Implicit complexity for coinductive data: a characterization of corecurrence Daniel Leivant Ramyaa Ramyaa IndianaUniversityandLoriaNancy IndianaUniversityandUniversitatMunchen [email protected] [email protected] We propose a framework for reasoning about programs that manipulate coinductive data as well as inductivedata. Our approachis based on using equationalprograms, which supporta seamless combination of computation and reasoning, and using productivity (fairness) as the fundamental assertion,ratherthanbi-simulation.Thelatterisexpressibleintermsoftheformer. As an application to this framework, we give an implicit characterization of corecurrence: a functionisdefinableusingcorecurrenceiffitsproductivityisprovableusingcoinductionforformulas in which data-predicates do not occur negatively. This is an analog, albeit in weaker form, of a characterizationofrecurrence(i.e.primitiverecursion)in[13]. 1 Introduction Coinductive data has been recognized for nearly twodecades asapowerful framework fordealing with infinite objects of evolving and computational nature, such as streams, and — more generally — the behavior ofunbounded processes anddynamicsystems. Weconsider computation over“data-systems”, inwhichdata-types maybedefinedbothinductively and co-inductively. As our main computation model we use equational programs, since these have im- mediatekinshipwithformaltheories: aprogram’sequationscanbeviewedasaxioms,andcomputations aresimplyderivationsinequationallogic. Inthefirstpartofthispaperwedevelopsomebuildingblocks forthisproject. WeconsidertheglobalsemanticsofprogramsPoveradata-system,thatistheirbehavior as“uninterpretedprograms”overallstructuresforthevocabularyofthedata-system. Thisapproachwas developed forinductive datain[12];hereweextendittodata-systems ingeneral, including coinductive constructions. Itisorthogonal tocategorytheoreticalmethodsinthestudyofcoinduction, whichseekto characterize theintended (canonical) model. An important benefit of streamlined proof systems for reasoning about programs is their use for characterizing major computational complexity classes. Such characterizations fall within the realm of implicitcomputationalcomplexity,whereonedelineatescomplexityclasseswithoutreferencetocompu- tational resources such astimeand space. Inparticular, there areilluminating characterizations ofcom- plexityclassesintermsofthestrengthofproofmethodsneededtoprovetermination(seee.g.[3,10,13]). Such results lend insight into the significance of complexity classes, provide natural frameworks for programming withingiven complexity boundaries, andyield static analysis tools forguaranteeing com- plexity. Implicitcharacterizations havefurtherpotentialbenefitforcoinductivedata,becausetheymight clarifycomplexitynotionsthataredualtotraditional notionsofcomputational complexitysuchasPoly- nomialTime. The primitive recursive functions over the set N of natural numbers were characterized proof theo- retically already by Parsons [18], who proved that a function is primitive recursive iff it is provable in Peano’sArithmeticwithinduction restricted toexistential formulas. Jean-YvesMarion(Ed.):SecondWorkshopon DevelopmentsinImplicitComputationalComplexity(DICE2011) EPTCS75,2012,pp.1–14,doi:10.4204/EPTCS.75.1 2 Implicitcorecurrence In[11,12]wedevelopedintrinsictheories,agenericframeworkforreasoningaboutequationalcom- putingoverinductivedata,andin[13]weusedittocharacterizetheprimitiverecursivefunctionsinterms ofinduction foraparticular classofformulas. Callaformula unipolar ifitdoesnotuse data-predicates (i.e. references to data) in both positive and negative position; an example are the