Quantifier-free induction for lists

We investigate quantifier-free induction for Lisp-like lists constructed inductively from the empty list $\mathit{nil}$ and the operation $\mathit{cons}$, that adds an element to the front of a list. First we show that, for $m \geq 1$, quantifier-free $m$-step induction does not simulate quantifier-free $(m + 1)$-step induction. Secondly, we show that for all $m \geq 1$, quantifier-free $m$-step induction does not prove the right cancellation property of the concatenation operation on lists defined by left-recursion.


Introduction
In this article we consider Lisp-like lists in the context of the automation of proof by mathematical induction.The subject of automated inductive theorem proving (AITP) aims at automating the process of proving statements about inductively constructed objects such as natural numbers, lists and trees.The formal verification of software is a particularly prominent application of automated inductive theorem proving.Since every non-trivial program contains loops or recursion, some form of mathematical induction is necessary to reason about such programs.By Gödel's incompleteness theorem the task addressed by AITP is in general not even semi-decidable.Therefore, there is a lot more freedom in the choice of the proof systems than in the case of first-order validity.For that reason and because of technical constraints, a great variety of methods have been developed for that purpose.To name just a few examples, there are methods based on recursion analysis [5], integration into saturation-based provers [26,21,10], cyclic proofs [3], theory exploration [6], proof by consistency [8].
The current methodology in automated inductive theorem proving concentrates primarily on the implementation of systems and their empirical evaluation.The work in this article is part of a research program that aims at complementing this state of the art by focusing on the formal analysis of methods for automated inductive theorem proving.In particular, we aim at understanding the theoretical limits of systems by developing upper bounds on the logical strength of methods.Establishing sufficiently tight upper bounds on the strength of AITP systems often allows us to provide practically meaningful unprovability results whereas an empirical evaluation only shows the failure of a particular implementation.Moreover, upper bounds typically reveal the particular form of induction underlying the AITP systems.This knowledge permits the direct comparison of methods and helps in judging the applicability of AITP systems to certain domains.
So far the work in this research program [20,17,18,19,31] has concentrated on induction for natural numbers only.However, since lists and other inductive data types are fundamental structures of computer science, it is of paramount importance for the subject of AITP to analyze the mechanical properties of these inductive datatypes.In this article we make a first important step towards extending this research program to inductively defined lists.In particular, we show that the right cancellation property of the concatenation of lists is not provable by a form of induction used in some automated inductive theorem proving systems.With this result we pave the way for obtaining further unprovability results for AITP systems on lists and other inductive data types.
In the following we briefly mention some aspects of axiomatic theories of finite lists have been studied in theoretical computer science.In [23] an axiomatic theory of linear lists (Lisp-like lists) is defined and some basic results about consistency, completeness, and independency of the axioms are shown.Similar theories are considered in a more general setting in [24].In [12,2,1] the computability aspects of list structures are investigated.
Axiomatic theories of lists are closely related to theories of concatenation studied in logic [29,25].Theories of concatenation axiomatise strings of symbols over a finite alphabet.Theories of concatenation have been proposed as alternative basic systems for the development of metamathematical results such as Gödel's incompleteness theorems and computability [32,13,14,9,30].In such theories there is no need to develop a coding of finite sequences [25,13].Hence, theories of concatenation permit a more natural development of syntax.
In this article we consider the provability of the right-cancellation of the concatenation of finite lists from quantifier-free big-step first-order induction for Lisplike lists.After recalling some basic concepts and notations in Section 2, we show the two main results of this article in Sections 3 and 4. First, in Section 3, we show that in general m-step quantifier-free induction does not prove (m + 1)-step quantifier-free induction.This results sets induction on lists in contrast with induction for natural numbers where big-step quantifier-free induction is not stronger than one-step quantifier-free induction.Secondly, in Section 4, we show that for all m ≥ 1, m-step induction, over the language consisting of the list constructors and a concatenation operator, does not prove the right cancellation property of the concatenation operation.In order to show these unprovability results we will construct models whose domain contains sequences of transfinite length.

