Existential witness extraction in classical realizability and via a negative translation

We show how to extract existential witnesses from classical proofs using Krivine's classical realizability---where classical proofs are interpreted as lambda-terms with the call/cc control operator. We first recall the basic framework of classical realizability (in classical second-order arithmetic) and show how to extend it with primitive numerals for faster computations. Then we show how to perform witness extraction in this framework, by discussing several techniques depending on the shape of the existential formula. In particular, we show that in the Sigma01-case, Krivine's witness extraction method reduces to Friedman's through a well-suited negative translation to intuitionistic second-order arithmetic. Finally we discuss the advantages of using call/cc rather than a negative translation, especially from the point of view of an implementation.


Introduction
Extracting an existential witness (i.e. an object t such that A(t)) from a proof of the formula ∃x A(x) is now a well-understood technique in intuitionistic logic.The simplest way to do it is to normalize the proof and retrieve the witness from the premise of its normal form.Through the Brouwer-Heyting-Kolmogorov interpretation, one can also read the proof as a functional program that reduces to a pair whose first component is the desired witness.Such techniques are implemented in proof-assistants based on intuitionistic systems [29,20,27].
Extracting a witness from a classical proof of an existential formula is much more difficult, since classical logic is known not to enjoy the witness property.Such an extraction is actually not always feasible: for instance, we cannot expect to extract a witness from the obvious classical proof of the formula in general-think of C being undecidable or, say, Riemann's conjecture.However, several techniques [12,13,8,6,11] have been proposed in order to extract a witness from a classical proof of an existential formula in some particular cases-typically: when the formula is Σ 0 1 (i.e. of the form ∃x f (x) = 0).
1.1.Friedman's method.One of the most popular methods to extract witnesses from classical proofs of Σ 0 1 -formulae has been introduced by Friedman [6].The idea of Friedman is to generalize Gödel and Kolmogorov's double negation translation by replacing the intuitionistic negation ¬A ≡ A ⇒ ⊥ by a relative negation ¬ R A ≡ A ⇒ R parameterized by an arbitrary formula R. (The only condition on R is that its free variables should not be captured in the formula or the proof we want to translate.)In first-order Peano arithmetic (PA) for instance, this negative R-translation A → A ¬¬ can be defined as follows and it is easy to check that if a formula A is provable in Peano arithmetic, then the formula A ¬¬ is provable in Heyting Arithmetic (HA), independently from the choice of the formula R.
If we apply this translation to a classical proof p of the formula ∃x f (x) = 0 (i.e. a Σ 0 1 -formula), then we get an intuitionistic proof p * of the formula By simplifying the triple (relative) negation and by unfolding the relative negation ¬ R A ≡ A ⇒ R, we thus get an intuitionistic proof p * ′ of the formula ∀x (f (x) = 0 ⇒ R) ⇒ R .
(The proof p * ′ we get is parametric w.r.t. the formula R.) Now, let us introduce Friedman's trick, which is to instantiate the parameter R with the formula we want to prove, letting R ≡ ∃y f (y) = 0. Thus p * ′ is an intuitionistic proof of the implication ∀x f (x) = 0 ⇒ ∃y f (y) = 0 ⇒ ∃y f (y) = 0 .whose left member is the introduction rule of existential quantification.Combining the modus ponens with the introduction rule of existential quantification, we finally get an intuitionistic proof p ≡ (p * ′ ) (∃-intro) of the formula ∃y f (y) = 0 from which we can perform the standard extraction techniques.
The transformation above actually shows that classical arithmetic is conservative over intuitionistic arithmetic on the class of Σ 0 1 -formulae.Since the transformation even works when the inner formula depends on free variables, it is easy to generalize the latter result to a result of conservativity on the class of Π 0 2 -formulae: ⊢ PA ∀x ∃y f (x, y) = 0 ⊢ PA ∃y f (x 0 , y) = 0 This conservativity result has been extended by Friedman (using the same technique) to much stronger pairs of classical and intuitionistic theories, such as PA2/HA2, . . ., PAω/HAω, Z/IZ, ZF/IZF C [6].
1.2.Krivine's classical realizability.Up to the 90's, the computational contents of classical proofs was only studied indirectly, via clever translations to intuitionistic logic [8,12,6] or to linear logic.The situation quickly changed with the discovery of a strong connection between classical reasoning principles (such as Peirce's law) and control operators (such as call/cc) [9].This led to the rise of many extensions of the λ-calculus with control primitives, such as Krivine's λ c -calculus [19], Parigot's λµ-calculus [26], Barbanera and Berardi's (non deterministic) symmetric λ-calculus [1] or Curien and Herbelin's λ λµμ-calculus [5].(This list is far from being exhaustive.)Among these different proposals to extend the proofs-as-programs paradigm to classical logic, Krivine's theory of classical realizability [16,19] enjoys a particular position.First, it is based on realizability rather than on typing, which makes it naturally more flexible and more powerful than systems that are simply based on typing.Second, the simplicity on the underlying calculus of realizers (the λ-calculus extended with the call/cc control primitive) and of its evaluation policy (weak head normalization) hides its main feature, which is its ability to incorporate new instructions in order to realize new formulae, such as (for instance) several forms of the axiom of choice [17].Although classical realizability is traditionally presented in second-order classical arithmetic, it can be extended to much more expressive logical frameworks such as Zermelo-Fraenkel set theory [16] or the calculus of constructions with universes [21].
Less known is the fact that Krivine's framework allows to perform classical witness extraction directly (especially from realizers of Σ 0 1 -formulae), without going through a negative translation such as Friedman's.The purpose of this paper is twofold.First, it aims at presenting some methods that naturally come with classical realizability in order to extract witnesses from classical proofs of existential formulae-especially Σ 0 1 -formulae.Second, it aims to relate the extraction method for Σ 0 1 -formulae with Friedman's, by showing that through a well-chosen negative translation (inspired from [25]), both methods are basically the same (up to the details of the translation).
One of the difficulties of tracking arithmetic reasoning through a negative translation is that some parts of the proof carry over logical invariants whereas other parts are only devoted to arithmetic computations.To solve this problem, we shall introduce primitive numerals in the language of realizers, while showing that they (essentially) realize the same formulae as Church numerals.As a side effect, replacing Church numerals with primitive numerals also makes the corresponding extraction technique much more realistic-and we believe, much more efficient-in the perspective of a practical implementation.1.3.Outline of the paper.In section 2, we present a type system for classical secondorder arithmetic (PA2) based on the λ-calculus extended with the primitive call/cc.This type system is given its semantics in section 3, by defining a family of classical realizability models (following [19]).In section 4, we extend the calculus of realizers and the type system for PA2 with primitive numerals to make arithmetic computations more efficient (in proofterms) and more easily tractable through the negative translation.The classical witness extraction methods are presented in section 5 and we illustrate them with an example based on the minimum principle in section 6.In section 7, we define a more traditional type system for intuitionistic second-order arithmetic (HA2), which we relate to the type system for PA2 by defining in section 8 a negative translation in the spirit of [25].
2. Classical second-order arithmetic (PA2) 2.1.The language of second-order arithmetic.The language of PA2 (Fig. 1 p. 5) is made of two kinds of syntactic expressions: arithmetic expressions (a.k.a.first-order terms 1 ) that represent individuals, and formulae that represent mathematical propositions.
Arithmetic expressions (notation: e, e ′ , e 1 , etc.) are built from an infinite set of firstorder variables (notation: x, y, z, etc.) using function symbols (notation: f , g, h, etc.) defined in a given first-order signature.Here, we assume that the signature contains a constant symbol '0' for zero, a unary function symbol 's' for the successor function, and more generally, a function symbol f of arity k for every primitive recursive definition of a function with k arguments.In the sequel, we shall use binary function symbols '+' (addition) and '×' (multiplication) as well as unary function symbols 'pred' (predecessor) and 'neg' (boolean negation) with the following definitions: 0 + y = y 0 × y = 0 s(x) + y = s(x + y) s(x) × y = (x × y) + y pred(0) = 0 neg(0) = 1 pred(s(x)) = x neg(s(x)) = 0 (writing 1 = s(0), 2 = s(1), 3 = s(2), etc.)The set of all free variables of an arithmetic expression e is written FV (e).The notion of (first-order) substitution in an arithmetic expression is defined as usual and written e{x := e ′ }.Formulae of the language of second-order arithmetic (notation: A, B, C, etc.) are formed from second-order variables (notation: X, Y , Z, etc.) of all arities using implication and first-and second-order universal quantification (Fig. 1).We slightly deviate from the traditional presentation of the syntax of the language [7,14] by explicitly introducing a unary predicate symbol 'null' expressing that its argument yields zero.The main reason for introducing this symbol is that it facilitates the construction of a simple proof-term for Peano's 4th axiom within the type system presented in section 2.3.
The set of all free (first-and second-order) variables of a formula A is written FV (A).The notions of first-and second-order substitution in a formula are defined as usual, and written A{x := e} and A{X(x 1 , . . ., x k ) := B} respectively.(See [7,14] for a more detailed presentation of the two forms of substitutions.) 2.1.1.Second-order encodings.
Propositional units (⊤ and ⊥), negation, conjunction, disjunction, first-and second-order existential quantification as well as Leibniz equality are represented using the second-order encodings given in Fig. 1.Here, we define the propositional constant ⊤ as a shorthand for the formula null(0), which is consistent with the type system of section 2.3 and the realizability interpretation of section 3. Intuitively, the formula ⊤ is the type of all proof-terms, and it is important not to confuse it with the (true) formula 1 ≡ ∀Z (Z ⇒ Z) that has much less proof-terms.The congruences e ∼ = e ′ and A ∼ Typing rules of PA2 The congruences e ∼ = e ′ and A ∼ = A ′ .We introduce two congruences e ∼ = e ′ and A ∼ = A ′ over arithmetic expressions and formulae that will be used to incorporate the definitional equalities of the function symbols of the signature in the conversion rule of the type system we shall introduce in section 2.3.The same mechanism will be used to build proof-terms for Peano's 3rd and 4th axioms.
The congruence e ∼ = e ′ over arithmetic expressions is simply defined as the congruence generated by the defining equations of the primitive recursive function symbols of the signature.(We already gave the equations associated with the function symbols '+', '×', 'pred' and 'neg' in section 2.1.)Of course, these equations can be oriented in such a way that they form a confluent and terminating system of rewrite rules, so that the congruence e ∼ = e ′ is decidable.But we shall not need such a level of detail in the sequel.
The congruence A ∼ = A ′ over formulae is defined by adding the equation null(s(x)) ∼ = ⊥ to the system of equations defining the congruence e ∼ = e ′ .Again, this new equation can be oriented from left to right so that the resulting system of rewrite rules (including the rewrite rules for function symbols) is confluent and terminating, and the congruence A ∼ = A ′ is thus decidable.

