Bounded Arithmetic in Free Logic

One of the central open questions in bounded arithmetic is whether Buss' hierarchy of theories of bounded arithmetic collapses or not. In this paper, we reformulate Buss' theories using free logic and conjecture that such theories are easier to handle. To show this, we first prove that Buss' theories prove consistencies of induction-free fragments of our theories whose formulae have bounded complexity. Next, we prove that although our theories are based on an apparently weaker logic, we can interpret theories in Buss' hierarchy by our theories using a simple translation. Finally, we investigate finitistic G\"odel sentences in our systems in the hope of proving that a theory in a lower level of Buss' hierarchy cannot prove consistency of induction-free fragments of our theories whose formulae have higher complexity.


Introduction
One of the central open questions in bounded arithmetic is whether Buss' hierarchy S 1 2 ⊆ T 1 2 ⊆ S 2 2 ⊆ T 2 2 ⊆ · · · of theories of bounded arithmetic collapses [5] or not. Since it is known that collapse of Buss' hierarchy implies the collapse of the polynomial-time hierarchy [8], demonstration of the non-collapse of the theories in Buss' hierarchy could be one way to establish the non-collapse of the polynomial-time hierarchy. A natural way to demonstrate non-collapse of the theories in Buss' hierarchy would be to identify one of these theories that proves (some appropriate formulation of) a statement of the consistency of some theory below it in the hierarchy.
Here, it is clear that we need a delicate notion of consistency because of several negative results that have already been established. The "plain" consistency statement cannot be used to separate the theories in Buss' hierarchy, since Paris and Wilkie [19] show that S 2 (≡ S i 2 ) cannot prove the consistency of Robinson Arithmetic Q. Apparently, this result stems more from the use of predicate logic than from the strength of the base theory. However, Pudlák [14] shows that S 2 cannot prove the consistency of proofs that are carried out within S 1 2 and are comprised entirely of bounded formulae. Even if we restrict our attention to the induction-free fragment of bounded arithmetic, we cannot prove the consistency of such proofs, as shown by Buss and Ignjatović [6]. More precisely, Buss and Ignjatović prove that S i 2 cannot prove the consistency of proofs that are comprised entirely of Σ b i and Π b i formulae 2 Y. YAMAGATA and use only BASIC axioms (the axioms in Buss' hierarchy other than induction) and the rules of inference of predicate logic. Therefore, if we want to demonstrate non-collapse of the theories in Buss' hierarchy, we should consider a weaker notion of consistency and/or a weaker theory. A number of attempts of this type have been made, both on the positive side (those that establish provability of consistency of some kind) and on the negative side (those that establish non-provability of consistency). On the positive side, Krajíček and Takeuti [9] show that T i 2 ⊢ RCon(T i 1 ), where T i 1 is obtained from T i 2 by eliminating the function symbol #, and RCon(T i 1 ) is a sentence which states that all "regular" proofs carried out within T i 1 are consistent. Takeuti [17], [18] shows that there is no "small" strictly i-normal proof w of contradiction. Here, "w is small" means that w has its exponentiation 2 w . Although Takeuti allows induction in strictly i-normal proof w, the assumption that w is small is a significant restriction to w since bounded arithmetics cannot prove existence of exponentiation. Another direction is to consider cut-free provability. Paris Wilkie [19] mentioned above proves that I∆ 0 + exp proves the consistency of cut-free proofs of I∆ 0 . For weaker theories than I∆ 0 + exp, we need to relativized the consistency by some cut, then we get similar results [13], [2]. For further weaker theories, Beckmann [4] shows that S 1 2 proves the consistency of S −∞ 2 , where S −∞ 2 is the equational theory which is formalized by recursive definitions of the standard interpretations of the function symbols of S 2 . Also, it is known that S i 2 proves Con(G i ), that is, the consistency of quantified propositional logic G i . On the negative side, we have the results mentioned above, that is, those of Paris and Wilkie [19], Pudlák [14], and Buss and Ignjatović [6]. In addition, there are results which extend incompleteness theorem to Herbrand notion of consistency [3], [1].
In this paper, we introduce the theory S i 2 E (i = −1, 0, 1, 2 . . .), which for i ≥ 1 corresponds to Buss' S i 2 , and we show that the consistency of strictly i-normal proofs that are carried out only in S −1 2 E, can be proved in S i+2 2 . We improve on the aforementioned positive results in that 1) unlike T i 1 or G i , S i 2 E is based on essentially the same language as S i 2 , thereby making it possible to construct a Gödel sentence by diagonalization; 2) unlike Takeuti [17], [18], we do not assume that the Gödel number of the proofs which are proved consistent are small, that is, have exponentiations, thereby making it possible to apply the second incompleteness theorem-in particular, to derive a Gödel sentence from the consistency statement; 3) unlike the results on Herbrand and cut-free provability, S i 2 E has the Cut-rule, thereby, making it easy to apply the second incompleteness theorem; and 4) unlike Beckmann [4], our system is formalized in predicate logic. On the other hand, we are still unable to show that the consistency of strictly i-normal proofs is not provable within S j 2 for some j ≤ i, but see Section 5. In a sense, our result is an extension of that of Beckmann [4] to predicate logic, since both results are based on the fact that the proofs contain "computations" of the terms that occur in them. In fact, if we drop the Cut-rule from S −1 2 E, the consistency of strictly i-normal proofs can be proved in S 1 2 for any i. This "collapse" occurs since, roughly speaking, the combination of the Cut-rule and universal correspond substitution rule in PV.
S i 2 E is based on the following observation: The difficulty in proving the consistency of bounded arithmetic inside S 2 stems from the fact that inside S 2 we cannot define the evaluation function which, given an assignment of natural numbers to the variables, maps the terms of S 2 to their values. For example, the values of the terms 2, 2#2, 2#2#2, 2#2#2#2, . . . increase exponentially; therefore, we cannot define the function that maps these terms to their values, since the rate of growth of every function which is definable in S 2 is dominated by some polynomial in the length of the input [12]. With a leap of logic, we consider this fact to mean that we cannot assume the existence of values of arbitrary terms in bounded arithmetic. Therefore, we must explicitly prove the existence of values of the terms that occur in any given proof.
