Synthetic Undecidability of MSELL via FRACTRAN Mechanised in Coq

We present an alternate undecidability proof for entailment in (intuitionistic) multiplicative sub-exponential linear logic (MSELL). We contribute the result and its mechanised proof to the Coq library of synthetic undecidability. The result crucially relies on the undecidability of the halting problem for two counters Minsky machines, which we also hand out to the library. As a seed of undecidability, we start from FRACTRAN halting which we (many-one) reduce to Minsky machines termination by implementing Euclidean division using two counters only. We then give an alternate presentation of those two counters machines as sequent rules, where computation is performed by proof-search, and halting reduced to provability. We use this system called non-deterministic two counters Minsky machines to describe and compare both the legacy reduction to linear logic, and the more recent reduction to MSELL. In contrast with that former MSELL undecidability proof, our correctness argument for the reduction uses trivial phase semantics in place of a focused calculus.


Introduction
In the late 80s, Lincoln et al. [17] gave a first proof of the undecidability of propositional linear logic (LL) via a many-one reduction from "and-branching two-counter machines without zero-test, " a variant of Minsky machines extended with a fork instruction.The ability of LL to simulate the increment and decrement operations characteristic of Petri net operations was spotted very early and lead to paradigmatically characterise LL as a logic for counting resources.Critically, the exponential modality !can be exploited to allow unbounded reuse of some specific resources like (Petri net) transitions or (Minsky machines) instructions.
To establish undecidability, one needed of course to go beyond Petri nets because those have a decidable reachability problem, a major result from the early 80s with a very involved proof still actively revisited nowadays [18,15,4,16,5].As opposed to Minsky machines, Petri nets are not able to perform zero tests combined with a jump.Hence, the main idea of the reduction was to use forking to separate comparison with zero from jumping.In there, the additive conjunction of LL plays a central role: Indeed this right introduction rule duplicates the context Σ in the left and right sub-proofs which allows to delegate checking for emptiness in the left branch, and jumping in the right branch, the requirement of the two premises ensuring the correctness of the combination.The same idea was then exploited to establish the undecidability of smaller fragments of LL [10,11,13].In our own work [8], we gave the first mechanisation of the undecidability of the elementary fragment of LL in Coq, and hence ILL, based on this forking idea as well.
The multiplicative and exponential fragment (MELL) of linear logic lacks additive connectives, and is thus unable to duplicate the context.Arguably, the question of its decidability is the most important open conjecture (see e.g.[14]) in the context of LL, even with some claimed proof of decidability [1], later refuted [20].The recent encoding of two counters Minsky machines in a fragment of LL lacking additives opened a new logical perspective on the MELL question [2].Indeed, at the cost of a more complex modal structure, forking with & can be replaced with a constraint on modalities in the promotion rule.This extension of MELL is called multiplicative sub-exponential linear logic (MSELL).
In this paper, we mechanise this reduction from two counters Minsky machines to MSELL, following the encoding of [2].However, we proceed in the intuitionistic version of the logic (two sided sequents with exactly one conclusion formula) that we call IMSELL.That fragment only involves the linear implication ⊸ and the modalities !m with m ∈ Λ = {a, b, ∞}, so it is short to describe.It is also convenient for comparing with our previous encoding in (elementary) intuitionistic LL [13,8].Schematically, we describe and mechanise the following many-one reduction chain, explained below: Our work is based on and contributes to the Coq library of undecidability proofs; see [9] for a quick overview.As opposed to the legacy LL argument of forking, which can cope with Minsky machines using arbitrary many counters, the MSELL and IMSELL reductions rely on two counters machines in an essential way.Hence, we first had to implement the undecidability of the "halting on the zero state" problem for two counters Minsky machines, that we denote MMA0 2 ; see Section 3. To establish this, we could follow the legacy reduction from many counters to just two by Minsky [19], that uses a Gödel coding of lists of natural numbers as essential trick.Following [12], we profit from the FRACTRAN language [3] that adequately abstracts away the Gödel coding phase, hence we establish the undecidability of MMA0 2 by reducing from (regular) FRACTRAN halting instead, mainly by mechanising Euclidean division with two counters only.
In Section 4, we provide a sequent calculus style presentation of MMA0 2 , i.e. the instance (M, x, y) of MMA0 2 is viewed as a sequent Σ M // n x ⊕ y ⊢ 1, and the Minsky machine M starting at PC value 1 with register values (x, y) halts on the zero state if and only if the sequent Σ M // n x ⊕ y ⊢ 1 has a derivation.We call this system and the associated problem non-deterministic two counters Minsky machines, denoted MM nd .As MM nd is essentially a specialised proof theory for Minsky machines, reducing from it to logical entailment problems mainly consists in transformations of derivations.Hence Section 5, targeting IMSELL, can be understood from a proof theoretic perspective only.In there, we gives details of the reduction of two counters halting, explaining how the legacy fork trick for ILL is replaced by the modal constraints in the promotion rule of IMSELL, following [2].Additionally, our proof of correctness of the reduction differs significantly: the former proof relies on the completeness of focused proof-search; we instead generalise our semantic argument [8], i.e. we prove and use the soundness of trivial phase semantics for IMSELL.
Our contributions in this work are the following.First, via a proof theoretic presentation of Minsky machines, a comparison of their encoding in ILL and in IMSELL, explaining precisely how and where forking is replaced with modalities.Then, a novel completeness proof of the IMSELL reduction based on the soundness of trivial phase semantics.On the implementation side, we provide the mechanized proof of the undecidability of two counters Minsky machines (with two different presentations), and of IMSELL.The Coq 8.13 code is available at https://github.com/uds-psl/coq-library-undecidability/tree/FSCD-2021and (sub-)section titles generally provide hyperlinks to the relevant source code.Our code extends the existing library with about 1800 loc, 1200 of which concern the reductions from FRACTRAN to MM nd , and 600 more for the MM nd to IMSELL reduction.
The paper describes the major steps of the implementation, in the language of type theory, but should be readable with only basic knowledge of it.We denote P (resp.B and N) the type of propositions (resp.Booleans and natural numbers).We write L X for the type of lists over X, where [ ] represents the empty list, x :: l for the cons operation, l + + l ′ for the concatenation of two lists, and |l| : N for the length of l.We write X n for vectors ⃗ v over type X with length n : N, and F n for the finite type with exactly n elements.Notations for lists are overloaded for vectors.Moreover, for p : F n and x : X, we write ⃗ v p for the p-th component of ⃗ v : X n and ⃗ v {x/p} when ⃗ v is updated with x at component p.The (non-dependent) sum A + B represents a computable/Boolean choice between an inhabitant of A or an inhabitant of B. In the case where A and B are propositions (i.e. of type P), the sum A + B : Type is stronger than the disjunction A ∨ B : P, because one cannot computably determine which of A or B holds in the later case.We also use the type-theoretic dependent sum Σ x:A B(x), denoted {x : A | B x} in Coq,1 inhabited by (Coq computable) values x : A paired with a proof of B x.
The framework of synthetic computability [7] is based on the notion of many-one reduction.If P : X → P is a predicate (on X) and Q : Y → P is a predicate, we say that P many-one reduces to Q and write P ⪯ Q if there is a Coq function f : X → Y s.t.∀x : X, P x ↔ Q(f x), i.e. a many-one reduction from P to Q.Because we work in constructive (axiom-free) Coq, all definable functions are computable and thus the requirement of the computability of the reduction function f above can be discarded.If P ⪯ Q and P is undecidable then so is Q.

