A direct computational interpretation of second-order arithmetic via update recursion

Second-order arithmetic has two kinds of computational interpretations: via Spector’s bar recursion of via Girard’s polymorphic lambda-calculus. Bar recursion interprets the negative translation of the axiom of choice which, combined with an interpretation of the negative translation of the excluded middle, gives a computational interpretation of the negative translation of the axiom scheme of comprehension. It is then possible to instantiate universally quantified sets with arbitrary formulas (second-order elimination). On the other hand, polymorphic lambda-calculus interprets directly second-order elimination by means of polymorphic types. The present work aims at bridging the gap between these two interpretations by interpreting directly second-order elimination through update recursion, which is a variant of bar recursion.


INTRODUCTION
In this introduction we recall the existing interpretations of secondorder arithmetic, we present the outline of our contribution, and we mention some related work.

Bar recursive interpretations
The usual route, summarized in figure 1, for interpreting secondorder arithmetic via bar recursion consists of a derivation of the axiom scheme of comprehension through a combination of the excluded middle with the axiom of countable choice, followed by a negative translation into first-order intuitionistic arithmetic extended with the negative translation of the axiom of choice.Finally, this system is interpreted with the help of bar recursion that gives computational content to the negative translation of the axiom of countable choice (or to the double-negation shift which, together with the axiom of countable choice, implies intuitionistically the negative translation of the axiom of countable choice).
We review in this section the various existing bar recursive interpretations of second-order arithmetic.
Spector's original bar recursion.Gödel's dialectica interpretation [9] provides a computational interpretation of arithmetic into System T -simply-typed lambda-calculus with natural numbers and a recursor.Spector extends this interpretation to an interpretation of second-order arithmetic [14] by extending Gödel's System T with a bar recursion operator.Spector uses this bar recursion operator to interpret what he calls the F axiom scheme, but which is nowadays known as double-negation shift (DNS).Composing his interpretation with a negative translation from classical arithmetic with countable choice into intuitionistic arithmetic with countable choice and DNS, he obtains an interpretation of classical arithmetic with countable choice and therefore of second-order arithmetic.
Berardi-Bezem-Coquand's demand-driven operator.Berardi, Bezem and Coquand define an operator [3] (usually called BBC) inspired by Spector's bar recursion but that has a more direct and intuitive behavior.Also, contrary to Spector's interpretation that extends Gödel's Dialectica, their interpretation extends Kreisel's modified realizability [10].The BBC operator is demand-driven in the sense that it computes step by step finite approximations of an ideal infinite object, the order of these steps being dictated by the environment in which the operator executes.They use this operator to provide a computational interpretation of (a principle equivalent to) the negative translation of the axiom of countable choice.Their interpretation is therefore slightly more direct than Spector's in the sense that it interprets the negative translation of the axiom of countable choice rather than DNS.
Berger-Oliva's modified bar recursion.Berger and Oliva define an operator [6] that more closely resembles Spector's bar recursion, but their interpretation extends Kreisel's modified realizability, as Berardi-Bezem-Coquand's.Moreover, they follow more closely the lead of Spector by interpreting DNS, from which the negative translation of the axiom of countable choice can be derived.
Streicher and Krivine's bar recursion in classical realizability.Streicher gives a presentation of Krivine's classical realizability in the setting of categorical realizability, as a subtopos K of the relative realizability topos E induced by the model of coherence spaces and stable maps and a well-chosen set of proof-like elements [15].Using bar induction and the interpretation of bar recursion as a stable map between appropriate coherence spaces, he shows that E validates the double-negation shift principle, and because E also validates countable choice, he obtains that the classical realizability topos K validates countable choice.
Krivine uses the BBC operator to realize the negative translation of the axiom of countable choice [11].

Interpretation of second-order arithmetic via system F
The second kind of interpretation of second-order arithmetic is via Girard's representation theorem [8] that relies on a translation of second-order arithmetic into Girard-Reynolds polymorphic lambdacalculus [7,13] (system F).This interpretation uses a version of second-order arithmetic that is obtained from first-order arithmetic by adding a quantifier on predicates, rather than the axiom schema

Contributions
As explained above, the bar recursive interpretations of secondorder arithmetic involve several logical transformations prior to the concrete interpretation by programs.Conversely, the polymorphic interpretation exploits a strong correspondence between quantification on predicates and polymorphic types.In the present paper we make a crucial step towards the unravelling of a similar strong correspondence in the case of bar recursion.Indeed, we interpret directly the same system of second-order arithmetic as the one used in Girard's representation theorem, via a bar recursive interpretation of the elimination of quantification on predicates.We define a very generic notion of realizability value and prove a general result about the behavior of the variant of bar recursion we use.This general result proves to be flexible enough so that it can be used for proving both termination of the programming language and correctness of the realizability interpretation.

