-deterministic/00 pair2nat/00 nat`eq/.
% pair2nat/XX case of the /00 lemma: both halvings of zero give zero, so the
% inner derivation is again about (z, z) and the lemma applies recursively.
% The recursive call is made on the output of pair2nat-respects-eq rather than
% on P2N itself; the %reduces declaration on pair2nat-respects-eq (earlier in
% this file) is what lets the termination checker accept it.
- : pair2nat-deterministic/00
      (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
         (P2N:pair2nat (pair/ X1 Y1) Z1) ZERO/2=Y1,Y0 ZERO/2=X1,X0) Z=0
    <- divrem-deterministic ZERO/2=X1,X0 (divrem/z 2>0) nat`eq/ nat`eq/ X1=0 X0=0
    <- divrem-deterministic ZERO/2=Y1,Y0 (divrem/z 2>0) nat`eq/ nat`eq/ Y1=0 Y0=0
    <- pair-preserves-eq X1=0 Y1=0 X1,Y1=0,0
    <- pair2nat-respects-eq P2N X1,Y1=0,0 nat`eq/ ZERO,ZERO->Z1
    <- pair2nat-deterministic/00 ZERO,ZERO->Z1 Z1=0
    <- times-deterministic Z1*4=Z2 times/z Z1=0 nat`eq/ Z2=0
    <- times-deterministic X0*2=X2 times/z X0=0 nat`eq/ X2=0
    <- plus-deterministic Z2+X2=Z3 plus/z Z2=0 X2=0 Z3=0
    <- plus-deterministic Z3+Y0=Z plus/z Z3=0 Y0=0 Z=0.

%worlds () (pair2nat-deterministic/00 _ _).
%total (D) (pair2nat-deterministic/00 D _).

% Mixed cases of pair2nat-deterministic: one side is the base derivation, so
% the other side is also about (z, z) and the lemma above settles it.
- : pair2nat-deterministic pair2nat/00 P2N eq/ ZERO=Z
    <- pair2nat-deterministic/00 P2N Z=0
    <- nat`eq-symmetric Z=0 ZERO=Z.

- : pair2nat-deterministic P2N pair2nat/00 eq/ Z=0
    <- pair2nat-deterministic/00 P2N Z=0.

% Both sides use pair2nat/XX: the halvings agree by divrem-deterministic, the
% inner derivations agree by induction, and the result is rebuilt with the
% determinism lemmas for times and plus.
- : pair2nat-deterministic
      (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
         (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0)
      (pair2nat/XX Z3'+Y0'=Z' Z2'+X2'=Z3' X0'*2=X2' Z1'*4=Z2'
         (P2N':pair2nat (pair/ X1' Y1')Z1') Y/2=Y1',Y0' X/2=X1',X0')
      eq/ Z=Z'
    <- divrem-deterministic X/2=X1,X0 X/2=X1',X0' nat`eq/ nat`eq/ X1=X1' X0=X0'
    <- divrem-deterministic Y/2=Y1,Y0 Y/2=Y1',Y0' nat`eq/ nat`eq/ Y1=Y1' Y0=Y0'
    <- pair-preserves-eq X1=X1' Y1=Y1' X1,Y1=X1',Y1'
    <- pair2nat-deterministic P2N P2N' X1,Y1=X1',Y1' Z1=Z1'
    <- times-deterministic Z1*4=Z2 Z1'*4=Z2' Z1=Z1' nat`eq/ Z2=Z2'
    <- times-deterministic X0*2=X2 X0'*2=X2' X0=X0' nat`eq/ X2=X2'
    <- plus-deterministic Z2+X2=Z3 Z2'+X2'=Z3' Z2=Z2' X2=X2' Z3=Z3'
    <- plus-deterministic Z3+Y0=Z Z3'+Y0'=Z' Z3=Z3' Y0=Y0' Z=Z'.

%worlds () (pair2nat-deterministic _ _ _ _).
%total (D) (pair2nat-deterministic D _ _ _).

% Determinism of the reverse direction: equal numbers decode to equal pairs.
%theorem nat2pair-deterministic :
	forall* {P1} {P2} {N1} {N2}
	forall {D1:nat2pair N1 P1} {D2:nat2pair N2 P2} {EN:nat`eq N1 N2}
	exists {EP:eq P1 P2}
	true.
% lemma
% Any derivation that decodes z yields the pair (z, z).
%theorem nat2pair-deterministic/0 :
	forall* {P}
	forall {D:nat2pair z P}
	exists {EP:eq P (pair/ z z)}
	true.

- : nat2pair-deterministic/0 pair2nat/00 eq/.

% pair2nat/XX case: a sum equal to zero forces every summand to zero, so the
% inner number Z1 is zero and the lemma applies to the inner derivation.
% X and Y are then rebuilt from zero quotients and zero remainders.
- : nat2pair-deterministic/0
      (pair2nat/XX Z3+Y0=0 Z2+X2=Z3 X0*2=X2 Z1*4=Z2
         (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) X,Y=0,0
    <- plus-is-zero-implies-zero Z3+Y0=0 nat`eq/ Z3=0 Y0=0
    <- plus-is-zero-implies-zero Z2+X2=Z3 Z3=0 Z2=0 X2=0
    <- times-right-cancels X0*2=X2 times/z nat`eq/ X2=0 X0=0
    <- times-right-cancels Z1*4=Z2 times/z nat`eq/ Z2=0 Z1=0
    <- nat2pair-respects-eq P2N Z1=0 eq/ N2P
    <- nat2pair-deterministic/0 N2P X1,Y1=0,0
    <- pair-eq-implies-eq X1,Y1=0,0 X1=0 Y1=0
    <- divrem-can-be-inverted X/2=X1,X0 XM X1*2=XM XM+X0=X
    <- divrem-can-be-inverted Y/2=Y1,Y0 YM Y1*2=YM YM+Y0=Y
    <- times-deterministic X1*2=XM times/z X1=0 nat`eq/ XM=0
    <- times-deterministic Y1*2=YM times/z Y1=0 nat`eq/ YM=0
    <- plus-deterministic XM+X0=X plus/z XM=0 X0=0 X=0
    <- plus-deterministic YM+Y0=Y plus/z YM=0 Y0=0 Y=0
    <- pair-preserves-eq X=0 Y=0 X,Y=0,0.

%worlds () (nat2pair-deterministic/0 _ _).
%total (D) (nat2pair-deterministic/0 D _).

% Zero case of nat2pair-deterministic: both pairs equal (z, z) by the lemma,
% hence equal each other.
- : nat2pair-deterministic N2P N2P' nat`eq/ X,Y=X',Y'
    <- nat2pair-deterministic/0 N2P X,Y=0,0
    <- nat2pair-deterministic/0 N2P' X',Y'=0,0
    <- eq-symmetric X',Y'=0,0 ZERO,ZERO=X',Y'
    <- eq-transitive X,Y=0,0 ZERO,ZERO=X',Y' X,Y=X',Y'.
% pair2nat/XX case on both sides of nat2pair-deterministic.
% Outline, following the derivation names: on each side regroup the sum as
% Z = Z2 + R with R = X2 + Y0, bound R below 4, and turn that into a divrem of
% Z by 4. divrem-deterministic then gives Z1 = Z1' and R = R'; the same trick
% on R by 2 gives X0 = X0' and Y0 = Y0'. Induction gives the inner pairs
% equal, and X, Y are rebuilt from quotients and remainders.
- : nat2pair-deterministic
      (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2
         (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0)
      (pair2nat/XX Z3'+Y0'=Z Z2'+X2'=Z3' X0'*2=X2' Z1'*4=Z2'
         (P2N':pair2nat (pair/ X1' Y1') Z1') Y'/2=Y1',Y0' X'/2=X1',X0')
      nat`eq/ X,Y=X',Y'
    <- plus-associative Z2+X2=Z3 Z3+Y0=Z R X2+Y0=R Z2+R=Z
    <- divrem-implies-gt X/2=X1,X0 TWO>X0
    <- divrem-implies-gt Y/2=Y1,Y0 TWO>Y0
    <- succ-gt-implies-ge TWO>X0 ONE>=X0
    <- succ-gt-implies-ge TWO>Y0 ONE>=Y0
    <- times-right-preserves-ge* ONE>=X0 1*2=2 X0*2=X2 TWO>=X2
    <- plus-preserves-ge* TWO>=X2 ONE>=Y0 2+1=3 X2+Y0=R THREE>=R
    <- ge-implies-succ-gt THREE>=R FOUR>R
    <- divrem-can-be-constructed Z1*4=Z2 Z2+R=Z FOUR>R Z/4=Z1,R
    <- plus-associative Z2'+X2'=Z3' Z3'+Y0'=Z R' X2'+Y0'=R' Z2'+R'=Z
    <- divrem-implies-gt X'/2=X1',X0' TWO>X0'
    <- divrem-implies-gt Y'/2=Y1',Y0' TWO>Y0'
    <- succ-gt-implies-ge TWO>X0' ONE>=X0'
    <- succ-gt-implies-ge TWO>Y0' ONE>=Y0'
    <- times-right-preserves-ge* ONE>=X0' 1*2=2 X0'*2=X2' TWO>=X2'
    <- plus-preserves-ge* TWO>=X2' ONE>=Y0' 2+1=3 X2'+Y0'=R' THREE>=R'
    <- ge-implies-succ-gt THREE>=R' FOUR>R'
    <- divrem-can-be-constructed Z1'*4=Z2' Z2'+R'=Z FOUR>R' Z/4=Z1',R'
    <- divrem-deterministic Z/4=Z1,R Z/4=Z1',R' nat`eq/ nat`eq/ Z1=Z1' R=R'
    <- divrem-can-be-constructed X0*2=X2 X2+Y0=R TWO>Y0 R/2=X0,Y0
    <- divrem-can-be-constructed X0'*2=X2' X2'+Y0'=R' TWO>Y0' R'/2=X0',Y0'
    <- divrem-deterministic R/2=X0,Y0 R'/2=X0',Y0' R=R' nat`eq/ X0=X0' Y0=Y0'
    <- nat2pair-deterministic P2N P2N' Z1=Z1' X1,Y1=X1',Y1'
    <- pair-eq-implies-eq X1,Y1=X1',Y1' X1=X1' Y1=Y1'
    <- divrem-can-be-inverted X/2=X1,X0 XM X1*2=XM XM+X0=X
    <- divrem-can-be-inverted Y/2=Y1,Y0 YM Y1*2=YM YM+Y0=Y
    <- divrem-can-be-inverted X'/2=X1',X0' XM' X1'*2=XM' XM'+X0'=X'
    <- divrem-can-be-inverted Y'/2=Y1',Y0' YM' Y1'*2=YM' YM'+Y0'=Y'
    <- times-deterministic X1*2=XM X1'*2=XM' X1=X1' nat`eq/ XM=XM'
    <- plus-deterministic XM+X0=X XM'+X0'=X' XM=XM' X0=X0' X=X'
    <- times-deterministic Y1*2=YM Y1'*2=YM' Y1=Y1' nat`eq/ YM=YM'
    <- plus-deterministic YM+Y0=Y YM'+Y0'=Y' YM=YM' Y0=Y0' Y=Y'
    <- pair-preserves-eq X=X' Y=Y' X,Y=X',Y'.