positive formulas, in whichdata-predicates donotoccurinanegativeposition. In[13]weproved thatacomputable function is primitive recursive iff it is provably correct in the intrinsic theory for N with induction restricted to unipolarformulas. Infactweprovedmore. Theforwardimplicationcanrefertoaveryweakformalism, namely, every primitive recursive function is provable, using minimal logic, by induction for formulas inwhich data-predicates appear only strictly-positively.1 Ontheother hand, forthe backwards implica- tion weproved thatifacomputable function isprovable, using classical logic, byinduction onunipolar formulas, thenitisprimitiverecursive. Weestablish here adual characterization for coinductive data, but where both implication refer toa weakdeductivecalculus: acomputablefunctionoverbooleanstreamsisprimitivecorecursive(i.e.defin- ableusingexplicitdefinitionsandcorecurrence)iffitisprovableusingminimallogic,bycoinductionfor formulas built from only conjunction, disjunction, and existential quantification. At present we do not knowwhetherthisresultcanbestrengthen toshowthateveryequational program overstreamswhichis provable, usingclassical logicandunipolar coinduction isprimitive-corecursive. 2 Equational programs over data systems 2.1 Equational programs We describe a generic framework for data-types that are defined using induction, coinduction, or a mix thereof. Suchframeworksarewell-knownfortypedlambdacalculi,withoperatorsm forsmallestfixpoint and n for greatest fixpoint. Our present approach is to express computational behavior of programs via global semantics, thereby dispensing with partial functions; and to define types semantically, via first orderaxiomatics, dispensing withexplicitfixpointoperators. A constructor-vocabulary is a finite set C of function identifiers, referred to as constructors, each assigned an arity ≥0 (as usual, constructors of arity 0 are object-identifiers). We posit an infinite set X of variables, and an infinite set F of function-identifiers, dubbed program-functions, and assigned arities≥0aswell. ThesetsC,X andF are,ofcourse, disjoint. IfE isasetconsistingoffunction-identifiers and(possibly)variables,wewriteE¯ forthesetofterms containing E and closed under application: if g∈E is a function-identifier of arity r, and t ...t are 1 r terms, thensoisgt ···t . Weuseinformally theparenthesized notation g(t ,...,t ),whenconvenient.2 1 r 1 r We refer to elements of C¯, C ∪X and C ∪X ∪F as data-terms, base-terms, and program-terms, respectively.3 As in [11, 12], we use an equational computation model, in the style of Herbrand-Go¨del, famil- iar from the extensive literature on algebraic semantics of programs. There are easy inter-translations between equational programs and program-terms such as those of FLR [14]. We prefer to focus on 0 equational programs because they integrate easily into logical calculi, and are naturally construed as mathematical theories (with each equation as an axiom). Codifying equations by terms is, in fact, a 1Recall that j is a strictly-positive subformula of y if j is not in the scope of a negation or the negative scope of an implication. 2Inparticular,whengisofarity0,itisitselfaterm,whereaswithparentheseswehaveg()(withr=0arguments)asaterm. 