2
The FRACTRAN seed (files FRACTRAN.vand fractran_utils.v) The FRACTRAN model of computation is very simple to describe.It was introduced by Conway [3] but its main idea, the Gödel coding of a list [x 1 ; x 2 ; . . .; x n ] of natural numbers as the number predates the introduction of FRACTRAN by several decades.In the FRACTRAN formalism, programs are lists of formal fractions, i.e. terms Q of type L (N × N). 2 The state of a program is modelled as a natural number x : N. A fraction p/q is executable at state x if x•p/q is a natural number (i.e.not a proper fraction) and in that case this is the new state.To allow FRACTRAN to discriminate, and b.t.w.turn it into a Turing complete model of computation, the first executable fraction in the list has to be picked up at each step of computation.The program Q stops when no fraction in the list is executable.

Synthetic Undecidability of MSELL via FRACTRAN Mechanised in Coq
Formally this prose translates in a straightforward inductive definition, not even involving the algebraic notion of fraction, and characterized by the two inductive rules below: where u ∤ v means u does not divide v, and Q // F x ≻ y reads as the FRACTRAN program Q transforms state x into state y in one step of computation.The computation is terminated at x, denoted Q // F x ⊁ ⋆, when there is no possibility to perform one step from x, and termination from x, denoted by Q // F x ↓, means there is exists a sequence of steps starting at state x at leading to the terminated state y.Formally, this gives us: There are some obvious quick remarks to make here: the empty program Q = [ ] is terminated in any state; unless Q = [ ], the state 0 is not terminated.The step relation is strongly decidable in the sense that one can discriminate between non-terminated and terminated states, and in the former case, computationally find a next state, expressed below using (Coq) dependent types: Proof.By structural induction on the list Q combined with Euclidean division.◀ The dependent sum {y | Q // F x ≻ y} represents a (computable) state y together with a proof that y is next after x.The proposition Q // F x ⊁ ⋆ is for a proof that x is a terminated state.Finally, the outer sum + represents a computable choice between the two alternatives.
Non-regular fractions like 0/0 can make the computation non-deterministic; and nonproper fractions like 1/1 or 6/2 are always executable, implying that programs including such fractions have no terminating state.Non-deterministic step relations involves at least two different notions of termination, weak termination as defined above, and strong termination, when no infinite sequence of steps from x can exist.For our use of FRACTRAN, it does not matter because we only consider regular FRACTRAN programs where formal fractions p/0 are disallowed.Regular FRACTRAN is a universal model of computation, up to a Gödel encoding of natural numbers [3]. 3 Definition 2. A FRACTRAN reg instance is a pair composed of a list of regular formal fractions and a natural number, i.e. of type (Q, x) : L (N × N) × N | ∀p, p/0 ̸ ∈ Q , and the question asked is whether Q // F x ↓ holds or not.
Notice the use of a dependent sum in the type of instances where the predicate ∀p, p/0 ̸ ∈ Q acts as a guard against non-regular instances.
▶ Theorem 3 (mechanized in [12]).There is a many-one reduction from the Halting problem for single tape Turing machines to termination of regular FRACTRAN programs, i.e.Halt ⪯ FRACTRAN reg , and thus FRACTRAN reg is undecidable.
As a consequence, we can safely use FRACTRAN reg as our seed of undecidability for the chain of many-one reductions described in this paper.From FRACTRAN to two registers alternate Minsky machines