Based on this observation, S i 2 E is formulated by using free logic instead of the ordinary predicate calculus. Free logic is a logic which is free from ontological assumptions about the existence of the values of terms. Existence of such objects is explicitly stated by an existential predicate rather than being implicitly assumed. See [11] for a general introduction to free logic and [15] for its application to intuitionistic logic.
Using free logic, we can force each proof carried out within S −1 2 E to somehow "contain" the values of the terms that occur in the proof. By extracting these values from the proof, we can evaluate the terms and then determine the truth value of Σ b i formulae. The standard argument using a truth predicate proves the consistency of strictly i-normal proofs that are carried out only in S −1 2 . It is easy to see that such a consistency proof can be carried out in S i+2 2 . The paper is organized as follows. In Section 2 we define S i 2 E and compare it to the systems of logic defined in [11] and [15]. In Section 3 we present the main result of this paper: a proof inside S i+2 induction speedup [6] [14], therefore S −1 2 E polynomially interprets S i 2 E, i ≥ 0. This allows to prove Ef (n) for any polynomial time f in S −1 2 E by a proof whose length is bounded by some fixed polynomial of length of binary representation of n. However, this contradicts the statement of soundness (Proposition 3.20) Since the standard interpretation of all function symbols in F are a polynomial-time computable functions, all the function symbols of S 2 E are definable in S 1 2 , and we assume that Cobham's recursive definitions of polynomial-time computable functions are attached to the corresponding function symbols.
We sometimes identify the function symbols of S 2 E with their standard interpretations. The distinction between the two types of entities will be clear from the context. Definition 2.2. A set F of function symbols (for polynomial-time computable functions) is well grounded if it satisfies the following conditions. (1) F contains the n-ary constant zero function 0 n (the n-ary constant function whose value is 0); the n-ary projection function proj n l (the n-ary function that outputs the lth element in a sequence of length n), k = 1, . . . , n; and the so-called binary successor functions s 0 and s 1 , where s 0 (resp. s 1 ) is the unary function defined by s 0 (a) := 2a (resp. s 1 (a) := 2a+1). Note that the binary representation of 2a (resp. 2a+1) is obtained by appending 0 (resp. 1) to the binary representation of a, whence the moniker binary successor function.
(3) If f ∈ F is defined from functions g, h 1 , h 2 by recursion, that is, f is defined by the equations then g, h 1 , h 2 ∈ F. Cobham's limit recursion on notations can be written as above, providing Cond, # ∈ F. Since Cond, # can be defined by recursion as above, for any finite set of polynomial time functions f 1 , · · · , f n , there is a well-grounded F such that f 1 , · · · , f n ∈ F.
If F is well grounded (which is true of every set F of function symbols we consider in this paper), we can define the definition degree d(f ) of each f ∈ F.
Induction on the definition degree of f is used in Subsection 4.2 to prove the totality of f (i.e., that Ea 1 , . . . , Ea n → Ef (a 1 , . . . , a n ), where a 1 , . . . , a n are used here as meta-symbols for variables of S i 2 E). Now we define the vocabulary of S i 2 E(F, A). Definition 2.4 (Vocabulary). The vocabulary of S i 2 E(F, A) consists of the following symbols. Constant symbols: The only constant symbol of S i 2 is 0. Variables: The variables of S i 2 E are x 1 , x 2 , . . . . We often use a, b and a 1 , a 2 , . . . , b 1 , b 2 , . . ., x, y, x 1 , x 2 , . . . as meta-symbols for variables, and we often denote a finite sequence of variables by a, a ′ , or b. Function symbols: The function symbols of S i 2 E(F, A) are the symbols in the finite set F. For all i ≥ 0, we can interpret S i 2 in S i 2 E(F, A), provided that F contains the function symbols of S 2 (those for the unary functions S, ⌊ · 2 ⌋, | · | and the binary functions #, +, ·), where S is the successor function division by two rounded to 0, length defined by S(a) := a + 1 and ⌊ · 2 ⌋ is the function where a 2 is defined as the natural number n such that a ∈ {2n, 2n + 1}. As stated earlier, |a| is defined as the number of bits in the binary representation of a (by convention, |0| = 0). The binary function # is the so-called smash function defined by a#b := 2 |a||b| , and + and · are the usual addition and multiplication functions, respectively. We assume that these function symbols are contained in F. Further as we exploit the binary representations of the natural numbers (as finite bit strings), we introduce the binary function ⊕ and ⊖. ⊕(a, b) is defined as the natural number whose binary representation is the concatenation of the binary representations of the natural numbers a and b (the bits of a being the most significant bits of ⊕(a, b)). ⊖(a, b) is defined as ⌊ a 2 |b| ⌋. We also assume ⊕ and ⊖ are contained in F. From this point on, we write them in infix notation (as in u ⊕ r and u ⊖ r). Since the functions ⊖ and ⊕ are polynomial-time functions, and thus Σ b 1 -definable in S 1 2 , we use the notations u ⊕ r and u ⊖ r in our informal proofs as well as in actual formulae of S 2 and S 2 E. Predicate symbols: S i 2 E has three predicate symbols: E, =, ≤. The unary predicate E signifies that, for every term t of which E is asserted to hold, the value of t actually exists(i.e., that it converges to a standard natural number). The binary predicate = signifies equality, and ≤ signifies the less-than-or-equal-to relation. p is used as a metavariable for the predicate symbols = and ≤. • If f is an n-ary function symbol and t 1 , . . . , t n are terms, then f (t 1 , . . . , t n ) is a term.
We use s, t, t 1 , t 2 , . . . , u 1 , u 2 , . . . as meta-variables for terms, and we often denote a finite sequence of terms by s or t.
For the functions S, s 0 , s 1 , we omit parentheses, instead denoting S(t), s 0 (t), and s 1 (t) by St, s 0 t, and s 1 t, respectively. Also, we write ⌊ t 2 ⌋ or ⌊ 1 2 t⌋ for ⌊ · 2 ⌋t, and we write the binary functions #, +, · in infix notation, as in t + u.
We define numerals as terms which are constructed from s 0 , s 1 , and 0 alone. They are used in S i 2 E to denote natural numbers. We (informally) use the numbers 0, 1, 2, . . . (represented in the decimal system) to denote numerals. In general, we use the same notation for numerals as for the corresponding natural numbers. The distinction between the two types of entities will be obvious from the context. Definition 2.6 (Formulae). The formulae of S i 2 E are defined recursively as follows. • If t is a term, then Et is a formula.
