Realizability, Set Theory and Term Extraction

2 downloads 0 Views 650KB Size Report
Aczel, Hyland, Feferman, Grayson, Powell, to name a few. An almost ..... apparently rst put forth in Powell's ( 93]). \Negative" ..... Charles McCarty's Ph.D. thesis, in 1984 80, 79]. ...... 103] Shoen eld, 1967], Mathematical Logic, Addison-Wesley.
Realizability, Set Theory and Term Extraction  In Memoriam Stephen Kleene

James Lipton Dept. of Mathematics Wesleyan University

Contents

1 Introduction 2 Axioms, and the \Nave" Theory

2.1 Justi cations of some of the choices and omissions of ZF-axioms : : : : : : : : : 2.2 Powell Ordinals : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

3 Recursive Realizability Interpretations 3.1 3.2 3.3 3.4 3.5 3.6

Abstract Applicative Structure : : : : : : : : : : Realizability : : : : : : : : : : : : : : : : : : : : : Soundness for IZF : : : : : : : : : : : : : : : : : Term Extraction : : : : : : : : : : : : : : : : : : Strong Intuitionistic Counterexamples : : : : : : Some famous \nonstandard" consistency results :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

: : : : : :

4 Forcing in Constructive Set Theory (Unrami ed)

2 7 8 9

16

16 17 20 21 24 25

26

4.1 Kripke models over V (K) : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 26 4.2 Soundness of IZF Axioms : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 28 4.3 Examples : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 30

5 -sets,Categories and Sheaves 5.1 5.2 5.3 5.4

From Kripke Models to cHa's : : : : : : : : : : : : Logic in a cHa, -sets : : : : : : : : : : : : : : : : Presheaves, Sheaves and Topoi : : : : : : : : : : : Logic in a Topos: three views : : : : : : : : : : : : 5.4.1 The Mitchell-Benabou Language : : : : : : 5.4.2 Kripke-Beth-Joyal Semantics : : : : : : : : 5.4.3 The Fourman-Hayashi interpretation of IZF 5.5 PERs and the E ective Topos : : : : : : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

: : : : : : : :

34

34 35 39 43 46 49 51 53

A A sketch of Kleene's 1952 realizability interpretation

58

B APP and the logic of partial terms

59

A.1 Realizability for HA : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 58

 To

appear in The Curry-Howard Isomorphism: 8-eme volume des cahiers du centre de logique de l'Universite Catholique de Louvain.

1

1 Introduction For most of this century, set theory has enjoyed the reputation of a universal language for mathematics, a reputation perhaps increasingly shared with (and even ceded to) categorical foundations. Can we expect comparable utility for computer science? In computer science, constructive formal systems based on type theory, or on the Curry-Howard isomorphismhave become increasingly widespread for program development and language design. These systems seem to be inherently more constructive than set theory, and more amenable to syntactic analysis. But a good look at many topics set theory reveals that there is nothing intrinsically nonconstructive about sets. Many operations with sets are natural from a computational point of view. Over the past thirty years the features of a truly constructive type-free set theory have begun to emerge, rst in the pioneering work of Myhill and Friedman, and since then of many others: Scedrov, Aczel, Hyland, Feferman, Grayson, Powell, to name a few. An almost parallel endeavor in the study of category-theoretic generalizations of the universe of sets, known as Toposes, began in the 1960's with the pioneering work of Lawvere, Tierney, Freyd and many others. These two lines have merged in the past ten to fteen years, so that one can broadly speaking call them both approaches to a constructive set theory, although categorical studies are closer to the typetheoretic approaches in avor. Both lines will be surveyed here, as approaches to constructive set theory in the broadest sense. We begin, however with a thorough study of the conventional (constructive) theory of . As remarked by Beeson in [6] two possible approaches to formalizing a constructive set theory are to de ne an intuitionistic theory from the ground up, or to \correct" existing classical ontologies until one is \safe in intuitionistic territory". The latter approach, which aims to save some of the desirable features of the classical ontologies, is exempli ed in such type-free theories as CZF and IZF, explored by Myhill and Friedman in the early 1970's 1 and by many others since then. Such a derived character makes type-free set theory an unusual subject, seemingly halfway between two worlds. It has some of the appearance of the powerful, descriptive foundation of classical mathematics found in Zermelo-Fraenkel Set Theory (ZF). Shorn of the excluded middle and a few other \dangerous axioms", it turns out to be closer that one might rst suspect to the typed, computational, guardedly constructive theories often studied for computer science applications, such as Martin Lof's type theory, Coquand and Huet's Theory of Constructions [19], etc.

Metamathematical issues Before exploring the theory, a few general remarks are in order. We cannot go into the general motivation for ZF set theory here2 although the axioms are brie y presented and discussed in the rst section of the paper. We assume assume that the reader has seen the elements of ZF or some axiomatic presentation of set theory (if not, an excellent discussion can be found in Johnstone's lecture notes [53]) Nonetheless, let us highlight a few, perhaps obvious points. First, the study of Set Theory, like that of a few very special theories (Constructions, Martin-Lof Type theory, etc.) is unique in one respect: it is an ontology , i.e. a proposed mathematical universe. This gives rise to very special problems since a formal study of such an ontology and its semantics is often done within the theory itself, or at least within a similar one: we do not wish to postulate a new notion of universe for the sole purpose of studying our picture of the world 3. Di erent foundations have special devices for doing this sort of self-study, e.g. universes in Martin-Lof's Theory 4. Because of its type-free, impredicative nature, in developing set theory 1 The earliest papers on the subject known to the author were presented at the \Intuitionismand Proof Theory" Symposium, in Bu alo, 1970, and later at the 1971 Cambridge Summer School in Mathematical Logic [85, 86, 34] 2 See [114, 6] for a comparative discussion of di erent classical and intuitionistic set theories. 3 We may then have to postulate yet another one for validating the second one. This possibility of in nite proliferation of meta-worlds was {in essence{ pointed out over two thousand years ago by Aristotle. 4 which have been exploited for re ection in the Nuprl system, see e.g. [17]

2

we must also take special care in de ning the right notion of models and meta-mathematical machinery, to avoid paradoxes (see [64] for an excellent discussion of the metamathematical issues). Set theory has made it possible to place most known mathematics within a single metamathematical framework. Despite the paradoxes and some of the problems one faces in de ning and dealing with cardinality, choice, proper classes, etc., it must be remarked that the world that Cantor built, and which Zermelo and others formalized, has been remarkably successful. Many mathematicians use set theory in practice as a kind of machine-code for mathematics, as well as a testing ground for the accuracy of one's notions: \if you can't de ne it in set theory, it isn't a well-de ned idea". It is precisely this kind of success, and the remarkable possibility of studying set theory and its models within set theory that led Hilbert and others to search for something so ambitious as a single foundational theory for all of mathematics that could ratify itself: prove its own consistency| an aspiration dashed by Godel in his 1931 paper [47]. This sweeping expressive power of set theory is what makes the prospect of a truly computational set theory attractive for computer science.

A type-free theory for higher-order term extraction. Set theory is a rst-order theory: we never quantify over formulas. But it is capable of formalizing higher order theories in a natural way, since what we usually mean by quantifying over all functions, say, on the natural numbers 8F : N ! N(: : : (F) : : :) can be expressed in set theory as 8x(funcN (x) ! : : : (x) : : :) where funcN (x) is the statement that x is a function from N to N, i.e., a set of ordered pairs hn; mi  N  N with the usual properties. In this sense, studying set theory is studying one way of formalizing higher order reasoning. Thus, a suitably constructive development of the subject might provide us with an ontology which is computationally useful, and where we can place a discussion of numbers, reals, sets of reals, sets of sets of reals, functions, etc., on the same footing, via a universal data type of sets. But what do we mean by suitably constructive? This depends on the applications one has in mind. I am partly guided here by projects like Nuprl, PX, Coq, Alf, Ergo, etc. (see e.g. [18, 46]) that permit the automatic extraction of algorithms from proofs. One of the aims of such systems is to produce algorithms which are guaranteed to be correct 5 , i.e. to satisfy a given speci cation. A speci cation is a logical description of a property to be satis ed by the input-output values of the algorithm. For example, a function f that computes the greatest proper divisor of its inputs satis es 8x (x; f(x)) where (x; y) is the formula div(y; x) ^ (8z)(div(z; x) ! z  y) We will consider a speci cation of this function to be the formula (x; y) together with a proof of totality of the speci cation, meaning a proof of the formula 8x 2 N 9y 2 N (x; y) in some formal system. Term extraction refers to an automated procedure for producing {given the speci cation{ an algorithm that computes such a function in a given programming language. In a system based on automated term extraction one programs by building proofs in a certain formal system . This means that one substitutes the possibly painful task of proof construction within a (possibly quite rigid) formal system for that of writing code in one's favorite programming language: not necessarily a pleasant discipline, but a price one pays for the guarantee of 5

up to the point, of course, that the system implementation has been painstakingly proven correct!

3

correctness. 6 Systems based on type theory have proven very useful for term extraction, but the rigidity of typing (which o ers many bene ts, to be sure) makes it dicult to pass between concepts at di erent type-levels. Considerable work must sometimes be done to get around this, and move freely between e.g. sets of individuals and individuals. Since type-free set theory makes no formal distinction between di erent levels, it is of interest to develop a term extraction system based on such a theory.

What does it mean to be constructive?

We assume here that the reader has encountered at least an elementary exposition of constructive principles, and in particular some notion of constructive proof7. We brie y recap some essential points, making no claim to be comprehensive. There are today many schools of thought that voice adherence to some notion of intuitionism (and our own presentation of set theory does not attempt to follow any speci c tendency). Nonetheless, certain points of view are common to most. We can think of the conceptual origin of constructivism as a critique of certain kinds of arguments that began to appear in 19th and 20th century mathematics. Such arguments included proofs by contradiction of the existence of certain mathematical objects (e.g. numbers, roots of equations, points in a space, functions). Inspection of these proofs showed that they neither supplied the object they adduced to exist nor the means for computing them. To cite one example: the intermediate value theorem states that a continuous function on the real interval [0,1] which is negative at 0 and nonnegative at 1 must have a root in [0,1]. Inspection of the customary proof of this theorem shows that it derives absurdity from the supposition that such a root does not exist. No means of computing such a root is to be found in the proof . The constructivist critique resulted in rejection of such an argument as a proof of an existential assertion. The use of such principles as

::A ! A or A _ :A was found to be responsible for the unwarranted conclusion. In fact, from this perspective, the true conclusion of the intermediate value theorem is ::9xf(x) = 0, which is a weaker conclusion. It would be inaccurate to say that constructivist critique can be reduced to a question of restricting the allowable means of inference, or even that it is an inherently logical critique.8 Nonetheless, it ultimately led to a recasting of the proof theory and semantics of logic itself. Gentzen (see e.g. [95, 114, 23]) de ned several formal systems for carrying out intuitionistic reasoning. Heyting and others came to spell out a constructivist restatement of the meaning of the logical connectives, which underlies both the Curry-Howard and the Realizability approaches, and which we brie y sketch here. It is known, in one form or another, as the Brouwer-HeytingKolmogoro interpretation (see, e.g. [6, 114, 23]). We restate it here in terms of evidence , a formulation inspired by [16].  Evidence for A ^ B is given by supplying evidence for A and evidence for B. 6 Engineering practice is quite another issue here: often one wants to incorporate\validated" code in the library into code extracted from proofs. Also one may wish to partially automate the most repetitive parts of proof construction, or write code to manage large libraries of theorems and lemmas, and make it possible to hide trivial fragments of proofs from the user.(see e.g. [17, 18]) Building a system that does this in an ecient and useful way is as much or more of an engineering challenge as devising the right formal system is a mathematical one. 7 If not, we recommend[21] for a quick introduction[114, 23] for a more thorough one, and for further references, and [24] for a detailed discussion of the philosophy and metamathematics of intuitionism. 8 Brouwer, the originator of intuitionism, certainly never felt that formal systems had anything to do with intuitionistic mathematics. We urge the reader to consult the rst chapter of [114] for an outline of the di erent schools and the sources mentioned for a further discussion.

4

 Evidence for A _ B is given by supplying evidence for A or for B and some indication of

which one is involved (and possibly an indication of the fact that it is to be regarded as evidence for A _ B).  Evidence for A ! B is given by supplying a rule or procedure that constructs evidence for B from evidence for A.  Evidence for (9x)A is given by supplying a \witness" c from the intended domain of the variable x and evidence that A(c) holds.  Evidence for (8x)A is given by supplying a rule or procedure that constructs evidence for A(c) from each individual c in the domain of the variable x. The reader should think of this more as statement of principle than a de nition. It leaves unspeci ed the meaning of the words \rules", \procedures", \constructs", \domain" and it does not state what constitutes evidence for an atomic propositions! The reader may replace \evidence" by the word \proof", and in the process make a step towards natural deduction, type theory and the Curry-Howard isomorphism. If the intended domain is the natural numbers and the language h+; i, and if rules or procedures are read as algorithms , and evidence as some sort of nite code (e.g. a number) and e.g. any number is considered evidence for a true atomic proposition, one has virtually de ned Kleene realizability , as described in the appendix. Note, however, that if one lets \rule" mean an arbitrary function and uses classical reasoning, the interpretation is sound for classical logic! In fact given a classical Tarski model M if we declare atomic formulas to be realized by all the natural numbers if true in M, and by nothing if false, then a proposition has evidence if and only if true in M (see [114], introduction). So these precepts do not pin down constructive reasoning, they merely provide a way of carrying one's intuitively acceptable notion of rules and construction into an interpretation of logic.

