Keywords

1 Introduction

Transitive Closure Logic (\(\mathrm {TCL}\)) is the extension of first-order logic by an operator computing the transitive closure of definable binary relations. It has been studied by numerous authors, e.g. [15,16,17], and in particular has been proposed as a foundation for the mechanisation and automation of mathematics [1].

Recently, Cohen and Rowe have proposed non-wellfounded and cyclic systems for \(\mathrm {TCL}\) [9, 11]. These systems differ from usual ones by allowing proofs to be infinite (finitely branching) trees, rather than finite ones, under some appropriate global correctness condition (the ‘progressing criterion’). One particular feature of the cyclic approach to proof theory is the facilitation of automation, since complexity of inductive invariants is effectively traded off for a richer proof structure. In fact this trade off has recently been made formal, cf. [3, 12], and has led to successful applications to automated reasoning, e.g. [6, 7, 24, 26, 27].

In this work we investigate the capacity of cyclic systems to automate reasoning in \(\mathrm {TCL}\). Our starting point is the demonstration of a key shortfall of Cohen and Rowe’s system: its cut-free fragment, here called \( \mathsf {TC}_G\), is unable to cyclically prove even standard theorems of relational algebra, e.g. \((a\cup b)^* = a^*(ba^*)^*\) and \((aa \cup aba)^+ \le a^+((ba^+)^+ \cup a)\)) (Theorem 12). An immediate consequence of this is that cyclic proofs of \( \mathsf {TC}_G\) do not enjoy cut-admissibility (Corollary 13). On the other hand, these (in)equations are theorems of Kleene Algebra (KA) [18, 19], a decidable theory which admits automation-via-proof-search thanks to the recent cyclic system of Das and Pous [14].

What is more, \(\mathrm {TCL}\) is well-known to interpret Propositional Dynamic Logic (\(\mathrm {PDL}\)), a modal logic whose modalities are just terms of KA, by a natural extension of the ‘standard translation’ from (multi)modal logic to first-order logic (see, e.g., [4, 5]). Incompleteness of cyclic-\( \mathsf {TC}_G\) for \(\mathrm {PDL}\) over this translation is inherited from its incompleteness for KA. This is in stark contrast to the situation for modal logics without fixed points: the standard translation from K (and, indeed, all logics in the ‘modal cube’) to first-order logic actually lifts to cut-free proofs for a wide range of modal logic systems, cf. [21, 22].

A closer inspection of the systems for KA and \(\mathrm {PDL}\) reveals the stumbling block to any simulation: these systems implicitly conduct a form of ‘deep inference’, by essentially reasoning underneath \(\exists \) and \(\wedge \). Inspired by this observation, we propose a form of hypersequents for predicate logic, with extra structure admitting the deep reasoning required. We present the cut-free system \( \mathsf H\mathsf {TC}\) and a novel notion of cyclic proof for these hypersequents. In particular, the incorporation of some deep inference at the level of the rules necessitates an ‘alternating’ trace condition corresponding to alternation in automata theory.

Our first main result is the Soundness Theorem (Theorem 23): non-wellfounded proofs of \( \mathsf H\mathsf {TC}\) are sound for standard semantics. The proof is rather more involved than usual soundness arguments in cyclic proof theory, due to the richer structure of hypersequents and the corresponding progress criterion. Our second main result is the Simulation Theorem (Theorem 28): \( \mathsf H\mathsf {TC}\) is complete for \(\mathrm {PDL}\) over the standard translation, by simulating a cut-free cyclic system for the latter. This result can be seen as a formal interpretation of cyclic modal proof theory within cyclic predicate proof theory, in the spirit of [21, 22].

To simplify the exposition, we shall mostly focus on equality-free \(\mathrm {TCL}\) and ‘identity-free’ \(\mathrm {PDL}\) in this paper, though all our results hold also for the ‘reflexive’ extensions of both logics. We discuss these extensions in Sect. 7, and present further insights and conclusions in Sect. 8. Full proofs and further examples not included here (due to space constraints) can be found in [13].

2 Preliminaries

We shall work with a fixed first-order vocabulary consisting of a countable set \(\mathsf {Pr}\) of unary predicate symbols, written pq,  etc., and of a countable set \(\mathsf {Rel}\) of binary relation symbols, written ab,  etc. We shall generally reserve the word ‘predicate’ for unary and ‘relation’ for binary. We could include further relational symbols too, of higher arity, but choose not to in order to calibrate the semantics of both our modal and predicate settings.

We build formulas from this language differently in the modal and predicate settings, but all our formulas may be formally evaluated within structures:

Definition 1

(Structures). A structure \(\mathcal M\) consists of a set D, called the domain of \(\mathcal M\), which we sometimes denote by \(|\mathcal M|\); a subset \(p^{\mathcal M} \subseteq D\) for each \(p \in \mathsf {Pr}\); and a subset \(a^{\mathcal M} \subseteq D\times D\) for each \(a \in \mathsf {Rel}\).

2.1 Transitive Closure Logic

In addition to the language introduced at the beginning of this section, in the predicate setting we further make use of a countable set of function symbols, written \(f^i,g^j,\) etc.  where the superscripts \(i,j \in \mathbb N\) indicate the arity of the function symbol and may be omitted when it is not ambiguous. Nullary function symbols (aka constant symbols), are written \({c}, {d} \) etc. We shall also make use of variables, written xy,  etc., typically bound by quantifiers. Terms, written st,  etc., are generated as usual from variables and function symbols by function application. A term is closed if it has no variables.

We consider the usual syntax for first-order logic formulas over our language, with an additional operator for transitive closure (and its dual). Formally, \(\mathrm {TCL}\) formulas, written AB,  etc., are generated as follows:

$$ \begin{array}{rl} A,B \ {:}{:}\!=\ &{} p(t) \mid \bar{p}(t) \mid a(s,t) \mid \bar{a} (s,t) \mid (A\wedge B) \mid (A \vee B) \mid \forall x A \mid \exists x A \mid \\ &{} TC ({\lambda x,y.A})(s,t) \mid \overline{ TC }({\lambda x,y. A})(s,t) \end{array} $$

When variables xy are clear from context, we may write \( TC ({A(x,y)})(s,t)\) or \( TC ({A})(s,t) \) instead of \( TC ({\lambda x,y.A})(s,t)\), as an abuse of notation, and similarly for \(\overline{ TC }\). We may write A[t/x] for the formula obtained from A by replacing every free occurrence of the variable x by the term t. We have included both \( TC \) and \(\overline{ TC }\) as primitive operators, so that we can reduce negation to atomic formulas, shown below. This will eventually allow a one-sided formulation of proofs.

