assumption u first for tt and then for ff. Effectively, the value tt obtains a higher priority: in both programs the functions computing indices of ff are always invoked from functions computing indices of tt.
Both programs reflect the use of classical logic by some form of backtracking. Generally, the backtracking is triggered by invoking a functional parameter with two different values: tt and ff. However, in [[P]]◦ the functional parameters are continuations, in the sense that the invocations are always tail-recursive (cf. [Rat10]). This is not the case in [[M]]+, where functional parameters compute challenge candidates whose validity controls the backtracking process. Both programs use similar case distinctions with quite different origins: while in [[L]]◦ the only case distinction comes from the proof of CB, in both [[L]]+ and [[M]]+ the case distinction is the quantifier-free translation of the formula proved by L.
Stolzenberg's example is not parametrised by a number, hence theoretically both programs have constant time complexity. However, it is easy to see that [[M]]+ is not only larger, but also less efficient. The reason is that the subterms of ground type m and xw0 are repeated several times throughout the programs [[L]]+ and [[M]]+, and will hence be redundantly evaluated to the same number more than once under any reduction strategy. The problem can be partially remedied by using a let construct in the case distinction operator $\bowtie_u$, but it will not be solved completely: xw0 will still be repeated in the term $[[M_4]]^-_w$. The next case studies will help to outline the nature of this inefficiency and how it can be solved.
3.2 Integer root
One possible application of methods for extraction from classical proofs is to obtain a valid program from a non-constructive proof of existence, which is presumably easier to provide than an explicit (constructive) proof. Stolzenberg's example demonstrated how programs obtained from a proof that makes non-trivial use of classical logic are not necessarily optimal. The present example will investigate the behaviour of programs extracted from classical proofs which are essentially constructive, i.e., which prove a contradiction from a false assumption without using it more than once.
We will use the integer root example, presented in [BS95, Ber95] and later treated also in [Mak06]. The example can be stated as follows.
Proposition 3.4. Let f : N ⇒ N be an unbounded function, i.e., there exists a function g : N ⇒ N such that ∀n(f(gn) > n). Then for every m ≥ f0 there is an n such that fn ≤ m < f(n+1).
Proof. We assume that there is no such n, i.e., ∀n(fn ≤ m → f(n+1) ≤ m). By induction on n we can prove that ∀n(fn ≤ m), using m ≥ f0 as the base case. Setting n := gm yields f(gm) ≤ m, which contradicts f(gm) > m.
3.2.1 Proof formalisation
Let us denote the type of sequences of natural numbers as NS := N ⇒ N. The existence of an integer root can be formalised as follows:
\[
\forall f^{NS}\,\forall g^{NS}\,\forall m^{N}\bigl(\forall n^{N}(f(gn) > n) \to \neg(f0 > m) \to \tilde\exists n^{N}(\neg(fn > m)\ \tilde\wedge\ f(Sn) > m)\bigr).
\]
The proof of Proposition 3.4 can be expressed by the following proof term:
\[
M := \lambda f\,\lambda g\,\lambda m\,\lambda u^{\forall n(f(gn)>n)}\,\lambda v^{\neg(f0>m)}\,\lambda w^{\forall n(\neg(fn>m)\to\neg(f(Sn)>m))}\ \mathrm{Ind}_{n,\neg(fn>m)}\,(gm)\,v\,w\,(um).
\]
The formalisation is particularly simple, because we have chosen to use only the relation > and defined ≤ as its negation. Moreover, a constructive proof of this statement would be much more involved, as it would require an additional lemma [BS95].
3.2.2 Extraction via rened A-translation
This example has already been treated in [BS95] with refined A-translation. M proves a formula of the form $D_1 \to D_2 \to \tilde\exists n(G_1 \tilde\wedge G_2)$, where $D_1 := \forall n(f(gn) > n)$ and $D_2 := \neg(f0 > m)$ are definite formulas, while $G_1 := \neg(fn > m)$ and $G_2 := f(Sn) > m$ are goal formulas.
By Corollary 2.14, we need to extract from the translated proof
\[
P := \lambda u_1^{D_1^F}\,\lambda u_2^{D_2^F}\; P'[\bot := \exists n(G_1 \wedge G_2)]\,u_1\,u_2\,(\lambda n\,\lambda v_1^{G_1^F}\,\lambda v_2^{G_2^F}\ \exists^{+} n\,\langle v_1, v_2\rangle),
\]
where
\[
\begin{aligned}
P' &:= \lambda u_1^{D_1^F}\,\lambda u_2^{D_2^F}\,\lambda v^{\forall n(\vec G^F \to \bot)}\; M\,f\,g\,m\,(Q'_1 u_1)\,(Q'_2 u_2)\,(\lambda n\,\lambda w_1^{G_1}\,\lambda w_2^{G_2}\; Q''_1\,w_1\,(\lambda z^{G_1^F}\; Q''_2\,w_2\,(v\,n\,z))),\\
Q'_1 &:= \lambda u_1^{D_1}\,u_1, \qquad Q'_2 := \lambda u_2^{D_2^F}\,\lambda v_2^{f0>m}\ \bot^{+}(u_2\,v_2),\\
Q''_1 &:= \mathrm{CD}_{fn>m,\bot}, \qquad Q''_2 := \lambda w_2^{G_2}\,\lambda v_2^{G_2\to\bot}\ v_2\,w_2.
\end{aligned}
\]
To simplify notation, in the following we will not explicitly denote the substitution
\[
\begin{aligned}
[[Q'_1]]^\circ &\equiv \varepsilon, \qquad [[Q'_2]]^\circ \equiv \varepsilon^{N} \equiv 0, \qquad [[Q''_2]]^\circ \equiv \lambda k\, k,\\
[[Q''_1]]^\circ &\equiv \mathrm{Cases}^{N\Rightarrow N\Rightarrow N}(fn > m)(\lambda x\,\lambda y\, x)(\lambda x\,\lambda y\, y) =_r \mathrm{Cases}^{N}(fn > m),\\
[[M\,f\,g\,m]]^\circ &=_r \mathcal{R}^{N}_{N}(gm),\\
[[P']]^\circ &\equiv \lambda h^{N\Rightarrow N}\,\mathcal{R}^{N}_{N}(gm)\,0\,(\lambda n\,\lambda p\,\mathrm{Cases}(fn > m)\,p\,(hn)),\\
[[P]]^\circ &\equiv [[P']]^\circ(\lambda n\, n) =_r \mathcal{R}^{N}_{N}(gm)\,0\,(\lambda n\,\lambda p\,\mathrm{Cases}(fn > m)\,p\,n).
\end{aligned}
\]
The program [[P]]◦ is already in normal form. It performs a linear search for a number n with fn ≤ m, starting from gm down to 0, and returns the first one found.
3.2.3 Extraction via the Dialectica interpretation
Let $M_1 := \mathrm{Ind}_{n,\neg(fn>m)}\,(gm)\,v\,w\,(um)$. As above, we will not explicitly denote the substitution [⊥ := F]. Then
\[
[[M]]^+ \equiv \lambda f\,\lambda g\,\lambda m\,\langle [[M_1]]^-_u,\ [[M_1]]^-_w\rangle \equiv \lambda f\,\lambda g\,\lambda m\,\langle m,\ \mathcal{R}^{N}_{N}(gm)\,0\,(\lambda n\,\lambda p\,(p \bowtie_w n))\rangle,
\]
where $p \bowtie_w n \equiv \mathrm{Cases}\,(\mathrm{T}_{\to}(fp \le m)(m \ge f(Sp)))\,n\,p$.
The program [[M]]+ is very similar to [[P]]◦; however, there are two prominent differences. First of all, the Dialectica interpretation extracts more information from the proof. Apart from the program $[[M_1]]^-_w$, which computes the counterexample for w and hence the witness for $\tilde\exists n$, we also extract the term $[[M_1]]^-_u$, which is a counterexample for the assumption u, stating that g bounds f at every n. The underlying reason is that classically we can read Proposition 3.4 as: for a function f, if some number m ≥ f0 has no integer root, then f is bounded by some number M. From the Dialectica interpretation of the proof we can see that m is a witness for M, which, in fact, does not depend on g. We could obtain the same witness by refined A-translation, but we would need to rearrange the formalisation of M, and then the translated proof P would be completely different. In contrast, via the Dialectica interpretation we obtain both witnesses, even if we are only interested in one of them.
The second difference between the two programs [[M]]+ and [[P]]◦ lies in the recursive processes they generate. While in [[P]]◦ the recursion starts from gm and stops unfolding as soon as an integer root is found, in [[M]]+ the case distinction involves the variable p, which corresponds to a recursive call. Hence, the recursion in [[M]]+ always unfolds to 0 and then the search starts from 0 up towards gm. Once an
evaluate to ff and k will be the finally computed witness. However, all these case distinctions for n ∈ (k; gm] will be redundant, because they will reconfirm what is already known: that k is the witness. Thus [[M]]+ and [[P]]◦ return the smallest and the largest integer root of f in the interval [0; gm], respectively. Moreover, the two programs have the same worst-case time complexity O(gm). However, [[M]]+ can be noticeably slower on average, since it will always perform exactly gm steps, while [[P]]◦ will only perform gm − k steps, where k is the largest integer root of f smaller than gm. Hence, if g produces a good approximation of an integer root on average, the program [[P]]◦ will have better average time complexity.
There are two easy solutions which can improve the program [[M]]+. The first one is to use the case distinction operator with reversed arguments:
\[
n \bowtie_w p \equiv \mathrm{Cases}\,(\mathrm{T}_{\to}(fn \le m)(m \ge f(Sn)))\,p\,n.
\]
This change is sound, because in Theorem 2.21 the order of the arguments is not important. It is easy to see that in this way the program becomes almost the same as [[P]]◦, the only difference being that we still perform two comparisons instead of one. The modified program will now return the largest integer root.
The other solution is to introduce a boolean flag which remembers that a counterexample has been found and avoids further case distinctions. The altered program will look as follows:
\[
[[M_1]]^-_w \equiv \mathcal{R}^{N\times B}_{N}(gm)\,\langle 0, \mathrm{ff}\rangle\,\bigl(\lambda n\,\lambda p\,(\mathrm{Cases}\,(p_y)\,p\,(\mathrm{Cases}\,(\mathrm{T}_{\to}(f(p_x) \le m)(m \ge f(S(p_x))))\,\langle n, \mathrm{ff}\rangle\,\langle p_x, \mathrm{tt}\rangle))\bigr).
\]
Note that p is now a pair $\langle n^{N}, b^{B}\rangle$, where if b is tt, then n has already been verified to be a witness. The program will retain its original behaviour, computing the smallest integer root, but it will skip the unnecessary case distinctions involving n by reducing them to a check of the boolean flag b. This change can also be proved to be sound, but the proof is more involved, as it requires an additional statement about the soundness of the flag b.
The first solution seems easier and more natural, but we will later demonstrate that it does not improve the efficiency in more general cases, in particular when the induction formula is not quantifier-free. However, we will see that in cases where the induction formula requires witnesses but does not require challenges, the second solution still applies.
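The four search programs discussed in this section ([[P]]◦ from refined A-translation, $[[M_1]]^-_w$ from the Dialectica interpretation, and the two modified Dialectica programs), as an added example in Python. This is illustrative code written for this page, not extraction output of the thesis or of any proof assistant. The recursor $\mathcal{R}^{\tau}_{N}$ is modelled by a class (called Recursor here) that passes the recursive call as a thunk, so whether a program forces it becomes observable; the names Probe, implies, prog_P, prog_M, prog_M_reversed, prog_M_flag and run, and the sample f, g and m, are all chosen for this demonstration.

```python
"""Integer-root search programs of Section 3.2, modelled in Python.

Added example, not extraction output.  Each program is written against an
explicit primitive recursor R whose recursive argument is a thunk, so that
a program which never forces it stops early, while one that always forces
it unfolds to 0.  The sample f, g and m below are constructed for the demo.
"""
from typing import Callable, Tuple, TypeVar

T = TypeVar("T")


class Recursor:
    """R^T_N n base step, with R 0 = base and R (k+1) = step k (R k).
    The recursive call is passed lazily; `steps` counts unfoldings."""

    def __init__(self) -> None:
        self.steps = 0

    def __call__(self, n: int, base: T,
                 step: Callable[[int, Callable[[], T]], T]) -> T:
        if n == 0:
            return base
        self.steps += 1
        return step(n - 1, lambda: self(n - 1, base, step))


class Probe:
    """Wraps f and counts how often it is evaluated (the cost the text compares)."""

    def __init__(self, f: Callable[[int], int]) -> None:
        self.f, self.calls = f, 0

    def __call__(self, n: int) -> int:
        self.calls += 1
        return self.f(n)


def implies(a: bool, b: bool) -> bool:
    """Boolean implication T_-> on two already evaluated comparisons."""
    return (not a) or b


def prog_P(f, g, m, R):
    """[[P]]°: R (g m) 0 (λn λp. Cases (f n > m) p n).  p is forced only while
    f n > m, so the search runs downwards from g m and stops at the largest root."""
    return R(g(m), 0, lambda n, p: p() if f(n) > m else n)


def prog_M(f, g, m, R):
    """[[M1]]^-_w: R (g m) 0 (λn λp. p ⋈_w n) with
    p ⋈_w n = Cases (T_->(f p ≤ m)(m ≥ f (S p))) n p.  The test is on p, so every
    level forces the recursive call: the recursion unfolds to 0 and the search
    then runs upwards, returning the smallest root."""
    def step(n, p):
        q = p()
        return n if implies(f(q) <= m, m >= f(q + 1)) else q
    return R(g(m), 0, step)


def prog_M_reversed(f, g, m, R):
    """First fix, n ⋈_w p: test n first and force p only if n is not a root.
    Same unfolding as [[P]]°, but two comparisons per level."""
    def step(n, p):
        return p() if implies(f(n) <= m, m >= f(n + 1)) else n
    return R(g(m), 0, step)


def prog_M_flag(f, g, m, R):
    """Second fix: R^{N×B}_N (g m) <0,ff> (λn λp. Cases p_y p (Cases (T_-> ...) <n,ff> <p_x,tt>)).
    Still unfolds to 0, but once the flag is set no comparison is evaluated."""
    def step(n, p):
        x, found = p()
        if found:
            return (x, True)
        return (n, False) if implies(f(x) <= m, m >= f(x + 1)) else (x, True)
    return R(g(m), (0, False), step)[0]


def run(program, f, g, m) -> Tuple[int, int, int]:
    """Run one program and return (root, recursor unfoldings, evaluations of f),
    after checking that the result really is an integer root: f root ≤ m < f (root+1)."""
    probe, R = Probe(f), Recursor()
    root = program(probe, g, m, R)
    assert f(root) <= m < f(root + 1), "extracted witness is not an integer root"
    return root, R.steps, probe.calls


# Constructed sample: a non-monotone prefix, so that several roots exist.
TABLE = [0, 5, 2, 7, 1, 9]


def f_sample(n: int) -> int:
    return TABLE[n] if n < len(TABLE) else n + 10


def g_sample(n: int) -> int:
    return n + 10          # f (g n) = n + 20 > n, so g witnesses unboundedness of f


if __name__ == "__main__":
    for name, prog in [("P", prog_P), ("M", prog_M),
                       ("M reversed", prog_M_reversed), ("M flag", prog_M_flag)]:
        root, steps, calls = run(prog, f_sample, g_sample, 4)
        print(f"{name:12} root={root} unfoldings={steps} f-calls={calls}")
```

For m = 4 (so gm = 14) the sample has roots 0, 2 and 4: [[P]]◦ and the reversed program return 4 after 10 unfoldings, the Dialectica program and its flagged variant return 0 after 14, and the flag cuts the evaluations of f from 28 to 2. One caveat the thunk makes explicit: the claim that [[P]]◦ and the reversed program "stop unfolding" depends on the recursive argument p being evaluated lazily (or on Cases not evaluating the branch it discards); under a strict reduction strategy all four programs perform gm unfoldings, and only the number of comparisons distinguishes them.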