Constructivity and ZF

For readers familiar with constructive mathematics or with other intuitionistic formal systems, the idea of carrying such an eminently non-constructive theory as Zermelo-Fraenkel set theory over into a constructive, or even computational domain may seem misguided. Nonetheless, some features of IZF are not entirely unreasonable for such a domain. As stressed by many authors (see e.g. Shoen eld's discussion in [103]), ZF can be thought of as a theory issuing from an iterative, strati able, and hence in a (very weak) sense, constructive picture of the mathematical universe. One can think of the world as being built in stages corresponding to ordinals . Every set has an ordinal rank which one can think of as a time stamp indicating when the object was created, and which objects had to already exist prior to its creation. The restriction of fragments of classical ZF to intuitionistic arguments retains many desirable features, while removing some of the ones that are o ensive from the classical standpoint. But the fundamental interest in throwing out classical axioms is to obtain new consistent extensions. New, \highly non-classical" interpretations are now available. It is these interpretations that are of interest computationally, far more than the theory itself. The aim of our study is to show that inherently computational semantics of the entire ontological framework {the realizability interpretations{are now possible. In some of these interpretations, certain \strongly" non-classical principles [24, 114] are seen to hold: all total functions from N to N are recursive , all total, real-valued functions on the reals are continuous . Within certain limits, the body of results known as recursive mathematics , (that is to say the development of recursive versions of the main results in Algebra, Analysis, Topology, starting with Turing, the Russian Constructivist school, Nerode, Metakides, etc., see e.g. [6, 20]) can be understood to be what takes place within a realizability interpretation (see e.g. remarks in [49]), although e orts to exploit this in a systematic way have as yet been limited (see e.g. Scedrov's article in [98]). 5

To sum up, IZF and related constructive systems, viewed within the realizability interpretations, provide a powerful formalism for synthesizing correct algorithms from proofs of totality of recursive speci cations that use the full, impredicative apparatus of IZF, and the same speci cation language found in ordinary mathematical practice. Realizability in IZF is an after-the-fact computational analysis of proofs and propositions, a bit like typing untyped expressions: it amounts to a systematic wringing out of recursive content.

Organization of these notes

We start with an exposition of the basic theory: the axioms, and the way semantics (of di erent kinds) are formalized within the theory. We supply most of the details in proofs at the beginning, to make the early exposition as close as possible to being \self-contained". We also feel that the reader bene ts more from a close look at one or two developments than a catalogue of the many systems that now bear the name \constructive set theory" and which can be found in the references. Our nal section is devoted to a sketch of several ways of interpreting constructive set-theory categorically. It is intended more as a guide to the ideas and the literature than an exposition, which would require a book length treatment, and for which some excellent references exist (see e.g. [74, 31, 65, 55, 89]). There is more emphasis here on the tools, which have become central to the eld and to theoretical computer science, and the approach here is primarily semantical. We conclude our discussion with an outline of the e ective topos and related models.

6

2 Axioms, and the \Nave" Theory We will now give the formal axiomatization of Intuitionistic Zermelo-Fraenkel Set Theory, IZF, and several related theories, here denoted IZF0 and CZF. Except where the demands of intuitionism require modi cation, the axioms are identical to those of older classical theories: IZF and KP set theory (in fact they are all classically equivalent to their parent theories). It is in the restriction of the logic that this theory becomes constructive. The excluded middle (LEM) may not be used. Let us underscore the fact that the theories considered here are all extensional : to sets are equal precisely when they have the same elements. Intensional theories are also of computational interest and are studied in e.g. [6], where a coding, due to Friedman, of extensional set theory into intensional is also discussed. A more detailed discussion of these axioms can be found in [80], op.cit. and [6] and [86] .

Axioms of IZF, IZF0 and CZF (1) Extensionality 8x; y8z(z 2 x () z 2 y) ! x = y Two sets are equal i they have the same elements.

(2) Pairing 8x; y9z8w(w 2 z () w = x _ w = y)

If x and y are sets then there is a set fx; yg consisting of precisely the members x and y.

(3) Union 8x9z8w(w 2 z () 9y 2 x  w 2 y) S x exists.

(4) Power 8x9z8w(w 2 z () 8y 2 w  y 2 x)

The power set of x, P (x)  fy : y  xg exists.

(5) In nity 9x(9y(y 2 x) ^ (8y)(9z)(y 2 x ! z 2 x ^ y 2 z))

There is an in nite set: i.e. an inhabited set x whose every member y is a member of another member of x. (6) Separation' 8x9z8w(w 2 z () w 2 x ^ ') z not free in ' The collection of members of a given set having a certain ( rst-order) property is a set: If ' is a formula, and x is a set, then there is a set consisting of all members of x for which ' holds, usually denoted fw 2 x : 'g. 0 (6 ) Bounded Separation' 8x9z8w(w 2 z () w 2 x ^ ')

The same, but only for properties de nable by bounded quanti cation: ' must be a 01 formula. (7) Collection' 8x[(8y 2 x9z') ! 9W 8y 2 x9z 2 W'] W not free in ' If every member of a given set x has a rst-order de nable collection of associated elements, then there is a set W containing at least one of these associates for each member of x. (70) Replacement' 8x8y 2 x9!z' ! 9W 8y 2 x9z 2 W' A functional image of a set is a set.

(8) 2-Induction 8x[(8y 2 x)'(y) ! '(x)] ! 8x'(x)

Analog to induction on numbers: If a property holds for any set whenever it holds for its members then it must hold for every set.

IZF is the unprimed set of axioms (1) through (8), IZF0 is (1) - (6), (70) and (8), CZF is (1) - (5), (60 ) (70) and (8). The theory we shall be most concerned with here is IZF. However, in certain regards, IZF0 , CZF are the more constructive theories: they have the existence property EP and the disjunction 7

property DP9 while IZF does not. EP for CZF was shown by Myhill in 1975. The failure of

EP in IZF was established by Friedman and Scedrov in [36]. Our decision to take IZF as the rst ontology to study is based on the following property: IZF is strong enough to formalize and establish soundness of (the standard) semantics for set theory, i.e., it is self-validating:

1. IZF ` \cHa semantics are sound for IZF" (see Grayson 1977 paper [42]). 2. IZF ` \forcing and sheaf semantics are sound for IZF" (see e.g., Grayson, op.cit., Fourman, 1980 [29]), and section 4, below. 3. IZF ` \realizability is sound for IZF" (McCarty, 1984 Ph.D. Thesis [80]). (2) and (3) will be shown in some detail below. IZF0 is not known to have the corresponding self-validation property.

2.1 Justi cations of some of the choices and omissions of ZF-axioms

Why is the foundation axiom stated in terms of -induction, rather than in the traditional way: \every set has minimal members"? Because this statement of foundation would give us back all of classical set theory!

Lemma 2.1 (Myhill) \Classical Foundation" ( Every inhabited set has an 2-minimal element) ) LEM (the law of the excluded middle), i.e., CF (8z)[9x(x 2 z) ! (9w)(w 2 z) ^ 8t(t 2 w ! t 2= z)] gives us back every instance ' _ :' of the excluded middle. proof: Assume \classical foundation" (CF), and let S = fxj(x = 0 ^ ') _ x = 1g where 0 = fg; 1 = f0g: This set is often written f0d'; 1g, the set of \0 when ', 1". We will use such sets often. The reader accustomed to classical set theory may want to think of S as a nonstandard subset of f0; 1g, which classically must be either f1g or f0; 1g, but intuitionistically must be thought of as neither (in general). Since 1 2 S we have some so 2 S which is minimal, i.e., 8t(t 2 so ! (t 2 S !?)). Now so 2 S ! (so = 0 ^ ') _ so = 1. Suppose so = 0 ^ '. Then ', hence ' _ :'. Suppose, on the other hand so = 1, then 8t(t 2 1 ! (t 2 S !?)) and, in particular, 0 2 1 and 0 2 1 ! (0 2 S !?), so 0 2 S !?, i.e., (0 = 0 ^ ') !?, forcing ' !? i.e., :' hence ' _ :'. So, for any sentence ', IZF ` CF ! ' _ :'. Notice that only the axioms of Separation, Union, Extensionality and Pairing were used in the proof. Why the absence of Choice?

De nition 2.2 De ne AC to be the axiom [ 8s(9f : S ! S)(8x 2 S)(f(x) 2 x) 9 the Existence and Disjunction properties for a theory T over a language with closed terms state: T ` 9x'(x) ) T ` '(a) for a closed term a, and T ` A _ B ) T ` A or T ` B . They have long been regarded as fundamental criteria of constructivity of a theory. (See [114]). In the absence of closed terms, as in IZF, the existence property must be stated in terms of a formula D(x) whose extension is precisely a singleton set fag i.e T ` 9x'(x) ) T ` 8x'(x) ! D(x) ^ 8x;y(D(x) ^ D(y) ! x = y).

8

Lemma 2.3 (Diaconescu, 1975)

IZF ` AC ! LEM: i.e. Choice gives us back all instances ' _ :' of the Law of the Excluded Middle. In fact, inspection of the proof shows Separation + Union + Extension + Pairing + AC ` LEM

Proof: Let S = ff0d'; 1g; f1d'; 0gg i.e., S = fa; bg where: a = fxjx = 0 ^ ' or x = 1g b = fxjx = 1 ^ ' or x = 0g S and assume there is a choice function f : S ! S such that (8x 2 S)f(x) 2 x. Then, it is easy to see that (f(b) = 1) _ (f(a) = 0) _ (f(b) = 0 ^ f(a) = 1). We consider each case. case 1: f(b) = 1. Then 1 2 b; so (1 = 1) ^ ' or 1 = 0 (1 = 1) ^ ' ! ' (1 = 0) ! ' (by ?! ') so we get '. case 2: f(a) = 0: Then '. case 3: f(b) = 0 ^ f(a) = 1. In this case, we obviously have f(a) 6= f(b), so, in particular, a 6= b since by hypothesis f is a function 10 . But a 6= b ! :', since ' ! (0 = 0 ^ ') ^ (1 = 1 ^ '), which implies that a and b are both the set f0; 1g, hence a = b, and therefore, in all cases ' _ :': So we can't allow choice in without getting back classical logic. Remark: The countable axiom of choice (for !, the natural numbers) does not give us so much trouble: AC!;! (8x 2 !)(9y 2 !)'(x; y) ! (9f 2 !! )(8x 2 !)'(x; f(x)) holds in many non-classical models of IZF11 including the realizability model, as we shall see below, but it is not a theorem. (See Fourman's [29].) The technique shown above to \refute" AC and CF is known as the method of weak counterexamples , i.e., a proof that IZF ` ' ! LEM is called a weak counterexample to '. We

still need to show IZF 6` LEM (e.g., using cHa models, non-Boolean toposes, or Realizability interpretations) to establish that ' is not a theorem of IZF. But rst: a few more topics in \naive IZF"

2.2 Powell Ordinals

De nition 2.4 An ordinal is a transitive set of transitive sets, i.e., ON( ) def  (8x 2 )(Trans(x)) ^ Trans( ) where

Trans(x)  8z 8w(z 2 w ^ w 2 x ! z 2 x):

i.e., to be precise: func(f; D;E )  8x9y(x 2 D ! y 2 E ^ hx;yi 2 f ) ^ 8x8y8z(hx;yi 2 f ^ hx; zi 2 f ! y = z) so: f (a) 6= f (b) means we must have 9z9wha;zi 2 f ^ hb; wi 2 f ^ z 6= w and also a = b ! 8z8wha;zi 2 f ^ hb;wi 2 f ! z = w, hence f (a) 6= f (b) ^ func(f ) ` a = b !? 11 so we don't have AC !;! ) LEM. 10

9

Observe that: ON( ) ^ z 2 ! ON(z). The following \positive" and \negative" results may help elucidate the preceding de nition, apparently rst put forth in Powell's ([93]).

\Negative" Results De nition 2.5 An ordinal is decidable if 2 is decidable in , i.e., 8 , 2 ( 2 _ 2= ). is trichotomous if 8 ; 2 ( 2 _ 2 _ = ) The reader can establish by 2-induction that the two properties are equivalent. Lemma 2.6 All ordinals decidable ) LEM. Proof: Consider = f0; f0d'gg, where ' is an arbitrary sentence. is an ordinal since x 2 y 2 ) x 2 0 _ x = 0 ^ ' ) x = 0 ) x 2 : Suppose y 2 . Then y = 0 _ y = f0d'g  if y = 0 then y transitive (vacuously).  if y = f0d'g and w 2 x 2 y then x = 0 and w 2 0 so w 2 y, so y transitive. Now suppose were decidable: , 2 ! 2 _ 2= . Then 0 2 f0d'g _ 0 2= f0d'g Hence ' _ :'. De nition 2.7 For an ordinal, the successor of , called +1

( or + )

is de ned to be the set

[ f g: An ordinal is a weak limit if 8 2 9 2 ( 2 )) Note that + is an ordinal: x 2 y 2 + ) x 2 y 2 _ x 2 y = hence x 2 so x 2 + . Therefore + is transitive. Its members are or members of , hence they are also transitive.

Lemma 2.8 The following imply the excluded middle: 1.  ! 2 _ = ( take = f0d'g; = f0g) 2. 2 ! + 2 _ + = (try = 0, + = f0g, = f0, f0d'gg) 3. Every ordinal is 0 or a successor or a weak limit.

proof: Let = f0;Sf0d'gg (shown an ordinal in the proof of lemma (2.6)). Then 6= 0. a successor ) = f g ) 2 , so = 0 _ = f0d'g ? = 0 ) Sf g = f0g ) = f0g ) :' ? = f0d'g ) Sf g = f0d', f0d'gg ) ' a weak limit ) 0 2 f0d'g, hence '. Thus, in all cases, we have ' _ :'. 10

The preceding lemmas show that if we wish to retain the constructivity of our set theory, we cannot hope to preserve such familiar features as the linear ordering of ordinals, nor, more importantly, can we induct on the traditional ordinal cases of successor and limit. So what are ordinals good for in IZF? A lot. They supply us with a non-linear but useful ranking of the universe and with a case-less trans nite induction, We thus retain many of the hallmarks of classical ZF. The following results make this precise.