Definition 2

(Duality). For a formula A we define its complement, \(\bar{A}\), by:

We shall employ standard logical abbreviations, e.g. \(A\supset B\) for \(\bar{A} \vee B\).

We may evaluate formulas with respect to a structure, but we need additional data for interpreting function symbols:

Definition 3

(Interpreting function symbols). Let \(\mathcal M\) be a structure with domain D. An interpretation is a map \(\rho \) that assigns to each function symbol \(f^n\) a function \(D^n \rightarrow D\). We may extend any interpretation \(\rho \) to an action on (closed) terms by setting recursively \(\rho (f(t_1, \dots , t_n)) {:}{=}\rho (f)(\rho (t_1), \dots , \rho (t_n))\).

We only consider standard semantics in this work: \( TC \) (and \(\overline{ TC }\)) is always interpreted as the real transitive closure (and its dual) in a structure, rather than being axiomatised by some induction (and coinduction) principle.

Definition 4

(Semantics). Given a structure \(\mathcal M\) with domain D and an interpretation \(\rho \), the judgement \(\mathcal M,\rho \models A\) is defined as usual for first-order logic with the following additional clauses for \( TC \) and \(\overline{ TC }\):Footnote 1

  • \(\mathcal M,\rho \models TC ({A(x,y)})(s,t) \) if there are \(v_0, \dots , v_{n+1} \in D\) with \(\rho (s) = v_0\), \(\rho (t)=v_{n+1} \), such that for every \( i\le n\) we have \(\mathcal M,\rho \models A(v_i,v_{i+1})\).

  • \(\mathcal M, \rho \models \overline{ TC }({A(x,y)})(s,t)\) if for all \(v_0, \dots , v_{n+1} \in D\) with \(\rho (s)=v_0\) and \( \rho (t)=v_{n+1}\), there is some \( i\le n\) such that \(\mathcal M,\rho \models A(v_i,v_{i+1})\).

If \(\mathcal M,\rho \models A\) for all \(\mathcal M\) and \(\rho \), we simply write \(\models A\).

Remark 5

(\( TC \) and \(\overline{ TC }\) as least and greatest fixed points). As expected, we have \(\mathcal M, \rho \not \models TC ({A})(s,t) \) just if \(\mathcal M,\rho \models \overline{ TC }({\bar{A}})(s,t)\), and so the two operators are semantically dual. Thus, \( TC \) and \(\overline{ TC }\) duly correspond to least and greatest fixed points, respectively, satisfying in any model:

$$\begin{aligned} TC ({A})(s,t)\iff & {} A(s,t) \vee \exists x (A(s,x) \wedge TC ({A})(x,t) ) \end{aligned}$$
(1)
$$\begin{aligned} \overline{ TC }({A})(s,t)\iff & {} A(s,t) \wedge \forall x (A(s,x) \vee \overline{ TC }({A})(x,t) ) \end{aligned}$$
(2)

Let us point out that our \(\overline{ TC }\) operator is not the same as Cohen and Rowe’s transitive ‘co-closure’ operator \( TC ^{ op }\) in [10], but rather the De Morgan dual of \( TC \). In the presence of negation, \( TC \) and \(\overline{ TC }\) are indeed interdefinable, cf. Definition 2.

2.2 Cohen-Rowe Cyclic System for \(\mathrm {TCL}\)

Cohen and Rowe proposed in [9, 11] a non-wellfounded system for \(\mathrm {TCL}\) that extends a usual sequent calculus \(\mathsf {L}\mathsf K_=\) for first-order logic with equality and substitution by rules for \( TC \) inspired by its characterisation as a least fixed point, cf. (1).Footnote 2 Note that the presence of the substitution rule is critical for the notion of ‘regularity’ in predicate cyclic proof theory. The resulting notions of non-wellfounded and cyclic proofs are formulated similarly to those for first-order logic with (ordinary) inductive definitions [8]:

Definition 6

(Sequent system). \( \mathsf {TC}_G\) is the extension of \(\mathsf {L}\mathsf K_=\) by the rules:

(3)

\( \mathsf {TC}_G\)-preproofs are possibly infinite trees of sequents generated by the rules of \( \mathsf {TC}_G\). A preproof is regular if it has only finitely many distinct sub-preproofs.

The notion of ‘correct’ non-wellfounded proof is obtained by a standard progressing criterion in cyclic proof theory. We shall not go into details here, being beyond the scope of this work, but refer the reader to those original works (as well as [13] for our current variant). Let us write \(\vdash _ cyc \) for their notion of cyclic provability using the above rules, cf. [9, 11]. A standard infinite descent countermodel argument yields:

Proposition 7

(Soundness, [9, 11]). If \( \mathsf {TC}_G\vdash _ cyc A\) then \( \models A\).

In fact, this result is subsumed by our main soundness result for \( \mathsf H\mathsf {TC}\) (Theorem 23) and its simulation of \( \mathsf {TC}_G\) (Theorem 19). In the presence of cut, a form of converse of Proposition 7 holds: cyclic \( \mathsf {TC}_G\) proofs are ‘Henkin complete’, i.e. complete for all models of a particular axiomatisation of \(\mathrm {TCL}\) based on (co)induction principles for \( TC \) (and \(\overline{ TC }\)) [9, 11]. However, the counterexample we present in the next section implies that cut is not eliminable (Corollary 13).

3 Interlude: Motivation from PDL and Kleene Algebra

Given the \(\mathrm {TCL}\) sequent system proposed by Cohen and Rowe, why do we propose a hypersequential system? Our main argument is that proof search in \( \mathsf {TC}_G\) is rather weak, to the extent that cut-free cyclic proofs are unable to simulate a basic (cut-free) system for modal logic \(\mathrm {PDL}\) (regardless of proof search strategy). At least one motivation here is to ‘lift’ the standard translation from cut-free cyclic proofs for \(\mathrm {PDL}\) to cut-free cyclic proofs in an adequate system for \(\mathrm {TCL}\).

3.1 Identity-Free PDL

Identity-free propositional dynamic logic (\(\mathrm {PDL}^+\)) is a version of the modal logic \(\mathrm {PDL}\) without tests or identity, thereby admitting an ‘equality-free’ standard translation into predicate logic. Formally, \(\mathrm {PDL}^+\) formulas, written AB,  etc., and programs, written \( \alpha , \beta , \) etc., are generated by the following grammars:

$$\begin{aligned}&A,B \ {:}{:}\!=p \mid \overline{p} \mid (A \wedge B) \mid (A \vee B) \mid [\alpha ] A \mid \langle \alpha \rangle A\\&\alpha , \beta \ {:}{:}\!=a \mid (\alpha ;\beta ) \mid (\alpha \cup \beta ) \mid \alpha ^+ \end{aligned}$$

We sometimes simply write \(\alpha \beta \) instead of \(\alpha ;\beta \), and \((\alpha )A\) for a formula that is either \(\langle \alpha \rangle A\) or \([\alpha ]A\).