Alternate Minsky machines (files MM.v and mma_defs.v)
We describe alternate n counters (or registers) Minsky machines, where states are described as (i, ⃗ v) : N × N n .The number i : N is the current program counter (PC) value and the vector ⃗ v : N n describes the n current values of the registers.When convenient, we also denote states as st , st 1 ... Instructions consist of either incrementing INC a x a register by one, or decrementing DEC a x j a register by one.Notice that when the register values 0, it is not possible to decrement it.So a conditional jump at j helps at discriminating between the zero and non-zero cases.Unless there is a conditional jump, the default behaviour after the register is updated is to jump to the next instruction at PC + 1.In contrast with [8,12] where the DEC x j instruction jumps at j when ⃗ v x is empty, here in DEC a x j, the jump occurs when decrementing is possible, and this is the reason we call these machines alternate and suffix instructions with an "a" just as a reminder for this alternate semantics.Hence a single (atomic) step of computation is described by the following relation where σ // a (i 1 , ⃗ v 1 ) ≻ (i 2 , ⃗ v 2 ) reads as the MMA n instruction σ at PC value i 1 transforms the state (i 1 , ⃗ v 1 ) into the state (i 2 , ⃗ v 2 ).Notice that this alternate semantics allows to implement a universal jump without needing an empty register, which will be critical when we will need to limit the number of registers to n = 2.This means that starting from state (i 1 , ⃗ v 1 ), the instruction σ at PC value i 1 (provided there is one) changes the state in exactly one possible way, and the new state (i 2 , ⃗ v 2 ) is Coq-computable from the initial state (i 1 , ⃗ v 1 ).So the only way for such programs to terminate is to jump to a PC value which holds no instruction.
A program is pair (i, P ) : N × L MMA n composed of the PC value of its first instruction and the sequence P of consecutive instructions of which is it composed.Informally, the program (i, [σ 0 ; . . .; σ m−1 ]) would be read as e.g.i : σ 0 ; 1+i : σ 1 ; . . .; m−1+i : σ m−1 using labelled instructions.We define the k-steps relation for a program (i, P ) inductively with where the constraints i 1 = |L| + i and P = L + + σ :: R impose that the instruction at PC value i 1 of (i, P ) is σ.From its structure as lists of instructions, there is at most one instruction at a given PC value and thus, the k-steps relation is also deterministic.However, it can be non-total if a jump outside of the interval [i, |P | − 1 + i] occurs, the lack of an instruction blocking the computation.We write out j (i, P ) := j < i ∨ |P | + i ≤ j when there is no instruction at j in (i, P ), and because of Proposition 4 (totality), blocked states are exactly those outside of the code, i.e. out i 1 (i,

F S C D 2 0 2 1 18:6 Synthetic Undecidability of MSELL via FRACTRAN Mechanised in Coq
We define the predicates of computation, of progress, of output and of termination as: output meaning that we have computed until we reach a state blocking the computation.
We mention that there is substantial machinery for (alternate) Minsky machines, and more generally PC based state machines, in the Coq library of undecidable problem initially described in [8].These tools enable modular reasoning in those models of computation.