Preliminaries
In this section we introduce some concepts, notations, and results that we will use throughout the article.In Section 2.1 we recall some basic concepts and notations of many-sorted first-order logic.Section 2.2 defines some basic axioms of the list constructors and the traditional induction schema for lists as well as related terminology.Finally, in Section 2.3 we introduce some concepts on transfinite sequences, which we will use in the model theoretic constructions of Section 3 and Section 4.

Many-sorted first-order logic
We work in the setting of classical many-sorted first-order logic with equality.Let S be a finite set of sorts, then for each sort s ∈ S we let V s be a countably infinite set of variable symbols of the sort s.We write x : s to indicate that x is a variable symbol of sort s, that is, x ∈ V s .When the sort of a variable is irrelevant or clear from the context, we omit the sort annotation and simply use the variable symbol.We assume that the sets of variable symbols for the sorts in S are pairwise disjoint.A many-sorted first-order language L over the sorts S is a set of predicate symbols of the form P : , where P, f are symbols, s 1 , . . ., s n , s n+1 ∈ S and o is a special sort symbol assumed not to appear in S. For a function symbol f the expression f : that f takes arguments of sorts s 1 , . . ., s n to a value of sort s n+1 .Similarly, for a predicate symbol P the expression of the form P : that P is a predicate with arguments of sorts s 1 , . . ., s n .Terms of L are constructed as usual from the variable symbols and function symbols according to their respective types.Each thus constructed term t has a uniquely determined sort s and, therefore, we call t an s-term.Formulas of L are constructed from terms, predicate symbols, the connectives ⊤, ⊥, ∧, ¬, ∨, → and the quantifiers (∀x : s), (∃x : s) for s ∈ S and x ∈ V s .
In this article we will make heavy, albeit elementary, use of model theoretic techniques.Hence, we recall some basic model theoretic concepts and notations.
A first-order structure M for the language L (over sorts S) is a function that assigns: To each sort s ∈ S a non-empty set M (s); To each function symbol A variable assignment σ is a function that assigns to each variable symbol v : s with s ∈ S an element of M (s).We write M, σ |= ϕ if the formula ϕ is true in M under the variable assignment σ.Let ϕ(x 1 : s 1 , . . ., x n : s n , y) be a formula and d i ∈ M (s i ) for i = 1, . . ., n, then we write M, for all variable assignments σ with σ(x i ) = d i for i = 1, . . ., n.Thus, in particular, M |= ϕ if M, σ |= ϕ for all variable assignments σ.Let t(x 1 : s 1 , . . ., x n : s n ) be a term and d 1 , . . ., d n a finite sequence in M (s In the arguments given in Sections 3 and 4 it is often necessary to consider terms and formulas of a language L under some partial variable assignment over an L structure M .In order to simplify the notation, we let L(M ) denote the language L extended by a fresh function symbol c d : s for each element d ∈ M (s) and sort s ∈ S.Moreover, we let the structure M interpret the language L(M ) by letting M interpret c d as the object d.
In this article we define a theory T to be a set of sentences, which we call the axioms of T .Let ϕ be formula, then we write T ⊢ ϕ if ϕ is provable in (manysorted) first-order logic from the axioms of T .Let T 1 , T 2 be theories, then T 1 + T 2 denotes the theory axiomatized by the set of sentences T 1 ∪ T 2 .
Finally, let us define some notation for some particular sets of formulas.By Open(L) we denote the set of quantifier-free formulas of the language L. Let Φ be a set of formulas, then we write ∀ 1 (Φ) (∃ 1 (Φ)) for the set of formulas in Φ of the form (∀ x)ϕ ((∃ x)ϕ) where ϕ is a quantifier-free formula and x is a possibly empty sequence of variables.We also write ∀ 1 (L) for the formulas of the above form in the language L.

Induction and lists
In this section we introduce the basic construction of finite Lisp-like lists that we work with in this article.We also recall the traditional induction schema for lists and its related terminology.Throughout the article we will consider various forms of induction that will be defined when needed.We use the traditional induction schema as defined in this section as a reference in the sense that we justify the other induction schemata in terms of the traditional one.Now we will define the basic language of finite Lisp-like lists and the corresponding induction schema.
Definition 2.1.The language L 0 consists of the sort i of elements and the sort list of finite lists.Moreover, the language L 0 contains the function symbols nil : list and cons : i × list → list.
