Extraction of Expansion Trees

We define a new method for proof mining by CERES (cut-elimination by resolution) that is concerned with the extraction of expansion trees in first-order logic (see Miller in Stud Log 46(4):347–370, 1987) with equality. In the original CERES method expansion trees can be extracted from proofs in normal form (proofs without quantified cuts) as a post-processing of cut-elimination. More precisely they are extracted from an ACNF, a proof with at most atomic cuts. We define a novel method avoiding proof normalization and show that expansion trees can be extracted from the resolution refutation and the corresponding proof projections. We prove that the new method asymptotically outperforms the standard method (which first computes the ACNF and then extracts an expansion tree). Finally we compare an implementation of the new method with the old one; it turns out that the new method is also more efficient in our experiments.


Introduction
Proof analysis and proof mining are central mathematical activities. Extracting additional mathematical information from existing proofs plays an important role in the process of proof mining. Mathematical proofs in general are based on the structuring of reasoning by intermediate statements (lemmas). The drawback of the use of lemmas is that only their truth but not their proofs are reflected in the derivation of their end-sequents. These proofs, however, B Anela Lolic anela@logic.at Alexander Leitsch leitsch@logic.at 1 may contain important mathematical information which can be extracted only from the proofs of these lemmas. One of the most important theorems in mathematical logic is Gentzen's Hauptsatz [15]. It states that lemmas (cuts) can be eliminated from first-order derivations, resulting in a lemma-free proof combining all subproofs of the original derivation.
The result of cut-elimination is a purely combinatorial proof. These combinatorial proofs can be used to extract explicit mathematical information. Proofs can be transformed in a way such that this information becomes visible. Such a transformation for cut-free LK-proofs of prenex end-sequents was given by Gentzen [15] in the mid-sequent theorem. It basically states that a proof ϕ can be transformed into a proof ϕ such that ϕ contains a so-called midsequent, that splits the proof into a propositional part and a part with quantifier inferences. The mid-sequent is propositionally valid and contains the instantiations of the quantifiers needed to prove the end-sequent. These instantiations may contain crucial mathematical information.
Cut-elimination plays a key role in the analysis of mathematical proofs. A prominent example is Girard's analysis (see in [16]) of Fürstenberg and Weiss' topological proof [14] of van der Waerden's theorem [27] on partitions. After cut-elimination was applied to the proof of Fürstenberg and Weiss, the result was van der Waerden's original elementary proof.
Girard's analysis of the proof of Fürstenberg and Weiss was carried out by hand within mathematical meta-language. However, in automated proof analysis, formal proofs are vital. Therefore the first step in automated proof analysis consists in formalizing the mathematical proofs (typically expressed in traditional mathematical language). The next steps are algorithmic cut-elimination and, finally, the interpretation of the resulting formal proof.
For automated proof analysis of mathematical proofs, the cut-elimination method CERES (Cut-Elimination by RESolution) was developed (see [4,5]). CERES substantially differs from the traditional reductive cut-elimination methods a la Gentzen. In the reductive methods cuts are eliminated by stepwise reduction of cut-complexity. These methods always identify the uppermost logical operator in the cut-formula and either eliminate it directly (grade reduction) or indirectly (rank reduction). It is typical for such a method that the cut formulas are "peeled" from the outside till only atomic cuts are left. These methods are local in the sense that only a small part of the whole proof is analyzed, namely the derivation corresponding to the introduction of the uppermost logical operator. As a consequence, many types of redundancy in proofs are left undetected in the reductive methods, leading to an unfortunate computational behavior. In contrast, the method CERES to be presented in Sect. 3 is based on a structural analysis of the whole proof. Here all cut-derivations in an LK-proof ϕ of a sequent S are analyzed simultaneously. The interplay of binary rules, which produce ancestors of cut formulas and those which do not, defines a structure which can be represented as a set of clauses CL(ϕ). CL(ϕ) is always unsatisfiable and thus admits resolution refutations. A resolution refutation γ of CL(ϕ) may serve as a skeleton of an LK-proof of S with only atomic cuts. The proof itself (a CERES normal form) is obtained by replacing clauses in γ by so-called proof projections of ϕ. To handle predicate logic with equality the calculi can be extended by equality rules; instead of resolution refutations we obtain refutations by resolution and paramodulation (for details see [2]). CERES is a semi-semantical method of cut-elimination (see [7]). A detailed description of CERES, a comparison with reductive methods, its extensions and a complexity analysis of the method can be found in the book [6].
CERES has been applied to real mathematical proofs. The most interesting application was the analysis of Fürstenberg's proof of the infinitude of primes [13] where, as a result of cut-elimination by CERES, Euclid's original argument of prime construction was obtained.
The last step in automated proof analysis consists in the interpretation of the result. In this interpretation it is crucial to obtain compact and meaningful information rather than a full (and typically very long) formal proof. The relevant information can be bounds for variables that are used in the proof or even programs representing its algorithmic content. Actually, it is possible to extract functionals, based on Gödel's dialectica interpretation [17], and construct programs from proofs in Peano arithmetic; see [8,9] for applications to mathematical proofs.
Another structure representing explicit information are mid-sequents (also called Herbrand sequents). Herbrand's theorem, [10,18], provides one of the most fundamental insights of logic and characterizes the validity of a formula in classical first-order logic by the existence of a propositional tautology composed of instances of that formula. Roughly speaking, Herbrand sequents are compact structures encoding the essence of proofs with prenex endsequents. Hence in mathematical proof analysis it is frequently more important to extract Herbrand sequents than full formal proofs (which may be too large to be interpreted). There are efficient algorithms for extracting Herbrand sequents from cut-free proofs, see e.g. [20]. Though every formula (and any sequent) can be transformed to prenex form such a transformation is unnatural and can have a disastrous impact on proof complexity (see [3]). Thus it is vital to extend the methods to non-prenex formulas and sequents. Miller [23] developed the structure of expansion trees (and expansion proofs) generalizing the derivation of endsequents from a mid-sequent in the prenex case. The so-called deep function of an expansion proof generalizes the mid-sequent itself. As expansion proofs abstract from propositional reasoning they provide compact and explicit information about the mathematical content of formal cut-free proofs.
The result of the method CERES is a CERES normal form, which is a (typically very long) formal proof with at most atomic cuts. This proof can then be used for further investigation and particularly for the extraction of Herbrand sequents and expansion proofs in order to obtain compact information. In the ordinary CERES-method, expansion proofs can be extracted from an ACNF. In this paper we show that even the construction of an ACNF can be avoided in computing the expansion proofs. In particular, we prove that the expansion proof of the CERES normal form can be constructed from the partial expansion proofs of the projections obtained by CERES, after deleting the clause parts. A ground refutation of the characteristic clause set and the projections suffice for the extraction of expansion proofs making the construction of the CERES normal form itself obsolete. This improvement yields a gain in asymptotic complexity. In particular we show that the new method outperforms the old one (quadratic versus cubic) and that the complexity of the new method can never be higher than that of the old one. Finally we describe an implementation of the new method and the traditional one (both methods are implemented in the Gapt system [12]) and show how they can be used to extract expansion proofs from proofs. We compare the implementations of the two methods and it turns out that even for very small and simple proofs a visible speed-up in computing time can be obtained.