2.3.
A type system for classical second-order arithmetic.The type/proof system of PA2 closely follows the spirit of Second-order functional arithmetic (FA2) [14].As in FA2, first-and second-order universal quantifications are treated uniformly, by using Curry-style proof-terms that do not keep track of introduction and elimination of universal quantifiers. 2s usual in such a framework, numeric quantifications require a special treatment we shall recall in Section 2.4.
Formally, the type system of PA2 is based on a typing judgment of the form Γ ⊢ NK t : A, where Γ is a typing context, t a (Curry-style) proof-term, and where A is a formula of the language of PA2 (section 2.1).
Proof-terms of PA2 (notation: t, u, etc.) are just pure λ-terms3 enriched with a special constant cc ('call/cc') to prove Peirce's law.The operational semantics of proof-terms (that slightly differs from the traditional operational semantics of pure λ-calculus) will be given in section 3.
A typing context (notation: Γ, Γ ′ , Γ 1 , etc.) is a finite unordered list of declarations of the form Γ ≡ x 1 : A 1 , . . ., x n : A n where x 1 , . . ., x n are pairwise distinct proof-variables and where A 1 , . . ., A n are arbitrary formulae.Given a typing context Γ ≡ x 1 : A 1 , . . ., x n : A n , we write dom(Γ) = {x 1 ; . . .; The inference rules for the judgment Γ ⊢ NK t : A are given in Fig. 1.These rules contain the standard typing rules of AF2 [14] (that correspond to the deduction rules of intuitionistic natural deduction in second-order predicate logic), plus a typing rule for the constant cc (Peirce's axiom) to recover classical logic.These rules also contain a conversion rule as well an introduction rule for the propositional constant ⊤. (These rules are specifically needed to build proof-terms for the axioms of arithmetic.)In particular: • For all arithmetic expressions e 1 (x 1 , . . ., x k ) and e 2 (x 1 , . . ., x k ) depending on the variables x 1 , . . ., x k such that e 1 (x 1 , . . ., x k ) ∼ = e 2 (x 1 , . . ., x k ), we have (where = stands for Leibniz equality).So that λz .z is a proof-term for all definitional equalities attached to the function symbols of the signature.• Given an arbitrary proof-term u such that FV (u) ⊆ {z}, we have so that Peano's 3rd and 4th axioms are provable in our type system.(The corresponding derivations are given in Fig. 2.) Figure 2: Derivations for Peano's 3rd and 4th axioms 2.4.Induction.It is well known [7,14,19] that the induction principle cannot be given a (closed) proof-term in the type system we presented above.The reason is that first-order quantification is interpreted uniformly (i.e. as an infinitary intersection type) in our setting, whereas universal quantification over natural numbers cannot be interpreted uniformly, for that most proofs of A(n) computationally depend on the natural number n.To circumvent this difficulty, we use a well-known trick of second-order logic which is to relativize first-order quantifications using the predicate nat(x) ≡ ∀Z Z(0) ⇒ ∀y (Z(y) ⇒ Z(s(y))) ⇒ Z(x) expressing that x belongs to the smallest set of individuals containing zero and stable under the successor function.With this notation, the relativized form of the induction principle can be given a closed proof-term in our setting.(See [14] for instance.) More generally, we associate to every formula A a formula A nat that is obtained by relativizing all the first-order quantifications with the predicate nat.Formally, the formula A nat is defined by induction of A with the equations: We then easily check that Proposition 2.1.If a closed formula A is provable in classical second-order arithmetic (with the unrelativized induction principle), then the formula A nat has a closed proof-term in the type system defined in Fig. 1.

Classical realizability
We shall now present the classical realizability interpretation of the type system presented in section 2.3, following the method introduced by Krivine [19].First, we shall introduce a calculus of realizers (Krivine's language λ c ) containing the proof-terms of Fig. 1, and give its evaluation rules, that constitute the small-step operational semantics of the language.From this, we shall see how to interpret every formula A of PA2 as a set of realizers |A|, reading the formula A as a specification of the computational behavior of the realizers of A. The connection between the classical realizability interpretation and big-step operational semantics in λ c should become clear in sections 4 and 5.

3.1.
A calculus of realizers.Krivine's language λ c [19] is a strict extension of the calculus of proof-terms of PA2 (section 2.3).The language λ c actually distinguishes three kinds of syntactic entities: terms, stacks and processes.
Terms of λ c are pure λ-terms enriched with two kinds of constants: • instructions κ ∈ K, where K is a fixed set of constants that contains (at least) an instruction written cc (call/cc); • continuation constants k π , one for every stack π.Stacks are finite lists of closed terms terminated by the stack constant ⋄. 4 Note that unlike terms (that may be open or closed), stacks only contain closed terms and are thus closed objects-so that the continuation constant k π associated to every stack π is actually a constant.(The details of the mutual definition of terms and stacks are given in [19].)Finally, a process is simply a pair formed by a closed term t and a stack π.The set of closed terms (resp.the set of stacks) is written Λ c (resp.Π), and the set of processes is written Λ c ⋆ Π.
In section 4 we shall extend the calculus with extra instructions to perform fast arithmetic computations.(See also Remark 3.1.)

Evaluation.
The set of processes is equipped with a binary relation of one step evaluation written p ≻ p ′ , whose reflexive-transitive closure is written p ≻ * p ′ as usual.We assume that this relation satisfies (at least) the following axioms: for all t, u ∈ Λ c and π, π ′ ∈ Π.Note that only processes are subject to evaluation: there is no notion of reduction for either terms or stacks in λ c .This list of axioms-that basically implements weak head β-reduction in presence of the control operator call/cc-can be extended with extra axioms to describe the computational behavior of the other instructions κ ∈ K. Remark 3.1.Formally, the definition of the language λ c thus depends on two parameters: the set K of instructions (containing at least the instruction cc), and the relation of evaluation ≻ that fulfils the four axioms given above.In particular, the rules (Grab), (Push), (Call/cc) and (Resume) are only conditions on the relation ≻, but they do not constitute a defi (by cases) of this relation.(The reader is invited to check that these conditions are actually the minimal conditions for proving Prop.3.10.)Putting conditions on the set K and on the relation of evaluation-rather than defining them completely-naturally makes the calculus modular, since this design allows us to enrich the calculus with extra instructions (by putting extra conditions on K) and extra evaluation rules (by putting extra conditions on ≻), while keeping all the results that have been proved using a smaller set of conditions on K and ≻5 .Technically, this open design has only one drawback, which is that it forbids any form of reasoning by 'case analysis' on an instruction or on an evaluation step-since the contents of K and the definition of ≻ are not (completely) known.Again, the reader is invited to check that this form of reasoning is never used in the results presented in Sections 3, 4 and 5-with the sole exception of Lemma 5.5 in section 5.3.The set of available instructions and evaluation rules will only be closed in section 8, in order to define the negative translation and to study its properties.

The notion of a pole.
The construction of the classical realizability model is parameterized by a set of processes ⊥ ⊥ ⊆ Λ c ⋆ Π, which we called the pole of the model.We assume that this set is closed under anti-evaluation (or saturated according to the terminology of [19]).Formally: Definition 3.2.A pole is any set of processes ⊥ ⊥ ⊆ Λ c ⋆ Π such that the conditions p ≻ p ′ and p ′ ∈ ⊥ ⊥ together imply p ∈ ⊥ ⊥ for all p, p ′ ∈ Λ c ⋆ Π. Remark 3.3.Since the definition of a pole explicitly depends on the relation of evaluation ≻, all the conditions we put on the relation of evaluation (see Remark 3.1) are mechanically reflected in the definition of the notion of a pole.For instance, the rule (Push) is reflected in all poles ⊥ ⊥ by the fact that t ⋆ u • π ∈ ⊥ ⊥ implies tu ⋆ π ∈ ⊥ ⊥ (for all terms t, u and for all stacks π).The same holds for the rules (Grab), (Call/cc) and (Resume), as well as for the new rules we shall introduce in Section 4. Putting more conditions on the relation of evaluation thus reduces the number of available poles.
Note that there are two generic ways to define a pole ⊥ ⊥ from an arbitrary set of processes P 0 ⊆ Λ c × Π: • The first method is to consider P 0 as a set of final (or 'accepting') states, and to take ⊥ ⊥ as the closure of P 0 by anti-evaluation, that is: ⊥ ⊥ = (≻P 0 ), which is defined by (≻P 0 ) ≡ {p : ∃p 0 ∈ P 0 p ≻ * p 0 }.• The second method is to consider P 0 as a set of initial ('forbidden') states, and to take ⊥ ⊥ as the complement of the closure of P 0 by evaluation, that is: ⊥ ⊥ = (Λ c ⋆ Π) \ (P 0 ≻), where (P 0 ≻) ≡ {p : ∃p 0 ∈ P 0 p 0 ≻ * p}.In this paper, we shall build particular poles (in Section 5) only using the first method, but interesting uses of the second method can be found in [17].