• If p is = or ≤ and t 1 , t 2 are terms, then p(t 1 , t 2 ) is a formula.
• If p is = or ≤ and t 1 , t 2 are terms, then ¬p(t 1 , t 2 ) is a formula.
• If A and B are formulae, then A ∧ B and A ∨ B are formulae.
• If A(a) is a formula and x is a variable, then ∀x.A(x) and ∃x.A(x) are formulae.
• If A(a) is a formula, x is a variable, and t is a term, then ∀x ≤ t.A(x) and ∃x ≤ t.A(x) are formulae.
If p is = (resp. ≤), we write the formula p(t 1 , t 2 ) in infix notation, as t 1 = t 2 (resp. t 1 ≤ t 2 ). We write the negations of t 1 = t 2 and t 1 ≤ t 2 as t 1 = t 2 and t 1 ≤ t 2 , respectively. In the meta-language, a notation of the form a ≡ b means that a and b are the same syntactic construct (the same variable, the same term, the same formula, or the same sequence of variables/terms). We often write E a to denote the sequence Ea 1 , . . . , Ea k for a finite sequence a ≡ a 1 , . . . , a k of variables.
Formulae have the usual meaning, and free and bound variables are defined as usual. We sometimes write A(a) to indicate that a is possibly among the variables that occur free in A. This notation does not imply that a actually occurs in A; what it indicates is that if a does occur in A, then a occurs free in A. We tend to use meta-symbols such as x, y, x 1 , x 2 , . . . for variables that are captured by an outer quantifier, as in ∀x.A(x) or ∃x.A(x), and meta-symbols such as a, b, a 1 , a 2 , . . . , b 1 , b 2 , . . . otherwise. We write A(t) for the formula which is obtained by substituting the term t for a in A(a) (or for the variable x in A(x)). We follow the convention of assuming that variables which occur bound in A(a) and also occur in t are renamed in A(a) before such a substitution is made, so that the variables in t are not "accidentally" bound in A(t).
We say that a quantifier is bounded if it is of the form ∀x ≤ t or ∃x ≤ t. On the other hand, the quantifiers ∀x and ∃x, without the bound ≤ t, are called unbounded.
A formula of the form t 1 = t 2 or t 1 ≤ t 2 is called atomic, and a formula of the form Et, t 1 = t 2 , t 1 ≤ t 2 , t 1 = t 2 , or t 1 ≤ t 2 is called basic. Also, a formula of the form Et is called an E-form, but in contrast to the usual convention for atomic formulae in predicate logic, an E-form is defined not to be atomic.
In S i 2 E, implication is absent and negation is restricted to atomic formulae. We interpret the negation ¬A for a non E-form formula A as the De Morgan dual A, and the implication A ⊂ B as A ∨ B. As shown in Section 4.4, ¬ and ⊃ defined in this way satisfy the usual rules of inference of predicate logic, provided that all the functions represented by function symbols of S 2 E are provably total (that is, for each n-ary function symbol f , we can prove Ea 1 , . . . , Ea n → Ef (a 1 , . . . , a n )). This fact is proved in Proposition 4.3.
Since implication is absent, we cannot code bounded universal quantification by unbounded universal quantification together with implication. Therefore, we need bounded quantifiers that are constructs in their own right.
By formalizing the notion of "usual meaning," we obtain an interpretation of the formulae of S i 2 E in S 2 . Definition 2.7 (Standard Interpretation). We interpret an S i 2 E formula A in S 2 by first replacing every subformula of A which is of the form Et with the S 2 formula t = t, and then replacing the function symbols in the resulting formula with their S 1 2 definitions. Therefore, we obtain an interpretation of the S i 2 E formulae in S i 2 , and for i ∈ {−1, 0} we obtain an interpretation of the S i 2 E formulae in S 1 2 . In Subsection 4.1, we present an interpretation of the S i 2 formulae in S i 2 E(F, A) for any F that contains the function symbols of S 2 .
We say that a formula of S i 2 E is bounded if all of its quantifiers are bounded. The bounded formulae of S i 2 E are classified into hierarchies Σ b j , Π b j (j ∈ N).
. The classes Σ b j , Π b j of bounded formulae of S i 2 E are defined recursively as follows.
is the set of quantifier-free formulae (formulae without quantifiers).
. These hierarchies are used to control the strength of mathematical induction in S 2 E, just as in Buss' system.

Axioms of
In this subsection, we first discuss the conditions which all axioms of S i 2 E must satisfy. Then we introduce the logical axioms, and finally we impose certain conditions on the axioms in A that will allow us to interpret S i 2 inside S i 2 E for i ≥ 1. For our proof of consistency of strictly i-normal proofs to work, the axioms of S i 2 E must satisfy the boundedness conditions. Definition 2.9. A sequent Γ → ∆ satisfies the boundedness conditions if it has the following three properties, where a are the variables that occur free in Γ → ∆.
(1) All the formulae that occur in Γ → ∆ are basic.
(2) Every variable in a occurs free in at least one formula in Γ.
(3) There is a constant α ∈ N such that are the subterms of the terms that occur in ∆ and t Γ ( a) are the subterms of the terms that occur in Γ (for convenience, max ∅ is defined to be 1). Since the function symbols of S 2 E are definable in S 1 2 , we can regard the terms in t Γ ( a) and t ∆ ( a) as terms of S 1 2 , hence we can regard max{ t Γ ( a)} ≤ α · max{ t ∆ ( a)} as an S 1 2 formula. For our proof of consistency of i-normal proofs, we need the boundedness conditions to hold of the axioms. The third condition states that, under any given valuation of the variables that occur free in Γ → ∆, the values of the subterms of the terms in ∆ cannot exceed the values of the subterms of the terms in Γ by the constant factor α, and that this fact can be proved in S 1 2 . In general, the constant α varies from one axiom to another. Since A is finite, however, there is a single constant α that applies to all the axioms in A. For the logical axioms and the proper axioms required to interpret S i 2 E in S 1 2 , we can take α to be 4, so from this point on we assume that α = 4. This property plays a crucial role in our consistency proof. The reason for imposing the first and second boundedness conditions is that we want to avoid complexities that would otherwise arise in satisfying the third boundedness condition.
The logical axioms are divided into E-axioms and equality axioms. The E-axioms establish the basic properties of the E predicate, and the equality axioms establish the basic properties of equality.