\Positive" Results

Perhaps the main justi cation of the Powell Ordinals and the formulation of foundation that IZF retains is that: 2-induction

)

trans nite inductive de nitions on ordinals that do not make case distinctions work in IZF. in a way made precise in the indictive de nability theorem below. Note that in the statement of the theorem we use the informal term class function below to denote a formula which is functional for all arguments in its domain, but is not necessarily a set, for reasons we brie y discuss here. We remind the reader that certain \large collections" such as that of all sets (to be called \V" below), cannot be counted as sets, by an argument due to Russell (1906) and known as Russell's paradox. This runs as follows. If fx : x = xg is a set, then by separation (and validity of x = x), so is fx : x 2= xg. But the reader can check that (fx : x 2= xg 2 fx : x 2= xg) () :(fx : x 2= xg 2 fx : x 2= xg) From A () :A one easily derives falsity, for any A, just in intuitionistic propositional logic. As just mentioned, we use the letter V to denote the \standard model" of all sets, which is something of a ction, but one we will have to live with until more semantic notions have been developed. V is ocially a formula V (x) whose extension is \all sets", for example V (x)  x = x. Thus, ocially, the statement \x 2 V " is a euphemism for V (x). Submodels M of V will be formulas that restrict the choice of x. Properties are then said to be \true in M" if they hold when their quanti ers 8x; 9x are relativized to M, that is to say, replaced by 8x 2 M, 9x 2 M. The reader may want to think of these classes informally as worlds, i.e. models according to the reader's notion of model, perhaps a set or Kripke model interpreting  as a binary relation.12 Since we have not yet developed the model theory we proceed formally in terms of formulas as models. The ranked universes we will de ne several times in this article (once we have established the validity of trans nite inductive de nitions) are themselves formulas, however these actually denote sets, as can be readily seen applying power set, collection and -induction to the inductive de nition of the hierarchy. Thus the reader may think of these semantics in terms of ranked set-theoretic approximations to the \totality" of the world of sets. We begin by giving an informal statement of the inductive de nability theorem. The formal statement of the follows immediately after. Theorem 2.9 (Inductive De nability) Let A be a set, ON the ordinals, G a \class function" V  A  V ! V . Then there is a unique class function F : ON  A ! V such that 12 The metamathematical issues here are delicate. We cannot prove that a set -model of IZF exists within IZF by Godel's second incompleteness theorem. This is the problem of formalizing an ontology within itself alluded to in the introduction. We refer the reader to appendix 3, ch. 1 of [64] for an excellent, precise discussion of the issues in a classical context. A constructive outlook poses even greater challenges. A radical constructivist would challenge the existence of mathematical objects independent of their construction, and would not accept anything like a mathematical object containing \everything". The reader must proceed according to his or her own intuitions!

11

(1)

(8 2 ON)(8x 2 A)F( ; x) = G( ; x; (F  ; x))

where F  ; x = fhx; ; F( ; x)i : 2 g.

The formal statement of this is perhaps a bit less readable: assume 'G is a formula such that (2)

8a 2 A8y8z 9!w'G (a; y; z; w)

Then we can construct a formula U such that the following holds (3) (8 2 ON)(8x 2 A)(8z)[U( ; x; z) () 'G ( ; x; fhx; ; wij 2 ^ U(x; ; w)g; z)] and 8 8x 2 A9!zU( ; x; z) and, if W( ; x; z) satis es (3) then (8 2 ON)8x z W( ; x; z) () U( ; x; z): Intuitively, f is built by taking ordinal-bounded approximations to the class function. We show existence and uniqueness by 2-induction. The arguments are the same ones used in classical ZF but with some care taken not to invoke ordinal case distinctions in our induction.

De nition 2.10 Let A and G be as in theorem (2.9) and  an ordinal. We de ne a - approximation (to G on A) to be a function f with domain   A satisfying DAG (f; ; A) , which is

the formula

(4)

(8x 2 A) (8 2 ) f( ; x) = G( ; x; (f  ; x)):

Lemma 2.11 If g is a -approximation and g0 a  0-approximation then (suppressing the second argument x 2 A) g   \  0 = g0   \  0: proof: The proof is by 2-induction on the rst ordinal . Fix  0 and a  0 approximation g. Suppose, inductively, for every 2  and every -approximation h we have h  \  0 = g0  \  0: Then suppose  2  \  0 . Then 2  ! 2  \  0 . Observe also that if g is a -approximation it is also a -approximation. Thus, for every x 2 A, by induction hypothesis g(; x) = G(; x; (g  ; x)) = G(; x; (g0  ; x)) = g0 (; x) Therefore, g(; x) = g0 (; x) for every  2  \  0 which is what we wanted to prove. Lemma 2.12 Fix G and A as above. Then, for every ordinal  there is a -approximation. proof: By induction: we assume 9hDAG(h; ; A) for smaller ordinals , that is to say, for every ordinal in  we have a function h with domain  A satisfying for every  2 and x 2 A h(; x) = G(; x; (h  ; x)): 12

Then de ne the ternary relation ' by (5)

def

'( ; x; y)  2  ^ (8h)(DA(h; ; A) ! G( ; x; (h  ; x)) = y):

It is easy to check that ' is functional (by the preceding lemma two di erent witnesses h and h0 to the existential quanti er would agree on ), and has with domain . So let f(x) = y () '( ; x; y) It is easy to show by induction now that f agrees with every -approximation for 2 so f  ; x = h  ; x whence f( ; x) = G( ; x; (f  ; x)) and is therefore a  approximation. Now let U(; x; y) be the result of 8 quanti cation of the right hand side of (5). U is the formula whose existence is asserted in (3), which proves theorem (2.9). Of course our foundation axiom allows us to make inductive de nitions directly on the structure of sets. Lemma 2.13 Let A and B be sets, g a function from A  (A  P (B)) to B. Then there is a unique function f : A ! B satisfying

8x 2 A f(x) = g(x; f  x) The proof is a straightforward induction, and left to the reader. See remarks after def. (2.19) about induction on other kinds of relations. We will repeatedly make tacit use of the preceding results in our de nitions. For example, we are now able to de ne, constructively, a unique rank function, as in classical set theory. De nition 2.14 For any set x we de ne rk(x) def  Sfrk(y) + 1 : y 2 xg Recall that x + 1 def  x [ fxg. This de nition is justi ed by lemma (2.13) for x a member of any set A and [ g(x; z) = f1u [ f1ug : u 2 z g One must then show that the value of rank(x) is independent of the choice of A. The details are left to the reader. Lemma 2.15 (8x)rk(x) 2 ON Proof: Recall that 2 ONS ! + 1 2 ON. Also, if x is a set of ordinals ) S x is an ordinal. For, suppose w 2 v 2 r 2 x. Then z. Therefore v must S w 2 v 2 r 2 z 2 x for some ordinal S be a member of z, and hence v 2 x and w 2 r. This shows that x transitive and that r is S transitive, but then x is an ordinal. S Now suppose (8y 2 x)rk(y) 2 ON. Then rk(y) + 1 2 ON and frk(y) + 1 : y 2 xg 2 ON so, ((8y 2 x)rk(y) 2 ON ! rk(x) 2 ON) and by 2-induction, (8x)rk(x) 2 ON. Lemma 2.16 8 2 ON rk( ) = . Proof: Suppose 8 2 rk( ) = (Recall that 2 ) 2 ON) Then, if 2 we have 2 + 1 so 2 rk( ). Suppose 2 rk( ). Then 2 + 1 for some 2 forcing 2 or = . But then 2 . Hence rk( ) = : With the Powell ordinals we are also able to de ne a constructive analogue of the ranked \standard model" of set theory.

13

De nition 2.17 (The Von Neumann Hierarchy) The formula V , the Von Neumann universe of sets, is de ned in terms of the strati ed or ranked levels V in the same spirit as classical ZF: [ V = fP (V ) : 2 g [ V = fV : ON( )g

Strictly speaking V is a unary formula satisfying

V (x) () 9 ON( ) ^ V ( ; x) where V ( ; x) is a formula whose existence is guaranteed by the inductive de nability theorem (2.9) with

V ( ; x) () 'G ( ; x; fh ; xi : 2 ^ V ( ; x)g) S def and where 'G ( ; x; y)  x  (^ (y)) ,with ^ (y) = f3z : z 2 yg and 3(ha; b; ci) = c. There is a well-de ned notion of rank associated with this hierarchy, namely the function rk(x) we just saw: Lemma 2.18 (8x)x 2 Vrk(x)+1 Proof: Say (8y 2 x)y 2 VSrk(y)+1 i.e., y 2 SfP (V ) : 2 rk(y) + 1g. Then y 2 P (V ) for some such . But rk(y) + 1  frk(z) + 1 : z 2 xg = rk(x) so 2 rk(x). Therefore [ y 2 fP (V ) : 2 rk(x)g = Vrk(x):

But then we have shown x  Vrk(x) , hence x 2 P (Vrk(x) )  Vrk(x)+1 . Thus in IZF we can prove 8x9 (ON( ) ^ x 2 V ), which is to say everything in the universe is ranked . A few more nice facts (left to the reader to prove): 1. V is transitive. 2. x 2 V ! rk(V ) 2 V 3.  V \ ON = rk(V ) but the containment is, in general, strict: IZF` (2 = V2 \ ON) ! LEM. (take f0d'g  f0g so f0d'g 2 V2 \ ON but if f0d'g 2 2 then = 0 or 1 and we can decide '!) This makes development of an analogue to Godel's L not so straightforward. This property ( = V [ ON) is usually a key part of proving that the constructible sets L are a model of the Axiom of Constructibility (see e.g. Kunen's [64], or Devlin's [22]). However, recently, R. Lubarsky has shown that V = L in intuitionistic L [72]. T 4. rk(x) = f : x 2 V +1 g

Exercise: IZF6` 8 2 ON(0 2 +1) (trivial if you use counterexamples above, but where does the induction argument break down?) De nition 2.19 A well-founded relation on a set A is a binary relation that is inductive on A, i.e., 8X  A[8x 2 A((8y < x)y 2 X ! x 2 X) ! A  X] 14

The following facts are easily established using arguments like those just given for 2.  The existence of < -minimal elements for well-founded order relations < gives LEM.  A well-founded < -relation has no in nite descending chains.  There is a unique rank function < , such that for each x in A [ < (x) = f< (y)+ jy < xg The rank of any ; ?g is complete. (Its completeness implies the schema :P _ ::P , but is not quite as strong an assertion as the full scheme of the excluded middle LEM. See e.g. [30] pp. 313-314).

5.2 Logic in a cHa, -sets

Let K be a Kripke model over some language. A natural topology on K is given by taking all upwards closed sets

O(K) = fS  K : 8x 2 S 8y 2 K y  x ! y 2 S g: The monotonicity property of Kripke models guarantees that for any sentence , the set [  ] = fp 2 K : p g is an open set in this topology.  is true in K i it is forced at all nodes, i.e. i [  ] = K. Sentences forced only at some nodes, will have [  ] a proper subset of K. Thus the cHa O(K) is an object of truth values for the model, with the maximal set K playing the role of >. It is easily checked, for example, that [A ^ B ] = [A ] \ [B ] [A _ B ] = [A ] [ [B ] [A ! B ] = [A ] ) [B ]: S If K has a growing domain, elements d 2 D  K D(p) will have a \degree of existence" or extent given by Ed = fp 2 K : d 2 D(p)g. The reader can think of this example as motivating the following de nition.17

(34) (35) (36)

-set Semantics

De nition 5.4 Let be a cHa. An -set A = hA; ; [  =  ] i consists of a set A together with a cHa-valued partial equivalence relation [ ] : A  A ! (whose action is usually denoted [ x = y ] ) satisfying symmetry and transitivity: [x = y ] = [y = x ]

[x = y ] ^ [y = z ]  [x = z ]:

and

17 This de nition, in the case of topological cHa's, predates Kripke's semantics by more than a decade. It was proposed by Tarski and McKinsey's in the 1940's [82, 21]

35

It will be convenient to de ne the extent of a member a of A to be [ a = a]] and a singleton to be a map s : A ! satisfying

s(a) ^ [ a = b ]  s(b)

and

s(a) ^ s(b)  [ a = b ] :

There is a natural induced notion of weak equality, or equivalence [ a  b ] de ned by (Ea ^ Eb) ) [ a = b]].

We now show how to interpret rst order logic in an set. We consider models over arbitrary languages and then consider the case of IZF. First some preliminaries. Let V be a set of variables and A the set of atomic formulas over L . De nition 5.5 If D is a set, a function  : V ! D is called a D-environment. The set of D-environments will be denoted ED . Let hA; h = iii be an -set. Then an n-ary -relation R is a mapping satisfying

R : D   D !

^

hai = bii ^ R(a1 ; : : : ; an)  R(b1; : : : ; bn) ^ R(a1 ; : : : ; an)  hai = aii A n-ary -function f : M ! N from an set M to another N is an n-ary function on the underlying sets satisfying, for every a in M

hFa = Fai ^ ha = bi  hFa = Fbi and hFa = Fai  ha = ai An function is total if the last inequality is replaced by equality.

