Computing with Infinite Objects: the Gray Code Case

Infinite Gray code has been introduced by Tsuiki as a redundancy-free representation of the reals. In applications the signed digit representation is mostly used which has maximal redundancy. Tsuiki presented a functional program converting signed digit code into infinite Gray code. Moreover, he showed that infinite Gray code can effectively be converted into signed digit code, but the program needs to have some non-deterministic features (see also H. Tsuiki, K. Sugihara,"Streams with a bottom in functional languages"). Berger and Tsuiki reproved the result in a system of formal first-order intuitionistic logic extended by inductive and co-inductive definitions, as well as some new logical connectives capturing concurrent behaviour. The programs extracted from the proofs are exactly the ones given by Tsuiki. In order to do so, co-inductive predicates $\bS$ and $\bG$ are defined and the inclusion $\bS \subseteq \bG$ is derived. For the converse inclusion the new logical connectives are used to introduce a concurrent version $\S_{2}$ of $S$ and $\bG \subseteq \bS_{2}$ is shown. What one is looking for, however, is an equivalence proof of the involved concepts. One of the main aims of the present paper is to close the gap. A concurrent version $\bG^{*}$ of $\bG$ and a modification $\bS^{*}$ of $\bS_{2}$ are presented such that $\bS^{*} = \bG^{*}$. A crucial tool in U. Berger, H. Tsuiki,"Intuitionistic fixed point logic"is a formulation of the Archimedean property of the real numbers as an induction principle. We introduce a concurrent version of this principle which allows us to prove that $\bS^{*}$ and $\bG^{*}$ coincide. A further central contribution is the extension of the above results to the hyperspace of non-empty compact subsets of the reals.


Introduction
In investigations on exact computations with continuous objects such as the real numbers, objects are usually represented by streams of finite data. This is true for theoretical studies in the Type-Two Theory of Effectivity approach (cf. e.g. [We00]) as for practical research, where prevalently the signed digit representation is used (cf. [CG06,ME07,BH08]), but also others [ES98,EH02,Ts02]. In [Be11] it is shown how to use the method of program extraction from proofs to extract certified algorithms working with the signed digit representation in a semi-constructive logic allowing inductive and co-inductive definitions. In addition to producing correct algorithms, this approach allows reasoning in a representation-free way, as in usual mathematical practice. Concrete representations of the objects needed in computations are generated automatically by the extraction procedure. A detailed description of the logic (i.e. Intuitionistic Fixed Point Logic (IFP)) and the realisability approach used for extracting programs can be found in [BT21a].
In order to generalise from the different finite objects used in the various stream representations, the present authors [BS16] used the abstract framework of what was coined digit space, i.e. a bounded complete non-empty metric space X enriched with a finite set D of contractions on X, called digits, that cover the space, that is Digit spaces are compact and weakly hyperbolic, where the latter property means that for every infinite sequence d 0 , d 1 , . . . of digits the intersection n∈N d 0 • · · · • d n [X] contains at most one point [Ed96]. Compactness on the other hand, implies that each such intersection contains at least a point. By this way every stream of digits denotes a uniquely determined point in X. Because of the covering property it follows conversely that each point in X has such a code.
The framework has been generalised in [Sp21]. In both papers the proof of the main results required a strengthening of the covering condition in such way that of D(x) is a digit deciding the disjunction x ≤ 0 ∨ x ≥ 0. However, in the case x = 0 the realiser may be undefined. This provides a logical explanation why an infinite Gray code may contain an undefined digit. In [BT21a] it is shown that that S ⊆ G is provable in IFP and that the extracted algorithm is exactly the translation from signed digit representation into infinite Gray code given in [Ts02].
When trying to extract Tsuiki's translation in the opposite direction from a proof of G ⊆ S, one faces the obstacle that IFP, being based on traditional realisability, can only extract algorithms that are deterministic and sequential, while, as discussed above, an effective translation from infinite Gray code to the signed digit representation is necessarily non-deterministic and concurrent. To overcome this limitation of IFP, in [BT21b] an extension of IFP, Concurrent Fixed Point Logic (CFP), is developed. Its main novelty is a concurrency modality (A) indicating that realisers of A may be computed by two concurrent threads, where the result of the thread terminating first is taken as realiser and the other thread is discarded. More precisely, realisability of (A) is defined using a version of McCarthy's Amb [MC63]: Besides solving the above translation problem, the motivation for introducing this modality is the wish to provide a constructive interpretation of the law of excluded middle where B is a formula without computational content. The idea is that (lem) should be realised by Amb, since a realiser of the conclusion should be computable by running the given realisers of the two premises in parallel. In turns out that, to make this work, it is not enough to add the concurrency modality to the conclusion: one must also modify the premises to avoid false positives. This results in the rule where A B is a strengthening of the implication B → A, called restriction 1 , that guarantees that all its defined realisers are in fact realisers of A, independently of the truth value of B. More precisely, realisability for restriction is defined as whereas a r (B → A) Def = B → a r A. The definitions of realisability for the concurrency modality and restriction shown above are slightly simplified; for full definitions, see Section 5.
In [BT21b] the definition of S is modified by making use of the new modality for concurrency: S 2 (x) ν = ((∃d ∈ SD) II(d, x) ∧ S 2 (2x − d)), where II(d, x) Def = |2x − d| ≤ 1. In terms of realisability, S 2 (x) means that a signed digit representation of x is obtained through the concurrent computation of two threads. Now, S K ⊆ G K from which a translation between the respective representations of compact sets can be extracted, thus lifting the corresponding result in [BT21a] from points to the compact sets.
Finally, we also lift the equation S * = G * from points to compact sets. The definitions of the concurrent versions of S K (K) and G K (K) are obtained by putting stars at appropriate places (see Definition 9.9 and the beginning of Section 11): ) Our final result is the equation S * K = G * K which provides an equivalence of the concurrent signed digit and Gray code representations of non-empty compact sets.
An important proof tool in this work is Archimedean Induction (AI), a formulation of the Archimedean property for real numbers as an induction principle introduced in [BT21b]. In the present paper we introduce different version of this principle which are vital for all our main results. Let us briefly discuss the main ideas.
Common formulations of the Archimedean property are either not realisable (e.g. (∀x)(∃n ∈ N) |x| ≤ n), or don't have computational content (e.g. (∀x) ((∀n ∈ N) |x| < 2 −n ) → x = 0). In contrast, the classically equivalent principle of Archimedean Induction (cf. Section 6)) (∀x = 0) (|x| ≤ 1/2 → P (2x)) → P (x) (∀x = 0) P (x) (AI) inherits computational content from the (arbitrary) predicate P and is realised by general recursion. It is crucial that the variable x is not relativised to a predicate such as S that would yield a representation of x. A simple example of an application of (AI) is (∀x, y ∈ S) (x + y = 0 → (∃n ∈ N) (|x| > 2 −n ∨ |y| > 2 −n )), which one would normally prove using the Archimedean property (in the form without computational content), countable choice (AC ω ) and Markov's principle (MP). Using (AI) one needs neither (AC ω ) nor (MP). Roughly speaking, (AI) can be viewed as a combination of all those three principles that avoids speaking about infinite sequences. In this paper, we will use variants of (AI) and of the following classically equivalent but constructively slightly weaker form of (AI) which has another predicate B as parameter: An example is a variant where both premise and conclusion are made concurrent (cf. Definition 6.1): We also introduce versions of (AI) or (AIB) for compact sets (cf. Definition 9.1), signed digit represented compact sets (cf. Definition 9.5), and the restriction operator (cf. Definition 9.7). The paper is organised as follows: In Section 2 the definition of a digit space is recalled and extended Gray code introduced. Section 3 contains a short introduction to inductive and co-inductive definitions and the proof methods they come equipped with. The application to digit spaces is discussed as well. The next two sections give brief introductions to the logical systems used for program extraction. Section 4 deals with Intuitionistic Fixed Point Logic (IFP) and the kind of realisability used to generate programs. We follow [BT21a] except that in the case-construct of the programming language we permit clauses with overlapping patterns (see Section 4.2). In Section 5, the extension of IFP to Concurrent Fixed Point Logic (CFP) is discussed. The logic contains two new connectives from [BT21b] and corresponding proof rules. The rules are all realisable. We will derive further rules.
In Section 6 and 7, respectively, concurrent versions of Archimedean induction and the predicates S and G are introduced. These predicates are such that the realisers of their elements are signed digit and/or Gray code representations of the elements. The concurrent versions of both predicates are shown to coincide. From the proofs computable translations between the two representations can be extracted.
The remaining sections deal with non-empty compact subsets of the interval I. In Section 8 some facts presented in [BS16] about the representation of the non-empty compact subsets of a digit space by digit trees are recalled. These are finitely branching infinite trees. Their nodes are labelled with digits. The words along the infinite paths are codes of the elements of the represented compact set. In the special case of the non-empty compact subsets of I, the representation is one-to-one, if the elements of I are represented by infinite Gray code. Archimedean induction for the non-empty compact subsets of I is discussed in Section 9.
In Section 10 a predicate G K is co-inductively defined the realisers of which are Gray code representations of the non-empty compact subsets of I. A similar predicate S K was defined in the previous section with respect to the signed digit representation. It is shown that S K ⊆ G K . Just as in the point case, for the converse inclusion a concurrent version S * K of the predicate S K has to be considered. In Section 11, finally, a concurrent version G * K of the predicate G K is introduced and the equality S * K = G * K is derived. Again computable translations between the digital trees based on signed digit representation and Gray code representation, respectively, can be extracted from the proof.
Realisers are an important ingredient of the approach delineated so far: Results are derived by applying the logical rules of Concurrent Fixed Point logic as well as new rules provided in the paper. But the algorithms used in applications are obtained by following the proof rules and combining their realisers accordingly. For each of the results derived in the real number case, that is in Section 7, we will present the realisers obtained in this way. In the compact sets case we leave this to the reader as the proofs follow a pattern very similar to the point case.
A further crucial aspect of this work is abstraction: The logical language and proof calculus do not refer to the operational semantics of programs. Instead, operational soundness is guaranteed through a general computational adequacy theorem that applies to any concurrent operational semantics satisfying certain fairness requirements 2 [BT21b]. This means that extracted programs can be executed in any efficient concurrent execution model.