%worlds () (nat2pair-deterministic _ _ _ _).
%total (D) (nat2pair-deterministic D _ _ _).

% Injectivity, stated with inequality: different pairs map to different
% numbers. The starred form takes the two mapping derivations as inputs.
%theorem pair2nat-preserves-ne* :
	forall* {P1} {P2} {N1} {N2}
	forall {PNE: ne P1 P2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2}
	exists {NE: nat`ne N1 N2}
	true.

% Helper with an extra input: the outcome of comparing N1 and N2.
%theorem pair2nat-preserves-ne*/L :
	forall* {P1} {P2} {N1} {N2} {B}
	forall {PNE: ne P1 P2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2}
	       {NT: nat`eq? N1 N2 B}
	exists {NE: nat`ne N1 N2}
	true.

- : pair2nat-preserves-ne* P1<>P2 P1->N1 P2->N2 N1<>N2
    <- nat`eq?-total EQ?
    <- pair2nat-preserves-ne*/L P1<>P2 P1->N1 P2->N2 EQ? N1<>N2.

- : pair2nat-preserves-ne*/L _ _ _ (nat`eq?/no N1<>N2) N1<>N2.

% If the numbers were equal, nat2pair-deterministic would make the pairs
% equal, contradicting P1<>P2; the result is then derived from falsehood.
- : pair2nat-preserves-ne*/L P1<>P2 P1->N P2->N (nat`eq?/yes) N<>N
    <- nat2pair-deterministic P1->N P2->N nat`eq/ P1=P2
    <- eq-ne-implies-false P1=P2 P1<>P2 F
    <- nat`false-implies-ne F N<>N.

%worlds () (pair2nat-preserves-ne*/L _ _ _ _ _).
%total { } (pair2nat-preserves-ne*/L _ _ _ _ _).

%worlds () (pair2nat-preserves-ne* _ _ _ _).
%total { } (pair2nat-preserves-ne* _ _ _ _).

% Unstarred form: the mapping derivations are produced here via totality.
%theorem pair2nat-preserves-ne :
	forall* {P1} {P2}
	forall {PNE: ne P1 P2}
	exists {N1} {N2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2}
	       {NE: nat`ne N1 N2}
	true.

- : pair2nat-preserves-ne P1<>P2 N1 N2 T1 T2 N1<>N2
    <- pair2nat-total T1
    <- pair2nat-total T2
    <- pair2nat-preserves-ne* P1<>P2 T1 T2 N1<>N2.

%worlds () (pair2nat-preserves-ne _ _ _ _ _ _).
%total { } (pair2nat-preserves-ne _ _ _ _ _ _).

% The same property for the reverse direction: different numbers decode to
% different pairs.
%theorem nat2pair-preserves-ne* :
	forall* {P1} {P2} {N1} {N2}
	forall {NE: nat`ne N1 N2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2}
	exists {PNE: ne P1 P2}
	true.

%theorem nat2pair-preserves-ne*/L :
	forall* {P1} {P2} {N1} {N2} {B}
	forall {NE: nat`ne N1 N2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2}
	       {PT: eq? P1 P2 B}
	exists {PNE: ne P1 P2}
	true.

- : nat2pair-preserves-ne* N1<>N2 N1->P1 N2->P2 P1<>P2
    <- eq?-total EP?
    <- nat2pair-preserves-ne*/L N1<>N2 N1->P1 N2->P2 EP? P1<>P2.

- : nat2pair-preserves-ne*/L _ _ _ (eq?/no P1<>P2) P1<>P2.
% If the pairs were equal, pair2nat-deterministic would make the numbers
% equal, contradicting N1<>N2; the result is then derived from falsehood.
- : nat2pair-preserves-ne*/L N1<>N2 N1->P N2->P (eq?/yes) P<>P
    <- pair2nat-deterministic N1->P N2->P eq/ N1=N2
    <- nat`eq-ne-implies-false N1=N2 N1<>N2 F
    <- false-implies-ne F P<>P.

%worlds () (nat2pair-preserves-ne*/L _ _ _ _ _).
%total { } (nat2pair-preserves-ne*/L _ _ _ _ _).

%worlds () (nat2pair-preserves-ne* _ _ _ _).
%total { } (nat2pair-preserves-ne* _ _ _ _).

% Unstarred form: the decoding derivations are produced here via totality.
%theorem nat2pair-preserves-ne :
	forall* {N1} {N2}
	forall {NNE: nat`ne N1 N2}
	exists {P1} {P2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2}
	       {PE: ne P1 P2}
	true.

- : nat2pair-preserves-ne N1<>N2 P1 P2 T1 T2 P1<>P2
    <- nat2pair-total T1
    <- nat2pair-total T2
    <- nat2pair-preserves-ne* N1<>N2 T1 T2 P1<>P2.

%worlds () (nat2pair-preserves-ne _ _ _ _ _ _).
%total { } (nat2pair-preserves-ne _ _ _ _ _ _).

% Size bound for decoding a nonzero number: the first component is strictly
% smaller than the number and the second is no greater.
%theorem nonzero-nat2pair-implies-gt-ge :
	forall* {N} {X} {Y}
	forall {D:nat2pair (s N) (pair/ X Y)}
	exists {G1: gt (s N) X} {G2: ge (s N) Y}
	true.

% Case where every arithmetic sub-derivation is the zero rule.
- : nonzero-nat2pair-implies-gt-ge
      (pair2nat/XX plus/z plus/z times/z times/z _ (divrem/z _) (divrem/z _))
      N+1>0 (nat`ge/= nat`eq/)
    <- succ-implies-gt-zero _ N+1>0.

% Case where the inner number is zero and the X remainder is nonzero: the
% remainder is below 2, so X is shown equal to 1 and X2 equal to 2.
- : nonzero-nat2pair-implies-gt-ge
      (pair2nat/XX X2+Y=sN plus/z (times/s X-1*2=X2-2 X2-2+2=X2) times/z _
         (divrem/z _) (divrem/z TWO>X))
      N+1>X N+1>=Y
    <- plus-implies-ge X2+Y=sN (N+1>=Y:ge (s N) Y)
    <- succ-gt-implies-ge TWO>X ONE>=X
    <- ge-succ-implies-gt ONE>=X ONE>X-1
    <- succ-gt-implies-ge ONE>X-1 ZERO>=X-1
    <- ge-zero-always _ X-1>=0
    <- ge-anti-symmetric ZERO>=X-1 X-1>=0 ZERO=X-1
    <- succ-deterministic ZERO=X-1 ONE=X
    <- times-deterministic times/z X-1*2=X2-2 ZERO=X-1 nat`eq/ ZERO=X2-2
    <- plus-deterministic plus/z X2-2+2=X2 ZERO=X2-2 nat`eq/ TWO=X2
    <- gt-respects-eq (gt/1) TWO=X2 ONE=X X2>X
    <- plus-commutative X2+Y=sN Y+X2=sN
    <- plus-implies-ge Y+X2=sN N+1>=X2
    <- ge-transitive-gt N+1>=X2 X2>X N+1>X.
% Two impossible cases: the inner derivation maps a pair with a nonzero
% component to z. nat2pair-deterministic against pair2nat/00 gives z = s _,
% a contradiction, and both outputs are derived from falsehood.
- : nonzero-nat2pair-implies-gt-ge
      (pair2nat/XX _ _ _ _ (P2z:pair2nat (pair/ (s _) _) z) _ _) GT GE
    <- nat2pair-deterministic pair2nat/00 P2z nat`eq/ ZERO,0=sN,_
    <- pair-eq-implies-eq ZERO,0=sN,_ ZERO=sN _
    <- nat`eq-contradiction ZERO=sN F
    <- nat`false-implies-gt F GT
    <- nat`false-implies-ge F GE.

- : nonzero-nat2pair-implies-gt-ge
      (pair2nat/XX _ _ _ _ (P2z:pair2nat (pair/ _ (s _)) z) _ _) GT GE
    <- nat2pair-deterministic pair2nat/00 P2z nat`eq/ ZERO,0=_,sN
    <- pair-eq-implies-eq ZERO,0=_,sN _ ZERO=sN
    <- nat`eq-contradiction ZERO=sN F
    <- nat`false-implies-gt F GT
    <- nat`false-implies-ge F GE.