Now we de ne interpretations. Fix a language L , and once again, let hA; h = iii be an -set. De nition 5.6 An -Interpretation D = hD; ; [ : ] ; i for the language L consists of a set D, a D-environment  and a meaning function [ : ]  which assigns an -relation [ R]] to each relation symbol R in L , and an (n-ary) -function [ F ] from D to D for each (n-ary) function symbol F in L (in particular it assigns values [ c ] 2 D to constant symbols c). An -interpretation is called total if it assigns only total functions to function symbols in the language. An -interpretation assigns values [ t ]  in D for every open term t over the language L and truth values [ A ]  2 as follows:

terms:

 [ c ] for constants c  [ c ]  def  (x) for variables x  [ x ]  def  [ F ] ( [ t1 ]  ; : : : ; [ t n ]  )  [ F(t1; : : : ; tn) ]  def formulas: For atomic formulas we have  [ R]]( [ t1 ]  ; : : : ; [ tn ]  )  [ R(t1; : : : ; tn ) ]  def  h [ t1 ]  = [ t2 ] i  [ t1 = t2 ]  def

36

For nonatomic formulas: (37) (38) (39) (40) (41)

[A ^ B ] [A _ B ] [A ! B ] [ (9x)A(x)]]

[ A ] ^ [ B ]  [ A ] _ [ B ]  [A ] ) [B ] _ [ A(x)]][x=d] d2D ^ [ (8x)A(x)]] = [ A(x)]][x=d] = = = =

d2D

where, if  is an environment, d 2 D and x 2 V , we de ne the environment [x=d] by  x [x=d](y) = d(y) ifif yy 6 x We say a sentence A is true in the -interpretation D D j= A if [ A ]  = >. A formula A is valid if for every interpretation D we have D j= A. We write this j= A. If ? is a set of sentences, we write ? j= A if for every -interpretation in which all sentences in ? are true A is also true. Theorem 5.7 (Soundness and Completeness) ? ` A i ? j= A. The proof of soundness is is a straightforward induction. One can prove completeness (in a classical metatheory) by showing that each Kripke model gives rise to an elementarily equivalent O(K)-interpretation, where O(K) is the topology discussed at the beginning of section (5.2), and using the completeness of Kripke semantics. Completeness can also be established directly by building a Lindenbaum algebra for a given theory (which is a Heyting algebra with some in nite suprema and in ma but not all), and then embedding it in a cHa in a way that preserves all meets and joins. We refer the reader to e.g. chapter 13 of [114] for details.

-set semantics for set theory As with models for classical set theory, we can extend the notion of -interpretation to proper class domains (i.e. predicates) D  V ( ). As with the class-models V (!) and V (P) we de ned for realizability and Kripke forcing, we will write d 2 D to mean D(d) and think of the \extension" of D as a domain of interpretation. De nition 5.8 Let be a cHa. We now de ne the -hierarchy of ranked universes V ( ) and W( ) for each ordinal . [ W( ) def  (42) V ( ) (43) (44)

def

2

V ( )  ff : W( ) ! g [ V ( ) def  V ( ) 2ON

Observe that the last line de nes the formula V ( )(x) to be (9y)(ON(y) ^ V ( )y (x)) where V ( ) is de ned by trans nite induction in IZF. 37

Truth in V ( ) We now de ne by simultaneous induction an interpretation [  ] mapping atomic formulas to . Let b; a 2 V ( ). (45) (46)

_ [ b 2 a ] def  f [ b = x ] ^ a(x) : x 2 dom(a)g ^ [ b = a ] def  f [ x 2 b]] $ [ x 2 a]] : x 2 dom(a) [ dom(b)g

Sentences are now interpreted as with ordinary -interpretations (37-41). (47) (48) (49) (50) (51)

[A ^ B ] [A _ B ] [A ! B ] [ (9x)A(x) ] [ (8x)A(x) ]

= = = = =

[A ]^[B ] [A ]_[B ] [A ] ) [B ] _ f [ A(d)]] : d 2 V ( )g ^ f [ A(d)]] : d 2 V ( )g

Note that this de nition is formalizable in IZF: by the axiom of separation f [ A(d)]] : d 2 V ( )g i.e. fx 2 : 9d V ( )(d) ^ x = [ A(d)]]g is a subset of . Since is a cHa, this subset has a supremum and an in mum in .

De nition 5.9 Given a cHa , and a closed formula ' in the language of IZF, we say the formula is true in the -set interpretation, and write V ( ) j= ' i >  [ ' ] . We write j= ' to mean ' is true in every -set interpretation. The following theorem can be established within IZF as a metatheory, along the lines of the soundness proof in section (4). Theorem 5.10 Let ' be a closed formula in the language of IZF. Then IZF ` '

) j= '

Scott-presheaves De nition 5.11 Let be a cHa. A Scott- -presheaf A is a triple hA; E; i consisting of a set A, and maps of extent E : A ! (whose action on a member a of A is written Ea), and of restriction : A  ! A satisfying, for all a 2 A and all p; q 2 . 1. a  Ea = a. 2. (a  p)  q = a  (p ^ q) 3. E(a  p) = Ea ^ p. We de ne equality on Scott-presheaves as follows:

_ [ a = b ] = fp : p  Ea ^ Eb & a  p = b  pg

Lemma 5.12 Scott-presheaves (with the induced equality de ned above) are -sets, and are partially ordered by the relation

a  b def  a = b  Ea: 38

proof: Exercise (or see [30]). With the induced partial order just de ned, we can speak of joins of subsets of a Scott presheaf. De nition 5.13 A Scott presheaf A is separated if whenever a subset B of A has a join its is unique. An -set A is separated if for every a; b 2 A [a  b ] = >

)

a = b:

The reader can check that a presheaf is separated if and only of it is separated as an -set.

5.3 Presheaves, Sheaves and Topoi

In the remainder of this article we assume some elementary familiarity with category theory, in particular, the de nitions of functors, adjoints, (co-) products, pullbacks, (co-) equalizers, limits, natural transformations, equivalence of categories, along the lines of, e.g. the rst 25 pages of [65], or chapter 1 of [74]. We use the notation Ar(A ) for the collection of arrows (or morphisms) of a category, j A j for its collection of objects. The opposite category of A is denoted A o . The notation - will be reserved for monic arrows and -- for epics. We denote the Hom-set of arrows in a category C from A to B by C (A; B). We also use the terminology \x is a generalized element of A" if x is an arrow from some object C to A, and will sometimes write this x 2C A. We will also call x \an element of A at stage C". All categories are assumed locally small: the class of arrows from one object to another is a set. We begin with some de nitions and facts that will prove useful. We refer the reader to the cited references for proofs.

De nition 5.14 A category is said to be small if the class of arrows in the category is a set. If A and B are categories, the functor category A B has as objects the functors from A to B , and as morphisms natural transformations. If C is a category and A an object, then the slice category C =A has as objects the arrows p- A in C targeted at A. A morphism between two objects pA and q- A is an arrow  of C making the resulting diagram commute:

@@ ? ? ?q p@@ ? @R ? 

A

When C is the category Set , we can think of an object X f- A in the slice category as an A-indexed family fXa : a 2 Ag where Xa = f ?1 (a). Morphisms are just maps which preserve A-indexing. Thus, up to isomorphism, objects in this category can be thought of as functors from A viewed as a category, the discrete category ( whose objects are members of A and whose morphisms are just the identities a - a) to Set . This observation can be made precise as follows. Lemma 5.15 There is an equivalence of categories Set A = Set =A. o Set -valued functor categories Set A (and their duals Set A ) constitute an extremely important class of examples. In particular when A is a monoid (a category with only one object), a group (a monoid in which every arrow is an iso) or even an arbitrary small category, Set A is called the category of monoid actions, group-actions, or, respectively, of (right) A -sets (see [31]). These 39

are sets X endowed with an index operator  : X !j A j, and a partial binary operation from X and Ar(A ) to X, indicated by juxtaposition xa, de ned whenever the index x of x is equal to the source of a and satisfying (xa)b = x(ab).

Lemma 5.16 The category of left (resp. right) A -sets is equivalent to Set A o (resp. Set A ). Given an object X in a category C , we recall that the operations A 7! C (X; A) and A 7! C (A; X) de ne the covariant and contravariant Hom-functors from C to Set , whose actions on arrows are given by composition. Given (A f- A0) in C , the morphism C (X; f) : C (X; A) ! C (X; A0 ) takes X  - A to X f - A0. C ( ; X) acts contravariantly by right-composition. These functors are called representable . The object X is called the representative of C ( ; X) (and its dual).

Lemma 5.17 (Yoneda) The embedding C ! Set C o induced by mapping an object X to the

contravariant Hom-functor represented by X is a full and faithful functor (with action on arrows given by composition). If F is a contravariant functor from C to Set then there is a bijection

Nat(C ( ; X); F)  = F(X)

given by mapping in Nat(C ( ; X); F) to (X)(IX) which is natural in both F and X .

When considering Kripke-Joyal semantics, below, we will use the fact that every natural transformation in Nat(C ( ; X); F) is the image a^ of a 2 F(X) given by a = (X)(IX). The proof is straightforward, one has to check that the given functor and bijection have the required properties. We refer the reader to [73, 31] for proofs, further discussion, and on how to make the naturality statement precise. We remark for the time being that representable functors play an important role in the categorical semantics for logic de ned below, and that the preceding lemma also tells us that every category can be fully and faithfully embedded in a Set -valued functor category (hence, cf. de nitions below, in a topos of presheaves). De nition 5.18 A presheaf F is a contravariant functor from a cHa to Set . F is called a presheaf on X if is the cHa O(X) associated with a topological space X. A morphism of presheaves  : F ! G is a natural transformation of the functors. For a given topological space X we write preSh (X) for the category of presheaves on X with presheaf morphisms. Every Scott presheaf is easily construed a presheaf and conversely. Suppose A = hA; E; i is a Scott-presheaf. De ne the contravariant functor FA : ! Set by FA (p) def  fx 2 A : p  Exg on objects and let the action on morphisms FA (p  q) = qp : FA (q) ! FA(p) be given by qp (x) = x  p. The reader can check functoriality of FA . Conversely if F is a contravariant functor from a cHa to Set then, letting G AF = F(p) E hp; xi = p hp; xi  q = hp ^ q; xi

that hAF ; E; i is a Scott-presheaf.

it is easily checked Suppose F is a presheaf. A sheaf on X is a presheaf F : O(X)op ! Set satisfying an additional glueing or compatibility property. 40

De nition 5.19 Let F be a presheaf on X . Let U be an open subset of X , and suppose fVi : i 2 I g is a family of open subsets of U such that [ U  Vi Such a family is called an open cover of U . Since F is a contravariant functor, we have, for each pair of open sets U  V a restriction map

VU def  F(U ,! V ) : F(V ) ! F(U) satisfying UW  VU = VW . Now suppose that S = fsi : i 2 I g satis es si 2 F(Ui ) for all i. We call S a family of sections. We call S compatible if for every pair of members si ; sj in S we have UUii \Uj (si ) = UUji \Uj (sj ): (52) F is called a sheaf on X if given any open set U  X , any open cover of U and compatible family of sections S there is a section s in F(U) of which each member in S is a restriction, that is to say, for each Ui in the cover and si in S si = UUi s The sheaves on a space X form a category with natural transformations as morphisms, which we denote Sh (X ). A slight generalization of this de nition will help make the link with Kripke models precise. De nition 5.20 Let K be a partial order viewed as a category. Then a K -presheaf is a functor from K to Set , whose action on morphisms p  q is is called restriction or transition qp : K(p) ! K(q). A K -sheaf is a presheaf satisfying the glueing condition de ned above: for any subset S  K and V any compatible family of sections fsp : p 2 S g with sp 2 K(p) for every p 2 S and each q  S there is a unique c 2 K(q) such that for each p 2 S we have sp = pq (c). It is straightforward to show that P-sheaves are Kripke models with transition maps qp : K(p) ! K(q) from the domain at node p to that at node q (see e.g. [114] for a discussion). Sheaves can be de ned over an arbitrary category endowed with a Grothendieck topology, also called a site . This yields a generalization of Beth semantics, or of classical Cohen forcing, and plays an important role in the application of topos theory to independence results in intuitionistic and classical ZF. The details are beyond the scope of this treatment. We refer the reader to e.g. [111, 54, 31, 65] for further discussions of these notions.

De nition 5.21 We say a category is nitely complete if it has nite products, a terminal object 1, (the limit of the empty diagram) and equalizers. It is nitely co-complete if the opposite category is complete, i.e. if it has an initial object, coproducts and coequalizers. A category C is said to have exponents if for each pair of objects A; B there is an object B A (also written [A ) B]) and an arrow evA;B : B A  A ! B which represents the Hom-set C (A; B) in the sense that, for any object C there is a unique arrow A f , called the transpose of f making the following diagram commute. B A  APP

6 PPPevPP qP B A f  IA  1       f CA

41

Equivalently, there is a bijection

C (A  B; C)  C (A; C B ) natural in A; B and C , that is to say,  B and B are adjoints. If f : A ! B then the transpose of f1 : 1  A ! B is often written d f e : 1 ! B A and called the name of f . A category with nite products and exponents is called cartesian closed. The de nition of nitely complete is equivalent to the assertion that the category C has all nite limits.

De nition 5.22 A topos is a nitely complete category with exponents and a subobject classi er, that is to say, an object and a morphism >:1!

often called \true", such that for every object A and subobject B m- A there is a morphism m making the following diagram a pullback

B !B

m

-A

m

- ?

?

1

> m is called the classi er or characteristic morphism of m. The subobject B m- A is said to be classi ed by m , and is also referred to by some authors [65] as its kernel. De nition 5.23 (Power objects and epsilon) If A is an object in a topos E , then A is called the the power object of A (and often written PA). We the de ne the 2A -relation to be the objects classi ed by the evaluation map composed with the twist:

A  A x- A  A ev- A:

The object classi ed by ev is called epsilo (Freyd) and written 3A .

A relation UC u- B  C is called universal (for C) if every relation R r- A  C with range C factors through a morphism A f- B and UC , that is to say, for some morphism f the following is a pullback - UC R r

?

AC

u

? B C f I C

Freyd and Scedrov give the following nice characterization of power objects and 3 \from basics" and use it as a starting point for de ning topoi. Lemma 5.24 A cartesian category is a topos i each object C has a universal relation UC u- B  C in which case u is the 3C relation, and the domain B is the power object C . 42

We conclude our general discussion of topoi with a few more important results.

Lemma 5.25 In a topos every arrow A

- B has an image Im(f): a minimal subobject of

f

B through which f factors, and a factorization

eIm(f) m- B A -

with e epic and m monic (called an epi-mono factorization). The factorization is unique up to isomorphism.