Definition 8

(Duality). For a formula A we define its complement, \(\bar{A}\), by:

We evaluate \(\mathrm {PDL}^+\) formulas using the traditional relational semantics of modal logic, by associating each program with a binary relation in a structure. Again, we only consider standard semantics, in the sense that the \( + \) operator is interpreted as the real transitive closure within a structure.

Definition 9

(Semantics). For structures \(\mathcal M\) with domain D, elements \(v \in D\), programs \(\alpha \) and formulas A, we define \(\alpha ^{\mathcal M}\subseteq D\times D\) and the judgement \(\mathcal M,v\models A\) as follows:

  • (\(a^{\mathcal M}\) is already given in the specification of \(\mathcal M\), cf. Definition 1).

  • \((\alpha ;\beta )^{\mathcal M} := \{ (u,v) : \text {there is } w\in D \text { s.t.\ } (u,w) \in \alpha ^{\mathcal M}\text { and } (w,v) \in \beta ^{\mathcal M}\}\).

  • \((\alpha \cup \beta )^{\mathcal M} := \{ (u,v) : (u,v) \in \alpha ^{\mathcal M}\text { or } (u,v) \in \beta ^{\mathcal M}\} \).

  • \((\alpha ^+)^{\mathcal M} := \{ (u,v) : \text {there are } w_0, \dots , w_{n+1} \in D \text { s.t.\ } u = w_0, v = w_{n+1} \text { and, } \text {for } \) \( \text {every } i\le n, (w_i,w_{i+1}) \in \alpha ^{\mathcal M}\}\).

  • \(\mathcal M,v \models p\) if \(v \in p^{\mathcal M}\).

  • \(\mathcal M,v \models \overline{p}\) if \(v \notin p^{\mathcal M}\).

  • \(\mathcal M , v \models A \wedge B\) if \(\mathcal M , v \models A \) and \(\mathcal M , v \models B \).

  • \(\mathcal M , v \models A \vee B\) if \(\mathcal M , v \models A \) or \(\mathcal M , v \models B\).

  • \(\mathcal M , v \models [\alpha ] A\) if \(\forall \, (v,w) \in \alpha ^{\mathcal M}\) we have \(\mathcal M, w \models A\).

  • \(\mathcal M, v \models \langle \alpha \rangle A\) if \(\exists \, (v,w) \in \alpha ^{\mathcal M}\) with \(\mathcal M,w \models A\).

If \(\mathcal M,v \models A\) for all \(\mathcal M\) and \(v\in |\mathcal M|\), then we write \(\models A\).

Note that we are overloading the satisfaction symbol \(\models \) here, for both \(\mathrm {PDL}^+\) and \(\mathrm {TCL}\). This should never cause confusion, in particular since the two notions of satisfaction are ‘compatible’ as we shall now see.

3.2 The Standard Translation

The so-called ‘standard translation’ of modal logic into predicate logic is induced by reading the semantics of modal logic as first-order formulas. We now give a natural extension of this that interprets \(\mathrm {PDL}^+\) into \(\mathrm {TCL}\). At the logical level our translation coincides with the usual one for basic modal logic; our translation of programs, as expected, requires the \( TC \) operator to interpret the \(+\) of \(\mathrm {PDL}^+\).

Definition 10

For \(\mathrm {PDL}^+\) formulas A and programs \(\alpha \), we define the standard translations \(\mathsf {ST}(A)({x})\) and \(\mathsf {ST}(\alpha )({x,y})\) as \(\mathrm {TCL}\)-formulas with free variables x and xy, resp., inductively as follows:

figure a

where \( TC (\mathsf {ST}(\alpha ))\) is shorthand for \( TC (\lambda x,y.\mathsf {ST}(\alpha )({x,y}))\).

It is routine to show that \(\overline{\mathsf {ST}(A)({x})} = \mathsf {ST}(\bar{A})({x})\), by structural induction on A, justifying our overloading of the notation \(\bar{A}\), in both \(\mathrm {TCL}\) and \(\mathrm {PDL}^+\). Yet another advantage of using the same underlying language for both the modal and predicate settings is that we can state the following (expected) result without the need for encodings, following by a routine structural induction (see, e.g., [5]):

Theorem 11

For \(\mathrm {PDL}^+\) formulas A, we have \(\mathcal M,v \models A\) iff \(\mathcal M \models \mathsf {ST}(A)({v})\).

3.3 Cohen-Rowe System is not Complete for \(\mathrm {PDL}^+\)

\(\mathrm {PDL}^+\) admits a standard cut-free cyclic proof system \(\mathsf {L}\mathsf {PD}^+\) (see Sect. 6.1) which is both sound and complete (cf. Theorem 30). However, a shortfall of \( \mathsf {TC}_G\) is that it is unable to cut-free simulate \(\mathsf {L}\mathsf {PD}^+\). In fact, we can say something stronger:

Theorem 12

(Incompleteness). There exist a \(\mathrm {PDL}^+\) formula A such that \(\models A\) but \( \mathsf {TC}_G\not \vdash _ cyc \mathsf {ST}(A)({x})\) (in the absence of cut).

This means not only that \( \mathsf {TC}_G\) is unable to locally cut-free simulate the rules of \(\mathsf {L}\mathsf {PD}^+\), but also that there are some validities for which there are no cut-free cyclic proofs at all in \( \mathsf {TC}_G\). One example of such a formula is:

$$\begin{aligned} \langle (aa\cup aba)^+\rangle p \supset \langle a^+((ba^+)^+ \cup a)\rangle p \end{aligned}$$
(4)

A detailed proof of this is found in [13], but let us briefly discuss it here. First, the formula above is not artificial: it is derived from the well-known \(\mathrm {PDL}\) validity \(\langle (a\cup b)^*\rangle p \supset \langle a^*(ba^*)^*\rangle p\) by identity-elimination. This in turn is essentially a theorem of relational algebra, namely \((a\cup b)^* \le a^*(ba^*)^*\), which is often used to eliminate \(\cup \) in (sums of) regular expressions. The same equation was (one of those) used by Das and Pous in [14] to show that the sequent system \(\mathsf {LKA}\) for Kleene Algebra is cut-free cyclic incomplete.