% General case, by induction on the inner derivation Z1->X1,Y1.
% Outline, following the derivation names: s N >= Z2 = Z1*4; the induction
% hypothesis bounds X1 and Y1 by Z1; doubling gives bounds on X1*2 and Y1*2 in
% terms of Z2/2; adding a remainder of at most 1 keeps X and Y below Z2.
- : nonzero-nat2pair-implies-gt-ge
      (pair2nat/XX Z3+Y0=sN Z2+X2=Z3 X0*2=X2 Z1*4=Z2 Z1->X1,Y1
         Y/2=Y1,Y0 X/2=X1,X0)
      N+1>X (ge/> N+1>Y)
    <- plus-commutative Z3+Y0=sN Y0+Z3=sN
    <- plus-implies-ge Y0+Z3=sN N+1>=Z3
    <- plus-commutative Z2+X2=Z3 X2+Z2=Z3
    <- plus-implies-ge X2+Z2=Z3 Z3>=Z2
    <- ge-transitive N+1>=Z3 Z3>=Z2 N+1>=Z2
    <- nonzero-nat2pair-implies-gt-ge Z1->X1,Y1 Z1>X1 Z1>=Y1
    <- times-associative-converse 2*2=4 Z1*4=Z2 Z2/2 Z1*2=Z2/2 Z2/2*2=Z2
    <- divrem-can-be-inverted Y/2=Y1,Y0 Y12 Y1*2=Y12 Y12+Y0=Y
    <- divrem-can-be-inverted X/2=X1,X0 X12 X1*2=X12 X12+X0=X
    <- times-right-preserves-gt* Z1>X1 Z1*2=Z2/2 X1*2=X12 nat`eq/ Z2/2>X12
    <- succ-implies-gt-zero _ Z1>0
    <- gt-implies-ge-succ Z1>0 Z1>=1
    <- times-right-preserves-ge* Z1>=1 Z1*2=Z2/2 1*2=2 Z2/2>=2
    <- ge-implies-plus Z2/2>=2 ZZ ZZ+2=Z2/2
    <- plus-commutative ZZ+2=Z2/2 TWO+ZZ=Z2/2
    <- plus-deterministic TWO+ZZ=Z2/2 (plus/s (plus/s plus/z)) nat`eq/ nat`eq/
         Z2/2=ssZZ
    <- times-respects-eq Z2/2*2=Z2 Z2/2=ssZZ nat`eq/ nat`eq/ SSZZ*2=Z2
    <- non-trivial-times-implies-much-gt* SSZZ*2=Z2 Z2>sssZZ
    <- divrem-implies-gt X/2=X1,X0 TWO>X0
    <- succ-gt-implies-ge TWO>X0 ONE>=X0
    <- plus-right-identity _ X12+0=X12
    <- plus-right-increase X12+0=X12 X12+1=sX12
    <- plus-left-preserves-ge* ONE>=X0 X12+1=sX12 X12+X0=X SX12>=X
    <- gt-implies-ge-succ Z2/2>X12 Z2/2>=sX12
    <- ge-transitive Z2/2>=sX12 SX12>=X Z2/2>=X
    <- ge-respects-eq Z2/2>=X Z2/2=ssZZ nat`eq/ SSZZ>=X
    <- ge-implies-succ-gt SSZZ>=X SSSZZ>X
    <- gt-transitive Z2>sssZZ SSSZZ>X Z2>X
    <- ge-transitive-gt N+1>=Z2 Z2>X N+1>X
    <- times-right-preserves-ge* Z1>=Y1 Z1*2=Z2/2 Y1*2=Y12 Z2/2>=Y12
    <- ge-respects-eq Z2/2>=Y12 Z2/2=ssZZ nat`eq/ SSZZ>=Y12
    <- divrem-implies-gt Y/2=Y1,Y0 TWO>Y0
    <- succ-gt-implies-ge TWO>Y0 ONE>=Y0
    <- plus-right-identity _ Y12+0=Y12
    <- plus-right-increase Y12+0=Y12 Y12+1=sY12
    <- plus-left-preserves-ge* ONE>=Y0 Y12+1=sY12 Y12+Y0=Y SY12>=Y
    <- succ-preserves-ge SSZZ>=Y12 SSSZZ>=SY12
    <- ge-transitive SSSZZ>=SY12 SY12>=Y SSSZZ>=Y
    <- gt-transitive-ge Z2>sssZZ SSSZZ>=Y Z2>Y
    <- ge-transitive-gt N+1>=Z2 Z2>Y N+1>Y.

%worlds () (nonzero-nat2pair-implies-gt-ge _ _ _).
%total (N) (nonzero-nat2pair-implies-gt-ge N _ _).

% Both components of a decoded pair are bounded by the number.
%theorem nat2pair-implies-ge :
	forall* {N} {X} {Y}
	forall {D:nat2pair N (pair/ X Y)}
	exists {G1: ge N X} {G2: ge N Y}
	true.

- : nat2pair-implies-ge N2P (ge/> N>X) N>=Y
    <- nonzero-nat2pair-implies-gt-ge N2P N>X N>=Y.

- : nat2pair-implies-ge Z2P (ge/= ZERO=X) (ge/= ZERO=Y)
    <- nat2pair-deterministic pair2nat/00 Z2P nat`eq/ ZERO,ZERO=X,Y
    <- pair-eq-implies-eq ZERO,ZERO=X,Y ZERO=X ZERO=Y.

%worlds () (nat2pair-implies-ge _ _ _).
%total { } (nat2pair-implies-ge _ _ _).

% With the first component fixed, codes above any bound B exist: choose the
% second component to be s B and use the bound N >= N2.
%theorem constrained1-pair2nat-unbounded :
	forall {N1} {B}
	exists {N2} {N} {D:pair2nat (pair/ N1 N2) N} {G:gt N B}
	true.

- : constrained1-pair2nat-unbounded N1 B (s B) N N1,N2->N N>B
    <- pair2nat-total N1,N2->N
    <- nat2pair-implies-ge N1,N2->N N>=N1 N>=N2
    <- ge-succ-implies-gt N>=N2 N>B.

%worlds () (constrained1-pair2nat-unbounded _ _ _ _ _ _).
%total { } (constrained1-pair2nat-unbounded _ _ _ _ _ _).

% The same with the second component fixed and the first chosen as s B.
%theorem constrained2-pair2nat-unbounded :
	forall {N2} {B}
	exists {N1} {N} {D:pair2nat (pair/ N1 N2) N} {G:gt N B}
	true.

- : constrained2-pair2nat-unbounded N2 B (s B) N N1,N2->N N>B
    <- pair2nat-total N1,N2->N
    <- nat2pair-implies-ge N1,N2->N N>=N1 N>=N2
    <- ge-succ-implies-gt N>=N1 N>B.

%worlds () (constrained2-pair2nat-unbounded _ _ _ _ _ _).
%total { } (constrained2-pair2nat-unbounded _ _ _ _ _ _).



%%%% Renamings

%abbrev natpair = pair.
%abbrev natpair/ = pair/.



%%%% Exports

% Each name is re-exported under a natpair` prefix, so it stays reachable
% after a later declaration reuses the short name.
%abbrev natpair`pair = pair.
%abbrev natpair`pair/ = pair/.
%abbrev natpair`eq = eq.
%abbrev natpair`eq/ = eq/.
%abbrev natpair`ne = ne.
%abbrev natpair`ne/1 = ne/1.
%abbrev natpair`ne/2 = ne/2.
%abbrev natpair`eq? = eq?.
%abbrev natpair`eq?/yes = eq?/yes.
%abbrev natpair`eq?/no = eq?/no.
%abbrev natpair`false-implies-eq = false-implies-eq.
%abbrev natpair`meta-eq = meta-eq.
%abbrev natpair`eq-reflexive = eq-reflexive.
%abbrev natpair`eq-symmetric = eq-symmetric.
%abbrev natpair`eq-transitive = eq-transitive.
%abbrev natpair`pair-eq-implies-eq = pair-eq-implies-eq.
%abbrev natpair`pair-preserves-eq = pair-preserves-eq.
%abbrev natpair`false-implies-ne = false-implies-ne.
%abbrev natpair`ne-respects-eq = ne-respects-eq.
%abbrev natpair`ne-anti-reflexive = ne-anti-reflexive.
%abbrev natpair`ne-symmetric = ne-symmetric.
%abbrev natpair`eq-ne-implies-false = eq-ne-implies-false.
%abbrev natpair`eq?-total* = eq?-total*.
%abbrev natpair`eq?-total*/L = eq?-total*/L.
%abbrev natpair`eq?-total = eq?-total.
%abbrev natpair`pair2nat = pair2nat.
%abbrev natpair`pair2nat/00 = pair2nat/00.
%abbrev natpair`pair2nat/XX = pair2nat/XX.
%abbrev natpair`nat2pair = nat2pair.
%abbrev natpair`false-implies-pair2nat = false-implies-pair2nat.
% NOTE(review): "not2pair" may be a misspelling of "nat2pair"; the definition
% is outside this excerpt, so confirm before renaming.
%abbrev natpair`false-implies-not2pair = false-implies-not2pair.
%abbrev natpair`pair2nat-respects-eq = pair2nat-respects-eq.
%abbrev natpair`nat2pair-respects-eq = nat2pair-respects-eq.
%abbrev natpair`pair2nat-total** = pair2nat-total**.
%abbrev natpair`pair2nat-total* = pair2nat-total*.
%abbrev natpair`pair2nat-total = pair2nat-total.
%abbrev natpair`nat2pair-total* = nat2pair-total*.
%abbrev natpair`nat2pair-total = nat2pair-total.
%abbrev natpair`pair2nat-deterministic = pair2nat-deterministic.
%abbrev natpair`pair2nat-deterministic/00 = pair2nat-deterministic/00.
%abbrev natpair`nat2pair-deterministic = nat2pair-deterministic.
%abbrev natpair`nat2pair-deterministic/0 = nat2pair-deterministic/0.
%abbrev natpair`pair2nat-preserves-ne* = pair2nat-preserves-ne*.
%abbrev natpair`pair2nat-preserves-ne*/L = pair2nat-preserves-ne*/L.
%abbrev natpair`pair2nat-preserves-ne = pair2nat-preserves-ne.
%abbrev natpair`nat2pair-preserves-ne* = nat2pair-preserves-ne*.
%abbrev natpair`nat2pair-preserves-ne*/L = nat2pair-preserves-ne*/L.
%abbrev natpair`nat2pair-preserves-ne = nat2pair-preserves-ne.
%abbrev natpair`nonzero-nat2pair-implies-gt-ge = nonzero-nat2pair-implies-gt-ge.
%abbrev natpair`nat2pair-implies-ge = nat2pair-implies-ge.
%abbrev natpair`constrained1-pair2nat-unbounded = constrained1-pair2nat-unbounded.
%abbrev natpair`constrained2-pair2nat-unbounded = constrained2-pair2nat-unbounded.
%abbrev natpair`natpair = natpair.
%abbrev natpair`natpair/ = natpair/.

%{ == Definitions == }%

%{ === The syntax === }%

%{
The HOAS defined here is uninteresting. There isn't even any way to use more
than one variable (although the proofs use techniques that can handle any
number of variables).
}%

t : type.

a : t.
b : t -> t.
f : (t -> t) -> t.

% World in which term variables occur with no further assumptions.
%block blocksimple : block {v:t}.

%{ === Equality === }%

% From here on the short names eq and eq/ denote equality on t; the pair
% equality declared earlier stays reachable as natpair`eq and natpair`eq/.
eq : t -> t -> type.

eq/ : eq T T.

%{ === Variable levels === }%

%{
A variable level is the (nonzero) natural number for a variable. This value is
used to determine the mapping for a variable.
}%

varlevel : t -> nat -> type.

% Every variable introduced in this world carries a level of the form (s l),
% which is what makes levels nonzero.
%block blockvar : some {l} block {v} {vl:varlevel v (s l)}.

%{ === Mapping === }%

%{
The bijection from t to nat is called "tonat". In its more general form the
relation takes a natural number indicating how deep we are inside functions.
}%

tonat* : nat -> t -> nat -> type.

%abbrev tonat = tonat* z.