3Data-termsareoftenreferredtoasvalues,andbase-termsaspatterns. LeivantandRamyaa 3 conceptualdetour,sincethecomputational behaviorofsuchtermsisitselfspelledoutusingequationsor rewrite-rules. Aprogram-equationisanequationoftheformf(t ...t )=q,wherefisaprogram-functionofarity 1 k k≥0, t ...t are base-terms, and qis a program-term. The left-hand side of a program equation is its 1 k definiendum. Twoprogram-equationsarecompatibleiftheirdefiniendumscannotbeunified. Aprogram- body is a finite set of pairwise-compatible program-equations. A program (P,f) (of arity k) consists of a program-body P and a program-function f (of arity k) dubbed the program’s principal-function. We identify eachprogram withitsprogram-body wheninnodangerofconfusion. We posit that every program over a given constructor-vocabulary has equations for destructors, as well as adiscriminator. That is, ifthe given vocabulary’s constructors are c ...c , with mthe maximal 1 k arity, then the program-functions include the unary identifiers p (i=1..m) and d , and the program i,m k contains theequations (forcanr-aryconstructor) p (c(x ,...,x ) = x (i=1..r) i,m 1 r i p (c(x ,...,x )) = c(x ,...,x ) (i=r+1..m) i,m 1 r 1 r d (c(~t),x ,...,x ) = x i=1..k k i 1 k i Thusd isadefinition-by-cases operation, depending onthemainconstructor ofthefirstargument. We k callacomposition ofndestructors (n≥0)adeepdestructor. Itiseasytodefinethedenotational semantics ofanequational program forthecanonical interpreta- tionofinductivedata. If(P,f)isaprogram foraunaryfunctionoverN,say,thenitcomputesthepartial function f : N⇀Nwhere f(p)=qjustincasetheequation f(p¯)=q¯isderivable fromPinequational logic. (Wewriten¯ forthen’thnumeral,i.e.thedata-term ss···s0withns’s. Thepartiality ofcomputable functions ismostcommonlyaddressed byeitherallowingpartialstruc- tures [9, 1, 16], or by referring to domains, in which an object ⊥ denotes divergence. Yet another approach, adopted here, is based on the “global” behavior of programs in all (usual, non-partial) struc- tures. For example, consider the program P over the constructors 0,s consisting of the two equations4 f(0)=0andf(ssx)=f(sssx). ThusPprovidesnoinstructions forinput1,anddivergesforinput≥2. The latter conditions are captured by the statement that there are structures which model the equations P,andwherethetermsf(s0)andf(ss0)arenotequaltoanynumeral. 2.2 Globalsemantics The concept of global relations, which was present implicitly in mathematical logic for long, came to prominence inFiniteModel Theory inthe1980s. LetC beacollection ofstructures. Aglobal relation (of arity r) over C is a mapping P that assigns to each structure S in C an r-ary relation over the universe|S|ofS. Forexample,ifC isthecollectionofallstructuresoveragivenvocabularyV,thena first-orderV-formulaj ,withfreevariables amongx ...x ,definesthepredicate l x ...x j thattoeach 1 r 1 r V-structure S assignstherelations {ha ...a i|S,[~x:=~a]|=j } 1 r Thenotion that aformula delineates uniformly subsets ofstructures isimplicit in[24]and [2]. Alterna- tive phrases used include generalized relations, data base queries, global relations, global predicates, uniformly definedrelations, predicates overoracles,andpredicates.) 4Weomitsomeparenthesesforreadability. 4 Implicitcorecurrence Aglobalr-aryfunctionoverC isdefinedanalogously. Forexample,eachtypedl -termoftypeo→o, withidentifiersinV asprimitives,definesaglobalfunctionovertheclassofV-structures. E.g.,ifc,fand g areV-identifiers for functions of arity 0,1 and 2 respectively, then the term l x, ,x g(f(x ),g(x ,c)) 1 2 1 2 definestheglobalfunction thattoeachV-structure S assignsthemappinghx ,x i7→g(f(x ),g(x ,c)), 1 2 1 2 wherec,f andgaretheinterpretations inS oftheidentifiersc,fandg. The starting point of Descriptive Computational Complexity [7] is that programs used as acceptors defineglobalrelations. Whenthoseglobal relations canbedefinedalsobycertainlogical formulas, one obtainsmachine-independent characterizations ofcomputationalcomplexityclasses. Forinstance,Fagin [6] and