Digit Spaces
We review the concept of a digit space [BS16,Sp21] as a general model of computation with infinite streams of digits.
2 Committing to a fixed operational semantics would make concurrent logical rules and programming constructs reduncant since they could be sequentialised by familiar scheduling/dove-tailing techniques. Definition 2.1. Let (X, µ) be a non-empty compact metric space and E be a finite collection of contracting self-maps e : X → X.
The maps e will be called digits in this context. Note that, being a continuous map on a compact set, the metric µ is bounded. We identify a finite sequence of digits e = [e 0 , . . . , e n−1 ] ∈ E n with the composition e 0 • · · · • e n−1 and a digit e with the singleton sequence [e] ∈ E 1 . The set of all finite sequences of digits will be denoted by E <ω . Moreover, we let E ω be the set of all infinite sequences of elements of E and set for α ∈ E ω ,  Hence, for w ∈ SD ω and α w ∈ AV ω with α w (ν) . Therefore, we call (I, AV) signed digit space. It satisfies a stronger covering condition than (2.1), which is needed in the development of most of the theory presented in [BS16,Sp21]: (I, AV) is well-covering.
where int(e[X]) denotes the interior of e[X].
The other digit set we are going to consider leads to an important example of a digit space that is not well-covering.
Let GF Note that GC ω is an extension of finite Gray code to infinite words. By Proposition 2.3(2) we know that the metric topology on I is equivalent to the quotient topology induced by the coding map [[·]] G associated with (I, GF). Set Lemma 2.7. For α, β ∈ GF ω , α ∼ G β if, and only if, either α = β, or the following Properties (1-3) hold for some i ≥ 0: (1) For all j < i, α j = β j .
Proof. Without restriction assume that α = β and let i ≥ 0 be such that α <i = β <i , α i = g −1 and β i = g 1 . Moreover, let α i+1 = g 1 = β i+1 as well as α j = g −1 = β j , for all j > i + 1. Then we have for n > 0 that For the verification of the converse implication assume that α = β. Then there is a smallest i ≥ 0 so that α i = β i . It follows that either α i = g −1 and β i = g 1 , or conversely, α i = g 1 and β i = g −1 . Without restriction we only consider the first case.
where the multi-valued function g −1 ∪ g 1 is defined by (g −1 ∪ g 1 )(x) Note that in this case for Y ⊆ I, Let ⊥ ∈ GC be a new symbol (⊥ for unspecified ) and g ⊥ Set GF = {g ⊥ , g −1 , g 1 } and define Φ : The elements of G Def = range(Φ) are called modified Gray code expansions of the real numbers in I, or just Gray code [Ts02] 3 . Topologise G with the topology co-induced by Φ. As we have seen earlier in this section, GF ω also possesses a canonical metric. Its restriction to G will be denoted by δ, whereas δ denotes the corresponding metric on GF ω . For n ≥ 0, α ∈ G and α ∈ GF ω , let B δ ( α, 2 −n ) and B δ (α, 2 −n ) be the balls in G and GF ω , respectively, of radius 2 −n around α and α.
Proposition 2.10. The metric topology on G is equivalent to the topology co-induced by Φ.