% In the rules below N is the nesting depth. Assuming "plus A B C" reads
% A + B = C and "times A B C" reads A * B = C (both come from the nat library,
% not shown here - confirm):
%   a variable at level L maps to M with M + L = N;
%   a maps to N;
%   b T maps to (N + 1) + 2 * M, where T maps to M at the same depth.
tonat/v : varlevel V L -> plus M L N -> tonat* N V M.

tonat/a : tonat* N a N.

tonat/b : tonat* N T M -> times (s (s z)) M TM -> plus (s N) TM M' -> tonat* N (b T) M'.
% f F: the body is mapped one level deeper, with the bound variable given
% level (s N); the result is combined as plus (s (s N)) TM M', where TM is
% twice the body's code.
tonat/f : ({v} (varlevel v (s N)) -> tonat* (s N) (F v) M) -> times (s (s z)) M TM -> plus (s (s N)) TM M' -> tonat* N (f F) M'.

%{ === Utility lemmas === }%

%{
The following theorems prove obvious simple things about the basic relations.
They follow the conventions established in John Boyland's library signatures.
}%

% No clauses are needed: the input type void has no constructors.
%theorem false-implies-varlevel :
	forall* {V} {L}
	forall {F:void}
	exists {VL:varlevel V L}
	true.

%worlds (blockvar) (false-implies-varlevel _ _).
%total { } (false-implies-varlevel _ _).

%theorem varlevel-respects-eq :
	forall* {V} {L1} {L2}
	forall {VL1:varlevel V L1} {E:nat`eq L1 L2}
	exists {VL2:varlevel V L2}
	true.

- : varlevel-respects-eq VL nat`eq/ VL.

%worlds (blocksimple | blockvar) (varlevel-respects-eq _ _ _).
%total { } (varlevel-respects-eq _ _ _).

%theorem false-implies-tonat :
	forall* {N} {T} {M}
	forall {F:void}
	exists {TN:tonat* N T M}
	true.

%worlds (blockvar) (false-implies-tonat _ _).
%total { } (false-implies-tonat _ _).

%{ == Proof of totality of tonat == }%

%{
The difficulty here is that we need to prove that when we get to a variable
(and exactly how we tell this in Twelf is tricky because variables can't be
captured in case analysis), we need to ensure that (1) the variable has a
level associated with it and (2) the level is in the range 1..N where N is the
block nesting we are in. Blocks are useful for (1) but not for (2) because
there's no way to connect the context with the current nesting level.

Instead we use a technique (which I learned from Rob Simmons) to handle one
level of variable at a time in a separate lemma. This works since for each
particular HOAS function we know that the variable is bound legally. We
package this approach up into an auxiliary relation that incidentally makes it
easy to capture variables in case analysis. This makes for a wordy series of
proofs. Perhaps we can get rid of 'case' in general.
}%

%{ === Auxiliary definitions === }%

%{ ==== raw variables ==== }%

%{
A variable is raw if we haven't verified that it has a level in range.
Non variables are not raw.
}%

israw : t -> bool -> type.

%abbrev rawvar = [T] israw T true.

israw/a : israw a false.
israw/b : israw (b _) false.
israw/f : israw (f _) false.

%{ ==== case analysis ==== }%

%{
We case-analyze terms, with two cases for variables. The raw case is used only
internally and can be ignored in "clients" that don't use israw.
}%

% case N T: T is covered at nesting depth N. case/var records that the
% variable's level L satisfies N >= L.
case : nat -> t -> type.

case/a : case _ a.
case/b : case N T -> case N (b T).
case/f : ({v} varlevel v (s N) -> case (s N) (F v)) -> case N (f F).
case/var : varlevel V L -> nat`ge N L -> case N V.
case/raw : rawvar V -> case N V.

%{ === Theorems about auxiliary definitions === }%

%{
What follows first is a theorem that says that in a context where all
variables are raw, we can compute the rawness of all terms. In a Twelf idiom
that will be seen several times in this file (and which I learned from Rob
Simmons), we have to put the theorem for the variable case in the same context
that defines the variable as raw. (This is rather annoying: Twelf should be
smart enough to see that the context that defines the variable has the
necessary relation.)

This somewhat contorted idiom falls afoul of autofreezing in Twelf 1.5r3. I
consider this a bug in Twelf, but fortunately it can be worked around by
defining a fake circular dependency. (Again, the idea from Rob Simmons.) For
some reason, unlike Rob's examples and the later instances in this file, I
need to add israw to the fake dependencies as well. The definition "fake" is
never used again. It has no "meaning."
}%

%theorem israw-total* :
	forall {T}
	exists {B} {I:israw T B}
	true.

%abbrev israw-total = israw-total* _ _.

- : israw-total israw/a.
- : israw-total israw/b.
- : israw-total israw/f.

% Workaround only: these clauses make israw-total* and israw depend on
% themselves through a hypothesis of type israw-total*. No %worlds or %total
% is declared for fake in the part of the file shown here.
fake : type.
- : fake <- {i:israw-total* T B I} israw-total* T' B' I'.
- : fake <- {i:israw-total* T B I} israw T' B'.
% World for raw variables: each variable arrives with a proof that it is raw
% and with the israw-total case for that proof, so israw-total* needs no
% clause for variables.
%block blockraw : block {v} {rv:rawvar v} {irt:israw-total rv}.

%worlds (blockraw) (israw-total* _ _ _).
%total { } (israw-total* _ _ _).

%{
The following theorem handles one variable, converting it from raw to one with
a level that is in the required range. This is an important technique for
handling variables in Twelf: one at a time.
}%

%theorem var-gets-level :
	forall* {N} {T} {L}
	forall {F: {v} {rv:rawvar v} {i:israw-total rv} case N (T v)}
	       {GE: nat`ge N L}
	exists {F': {v} (varlevel v L) -> case N (T v)}
	true.

% The bound variable itself: its raw case becomes a levelled case.
- : var-gets-level ([v] [r] [i] (case/raw r)) N>=L ([v] [vl] (case/var vl N>=L)).

% A raw or levelled case that does not mention the bound variable's
% hypotheses is left unchanged.
- : var-gets-level ([v] [r] [i] (case/raw R)) _ ([v] [vl] (case/raw R)).

- : var-gets-level ([v] [c] [i] (case/var VL N>=L)) _ ([v] [vl] (case/var VL N>=L)).

- : var-gets-level ([v] [c] [i] case/a) _ ([v] [vl] case/a).

- : var-gets-level ([v] [c] [i] (case/b (C v c i))) N>=L ([v] [vl] (case/b (C' v vl)))
    <- var-gets-level ([v] [c] [i] (C v c i)) N>=L ([v][vl] (C' v vl)).

% Under a binder the depth grows by one, so N >= L is weakened to
% (s N) >= L before recursing.
- : var-gets-level ([v] [c] [i] (case/f ([v'][vl'] (C v' vl' v c i)))) N>=L
      ([v][vl] (case/f ([v'][vl'] (C' v' vl' v vl))))
    <- ge-implies-succ-gt N>=L N+1>L
    <- ({v'} {vl':varlevel v' _}
	  var-gets-level ([v] [c] [i] (C v' vl' v c i)) (nat`ge/> N+1>L)
	    ([v][vl](C' v' vl' v vl))).

%worlds (blockvar | blockraw) (var-gets-level _ _ _).
%total F (var-gets-level F _ _).

%{
We are now ready to prove that we can always "case" a term. This code follows
John Boyland's library convention of defining a "-total" metatheorem as having
implicit arguments that are explicit in a "-total*" version. In the main
lemma, the interesting case is when we have a "f" term: after ensuring that
the subterm can be tested for rawness, we recurse while the variable is
assumed raw. Once this is done, we convert the variable into one with a level
using "var-gets-level". Note that the var levels don't go into the context
for this theorem.
}%

%theorem case-total* :
	forall {T}
	exists {C:case z T}
	true.

%abbrev case-total = case-total* _.
% Main lemma for case-total*: the rawness derivation is an extra input so
% that the variable case can be matched.
%theorem case-total/L :
	forall* {B}
	forall {N} {T} {I:israw T B}
	exists {C:case N T}
	true.

- : case-total/L _ _ _ (case/a).

- : case-total/L _ _ _ (case/b C)
    <- israw-total I
    <- case-total/L _ _ I C.

% f case: recurse on the body with the bound variable assumed raw, then give
% that variable its level with var-gets-level.
- : case-total/L _ (f ([v] F v)) israw/f (case/f ([v] [vl] (C' v vl)))
    <- ({v} {r:rawvar v} {i:israw-total r}
	  israw-total (I v r i))
    <- ({v} {r:rawvar v} {i:israw-total r}
	  case-total/L _ (F v) (I v r i : israw (F v) B) (C v r i))
    <- var-gets-level C (nat`ge/= nat`eq/) C'.

- : case-total/L _ V R (case/raw R).

%worlds (blockraw) (case-total/L _ _ _ _).
%total T (case-total/L _ T _ _).

- : case-total* T C
    <- israw-total I
    <- case-total/L z T I C.

%worlds () (case-total* _ _).
%total { } (case-total* _ _).

%{ === Main theorem === }%

%{
We are ready now to prove totality of the relation. We case the term first and
then have everything we need to push through totality.
}%

%theorem tonat-total* :
	forall {T:t}
	exists {M:nat} {D:tonat T M}
	true.

%abbrev tonat-total = tonat-total* _ _.

% Lemma by induction on the case derivation C. There is no clause for
% case/raw, and the lemma is checked in the blockvar world only.
%theorem tonat-total/L :
	forall {N:nat} {T:t} {C:case N T}
	exists {M:nat} {D:tonat* N T M}
	true.

% The N >= L evidence stored in case/var is what produces the plus
% derivation that tonat/v needs.
- : tonat-total/L _ _ (case/var VL GE) _ (tonat/v VL P)
    <- ge-implies-plus GE _ P.

- : tonat-total/L _ _ (case/a) _ (tonat/a).

- : tonat-total/L _ _ (case/b C) _ (tonat/b TN T P)
    <- tonat-total/L _ _ C _ TN
    <- times-total T
    <- plus-total P.

- : tonat-total/L _ _ (case/f ([v] [vl] (C v vl))) _
      (tonat/f ([v] [vl] (TN v vl)) T P)
    <- ({v} {vl:varlevel v (s N)}
	  tonat-total/L _ _ (C v vl) _ (TN v vl))
    <- times-total T
    <- plus-total P.

%worlds (blockvar) (tonat-total/L _ _ _ _ _).
%total (C) (tonat-total/L _ _ C _ _).

- : tonat-total TN
    <- case-total C
    <- tonat-total/L _ _ C _ TN.