Definition 2.11 (Equality axioms).
Ea → a = a (2.10) Axioms (2.11), (2.12), (2.13), and (2.15) are standard, but Axiom (2.10) needs an explanation. For our soundness proof, we would like to have the property that when a closed formula φ is proved, the values of the terms which occur in φ are bounded by the code for the proof of φ. Therefore, we cannot use just t = t as a substitution instance of an equality axiom with a closed term t, since we would have no control over the value of t. To deal with this problem, we add Ea to the antecedent of the usual reflexive law of equality, which ensures that the proof of t = t contains the proof of Et, and hence that the code for the proof of t = t exceeds the value of t.
Axiom (2.13) states that the binary successor functions s 0 , s 1 preserve equality. For the other function symbols, we have only a restricted preservation of equality, Ef ( a), a = b → f ( a) = f ( b), as an axiom, and not full preservation of equality, . This is because,the case of the reflexive law of equality, for sequences t, u of closed terms we want to bound the values of f ( t) and f ( u) by the code for the proof of the equality f ( t) = f ( u). Without the condition Ef ( a) in the antecedent of Axiom (2.14), we cannot ensure that this property will hold. For example, if t 1 , t 2 , u 1 , u 2 are closed terms and t 1 = u 1 , t 2 = u 2 → t 1 #t 2 = u 1 #u 2 is a substitution instance of the usual equality axiom (Axiom (2.14) with f ≡ #, a ≡ (a 1 , a 2 ), and b ≡ (b 1 , b 2 ), but without Ef ( a) in the antecedent), the values of t 1 #t 2 and u 1 #u 2 are not necessarily bounded by the code for the proof of the equality t 1 #t 2 = u 1 #u 2 . However, we can prove full preservation of equality for function symbols as a theorem, without assuming Ef ( a) (see Subsection 4.3), since we can prove that all the function symbols of S 2 E represent total functions, that is, that for all f ∈ F, E a → Ef ( a). Actually, using the Σ b 2 -PIND rule, we can prove full preservation of equality for function symbols by induction on the definition degree of f , without using Axiom (2.14) at all. However, we retain Axiom (2.14) since we want to have the equality axioms in S 1 2 E. Axiom (2.15) states that the truth value of the predicates = and ≤ is preserved by equality.
Next, we discuss the proper axioms (the axioms in A). In S i+2 2 we can prove the consistency of strictly i-normal proofs-which are carried out within S −1 2 E(F, A)-for any A all of whose elements satisfy the boundedness conditions. To interpret S i 2 inside S i 2 E(F, A), we need to have the function symbols of S 2 in F, and to have the following data axioms, separation axioms and auxiliary axioms in A.
Definition 2.14 (Defining axioms). It is clear that by Cobham's definition of polynomialtime computable functions, the defining equations for each n-ary function symbol f ∈ F can be written in the form f (u(a 1 ), a 2 , . . . , a n ) = t(a 1 , a 2 , . . . , a n ) where u(a 1 ) is one of 0, a 1 , s 0 a 1 , s 1 a 1 . For each defining equation in this form, the following axiom is in A.
Definition 2.15 (Auxiliary axioms). The auxiliary axioms are those generated from the BASIC axioms of S 2 by the following procedure. First, render these axioms free of logical connectives (see [17]). For example, the first Then for each term t that occurs in the succedent, we add Et to the antecedent. The axiom in the example becomes Eb, Finally, simplify the resulting axioms by removing the unnecessary assumptions-taking care, however, to ensure that the final version of each axiom satisfies the boundedness conditions (Definition 2.9). For example, we simplify Eb, ) and, after this simplification, this auxiliary axiom still satisfies the boundedness conditions.
From the data axioms and separation axioms, we can prove the relations n = m and n = m that hold between numerals n, m in their standard interpretations. Moreover, we can prove totality of every f ∈ F (i.e., that Ea 1 , . . . , Ea n → Ef (a 1 , . . . , a n )) from the logical axioms, the defining axioms, and Σ b 0 -PIND (see Subsection 4.2). Also, we can use the auxiliary axioms, together with other axioms and the rules of inference of S 1 2 E, to prove the interpretation of the BASIC axioms of S 2 in S 1 2 E which is defined in Subsection 4.1 (see Subsection 4.4).
From this point on, we assume that F contains all the function symbols of S 2 and that A contains all the proper axioms outlined above. All of these proper axioms, as well as the logical axioms, satisfy the boundedness conditions.

Rules of inference of
We formulate S i 2 E proofs using the sequent calculus. The rules of inference of S i 2 E consist of the rules for predicate logic (but with a modified R ¬-rule; see (2.33)) plus the PIND rule applied to Σ If we can derive a sequent Γ → ∆ from premises Γ 1 → ∆ 1 , . . . , Γ n → ∆ n , we write where R is the name of the rule. The name is often omitted if it is obvious. All the rules of inference which appear in this paper have at most three premises. The rules of inference are divided into the identity rule, the axiom rule, the structural rules, the logical rules, the Cut rule, and the PIND rule.
The identity rule is used to express that a formula A implies itself.
Identity rule: 24) The axiom rule is used to derive a sequent which is a substitution instance of an axiom, that is, a sequent of the form is an axiom, a are the variables that occur in Γ → ∆, t are the terms that are being substituted for the variables in a, and b are the variables that occur in t.
Axiom rule: 25) The structural rules are defined as usual.
Weakening rules: Exchange rules: 31) The logical rules are those of classical sequent calculus with a modified R¬-rule. The logical rules for negation are used to negate atomic formulae only, since the language of S i 2 E allows negation of atomic formulae only.
R ¬, (2.33) where p is = or ≤ and t 1 , t 2 are terms. Unlike the usual textbook definition of the R ¬-rule, in the antecedent we introduce the formulae Et 1 and Et 2 that express the existence of values of the terms t 1 and t 2 , respectively. This is because we interpret ¬p(t 1 , t 2 ) to mean that the values v 1 , v 2 of t 1 , t 2 exist and satisfy ¬p(v 1 , v 2 ). Therefore, to infer ¬p(t 1 , t 2 ) we presuppose Et 1 and Et 2 .

∧-rules:
39) The logical rules for universal quantification are of two types: bounded (indicated with a "b" following the L or R) and unbounded, corresponding to bounded and unbounded universal quantification, respectively, in the language of S i 2 E. The same is true of the logical rules for existential quantification. In both types, bounded and unbounded, the quantification (universal or existential) is done over objects that actually exist.