Truth and falsity values.
From now on, ⊥ ⊥ denotes a fixed pole.We call a falsity value any set of stacks S ⊆ Π.By orthogonality, every falsity value S ⊆ Π induces a truth value S ⊥ ⊥ ⊆ Λ c defined as:

Valuations and parametric formulae.
A valuation is a function ρ whose domain is a finite set of (first-and second-order) variables, such that: • ρ(x) ∈ N for every first-order variable x ∈ dom(ρ); • ρ(X) is a (total) function from N k to P(Π) (i.e. a falsity value function) for every k-ary second-order variable X ∈ dom(ρ).A parametric expression (resp.a parametric formula) is simply an arithmetic expression e (resp.a formula A) equipped with a valuation ρ, that we write e[ρ] (resp.A[ρ]).Parametric contexts are defined similarly.A parametric expression (formula, context) is said to be closed when every free variable of the underlying expression (formula, context) belongs to the domain of the attached valuation.
For every closed parametric expression e[ρ] we write Val(e[ρ]) ∈ N the value of e[ρ], interpreting variables by their images in ρ while giving to the primitive recursive function symbols in e their standard interpretation.
We easily check that:  We easily check that:

Writing parametric formulae.
In what follows, we shall often use the convenient shorthand Ḟ (e 1 , . . ., e k ) ≡ (X(e 1 , . . ., e k ))[X ← F ] to denote a parametric formula built from a kary predicate variable X that is bound to a particular falsity value function F : N k → P(Π) in the attached valuation.(The dot above the symbol Ḟ is here to recall that F is an object that belongs to the semantics, not to the syntax.)By systematically using this notation, we can write parametric formulae without explicitly mentioning valuations.In the sequel, we shall consider (for instance) that the notation ∀z ( Ḟ (z) ⇒ Ṡ) refers to the parametric formula where X and Y are arbitrarily chosen fresh variables.Note that the parametric formula defined by such a notation is defined up to the names of the variables that are bound in the valuation-but it is easy to see that these names have no impact in the interpretation of the corresponding parametric formula.

3.3.
The full standard model of PA2 as a degenerate case.In the case where ⊥ ⊥ = ∅, the classical realizability model defined above collapses to the full standard model of PA2 (i.e. the model where individuals are interpreted by the elements of N and where secondorder variables of arity k are interpreted by all the subsets of N k ).To understand this point, we first notice that when ⊥ ⊥ = ∅, the truth value S ⊥ ⊥ associated to an arbitrary falsity value S ⊆ Π can only take two different values: S ⊥ ⊥ = Λ c when S = ∅, and S ⊥ ⊥ = ∅ when S = ∅.Moreover, the realizability interpretation of implication and universal quantification mimics the standard truth value interpretation of the corresponding logical construction (in the case where ⊥ ⊥ = ∅).Writing M for the full standard model of PA2, we thus easily show that: We more generally show that for all formulae A and for all valuations ρ closing A (in the sense defined in section 3.2) we have where ρ is the valuation in M (in the usual sense) defined by

ρ). (This characterization is proved by a straightforward induction on A.)
An interesting consequence of the above lemma is the following: However, the converse implication is wrong in general, since the formula ∀x nat(x) (cf Fig. 1) that expresses the induction principle over individuals is obviously true in M , but has no universal realizer [19, Theorem 12]6 .Nevertheless, the converse implication becomes true when we restrict it to arithmetic formulae, that is, to the formulae of the following language: (This is a consequence of a slightly more general result in [19,Theorem 21].) Remark 3.9.In the case where ⊥ ⊥ = ∅, every truth value S ⊥ ⊥ is inhabited, for instance by any term of the form k π 0 t 0 where t 0 ⋆ π 0 ∈ ⊥ ⊥.An important consequence of this remark is that a classical realizer of a formula A (w.r.t. to a nonempty pole) can never be taken as a 'certificate' that the formula A is true, even when A is an equality.(This remark is crucial to understand the specific difficulty of witness extraction in classical realizability.) 3.4.Adequacy.We call a substitution any finite function from proof-variables to the set Λ c of closed λ c -terms, and we denote by t[σ] the term obtained by applying a substitution σ to a term t.Given a substitution σ and a closed parametric context Γ[ρ], we write σ NK Γ[ρ] when the following conditions are fulfilled: (1) dom(Γ) ⊆ dom(σ); (2) σ(x) NK A[ρ] for every declaration (x : A) ∈ Γ.We say that: • A judgment Γ ⊢ NK t : A is sound (w.r.t. the pole ⊥ ⊥) when for all valuations ρ and for all substitutions σ such that (where P 1 , . . ., P n and C are typing judgments) is sound (w.r.t. the pole ⊥ ⊥) when the soundness of its premises P 1 , . . ., P n (in the above sense) implies the soundness of its conclusion C. From these definitions, it is clear that the conclusion of any typing derivation formed with only sound inference rules is sound w.r.t.all poles ⊥ ⊥.Proposition 3.10 (Adequacy).The typing rules of PA2 (Fig. 1) are sound w.r.t.all poles Proof.The soundness of the introduction rule of ⊤ is obvious (since |⊤| = Λ c ) and the soundness of the conversion rule follows from Lemma 3.5.The soundness of the remaining typing rules is proved in [19].
A consequence of this proposition is that closed proof-terms that are built using the type system of PA2 are actually universal realizers of the corresponding formulae.(But not all realizers can be detected via typing [19].)

Primitive natural numbers
Through the formulae-as-types paradigm, the relativized form of first-order universal quantification ∀x (nat(x) ⇒ A(x)) corresponds to the (dependent) type of all functions mapping realizers of the formula nat(n) to realizers of the formula A(n) for every n ∈ N. To get a realizer of the formula A(n) (for a particular value of n ∈ N) from a realizer t of the formula ∀x (nat(x) ⇒ A(x)), it suffices to apply the term t to the Church numeral λxf .f n x using the following fact Fact 4.1.For every n ∈ N one has: combined with the property of adequacy (Prop.3.10).
On the other hand, Church numeral λxf .f n x is far from being the only realizer of the formula nat(n)-the situation being much more complex than in intuitionistic realizability due to the presence of continuations in realizers.However, it is always possible to effectively retrieve (in some sense) the natural number n from an arbitrary realizer of the formula nat(n), and the traditional way to achieve this in classical realizability is to use a storage operator [15,19].We propose here another method by changing the representation of numerals.
Indeed, the main defect of Church numerals is not only their very poor efficiency in practical computations (especially for large values), but also the non atomicity of their encoding that makes them very hard to track through a negative translation towards intuitionistic logic.For this reason, we present here an alternative implementation of natural numbers in classical realizability, based on the introduction of specific constants to represent natural numbers with new instructions to compute with them.

4.1.
Extending the language of realizers.We now enrich7 the instruction set K with the following constants: • For every n ∈ N, a constant n ∈ K representing the natural number n as a pure datum.
Here, the constant n hardly deserves the name of an instruction, since it comes with no evaluation rule.The intuition is that the constant n is only meaningful as a datum in the stack, not in head position.8• Two constants s and rec with the evaluation rules With these new instructions, it is more generally possible to implement every recursive function f of arity k as a term f with the reduction rule 9 To improve efficiency, we can also introduce the f s (or some of them) as new instructions.
Apart from the representation of numerals as pure data, every natural number n ∈ N can be also represented as a program ň defined by ň ≡ λx .x n. (We will momentarily see how to give a 'type' to this program in PA2.) 4.2.Extending the realizability interpretation.To understand the computational behavior of the instructions that come with our alternative representation of numerals, we extend the language of formulae of PA2 with a new syntactic construct {e} ⇒ B where e is an arithmetic expression and B a formula.(This extension is part of a larger system PA2 + that will be introduced in section 4.3.)Intuitively, this formula corresponds to the type of all functions taking the representation of the value of e as the constant n (where n = Val(e)) and return an object of type B.
Formally, the realizability interpretation of the formulae of PA2 (section 3.2) is extended to the syntactic construct {e} ⇒ B by letting: In this extended syntax, we can now give a type to the lazy numeral ň ≡ λx .x n by letting nat ′ (e) ≡ ∀Z (({e} ⇒ Z) ⇒ Z) and checking that: Lemma 4.2.For every n ∈ N: ň ≡ λx .x n NK nat ′ (n) Proof.Let ⊥ ⊥ be a fixed pole, and consider an arbitrary element of falsity value nat ′ (n) = ∀Z (({n} ⇒ Z) ⇒ Z) , that is: a stack of the form u•π where u ∈ |{n} ⇒ Ṡ| and π ∈ S for some falsity value S ∈ P(Π).We have λx .
(1) Let us consider an arbitrary element of ∀ N x nat ′ (s(x)) , that is: a stack of the form n•u•π, where n ∈ N, u ∈ |{s(n)} ⇒ Ṡ| and π ∈ S for some falsity value S ⊆ Π.We want to show that s⋆ n•u•π ∈ ⊥ ⊥.Using the evaluation rule of s, we get by anti-evaluation.− Let us assume that the property holds for n ∈ N, and consider a stack π ∈ F (n + 1).
We have rec For that, we take a stack π ′ ∈ F (n) and get rec u Therefore But this precisely means that rec realizes the desired formula.4.3.Extending the type system.To facilitate the construction of universal realizers using the new instructions, we define an extension of PA2 (1), which we call PA2 + .The specific formation rules and typing rules of this system are summarized in Fig. 3.