Informally, the symbol nil denotes the empty list and cons denotes the operation that adds a given element to the front of a given list.For the sake of legibility we will use upper case letters X, Y , Z and variants thereof to denote variables that range over the sort list.For these variables we omit the the sort annotation, that is, the ": list" part.
The traditional induction schema for Lisp-like lists is analogous to the one for natural numbers with the exception that the induction step also quantifies over elements.
Definition 2.2.Let ϕ(X, z) be a formula, then the formula I X ϕ is given by For a set of formulas Φ, the theory Φ-IND is axiomatized by the universal closure of the formulas I X ϕ, where ϕ(X, z) ∈ Φ.
The induction schema given above is parameterized by the set of possible induction formulas.This permits to consider various theories by varying the structure of the induction formulas.
We will also refer to the above induction principle as one-step induction, since the induction step proceeds by a step of size one.In Section 3 we will introduce the big-step induction principle that proceeds in larger steps.
When we work with theories of lists we usually work over the following base theory that provides the disjointness and the injectivity of the list constructors nil and cons.
Definition 2.3.The theory T 0 is axiomatized by the following axioms

Transfinite sequences
In this section we introduce some notations and definitions related to transfinite sequences, that is, sequences indexed by ordinals.Later on in Sections 3 and 4, we will heavily rely on transfinite sequences, of length up to ω 3 , for the construction of non-standard models of induction over lists.Let X be a set and α be an ordinal number, then as usual X α denotes the set {f : α → X } of sequences of elements of X with length α.By X <α (X ≤α ) we denote the set β<α X β ( β≤α X β ).In particular, we denote by X * the set X <ω = i∈N X i of all finite sequences of elements of X .Let a ∈ X ≤α , then |a| denotes the ordinal β ≤ α such that a ∈ X β .The empty sequence () (= ∅) is also denoted by ε and (x) denotes the one element sequence {0 → x}.
In the following we define concatenation of ordinal indexed sequences.The definition as given below relies on the well-definedness of ordinal subtraction of an ordinal β from an ordinal α when α ≥ β (see [28,Theorem 8.8]).
Observe that the definition of concatenation of ordinal indexed sequences given above generalizes the concatenation of finite sequences, since The concatenation of ordinal indexed sequences as defined above has some interesting properties.
Proof.For (i ) let µ < α + β + δ.By the associativity of ordinal addition we have a ⌢ (b ⌢ c), (a ⌢ b) ⌢ c ∈ X α+β+γ .Now we have to consider three cases.If µ < α, then µ < α + β.Hence If α ≤ µ < α + β, then there is a unique ordinal δ such that α + δ = µ.Moreover, by the monotonicity properties of ordinal addition we have δ < β.Hence For (ii ) observe that since a ⌢ b ∈ X α+β , a ⌢ c ∈ X α+γ we have α+β = α+γ and therefore by the left cancellation of ordinal addition β = γ.Now let δ < β, then we have Observe, however, that since already ordinal addition does not have right cancellation, the concatenation of ordinal indexed sequences does clearly also not have right cancellation.
For sequences we will often be interested in suffixes.In the following definition we introduce some notation for accessing the suffix of a sequence.Definition 2.6 (Sequence suffix).Let X be a set, α, β ordinals with β ≤ α, and a ∈ X α , then the sequence a ↑ β is given by for γ < µ where µ is the unique ordinal such that β + µ = α.
Finally, let us give some notation for the sequence obtained by concatenating sequences of uniform length.This construction will be used in Section 4 and relies on ordinal division with remainder (see [28,Theorem 8.27]).Definition 2.7.Let X be a set, α, β ordinals with α > 0, and a ∈ (X α ) β .The sequence ⌊a⌋ ∈ X α•β is defined by for ξ < α •β where µ, δ are the unique ordinals such that ξ = (α •δ)+ µ with µ < α.Furthermore, for a ∈ X α , we denote by a β the sequence ⌊(a) γ<β ⌋ consisting of β times the sequence a.