A basic MMA n library up to Euclidean division (file mma_utils.v)
We specify, implement and verify a small library to compute some basic operations with MMA n .For this section, n : N is a fixed number of registers but all the below sub-programs involve at most two registers.In the coming statements, the vector ⃗ v : N n is implicitly universally quantified over.The names i, j, p, q : N range over PC values, k : N over natural number constants, and the names x, t, s, d : F n over registers indices.
Let us start with the easy simulations of an unconditional jump, the nullification of register x and the operation that adds k units to register x. ▶ Proposition 6.For i, j : N and x : Then we simulate test for emptiness of register x, jumping to PC value p when x is empty, or else to the end of the sub-program otherwise.Registers are restored to their initial values when the sub-program is finished (assuming p points outside of its code).
▶ Proposition 9.For x : F n and p, i : Notice that this sub-program is of length |EMPTY a x p i| = 4 (despite looking 3), because we abuse the list notation [. . .; . . .; . ..] by allowing dots to be not only single instructions but also lists of instructions such as JUMP a p x. Hence, EMPTY a x p i is formally defined as DEC a x (3 + i) :: JUMP a p x + + INC a x :: [ ] but we choose the friendly display for readability.
We now simulate the transfer of the contents of register s (for source) to d (for destination).
We simulate multiplication of a register by a constant.The idea is similar to transfer but instead of transferring one for one, when one unit is removed from s, k units are added to d.
We simulate the minus k operation (with overflow management), jumping to PC value p when k units can be removed from register x, or else to PC value q when register x contains less than k units (overflow).
▶ Proposition 12.For p, q, k, i : N and x : F n , we define where the pattern DEC a x (3u + i); JUMP a q x is repeated for u = 1, . . ., k.
Depending on the comparison between ⃗ v x and k, we have the following: Using an extra temporary register t, we implement a non-destructive minus k operation (with overflow management).
▶ Proposition 13.For x ̸ = t : F n and p, q, k, i : N, we define where the pattern DEC a x (4u − 1 + i); JUMP a q x; INC a t is repeated for u = 1, . . ., k.
Depending on the comparison between ⃗ v x and k, we have the following: Notice that the initial value of t has to be known if one wants to recover the initial value of x, e.g. if the initial value of t is 0 and x contains less than k units, then once the computation is finished, t contains a copy of the initial value of x.
We implement a non-destructive computation of a divisibility test of register x by a constant k > 0, using a spare register t to preserve the initial value of x. ▶ Proposition 14.For x, t : F n and p, q, k, i : N, we define and we check the identity |MOD_CST a x t p q k i| = 6 + 4k.Assuming x ̸ = t and k > 0, we have (i, MOD_CST a x t p q k i) // a (i, ⃗ v) ≻ + (j, ⃗ v{0/s}{(⃗ v x + ⃗ v t )/t}) where j := p when k divides ⃗ v x , and j := q otherwise.We now implement division by a constant k > 0. It will only work when the contents of the input register s is a multiple of k and the quotient is then stored in d.
▶ Proposition 15.For s, d : F n and k, i : N, we define and we check the identity

Compiling regular FRACTRAN programs (file fractran_mma.v)
We are now in position to compile regular FRACTRAN programs (with no p/0 fractions).We start with a sub-program for simulating the FRACTRAN step relation for one regular fraction p/q then we will chain those sub-programs.
We fix n := 2, and s := 0 : F 2 and d := 1 : F 2 are the two available registers for two counters alternate Minsky machines.Let use assume a regular fraction, i.e. p, q : N with q ̸ = 0, and i, j : N where i the starting PC value of the sub-program.
To help the readability of the following code, we decorate it with relevant labels (PC values), although those are not formally present in the mechanisation: Proof.The proof of Proposition 17 (resp.18) is sketched in Appendix A (resp.B). ◀ Hence (i, FRAC_ONE a p q i j) performs the multiplication of x by p/q if the result is a natural number, transferring the control to PC value j, or else, would the result be a proper fraction, the registers are globally unmodified and the PC is transferred at i 7 , the end of this sub-program.Notice that the register d is assumed to be initially empty.
We now chain those sub-programs to simulate one step of a regular FRACTRAN program, encoding a list Q of fractions by structural recursion on Q: where P := FRAC_ONE a p q i j ▶ Lemma 19.For any regular FRACTRAN program Q : L (N × N) and any i, j, x, y : Proof.By induction on the predicate Q // F x ≻ y using Propositions 17 and 18. ◀ ▶ Lemma 20.For any regular FRACTRAN program Q : L (N × N) and any i, j, x : Proof.By induction on Q using Proposition 18. ◀ The instance FRAC_STEP a 1 Q 1 starts at i = 1 and loops on itself (j = 1) until no fraction can be executed.In addition, we finish by nullifying s and then jump to PC value 0: The S-MM nd sequent style calculus for non-deterministic two counters Minsky machines.
▶ Theorem 21.For any regular FRACTRAN program Q : L (N × N) and any x : N, the three following properties are equivalent:

Minsky machine termination as provability
While the (heavy) alternate Minsky machines framework was useful to simulate FRACTRAN programs with two counter machines, using it as a seed for other reductions is not recommended.First, explaining the semantics and termination predicates requires many definitions, not necessarily obvious at first.Also, manipulating them without the tools for modular reasoning is quite difficult.