%worlds () (tonat-total* _ _ _).
%total { } (tonat-total* _ _ _).

%{ == Proof of the determinicity of the mapping == }%

%{
In this section, we prove that tonat gives only one value (hence it is a
function). This sort of theorem is called a "uniqueness" theorem. Here the
name I use for it comes from Twelf's "%deterministic" declaration. (I find the
term "unique" might refer to the "one2one" aspect, proved later.)

This aspect is much easier to prove than any of the others. That probably
reflects the fact that the relation was written in a functional style.
}%

%{ === Auxiliary theorems === }%

%{
We prove that variable levels are "unique" and that they are never zero. The
proofs are trivial: Twelf can accept them from the context alone.
}%

%theorem varlevel-deterministic :
	forall* {V} {L1} {L2}
	forall {VL1:varlevel V L1} {VL2:varlevel V L2}
	exists {E:nat`eq L1 L2}
	true.

- : varlevel-deterministic _ _ nat`eq/.

%worlds (blockvar) (varlevel-deterministic _ _ _).
%total { } (varlevel-deterministic _ _ _).

% No clauses: in blockvar every level has the form (s l), so a level equal to
% z cannot occur.
%theorem varlevel-contradiction :
	forall* {V} {L}
	forall {VL:varlevel V L} {E:nat`eq L z}
	exists {F:void}
	true.

%worlds (blockvar) (varlevel-contradiction _ _ _).
%total { } (varlevel-contradiction _ _ _).

%{ === Main Theorem === }%

%theorem tonat-deterministic :
	forall* {T1} {T2} {N1} {N2}
	forall {TN1:tonat T1 N1} {TN2:tonat T2 N2} {E: eq T1 T2}
	exists {E: nat`eq N1 N2}
	true.

% Lemma at an arbitrary depth N, with both derivations for the same term.
%theorem tonat-deterministic/L :
	forall* {T} {N} {N1} {N2}
	forall {TN1:tonat* N T N1} {TN2:tonat* N T N2}
	exists {E: nat`eq N1 N2}
	true.

- : tonat-deterministic/L (tonat/v VL1 P1) (tonat/v VL2 P2) N1=N2
    <- varlevel-deterministic VL1 VL2 L1=L2
    <- plus-right-cancels P1 P2 L1=L2 nat`eq/ N1=N2.

- : tonat-deterministic/L (tonat/a) (tonat/a) nat`eq/.

- : tonat-deterministic/L (tonat/b TN1 T1 P1) (tonat/b TN2 T2 P2) M1'=M2'
    <- tonat-deterministic/L TN1 TN2 M1=M2
    <- times-deterministic T1 T2 nat`eq/ M1=M2 TM1=TM2
    <- plus-deterministic P1 P2 nat`eq/ TM1=TM2 M1'=M2'.

- : tonat-deterministic/L (tonat/f ([v] [vl] (TN1 v vl)) T1 P1)
      (tonat/f ([v] [vl] (TN2 v vl)) T2 P2) M1'=M2'
    <- ({v} {vl:varlevel v (s N)}
	  tonat-deterministic/L (TN1 v vl) (TN2 v vl) M1=M2)
    <- times-deterministic T1 T2 nat`eq/ M1=M2 TM1=TM2
    <- plus-deterministic P1 P2 nat`eq/ TM1=TM2 M1'=M2'.
%worlds (blockvar) (tonat-deterministic/L _ _ _).
%total (T) (tonat-deterministic/L T _ _).

- : tonat-deterministic TN1 TN2 eq/ N1=N2
    <- tonat-deterministic/L TN1 TN2 N1=N2.

%worlds () (tonat-deterministic _ _ _ _).
%total { } (tonat-deterministic _ _ _ _).

%{ == Proving that the mapping is onto. == }%

%{
Here we use the mathematical term "onto": a function is "onto" if its range is
equal to its co-domain: that is if every value in the co-domain has a value in
the domain that maps to it.

The tricky aspect here is that we need to show that every level seen by the
reverse mapping has a variable associated with it. We do this using a helper
relation, as opposed to putting something in the context, since as explained
earlier, the context is useless to connect variables with the nesting level.
}%

%{ === Auxiliary definitions === }%

%{
We define a relation that builds on the context relation. I find this rather
interesting because it uses the context relation but is not itself in the
context. This is rather rare in my limited experience.

upto N says that we have a variable for all levels 1..N.
}%

upto : nat -> type.

upto/z : upto z.

upto/s : upto N -> varlevel V (s N) -> upto (s N).

%{ === Theorems about auxiliary definitions === }%

%{ ==== The obvious lemma that makes use of the main purpose of the relation: ==== }%

%theorem upto-implies-varlevel :
	forall* {N} {L}
	forall {U:upto N} {LT:nat`gt N L}
	exists {V} {VL:varlevel V (s L)}
	true.

% Impossible case (z > L); the term "a" is only a placeholder output, and the
% varlevel derivation is obtained from falsehood.
- : upto-implies-varlevel upto/z ZERO>L a VL
    <- nat`gt-contradiction ZERO>L F
    <- false-implies-varlevel F VL.

- : upto-implies-varlevel (upto/s _ VL) (gt/1) _ VL.

- : upto-implies-varlevel (upto/s U _) (gt/> G) _ VL
    <- upto-implies-varlevel U G _ VL.

%worlds (blockvar) (upto-implies-varlevel _ _ _ _).
%total (U) (upto-implies-varlevel U _ _ _).

%{ === Main theorem === }%

%{
We prove the main result using two lemmas that do the case analysis on the
number against the nesting level and the parity. (In general, one would use a
divisor counting all cases that are recursive.) The proofs are long but are
simply arithmetic manipulation. Proving termination uses meta-gt for strong
induction over the natural numbers.
}%

%theorem tonat-onto* :
	forall {N:nat}
	exists {T} {TN:tonat T N}
	true.

%abbrev tonat-onto = tonat-onto* _ _.

% L1 compares the target number M with the nesting depth N.
%theorem tonat-onto/L1 :
	forall* {C}
	forall {N:nat} {U:upto N} {M:nat} {CMP:nat`compare N M C}
	exists {T} {TN:tonat* N T M}
	true.

% L2 handles M > N: M is N + (s TM), and TM is divided by 2 with quotient Q
% and remainder R.
%theorem tonat-onto/L2 :
	forall* {TM}
	forall {N:nat} {U:upto N} {M:nat} {P:plus N (s TM) M}
	       {Q} {R} {DR:divrem TM (s (s z)) Q R}
	exists {T} {TN:tonat* N T M}
	true.

% N > M: the result is a variable, looked up through upto.
- : tonat-onto/L1 N U M (compare/> N>M) _ (tonat/v VL M+L+1=N)
    <- nat`gt-implies-plus N>M L L+1+M=N
    <- plus-commutative L+1+M=N M+L+1=N
    <- plus-implies-ge M+L+1=N N>=L+1
    <- ge-succ-implies-gt N>=L+1 N>L
    <- upto-implies-varlevel U N>L _ VL.

- : tonat-onto/L1 N U _ (compare/=) a tonat/a.

- : tonat-onto/L1 N U M (compare/< M>N) _ TN
    <- gt-implies-plus M>N TM TM+1+N=M
    <- plus-commutative TM+1+N=M N+TM+1=M
    <- divrem-total DR
    <- tonat-onto/L2 N U M N+TM+1=M _ _ DR _ TN.

% Remainder z: the result is built with tonat/b. The meta-gt premise records
% M' > M for the termination check of the call back into L1.
- : tonat-onto/L2 _ U M' N+TM+1=M' M z TM/2=M _
      (tonat/b TN TWO*M=TM N+1+TM=M')
    <- div-can-be-inverted TM/2=M M*2=TM
    <- times-commutative M*2=TM TWO*M=TM
    <- plus-swap-succ-converse N+TM+1=M' N+1+TM=M'
    <- plus-implies-gt N+1+TM=M' nat`eq/ M'>TM
    <- times-nonzero-implies-ge M*2=TM TM>=M
    <- nat`gt-transitive-ge M'>TM TM>=M M'>M
    <- meta-gt _ _ M'>M
    <- compare-total CMP
    <- tonat-onto/L1 _ U M CMP _ TN.
% Remainder (s z): the result is built with tonat/f. The body is produced at
% depth (s N) with upto extended by the newly bound variable.
- : tonat-onto/L2 N U M' (N+TM'+1=M':plus N (s TM') M') M (s z) TM'/2=M,1
      (f ([v] F v)) (tonat/f ([v] [vl] (TN v vl)) TWO*M=TM N+2+TM=M')
    <- divrem-can-be-inverted TM'/2=M,1 TM M*2=TM TM+ONE=TM'
    <- times-commutative M*2=TM TWO*M=TM
    <- plus-commutative (plus/s plus/z) TM+ONE=TM+1
    <- plus-deterministic TM+ONE=TM' TM+ONE=TM+1 nat`eq/ nat`eq/ TM'=TM+1
    <- succ-deterministic TM'=TM+1 (TM'+1=TM+2:nat`eq (s TM') (s (s TM)))
    <- plus-respects-eq N+TM'+1=M' nat`eq/ TM'+1=TM+2 nat`eq/ N+TM+2=M'
    <- plus-swap-succ-converse N+TM+2=M' N+1+TM+1=M'
    <- plus-swap-succ-converse N+1+TM+1=M' N+2+TM=M'
    <- plus-implies-ge N+TM'+1=M' M'>=TM'+1
    <- ge-succ-implies-gt M'>=TM'+1 M'>TM'
    <- quotient-of-nonzero-is-smaller TM'/2=M,1 TM'=TM+1 TM'>M
    <- nat`gt-transitive M'>TM' TM'>M M'>M
    <- meta-gt _ _ M'>M
    <- nat`compare-total CMP
    <- ({v} {vl:varlevel v (s N)}
	  tonat-onto/L1 (s N) (upto/s U vl) M CMP (F v) (TN v vl)).

% Remainder of two or more: impossible for division by 2, so the output is
% derived from falsehood (the term "a" is only a placeholder).
- : tonat-onto/L2 _ _ _ _ _ (s (s _)) DR a TN
    <- divrem-implies-gt DR TWO>R+2
    <- succ-preserves-gt-converse TWO>R+2 ONE>R+1
    <- succ-preserves-gt-converse ONE>R+1 ZERO>R
    <- gt-contradiction ZERO>R F
    <- false-implies-tonat F TN.