Big-step induction
Big-step induction is a generalization of the induction principle of Definition 2.2 in which the induction step proceeds by adding more than one element.Big-step induction and other induction principles are often used in automated inductive theorem provers [4].Some formulas can be proved more naturally by a special induction principle.Hence a special induction principle may allow a prover to find a proof faster under the constraints of its proof search algorithm or even enable the prover to prove the formula in the first place [31].It is therefore interesting to investigate the relation between the one-step induction principle and special induction principles implemented in AITP systems.
In this section we show the first main result of this article, namely that, for all m ≥ 1, quantifier-free (m + 1)-step induction for lists does not follow from quantifier-free m-step induction.In particular, quantifier-free big-step induction for lists cannot be reduced to quantifier-free one-step induction, which is in contrast to induction on natural numbers where such a reduction is possible (see for example [31]).
The definition below defines the big-step induction principle for lists considered in this article.Let us introduce some notation to make it easier to state big-step induction for lists.Let t 1 , . . ., t n be a possibly empty list of terms of sort i and T a term of sort list, then the term cons(t 1 , . . ., t n ; T ) is defined inductively by cons(; T ) = T, cons(t 1 , . . ., t n+1 ; T ) = cons(t 1 , . . ., t n , cons(t n+1 , T )).Definition 3.1.Let ϕ(x, z) be a formula and m ≥ 1, then the formula I x m ϕ is given by Let Φ be a set of formulas and m ≥ 1, then the m-step induction schema Φ-IND m over Φ is axiomatized by the universal closure of the formulas I x m ϕ where ϕ(x, z) ∈ Φ.
A simple example of formulas that have natural proofs by big-step induction are the acyclicity formulas given below, which express that adding a finite number n ≥ 1 of elements to a list results in a different list: To prove this formula by n-step induction it suffices to proceed by induction on X in the formula itself.For the base case we have to show that nil = cons(x 1 , . . ., x n ; nil ), which follows readily from (L0.1).For the induction step we assume (⋆).For a contradiction assume Then by an n-fold application of (L0.2) we obtain x ′ i = x i for i = 1, . . ., n and This contradicts the induction hypothesis and thus completes the induction step.Interestingly, however, the acyclicity formula (⋆) also has a slightly less natural proof using one-step quantifier-free induction.
For (ii ) we proceed by induction on Y in the formula X = Y .For the base case we have to show X = nil.Assume X = nil , then we are done.For the induction step, we assume X = Y and X = cons(y, Y ) and we are done.Hence we have (∀Y )X = Y .Thus in particular X = X, which is a contradiction and thus implies the claim.This gives rise to the question whether a similar technique as we have used to prove the acyclicity formulas with quantifier-free induction is also possible in general.It is straightforward to see that we can simulate big-step induction with single-step induction by making use of universal quantifiers and conjunction.For the sake of completeness we recall the argument.Lemma 3.3.Let m ≥ 1 and ϕ(X, z) be a formula, then Proof.Assume (∀x 1 ). . .(∀x i−1 )ϕ(cons(x 1 , . . ., x i−1 ; nil ), z) for i = 1, . . ., m and (∀X)(∀x 1 ). . .(∀x m )(ϕ(X, z) → ϕ(cons(x 1 , . . ., x m ; X), z)). (⋆) Clearly it suffices to show the following formula.We proceed by induction on X in the formula ( †).The base case follows immediately from the assumptions.For the induction step case we assume ( †).Now let i ∈ {1, . . ., m}, let x ′ , x 1 , . . ., x i−1 be fixed but arbitrary.If i < m, then we have to show ϕ(cons(x 1 , . . ., x i−1 , x ′ ; X), z), which follows from the induction hypothesis with j = i + 1.If i = m, then we have to show ϕ(cons(x 1 , . . ., x m−1 , x ′ ; X), z).By ( †) with j = 1, we have ϕ(X, z), hence by (⋆) we obtain the desired formula.
Remark 3.4.When the domain of the elements provably consists of a finite number of elements n ≥ 1, then the quantifiers over elements in the induction formula of Lemma 3.3 can be replaced by a conjunction.Hence, in this situation (m + 1)-step induction reduces to m-step induction without an increase in quantifier-complexity of the induction formulas.