Non-deterministic two counters Minsky machines (file ndMM2.v)
For our reductions to linear logic, we replace MMA 2 with an equivalent model, much easier to describe and work with, where computations are performed by proof-search and termination matches the provability/derivability predicate.Reductions to entailment in logical systems will thus mainly consist in encoding derivations from one system to another.We call this model non-deterministic two counters Minsky machines and denote MM nd .We comment this logical presentation, sequent style, of Minsky machines.MM nd instructions are of the form STOP n p | INC n x p q | DEC n x p q | ZERO n x p q where x ∈ {α, β} is a register index, either the first α or the second β, 4 and p, q : N are labels, here in type N, but the definitions in this section are completely parametric in the type of labels.A sequent of MM nd is of the form Σ // n a ⊕ b ⊢ p where Σ is a list of MM nd instructions viewed as a finite set, a and b of type N represent the values of the counters α and β respectively and p is the current label.
We define provability/derivability inductively by the rules the calculus S-MM nd in Fig. 1.Notice that since computation is simulated by proof-search, the initial state is the conclusion of a rule and it is transformed into the premise, when there is one.For example, the INC n _ p q rule contains both the initial label and the jump-to label, hence it can only execute at label p.However, nothing prevents the simultaneous occurrence of another instruction INC n _ p q ′ in Σ, and this could render proof-search non-deterministic, hence our choice of terminology.However, non-determinism is not relevant to the undecidability of the MM nd .
Notice that it is common practice to represent the sequent and the derivability predicate of the sequent by the same denotation Σ // n a ⊕ b ⊢ p which could lead to confusion.Usually, we qualify the notation with the "sequent" word to make it explicit.Unqualified or followed with "is derivable" means that the notation represents the S-MM nd derivability predicate.
▶ Definition 23.A MM nd problem instance is the data of a sequent Σ // n a ⊕ b ⊢ p, and the question is whether this sequent is derivable or not using the rules of S-MM nd (Fig. 1).
Notice that ZERO n x p q performs both a zero-test on x and if zero, a jump from p to q without changing registers.If we remove the ZERO n _ p q rules, we get Petri nets reachability, more specifically VASS with states, which have a decidable reachability problem with non-elementary complexity [4], even non-primitive recursive according to [16,5].

From MMA0 2 to MM nd (file MMA2_to_ndMM2_ACCEPT.v)
We give an alternate presentation of termination on zero for two registers Minsky machines, using the S-MM nd calculus of Section 4.1.Let us consider alternate Minsky machines MMA 2 with two counters, s := 0 : F 2 and d := 1 : F 2 .We denote by α, β : B the two registers of MM nd instructions.We define the following encodings of single instructions and programs: Proof.Item 1 is by case analysis on σ and item 2 follows from item 1. ◀ Let us now define Σ P := STOP n 0 :: ⟨⟨1, P ⟩⟩ which constitutes the encoding of MMA 2 programs into MM nd sequents.We establish its soundness.

◀ Undecidability of Sub-Exponential Linear Logic
Having established the undecidability of MM nd via FRACTRAN reg and MMA0 2 , we can now switch to undecidability in some fragments of linear logic and give a comparison between two different reductions.We introduce the intuitionistic version of sub-exponential linear logic [2] (IMSELL) and mechanise a many-one reduction from MM nd to entailment in IMSELL.
Even if the former reduction [2] applies to classical sub-exponential linear logic with one sided sequents, our own reduction function is inspired from it.However, the completeness proof that we have mechanised largely differs since we avoid focused proofs (used to recover computations) and instead, adapt the trivial phase semantics argument [13,8].Additionally we precisely compare the reduction to ILL with the reduction to IMSELL by starting from the same MM nd seed, detailing what set of logical rules are used to simulate those machines.

The ILL and IMSELL fragments (files ILL.v and IMSELL.v)
We introduce two fragments/extensions of intuitionistic linear logic (ILL) that allow for a reduction from non-deterministic two counters Minsky machines.