Inductive and co-inductive definitions
Let X be a set and P(X) its powerset. An operator Φ : Since P(X) is a complete lattice, every monotone operator Φ has a least fixed point µΦ ∈ P(X) by the Knaster-Tarski Theorem. We often write instead of P = µΦ. µΦ can be defined to be the least Φ-closed subset of X. Thus, we have the induction principle stating that for every Y ⊆ X, Dual to inductive definitions are co-inductive definitions. A subset Y of X is called Φ-co-closed (or a post-fixed point of Φ) if Y ⊆ Φ(Y ). By duality, every monotone Φ has a largest fixed point νΦ which can be defined as the largest Φ-co-closed subset of Φ. So, we have the co-induction principle stating that for all Y ⊆ X, Note that for P ⊆ X we also write For monotone operators Φ, Ψ : P(X) → P(X) define It is easy to see that the operation ν is monotone, i.e., if Φ ⊆ Ψ, then νΦ ⊆ νΨ. This allows to derive the following strengthening of the co-induction principle.
Lemma 3.1 (Strong Co-induction Principle [BT21a]). Let Φ : P(X) → P(X) be a monotone operator. Then: The proof is dual to the proof of the strong induction principle in [BT21a,Sp21].
Note: If Φ is the identity, then this is the half-strong co-induction principle from [BT21a]. For a proof of that special case see [Sp21]. We will specialise generalised half-strong coinduction to a concurrent setting in Section 5 and use it in Section 7.
Example 3.4 (The set of non-empty finite subsets of a set). Let Y be a subset of a set X. Define Φ Y : P(P(X)) → P(P(X)) by and let P fin (Y ) Def = µΦ Y . Then P fin (Y ) is the set of all non-empty finite subsets of Y .
Example 3.5 (Digit Spaces). Digit spaces can be characterised co-inductively. Define C X ⊆ X by C X (x) ν = (∃e ∈ E)(∃y ∈ X) x = e(y) ∧ C X (y), i.e. C X = νΦ X , where for Z ⊆ X, Note here that we may consider subsets A ⊆ X as unary predicates and write A(x) instead of x ∈ A.
If all digits e ∈ E are invertible, a slightly more comfortable characterisation can be given. Define C X ⊆ X by Lemma 3.7. Let (X, E) be a digit space with only invertible digits. Then C X = C X .
Proof. Both inclusions follow by co-induction. Let x ∈ C X . Then there exists e ∈ E so that x ∈ range(e) and C X (e −1 (x)). It follows for y = e −1 (x) that x = e(y) and C X (y), which shows that C X ⊆ Φ X (C X ). Hence, C X ⊆ C X .
Conversely, let x ∈ C X . Then there are e ∈ E and y ∈ X with x = e(y) and C X (y). It follows that x ∈ range(e) and C X (e −1 (x)). Thus, C X ⊆ C X .
Classically the set C X is rather uninteresting, but constructively it is significant, since from a constructive proof that x ∈ C X one can extract a stream α of digits such that where for i ∈ SD and x ∈ I, I(i, x) Def = |2x − i| ≤ 1, and Note that range(g −1 ) = [−1, 0] and range(g 1 ) = [0, 1]. Moreover, the functions 1 − 2(−x) and 1 − 2x, respectively, form the left and the right branch of the tent function t(x) Def = 1 − 2|x|. Hence the right-hand side in (3.2) is equivalent to However, the last disjunction is not decidable as the test for 0 is not computable. Since we want to work in a logic that allows extracting computable content from disjunctions, a (classically) equivalent formula of what we have just obtained is preferable Example 3.8 (Well-founded induction). The principle of well-founded induction is an induction principle for elements in the accessible or well-founded part of a binary relation ≺. As shown in [BT21a], it is an instance of strictly positive induction. The accessible part of ≺ is inductively defined by Therefore, the principle of well-founded induction, which states that a progressive predicate holds on the accessible part of ≺, is a direct instance of the rule of strictly positive induction: In most applications P is of the form A → Q. The progressivity of P → Q can equivalently be written as progressivity of P relativised to A,

and the conclusion becomes
Dually to the accessibility predicate one can define for a binary relation a path predicate With the axiom of choice and classical logic it can be shown that ¬Path ≺ (x) implies Acc ≺ (x).