Jones & Selman [8] proved that a predicate P over finite structures is defined by a program running in nondeterministic polynomial time (NP) iff it is defined by a purely existential second order formula. Programsofarity0canbeusedtodefineobjects. Forexample,thesingletonprogramT consistingof theequationt=sss0defines3,inthesensethatineverymodelS ofT (overavocabularywithtasan identifier), theinterpretation oftheidentifiertisthesameasthatofthenumeralfor3. Considerinstead a0-ary program defining aninfiniteterm(i.e.essentially astream), forinstance thesingleton program I consisting of ind=s(ind). This does not have any solution in the free algebra of the unary numerals, thatis: thefreealgebracannotbeexpandedintotherichervocabulary withindasanewidentifier,soas to satisfy the equation I.5 But I is modeled in any structure where s is interpreted as identity, and ind as any structure element. Thus the interpretation of indis not unique. For a more interesting example, consider thestructureconsisting ofcountable ordinals, withsinterpreted asthefunctionl x.1+x. Then I holdswheneverindisinterpreted asaninfiniteordinal. Itfollowsthatinourcontextbi-simulation,whileguaranteeingtrueequalityforthecanonicalmodel, implies in general only equivalent computational behavior. Indeed, in the global semantic context bi- simulation isnotasoundinference rule,sinceforexampletwodistinctobjects canunfold toexactly the samestreamofdigits(i.e.beobservationallyequivalent). However,bi-simulationleadstoanequivalence relation,whichcanbecapturedbyafunctionbsm. Considertheprogramconsistingofthetwoequations b(0:x,0:y)=0:b(x,y)andb(1:x,1:y)=1:b(x,y). IfPalsodefinesconstantidentifiersaandbas some streams, then wehave P|=S(a)∧S(b)→S(b(a,b))just incase there isabi-simulation between thestreamsdenotedbyaandb,i.e.theyareequalaselementsofthecoalgebraofbooleanstreams. Ifthe equality a=b is provable using the traditional coinduction rule for bi-simulation then the implication (P)→S(b(a,b))isprovableinourdeductivecalculusbelow. Thusourframeworksupportsallcommon formsofreasoning aboutcoinductive data. 2.3 Semantics ofprograms Theglobalsemanticapproachtoequationalprograms,consideredforinductivedatain[12],isofinterest asanalternative alternative tothe“canonical-structure” approach. Undertheglobal semantics approach the notion ofcorrectness ofprograms issimple, direct, and informative. Hereaprogram overinductive data is said to be correct if it maps, in every structure, inductive data to inductive data. This turns out to be equivalent to the program termination (for all input) in the intended structure (e.g. N when the constructors are0ands). Forprograms overco-inductive data, whichweaddress here, correctness will turn out to be equivalent to productivity (sometimes dubbed fairness): if the input is a stream, then the program willhaveastreamasoutput, withoutstalling. Thesemanticsofequational programsforinductivedata,suchasthenaturalnumbers,isstraightfor- 5Asusual,whenastructureisanexpansionofanothertheyhavethesameuniverse. LeivantandRamyaa 5 ward. GivenastructureS (foravocabulary includingtheconstructors inhand),aprogram(P,f)(unary say) computes the partial function g: N⇀N given by: g(n)=m iff P⊢f(n¯)=m¯, i.e. the equation is deducible fromPinequational logic. (Wewriten¯ forthen’thunarynumerals[n](0).) Let S be a structure whose vocabulary contains at least the constructors in hand. Consider fresh 0-ary identifiers v , one for each a ∈ |S| (i.e. element of the universe of S). In keeping with the a terminology ofModelTheory,wedefinethediagram ofS tobethetheory6 Diag(S) = {v =c(v ···v ) | a b1 br a=cS(b1···br) canr-aryconstructor } In the