Stateful Realizers for Nonstandard Analysis

In this paper we propose a new approach to realizability interpretations for nonstandard arithmetic. We deal with nonstandard analysis in the context of (semi)intuitionistic realizability, focusing on the Lightstone-Robinson construction of a model for nonstandard analysis through an ultrapower. In particular, we consider an extension of the $\lambda$-calculus with a memory cell that contains an integer (the state), in order to indicate in which slice of the ultrapower $\mathcal{M}^{\mathbb{N}}$ the computation is being done. We pay attention to the nonstandard principles (and their computational content) obtainable in this setting. In particular, we give non-trivial realizers to Idealization and a non-standard version of the LLPO principle. We then discuss how to quotient this product to mimic the Lightstone-Robinson construction.


Introduction
In this paper we propose a new approach to realizability interpretations for nonstandard arithmetic. On the one hand, we deal with nonstandard analysis in the context of (semi) intuitionistic realizability. On the other hand, we focus on Lightstone and Robinson's construction of a model for nonstandard analysis through an ultrapower [LR75]. This paper is an extended version of [DM21]. The main novelties here are in Section 4.4, where we establish a connection with evidenced frames [CMT21], and in Section 6, where we give a realizer for a nonstandard version of the Lesser Limited Principle of Omniscience (LLPO). We also now have a better understanding of why performing a quotient leads to some counter-intuitive properties (cf. Section 7).
Throughout the history of mathematics, infinitesimals were crucial for the intuitive development of mathematical knowledge by authors such as Archimedes, Stevin, Fermat, realizability with slices in Section 4. We also show that our stateful interpretation induces an evidenced frame thus providing a connection with the usual algebraic tools to deal with realizability interpretations. As shown in Section 5 and Section 6, this interpretation provides us with realizers for several nonstandard reasoning principles. We discuss the possibility of taking a quotient for this interpretation in Section 7. We conclude the paper in Section 8 with a comparison to related work and with some questions left for future work.

The ultrapower construction
The main contribution of this paper consists in defining a realizability interpretation to give a computational content to the ultrapower construction of Robinson and Lightstone in [LR75]. We shall begin by briefly explaining how this construction works in the realm of model theory.
Let us start by recalling some definitions.
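Definition 2.1. Let $I$ be a set. We say that $\mathcal{F} \subset \mathcal{P}(I)$ is a filter over $I$ if:
(i) $\mathcal{F}$ is non empty and $\emptyset \notin \mathcal{F}$ (non triviality);
(ii) for all $F_1, F_2 \in \mathcal{F}$, $F_1 \cap F_2 \in \mathcal{F}$ (closure under intersection);
(iii) for any $F, G \in \mathcal{P}(I)$, if $F \in \mathcal{F}$ and $F \subset G$, then $G \in \mathcal{F}$ (upwards closure).
An ultrafilter is a filter $\mathcal{U}$ such that for any $F \in \mathcal{P}(I)$, either $F$ or its complement is in $\mathcal{U}$.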
For instance, the set of cofinite subsets of $\mathbb{N}$ defines the so-called Fréchet filter, which is not an ultrafilter since it contains neither the set of even natural numbers nor the set of odd natural numbers. Nonetheless, it is well-known that any filter $\mathcal{F}$ over an infinite set $I$ is contained in an ultrafilter $\mathcal{U}$ over $I$: this is the so-called ultrafilter principle. An ultrafilter that contains the Fréchet filter is called a free ultrafilter. The existence of free ultrafilters was proved by Tarski in 1930 [Tar30] and is in fact a consequence of the Axiom of Choice.
[Figure: Logical rules]
It is well-known that the above definition of equality (often called Leibniz law) enjoys the usual expected properties (reflexivity, symmetry, transitivity) and allows one to perform substitution of equal terms. The quantifications $\forall^{\mathbb{N}} x.A$ and $\exists^{\mathbb{N}} x.A$ are often said to be relativized to natural numbers. The one-step (weak) reduction over terms is defined by the following rules:
$(\lambda x.t)\,u \triangleright_\beta t[u/x]$
$\mathrm{rec}\ u_0\ u_1\ 0 \triangleright_\beta u_0$
$\mathrm{rec}\ u_0\ u_1\ (s\ t) \triangleright_\beta u_1\ t\ (\mathrm{rec}\ u_0\ u_1\ t)$
$\pi_1(t, u) \triangleright_\beta t$
$\pi_2(t, u) \triangleright_\beta u$
We write $\to_\beta$ for the congruent reflexive-transitive closure of $\triangleright_\beta$. The reduction $\to_\beta$ is known to be confluent, type-preserving and normalizing on typed terms [Bar92].
3.2. Realizability interpretation of HA2.
In this subsection we define the realizability interpretation of the type system defined in Figure 1, in which formulas are interpreted as saturated sets of terms, i.e. as sets of closed terms $S \subseteq \Lambda$ such that $t \to_\beta t'$ and $t' \in S$ imply that $t \in S$. We write SAT to denote the set of all saturated sets and, given a formula $A$, we call truth value its realizability interpretation.
Definition 3.1 (Valuation). A valuation is a function $\rho$ that associates a natural number $\rho(x)$ to every first-order variable $x$ and a truth value function $\rho(X)$, i.e. a function in $\mathbb{N}^k \to \mathrm{SAT}$, to every second-order variable $X$ of arity $k$.
(2) Given a valuation $\rho$, a second-order variable $X$ of arity $k$ and a truth value function $F : \mathbb{N}^k \to \mathrm{SAT}$, the valuation defined by $(\rho, X \mapsto F) := \rho|_{\mathrm{dom}(\rho)\setminus\{X\}} \cup \{X \mapsto F\}$ will be denoted by $\rho, X \mapsto F$. We say that a valuation $\rho$ is closing the formula $A$ if $FV(A) \subseteq \mathrm{dom}(\rho)$.
It is easy to see that for any formula $A$ and any valuation $\rho$ closing $A$, one has $|A|_\rho \in \mathrm{SAT}$. As it turns out, the congruences defined by Equation 3.1 are sound w.r.t. the interpretation.
Proposition 3.3 [Miq11a]. If $A$ and $A'$ are two formulas of HA2 such that $A \cong A'$, then for all valuations $\rho$ closing both $A$ and $A'$ we have $|A|_\rho = |A'|_\rho$.
We would like to point out that the proof of adequacy is very flexible. Indeed, if one wants to add a new instruction to the language of terms via its typing rule, it is enough to check that this typing rule is adequate while the remainder of the proof is exactly the same.
3.3. Introducing value restriction.
The realizability interpretation of Definition 3.2 is also flexible regarding the set of formulas that are interpreted. We illustrate this point here by introducing a new construction extending formulas, which we shall use in the sequel to enforce value restriction in the presence of stateful computations. This will allow us to get a better handle on the operational semantics, which will be crucial afterwards since stateful computations break the confluence of the reduction system (see Example 4.1). Such a technique is reminiscent of the ML value restriction that was introduced to circumvent the incompatibility of Curry-style polymorphism and side-effects (see for instance [Zei09]).
We start by defining the subset V ⊆ Λ of values by the following grammar:
Observe that variables are not values, otherwise the system would not be stable under substitution. In the remainder of this paper, we adopt the convention that λ-terms are denoted by lowercase letters t, u, ... while uppercase letters V, W, ... refer to values.
Distinguishing the set of values allows, for instance, restricting the β-reduction rule to applications of functions to values:
The reflexive transitive closure $\to_v$ of the one-step reduction $\triangleright_v$ is known as the (left-to-right) call-by-value evaluation strategy. While it is well-known that the reduction system of the λ-calculus is confluent, so that the choice of a particular evaluation strategy does not have any consequence in terms of expressiveness, this is no longer the case when side effects (such as stateful computations in the next sections) come into play.
To enforce value restriction, let us now extend the language of formulas with a new construction: Formulas A, B ::= . . . | {A} → B and the realizability interpretation accordingly by In particular, we have It is easy to check that for any formulas A and B, |{A} → B| ρ is a saturated set, and the adequacy of the (∀ 2 E )-rule is thus preserved. While there is currently no rule to type a term t with a formula of the shape {A} → B, we can nonetheless extend the type system with any rule as long as it is adequate with respect to the realizability interpretation. Indeed, here the flexibility of the interpretation comes again into play, in the sense that once the realizability interpretation of a new construct has been defined, one could extend the type system with any rule related with that construct as long as it is adequate. For instance, the rules ( → I ) and ( → E ) below are adequate.
Proposition 3.10. The following typing rules are adequate: Proof. For the first rule it suffices to see that for any valuation ρ, we have As for the second one, if ρ is a valuation and σ a substitution such that σ(V ) ∈ |A| ρ , σ ρ(Γ), and σ(t) ∈ |{A} → B| ρ . Then, by the definition of |{A} → B| ρ , we have that We can also extend, maintaining the adequacy of the interpretation of {A} → B , the congruence relation with the following rules: Proposition 3.11. For any formulas A and B, we have Proof. The proof is analogous to the proof of Proposition 3.3, for instance for the first part, we have: We will make use of the following abbreviations: While the first definition is natural, the second one may be a bit more puzzling at first sight. As we saw, the truth value of any formula has to be a saturated set. However, given a formula A(x), the set {(n, t) : t ∈ |A(n)| ρ } is not saturated, and so we cannot define a formula ∃x.{Nat(x)} ∧ A(x) whose realizers would be this set. Nonetheless, the definition of ∃ {N} x.A is somehow doing the trick in continuation-passing style, in the sense that we have: Proposition 3.12. For any formula A, any valuation ρ and any term t, if t ∈ |∃ {N} x.A| ρ then there exists a natural number n ∈ N and a term u ∈ |A[x := n]| ρ s.t.: t (λxy.(x, y)) → β (n, u).
The next proposition relates these new quantifications with the relativized quantifications ∀ N x.A and ∃ N x.A using the term T .
Proposition 3.14. We have (1) Let t be a term in |∀ {N} x.A|, n ∈ N a natural number and u a term in |Nat(n)|. To prove the result, since |A[x := n]| is saturated, it suffices to prove that: It is straightforward to check that: Using the adequacy of the (rec)-rule, we deduce that rec (λy.y 0) (λxyz.z (s x)) u B(n) and the result follows from the hypothesis that t ∈ |∀ {N} x.A|.
(4) Let t be a term in |∃ N x.A|, X ∈ SAT be a predicate and u a term in By assumption, there exists a natural number n and two terms t 1 and t 2 such that t 1 ∈ |Nat(n)|, t 2 ∈ |A[x := n]| and t → β (t 1 , t 2 ). Then From part 1 we know that T u is in |∀ N x.(A → X)| X →X , hence T u t 1 t 2 ∈ X and the result follows from the fact that X is saturated.
The term T , which forces the evaluation of an argument of type Nat(n) to get the underlying value n to make it compatible with a function ∀ {N} x.A, is somehow simulating a call-by-value evaluation (for natural numbers). Such a term is usually called a storage operator [Kri09].
While Proposition 3.14 indicates that the different ways of relativizing the quantifiers are equivalent (in the sense that one admits a realizer if and only if the other does), it is important to keep in mind that this result is peculiar to the current effect-free settings. In particular, this result no longer holds once stateful computations are allowed.

Realizability with slices
In this section, we extend the realizability interpretation introduced in Section 3 by taking into account stateful computations. The states will be the key ingredient to give computational content to the Lightstone-Robinson construction described in Section 2. The advantage of this extended setting will become clearer in Section 5, since it allows us to realize some new reasoning principles, after we investigate the status of natural numbers in Section 5.1.
4.1. Stateful computations.
The first step in the Lightstone-Robinson construction aims at getting a product $\mathcal{M}^{\mathbb{N}}$ of the (initial) model $\mathcal{M}$. In order to achieve this goal in our setting, we add a memory cell to our calculus that contains an integer, which we call the state. The purpose of the state is to keep track of the "slice" of the product in which the interpretation is being done. This product allows us to interpret first-order individuals as functions in $\mathbb{N}^{\mathbb{N}}$, so that the interpretation accounts for new elements, the so-called nonstandard elements, for instance the diagonal function (see Proposition 5.5). In our extended calculus, the first-order expressions are the same, while second-order formulas now use a value restriction for natural numbers and include a predicate st(e), as per usual in nonstandard analysis, denoting that the expression e is standard. This means that in our framework we will also have two types of nonstandard quantifications: the usual $\forall^{\mathrm{st}}, \exists^{\mathrm{st}}$ and the relativized $\forall^{\{\mathrm{st}\}}, \exists^{\{\mathrm{st}\}}$. We say that a formula is internal if it does not contain the predicate st(·), and external otherwise. Terms are extended with two new instructions get and set. Similarly to what was remarked before concerning the {·} → · construction on formulas for value restriction, we do not need a specific rule for typing these terms since any adequate rules would work. Instead, we will only pay attention to the computational expressiveness brought by these new terms, by introducing appropriate reduction rules.
The get instruction allows one to obtain the content of the current state, while the set instruction allows one to increase its content. Formally, we extend the different grammars as follows: S N
Since the formulas no longer include an unrestricted constructor Nat(e), the typing rules for 0, s and rec are no longer required. Other than that, the type system is unchanged. In particular, the get and set instructions are not given any typing rule.
We will make use of the following abbreviations:
With the exception of the get / set instructions, the syntax of terms does not account for states. In fact, only the reduction rule for the set instruction can change the state. Nonetheless, states play a crucial role in the reduction system. In particular, one-step reductions are now defined for terms together with a state. We write $t \,{}^{s}{\triangleright}^{s'}\, t'$ to denote that the term $t$ in state $s$ reduces to the term $t'$ in state $s'$. The one-step reduction over terms is defined by the following rules:
We write $t \,{}^{s}{\downarrow}^{s'}\, t'$ for the reflexive-transitive closure of this relation.
Since we now consider effectful computations, we have to fix an evaluation strategy in order to ensure the confluence of the reduction system. Observe that our definition for C[ ] indeed ensures that our reduction system has no critical pair. Here we follow a call-by-name evaluation strategy (we substitute unevaluated arguments), while for rec and set one of their arguments must be reduced.
The following standard example illustrates the need for an evaluation strategy to ensure confluence in the presence of states, highlighting the fact that the result of a stateful computation might depend on the chosen strategy.
Example 4.1. Let us write $x + y$ for a term that computes the addition of $x$ and $y$ (such a term is easily definable via rec). Let us define $\mathrm{incr}_0 := \mathrm{set}\ (s\ \mathrm{get})\ 0$ (which increases the state and reduces to 0) and $t := (\lambda x.(\mathrm{get} + x) + x)\ \mathrm{incr}_0$. If we reduce the argument of the function first (call-by-value) we obtain
$t \;{}^{0}{\downarrow}^{1}\; (\lambda x.(\mathrm{get} + x) + x)\ 0 \;{}^{1}{\downarrow}^{1}\; (\mathrm{get} + 0) + 0 \;{}^{1}{\downarrow}^{1}\; 1.$
In turn, if we perform the β-reduction without reducing the argument (call-by-name), we get
$t \;{}^{0}{\downarrow}^{0}\; (\mathrm{get} + \mathrm{incr}_0) + \mathrm{incr}_0 \;{}^{0}{\downarrow}^{1}\; (\mathrm{get} + \mathrm{incr}_0) + 0 \;{}^{1}{\downarrow}^{2}\; \mathrm{get} + 0 \;{}^{2}{\downarrow}^{2}\; 2.$
In the absence of an evaluation strategy, the system would thus have admitted unsolvable critical pairs.
4.2. Stateful realizability interpretation.
The fact that our syntax now includes states allows us to interpret formulas as terms-with-states. Truth values are then defined as saturated sets in $\mathcal{P}(\Lambda \times S)$. Individuals are now individuals with states, so elements of $\mathbb{N}^S$, and similarly predicates of arity $k$ are elements of the set of functions from $\mathbb{N}^k$ to $\mathcal{P}(\Lambda \times S)$. This creates a mismatch in the sense that predicates are no longer shaped to be applied to individuals. In order to define our interpretation, we need to deal with this mismatch between the structure of individuals and the one of predicates, by defining a suitable notion of application.
Definition 4.4. We define saturated sets with respect to the stateful reduction to be sets $S \subseteq \Lambda \times S$ s.t. for any terms $t, t' \in \Lambda$ and any states $s, s' \in S$, if $(t'; s') \in S$ and $t \,{}^{s}{\downarrow}^{s'}\, t'$ then $(t; s) \in S$. With abuse of notation we denote the set of these saturated sets by SAT.
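Example 4.1 can be replayed mechanically. The following Python evaluator is an added illustration, not code from the paper: it assumes that `set n t` stores n in the memory cell and then continues as t, treats + as a primitive that evaluates its right operand first (the order followed by the trace of the example), and uses a big-step environment machine in place of the rewriting rules. The terms `DISCARD` and `PURE` are constructed here to show, respectively, that the final state can differ even when the result does not, and that effect-free terms are insensitive to the strategy.

```python
from collections import namedtuple

# Term syntax (constructed for this example): lambda-terms, numerals, s, +, get, set.
Var = namedtuple("Var", "name")
Lam = namedtuple("Lam", "param body")
App = namedtuple("App", "fun arg")
Num = namedtuple("Num", "n")
Succ = namedtuple("Succ", "arg")
Add = namedtuple("Add", "left right")
Get = namedtuple("Get", "")
Set = namedtuple("Set", "value cont")   # assumed meaning: store value, continue as cont

Closure = namedtuple("Closure", "lam env")   # a lambda together with its environment
Thunk = namedtuple("Thunk", "term env")      # an unevaluated argument (call-by-name)


class Machine:
    """Big-step evaluator with one integer memory cell (the state)."""

    def __init__(self, strategy, state=0):
        if strategy not in ("cbv", "cbn"):
            raise ValueError("strategy must be 'cbv' or 'cbn'")
        self.strategy, self.state, self.history = strategy, state, [state]

    def number(self, term, env):
        value = self.eval(term, env)
        if not isinstance(value, int):
            raise TypeError("expected a numeral")
        return value

    def eval(self, term, env):
        if isinstance(term, Num):
            return term.n
        if isinstance(term, Var):
            bound = env[term.name]
            # Call-by-name: every use re-runs the argument, effects included.
            if isinstance(bound, Thunk):
                return self.eval(bound.term, bound.env)
            return bound
        if isinstance(term, Lam):
            return Closure(term, env)
        if isinstance(term, App):
            fun = self.eval(term.fun, env)
            if not isinstance(fun, Closure):
                raise TypeError("cannot apply a numeral")
            if self.strategy == "cbv":
                arg = self.eval(term.arg, env)   # effects of the argument happen once, now
            else:
                arg = Thunk(term.arg, env)       # effects are postponed to each use
            return self.eval(fun.lam.body, {**fun.env, fun.lam.param: arg})
        if isinstance(term, Succ):
            return self.number(term.arg, env) + 1
        if isinstance(term, Add):
            # Right operand first, matching the order of the trace in Example 4.1.
            right = self.number(term.right, env)
            return self.number(term.left, env) + right
        if isinstance(term, Get):
            return self.state
        if isinstance(term, Set):
            self.state = self.number(term.value, env)
            self.history.append(self.state)
            return self.eval(term.cont, env)
        raise TypeError(f"unknown term: {term!r}")


INCR0 = Set(Succ(Get()), Num(0))                              # incr_0 := set (s get) 0
BODY = Lam("x", Add(Add(Get(), Var("x")), Var("x")))          # λx.(get + x) + x
EXAMPLE_4_1 = App(BODY, INCR0)                                # the term t of Example 4.1
DISCARD = App(Lam("x", Num(0)), INCR0)                        # argument is never used
PURE = App(Lam("x", Add(Var("x"), Var("x"))), Succ(Num(1)))   # no get / set at all


def run(term, strategy, state=0):
    """Return (result, final state, list of states the cell went through)."""
    machine = Machine(strategy, state)
    result = machine.eval(term, {})
    return result, machine.state, machine.history


if __name__ == "__main__":
    for name, term in [("Example 4.1", EXAMPLE_4_1), ("discard", DISCARD), ("pure", PURE)]:
        for strategy in ("cbv", "cbn"):
            print(name, strategy, run(term, strategy))
```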
In the realizability interpretation with slices below, truth values are defined as saturated sets. This allows us to reason by anti-reduction (sometimes also called expansion) in any fixed state. By anti-reduction, we mean that to show that a term $t$ together with a state $s$ belongs to such a saturated set $S$, it is enough to find $s'$ and $t'$ such that $t \,{}^{s}{\downarrow}^{s'}\, t'$ and $(t'; s') \in S$.
We now consider valuations which are functions that associate a function in $\mathbb{N}^S$ to every first-order variable $x$ and a truth value function from $\mathbb{N}^k$ to SAT to every second-order variable $X$ of arity $k$. Again, with abuse of notation we denote such a valuation by $\rho$.
We also extend the usual interpretation of first-order expressions to range over $\mathbb{N}^S$. To that end, we simply define arithmetical functions pointwise on the domain. For instance, if $f \in \mathbb{N}^S$, we write $S^*(f)$ for the function $s \mapsto S(f(s))$. When it is clear from the context, we abuse the notation (even more) by writing $0$, $S$, $\cdot_\rho$, etc. instead of $0^*$, $S^*$, $\cdot^*_\rho$.
Definition 4.5 (Realizability with slices). The interpretation of a formula $A$ together with a valuation $\rho$ closing $A$ is the set $|A|^S_\rho$ defined inductively according to the following clauses:
Realizers of the type $t \Vdash A$ are called universal.
Observe that this stateful interpretation has the structure of a product of the interpretation given by Definition 3.2. The interpretation corresponding to a given state can thus be seen as a slice of this product. However, it is important to keep in mind that the set instruction still allows terms to change the value of the state, therefore the slices are not completely independent. We write $|A|^s_\rho$ to denote the truth value $\{(t; s) \in |A|^S_\rho\}$ in the slice induced by $s$.
We first verify that truth values are indeed saturated sets and that the interpretation validates the congruence rules.
Proposition 4.6. Let A be a formula and ρ a valuation closing A. Then |A| S ρ ∈ SAT.
Proof. By a straightforward induction on the structure of $A$. Observe for instance that the case st($f$) follows from the definition and that the case $X(e_1, \ldots, e_n)$ follows from the fact that, by definition, $\rho(X)$ takes values in SAT.
A → B. Let $t, t'$ be two terms such that $(t'; s') \in |A \to B|^S_\rho$ and $t \,{}^{s}{\triangleright}^{s'}\, t'$ for some states $s, s'$. Let $(u; s') \in |A|^S_\rho$. We have that $t\,u \,{}^{s}{\triangleright}^{s'}\, t'\,u$, which by definition belongs to $|B|^S_\rho$. We conclude the result by the induction hypothesis for B. The same proof applies to the case {Nat(e)} → A.
A₁ ∧ A₂. Let $t, t'$ be two terms such that $(t'; s') \in |A_1 \wedge A_2|^S_\rho$ and $t \,{}^{s}{\triangleright}^{s'}\, t'$ for some states $s, s'$. For any $i \in \{1, 2\}$, we have that $\pi_i(t) \,{}^{s}{\triangleright}^{s'}\, \pi_i(t')$, which by definition belongs to $|A_1|^S_\rho$. We conclude the result by the induction hypothesis for $A_i$. The proof for the case A₁ ∨ A₂ is analogous.
∀x.A. Let $t, t'$ be two terms such that $(t'; s') \in |\forall x.A|^S_\rho$ and $t \,{}^{s}{\triangleright}^{s'}\, t'$ for some states $s, s'$. By definition, for any $f \in \mathbb{N}^S$, it holds that $(t'; s') \in |A|^S_{\rho, x \mapsto f}$. Hence by the induction hypothesis for A, we get that $(t; s) \in |A|^S_{\rho, x \mapsto f}$. This being true for any $f \in \mathbb{N}^S$, we deduce that $(t; s) \in |\forall x.A|^S_\rho$. The cases for the other quantifiers are similar.
Proposition 4.7. If $A$ and $A'$ are two formulas of HA2 such that $A \cong A'$, then for all valuations $\rho$ closing both $A$ and $A'$ we have $|A|^S_\rho = |A'|^S_\rho$.
Proof. The proof, by induction on $A \cong A'$, is similar to the proof of Proposition 3.3. Congruence easily goes through by induction, and again we have
The proofs for second-order quantifiers and value restrictions are analogous.
In order to prove the adequacy theorem in this setting we need to adapt a few definitions.
Definition 4.8. Given a context Γ, a state s and a valuation ρ closing the formulas in Γ, we say that a substitution σ realizes ρ(Γ) in the state s and write (σ; s) ρ(Γ) if dom(ρ(Γ)) ⊆ dom(σ) and (σ(x); s) ∈ |A| S ρ , for every declaration (x : A) ∈ Γ. Definition 4.9. We say that a typing judgement Γ t : A is adequate w.r.t. a state s in the stateful system if for any valuation ρ closing A and Γ and any substitution (σ; s) ρ(Γ) we have (σ(t); s) ∈ |ρ(A)|. An inference rule is adequate w.r.t. a state s if the adequacy (w.r.t. s) of all its premises implies the adequacy (w.r.t. s) of its conclusion.
We are now able to show that, with the exception of the (∀ 2 E )/(∃ 2 I )-rules, our logical rules are adequate. The (∀ 2 E )/(∃ 2 I )-rules are shown to be adequate, for internal formulas only, in Proposition 4.17. The status of natural numbers will be investigated in Section 5.1. Proof. The proof, by case analysis, is essentially the same as the usual adequacy proof for HA2, since none of the instructions involved in the typing rules allows to change the value of the state.
In each case, we write Γ for the typing context, ρ for a valuation closing all the considered formulas, s for the considered state and σ for a substitution such that (σ; s) ρ(Γ).
By assumption, (t; s) ∈ |A| ρ for any valuation ρ closing A which, since x does not occur in Γ, can freely map x to any individual in N S . In other words, (t; s) ∈ f ∈N S |A| ρ,x →f . The case for (∀ 2 I ) is similar.
Remark 4.11. Let us explain why the (∀ 2 E )-rule is not adequate in general (the same argument applies to the (∃ 2 I )-rule). As emphasized at the beginning of this section, we interpret predicates by functions from N k to SAT, while the truth values of formulas may vary in the set of functions from (N S ) k to SAT. Theorem 4.16 will make this more precise: internal formulas correspond to functions from N k to SAT while external formulas correspond to functions from (N S ) k to SAT. Therefore, in general we cannot substitute a second-order variable by any formula. Indeed, in the second-order elimination rule (for universal quantifiers) variables can only be instantiated by internal formulas. Moreover, if the formula B that we want to substitute is a proposition (i.e. if its arity k is equal to 0), then the substitution is valid since the interpretations of internal and external formulas coincide. This means that we could have chosen to work with impredicative encodings of the conjunction (or other connectives) as in the Russell-Prawitz translation [Pra65]. Indeed, such an encoding relies on the use of propositions, which are thus compatible with the elimination rule: Remark 4.12. We would like to attract the reader's attention to the fact that our realizability interpretation is grounded in the elimination rules for the connectives. While this choice may not be so meaningful in a pure intuitionistic setting, here the fact that our realizers may perform some effectful computations makes this choice relevant. Indeed, the other possibility would have been to require from a realizer of A ∧ B to be a term reducing to a pair of realizers, forcing the effectful computations to be done "right away", which could in particular make the value of the state evolve. In turn, our definition delays such computations further, which allows us to reason within the same state before eventually reducing the term (and thus performing the effect). 
This technicality turns out to be crucial in some proofs in the sequel, in particular for defining the realizer of LLPO st in Section 6.
We show that rec realizes a formula that emulates its former typing rule by using quantifiers relativized with a value restriction.
Proposition 4.13. We have rec ∀X.
Proof. Let X : N → SAT be a predicate, s ∈ S be a state, f ∈ N S be a natural number, u 0 and u S be terms and V be a value such that . Let us prove, by induction on n, that rec u 0 u S n ∈ X(n).
• If n = 0, then we have that rec u 0 u S t s ↓ s rec u 0 u S 0 s ↓ s u 0 , the result follows by antireduction from the hypothesis on u 0 .
The result thus follows (by antireduction) from the hypothesis on u S .
Remark 4.14. Regarding the necessity of restricting the relativization of quantifiers to values, the proof of Proposition 4.13 is enlightening. Indeed, if instead of a value V we were only given a term in |Nat(f )| s ρ , by definition this term may change the value of the state, say to some s , before reducing to the value of f (s ). This would break the proof since nothing is assumed on the realizers u 0 and u S in this new state s .

4.3. Glueing.
An important property of our interpretation (which also reflects a similar property in the Lightstone-Robinson construction) is that the interpretation of internal formulas can be decomposed as the product of its slices (Theorem 4.16). In other words, internal formulas can only access information in the current state. In particular, and as expected, this means that it is impossible to express standardness by means of internal formulas. To state this formally, we first define the restriction of formulas and truth values with respect to a slice.
Definition 4.15. Given an internal formula A, we define A s as the formula whose individuals are all applied in s. Formally, it amounts to replacing each individual by the standard individual with which it coincides in the state s: Theorem 4.16 (Glueing). For any internal formula A and valuation ρ closing A, we have that (t; s) ∈ |A| S ρ ⇔ t ∈ |A s | s ρ . Proof. The proof is by induction on the structure of A.
The cases of the second-order quantifiers are similar to the corresponding first-order quantifiers.
Let B(x) be a formula whose only free variable is x, and ρ a valuation closing B. In general, the function F B that associates to any individual f the truth value |B(f )| S ρ is a function from N S to SAT. If B is internal, by the glueing theorem, to determine F B it is enough to know its value for standard individuals. This means that we only need to know a function from N to SAT. As such, we can now formally state the intuition developed in Remark 4.11.
Proposition 4.17. The elimination rule for the 2nd-order universal quantification and the introduction rule for the 2nd-order existential quantification are adequate for any internal formula B whose only free variables are (x 1 , ..., x k ). Proof. This essentially follows from the glueing theorem and Definition 4.2. Indeed, recall that by definition we have |∀X.A| S ρ = F :N k →SAT |A| S ρ,X →F . Let us define the following function from N k to SAT: We can prove by an easy induction on A that |A| S ρ,X →F = |A[X(x 1 , ..., x k ) := B]| S ρ , from which the proposition follows trivially. The only interesting case is when A ≡ X(x 1 , ..., x n ).
Let us write f 1 , ..., f k for ρ(x 1 ) , ..., ρ(x k ) . We have: ). Since we have the (∀ 2 E )-rule restricted to internal formulas B, the comprehension scheme is also valid for these formulas. In particular, this implies Standardization for internal formulas, i.e. for B an internal formula, the following holds Of course, the comprehension scheme does not hold for external formulas, so the relativization on the quantifiers in Standardization is in this sense necessary. We will come back to Standardization in Section 7.1.

4.4. The induced evidenced frame.
Before studying the properties of this interpretation, we shall connect it with the usual algebraic tools to deal with realizability interpretations, in order to better emphasize its structure and peculiarities. In recent work, Cohen et al. introduced a new framework to capture the algebraic structure of realizability interpretations, which they named evidenced frames [CMT21]. These have the benefit of being generic enough to easily encompass effectful interpretations, while uniformly inducing triposes (and thus toposes), hence a model of higher-order logic. We show here how our interpretation fits the picture, hinting in particular at the possibility to extend our interpretation to deal with higher-order logic (which is out of the scope of this paper, as here we want to focus on the second-order fragment only).
We start by recalling the definition of evidenced frame. Definition 4.19 [CMT21]. An evidenced frame is a triple (Φ, E, · · − → ·), where Φ is a set of propositions, E is a collection of evidence, and φ 1 e − → φ 2 is a ternary evidence relation on Φ × E × Φ, along with the following: Reflexivity: There exists evidence e id ∈ E: • ∀φ. φ eid − → φ Transitivity: There exists an operator · ; · ∈ E × E → E: • ∀φ. φ e − → Conjunction: An operator ∧ ∈ Φ × Φ → Φ such that there exists evidence e fst , e snd ∈ E and an operator ⦉·,·⦊ ∈ E ×E → E: Universal Implication: An operator ⊃ ∈ Φ × P(Φ) → Φ such that there exists an operator λ ∈ E → E and evidence e eval ∈ E: The definition of the evidenced frame induced by our stateful interpretation better highlights its core structure. First, as shown by the interpretation of second-order variables, propositions are defined as truth values, that is as saturated sets of terms-with-states. Evidences, in turn, are defined as universal realizers, i.e. λ-terms, with the corresponding evidence relation Proposition 4.20. The tuple (SAT, Λ, · · → ·) defines an evidenced frame.
Proof. We give the evidence and constructors on propositions for each case. We mostly follow the realizability interpretation given in Definition 4.5.
Reflexivity: It is clear that e id λx.x S → S for any S ∈ SAT.
Transitivity: For any S 1 , S 2 , S 3 ∈ SAT if t 1 S 1 → S 2 and t 2 S 2 → S 3 , it is clear that Then we have e λx.x S → for any S ∈ SAT.
Conjunction: Let S 1 ∧ S 2 {(t; s) ∈ Λ × S : (π 1 (t); s) ∈ S 1 ∧ (π 2 (t); s) ∈ S 2 } for S 1 , S 2 ∈ SAT. It is then straightforward to check that ⦉e 1 , e 2 ⦊ λx.(e 1 x, e 2 x), where e fst π 1 , e snd π 2 define the expected evidences.
Universal Implication: For S 1 ∈ SAT and S ∈ P(SAT), we define the implication of propositions by S 1 ⊃ S {(t; s) ∈ Λ × S : ∀u. (u; s) ∈ S 1 ⇒ (t u; s) ∈ S∈ S S }. Let λe λxy.e (x, y) and e eval λx.(π 1 (x)) (π 2 (x)). Let S 1 , S 2 ∈ SAT and S ∈ P(SAT) be saturated sets. It is straightforward to show that e eval (S 1 ⊃ S) ∧ S 1 → S for any S ∈ S. We prove that if e ∈ Λ is such that (∀S ∈ S. e S 1 ∧ S 2 → S) then λe S 1 → (S 2 ⊃ S). Let (t 1 ; s) ∈ S 1 , then λe t 1 s ↓ s λy.e (x, y). Clearly, if (t 2 ; s) ∈ S 2 , λy.e (x, y) t 2 s ↓ s e (t 1 , t 2 ). Since for any S ∈ S the last term belongs to S, we can conclude by anti-reduction that λe S 1 → (S 2 ⊃ S).
Proposition 4.20 implies, in particular, that our interpretation also induces a tripos and a topos, by following the method described in [CMT21]. In the following sections, we pay attention to nonstandard reasoning principles for which we can define universal realizers, as these are the evidences for our interpretation (as shown by Proposition 4.20).

Nonstandard principles in realizability with slices
5.1. Natural numbers.
In Section 4, we considered a setting with a value restricted variant of the Nat(·) predicate. Nonetheless, we can still assert that an expression is a natural number through the formula Nat (e) ∀X.({Nat(e)} → X) → X.
As seen below, realizers of this formula will give access to the expected computations for natural numbers.
Remark 5.1. Observe that the language of HA2 does not express the existence of specific nonstandard elements, e.g. δ is not in the language. However, to refer to some nonstandard element τ , we can always consider a valuation that maps a variable x to τ . With abuse of notation, in the remainder of this paper, we will write nonstandard elements directly in formulas as if they were in the language. Also, we will use the notation † to refer to an arbitrary λ-term with no further assumption.
Using an argument similar to Proposition 3.12, one can show that for any individual f ∈ N S , if t is a term such that (t; s) ∈ |Nat (f )| S , then one can actually compute out of t (without changing the value of the state) the value of f (s) ∈ N. In other words, t is an effect-free term producing f (s). This is to be compared with Nat(f ), for which the requirement for its truth value to be saturated would have entailed its interpretation to reduce to a natural number f (s ) in a possibly different state.
Proposition 5.2. Let f ∈ N S and s ∈ S. If t is a term such that (t; s) ∈ |Nat (f )| S , then t λx.x s ↓ s n, where n = f (s).
Proof. Let us define X {(t; s ) : t s ↓ sn}. This set is clearly saturated, and it is easy to see that (λx.x; s) ∈ |{Nat(f )} → X| S (since λx.x n s ↓ s n). Therefore, we have that t ∈ |({Nat(f )} → X) → X| S and then (t λx.x; s) ∈ X, that is t λx.x s ↓ s n.
We now show that (by-value) natural numbers, i.e. Nat , contain 0, and are closed under the successor and recursion for internal formulas.
Proof. Easy realizability proofs by anti-reduction.
(1) Follows from the definition of Nat (0): if X ∈ SAT is a saturated set, s a state and t a term such that (t; s) ∈ |{Nat(0)} → X| S , we have (λx.x 0) t s ↓ s t 0 ∈ X. Since X is saturated, we conclude by anti-reduction. (2) Let f ∈ N S , X be a saturated set, s be a state and t be a term such that (t; s) ∈ |{Nat(Sf )} → X| S ρ . Let us write n f (s). Then (λxy.y (s x)) n t s ↓ s t (s n). Since s n = n + 1 = S(f )(s), we get that t (s n) ∈ X and we conclude by anti-reduction.
The interpretation now witnesses the existence of new elements. The canonical example is the diagonal, i.e. the function δ : n → n. Indeed, the diagonal is a nonstandard natural number which is realized by the get instruction. We first show a lemma concerning the storage operator T (from Definition 3.13) in this new context.
Lemma 5.4. Let s ∈ S and t, u be terms.
(1) For any n ∈ N, if u s ↓ s n, then T t u s ↓ s t n.
Proof. The first part is an easy induction on n, and the second part follows from the first by anti-reduction.
(2) By definition, it holds that (t; s) ∈ |{Nat(f )} → A(f )| S . By part 1, we obtain that T t u s ↓ s t f (s), hence the result follows by anti-reduction.
(3) Follows from the fact that δ(s) = s and that by part 1 of Lemma 5.4, for any t.
(λx.T x get) t s ↓ s T t get s ↓ s t s (4) The proof is similar to the proof of Proposition 3.14. Let X ∈ SAT be a predicate and u be a term such that (u; s) ∈ |∀ {N} x.¬st(x) → X| S ρ . In particular, the latter implies that for any term t, it holds that (u s t; s) ∈ X. Since X is saturated, the result then follows from the fact that T u get t s ↓ s u s t which is a consequence of part 1 of Lemma 5.4.
Part 2 in Proposition 5.5 is sometimes referred to as the ENS 0 (existence of nonstandard elements) principle (e.g. in [BBS12]). As a consequence of Proposition 4.17, Leibniz equality is only compatible with the (∀ 2 E )-rule restricted to internal formulas. In our setting, this encoding only reflects equality in the current state, i.e. a local knowledge of individuals (slice by slice), while the usual notion of equality (for N S ) requires a global knowledge (on all the slices). If A(x) is an external formula, we cannot hope to have an internal definition of equality such that its elimination principle x = y → A(x) → A(y) is valid.
Nonetheless, the elimination of Leibniz equality is realizable for standard individuals or for internal formulas.
5.2. Nonstandard reasoning principles. In this section, we prove some properties which are usual in frameworks that use nonstandard analysis: Transfer, Overspill, External Induction, Idealization, etc.
Theorem 5.8 below indicates that the Transfer property (for internal formulas) is devoid of computational content. This is a somewhat reassuring fact: properties that are true for standard individuals are automatically true for all individuals.

Theorem 5.8 (Transfer). For any internal formula A we have:
( Proof. Parts 1 and 4 follow from the glueing theorem. Indeed, we have: The proof for part 4 is analogous. Parts 2 and 3 (resp. 5, 6) are direct consequences of the first (resp. fourth) part. For instance, for part 3, let s be a state and u be a term such that (u; s) ∈ |∀ st x.A(x)| S . Recalling that |st(n * )| S = Λ × S for any n ∈ N, we have: where the last implication is obtained using part 1. In particular, (u t; s) belongs to |∀x.A(x)| S and by anti-reduction, so does ((λx.x t)u; s).
As expected, Transfer does not hold for all formulas. A counter-example is given in the next proposition by the external formula stating that all individuals are (not not) standard.
Proof. Both statements follow from the definitions. For instance, for the second formula, observe that
The principle of External Induction [Nel87] allows one to prove that a certain property is valid for all standard natural numbers, for instance the assertion stating that every nonstandard element is larger than all standard natural numbers (see footnote 4). We show that in our context, this principle can be realized using the rec instruction.
Proposition 5.10 (External induction). For any formula A(x) whose only free variable is
Proof. Let s be a state, n ∈ N be a natural number and u 0 , u S be terms and V be a value such that (u 0 ; s) ∈ |A(0 * )| S , (u S ; s) ∈ |∀ st y.(A(y) → A(S(y))| S and (V ; s) ∈ |Nat(n * )| S . The latter implies that V = n. Let us prove, by induction on n, that rec u 0 u S n ∈ |A(n * )| S
• If n = 0, then we have that rec u 0 u S 0 s ↓ s u 0 , the result follows by anti-reduction from the hypothesis on u 0 .
• If n = S(m), then we have that rec u 0 u S (s m) s ↓ s u S m (rec u 0 u S m). By induction hypothesis, we have that (rec u 0 u S m; s) ∈ |A(m)| S . The result thus follows (by anti-reduction) from the hypothesis on u S .
The next two propositions show that one cannot separate standard natural numbers from nonstandard natural numbers using an internal formula [Rob66]. This fact is usually formalized by the properties of Overspill and Underspill. We first show that, in our context, Overspill can be realized by combining the realizers for ENS 0 and for the Transfer principle.
4 Actually, this requires to consider a quotiented definition of the standardness predicate, see Proposition 7.1.
The usual proof of Underspill is by contradiction, hence using classical logic, which we do not have here. Nevertheless, we can obtain the following version in which a double-negation occurs.
This coincides with the interpretation of the relation R through a second-order variable and the corresponding semantic relation from N 2 to SAT in the interpretation.
Let us now briefly illustrate the main idea behind the proof of Idealization by showing that there exists a (nonstandard) natural number greater than or equal to any standard number. The usual proof relies on the fact that δ is such a number, since for any standard number n, in any slice greater than or equal to n, the relation n ≤ δ holds. In our setting, we use the set instruction to reach such a state.
Proof. Let s be an arbitrary state. Following the proof of part 2 of Lemma 5.4, it is clearly enough to prove that (λxy. set y †; s) ∀ {st} y.y ≤ δ (the rest of the proof is exactly the same replacing ¬st(δ) with ∀ {st} y.y ≤ δ). Let n ∈ N and t an arbitrary term. Then (λxy. set y t) t n s ↓ s set n t s ↓ s′ t where s′ = max(n, s). In particular, n ≤ δ(s′) holds, hence (t; s′) ∈ |n ≤ δ| S and we can conclude by anti-reduction.
Consider a term loop + such that 5 for any state s ∈ S it holds that loop + s ↓ s incr loop + , where incr λx. set (s get) x. Then for any natural number n ∈ N and any state s ∈ S, loop + s ↓ s′ loop + where s′ ≥ n. Since for any s′ ≥ n, ( †; s′) ∈ |n < δ| S , by anti-reduction we obtain the following Proposition.
Observe that here the value of n is not required, so the quantifier does not need to be relativized. Yet, the computation never terminates and we do not even know when the computation reaches a correct state.
As mentioned above, the idea to prove the general case of Idealization is very similar. If for any n ∈ N there exists τ n ∈ N such that for any m ≤ n, R(τ n , m) holds, we can consider the nonstandard natural number τ (τ s ) s∈S ∈ N S . Using a witness extraction mechanism, as provided by the next proposition, we can compute τ from any realizer of ∀ {st} n.∃ {st} x.∀ {st} y.(y ≤ n → R(x, y)).
Proposition 5.15 (Witness extraction). For any formula A, any valuation ρ closing ∃x.A, any state s and any term t such that (t; s) ∈ |∃ {N} x.A| S ρ , there exists a natural number f ∈ N S and a term u such that (u; s) ∈ |A| S ρ,x →f and t (λxy.(x, y)) s ↓ s (f (s), u).

The term
ideal λx.λy.T y (π 1 (T (x †) get (λxy.(x, y)))) (λyz. set z y) is a realizer for the Idealization principle. Indeed, in any state s the first component of ideal computes τ (s) (using Proposition 5.15), while the second component increases the state to ensure the validity of the relation (as in Proposition 5.13).
Theorem 5.16 (Idealization). We have: Proof. Let s be any state and u a term such that Consider the (possibly nonstandard) individual τ ∈ N S defined by τ (s) = f s (s) . We have ideal u s ↓ s λy.T y (π 1 (T (u †) get (λxy.(x, y)))) (λyz. set z y) hence, by part 2 of Lemma 5.4, to conclude by anti-reduction it suffices to prove that (1) π 1 (T (u †) get (λxy.(x, y))) s ↓ s τ (s). Indeed, we know that this term reduces as follows: and by definition τ (s) = f s (s).
(2) (λyz. set z y; s) ∀ {st} y.R(τ, y). To prove this, it suffices to show that for any m ∈ N and any t ∈ Λ, we have ((λyz. set z y) t m; s) R(τ, m * ). With s′ = max(s, m), we have that (λyz. set z y) t m s ↓ s set m t s ↓ s′ t. By construction, since m ≤ s′, we know that R(τ (s′), m) holds, hence (t; s′) ∈ |R(τ (s′), m)| S ρ and we conclude by anti-reduction.
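The role of the memory cell in the argument for n ≤ δ and in Theorem 5.16 can be replayed in a small state-passing model. The following Python code is an added illustration and not part of the paper: terms are modelled as functions from a state to a (value, final state) pair, and the relation R, the witness function and all helper names are assumptions chosen for the demonstration.

```python
from functools import reduce
from math import gcd

# Modelling assumption (not from the paper): a term is a Python function that
# takes the current state s (a natural number) and returns (value, final_state).


def get(s):
    """`get` reads the memory cell, so it computes the diagonal: delta(s) = s."""
    return s, s


def set_then(n, term):
    """`set n t`: run t in state max(n, s). The cell can only grow."""
    return lambda s: term(max(n, s))


def delta(s):
    """The diagonal individual, a nonstandard natural number."""
    return s


def leq_delta(n):
    """Model of (lambda x y. set y t) applied to a standard n: move to a slice
    where n <= delta holds, then report the truth value in that slice."""
    return set_then(n, lambda s: (n <= delta(s), s))


# --- Idealization with a constructed sample relation -----------------------

def R(x, y):
    """Sample relation (constructed): x is positive and divisible by y + 1."""
    return x >= 1 and x % (y + 1) == 0


def witness(n):
    """Premise of Idealization for R: a standard x with R(x, y) for all y <= n.
    Here x = lcm(1, ..., n + 1), returned as a constant individual."""
    x = reduce(lambda a, b: a * b // gcd(a, b), range(1, n + 2), 1)
    return lambda s: x


def tau(s):
    """The idealized individual tau(s) = f_s(s): read the cell with get, take
    the witness for n = s, and evaluate it in the current slice."""
    n, s = get(s)
    return witness(n)(s)


def ideal_check(m):
    """Second component of the realizer, applied to a standard m: set m, then
    evaluate R(tau, m) in the slice that was reached."""
    return set_then(m, lambda s: (R(tau(s), m), s))


if __name__ == "__main__":
    print(leq_delta(9)(4))        # (True, 9)
    print(tau(2), R(tau(2), 6))   # 6 False
    print(ideal_check(6)(2))      # (True, 6)
```

In slice 2 the relation R(τ, 6) fails, which is why the realizer has to raise the state before the relation is checked; no single standard value of x satisfies R(x, m) for every standard m.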

LLPO
In this section we give a realizer for a nonstandard version of the Lesser Limited Principle of Omniscience: This principle is a semi-intuitionistic principle, in the sense that it is seen as being nonconstructive (it is indeed provably false in some intuitionistic theories, cf. [BR87, p. 4]) while still being weaker than the full law of excluded middle.
6.1. LLPO in nonstandard arithmetic. We will consider a variant of the LLPO principle in our setting, where the quantifiers are restricted to standard elements and the formulas A and B are internal (where x (resp. y) does not occur in B (resp. in A)): A(x) ∨ ∀ {st} y.B(y)) Let us give an overview of our computational interpretation for this principle, which will rely on the several realizers introduced in Section 6.3 and described in Figure 2. Assume that we are given, in a certain state, a realizer of the hypothesis The main idea consists in turning this term into a realizer of Indeed, observing that the formula A ≤z is internal, by Transfer and instantiation with δ (or any other nonstandard element), the proposition x ≤ δ becomes trivially true for any standard x and we get the expected conclusion y.B(y)).
In fact, this last step is the only step where we actually use nonstandard principles (here Transfer and the existence of nonstandard elements). The rest of the proof, forgetting all the relativizations to standard elements, would be valid in standard arithmetic. This is reflected by the fact that we only use External Induction and properties of the disjunction. In terms of realizers, this means that we will only use universal realizers that will never manipulate the state.
To get a realizer of ∀ {st} z.(A ≤z ∨ B ≤z ), we rely on External Induction (as the term t aux shows), the main difficulty lying in proving the induction step To illustrate this step, let us consider the case where A ≤x holds. To obtain the expected conclusion, it is sufficient to show that A(S(x)) ∨ B ≤S(x) holds. This leads us to break the symmetry between A and B by considering the formula But using our starting assumption, namely a realizer of ∀ {st} x.∀ {st} y.(A(x) ∨ B(y)), for any standard x we can easily get ∀ {st} y.Φ A,B (x, y) by external induction, and thus ∀ {st} x.∀ {st} y.Φ A,B (x, y) which is enough to conclude the whole proof. For the inductive step ∀ {st} y. (Φ A,B (x, y) → Φ A,B (x, S(y))) of the latter induction, we reason by cases on the induction hypothesis: • if A(x) holds then the conclusion follows immediately, • if B ≤y holds, then we use the assumption to get either A(x) or B(S(y)), and again, in both cases the conclusion follows. This proof is a variation of [BBS12,Prop. 3.4], the main difference being that in our context, we have access to concrete nonstandard elements (namely δ), and we can instantiate a certain formula with δ instead of using the Idealization principle.
6.2. Disjunction. In order to define a realizer for LLPO st , we first need to extend our language with disjunctions. We choose to rely on a primitive disjunction rather than on a second-order impredicative encoding of disjunction as the latter would make the task of finding realizers much more difficult without bringing additional strength to our setting.
We thus extend the languages of terms and formulas as follows: Formulas A, B ::= ... | A ∨ B Terms t, u ::= ... | ι 1 (t) | ι 2 (t) | case t {ι 1 (x 1 ) → t 1 |ι 2 (x 2 ) → t 2 } and the type system accordingly We also extend the reduction system with one extra case to define contexts C[] ::= ... | case [ ] {ι 1 (x 1 ) → t 1 |ι 2 (x 2 ) → t 2 } and one additional reduction rule for this new operation Finally, we extend the realizability interpretation to include the case of disjunction. We base the definition on the elimination rule of the disjunction (see Remark 4.12), as has been done before for the other connectives: Observe that glueing still holds by simply defining Once more, we take advantage of the modularity of the realizability interpretation to get the adequacy with respect to the type system extended with disjunction by only proving the adequacy of the new typing rules (see Definition 4.8).
Proposition 6.1. The rules (∨ 1 I ), (∨ 2 I ) and (∨ E ) are adequate. Proof. The adequacy of the rule (∨ E ) follows directly from the definition, by considering the particular set S = |C| S ρ . We now prove adequacy of the rule (∨ 1 I ). Assume that the typing judgment Γ t : A 1 is adequate with respect to some state s ∈ S. To prove that the conclusion is adequate with respect to the same state, let us consider ρ a valuation closing A 1 ∨ B 2 and Γ, σ a substitution such that (σ; s) ρ(Γ) and let t 1 , t 2 be two terms and S ∈ SAT be such that for any (u Using the hypotheses, we have that (σ(t); s) ∈ |A 1 | S ρ and therefore (t 1 [σ(t)/x 1 ]; s) ∈ S. We can conclude by anti-reduction.
As an illustration of the use of disjunction, we define below a term allowing us to commute A and B in the premise of LLPO st . This term will be useful afterwards since the proof mostly relies on two External Inductions in which the formulas A and B have asymmetric roles.
Lemma 6.2. For any formulas A and B we have Proof. Let s ∈ S be a state, (h; s) ∀ {st} x∀ {st} y.(A(x) ∨ B(y)) and n, m ∈ N be two natural numbers. We have The assumption on h gives us that (h †n †m; s) ∈ |A ∨ B| S ρ . Since it is clear that for any (t A ; s) ∈ |A| S ρ , (ι 2 (t A ); s) ∈ |B ∨ A| S ρ (and vice-versa with (t B ; s) ∈ |B| S ρ and ι 1 (t B )), by definition of |A ∨ B| S ρ we have that the right-hand side terms belongs to |B ∨ A| S ρ and we can conclude by anti-reduction. In the next lemma, we write ifn =m then t else u (where n, m ∈ N and t, u ∈ Λ) for a term that reduces to t if n = m and to u otherwise (defining such a term using the rec operator is an easy programming exercise, which we would rather not bother the reader with).
Lemma 6.4. For any internal formula A and any natural number n ∈ N, we have where t ≤s λnxymz. if m = sn then y else (x m z).

Proof. Recall that
. Let s ∈ S be a state, n ∈ N be a natural number, f ∈ N S be an individual, and u, v, w ∈ Λ be terms such that (u; s) ∈ |A ≤n | S ρ , (v; s) ∈ |A(S(n)))| S ρ and (w; s) ∈ |f ≤ S(n)| S ρ . Putting m f (s), the latter entails that m ≤ S(n). By construction, we have t ≤sn u vm w s ↓ s ifm = sn then v else (um w).
Let us reason by case analysis: and since A is internal, we get that (v; s) ∈ |A(f )| S ρ by glueing which allows us to conclude by anti-reduction.
• if f (s) = m < S(n), then we have ifm = sn then v else (um w) s ↓ s um w.
By assumption on u, we have that (um w; s) ∈ |A(m)| S ρ , and therefore (um w; s) ∈ |A(f )| S ρ using glueing. We can thus conclude by anti-reduction.
If something is true below a certain nonstandard element, such as δ, then it is true for any standard element. This is connected with Proposition 5.14 that states that δ is greater than any standard natural number, and is somewhat trivial in usual nonstandard settings (which is reflected here by the fact that the realizer is making a blind loop).
Proof. Let s be a state and u be a term such that (u; s) ∀ {N} y.y ≤ δ → A(y). We need to show that (t δ u; s) ∀ {st} y.A(y). Letting n ∈ N be a standard natural number, we have t δ un s ↓ s un ι 2 (loop + ).
We now show how to build the different terms necessary to the first External Induction, allowing us to obtain a realizer for the formula ∀ {st} x.∀ {st} y.Φ A,B (x, y).
Lemma 6.6. For any internal formulas A and B, we have Proof. Recall that Φ A,B (x, y) = A(x) ∨ B ≤y . Let s ∈ S be a state, n ∈ N be a natural number and h ∈ Λ be a term such that (h; Using the assumption on h, we have ((h †n † 0); s) ∈ |A(x) ∨ B(0)| S ρ . We can thus conclude by anti-reduction using the adequacy of the (∨ E ) rule and Lemma 6.3 for the ι 2 (·) case.
Lemma 6.7. For any internal formulas A and B, we have Proof. Recall that Φ A,B (x, y) = A(x) ∨ B ≤y . Let s ∈ S be a state, n, m ∈ N be natural numbers and h, u ∈ Λ be terms such that (h; To conclude by anti-reduction, we need to prove that the term on the right-hand side is in |A(n) ∨ B ≤S(m) | S ρ , using the assumption on u and the adequacy of the (∨ E ) rule. The ι 1 (·) case is immediate. For the ι 2 (·) case, let us consider a term u 2 such that (u 2 ; s) ∈ |B ≤m | S ρ and prove that case (h †n † (sm)) {ι 1 (a) → ι 1 (a)|ι 2 (b) → ι 2 (t ≤s u 2 b)} ∈ |Φ A,B (n, S(m))| S ρ . Again, we use the assumption on h and the adequacy of the (∨ E ) rule to conclude. Let us consider a term b such that (b; s) ∈ |B(S(m))| S ρ . It then follows from the assumption on u 2 and Lemma 6.4 that (t ≤s u 2 b; s) ∈ |B ≤S(m) | S ρ and hence (ι 2 (t ≤s u 2 b); s) ∈ |A(n) ∨ B ≤S(m) | S ρ . Corollary 6.8. Let A(x) and B(x) be any formulas whose only free variable is x. Then Proof. Let s be a state, h be a term such that (h; s) ∀ {st} x.∀ {st} y. (A(x) ∨ B(y)), and n ∈ N be a natural number. We want to show that (t Φ h †p; s) ∀ {st} y.Φ A,B (p, y). By definition of t Φ , we have t Φ h †n s ↓ s rec (t 0 h †n) (t s h †n). Then, the result follows directly from External Induction (Proposition 5.10) and Lemmas 6.6 and 6.7.
We can now take advantage of these terms to define the terms necessary to realize the formula A ≤x ∨ B ≤x where the role of A and B is now made symmetric again, using a second External Induction.
To conclude by anti-reduction, we need to show that the reduced term realizes A ≤S(n) ∨B ≤S(n) . Using Corollary 6.8, we get that Using the adequacy of the (∨ E ) rule (for which the ι 2 (·) case is immediate), we now have to prove that for any term v such that (v; s) A(S(n)), t ≤s a v; s A ≤S(n) . This follows from Lemma 6.4 and the assumptions on a and v.
Lemma 6.10. For any internal formulas A and B, we have Proof. Let s ∈ S be a state and h ∈ Λ a term such that (h; s) ∀ {st} x∀ {st} y.(A(x) ∨ B(y)).
By construction, we have The result easily follows by anti-reduction, using the adequacy of the (∨ E ) rule and Lemma 6.3.
Lemma 6.11. For any internal formulas A and B, we have Proof. Let s ∈ S be a state, n ∈ N a natural number and h, v ∈ Λ be two terms such that (h; s) ∀ {st} x.∀ {st} y.(A(x) ∨ B(y)) and (v; s) A ≤n ∨ B ≤n . By construction, we have To conclude by anti-reduction, we use the adequacy of the (∨ E ) rule to prove that the reduced term belongs to |A ≤S(n) ∨ B ≤S(n) | S ρ . For the ι 1 (·) case, if w is a term such that (w; s) A ≤S(n) , then (t ∆ h †n w; s) A ≤S(n) ∨ B ≤S(n) by Lemma 6.9 as expected. The ι 2 (·) case is symmetric, using t ∨ and Lemma 6.2.
Corollary 6.12. For any internal formulas A and B, we have Proof. Let s be a state, and (h; s) ∀ {st} x∀ {st} y(A(x) ∨ B(y). We have that so the result easily follows from Proposition 5.10 and Lemmas 6.10 and 6.11.
We are now ready to prove the main theorem of this section, by combining all the terms into a realizer of LLPO st .

A tainted quotient
In this section we explore the possibility of extending the work done above through a quotient, and the limitations of such a construction. In Section 7.1, we explain how this quotient can be obtained in a way that maintains the analogy with the Lightstone-Robinson construction. The resulting theory is indeed an extension in which universal realizers for closed formulas are preserved and more principles are now realizable (e.g. Proposition 7.1). This makes it an even more convincing approach to nonstandard analysis from the point of view of the captured theory, but not in terms of realizability. Indeed, as we will see in Section 7.2, the terms witnessing the validity of formulas in the quotient can no longer be composed. On the other hand, as explained in Remark 7.6, if one tries to be more faithful to the spirit of realizability, then the connection with nonstandard analysis is less convincing as one loses compatibility with Łoś' theorem. Furthermore, the limitations do not seem to depend on the particular way one defines the quotient, as discussed in Section 7.3.
7.1. Realizability up to an ultrafilter. In order to fully mimic Lightstone and Robinson's construction, an extra step is required where one takes a quotient of the interpretation with slices. This step allows us to consider a more flexible notion of realizability where realizers are only required to be compatible with almost all states, in the sense that the set of compatible states belongs to the ultrafilter.
In order to simplify the discussion, and similarly to what was done in most of the paper, we don't include disjunction as a primitive connective.
Let us fix a free ultrafilter U over the set of states. Given any set V , we denote by ≅ the equivalence relation over V S defined by f ≅ g {s ∈ S : f (s) = g(s)} ∈ U.
First, we can, within the realizability with slices, change the way st(f ) is interpreted to consider standardness up to the ultrafilter. In this way, f ∈ N S is said to be standard if and only if there exists n ∈ N s.t. f ≅ n * . This allows us to show, for instance, that nonstandard natural numbers are larger than standard ones.
Proof. If f ∈ N S is a nonstandard individual and n ∈ N any natural number, one proves by contradiction that S = {s ∈ S : n < f (s)} ∈ U. Indeed, otherwise one would have $\overline{S}$ ∈ U. For any k ∈ N, let us write S k for the set {s ∈ S : f (s) = k}. Since the sets S 0 , ..., S n form a partition of $\overline{S}$, it is easy to see that (exactly) one of these sets, say S m , belongs to U. Then f ≅ m * , which contradicts the fact that f is nonstandard.
In particular, for any individuals f, g, any state s, and any terms t, u such that (t; s) ∈ |st(f ) → ⊥| S and (u; s) ∈ |st(g)| S , we have that f is necessarily nonstandard and that there exists n ∈ N such that g ∼ = n * . By the claim above, we know that there exists s > s such that s < f (s ). The result then follows by anti-reduction from the fact that loop + s ↓ s loop + .
We then need to define a new notion of realizability in which realizers are also considered up to the equivalence relations induced by U. To that end, a natural attempt consists in considering Łoś' theorem as a guideline. For the sake of clarity, let us denote by |A| * the truth values in this interpretation, which we shall call realizability up to U.
Definition 7.2. We say that a formula A is Łoś-reducible if for any valuation ρ closing A, t ∈ |A| * if and only if {s ∈ S : (t; s) ∈ |A| S ρ } ∈ U. We actually define the interpretation of connectives by this equivalence. For example, the interpretation |A → B| * ρ for the implication is defined by {t ∈ Λ : {s ∈ S : (t; s) ∈ |A → B| S ρ } ∈ U}, while the interpretation of the quantifiers is still defined via intersections (resp. unions) over the same domain as in the interpretation with slices (e.g., $|\forall x.A|^*_\rho = \bigcap_{f \in N^S} |A|^*_{\rho, x \mapsto f}$).
Definition 7.3 (Realizability up to U). The interpretation of a formula A together with a valuation ρ closing A is the set |A| * ρ defined inductively according to the following clauses:
As shown in the following theorem, first-order quantifiers behave well w.r.t. the ultrafilter.
The next result shows that even if there are enough slices in which t reduces to u in a slice that makes it a realizer of some formula A, u may not be a realizer of A often enough.
8. Related and future work
8.1. Related work. Some related works concern notions of realizability for nonstandard arithmetic which are variants of Kreisel's modified realizability [BBS12,DG18]. These notions of realizability are more inspired by Nelson's syntactical approach to nonstandard analysis. In particular, they rely on translations of formulas inducing conservative extensions of Heyting arithmetic. To draw a comparison with Van den Berg et al.'s work, it should be observed that they interpret standard elements as finite sequences that can be thought of as a process of accumulating potential witnesses. In particular, their interpretation crucially relies on a monotonicity property for these sequences (regarding sequence inclusion), stating that realizers are provably upwards-closed [BBS12,Lemma 5.4]. This property has no counterpart in our setting. On the other hand, our interpretation is able to give computational content to nonstandard individuals, and even to give explicit nonstandard elements (such as the diagonal) with their corresponding realizers. This is, for example, what allows us to computationally interpret Idealization (see Theorem 5.16), whereas the functional interpretation for Idealization in [BBS12] is trivial in the sense that the interpretations of the premise and the conclusion of any instance of Idealization are identical. It could be interesting to better understand the relation between this approach and the approaches based on Kreisel's realizability. In particular, we would like to know whether we can obtain a preservation result for some class of formulas (e.g. internal, quantifier-free, ∃-free formulas). Similar ideas have been addressed by Aschieri. In [Asc17] the author uses a notion of state which allows one to construct a forcing model. In particular, natural numbers are interpreted as functions from states to N.
Yet, his work does not pay attention to the nonstandard principles that can be obtained in his setting but rather to forcing. It would be natural to investigate whether our setting also allows for forcing techniques. This connection with forcing is reinforced by the fact that in the realm of Krivine's realizability, which generalizes Cohen's forcing, the latter is given a computational content via the addition of a monotone memory cell to the abstract machine in order to store forcing conditions [Kri11,Miq11b]. Also, recent work of Powell has been focusing on a variant of Gödel's functional interpretation to take into account stateful computations [Pow18]. In addition to investigating the computational contents of the stateful programs obtained by extraction through this interpretation, the author proposes some problems that the reader might find interesting.
8.2. Weak Kőnig's Lemma. As shown in [DF17], WKL 0 (one of the Big Five systems from Reverse Mathematics) is interpretable, over a nonstandard version of primitive recursive arithmetic with extensionality, using a version of the Axiom of Choice and Idealization. It relies on distinguishing two sorts: the number sort is interpreted by the standard numbers, and the set sort is interpreted by bounded type 1 functionals (or by number codes, both standard and nonstandard, of finite sets of numbers, again both standard and nonstandard).
Recall that Weak Kőnig's Lemma states that every infinite binary tree has an infinite branch. As it turns out, in that context to say that T is a tree is to say two things: (i) every standard natural number which is in the tree is the code of a binary sequence and (ii) if some standard σ is in the tree and the binary sequence coded by a standard element τ is an initial segment of the binary sequence coded by σ, then τ is also on the tree. The interpretation of being infinite is a formula saying that for every standard natural number σ there exists a standard element with length w which is in the tree. The proof then relies on showing that an element α, defined exactly as σ below and at w and 0 from there onwards can be turned into an infinite branch with the use of Idealization.
So, the interpretation of Weak Kőnig's Lemma crucially relies on the ability to manipulate trees and on Idealization. Of course, in our setting, we have an explicit (nontrivial) realizer for Idealization, so, in principle, it should be possible to give a realizer for Weak Kőnig's Lemma. However, that would require a whole reformulation of the framework in order to have an explicit access to trees instead of a noncomputational second-order quantification.
8.3. Horizons. The work done in this paper raises some natural questions of which we mention a few, as possible lines of investigation.
A first natural question comes from the fact that prior interpretations of nonstandard arithmetic, such as [BBS12,DG18,FG15] (and also [FO05] and [FN06] in a context that does not involve nonstandard arithmetic), restrict quantifiers by bounding the variables under their scope. It is then pertinent to ask whether this could be given a more computational interpretation as we do here, in order to see it as some kind of "computation up to (the bound)". A second possible path would be to reformulate our interpretations in order to account for classical logic by using control operators as is usual in Krivine's realizability [Kri09]. Alas, our attempts in that direction have not been very fruitful, mostly because Krivine's interpretation crucially relies on an orthogonality relation between terms and evaluation contexts (which is reminiscent of the duality of computation in classical logic [CH00]). In terms of the ultrafilter, this would require some sort of perfect balance to make the quotient compatible with this orthogonality relation which so far has eluded us. This is similar to the limitations pointed out in Section 7.2.
Thirdly, there is a very active line of research in realizability concerning the interpretation of various choice principles. In particular, the use of states or memoization has proven to be useful for interpreting dependent choice (e.g. in [BBC98], [Her12] or [CFT19], to name but a few) or Double Negation Shift (DNS) (in [Blo22], Blot uses an "update recursion" mechanism to realize DNS). At the same time, DNS is also interesting in itself as a non-intuitionistic principle. This is particularly relevant since our setting interprets (a version of) the LLPO principle, which means that we are somewhere between intuitionistic and classical logic. Furthermore, DNS is also known to be interpretable using bar recursion, which raises the question of knowing whether our interpretation could be compatible with such an operator.
Finally, we would like to mention that Brede and Herbelin's [BH21] establishes a hierarchy of choice principles, relating in particular tree-based choice principles and their dual bar induction-based principles. Many of the principles they study are not attached to a precise computational content so far, and so it would be interesting to see if there exist specific interpretations that could capture exactly each of these principles, and, in particular, "lower" instances of their generalized dependent choice or generalized bar induction principles.