The argument that \( \mathsf {TC}_G\not \vdash _ cyc \mathsf {ST}((4))({x})\) is much more involved than the one from [14], due to the fact we are working in predicate logic, but the underlying basic idea is similar. At a very high level, the RHS of (4) (viewed as a relational inequality) is translated to an existential formula \(\exists z(\mathsf {ST}(a^+)({x,z}) \wedge \mathsf {ST}((ba^+)^+\cup a)({z,y})\) that, along some branch (namely the one that always chooses aa when decomposing the LHS of (4)) can never be instantiated while remaining valid. This branch witnesses the non-regularity of any proof. However \(\mathsf {ST}((4))({x})\) is cyclically provable in \( \mathsf {TC}_G\) with cut, so an immediate consequence of Theorem 12 is:

Corollary 13

The class of cyclic proofs of \( \mathsf {TC}_G\) does not enjoy cut-admissibility.

4 Hypersequent Calculus for \(\mathrm {TCL}\)

Let us take a moment to examine why any ‘local’ simulation of \(\mathsf {L}\mathsf {PD}^+\) by \( \mathsf {TC}_G\) fails, in order to motivate the main system that we shall present. The program rules, in particular the \(\langle \, \rangle \)-rules, require a form of deep inference to be correctly simulated, over the standard translation. For instance, let us consider the action of the standard translation on two rules we shall see later in \(\mathsf {L}\mathsf {PD}^+\) (cf. Sect. 6.1):

The first case above suggests that any system to which the standard translation lifts must be able to reason underneath \(\exists \) and \(\wedge \), so that the inference indicated in blue is ‘accessible’ to the prover. The second case above suggests that the existential-conjunctive meta-structure necessitated by the first case should admit basic equivalences, in particular certain prenexing. This section is devoted to the incorporation of these ideas (and necessities) into a bona fide proof system.

4.1 A System for Predicate Logic via Annotated Hypersequents

An annotated cedent, or simply cedent, written \(S,S'\) etc., is an expression \(\{ \varGamma \}^{\mathbf {x}}\), where \(\varGamma \) is a set of formulas and the annotation \(\mathbf {x}\) is a set of variables. We sometimes construe annotations as lists rather than sets when it is convenient, e.g. when taking them as inputs to a function.

Each cedent may be intuitively read as a \( \mathrm {TCL}\) formula, under the following interpretation: \( fm (\{ \varGamma \}^{x_1, \dots , x_n}) \ {:}{=}\ \exists x_1 \dots \exists x_n \bigwedge \varGamma \). When \(\mathbf {x}= \varnothing \) then there are no existential quantifiers above, and when \(\varGamma = \varnothing \) we simply identify \(\bigwedge \varGamma \) with \(\top \). We also sometimes write simply A for the annotated cedent \(\{ A\}^{\varnothing }\).

A hypersequent, written \(\mathbf {S},\mathbf {S}'\) etc., is a set of annotated cedents. Each hypersequent may be intuitively read as the disjunction of its cedents. Namely we set: \( fm (\{ \varGamma _1\}^{\mathbf {x}_1}, \dots , \{ \varGamma _n\}^{\mathbf {x}_n} ) \, {:}{=}\, fm (\{ \varGamma _1\}^{\mathbf {x}_1}) \vee \dots \vee fm (\{ \varGamma _n\}^{\mathbf {x}_n}). \)

Fig. 1.
figure 1

Hypersequent calculus \( \mathsf H\mathsf {TC}\). \(\sigma \) is a ‘substitution’ map from constants to terms and a renaming of other function symbols and variables.

Full size image

Definition 14

(System). The rules of \( \mathsf H\mathsf {TC}\) are given in Fig. 1. A \( \mathsf H\mathsf {TC}\) preproof is a (possibly infinite) derivation tree generated by the rules of \( \mathsf H\mathsf {TC}\). A preproof is regular if it has only finitely many distinct subproofs.

Our hypersequential system is somewhat more refined than usual sequent systems for predicate logic. E.g., the usual \(\exists \) rule is decomposed into \(\exists \) and \(\mathsf {inst}\), whereas the usual \(\wedge \) rule is decomposed into \(\wedge \) and \(\cup \). The rules for \( TC \) and \(\overline{ TC }\) are induced directly from their characterisations as fixed points in (1).

Note that the rules \(\overline{ TC }\) and \(\forall \) introduce, bottom-up, the fresh function symbol f, which plays the role of the Herbrand function of the corresponding \(\forall \) quantifier: just as \(\forall \mathbf {x}\exists x A( x)\) is equisatisfiable with \(\forall \mathbf {x}A( f(\mathbf {x}))\), when f is fresh, by Skolemisation, by duality \(\exists \mathbf {x}\forall x A(x)\) is equivalid with \(\exists \mathbf {x}A(f(\mathbf {x}))\), when f is fresh, by Herbrandisation. The usual \(\forall \) rule of the sequent calculus corresponds to the case when \(\mathbf {x} = \varnothing \).

4.2 Non-wellfounded Hypersequent Proofs

Our notion of ancestry, as compared to traditional sequent systems, must account for the richer structure of hypersequents:

Definition 15

(Ancestry). Fix an inference step \(\mathsf r\), as typeset in Fig. 1. A formula C in the premiss is an immediate ancestor of a formula \(C'\) in the conclusion if they have the same colour; if then we further require \(C=C'\), and if \(C,C'\) occur in then \(C=C'\) occur in the same cedent. A cedent S in the premiss is an immediate ancestor of a cedent \(S'\) in the conclusion if some formula in S is an immediate ancestor of some formula in \(S'\).

Immediate ancestry on both formulas and cedents is a binary relation, inducing a directed graph whose paths form the basis of our correctness condition:

Definition 16

((Hyper)traces). A hypertrace is a maximal path in the graph of immediate ancestry on cedents. A trace is a maximal path in the graph of immediate ancestry on formulas.

Definition 17

(Progress and proofs). Fix a preproof \(\mathcal {D}\). A (infinite) trace \( (F_i)_{i \in \omega } \) is progressing if there is k such that, for all \(i>k\), \(F_i\) has the form \( \overline{ TC }({A})(s_i,t_i)\) and is infinitely often principal.Footnote 3 A (infinite) hypertrace \(\mathcal H\) is progressing if every infinite trace within it is progressing. A (infinite) branch is progressing if it has a progressing hypertrace. \(\mathcal {D}\) is a proof if every infinite branch is progressing. If, furthermore, \(\mathcal {D}\) is regular, we call it a cyclic proof.

We write \( \mathsf H\mathsf {TC}\vdash _ nwf \mathbf {S}\) (or \( \mathsf H\mathsf {TC}\vdash _ cyc \mathbf {S}\)) if there is a proof (or cyclic proof, respectively) of \( \mathsf H\mathsf {TC}\) of the hypersequent \(\mathbf {S}\).