Sequents and Sequent Calculus
We define an extended version of Gentzen's calculus LK in predicate logic with equality and arbitrary function symbols.

Definition 1
Let Γ and Δ be two multi-sets of formulas and be a symbol not belonging to the logical language. Then Γ Δ is called a sequent.
Definition 3 Let S : A 1 , . . . , A n B 1 , . . . , B m be a sequent. S is called a weakly quantified sequent if there is no ∃ quantifier of positive polarity in some formula A i (1 ≤ i ≤ n) and there is no ∀ quantifier of positive polarity in some formula B j (1 ≤ j ≤ m).
Definition 4 (Calculus LK = ) Basically we use Gentzen's version of LK [15] but extend it by equality rules as in [2] and call the calculus LK = . Since we consider multi-sets of formulas, we do not need exchange or permutation rules. There are two groups of rules, the logical and the structural ones. All rules except the cut have left and right versions, denoted by l and r , respectively. The binary rules are of multiplicative type, i.e. no auto-contraction of the context is applied. In the following, A and B denote formulas whereas Γ, Δ, Π, Λ denote multi-sets of formulas.
The logical rules: where t is an arbitrary term that does not contain any variables which are bound in A and α is a free variable which may not occur in Γ, Δ, A. α is called an eigenvariable.

∃-introduction
where the variable conditions for ∃ l are the same as those for ∀ r and similarly for ∃ r and ∀ l . The quantifier-rules ∀ l , ∃ r are called weak, the rules ∃ l , ∀ r strong.
The structural rules: weakening The equality rules: for inference on the left and on the right, where Λ denotes a position of a subterm where replacement of s by t has to be performed. We call s = t the active equation of the rules. Note that, on atomic sequents, the rules coincide with paramodulation-under previous application of the most general unifier.

Axioms:
Any set of atomic sequents which is closed under substitution and contains the sequent x = x (and thus all sequents of the form t = t for arbitrary terms t) is admitted as an axiom set. We define the set TAUT = {A A | A is an atom} and the axiom set Ax = TAUT ∪ { t = t | t a term}, which is called the standard axiom set.
An LK = -proof from a set of axioms A is a tree formed according to the rules of LK = such that all leaves are in A. The formulas in Γ, Δ, Π, Λ are called context formulas. The formulas in the upper sequents that are not context formulas are called auxiliary formulas and those in the lower sequents are called main formulas. The auxiliary formulas of a cut-rule are also called cut-formulas. If S is a set of sequents, then an LK-refutation of S is an LK-tree π where the end-sequent of π is the empty sequent and the leaves of π are either axioms of the standard axiom set or sequents in S.
For the proof transformations in this paper we need the concept of ancestors of nodes in a proof tree and formula occurrences within sequents occurring in proofs.
Definition 5 (Formula ancestor) Let ν be a formula occurrence in a sequent calculus proof ϕ. Then ν is an ancestor of itself in ϕ (the relation is reflexive). If ν is a principal formula occurrence of an inference then the occurrences of the auxiliary formula (formulas) in the premises are formula ancestors of ν. If ν is not a principal occurrence then the corresponding occurrences in contexts of the (premise) premises are formula ancestors of ν. The formula ancestor relation is then defined as the transitive closure.
Definition 6 (Sequent ancestor) Let ν be an occurrence of a sequent in a sequent calculus proof ϕ. Then ν is a sequent ancestor of itself (reflexivity). If ν corresponds to the conclusion of an inference with premises μ 1 , μ 2 (μ) then μ 1 , μ 2 (μ) are sequent ancestors of ν in ϕ. The sequent ancestor relation is then defined as the transitive closure. We assume that the two clauses in the premises are always variable disjoint and that σ is a most general unifier of {s, s }.
for inference on the left side of the clauses and for the right side, where Λ denotes a position of a subterm where s is replaced by t. We call s = t the active equation of the rules.
A PR-derivation from a set of clauses C is a tree derivation based on the rules above where all clauses in the leaves are variants of clauses in C. A PR-derivation of from C is called a PR-refutation of C.

Definition 9
Let ϕ be a proof and η be some arbitrary inference in ϕ. We say that η goes into the end-sequent of ϕ if the principal formula of η is an ancestor of the end-sequent. In this case, η cannot be a cut. η goes into a cut otherwise.

Expansion Trees
Expansion trees, first introduced in [23], are natural structures representing the instantiated variables for quantified formulas.
These structures record the substitutions for quantifiers in the original formula and the formulas resulting from instantiations. Expansion trees may contain logical connectives as well as the new connective + t , where t is a term. Informally, an expression of the kind Qx A(x) + t 1 E 1 + t 2 · · · + t n E n is an expansion tree, where Q ∈ {∀, ∃} and t 1 , . . . , t n are terms such that this expansion tree represents the result when instantiating the quantified expression Qx A(x) with the terms t 1 , . . . , t n to get the structures E i . E i is again an expansion tree representing A(t i ) for i = 1, . . . , n.
Our definition is a modified one as our proofs are skolemized and we do not have quantifiers with eigenvariable conditions. The definition below takes care that only trees with weak quantifiers are constructed.