presence of coinductive data-types, data may be infinite, and so the operational semantics of equational programs must compute the output piecemeal from finite information about the input. If G is any set of equations, and t and t′ are terms, we write G ⊢w t=t′ if for all deep-destructors P we have(inequationallogic)G , Diag⊢d ((P (t),~x)=d ((P (t′)). Thatis,onecanestablishequationally the observational equivalenceoftandt′,i.e.thestepwiseequalityoffiniteapproximations ofthetwoterms. If t′ is a data term, then G ⊢w t=t′ is clearly equivalent (by discourse-level induction on |t′|) to G , Diag⊢t=t′. Wesaythatak-aryprogram (P,f)computes overS thepartial-function f : |S|k ⇀|S|whenforevery~a,b∈|S|wehave f(~a)=bjustincaseP∪Diag(S)⊢w f(v )=v . a b Examples. Considerasconstructors twounaryfunctions(“successors”) 0and1. LetS bethestructure ofthew -words over{0,1}, withtheobvious interpretation oftheconstructors. Writingafor(01)w and b for (10)w , the diagram of S includes the equations v =0v , and v =1v . In this simple case these a b b a equationscouldbeusedtodefineaandb,butifcandd arethebinaryexpansionsofp /4and(p −2)/2, thentheequation v =1v isalsointhediagram, withnotmuchtosayaboutwhatcandd reallyare. c d Theunaryprogramconsistingofthetwoequationsf(0w)=1f(w),f(1w)=0f(w)definesthefunc- tionflip: |S|→|S|. Wehaveflip((01)w )=(10)w ,because wecaneasilyseethat w P, v =0v , v =1v ⊢ flip(v )=v a b b a a b Wealsohavefore=thedigitwiseflipofcabovethat P, Diag(S)⊢w flip(c)=e However, as we take deeper destructors for the two terms, the equational proof needed here will use increasingly large(albeitfinite)portions ofDiag(S). 2.4 Data systems Sofarwehaveconsidered abstractstructures, withnoapriorirestrictiononthebehaviorofconstructor- identifiers. Wenow proceed todefine data-types, needed toreflect theintended computational behavior of programs. We use reserved relation-identifiers (i.e. predicate symbols) for data-types, and convey their definingproperties byaxioms(closure conditions) ratherthanvia m andn fixpointoperators. This allowsustoincorporate datatypesseamlesslyintothe(firstorder)deductive machinery. Descriptive and deductive tools for inductive and coinductive data are not new, of course. For in- stance, the Common Algebraic Specification Language CASL has been used as a unifying standard in 6WewritecS fortheinterpretationoftheidentifiercinthestructureS. 6 Implicitcorecurrence thealgebraicspecification community, andextendedtocoalgebraic data[20,21,15,22]. Severalframe- works combining inductive and coinductive data, such as [17], strive to be comprehensive, including various syntactic distinctions and categories, whereas our approach is minimalist. Such minimalism is made possible by combining the global semantic approach with a semantic (i.e. Curry-style) view of types, bywhichtypesindicate semantic properties ofpre-existing objects, asopposed totheontological (Church-style) view,bywhichtypesprecede objects, witheachobjectcomingwithapre-assigned type. Let C ={c ,...,c } be a set of constructors as above, where c is of arity r =arity(c). A data- 1 k i i i systemoverC consists of 1. A list D ...D (the order matters) of unary relation-identifiers, where each D is designated as 1 k n eitheraninductive-predicate oracoinductive-predicate, andassociated asetC ⊆C ofconstruc- n tors. 2. Foreachconstructor c,ofarityrsay,anon-emptyfinitesetoffunctional typest ,eachoftheform E ×···×E →E ,whereeachE isoneoftheD ’s. HerewerequirethatnoE comesafterE in 1 r 0 i j i 0 thegivenlisting ofthepredicates D. Wesaythenthatchastypet . i Thedata-systems definedabovedonotaccommodate simultaneous inductive orcoinductive definitions, butastraightforward generalization does. Example. Let C consist of the identifiers 0,1,[],s,t, and c, of arities 0,0,0,1,1, and 2, respectively. Consider the following (ordered) list of predicates: inductive predicate B (for booleans) and N (natural numbers), coinductive predicates J (infinite s/t-words) and S (streams of natural numbers), and an inductive predicate L(listsofsuchstreams). Theassociation oftypestoconstructors isasfollows. 