Bounded ∀-rules: where neither the variable a nor the variable x occurs in the term t, and a does not occur free in Γ → ∆.
Unbounded ∀-rules: 44) where neither the variable a nor the variable x occurs in neither the term t, and a does not 45) where the variable x does not occur in the term s.
47) The Cut rule is used to derive a sequent by employing an intermediate "lemma." 48) The PIND rule is used to infer statements A(t) (for formulae A(a) and terms t) from the assumption that t converges and A satisfies the induction hypothesis on the value of t.
where the variable a does not occur free in Γ → ∆. We call this the PIND rule on t. If we restrict the PIND rule to formulae A(a) from some class Φ, we call the resulting rule the Φ-PIND rule. Informally, the PIND rule expresses induction on the notations of the natural numbers represented in binary. We call A(a) the induction hypothesis, the proof of Γ → ∆, A(0) the base case, and the proofs of A(a), Γ → ∆, A(s 0 a) and A(a), Γ → ∆, A(s 1 a) the induction steps.
From the PIND rule on t, we have the following derived rule.
We call this the PIND -E rule on t. To derive this rule, we first derive . This is done via the axiom Ea → Es 0 a and propositional reasoning. Similarly, we derive A(a) ∧ Ea, Γ → ∆, A(s 1 a) ∧ Es 1 a from Ea, A(a), Γ → ∆, A(s 1 a). Then, applying PIND to A(a) ∧ Ea, we derive Et, Γ → ∆, A(t) ∧ Et. Finally, we derive Et, Γ → ∆, A(t) by purely propositional reasoning. This completes the definition of the rules of inference of S i 2 E.
2.4. Comparison to Free Logic and Scott's system. In this subsection, we briefly discuss the similarities between our system and two others: free logic (see [11] for a comprehensive summary) and Scott's E-logic [15].
Our system is quite similar to free logic with negative semantics, known as NFL, and Scott's system, in that in all three systems an equational formula t = u implies existence of the objects denoted by t and u. Moreover, in our system as well as in NFL, all the functions are strict (in Scott's terminology), that is, Ef (a 1 , . . . , a n ) implies Ea j (j = 1, . . . , n). The rules for universal and existential quantification are also similar.
On the other hand, our R¬ rule is more restrictive than that of either NFL or Scott's system. Also, we do not have full preservation of equality for functions, a 1 = b 1 , . . . , a n = b n → f (a 1 , . . . , a n ) = f (b 1 , . . . , b n ), as axioms (although that can be proved as a theorem). Furthermore, we do not have totality of functions, Ea 1 , . . . , Ea n → Ef (a 1 , . . . , a n ), as axioms (again, that can be proved as a theorem). The only functions for which we have totality as axioms are the binary successor functions s 0 and s 1 ; however, we can prove the totality of the other functions from the binary successor functions via the Σ b 0 -PIND rule.
As we will see in the next section, the restrictions we have imposed on our system are crucial to the provability in S 2 of the consistency of strictly i-normal proofs in S −1 2 E.

S i+2
2 proof of consistency of strictly i-normal proofs In this section, we define i-normal formula and strictly i-normal proof, and in S i+2 2 we prove the consistency of strictly i-normal proofs in S −1 2 E. The consistency proof is based on the facts that we can produce a Σ b i formula that constitutes a truth definition for i-normal formulae and we can apply the Σ b i+2 -PIND rule to prove the soundness of strictly i-normal proofs in S −1 2 E. The idea is that to use a term t in an S −1 2 E proof, we first need to prove that Et holds. To do this, we show that for a given assignment ρ of values to the variables in t, the value of t is bounded by the size of the proof of Et plus the size of ρ. Therefore, we can define a valuation function for terms and a truth definition for the formulae in the proof. Once we obtain the truth definition, consistency is easy to prove.
In Subsection 3.1, we describe how we assign Gödel numbers to formulae and proofs. In Subsection 3.2, we introduce a "bounded" valuation for terms and prove its basic properties. In Subsection 3.3, we introduce a "bounded" truth definition for quantifier-free formulae and then extend it to i-normal formulae. In Subsection 3.4, we introduce strictly i-normal proofs in S −1 2 E, and we prove the soundness of such proofs with respect to the truth definition given in Subsection 3. 3.

3.1.
Gödel numbers for formulae and proofs. Before proceeding to the main topics treated in this section, we need to explain how we assign Gödel numbers to the formulae of S i 2 E and to S i 2 E proofs. Since our proofs are structured as proof trees (nested sequences of formulae and rules of inference), we first assign Gödel numbers to the symbols which appear in the formulae and rules of inference of S i 2 E, using a different natural number for each symbol. Then we assign Gödel numbers to finite sequences of natural numbers, and we apply this Gödel numbering to the formulae of S i 2 E and the nodes of proof trees. In assigning Gödel numbers to sequences of natural numbers, we follow Buss' method [5]. The Gödel number of the sequence u 1 , . . . , u n is determined by the following procedure.
(1) For every j (1 ≤ j ≤ n), let u ′ j be the natural number whose binary representation is obtained by inserting 0 between consecutive bits in the binary representation of u j , and then appending 0 to the resulting bit string. (By convention, 0 ′ = 0.) For example, if the binary representation of u j is 11, then that of u ′ j is 1010; and if the binary representation of u j is 101, then that of u ′ is 100010.
(2) Define the Gödel number of u 1 , . . . , u n to be u ′ Since the binary representation of the number 3 is 11, the Gödel number of the sequence u 1 , . . . , u n is the natural number whose binary representation is obtained by inserting 11 between the binary representations of u ′ j and u ′ j+1 (j = 1, . . . , n − 1). (3) The Gödel number of u 1 is defined to be u ′ 1 , and the Gödel number of the empty sequence defined to be 0. The notation ⌈·⌉ is used for the Gödel number of any symbol or sequence. For example, the Gödel number of the formula A(a) is denoted by ⌈A(a)⌉.

Valuation of terms inside
In this subsection, we define a valuation function for the terms of S i 2 E. Our strategy in defining this valuation is to attach values to the nodes of a tree which is made up of all the subterms of the given term, and then to define the value of the term as the value attached to the root of the tree (the node that represents the entire term). We can view construction of this tree as a process of computation we undertake to obtain the value of its root.