Definition 10
Expansion trees, dual expansion trees and a function Sh (shallow) which maps expansion trees to formulas are defined inductively as follows: 1. If A is a quantifier-free formula then A is an expansion tree (and a dual expansion tree) for A and Sh(A) = A. 2. If E is an expansion tree then ¬E is a dual expansion tree and Sh(¬E) = ¬Sh(E). 3. If E is a dual expansion tree then ¬E is an expansion tree and Sh(¬E) = ¬Sh(E). 4. If E 1 and E 2 are (dual) expansion trees, then E 1 ∧ E 2 , E 1 ∨ E 2 are (dual) expansion trees and Sh(E 1 ∧ E 2 ) = Sh(E 1 ) ∧ Sh(E 2 ), the same for ∨.

5.
If E 1 is a dual expansion tree and E 2 is an expansion tree then E 1 → E 2 is an expansion tree and Sh(E 1 → E 2 ) = Sh(E 1 ) → Sh(E 2 ). 6. If E 1 is an expansion tree and E 2 is a dual expansion tree then E 1 → E 2 is a dual expansion tree and Sh(E 1 → E 2 ) = Sh(E 1 ) → Sh(E 2 ). 7. Let A(x) be a formula and t 1 , . . . , t n (n ≥ 1) be a list of terms. Let E 1 , . . . , E n be expansion trees with Sh(E i ) = A(t i ) for i = 1, . . . , n; then ∃x A(x) + t 1 E 1 + t 2 · · ·+ t n E n is an expansion tree with Sh(∃x A(x) + t 1 E 1 + t 2 · · · + t n E n ) = ∃x A(x). 8. Let A(x) be a formula and t 1 , . . . , t n (n ≥ 1) be a list of terms. Let E 1 , . . . , E n be dual expansion trees with Sh( Example 1 Let P(x) be an atom. Then P(a) is a dual expansion tree and ∀x.P(x) + a P(a) is a dual expansion tree. ∃x.P(x) + a P(a) is an expansion tree. So ∀x.P(x) + a P(a) → ∃x.P(x) + a P(a) is an expansion tree. But note that ∀x.P(x) + a P(a) → ∀x.P(x) + a P(a) is not an expansion tree according to Definition 10 as ∀x.P(x) + a P(a) is a dual expansion tree but not an expansion tree. Indeed, having strong quantifiers with the type of expansion defined above would be unsound.
The function Dp (deep) maps expansion trees (and dual expansion trees) to quantifier-free formulas, their full expansion.

Definition 11
Dp maps a (dual) expansion tree to a formula as follows:

Dp(E)
= E for an atomic expansion tree E, In [23] a notion of expansion proof was defined from expansion trees using the conditions acyclicity and tautology. Acyclicity ensures that there are no cycles between the strong quantifier nodes in the expansion tree. Since our formulas are skolemized and hence do not contain strong quantifiers, we do not need this condition.

Definition 12 (Expansion proof)
Let E T be an expansion tree of a formula A without strong quantifiers. Then E T is called an expansion proof of A from a set of axioms A if Sh(E T ) = A and A | Dp(E T ) (where | is the consequence relation in predicate logic with equality).
Expansion proofs encode a proof of validity of the formula they represent. They can be directly translated into sequent calculus, see [23], and the transformation is based on so-called q-sequents, which we refer to as s-expansion trees (sequent of expansion trees) in this paper.
Definition 13 (S-expansion tree) The structure S : Γ Δ where Δ : Q 1 , . . . , Q s is a multiset of expansion trees, Γ : P 1 , . . . , P r is a multiset of dual expansion trees is called an s-expansion tree. If ¬Γ ∨ Δ (which stands for ¬P 1 ∨ · · · ∨ ¬P r ∨ Q 1 ∨ · · · ∨ Q s ) is an expansion proof then S is called an s-expansion proof. This expansion proof is the expansion proof associated with S; the sequent is the sequent associated with S.
It is also possible to read off expansion proofs from sequent calculus proofs. Note that the expansion proof of a proof ϕ is a sequent of expansion trees, which are defined to be the expansion trees of all formulas in the end-sequent of ϕ. An algorithm for the extraction of expansion proofs from sequent calculus proofs is presented in [23] and modified algorithms (dealing with cuts and equality) are presented in [21,22]. There exist also algorithms for a transformation of resolution-trees into expansion-trees, see [24].
We will use an algorithm that is briefly described in [21]. In order to show how an expansion proof is extracted from a proof in LK = , we first need to define an operation on expansion trees. The Merge operator on expansion trees is defined in [23]. Intuitively, two expansion trees T 1 and T 2 can be merged, if Sh(T 1 ) = Sh(T 2 ). We give a definition adapted to our concept of expansion tree.
We define the merge inductively on the complexity of E 1 .
-If E 1 is an atom then E 2 is an atom too and Example 2 Let T 1 = ∀x Px + a Pa and T 2 = ∀x Px + b Pb be two dual expansion trees then The definition can be easily extended to more than two expansion trees. Let T 1 , . . . , T n (for n ≥ 2) be (dual) expansion trees such that Sh( It is also possible to merge s-expansion trees. As an s-expansion tree is defined via multisets of expansion trees, some expansion trees might occur more than once either on the left or on the right. In such cases merging s-expansion trees might become ambiguous. To avoid this ambiguity we restrict the merge of s-expansion trees to so-called normalized ones, where the shallow forms occur only once.

Definition 15 (Normalized sequents)
Remark 1 Note that every LK-proof ϕ of S and every s-expansion tree can be easily transformed into a proof (s-expansion tree) of a normalized sequent: just apply the rules c l , c r to S. In Sect. 4 we will merge s-expansion trees only if they correspond to end-sequents of proofs. Therefore restricting the merge to normalized s-expansion proofs does not affect the generality of our approach.
In normalized sequents the multisets become sets which allows us to define some set-based operations on sequents: We define the following operations on S 1 , S 2 : The sequents S 1 and S 2 are called disjoint if S 1 ∩ S 2 = .Then, obviously, S 1 ∩ S 2 , S 1 \ S 2 and S 2 \ S 1 are pairwise disjoint and Now we are ready to define the merging of normalized s-expansion trees.