Extracting algorithmic content from co-inductive proofs
In this section we recast the theory of digit spaces in a constructive setting with the aim to extract programs that provide effective representations of certain objects or transformations between different representations. As the main results on this basis we will obtain effective transformations between the signed digit and the Gray code representations of I and the hyperspace of non-empty compact subsets of I, respectively, showing that the two representations are effectively equivalent. The method of program extraction is based on a version of realisability, and the main constructive definition and proof principles will be induction and co-induction. The advantage of the constructive approach lies in the fact that proofs can be carried out in a representation-free way. Constructive logic and the Soundness Theorem automatically guarantee that proofs are witnessed by effective and provably correct transformations on the level of representations.
4.1. The formal system IFP. As basis for program extraction from proofs we use Intuitionistic Fixed Point Logic (IFP) [BT21a], which is an extension of many-sorted first-order logic by inductive and co-inductive definitions, i.e., predicates defined as least and greatest fixed points of strictly positive operators. Here, an occurrence of an expression E is strictly positive (s.p.) in an expression F if that occurrence is not within the premise of an implication, and a predicate P is strictly positive in a predicate variable X if every occurrence of X in P is strictly positive. Strict positivity is a simple and sufficiently general syntactic condition that ensures monotonicity and hence the existence of these fixed points, as discussed in Section 3.
Relative to the language specified the following kinds of expression are defined: Formulas A, B: Equations s = t (s, t terms of the same sort), P ( t) (P a predicate which is not an abstraction, t a tuple of terms whose sorts fit the arity of P ), conjunction Predicates P, Q: Predicate variables X, Y, . . . (each of fixed arity), predicate constants, abstraction λ x. A (arity given by the variable tuple x), µΦ, νΦ (arities = arity of Φ). Operators Φ: λX. P where P must be strictly positive in X and the arities of X and P must coincide. The arity of λX. P is this common arity.
Falsity is defined as False Def = µ(λX. X)() where X is a predicate variable of arity (). Program extraction is performed via a 'uniform' realisability interpretation (Section 4.4). Uniformity concerns the interpretation of quantifiers: A formula (∀x) A(x) is realised uniformly by one object a that realises A(x) for all x, so a may not depend on x. Dually, a formula (∃x) A(x) is realised uniformly by one object a that realises A(x) for some x, so a does not contain a witness for x. Expressions (formulas, predicates, operators) that contain no disjunction and no free predicate variables are identical to their realisability interpretations and are called non-computational (nc). A slightly bigger class of expressions are Harrop expressions. These may contain disjunctions and free predicate variables but not at strictly positive positions. A Harrop formula may not be identical to its realisability interpretation, however they have at most one realiser which is trivial and which is represented by the program constant Nil (see Sections 4.2 and 4.4).
We highlight some feature that distinguish IFP from other approaches to program extraction. Classical logic: Although IFP is based on intuitionistic logic a fair amount of classical logic is available. Soundness of realisability holds in the presence of any non-computational axioms that are classically true. This can be extended to Harrop axioms whose realisability interpretations (see 4.4) are classically true. Sets: We add for every sort s a powersort P(s) and a (non-computational) element-hood relation constant ε of arity (s, P(s)). In addition, for every Harrop formula A(x) the comprehension axiom (∃u)(∀x)(x ε u ↔ A(x)) is added. (A(x) may contain free variables other than x.) The realisability interpretation of such a comprehension axiom is again a comprehension axiom and can hence be accepted as true. We will use the notation { x | A(x) } for the element u of sort P(s) whose existence is postulated in the comprehension axiom above. Hence, we can define the empty set ∅ Note that the informal notion of 'set' used in Section 3 is represented in the formal system IFP in three different ways: (1) Sorts are names for abstract 'ground' sets. For example, s is a name for the abstract set of real numbers. (2) Terms of sort P(s) denote subsets of the ground set denoted by s. Elements of sort P(s) can be defined by comprehension, {x | A(x)}, which is restricted to nc formulas A(x).
(3) Predicates are expressions denoting subsets of the ground sets. Predicates can be constructed by λ-abstraction, λx .
can be any formula. By 'set' we will mean in the following always (2), that is 'element of sort P(s)'. The three concepts form an increasing hierachy since the sort s corresponds to the set {x | True} and every set u corresponds to the predicate λx . x ε u. Note that x ε u is an nc formula while x ∈ P (which is synonym for P (x)) has computational content if the predicate P has.
To clarify the distinction we formally recast the definition of 'the set of finite subsets of a set' (Example 3.4), which should now rather be called 'the predicate of finite subsets of a predicate': Let P be a predicate of arity (s) (s and P correspond to X and Y in 3.4). We define the predicate P fin (P ) of arity (P(s)) as µ Φ P where the operator Φ P of arity (P(s)) is defined as Φ Abstract real numbers: In formalising the theory of real numbers, e.g., the set R of real numbers is regarded as a sort ι. A predicate N with N(x) if the real number x is a natural number, is introduced by induction as in Example 3.3. All arithmetic constants and functions we wish to talk about are admitted as constant or function symbols. The predicates =, < and ≤ are considered as non-computational. As axioms, any true disjunction-free formulas about real numbers can be chosen. As such, the axiom system A R consists of a discunction-free formulation of the axioms of real-closed fields, equations for exponentiation, the defining axiom for max, stability of =, ≤, <, as well as the Archimedean property AP about the non-existence of real numbers greater than all natural numbers, and Brouwer's Thesis for nc predicates Compact sets: In order to be able to deal with the hyperspace of non-empty compact subsets of the compact real interval [−1, 1], we also add a predicate constant K of arity (P(ι)) to denote the elements of that hyperspace. We also add an axiom for the finite intersection property stating that the intersection of the members of a descending sequence in K is not empty. Partial computation: Like the majority of programming languages, IFP's language of extracted programs admits general recursion and therefore partial, i.e., non-terminating computation. Infinite computation: Infinite data, as they naturally occur in exact real number computation, can be represented by infinite computations. This is achieved by an operational semantics where computations may continue forever outputting arbitrarily close approximations to the complete (infinite) result at their finite stages.
The proof rules of IFP include the usual natural deduction rules for intuitionistic first-order logic with equality. In addition there are the following rules for strictly positive induction and co-induction: the closure and co-closure of the least and greatest fixed point, respectively, stated as assumption-free rules, and the induction as well as the co-induction principle.
where D → D is the domain of continuous functions from D to D, + denotes the disjoint sum of partial orders, and (·) ⊥ adds a new bottom element. Nil, Left, Right, Pair and Fun denote the injections of the various components of the sum into D. Nil, Left, Right, Pair (but not Fun) are called constructors. D carries a natural partial order with respect to which it is a countably based Scott domain (domain for short), that is a bounded-complete algebraic directed-complete partial order with least element ⊥ and a basis of countably many compact elements [GHKLMS03]. Besides the PCA structure the algebraicity of D will be used, that is, the fact that every element of D is the directed supremum of compact elements. Compact elements have a strongly finite character. The finiteness of compact element is captured by their defining property, saying that d ∈ D is compact if for every directed set A ⊆ D, if d A, then d a for some a ∈ A, and the existence of a function assigning to every compact element a a rank, rk(a) ∈ N, satisfying rk1 : If a has the form C(a 1 , . . . , a k ) for a data constructor C, then a 1 , . . . , a k are compact and rk(a) > rk(a i ), Elements of D are denoted by programs which are defined as in [BT21a] except that the case construct is more general since it allows overlapping patterns. For example, it is now possible to define the function parallel-or [Pl77] which is not possible in the programming language defined in [BT21a]. We will need this greater expressivity in Section 5. Formally, Programs are terms M, N, . . . of a new sort δ built up as follows: where in the case-construct the Cl i are pairwise compatible clauses (see Definition 4.1 below). A clause is an expression of the form P → N where P is a pattern and N is a program. A pattern is either a constructor pattern or a function pattern. A constructor pattern is a program built from constructors and variables such that each variable occurs at most once. Function patterns are of the form fun(a) where a is a program variable.
Compatibility of clauses can be decided efficiently since it is enough to consider most general unifiers θ 1 and θ 2 .
The variables in P are considered as binders. Hence, the free variables of a clause P → N are the free variables of N that do not occur in P .
In [BT21a] only simple patterns containing one occurrence of one constructor are considered and two clauses are required to have different constructors. This is equivalent to allowing arbitrary pattern but requiring different clauses to have non-unifiable pattern.
Programs that are α-equal will be identified. Moreover, we will write a Except for the case-construct, the denotational semantics of programs in D is defined as in [BT21a]. To define the denotation case M of { Cl} we first define when a domain element d matches a pattern P and, if it does, the matching environment which has as domain the variables of the pattern. ( Due to the compatibility condition the denotation is independent of the choice of the matching clause. This follows from the fact that two patterns P 1 , P 2 are unifiable if and only if they have a common match and the most general unifiers are in a one-to-one correspondence with the matching environments of the common match. The following small-step operational semantics of closed programs is similar to the one in [BT21a]. The difference is due to the more general case expressions. i where in fix α. ρ the type ρ must be strictly positive in α. Types are interpreted by subdomains of D in an obvious way. The idea is that for a formula A, τ (A) is the type of potential realisers. Expressions without computational content will receive type 1.
4.4. Realisability. Next, we define the notion that a program a : τ (A) is a realiser of a formula A. In order to formalise this notion and to provide a formal proof of its soundness, Berger and Tsuiki [BT21a] introduced an extension RIFP of IFP which in addition to the sorts of IFP contains the sort δ, denoting the domain D. For each IFP formula A they define an RIFP predicate R(A) of arity (δ) that specifies the set of domain elements that realise A. Similarly, for every non-Harrop predicate P of arity ( σ) a predicate R(P ) of arity ( σ, δ), and every non-Harrop operator Φ of arity ( σ) an operator R(Φ) of arity ( σ, δ) is defined. Note that instead of R(A)(a) we also write a r A. Moreover, we write r A to mean (∃a) a r A.
Simultaneously, H(B) is defined, for Harrop formulas B, which expresses that B is realisable, however with trivial computational content Nil. More precisely, we define a formula H(A) for every Harrop formula A, a predicate H(P ) for every Harrop predicate P , and an operator H(Φ) for every Harrop operator Φ. H(P ) and H(Φ), respectively, will be of the same arity as P and Φ.
For the last line recall that a predicate P is X-Harrop, if P is strictly positive in X and P [X/X] is Harrop forX a predicate constant associated with X. In this situation H X (P ) stands for H(P [X/X])[X/X]. The idea is that H X (P ) is the same as H(P ) but considering X as a (non-computational) predicate constant. Example 4.7 (Realiser of induction and co-induction). Set Note that if f : ρ → σ and g : σ → σ , then g • f : ρ → σ , and if f 1 : ρ 1 → σ and f 2 : Note also that for a s.p. non-Harrop operator Φ, and a non-Harrop predicate P .
realises P ⊆ νΦ. This means that the realiser is a function f : P → νΦ defined recursively by  If one wants to apply this theorem to obtain a program realising formula A one must provide terms K 1 , . . . , K n realising the assumptions in ∆. Then it follows that the term M (K 1 , . . . , K n ) realises A, provably in RIFP. Because the program axioms of RIFP given in [BT21a] are correct with respect to the denotational semantics, a further consequence is that M (K 1 , . . . , K n ) is a correct realiser of A.
That realisers do actually compute witnesses is shown in [BT21a] by two Computational Adequacy Theorems that relate the denotational definition of realisability with a lazy operational semantics.