In usual cyclic systems, checking that a regular preproof is progressing is decidable by straightforward reduction to the universality of nondeterministic \(\omega \)-automata, with runs ‘guessing’ a progressing trace along an infinite branch. Our notion of progress exhibits an extra quantifier alternation: we must guess an infinite hypertrace in which every trace is progressing. Nonetheless, by appealing to determinisation or alternation, we can still decide our progressing condition:

Proposition 18

Checking whether a \( \mathsf H\mathsf {TC}\) preproof is a proof is decidable by reduction to universality of \(\omega \)-regular languages.

As we mentioned earlier, cyclic proofs of \( \mathsf H\mathsf {TC}\) indeed are at least as expressive as those of Cohen and Rowe’s system by a routine local simulation of rules:

Theorem 19

(Simulating Cohen-Rowe). If \( \mathsf {TC}_G\vdash _ cyc A\) then \( \mathsf H\mathsf {TC}\vdash _ cyc A\).

4.3 Some Examples

Example 20

(Fixed point identity). The sequent \(\{ \overline{ TC }({a})(c,d) \}^{\varnothing },\{ TC ({\bar{a}})(c,d) \}^{\varnothing }\) is finitely derivable using rule \(\mathsf {id}\) on \( TC ({a})(c,d)\) and the \(\mathsf {init}\) rule. However we can also cyclically reduce it to a simpler instance of \(\mathsf {id}\). Due to the granularity of the inference rules of \( \mathsf H\mathsf {TC}\), we actually have some liberty in how we implement such a derivation. E.g., the \( \mathsf H\mathsf {TC}\)-proof below applies \( TC \) rules below \(\overline{ TC }\) ones, and delays branching until the ‘end’ of proof search, which is impossible in \( \mathsf {TC}_G\). The only infinite branch, looping on \(\bullet \), is progressing by the blue hypertrace.

figure b

This is an example of the more general ‘rule permutations’ available in \( \mathsf H\mathsf {TC}\), hinting at a more flexible proof theory (we discuss this further in Sect. 8).

Example 21

(Transitivity).\( TC \) can be proved transitive by way of a cyclic proof in \( \mathsf {TC}_G\) of the sequent \(\overline{ TC }({a})(c,d) ,\overline{ TC }({a})(d,e), TC ({\bar{a}})(c,e)\). As in the previous example we may mimic that proof line by line, but we give a slightly different one that cannot directly be interpreted as a \( \mathsf {TC}_G\) proof:

figure c

The only infinite branch (except for that from Example 20), looping on \(\circ \), is progressing by the red hypertrace.

Finally, it is pertinent to revisit the ‘counterexample’ (4) that witnessed incompleteness of \( \mathsf {TC}_G\) for \(\mathrm {PDL}^+\). The following result is, in fact, already implied by our later completeness result, Theorem 28, but we shall present it nonetheless:

Proposition 22

\( \mathsf H\mathsf {TC}\vdash _ cyc \mathsf {ST}((aa \cup aba)^+)({c,d}) \supset \mathsf {ST}(a^+((ba^+)^+\cup a))({c,d})\).

Proof

We give the required cyclic proof in Fig. 2, using the abbreviations: \({\alpha (c,d)} = \mathsf {ST}(a a \cup a b a)({c, d})\) and \({\beta (c,d)} = \mathsf {ST}((b a^+)^+ \cup a)({c, d})\). The only infinite branch (looping on \(\bullet \)) has progressing hypertrace is marked in blue.

Hypersequents and have finitary proofs, while has a cyclic proof.

Fig. 2.
figure 2

Cyclic proof for sequent not cyclically provable by \( \mathsf {TC}_G\).

Full size image

5 Soundness of \( \mathsf H\mathsf {TC}\)

This section is devoted to the proof of the first of our main results:

Theorem 23

(Soundness). If \( \mathsf H\mathsf {TC}\vdash _ nwf \mathbf {S}\) then \( \models \mathbf {S}\).

The argument is quite technical due to the alternating nature of our progress condition. In particular the treatment of traces within hypertraces requires a more fine grained argument than usual, bespoke to our hypersequential structure.

Throughout this section, we shall fix a \( \mathsf H\mathsf {TC}\) preproof \(\mathcal {D}\) of a hypersequent \(\mathbf {S}\). For practical reasons we shall assume that \(\mathcal {D}\) is substitution-free (at the cost of regularity) and that each quantifier in \(\mathbf {S}\) binds a distinct variable.Footnote 4 We further assume some structure \(\mathcal {M}^\times \) and an interpretation \(\rho _0\) such that \(\rho _0 \not \models \mathbf {S}\) (within \(\mathcal {M}^\times \)). Since each rule is locally sound, by contraposition we can continually choose ‘false premisses’ to construct an infinite ‘false branch’:

Lemma 24

(Countermodel branch). There is a branch \(\mathcal {B}^\times = (\mathbf {S}_i)_{i < \omega }\) of \(\mathcal {D}\) and an interpretation \(\rho ^\times \) such that, with respect to \(\mathcal {M}^\times \):

  1. 1.

    \(\rho ^\times \not \models \mathbf {S}_i\), for all \(i<\omega \);

  2. 2.

    Suppose that \(\mathbf {S}_i\) concludes a \(\overline{ TC }\) step, as typeset in Fig. 1, and \(\rho ^\times \models TC ({\bar{A}})(s,t) \, [\mathbf {d}/\mathbf {x}]\). If n is minimal such that \(\rho ^\times \models \bar{A}(d_i,d_{i+1})\) for all \(i\le n\), \(\rho ^\times (s)=d_0\) and \(\rho ^\times (t)=d_n\), and \(n>1\), then \(\rho ^\times (f)(\mathbf {d}) = d_1\)Footnote 5 so that \(\rho _{i+1} \models \bar{A}(s,f(\mathbf {x})) [\mathbf {d}/\mathbf {x}]\) and \(\rho ^\times \models TC ({\bar{A}})(f(\mathbf {x}),t) [\mathbf {d}/\mathbf {x}]\).

Unpacking this a little, our interpretation \(\rho ^\times \) is actually defined as the limit of a chain of ‘partial’ interpretations \((\rho _i)_{i<\omega }\), with each \(\rho _i \not \models \mathbf {S}_i\) (within \(\mathcal {M}^\times \)). Note in particular that, by 2, whenever some \(\overline{ TC }\)-formula is principal, we choose \(\rho _{i+1}\) to always assign to it a falsifying path of minimal length (if one exists at all), with respect to the assignment to variables in its annotation. It is crucial at this point that our definition of \(\rho ^\times \) is parametrised by such assignments.