The first fragment of the ILL logic we consider is composed of propositional formulae build from two binary connectives, the linear implication ⊸ and additive conjunction &, and one modality, exponentiation !. Logical variables come from (a copy of) the N type.Formally, the formulae of ILL are of the form A, B :: where X : N. To simplify, we abusively call this fragment ILL.By cut-elimination, the reduction discussed below also works for larger fragments containing more connectives like ⊗, ⊕, etc.
The sequents of ILL are intuitionistic, i.e. a pair (Γ, A) written Γ ⊢ A where Γ is a multiset of formulae and A is a single formula.Multisets are just lists identified up-to permutations.If it is more convenient to work with lists, as we do in the Coq mechanization, then an explicit permutation rule is added to the sequent rules of the S-ILL calculus in Fig. 2.
The three leftmost rules are the identity (or axiom) rule stating that the sequent A ⊢ A has a trivial proof, and then the left-and right-introduction rules for the linear implication ⊸.The three rules middle-left are two left-and one right-introduction rules for the additive conjunction &.The two middle-right rules are modal rules, on top, the promotion rule, and at bottom, the dereliction rule.Finally, on the right-hand-side are the structural rules for the !modality, i.e. weakening on top and contraction at the bottom.Notice that specifically, linear logic does not allow for general weakening or contraction rules.
On the other hand, IMSELL is a purely multiplicative fragment but with several modalities, among them exponentials.The logic is parameterized with a fixed type Λ of modalities and a fixed sub-type U : Λ → P of unbounded modalities, also called exponentials.We follow the set theoretic syntax and write u ∈ U (instead of U u) when u is unbounded.The formulae of IMSELL Λ are of the form A, B :: where X : N and m : Λ.So compared to ILL, the additive & is missing whereas the modality !becomes indexed as !m with m spanning over Λ. IMSELL Λ sequents have the same structure Γ ⊢ A as those of ILL except that they are composed of IMSELL Λ formulae instead.
Before we describe the associated sequent calculus S-IMSELL Λ , we introduce supplementary structures on modalities: a pre-order ≼ : Λ → Λ → P, i.e. a reflexive and transitive binary relation, such that U is upward-closed for ≼, i.e. u ≼ m and u ∈ U entail m ∈ U for any m, u : Λ.In the sequel, we will somehow abuse the notation and denote Λ both for the base type and the modal structure (Λ, U, ≼) moreover assuming the pre-order and upward-closure properties.
In the sequent rules of the S-IMSELL Λ calculus of Fig. 3, the three leftmost rules are common with S-ILL, there is no rule for the additive conjunction & since it does belong to the fragment, and the modal rules have changed a bit.We skip over the two middle rules for the moment and consider the rightmost structural rules of weakening and contraction which generalise the corresponding rules of S-ILL, except that their use is limited to unbounded modalities (u ∈ U).Back to the two middle rules, the bottom dereliction rule applies to every modality, so a direct generalisation of the corresponding rule of S-ILL.However, the promotion rule (reproduced below on the left) is somehow more complicated and deserves further explanations.The ⋆ notation represents a multiset k 1 , . . ., k n of modalities and !⋆ Γ represents the multiset !k1 A 1 , . . ., ! kn A n .The constraint m ≼ ⋆ imposes that m is lower than every modality in {k 1 , . . ., k n }.Using these more explicit notations, we reframe it as in the above displayed middle rule.Finally, the (uniform) instance where m = k 1 = • • • = k n (the rightmost above; the constraint m ≼ ⋆ holds by reflexivity), matches the promotion rule of S-ILL.
Considered independently, all modalities behave like ILL modalities, satisfying dereliction and promotion rules, while only unbounded modalities allow for contraction and weakening.However, depending on the relation ≼, the promotion rule allows for non-trivial interactions between modalities.Given an unbounded modality ∞ ∈ U and replacing ! with !∞ , one can trivially embed the multiplicative fragment of ILL and recover intuitionistic multiplicative and exponential linear logic (IMELL), of which the (un)decidability of entailment is a notoriously difficult open problem [14,20].