Related work
Berger defines a variant of the bar recursion operator that he calls "update recursion" [5].This variant is closely related to the BBC operator, in the sense that it builds finite approximations of an ideal infinite object step-by-step and on demand.Berger proves that this operator realizes a principle called "update induction" and shows that the BBC operator can indeed be implemented via update recursion.Berger's operator is the variant of bar recursion that most closely fits our needs, so we use (a slight variant of) it in the present work.However, we show directly that our version of update recursion realizes second-order elimination, without going through update induction.
Aschieri, Berardi and Birolo extend lambda-calculus with a variant of delimited exceptions and use interactive realizability to interpret intuitionistic first-order arithmetic extended with a restricted form of excluded middle EM1 on Σ 0 1 formulas [2].Powell uses a similar idea in the context of Gödel's Dialectica interpretation to define the concept of learning algorithms [12], that build approximations to witnesses of decidable formulas.He then transforms a countable sequence of learning algorithms into a single algorithm and proves that it can be used to interpret arithmetical comprehension on Σ 0 1 formulas.Our work can be seen as an extension of these works, where we relax the decidability requirement and provide computational content to the full comprehension axiom instead of its restriction to Σ 0 1 formulas.

Outline of the paper
In the first section, we present the system of second-order arithmetic used in Girard's representation theorem, where the usual comprehension axiom is replaced with the equivalent notion of quantification over predicates.
In the next section we define our programming language together with its operational and denotational semantics.
In the final section, we define our general notion of realizability value and prove a very generic result about update recursion, then we prove normalization of our programming language using "propositional" realizability values a.k.a.reducibility candidates.Then we prove adequacy of our interpretation via realizability values that depend on natural numbers and sets of natural numbers.Finally, we validate this interpretation by proving an extraction result from proofs of Π 0 2 formulas of second-order arithmetic.

SECOND-ORDER ARITHMETIC
We define in this section the theory of second-order arithmetic for which we provide a computational interpretation in the following sections.
This theory is the one used in Girard's representation theorem with quantifications over predicates, as witnessed by the ∀2 rule, where  [ ./] is the formula  where every instance of an atom of the form  () for some term  is replaced with the formula  [/].
Second-order logic has two kinds of variables: , , . . .denote first-order (number) variables and , , . . .denote second-order (set) variables.The terms of second-order arithmetic are built from number variables, 0, successor, addition and multiplication: Formulas are built from atomic formulas (set variables applied to some term), implication and first-and second-order universal quantification: The formal system of second-order arithmetic (rules and axioms) is defined in figure 2. Our proof trees are annotated with proof terms for convenience, but we do not consider any kind of reduction on these proof terms.
As usual, other logical connectors such as equality, conjunction, disjunction and first-and second-order quantification can be encoded in second-order logic.In the present paper we only use the following encodings: In particular, while formally all our predicate variables are unary, we encode the nullary ones via an arbitrary instantiation at 0. This technical choice allows for a more uniform treatment in the realizability interpretation.Note also that since we have terms for addition and multiplication, we could also encode predicate variables of arbitrary arity, but we do not need them in the present work.

THE PROGRAMMING LANGUAGE
In this section we describe the programming language in which we interpret proofs made in second-order arithmetic.We first define its syntax, typing rules and operational semantics, and then we define its denotational semantics in complete partial orders.