(2) If ρ is an environment, we write ρ(x) = n to denote that (⌈x⌉, n) ∈ ρ, and we sometimes write ρ( a) to denote the sequence ρ(a 1 ), . . . , ρ(a k ) for a finite sequence a ≡ a 1 , . . . , a k of variables of S i 2 E. (3) Let σ be a term, a formula, or a sequent. ρ is an environment for σ if ρ is an environment and, for every variable x that occurs free in σ, there is a pair (⌈x⌉, n) in ρ (for some n ∈ N). (4) If ρ is an environment, and if x is a variable and n ∈ N, then ρ[x → n] denotes environment obtained from ρ by replacing the pair (⌈x⌉, ρ(x)) with (⌈x⌉, n) if there is some m ∈ N with (⌈x⌉, m) in ρ, and by adding the pair (⌈x⌉, n) to ρ otherwise. (5) Env denotes the ternary relation that holds of precisely the triples (ρ ′ , ⌈σ⌉, u) where σ is a term, a formula, or a sequent; ρ ′ is an environment for σ; u ∈ N; for every variable x of S i 2 E, there is a pair (⌈x⌉, n) in ρ ′ (for some n ∈ N) if and only if x occurs free in σ; and ρ ′ (x) ≤ u for every variable x that occurs free in σ. From this point on, we identify environments with their Gödel numbers; therefore, we regard Env as a ternary relation on N. (6) Let u ∈ N, and let σ be a term, a formula, or a sequent. BdEnv(⌈σ⌉, u) denotes the greatest m ∈ N which is (the Gödel number of) an environment ρ ′ such that Env(ρ ′ , ⌈σ⌉, u) holds. Although an environment is a sequence-not a set-of pairs, from this point on we make no reference to the order of the pairs in an environment.
For a term, formula, or sequent σ and natural numbers ρ, u, the relation Env(ρ, ⌈σ⌉, u) and the function BdEnv(⌈σ⌉, u) are Σ b 1 -definable. Also, if t is a term and ρ is an environment for t, we can extend ρ to t by recursion on the construction of t, as follows: For a fixed term t, the function that, given an arbitrary environment ρ ′ for t, maps ρ ′ to the value of ρ ′ (t) obtained by this method is definable in S 1 2 . For a fixed environment ρ, however, the function that, given an arbitrary term t ′ such that ρ is an environment for t ′ , maps t ′ to the value of ρ(t ′ ) obtained by this method is not definable in S 2 , since there are sequences of such terms t ′ for which the values of ρ(t ′ ) increase exponentially in the length of t ′ .
Definition 3.2. Let t be a term of S i 2 E, let ρ be an environment for t, and let u ∈ N. A ρ-valuation tree for t which is bounded by u is a tree w that satisfies the following conditions. (1) Every node of w is of the form ⌈t j ⌉, c where t j is a subterm of t, c ∈ N, and c ≤ u.
(2) Every leaf of w is either ⌈0⌉, 0 or ⌈a⌉, ρ(a) for some variable a in the domain of ρ.
(3) The root of w is ⌈t⌉, c for some c ≤ u. (4) If ⌈f (t 1 , . . . , t n )⌉, c is a node of w, then the children of this node are the nodes If the root of a ρ-valuation tree w for t is ⌈t⌉, c , we say the value of w is c.
The statement that t converges to the value c (and c ≤ u) is defined by the Σ b 1 formula which expresses that the following relation (which we denote by v(⌈t⌉, ρ) ↓ u c) holds: "∃w ≤ s(⌈t⌉, u) such that w is (the Gödel number of) a ρ-valuation tree for t which is bounded by u and has root ⌈t⌉, c ," where s(⌈t⌉, u) is a term whose Gödel number bounds (the Gödel numbers of) all ρ-valuation trees for t which are bounded by u.
Here are some simple facts about the relation v(⌈t⌉, ρ) ↓ u c. (2) If f is an n-ary function such that t ≡ f t 1 · · · t n for terms t 1 , . . . , t n and we have Lemmata 3.4, 3.5 and 3.6 are key properties of v that are used in our proof of the consistency of strictly i-normal proofs (Subsection 3.4). Lemma 3.4 states that substitution is provably equivalent to assignment. Lemma 3.5 states that the relation v(⌈t⌉, ρ) ↓ u c is closed upward with respect to u. Lemma 3.6 states that if u is sufficiently large, the relation v(⌈t⌉, ρ) ↓ u c coincides with the valuation of t.
Lemma 3.4. For terms t( a, a) and t ′ ( a) such that the variable a occurs in t and is not in a, the following is provable in Proof. By induction on the contraction of t.
Lemma 3.5. The following statement is provable in S 1 2 : "If v(⌈t⌉, ρ) ↓ u c and u < u ′ , then v(⌈t⌉, ρ) ↓ u ′ c." Proof. The lemma holds since if ρ-valuation tree w is bounded by u, then it is bounded by u ′ . Lemma 3.6. Let t be a term of S i 2 E, let t 1 , . . . , t m be an enumeration of all the subterms of t. Then the following statement is provable in S 1 2 : "For any environment ρ for t and u ∈ N, if ρ(t j ) ≤ u for every j, then v(⌈t⌉, ρ) ↓ u ρ(t) holds; and if ρ(t j ) > u for some j, then v(⌈t⌉, ρ) ↓ u c does not hold for any natural number c ≤ u.".
Proof. If ρ(t j ) ≤ u for every j, we can construct a ρ-valuation tree for t which is bounded by u, by induction (outside of S 1 2 ) on t. If ρ(t j ) > u for some j, then there is no ρ-valuation tree for t which is bounded by u and this fact can be proved in S 1 2 .

3.3.
Truth definition inside S i 2 . In this subsection, we give a "bounded" truth definition for quantifier-free formulae, and then we extend the definition to the formulae i-normal formulae [16], [17], [18].
First, we present a truth definition for quantifier-free formulae. Since logical symbols can be arbitrarily nested, we follow the same strategy that was used in our definition of valuation for terms. We attach a truth value to each node of a subformula tree, and we define the value attached to the root (the node that represents the entire formula) as the truth value of the formula.