However, as we will show, the increase of the quantifier complexity when simulating big-step induction with one-step induction is in general unavoidable.The remainder of the section is devoted to the proof of the following proposition.Definition 3.5.The language L A extends the base language of lists L 0 by the predicate symbol A : list → o.Proposition 3.6.Let m ≥ 2, then This proposition entails, in particular, that T 0 +Open(L A )-IND ⊢ Open(L A )-IND 2 .We will show the above claim by constructing a model of quantifier-free induction over the language L A in which the predicate A does not satisfy two-step induction.In such a model we call an element a standard element if it can be expressed as a term of the form cons(x 1 , . . .cons(x n , nil )) under a suitable variable assignment.All other elements are called the non-standard elements.By Lemma 3.2.(ii ) a non-standard element can be decomposed any finite number of times and thus resemble transfinite sequences of length at least ω.The model constructed in Definition 3.8 will use transfinite sequences of length up to ω as the non-standard elements.Since for example the transfinite sequence v ω with v ∈ N * satisfies v ω = v ⌢ v ω it violates the acyclicity property X = cons(x 1 , . . ., x |v| , X) (see Lemma 3.2).Hence we have to avoid sequences that absorb a finite prefix.
The following definition introduces the non-standard elements that we use for the model constructed in this section.datatypes.A positive answer to the conjecture above together with analogues of the results [19,31] would provide a formal justification for the necessity to implement more powerful induction rules that handle conjunction and quantification such as described in [16].As a byproduct, the formulas I X m A(X) with m ≥ 1 form a set of benchmark problems of increasing difficulty for automated theorem provers.
The above shows that mechanizing induction on lists is more complicated than induction on natural numbers in the sense that a reduction of big-step induction to one-step induction requires induction formulas with a higher quantifier-complexity.In the following we will consider lists with a concatenation operation and we will show that big-step induction does not prove the right cancellation of concatenation.

Right cancellation of list concatenation
In the previous section we have shown that quantifier-free (m + 1)-big step induction is strictly stronger than quantifier-free m-step induction, but not stronger than ∀ 1 induction.In this section we show that big-step quantifier-free induction is in general strictly weaker than ∀ 1 induction.We will prove this result by showing that the right cancellation property of the append operation on lists can not be proved with quantifier-free big-step induction on lists.This result is of particular interest for the automation of proof by mathematical induction, since it implies the necessity to work with induction rules that exceed the power quantifier-free big-step induction to handle comparatively basic properties such as the right cancellation of list concatenation.
In the following we will work with a language that extends the base language of lists L 0 by an infix symbol for the concatenation of lists.We will work with the usual left-recursive definition of concatenation.Definition 4.1.The infix function symbol • ⌢ • : list × list → list represents the append operation on lists.We define the language L 1 to be L 0 ∪ {⌢}.The theory T 1 extends the base theory of lists T 0 by the following axioms In the following lemmas we prove several properties about lists, and in particular the concatenation operation, using increasingly powerful induction principles.We start by proving some simple properties with quantifier-free induction.
We prove the next property, the right cancellation for single-element lists, using simultaneous induction on two variables.Definition 4.3.Let ϕ(X, Y, z) be a formula, then the formula I X,Y ϕ is given by Let Γ be a set of formulas, then the theory Γ-DIND is axiomatized by the sentences Proof.We proceed by induction on Y and Z simultaneously.We consider only one of the two base cases, since the other one is symmetric.For the base case Y = nil we assume nil ⌢ cons(x, nil ) = Z ⌢ cons(x, nil ) and we have to show that Z = nil .First of all, by (L1.1) we obtain cons(x, nil ) = Z ⌢ cons(x, nil ).By Lemma 3.2 we can consider two cases.If Z = nil , then we are done.Otherwise, there are z ′ and Z ′ such that Z = cons(z ′ , Z ′ ).Thus Therefore, by (L0.2) we have in particular nil = Z ′ ⌢ cons(x, nil ).We apply Lemma 3.2 and consider two cases.If Z ′ = nil , then nil = nil ⌢ cons(x, nil ) = cons(x, nil ), which contradicts (L0.1).Otherwise, there are z ′′ and Z ′′ such that Z ′ = cons(z ′′ , Z ′′ ), then, by (L1.2), nil = cons(z ′′ , Z ′′ ⌢ cons(x, nil )), which contradicts (L0.1).For the induction step assume Y ⌢ cons(x, nil Then by (L1.2) and (L0.2) we obtain y = z and By the induction hypothesis we obtain Y = Z, thus, cons(y, Y ) = cons(z, Z).