Definition 17 (Merge of s-expansion trees) Let S 1 and S 2 be two normalized s-expansion trees and S
Note that the concatenation • of sequents can be directly extended to s-expansion trees.
Then there exist bijective mappings π l : Γ → Γ and π r : Δ → Δ with π l (T ) = T iff Sh(T ) = Sh(T ) (the same for π r ). So assume We extend the merging of s-sequents to more than two as follows. Let n ≥ 2 and S 1 , . . . , S n be normalized s-expansion trees. Then The s-expansion tree merge s (S 1 , . . . , S n ) is also normal which can be verified by an obvious inductive argument.
Frequently we will write merge s {S i | i = 1, . . . , n} for merge s (S 1 , . . . , S n ). If no confusion arises we will frequently write merge instead of merge t and merge s .
Qa and S 3 = ∃y Qy be s-expansion trees. Then The extraction of expansion proofs from LK-proofs requires quantifier-free cuts. Due to the structure of the CERES-method (which will be used for a efficient method of extracting expansion proofs) we consider proofs with only atomic cuts. Definition 19 (Extraction of s-expansion trees from proofs in LK 0 ) We define a transformation ET which maps proofs in LK 0 to s-expansion trees. We define the transformation inductively (on the number of inferences in the proof) but the rules for ¬ l , ¬ r , ∨ l , ∨ r 1 , ∨ r 2 , = l2 , = r 2 are omitted, the transformation of the these rules being obvious. base case: ϕ is an axiom. Then ϕ is of the form Similarly for c r . Note that, for the rules below, the auxiliary formulas of the rules are atomic.

Proposition 1 The transformation ET is sound: if ϕ is a proof in LK 0 then ET(ϕ) is an s-expansion proof.
Proof We proceed by induction on the number of inferences in ϕ. We consider the cases of axioms (represented by an axiom set A), ∧ r , cut and = r 1 ; the other cases are analogous.
In case of a prenex end-sequent S an expansion proof corresponds to the derivation of S from the mid-sequent (Herbrand sequent). The essence of Herbrand's theorem [18] consists of the replacement of quantified formulas by instances of these formulas. This results in a quantifier-free formula which is validity-equivalent to the original formula. Of course, the function Dp of an expansion proof corresponds to a Herbrand sequent. But if we consider proofs of prenex end-sequents we can extract Herbrand sequents directly, instead of extracting expansion proofs and computing their deep functions. The method for Herbrand sequent extraction in the prenex case is based on collecting instances, and is described in [6,20].
To illustrate construction of an s-expansion proof from an LK 0 -proof , consider the following simple example.  Q(a, f (a)) ∃x(P(x) ∧ ∃y.Q(x, y)) ∃ r Note that S is not in prenex form. Therefore, extracting the Herbrand sequent by collecting instances is not possible. Instead we compute the expansion proof ET(ϕ). Below we compute the s-expansion proof corresponding to ϕ. First we compute expansion trees for all formulas F in S and call them ET(F).

The Method CERES
The method CERES [4,5], is a cut-elimination method that is based on resolution. It differs from the reductive stepwise methods a la Gentzen [15] by analyzing the whole proof in a preprocessing step and extracting a formula in clausal form which forms the kernel of the cut-elimination method.
CERES in predicate logic with equality roughly works as follows: The structure of a proof ϕ containing cuts is encoded in an unsatisfiable set of clauses CL(ϕ) (the characteristic clause set of ϕ). A refutation of CL(ϕ) by resolution and paramodulation (abbreviated as PR-refutation) then serves as a skeleton for an atomic cut normal form, a new proof which contains at most atomic cuts. The corresponding proof theoretic transformation uses socalled proof projections ϕ[C] for C ∈ CL(ϕ), which are simple cut-free proofs extracted from ϕ (proving the end-sequent S extended by the atomic sequent C). In [5] it was shown that CERES outperforms reductive methods of cut-elimination (a la Gentzen or Tait) in computational complexity: there are infinite sequences of proofs where the computing time of CERES is nonelementarily faster than that of the reductive methods; on the other hand a nonelementary speed-up of CERES via reductive methods is shown impossible.
In this section we describe the original CERES method which was designed for classical logic. Given an LK = -proof ϕ of a skolemized sequent Γ Δ, the main steps of (classical) CERES are: 1. Extraction of the characteristic clause set CL(ϕ). 2. Construction of a PR-refutation (see Definition 8) of CL(ϕ). 3. Extraction of a set of projections π(C) for every C ∈ CL(ϕ). 4. Merging of refutation and projections into a proof ϕ * (a CERES-normal form) with only atomic cuts.
We will use the following proof as our running example to clarify the definitions below. -Ifν is an axiom, then CL(ν) contains the sub-sequent of ν composed only of cut-ancestors.

Example 5 The set of axioms Ax s is defined as
-If ν is the result of the application of a unary rule on a sequent μ, then CL(ν) = CL(μ) -If ν is the result of the application of a binary rule on sequents μ 1 and μ 2 , then we distinguish two cases: -If the rule is applied to ancestors of the cut formula, then CL(ν) = CL(μ 1 ) ∪ CL(μ 2 ) -If the rule is applied to ancestors of the end-sequent, then CL(ν) = CL( Note that • represents the merging of sequents. If ν 0 is the root node CL(ν 0 ) is called the characteristic clause set of ϕ.

Example 6
The characteristic clause set of our proof ϕ from Example 5 is constructed as follows: We consider the following cut-ancestors (in axioms) in ϕ 1 = r 1 operates on cut-ancestors, therefore we get The next step is to obtain a resolution refutation of C L(ϕ). It is thus important to show that this set is always refutable.

Theorem 1 Let ϕ be a proof of a skolemized end-sequent. Then the characteristic clause set CL(ϕ) is refutable by resolution and paramodulation.
Proof In [2,6].