Let us now fix \(\mathcal {B}^\times \) and \(\rho ^\times \) as provided by the Lemma above. Moreover, let us henceforth assume that \(\mathcal {D}\) is a proof, i.e. it is progressing, and fix a progressing hypertrace \( \mathcal {H}= (\{ \varGamma _i\}^{\mathbf {x}_i})_{i< \omega } \) along \(\mathcal {B}^\times \). In order to carry out an infinite descent argument, we will need to define a particular trace along this hypertrace that ‘preserves’ falsity, bottom-up. This is delicate since the truth values of formulas in a trace depend on the assignment of elements to variables in the annotations. A particular issue here is the instantiation rule \(\mathsf {inst}\), which requires us to ‘revise’ whatever assignment of y we may have defined until that point. Thankfully, our earlier convention on substitution-freeness and uniqueness of bound variables in \(\mathcal {D}\) facilitates the convergence of this process to a canonical such assignment:

Definition 25

(Assignment). We define \(\delta _\mathcal {H}: \bigcup \limits _{i<\omega }\mathbf {x}_i \rightarrow |\mathcal {M}^\times |\) by \( \delta _\mathcal {H}(x) {:}{=}\rho (t)\) if x is instantiated by t in \(\mathcal {H}\); otherwise \(\delta _\mathcal {H}(x)\) is some arbitrary \(d\in |\mathcal {M}^\times |\).

Note that \(\delta _\mathcal {H}\) is indeed well-defined, thanks to the convention that each quantifier in \(\mathbf {S}\) binds a distinct variable. In particular we have that each variable x is instantiated at most once along a hypertrace. Henceforth we shall simply write \(\rho ,\delta _\mathcal {H}\models A(\mathbf {x})\) instead of \(\rho \models A(\delta _\mathcal {H}(\mathbf {x}))\). Working with such an assignment ensures that false formulas along \(\mathcal {H}\) always have a false immediate ancestor:

Lemma 26

(Falsity through \(\mathcal {H}\)). If \(\rho ^\times , \delta _\mathcal {H}\not \models F\) for some \(F\in \varGamma _i\), then F has an immediate ancestor \(F'\in \varGamma _{i+1}\) with \(\rho ^\times ,\delta _\mathcal {H}\not \models F'\).

In particular, regarding the \(\mathsf {inst}\) rule of Fig. 1, note that if \(F \in \varGamma (y)\) then we can choose \(F' = F[t/y]\) which, by definition of \(\delta _\mathcal {H}\), has the same truth value. By repeatedly applying this Lemma we obtain:

Proposition 27

(False trace). There exists an infinite trace \( \tau ^\times = (F_i)_{i<\omega } \) through \( \mathcal {H}\) such that, for all i, it holds that \( \mathcal {M}^\times , \rho ^\times , \delta _\mathcal {H}\not \models F_i \).

We are now ready to prove our main soundness result.

Proof (of Theorem 23, sketch)

. Fix the infinite trace \( \tau ^\times = (F_i)_{i<\omega } \) through \( \mathcal {H}\) obtained by Proposition 27. Since \(\tau ^\times \) is infinite, by definition of \( \mathsf H\mathsf {TC}\) proofs, it needs to be progressing, i.e., it is infinitely often \(\overline{ TC }\)-principal and there is some \(k\in \mathbb N\) s.t. for \(i>k\) we have that \(F_i = \overline{ TC }({A})(s_i,t_i)\) for some terms \(s_i,t_i\).

To each \( F_i \), for \(i>k\), we associate the natural number \(n_i\) measuring the ‘\(\bar{A}\)-distance between \(s_i\) and \(t_i\)’. Formally, \(n_i\in \mathbb N\) is least such that there are \(d_0, \dots , d_{n_i} \in |\mathcal {M}^\times |\) with \(\rho ^\times (s) = d_0, \rho ^\times (t) = d_{n_i}\) and, for all \(i<n_i\), \(\rho ^\times ,\delta _\mathcal {H}\models \bar{A}(d_i,d_{i+1})\). Our aim is to show that \( (n_i)_{i > k} \) has no minimal element, contradicting wellfoundness of \( \mathbb N\). For this, we establish the following two local properties:

Fig. 3.
figure 3

Rules of \(\mathsf {L}\mathsf {PD}^+\).

Full size image
  1. 1.

    \( (n_i)_{i> k} \) is monotone decreasing, i.e., for all \( i > k \), we have \( n_{i+1}\le n_i \);

  2. 2.

    Whenever \( F_i\) is principal, we have \( n_{i+1} < n_i \).

So \( (n_i)_{i > k} \) is monotone decreasing, by 1, but cannot converge, by 2 and the definition of progressing trace. Thus \( (n_i)_{k <i} \) has no minimal element, yielding the required contradiction.

6 \( \mathsf H\mathsf {TC}\) is Complete for \(\mathrm {PDL}^+\), Over Standard Translation

In this section we give our next main result:

Theorem 28

(Completeness for \(\mathrm {PDL}^+\)). For a \(\mathrm {PDL}^+\) formula A, if \(\models A\) then \( \mathsf H\mathsf {TC}\vdash _ cyc \mathsf {ST}(A)({c})\).

The proof is by a direct simulation of a cut-free cyclic system for \(\mathrm {PDL}^+\) that is complete. We shall briefly sketch this system below.

6.1 Circular System for \(\mathrm {PDL}^+\)

The system \(\mathsf {L}\mathsf {PD}^+\), given in Fig. 3, is the natural extension of the usual sequent calculus for basic multimodal logic K by rules for programs. In Fig. 3, \(\langle a\rangle \varGamma \) is shorthand for \(\{\langle a\rangle B : B \in \varGamma \} \). (Regular) preproofs for this system are defined just like for \( \mathsf H\mathsf {TC}\) or \( \mathsf {TC}_G\). The notion of ‘immediate ancestor’ is induced by the indicated colouring: a formula C in a premiss is an immediate ancestor of a formula \(C'\) in the conclusion if they have the same colour; if \(C,C'\in \varGamma \) then we furthermore require \(C=C'\).

Definition 29

(Non-wellfounded proofs). Fix a preproof \(\mathcal {D}\) of a sequent \(\varGamma \). A thread is a maximal path in its graph of immediate ancestry. We say a thread is progressing if it has a smallest infinitely often principal formula of the form \([\alpha ^+]A\). \(\mathcal {D}\) is a proof if every infinite branch has a progressing thread. If \(\mathcal {D}\) is regular, we call it a cyclic proof and we may write \(\mathsf {L}\mathsf {PD}^+\vdash _ cyc \varGamma \).