Computationally motivated logical connectives
Non-termination is a natural and fundamental phenomenon in computation. It is denotationally modelled in domain theory [GHKLMS03] and a logical account of it is Scott's logic with an existence predicate [Sc79]. The Minlog system [Min11] supports the extraction of programs that may or may not terminate and keeps control of potential partiality through a logic with totality degrees. A limitation of programs extracted from proofs in Minlog, or other systems such as Coq [Let02], is that they are sequential. Having the possibility of running computations concurrently, on the other hand, can be very useful to get around partiality.
If, e.g., M and N are two programs known to realise formula A under the assumption that condition B or ¬B holds, respectively, then at least one of them is guaranteed to terminate. So running them concurrently and picking the result obtained first, will lead to a result realising A, provided that if M or N terminates then it realises A.
To capture realisability restricted to a condition as described above, we follow the approach in [BT21b] and extend in Section 5.1 IFP by a propositional connective A B ("A restricted to B") which, for nc-formulas B, has a similar meaning as the formula B → A but behaves slightly differently (and better) with respect to realisability: While a realiser of B → A is a program that realises A if B holds but otherwise provides no guarantees, a realiser of A B is a program p that terminates and realises A if B holds, but even if B does not hold, p will realise A provided p terminates. In order to behave well, the formation of A B is restricted to formulas A satisfying a syntactic condition called productivity (defined in Section 5.1) that guarantees that only terminating programs can realise A.
In Section 5.2 we introduce the concurrency modality (A) from [BT21b] with the crucial rule that makes precise the above intuition. We also prove the realisability of a couple of further rules that say how interacts with other logical connectives.
Finally, in Section 5.3, we introduce a new concurrency modality, * (A), which inherits most of the properties of (A) but in addition has realisable rules corresponding to a monad. This new modality will be used in Section 7 to define concurrent versions of the signed digit representation and infinite Gray code which are constructively equivalent.

