
A realizability model for intuitionistic set theory


Academic year: 2021


Rens Baardman

9th July 2018

Bachelor thesis Mathematics

Supervisor: dr. Andrew Swan

[Cover figure: the stages V(Kl)_0, V(Kl)_1, V(Kl)_2, V(Kl)_3, …, V(Kl)_ω, V(Kl)_{ω+1}, with example elements ∅ =: 0; {⟨0, 0⟩} =: 1, {⟨3, 0⟩}, {⟨1, 0⟩, ⟨4, 0⟩}, …; {⟨0, 0⟩, ⟨1, 1⟩} =: 2, {⟨4, {⟨3, 0⟩}⟩}, {⟨5, {⟨1, 0⟩, ⟨4, 0⟩}⟩, ⟨4, 1⟩}, …]

Korteweg-de Vries Institute for Mathematics Faculty of Sciences


Abstract

In intuitionistic or constructive mathematics, the Law of Excluded Middle “p ∨ ¬p” (lem) is not accepted as a logical axiom, in contrast to classical mathematics. Since the usual set-theoretic axiom system ZF(C) implies the lem, a different collection of axioms has to be considered to find a basis for intuitionistic set theory.

One contender is IZF, which is a slight modification of ZF. Basing ourselves on a model of a set-theoretic universe that was described by McCarty (1984) and uses the notion of realizability as the intuitionistic version of soundness, we show that IZF is truly intuitionistic: it doesn’t imply the lem. This follows, among other things, from the fact that Church’s Thesis — the statement that every function on the natural numbers is computable, which is false classically — holds in this model.

We end with a discussion of other non-classical properties of this model, such as the non-linearity of certain ordinals (e.g. we have distinct ordinals α and β such that neither α < β nor β < α), and the existence of uncountable subsets of the natural numbers.

title: A realizability model for intuitionistic set theory
author: Rens Baardman, 10587772
supervisor: dr. Andrew Swan
first grader: dr. Benno van den Berg
second grader: prof. dr. Yde Venema
end date: 9th July 2018

Korteweg-de Vries Institute for Mathematics
University of Amsterdam
Science Park 904, 1098 XH Amsterdam
http://www.kdvi.uva.nl


Contents

1 Introduction
   1.1 The bhk-interpretation
   1.2 Historical developments

2 Intuitionistic set theory
   2.1 Intuitionistic logic
   2.2 An intuitionistic set theory: IZF
   2.3 Historical and philosophical context

3 Realizability
   3.1 Computability theory
   3.2 Church’s Thesis
   3.3 Realizability

4 The McCarty realizability model for IZF
   4.1 The realizability structure
   4.2 Representations inside the structure
   4.3 Church’s Thesis in the realizability model

5 Other non-classical properties of the realizability model
   5.1 Unzerlegbarkeit and Uniformity
   5.2 Non-linearity of ordinals
   5.3 Uncountable subsets of ω

6 Conclusion
   6.1 Related research topics

7 Popular summary


1 Introduction

This thesis deals with mathematics based on intuitionistic logic, where the Law of Excluded Middle

(lem) Law of Excluded Middle: ϕ ∨ ¬ϕ for any formula ϕ

is not accepted as a logical axiom.¹ Note that it is equivalent to the elimination of double negation: ¬¬ϕ → ϕ. This principle is widespread in mainstream — or classical — mathematics research and education. Notably, the validity of the technique of proof by contradiction depends on it. Therefore, it is probably best to start with a short justification why some regard this axiom as suspect.

Consider the following statement:

ϕ = “π + e is transcendental or π − e is transcendental”.

We know that π and e (Euler’s number) are transcendental, that is: not algebraic (there are no polynomials with rational coefficients that have one of them as roots). Therefore, it seems plausible to assume ϕ is true. We will investigate this. Suppose ¬ϕ holds:

¬ϕ = “π + e and π − e are not transcendental”.

Since “not transcendental” means “not not algebraic”, by using the Law of Excluded Middle (in the form of double negation elimination) we see that it is equivalent to

¬ϕ = “π + e and π − e are algebraic”.

But consider then

½ ((π + e) + (π − e)) = π.

This would be an algebraic expression of π, which is impossible! We see we arrived at a contradiction, and therefore conclude ¬¬ϕ. Classically (using the lem), we can thus conclude that ϕ holds.

This reasoning seems fine at first, but a new question comes up: which one of them actually is transcendental — π + e or π − e? The sobering answer is: we don’t know! We haven’t found a proof yet that shows which one (or possibly both of them) is transcendental. This classical reasoning therefore leads us to assert statements that turn out to be opaque upon closer inspection.

Note that in this previous example, our first application of the Law of Excluded Middle is problematic too: it implies that a number that is not transcendental, is algebraic. But merely asserting that a number is not transcendental, doesn’t give a way of constructing such a polynomial to explicitly show that the number is rational. The general philosophy that these indirect proofs are insufficient and that direct constructions are necessary, is aptly named constructivism.

1. The lem is also known as the Principle of Excluded Middle (pem), Tertium Non Datur (‘no third (possibility) is given’; tnd) or Principium Tertii Exclusi (pte).


1.1 The bhk-interpretation

If we exclude the Law of Excluded Middle from our axioms, we need a different way to determine what to accept as a proof — for example for the statement ‘this number is algebraic’. The most common guidance is captured in the Brouwer-Heyting-Kolmogorov (bhk) interpretation (see Table 1.1), named after the Dutch L.E.J. Brouwer and his student Arend Heyting, and the Russian Andrey Kolmogorov.²

| a proof of | consists of | such that |
| --- | --- | --- |
| A ∧ B | ⟨p, q⟩ | p proves A and q proves B |
| A ∨ B | ⟨p, q⟩ | p = 0 and q proves A, or p = 1 and q proves B |
| A → B | f | f is a rule that transforms a proof p of A into a proof f(p) of B |
| ⊥ | | is impossible |
| ¬A | p | p proves A → ⊥ |
| ∃x ∈ X (ϕ(x)) | ⟨a, p⟩ | a ∈ X and p proves ϕ(a) |
| ∀x ∈ X (ϕ(x)) | f | f is a rule that transforms an x ∈ X into a proof f(x) of ϕ(x) |

Table 1.1: The bhk-interpretation guides the interpretation of proofs in constructive mathematics

The bhk-interpretation remedies the problem of what a constructivist regards as an ‘incomplete communication’ (cf. Kleene (1945, p. 109; 1973, p. 99)):

An existential statement about numbers, i.e. a statement of the form “there exists a number n with property A(n)” is finitistically taken as a “partial judgement”, that is, as an incomplete rendering of a more precisely determined proposition, which consists in either giving directly a number n with the property A(n), or a procedure by which such a number can be found […]. (Hilbert and Bernays, 1934; English translation in Van Oosten, 2000, p. 3)

Following the bhk-interpretation, a proof of an existential statement in this sense completes the communication: it gives a specific element for which the statement holds.

Note that the bhk-interpretation is still fairly imprecise: what are proofs for atomic formulas? And which proof-transforming rules should we accept? An answer to this is the notion of realizability (see Chapter 3), that uses computable functions as rules. We will use realizability later on, as a way to formalize the bhk-interpretation.

Even though it’s too imprecise to give formal proofs, we can now point out why a constructivist would take issue with our earlier proof: classically, the proof of “π + e is transcendental ∨ π − e is transcendental” is fine, but following the bhk-interpretation, we can only accept a proof of this statement that specifically proves one of the disjuncts, which we can’t do (yet).


1.2 Historical developments

Brouwer was one of the first to actively pursue a lem-less mathematics, following his philosophy called intuitionism.³ He stated that mathematical objects are foremost mental constructions of the mathematician, and that proofs are communications in an attempt to elicit a reconstruction of this object in the mind of the reader. This is a thoroughly anti-Platonist position, which started a fierce debate in the early 20th century on the foundations of mathematics, called the Grundlagenstreit. Brouwer was one of the central challengers, opposed to Hilbert, the founder of formalism. For an introduction to Brouwer’s philosophy, we refer the interested reader to Iemhoff (2016). Although Brouwer objected to the view of logic preceding mathematics and eschewed formalizations of his philosophy, his student Heyting was one of the first to formalize intuitionistic logic, which is used as the basis of almost all constructive mathematics (see Definition 2.1).⁴

Constructive mathematics includes many different schools of thought besides intuitionism. An early example is (Russian) recursive constructive mathematics started by Andrey Markov. The development of constructive analysis by Errett Bishop — in a manner compatible with classical mathematics — showed that a considerable part of ‘common’ mathematics can be regained without the use of the Law of Excluded Middle. The Intuitionistic Type Theory of Per Martin-Löf is a different attempt (compared to the set-axiomatic approach) to form a foundation for constructive mathematics. For a much broader overview and the context of these developments, see Troelstra (1991). An interesting exposition of motivations for constructive mathematics can be found in (Bauer, 2016).

In this thesis, we will reconstruct parts of the attempt to find an intuitionistic axiomatic set theory. The usual axiomatic system ZF(C) implies the Law of Excluded Middle, and is therefore classical in nature. We consider IZF (a relatively modest modification of ZF) as an alternative, which we describe in Chapter 2. To show that it is indeed intuitionistic — i.e. it doesn’t imply the Law of Excluded Middle — we give a model for IZF in Chapter 4, in which certain non-classical properties hold (notably the statement that all functions on the natural numbers are computable). In order to do this, we have to define realizability — the ‘truth notion’ on which the model relies — and the prerequisite computability theory in Chapter 3. We follow with an exposé in Chapter 5 of some other non-classical and counter-intuitive characteristics of the model, such as the existence of incomparable ordinals and the existence of uncountable subsets of the natural numbers, and end with a discussion of related research topics in Chapter 6.

We assume that the reader has experience with first order logic, and is familiar with the basic definitions of axiomatic set theory — in particular with the definition of ordinals, the construction of the von Neumann universe V, and the axioms of ZFC.

3. There were others before Brouwer — notably Kronecker, Poincaré, Borel and Lebesgue — who were to some degree suspicious of the lem. Brouwer called them pre-intuitionists (Brouwer, 1981), but they are now usually known as semi-intuitionists.

4. Heyting was not the first – parallel developments were made by Kolmogorov (1925), although he rejected the principle ex falso quodlibet (Principle of Explosion: ⊥ → ϕ), resulting in minimal logic; and by Glivenko (1928) in reaction to Brouwers


2 Intuitionistic set theory

Given the importance and success of set theory as an axiomatic foundation for classical mathematics, it is probably worthwhile to try to come up with a constructive version of set theory. There have been multiple successful approaches in this domain. The one we will follow, is the one that might come as the most natural for someone familiar with classical set theory: we consider the axioms of ZFC, and try to include as many of them as possible, while making sure to stay away from anything that implies the Law of Excluded Middle (lem). This approach originated with Friedman (1973b).

2.1 Intuitionistic logic

In Section 2.2, we will follow this aforementioned procedure, but first we have to make explicit which logic we will use.

We will use a first order language L, with equality ‘=’ (and later on also ‘∈’). Terms are defined in the usual way. The connectives of L are ‘∧’, ‘∨’ and ‘→’; we have absurdity ‘⊥’; quantifiers ‘∀’ and ‘∃’; and parentheses ‘)’, ‘(’ (which we will leave out when possible, for extra clarity). Formulas are defined in the usual way. Note that we don’t have ‘¬’ as a primitive: we define ‘¬ϕ’ as an abbreviation for ‘ϕ → ⊥’. Also, ‘ϕ ←→ ψ’ abbreviates ‘(ϕ → ψ) ∧ (ψ → ϕ)’. If a variable x is free in a formula ϕ (so not bound by a quantifier), we can write ‘ϕ(x)’, and ‘ϕ(t)’ then means ‘ϕ[x/t]’: the replacement of the occurrences of x with the term t (as long as t is free for x in ϕ).

We give a Hilbert-style deductive proof system to describe our theories. We assume the reader is familiar with the construction of proofs in these systems. The formulation is based on (Aczel & Rathjen, 2010, pp. 17-18).

def 2.1 The theory IQC of intuitionistic first order predicate logic consists of the language L and the following axioms and rules of inference:

Axioms: for all formulas ϕ, ψ, χ and terms t, s:
(A1) ϕ → (ψ → ϕ)
(A2) (ϕ → (ψ → χ)) → ((ϕ → ψ) → (ϕ → χ))
(A3) ϕ → (ψ → (ϕ ∧ ψ))
(A4) (ϕ ∧ ψ) → ϕ
(A5) (ϕ ∧ ψ) → ψ
(A6) ϕ → (ϕ ∨ ψ)
(A7) ψ → (ϕ ∨ ψ)
(A8) (ϕ ∨ ψ) → ((ϕ → χ) → ((ψ → χ) → χ))
(A9) (ϕ → ψ) → ((ϕ → ¬ψ) → ¬ϕ)
(A10) ϕ → (¬ϕ → ψ)
(A11) ∀x ϕ(x) → ϕ(t)
(A12) ϕ(t) → ∃x ϕ(x)


(E1) t = t
(E2) t = s → (ϕ(t) → ϕ(s))

Rules of inference: with ⊢ ϕ we notate that we can deduce ϕ. Then we have:
• all axioms are deducible
(mp) Modus Ponens: if ⊢ ϕ and ⊢ ϕ → ψ, then ⊢ ψ
(∀i) ∀-introduction: if ⊢ ϕ → ψ(t) for all terms t, then ⊢ ϕ → ∀x ψ(x)
(∃i) ∃-introduction: if ⊢ ϕ(t) → ψ for some term t, then ⊢ ∃x ϕ(x) → ψ

It is now an interesting exercise to prove that ¬¬¬ϕ ←→ ¬ϕ holds for any formula ϕ. This is one of the first results in intuitionistic logic, due to Brouwer (1925).
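As an added illustration (not part of the thesis), the equivalence can be checked in Lean 4, whose core logic is intuitionistic. The proof uses only function abstraction and application, with no classical axiom; the theorem name is chosen here and p plays the role of ϕ.

```lean
-- ¬p unfolds to p → False, matching the abbreviation ¬ϕ := ϕ → ⊥ above.
theorem triple_neg_iff (p : Prop) : ¬¬¬p ↔ ¬p :=
  ⟨ -- (→) from h : ¬¬¬p and hp : p, build a proof of ¬¬p and feed it to h
    fun h hp => h (fun hn => hn hp),
    -- (←) from hn : ¬p and hnn : ¬¬p, apply hnn to hn
    fun hn hnn => hnn hn ⟩
```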

def 2.2 The theory IPC of intuitionistic propositional logic is the subtheory of IQC where we exclude quantifiers in our language, and exclude the corresponding axioms (A11) and (A12) and the rules of inference (∀i) and (∃i).

When we replace axiom (A10) in IQC or IPC by ¬¬ϕ → ϕ, or equivalently replace axiom (A9) with the Law of Excluded Middle, then we get the theories CQC of classical first order logic and CPC of classical propositional logic, respectively.

2.2 An intuitionistic set theory: IZF

Now that we have got our logical system in place, we can continue our search for a constructive axiomatic set theory. As said before, we start by considering the Zermelo-Fraenkel set theory (ZF, or ZFC when including the Axiom of Choice), which consists of the following axioms:

(ext) Extensionality

∀x∀y(∀a(a ∈ x ←→ a ∈ y) → x = y)

(pair) Pairing

∀x∀y(∃a(∀b(b ∈ a ←→ (b = x ∨ b = y))))

(null) Null Set

∃n(∀a(a ∉ n))

and we denote this n — which is unique by the Axiom of Extensionality — by ∅

(uni) Union

∀x(∃a(∀b(b ∈ a ←→ ∃c ∈ x(b ∈ c))))

and we denote this a — which is unique by the Axiom of Extensionality — by ⋃x

(inf) Infinity

∃a(∃b(b ∈ a) ∧ ∀b ∈ a(∃c(b ∈ c ∧ c ∈ a)))

(sep) Separation (or Subset Selection)

∀x(∃y(∀a(a ∈ y ←→ a ∈ x ∧ ϕ(a))))

where ϕ(a) ranges over all formulas where y is not free in ϕ(a) (so this is actually an axiom schema)

(pow) Power Set

∀x(∃a(∀b(b ∈ a ←→ b ⊆ x)))

(repl) Replacement


where ϕ(x, y) ranges over all formulas where b is not free in ϕ(x, y) (again an axiom schema)

(fnd) Foundation (or Regularity)

∀x(∃a(a ∈ x) → ∃m ∈ x(∀c ∈ m(c ∉ x)))

and such elements m are called ∈-minimal elements of x

(c) Choice

∀x(∅ ∉ x → (∃f : x → ⋃x (∀y ∈ x(f(y) ∈ y))))

where ∃f : x → ⋃x means that there is a choice function f : x → ⋃x, coded as a set of pairs in the usual way

Note that we introduced the symbol ∈ — which can be seen as a binary predicate symbol, denoted in infix notation — and the following abbreviations:

∀a ∈ x (ϕ) := ∀a(a ∈ x → ϕ), and similar for ∃a ∈ x (ϕ);
x ⊆ y := ∀a ∈ x (a ∈ y).

If we want to work within the constructive setting, we have to make sure that the theory we come up with doesn’t imply the Law of Excluded Middle. Basing ourselves on ZFC, we immediately encounter two problems we have to consider: the Axiom of Foundation and the Axiom of Choice imply the Law of Excluded Middle.

lm 2.3 IQC ⊢ fnd + sep → lem

Proof. Given a formula ϕ, we can derive ϕ ∨ ¬ϕ: consider the set

A = {x | x = {∅} ∨ (x = ∅ ∧ ϕ)}.

This set exists by the Axiom of Separation. So by the Axiom of Foundation, we have an ∈-minimal element a ∈ A, so that for all b ∈ A, we have that b ∉ a.

By construction of A, we know that a = {∅} ∨ a = ∅. If a = {∅}, we see that ∅ ∉ A, so that ¬ϕ holds and thus also ϕ ∨ ¬ϕ. If a = ∅, we see that ∅ ∈ A, so ϕ holds, and again ϕ ∨ ¬ϕ holds too. So we can derive the Law of Excluded Middle.

The following was first proved by Diaconescu (1975):

lm 2.4 IQC ⊢ c + ext + sep → lem

Proof. Given a formula ϕ, we can derive ϕ ∨ ¬ϕ: consider the sets

A = {n ∈ ℕ | n = 0 ∨ (n = 1 ∧ ϕ)}
B = {n ∈ ℕ | n = 1 ∨ (n = 0 ∧ ϕ)}.

These sets exist because of sep. If ϕ holds, A = {0, 1} and B = {0, 1}, so A = B by the Axiom of Extensionality. If ϕ does not hold, A = {0} and B = {1}. We always have 0 ∈ A and 1 ∈ B, so they are inhabited. By the Axiom of Choice, there is a choice function f : {A, B} → A ∪ B, such that f(A) ∈ A and f(B) ∈ B.

Since f(A) and f(B) are integers, we know f(A) = f(B) ∨ f(A) ≠ f(B). If f(A) = f(B), we need that 1 ∈ A or 0 ∈ B, so ϕ holds, and thus also ϕ ∨ ¬ϕ. If f(A) ≠ f(B), we can derive ¬ϕ, since ϕ implies that A = B, so that f(A) = f(B). So in both cases we can derive ϕ ∨ ¬ϕ, so we can derive the Law of Excluded Middle.


problematic axioms. The usual way to proceed is to exclude the Axiom of Choice, and replace the Axiom of Foundation with the axiom:

(∈-ind) ∈-Induction

∀x(∀y(y ∈ x → ϕ(y)) → ϕ(x)) → ∀xϕ(x).

We could stop at this point, but the convention is to substitute the Axiom of Replacement with a slightly different axiom:

(coll) Collection

∀a(∀x ∈ a(∃y ϕ(x, y)) → ∃b(∀x ∈ a ∃y ∈ b (ϕ(x, y)))).

Picking the Axiom of Collection instead of the Axiom of Replacement doesn’t weaken our theory, since we can regain Replacement:

lm 2.5 IQC ⊢ coll + sep + ext → repl

Proof. Let ϕ be a formula and a a set, such that for all x ∈ a there exists a unique y such that ϕ(x, y) (the premise of the Axiom of Replacement). Then by the Axiom of Collection we can form a set b′ that contains all those y’s for x ∈ a. It might also contain other elements, but by applying the Axiom of Separation to b′ with respect to the formula ψ(y) := ∃x ∈ a (ϕ(x, y)), we obtain a set b where precisely those other elements are excluded, so by the Axiom of Extensionality we have constructed our required set.

In fact, within the intuitionistic setting, the Axiom of Collection is stronger than the Axiom of Replacement (Friedman & Ščedrov, 1985).

Now we have our axiomatic system:

IZF = {ext, pair, null, uni, inf, sep, pow, coll, ∈-ind},

where we use the logic of IQC.

A justification for this procedure and the chosen replacements for the axioms, is that from a classical viewpoint, nothing really changed. That is: within classical logic, these reformulations are equivalent:

thm 2.6 IZF + lem = ZF

Proof. Note that when working within ZF, we use the logic of CQC. Adding the Law of Excluded Middle to IQC results in CQC, so we only have to check whether we can regain the set theoretic axioms of ZF that we replaced, and whether our chosen replacements aren’t so strong that IZF + lem is stronger than ZF.

“⊆” We check that ZF is as strong as IZF:

claim: CQC ⊢ fnd → ∈-ind

Proof: We prove the contrapositive (note that we can only use this proof-technique because we work in CQC — the Law of Excluded Middle is a necessary assumption!). Suppose the Axiom of ∈-Induction does not hold. So there is some ϕ such that ∀x(∀y ∈ x (ϕ(y)) → ϕ(x)), but that the conclusion ∀x(ϕ(x)) does not hold.

Suppose now that the Axiom of Foundation holds, then there must be some ∈-minimal element m, such that ¬ϕ(m). Since it is ∈-minimal, we know that ∀y ∈ m (ϕ(y)). But then by our assumption, we see that also ϕ(m). Contradiction! So the Axiom of Foundation cannot hold, and we have proven the contrapositive.

claim: CQC ⊢ repl + fnd + uni → coll

Proof: Assume that the Axiom of Replacement holds, together with the antecedent of the Axiom of Collection. That is, we have a formula ϕ and a set a such that

∀x ∈ a ∃y ϕ(x, y).

We want to construct a set b such that

∀x ∈ a ∃y ∈ b ϕ(x, y).

If we could pick for every x a specific y_x such that ϕ(x, y_x), we could apply the Axiom of Replacement and be done. Unfortunately, we would need the Axiom of Choice for this. There is another way to do it without Choice, using Scott’s trick, named after Dana Scott:

The idea is that instead of picking such y_x’s, we take for every x the lowest stage V_α of the von Neumann universe that contains a y such that ϕ(x, y). The assumption on ϕ and a together with the Axiom of Foundation, guarantee that such a V_α exists, and that this operation is well-defined. This collection of V_α stages (one for every x ∈ a) is a set by the Axiom of Replacement (because V_α is unique for every x). Then taking the union, which is again a set by the Axiom of Union, gives us our desired b. For a more formal proof, see e.g. (Jech, 2003, pp. 64-65).

“⊇” We show that IZF + lem is as strong as ZF:

Lemma 2.5 already showed that we don’t lose any power by choosing the Axiom of Collection over the Axiom of Replacement. This leaves us only to check that we can regain the Axiom of Foundation (where we use CQC, since we added the Law of Excluded Middle):

claim: CQC ⊢ ∈-ind → fnd

Proof: Assume the Axiom of ∈-Induction holds. Then its contrapositive

∃x(¬ϕ(x)) → ∃x((∀y ∈ x [ϕ(y)]) ∧ ¬ϕ(x))

holds too, for any formula ϕ. We will show that this implies that any non-empty set has a minimal element, proving the Axiom of Foundation.

Fix a non-empty set z, and take

ϕ(y) = y ∉ z.

Since z is non-empty, there is an x such that x ∈ z, and thus ¬ϕ(x). Using our earlier contrapositive, we see there has to be an x′ such that for all y ∈ x′ we have ϕ(y), but ¬ϕ(x′). This means that for all y ∈ x′ we have y ∉ z, and x′ ∈ z. We see that x′ is our desired minimal element, since x′ ∩ z = ∅.

The question that appears now, is whether IZF isn’t too strong. We have to make sure that IZF is constructive:

qst 2.7 Does IZF ⊢ lem?

We will answer this question in the negative in Chapter 4, ensuring the sensibility of this approach: IZF is in fact intuitionistic!


2.3 Historical and philosophical context

The IZF-approach is not unproblematic. Since it is only a relatively minor deviation of ZF, it is still a very strong axiomatic system — possibly too strong to have a proper intuitionistic philosophical foundation. To be precise: IZF has the same proof-theoretic strength as ZF, among others in the aspect that they are equiconsistent: Con(IZF) ⇐⇒ Con(ZF) (see Friedman (1973a), Beeson (1985, p. 176)). So in a way, the ‘validity’ (or philosophical foundation) of IZF still relies on our classical notions from ZF: it is not an independent theory in this sense.

A specific drawback of IZF lies in its impredicativity: it has constructions such as the powerset operation, that have to quantify over a domain that contains the set to be constructed. When considering the powerset operation: the definition ‘all subsets of a given set’ is problematic, since when ‘selecting’ the subsets from all sets, the powerset itself has to be considered too. This leads to possible circular definitions, or as Myhill puts it:

[…] in order to explain what it is to be an element of a certain set, we have to explain what it is to satisfy the defining condition of that set; that defining condition must only refer to sets which were or might have been defined previously, otherwise (on the constructive view that sets only come into being as we define them, and were not there “all along”) a vicious circle might result. (Myhill, 1975, p. 351)

There are predicative alternatives to IZF, that do not have this problem. One example is Myhill’s Constructive Set Theory (Myhill, 1975), which uses the Exponentiation Axiom instead of the Powerset Axiom. Another notable example is Aczel’s CZF, which uses the Subset Collection Axiom instead of the Powerset Axiom (and some other adjustments; see Aczel and Rathjen (2010) for an introduction). CZF has a strictly lower proof theoretic strength than IZF and ZF. It has the advantage that it can be interpreted in Martin-Löf Type Theory (Aczel, 1978), which can be considered properly grounded in the intuitionistic philosophy.

The usual terminology is to call impredicative set theories intuitionistic, and predicative set theories constructive. We will try to maintain this distinction throughout, although we should note that it isn’t always followed so strictly in the literature (in particular, the modern version of Intuitionistic (Martin-Löf) Type Theory is predicative). For a broader introduction to predicativity in set theory, see Crosilla (2015, Section 1.3).


3 Realizability

It is important that we describe the formalization of what intuitionists accept as a proof. Not only do intuitionists reject the Law of Excluded Middle, they also have different ideas of what it means to show something is true. In Section 1.1, we have seen a first description of this idea in the bhk-interpretation, but this is still too informal a description to comfortably work with. One formalization that has become a standard in the intuitionist world, is the notion of ‘realizability’, as first suggested and described by Kleene (1945). Although he didn’t set out to find a formalization of the bhk-interpretation,¹ it does align with its central ideas. An important part is what an acceptable proof of “ϕ → ψ” is. According to the bhk-interpretation, this should be some rule that transforms a proof of ϕ into a proof of ψ. The important question here, is what kind of ‘rules’ we accept. In some way, we should only allow rules for which an ‘effectively computable’ program exists (which can be applied to an input either by hand or with the use of a machine). The field that studies the notions of programs and computability is called ‘computability theory’ (also known as ‘recursion theory’).² Since we need its central definitions and theorems to be able to discuss realizability, we start with an introduction to this field in the following section, follow up with the description of Church’s Thesis — an important axiom in constructive mathematics — in Section 3.2, and then define realizability in Section 3.3.

3.1 Computability theory

Discussions of what programs are ‘effectively computable’, originated in the 1930s, with researchers suggesting different models of idealized machines that could perform calculations. The most important ones are that of the Turing Machine, suggested by Turing (1936); the class of recursive functions, suggested by Kleene (1936); and the lambda calculus, as suggested by Church (1936).³ It turns out that all these different models are equivalent. That is: they are all capable of emulating each other in an effective way, and thus compute exactly the same class of functions. Combined with the fact that these models make minimal and natural assumptions about the possible steps an idealized computer can take, it is reasonable to assume that these models — diverse in appearance, but all defining the same class of computations — define the class of ‘effectively computable’ functions. This statement is known as the Church-Turing thesis. Since this thesis is commonly accepted among researchers, it can also be used as the formal definition of effective calculability.

In this section, we will define this class by looking at the class of partial recursive functions. Since we assume the reader is already familiar with functions in general, this is probably the simplest way to introduce the notion of computability. Then we are able to informally describe

1. His goal — in which he succeeded — was to make precise the connection between intuitionism and the theory of recursive functions (Kleene, 1973). He conjectured there would be a connection, since “[b]oth theories claimed to deal […] with effective or constructive processes.” (Kleene, 1973, p. 95) Although he tried at first to use the bhk-interpretation, he remarked that “[…] Heyting’s proof-interpretation failed to help me to my goal” and that “[a]lso Kolmogoroff’s problem-interpretation […] failed to help me in any way of which I am conscious”. See also Van Oosten (2000, pp. 4–5) for a broader historic view on realizability and a description of Kleene’s attempts and motivation.

2. Although the notions of ‘computable’ and ‘recursive’ tend to overlap in practice, there is a difference both in meaning and history. Soare (1996) gives an overview of this, and also advocates that ‘computability theory’ should be the standard name.


the equivalence with the other notions of computability. Via the Gödel-numbering of computable functions, we can assign to each computable function a unique natural number. This is key in reasoning about computable functions when defining realizability in Section 3.3. Many of the formulations in this section are based on the syllabus by Van Oosten (1993, revised 2013, Ch. 0–2), which we also recommend for a more complete introduction to computability theory.

def 3.1 A partial function of k arguments (or a k-ary partial function) is a function from A to ℕ, where A ⊆ ℕ^k. If A = ℕ^k, we say the function is a k-ary total function.

When k = 0, 1, 2, 3 respectively, we call these functions nullary, unary, binary and ternary.

Notation: We use lambda notation (originating in lambda calculus) to denote k-ary partial functions: λx_1x_2…x_k.f(x_1, x_2, …, x_k) denotes the function which assigns to a tuple (n_1, n_2, …, n_k) ∈ dom(f) the value f(n_1, n_2, …, n_k), where f is a k-ary partial function.

When k is clear from the context, we can abbreviate a tuple (x_1, x_2, …, x_k) with x⃗.

def 3.2 Given k-ary partial functions g_1, g_2, …, g_ℓ and an ℓ-ary partial function h, we can construct the k-ary function f defined from g_1, g_2, …, g_ℓ and h by composition as follows:

dom(f) = {x⃗ ∈ ℕ^k | x⃗ ∈ ⋂_{i=1}^{ℓ} dom(g_i) and (g_1(x⃗), g_2(x⃗), …, g_ℓ(x⃗)) ∈ dom(h)},

and for x⃗ ∈ dom(f):

f(x⃗) := h(g_1(x⃗), g_2(x⃗), …, g_ℓ(x⃗)).

In particular, given a k-ary partial function g and a unary function h, we obtain the usual composition

f(x⃗) = h(g(x⃗)) = (h ∘ g)(x⃗).

def 3.3 Given a k-ary partial function g and a (k + 2)-ary partial function h, we can construct the (k + 1)-ary function f defined from g and h by primitive recursion as follows:

• for x⃗ ∈ dom(g):

f(0, x⃗) := g(x⃗);

• for x⃗ ∈ ℕ^k, y ∈ ℕ: if f(y, x⃗) is defined and (y, f(y, x⃗), x⃗) ∈ dom(h):

f(y + 1, x⃗) := h(y, f(y, x⃗), x⃗).

In particular, given a nullary partial function g (so it takes no input values) with g( ) = n, we see:

f(0) = n
f(y + 1) = h(y, f(y)).

Using this, we can define for example the y-th power of a fixed base b (i.e. the function f_b(y) = b^y):

f_b(0) = b^0 = 1;


So taking h_b to be the function that maps (y, f_b(y)) ↦ f_b(y) · b, we can construct the function f_b by primitive recursion from the functions g( ) := 1 and h_b.

We can easily extend this method to get a binary function that calculates any exponent (i.e. the function f(y, x) = x^y), by using the ternary function h(y, f(y, x), x) := f(y, x) · x and the same nullary function g.

def 3.4 A primitive recursive function is a function in the class defined inductively by the following characteristics:

• the nullary function λ.0 (“number 0”) is primitive recursive;
• the zero function Z = λx.0 is primitive recursive;
• the successor function S = λx.(x + 1) is primitive recursive;
• the projections Π^k_i = λx_1x_2…x_k.x_i (for 1 ≤ i ≤ k) are primitive recursive;
• if the functions g_1, g_2, …, g_ℓ and h are primitive recursive, the function defined from g_1, g_2, …, g_ℓ and h by composition (if it is well-defined) is also primitive recursive;
• if the functions g and h are primitive recursive, the function defined from g and h by primitive recursion (if it is well-defined) is also primitive recursive.

By using induction, it is not hard to show that a primitive recursive function is a total function.

def 3.5 A $k$-ary relation $R$ (so defined on $\mathbb{N}^k$) is a primitive recursive relation if its characteristic function

$$\chi_R : \mathbb{N}^k \to \mathbb{N}, \qquad (x_1, x_2, \ldots, x_k) \mapsto \begin{cases} 1 & \text{if } R x_1 x_2 \ldots x_k \\ 0 & \text{else} \end{cases}$$

is primitive recursive.

We showed earlier that we can construct the function $f = \lambda yx.x^y$ by primitive recursion from the functions $g = \lambda.1$ and $h = \lambda yzx.(z \cdot x)$. Since $g = S(0)$, it is the composition of the number 0 and the successor function, so $g$ is primitive recursive. We can show that $h$ is also primitive recursive, by first showing that $\lambda xy.(x + y)$ is primitive recursive, and then using primitive recursion and the projections to obtain $h$. This then implies that $f$ itself is primitive recursive.

def 3.6 Given a $(k + 1)$-ary function $g$, we can construct the $k$-ary function $f$ defined from $g$ by minimization as follows:

$$\operatorname{dom}(f) = \{\vec{x} \in \mathbb{N}^k \mid \exists y \in \mathbb{N} \text{ such that } (0, \vec{x}), (1, \vec{x}), \ldots, (y, \vec{x}) \in \operatorname{dom}(g) \text{ with } g(y, \vec{x}) = 0\}$$

and

$$f(\vec{x}) = \text{the least } y \text{ such that } g(y, \vec{x}) = 0.$$

In general, for any $(k + 1)$-relation $R$ and $\vec{x} \in \mathbb{N}^k$, we can define the minimization operator (or $\mu$-operator)

$$\mu y.Ry\vec{x}$$

Similarly, the bounded minimization operator

$$\mu y < z.Ry\vec{x}$$

outputs the least $y < z$ such that $Ry\vec{x}$ if such a $y$ exists, and $z$ else.

The $\mu$-operator is indeed a generalization of bounded minimization of functions: if $f$ is the bounded minimization of a function $g$ and $\vec{x} \in \operatorname{dom}(f)$, then we have

$$f(\vec{x}) = \mu y.(g(y, \vec{x}) = 0),$$

where we see ‘$g(y, \vec{x}) = 0$’ as a relation in the obvious way.

Now we are ready to define the class of partial recursive functions:

def 3.7 A partial recursive function is a function in the class defined inductively by the following characteristics:

• all primitive recursive functions are partial recursive;

• if a function g is partial recursive, the function defined from g by minimization is also partial recursive;

• if g is a partial recursive function and h is a unary primitive recursive function, then the function defined from g and h by composition is also primitive recursive.
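The construction sketched after Definition 3.5 (addition, then multiplication, then h, then the exponent function) can be carried out mechanically. The block below is an added example, not code from the thesis: it writes the schemes of Definitions 3.2, 3.3 and 3.6 as Python combinators and builds f(y, x) = x^y from Z, S and the projections only. Assumptions: the names `compose`, `primrec`, `minimize`, `exact_root` and the `fuel` cut-off are hypothetical, and g is taken unary (λx.1 = S∘Z) so that it fits Definition 3.3 with k = 1.

```python
# Added illustration: Python ints stand in for the natural numbers.

def Z(x):
    """Zero function Z = lambda x.0."""
    return 0

def S(x):
    """Successor function S = lambda x.(x + 1)."""
    return x + 1

def proj(k, i):
    """Projection Pi^k_i (1 <= i <= k): returns its i-th argument."""
    def p(*xs):
        if len(xs) != k:
            raise TypeError(f"expected {k} arguments, got {len(xs)}")
        return xs[i - 1]
    return p

def compose(h, *gs):
    """Definition 3.2: x |-> h(g_1(x), ..., g_l(x))."""
    return lambda *xs: h(*(g(*xs) for g in gs))

def primrec(g, h):
    """Definition 3.3: f(0, x) = g(x) and f(y + 1, x) = h(y, f(y, x), x)."""
    def f(y, *xs):
        acc = g(*xs)
        for i in range(y):
            acc = h(i, acc, *xs)
        return acc
    return f

def minimize(g, fuel):
    """Definition 3.6: least y with g(y, x) = 0.

    The real operator searches forever when no such y exists, which is
    what makes the result partial. 'fuel' is an assumption of this
    sketch: the search stops after fuel steps and None marks 'undefined'.
    """
    def f(*xs):
        for y in range(fuel):
            if g(y, *xs) == 0:
                return y
        return None
    return f

# add(y, x) = x + y:   f(0, x) = x,  f(y + 1, x) = S(f(y, x))
add = primrec(proj(1, 1), compose(S, proj(3, 2)))

# mul(y, x) = x * y:   f(0, x) = 0,  f(y + 1, x) = add(f(y, x), x)
mul = primrec(Z, compose(add, proj(3, 2), proj(3, 3)))

# h = lambda y z x.(z * x), obtained from mul and the projections
h = compose(mul, proj(3, 2), proj(3, 3))

# power(y, x) = x ** y:   f(0, x) = 1,  f(y + 1, x) = h(y, f(y, x), x)
power = primrec(compose(S, Z), h)

# Minimization over a total g gives a partial f: the exact square root is
# defined only on perfect squares (g is written directly for brevity).
exact_root = minimize(lambda y, x: abs(mul(y, y) - x), fuel=30)
```

Every function built with `compose` and `primrec` here terminates on all inputs, matching the remark that primitive recursive functions are total; only `minimize` can fail to return a value.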

We call a function Turing computable if there is a Turing machine that calculates the function. Similarly, we call a function lambda computable if the corresponding function in the lambda calculus can be represented by a term of that calculus. The equivalence discussed in the beginning of this section can then be stated as follows:

thm 3.8 Given a partial function f:

f is partial recursive ⇐⇒ f is Turing computable ⇐⇒ f is lambda computable.

The second equivalence was already proved by Turing (1936). From now on, we will call these functions simply ‘computable’, if the kind of computability is irrelevant.


For the three different models of computation, we can informally define what a program is:

• for Turing Machines: a list of instructions;

• for recursive functions: a system of equations (a recursive definition);

• for lambda calculus: a lambda expression.

When we write ‘program’, we appeal to the intuition of the reader that any of these definitions (or their formal equivalents) can be used interchangeably. In all three cases, we can see the result of applying the program to an input as a list of intermediate steps in following the instructions or solving the equations, with the output of the program at the last step. We call this the computation of a program applied to an input. Since we can view programs and computations as (lists of) strings of symbols, we can use Gödel-numbering to assign to each of them a representing number. It does so in a reversible manner: given a Gödel-number, we can reconstruct the associated program or computation. Important in our discussion is that this Gödel-numbering is computable. Luckily, this follows from the following standard result in computability theory:


thm 3.9 There is a primitive recursive bijection $j : \bigcup_{k \in \mathbb{N}} \mathbb{N}^k \twoheadrightarrow \mathbb{N}$.

cor 3.10 There is an injective primitive recursive function that assigns to each program P a unique natural number P which we call the code of the program P, and assigns to each computation C a unique natural number C, which we call the code of the computation C.

Proof. This follows from applying the function j from Theorem 3.9 to the list of Gödel-numberings of symbols of P or C. These codes are unique, since the function is bijective (so certainly injective).

Note that this doesn’t guarantee that every natural number corresponds to a valid program or computation. It is not difficult to adjust the function to make it so, since the procedure to check whether a given program or computation is valid is primitive recursive.

We now arrive at the central results, relating partial recursive functions to the code of a program:

thm 3.11 There is a primitive recursive relation T and a primitive recursive function U such that

• T(e, x, y) holds ⇐⇒ e is the code of a program P, and y is the code of the computation of P applied to input $j^{-1}(x)$.

• If T(e, x, y) holds, then U(y) is the output of the computation coded by y.

The function U is commonly referred to as the output function, and the relation T is usually called the Kleene T-predicate, after Kleene (1943) who first described them and proved that they were primitive recursive.

Now, we can assign a code to each partial recursive function:

thm 3.12 (Kleene’s Normal Form Theorem) Given an m-ary partial function f, there is a number e such that

$$f(x_1, \ldots, x_m) \simeq U(\mu y.T(e, j(x_1, \ldots, x_m), y)),$$

where ‘≃’ means that for any input, the outputs are either equal or both sides are undefined.

Again, this theorem is due to Kleene (1943, thm. iv, pp. 52–53).

Notation: We will use the codes as indexes for functions: $\varphi_e$ denotes the $e$-th partial recursive function. In symbols:

$$\varphi_e(x) \simeq U(\mu y.T(e, x, y)),$$

where from now on we will assume x to be the code of an input. The Normal Form Theorem thus assures that for every partial recursive function f, there is an index e such that $f \simeq \varphi_e$. We will usually use the shorter version $e \cdot x$ instead of $\varphi_e(x)$, also to prevent confusion with formulas denoted by ϕ. Another common notation in the literature is {e}(x).

3.2 Church’s Thesis

In constructive mathematics, there is a much stronger variant of the Church-Turing thesis — somewhat confusingly called Church’s Thesis — which states that every total function is computable:

(ct) Church’s Thesis

$$\forall f : \mathbb{N} \to \mathbb{N}\ (\exists e \in \mathbb{N}\ (f = \varphi_e))$$

This is not only a very strong axiom, but also one that is classically false! An important counterexample is the Halting Problem:

prob 3.13 The Halting Problem asks the following: given a description of a program and an input, decide whether the program applied to that input will terminate.

There are programs that will never terminate: a trivial example would be an infinite empty loop. It would be easy though, to construct an algorithm that would notice that such a program will never terminate. But more generally, there is no effective procedure that can decide for all programs whether they halt or not. Thus: the Halting Problem is undecidable. This was first proved by Turing (1936).

The argument is the following: suppose there is an effectively computable function f such that

$$f(n, m) = \begin{cases} 1 & \text{if } \varphi_n(m) \text{ is defined;} \\ 0 & \text{if } \varphi_n(m) \text{ is not defined,} \end{cases}$$

where $\varphi_n(m)$ is defined if $\varphi_n$ halts at input m. This would imply that f solves the Halting Problem. We can then consider the following program

$$\lambda n.\begin{cases} \varphi_n(n) + 1 & \text{if } f(n, n) = 1; \\ 0 & \text{if } f(n, n) = 0. \end{cases}$$

Because we assumed that f is computable, this function is computable too, so it has a code — say e.

But consider then $\varphi_e(e)$: we arrive at a circularity! Since if $\varphi_e$ halts at input e, we have f(e, e) = 1, so that $\varphi_e(e) = \varphi_e(e) + 1$, an impossibility. But if $\varphi_e$ does not halt at e, then f(e, e) = 0 and $\varphi_e(e) = 0$, and we see that $\varphi_e$ does halt at e! Such a function f therefore can not be computable.

From this, we immediately have a classical counterexample to Church’s Thesis. Consider the following functions (with parameter $i \in \mathbb{N}$):

$$g_i(n) = \begin{cases} 1 & \text{if } \varphi_n(i) \text{ is defined;} \\ 0 & \text{if } \varphi_n(i) \text{ is not defined.} \end{cases}$$

Using the Law of Excluded Middle, either $\varphi_n$ halts at i or it doesn’t, so all $g_i$ are total functions on $\mathbb{N}$. Church’s Thesis would imply that every $g_i$ is computable, but this is impossible. If it was, then the combination of $g_i$’s would solve the Halting Problem. We just showed that this is impossible.

So in any logical system that is strong enough to encode and quantify over numbers and functions, Church’s thesis and the Law of Excluded Middle cannot both hold. Important however, is that there are intuitionistic systems where Church’s Thesis is consistent. That is: adding Church’s Thesis to the system wouldn’t make it inconsistent if it wasn’t before. The difference is that those systems can’t in general prove that functions such as $g_i$ are total, which renders Church’s Thesis inapplicable in those cases.

One such system — and also an important one in the study of intuitionistic logic — is Heyting Arithmetic (HA). It is the intuitionistic equivalent of Peano Arithmetic: it has the same arithmetical axioms, but uses IPC instead of CPC. Specifically, we have:

thm 3.14 Con(HA) ⇐⇒ Con(HA + ct0),

formulas (see Section 4.3). But then we also see that HA ⊬ lem! So HA is truly intuitionistic. In Chapter 4, we will use a similar proof to show that IZF is also intuitionistic.

3.3 Realizability

With this machinery in place, we can take a look at realizability. The precise definition of realizability can depend on the theory or model discussed. We will define it for HA, since it is a relatively simple theory, and suited to get familiar with the definition. The definition we will use for realizability on IZF will differ slightly (see Definition 4.2).

Notation: We write pairs as ⟨p, q⟩, and their accompanying codes as [p, q]. If e = [p, q], then $(e)_0$ denotes the first component p, and $(e)_1$ the second component q. Technically, $(\cdot)_0$ and $(\cdot)_1$ are the unpairing functions, taking e as input. We can assume these functions are primitive recursive. We will overload this notation to also work for pairs, so that e.g. $(\langle a, b \rangle)_0 = ([a, b])_0 = a$. This should not cause any confusion.

def 3.15 We define realizability for formulas of HA recursively (note that e ∈ ℕ):

$$\begin{array}{lll}
e \Vdash \bot & \text{iff} & \\
e \Vdash (s = t) & \text{iff} & (s = t) \text{ is true} \\
e \Vdash \phi \wedge \psi & \text{iff} & e = [p, q] \text{ with } p \Vdash \phi \text{ and } q \Vdash \psi \\
e \Vdash \phi \vee \psi & \text{iff} & e = [p, q] \text{ with either } p = 0 \text{ and } q \Vdash \phi, \text{ or } p = 1 \text{ and } q \Vdash \psi \\
e \Vdash \phi \to \psi & \text{iff} & \forall f((f \Vdash \phi) \to (e \cdot f \Vdash \psi)) \\
e \Vdash \forall x\, \phi(x) & \text{iff} & \forall a(e \cdot a \Vdash \phi(a)) \\
e \Vdash \exists x\, \phi(x) & \text{iff} & e = [a, f] \text{ with } f \Vdash \phi(a)
\end{array}$$

If e ⊩ ϕ, we say that ϕ is realized by e, or that e is a realizer for ϕ.

This definition was first given by Kleene (1945). Some comments are in order. When we write something like ‘e · a’, we assume that e is defined at all possible values of a (for HA, that is usually all natural numbers). In the literature, this is often denoted with ‘e · a ↓’. Also, note that we didn’t say when ‘¬ϕ’ is realized. Since we defined ¬ϕ as an abbreviation for ‘ϕ → ⊥’, we have that

e ⊩ ¬ϕ ⇐⇒ e ⊩ ϕ → ⊥

⇐⇒ ∀f((f ⊩ ϕ) → (e · f ⊩ ⊥)).

Since ⊥ can never be realized, we see that e realizes ϕ if and only if there is no realizer for ϕ. The most important metamathematical remark is that this is not a ‘self-contained’ definition: it presumes an outside view that can tell whether for example ‘s = t’ is true, and from that viewpoint can check whether a certain formula is realized. This is one of the flaws of this definition: if the external viewpoint is a classical one, this hinders the attempt of constructing an independent intuitionistic theory.

One important result about realizability is the following (Kleene, 1945):

thm 3.16 For any formula ϕ:

(HA ⊢ ϕ) =⇒ ∃n ∈ ℕ (HA ⊢ (n ⊩ ϕ)).

The reverse statement however, is not true: there are formulas that can be provably realized, but not proved within the same system. A clear example is the Law of Excluded Middle: looking at the definition of realizability, we see it is not realized for certain formulas (e.g. the Halting Problem), so ¬lem is realized for these formulas. But clearly HA ⊬ ¬lem, since Heyting Arithmetic is a subtheory of Peano Arithmetic (PA). So if HA would prove the negation of the Law of Excluded Middle, then also PA ⊢ ¬lem, which is absurd since the Law of Excluded Middle is an axiom of

4 The McCarty realizability model for IZF

After defining IZF in Section 2.2, we had an important open question: is IZF truly intuitionistic? (see Question 2.7) In this chapter, we will prove that it indeed is: the Law of Excluded Middle is not a consequence of the axioms of IZF. In order to do this, we construct a model that satisfies all the axioms, but not the Law of Excluded Middle. In particular, it satisfies Church’s Thesis (see Section 3.2 and Section 4.3), which is incompatible with the Law of Excluded Middle. Since satisfiability is intuitionistically shown by realizability, and the model we use was developed by McCarty in his thesis (McCarty, 1984), we will call this model the McCarty realizability model. Most of the definitions and proofs in this chapter also come from his thesis, specifically from Chapters 3 and 4. (McCarty, 1986) is a condensed version of the results, and is more widely available.

4.1 The realizability structure

We start by describing our realizability structure, which we define in stages and resembles the usual set-theoretic von Neumann universe V (see Figure 4.1 for a visual interpretation):

def 4.1 The universe of realizability sets, denoted with V(Kl) (where ‘Kl’ stands for ‘Kleene’), is defined by ordinal induction as follows:¹

$$\begin{aligned}
V(\mathrm{Kl})_0 &= \emptyset, \\
V(\mathrm{Kl})_{\alpha+1} &= \mathcal{P}(\omega \times V(\mathrm{Kl})_\alpha), && \text{(for any ordinal } \alpha\text{)} \\
V(\mathrm{Kl})_\lambda &= \bigcup_{\alpha<\lambda} V(\mathrm{Kl})_\alpha, && \text{(for a limit ordinal } \lambda\text{)} \\
V(\mathrm{Kl}) &= \bigcup_{\alpha \in \mathrm{On}} V(\mathrm{Kl})_\alpha.
\end{aligned}$$

If we look at the definition, we see that a realizability set at stage $V(\mathrm{Kl})_{\alpha+1}$ consists of pairs ⟨n, x⟩, where n is a natural number and x is an element of $V(\mathrm{Kl})_\alpha$. McCarty based the idea of a universe with this structure on remarks made by Poincaré (1963) on the constructive notion of a set: a set is then given by its elements combined with ‘proofs’ that those elements are truly in that set. We see this in V(Kl): if ⟨n, x⟩ ∈ a for some realizability set a, we can see n as ‘evidence’ (or in realizability terms: the code of a realizer) that x ∈ a. The role of this evidence will become apparent in our definition of realizability for V(Kl).

Notation: As before, we use ⟨a, b⟩ to describe the pair consisting of a and b, and [n, m] for the code (the Gödel-numbering) of ⟨n, m⟩, where n and m are natural numbers. The unpairing functions $(\cdot)_0$ and $(\cdot)_1$ extract the first and second element respectively (both for pairs and codes of pairs).

Furthermore, for lambda notation: when F is a partial recursive function, we use Λx.F(x) to denote the code of λx.F(x).

1. From now on, we will use the notation ω instead of ℕ. The symbol ω is more common in set theoretic discussions, and emphasizes that it is an ordinal.

[Figure 4.1 (image not reproduced). Stage labels: $V(\mathrm{Kl})_0$, $V(\mathrm{Kl})_1$, $V(\mathrm{Kl})_2$, $V(\mathrm{Kl})_3$, $V(\mathrm{Kl})_\omega$, $V(\mathrm{Kl})_{\omega+1}$. Example sets shown: ∅ =: 0; {⟨0, 0⟩} =: 1, {⟨3, 0⟩}, {⟨1, 0⟩, ⟨4, 0⟩}, . . .; {⟨0, 0⟩, ⟨1, 1⟩} =: 2, {⟨4, {⟨3, 0⟩}⟩}, {⟨5, {⟨1, 0⟩, ⟨4, 0⟩}⟩, ⟨4, 1⟩}, . . .]

Figure 4.1: A visualisation of the universe of realizability sets, which forms the basis of our realizability model. Examples of sets are included at the first stages, among them the internal versions of the internal numbers: 0, 1, 2, . . . (see Definition 4.8).

Note that realizers for V(Kl) always come from ω, so that when we have a realizer e and talk about its components $(e)_0$ and $(e)_1$, e is always the code $[(e)_0, (e)_1]$.

def 4.2 We define realizability for formulas of V(Kl) recursively:

$$\begin{array}{lll}
e \Vdash \bot & \text{iff} & \\
e \Vdash a \in b & \text{iff} & \exists c\,(\langle (e)_0, c \rangle \in b \text{ and } (e)_1 \Vdash a = c) \\
e \Vdash a = b & \text{iff} & \forall c, f\,(\langle f, c \rangle \in a \text{ implies that } (e)_0 \cdot f \Vdash c \in b \\
 & & \quad \text{and } \langle f, c \rangle \in b \text{ implies that } (e)_1 \cdot f \Vdash c \in a) \\
e \Vdash \phi \wedge \psi & \text{iff} & (e)_0 \Vdash \phi \text{ and } (e)_1 \Vdash \psi \\
e \Vdash \phi \vee \psi & \text{iff} & \text{either } (e)_0 = 0 \text{ and } (e)_1 \Vdash \phi, \text{ or } (e)_0 = 1 \text{ and } (e)_1 \Vdash \psi \\
e \Vdash \phi \to \psi & \text{iff} & \forall f((f \Vdash \phi) \to (e \cdot f \Vdash \psi)) \\
e \Vdash \forall x\, \phi(x) & \text{iff} & \forall a(e \Vdash \phi(a)) \\
e \Vdash \exists x\, \phi(x) & \text{iff} & \exists a(e \Vdash \phi(a))
\end{array}$$

If there is an e ∈ ω such that e ⊩ ϕ, then we say V(Kl) |= ϕ.

of things differ. We of course needed to add realizability for ‘∈’. But note that the realizability of ‘∈’ and ‘=’ is determined by a double recursion (simultaneously on ‘∈’ and ‘=’). The fact that this works (i.e. that this definition ‘terminates’) can be shown by ∈-induction. Note that we can apply ∈-induction, because we analyze the system from our outside view of ZF.

The surprising difference compared to our earlier definition, is the uniformity of the realizability for ∀- and ∃-formulas. To realize for example ∀x ϕ(x), you have to realize ϕ(x) for all x at once! It would have been impossible to use a similar construction as with HA — where the realizer is a function that has natural numbers as input — since there is no general way to code realizability sets as natural numbers. See Section 5.1 for the more direct consequences of this constraint (although it plays a role in many of our further discussions).

We check that with this definition of realizability, V(Kl) is sound to intuitionistic logic:

thm 4.3 V(Kl) |= IQC.

Proof. See Definition 2.1 for all axioms of IQC.

Realizers for axioms (A1) through (A10) should be straightforward. Consider for example

(A1) ϕ → (ψ → ϕ).

Suppose e ⊩ ϕ, then Λx.e ⊩ ψ → ϕ. So Λx.(Λx.e) ⊩ ϕ → (ψ → ϕ), and we see V(Kl) |= (A1). Similar reasonings give realizers for the other axioms.

Consider then

(A11) ∀x (ϕ(x)) → ϕ(t) for all terms t.

A realizer for this follows immediately from the definition of realizability for ∀-formulas: if e ⊩ ∀x(ϕ(x)), then e ⊩ ϕ(t) for all realizability sets t. Similarly, ‘ϕ(t) → ∃x ϕ(x)’ (A12) is realized.

Regarding the equality axioms: the proof for

(E1) t = t

is quite technical, and relies on fundamental results in computability theory. We will therefore skip the proof here, but refer the interested reader to (McCarty, 1986, p. 92). Because we will need a uniform realizer for this identity later on, we call it ‘ir’ (for Reflexivity of Identity), so that

ir ⊩ x = x for any x ∈ V(Kl).

The last axiom

(E2) s = t → (ϕ(s) → ϕ(t))

can be proved by simultaneous induction on ‘∈’ and ‘=’. The interesting steps there are to prove that

V(Kl) |= s = t → t = s; (symmetry)

V(Kl) |= (s = t ∧ s = u) → t = u; (transitivity)

V(Kl) |= (s = t ∧ s ∈ u) → t ∈ u;

V(Kl) |= (s = t ∧ u ∈ s) → u ∈ t.

We refer the interested reader to McCarty (1984, pp. 92–95) for the full proof.

Regarding the Rules of Inference: the validity of these follows directly from the definition of realizability.

4.2 Representations inside the structure

We want to interpret the important sets in our outside world — the natural numbers, the set ω of natural numbers, the set $\omega^\omega$ of total functions — and the usual operations on sets — pairing, union — as realizability sets and operations on realizability sets, inside our realizability model. There is not one general way to do this, but we can find suitable interpretations in our structure that ‘behave’ in a similar way inside the structure as their counterparts on the outside. In general, given a set x we will denote our interpretation of x inside the realizability structure with x.

We will start with the basic operations: given realizability sets, constructing singletons, pairs and finite combinations of these realizability sets. We want them to behave as expected: e.g. if we denote the internal singleton with {a}, then we want the model to ‘think’ that a is its only member.

def 4.4 Given a ∈ V(Kl), we define the internal singleton as:

{a} = {⟨0, a⟩}.

Given a, b ∈ V(Kl), we define the internal unordered pair as:

{a, b} = {⟨0, a⟩, ⟨1, b⟩}.

Extending this: given $a_0, a_1, \ldots, a_n \in V(\mathrm{Kl})$, we define the internal (finite) set as:

$$\{a_0, a_1, \ldots, a_n\} = \{\langle 0, a_0 \rangle, \langle 1, a_1 \rangle, \ldots, \langle n, a_n \rangle\}.$$

It should be clear that these new constructions are in fact realizability sets.

Remark: In the literature, there are also different definitions: often {a} := {a, a} for example. We find our definitions more elegant, also with later applications in mind. Internally, they are the same, so it has no impact on our conclusions which convention to take.

It is also standard to use that notation {a} instead of {a}, but we wanted to make clear that it is not the internal version of the set {a}, but the result of the internal operation { · } applied to the realizability set a. Similar concerns also lead to different notations for the internal union (see Definition 4.6), where we use a ∪ b instead of the more common a ∪ b.

We check that these definitions align with our usual interpretations:

lm 4.5 Given $a_0, a_1, \ldots, a_n \in V(\mathrm{Kl})$:

$$V(\mathrm{Kl}) \models x \in \{a_0, a_1, \ldots, a_n\} \longleftrightarrow x = a_0 \vee x = a_1 \vee \ldots \vee x = a_n,$$

so in particular for a, b ∈ V(Kl) (and all x ∈ V(Kl)):

V(Kl) |= x ∈ {a} ←→ x = a,

V(Kl) |= x ∈ {a, b} ←→ x = a ∨ x = b.

Proof. We have to show that we can transform a realizer for ‘$x \in \{a_0, a_1, \ldots, a_n\}$’ into a realizer for ‘$x = a_0 \vee x = a_1 \vee \ldots \vee x = a_n$’ and vice versa.

Strictly speaking, we should express the left side as something like $x = a_0 \vee (x = a_1 \vee (\ldots (x = a_{n-1} \vee x = a_n) \ldots))$. A realizer for that would be a complicated series of nested pairs — similar to a binary tree — where we have to state for the nested disjunctions whether we prove the left or the right side. Instead, we can say that

since it is easy to give a recursive function that transforms such a realizer into a realizer of the strict kind.

Then, we see that realizers for $x \in \{a_0, a_1, \ldots, a_n\}$ are also realizers for $x = a_0 \vee x = a_1 \vee \ldots \vee x = a_n$ and vice versa:

Suppose $e \Vdash x \in \{a_0, a_1, \ldots, a_n\}$, then there is a c such that $\langle (e)_0, c \rangle \in \{a_0, a_1, \ldots, a_n\}$ and $(e)_1 \Vdash x = c$. Since $\{a_0, a_1, \ldots, a_n\} = \{\langle 0, a_0 \rangle, \langle 1, a_1 \rangle, \ldots, \langle n, a_n \rangle\}$, we see $(e)_0 = m \in \{0, 1, \ldots, n\}$, $c = a_m$ and $(e)_1 \Vdash x = a_m$. By our earlier argument, we see that then also $e \Vdash x = a_0 \vee x = a_1 \vee \ldots \vee x = a_n$, which is what we wanted to show. By following this proof backwards, we see that the other direction also holds.

Note that the realizer for the previous lemma is the identity map, or strictly speaking [Λx.x, Λx.x]. This realizer doesn’t depend on the sets $a_0, a_1, \ldots, a_n$. If that is the case, we say there exists a realizer (or a realizability witness) uniform in (or independent from) $a_0, a_1, \ldots, a_n$. This does not always happen, see e.g. Lemma 4.9.

The next operation is taking the union of two realizability sets:

def 4.6 Given a, b ∈ V(Kl), we define the internal union as:

a ∪ b = {⟨[0, n], x⟩ | ⟨n, x⟩ ∈ a} ∪ {⟨[1, m], y⟩ | ⟨m, y⟩ ∈ b}.

Note that since the codes [0, n] and [1, m] are natural numbers, this construction is in fact a realizability set.

Again, this definition has the desired characteristics:

lm 4.7 Given a, b ∈ V(Kl):

V(Kl) |= x ∈ a ∪ b ←→ x ∈ a ∨ x ∈ b.

Proof. We have to transform realizers for ‘x ∈ a ∪ b’ into realizers for ‘x ∈ a ∨ x ∈ b’ and vice versa.

“→” Suppose e ⊩ x ∈ a ∪ b. Then there is a c such that $\langle (e)_0, c \rangle \in a \cup b$ and $(e)_1 \Vdash c = x$. So either:

– $(e)_0 = [0, n]$ with ⟨n, c⟩ ∈ a; or

– $(e)_0 = [1, m]$ with ⟨m, c⟩ ∈ b.

In the first case, we see $\langle (e)_{01}, c \rangle \in a$, and since $(e)_1 \Vdash c = x$ we have:

$$\langle (e)_{01}, (e)_1 \rangle \Vdash x \in a.$$

Similarly in the second case, we see $\langle (e)_{01}, (e)_1 \rangle \Vdash x \in b$. Taken together:

$$\langle (e)_{00}, \langle (e)_{01}, (e)_1 \rangle \rangle \Vdash x \in a \vee x \in b.$$

“←” Suppose e ⊩ x ∈ a ∨ x ∈ b. Then either $(e)_0 = 0$ and $(e)_1 \Vdash x \in a$, or $(e)_0 = 1$ and $(e)_1 \Vdash x \in b$.

In the first case, there exists a c such that $\langle (e)_{10}, c \rangle \in a$ and $(e)_{11} \Vdash c = x$, so we have

$$\langle [0, (e)_{10}], c \rangle \in a \cup b,$$

and

Plugging in $(e)_0 = 0$, we see

$$\langle [(e)_0, (e)_{10}], (e)_{11} \rangle \Vdash x \in a \cup b,$$

and it is easy to check that this realizer also works for the case $(e)_0 = 1$.

We are now ready to work on something ‘practical’: the natural numbers. Usually, we define the natural numbers inductively as follows:

0 := ∅; n + 1 := n ∪ {n}.

We might be tempted then, to take as our internal versions:

$$\tilde{0} := \emptyset; \qquad \widetilde{n + 1} := \tilde{n} \cup \{\tilde{n}\}.$$

This works, but turns out to give unwieldy definitions for higher numbers. There is a more elegant option that will simplify our discussion later on, and is based on the more direct definition of ordinals:

def 4.8 Given n ∈ ω, we define the internal natural number n as:

n := {0, 1, . . . , n − 1}

= {⟨0, 0⟩, ⟨1, 1⟩, . . . , ⟨n − 1, n − 1⟩}

= {⟨m, m⟩ | m ∈ n}.

Fortunately, the model agrees on these different definitions internally:

lm 4.9 Given n ∈ ω:

V(Kl) |= n + 1 = n ∪ {n}.

Proof. We expand the definitions:

n + 1 = {⟨m, m⟩ | m ∈ n + 1} = {⟨m, m⟩ | m ∈ n} ∪ {⟨n, n⟩};

n ∪ {n} = {⟨m, m⟩ | m ∈ n} ∪ {⟨0, n⟩} = {⟨[0, m], m⟩ | m ∈ n} ∪ {⟨[1, 0], n⟩}.

We now want to construct a realizer e, such that for ⟨m, m⟩ ∈ n + 1, we have $(e)_0 \cdot m$ ⊩ m ∈ n ∪ {n}; and that for ⟨[b, c], m⟩ ∈ n ∪ {n} we have $(e)_1 \cdot [b, c]$ ⊩ m ∈ n + 1.

There are two ways to construct such a realizer: the first is to directly construct partial recursive functions $(e)_0$ and $(e)_1$ that suffice. This will work, as can be seen by the internal similarities between the two sets.

The second way is to note that we know ir ⊩ m = m (see proof of Theorem 4.3). If we know m ∈ n (so ⟨m, m⟩ ∈ n + 1), we see ⟨m, ir⟩ ⊩ m = 0 ∨ m = 1 ∨ . . . ∨ m = n − 1 ∨ m = n. Then, using Lemma 4.5, we know there is an effective way to transform this into a realizer i′ such that i′ ⊩ m ∈ {0, 1, . . . , n − 1} ∨ m ∈ {n}. Then by applying Lemma 4.7 and plugging in the definition of n, we get a realizer i′′ such that i′′ ⊩ m ∈ n ∪ {n + 1}. So we know $(e)_0 \cdot m$ := i′′ suffices, and we can calculate i′′ in an effective way for each m, so $(e)_0$ is a recursive function. A

Note that in both cases, the realizer depends on n: it is not uniform in n.

If we use the notation x + 1 := x ∪ {x}, we can summarize Lemma 4.9 as: for any n ∈ ω, n + 1 and n + 1 are internally the same.
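To make Definitions 4.4, 4.6 and 4.8 and the realizer manipulations of Lemmas 4.7 and 4.9 concrete, the following added example (not code from the thesis or from McCarty) builds hereditarily finite realizability sets as Python frozensets of ⟨evidence, element⟩ pairs. Assumptions: Cantor pairing stands in for the unspecified primitive recursive pair code [p, q], all function names are hypothetical, and the equality realizer `r` is an opaque constructed number because checking `r ⊩ x = c` would require applying partial recursive functions.

```python
from math import isqrt

# Assumption: Cantor pairing plays the role of the pair code [p, q].
def pair(p, q):
    return (p + q) * (p + q + 1) // 2 + q

def unpair(e):
    w = (isqrt(8 * e + 1) - 1) // 2
    q = e - w * (w + 1) // 2
    return w - q, q

def fst(e):                      # (e)_0
    return unpair(e)[0]

def snd(e):                      # (e)_1
    return unpair(e)[1]

EMPTY = frozenset()

def singleton(a):
    """Definition 4.4: internal singleton {<0, a>}."""
    return frozenset({(0, a)})

def union(a, b):
    """Definition 4.6: retag the evidence with [0, n] or [1, m]."""
    return frozenset({(pair(0, n), x) for n, x in a} |
                     {(pair(1, m), y) for m, y in b})

def nat(n):
    """Definition 4.8: {<m, internal m> | m < n}."""
    return frozenset((m, nat(m)) for m in range(n))

def members(s):
    """Forget the evidence and keep only the elements."""
    return frozenset(x for _, x in s)

def to_disjunction(e):
    """Lemma 4.7, left to right: [[t, n], r] |-> [t, [n, r]]."""
    return pair(fst(fst(e)), pair(snd(fst(e)), snd(e)))

def to_union(e):
    """Lemma 4.7, right to left: [t, [n, r]] |-> [[t, n], r]."""
    return pair(pair(fst(e), fst(snd(e))), snd(snd(e)))

def check_lemma_4_7(a, b, r):
    """For every <k, c> in the internal union, turn the membership
    realizer [k, r] into a disjunction realizer and check that its tag
    selects the side that really holds <n, c>, that r is untouched, and
    that to_union undoes the transformation."""
    for k, c in union(a, b):
        e = pair(k, r)
        d = to_disjunction(e)
        side = a if fst(d) == 0 else b
        if (fst(snd(d)), c) not in side:
            return False
        if snd(snd(d)) != r or to_union(d) != e:
            return False
    return True

def successor_forms(n):
    """Both sides of Lemma 4.9 as concrete realizability sets."""
    return nat(n + 1), union(nat(n), singleton(nat(n)))
```

The two sets returned by `successor_forms` have the same elements but different evidence, so they are distinct objects of V(Kl); that is why Lemma 4.9 needs a realizer rather than an external equality.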

We end our treatment of the natural numbers with the following absoluteness properties (for a sketch of the proof, see McCarty (1984, p. 109, thm. 3.11)):

lm 4.10 Given n, m ∈ ω:

(a) V |= n = m ⇐⇒ V(Kl) |= n = m;

(b) V |= n ∈ m ⇐⇒ V(Kl) |= n ∈ m.

Now, our definition for ω shouldn’t be surprising:

def 4.11 We define the internal representation of the set of natural numbers as ω = {⟨n, n⟩ | n ∈ ω}.

As before, we will show this ω matches our intuition of the external ω. The following lemma will be helpful:

lm 4.12 For any formula ϕ with one free variable:

V(Kl) |= ∀x ∈ ω (ϕ(x)) iff there is a total recursive function coded by e, such that e · n ⊩ ϕ(n) for all n ∈ ω.

Proof. This follows quite directly from the definition of realizability for ∀-formulas:

“=⇒” Let e′ be a realizer such that e′ ⊩ ∀x ∈ ω (ϕ(x)), so

e′ ⊩ a ∈ ω → ϕ(a) for all a.

Since [n, ir] ⊩ n ∈ ω for all n ∈ ω, we see

e′ · [n, ir] ⊩ ϕ(n).

Thus, taking e · n := e′ · [n, ir], we found our desired total recursive function.

“⇐=” Now suppose we have such a total recursive function coded by e: we want to find a realizer for a ∈ ω → ϕ(a) for all x.

Suppose f is a realizer such that f ⊩ a ∈ ω, so $(f)_1 \Vdash a = (f)_0$. Then by our assumption on e, we have $e \cdot (f)_0 \Vdash \phi((f)_0)$, where $(f)_0 \in \omega$. We now use the Axiom of Substitution of Identity (see (E2) in Definition 2.1) which is realized in V(Kl) by Theorem 4.14. If we apply this to the identity realized by $(f)_1$, we get a realizer for ϕ(a).²

2. We can make this substitution more explicit, at the cost of obscuring the general idea by the introduction of extra symbols. We will make the step explicit here, and leave it out in other proofs where we use a similar step.

In this case, we have $e \cdot (f)_0 \Vdash \phi((f)_0)$ and $(f)_1 \Vdash (f)_0 = a$. Let $k_\phi$ be the realizer such that $k_\phi \Vdash (\phi(y) \wedge y = z) \to \phi(z)$,

which exists by the fact that axiom (E2) is realized for every formula ϕ. Then we see:

Note that the total recursive function e was obtained effectively from e′.

As we did before, we want to show that ω ‘resembles’ ω. But what definition of ω should we take? We will use the one that is closest to the formulation in the Axiom of Infinity:

• it contains 0;

• whenever it contains n, it also contains n + 1;

• it is the smallest set to do so, or equivalently: the induction principle on successors holds (e.g. if ϕ(0) and ϕ(m) → ϕ(m + 1), then ∀n ϕ(n)).

Translated in a formula, and using the internal versions, we get the following:

lm 4.13 Let ϕ be a formula containing one free variable. Then:

V(Kl) |= 0 ∈ ω ∧ ∀x ∈ ω (x + 1 ∈ ω) ∧ (ϕ(0) ∧ ∀y(ϕ(y) → ϕ(y + 1)) → ∀x ∈ ω ϕ(x)).

Proof. We will divide the proof into the three different clauses of the conjunction:

• We see [0, ir] ⊩ 0 ∈ ω, since ⟨0, 0⟩ ∈ ω and ir ⊩ 0 = 0.

• By Lemma 4.12, we only have to give an e such that

e · n ⊩ n + 1 ∈ ω for all n ∈ ω.

This is straightforward, since [n + 1, ir] ⊩ n + 1 ∈ ω, and V(Kl) |= n + 1 = n + 1 by Lemma 4.9. Applying the Axiom of Substitution gives our desired realizer, in an effective way for every n.

• Now for the induction part: suppose the antecedent is true, so there are realizers e and f with e ⊩ ϕ(0), and f ⊩ ϕ(y) → ϕ(y + 1) for all y ∈ V(Kl). We want to realize ∀x ∈ ω ϕ(x). Again by Lemma 4.12, we have to find a g such that

g · n ⊩ ϕ(n) for all n ∈ ω.

We can construct g by recursion:

– for n = 0: set g · 0 := e, since e ⊩ ϕ(0) (note that 0 = 0);

– for n + 1: suppose g · n ⊩ ϕ(n). Then f · g · n ⊩ ϕ(n + 1). By the Axiom of Substitution (since again we have V(Kl) |= n + 1 = n + 1), we get a realizer h such that h ⊩ ϕ(n + 1). Then set g · (n + 1) := h.

All these procedures that transform realizers are effective, so we realized the implication. Taking these realizers together in the usual way will realize the whole formula.

This is our first important result in showing that V(Kl) truly is a model of IZF: the Axiom of Infinity holds! The amount of work it cost us to achieve this result for only one axiom, shows that it would take too much space to give all the axioms the same thorough inspection. We will stick to the most interesting and important ones:

thm 4.14 V(Kl) |= IZF, that is:

(a) V(Kl) |= IQC

(b) all set theoretic axioms of IZF hold in V(Kl)

Proof. From Theorem 4.3, it follows that all axioms from IQC hold. What is left to check are the set theoretic axioms of IZF. We don’t have space to treat all axioms, but we can give some examples and recap earlier results. To start:

V(Kl) |= null, since ∅ ∈ V(Kl).

By Lemma 4.5, we have

V(Kl) |= pair, since {a, b} functions as the pair.

By Lemma 4.13, we have

V(Kl) |= inf, since ω suffices.

We will do one extra axiom:

claim: V(Kl) |= ext.

Proof: We have to realize

∀x∀y (∀a (a ∈ x ←→ a ∈ y) → x = y),

which means that given a realizer e such that

$(e)_0 \Vdash a \in x \to a \in y$ for all a

and

$(e)_1 \Vdash a \in y \to a \in x$ for all a,

we have to realize x = y independently from x and y.

We will work backwards to construct our desired realizer f, so that f ⊩ x = y. This means that for all realizability sets c and natural numbers g, we have

$\langle g, c \rangle \in x$ implies $(f)_0 \cdot g \Vdash c \in y$,

and $\langle g, c \rangle \in y$ implies $(f)_1 \cdot g \Vdash c \in x$.

But if ⟨g, c⟩ ∈ x, we have [g, ir] ⊩ c ∈ x. So $(e)_0 \cdot [g, \mathrm{ir}] \Vdash c \in y$. This works similarly for ⟨g, c⟩ ∈ x. So taking

$$f = [\Lambda g.((e)_0 \cdot [g, \mathrm{ir}]),\ \Lambda g.((e)_1 \cdot [g, \mathrm{ir}])]$$

is a realizer for x = y, which is independent from x and y.

For proofs of the remaining axioms, we refer the interested reader to (McCarty, 1984, pp. 96–99).

It might be redundant to say, but note that Theorem 4.14 is equivalent to

IZF ⊢ ϕ =⇒ V(Kl) |= ϕ.

We have shown that V(Kl) is sound to IZF!

4.3 Church’s Thesis in the realizability model

We are now ready to show that Church’s Thesis holds in V(Kl). We formalize it as follows:

(ct0) Church’s Thesis