Lemma 5.26 (Kock, Mikkelsen) Every topos is nitely co-complete. We refer the reader to [65] for a simple proof that makes use of the internal logic. Up to now, the only topos we have seen is Set . There are many others. Lemma 5.27 For any topological space X , preSh (X) and Sh (X), the categories of presheaves and sheaves on X , are topoi. A topos is said to be spatial if it is Sh (X) for some X. Not every topos is spatial (e.g. the e ective topos, below). Lemma 5.28 In a topos, the set Sub(A) of subobjects of an object A, forms a cHa. The following result, due to Freyd, allows us to uniformly extend the notion of quanti cation, as understood in Set , to topoi, in a very general way. Lemma 5.29 (Fundamental lemma of topos theory) Every slice E =A of a topos is a topos, and the canonical functor  : E ! E =A preserves nite limits and power objects. Thus, in particular, the functor

f # : E =B ! E =A

(induced by the arrow A f- B in E by pulling back) has a right adjoint.

The import of this lemma for interpreting quanti cation is discussed below.

5.4 Logic in a Topos: three views

With this machinery, we are able to interpret set-theoretic logic formalisms in a topos in several related ways that extend their conventional meaning in the category of sets, or in some of the categories we have seen, to arbitrary topoi. The rst two interpret a typed language (with bounded quanti cation and sorts) which has been dubbed by some authors [11] local set theory . The third interprets type-free IZF, and is a straightforward generalization of the set semantics of the preceding section. We brie y motivate the de nitions with a look at how logic and the basic set-theoretic notions are captured in some familiar categories. Let us denote by c the classical object of truth-values f?; >g that is to say the subobject classi er in Set . Then we recall that classical Boolean propositional operators  : c ! c  c are given by:  ^z = > () z 2 fh>; >ig:  ) z = > () z 2 fh>; >i; h?; ?i; h?; >ig: If we think of logical predicates p, q as maps from some domain A to c, and hp; qi : c  c ! c the canonical product map a 7?! hp(a); q(a)i, then p ^ q and p ) q are equal as functions to ^hp; qi and ) hp; qi. Also observe that the object classi ed by ) (i.e. the subset it maps to >) is precisely the  relation on c . We would like to de ne this relation in a way that does not 43

make reference to elements of c , so as to use it in an arbitrary topos. A simple characterization is suggested by the fact that = fhx; yi 2 c  c : x = x ^ yg i.e.  is the largest subset of c  c on which left projection and conjunction agree, hence the equalizer of the corresponding arrows. Observe that bounded universal quanti cation maps an open formula p de ned on some domain B  A to a new formula 8x2A p : B ! c . Its action can be captured algebraically by de ning 8A : c A ! c to be the characteristic function of the singleton set fAg 2 }(A), and observing that 8A   B p : B ! c is the characteristic function of fb 2 B : fa 2 A : p(b; a)g = Ag, that is to say, it is precisely the predicate 8x2A p(x; y) (where y ranges over B).

Logical Connectives as Adjoints There is another perspective on the interpretation of logic

in a topos, due to Lawvere, which is of independent interest because it generalizes to categories with less than the full structure of a topos and has played a fundamental role in categorical formulation of type theory and of realizability-style semantics. We have already seen how ^ and ! can be viewed as adjoints in a cHa (this adjunction is expressed in (33)). We can do the same for universal and existential quanti cation in a topos. Let p be a predicate on B  A, i.e. a member of cBA . As we remarked before, quanti cation over A is a map from c BA ! c B . We can view it as an operation induced by the projection  : B  A ! B, as follows. In the foregoing discussion in Set we identify the set of characteristic functions c X with the power set }(X). Let } be the contravariant power set functor from Set to itself mapping sets to their power sets, and functions f from X to Y to the map f  : }(Y ) ! }(X) given by Z - f ?1 (Z). Then its action on  gives rise to a map  : }(B) ! }(B  A) which is a covariant functor if we view power sets as categories (with objects the members of the power set and morphisms given by inclusions). The reader can easily check that 8A : }(B  A) ! }(B) as de ned above, or, equivalently, by 8A (Z) = fb 2 B : 8a 2 A hb; ai 2 Z g is a right adjoint to  . A left adjoint also exists: 9A : }(B  A) ! B given by 9A (Z) = fb 2 B : 9a 2 A hb; ai 2 Z g: The interest of this construction it that it can be generalized considerably. First, we can replace  by any function f : X ! Y and de ne quanti cation along f by adjunction to the induced functor. Theorem 5.30 If X f- Y is an arrow in any topos E , the induced functor on power objects f  : Y ! X has left and right adjoints: 9f a f  a 8 f : The construction \mimics" the de nitions of quanti cation given above. The de nition of the right adjoint is given below, in the discussion of the Mitchell-Benabou language. The construction of 9f is also straightforward. See e.g. [74] for details. We will also make use of the following property which holds in any topos. 44

Lemma 5.31 (Beck-Chevalley conditions) If q is a subobject of D in a topos E and the diagram on the left is a pullback then the one on the right commutes g g B A

A

m

?

C

as does the dual diagram for 8f .

f

-B



q

9m

- D?

-

9p

?C

f

?

D

The 9-condition is sometimes called \Frobenius reciprocity".

Corollary 5.32 If B m- C is a subobject in a topos, then B 9m- C is monic. proof: Apply the Beck-condition lemma to the pullback diagram Bw ===== B w w w m w ? B -C m and observe that m  9m = I B . Instead of carrying these constructions out with the power-set functor in a topos, we can take any category with pullbacks, and let f  be the so-called change of base functor on the slice categories C =Y ! C =X given by pulling back along any f : X ! Y

-A

f # (A) f # ( )



? f - ? Y X When they exist, the corresponding adjoints f a f # a f : constitute a pair of generalized quanti ers in the category. f will always exist if C has pullbacks. The existence of f is guaranteed if C is LCC, or locally cartesian closed: every slice is cartesian closed. By the fundamental lemma (5.29) every topos is LCC, and admits this interpretation of quanti ers. But so do other categories. This adjoint situation is the starting point for the so-called hyperdoctrine formulation of logic over an indexed category, used for interpreting dependent type theories, and further discussed below in section (5.5). Connectives in an arbitrary topos By analogy with the preceding discussion in Set , we can de ne the logical connectives ^; !; 8A as classifying arrows on suitable domains. De nition 5.33 Let E be a topos and its subobject classi er. 45

-  .   ^- is the classi er of 1 h>;>i   )- is the classi er of < -  where  def 

equalizer( 

^-

- ):

0

d e  A 8A- is the classi er of the name 1 >A- A of the arrow >A  A

- 1 >- .

!A

The reader should compare these de nitions with the characterizations of logical connectives in Set , above. In particular, 8A is de ned in essentially the same way: it is the classi er of the arrow that \names" the subobject fAg of the power set A .

5.4.1 The Mitchell-Benabou Language Let E be a topos. We de ne the internal Mitchell-Benabou language of E to be given by the

following types and terms : types There is type A for each object A of E (we identify the two classes notationally from here on). Thus, the class of types includes, amongst many others, 0 and 1 (initial and terminal object), , and for each pair of types A and B, the types A  B, B A .

terms

 For each type A, variables of type A: x; y; z : : : We indicate type membership by

writing x: A (and distinguish terms from morphisms by displaying source-target information with a labeled arrow for the latter).  ~ : 1 and > :

 if a: A and b: B then ha; bi : A  B. We can express this as the familiar rule a:A b:B ha; bi : A  B



t : A u : BA u(t) : B

 For each arrow A - B in E and each term t : A there is a term   t : B.  For each arrow X A - B in E and each variable x : A there is a term x: A: : B A ,

in which x is a bound variable. In addition there are certain terms of type called predicates or formulas .

formulas  

t : A t0 : A t = t0 :

t : A u : A t2u:

46

 If p and q are formulas then so are p ^ q; p _ q; p ) q; :p. If p is a formula with the variable x free, and if A is a type, then 8x2A p; 9x2A p are formulas, with the variable

x bound. We will also speak about the term fx : p(x)g : A for x a variable of type A and p a formula with x free in p.18 All terms t(x1; : : : ; xn) : B with free variables among the x1; : : : ; xn of ] B where types A1 ; : : : ; An, respectively, have an interpretation [ t ] in E as arrows A [ t A = A1     An , as follows:

   

If x is a variable of type A then [ x ] is A IA- A.

b] A  B. If U [ a-] A and V [ b-] B then [ ha; bi ] is U  V [ a ]  [-

] ] If A [ tB and B - C then [   t ] is just the composition A [ tB - C.

] If T [ tA and U [ u-] B A then [ u(t)]] is

U  T [ t ]  [ u-] A  B A ev- B

 For (x: A:) : B A as above [ x: A: ] is the transpose (see def. 5.21) X

- BA.

A 

Atomic formulas (with the types and constituents given above) have the following interpretation, [ t] [ t0] for U A; V A and V [ u-] A :

(53) [ t = t0 ] is U  V [ t ]  [ t-] A  A - A x

(54) [ t 2 u]] is U  V [ t ]  [ u-] A  A evwhere x is the twist map h1 ; 0i : A  A - A  A. If p and q have the interpretation A [ p-] and B [ q-] , compound formulas are interpreted as follows. 0

(55) (56)

q]

 ^-

[ p ^ q ] is A  B [ p ]  [ q] [ p ) q ] is A  B [ p ]  [  )-

If B  A [ p-] then [ 8x2A p]] is

B [ p-] A 8A- : where, we recall that [ p ] is the transpose (see 5.21) of [ p ] . The remaining formulas can be viewed as derived expressions via the standard \second-order" coding (57) ? def  8t2 t def (58) :p  p )? (59) p _ q def  8t2 (((p ) t) ^ (q ) t)) ) t) (60) 9x2A p(x) def  8t2 (8x2A (p(x) ) t) ) t) or via the corresponding compositions : [ p ] ; _ ( [ p ]  [ q ] ); and 9A  (A p) along the lines just given using the corresponding HA-operations of the subobject lattice (see e.g. [55, 74, 65, 38, 81] for further discussion).

18 Many authors (e.g. [55, 65]) call this a term of type A . See the comments following the de nition of its interpretation.

47

If p(x) is a formula with a free variable of type A then [ fx : p(x)g ] is the subobject of A classi ed by p: We warn the reader that many authors de ne fx : p(x)g in such a way that its meaning in a topos E is the name of the arrow [ fx : p(x)g ] we have de ned above, and hence a (unique) member of 1 - A . However, we prefer to follow the convention of e.g. [74] in keeping the meaning of fx : pg as close to its \familiar" set-theoretic meaning as a subobject of the domain of [ p ] . But it is unique only up to isomorphism, and best thought of as an equivalence class of subobjects. In Set we are able to select a preferred representative of the class of subobjects of a set A isomorphic to some B - A, namely the one that is mapped to A by inclusion . But not all topoi admit a notion of canonical subobject making this possible (see [65, 31, 28] for a discussion of canonical objects in categories ).

Generalized elements and substitution In Set there is a one to one correspondence between members of an object A and the set of arrows 1 a- A, called the global elements of A. In a topos, it might seem that these arrows are reasonable candidates for capturing the notion of \element" categorically. We then think of a composition 1 a- A f- B as analogous to the set-theoretic \f of a". But a weak point in the analogy is that the behavior of f on global elements does not determine f in an arbitrary topos: the following diagram may commute for every global element a 1

- A fg-- B

a

without f = g. (A topos in which global elements suce to determine equality of arrows is called well-pointed ). It is therefore necessary to consider generalized elements C a- A as well. Following this analogy, any arrow A f- B can be thought of as de ning a function with an indeterminate argument x of type A and the composition C a- A f- B as substitution f[a=x]. We will also call a formula p with interpretation A [ p-] a formula on A. 19

Truth in a topos Now we can de ne what it means for a formula in the internal language of a topos E to be true in E (or true \in the internal logic of E "). De nition 5.34 Let p be a formula, with interpretation A [ p-]

classifying the object P - A. Then we say that p is true in E , and write E j= p if [ p ] factors through \true", i.e. if the following diagram commutes. A ========= A !A

?

1

[p ]

>

- ?

19 For a categorical treatment of variables in terms that captures more of their \true role" in logic, the reader should consult [65], who de ne polynomial categories C [x] in an indeterminate arrow, in an analogous manner to e.g. polynomial rings.

48

Equivalently, [ p ] = >!A. Notice that if this holds, there must be a unique map A - P through which IA factors, which asserts, in topos terms, that \the subobject of A on which p holds is A itself".

5.4.2 Kripke-Beth-Joyal Semantics

A look at the diagram in def. (5.34) suggests that the de nition of truth in E can be localized, much in the spirit of Kripke semantics, by replacing A in the upper left corner by one of its subobjects.

De nition 5.35 Suppose p(x) is a formula as above and C a- A is a generalized element of A (i.e. an arrow with target A) in a topos E . Then we de ne the forcing relation in E by (61) C p[a=x] i [ p ]  a = >!C : Note that since fx 2 A : p(x)g is the pullback of (> along) [ p ] , the above condition is equivalent to saying that C a- A factors through fx 2 A : p(x)g. It also follows immediately that a formula (with interpretation given above) is true in E i it is forced by every every generalized IA A. element C a- A i it is forced by the \generic element" A ==== One can now show that the forcing relation behaves much like Beth or Kripke forcing. Lemma 5.36 Suppose p is a formula, with interpretation A [ p-]

in E and let C a- A be an arrow in E . monotonicity If D c- C and C p[a=x] then D p[ac=x].

covering If D -c- C is epic and D p[ac=x] then C p[a=x]. We also have: C p[a=x] i E j= 8y2C p[ay=x].

Theorem 5.37 Suppose C

- A is a generalized element of A and p and q are formulas (on

a

A) with a free variable x. Then

^: C p[a=x] ^ q[a=x] i C p[a=x] and C q[a=x] --] C _: C p[a=x] _ q[a=x] i there are arrows u : U ! C and v : V ! C such that U + V [u;v and C p[au=x] and C q[av=x]. ) : C p[a=x] ) q[a=x] i for every D c- C whenever D p[ac=x] then D q[ac=x]. :: C :p[a=x] i for every D c- C whenever D p[ac=x] then D = 0. Suppose p is a formula with free variables x of type A and y of type B , with interpretation A  B [ p-] . Then

9B : C 9y2B p[a=x] i there is an epic D -c- C and a generalized element D that D p[ac=x; d=y]. 8B : C 8y2B p[a=x] i for every D c- C and every generalized element D p[ac=x; d=y].