Observe that double induction is contained within induction on ∀ 1 formulas when working modulo case analysis CA given by Proof.Let ϕ(X, Y, z) be a quantifier-free L formula.Let X, Y, z be fixed and assume (∀X)ϕ(X, nil , z), (∀Y )ϕ(nil , Y, z), and We proceed by induction on X in (∀Y )ϕ(X, Y, z).The base case follows immediately from the assumptions.For the step case assume (∀Y )ϕ(X, Y, z) and let Y be fixed.By CA we can consider two cases.If Y = nil , then we are done by the assumption.Otherwise, there are y ′ and Y ′ such that Y = cons(y ′ , Y ′ ).By the induction hypothesis, we obtain ϕ(X, Y ′ , z).Hence, by the third assumptions, we have ϕ(cons (x, X), cons (y ′ , Y ′ ), z), that is, ϕ(cons(x, X), Y, z).
Using induction on a ∀ 1 formula, we can straightforwardly prove the right cancellation of the append operation for arbitrary lists.
Lemma 4.6.The theory Proof.We proceed by induction on X in the formula For the base case, let Y and Z be arbitrary and assume Y ⌢ nil = Z ⌢ nil .By Lemma 4.2 we readily obtain Y = Z.For the step case we assume and Y ⌢ cons(x, X) = Z ⌢ cons(x, X).By (L1.1), (L1.2), and Lemma 4.2 we obtain By the induction hypothesis we obtain Y ⌢ cons(x, nil ) = Z ⌢ cons(x, nil ).Hence, by Lemmas 4.4 and 4.5 we obtain Y = Z.
In the remainder of this section we will show that right cancellation of append cannot be proved by quantifier-free big-step induction on lists.Theorem 4.7.
We proceed as usual by constructing a structure that satisfies the base theory of lists with append together with quantifier-free induction for lists, but which contains elements l 1 , l 2 such that l 1 ⌢ l 2 = l 2 and l 1 = ε.Since the concatenation of transfinite sequences of length greater or equal to ω does not have the right cancellation property, as for example a ⌢ a ω = a ω , it seems natural to use concatenation as an interpretation of the append symbol ⌢.
In Section 3 we have already mentioned that, in order to construct a model of T 0 + Open(L 0 )-IND we have to avoid transfinite sequences λ such that λ = w ⌢ λ for some w ∈ N * , cf.Lemma 3.2.However, we may introduce sequences that have a transfinitely periodic structure, such as, the sequence In the following we define the set of elements that we will use for the construction of the model of quantifier-free big-step induction.
Definition 4.8.The structure M 2 interprets the sort i as the set N and the sort list as the set L given by Furthermore, the structure M 2 interprets the non-logical symbols as follows We will now first ensure that the structure M 2 defined above is indeed a welldefined L 1 structure, that is, that it is closed under the functions nil M 2 , cons M 2 , and then we use an analogous argument as above.If l 2 ∈ N * , then we clearly have l 1 ⌢ l 2 ∈ L. If l 1 and l 2 are non-standard, then for i = 1, 2 there are α i < ω 2 , a i ∈ N α i , w i ∈ N * such that l i = ⌊a i ⌋ ⌢ w i .Moreover, there exists δ ≤ α 2 and w ′ ⌢ N k ∈ N such that 1+δ = α 2 and l 2 = w ′ ⌢ N k ⌢ ⌊(a 2,1+γ ) γ<δ ⌋.Therefore, we have Next we show that M 2 satisfies the basic axioms of the list constructors nil and cons, as well as those of the append symbol.Proof.Let n ∈ N and l ∈ L, then there is some ordinal Thus, M 2 |= (L1.2).
Since the domain of M 2 interprets the sort of lists as transfinite sequences and the append operation as the concatenation of transfinite sequences, we can decompose list terms as follows.