Soundness of cyclic-\(\mathsf {L}\mathsf {PD}^+\) is established by a standard infinite descent argument, but is also implied by the soundness of cyclic-\( \mathsf H\mathsf {TC}\) (Theorem 23) and the simulation we are about to give (Theorem 28), though this is somewhat overkill. Completeness may be established by the game theoretic approach of Niwinskí and Walukiewicz [23], as done by Lange [20] for \(\mathrm {PDL}\) (with identity), or by purely proof theoretic techniques of Studer [25]. Either way, both results follow from a standard embedding of \(\mathrm {PDL}^+\) into the \(\mu \)-calculus and its known completeness results [23, 25], by way of a standard ‘proof reflection’ argument: \(\mu \)-calculus proofs of the embedding are ‘just’ step-wise embeddings of \(\mathsf {L}\mathsf {PD}^+\) proofs:

Theorem 30

(Soundness and completeness, [20]). Let A be a \(\mathrm {PDL}^+\) formula. \( \models A\) iff \(\mathsf {L}\mathsf {PD}^+\vdash _ cyc A\).

6.2 A ‘Local’ Simulation of \(\mathsf {L}\mathsf {PD}^+\) by \( \mathsf H\mathsf {TC}\)

In this subsection we show that \(\mathsf {L}\mathsf {PD}^+\)-preproofs can be stepwise transformed into \( \mathsf H\mathsf {TC}\)-proofs, with respect to the standard translation. In order to produce this local simulation, we need a more refined version of the standard translation that incorporates the structural elements of hypersequents.

Fix a \( \mathrm {PDL}^+\) formula \(A =[\alpha _1] \dots [\alpha _n]\langle \beta _1\rangle \dots \langle \beta _m\rangle B \), for \( n,m \ge 0 \). The hypersequent translation of A, written \( \mathsf {HT}(A)({c}) \), is defined as:

$$\begin{aligned}&\{ \overline{\mathsf {ST}(\alpha _1)({{c},{d}_1})} \}^{\varnothing }, \{ \overline{\mathsf {ST}(\alpha _2)({{d}_1,{d}_2})} \}^{\varnothing }, \dots , \{ \overline{\mathsf {ST}(\alpha _n)({{d}_{n-1},{d}_n})} \}^{\varnothing }, \\&\{ \mathsf {ST}(\beta _1)({{d}_n,y_1}),\mathsf {ST}(\beta _2)({y_2,y_3}),\dots , \mathsf {ST}(\beta _m)({y_{m-1},y_m}), \mathsf {ST}(B)({y_m})\}^{y_1, \dots , y_m} \end{aligned}$$

For \( \varGamma = A_1, \dots , A_k \), we write \( \mathsf {HT}(\varGamma )({c}) {:}{=}\mathsf {HT}(A_1)({c}), \dots , \mathsf {HT}(A_k)({c}) \).

Definition 31

(\(\mathsf {HT}\)-translation). Let \( \mathcal {D} \) be a \( \mathrm {PDL}^+\) preproof. We shall define a \( \mathsf H\mathsf {TC}\) preproof \( \mathsf {HT}(\mathcal {D})(c)\) of the hypersequent \( \mathsf {HT}(A)({c}) \) by a local translation of inference steps. We give only a few of the important cases here, but a full definition can be found in [13].

  • A step is translated to:

figure d

where (omitted) left-premisses of \(\cup \) steps are simply proved by \(\mathsf {wk},\mathsf {id},\mathsf {init}\). In this and the following cases, we use the notation \(\mathsf {CT}(A)(c)\) and \(\mathbf {x}_A\) for the appropriate sets of formulas and variables forced by the definition of \(\mathsf {HT}\) (again, see [13] for further details).

  • A \({\langle \cup \rangle }_i\) step (for \(i=0,1\)), as typeset in Fig. 3, is translated to:

  • A \(\langle ;\rangle \) step, as typeset in Fig. 3, is translated to:

  • A \([+]\) step, as typeset in Fig. 3, is translated to:

    where \(\mathcal E \) and \(\mathcal E'\) derive \(\mathsf {HT}(\varGamma )({c})\) and \( \mathsf {HT}([\alpha ]A)({c}) \), resp., using \(\mathsf {wk}\)-steps.

Note that, formally speaking, the well-definedness of \(\mathsf {HT}(\mathcal {D})(c)\) in the definition above is guaranteed by coinduction: each rule of \(\mathcal {D}\) is translated into a (nonempty) derivation.

Remark 32

(Deeper inference). Observe that \( \mathsf H\mathsf {TC}\) can also simulate ‘deeper’ program rules than are available in \(\mathsf {L}\mathsf {PD}^+\). E.g. a rule may be simulated too (similarly for \([\, ]\)). E.g. \(\langle a^+\rangle \langle b\rangle p \supset \langle a^+\rangle \langle b\cup c \rangle p\) admits a finite proof in \( \mathsf H\mathsf {TC}\) (under \(\mathsf {ST}\)), rather than a necessarily infinite (but cyclic) one in \(\mathsf {L}\mathsf {PD}^+\).

6.3 Justifying Regularity and Progress

Proposition 33

If \(\mathcal {D}\) is regular, then so is \(\mathsf {HT}(\mathcal {D})(c)\).

Proof

Notice that each rule in \(\mathcal {D}\) is translated to a finite derivation in \(\mathsf {HT}(\mathcal {D})(c)\). Thus, if \( \mathcal {D} \) has only finitely many distinct subproofs, then also \(\mathsf {HT}(\mathcal {D})({c}) \) has only finitely many distinct subproofs.

Proposition 34

If \(\mathcal {D}\) is progressing, then so is \(\mathsf {HT}(\mathcal {D})(c)\).

Proof (sketch)

We need to show that every infinite branch of \( \mathsf {HT}(\mathcal {D})({c}) \) has a progressing hypertrace. Since the \(\mathsf {HT}\) translation is defined stepwise on the individual steps of \(\mathcal {D}\), we can associate to each infinite branch \(\mathcal B\) of \(\mathsf {HT}(\mathcal {D})({c}) \) a unique infinite branch \(\mathcal B'\) of \(\mathcal {D}\). Since \(\mathcal {D}\) is progressing, let \( \tau = (F_i)_{i < \omega } \) be a progressing thread along \(\mathcal B'\). By inspecting the rules of \(\mathsf {L}\mathsf {PD}^+\) (and by definition of progressing thread), for some \(k\in \mathbb N\), each \(F_i\) for \(i>k\) has the form: \( [\alpha _{i,1}]\cdots [\alpha _{i,n_i}] [\alpha ^+]A, \) for some \(n_i \ge 0\). So, for \(i>k\), \(\mathsf {HT}(F_i)(d_i)\) has the form:

figure e

By inspection of the \(\mathsf {HT}\)-translation (Definition 31) whenever \( F_{i+1} \) is an immediate ancestor of \( F_i \) in \(\mathcal B'\), there is a path from the cedent to the cedent in the graph of immediate ancestry along \(\mathcal B\). Thus, since \(\tau =(F_i)_{i<\omega }\) is a trace along \(\mathcal B'\), we have a (infinite) hypertrace of the form \(\mathcal H_\tau {:}{=}( \{ \varDelta _i, \overline{ TC }({\overline{\mathsf {ST}(\alpha )}})( {d}_{i,{n_i}} ,d_i) \}^{\varnothing } )_{i>k'} \) along \(\mathcal B\). By construction \(\varDelta _i = \varnothing \) for infinitely many \(i>k'\), and so \(\mathcal H_\tau \) has just one infinite trace. Moreover, by inspection of the \([+]\) step in Definition 31, this trace progresses in \(\mathcal B\) every time \(\tau \) does in \(\mathcal B'\), and so progresses infinitely often. Thus, \(\mathcal H\) is a progressing hypertrace. Since the choice of the branch \(\mathcal B\) of \(\mathcal {D}\) was arbitrary, we are done.