Syntax, typing and operational semantics
This programming language is an extension of simply-typed lambdacalculus with primitive natural numbers, sum types, a unit type and an update recursion operator ur.
The types are as follows, where  denotes the type of natural numbers: ,  :: The typing rules and operational semantics are given in figure 3, where the notation _. is a shorthand for  .when  is not free in , and the construct _ ⟨_ ↦ →⟩ in the reduction rule for update recursion is syntactic sugar for the update of a notion of partial function that we define now.These partial functions on natural numbers, that the update recursion operator relies on, are encoded as functions from natural numbers to a sum type  + 1, that we use as an option type.We consider that such a partial function Consequently, the function with empty domain is defined as: and if  is some partial function, then  ⟨ 1 ↦ →  2 ⟩ denotes its update with value  2 at  1 , which is defined as: where: is an operation deciding equality on natural numbers.We now comment on the update recursion operator.By looking at the type of the recursor, one can understand update recursion as an operator turning a program of type: That is, if some  takes as input a sequence of elements which are either of type  or of type  → , then ur  takes simply as input a partial function to .The reduction rule of ur shows how this happens: if  needs the value of its argument at some point , then: • either the partial function given as argument to ur  is defined at , in which case ur  provides that value to , as a value of type , • or the argument to ur  is undefined at , in which case ur  provides indirectly to  a value of type  →  by reading the input  of type  from , and triggering a recursive call with an updated partial function having value  at .
Our version of update recursion is a bit different from Berger's [5].The first difference is that we use sum types, while Berger encodes them with booleans and products.The second difference is that while the first argument in our version is of type: the first argument in Berger's version is (with our notations) of type: Finaly, Berger's update recursion satisfies (with our notations) the following equation: Berger's version and ours are however interdefinable: axioms of second-order arithmetic rules of second-order logic Figure 2: Second-order arithmetic operational semantics Figure 3: The programming language

Denotational semantics: complete partial orders
The termination of the update recursion operator depends crucially on the continuity of programs: if a program turns an infinite sequence into a value of type , then it can only depend on a finite part of its input sequence.The intuition is that such a program converges in a finite number of steps to a final value, and therefore during this computation it can only evaluate its input at a finite number of positions.The denotational model of complete partial orders does provide a general framework to talk about continuity of programs in this sense.
Moreover, it will be convenient, for proving correctness of update recursion, to talk about ideal sequences which are limits of finite sequences, but may not be expressible as programs.Such ideal sequences may even be non-computable.If (  ) ∈N is a sequence of elements of some complete partial order , then the function that turns  ∈ N into   is itself an element of the complete partial order of functions from natural numbers to , so the model of complete partial orders is very suited for handling such ideal sequences.
We now turn to the basic definitions about complete partial orders: Definition 3.1.A partially ordered set  is directed if it is nonempty and: ∀,  ∈ , ∃ ∈ ,  ≤  and  ≤  A complete partial order (cpo) is a partial order : • which has a least element ⊥, • such that every directed subset  ⊆  has a least upper bound  ∈ .
A continuous function between cpos is a function that preserves directed sets and their suprema: Definition 3.2.If  and  are cpos, a map  :  →  is continuous if for all directed  ⊆ ,  ( ) ⊆  is directed and: The following proposition is a fundamental result about cpos that permits the interpretation of functional programming languages in the model of cpos.Its proof can be found, e.g. in [1].Proposition 3.3.The set of pointwise ordered continuous maps from cpo  to cpo  is a cpo that we denote with  → .
Moreover, the componentwise ordering on products of cpos turns the model of cpos into a cartesian closed category, and therefore into a model of -calculus (see [1] for details).
After these general definitions about the model of cpos, we move to its use for our programming language.
We start with the operation of lifting of a cpo, which adds a least element to an existing cpo: if  is a partially ordered set we let  ⊥ be the set  ∪ {⊥} equipped with the order on  extended with ⊥ ≤  for all  ∈  ⊥ .If  is a set then it is implicitly equipped with the discrete ordering.Liftings of such sets are used to interpret base types.We associate to each type  a cpo [] as follows: where we choose the same symbol ★ to denote the program on the unit type and its interpretation.We now prove that the operation deciding equality between natural numbers, the empty function and the update of a partial function do have the intended semantics.Proposition 3.4.We have: otherwise define: so that: We then prove by induction on if  ≠ , from which the result follows.The second item is immediate and the third follows easily from the first by case analysis.□ We now prove that the interpretation of update recursion satisfies the recursive equation implied by its reduction rule: Lemma 3.5.For all ì , : Proof.Indeed,  is continuous so: The following proposition asserts that the denotational semantics of our programming language is correct with respect to its operational semantics.Proof.By case on the reduction  ⇝  , using the previous lemma for the case of update recursion.□ The following result, computational adequacy, allows to "go back" from the denotational model to the syntactic language on base types.It asserts that if some program on a base type is interpreted as a value, then it must reduce to that value.It will be particularly useful for proving that extracted programs do compute the intended values.The result is standard, usually proved via logical relations, the interested reader can refer to [1].In the following we will often drop the interpretation brackets and use programs with parameters, that is, we will write  [ ì /ì ] instead of [] ( ì ).