Formulae
A, B :: Typing rules To reflect the presence of a second form of implication, typing contexts of system PA2 + introduce a second form of declaration, written x : {e}, that expresses that the proofvariable x is bound to the constant n, where n is the value of e (i.e.n = Val(e)).
Proof-terms of PA2 + are the proof-terms of PA2 enriched with the constants n (for all n ∈ N), s and rec.System PA2 + provides typing rules for the constants s and rec, as well as an introduction rule and two elimination rules for the formula {e} ⇒ B. Note that in this system, we can only apply a proof-term of type {e} ⇒ B to a variable (declared with x : {e}) or to a constant of the form n-in which case we must have e ≡ s n (0).

The realizability interpretation of PA2
+ .The realizability interpretation of PA2 + is defined as for PA2, using the interpretation of the formula {e} ⇒ B described in Section 4.2.(Of course, we now work with a set K of instructions and a relation of evaluation that fulfill the conditions given in Section 3 and 4.) To express the soundness of the new typing rules, we first have to adapt the definition of σ NK Γ[ρ] to the extended notion of context.For that, we say that a substitution σ realizes a closed parametric context Γ[ρ] and write σ NK Γ[ρ] when the following conditions are fulfilled: ) for every declaration (x : {e}) ∈ Γ. (This definition obviously coincides with the former definition in the case where the context Γ only contains declarations of the form (x : A).)The definition of sound judgments and of sound valid rules (w.r.t. a fixed pole) immediately extends to the new system, so that we can check the following: Proof.Let ⊥ ⊥ be a pole.We only treat the specific rules of PA2 + (Fig. 3).
• Typing rules for s and rec: immediately follows from Lemma 4.3.
Thanks to this extension, it is easy to check (by means of typing) that the new relativization predicate nat ′ (x) is logically equivalent (in PA2 + ) to the traditional relativization predicate nat(x) defined in section 2.4: (Intuitively, the above terms convert a Church numeral into the corresponding lazy numeral and vice-versa.)Moreover, we can check that the formula ∀ N x A(x) defined by the shorthand (nat-as-data relativization) is logically equivalent to the formula by means of the following proof-terms: (Intuitively, functions of type ∀ N x A(x) expect a fully computed natural number represented as a datum on the top of the stack, whereas functions of type ∀x (nat ′ (x) ⇒ A(x)) expect a lazy representation of a natural number on the top of the stack, whose corresponding value can be computed later.) The same remark holds for the two different ways to relativize first-order existential quantification using primitive numerals In what follows, we shall thus only consider the problem of witness extraction from universal realizers of existential formulae of the form ∃ N x A(x), whose witnesses are the most directly accessible.

Witness extraction in classical realizability
In this section, we are interested in the problem of extracting a witness of a closed existential formula ∃ N x A(x) from a fixed universal realizer t 0 of this formula: (As a particular case, t 0 may be a proof term of ∃ N x A(x) in PA2.) Throughout this section, we assume that the instruction set K contains (at least) the extra instructions n, s and rec presented in Section 4.1, with their accompanying rules.For convenience, we also assume the existence of an instruction stop with no evaluation rule, that is intended to abort computation once the desired witness has been found.However, the proofs of Prop.5.1, 5.3 and 5.6 do not rely on any particular assumption on stop, so that these propositions still hold if we consider that stop denotes a fixed closed λ c -term.
The witness extraction methods discussed in Sections 5.2 and 5.4 are directly inspired from the techniques presented in [19], while the method presented in Section 5.6 is due to the author.5.1.The failure of the naive method.To extract a witness from the universal realizer t 0 NK ∃ N x A(x), a natural idea would be to apply t 0 to the term λxy .stop x that extracts the first component of the 'pair' t 0 and passes it to stop.Applying this idea, we get the following: Proposition 5.1.For all π ∈ Π, the process t 0 ⋆ (λxy .stop x) • π evaluates (in a finite number of steps) to a process of the form stop ⋆ n • π for some n ∈ N.
Alas, this result gives us no warranty that the natural number n we get by this method is such that A(n) is true (in the full standard model).The mistake here is that we have dropped the second component y of the pair t 0 (that cannot be taken as a certificate that A(n) holds), and we shall momentarily see that this component is actually the crucial ingredient of the extraction process.

Extraction in the Σ
Let us now consider the particular case where the predicate A(x) is of the form A(x) ≡ f (x) = 0, where f is a unary function symbol of the signature corresponding to (and denoted by) a primitive recursive function still written f .
To understand how to extract a (correct) witness from t 0 in this case, let us first study the denotation of equalities in the realizability model: Lemma 5.2.Let e 1 and e 2 be closed arithmetic expressions.For all poles ⊥ ⊥ we have (writing 1 ≡ ∀Z (Z ⇒ Z)).
In other words, true equalities are interpreted the same way as the formula 1 ≡ ∀Z (Z ⇒ Z) whereas false equalities are interpreted the same way as the formula ⊤ ⇒ ⊥ in the classical realizability model.If u is a realizer of the formula f (n) = 0 (w.r.t. a particular pole ⊥ ⊥), then we can distinguish two cases: • The equality f (n) = 0 is true.In this case, we can think of u ( NK 1) as a term that essentially behaves as the identity term λz .z: when coming in head position, it simply vanishes and gives the control to its argument.• The equality f (n) = 0 is false.In this case, we can think of u ( NK ⊤ ⇒ ⊥) as a term that consumes its argument (whatever it is) and then backtracks to an earlier point in the computation.Of course, this informal description is only an loose approximation of the actual behavior of the realizer u NK f (n) = 0 (which may considerably vary depending on the choice of ⊥ ⊥), but it gives us the clue to fix the naive extraction method.
The idea is to apply the universal realizer t 0 NK ∃ N x f (x) = 0 to the term λxy .y (stop x) that inserts a 'breakpoint' y before returning x.If the first component x is a correct witness, then the second component y will vanish and let the program return the correct answer.
If the first component x is incorrect, then y will issue a backtrack, and this until a correct witness has been found.
We can now formalize this intuition as follows: Proposition 5.3.For all π ∈ Π, the process t 0 ⋆ (λxy .y (stop x)) • π evaluates (in a finite number of steps) to a process of the form stop ⋆ n • π for some natural number n ∈ N such that f (n) = 0.
Proof.Let us take a stack π ∈ Π and work in the pole defined by Writing S = {π}, we easily check that stop NK {n} ⇒ Ṡ for all n ∈ N such that f (n) = 0 (from the very definition of ⊥ ⊥ and S).Let us now show that the term λxy .y (stop x) realizes the formula ∀x ({x} ⇒ f (x) = 0 ⇒ Ṡ).For that, consider an arbitrary element of the falsity value of this formula, that is: a stack of the form n • u • π for some n ∈ N and u ∈ |f (n) = 0|.We have To show that u ⋆ (stop n) • π ∈ ⊥ ⊥, we distinguish two cases: • f (n) = 0.In this case, we have stop n NK Ṡ (using the 'type' we gave to stop), hence In both cases we deduce that λxy .y (stop x) ⋆ n • u • π ∈ ⊥ ⊥ by anti-evaluation, which finishes the proof that λxy .y (stop x) NK ∀x ({x} ⇒ f (x) = 0 ⇒ Ṡ).From the latter we deduce that (λxy .y (stop x)) • π ∈ ∃ N x f (x) = 0 , so that t 0 ⋆ (λxy .y (stop x)) • π ∈ ⊥ ⊥.
Remark 5.4.The simple (and reliable) extraction procedure presented above returns a correct witness without keeping track of the intermediate witnesses proposed by the realizer t 0 .A simple way to display them during the computation is to introduce an instruction print such that Π) while printing the natural number n on some output device (the second part of the specification of print being purely informal).From the only evaluation rule of print, we easily check that print NK ∀x ({x} ⇒ 1).It is then a straightforward exercise to adapt the proof of Prop.5.3 when the process t 0 ⋆ (λxy .y (stop x)) • π is replaced by the process t 0 ⋆ (λxy .print x y (stop x)) • π that ultimately does the same job-while printing the intermediate results.
In section 8.4 we shall reinterpret the witness extraction method of Prop.5.3 through a well-suited negative translation.5.3.Independence of the witness w.r.t. the stack π.It is easy to see that the witness computed by the process t 0 ⋆(λxy .y (stop x))•π (in the sense of Prop.5.3) does not actually depend on the stack π, provided we make the following 'closed world' assumptions: (1) The relation of (one step) evaluation ≻ is defined as the union of the rules (Grab), (Push), (Call/cc), (Resume), (Succ), (Rec-0) and (Rec-S) (cf Sections 3.1 and 4.1).
In particular, evaluation is deterministic.
(2) The term t 0 contains no continuation constant k π , that is: t 0 is a proof-like term according to the terminology of [19].Note that this condition is automatically fulfilled when t 0 is a proof-term built in system PA2 + .(3) The term stop is an extra instruction (with no evaluation rule).
To prove the desired independence result, we define an operation of stack extension for terms, stacks and processes as follows 10 .Given a fixed stack π 0 , we denote by t{⋄ := π 0 } (resp.π{⋄ := π 0 }, p{⋄ := π 0 }) the term t (resp.the stack π, the process p) in which every occurrence of the stack bottom ⋄ is replaced by the stack π 0 , including inside continuation constants.
Proof.By case analysis on the evaluation rule using (1).
(The same result holds if we replace ≻ by ≻ * .)Let us now assume that t 0 is a proof-like term (assumption (2)) that is a universal realizer of the formula ∃ N x f (x) = 0. From Prop.5.3, we know that there is some n ∈ N such that f (n) = 0 and But if we apply Lemma 5.5 with an arbitrary stack π, we thus get (using the fact that t 0 is a proof-like term, so that t 0 {⋄ := π} ≡ t 0 ).
Since evaluation is deterministic and since the instruction stop has no evaluation rule, the answer produced by Prop.5.3 with an arbitrary stack π is unique, and it is the same as if we take the stack π ≡ ⋄.