Restriction A B . Following [BT21b], we introduce restriction, A B , where
A is required to be productive 4 , that is, every implication and restriction in A has to be part of a Harrop formula or a disjunction. In particular, Harrop formulas and disjunctions are always productive. The reason why A is required to be productive is that this ensures that A has only defined realisers, that is ⊥ does not realise A.
The definition of the Harrop property is extended by demanding that Harrop formulas must not contain a restriction at a strictly positive position. In particular, restrictions are not Harrop. Realisability for restrictions is defined as → a r A). 4 Observe that in [BT21b] the notion "strict" is used instead of "productive". Note that if A is a Harrop formula, then a r A B is equivalent to the formula ∧ H(A)).
The type of restriction is τ (A B ) Def = τ (A). To gain some intuition suppose that a closed program M realises A B . Since closed programs denote a value different from ⊥ exactly if they reduce to whnf, one has: (i) If B is realisable, then M reduces to whnf. (ii) If M reduces to whnf, then M realises A (even if B is not realisable). In this sense, one has partial correctness of M with respect to the specification A. The distinction between A B and B → A regarding realisability is carefully discussed in [BT21b].
Sometimes, we need to get rid of the productivity requirement. This can be achieved by considering formulas of kind A ∨ False instead of just A. By definition, A ∨ False is always productive. Moreover, a r A, exactly if Left(a) r A ∨ False. Note here that False has no realiser. This leads us to the following unrestricted version of the restriction connective Since the realisers of such formulas are more complicated than those in the productive case, we keep both versions of the restriction connective. It should be clear from the definition that all statements in this paper about the realisability of rules for the restriction connective also hold for the unrestricted version u .
The following derivation rules concerning restriction are added to IFP: Lemma 5.1 [BT21b]. The rules for restriction are realisable, provably in extended RIFP. Hence, Soundness Theorem 4.9 remains valid for the extension of IFP by restriction, however, classical logic is needed to derive the correctness of realisers.
Note that the last two rules have not been considered in [BT21b]. As is easily verified, Rule ( -absorb) is realised by λa. Lemma 5.2 [BT21b]. The following rule is derivable from the rules for restriction: The rule is realised by λf. λa. f ↓a. To see this assume that a r A B and f r (A → A ). We have to show that f ↓a r A B . Suppose first that r B. Then a = ⊥ and hence by definition of f ↓, f ↓a = f a. We need that f a = ⊥. Here, the productivity requirement for the restriction connective comes into play: A needs to be productive and since f a r A , we have that f a = ⊥, as was to be shown. Next, suppose that f ↓a = ⊥. Then a = ⊥ as well, by definition of f ↓. Therefore, a r A. It follows that f a r A . Since a = ⊥, we moreover have that f ↓a = f a. Thus, f ↓a r A .

McCarthy's Amb and the concurrency modality (A).
To deal with concurrency, [BT21b] introduced a further constructor Amb(a, b) indicating that its arguments a, b need be evaluated concurrently in order to obtain one of the results even if the other one is not terminating. The domain D now has to satisfy the domain equation The programming language is extended by a constructor Amb which denotes the constructor Amb in the domain D. Hence, denotationally, the constructor Amb is an exact copy of Pair, that is, it acts like a lazy pairing operator. Only the operational semantics interprets a program Amb(M, N ) as a concurrent computation of M and N until one of them is reduced to whnf. This is formalised by the following (non-deterministic) relation The deterministic relation which c extends is now to be understood with respect to all constructors, including Amb. The intuition of c is that a program is first deterministically evaluated using . If a program of the form Amb(M 1 , M 2 ) is obtained, deterministic computation continuous in parallel with M 1 and M 2 . As soon as one of the two programs reach a whnf, the other may be discarded using Rule (cii). Rule (ciii) says that the computation can be carried out inside (nested) data constructors. Note that rule (cii) cannot be applied to proper subterms of a term Amb(M 1 , M 2 ) since the only way of reducing Amb(M 1 , M 2 ) with a rule other than (cii) is by Rule (ci) and Rule (vi) of . This ensures that at any point only two concurrent threads are needed to carry out the computation. For the reductions to yield the desired result (see [BT21b], Theorems 1 and 2), fairness conditions must be imposed. For example, if in Amb(M 1 , M 2 ) at least one of the M i is hnf, then Rule (cii) will eventually be applied. In [BT21b] slighty more general (and more complicated) but essentially equivalent rules are given which facilitate the formalisation of the fairness condition and allow parallel threads to be evaluated at differend 'speeds'. To indicate at the logical level that a realiser of a formula A may be computed concurrently, a new modality (A) was introduced in [BT21b] where, again, the formula A is 1:28

D. Spreen and U. Berger
Vol. 19:3 required to be productive. For a non-Harrop formula A realisability is defined as Thus, a realiser of (A) is a pair of candidate realisers a and b at least one of which denotes a defined value and all of a and b which are defined values are correct realisers. In particular, if a and b are both defined, then they are both correct realisers. Therefore, by running the two programs for the candidates a and b concurrently and taking the one which becomes defined (i.e. a whnf) first, it is guaranteed that we obtain a correct result. Hence, we can safely stop the other process. IFP is once more extended by adding the following derivation rules. The logical system thus obtained is called Concurrent Fixed Point Logic (CFP).
Note that the last three rules have not been considered in [BT21b].
Lemma 5.3. The rules for the concurrency modality are realisable.
Proof. The realisability of the first four rules has been shown in [BT21b]. It remains to consider the last three rules. It is easy to see that ( --absorb) is realised by the identity function: Assume c r (A B ). Then c = Amb(a, b). Furthermore, a = ⊥ or b = ⊥, and in the first case a r A B while in the second case b r A B . We show that c r (A). By the facts we know about c, it suffices to show that if a = ⊥ then a r A (and similarly for b). But if a = ⊥, then a r A B and hence a r A.
Next, we show that Rule ( --∨) is realised by where Amb LR (u, v) (1) Assume B ∨ D is realisable. Then B or D is realisable. Without restriction assume r B. Then a = ⊥ and hence Left↓a = Left(a) and g a b = Amb(Left(a), Right↓b) = ⊥.
( We summarise the realisers obtained by displaying the rules above with their realisers. We restrict Rule ( -mon) to the most interesting cases where A and B are both non-Harrop. In this case we need for the rule the program where g, h are as defined in the proof. Lemma 5.4. The following rules are derivable in CFP: Proof. Rules ( -∨-elim) and ( -∨-elim-or ) have already been considered in [BT21b]. The Rules ( -∨-dist) and ( -∧-dist) are easy consequences of the Rules ( -return) and (mon).
Let us again display the rules with their realisers.
where g i d Note that * (A) is defined for arbitrary formulas A (not only productive ones) since in its definition is applied to a disjunction. As follows from the definition, we have for c : δ, As we will see next, in case of the iterated concurrency modality the following analogue of Rule ( --intro) modality is realisable. Again A 0 , A 1 , B are required to be Harrop: Left(Right(Nil)) → Nil; Lemma 5.5. Assume A = A 0 ∨ A 1 where A 0 and A 1 are Harrop formulas.  We prove this by induction on the rank of c. The proof is in large parts similar to the proof of (2). Let c be compact and assume h + c = Amb(a , b ). Then c = Amb(a, b) with f * a Nil f * b = Nil, a = f * a g a and b = f * b g b. Since f * a Nil f * b = Nil, it This can be easily shown by induction on the maximum of the ranks of a 0 and b 0 . Now, we are able to derive the result on Rule ( * --intro) we are aiming for. Right(e ) → Right(h 2 d e )}; Lemma 5.7.
Proof. Both statements are shown by s.p. induction.
(1) Assume that d r A and c r * Amb(a , b ) with a = f * ā g dā and b = f * b g db. Since f * ā In Case (ii) we have q r * (B). By the induction hypothesis we therefore obtain that (2) Now, suppose that c 1 r A and c 2 r B. Then  In Case (ii) we have that d r * (A) and hence by the induction hypothesis that Corollary 5.8. Rule ( * -∧-intro) is realised by h 1 .
Lemma 5.9. The following rules for the iterated concurrency modality are derivable: *  The subsequent list contains realisers for the rules in the above lemma extracted from their proofs.
A further useful rule that we will use in the sequel is a concurrent version of half-strong co-induction.