REALIZABILITY
In this section we define a general notion of realizability value.We first use it to prove normalization of our programming language.
We then define the interpretation of proofs in our programming language and we prove the correctness of this interpretation with respect to realizability values associated to formulas.Finally, we prove an extraction theorem from proofs of Π 0 2 theorems.
Figure 4: Denotational semantics in complete partial orders

Realizability values
In this section we define a general notion of realizability value that is just a subset of the cpo interpretation of a type.We then prove some properties on these realizability values and we prove a general result on the behavior of update recursion with respect to arbitrary realizability values.
Definition 4.1.A realizability value A on a type  is a subset of its interpretation [].We define for each realizability values A on  and B on  the following realizability values on  →  and  + : As for subtyping, → is contravariant on the left and covariant on the right with respect to inclusion.We also have some commutation rules with respect to unions and intersections.Lemma 4.2.For every realizability values A 1 , A 2 on  and B 1 , B 2 on , if A 2 ⊆ A 1 and B 1 ⊆ B 2 then: Il (A  )  ∈ is a family of realizability values and B is a realizability value, then: The second item follows from the basic rules of quantifiers.□ The following proposition describes very precisely the behavior of update recursion on arbitrary realizability values.We will use it both for proving normalization of our programming language, and for proving correctness of our interpretation of the ∀2 rule of second-order arithmetic.Our proof is largely inspired by [4].
Proof.Remark that ∈N ({} → A  + {★}) is a realizability value on the type  →  + 1 of partial functions on  that we presented earlier.We define a preorder ≼ on this realizability value, which corresponds to the usual order between partial functions, as follows: Be careful that this preorder ≼ is not the cpo order ≤.It is a different preorder that we only use in the proof of the current proposition.
Let  ∈ ∈N ({} → A  + (A  → B)) → B and let: We prove that every non-empty chain of (, ≼) has an upper bound but (, ≼) has no maximal element.Therefore by Zorn's lemma  must be empty, which proves the result.Every non-empty chain of (, ≼) has an upper bound.Let  ⊆  be a non-empty chain.Define ⋎ by ⋎ (⊥) = ⊥ and: Note that since  is a chain, the value in the second case is unique so ⋎ is well defined.By construction, ⋎ is an upper bound of  in ∈N ({} → A  + {★}), so we are left to prove ⋎ ∈ .Suppose for the sake of contradiction that ⋎ ∉ , that is, ur  ⋎ ∈ B. Define   for finite  ⊆ N by: Then for the cpo order ≤ on [ →  + 1]: By monotonicity of ur  we have for all  : ur    ≤ ur  ⋎ so ur    ∈ {⊥, ur  ⋎ } and then by continuity of ur  there must exist  0 such that: By definition of ⋎ and non-emptiness of  , for each  ∈  0 there exists   ∈  such that: Then since  is a chain and  0 is finite, there exists  ∈  such that   ≼  for every  ∈  0 .Finally, for each  ∈ N:

Normalization
We now use the general notion of realizability value to prove the normalization of our programming language.For that, we define for each type  the realizability value | | on  as follows: These realizability values are the semantic counterparts of the usual reducibility candidates, so they satisfy the following property: □ We are now ready to prove that each program belongs to the realizability value associated to its type: Theorem 4.5.For each typing derivation: Finally, for update recursion, this is a consequence of 4.3 with A  = | | and B = || = N, since by lemma 4.2: From this theorem and the previous lemma we get normalization of our programming language: Corollary 4.6.If  is a closed program, then  is normalizing.

Realizability interpretation
We now define the interpretation of second-order arithmetic proofs as programs of our programming language.Our interpretation follows the line of modified realizability and associates to each proof of a formula  in second-order arithmetic a program which type  † is derived from the formula.The mapping is defined as follows: We interpret  () with type  in order to be able to extract natural numbers from proofs in theorem 4.14.In case we aren't interested in extraction then we can interpret  () with an arbitrary discrete non-empty type.Before interpreting proofs as programs, we have to interpret terms  of the logic as programs  † of type .The free variables of  † are the first-order variables of  and they are of type .This interpretation is straightforward, since addition and multiplication are easily implemented with the following programs: Finally, the proof of a sequent: are the free first-order variables of  1 , . . .,   , .The interpretation of logical rules and arithmetical axioms is given in figure 5. Most of these interpretations are standard and the novelty here lies in the interpretation of the ∀2 rule.The interpretation of this rule consists in an instance of update recursion applied to a program inductively defined over the formula under the second-order quantification.