Adding other instructions.
The property of independence of the witness w.r.t. the stack π crucially depends on the fact that evaluation is deterministic and substitutive w.r.t. the stack constant ⋄ (in the sense of Lemma 5.5).However, it is sometimes useful to consider instructions whose evaluation rules break Lemma 5.5 (without breaking determinism of evaluation).An example of such an instruction is the instruction quote with the evaluation rule where n π is the code of the stack π according to a fixed bijection between natural numbers and stacks.(Such an instruction is introduced in [17] to realize several forms of the axiom of choice.)If t 0 uses such an instruction, then the witness provided by Prop.5.3 may actually depend on the stack π.
5.4.Extraction in the decidable case.The witness extraction procedure we presented in section 5.2 for Σ 0 1 -formulae can be generalized to any existential formula ∃ N x A(x) provided the predicate A(x) is decidable, using a decision function expressed as a λ c -term.
Formally, a decision function for the predicate A(x) is a term d A ∈ Λ c such that for all n ∈ N, u, v ∈ Λ c and π ∈ Π we have (writing M the full standard model of PA2).Intuitively, a decision function for the predicate A(x) is a closed λ c -term d A such that for every natural number n ∈ N, the applied term d A n acts as a boolean value indicating whether the formula A(n) holds or not in the full standard model of PA2.Extracting a witness in this case also requires another ingredient to repudiate the wrong witnesses proposed by the realizer t 0 .Formally, we call a function of conditional refutation of the predicate A(x) any term r A ∈ Λ c such that r A NK {n} ⇒ ¬A(n) for all n ∈ N such that M |= A(n).Intuitively, the purpose of a function of conditional refutation r A is to provide a counter-realizer t A n NK ¬A(n) that we shall oppose to the realizer u NK A(n) coming with any wrong witness proposed by the realizer t 0 .Such terms r A can be built for a very large class of formulae as we shall see in section 5.5.
Using the decision function d A and the function of conditional refutation r A , we now get a simple algorithm to perform witness extraction from a universal realizer t 0 NK ∃ N x A(x): (1) Extract n ∈ N and u NK A(n) from the universal realizer t 0 .
(2) Check whether A(n) is true or not, using the decision function d A .
• If A(n) is true, then return n (using the 'stop' instruction).
• If A(n) is false, then execute the realizer r A n u NK ⊥ to backtrack.In the language λ c , this procedure is implemented by applying the universal realizer t 0 to the λ c -term λxy .d A x (stop x) (r A x y) that does the expected job: Proposition 5.6.Let d A and r A be respectively a decision function and a function of conditional refutation for the predicate A(x), and let t 0 be a universal realizer of the formula ∃ N x A(x).Then for all π ∈ Π, the process evaluates (in a finite number of steps) to a process of the form stop ⋆ n • π for some natural number n ∈ N such that A(n) is true in the full standard model.
Proof.Let us take a stack π ∈ Π and work in the pole defined by Writing S = {π}, we easily check that stop NK {n} ⇒ Ṡ for all n ∈ N such that M |= A(n) (from the very definition of ⊥ ⊥ and S).Let us now show that the term λxy .d A x (stop x) (r A x y) realizes the formula ∀x ({x} ⇒ A(x) ⇒ Ṡ).For that, consider an arbitrary element of the falsity value of this formula, that is: a stack of the form n • u • π for some n ∈ N and u ∈ |A(n)|.We have In this case we have In this case we have from the definition that r A is a function of conditional refutation.By anti-evaluation we get: In both cases we deduce that λxy .d A x (stop x) (r A x y)⋆ n•u•π ∈ ⊥ ⊥ by anti-evaluation, which finishes the proof that λxy .d A x (stop x) (r A x y) realizes the formula ∀x ({x} ⇒ A(x) ⇒ Ṡ) in the pole ⊥ ⊥.From the latter, we immediately deduce that (λxy

5.4.1.
The particular case of Σ 0 1 -formulae.In the case where the predicate A(x) is of the form A(x) ≡ f (x) = 0 for some primitive recursive function symbol f , it is easy to implement a decision function d A from a λ c -term that actually computes f .Such a function d that tests whether f (n) = 0 for a given argument n ∈ N can even be characterized in terms of realizability as follows: Lemma 5.7.Let f be a primitive recursive function symbol.For every term d ∈ Λ c , the following assertions are equivalent: Proof. 1. ⇒ 2. Easily follows from the evaluation rules of the term d. 2. ⇒ 1.Let n ∈ N, u, v ∈ Λ c and π ∈ Π.We distinguish two cases: • f (n) = 0. We let ⊥ ⊥ = {p ≻ * u ⋆ π} and define a function F : N → P(π) by F (0) = {π} and F (p) = ∅ for all p > 0. We easily check that u The function of conditional refutation for the predicate A(x) ≡ f (x) = 0 is even easier to build: simply take the constant function r A ≡ λ z .z ?(where ? is any λ c -term possibly depending on z), using the fact that ⊢ NK λz .z ?: f (n) = 0 for all natural numbers n such that f (n) = 0. (Note that the term λz .z ?does not depend on n.)In this case, the function of conditional refutation r A can be replaced by the conditional refutation λz .z ?that is a universal realizer of the formula f (n) = 0 for all natural numbers n such that f (n) = 0.
Given a term d f ∈ Λ c that decides the predicate f (x) = 0, we can thus perform witness extraction from a universal realizer t 0 NK ∃ N x f (x) = 0 using the process: (whose second branch has been simplified).Note that this process is slightly more complex than the process presented in Prop.5.3 that does not even need to consider a decision function to perform witness extraction from t 0 .5.5.Existence of functions of conditional refutation.The existence of a function of conditional refutation can be shown for a wide class of predicates, and in particular for every predicate A(x) that is expressed in the language of first-order arithmetic such as defined in the end of section 3.3 (replacing ∀x (nat(x) ⇒ P ) by ∀ N x P in the corresponding BNF).
Let us first recall that: Proposition 5.8.For every k ≥ 0, there exists a closed proof-term R k such that for every formula of the form Proof.The existence of such a proof-term R k is an immediate consequence of Theorem 21 (p.14) in [19].Note that R k only depends on k.
We also check that: Proposition 5.9 (Existence of the prenex form).If A(x 1 , . . ., x p ) is a formula of firstorder arithmetic depending on p first-order variables x 1 , . . ., x p , then there exists a natural number k ≥ 0 and a function symbol f of arity p + 2k such that the formula is logically equivalent to A(x 1 , . . ., x p ), in the sense that there are closed proof-terms u 1 , u 2 such that Proof.This theorem is the reformulation in the type system of Fig. 1 and 3 of the existence of prenex forms in first-order arithmetic.
From Prop.5.8 and 5.9 we deduce the following: Proposition 5.10 (Existence of a conditional refutation).If A(x) is a formula of firstorder arithmetic that only depends on a first-order variable x, then the predicate A(x) has a function of conditional refutation r A .
Proof.From Prop.5.9, there exists a formula with closed proof-terms u 1 , u 2 such that: It suffices to take r A ≡ λx .u 2 x R k (by Prop.5.8).
5.6.The method of the kamikaze.The witness extraction procedure presented in section 5.4 depends on two components: a function d A deciding the predicate A(x), and another function r A that conditionally refutes the predicate A(x).The critical component here is the decision function d A , since the function r A can be constructed for a wider class of formulae, i.e. for all arithmetic formulae (cf section 5.5).
In the case where we have a function of conditional refutation r A but no decision function for the predicate A(x)-typically, when A(x) is a non atomic arithmetic formulawe can still extract a possibly infinite sequence of 'witness proposals' from the universal realizer t 0 NK ∀ N x A(x) by systematically repudiating every proposed witness using the function of conditional refutation r A .
This extraction method, which we call the method of the kamikaze, consists to apply the universal realizer t 0 NK ∃ N x A(x) to the term λxy .print x (r A x y) (using the 'print' instruction introduced in Remark 5.4), thus implementing in the language λ c the following algorithm: (1) Extract n ∈ N and u NK A(n) from the universal realizer t 0 .
(2) Print n on some output device.
(3) Try to backtrack by executing r A n u.The crucial point here is that there is no warranty that the piece of code executed at step 3 will actually issue a backtrack, since we do not know whether ¬A(n) is true.The only invariant we can ensure is the following: as long as the proposed witness n is incorrect, the refutation function r A is applied in agreement with its specification, so that step 3. will issue a backtrack.But as soon as a correct witness n has been reached, the current process becomes ill-typed, and then anything may happen: the process may enter an infinite loop (possibly displaying other numbers) as it may crash, for instance due to a stack underflow (by evaluating an abstraction or one of the instructions cc, k π , print in front of an empty stack), or due to the fact that print is evaluated in front of a stack which does not start with a primitive numeral.
Of course, the interest of the method is that the process that performs the blind extraction of the successive witnesses proposed by the universal realizer t 0 cannot go wrong until a correct witness has been reached.We can actually even show that this process eventually reaches a correct witness: Proposition 5.11.If t 0 is a universal realizer of ∃ N x A(x) and if r A is a function of conditional refutation of the predicate A(x), then for all stacks π ∈ Π the process t 0 ⋆ (λxy .print x (r A x y)) • π evaluates (in a finite number of steps) to a process of the form print ⋆ n • u • π, where u ∈ Λ c and where n ∈ N is such that A(n) holds in the full standard model.
Proof.Let us take a stack π ∈ Π and work in the pole defined by Set S = {π}.We first want to show that print ⋆ n • (r A n v) • π ∈ ⊥ ⊥ for all n ∈ N and for all v ∈ |A(n)|.We distinguish the following two cases: From this result we easily get and finally: Let us note that the above proof relies in an essential way in the definition of a pole ⊥ ⊥ that is not closed under evaluation, thus reflecting the fact that the process which performs kamikaze extraction is correct up to some point during evaluation.After this point has been reached-that is: when a correct witness has been printed-the realizability model gives us no invariant anymore about the execution of the current process, so that anything may happen.