Concurrent Archimedean induction
A powerful tool in the investigation in [BT21a,BT21b] of the relationship between the signed digit representation and infinite Gray code is Archimedean induction, which is the Archimedean principle formulated as an induction rule: In IFP Rule(AI) is deduced as a special case of well-founded induction (cf. [BT21a]). A useful variant is: In what follows a concurrent version of the Rule (AIB) is needed.
Definition 6.1. Iterated concurrent Archimedean induction is the rule where B and P are non-Harrop predicates.
). To complete the proof, it clearly suffices to show that if x = 0 and w realises * (C(x)), then a w realises * (P (x)). Let We use Rule (AI) to prove that (∀x = 0) Q(x).
Let x = 0. The Archimedean induction hypothesis is We show Q(x) by a side induction on the definition of w r * (C(x)). Hence we assume w r * (C(x)), that is, w r (C(x) ∨ * (C(x))), and have to derive that a w realises * (P (x)). Thus, w = Amb(u, v) and a w = Amb(s ↓u, s ↓ v). Furthermore, u = ⊥ or v = ⊥, hence s ↓u = s u or s ↓v = s v. Moreover, for k ∈ {u, v}, if k = ⊥ then k r (C(x) ∨ * (C(x))) .
For what follows, we extend CFP again by adding Rule (CAIB * ).

Concurrent signed digit and Gray codes
We first briefly formalise the definitions given in Section 3 in IFP and CFP, respectively. For details the reader is referred to [BT21a,BT21b].
Define the IFP predicates SD(x) and S(x) as follows In the sequel the three digits −1, 1, 0 will be identified with their realisers, which are programs of type 3. For the predicate S(x) we obtain The realisers of S(x) are hence streams of digits -1, 0, 1. Let us next consider the Gray code case. Define where types are τ (B) = τ (D) = 2 with 2 Def = 1 + 1, and τ (G) = 2 ω . Then the predicates D(x) and G(x) are realised as follows Since an infinite Gray code may contain a ⊥, a sequential access of the sequence from left to right will diverge when it accesses a ⊥. However, because at most one ⊥ is contained in each sequence, if one evaluates the first two cells concurrently, then at least one of the two processes is guaranteed to terminate. On the basis of this idea Berger and Tsuiki [BT21b] showed that a concurrent algorithm converting infinite Gray code into signed digit representation can be extracted from a CFP proof. To this end a concurrent variant of the predicate S is introduced S 2 (x) means that a signed digit representation of x is obtained through the concurrent computation of two threads. Note that τ (S 2 ) = fix α. A(3 × α).
This result expresses the fact that, as explained above, when computably translating from Gray code to signed digit representation one needs to allow for computations to be carried out concurrently, which, however is not the case for the converse translation from signed digit representation to Gray code. On the other hand the result is not completely satisfying, as one would like to see under which conditions both representations are computably equivalent.
To achieve a result of this kind we have to introduce concurrent Gray code. In addition we have to allow for iterated concurrent computations. Define For the concurrent signed digit representation we have a) . Pair(d, f a)), and On the other hand, for the concurrent infinite Gray code we have We see that a realiser of G * (x) is simply an ordinary infinite stream (where the consoperation is the deterministic constructor Pair) of non-deterministic partial binary digits, whereas a realiser of S * (x) is something that could be called a non-deterministic stream (where the cons-operation is non-deterministic) given by a pair of concurrent computations at least one of which will yield a head, which is signed digit, and a tail, which is again a non-deterministic stream. Consequently, the function mon τ (Φ G * ) is much simpler than mon τ (Φ S * ) .
Our next goal is to show that S * = G * . Note that iterated concurrent computations also occur in the case of S 2 , which can be seen by unfolding the co-inductive definition.
Because of Rule ( * -mon) it suffices to prove that Let z ∈ SD. We show that (2) Let Q We use concurrent half-strong co-induction (Lemma 5.10) to show that Q ⊆ S * . This means that we have to prove that By the definition of Q we therefore have to show for x, y with y = t(x) that * Because of the monotonicity and return rules for * , it suffices to prove that for x, y, with y = t(x) and z ∈ SD that which follows by case distinction: Case z = −1 We have that x ∈ [−1, 0] and S * (2x + 1). Since 2x + 1 = t(x) = y in this case, it follows that S * (y).
We will use strong co-induction to show that P ⊆ G * . To this end it needs to be shown that P(y) → D * (y) ∧ (P(t(y)) ∨ G * (t(y))).
Assume that P(y). Then y = −x for some x ∈ G * . It follows that D * (x) and G * (t(x)). The first property implies that D * (−x), that is D * (y). Moreover, since t(x) = t(−x), we also have G * (t(y)).
The statement (∀x) (G * (x) → G * (−x)) is realised by Proof. By case distinction on d we show that Therefore, assume that G * (x). Then D * (x) and G * (t(x)).
Then we obtain with Rule ( * is realised by the function h + as defined in Lemma 5.6. The converse implication is realised by the identity. Lemma 7.9. G * (x) → * ((∃z) SD(z) ∧ II(z, x)).