Example 7
We give a PR-refutation γ of CL(ϕ) for ϕ in Example 5: Pz P f 2 z R P f 2 gc para Pz f 2 z = gz R f 2 c = gc para Pgc Definition 21 For a characteristic clause set CL(ϕ) and a ground refutation R of of a PR refutation ρ of CL(ϕ) we define CL(ϕ, R) = {C i | C i ∈ CL(ϕ) and C i occurs in R}.
Each clause in the clause set will have a projection associated with it. A projection of a clause C is a derivation built from ϕ by taking the axioms in which the atoms of C occur and all the inferences that operate on end-sequent ancestors. As a result, the end-sequent of a projection will be the end-sequent of ϕ extended by the atoms of C.
Definition 22 (Projections) Let ϕ be a proof of a skolemized end-sequent Γ Δ in LK = .
For nodes ν in ϕ we define inductively the set of cut-free proofs p(ν). If ν 0 is the root node and ψ ∈ p(ν 0 ) we call ψ a projection. Let ν be a node in ϕ such that S(ν) = Γ Δ; then Γ Δ = Γ c , Γ e Δ e , Δ c where Γ c Δ c consists of cut-ancestors and Γ e Δ e of ancestors of the end-sequent.
(a) ν is a leaf in ϕ. Then the sequent at ν is an axiom and we define p(ν) = {ν}. The clause part of ν is the subsequent CL(ν). (b) ν is the conclusion of a unary rule ξ with premise μ.
(b1) The principal formula of ξ is an ancestor of a cut. Then ϕ.ν is of the form We define p(ν) = p(μ). (b2) The principal formula of ξ is an ancestor of the end-sequent. Then ϕ.ν is of the form Let ψ ∈ p(μ) be a proof of C, Γ e Δ e , D where C D is the clause part of ψ.
and C D is the clause part of ψ .
(c) ν is the conclusion of a binary rule ξ with premises μ 1 , μ 2 .
(c1) The auxiliary formulas of ξ are ancestors of a cut. Then ϕ.ν is of the form Let ψ ∈ p(μ 1 ) such that ψ is a proof of C, Γ e Δ e , D where C D is the clause part of ψ. Then ψ ∈ p(ν) for ψ = (ψ) C, Γ e Δ e , D C, Γ e , Π e Δ e , Λ e , D w * and C D is the clause part of ψ . Let ψ ∈ p(μ 2 ) such that ψ is a proof of E, Π e Λ e , F where E F is the clause part of ψ. Then ψ ∈ p(ν) for ψ = and E F is the clause part of ψ . (c2) The auxiliary formulas of ξ are ancestors of the end-sequent. Then ϕ.ν is of the form Let ψ 1 ∈ p(μ 1 ) such that ψ 1 is a proof of C, Γ e Δ e , D and C D is the clause part of ψ 1 ; likewise let ψ 2 ∈ p(μ 2 ) such that ψ 2 is a proof of E, Π e Λ e , F and E F is the clause part of ψ 2 . Then ψ ∈ p(ν) for ψ = Pz Pz P f z P f z Given the projections and a grounded PR refutation, it is possible to build a proofφ of Γ Δ with only atomic cuts.
If we apply all most general unifiers in the PR proof γ we obtain a proof in LK = (in fact only contractions, cut and paramodulation remain). If γ σ is such a proof and we apply a substitution replacing all variables by a constant symbol we obtain a ground PR refutation. Note that after applying the most general unifiers to γ we obtain a derivation in LK = where the resolution rule becomes a cut rule. For a formal definition see [6].

Example 9
The ground PR-refutation γ is Pgc P f 2 gc cut P f 2 gc para Note that γ is an LK = -refutation of ground instances of clauses in CL(ϕ).
-The last inference in is a paramodulation rule. We consider only the case = r 1 ; for the other rules the construction is analogous. Then is of the form Let us assume that A proof ψ is called in top normal form if there are C, and ρ (defined as above) such that ψ = Θ(ρ, C, ).

Remark 2
The function top collects all cut-free subproofs in a top normal form which occur at the top and thus belong to .

Extraction of Expansion Trees from Projections
The extraction of expansion proofs is usually performed after the construction of a proof in top normal form. However, only the logical parts of the proof play a role in the construction of expansion trees. These logical parts can be identified as the cut-free subproofs after removal of all cut-ancestors. Note that no cut-ancestor in such a subproof is principal formula of an inference; we identify such subsequents as passive subsequent.
Definition 25 (Passive subsequent) Let ϕ be a cut-free proof of S : C, Γ Δ, D such that C D is a clause. The subsequent C D of S is called passive in ϕ if no ancestor of C D in ϕ contains a formula which is principal formula of an inference.
Note that the passive subsequents are just the clauses used to define a top normal form. Examples of proofs with passive clause parts are proof projections in CERES:

Proposition 2 Let ψ be a cut-free proof of C , Γ Δ, D which is an instance of a proof projection ϕ[C D] in CERES. Then C D is passive in ψ.
Proof Immediate by induction on the length of ψ and by Definition 22. Note that the only case in Definition 22 where the clause part changes is (c2). Here the projection ψ is defined as By induction hypothesis C D is passive in ψ 1 and E F is passive in ψ 2 . Therefore C, E D, F is passive in ψ.

Definition 26
Let ϕ be a cut-free proof of C, Γ Δ, D where C D is passive in ϕ. We define ϕ\(C D) by induction on the number of nodes in ϕ.
-If ϕ is an axiom then ϕ = C, C D, D (note that the whole sequent is passive in ϕ).
Then, by definition of passive subclauses, ϕ is a proof of C, Γ Δ , D for some Γ and Δ . Indeed, the subclause C D does not contain a formula which is principal formula of an inference. By induction we have a proof ϕ \(C D) of Γ Δ (note that C D is also passive in ϕ ) and we define ϕ\ where C D is passive in ϕ. As C, D are not principal formulas of an inference we get that By induction we have a proof ϕ 1 \(C 1 D 1 ) of Γ 1 Δ 1 and a proof ϕ 2 \(C 2 D 2 ) of Γ 2 Δ 2 . Then we obtain ϕ\(C D) = The function logical(ϕ) for a proof in top normal form takes the cut-free proofs on top and "subtracts" from them all ancestors of passive clauses. Below we define an expansion treeÊ(ϕ) which is defined by merging the expansion trees of logical(ϕ). This structure will be the key for the development of an efficient algorithm for extracting expansion trees from CERES normal forms.