An example based on the minimum principle
In this section, we give an example of witness extraction in the Σ 0 1 -case.An important aspect of the witness extraction procedure described in Prop.5.3 is that the universal realizer t 0 NK ∃ N x f (x) = 0 does not need to be a proof-term in the sense of the type system of PA2 + -it just needs to be a universal realizer in the sense of classical realizability.Indeed, the naive method that consists to extract the λ c -term from the proof as is tends to produce highly inefficient code.On the other hand, many useful arithmetic lemmas have universal realizers that are much more compact (and much more efficient) than the realizers that would come from official proofs.
For this reason, it is reasonable to isolate such lemmas during the extraction process, and to replace their official proof-terms (i.e.coming from derivations in PA2 + ) by universal realizers built by hand.In what follows, we shall illustrate this point with the minimum principle.
6.1.Notations.In PA2 + , it is convenient to define the ordering relation x ≤ y from Leibniz equality by letting x ≤ y ≡ minus(x, y) = 0 , where minus is the binary primitive recursive function defined by the equations minus(x, 0) = x minus(0, s(y)) = 0 minus(s(x), s(y)) = minus(x, y) Given a unary primitive recursive function symbol f , we express that f is a function from natural numbers to natural numbers with the formula It is easy to check that universal realizers of the formula Fun(f ) are precisely the closed λ c -terms that compute the function f , namely: Lemma 6.1.Given a term t ∈ Λ c , the following assertions are equivalent:

e. t universally realizes Fun(f ))
Proof. 1. ⇒ 2. immediately follows from the definitions of classical realizability.Finally, we use the shorthand x; y ≡ λz .z x y to denote order pairs in λ c , keeping in mind that this construction can be used to prove (or realize) both conjunctions and numeric existential quantifications.6.2.The functional minimum principle.We now want to build a universal realizer of the formula expressing that a function from natural numbers to natural numbers reaches its minimum: MinPrinc ≡ Fun(f ) ⇒ ∃ N x ∀ N y (f (x) ≤ f (y)) (Note that the premise Fun(f ) is crucial to prove/realize the result.)Since this formulation of the minimum principle is (classically) provable in PA2 + , we could take any proof-term of it as a universal realizer.In this case however, it is much more interesting to build a universal realizer by hand.
For that, let us take a closed λ c -term test le that performs the comparison of two primitive natural numbers, in the sense that (It is a straightforward exercise of programming to implement such a term in λ c .)Now, let us consider a closed λ c -term min aux such that for all f, k, n, m ∈ Λ c and π ∈ Π. Intuitively, such a λ c -term min aux is a recursive function that takes the following arguments: for backtracking.
• The current witness proposal n.
• The image m = f (n) of the current witness proposal.(We keep this argument across the recursive call to avoid recomputing it later.)When it is called with these arguments, the function min aux returns an ordered pair n, h whose first component is the current witness proposal n, and whose second component is a function ) that takes a natural number n ′ , computes its image m ′ = f (n ′ ) compares it with m.In the case where m ≤ m ′ , the function h returns the identity term I, which is an obvious realizer of f (n) ≤ f (n ′ ).In the case where m ′ < m, the function f backtracks using the continuation k, and recursively calls min aux with n ′ as the new witness proposal, and m ′ as its image by f .
Note that there are several ways to implement the term min aux in λ c .For instance, we can let where Y ≡ (λyz .z(yy))(λyz .z(yy)) is Turing's fixpoint combinator 11 ; or we can simply introduce min aux as an extra instruction with the desired evaluation rule.Whatever the way we implement min aux, we can check that: Lemma 6.2.Writing E ≡ ∃ N x ∀ N y f (x) ≤ f (y), we have: we have: We want to prove IH(m) by well-founded induction on m.For that, let us fix m ∈ N, assume that IH(m ′ ) for all m ′ < m, and take n ∈ N such that f (n) = m and π ∈ E .
From the evaluation rules of test le, we can derive that ), distinguishing cases depending on whether m ≤ m ′ or m ′ < m, and using the induction hypothesis IH(m ′ ) in the second case.From this we successively get
Intuitively, this function takes an implementation of f , computes the image m = f (0), captures the current continuation as k and then calls min aux with 0 as the initial witness proposal (accompanied with its image m = f (0)).
Combining Lemma 6.2 and the property of adequacy (Prop.3.10) with the derivable judgment 6.3.A Σ 0 1 -consequence of the minimum principle.Let f and g be two functions from natural numbers to natural numbers.The minimum principle gives a simple argument to show the existence of a natural number x such that f (x) ≤ f (g(x)), which is to take a point x where f reaches its minimum.In PA2 + , the argument is formalized as follows: Considering implementations f NK Fun(f ) and ǧ NK Fun(g) of the functions f and g, we thus get a universal realizer of the following Σ 0 1 -formula: )) By Prop.5.3, we know that the process p 0 ≡ min princ f (λnh .n, ǧ n h ) ⋆ (λxy .y (stop x)) • ⋄ computes the desired witness (which depends of course on f and g).

6.4.
Executing λ c -code.Fig. 4 illustrates the execution of the above process p 0 in the particular case where f and g are given by The process p 0 was executed using the jivaro head reduction machine [23], a small interpretor of Krivine's λ c -calculus extended with many built-in primitives (mainly for arbitraryprecision arithmetic and string manipulation).We slightly altered the code of p 0 in order to print intermediate witness proposals, so that the actual code of p 0 is where print is the instruction mentioned in Remark 5.4 p. 20.
As shown in the input script of Fig. 4, each component of the process p 0 is introduced as a new instruction given with its evaluation rule (using the command Define).Note that such definitions may be (mutually) recursive, which is the case here for the instructions min aux and min snd.The interest of using named instructions rather than anonymous λ c -terms is that we can more easily track when each piece of the code comes into head position during execution.The output given in Fig. 4 shows that during its execution, the process p 0 successively tries the following guesses for x: The choice of this particular sequence of guesses is explained as follows.

Input script
During the execution of the process p 0 , the proof of ∃ N x (f (x) ≤ f (g(x))) uses the guess x i produced by the minimum principle as well as the accompanying justification of the formula ∀ N y (f (x i ) ≤ f (y)) to build a realizer of f (x i ) ≤ f (g(x)).But when the latter is executed, it invokes the accompanying justification, that actually compares the values of x i and g(x i ) by f .In the case where f (g(x i )) < f (x i ), the guess x i was wrong, and the accompanying justification backtracks to the point where the minimum principle was invoked (using an embedded continuation k π ).When restarted, the minimum principle can then propose x i+1 = g(x i ) as a new guess.As a consequence, the process p 0 produces its guesses x i = g i (0) by iterating the function g until f (x i ) ≤ f (g(x i )). 12ote that this behavior is the same as the one we observe when treating the same example using Friedman's method or its refinements [3].Of course, this similarity is not a coincidence since Friedman's translation is actually hard-wired in Krivine's semantics (as already pointed out in [25]), and we shall come back to this point with more details in sections 7 and 8. 6.4.1.Evaluation statistics.Fig. 4 also provides some statistics giving how many times each instruction has been called during evaluation.
Not surprisingly, the most frequent operations are Push (419 times) and Grab (68 times), the asymmetry between these coming from the fact that stack arguments are not only consumed by abstractions (Grab), but also by the instructions used by the program, which may be primitive (callcc, int le, etc.) or defined by the user (pair, min aux, etc.) We can also see that our hand-made implementation of the minimum principle is optimal: the number of calls to the function f as well as the number of comparisons of images (by f ) of guesses (using the instruction test le) are both minimal.Moreover, the callcc instruction is called once during the whole execution, thus creating a unique continuation constant k π (where |π| = 2) that is used exactly 10 times (Restore), that is: once for each backtrack.
We also tested this example by replacing the hand-made realizer of the minimum principle with an actual proof of it (in PA2 + ).The observed behavior remains the same, but the proof-term is much bigger and its execution is quite inefficient, mainly due to the arithmetic reasoning involved in the induction underlying the proof of the principle.(In the hand-made realizer, induction is performed at the meta-theoretic level, and thus has no cost during execution.)We can also notice that depending the way we use classical logic in the proof of the minimum principle, the corresponding proof-term may invoke several times the call/cc instruction, or only once as in the hand-made realizer.