0:B 0:N 1:B []:L s:N→N s:J→J t:J→J c:N×S→S c:S×L→L Note that constructors are being reused for different data-types. This is in agreement with our un- typed,genericapproach,wheretheintendedtypeinformationisconveyedbythedata-predicates. Inother words,data-typesareexplicitlyconveyedintheformalism’ssyntaxassemantic(Currystyle)ratherthan ✷ onthological (Churchstyle)properties. The canonical model A = [[D]] of a data-system D consists of interpretations [[D ]] (n = 1..k) of n thedata-predicates assetsoffiniteandinfiniteterms,obtainedbydiscourse-level recurrence, asfollows. If D is inductive, then [[D ]] is the set of terms obtained from [[D ]] ... [[D ]] by a finite number of n n 1 n−1 application of the constructors in C ; dually, if D is coinductive, then [[D ]] is the set of finite and n n n infinite terms obtained from [[D ]] ... [[D ]] by such applications. These terms are trees labeled by 1 n−1 constructors, where any node labeled by a constructor of arity r has r children. Note that if the (non- empty)setC ofconstructors associated withD hasno0-aryconstructors, thenforaninductiveD the n n n set[[D ]]isempty,whereasforacoinductive D itisanonemptysetofinfiniteterms. n n 2.5 Adequacy ofGlobalsemantics LeivantandRamyaa 7 Herbrand famously proposed to define the computable functions (over N) as those that are unique solutions ofequational programs. Thatdefinitionyieldsinfactallthehyper-arithmetical functions, afar largerclass. ButHerbrandwasnotfaroff: heonlyneededtoadoptaglobalapproach,ratherthanrestrict attentiontothestandardstructureofthenaturalnumbers. Indeed,in[12]weobservedthefollowing. We saythatastructure isdata-correct forNifitinterprets theidentifierNasthesetofnumeraldenotations. THEOREM 1 (Semantic Adequacy Theorem for Inductive Data) Anequationalprogram(P,f) overN computesatotalfunctionifftheformulaN(x)→N(f(x))istrueineverymodelofPwhichisdata-correct forN. The proof in [12] of the nontrivial direction of Theorem 1 proceeds by constructing a “test-model” fortheprogramP. Onestartswithanextendedtermmodel,usingtheprogram-functions inPaswellthe constructors, andtakesthequotientofthattermmodelovertheequivalencerelationofequality-derived- fromP. 3 Intrinsic Theories Intrinsictheories,introducedin[11,12]forinductivedata,areskeletalfirst-ordertheorieswhoseinterest lies in a natural and streamlined formalization of reasoning about equational computing. For example, the intrinsic theory for the natural numbers is suited for incorporating equational programs as axioms, andwhileithasthesameprovablycomputablefunctionsasPeano’sArithmetic,ithasamoreimmediate formalizationofthenotionofprovablecomputability. Forbackground, rationale,andexamples,werefer to[12]. Theintrinsic theoryforadata-system D,IT(D),has • TherulesofD; • Injectiveness axiomsstatingthattheconstructors areinjective, i.e.foreachc∈C,ofarityr, ∀x1...xr,y1...yr c(~x)=c(~y)→^ xi=yi i • Separation axiomsstatingthattheconstructors havedisjoint images: ∀~x,~y c~x6=d~y foreachdistinctconstructors c,d;and • For each constructor c, and type E ×···×E → E for c, with E an inductive predicate, the 1 r 0 0 corresponding clauseintheinductive definitionofE . Thatis,thedata-introduction rule 0 E (x ) ··· E (x ) 1 1 r r E (cx ···x ) 0 1 r Theserulesdelineate theintended meaningofE frombelow. 