Definition 3.7. Let A be a quantifier-free formula of S −1 2 E, let ρ be an environment for A, and let u ∈ N. A ρ-truth tree for A which is bounded by u is a tree w that satisfies the following conditions. Every leaf of w has one of the following five forms (where in each form the possible values of ǫ are 0 and 1): For a leaf of the form For a leaf of the form The conditions that must be satisfied by a leaf of the form ⌈t 1 = t 2 ⌉, ǫ or ⌈t 1 = t 2 ⌉, ǫ are the obvious analogues of those for ⌈t 1 ≤ t 2 ⌉, ǫ and ⌈t 1 ≤ t 2 ⌉, ǫ , respectively.
For a leaf of the form ⌈Et⌉, where the children of r are the nodes ⌈A 1 ⌉, ǫ 1 and ⌈A 2 ⌉, ǫ 2 .
For a node of the form ⌈A 1 ∧ A 2 ⌉, ǫ , ǫ = 1 if ǫ 1 = 1 and ǫ 2 = 1; otherwise, ǫ = 0. For a node of the form ⌈A 1 ∨ A 2 ⌉, ǫ , ǫ = 1 if ǫ 1 = 1 or ǫ 2 = 1; otherwise, ǫ = 0. The root of w is ⌈A⌉, ǫ for some ǫ ∈ {0, 1}. The truth of a quantifier-free formula A is defined by the Σ b 1 formula T −1 (u, ⌈A⌉, ρ) which expresses that "∃w ≤ s(⌈A⌉, u) such that w is (the Gödel number of) a ρ-truth tree for A which is bounded by u and has root ⌈A⌉, 1 ," where s(⌈A⌉, u) is a term which bounds (the Gödel numbers of) all ρ-truth trees for A which are bounded by u.
We can prove several basic properties of the truth definition T −1 .
Lemma 3.8. The following statements are provable in S 1 2 .
Lemmata 3.9, 3.10, 3.11, and 3.12 are key properties of T −1 that are used in our consistency proof. Lemma 3.9 states that substitution is provably equivalent to assignment. Lemma 3.10 states that T −1 is closed upward with respect to u. Lemma 3.11 states a reflection principle for T −1 . Lemma 3.12 states the law of the excluded middle.
Proof. Induction on the construction of A, using Lemma 3.5 for basic formulae A, and clauses 6 and 7 of Lemma 3.8 for other quantifier-free formulae.
We can prove that T −1 is a truth definition by showing a kind of reflection principle for T −1 . Proof. Induction on the construction of A, using Lemma 3.6 for basic formulae A.
Next, we would like to present a truth definition for Σ b i formulae. However, since it is technically difficult to do this for general Σ b i formulae, we restrict our definition to i-normal formulae. Since i ∈ {−1, 0, 1, 2, . . .}, we have −1-normal formulae, 0-normal formulae, 1-normal formulae, 2-normal formulae, and so on. If where Q i is ∀ if i is even, and ∃ if i is odd (and vice versa for Q i+1 ), and A 0 ( a, x 1 , . . . , x i+1 ) is quantifier free and does not contain the predicate E. Note that if i ≥ 0, then a pure i-normal formula has at least one quantifier, so quantifier-free formulae are not pure inormal. Also note that unlike the variables x 1 , . . . , x i (which are bounded by the values of the terms t 1 , . . . , t i , respectively), the value of the variable x i+1 is bounded by |t i+1 ( a, x 1 , . . . , x i )|, that is, by the number of bits in the binary representation of the value of the term t i+1 ( a, x 1 , . . . , x i ).
it is a subformula of a pure i-normal formula or is Et for some term t. In other words, A( a) is either an E-form, a quantifier-free formula that does not contain E, or a formula of the form , x 1 , . . . , x i )|.A 0 ( a, x 1 , . . . , x i+1 ), (3.3) where A 0 ( a, x 1 , . . . , x i+1 ) is quantifier free and does not contain E; 1 ≤ j ≤ i + 1; and for every k with j ≤ k ≤ i + 1, Q k is either ∀ or ∃, according as k is even or odd. If j = i + 1, the above formula is Q i+1 x i+1 ≤ |t i+1 ( a, x 1 , . . . , x i )|. A 0 ( a, x 1 , . . . , x i+1 ).
The following is a truth definition T i (u, ⌈B⌉, ρ) for i-normal formulae B. First, we define a truth definition T i,l for i-normal forms with l quantifiers. Definition 3.14. Let i ≥ −1, let B be an i-normal formula with l quantifiers. Note that 0 ≤ l ≤ i + 1. We define T i,l (u, ⌈B⌉, ρ) by recursion on l in the meta-language.
Then, let INQ(⌈B⌉, l) be a formula which represents "B is an i-normal form with l quantifiers". we define T i (u, ⌈B⌉, ρ) as Since we can contract successive ∃ quantifiers into a single ∃ quantifier, T i (u, ⌈B⌉, ρ) is Σ b i+1 . Lemmata 3.15 and 3.16 are key properties of T i that are used in our consistency proof. Lemma 3.15 states that substitution is provably equivalent to assignment. Lemma 3.16 states that T i is closed upward with respect to u. Similarly, we can use Lemma 3.10 to prove upward closedness of T i with respect to u.

Lemma 3.16. For an i-normal formula A, it is provable in
As the clause 9 of Lemma 3.8, if ρ contains variables other than free variables which occurs in A, we can ignore such variables.
By definition of T i , we see that we can take the outermost quantifier of an i-normal formula whose Gödel number is the second argument of T i and move it to the outside of T i .

Lemma 3.18. Let ∀x ≤ t.A(x) and ∃x ≤ t.A(x) be i-normal formulae with at least one quantifier (and whose outermost quantifier is of the indicated type). Then the following is
3.4. Strictly i-normal proofs and their consistency. Since we have defined truth for i-normal formulae only, we can define soundness for only those proofs that consist entirely of i-normal formulae. We call such proofs strictly i-normal, and we use the term strictly i-normal proof tree for Γ → ∆ to mean a tree w which represents a proof of Γ → ∆. In such a tree, every node r has the form R, ⌈Γ r → ∆ r ⌉, w 1 , . . . , w l(R) , where R is a name of inference, Γ r → ∆ r is the conclusion of the inference, and l(R) is a number of premises of R. If l(R) = 0, the node has the form R, ⌈Γ r → ∆ r ⌉ .