% The two lemmas are checked together as mutually recursive, each on its
% target-number argument.
%worlds (blockvar) (tonat-onto/L1 _ _ _ _ _ _) (tonat-onto/L2 _ _ _ _ _ _ _ _ _).
%total (M1 M2) (tonat-onto/L2 _ _ M2 _ _ _ _ _ _) (tonat-onto/L1 _ _ M1 _ _ _).

%{ == Proof that mapping is "one to one" == }%

%{
This is the most involved proof. The sketch is that we first prove that two
terms that reduce to the same natural number are "eql" in a way that only
requires that the variables have the same level, but not that they are the
same. Of course, there is only one variable for each level, which means that
the terms are truly identical. But this is impossible to express in the
context. Instead, we chip away at the variables from the "outside", each time
reducing the level of the remaining variables.
}%

%{ === Auxiliary definitions === }%

%{ ==== Equality (permitting variables with the same level). ==== }%

eql* : nat -> t -> t -> type.

%abbrev eql = eql* z.
% Constructors of eql* (the family is declared immediately before these).
% eql/eq embeds identity; eql/b goes under b.
eql/eq : eq T1 T2 -> eql* N T1 T2.
eql/b : eql* N T1 T2 -> eql* N (b T1) (b T2).
% eql/f1 goes under a binder without a level assumption and keeps the level.
eql/f1 : ({v:t} (eql* N (F1 v) (F2 v))) -> eql* N (f F1) (f F2).
% eql/f2 goes under a binder whose variable is assumed at level (s N) and
% compares the bodies at level (s N).
eql/f2 : ({v:t} {vl:varlevel v (s N)} (eql* (s N) (F1 v) (F2 v))) -> eql* N (f F1) (f F2).
% eql/v relates any two terms that carry a varlevel at the same level L.
eql/v : varlevel V1 L -> varlevel V2 L -> eql* N V1 V2.

%{ ==== Measure of eql sizes. ==== }%

%{
We use this measure to be able to prove termination.  We need
eqlsize/v = eqlsize/eq, eqlsize/f1 = eqlsize/f2.  (Less than is ok in each
case but would require that we rephrase the lemmas.)
}%

% eqlsize E S: S counts the eql/b, eql/f1 and eql/f2 steps in E; the leaves
% eql/eq and eql/v both have size z.
eqlsize : (eql* N T1 T2) -> nat -> type.

eqlsize/eq : eqlsize (eql/eq _) z.
eqlsize/b : eqlsize E N -> eqlsize (eql/b E) (s N).
eqlsize/f1 : ({v} eqlsize (E v) N) -> eqlsize (eql/f1 ([v] (E v))) (s N).
eqlsize/f2 : ({v} {vl} eqlsize (E v vl) N) -> eqlsize (eql/f2 ([v] [vl] (E v vl))) (s N).
eqlsize/v : eqlsize (eql/v _ _) z.

%{ ==== Copied definitions ==== }%

%{
It turns out that switching variables to an earlier level will cause a mix-up
(because we need to have both the old and new levels in the context at the
same time) unless we use a different definition.  For that reason, we define
alternatives for varlevel, eql and eqlsize.
}%

% No constants are declared for varlevel' in the lines shown; its inhabitants
% come only from context assumptions.
varlevel' : t -> nat -> type.

% eql*' and eqlsize' repeat eql* and eqlsize constructor for constructor,
% with varlevel' in place of varlevel.
eql*' : nat -> t -> t -> type.

eql'/eq : eq T1 T2 -> eql*' N T1 T2.
eql'/b : eql*' N T1 T2 -> eql*' N (b T1) (b T2).
eql'/f1 : ({v:t} (eql*' N (F1 v) (F2 v))) -> eql*' N (f F1) (f F2).
eql'/f2 : ({v:t} {vl:varlevel' v (s N)} (eql*' (s N) (F1 v) (F2 v))) -> eql*' N (f F1) (f F2).
eql'/v : varlevel' V1 L -> varlevel' V2 L -> eql*' N V1 V2.

eqlsize' : (eql*' N T1 T2) -> nat -> type.

eqlsize'/eq : eqlsize' (eql'/eq _) z.
eqlsize'/b : eqlsize' E N -> eqlsize' (eql'/b E) (s N).
eqlsize'/f1 : ({v} eqlsize' (E v) N) -> eqlsize' (eql'/f1 ([v] (E v))) (s N).
eqlsize'/f2 : ({v} {vl} eqlsize' (E v vl) N) -> eqlsize' (eql'/f2 ([v] [vl] (E v vl))) (s N).
eqlsize'/v : eqlsize' (eql'/v _ _) z.
%{ === Theorems about auxiliary definitions === }%

% Reasoning from false: any eql* follows from a proof of void.  There are no
% clauses; the check passes because void has no constructors.  This lemma is
% only meaningful while void stays uninhabited (it is frozen where it is
% declared).
%theorem false-implies-eql :
    forall* {T1} {T2} {N}
    forall {F:void}
    exists {E:eql* N T1 T2}
    true.

%worlds (blockvar | blocksimple) (false-implies-eql _ _).
%total { } (false-implies-eql _ _).

% Every eql* derivation has a size.
%theorem eqlsize-total* :
    forall* {N} {T1} {T2}
    forall {E:eql* N T1 T2}
    exists {S} {ES:eqlsize E S}
    true.

%abbrev eqlsize-total = eqlsize-total* _ _.

% One clause per eqlsize constructor; the binder cases recurse under the
% bound variable (and its varlevel, for f2).
- : eqlsize-total eqlsize/eq.

- : eqlsize-total (eqlsize/b ES)
    <- eqlsize-total ES.

- : eqlsize-total (eqlsize/f1 ([v] (ES v)))
    <- ({v} eqlsize-total (ES v)).

- : eqlsize-total (eqlsize/f2 ([v] [vl] (ES v vl)))
    <- ({v} {vl} eqlsize-total (ES v vl)).

- : eqlsize-total eqlsize/v.

%worlds (blocksimple | blockvar) (eqlsize-total* _ _ _).
%total (E) (eqlsize-total* E _ _).

%{
The following block is used when we remove the outermost variable: all other
variables are at least level 2.  "blockvar2" makes this context explicit.
}%

%block blockvar2 : some {l} block {v} {vl:varlevel v (s (s l))}.

% remove-one-var: given an eql* derivation under a variable v assumed at
% level 1 (s z), produce one for the same terms that no longer takes the
% varlevel assumption, with the same size S.
%theorem remove-one-var :
    forall* {F1} {F2} {N} {S}
    forall {E:{v} {vl:varlevel v (s z)} (eql* (s N) (F1 v) (F2 v))}
           {ES:{v} {vl} eqlsize (E v vl) S}
    exists {E':{v} (eql* (s N) (F1 v) (F2 v))}
           {ES':{v} eqlsize (E' v) S}
    true.

% Identity leaf: nothing depends on vl.
- : remove-one-var ([v] [vl] eql/eq eq/) ([v] [vl] eqlsize/eq)
        ([v] eql/eq eq/) ([v] eqlsize/eq).

% Structural cases: recurse on the sub-derivation, under the extra binders
% where there are any.
- : remove-one-var ([v] [vl] eql/b (F v vl)) ([v] [vl] eqlsize/b (FS v vl))
        ([v] eql/b (F' v)) ([v] eqlsize/b (FS' v))
    <- remove-one-var F FS F' FS'.

- : remove-one-var ([v] [vl] eql/f1 ([v'] (F v' v vl)))
        ([v] [vl] eqlsize/f1 ([v'] (FS v' v vl)))
        ([v] eql/f1 ([v'] (F' v' v)))
        ([v] eqlsize/f1 ([v'] (FS' v' v)))
    <- {v'} remove-one-var (F v') (FS v') (F' v') (FS' v').

- : remove-one-var ([v] [vl] eql/f2 ([v'] [vl'] (F v' vl' v vl)))
        ([v] [vl] eqlsize/f2 ([v'] [vl'] (FS v' vl' v vl)))
        ([v] eql/f2 ([v'] [vl'] (F' v' vl' v)))
        ([v] eqlsize/f2 ([v'] [vl'] (FS' v' vl' v)))
    <- {v'} {vl'} remove-one-var (F v' vl') (FS v' vl') (F' v' vl') (FS' v' vl').
% Variable leaf where both sides use the assumption being removed: both terms
% are v itself, so the leaf becomes eql/eq eq/.  The size stays z, which is
% why eqlsize/v and eqlsize/eq must agree.
- : remove-one-var ([v] [vl] eql/v vl vl) ([v] [vl] eqlsize/v)
        ([v] eql/eq eq/) ([v] eqlsize/eq).

% Variable leaf that does not use vl: kept as it is.
- : remove-one-var ([v] [vl] eql/v VL1 VL2) ([v] [vl] eqlsize/v)
        ([v] eql/v VL1 VL2) ([v] eqlsize/v).

% In blockvar2 every other varlevel in the context is at level 2 or higher,
% so a leaf pairing vl with a different level-1 variable is presumably ruled
% out by the world rather than by a clause.
%worlds (blocksimple | blockvar2) (remove-one-var _ _ _ _).
%total (E) (remove-one-var E _ _ _).

%{
Next follows the tortuous shift down of levels: we shift down and change to
use the alternative definitions, and then we go back to the normal
definitions (with no shift).  The context we use will have both the old and
new varlevels.  In order to shift from one to the other, we need theorems
that let us go from one to the other.  Unfortunately, Twelf is not smart
enough to infer that the context has what the theorem needs, so (as explained
above) we need to put the theorem in context itself and add fake
dependencies.  Adding to the complexity is the fact that we need to track the
size of the equality rules for termination proof (later).
}%

% A varlevel at level L+2 yields a varlevel' at level L+1.  The theorem has no
% clauses of its own: in the shiftdown block every such varlevel is
% introduced together with its varlevel' and a derivation vsd of this very
% theorem.
%theorem varlevel-shifts-down :
    forall* {V} {L}
    forall {VL:varlevel V (s (s L))}
    exists {VL':varlevel' V (s L)}
    true.

%block shiftdown : some {l} block {v} {vl:varlevel v (s (s l))} {vl':varlevel' v (s l)} {vsd:varlevel-shifts-down vl vl'}.

% "fake" is the fake dependency mentioned in the prose above: a clause that
% mentions varlevel-shifts-down under an assumption of itself.  It is not
% referenced anywhere else in the lines shown.
fake : type.

- : fake
    <- ({x:varlevel-shifts-down X Y} varlevel-shifts-down X' Y').

%worlds (blocksimple | shiftdown) (varlevel-shifts-down _ _).
%total { } (varlevel-shifts-down _ _).