0 • For each constructor c, and type E ×···×E →E for c, with E a co-inductive predicate, the 1 r 0 0 corresponding clauseintheco-inductive definitionofE . Thatis,thedata-elimination rule 0 E (cx ···x ) 0 1 r E(x) i i Theserulesdelineate theintended meaningofacoinductive E fromabove. 0 8 Implicitcorecurrence • For each inductive data-predicate D as above, a data-elimination (i.e. Induction) rule: for each n formula7 j ≡j [z],therule D (t) Cmp [j ] n n j [t] where j j {E (x )}···{E (x )} 1 1 r r · · Cmp [j ] ≡ · n D (t) { j [c(x ···x )] } n 1 r c:E1×···×Er→Dn j [t] HereEj (u)isj [u]ifE isD ,andisE(u)otherwise. (Theseopenassumptions areclosedbythe i i n i inference.) Thatis,ifj [u]hasthesameclosure properties undertheconstructors asD ,thenD (t)→j [t]. n n • For each coinductive data-predicate D , a data-introduction (i.e. coinduction) rule: for each for- n mulaj [z], j [t] Dcm [j ] n D (t) (1) n where {j [x]} · Dcm [j ] ≡ · n · j {∃z ...z .(∧E (z)) ∧ x=c(~z)|c:E ×··· ×E →D } W 1 r i i i 1 r n j (HereQ isdefinedasfortheinduction templateabove.) i Thatis,ifj hasthesameclosureproperties underdatadecomposition (i.e.thedestructors) asD , n thenj [t]→D (t). n Note. Since our approach here is generic to all structures, the bounding condition in the statement of ¥ Coinduction is necessary. Consider for example the coinductive dataW of infinite 0-1 words, i.e. the coinductive data predicate built from unary function identifiers 0 and 1, considered above. Taking the eigen formula j of Coinduction to be x=x, we would get, absent the bounding condition, ∀xW¥ (x), whichisnotvalidinmodelsoftheintrinsictheoryforW. From the injectiveness and separation axioms it follows that it is innocuous to use identifiers for destructors anddiscriminator functions, asabove. Theorem 1 justifies a concept of provable correctness of programs: (P,f) is provably correct in a givenformaltheoryiftheformulaaboveisnotmerelytrueinalldata-correct modelsofP,butisindeed provableintheintrinsictheoryIT(D)from(theuniversalclosure of)P,asanaxiom. 4 Corecurrence and strictly-positive coinduction 4.1 Functions definition by corecurrence Afunctiondefinitionbyrecurrenceusesitsinputbyeagerevaluation: itconsumesthetopconstructorof theinputtoselectthedefinition-case, andproceedstoconsumethatconstructor’s arguments. Thatis,for 7Weusethebracketnotationj [t]tostandforthecorrectsubstitutioninj oftforthefreeoccurrencesofsomefixedvariable z. LeivantandRamyaa 9 eachconstructor c,onehasaclause f(c(x ...x ),~y) = g (e ...e ,~y) r=arity(c) e = f(x,~y) (2) 1 r c 1 r i df i Here each g is a previously defined function of appropriate arity. Using a discriminator case function, c thetemplateabovecanbesummarizedas f(x,~y) = case(x,e ...e ) 1 k e = f(p (x),~x) i df i (Recallthatp isthei’thdestructor.) i Dually, a definition by corecurrence builds up the output: it produces the top constructor of the output, andproceeds toproduce thatconstructor’s arguments: r = arity(h(~x)) f(~x)=c (~x,e ...e ) (3) h 1 r e = f(~g(~x)) i df i Thistemplatecanbesummarizedby f(~x)=cocase(h(~x),e ...e ) e = f(~g(~x)) 1 k i df i wherecocase(u,~v)returnsthemainconstructorcofu,ofarityrsay,appliedtothefirstroftheremaining arguments~v. More generally, we use corecurrence to define as above not a single function f, but a vector ~f = hf ...f ioffunctions: 1 k f (~x)=cocase(h (~x),e ...e ) e = f (~g (~x)) j j 1 k i df ℓi ij Thedistinctionin(2)betweentherecurrenceargumentandtheparameters~ydisappearsin(3)because the focus of the definition shifts to the output, which plays arole