Definition 28
Let ϕ be a proof in top normal form of a skolemized and normalized endsequent. We defineÊ and thus it remains to show that ( ) is obtained via an easy induction on the number of inferences in ϕ i using Definition 26. Case 2: The last inference in is R. Then is of the form Then (by definition of ϕ as Θ( , C, )) ϕ= where Seq(Γ * Δ * ) = Seq(Γ + Δ + ). By Definition 19 we obtain Note that Γ * , Γ + and Δ * , Δ + are normalized. By induction hypothesis we havê and therefore By definition of the merge operator we get from (1) and (2) By Definition 28 we obtain But by Definition 28Ê(ϕ) = merge{ET(ψ) | ψ ∈ logical(ϕ)}. Combing this with (3) we obtain

Corollary 1 Let
Proof Immediate by Theorem 2: just define C D as the empty sequent. Proof Let ψ be a cut-free proof of C, Γ Δ, D which is an instance of a projection of ϕ. By Proposition 2 C D is passive in ψ. As CERES normal forms are top normal forms all conditions of Corollary 1 are fulfilled.
The last corollary describes a method to compute an expansion tree from any proof in top normal form of a skolemized sequent S. Note that in case of a prenex sequent S we extract Herbrand sequents. The computation of an expansion tree is based on top normal forms. CERES normal forms ϕ * of proofs ϕ are also in top normal form, therefore we can compute expansion trees in the same way. For CERES it means that ϕ * has to be constructed first. The usual algorithm for the extraction of expansion trees from the CERES normal form is: begin % algorithm EXP 1. compute CL(ϕ); 2. find a PR refutation ρ of CL(ϕ); 3. compute a ground refutation R from ρ; 4. compute the projections ϕ[C] for C ∈ CL(ϕ, R); 5. construct the CERES normal form ϕ * from the projections and R; 6. extract an expansion proof ET(ϕ) from ϕ * . end.
Instead of using algorithm EXP, we make use of Theorem 2 and define a new method that extracts expansion proofs more efficiently by extracting partial expansion trees from the projections. The idea is the following: we do not compute logical(ϕ * ) which would be the set of all instantiated projections. Note that the size of logical(ϕ * ) is roughly the size of ϕ * itself. Instead we use from a ground resolution refutation R of CL(ϕ) the general projections ϕ[C] for C ∈ CL(ϕ, R) and the set of substitutions Σ(C) for C ∈ CL(ϕ, R) which are the set of ground substitutions for the clause C in the refutation R. Then the computation of an expansion tree via CERES for a proof ϕ (of a closed skolemized end-sequent S) goes as follows: begin % algorithm EXP new 1. compute CL(ϕ); 2. find a PR refutation ρ of CL(ϕ); 3. compute a ground refutation R from ρ and for every C ∈ CL(ϕ, R) the set Σ(C); 4. compute the projections ϕ[C] and ϕ − [C] for C ∈ CL(ϕ, R); Note that the computation of the Dp function of an expansion proof via CERES for a proof ϕ (of a closed skolemized end-sequent S) can be easily obtained by computing the Dp function of T (ϕ, R).

Theorem 3 Let ϕ be a proof of a skolemized, closed and normalized end-sequent and ϕ * the CERES normal form based on a ground refutation R of CL(ϕ). Then ET(ϕ
Then by Theorem 2 we know that which, by Definition 29, is exactly T (ϕ, R). So ET(ϕ * ) = T (ϕ, R).

Corollary 3 Let ϕ be a proof of a skolemized,closed and normalized sequent S and R be a refutation of CL(ϕ). Then T (ϕ, R) is an expansion proof of S.
Proof By Theorems 2 and 3.
Instead of computing all ϕ[C j ]σ j i (obtained from the ACNF ϕ * ) the algorithm EXP new computes the ϕ[C j ] and extracts ET(ϕ − [C j ]) ≡ T j , which is a partial expansion proof, then constructs × σ ∈Σ(C j ) T j σ for all j and merges them. Example 11 illustrates the main features of the method.

Example 11
Consider the proof ϕ as in Example 5 (where F = ∀x(Px → P f x)). The ACNF ϕ is: where ϕ 1 is The Dp function is Dp(T (ϕ, R))) = Pc, Pc → P f c, P f c → P f 2 c, Pgc → P f gc, P f gc → P f 2 gc Pg 2 c

Complexity
In this section we prove that the algorithm EXP new outperforms the old algorithm EXP. In particular we prove that the complexity of EXP new is always better or equal to that of EXP. Then we define an infinite sequence of LK-proofs ϕ n where the complexity of EXP is cubic in n while that of EXP new is only quadratic. This implies that the computational complexity of EXP cannot be linearly bounded by that of EXP new . Our complexity measure will be the maximal logical complexity of objects constructed by the algorithms.