Intuitionistic second-order arithmetic
We now define a type system for intuitionistic second-order arithmetic (HA2), as well as a realizability model that closely follows the traditional Brouwer-Heyting-Kolmogorov interpretation.As in [25], we introduce a primitive form of conjunction (as a Cartesian product) and primitive forms of first-and second-order existential quantification (as infinitary unions).
7.1.The language of formulae.The language of arithmetic expressions of HA2 is the same as for PA2 (Fig. 1), and it is equipped with the congruence e ∼ = e ′ generated from the same equations (cf section 2.2).The language of formulae is now the following: To the language of formulae of PA2 (Fig. 1) we add: • A new predicate symbol nat(e) to give a type to the Peano-style numerals we shall introduce in the language of proof-terms.• A primitive conjunction A ∧ B that we shall interpret in the intuitionistic realizability model as a type of pairs.• Primitive forms of first-and second-order existential quantification that will be interpreted in the model as infinitary unions (as in [25]).In this setting, the units ⊤ and ⊥ are defined with the shorthands ⊤ ≡ ∃ZZ and ⊥ = ∀ZZ, whereas numeric quantifications are defined as over the class of formulae of HA2 is defined from the defining equations of the primitive recursive function symbols of the signature, plus the three equations and null(0) ∼ = ⊤ ≡ ∃ZZ null(s(e)) ∼ = ⊥ ≡ ∀ZZ where v is any first-or second-order variable that does not occur free in B. We shall see that the second equation is not only consistent with the interpretation of existential quantifications as infinitary unions (cf section 7.4), but that it is also crucial to establish Prop.8.6.

7.2.
A type system for intuitionistic second-order arithmetic.We introduce an intuitionistic (and more traditional) proof system based on a judgment of the form Γ ⊢ NJ t : A, where the proof-term t is now formed in the pure λ-calculus enriched with the following constants: pair (pairing), fst (first projection), snd (second projection), 0 (zero), s (successor) and rec (recursor).In what follows we shall write t; u for the application pair t u, and denote by Λ the set of all closed proof-terms.Typing contexts are simply defined here as finite ordered lists of declarations of the form Γ ≡ x 1 : A 1 , . . ., x n : A n where x 1 , . . ., x n are pairwise distinct proof-variables.The class of derivable judgments Γ ⊢ NJ t : A is inductively defined from the rules of inference of Fig. 5 (writing ∀ N x A(x) ≡ ∀x (nat(x) ⇒ A(x))).Note that there is no elimination rule for first-and second-order primitive existential quantification, since the desired elimination can be performed using the conversion rule ∀v (A(v) ⇒ B) ∼ = (∃v A(v)) ⇒ B (where v / ∈ FV (B)).The congruence

The language of HA2
Typing rules The type system of HA2 is expressive enough to provide typable proof-terms for all the theorems of intuitionistic second-order arithmetic.(The specific axioms of arithmetic are treated the same way as in PA2.) 7.3.Weak reduction and inner reduction.Proof-terms of HA2 are equipped with a binary relation of one-step weak reduction written t ≻ w t ′ and defined from the rules Note that weak reduction is allowed both in the left-and right hand-side of applications, but not below λ-abstraction (i.e.we disable the ξ-rule of λ-calculus).We write ≻ * w the reflexive-transitive closure of one step weak reduction.Lemma 7.1.If t ≻ w t ′ , then t{x := u} ≻ w t ′ {x := u} (for all terms u).
Proof.By induction on the derivation of t ≻ w t ′ .
Complementarily to the notion of weak reduction, we also define a relation of inner reduction written t ≻ i t ′ from the rules: The reflexive-transitive closure of the relation of inner reduction is written ≻ * i while its reflexive-symmetric-transitive closure is written = i .
The union of both relations ≻ w and ≻ i is the ordinary relation of one step reduction, written ≻.By the standard method of parallel reductions we get: Proposition 7.2.The relation ≻ is confluent.
We now want to deduce from this proposition a result of confluence for weak reduction modulo inner reductions.For that, we first need to show that inner reductions can be postponed, in this sense that any finite sequence of (weak and inner) reductions can be decomposed into a finite sequence of weak reductions followed by a finite sequence of inner reductions.Following Takahashi [28], we shall prove this result by introducing a notion of parallel inner reduction, written t ≻ I t ′ and defined from the rules: It is a simple exercise to check that: Proof.This is obvious for the defining equations of function symbols (that are the same in both systems) since the translation does not affect arithmetic expressions.We only have to check that (null(s(e))) ⊥ ≡ null(neg(s(e))) ∼ = null(0) ∼ = ∃ZZ ≡ (∀ZZ) ⊥ ≡ (⊥) ⊥ .
The rest of the proof proceeds by a straightforward induction.
We finally extend the translation A → A ¬¬ to a translation Γ → Γ ¬¬ that transforms any context Γ of PA2 + into a context Γ ¬¬ of HA2.This translation is defined by induction on the length of Γ as follows: ∅ ¬¬ ≡ ∅ (Γ, x : A) ¬¬ ≡ Γ ¬¬ , x : A ¬¬ (Γ, x : {e}) ¬¬ ≡ Γ ¬¬ , x : nat(e) .We first define a translation t → t * from proof-terms of PA2 + (Fig. 1 and 3) into proof-terms terms of HA2 (Fig. 5).We will later extend this translation to continuation constants k π and stacks.Formally: Definition 8.5 (Translation of proof-terms).We associate to every proof-term of PA2 + a proof-term t * of HA2 that is inductively defined by: Notice how the destructing let is used to mimic the destruction of the stack represented by the continuation variable k.Also note that the translation of the constant n does not start with a continuation abstraction λk . .., which reflects the fact that this construct is not intended to appear in head position.
Proof.By induction on the derivation, distinguishing cases according to the last applied rule.We first treat the cases of the rules of Fig. 1.
• ⇒-intro.The desired judgment comes from the following derivation: (In the derivation above, we omit obvious branches and indicate uses of the admissible rule of weakening with a double bar.) • ⇒-elim.The desired judgment comes from the following derivation: Let us now treat the rules of Fig. 3.
• { } ⇒-intro.The desired judgment comes from the derivation: The desired judgment comes from the derivation: The desired judgment comes from the derivation: . . . .(IH) The cases of s and rec are left to the reader.

8.2.1.
Extending the translation to the full λ c -calculus.We now extend the translation t → t * defined on the proof-terms of PA2 + into a full translation of the λ c -calculus.For that, we close the set of instructions K by letting and we close the relation of evaluation ≻ by defining it as the union of the rules (Grab), (Push), (Call/cc), (Resume), (Succ), (Rec-0) and (Rec-S).Formally, we define by mutual induction on t and π two translations t → t * (where t now ranges over all terms of the λ c -calculus) and π → π * by adding to the equations of Def.8.5 the following: Stacks are translated here in the obvious way, that is: as finite lists.Note that the bottom of the stack ⋄ could be translated by any closed term as well: it has no evaluation rule, and it is not involved in the type system of PA2.On the other hand, we translate stop as the identity term, and this choice will be important in the analysis of section 8.4.

8.3.
Simulation of evaluation by weak reduction.The expected property would be that each evaluation step t 1 ⋆ π 2 ≻ t 2 ⋆ π 2 in λ c corresponds to one or several weak reduction steps t * 1 π * 1 ≻ + w t * 2 π * 2 through the CPS-translation.Although this works for almost all the evaluation rules (application, abstraction, call/cc, continuation and successor), the property does not hold for the rule (Rec-s) so that we need to refine a little bit more.
Moreover, for all rules but ( Succ-s), we have u ≡ π * 2 .Proof.We distinguish cases according to the applied rule.The cases of abstraction, application, call/cc and continuation constants are easy-they do not involve inner conversion steps-and standard [25], so that we do not treat them here.Let us consider the evaluation rules dealing with primitive numerals.
• Rule (Succ) We have: • Rule (Rec-0) We have: In the second last line, we mimic η-reduction with an inner reduction step, using the fact that the term (rec u 0 u 1 n) * is an abstraction).
Proof.By induction on the number of evaluation steps, using Prop.8.7 and Corollary 7.5 for the induction case.8.4.The negative interpretation of classical witness extraction.Let us now reinterpret the classical witness extraction method described in section 5.2 through the negative translation defined above.
For that, let us consider a closed classical proof term t 0 such that ), and let us analyze the behavior of the process p 0 ≡ t 0 ⋆ (λxy .y (stop x)) • ⋄ that performs witness extraction (by Prop.5.3) through the negative translation of section 8.1 and the CPS-translation of section 8.2.(We can end p 0 with the empty stack from the results of section 5.3.) In the sequel, we write u ≡ λxy .y (stop x).
8.4.1.Typing the process (p 0 ) * .From Prop.8.6 we get writing conjunction right-associative), so that by instantiating Y with ⊤: Let us now fix the pole R by letting R ≡ ∃ N x null(f (x)).Since stop * ≡ λz .z, we can give it the type Thanks to this, we can typecheck through the CPS-translation all the constituents of the term u.We first have (using the definition of Leibniz equality, the axiom rule and the conversion rule), so that by instantiating Z(x) with null(x) we get We thus have x : nat(x), y : (f (x) = 0) ¬¬ ⊢ NJ (y (stop x)) * : ⊤ ⇒ R and finally: so that ⊢ NJ p * 0 ≡ t * 0 u * ; 0 : R.This shows that the CPS-translation of the process described in Prop.5.3 is actually an intuitionistic proof (in HA2) of the formula R ≡ ∃ N x null(f (x)).From Prop.7.9, we thus know that the term (p 0 ) * weakly reduces to a pair whose first component is the desired witness.
Through the CPS-translation defined in section 8.2, the extraction method described in section 5.2 thus amounts to transform a classical proof-term t 0 of the formula ∃ N x f (x) = 0 into an intuitionistic proof-term t * 0 u * ; 0 of the same formula (up to the coding details of numeric existential quantification and of the predicate expressing the nullity of its argument).
Here we can see the essential ingredients of Friedman's transformation: • The use of a negative translation to transform a classical proof t 0 of a Σ 0 1 -formula into an intuitionistic proof t * 0 of a more complex formula.• The choice of the return formula R (the pole), that is precisely defined as the formula we want to prove intuitionistically.• The key use of the introduction rule of numeric existential quantification (here via the term stop * ≡ λz .z) to return the desired result.