49

- B such

d

- B, D

d

proof: (See e.g. [74, 65], whose development we follow for the remaining discussion of KripkeJoyal semantics). If instead of considering an arbitrary topos one considers a topos of presheaves or sheaves, the forcing clauses become quite a bit simpler. For example, consider the case E = Set C . Then objects (hence \nodes" forcing sentences) are functors F : C ! Set . But one can show that it suces to restrict attention in Kripke-Joyal semantics to a generating set of objects.

De nition 5.38 A class C of objects in a category E is said to generate E if every pair of arrows in E A

f g

-- B

are equal if and only if for every C 2 C and every C x- A we have fx = gx. In other words, equality is determined by actions on generalized elements from C .

Thus, in a well-pointed Topos, f1g generates. It is easily shown that generalized elements from a generating class of objects determine truth in E . Lemma 5.39 Let p(x) be a formula with interpretation A [ p-] , and suppose C generates E . Then p is true in E i for every C 2 C and C a- A we have C p[a=x].

The proof is immediate: if p is forced on a generating set, then [ p ]  a = >!C for any C a- A with C in C . But then for all such a, [ p ]  a = >!A  a hence [ p ] = >!A which is the de nition of p true in E . In a presheaf topos, the representable functors E (C; ) form a generating set, for if two arrows ;  : F ! G in E = Set C disagree then for some object A of C and some element a 2 F(A) they must di er: (A)(a) 6= (A)(a). By the Yoneda lemma (5.17) there is a natural transformation a^ : C (A; ) ! F such that a^(A)(IA) = F(IA)(a) = a, so (A)(a) = (A)(^a(A)(IA)) = (  a^)(A)(IA) so   a^ and   a^ disagree, with the source of a^ representable. We now apply Yoneda again to note that for each representable functor C (C; ) and each generalized element  : C (C; ) ! F in E , there is a unique representative a 2 F(C) such that  = a^ with a^ satisfying ^a(C)(IC) as in the preceding paragraph. Thus we can think of the \nodes" of the associated Kripke-Joyal interpretation as objects C of C and generalized elements as images C (C; ) a^- F of members a 2 F(C). With this revised notation, some of the clauses become much simpler.

Lemma 5.40 Let E be the topos Set C , and the Kripke-Joyal forcing relation for E . ^: C p[^a=x] ^ q[^a=x] i C p[^a=x] and C q[^a=x] _: C p[^a=x] _ q[^a=x] i C p[^a=x] or C q[^a=x] ) : C p[^a=x] ) q[^a=x] i for every C k- D whenever C p[^a[k]=x] then C q[^a[k]=x], where [k] is the induced C (k; ) : C (D; ) ! C (C; ). Suppose p is a formula with free variables x of type A and y of type B , with interpretation A  B [ p-] . Then ^ 9B : C 9y2B p[^a=x] i there is a generalized element C (C; ) b- G such that C p[^a=x; ^b=y].

50

The simpli ed existence and disjunction clauses follow from the fact that each representable functor in Set C is an indecomposable projective . An object C in a category is indecomposable if whenever it is the target of an epic arrow A + B [h;k-] C with [h; k] the canonical co-product map induced by a pair of maps from A and B into C, one eof A h- C, B k- C is epic. It is projective if every epic D C has a splitting, i.e. a left inverse C f- D with f  e = ID. (A simple example of an indecomposable is the open set p " fq : q  pg in the topology O(K) of upward closed subsets of a Kripke model. Such an open set is generated by a \point" p 2 K and has the property p " O1 [ O2 ) p " O1 or p " O2 , which is not satis ed by an arbitrary open U in place of p ". If the reader translates this condition to the opposite category O(K)o , it gives the indecomposability of p "). In case C is just a partial order viewed as a category, the Kripke-Joyal clauses reduce essentially to ordinary Kripke semantics (for local set theory) We refer the reader to [65] for details.

5.4.3 The Fourman-Hayashi interpretation of IZF

We now de ne a topos-theoretic semantics for IZF which extends the forcing and -set semantics that were developed in earlier sections. We interpret the untyped, global, rst order language of set theory, with unbounded quanti cation, by means of the same sort of ordinal induction over ranked universes we used before. This interpretation was developed by Fourman (who applied it to Fraenkel-Mostowski permutation models in [29]) and (in an essentially equivalent way) independently by Hayashi [45]. It was further developed by Scedrov in [99] to obtain a number of independence results. We sketch Fourman's development of IZF (without urelements) in a complete and co-complete topos. Here complete means that all set-indexed diagrams have limits. The problem one must address in adapting earlier type-free set theoretic interpretations is the absence of any immediately obvious analogue in an arbitrary topos of the ordinal hierarchies we have used in Set . That is to say, we must construct a model \V (E )" of IZF in a topos, which consists of ranked objects V (E ) together with maps V (E )  - V (E ) whenever  . Each such V (E ) is itself a co-limit of the preceding ones. This is why such strong completeness conditions are required. As it turns out, such topoi are not hard to nd: every presheaf and sheaf topos is complete and co-complete and is also locally complete : for any object A each hom-set E (A; ) is a cHa. A proof of these facts (Giraud's theorem) can be found in e.g. [55, 31]. De nition 5.41 For each ordinal de ne (62)

W(E ) def  lim V (E ) 2

V (E ) def  W (E ) V (E ) def  the full subcategory of E containing the objects W(E ) ; V (E ) : We henceforth refer to these objects as W ; V . Note that in particular W0 is the co-limit of the empty diagram, which is 0. Strictly speaking, the colimit W de ned above is of a diagram consisting of all lower V together with the (monic) arrows

V - V : (65) for  , satisfying (66)     =   : (63) (64)

51

We denote by e the evaluation map V  W

- :

To show that our construction of the V is well-de ned, we must show, by induction, that monics (65) satisfying (66) exist. So we assume that they do for all pairs of ordinals   below and show that they do for the pair ; , where  . Observe that there is a natural monic  : W ! W for  (since W is the colimit of the subdiagram of V below , we obtain the embedding as a unique map commuting with all 

0 between the V , which in a topos must be  monic).  induces the direct image embedding W 9 W which is the internal left adjoint   to W - W induced by the power-object functor. By corollary (5.32) if  is monic, so is 9 (in fact its right inverse is   by the proof of the same corollary). This shows, by induction, that the  exist for all comparable ordinals. The objects classi ed by the evaluation maps e give the local 2-structure on each V . We are now able to interpret ordinal-ranked formulas at each V as follows. We de ne limited formulas to be those formulas in the expanded language of set theory containing the constants V , built up with the connectives ^; ) ; _; : and bounded quanti cation 8x2V ; 9x2V . A ranking is a map # : V ars ! ON. A ranking is admissible for a formula ' if for every free occurrence of x in ' in a subformula of the form x 2 V we have #x  . We now de ne an interpretation of limited formulas [ ' ] ~x; ~ where ~x = hx1 ; : : : ; xni is the sequence of variables occurring free in ' and ~ = h 1 ; : : : ; ni the sequence of values of a '-admissible ranking # of ~x. In all cases [ ' ] ~x;~ is an arrow V a      V n -

(67) (68) (69) (70) (71)

[ x = y ] hx;yi;h ; i [ x = x ] x; [ x 2 y ] hx;yi;h ; i [ x 2 x ] x; [ x 2 V ] x;

= = = = =

V  V -

V >!V-

V  V e -

V ?-



V -

where  has the appropriate sub-and super-scripts. Logical connectives are interpreted exactly as with the Mitchell-Benabou language, as are the bounded quanti ers: [ 8x2V ' ] ~x = 8 [ x 2 V ! ' ] hx;~xi [ 9x2V ' ] ~x = 9 [ x 2 V ^ ' ] hx;~xi where some xed ranking # is assumed, and where 8 ; 9 are the quanti cations along the projection map corresponding to the variable bound by the quanti cation, e.g. V 0  V 1     V n - V 1    V n . As with the -set semantics, we de ne the interpretation of arbitrary formulas (with unbounded quanti cation) by taking suprema and in ma over the subobject lattices E (D; ) for suitable D. (72) (73)

(74) (75)

^ [ 8x']] = [ 8x2V ' ] _ [ 9x']] = [ 9x2V ' ]

Soundness of the interpretation is established in [29]. Several other interesting approaches to categorical models of IZF have appeared. Hayashi's model [45] is based on Johnstone's formalization [55] of the collection of transitive objects E tr within a topos. Hayashi shows how to build a model of IZF by taking ltered colimits of 52

local models in a Grothendieck Topos. In the case of ordinal-indexed set models, Hayashi's construction gives the -set interpretation de ned above. An interesting reformulation of this for A -sets (see discussion prior to lemma 5.16), A any category, is developed by Freyd and Scedrov [31]. A translation is provided (similar to one due to Friedman [34] also discussed in [6]) that reduces soundness for IZF to soundness for a related non-extensional theory with a much simpler semantics, which they then use to give (for the Boolean case) simple proofs of ZF-independence of Choice and the Continuum Hypothesis.

5.5 PERs and the E ective Topos

We now consider a category closely linked to the realizability interpretation, which will be used to construct the e ective topos. The category of partial equivalence relations, known as PER for short has played an interesting role recently in computer science applications, since it provides a natural model for polymorphism. An extensional subcategory of PER (ExPER) rst de ned by Freyd, Mulry, Rosolini and Scott, makes precise the denotational semantics implicit in realizability.

De nition 5.42 Let A be a partial combinatory algebra. The category of PERs over A , Per (A ) has as objects, all pairs hX; Ri such that R is a partial equivalence relation on A with domain X . A pre-morphism in Per (A ) is a term e in A satisfying, for every x; y 2 X , xRy ! exSey Morphisms [e] : hX; Ri ! hY; S i in Per (A ) are equivalence classes of pre-morphisms of A under the equivalence

 8x 2 X(exSe0 y): e  e0 def

De nition 5.43 Let A be a PCA (cf. def. 3.1). Then we de ne PA , the A -realizability pre-algebra to be the Heyting pre-algebra PA with carrier set }(A) and structure given by (76) U ^ V = fhu; vi : u 2 U & v 2 V g (77) U _ V = fh0; ui : u 2 U g [ fh1; vi : v 2 V g (78) U ) V = ft : (8u 2 U) tu # & tu 2 V g and partial order given by U  V i there is a t in U ) V (a state of a airs we sometimes t denote by U  V ). Top and bottom elements are given by A and ? respectively. The reader should compare this with the de nitions of the ; +; ) operations for Kleene realizability given in the appendix. It should be remarked that the above de nition can take place in classical or constructive set theory. Classically, P(A) is equivalent to a two element pre-algebra since for any inhabited X and any u 2 X we have x:u

A  X: Of course, in IZF, we cannot prove that every set is inhabited or not, so each model of IZF gives a di erent version of P(A). The reader may take the metatheory to be classical here if he or she so desires, however. A simple construction allows us to interpret predicate logic in a realizability pre-algebra in a straightforward manner that extends the standard realizability interpretation of quanti ers in the appendix, and is more like the McCarty realizability of quanti ers in IZF.

53

Let X be a set, H a realizability pre-algebra. Then we de ne the X-indexed pre-algebra H X to consist of all functions from X to H with logical operations de ned pointwise: (79) (80) (81)

F ^ G(x) = F(x) ^ G(x) F _ G(x) = F(x) _ G(x) F(x) ! G(x) = F(x) ! G(x)

top and bottom elements given by x:>H and x:?H respectively, and with the preorder given by \ F G i F(x) ! G(x) 6= ?: x2X

The reader should note that the pre-order on functions is not given pointwise: a single realizer must work for all x 2 X. De nition 5.44 A member F of an indexed realizability pre-algebra H X is said to be realized in H if it is uniformly realized by a term in H :

\

x2X

F(x) 6= ?:

this state of a airs is denoted by

H j= F

or H j= F(x)

with the understanding that the displayed variable is uniformly quanti ed over (by intersection). The preceding construction will in fact give us a Set -indexed family of realizability pre-

algebras H X . This yields a non-topos-theoretic example of a Lawvere hyperdoctrine, which we now discuss.

De nition 5.45 An indexed category C consists of  a base category C  a bre category C A for each object A of C  For each arrow A f- B in C a functor [f] : C B ! C A (called the \substitution functor")

satisfying 1. [IA] : C A ! C A ' (is naturally isomorphic to) the identity functor. 2. [g  f] ' [g]  [f] The two properties satis ed by [] are often called pseudofunctoriality.

De nition 5.46 (Lawvere) A hyperdoctrine is an indexed category C in which  The base category is cartesian closed.  for each arrow f in the base category, the induced functor [f] preserves cartesian structure, and has a left and right adjoints 9f a [f] a 8f

54

 These functors satisfy \Frobenius reciprocity" and the \Beck condition"(see lemma (5.31)), that is to say, for each pullback

A p

?

C

g

-B q

f

- D?

there are natural isos 9p  [g] ' [f]  9q , and 8p  [g] ' [f]  8q .

For an discussion of hyperdoctrines, reciprocity and Beck conditions we refer the reader to [105, 89, 74]. Suce it to say here that the hyperdoctrine point of view de nes (semantically) an abstract logic over a base category of types . One can think of each bre category C X as the family of abstract predicates over the type or domain X (we will use this terminology below). The local cartesian structure on the bres (which is often strengthened to include more logical operations) induces a propositional logic structure over each type. The global hyperdoctrine provides an extension to an abstract predicate logic, with quanti cation de ned by the adjoints to the \substitution operation" along each arrow in C . If the resulting abstract formulas are to behave like logical formulas, they must admit commutation of quanti cation with substitution and addition of dummy variables. These and other fundamental properties (depending on the hyperdoctrine in question) are guaranteed by the Beck conditions. For example, when applied to canonical projections X  Y p- X and X  Y f I-Y X 0  Y in lieu of g, these conditions guarantee the following logical laws, for x not free in ': 9x((x) ^ ') () 9x(x) ^ ' and 8x((x) ! ') () 8x(x) ! ' Observe that Freyd's fundamental lemma (5.29) (with a proof of the corresponding Beck conditions) and lemmas(5.30) and (5.31) give us two examples of hyperdoctrines in a topos. We now consider a more general class of hyperdoctrines which will be used to build a topos out of any applicative structure.