Lemma 4.11.Let t(X, y) be a L 1 list-term and b elements of M 2 , then there exist n ∈ N and l 0 , . . ., l n ∈ L such that Proof.We proceed by induction on the structure of the term t.If t is nil, then M 2 |= t = ε, and thus we are done.If t is the variable X, then we are done by letting n = 0 and l 0 = ε ∈ N 0 .If t is of the form cons(u, t ′ ), then M 2 |= u( b) = k, for some k ∈ N. Hence we apply the induction hypothesis in order to obtain n ′ ∈ N and l ′ 0 , . . ., l Thus, we let n = n ′ and l 0 = (k)) ⌢ l ′ 0 and l i = l ′ i for 1 ≤ i ≤ n.If t is of the form t 1 ⌢ t 2 , then simply apply the induction hypothesis to t 1 and t 2 .
Equational predicates over M 2 in one variable stabilize eventually in a similar way to Lemma 3.11.Lemma 4.12.Let E(X) be an L 1 (M 2 ) equation such that M 2 |= E(X), then there exists N ∈ N such that M 2 |= E((n) ⌢ l) for all n ≥ N and l ∈ L.
Proof.Let E(X) be t 1 (X) = t 2 (X), then by Lemma 4.11 for i = 1, 2 there exist n i ∈ N and l i 0 , . . ., l i n i ∈ L such that By the symmetry of equality we can assume n 1 ≤ n 2 without loss of generality.Since M 2 |= E(X) we either have n 1 = n 2 or l 1 i = l 2 i for some i ∈ {0, . . ., n 1 }.We start by assuming that l 1 i = l 2 i for i = 0, . . ., n 1 and n 1 < n 2 .Then by the left cancellation of ⌢ we obtain , for all n ∈ N and l ∈ L. Now consider the case where there exists j ∈ {0, . . ., n 1 } such that l 1 j = l 2 j and let j 0 ∈ {0, . . ., n 1 } be the least such number.There are sequences l, l 1′ j 0 and l 2′ j 0 such that l i j 0 = l ⌢ l i′ j 0 for i = 1, 2 and either |l 1′ Hence, by left cancellation of concatenation, we obtain If l 1 ′ j 0 = ε and l 2 ′ j 0 = ε, then for n = (l 2 j 0 ) 0 , we have M 2 |= E((n) ⌢ l) for all l ∈ L. The case where l 1 ′ j 0 = ε and l 2 ′ j 0 = ε is symmetric.Finally, in the case that l 1 ′ j 0 , l 2 ′ j 0 = ε with (l 1 ′ j 0 ) 0 = (l 2 ′ j 0 ), we trivially have M 2 |= E(l) for all l ∈ L. As an immediate consequence of the previous lemma, we obtain the following result, which essentially says that for a non-standard element λ a list-equation E(X) can eventually be stabilized for predecessors of λ.
This result is of interest for automated inductive theorem proving, because it essentially provides a lower bound on the power necessary for the proof of a rather simple yet practically relevant property about the important datatype of lists.
The unprovability of right cancellation of concatenation is a first step towards a classification of the inductive power needed to prove certain practically interesting properties of finite Lisp-like lists.Theorem 4.7 as well as the auxiliary results of this section give rise to many related questions and conjectures that we will briefly discuss in the following.
We conjecture that even quantifier-free simultaneous induction on several variables with big-steps does not prove right cancellation of the concatenation operation.Let x = (x 1 , . . ., x n ) be a finite sequence and i ∈ N such that 1 ≤ i ≤ n, then by x <i we denote the sequence (x 1 , . . ., x i−1 ).Similarly, x >i denotes the sequence (x i+1 , . . ., x n ).Definition 4.16.Let X = (X 1 , . . ., X m ) be pairwise distinct variables with m ≥ 1, p = (p 1 , . . ., p m ) a sequence of non-zero natural numbers, and ϕ( X, z) a formula.The multivariate big-step list induction axiom I list X p ϕ for ϕ is given by where the x p i with i ∈ {1, . . ., m} are vectors of variables of sort i whose elements are all pairwise distinct.Let Φ be a set of formulas, then theory Φ-IND list ր is axiomatized by I list X p ϕ with ϕ( X, z) ∈ Φ and X, p as above.
A positive answer to this question would thus greatly improve upon our Theorem 4.7.A related question of interest is whether single-element right cancellation can be proven by quantifier-free big-step induction in one variable.