Conclusion
9.1.From BHK semantics to Krivine's semantics.Friedman's extraction method consists to transform a classical proof of an existential formula into an intuitionistic proof of the same formula.Its main drawback is that the underlying CPS-transformation makes the resulting program much bigger than the originating proof, and more difficult to understand.For this reason, much attention has been devoted to the optimization of the extracted code.The typical approach is refined program extraction [3], that relies on a clever analysis of formulae in order to minimize the insertion of negations during the translation.In practice, such an approach gives much better programs than Friedman's method, typically when considering examples such as the one we treated in section 6.However, the approach of refined program extraction ultimately remains intuitionistic, since the extracted program is built and analyzed according to the traditional Brouwer-Heyting-Kolmogorov (BHK) semantics, using the tools of intuitionistic realizability (i.e. the mathematical expression of BHK semantics).
In this paper, we have proposed another approach, which is to extract a program from a classical proof directly, by interpreting classical reasoning principles with control operators.The price to pay is that the computational meaning of the extracted program cannot be analyzed within the traditional BHK semantics anymore.For that, we proposed to use Krivine's theory of classical realizability, that constitutes a genuine alternative to BHK semantics for classical logic.

A negative semantics for classical programs.
It has already been pointed out [25] that Friedman's negative translation is hard-wired in Krivine's semantics.Taking the notations of section 8, we get the correspondence:

Krivine's semantics
Friedman's translation The pole ⊥ ⊥ The formula R Falsity value A Formula A ⊥ Truth value |A| = A ⊥ ⊥ Formula A ¬¬ ≡ A ⊥ ⇒ R Classical proof-term t CPS-translated term t * In this paper, we have shown that the correspondence can be lifted up at the level of the witness extraction methods, in the sense that the natural extraction method that comes with Krivine's machinery (section 5.2) is, up to a CPS-translation, the same as Friedman's (provided we use Streicher and Oliva's negative translation instead of the traditional not-not translation).However, Krivine's semantics is more subtle than the composition of a negative translation with the standard BHK interpretation, since the way it is formulated makes the negative translation implicit.Thanks to this, it is possible to reason about classical programs directly.We illustrated this point with the witness extraction procedures presented in section 5 and with the construction by hand of a universal realizer of the minimum principle in section 6.
It should also be noted that Krivine's semantics is compatible with the usual deduction rules of intuitionistic logic, as soon as they are formulated in FA2 style [14].In particular, the typing rules of Fig. 1 but the last one (Peirce's law) are the usual Curry-style typing rules of intuitionistic minimal logic, formulated the usual way.Any intuitionistic proofterm that is well typed in FA2 is not only correct w.r.t. the usual intuitionistic realizability semantics of FA2 [14], but it is also correct according to Krivine's semantics.The latter departs from the traditional BHK semantics only when classical reasoning is involved.9.2.Executing extracted programs.In our approach, extracted programs are not ordinary λ-terms, but λ-terms with control operators that need to be evaluated according to a strict call-by-name discipline.Specific tools are thus required to execute them 13 .
The main implementation difficulty comes from stacks, whose machine representation has to be carefully designed in order to avoid unnecessary duplications when call/cc is executed.Fortunately, control operators have been introduced in programming languages long before the discovery of their connection with classical logic, and we can benefit from the many implementation strategies that have been proposed since.To illustrate this, we shall discuss two of them.(For a survey on the different ways to implement control, see [4].)

Stacks as chained lists.
The simplest way to implement stacks is to represent them as heap-allocated chained lists of closures.With this representation, call/cc comes for free since it simply consists to make a copy of the current stack pointer.The main advantage of this method is that it naturally maximizes the possibility of sharing large final segments of stacks.Its main drawback is that each Push operation requires the allocation of a small block on the heap, which block is subject to later garbage collection.Moreover, the resulting fragmentation of the stack may considerably degrade cache performance.
However, the simplicity of this approach makes it well-suited for a small interpreter intended to quickly test small examples.This is this design that is currently used in the jivaro machine [23].9.2.2.The stack/heap model.
In the perspective of implementing a real compiler of λ cprograms, a more realistic representation of stacks is given by the stack/heap model [4], where the logical stack is physically split in two parts: • A stack cache, that consists of a mutable array of closures representing the topmost part of the logical stack.This stack cache lies in a fixed zone of the memory, and works almost as the ordinary system stack.• A far stack, that represents the rest of the logical stack in the heap as a chained list of non mutable blocks containing stack chunks.As for all the other heap-allocated blocks, the stack chunks of the far stack may be shared and are subject to garbage collection.
The underlying idea of the stack/heap approach is that during execution, almost all the operations on the logical stack take place in the stack cache, the manipulation of the far stack being exceptional.Pushing an argument onto the stack proceeds in the stack cache as usual, as well as grabbing the topmost element.The difference is that in the latter case, the cache may underflow, in which case we need to refill the cache by copying the contents of the first block of the far stack.(After copying, the far stack pointer should point to the next block).With this approach, call/cc only needs to make a copy of the stack cache into a newly heap-allocated block.The pointer to this newly allocated block then becomes the corresponding continuation constant as illustrated in Fig. 6.Restoring a formerly saved 13 We cannot directly use the interpreters and compilers dedicated to popular functional programming languages such as LISP, Caml, SML or Haskell, since these tools implement either the call-by-value discipline or the call-by-need discipline.The interest of this approach is that call/cc only needs to copy the part of the stack that has been used since the last execution of a control operator.The authors of [4] consider that this approach is a zero overhead approach, in the sense that it adds a negligible overhead to the most frequent operations Push and Grab, compared with the traditional single-chunk stack model.

On the frequency of control in classical proofs.
The above discussion about implementation issues raises a strong argument in favor of using λ c for interpreting classical proofs.A quick look at the classical proofs of well-known theorems shows that classical reasoning is definitely not used with the same frequency as intuitionistic reasoning.Purely intuitionistic reasoning (introduction/elimination of connectives and quantifiers, induction. . . ) appears everywhere, whereas classical reasoning principles are only used at some few strategic places.In some sense, one can consider that actual mathematics are more quasi-intuitionistic than really classical.The execution trace (Fig. 4 p. 30) of the example of section 6 makes the comparison more dramatic, since it shows that intuitionistic operations are executed several hundreds of times while classical operations are executed a dozen of times (call/cc being invoked only once).
These figures suggest that a good execution policy for classical proofs should concentrate all the execution overhead induced by the presence of classical reasoning to the classical operations themselves (that are the less frequent ones) while keeping ordinary intuitionistic operations (the most frequent ones) as fast as possible.But this is precisely what the λ c -calculus does, especially when executed in the stack/heap model described above.On the other hand, using a negative translation-even optimized-adds a non negligible execution overhead to all the intuitionistic operations of the proof, just to remove the need of introducing specific operators for classical reasoning.9.3.Classical extraction in Coq.The ideas presented in this paper have been implemented in a classical extraction module for Coq developed by the author [22].On the theoretical side, this implementation is based on an extension of Krivine's classical realizability model to the calculus of constructions with universes [21].This module permits the extraction of a λ c -term from any classical proof formalized in Coq-provided classical logic is only allowed in the impredicative sort Prop.It also proposes witness extraction facilities based on the techniques presented in section 5.

Lemma 3 . 4 . 3 . 2 . 4 .
If e and e ′ are two arithmetic expressions such that e ∼ = e ′ , then for all valuations ρ closing e and e ′ we have Val(e[ρ]) = Val(e ′ [ρ]).Proof.By induction on the derivation of e ∼ = e ′ .The interpretation function.Every closed parametric formula A[ρ] is interpreted as two sets, namely: a falsity value A[ρ] ⊆ Π and a truth value |A[ρ]| ⊆ Λ c .Both sets are defined by induction on the formula A as follows: The reader is invited to check that the sets A[ρ] and |A[ρ]| only depend on the values given by ρ to the free variables of A, so that we can drop the valuation ρ when A is closed and simply write A and |A| for A[ρ] and |A[ρ]|.

Lemma 3 . 5 .
If A and A ′ are two formulae of PA2 such that A ∼ = A ′ , then for all valuations ρ closing A and A ′ we have A[ρ] = A ′ [ρ] .Proof.By induction on the derivation of A ≈ A ′ using Lemma 3.4 together with the fact that ⊥ = S⊆Π S = Π = null(s(e))[ρ] for all closed parametric expressions e[ρ] (to interpret ⊥ ∼ = null(s(e))).Since the truth value |A[ρ]| and the falsity value A[ρ] of the formula A actually depend on the pole ⊥ ⊥, we shall sometimes use the notations |A[ρ]| ⊥ ⊥ and A[ρ] ⊥ ⊥ to indicate this dependency explicitly.Definition 3.6 (Realizability).Given a pole ⊥ ⊥, a closed parametric formula A[ρ] and a closed term t, we say that t realizes A[ρ] and write t NK A[ρ] when t ∈ |A[ρ]| ⊥ ⊥ , keeping in mind that this notation depends on the choice of the particular pole ⊥ ⊥.When t ∈ |A[ρ]| ⊥ ⊥ for all poles ⊥ ⊥, we say that t universally realizes A[ρ] and write t NK A[ρ].

Figure 3 :
Figure 3: Extending PA2 with primitive numerals Compared to PA2, the grammar of the formulae of PA2 + is enriched with the syntactic construct {e} ⇒ B introduced in Section 4.2.(Arithmetic expressions remain unchanged.)To reflect the presence of a second form of implication, typing contexts of system PA2 +