De nition 5.47 (Hyland, Johnstone, Pitts) A tripos is a hyperdoctrine C whose bre categories C X are Heyting pre-algebras (CX `X ) (for each object X in the base category C ) satisfying the \power object condition": for each object A of C there is an object P A and a membership predicate 2A in C AP A such that for any B in C and ' in C AB there is a morphism f : B ! P A in C satisfying [IA  f] 2A  = '. Theorem 5.48 If H = fH X g is a Set -indexed family of realizability pre-algebras, then it is a tripos, with the functor [f] : H Y ! H X corresponding to X f- Y induced by composition.

For each set A the power object will be H A , with the membership predicate just the evaluation map H A  A - H. Each H X is clearly cartesian closed as a category. For a detailed proof see [48]. Although there is a quite general theory of realizability-style topoi based on arbitrary triposes, we will con ne our attention to those generated by the Set -based realizability pre-algebras described above. The aim of the rest of the section, then, is to sketch how a model of constructive set theory can be built out of the realizability structures we have de ned, one that captures much of the behavior of the realizability interpretation we saw earlier. The reader should note the similarity between the way E H is built out of a realizability pre-algebra H and the way

-sets and -interpretations are built out of a cHa (see section (5.2)). 55

De nition 5.49 Let A be a PCA. The e ective topos over A , or E A, is the category whose objects are PA -valued PERs, that is to say, pairs hX; [   =X  ] i where X is a set and [   =X  ] PA satisfying a partial map X  X

j= [ x = y ] ! [ y = x]] j= [ x = y ] ^ [ y = z ] ! [ x = z ]   ] is symmetric and transitive. For x 2 X we In other words PA realizes the fact that [  =  x ]. X de ne Ex, the extent of x , to be [ x = ] A morphism hX;  hY; =Y i in E A is an equivalence class of PA -valued func=X i [Ftional relations, that is to say a (Set ) function F : X  Y ! PA such that F is relational PA j= F(x; y) ^ [ x  (84) = u ] ^ [y  = v ] ! F(u; v) (85) F is strict PA j= F(x; y) ! Ex ^ Ey F is single ? valued PA j= F(x; y) ^ F(x; z) ! [ y  (86) = z] [ (87) F is total PA j= Ex ! Ey ^ F(x; y) (82) (83)

PA PA

y2Y

where two functional relations F; G are equivalent if PA

j= F(x; y) = G(x; y)

One must now show that E A is a category, i.e. that a composition operation can be de ned which is independent of the choice of representative of morphisms. The de nition of composition of functional relations hX; =X i F- hY; =Y i G- hZ; =Z i is given by [ (G  F)(x; z) = Ey ^ F(x; y) ^ G(y; z) y2Y

With this de nition we obtain not only that E A is a category, but much more.

Theorem 5.50 (Hyland, Johnstone, Pitts) E A is a topos. The terminal object of E A is hf0g;  =1 i where [0  =1 0 ] = jA j: Products hA;  =A i  hB;  =B i are given by hA  B;  =AB i where [ hx; yi  =AB hx0; y0 i ] = [ x  =B y0 ] =A y ] ^ [ x 0  The subobject classi er is hPA ;  = i with [U  = V ] = U ! V ^ V ! U:

We refer the reader to [48] for the details, and for a proof of a much stronger fact, namely that any category built from a tripos along the lines pursued above for realizability algebras is a topos. In said reference, and in [49, 89] it is shown that E A , and in particular E ! , are topostheoretic formulations of the realizability \universe". Those principles we saw validated in the McCarty interpretation which make sense in local set theory, are true when suitably translated in the internal logic of E A . For example the set of Kleene-realizable sentences in the rst-order language of HA (see appendix) are precisely those sentences true of the natural number object (hN;  =N i where [ n  = m ] = fx 2 fng : n = mg). Hyland shows in [49] that analysis in E ! 56

is essentially contsructive recursive analysis (see e.g. [6] for a discussion of this area). The real numbers in E ! are the recursive Cauchy sequences. Church's thesis and Brouwer's continuity principle for the reals are true in E ! . Hyland and others (Scedrov) have proposed E A as the suitable framework for carrying out recursive mathematics in the spirit of the Russian constructivist school or of the e ective algebra results of Nerode, Metakides and others. Furthermore E A and its subcategories (e.g. Modest Sets, see [89]) has o ered a framework for giving a natural constructive set-theoretic interpretation of polymorphism [91]. The constructions sketched out above are the starting point for a rich theory that has provided semantics for the ontologies of greatest interest in computer science, e.g. dependent type theories, Constructions, linear and modal logics. Both the syntax and semantical analysis of new programming languages is being shaped by these semantic frameworks. The reader is urged to consult the work in e.g. [31, 97, 96, 2, 75, 51, 49, 48, 107, 108, 71, 83, 106, 88] and others cited in the appendix, for further details. The author would like to thank Anil Nerode for introducing him to the realizability interpretation of IZF, and encouraging further study of the eld, and Peter Freyd for many insights about the e ective topos and PERs. Many thanks also to Robert Lubarsky for countless helpful discussions, and to Paul Taylor for careful reading and helpful comments, as well as his diagram macros. Thanks also to Ramesh Subrahmanyam for helpful suggestions. This work was partially supported by ONR grant 4331-001-srp-01

57

A A sketch of Kleene's 1952 realizability interpretation

A.1 Realizability for HA

We de ne realizability formulas in one free variable j'j(e) associated to each arithmetic sentence ' over the language L : j'j(e) is ' for atomic ' j:'j(e) is 8f :j'j(f) j' & j(e) is j'j(e0 ) & j j(e1 ) j' _ j(e) is [e0 = 0 & j'j(e1)] _ [e0 = 1 & j j(e1 )] j' ! j(e) is (8f)[j'j(f) ! 9uvT(e; f; u) & U(u) = v & j (v)j] j9x '(x)j(e) is j'(e1 )j(e0 ) j8x '(x)j(e) is 8n[9uv(T(e; n; u) & U(u) = v & j'(n)j(v)] where e = he0 ; e1i via the standard primitive recursive pairing and unpairing. Formally, any assertion of the form e.g. A(e0 ) is given by (9uv) (Pair(u; v; e) & A(u)), where Pair(u; v; e) is (u+v)(u+v+1) = 2(e ? v), the standard diagonal coding predicate. Alternatively, we can (conservatively) make a de nitional extension of HA, introducing the function symbols ( )0 , ( )1 and h; i for unpairing and pairing. We follow the latter convention informally and leave the formalization to the reader's taste. We will adopt the following notation, for formulas A, B in one free variable : (A  B)(x)  A(x0 ) & B(x1 ) (A + B)(x)  (x0 = 0 & A(x1 )) _ (x0 = 1 & B(x1 )) (A ) B)(x)  8n[A(n) ! 9uv(T(x; n; u) & U(u) = v & B(v)] For formulas S(x; y) in two free variables (over L) we de ne P ( S)(z)  S(z1 ; z0) Q ( S)(z)  8x[9uv(T(z; x; u) & U(u) = v & S(x; v)] which formalizes \z is a choice function on x in the collection fS(x; y)g". With this notation, we can abbreviate the de nitions of realizability formulas: j' & j  j'j  j j j' _ j  j'j + j j j' ! j  j'j ) j j and if ' is a formula with one variable free and '(x; ^ y) is the formula in two free variables given by j'(x)j(y) then P j9x'j  (Q '^) j8x'j  ( ') ^ We can similarly de ne abstract realizability for Feferman's theory APP (de ned in appendix B). De nition A.1 Let A; B be sentences over the language of APP. Then we de ne inductively the realizability formulas jAj in one free variable as follows: If A is prime jAj(x) is A & x # 58

jA & B j(x)  (jAj  jB j)(x) def  jAj(0x) & jB j(1x) jA _ B j(x)  (jAj + jB j)(x) def  N(0x) & (0x = 0 ! jAj(1x)) & (0x = 6 0 ! jB j(1x)) jA ! B j(x)  (jAj ) jB j)(x) def  8y[jAj(y) ! xy # & jB j(xy)] P def j9yA(y)j(x)  ( jAj)(x)  jA(0x)j(1x) j8yA(y)j(x)  (QjAj)(x) def  8y[(xy) # & jA(y)j(xy)] jAj(x) is usually written x r A. Note that if A is a formula in n variables over APP then the above clauses de ned an associated realizability formula in n + 1 variables.

B APP and the logic of partial terms

(There are many formulations, e.g., Troelstra{Van Dalen's E + logic ([114]), Fourman and Scott's treatment in [30] Feferman's formalism, Beeson's EON [6]). We follow the lines of Beeson's EON. A detailed formulation of abstract applicative structures within IZF is carried out in McCarty's [80]. We need: First order language  A partial binary function Ap( , ) 20  variables x1; : : :y1 ; : : :  equality =  distinguished constants s; k; 0; 1; p; d; 0  unary relation symbol # \convergence"  binary relation symbol  (here, following Beeson and others,one may take it to be de ned: t  s  t # _s #! t = s)  A unary predicate N(x) (standing for the natural number sort). Note: we need to agree on how to deal with partiality in our logic. Beeson, Troesltra-van Dalen, McCarty op.cit. take slightly di erent approaches, as does Scott in [102]. The most important point is that quanti er laws have to be modi ed to deal with partiality, e.g. we require axioms

8xA & t #! A[t=x]

A[t=x] & t #! 9xA

in lieu of the conventional laws, and strict atomic relations R(t1; :::; tn) ! t1 # &    tn # for atomic formulas R. The constants satisfy the axioms: 1. kxy = x (kx #) 2. sxy # & sxyz  xz(yz) 3. k 6= s which suce to give combinatory completeness:. 20

(Ap(f;x) is usually written fx)

59

Theorem B.1 (Curry) For each term t and variable x, one can construct a term x  t such that x  t # (x  t)x ' t (x  t)u ' t[u=x] u; t terms See e.g. Beeson or Troesltra and Van Dalen (op.cit.) for a proof. We also have the axioms:  pairing: pxy # & 0 (pxy) = x 1 (pxy) = y

 conditional:

N(a) & N(b) & a = b ! dxyab = x N(a) & N(b) & a 6= b ! dxyab = y

 natural number sort 8x(N(x) ! N(sN (x)) & pN (sN (x)) = x & sN (x) 6= 0) and

8x(N(x) & x 6= 0 ! N(pN x) & sN (pN (x)) = x);

as well as the induction schema for N

'(0) ^ 8x(N(x) ^ '(x) ! '(sN (x))) ! 8x(N(x) ! '(x)): The above system and most variants in the literature satisfy two important properties:

Theorem B.2

Recursion Theorem

9R APP ` Rf # &[g = Rf ! 8x(fx ' fgx)]

i.e., (Rf)x ' (f(Rf)x) Term Existence (APP ` 9xA(x)) ) There is a term t, such that (APP ` A(t)&t #)

References [1] Asperti, A. and Longo, G., [1991], Categories, Types and Structures , MIT. [2] Barr, M., and Wells, C.[1985], Toposes, Triples and Theories , Springer, New York. [3] Barwise, Jon, [1975], Admissible sets and structures : an approach to de nability theory , Berlin ; New York : Springer-Verlag, 1975. [4] Barwise, J; Keisler, J. eds. [1977] Handbook of Mathematical Logic , Amsterdam ; New York : North-Holland Pub. Co., 1977. [5] Beeson, M. J. [1988], \Towards a computation system based on set theory", Theoretical Computer Science 60, 1988, North-Holland. [6] Beeson, M. J. [1985a], Foundations of Constructive Mathematics, Springer-Verlag, Berlin. [7] Beeson, M. J. [1982], \Recursive models of constructive set theories", Annals of Mathematical Logic 23, 127-178.