% First half of the shift: from eql* at level (s N) to the primed copy eql*'
% at level N, preserving the size S.
%theorem shift-varlevel/L1 :
    forall* {N} {T1} {T2} {S}
    forall {E: eql* (s N) T1 T2} {ES:eqlsize E S}
    exists {E': eql*' N T1 T2} {ES':eqlsize' E' S}
    true.

- : shift-varlevel/L1 (eql/eq eq/) eqlsize/eq (eql'/eq eq/) eqlsize'/eq.

- : shift-varlevel/L1 (eql/b E) (eqlsize/b ES) (eql'/b E') (eqlsize'/b ES')
    <- shift-varlevel/L1 E ES E' ES'.

- : shift-varlevel/L1 (eql/f1 ([v] (F v))) (eqlsize/f1 FS)
        (eql'/f1 ([v] (F' v))) (eqlsize'/f1 FS')
    <- {v} shift-varlevel/L1 (F v) (FS v) (F' v) (FS' v).
% Binder with a level: the recursive call runs in a context holding the old
% varlevel vl, the new varlevel' vl' one level lower, and the derivation vsd
% linking them (the shape of the shiftdown block).
- : shift-varlevel/L1 (eql/f2 ([v] [vl:varlevel v (s (s N))] (F v vl))) (eqlsize/f2 FS)
        (eql'/f2 ([v] [vl:varlevel' v (s N)] (F' v vl))) (eqlsize'/f2 FS')
    <- {v} {vl} {vl':varlevel' v (s N)} {vsd:varlevel-shifts-down vl vl'}
       shift-varlevel/L1 (F v vl) (FS v vl) (F' v vl') (FS' v vl').

% Variable leaf: both varlevels are shifted down.
- : shift-varlevel/L1 (eql/v VL1 VL2) eqlsize/v (eql'/v VL1' VL2') eqlsize'/v
    <- varlevel-shifts-down VL1 VL1'
    <- varlevel-shifts-down VL2 VL2'.

%worlds (blocksimple | shiftdown) (shift-varlevel/L1 _ _ _ _).
%total (E) (shift-varlevel/L1 E _ _ _).

% A varlevel' converts back to a varlevel at the same level.  As with
% varlevel-shifts-down there are no clauses; the shiftback block supplies a
% derivation vsb with each pair of assumptions.
%theorem varlevel-shifts-back :
    forall* {V} {L}
    forall {VL':varlevel' V (s L)}
    exists {VL:varlevel V (s L)}
    true.

%block shiftback : some {l} block {v} {vl':varlevel' v (s l)} {vl:varlevel v (s l)} {vsb:varlevel-shifts-back vl' vl}.

% "fake" is declared a second time here (the same name is already declared
% for varlevel-shifts-down), again only to create the dependency.
fake : type.

- : fake
    <- ({x:varlevel-shifts-back X Y} varlevel-shifts-back X' Y').

%worlds (blocksimple | shiftback) (varlevel-shifts-back _ _).
%total { } (varlevel-shifts-back _ _).

% Second half of the shift: from the primed copy eql*' back to eql* at the
% same level N, preserving the size S.
%theorem shift-varlevel/L2 :
    forall* {N} {T1} {T2} {S}
    forall {E': eql*' N T1 T2} {ES': eqlsize' E' S}
    exists {E: eql* N T1 T2} {ES: eqlsize E S}
    true.

- : shift-varlevel/L2 (eql'/eq eq/) eqlsize'/eq (eql/eq eq/) eqlsize/eq.

- : shift-varlevel/L2 (eql'/b E) (eqlsize'/b ES) (eql/b E') (eqlsize/b ES')
    <- shift-varlevel/L2 E ES E' ES'.

- : shift-varlevel/L2 (eql'/f1 ([v] (F v))) (eqlsize'/f1 FS)
        (eql/f1 ([v] (F' v))) (eqlsize/f1 FS')
    <- {v} shift-varlevel/L2 (F v) (FS v) (F' v) (FS' v).

% Binder with a level: the context entries follow the shape of shiftback.
- : shift-varlevel/L2 (eql'/f2 ([v] [vl:varlevel' v (s N)] (F v vl))) (eqlsize'/f2 FS)
        (eql/f2 ([v] [vl:varlevel v (s N)] (F' v vl))) (eqlsize/f2 FS')
    <- {v} {vl'} {vl} {vsb:varlevel-shifts-back vl' vl}
       shift-varlevel/L2 (F v vl') (FS v vl') (F' v vl) (FS' v vl).

- : shift-varlevel/L2 (eql'/v VL1 VL2) eqlsize'/v (eql/v VL1' VL2') eqlsize/v
    <- varlevel-shifts-back VL1 VL1'
    <- varlevel-shifts-back VL2 VL2'.

%worlds (blocksimple | shiftback) (shift-varlevel/L2 _ _ _ _).
%total (E) (shift-varlevel/L2 E _ _ _).
%{ Now we put these two parts in one that hides the alternative definitions. }%

% eql* at level (s N) becomes eql* at level N with the same size S, by
% composing the two halves through the primed definitions.
%theorem shift-varlevel :
    forall* {N} {T1} {T2} {S}
    forall {E: eql* (s N) T1 T2} {ES:eqlsize E S}
    exists {E': eql* N T1 T2} {ES':eqlsize E' S}
    true.

- : shift-varlevel E1 ES1 E3 ES3
    <- shift-varlevel/L1 E1 ES1 E2 ES2
    <- shift-varlevel/L2 E2 ES2 E3 ES3.

%worlds (blocksimple) (shift-varlevel _ _ _ _).
%total { } (shift-varlevel _ _ _ _).

%{
The following two theorems relate structural equality with identity based
equality.  One of them is called "Leibniz" equality, I have heard, but
apparently haven't remembered which one.
}%

% Identity is preserved by the constructor b.
%theorem b-preserves-eq :
    forall* {T1} {T2}
    forall {E:eq T1 T2}
    exists {BE:eq (b T1) (b T2)}
    true.

- : b-preserves-eq eq/ eq/.

%worlds (blocksimple) (b-preserves-eq _ _).
%total { } (b-preserves-eq _ _).

% Identity is preserved by the binder f, given identity of the bodies for
% every v.  (Input and output are both named E in the statement.)
%theorem f-preserves-eq :
    forall* {F1} {F2}
    forall {E:{v} eq (F1 v) (F2 v)}
    exists {E:eq (f F1) (f F2)}
    true.

- : f-preserves-eq ([v] eq/) eq/.

%worlds (blocksimple) (f-preserves-eq _ _).
%total { } (f-preserves-eq _ _).

%{
Next the main lemma that says we can avoid looking at varlevels in checking
equality.  We remove the outside variable, shift remaining variables, and
then recurse (hence the need for tracking eqlsize).  Note that we never put
var levels in the context.
}%

% Level-zero eql implies identity.
%theorem eql-implies-eq :
    forall* {T1} {T2}
    forall {E:eql T1 T2}
    exists {E':eq T1 T2}
    true.

% The same statement with the size S of E made explicit, so that the
% induction can run on S.
%theorem eql-implies-eq/L :
    forall* {T1} {T2}
    forall {E:eql T1 T2} {S} {ES:eqlsize E S}
    exists {E':eq T1 T2}
    true.

- : eql-implies-eq/L (eql/eq E) _ _ E.

- : eql-implies-eq/L (eql/b E1) _ (eqlsize/b ES) E'
    <- eql-implies-eq/L E1 _ ES E1'
    <- b-preserves-eq E1' E'.

- : eql-implies-eq/L (eql/f1 ([v] (E1 v))) _ (eqlsize/f1 FS) E'
    <- ({v} eql-implies-eq/L (E1 v) _ (FS v) (E1' v))
    <- f-preserves-eq E1' E'.
% Binder with a level: drop the level-1 assumption (remove-one-var), shift
% the body from level 1 to level 0 (shift-varlevel), then recurse.  Both
% helper theorems return a derivation of the same size, so the recursive call
% is on a size one smaller than that of the eql/f2 derivation.
- : eql-implies-eq/L (eql/f2 ([v] [vl] (F1 v vl))) _ (eqlsize/f2 FS1) E'
    <- remove-one-var F1 FS1 ([v] (F2 v)) FS2
    <- ({v} shift-varlevel (F2 v) (FS2 v) (F3 v) (FS3 v))
    <- ({v} eql-implies-eq/L (F3 v) _ (FS3 v) (F4 v))
    <- f-preserves-eq F4 E'.

% There is no clause for eql/v.  Coverage relies on the world containing no
% varlevel assumptions, as the prose before this lemma states ("we never put
% var levels in the context"); blocksimple itself is defined earlier in the
% file.
%worlds (blocksimple) (eql-implies-eq/L _ _ _ _).
%total (S) (eql-implies-eq/L _ S _ _).

% The size is computed with eqlsize-total and handed to the lemma.
- : eql-implies-eq E E'
    <- eqlsize-total ES
    <- eql-implies-eq/L E _ ES E'.

%worlds (blocksimple) (eql-implies-eq _ _).
%total { } (eql-implies-eq _ _).

%{ === Main Theorem === }%

%{
Finally the statement of the main theorem of this section.  It is proved by
using eql as an intermediate step.  In this case, we do have var levels in
the context.  This theorem (or rather its main lemma) uses
reasoning-from-false extensively because the cases cannot be distinguished by
Twelf's case analysis.  It also uses the "divrem" part of the nat signature
extensively as well as theorems about plus and times.  The proofs of the
cases are uninteresting arithmetic fiddling.
}%

% Two terms that map to equal numbers are identical.
%theorem tonat-one2one :
    forall* {T1} {N1} {T2} {N2}
    forall {TN1:tonat T1 N1} {TN2:tonat T2 N2} {E:nat`eq N1 N2}
    exists {ET:eq T1 T2}
    true.

% Main lemma: at any level N, two terms that map to equal numbers are eql*
% at that level.  The clauses pair up the tonat* constructors a, b, f and v.
%theorem tonat-one2one/L :
    forall* {N} {T1} {M1} {T2} {M2}
    forall {TN1:tonat* N T1 M1} {TN2:tonat* N T2 M2} {E:nat`eq M1 M2}
    exists {ET:eql* N T1 T2}
    true.

% a against a.
- : tonat-one2one/L tonat/a tonat/a _ (eql/eq eq/).

% a against b (and the mirror case): the equation would give N > N, so the
% case is closed from false.
- : tonat-one2one/L tonat/a (tonat/b _ _ N+1+TM=N) nat`eq/ E
    <- plus-swap-succ N+1+TM=N N+TM+1=N
    <- plus-commutative N+TM+1=N TM+1+N=N
    <- plus-implies-gt TM+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eql F E.