Embedding in S-ILL vs. S-IMSELL (file ndMM2_IMSELL.v)
For the reduction from MM nd to IMSELL Λ to work out properly, we need at least three modality {a, b, ∞} where ∞ is the only unbounded modality (∞ ∈ U and a, b ̸ ∈ U), a ≼ ∞, b ≼ ∞ and a and b are incomparable, i.e. a ̸ ≼ b and b ̸ ≼ a.As a consequence, ∞ is also strictly above a and b.From now on, we assume that Λ satisfies these requirements.The coming discussion can also be understood in the minimal case where Λ 3 = {a, b, ∞} and we denote IMSELL 3 for either of these logics.

18:13
In this section, we review the encoding of MM nd sequents into both ILL and IMSELL 3 , and explain how, while mostly similar, they noticeably differ on how they handle zero tests combined with jumps.Notice that the encoding targeting ILL can be adapted to n registers Minsky machines (as done in [8]), while in the case of IMSELL 3 , working with two counters only is critically important to the construction.
Identifying the exponential ! with the unbounded modality !∞ allows to discuss IMELL, ILL and IMSELL 3 in a common syntactic framework, avoiding cumbersome notations for trivial embeddings.We show the derivability of the two following rules: generalised weakening and customised absorption.
▶ Lemma 28.The two following rules are derivable in IMELL, and hence ILL and IMSELL 3 : Proof.We obtain the left generalised weakening rule by repeating the weakening rule.For customised absorption, it is the combination of dereliction and contraction.◀ These derived rules are essential tools for the reduction from MM nd .Let us review the other tools.Recall that a MM nd sequent is of the form Σ // n x ⊕ y ⊢ p.We encode this with an IMSELL 3 (or ILL) sequent of the form ! ∞ Σ, ∆ ⊢ p where ∆ := xα, yβ encodes the pair (x, y) : N × N, i.e. α (resp.β) is repeated x (resp.y) times.Hence increment and decrement operations on the values x/y naturally correspond to the multiset operations.We do not need to specify what formulae are α and β for the moment, but these will differ in the ILL case compared to the IMSELL 3 case.On the other hand, p or q will always be logical variables.
First, we show how to simulate the INC n α p q rule of S-MM nd : and the DEC n α p q rule of S-MM nd : Notice that we only use the customised absorption rule, the left-and right-introduction rules for ⊸ and the identity (axiom) rule hence simulating INC n α p q and DEC n α p q can be performed within the IMELL fragment.
The axiom rule STOP n p of S-MM nd (acceptance of (0, 0) at p) can also be simulated using the customised absorption rule, then the generalised weakening rule, the left-and right-introduction rules for ⊸ and the identity rule.Hence an IMELL proof as well.
The remaining rules of MM nd , that of e.g.ZERO n α p q, a zero test combined with a jump instruction, are the problematic rules to encode in the IMELL fragment.This can however be done in ILL and in IMSELL 3 , but the techniques for the two fragments diverge precisely on these ZERO n α p q instructions.Let us first review5 the (idea behind the) legacy encoding of Minsky machines into linear logic [17], mechanized for ILL in [8].The idea is to fork the ZERO n α p q simulation into a proof-search branch where only a zero test on α is performed, and in the other branch, only a jump to q is performed: Notice that α and β denote fresh logical variables.Critically for this encoding, the additive conjunction & is used to copy the context into the two premises, implementing a fork.The zero test on left sub-branch can however by performed in IMELL only: Notice that the dots above !∞ Σ, yβ ⊢ α mean repetition of the lower part of the proof until exhaustion of all the β from the context: this is implemented by an induction on y, and the base case where y = 0 corresponds to the upper part of the proof, starting at ! ∞ Σ, ∅ ⊢ α and completed on the right hand side, simulating of a would be STOP n α instruction (see above).
We see that α together with the formulae β ⊸ (α ⊸ α) and (α ⊸ α) ⊸ α in Σ allow α to perform the elimination of all the β from the context.However, α will not allow the removal of any α and hence, the zero test branch cannot be completed if ∆ contains an occurrence of α, i.e. when x ̸ = 0.This encoding of the zero test using α, while it can already be performed in IMELL, is pertinent only for ILL because it is in combination with the fork in (α & q) ⊸ p (see above) that it provides the ability to conditionally jump on zero.
Contrary to the ILL encoding, IMSELL 3 does not require (and cannot use) forking but instead uses sub-modalities to prevent jumping when the zero test fails.In that case, α and β are not atomic formulae anymore: they contain the bounded modalities ! a and !b , and we define α := ! a α 0 and β := !b β 0 where α 0 , β 0 are fresh variables.In the following encoding, notice that the upper rule is an instance of the promotion rule of S-IMSELL 3 .It is allowed because every formula on the left is prefixed either with the unbounded modality !∞ for those in !∞ Σ, or with the modality !b for those in yβ = !b β 0 , . . ., ! b β 0 , and we have both b ≼ ∞ and b ≼ b.On the other hand, an occurrence of α = !a α 0 in the context, corresponding to a non-zero value of x, would prevent the application of the promotion rule (b ̸ ≼ a).This interaction of modalities in the promotion rule of IMSELL 3 is the key to simulate zero tests.
Proof.The argument proceeds by induction on the derivation of Σ // n x ⊕ y ⊢ p, combining the proof skeletons of the above discussion in a direct way.◀

Trivial Phase semantics for IMSELL (file imsell.v)
We define trivial phase semantics for IMSELL Λ and show soundness w.r.t. the S-IMSELL Λ calculus.We start with a commutative monoid (M, •, ϵ).Typically, for the completeness of our reduction, we will only need to use the semantics for M = (N 2 , +, ⃗ 0), i.e. vectors of natural numbers of length 2, but the semantics works for any commutative monoid.For any X, Y ⊆ M , we define the point-wise extension by X providing a residuated monoidal structure on the subset type M → P.
To interpret the modal structure (Λ, U, ≼), we further require for each modality m ∈ Λ, a subset K m ⊆ M i.e. a predicate K m : M → P. We assume that the map m → K m is monotonically decreasing w.r.t.≼ (on the left below) and satisfies the three extra following rightmost axioms:

Given any semantic interpretation [[•]
] ⊆ M of logical variables, we extend it inductively to IMSELL Λ sequents via trivial phase semantics: 6 ).Notice that trivial phase semantics is sound but not complete for IMELL, ILL and IMSELL Λ ; see [13] for details.Notice that because we work with commutative monoids, the above semantic interpretation of lists is invariant under permutations, hence is suitable for multisets.An ▶ Theorem 31.Trivial phase semantics is sound: ] for any possible trivial phase semantics interpretation.
Proof.We proceed by structural induction on the S-IMSELL Λ derivation of Γ ⊢ A. In the code, the proof is limited to the case where M = (N n , +, ⃗ 0) for some n : N. Compared to the soundness of trivial phase semantics for S-ILL [8], the only interesting new case is that of the promotion rule.In that case, we observe that m ≼ k 1 , . . ., k n implies Proof.We use a soundness argument for trivial phase semantics in place of reasoning by induction on focused derivation in MSELL as done in [2].We consider the monoid of vectors M = (N 2 , +, [0; 0]) of length 2 of natural numbers.We define the following interpretation for modalities, and as a consequence, we can check that K m satisfies the required axioms as well as i.e. for any [x; y] : N 2 , if Σ // n x ⊕ y ⊢ q and x = 0 then Σ // n x ⊕ y ⊢ p which is precisely the instance of rule ZERO n α p q ∈ Σ of S-MM nd .
From the previous observation, we deduce [0