Definition 30 (Size of a formula) Let A be a formula, then the size of A ( A f ) is inductively defined as follows
To improve legibility we write F instead of F f (with the exception of cases where the precise notation is essential) and use the measure also for sequents, proofs and clause sets.
Definition 31 (Size of a sequent) Let S : A 1 , . . . , A n A n+1 , . . . , A m be a sequent, then the size of S is Definition 32 (Size of an LK = -proof) Let ϕ be an LK = -proof. If ϕ is an axiom then ϕ consists of just one node labelled by a sequent S; here we define ϕ = S . If ϕ is not an axiom then the end-sequent is a conclusion of a unary or of a binary rule. So we distinguish two cases: Definition 33 (Size of an expansion tree) Let E be an expansion tree, then the size of E ( E ) is inductively defined as follows Definition 34 (Size of an s-expansion proof) Let E : E 1 , . . . , E n E n+1 , . . . , E m be an s-expansion proof, then the size of E ( E ) is In our algorithms EXP and EXP new we do not only construct sequents, formulas and proofs, but also sets of clauses (which are finite sets of atomic sequents). If C = {C 1 , . . . , C n } we define C = C 1 + . . . + C n . We call the objects produced by a proof transformation expressions.
Definition 35 (Expression) An expression is a formula, a sequent, a proof or a set of clauses. Now we consider computations as sequences of expressions which are generated by an algorithmic proof transformation. So let A be an algorithm and ϕ be a proof serving as input to A. Then E A (ϕ) is the sequence of all expressions generated by A on input ϕ. Below we define a complexity function induced by A given by the maximal expression generated by A: Definition 36 Let A be an algorithm on proofs. Then we define Proof sketch: the first 4 steps of EXP and EXP new are identical. The sum of the sizes of the expansion trees generated by EXP new is smaller or equal to the size of the CERES normal form generated by EXP.
We show now that EXP new can be asymptotically better that EXP. To this aim we define the following sequence of LK-proofs ϕ n : where ω n is: Py, Py → P f y, . . . , P f n−1 y → P f n y P f n y → r Py → P f y, . . . , P f n−1 y → P f n y Py → P f n y ∀ l (n×) ∀x(Px → P f x) Py → P f n y ∀ r ∀x(Px → P f x) ∀x(Px → P f n x) and π n is: Pa → P f n a, P f n a → P f 2n a, . . . , P f (n−1)n a → P f n 2 a, Pa P f n 2 a ∀ l (n×) ∀x(Px → P f n x), Pa P f n 2 a recursive definition of ψ n : ψ 0 = Py Py. And for n > 0 ψ n = Py Py . . , P f n−1 y → P f n y P f n y → l Py, Py → P f y, . . . , P f n−1 y → P f n y P f n y For our complexity measure we obtain Obviously, there are constants a 1 , a 2 , b 1 , b 2 (all > 0) such that a 1 * n 2 ≤ ψ n ≤ a 2 * (n + 1) 2 and b 1 * n 2 ≤ χ n ≤ b 2 * (n + 1) 2 .
Putting things together there are constants c 1 , c 2 > 0 with c 1 * n 2 ≤ ϕ n ≤ c 2 * (n + 1) 2 . Now we compute the characteristic clause sets of the ϕ n . After elimination of tautologies we get C L(ϕ n ) = {C 1,n : Py P f n y; C 2 : Pa; C 3,n : P f n 2 a }.
Now we compute the resolution refutation. The recursive definition is the following: γ 1 : Pa Pa P f n a R P f n a γ n : We obtain γ n = γ n−1 + 3.
Concerning the projections we adapt an improved version, minimal projections, which is also used in the implementation of CERES. In this form of projection it is sufficient to derive just a subsequent of the end-sequent which reduces the number of weakenings and contractions in the ACNF.
ϕ n [C 1,n ]: Py, Py → P f y, . . . , P f n−1 y → P f n y P f n y Now we can construct the ACNF. ϕ * n is the ACNF-schema: ϕ * 1 : Pa Pa where F = ∀x(Px → P f x). In ϕ * n there are n substitution instances of the proof ψ n and therefore the size of the ACNF-schema ϕ * n is ϕ * n ≥ a 1 * n 3 .
As C EXP (ϕ n ) ≥ ϕ * n (the algorithm EXP contains the construction of ϕ * n ) we finally obtain Therefore every expansion tree extraction from ϕ * n via EXP is at least cubic in n. Now we consider the complexity of our improved method for extraction of expansion trees. We construct the projections first, here we have the complexity O(n 2 ) (just for ϕ n [C 1,n ], otherwise constant). The construction of the refutation δ n is in O(n). For the construction of the partial expansion proof: T (y) = ∀x(Px → P f x) + y Py → P f y, + f y P f y → P f 2 y, · · · + f n−1 y P f n−1 y → P f n y we obtain The last sequent is an expansion proof of ϕ * n . The total expense of EXP new is therefore (k being a constant) Now we put things together and obtain that EXP new is never more expensive than EXP, but EXP cannot be linearly bounded in EXP new : Proof (a) By Theorem 4. (b): Assume that such a constant d exists. By the construction of the proofs ϕ n above we would obtain C EXP (ϕ n ) ≤ d * C EXP new (ϕ n ) for all n and thus a 1 * n 3 ≤ d * k * (n + 1) 2 for all n.
But a 1 * n 3 > d * k * (n + 1) 2 almost everywhere and we obtain a contradiction.

Remark 4
We have shown that, for all proofs ϕ in LK = , C EXP new (ϕ) ≤ C EXP (ϕ) and that a asymptotic speed-up of C EXP via C EXP new is possible. The problem to define a sharp bound on C EXP in terms of C EXP new remains open. Our conjecture is that C EXP cannot be exponential in C EXP new , i.e. that there exists a polynomial p such that In addition to the gain in complexity, another gain is a compact symbolic representation of the expansion tree: merge(T 1 Σ 1 , T 2 Σ 2 , . . . , T n Σ n ).