analogous to the recurrence argument oftherecurrence schema. When we have just one constructor, e.g. a binary function cons, the output’s main constructor need notbespecified,and(3)canbeconveyed byapplying destructors totheoutput: p (f(~x)) = f(~g(~x)) i=0,1 (4) i i Such use of destructors is common in presentations ofcorecurrence, but itfails to capture corecurrence forarbitrarycoinductivedata. Ofcourse,eachcasecanbecodedusingstreams,justasallinductivedata canbecodedusingthenaturalnumbers. Inouruntypedsettingthevalues f(~g (~x))and f(~g (~x))havethesamestanding. Streamsoverafinite 0 1 base set A can be construed as a restricted form of (3), with each a∈A taken as a nullary constructor, andrequiring thefirstargument ofconstobeoneoftheseconstructors. Afunctionoverthegivendata-systemisprimitivecorecursiveifitisgeneratedfromtheconstructors anddestructors bycomposition andcorecurrence. Example. Booleanstreamsformasimpledatasystemofthekindmentionedabove: CONSistheunique non-constant constructor, whichwedenotebyaninfixedcolon. Theremainingconstructsarethenullary 0and1,andthedata-predicatesaretheinductive(andfinite)B(booleans)andthecoinductiveS(streams). Therulesare S(x:y) S(x:y) B(0) B(1) B(x) S(y) 10 Implicitcorecurrence Theconstructor conshasthethetwodestructors hd: S→Bandtl: S→S. Since there is a single non-constant constructor here, corecursion can be formulated using the de- structors, asinthetemplate: hd(f(x,~y)) = g (x,~y) 0 tl(f(x,~y)) = f(g (x,~y),~y) 1 Forexample,wecandefinebycorecurrence afunction even: hd(even(x))=hd(x); tl(even(x))=even(tl(tl(x))). Thefunction evenisproductive (i.e.fair,see[23,5]),inthesensethatitmapsstreamstostreams. Moreprecisely, ineverymodelS ofthedata-system, expandedtointerpretevenwhilesatisfying its equational definition, ifS(x)holdsforxboundtoanelementaofS’suniverse,thenS(even(x)). Thegeneric coinduction rule(1)specializes forbooleanstreamstothefollowing. {j [x]} · · (5) · j [t] ∃z ,z .(B(z )∧j [z ]∧x=z :z 0 1 0 1 0 1 S(t) While corecurrence is dual to recurrence, it is computationally weaker in some ways. Recurrence allows coding of computation traces, so that cumulative (course-of-value) recurrence is implementable using simple recurrence. In contrast, a cumulative variant of corecursion, using at any given point the outputstreamsofar,isnotcapturedbystandardcorecurrence. Forexample,thedefinitionoftheMorse- Thuesequence, x=1:merge(x,not(x)), isnotalegalcorecurrence. 4.2 Strictly-positivecoinduction captures corecurrence Consider theintrinsic theory foracoinductive datatype, suchastheboolean streams. Wecall aformula strongly positive ifbuilt using conjunction, disjunction, and ∃astheonly logical operations. Aformula is unipolar if it does not have both positive and negative occurrences of data-predicates. As mentioned intheIntroduction above,weknowthatafunctionoverNisprimitiverecursiveiffitisprovablycorrect, usingclassicallogic,intheintrinsictheoryforNwithinductionrestrictedtounipolarformulas;andalso iff it is provably correct, using minimal logic, in the intrinsic theory for N with induction restricted to strongly-positive formulas. Here we prove for the primitive corecursive functions an analog of the latter characterization. For concreteness and expository economy, we focus on the data-system Sm consisting of just streams of booleans as data-type, and refer to the intrinsic theory for it, based onminimal logic. WewriteIT+ for thattheory, withcoinduction restricted tostrictly-positive formulas. PROPOSITION 2 Ifak-aryf isdefinedbycorecursionfromfunctionsprovableinIT+,thenf isprovable inIT+. Proof. Supposethat f isdefinedby f(x)=g (x) : f(g (x)) 0 1