Related works and Implementation remarks
While Theorem 33 gives us a mechanised synthetic proof of the undecidability of IMSELL 3 , neither its statement nor the arguments deployed directly provide hints towards a solution to the question of the decidability IMELL/MELL.As in the original pen and paper proof [2], the two bounded modalities ! a and !b , and their interaction with the unbounded modality !∞ in the promotion rule, play an essential role in the simulation of conditional jumps of two counters Minsky machines.While the zero test can be implemented in MELL only, the provided implementation consumes its context and thus cannot conditionally branch at the same time, hence the fork used in the case of ILL [8].However Theorem 33 does give indications that certain decidability arguments for MELL are bound to fail, e.g.those that would also apply to MSELL in general, or IMSELL 3 in particular.It is our understanding that the refutation [20] of the faulty proof attempt for the decidability of MELL [1] partly proceeds in showing how the claimed "proof" technique would easily generalise to MSELL.In the same vein, the lower bounds on the complexity of a would be decision procedure for MELL [14], and more recently the reachability problem for Petri nets themselves [4], indicate that a decision procedure for MELL must be of non-elementary complexity.The most recent investigations [16,5] might very well confirm that this problem is Ackermann complete and hence not primitive recursive.
Considering formalisation issues, the growing Coq library of undecidability proofs [9] was of course of great help to this work.Indeed, at the time we decided to try to implement the undecidability of MSELL, the framework for certified programming with Minsky machines was already part of the library [8].Hence, to get two counters Minsky machines, i.e. the seed of undecidability of the pen and paper proof [2], only a modest step from many counters machines was necessary and this was even alleviated by the results on the FRACTRAN language [12], factoring out the Gödel coding phase.In fact, we contributed the seed of two counters machines much ahead of the MSELL result, and in the meantime, this seed was used to establish to undecidability uniform boundedness for simple stack machines and then of the problem of semi-unification [6].This illustrates a critical aspect of this undecidability framework: its extensive range of seed problems for plugging into it.
Indeed, there is an important issue to consider when proving undecidability by many-one reduction, by far the most used method in the field: even mechanised, your proof is only as strong as the implementation of your seed problem.Typical problems can exhibit subtleties that show up at the mechanisation level: for instance Turing machines are built on tapes, a potentially infinite structure of which it could be easy to corrupt the implementation.Choosing a seed already linked to the many-one equivalence class containing easy to describe problems such as e.g. the Post correspondence problem or FRACTRAN gives much more confidence that starting from an isolated seed, still to be mechanically checked undecidable.
Another aspect which is mostly overlooked in pen and paper proofs is the computability of the reduction function.The reason is that programming with low-level Turing complete models of computation is hard and painful, with encodings at every corner.To get a glimpse of the difficulty, think of a Turing machine working with logical formulas: because it only manipulates text written on tapes, it has to implement a syntax analyser, moreover proved correct.And only then can it start its real work.The general shortcut used in pen and paper proofs to avoid this kind of description is to speak about "algorithms" that manipulate high-level data-structures and rely on an informal and consensual understanding of what these are, hand-waving away the implementation issues completely.
In this regard, the synthetic computability framework allows, at the price of relying on the computability of Coq functions -e.g. by avoiding axioms, -to formally describe the reduction functions in a language strict enough to ensures their computability, but at the same time powerful enough to largely avoid complex encodings and hence get more natural correctness proofs following or inspired from pen and paper ones.Using a constructive framework like e.g.Coq or Agda is essential in that approach, because in classical frameworks, there is no direct way to automatically ensure the general computability of the defined (reduction) functions.

A Proof (sketch) of Proposition 17
Let us use the denotation s (resp.d) for the dynamic value of register s (resp.d).Hence, the contents of the registers is represented by the vector [s; d] of length 2 with initial value [x; 0].Also, the initial value of the PC is i 0 = i.The sub-program MULT_CST a s d p i 0 multiplies s with p and adds the result to the contents of d while emptying s, so the PC moves to i 1 and s = 0 and d = px.Then MOD_CST a d s i 2 i 4 q i 1 tests the divisibility of d by q, which succeeds under the assumption qy = px.By Proposition 15, this transfers the control to i 2 and now d = 0 and s = px.Then DIV_CST a s d q i 2 divides s with q while swapping the registers hence now s = 0, d = y and the PC is at i 3 .Then TRANSFER a d s i 3 swaps s with d hence now s = y and d = 0 and PC is now i 4 .Finally, JUMP a j d transfers the control to j without altering the registers.

B Proof (sketch) of Proposition 18
As in the proof of Proposition 17, we reach the state where the PC is at i 1 and s = 0 and d = px.However now, MOD_CST a d s i 2 i 4 q i 1 gives a negative answer to the divisibility of d by s hence according to Proposition 14, the control is transferred to i 5 while s = px and d = 0. Then DIV_CST a s d p i 5 divides the contents of s by p, reverting it to its initial value but there is a swap: PC is at i 6 , s = 0 and d = x.Finally TRANSFER a d s i 6 swaps again and reverts the registers to their initial values s = x and d = 0 while the PC moves to the end of the sub-program at i 7 .

C Proof (sketch) of Theorem 21
The implication 2 =⇒ 3 is trivial.We

.4 The completeness of the reduction (file ndMM2_IMSELL.v)
If the sequent !∞ Σ, xα, yβ ⊢ p is provable in S-IMSELL 3 , then there is a derivation of Σ // n x ⊕ y ⊢ p in S-MM nd .