Implementation and Experiments in Gapt
The algorithm EXP new is implemented in the Gapt-system 1 [12], which is a framework for implementing proof transformations written in the programming language Scala. Initially it was developed for the method CERES, but has been extended to other proof transformation algorithms (note that the methods described in this paper are available from version 2.5 on). This section explains how to run the described algorithm, followed by a discussion of results obtained by experiments with formal proofs.
For information on how to install and use the system Gapt we refer to the Gapt User Manual. 2 Gapt opens in a Scala interactive shell (scala>) which can be used to run all the commands provided by the system. Under "Proof Examples" there is a set of functions that generate proofs of some end-sequent. In the following demonstration we will use the proof from Example 5, which is referred to as CERESExpansionExampleProof. proof in Gapt. The sequence of commands scala> val p = CERESExpansionExampleProof. proof scala> val p1 = CERES( p ) scala> prooftool ( p1 ) instantiates the proof from Example 5 and stores it in the variable p, which is used as input for the method CERES. The variable p1 stores the generated CERES normal form. Note that the outputs stored in variables p and p1 are strings representing the proofs. To obtain a proof in a tree-like structure prooftool can be used, which is a viewer for proofs and other elements also implemented in Gapt [11]. The algorithm EXP, which extracts expansion proofs from CERES normal forms is implemented in Gapt as the method LKToExpansionProof. Note that this method extracts an expansion proof from any LK-proof and not only from CERES normal forms. More information on expansion trees in Gapt can be found in [21,25]. The following demonstration shows how to obtain expansion proofs and Herbrand sequents (corresponding to the deep function of an expansion proof) from the CERES normal form p1 (defined in the demonstration above): scala> val exp = LKToExpansionProof( p1 ) scala> prooftool ( exp ) scala> val dp = exp.deep scala> prooftool ( dp ) The output stored in exp is a string representing the expansion proof of p1; using prooftool a better representation can be obtained. Note that also the deep function can be displayed in prooftool. The next demonstration shows how to use the algorithm EXP new , which is implemented as the method CERESExpansionProof (within the CERES implementation) scala> val p = CERESExpansionExampleProof. proof scala> val exp = CERES.CERESExpansionProof( p, Escargot ) scala> val dp = exp.deep The output stored in variable dp is a string representing the deep function of the expansion proof extracted from the proof projections and the corresponding ground PR refutation. Note that we use a simple built-in prover called Escargot. Instead of using Escargot, any other resolution prover supported by Gapt may be used (Gapt includes interfaces to several firstorder theorem provers, such as Prover9, E Prover and LeanCoP, for more details we refer to the Gapt User Manual).
To measure the complexity of algorithms we use the command time, provided by the Gapt system. This command measures the time in ms that is needed on the system in use to perform a method. We performed several experiments with proofs containing cuts and measured the speed-up in time via scala> time{ LKToExpansionProof( CERES( p ) ) } scala> time{ CERES.CERESExpansionProof( p ) } Our experiments have shown that there is a speed-up in the computation of expansion proofs with the algorithm EXP new compared to the algorithm EXP already for small and simple proofs like in Example 5: our best result for the algorithm EXP is 47ms, on the other hand, with the algorithm EXP new we obtained 18ms. Since even for a small and simple proof like the proof in Example 5 a speed-up is obtained, it is clear that we can increase the speed-up when we consider more complex and longer proofs. Therefore we analyzed more complicated proofs provided by Gapt, as lattice . proof, a proof of (one direction of) the equivalence of different definitions of the concept of a lattice. For background information about this proof and an informal version, we refer to Section 5 of [20]. Another interesting proof for analyzing and comparing the implemented methods is tape . proof, which is a proof of the statement "Given an infinite tape labelled by zeros and ones there are two cells with the same value.". The proof proceeds by a lemma stating that on such a tape there are either infinitely many zeros or infinitely many ones. This is a subcase of the proof of the unbounded pigeonhole principle, for more information we refer to Section 4.2 of [26] and Section 3 of [1]. Note that the formalization of the tape proof as described in [26] is realized in Gapt as tabeUrban . proof. Figure 1 shows our results on experiments with the proofs l a ttice . proof, tape . proof and tapeUrban . proof; in all three cases, the method EXP new outperforms the method EXP.   Another interesting sequence of cut-free proofs provided by Gapt is formalized in SquareDiagonalExampleProof(n), which constructs a sequence of cut-free proofs of the sequents P(0, 0), ∀x∀y(P(x, y) → P(s(x), y)), ∀x∀y(P(x, y) → P(x, s(y))) P(s n (0), s n (0)), where n ≥ 0. For every n the constructed proof goes along the diagonal of P, i.e. one x-step, then one y-step, etc. Cuts can be introduced to this sequence of proofs, however the proof containing cuts obtained by the method CutIntroduction(SquareDiagonal ExampleProof(n)) is not necessarily longer the higher the value for n is. More precisely, the proof SquareDiagonalExampleProof(n) might not get as much compressed as the proof SquareDiagonalExampleProof(n+1) by introducing cuts, leading to a shorter proof for n + 1. Therefore, the method based on reductive cut-elimination is not always slower for higher values of n. In fact, as can be observed in Fig. 2, the computing time for the method based on reductive cut-elimination on the proof CutIntroduction(SquareDiagonalExampleProof (7)) is 6235ms, while on the proof CutIntroduction(SquareDiagonalExampleProof (8)) it is 1278ms. The analysis in Fig. 2 is performed for values 2 ≤ n ≤ 18, as for higher values the constructed proof is too long to be analyzed on the operating system in use. Note that also for SquareDiagonalExampleProof(n) the method EXP new outperforms the method EXP, as can be seen in Fig. 3.
We want to remark that the obtained results depend to a great degree on the operating system in use. Therefore, it is possible that the obtained results fluctuate. Nevertheless, the speed-up of the method EXP new compared to EXP is given and can be clearly recognized.

Conclusion
In the analysis of mathematical proofs it is usually more important to gain essential mathematical information from proofs (which typically lies in the terms), than to traverse complicated and long propositional proofs. This was our motivation for avoiding the construction of an atomic cut normal form and focus on the quantifier inferences in the final proof (represented by a Herbrand sequent or by an expansion proof). In the original CERES method, the extraction of expansion proofs is performed after the final result of CERES (a proof containing at most atomic cuts, the CERES normal form) is obtained. We first analysed ACNFs and defined a new version of ACNF where the cut-inferences are the last inferences in the proof and only contractions and weakenings occur between them. Proofs of that structure are said to be in top normal form. We have shown that the logical parts of proofs in top normal form suffice to compute expansion proofs. Since proofs in CERES normal form are in top normal form, its logical parts (the proof-projections) suffice to extract expansion proofs. First we refute the characteristic clause set CL(ϕ) and, from a corresponding ground refutation R, obtain a set of ground substitutions Σ(C) for all clauses C ∈ CL(ϕ) that occur in R. We construct the general CERES projections ϕ[C], corresponding to the clauses C ∈ CL(ϕ) that occur in R, and extract partial expansion proofs T [C]. Finally we instantiate the partial expansion proofs T [C] by substitutions in Σ(C) and combine the resulting expansion proofs by merging; the result is an expansion proof of the end-sequent (which coincides with the expansion proof of the CERES normal form). Using this method we avoided the construction of an atomic cut normal form.
We also obtain an improvement in asymptotic complexity. Note that we do not compute n instances of the projection ϕ[C i ] with the corresponding substitution σ i j like it is needed for the construction of the CERES normal form, instead we compute the projection once, remove clause parts and then instantiate the corresponding expansion proof (Herbrand sequent) with the corresponding substitutions. The described algorithm is implemented in the Gapt system and we describe how to use it. We show that even for small and not complicated proofs a speed-up in time is obtained by the new algorithm.
Since we investigated this method for first-order logic only, further work has to deal with a generalization of this method to higher-order logic. In higher-order logic we have to deal with a different CERES-method (CERES ω [19]) and a resolution calculus for higher-order logic. The extraction of expansion proofs from CERES-projections in the higher-order case is a non-trivial task, since CERES ω as well as the resolution calculus for higher-order logic are much more complicated than in the first-order case. If and how the method can be generalized to the higher-order case, future work will tell.