The subject of AITP mainly focuses on the mechanization of induction in general, rather than on the mechanization of individual theories.Nevertheless, the theories of lists with concatenation considered in this section are of some practical relevance.Hence, it may be valuable to investigate their mechanization separately.Because of the homomorphic relation between natural numbers with addition and lists with concatenation, it could be especially interesting to investigate whether simple theories of lists such as T 1 + ∀ 1 (L 1 )-IND have finite axiomatizations analogous to the one shown in [27] for natural numbers with addition.
Finally, let us observe that as an immediate consequence of Proposition 4.15 we obtain the unprovability of right-decomposition of list by open big-step induction.
Proof.Consider the element N 0 ∈ M 2 (list) and observe that N 0 = nil but since |N 0 | = ω, we cannot express N 0 as λ ⌢ (n) with λ ∈ N ≤ω and n ∈ N. Now, the claim follows from Proposition 4.15.
Clearly, the formula X = nil ∨ (∃x ′ )(∃X ′ )X = X ′ ⌢ cons(x ′ , nil ) is provable by induction on the formula itself, that is, by ∃ 1 induction.This gives rise to the question whether right-decomposition can be proved by ∀ 1 induction and more generally to the more general question how ∃ 1 induction and ∀ 1 induction over lists with concatenation are related.This question is relevant for AITP, since there are systems such as [21] that are based on ∃ 1 induction [18] and systems such as [10] that are based on ∀ 1 induction [31, Chapter 5].We plan to investigate this question separately in the future.

Conclusion
In this article we have shown two main results about induction for lists.Firstly, in Section 3 we have shown that quantifier-free (m + 1)-step induction can in general not be simulated with quantifier-free m-step induction.In particular, this result thus renders impossible a reductive implementation of quantifier-free bigstep induction in AITP systems with an induction mechanism based on quantifierfree induction.This observation may be relevant for future extensions of systems based on quantifier-free one-step induction mechanism, such as the AITP system described in [26,Section 3.2].The idea is that whenever an induction principle can be reduced to a simpler one, then for the sake of soundness one should consider the reduction.
The second main result of this article, shown in Section 4, is the unprovability of right cancellation of the concatenation for lists by quantifier-free big-step induction.Thus automated inductive theorem provers have to implement a comparatively strong induction mechanism in order to the prove seemingly simple property of right cancellation of concatenation.
In the light of the results of Section 3, a natural choice would be to implement an induction principle that can handle at least ∀ 1 induction formulas with conjunction.Such an induction principle permits a reductive implementation of ∀ 1 big-step induction.An example of a system implementing such an induction mechanism is the one described in [10] and analyzed in [31,Chapter 5].
One direction for future research is to carry out similar investigations focusing on other datatypes, induction principles, and properties.In principle questions such as the one addressed in Section 4 could be considered for every problem in benchmark suites such as [7] in order to obtain a classification of the difficulty of the problems that complements empirical results.
Furthermore, the results in this article raise a number of questions and conjectures that we would like to address in the future.In particular, we would like to investigate Conjecture 4.17, since a positive answer, showing that quantifier-free induction combining, both, simultaneous induction and big-step induction does not prove right cancellation of concatenation, would significantly strengthen the result of Section 4. Another interesting question is whether the right injectivity of concatenation (see Lemma 4.4) can be proved with quantifier-free big-step induction.Finally, the use of transfinite lists used in this article are reminiscent of streams defined by coinduction.It could be interesting investigate to which extent the techniques employed for the analysis of AITP systems can be transferred to systems that automate the coinduction principle such as [22,11].

Definition 3 . 7 .
Let k ∈ N, then by N k we denote the sequence (i) k≤i<ω .Now we define N := {w ⌢ N k | w ∈ N * , k ∈ N}.

Lemma 4 . 13 .
Let E(X) be an L 1 (M 2 ) equation such that M 2 |= E(X) and λ ∈ L \ N * .Then there exists N ∈ N such that M 2 |= E(λ ↑ n) for all n ≥ N .Proof.First by applying Lemma 4.12 we obtain m 0 such that M |= E((m) ⌢ l) for all m ≥ m 0 and l ∈ L. Since λ ∈ N * , there clearly is n 0