60

[8] Beeson, M. J. [1978], \A type-free Godel interpretation", Journal of Symbolic Logic 43, 213-227. [9] Beeson, M. J. [1977], \Continuity and comprehension in intuitionistic formal systems", Paci c Journal of Mathematics,.68, 29-30. [10] Bell, J. [1985], Boolean-Valued Models and Independence Proofs in Set Theory , Clarendon Press, Oxford. [11] Bell, J. [1989] Local Set Theory and Toposes , Cambridge University Press. [12] Bunge, M. [1974], \Topos Theory and Souslin's Hypothesis", in The Journal of Pure and Applied Algebra , North-Holland. [13] Chang, C.C., and Keisler, J. [1977], Model Theory , North Holland, Amsterdam. [14] Cohen, P. J. [1966], Set Theory and the Continuum Hypothesis, W. A. Benjamin Inc., New York. [15] Cohen, P. J. [1963], \The independence of continuum hypothesis", Proceedings of the National Academy of Science, USA 50, 1143-1148. [16] Constable, R. [1985] The Semantics of Evidence , manuscript. [17] Constable, R. L. and Howe, D. J., [1990], \Implementing Metamathematics as an Approach to Automatic Theorem Proving", in Formal Techniques in Arti cial Intelligence, R. Banerji, ed., North-Holland. [18] Constable, R. L., et al [1986], Implementing Mathematics with the NUPRL Development System , Prentice-Hall, N.J. [19] Coquand, T. and G. Huet [1985a], \Constructions: A higher order proof system for mechanizing mathematics", EUROCAL 85, Linz, Austria. [20] Crossley, J. (ed.) [1985], \Aspects of Recursive Algebra", The Upside Down A, Melbourne. [21] Van Dalen, D. [1986] \Intuitionistic Logic", in The Handbook of Philosophical Logic, vol.III , D. Reidel, Dordrecht. [22] Devlin, K. [1984] Constructibility , North-Holland, Amsterdam. [23] Dragalin, A. G. [1987], Mathematical Intuitionism: Introduction to Proof Theory, Translations of Mathematical Monographs 67, AMS, Providence, R. I. [24] Dummett, M. [1977],Elements of Intuitionism , Oxford University Press, Oxford. [25] Feferman, S. [1975] \A language and axioms for explicit mathematics", in: Algebra and Logic, Lecture Notes in Mathematics No. 450, pp. 87-139, Springer, Berlin. [26] Feferman, S. [1977], \Theories of Finite Type", in: Barwise, J. (ed.), Handbook of Mathematical Logic, pp. 913-972, North-Holland, Amsterdam. [27] Feferman, S. [1979], \Constructive theories of functions and classes", in Bo a, M., D. van Dalen and K. McAloon (eds.), Logic Colloquium '78: Proceedings of the Logic Colloquium at Mons, 1978, pp.159-224, North-Holland, Amsterdam. [28] Finkelstein, S. [1994], Ph. D. Dissertation, University of Pennsylvania, to appear. [29] Fourman, M.P. [1980], \Sheaf Models for Set Theory" in The Journal of Pure and Applied Algebra 19, North-Holland. [30] Fourman, M. P. and D. S. Scott [1979], \Sheaves and logic", in: Fourman, Mulvey and Scott, (eds.), Applications of Sheaves, Mathematical Lecture Notes 753, pp.302-401, Springer-Verlag, Berlin. [31] Freyd, P. and Scedrov, A. [1990], Categories, Allegories, North-Holland, Amsterdam.

61

[32] Freyd, P., [1980], \The Axiom of Choice", in The Journal of Pure and Applied Algebra , vol. 19, North-Holland, Amsterdam. [33] Freyd, P., Mulry, P., Rosolini, G., Scott, D. [1990], \Extensional PERs", in LICS 1990, and in TCS 1993. [34] Friedman, H. [1973], \Some applications of Kleene's methods for intuitionistic systems", in: Mathias, A. and H. Rogers (eds.), Cambridge Summer School in Mathematical Logic, pp. 113-170, Lecture Notes in Mathematics No. 337, Springer, Berlin. [35] Friedman, H. [1978], \Classically and intuitionistically provably recursive functions", in: Muller, G.H. and D. S. Scott (eds.), Higher Set Theory, Proceedings, Oberwolfach, 1977, pp. 21-27, Lecture Notes in Mathematics No. 669, Springer, Berlin. [36] Friedman, H. and A. Scedrov [1985], "The lack of de nable witnesses and provably recursive functions intuitionistic set theories", in Advances in Math 57. [37] Friedman, H. [1986?], Functional Realizability , Manuscript. [38] Goldblatt, R. [1984], Topoi , revised ed., North-Holland, Amsterdam. [39] Goodman, N. [1978], \Relativized realizability in intuitionistic arithmetic of all nite types", Journal of Symbolic Logic 43, 23-44. [40] Grayson, R. J. [1983], \Forcing in intuitionistic systems without power set", Journal of Symbolic Logic 48, 670-682. [41] Grayson, R. J. [1984], \Heyting-valued semantics", in: F. Lolli, G. Longo and G. Marcja (eds.), Logic Colloquium '82, North-Holland, Amsterdam. [42] Grayson, R. J. [1979], \Heyting-valued models for intuitionistic set theory", in: M. P. Fourman, D.J. Mulvey and D. S. Scott (eds.), Application of Sheaves, Springer Verlag, Berlin. [43] Grayson, R. J. [1975], \A sheaf approach to models of set theory", M.Sc. thesis, Oxford. [44] Hatcher, W. S. [1982] The Logical Foundations of Mathematics , Pergamon Press, Oxford. [45] Hayashi, S. [1980] \On set theories and toposes", in the Proceedings of the Logic Conference, Hakone, Lecture Notes in Mathematics 891, Springer. [46] Hayashi, S.and H. Nakano [1989], PX: A Computational Logic, The MIT Press, Cambridge. [47] van Heijenoort, J. (ed.) [1967], From Frege to Godel: A Source Book in Mathematical Logic , Harvard University Press. [48] Hyland, J. M. E., P. T. Johnstone and A. M. Pitts [1980], \Tripos Theory", Math. Proceedings of the Cambridge Phil. Society 88, 205-252. [49] Hyland, M. [1982], \The E ective Topos", in The L.E.J. Brouwer Centenary Symposium , North Holland. [50] Hyland, M. and Pitts A., [1989], \The Theory of Constructions: Categorical Semantics and ToposTheoretic Models". [51] Jacobs, B. [1991], Categorical Type Theory , Ph. D. dissertation, Nijmegen. [52] Jech, T. [1978], Set Theory, Academic Press, San Diego. [53] Johnstone, P. T., [1987], Notes on logic and set theory , Cambridge; New York : Cambridge University Press. [54] Johnstone, P. T., [1982], Stone Spaces , Cambridge University Press. [55] Johnstone, P. T. [1977], Topos Theory , Academic Press, New York.

62

[56] Kleene, S. C. [1945], \On the interpretation of intuitionistic number theory", JSL 10, pp.109-124. [57] Kleene, S. C. [1952], \Recursive Functions and Intuitionistic Mathematics", Proc. ICM, Cambridge, 1952. [58] Kleene, S. C. [1952], Introduction to Metamathematics, North-Holland (1971 edition), Amsterdam. [59] Kleene, S. C. [1957], \Realizability", Summaries of talks at the Cornell University summer school. [60] Kleene, S. C. [1969], Formalized recursive functionals and formalized realizability , memoirs AMS, 89. [61] Kleene, S. C. [1973], \Realizability: a retrospective survey" in [78]. [62] Kreisel, G., Troelstra, A.S. [1970]\Formal systems for some branches of intuitionistic analysis", Annals of Math Logic I,229-387. [63] Kripke, S. [1965], \Semantical analysis of intuitionistic logic I", in: Crossley, J. N. and M. Dummett (eds.), Formal Systems and Recursive Functions, Proceedings of the Eighth Logic Colloquium, Oxford, 1963, North-Holland, Amsterdam, 92-130. [64] Kunen, K. [1983], Set Theory , North-Holland, Amsterdam. [65] Lambek, J. and P. J. Scott [1986], Introduction to higher order categorical logic, Cambridge Studies in Advanced Mathematics 7, Cambridge. [66] Lauchli, H. [1970], \An abstract notion of realizability for which predicate calculus is complete", in: Myhill, J., A. Kino, and R. E. Vesley (eds.), Intuitionism and Proof Theory, North-Holland, Amsterdam, 227-234. [67] Lawvere, W. [1975], \Continuously Variable Sets; algebraic geometry = geometric logic", in Logic Colloquium '73 , Rose and Sheperdson, eds., North-Holland, Amsterdam. [68] Lawvere, W. [1969], \Adjointness in Foundations", Dialectica ,23. [69] Lawvere, W. [1964], \An elementary theory of the category of sets", Proc.Nat.Acad.Sci.USA, 52. [70] Lipton, J., [1990], \Constructive Kripke Semantics and Realizability", in the proceedings of the Logic for Computer Science conference held at the Math. Sci. Research Institute, Berkeley, Nov. 1989. [71] Longo, G. and E. Moggi [1988], \Constructive natural deduction and its modest interpretation", CMU Report CS-88-131, Lecture delivered at the workshop on \The semantics of natural and programming languages", Stanford, March 1987, M.I.T. Press. [72] Lubarsky, R., [1994], \V=L in Intuitionistic L", Manuscript, (to appear). [73] Mac Lane, S. [1971], Categories for the working mathematician , Springer, Berlin. [74] Mac Lane, S. and Moerdijk, I., [1992], Sheaves in Geometry and Logic: A First Introduction to Topos Theory , Springer, Berlin. [75] Makkai, M. and G. Reyes [1977], \First order categorical logic", Lecture Notes in Mathematics 611, Springer-Verlag, Berlin. [76] Martin -Lof, P. [1982], \Constructive Mathematics and Computer Programming", in Logic, Methodology and Philosophy of Science IV, North Holland, Amsterdam. [77] Martin-Lof, P. [1984], Intuitionistic Type Theory, Studies in Proof Theory Lecture Notes, BIBLIOPOLIS, Napoli, Italy. [78] Mathias, A. and Rogers, H., [1973], Proceedings of the Cambridge Summer School in Mathematical Logic , LNM 337, Springer-Verlag, Berlin.

63

[79] McCarty, D. C. [1986], \Realizability and recursive set theory", Annals of Pure and Applied Logic 32, 11-194. [80] McCarty, D. C. [1984], \Realizability and recursive mathematics", Doctoral Dissertation, Computer Science Department, Carnegie-Mellon University. [81] McLarty, C. [1993] Elementary Categories, Elementary Toposes , Oxford University Press. [82] McKinsey and Tarski, [1948], \Some theorems on the sentential calculi of Lewis and Heyting", JSL 13, 1-15. [83] Moggi, E., [1991] \Notions of Computation and Monads", Information and Computation , 93(1). [84] Mulry, P. [1980], The Recursive Topos , Ph. D. Dissertation, SUNY Bu alo, Bu alo, NY. [85] Myhill, J. [1970], \Constructive set theory", in Intuitionism and Proof Theory, Kino, Myhill, Vesley (eds.), North-Holland, Amsterdam. [86] Myhill, J. [1973], \Some properties of Intuitionistic Zermelo-Fraenkel set theory", in: Mathias, A. and H. Rogers (eds.), Cambridge Summer School in Mathematical Logic, pp. 113-170, Lecture Notes in Mathematics No. 337, Springer, Berlin. [87] Odifreddi, P. [1989], Classical Recursion Theory, North-Holland, Amsterdam. [88] van Oosten, J. [1990], Exercises in Realizability , Ph.D. Dissertation, Amsterdam. [89] Phoa, W., [1990] An Introduction to bration, topos theory, the e ective topos, and modest sets, from theory.ic.ac.uk . [90] Pitts, A. M., [1981], The Theory of Triposes , Ph. D. Thesis, Cambridge. [91] Pitts, A. M., [1987], \Polymorphism is Set Theoretic, constructively", in Category Theory and Computer Science , LNCS 283, Springer. [92] Powell, W. [1976], \A Completeness Theorem for Zermelo-Fraenkel Set Theory", JSL 41. [93] Powell, W. [1975], \Extending Godel's Negative Interpretation to ZF", JSL 40. [94] Powell, W. [1975], Unpublished manuscript. [95] Prawitz, D. [1965] Natural Deduction: A Proof-Theoretical Study , Almquist and Wiskell, Stockholm. [96] Rosolini, G. [1986] Continuity and E ectiveness in Topoi , Ph. D. Dissertation, Oxford. [97] Scedrov, A. and Mitchell, J., [1993] \Notes on Sconing and Relators", CSL '92, Springer. [98] Scedrov, A. [1985], \Intuitionistic Set Theory", in Harvey Friedman's Research on the Foundations of Mathematics, North-Holland, Amsterdam. [99] Scedrov, A. [1984], Forcing and Classifying Topoi, Memoirs of the American Mathematical Society 295, Providence , R.I. [100] Scedrov, A. [1981], \Consistency and independence results in intuitionistic set theory", in: F. Richman (ed.), Constructive Mathematics, Proceedings , New Mexico, 1980, pp. 54-86, Lecture Notes in Mathematics 873, Springer-Verlag, Berlin. [101] Scedrov, A. [1979], \'Every continuous function f : [0; 1] ! R is uniformly continuous' is Independent of intuitionistic ZF", Preliminary Report, AMS Notices, October, 1979, A-525. [102] Scott, D. S. [1979], \Identity and existence in intuitionistic logic", in: Fourman, M. P., Mulvey, C. J. and D. S. Scott (eds.), Applications of Sheaves, Lecture Notes in Mathematics 753, pp. 660-696, Springer, Berlin/Heidelberg/New York

64

[103] Shoen eld, [1967], Mathematical Logic , Addison-Wesley. [104] Shoen eld, [1971], \Unrami ed Forcing" in Axiomatic Set Theory , V. 1, Proc.Sym. Pure Math., Vol. 13, AMS, Providence, R.I. [105] Seely, R. [1983], \Hyperdoctrines, Natural Deduction and the Beck Condition", ZML 29. [106] Seely, R. [1984], \Locally Cartesian Closed Categories and Type Theory", Math. Proc. Camb. Phil. Soc. 95. [107] Streicher, T. [1989], Correctness and Completeness of a Categorical Semantics of the Calculus of Constructions , Ph. D. dissertation,Univ. Passau. [108] Streicher, T. [1992], \Independence of the induction principle and the axiom of choice in the pure calculus of constructions", TCS 103, pp. 395-408. [109] Takeuti, G. and Titani, G. [1980], \Heyting-valued universes of intuitionistic set theory" in Logic Symposia, Hakone, 79-80, Lecture Notes in Mathematics 891, Springer. [110] Tait, W. W. [1975], \A realizability interpretation of the theory of species", Logic Colloquium (Boston, Mass., 1972=73), Lecture Notes in Mathematics, V. 453, Springer-Verlag, 240-251. [111] Tennison, B. R. [1975] Sheaf Theory , Cambridge University Press. [112] Tierney, M. [1972], \Sheaf Theory and Continuum hypothesis", in: F. W. Lawvere (ed.), Toposes, Algebraic Geometry and Logic, Lecture Notes in Mathematics 274, pp. 13-42, Springer-Verlag, Berlin. [113] Troelstra, A. [1978], Choice Sequences , Oxford Logic Guides, Oxford University Press. [114] Troelstra, A. S. and D. van Dalen [1988], Constructivism in Mathematics: An Introduction, Vol. II, Studies in Logic and the Foundations of Mathematics, Vol. 123, North-Holland, Amsterdam.

65