Realizability semantics
We now have to prove that this interpretation is correct with respect to the logic.In order to define what we mean by correct, we associate to each formula a realizability value that represents (the interpretations of) the programs which are correct with respect to the formula.
A valuation for a term  (resp.a formula ) is a mapping of firstorder variables of  (resp.) to elements of N and second-order variables of  to elements of P (N).As we did for programs, instead of pairs (, ) (resp.(, )) of a term (resp.formula) and a valuation for it, we rather use terms (resp.formulas) with parameters, that is, terms (resp.formulas) where free variables are replaced with their assignment through .The value | | in N of a closed term with parameters  is defined using the standard interpretations of , + and × in N. Proof.The proof is by induction on , using that 0 † = 0,   † =  † + 1 and the following facts: We are now ready to define the realizability value associated to each formula with parameters.The whole realizability semantics is parameterized by a set ⊥ ⊥ ⊆ N that will be the set of realizers of the formula ⊥.Allowing for a non-empty set of realizers of ⊥ is a well-known technique for keeping computational content from classical proofs.Indeed, if ⊥ has no realizers then for any formula , either  has realizers, in which case ¬ has no realizer, or  has no realizer, in which case everything is a realizer of ¬.Therefore ¬¬ has no computational content and we cannot hope to get anything interesting when eliminating double negation on it.
For each closed formula with parameters  we define the realizability value || ⊆  † of  on  † as follows:

Adequacy
We now prove the main result of our realizability interpretation.
The adequacy theorem asserts that the program interpreting a given proof belongs to the realizability value of the formula proven.
Theorem 4.8.For each proof in second-order arithmetic: The proof of this theorem proceeds by induction on .We split it into three parts: adequacy for the axioms, adequacy for the firstorder intuitionistic part, and adequacy for the  and ∀2 rules.
Adequacy for the axioms.In the case of axioms, the correctness of our interpretation is mostly straightforward.As usual, we use recursion on natural numbers to interpret induction.Adequacy for the first-order intuitionistic part.We now prove adequacy for the system without the  and ∀2 rules.As for the axioms, this result is straightforward.Lemma 4.10.For each proof in second-order arithmetic without the  and ∀2 rules: Proof.The proof is by induction on .Most of the cases are straightforward.For the ∀ rule we use lemma 4.7.□ Adequacy for the  and ∀2 rules.This section contains the main result: correctness of our interpretation of second-order elimination.First, we prove adequacy for double-negation elimination: Lemma 4.11.For each formula  with parameters:

CONCLUSION AND FUTURE WORKS
We have defined a bar recursive interpretation of second-order arithmetic presented as arithmetic with quantification on predicates rather than the equivalent axiom scheme of comprehension.This presentation of second-order arithmetic is the one that most closely reflects the typing rules of polymorphic -calculus, and as such we made a step towards a comparison of the two families of interpretations of second-order arithmetic: bar recursion and system F. As a future work we would like to deepen the understanding of the connection between these two principles by comparing the computational behavior of programs extracted from a single proof via the two techniques.
Another aspect that we would like to study is wether it is possible to use control operators in the interpretation of the ∀2 rule.Indeed, there is a strong connection between the negative translation of proofs and the continuation-passing style (cps) translation of programs, the latter being the Curry-Howard equivalent of the former.Calculi with control features have been designed to interpret classical proofs directly.Most of these calculi contain a notion of duality that corresponds on the logical side to the duality between a formula and its negation, and on the computational side to a call-by-name or a call-by-value evaluation strategy.During the computation of an approximation to the "perfect knowledge" mentioned in the previous section, update recursion has an asymmetric behavior that consists in building a realizer of ¬ by reading a realizer of  and making a recursive call with a new knowledge extended with this new realizer.This behavior corresponds to the call-by-name interpretation of the excluded middle under a cps translation.We would therefore like to have a version of update recursion that uses control operators and can be translated either to the current version through a call-by-name cps translation, or to a dual version through a call-by-value cps translation.Moreover, control operators can capture context and restore it at a later point.We would like to explore the possibility of using this property to define more intuitive versions of our  1 and  2 that could act on all instances of  () in a formula through context capture.