The compact sets case
As is well known, the collection K(X) of non-empty compact subsets of a non-empty compact metric space is a compact space again with respect to the Hausdorff metric µ H .
Definition 8.1. Let (X, E) be a digit space. A digital tree is a nonempty set T ⊆ E <ω of finite sequences of digits that is downwards closed under the prefix ordering and has no maximal element, that is, [] ∈ T and whenever [e 0 , . . . , e n ] ∈ T , then [e 0 , . . . , e n−1 ] ∈ T and [e 0 , . . . , e n , e] ∈ T for some e ∈ E.
Let T E denote the set of digital trees with digits in E. Note that each such tree is finitely branching as E is finite. Moreover, every element [e 0 , . . . , e n−1 ] ∈ T can be continued to an infinite path α in T , that is, α ∈ E ω is such that α i = e i , for i < n, and [α 0 , . . . , α k−1 ] ∈ T for all k ∈ N. In the following we write α ∈ [T ] to mean that α is a path in T , and by a path we always mean an infinite path.
[T ] is a non-empty compact subset of E ω , for every tree T ∈ T E , and conversely, for every non-empty compact subset C of E ω , C = [T C ], where For T ∈ T E and n ≥ 0, let T ≤n be the finite initial subtree of T of height n. Then Every such initial subtree defines a map f T,n : X → P(X) from X into the powerset of X in the obvious way: The metric defined on E ω in Section 2 can be transferred to T E . As we will see next, it coincides with the Hausdorff metric.
Lemma 8.4 [BS16]. For S, T ∈ T E , As a consequence of Lemma 8.3 we have for trees T 1 , T 2 ∈ T E that Lemma 8.7. Let T 1 , T 2 ∈ T E be full. Then Proof. We have that The converse implication holds trivially, as (| · |) is a map.
Lemma 8.8. Let T ∈ T E and C be a non-empty compact subset of E ω . Then the following two statements hold: 1. If T is full, then [T ] is a non-empty compact subset of E ω that is closed under ∼.
2. If C is closed under ∼, then T C is full.

By Proposition 2.4, [[·]
] is a bijection between E ω /∼ and space X. So, if C is a non-empty compact, and hence closed, subset of X, [[·]] −1 [C] is a non-empty closed subset of E ω /∼.
] is a non-empty closed, and thus compact, subset of E ω , which in addition is closed under ∼. It follows that T C is a full tree in T D with [[T C ]] = C.
Let T f E be the subspace of full trees in T E .
Proposition 8.9. (| · |) : T f E → K(X) is one-to-one and onto. This shows that K(X) can be represented in straightforward one-to-one way without requiring that X is represented in this way. For the special case of the real interval I and Gray code we have seen in Section 2 that [[·]] : G → I is one-to-one. Hence, every digital tree T ∈ T GF with [T ] ⊆ G is full.

Archimedean induction for compact sets
Archimedean induction is a formulation of the Archimedean property as an induction principle introduced in [BT21a]. It turned out quite a powerful proof tool. We will now lift this induction principle to the case of non-empty compact sets. Let Z(x) be the predicate stating that x is an integer. Moreover, for K : P(ι) and n ∈ Z define Here, K is a predicate constant denoting the set of non-empty compact subsets of the compact interval II Def = [−1, 1] (see Section 4.1).
Lemma 9.2. Acc ≺ (K) if and only if K ∈ K 0 .
The 'if' part reduces, by BT nc , to the implication K ∈ K 0 → ¬Path ≺ (K). Therefore, we assume K ∈ K 0 and Path ≺ (K) with the aim to arrive at a contradiction. Recall that Hence by unfolding Path ≺ (K) we can construct a decreasing sequence (K n ) n∈N ⊆ K such that K 0 = K and for all n ∈ N, |K n | ≤ 2 −n .
Since K is compact, there exists x ε n∈N K n . Then |x| ≤ 2 −n , for all n ∈ N. By the Archimedean axiom, x = 0, hence 0 ε K, contradicting our assumption. Proposition 9.3. Archimedean induction for compact sets (AIC) is derivable in IFP(A R ) and realised by rec .
Proof. It remains to show the second statement. Note that both ≺ and the predicate K 0 (K) are Harrop. Moreover, let s realise the premise of Rule (AIC). Then s also realises Prog ≺,K 0 . Therefore, it follows with the result in Example 4.8 that rec s realises Acc ≺ ∩ K 0 ⊆ P which is equivalent to the conclusion of the rule.
In applications, Archimedean induction is mostly used for compact sets that are generated in a particular way and therefore come with a special kind of realisers. Here, we are interested in the case that non-empty compact sets are represented by signed digit code.
Definition 9.4. We define the analogue of the signed digit representation for compact sets as As follows from the definition of realisability, the type τ (S K (K)) of realisers of the formula S K (K) is given by τ (S K (K)) = fix α.
which is essentially the set T SD of all digital trees.
In the case of non-empty compact sets with property S K the Archimedean induction rule can be much simplified. Let S 0 K denote the set of all K ∈ S K with 0 ε K. Definition 9.5. Archimedean induction for signed-digit represented compact sets is the rule (∀K ∈ S 0 K ) (P (K) ∨ (S K (2(K 0 )) ∧ (P (2(K 0 )) → P (K)))) (∀K ∈ S 0 K ) P (K) where P is a non-Harrop predicate. Proof. We will show that Rule (AICSD) is a consequence of Rule (AIC). Set A(X) Def = S K (X) → P (X). It suffices to show that the premise of (AICSD) implies the premise of (AIC). Therefore, let K ∈ K 0 and assume that (∀K ∈ K)(K ⊆ K ∧ |K | ≤ 1/2 → A(2K )) (9.1) We have to prove that A(K). So, let K ∈ S K . Then we need to derive P (K). By the premise of (AICSD) we have that 1. P (K) or 2. S K (2(K 0 )) ∧ (P (2(K 0 )) → P (K)). In the first case we are done. Let us therefore consider the second case.
Since we know that S K (2(K 0 )), we obtain that P (2(K 0 )) and hence, as we are considering the second case, that P (K). As we have just seen, the premise of (AICSD) implies the premise of (AIC). If the first premise is realised by s the latter is realised by  (Pair(a , h)) → h (f a )}, realises the conclusion (∀K ∈ S 0 K ) P (K). If one strengthens the premise of Rule (AICSD) to all K ∈ S K instead of only those not containing 0, one can strengthen the conclusion to a restriction.
(2) We use Scott induction, that is, we consider the approximations χ i of χ, Proof. The statement follows again by co-induction. Assume that G K (1/2K). Then G(min K/2) and G(max K/2). Since by [Be16, Lemma 11] G is closed under λx. 2x for |x| ≤ 1/2, it follows that G(min K) and G(max K).