On Natural Deduction for Herbrand Constructive Logics I: Curry-Howard Correspondence for Dummett's Logic LC

Dummett's logic LC is intuitionistic logic extended with Dummett's axiom: for every two statements the first implies the second or the second implies the first. We present a natural deduction and a Curry-Howard correspondence for first-order and second-order Dummett's logic. We add to the lambda calculus an operator which represents, from the viewpoint of programming, a mechanism for representing parallel computations and communication between them, and from the viewpoint of logic, Dummett's axiom. We prove that our typed calculus is normalizing and show that proof terms for existentially quantified formulas reduce to a list of individual terms forming an Herbrand disjunction.


Introduction
We call Herbrand constructive any intermediate logic (a logic stronger than intuitionistic but weaker than classical) which enjoys a strong form of Herbrand's theorem: for every provable formula ∃α A, the logic proves as well an Herbrand disjunction Of course intuitionistic logic is trivially Herbrand constructive, but classical logic is not: A is arbitrary! In between, there are several interesting logics which do have the property. Yet for Herbrand constructive logics there are no known natural deduction formulations with associated Curry-Howard correspondences, except in trivial cases. We launch here a new series of papers to fill this void.
We begin with Dummett's first-order and second-order logic LC: intuitionistic logic extended with the so-called Dummett linearity axiom LC was introduced by Dummett [16] as an example, in the propositional case, of a many-valued logic with a countable set of truth values. Its propositional fragment is also called
1.2. Natural Deduction Again. Although hyper natural deduction is a legitimate proof system in its own right, the "hyper approach" is not the one we follow. For two reasons.
The first reason is that we will show that natural deduction works perfectly as it is. There is no need to change its structure and, to render Dummett's axiom, it is sufficient to add the inference rule
$$\dfrac{\begin{array}{c}[A \to B]\\ \vdots\\ C\end{array} \qquad \begin{array}{c}[B \to A]\\ \vdots\\ C\end{array}}{C}\; D$$
which allows us to conclude unconditionally C from two different deductions of C: one from the hypothesis A → B and one from the hypothesis B → A. We shall define simple reduction rules for proofs ending with this inference and we shall show that they are all we need to extract witnesses for existentially quantified formulas.
The second reason is that natural deduction should stay natural. This is the very motivation that led to its discovery. Indeed, Gentzen starts his celebrated work [18] on natural deduction and sequent calculus complaining that the proof systems known at the time were far removed from the actual mathematical reasoning. And his main goal was to set up a formalism with the aim of "reproducing as precisely as possible the real logical reasoning in mathematical proofs". To avoid betraying natural deduction's philosophical motivations, there is no alternative but to add an inference rule that naturally mirrors the kind of reasoning corresponding to Dummett's axiom, which is our approach.
1.3. Realizability. One of the most attractive features of intuitionistic natural deduction is that, in a very precise sense, it does not need a truth-based semantics. Logical inferences are divided into two groups: introduction rules and elimination rules. And as Gentzen [18] himself famously suggested, introduction rules define, so to speak, the meaning of the logical constants they introduce; elimination rules, on the other hand, are nothing but consequences of these definitions. In other words, introduction rules are self-justifying, because they fix themselves the meaning of their conclusions, whereas elimination rules are sound in virtue of the meaning fixed by the introductions. For example, the rule
$$\dfrac{\begin{array}{c}[A]\\ \vdots\\ B\end{array}}{A \to B}$$
says that the grounds for asserting A → B consist in a proof of B from the hypothesis A; therefore, the elimination $\dfrac{A \to B \qquad A}{B}$ is automatically justified: if we have a proof of A we can plug it into the proof of B from A, whose existence is warranted by the meaning of A → B, and obtain a proof of B. The reverse approach works as well: we may consider elimination rules as meaning constitutive and treat introduction rules as consequences of the meaning fixed by eliminations. In other words, meaning is determined by how we use a statement, by what we can directly obtain from the statement; we shall adopt this pragmatist standpoint, elaborated by Dummett himself [17]. This idea of internal justification, as it is, cannot be generalized straight away for extensions of intuitionistic logic: new inferences tend to break the harmony between introductions and eliminations. It is at this point that Brouwer's view of logic comes into play. According to Brouwer [12], the string of "logical" steps appearing in a mathematical proof is in reality a sequence of mathematical constructions. What we perceive as inference rules are instead transformations of constructions for the premises into constructions for the conclusion. This insight finds a precise formalization by means of the Curry-Howard isomorphism: a proof is indeed isomorphic to an effective construction, in fact, it is, in and of itself, a construction.
Since proofs are constructions, the role of semantics is just explaining what these constructions do. Hence, a proof-theoretic semantics of an intermediate logic is in principle always possible and is made of two ingredients: a formalization of proofs as programs and a semantical description of what these programs achieve with their calculations. The first is obtained through the decoration of deduction trees with lambda terms, the second is the task of realizability.
Realizability was introduced by Kleene [23] to computationally interpret intuitionistic first-order Arithmetic, but it is Kreisel's [24] later version with typed terms which embodies the modern perspective on the subject. Though it was initially conceived just for intuitionistic theories, realizability can be extended to intuitionistic Arithmetic with Markov's principle [6], to intuitionistic Arithmetic with the simplest excluded middle EM_1 [4] and even all the way up to the strongest classical theories [1,2,26]. Realizability replaces the notion of truth with the notion of constructive evidence. A formula holds if it is realized by some typed program, providing some constructive information about the formula.
In the following, we shall build a realizability interpretation for Dummett's LC, inspired by Krivine's realizability [26,15]. By construction, every realizer always terminates its computations and, in particular, whenever it realizes an existentially quantified formula ∃α A, it reduces to a term of the shape with the property that LC ⊢ A[m_1/α] ∨ · · · ∨ A[m_k/α]. The circle is closed by a soundness theorem, the Adequacy Theorem: every formula provable in LC is realized by a closed program, which immediately implies the Normalization Theorem (every proof reduces to a normal form) and that LC is Herbrand constructive. Therefore, to extract an Herbrand disjunction it suffices to reduce any proof of any existentially quantified formula to a normal form, according to a very simple set of reduction rules.
1.4. Reduction Rules. To find simple and terminating reduction rules for a natural deduction system is always tricky, but once the job is done, the reductions often look so natural that they appear inevitable. It is the effort of removing obstacles toward a good normal form that inevitably leads to these reductions, as the flow of a river leads to the sea. In the case of LC, the main obstacles toward witness extraction for a formula ∃α A are configurations in which one of the hypotheses introduced by the Dummett inference blocks the reduction. For example, let us consider this proof shape: where ∃α C has been obtained from B by a series of elimination rules. It is clear that no witness can be retrieved in the left branch of the proof above, because there is just a proof of A and, magically, a "void" proof of B obtained by modus ponens from A and the arbitrary hypothesis A → B. But can't we just send the proof of A to the right branch of the Dummett rule and obtain a direct proof of ∃α C, like this?
D ∃α C D ∃α C and thus the previous transformation is unsound. But the idea of sending the proof of A to the right branch can work if the right branch is in turn moved on the left like this . . .
The reductions that we shall give generalize this transformation in order to work in every situation.
1.5. Curry-Howard Correspondence. It is more convenient to express proof reductions in terms of program reductions, because for that purpose the lambda notation is superior to the proof tree notation. For this reason, we shall define a lambda calculus isomorphic to natural deduction for LC and then define a head reduction strategy for lambda terms, inspired by Krivine's strategy [26]. The termination of head reduction will just be a consequence of soundness of LC with respect to realizability, while the perfect match between program reductions and proof reductions will as usual be a consequence of the Subject Reduction Theorem. The decoration of intuitionistic inferences with programs is standard and Dummett's rule will be decorated in the following way . . .
The parallel operator a is inspired by the exception operator studied in [7] and keeps using the variable a for communication purposes. The variable a has the task of sending terms from u to v and vice versa, as well as allowing u to call the process v whenever it needs it and vice versa.
1.6. Plan of the Paper. In Section §2 we introduce a Curry-Howard interpretation of intuitionistic first-order natural deduction extended with the Dummett rule D. We first describe the calculus together with its computational rules and then discuss its proof theoretical interpretation. In Section §3 we prove the Normalization Theorem and the soundness of realizability with respect to LC. In Section §4, we prove that LC is Herbrand constructive and in particular that from any closed term having as type an existentially quantified formula, one can extract a corresponding Herbrand disjunction. In Section §5 we extend the previous results to the second-order LC 2 , achieving its first computational interpretation, for there is no known cut-elimination procedure for second-order hypersequent calculus.

The System LC
In this section we describe a standard natural deduction system for intuitionistic first-order logic, with a term assignment based on the Curry-Howard correspondence (e.g. see [31]), and add on top of it an operator which formalizes Dummett's axiom. First, we shall describe the lambda terms and their computational behavior, proving as main result the Subject Reduction Theorem, stating that the reduction rules preserve the type. Then, we shall analyze the logical meaning of the reductions and present them as pure proof transformations.
We start with the standard first-order language of formulas.
(2) There is a countable set of predicate symbols. The atomic formulas of L are all the expressions of the form P(m_1, . . . , m_n) such that P is a predicate symbol of arity n and m_1, . . . , m_n are terms of L. We assume that we have a 0-ary predicate symbol ⊥ which represents falsity.
In Figure 1 we define a type assignment for lambda terms, called proof terms, which is isomorphic to natural deduction for intuitionistic logic extended with Dummett's axiom.
Axioms: . . .
where m is any term of the language L and α does not occur free in the type B of any free variable x^B of u.
where α is not free in C nor in the type B of any free variable of t.
Dummett's Axiom D:
We assume that in the proof terms two distinct classes of variables appear. The first class of variables is made by the variables for the proof terms themselves: for every formula A, we have variables x^A_0, x^A_1, x^A_2, . . . of type A; these variables will be denoted as x^A, y^A, z^A, . . . , a^A, b^A and whenever the type is not important simply as x, y, z, . . . , a, b. For clarity, the variables introduced by Dummett's inference rule will be denoted with letters a, b, . . ., but they are not in any syntactic category apart. The second class of variables is made by the quantified variables of the formula language L of LC, denoted usually as α, β, . . ..
8 F. ASCHIERI
The free and bound variables of a proof term are defined as usual and for the new term u a v, all of the free occurrences of a in u and v are bound in u a v. In the following, we assume the standard renaming rules and alpha equivalences that are used to avoid capture of variables in the reduction rules that we shall give.
Whenever Γ = x_1 : A_1, . . . , x_n : A_n and the list x_1, . . . , x_n includes all the free variables of a proof term t : A, we shall write Γ ⊢ t : A. From the logical point of view, the notation means that t represents a natural deduction of A from the hypotheses A_1, . . . , A_n. We shall write LC ⊢ t : A whenever ⊢ t : A, and the notation means provability of A in intuitionistic logic with Dummett's axiom.
We are now going to explain the basic reduction rules for the proof terms of LC, which are given in Figure 2. To understand them, we need the notions of parallel context and stack. If we omit parentheses, any term t can be written, not uniquely, in the form If we replace some t_i with a "hole" [] to be filled, the expression above becomes a parallel context.
. . an u n A stack represents, from the logical perspective, a series of elimination rules; from the lambda calculus perspective, a series of either operations to be performed or arguments to be given as input to some program. A stack is also known as a continuation, because it embodies a series of tasks that wait to be executed, and corresponds to Krivine's stacks [26].
such that for every 1 ≤ i ≤ n, exactly one of the following holds: .v], with v proof term. If no confusion with other sequences of terms arises, σ will often be written without intermediate dots, that is, as σ_1 σ_2 . . . σ_n. The empty sequence is denoted with ε and with ξ, ξ′, . . . we will denote stacks of length 1. If t is a proof term, as usual in lambda calculus t σ denotes the term (((t σ_1) σ_2) . . . σ_n).
We find among the reductions in Figure 2 the ordinary reductions for the intuitionistic constructs together with Prawitz-style permutation rules [30] for D, as in [7]. The reduction rules for D model the communication mechanism explained in Section §1. In the reduction we see that the term on the left is in some way stuck: the variable a^{A→B} faces an argument u of type A; of course, it has no idea how to use u to produce a term of type B! On the contrary, the term v knows very well how to use u to produce something useful, because it contains the variable a^{B→A}, which waits for a term of type B → A. Thus, a^{A→B} sends the term λy^B u, with y dummy, to v, yielding the term v[λy^B u/a^{B→A}]. This program is called to replace the useless a^{A→B} u σ and computation can go ahead. We require the context C[ ] to be parallel, because in this way types are not needed to define the reductions for D and the calculus makes sense also in its untyped version and with Curry-style typing. We have chosen Church-typing only to make clearer the intended meaning of the operations: had we omitted all the types from the terms, everything would have still worked just fine. In Theorem 2.7, we shall prove that indeed our reduction rules for D are logically correct and preserve the type.
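The basic reduction for D described in this paragraph, as an added example that is not code from the paper: it works on untyped terms, which the text says is enough to define the rule. Assumptions: stacks hold only proof-term arguments, bound names are distinct so substitution needs no renaming, and all class and function names (`Par`, `d_reduce`, and so on) are illustrative.

```python
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Par:
    """The parallel term the page writes as `u a v`; chan is the variable a."""
    chan: str
    left: "Term"
    right: "Term"

Term = Union[Var, Lam, App, Par]


def names(t):
    """Every variable name occurring in t, free or bound."""
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return {t.var} | names(t.body)
    if isinstance(t, App):
        return names(t.fun) | names(t.arg)
    return {t.chan} | names(t.left) | names(t.right)


def subst(t, a, s):
    """t[s/a]. Assumption: no binder in t captures a free name of s."""
    if isinstance(t, Var):
        return s if t.name == a else t
    if isinstance(t, Lam):
        return t if t.var == a else Lam(t.var, subst(t.body, a, s))
    if isinstance(t, App):
        return App(subst(t.fun, a, s), subst(t.arg, a, s))
    if t.chan == a:                       # a is rebound here: stop
        return t
    return Par(t.chan, subst(t.left, a, s), subst(t.right, a, s))


def spine(t):
    """Split t = h s_1 ... s_n into its head h and the list of arguments."""
    args = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]


def fresh(avoid):
    """A dummy variable name not occurring in `avoid`."""
    i = 0
    while f"y{i}" in avoid:
        i += 1
    return f"y{i}"


def fire(proc, a, other):
    """Rewrite the leftmost elementary process of shape `a u sigma` in proc.

    Only Par nodes are descended into, so the hole of C[ ] sits in a parallel
    context. The stuck process is replaced by other[(lambda y. u)/a]; the
    stack sigma is discarded.
    """
    if isinstance(proc, Par):
        if proc.chan == a:                # a is not free below this node
            return None
        left = fire(proc.left, a, other)
        if left is not None:
            return Par(proc.chan, left, proc.right)
        right = fire(proc.right, a, other)
        return None if right is None else Par(proc.chan, proc.left, right)
    head, args = spine(proc)
    if head == Var(a) and args:
        u = args[0]
        return subst(other, a, Lam(fresh(names(u)), u))
    return None


def d_reduce(t):
    """One basic reduction for D on t = u a v, or None if t is not a D-redex."""
    if not isinstance(t, Par):
        return None
    left = fire(t.left, t.chan, t.right)
    if left is not None:
        return Par(t.chan, left, t.right)
    right = fire(t.right, t.chan, t.left)  # the symmetric rule
    return None if right is None else Par(t.chan, t.left, right)


# Constructed sample: the left process `a p k` is stuck, the right is `f (a q)`.
STUCK = App(App(Var("a"), Var("p")), Var("k"))
RIGHT = App(Var("f"), App(Var("a"), Var("q")))
SENT = App(Var("f"), App(Lam("y0", Var("p")), Var("q")))   # RIGHT[(λy0.p)/a]
```

In `SENT` the term `p` that `a` could not use has been handed to a copy of the right process; an ordinary beta step on `(λy0. p) q` then yields `f p`.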
Reduction Rules for Intuitionistic Logic: for some parallel context C, stack σ, variable a free in C[a^{A→B} u σ], dummy variable y not occurring in u
Our goal now is to define a reduction strategy for typed terms of LC: a recipe for selecting, in any given term, the subterm to which apply one of our basic reductions. As most typed lambda calculi are strongly normalizing and our reduction rules look fairly innocuous, one cannot help but conjecture that any reduction strategy eventually terminates; in other words, that reduction strategies are not necessary. We do conjecture that the fragment with ∀, →, ∧, ∨ is indeed strongly normalizing. Yet, already the proof of this weaker result appears excessively complex, to such an extent that arbitrary reduction strategies start to feel wrong, that is, to perform unnecessary computations.
We therefore leave strong normalization as an open problem and follow a more standard approach: Krivine's (weak) head reduction strategy. The difference is: in Krivine's calculus each process has a unique head; in our calculus each process has several heads, like the Hydra monster. This is due to the presence of the parallel operator a . Indeed, if we omit parentheses, any term t can be written, not uniquely, in the form The terms t_1, . . . , t_n are parallel processes; each one has its own head and may have a head redex. And as with the Hydra monster, if we contract some head t_i, more heads to contract might grow. We now formally define what are the parallel processes that appear in a term and what is the head redex of a term.

Definition 2.4 (Parallel Processes, Head).
• Removing the parentheses, whenever a proof term t can be written as each term t_i, for 1 ≤ i ≤ n + 1, is said to be a parallel process of t and is said to be an elementary process of t in case it is not of the form u a v.
• A redex is a term u such that u → v for some v and basic reduction of Figure 2.
• Let σ be any stack. A redex h is said to be the head redex of a proof term t in the following cases:
We now define the head reduction of a proof term: the notion generalizes Krivine's head reduction to parallel contexts. The idea is to look for the leftmost among the head redexes of the parallel processes of a term and contract that redex. The only subtlety is to determine exactly where the new redexes for D start. Since the reduction for u a v is completely localized either in u or v, it is reasonable to say that the redex starts where the subterm a u σ to be replaced is located.

Definition 2.5 (Leftmost Redex, Head Reduction).
(1) The starting symbol of a redex r is the symbol "(" when r = (u ξ) for some stack ξ of length 1; it is the leftmost occurrence of the symbol "a" such that a t σ is an elementary process of r, when r = (u a v). The leftmost redex among some redexes of a term t is the redex whose starting symbol is the leftmost in t among the starting symbols of those redexes.
(2) We say that a term t head reduces to t′ and write t ≻ t′ when t′ is obtained from t by contracting the leftmost among the head redexes of the parallel processes of t, using one of the basic reductions in Figure 2.
For readability, parentheses are often omitted, but in order to spot the head redex of a term, one must mentally restore the parentheses that have been suppressed. In order to train our eye, we consider three examples of head reduction: In the first case, the reduction for D is used as third step of the head reduction, while in the third case, as first and last step.
We define the concept of normal form and normalizable term in the usual way.
We define NF to be the set of head normal forms.
• A sequence, finite or infinite, of proof terms u_1, u_2, . . . , u_n, . . . is said to be a reduction of t, if t = u_1, and for all i, We denote with HN the set of normalizable terms of LC.
The reductions defined in Figure 2 satisfy the important Subject Reduction Theorem: reduction steps at the level of proof terms preserve the type, which is to say that they correspond to logically sound transformations at the level of proofs. We first give the simple proof of the theorem, then analyze in detail its logical meaning in the next subsection.
Theorem 2.7 (Subject Reduction). If t : C and t ≻ u, then u : C. Moreover, all the free variables of u appear among those of t.
Proof. It is enough to prove the theorem for basic reductions: if t : C and t → u, then u : C.
The proof that the intuitionistic reductions and the permutation rules preserve the type is completely standard. Thus we are left with the D-reductions, which require straightforward considerations as well. Suppose Since C is a parallel context, a^{A→B} u σ and v have both type C. Now, u must be of type A, so λy^B u is of type B → A and thus v[λy^B u/a^{B→A}] is a correct term of type C. Moreover, all the occurrences of a^{B→A} in v are eliminated by the substitution [λy^B u/a^{B→A}], so no new free variable is created.
2.1. Reduction Rules: Logical Interpretation. So far, in studying the system LC, we have given priority to the underlying lambda calculus and characterized it as a functional language endowed with parallelism and a communication mechanism. The explanation of the reductions had little to do with logic and much with computation. However, thanks to the Subject Reduction Theorem, we know we could have proceeded the other way around. Namely, we could have given priority to logic and dealt only with transformation of proofs, in the style of Prawitz natural deduction trees [30]. Since it is instructive to explain directly this point of view, we are finally going to do so. First of all, the following proof of ¬A ∨ ¬¬A is an example of natural deduction tree in LC: The standard reductions for lambda calculus still correspond to the ordinary conversions for all the logical constants of first-order logic: . . .

A B
converts to: . . .

C C
converts to: π C C converts to: . . .
The permutation reductions for the terms of the form u a v are just instances of Prawitz-style permutations for disjunction elimination. From the logical perspective, they are used to systematically transform, whenever possible, the logical shape of the conclusion. This reduction is essential because the Dummett inference rule does not yield much when employed to prove implications or disjunctions; but it becomes Herbrand constructive, whenever used to prove existentially quantified statements. As an example of permutation for D, we consider the one featuring an implication as conclusion: . . .
There are similar permutations for all other elimination rules, as one can see translating in natural deduction the permutations of Figure 2. With the following notation we denote a deduction of C that, in order to obtain its final conclusion, combines the deductions D_1, . . . , D_i, . . . , D_n of C using only the Dummett rule n − 1 times. In other words, below the conclusions C of the deductions D_1, . . . , D_i, . . . , D_n only the Dummett rule is used. This configuration corresponds to a parallel context in our lambda calculus, as in Definition 2.2. With the notation B EL C we denote a deduction of C that, starting from B, applies only elimination rules to obtain C; in particular, B must be the main premise of the first elimination rule which concludes B_1, which must be the main premise of the second elimination rule which concludes B_2 and so on down to C. This configuration corresponds to the concept of stack of Definition 2.3.
Finally, we can look at the two reductions for proofs containing the Dummett rule. Let us consider just the first conversion for D, the second being perfectly symmetric: . . .
The conversion above focuses first on the deduction D on the left branch of the proof; it replaces the hypothesis B → A of D with a proof of B → A directly obtained from the proof of A found on the left branch; afterwards, it takes the deduction so generated and replaces with it the old proof of C obtained from B by elimination rules. There is a crucial assumption about the structure of the first proof. In the left branch of the Dummett rule, the hypothesis A → B is used together with A to obtain B, which is in turn used to infer C by means only of a main branch of elimination rules, as called by Prawitz. Thanks to this restriction, the proof of A does not end up having more open assumptions in the second proof than it has in the first proof. But what have we gained with this reduction? It looks like we made no progress at all. The hypothesis A → B may be actually used more times in the second proof than in the first, because the hypothesis B → A might be used several times in the deduction D! Actually, the gain is subtle. In the left branch of the first proof the formula B was derived in a fictitious way: by an arbitrary hypothesis A → B, bearing no relationship with C. Since B is used to obtain C, we cannot expect B to provide constructive content to C, in particular no witness if C is an existential formula. The conversion above gets rid of this configuration and provides a more direct proof of C: in the new proof, if B → A is employed to derive A by modus ponens, one can discard B and use the proof of A coming from the first proof.
The main difficulty that we face with our reduction rules for D is termination. There is hardly any decrease in complexity from before to after the reduction and the road toward a combinatorial termination proof looks barred. We are thus forced to employ a far more abstract technique: realizability.

Classical Realizability
In this section we prove that each term of LC realizes its type and is normalizing. To this end, we make a detour into a logically inconsistent, yet computationally sound world: the system LC ⋆ , a type system which extends LC. The idea that extending a system can make it easier rather than harder to prove its normalization might not seem very intuitive, but it is well tested and very successful (see [32], [5], [3], [7]). LC ⋆ will be our calculus of realizers. It is indeed typical of realizability, the method we shall use, to set up a calculus with more realizers than the actual proof terms [24,26,6]. The idea is that a realizer is defined as a proof term that defeats every opposer and passes every termination test; but proof terms, as opposers and testers of proof terms themselves, are not enough; proof terms must be opposed and tested also by "cheaters", terms that do satisfy the same definition of realizability, but only because they have some advantage. These extra tests make proof terms stronger realizers than they otherwise would be. We may imagine a realizer as a tennis player that trains himself to return fast balls thrown by a robot: if he withstands the attacks of the robot, he will perform all the better against real weaker humans.
3.1. The Abort Operator. The system LC ⋆ is not meant to be a logical system: it would be inconsistent! The purpose of the system is not logical, but computational: to simulate the reduction rules for D by an abort operator A. We define the typing rules of LC ⋆ to be those of LC plus a new term formation scheme: With A, A_1, . . . , A_k, we shall denote some generic constant A^{A→B}. The reduction rules for the terms of LC ⋆ are those for LC with the addition of a new reduction rule defined in Figure 3.

Reduction Rules for A:
A u σ → u whenever A u σ and u have the same type
The abort computational construct is reminiscent of Krivine's k_π, which removes the current continuation ρ and restores a previously saved continuation π: There is indeed an analogy with Krivine's realizability: the terms of LC correspond to Krivine's proof-like terms, whereas the terms of LC ⋆ correspond to Krivine's inconsistent terms that may contain k_π and may realize any formula. But in our case LC ⋆ is just a tool for defining realizability, not a tool for implementing reductions, like k_π in Krivine's case. The role of A will emerge later on in the proof of Propositions 3.6 and 3.7. However, by now, the intuition should be pretty clear: in the reduction the term a u σ aborts the local continuation σ. The difficulty is that the new continuation v[λy u/a], from the perspective of a, is created out of nowhere! Therefore proving by induction that C[a u σ] is a realizer would not be of great help for proving that the whole term C[a u σ] a v is a realizer. With terms of the form A w we can instead simulate locally the global reduction above and get a stronger induction hypothesis.
The Definition 2.3 of stack is of course extended to LC ⋆ and the Definition 2.4 of head redex is extended to the terms of LC ⋆ by saying that A u σ is the head redex of A u σ whenever u and A u σ have the same type. The reduction relation ≻ for the terms of LC ⋆ is then defined as in Definition 2.5.
In the following, we define HN ⋆ to be the set of normalizing proof terms of LC ⋆ .
As usual in lambda calculus, a value represents the result of the computation: a function for arrow and universal types, a pair for product types, a boolean for sum types and a witness for existential types and in our case also the abort operator. We now prove a property of head normal forms that will be crucial in the following. It is a generalization of the well known head normal form Theorem for lambda calculus and tells us that if we decompose a proof term into its elementary parallel processes, then each of them is either a value or some variable or constant applied to a list of arguments.
and that each t_i is an elementary process. Then for every 1 ≤ i ≤ n + 1, there is some stack σ such that either t_i = x σ, with x ≠ a_1, . . . , a_n, or t_i = A u σ, with the type of u different from the type of A u σ, or t_i = a_j or t_i is a value.
Proof. By induction on t. If t is a value, we are done. There are two other cases to consider. and for some i, u_i = x σ, with σ ≠ ε, then x ≠ a (and symmetrically for v). Indeed, if for some i, u_i = a σ, then u = C[a σ] for some parallel context C[ ], and therefore u a v would be the leftmost head redex of itself, which is impossible since by assumption it is in head normal form.
(2) t is neutral. Then t can be written, for some stack σ, as r σ where r is a value or r = u a v or r = x. In the third case, we are done; in the first and second case, σ = ξ.ρ, so r ξ would be the head redex of t, unless t = A ξ ρ, with the type of ξ different from the type of A ξ ρ, which is the thesis.

3.2. Definition of Classical Realizability. Our main goal now is to prove the Normalization Theorem for LC: every proof term of LC reduces in a finite number of head reduction steps to a head normal form. We shall employ a notion of classical realizability, a generalization of the Tait-Girard reducibility method [19] that works for classical type systems. The origins of classical realizability can be traced all the way back to Parigot's [28] and Krivine's [25] classical reducibility, but we present it in a fashion popularized later by Krivine in his work on realizability [26], which is indeed a generalization of classical reducibility. Thanks to the fact that one considers only head reduction, Krivine-style classical realizability is slightly simpler than the notions usually employed to derive strong normalization. Given a logic, we raise a question: what kind of evidence does a proof provide other than the tiny bit "1" declaring the truth of the proven statement? Realizability is a semantics explaining what is to be taken as constructive evidence for a statement and a technique for showing that proofs can provide such evidence. Formally, realizability is a relation between terms of LC ⋆ and formulas, with terms playing the role of constructions and formulas determining what properties a construction should satisfy. In particular, to each formula C is associated a set of stacks ||C||, which represents a collection of valid tests: whenever a term passes all these tests, in the sense that it maps them into terminating programs, it is a realizer. As prescribed by the pragmatist viewpoint, the clauses that define realizability follow the shape of elimination rules, in order to make sure that no matter how a program is used, it always terminates.
Definition 3.3 (Valid Tests, Classical Realizability). Assume t is a term of LC ⋆ and C is a formula of L. We define by mutual induction the relation t C ("t realizes C") and a set ||C|| of stacks of LC ⋆ (the "valid tests for C") according to the form of C:
• t C if and only if t : C and for all σ ∈ ||C||, t σ ∈ HN ⋆

Properties of Realizers.
In this section we prove the basic properties of classical realizability. They are all we need to prove the Adequacy Theorem 3.8, which states that typable terms are realizable. The arguments for establishing the properties are in many cases standard (see Krivine [26]). We shall need extra work for dealing with terms of the form u a v.
The first task is to prove that realizability is sound for all introduction and elimination rules of LC. We start with the eliminations. Proof.
Suppose then σ = u.ρ, with u A and ρ ∈ ||B||. We have to show that A u ρ ∈ HN ⋆ . Since u A and ε ∈ ||A||, we have u = u ε ∈ HN ⋆ . Moreover, if A u ρ is not a redex, we are done, and if A u ρ ≻ u, the thesis follows.
It is now that the abort operator really enters the scene. Thanks to it, any reduction u a v ≻ u ′ a v can be simulated in a purely local way. This is possible because any such reduction affects only what is inside u and leaves v untouched. Then, in order to replicate the reduction, it is enough to substitute for a a term A that throws away any stack of terms it is applied to, as a does, and then restores v, with some substitution depending on the context. Of course, symmetrical considerations hold true for any reduction u a v ≻ u a v ′ .

Proposition 3.6 (Local Simulation). Define
A := λx A v[λy x/a]
B := λz A u[λy z/a]
with x, y, z and A occurring with the right type. Then
Proof. We prove the first statement, the other being perfectly symmetric. The only trouble is to formalize precisely the argument, which is otherwise intuitively obvious. To this end, we first need some simple, but tedious to prove, claims.
. Now, t ′ is a parallel process of either u ′ 1 or u ′ 2 ; by induction hypothesis, t ′ = t[A /a], where t is a parallel process of u 1 , in the first case, and of u 2 in the second.
a v Then for some parallel context C, we have u = C[q] and u ′ = C[q ′ ], where q ′ is either obtained from q by contracting the head redex r of q or q ′ = v[λy t/a] and q = a t σ; in the first case, it is r that is the leftmost among the head redexes of the parallel processes of u a v, whereas in the second case, it is u a v. With this notation, we have
• q = r = A k w σ or q = r = C 1 [b w ρ] b s for some variable b = a (the other case is symmetric); let respectively r ′ = w or r ′ = C 1 [s[λy w/b]] b s. By exactly the same considerations as in the previous case, we get
We first need to show that the head redex of q[A /a] = A t ′ σ ′ is the leftmost among the head redexes of the parallel processes of u[A /a]. Assume that a t σ is the n-th elementary process of u, so that A t ′ σ ′ is the n-th elementary process of u[A /a] as well. Then, no parallel process of u has a head redex whose starting symbol is in the m-th elementary process of u, with m < n. By Claims 1 and 2, no parallel process where p is a parallel process of u, has a head redex whose starting symbol is in the m-th elementary process of u, with m < n, otherwise the starting symbol of the head redex of p would be in the m-th elementary process of u as well (Claim 2 applies, since p cannot be of the form a w ρ, given that a is the starting symbol of the redex u a v). Finally, we conclude
We are now able to tackle the most difficult case of the Adequacy Theorem 3.8 for realizability: proving that realizability is also sound for the Dummett rule. The idea is that Proposition 3.6 allows us to use in a very strong manner an inductive hypothesis that will naturally be granted when proving the Adequacy Theorem. This hypothesis states that for every t A → B, u[t/a] ∈ HN ⋆ ; since one can prove that the term A realizes A → B, one can conclude with simple reasoning that the head reduction reduces u in u a v only a finite number of times and a symmetric reasoning holds for v.
Without the abort operator, and thus without the possibility of local simulation, the hypothesis that for every t A → B, u[t/a] ∈ HN ⋆ would not be enough to conclude a great deal. Details follow.

We start by showing that A A → B, which establishes by means of the hypothesis that u[A /a] ∈ HN ⋆ . Let ρ ∈ ||A → B||; the case ρ = ε is trivial, so we assume ρ = t.σ, with t A and σ ∈ ||B||. We must show A t σ ∈ HN ⋆ . We have (assuming the last reduction is possible: if not, the thesis is trivial). In order to obtain v[λy t/a] ∈ HN ⋆ , which is what we wanted, it is enough to show that λy t B → A. Let ρ ′ ∈ ||B → A||; again, the case ρ ′ = ε is trivial, so we assume ρ ′ = t ′ .σ ′ , with t ′ B and σ ′ ∈ ||A||. We must show (λy t) t ′ σ ′ ∈ HN ⋆ . Indeed, since t A,
We now prove that u a v ∈ HN ⋆ by induction on the length of the reduction of u[A /a] in head normal form. We have two cases.
(a) Assume u a v ≻ u a v ′ so that in particular u is in head normal form. Define Since we are going again to prove the thesis by induction on the length of the reduction of v[B/a] in head normal form, we first need to show that B B → A, which allows us to conclude that indeed v[B/a] ∈ HN ⋆ . Let ρ ∈ ||B → A||; the case ρ = ε is trivial, so we assume ρ = t.σ, with t B and σ ∈ ||A||. We have to show B t σ ∈ HN ⋆ . We have Now, u is in head normal form and thus by Proposition 3.2, u = u 0 a 1 u 1 a 2 . . . a n u n and for each 0 ≤ i ≤ n, either u i = x σ, with x = a 1 , . . . , a n , a, or u i = A w σ, with the type of w different from the type of A w σ, or u i = a j or u i = a or u i is a value. Therefore, u[λy t/a] is in head normal form, because the substitution does not create head redexes in any parallel process of u. We now prove the main thesis. By Proposition 3.6, v[B/a] ≻ + v ′ [B/a], so by induction hypothesis we conclude u a v ′ ∈ HN ⋆ and thus u a v ∈ HN ⋆ .
(b) Assume u a v ≻ u ′ a v By Proposition 3.6, u[A /a] ≻ + u ′ [A /a], so by induction hypothesis we conclude u ′ a v ∈ HN ⋆ and thus u a v ∈ HN ⋆ .
3.4. The Adequacy Theorem. We finally prove that realizability is sound for LC: if we replace all free proof term variables of any proof term with realizers, then we get a realizer.
3.5. Normalization for LC. As a corollary of the Adequacy Theorem 3.8, one obtains normalization for LC.
Corollary 3.9 (Normalization for LC). Suppose that t : A is a proof term of LC. Then t ∈ HN ⋆ .
Proof. Assume x 1 : A 1 , . . . , x n : A n are the free variables of t. We observe that x i A i , for i = 1, . . . , n because, given any σ ∈ ||A i ||, x σ ∈ HN ⋆ . Therefore, from Theorem 3.8, we derive that t A and since ε ∈ ||A||, we conclude t = t ε ∈ HN ⋆ .

Normal Form Property and Herbrand's Disjunction Extraction
In this section, we finally show that our Curry-Howard correspondence for LC is meaningful from the computational perspective. We already know that every execution of every program we extract always terminates; now we prove that in the case of any existentially quantified formula ∃α A, every closed program of that type produces a complete finite sequence m 1 , m 2 , . . . , m k of possible witnesses for ∃α A. This means that whatever first-order model we consider, there will be an i such that A[m i /α] is true in it. In other terms, we have provided a proof that LC is Herbrand constructive and a Curry-Howard computational interpretation of this very strong Herbrand-like theorem.
Such statements in first-order logic are typically drawn as consequences of the Subformula Property, which is in turn a corollary of full cut-elimination when sequent calculus is available. But as in [7], a more primitive argument suffices here. This is indeed providential: not only can we have no Subformula Property without permutation rules for ∨ and ∃, but, surprisingly, even those reductions would not suffice. The question of which reductions are needed is far from trivial and is left as a subject for future research. However, in a sense, Herbrand constructiveness is already a weak Subformula Property and holds for the most interesting case of the existential quantifier, when there is actually some information to gain. For lambda calculus, instead, enjoying the Subformula Property is a mere curiosity without much computational sense. In fact, if we consider that in intuitionistic logic or fragments of classical Arithmetic [4] general permutation rules are not needed to compute witnesses, it should not entirely come as a surprise that this is still the case in our framework.
If we omit parentheses, we know that every proof term in head normal form can be written as v 0 a 1 v 1 . . . a n v n , where each v i is not of the form u a v; if for every i, v i is of the form (m i , u i ), then we call the whole term an Herbrand normal form, because it is essentially a list of the witnesses appearing in an Herbrand disjunction. Formally:
Definition 4.1 (Herbrand Normal Forms). We define by induction a set of proof terms, called Herbrand normal forms, as follows:
• every proof term (m, u) is an Herbrand normal form;
• if u and v are Herbrand normal forms, u a v is an Herbrand normal form.
An Herbrand normal form represents, in a straightforward way, a proof of an Herbrand disjunction.
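Definition 4.1 and the case analysis later used for Theorem 4.3 can be read as a recognizer over proof terms that returns the witness list m 0 , . . . , m k . The following Python code is an added example, not part of the paper: the constructor names Pair, Par, Var and App and the sample terms are assumptions made here, and only the shape of terms is checked, not their types.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

@dataclass(frozen=True)
class Pair:
    """(m, u): a witness m paired with a proof term u."""
    witness: str
    proof: object

@dataclass(frozen=True)
class Par:
    """The parallel term written 'u a v' in the text; a is the channel."""
    channel: str
    left: "Term"
    right: "Term"

@dataclass(frozen=True)
class Var:
    """A proof-term variable: an ordinary x or a channel name a_j."""
    name: str

@dataclass(frozen=True)
class App:
    """Application, enough to build terms of the shape x sigma."""
    fun: "Term"
    arg: "Term"

Term = Union[Pair, Par, Var, App]

def elementary_processes(t: Term, scope: tuple = ()) -> List[Tuple[Term, tuple]]:
    """Flatten u_0 a_1 u_1 ... a_k u_k into [(u_i, channels in scope)], left to right."""
    if isinstance(t, Par):
        inner = scope + (t.channel,)
        return elementary_processes(t.left, inner) + elementary_processes(t.right, inner)
    return [(t, scope)]

def classify(p: Term, channels: tuple) -> str:
    """Shape of one elementary process, after the case split in the proof of Theorem 4.3."""
    if isinstance(p, Pair):
        return "pair"
    if isinstance(p, Var):
        return "channel variable" if p.name in channels else "free variable"
    return "applied term"

def witnesses(t: Term) -> List[str]:
    """Return m_0, ..., m_k if t is a Herbrand normal form, else raise ValueError."""
    found = []
    for i, (p, channels) in enumerate(elementary_processes(t)):
        kind = classify(p, channels)
        if kind != "pair":
            raise ValueError(f"elementary process {i} is a {kind}, not a pair (m, u)")
        found.append(p.witness)
    return found

def is_herbrand_nf(t: Term) -> bool:
    """Definition 4.1: pairs closed under the parallel operator."""
    return all(isinstance(p, Pair) for p, _ in elementary_processes(t))

# Constructed samples (the names m0, u0, x are placeholders).
HNF = Par("a", Pair("m0", Var("u0")), Par("b", Pair("m1", Var("u1")), Pair("m2", Var("u2"))))
STUCK = Par("a", Pair("m0", Var("u0")), App(Var("x"), Pair("m1", Var("u1"))))
DANGLING = Par("a", Pair("m0", Var("u0")), Var("a"))
```

The two rejected samples correspond to the shapes that the proof of Theorem 4.3 rules out for closed realizers: a variable applied to a stack, and a bare channel variable.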

Proposition 4.2 (Herbrand Normal Forms and Herbrand Disjunctions).
Suppose that Γ ⊢ u : ∃α A in LC and u is an Herbrand normal form
Proof. We proceed by induction on k.
If k = 0, then u = (m 0 , v 0 ) and thus Γ ⊢ v 0 : A[m 0 /α], which is the thesis. If k > 0, then u = w 1 a i w 2 , for some 1 ≤ i ≤ n and . . .
Our last task is to prove that every closed realizer of any existentially quantified statement ∃α A includes an exhaustive sequence m 1 , m 2 , . . . , m k of possible witnesses.

Theorem 4.3 (Herbrand Disjunction and Realizability).
Let ∃α A be any formula. Suppose t ∃α A, t contains neither free proof term variables nor A, and t ≻ * u ∈ HNF. Then u is an Herbrand normal form
Proof. By Proposition 3.2 u = u 0 a 1 u 1 a 2 . . . a k u k where for each 0 ≤ i ≤ k, either u i = x σ, with x = a 1 , . . . , a n or u i = a j , with 1 ≤ j ≤ k, or u i is a value. Since u i does not contain free proof term variables other than a 1 , . . . , a k , it cannot be of the form u i = x σ. Moreover, u i : ∃α A, hence u i cannot be equal to some a j , because a j must have type B → C. Therefore u i is a value, according to Definition 3.1, and the only possible shape compatible with its type ∃α A is (m i , u i ). We have thus shown that u is an Herbrand normal form which is the thesis.
As a corollary, we obtain that Dummett's logic LC is Herbrand constructive.
Then there is a proof term u such that t ≻ * u ∈ HNF, LC ⊢ u : ∃α A and u is an Herbrand
Proof. By the Subject Reduction Theorem 2.7, LC ⊢ u : ∃α A. By the Adequacy Theorem 3.8, t ∃α A and the thesis follows from Theorem 4.3.
We suggest interpreting an Herbrand normal form in the following way. Each (m i , u i ) represents the result of an intuitionistic computation of a witness in a possible universe. These witnesses have been obtained by communication coming from other intuitionistic computations in other parallel universes. It is that process of interaction and dialogue between different possible computations that generates the Herbrand normal forms.
4.1. Parallel Reductions. Head reduction, of course, is sequential computation. Yet, the operator a has such a strong parallel flavour that parallel reduction strategies inevitably arise as a consequence of Normalization for head reduction. To see this, let us consider a proof term u a v of LC. By the Normalization Theorem 3.9, the head reduction of u a v reduces subterms inside the left part of the term as long as that is possible, afterwards it continues to reduce the right part and finally it stops. If we consider only the first half of the reduction, we get for some u ′ in head normal form and not of the shape C[a t σ], otherwise a further reduction inside u ′ would be possible. Thanks to the perfect logical symmetry of the term u a v, also v a u is a term of the same type. Again, we can reduce for some v ′ in head normal form and not of the shape C[a t σ]. The point is that the head reductions (4.1) and (2) can be made in parallel and what we get, u ′ a v ′ , is not only a term of the same type as u a v and with no more free variables, it is also a head normal form!

Second-Order Intuitionistic Logic with Dummett's Axiom
At the time of this writing, there is no known cut-free sequent calculus for second-order intuitionistic logic with Dummett's Axiom, which we call LC 2 . Even if there were one, the situation would be similar to what happens in the hypersequent calculus for second-order Gödel-Dummett logic [27]: there is no known cut-elimination procedure, only a semantical proof that valid statements can be proved without cuts. Why? This state of affairs is reminiscent of the status of Takeuti's conjecture [33], a problem which resisted the effort of the best researchers for many years in the 1950-60's, and was solved constructively in 1971 by Girard (see [19]). It asked whether the now standard second-order sequent calculus was cut-free. A cut-elimination procedure for intuitionistic second-order sequent calculus was finally obtained only through translation to natural deduction, where the powerful Tait-Girard reducibility settles the matter. This shortcoming of sequent calculus is even worse in the case of hypersequent calculus, which is more complicated and for which no cut-elimination procedure is known at second order.
In this section, we consider second-order natural deduction for LC 2 and prove the Normalization of head reduction. Unlike in hypersequent calculus, where second-order cut-elimination requires climbing a steep and cold combinatorial mountain, extending classical realizability to the second-order case is like a quiet stroll on a peaceful and sunny countryside road. Indeed, classical realizability was introduced directly in the second-order case by Parigot [28] and Krivine [25], without even bothering with the first-order case. We follow once again Krivine's later formulation [26].
The language L 2 of LC 2 extends L in the standard way, adding second order predicate variables, representing sets of individuals. . . , m n ) and X(m) such that P is a predicate symbol of arity n, X is a predicate variable and m, m 1 , . . . , m n are terms of L 2 . We assume to have a 0-ary predicate symbol ⊥ which represents falsity. The natural deduction for LC 2 and LC ⋆ 2 extends respectively the natural deduction for LC and the one for LC ⋆ with the following inference and reduction rules (see Girard [19]):

Second-Order Universal Quantification:
t : where in the left rule X does not occur free in the types of the free variables of A.
Reduction Rule for Universal Quantification: (ΛX u)(λαB) → u[λαB/X]
Definition 2.3 of stack is extended to LC ⋆ 2 by allowing expressions (λαB), with B a formula, to appear in the stack, and Definition 2.4 of head redex is extended to the terms of LC ⋆ 2 by saying that (ΛX u)(λαB) is the head redex of (ΛX u)(λαB) σ for every stack σ. The reduction relation ≻ for the terms of LC ⋆ 2 is then defined as in Definition 2.5. In the following, we define HN ⋆ to be the set of normalizing proof terms of LC ⋆ 2 .
In order to define second-order realizability we need the concept of realizability opponent, which is nothing but a function mapping terms of L 2 to arbitrary sets of stacks adapted to some fixed type. The idea is that an arbitrary realizability opponent represents the sets of tests that an arbitrary definition of realizability requires a term to pass in order to declare it a realizer.
(1) A stack σ of LC ⋆ 2 is said to be adapted to a type C, if for all terms t of type C, t σ is still a term of LC ⋆ 2 .
(2) A realizability opponent of type λαC is any function that maps each term m of L 2 to a set of stacks adapted to C[m/α]. We assume that for each realizability opponent X of type C there is in L 2 an opponent predicate constant X of type λαC associated to it.
Realizability for LC ⋆ 2 extends realizability for LC ⋆ to second-order quantification. The idea is the usual one: we would like to define t ∀X A as: for all formulas B, t (λαB) A[λαB/X], but we cannot. So we define t ∀X A as t A for all possible definitions of realizability which X can be assigned to, that is, for all reducibility opponents that replace X.
Definition 5.3 (Classical Realizability for LC ⋆ 2 ). Assume t is a term of LC ⋆ 2 and C is a formula of L 2 . We define by mutual induction the relation t C ("t is reducible of type C") and a set ||C|| of stacks of LC ⋆ 2 according to the form of C:
The next proposition says that in the definition of ||A[λαB/X]||, we can replace λαB with the realizability opponent corresponding to it, transforming in this way an intensionally defined set into an extensionally defined object.
We extended Proposition 3.4 by showing that realizability is also sound with respect to second-order quantification elimination.
We extended Proposition 3.5 by showing that realizability is also sound with respect to second-order quantification introduction.
The Adequacy Theorem is readily extended to second-order realizability.
Theorem 5.7 (Adequacy Theorem). Suppose that w : A in the system LC 2 , with w having free variables among x A 1 1 , . . . , x An n . Let r 1 , . . . , r k and B 1 , . . . , B m be respectively terms of L 2 and realizability opponents of type λβ 1 B 1 , . . . , λβ m B m . For every formula C, set C = C[r 1 /α 1 · · · r k /α k B 1 /X 1 · · · B m /X m ]. If there are terms t 1 , . . . , t n such that for i = 1, . . . , n, t i A i then w[r 1 /α 1 · · · r k /α k λβ 1 B 1 /X 1 · · · λβ m B m /X m ][t 1 /x A 1 1 · · · t n /x An n ] A Proof. For any term v, we define v := v[r 1 /α 1 · · · r k /α k λβ 1 B 1 /X 1 · · · λβ m B m /X m ][t 1 /x A 1 1 · · · t n /x An n ] We proceed by induction on w. Consider the last rule R in the derivation of w : A: we just have to deal with the second-order cases, the other ones have been settled in the proof of Theorem 3.8.
So, w = u (λαC). By inductive hypothesis u ∀X C and so u (λαB) C[λαB/X] by Proposition 5.5.
(2) If R is the second-order ∀I rule, then w = ΛX u, A = ∀X B and u : B (with X not occurring free in the types A 1 , . . . , A n of the free variables of u). So, w = ΛX u, since we may assume X = X 1 , . . . , X m . By Proposition 5.6, it is enough to prove that u[λαB/X] B[ B/X] for every realizability opponent B of type λαB, which amounts to showing that the induction hypothesis can be applied to u. For this purpose, we observe that, since X = X 1 , . . . , X m , for i = 1, . . . , n we have
As a consequence of the Adequacy Theorem 5.7, we obtain that every typed term of LC 2 is normalizable by head reduction.
We can finally prove that second-order Dummett's logic LC 2 is Herbrand constructive.