- : tonat-one2one/L (tonat/b _ _ N+1+TM=N) tonat/a nat`eq/ E
    <- plus-swap-succ N+1+TM=N N+TM+1=N
    <- plus-commutative N+TM+1=N TM+1+N=N
    <- plus-implies-gt TM+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eql F E.
% a against f (and the mirror case): the equation would give N > N, so the
% case is closed from false.
- : tonat-one2one/L tonat/a (tonat/f _ _ N+2+TM=N) nat`eq/ E
    <- plus-swap-succ N+2+TM=N N+1+TM+1=N
    <- plus-swap-succ N+1+TM+1=N N+TM+2=N
    <- plus-commutative N+TM+2=N TM+2+N=N
    <- plus-implies-gt TM+2+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eql F E.

- : tonat-one2one/L (tonat/f _ _ N+2+TM=N) tonat/a nat`eq/ E
    <- plus-swap-succ N+2+TM=N N+1+TM+1=N
    <- plus-swap-succ N+1+TM+1=N N+TM+2=N
    <- plus-commutative N+TM+2=N TM+2+N=N
    <- plus-implies-gt TM+2+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eql F E.

% a against v (and the mirror case): cancelling N on the left gives L = 0,
% which varlevel-contradiction turns into false.
- : tonat-one2one/L tonat/a (tonat/v VL N+L=N) nat`eq/ E
    <- plus-right-identity N N+0=N
    <- plus-left-cancels N+L=N N+0=N nat`eq/ nat`eq/ L=0
    <- varlevel-contradiction VL L=0 F
    <- false-implies-eql F E.

- : tonat-one2one/L (tonat/v VL N+L=N) tonat/a nat`eq/ E
    <- plus-right-identity N N+0=N
    <- plus-left-cancels N+L=N N+0=N nat`eq/ nat`eq/ L=0
    <- varlevel-contradiction VL L=0 F
    <- false-implies-eql F E.

% b against b: cancel the common offset and the factor two, then recurse on
% the sub-derivations.
- : tonat-one2one/L (tonat/b TN1 TWO*M1=TM1 N+1+TM1=M) (tonat/b TN2 TWO*M2=TM2 N+1+TM2=M)
        nat`eq/ (eql/b E)
    <- plus-left-cancels N+1+TM1=M N+1+TM2=M nat`eq/ nat`eq/ TM1=TM2
    <- times-left-cancels TWO*M1=TM1 TWO*M2=TM2 nat`eq/ TM1=TM2 M1=M2
    <- tonat-one2one/L TN1 TN2 M1=M2 E.

% b against f: the equations give TM1 = TM2 + 1 with TM1 = 2*M1 and
% TM2 = 2*M2.  Dividing TM1 by two is then constructed once with remainder 0
% and once with remainder 1; divrem-deterministic yields 0 = 1 and the case
% is closed from false.
- : tonat-one2one/L (tonat/b _ TWO*M1=TM1 N+1+TM1=M) (tonat/f _ TWO*M2=TM2 N+2+TM2=M)
        nat`eq/ E
    <- plus-swap-succ N+2+TM2=M N+1+TM2+1=M
    <- plus-left-cancels N+1+TM1=M N+1+TM2+1=M nat`eq/ nat`eq/ TM1=TM2+1
    <- times-commutative TWO*M1=TM1 M1*2=TM1
    <- plus-right-identity _ TM1+0=TM1
    <- divrem-can-be-constructed M1*2=TM1 TM1+0=TM1 (gt/> gt/1) TM1/2=M1,0
    <- times-commutative TWO*M2=TM2 M2*2=TM2
    <- nat`eq-symmetric TM1=TM2+1 TM2+1=TM1
    <- plus-respects-eq (plus/s plus/z) nat`eq/ nat`eq/ TM2+1=TM1 ONE+TM2=TM1
    <- plus-commutative ONE+TM2=TM1 TM2+ONE=TM1
    <- divrem-can-be-constructed M2*2=TM2 TM2+ONE=TM1 gt/1 TM1/2=M2,1
    <- divrem-deterministic TM1/2=M1,0 TM1/2=M2,1 nat`eq/ nat`eq/ _ ZERO=ONE
    <- nat`eq-contradiction ZERO=ONE F
    <- false-implies-eql F E.
% f against b: mirror of the b-against-f case.  The same parity argument
% constructs the division of TM1 by two with remainders 0 and 1 and derives
% 0 = 1.
- : tonat-one2one/L (tonat/f _ TWO*M2=TM2 N+2+TM2=M) (tonat/b _ TWO*M1=TM1 N+1+TM1=M)
        nat`eq/ E
    <- plus-swap-succ N+2+TM2=M N+1+TM2+1=M
    <- plus-left-cancels N+1+TM1=M N+1+TM2+1=M nat`eq/ nat`eq/ TM1=TM2+1
    <- times-commutative TWO*M1=TM1 M1*2=TM1
    <- plus-right-identity _ TM1+0=TM1
    <- divrem-can-be-constructed M1*2=TM1 TM1+0=TM1 (gt/> gt/1) TM1/2=M1,0
    <- times-commutative TWO*M2=TM2 M2*2=TM2
    <- nat`eq-symmetric TM1=TM2+1 TM2+1=TM1
    <- plus-respects-eq (plus/s plus/z) nat`eq/ nat`eq/ TM2+1=TM1 ONE+TM2=TM1
    <- plus-commutative ONE+TM2=TM1 TM2+ONE=TM1
    <- divrem-can-be-constructed M2*2=TM2 TM2+ONE=TM1 gt/1 TM1/2=M2,1
    <- divrem-deterministic TM1/2=M1,0 TM1/2=M2,1 nat`eq/ nat`eq/ _ ZERO=ONE
    <- nat`eq-contradiction ZERO=ONE F
    <- false-implies-eql F E.

% b against v (and the mirror case): the b equation gives M > N, the v
% equation gives N >= M; together M > M, so the case is closed from false.
- : tonat-one2one/L (tonat/b _ _ N+1+TM=M) (tonat/v _ M+L=N) nat`eq/ E
    <- plus-swap-succ N+1+TM=M N+TM+1=M
    <- plus-commutative N+TM+1=M TM+1+N=M
    <- plus-implies-gt TM+1+N=M nat`eq/ M>N
    <- plus-commutative M+L=N L+M=N
    <- plus-implies-ge L+M=N N>=M
    <- nat`gt-transitive-ge M>N N>=M M>M
    <- nat`gt-anti-reflexive M>M F
    <- false-implies-eql F E.

- : tonat-one2one/L (tonat/v _ M+L=N) (tonat/b _ _ N+1+TM=M) nat`eq/ E
    <- plus-swap-succ N+1+TM=M N+TM+1=M
    <- plus-commutative N+TM+1=M TM+1+N=M
    <- plus-implies-gt TM+1+N=M nat`eq/ M>N
    <- plus-commutative M+L=N L+M=N
    <- plus-implies-ge L+M=N N>=M
    <- nat`gt-transitive-ge M>N N>=M M>M
    <- nat`gt-anti-reflexive M>M F
    <- false-implies-eql F E.

% f against f: cancel the common offset and the factor two, then recurse on
% the bodies under a variable assumed at level (s N).  The result uses
% eql/f2, the binder rule that carries the varlevel.
- : tonat-one2one/L (tonat/f ([v] [vl] (F1 v vl)) TWO*M1=TM1 N+2+TM1=M)
        (tonat/f ([v] [vl] (F2 v vl)) TWO*M2=TM2 N+2+TM2=M)
        nat`eq/ (eql/f2 FE)
    <- plus-left-cancels N+2+TM1=M N+2+TM2=M nat`eq/ nat`eq/ TM1=TM2
    <- times-left-cancels TWO*M1=TM1 TWO*M2=TM2 nat`eq/ TM1=TM2 M1=M2
    <- ({v} {vl:varlevel v (s N)}
          tonat-one2one/L (F1 v vl) (F2 v vl) M1=M2 (FE v vl)).
% f against v (and the mirror case): the f equation gives M > N, the v
% equation gives N >= M; together M > M, so the case is closed from false.
- : tonat-one2one/L (tonat/f _ _ N+2+TM=M) (tonat/v _ M+L=N) nat`eq/ E
    <- plus-swap-succ N+2+TM=M N+1+TM+1=M
    <- plus-swap-succ N+1+TM+1=M N+TM+2=M
    <- plus-commutative N+TM+2=M TM+2+N=M
    <- plus-implies-gt TM+2+N=M nat`eq/ M>N
    <- plus-commutative M+L=N L+M=N
    <- plus-implies-ge L+M=N N>=M
    <- nat`gt-transitive-ge M>N N>=M M>M
    <- nat`gt-anti-reflexive M>M F
    <- false-implies-eql F E.

- : tonat-one2one/L (tonat/v _ M+L=N) (tonat/f _ _ N+2+TM=M) nat`eq/ E
    <- plus-swap-succ N+2+TM=M N+1+TM+1=M
    <- plus-swap-succ N+1+TM+1=M N+TM+2=M
    <- plus-commutative N+TM+2=M TM+2+N=M
    <- plus-implies-gt TM+2+N=M nat`eq/ M>N
    <- plus-commutative M+L=N L+M=N
    <- plus-implies-ge L+M=N N>=M
    <- nat`gt-transitive-ge M>N N>=M M>M
    <- nat`gt-anti-reflexive M>M F
    <- false-implies-eql F E.

% v against v: cancelling gives equal levels L1 = L2; the first varlevel is
% transported to level L2 so that eql/v applies.  The two variables are only
% known to share a level here, not to be identical.
- : tonat-one2one/L (tonat/v VL1 M+L1=N) (tonat/v VL2 M+L2=N) nat`eq/ (eql/v VL1' VL2)
    <- plus-left-cancels M+L1=N M+L2=N nat`eq/ nat`eq/ L1=L2
    <- varlevel-respects-eq VL1 L1=L2 VL1'.

% Checked by induction on the first tonat* derivation, in contexts of
% blockvar.
%worlds (blockvar) (tonat-one2one/L _ _ _ _).
%total (T) (tonat-one2one/L T _ _ _).

% Main theorem: obtain eql from the lemma, then turn it into identity with
% eql-implies-eq.  It is stated for the empty world only.
- : tonat-one2one TN1 TN2 EQ TEQ
    <- tonat-one2one/L TN1 TN2 EQ EQL
    <- eql-implies-eq EQL TEQ.

%worlds () (tonat-one2one _ _ _ _).
%total { } (tonat-one2one _ _ _ _).