6.4 Putting it all Together

We can now finally conclude our main simulation theorem:

Proof (of Theorem 28, sketch)

[of Theorem 28, sketch] Let A be a \(\mathrm {PDL}^+\) formula s.t. \(\models A\). By the completeness result for \(\mathsf {L}\mathsf {PD}^+\), Theorem 30, we have that \(\mathsf {L}\mathsf {PD}^+\vdash _ cyc A\), say by a cyclic proof \(\mathcal {D}\). From here we construct the \( \mathsf H\mathsf {TC}\) preproof \(\mathsf {HT}(\mathcal {D})(c)\) which, by Propositions 33 and 34, is in fact a cyclic proof of \(\mathsf {HT}(A)(c)\). Finally, we apply some basic \(\vee , \wedge , \exists , \forall \) steps to obtain a cyclic \( \mathsf H\mathsf {TC}\) proof of \(\mathsf {ST}(A)({c})\).

7 Extension by Equality and Simulating Full \(\mathrm {PDL}\)

We now briefly explain how our main results are extended to the ‘reflexive’ version of \(\mathrm {TCL}\). The language of \( \mathsf H\mathsf {TC}_=\) allows further atomic formulas of the form \(s=t\) and \(s\ne t\). The calculus \( \mathsf H\mathsf {TC}_=\) extends \( \mathsf H\mathsf {TC}\) by the rules:

The notion of immediate ancestry is colour-coded as in Definition 15, and the resulting notions of (pre)proof, (hyper)trace and progress are as in Definition 17. The simulation of Cohen and Rowe’s system \( \mathsf {TC}_G\) extends to their reflexive system, \( \mathsf R \mathsf {TC}_G\), by defining their operator \( RTC ({\lambda x,y.A}) (s,t) {:}{=} TC ({\lambda x,y.(x=y \vee A)})(s,t)\). Note that, while it is semantically correct to set \( RTC ({A}) (s,t)\) to be \(s=t \vee TC ({A})(s,t)\), this encoding does not lift to the Cohen-Rowe rules for \( RTC \). Understanding that structures interpret \(=\) as true equality, a modular adaptation of the soundness argument for \( \mathsf H\mathsf {TC}\), cf. Sect. 5, yields:

Theorem 35

(Soundness of \( \mathsf H\mathsf {TC}_=\)). If \( \mathsf H\mathsf {TC}_=\vdash _ nwf \mathbf {S}\) then \( \models \mathbf {S}\).

Turning to the modal setting, \(\mathrm {PDL}\) may be defined as the extension of \(\mathrm {PDL}^+\) by including a program A? for each formula A. Semantically, we have \((A?)^{\mathcal M} = \{ (v,v) : \mathcal M,v\models A \}\). From here we may define \(\varepsilon {:}{=}\top ?\) and \(\alpha ^* {:}{=}(\varepsilon \cup \alpha )^+\); again, while it is semantically correct to set \(\alpha ^* = \varepsilon \cup \alpha ^+\), this encoding does not lift to the standard sequent rules for \(*\). The system \(\mathsf {L}\mathsf {PD}\) is obtained from \(\mathsf {L}\mathsf {PD}^+\) by including the rules:

Again, the notion of immediate ancestry is colour-coded as for \(\mathsf {L}\mathsf {PD}^+\); the resulting notions of (pre)proof, thread and progress are as in Definition 29. Just like for \(\mathsf {L}\mathsf {PD}^+\), a standard encoding of \(\mathsf {L}\mathsf {PD}\) into the \(\mu \)-calculus yields its soundness and completeness, thanks to known sequent systems for the latter, cf. [23, 25], but has also been established independently [20]. Again, a modular adaptation of the simulation of \(\mathsf {L}\mathsf {PD}^+\) by \( \mathsf H\mathsf {TC}\), cf. Sect. 6, yields:

Theorem 36

(Completeness for \(\mathrm {PDL}\)). Let A be a \(\mathrm {PDL}\) formula. If \(\models A\) then \( \mathsf H\mathsf {TC}_=\vdash _ cyc \mathsf {ST}(A)({c})\).

8 Conclusions

In this work we proposed a novel cyclic system \( \mathsf H\mathsf {TC}\) for Transitive Closure Logic (\(\mathrm {TCL}\)) based on a form of hypersequents. We showed a soundness theorem for standard semantics, requiring an argument bespoke to our hypersequents. Our system is cut-free, rendering it suitable for automated reasoning via proof search. We showcased its expressivity by demonstrating completeness for \(\mathrm {PDL}\), over the standard translation. In particular, we demonstrated formally that such expressivity is not available in the previously proposed system \( \mathsf {TC}_G\) of Cohen and Rowe (Theorem 12). Our system \( \mathsf H\mathsf {TC}\) locally simulates \( \mathsf {TC}_G\) too (Theorem 19).

As far as we know, \( \mathsf H\mathsf {TC}\) is the first cyclic system employing a form of deep inference resembling alternation in automata theory, e.g. wrt. proof checking, cf. Proposition 18. It would be interesting to investigate the structural proof theory that emerges from our notion of hypersequent. As hinted at in Examples 20 and 21, our hypersequential system exhibits more liberal rule permutations than usual sequents, so we expect their focussing and cut-elimination behaviours to similarly be richer, cf. [21, 22]. Note however that such investigations are rather pertinent for pure predicate logic (without \( TC \)): focussing and cut-elimination arguments do not typically preserve regularity of non-wellfounded proofs, cf. [2].

Finally, our work bridges the cyclic proof theories of (identity-free) \(\mathrm {PDL}\) and (reflexive) \(\mathrm {TCL}\). With increasing interest in both modal and predicate cyclic proof theory, it would be interesting to further develop such correspondences.