Definition 3.19. An S −1 2 E proof is strictly i-normal if all formulae contained in the proof are i-normal. The property "w is (the Gödel number of) a strictly i-normal proof tree for Γ → ∆" is ∆ b 1 -definable. We write i -Prf(w, ⌈Γ → ∆⌉) for the ∆ b 1 formula that defines this property.
Proposition 3.20. Let Γ → ∆ be a sequent comprised entirely of i-normal formulae, and let u, w ∈ N such that i -Prf(w, ⌈Γ → ∆⌉) holds, w ≤ u, and the binary representation of u is of the form 11 · · · 1, that is, all the bits are 1. Then for every node r of w, the following holds (where ρ denotes an environment as well as its Gödel number and Γ r → ∆ r denotes the conclusion of the subproof which corresponds a node r).
Furthermore, this is derivable in S i+2 2 . Proof. We prove the proposition by tree induction on r. Since the formula in (3.7) is Π b i+2 , our proof can be carried out in S i+2 2 . Let ρ ≤ BdEnv(⌈Γ r → ∆ r ⌉, u), assume that Env(ρ, ⌈Γ r → ∆ r ⌉, u), and let u ′ ≤ u ⊖ r. Note that u ≥ r, since u ≥ w ≥ r. Therefore, u ′ ⊕ r ≤ u ⊖ r ⊕ r ≤ u, since all the bits in the binary representation of u are 1. We use this fact throughout this proof.
We prove that if ∀A ∈ Γ r , T i (u ′ , ⌈A⌉, ρ) holds, then ∃B ∈ ∆ r , T i (u ′ ⊕ r, ⌈B⌉, ρ), by considering all possible forms for the last inference in the derivation of Γ r → ∆ r .
Since there are only finite many axioms, we use case analysis on the axiom which derives this substitution instance. Assume that ∀A ∈ Γ, T i (u ′ , ⌈A( s( a))⌉, ρ). Let Γ( b) → ∆( b) be the axiom into which the substitution was made. By the assumption on A, this axiom satisfies the boundedness conditions (Definition 2.9). Moreover, its standard interpretation (given in Definition 2.7) is derivable in S i+2 2 . By the first boundedness condition, all the formulae in Γ and ∆ are basic. Let b = b 1 , . . . , b l and s( a) = s 1 ( a), . . . , s l ( a), where s k ( a) is the term that was substituted for the variable b k in the application of the axiom rule (k = 1, . . . , l). By the second boundedness condition, b k occurs in Γ, so by Lemma 3.15 Let t Γ ( b) be the subterms of the terms that occur in Γ( b), and let t ∆ ( b) be the subterms of the terms that occur in ∆( b). Since all formulae occur in Γ and ∆ are basic, b are all variables contained t Γ ( b) and Γ( b). Since the function symbol of S i 2 E is definable in S 1 2 , we can view the terms in t Γ ( b) and t ∆ ( b) as terms of S 1 2 . By the third boundedness condition, the relation , we have max{ t Γ ( d)} ≤ u ′ . By Lemma 3.11, we have that, for every A in Γ, A( d) is true (in the meta-language). Since Γ( d) → ∆( d) holds (in the meta-language), there is some B in ∆ such that B( d) is true (in the meta-language). Since we can take α to be 4, we have max{ t ∆ ( d)} ≤ 4 · u ′ ≤ u ′ ⊕ r. Let c = F V (B( b)). Then T i (u ′ ⊕ r, ⌈B( c)⌉, ρ[ c → d] holds by Lemma 3.18. By Lemma 3.5 and the fact that v(⌈s k ( a)⌉, ρ) ↓ u ′ d k (k = 1, . . . , l), we obtain v(⌈s k ( a)⌉, ρ) ↓ u ′ ⊕r d k . Using that result and Lemma 3.15, we have T i (u ′ ⊕ r, ⌈B( s( a))⌉, ρ), so we are done.

∨-rules:
The proofs for ∨-rules are similar to the proofs for ∧-rules.
Rb ∀, (3.17) where neither the variable a nor the variable x occurs in the term t, and a does not occur free in Γ → ∆.
Assume that T i (u ′ , ⌈Et⌉, ρ) and ∀B ∈ Γ, T i (u ′ , ⌈B⌉, ρ). Since T i (u ′ , ⌈Et⌉, ρ) holds, there is some c ≤ u ′ such that v(⌈t⌉, ρ) ↓ u ′ c. Let d be any natural number such that d ≤ c. Then T i (u ′ , ⌈a ≤ t⌉, ρ[a → d]) holds by Lemma 3.11 and the fact that . Furthermore, since a does not occur free in Γ, we have Note that ρ[a → d] is an environment for Γ r 1 → ∆ r 1 , since every variable other than a that occurs free in Γ r 1 → ∆ r 1 also occurs free in Γ r → ∆ r . Moreover, ρ[a → d](y) ≤ u for every variable y that occurs free in Γ r 1 → ∆ r 1 , since d ≤ c ≤ u ′ ≤ u. Since Env(ρ, ⌈Γ r → 24 Y. YAMAGATA ∆ r ⌉, u), Env(ρ[a → d], ⌈Γ r 1 → ∆ r 1 ⌉, u) holds. By the induction hypothesis applied to r 1 together with the fact that u ′ ≤ u ⊖ r ≤ u ⊖ r 1 , either ∃C ∈ ∆, If there is some C in ∆ such that T i (u ′ ⊕ r 1 , ⌈C⌉, ρ[a → d]), then we have T i (u ′ ⊕ r 1 , ⌈C⌉, ρ), since a does not occur free in D. Hence we are done by Lemma 3.16 and the fact that u ′ ⊕ r 1 ≤ u ′ ⊕ r, so assume otherwise. Then holds. Since d was an arbitrary natural number less than or equal to c, by Lemma 3.18 we have T i (u ′ ⊕r 1 , ⌈∀x ≤ t.A(x)⌉, ρ). Since u ′ ⊕r 1 ≤ u ′ ⊕r, we are done by Lemma 3.16.
Bounded ∃-rules: . . . . r 1 18) where neither the variable a nor the variable x occurs in the term t, and a does not occur free in Γ → ∆. Assume

]) holds by Lemma 3.11 and the fact that
Note that ρ[a → d] is an environment for Γ r 1 → ∆ r 1 , and that ρ[a → d](y) ≤ u for every variable y that occurs free in Γ r . Thus by the induction hypothesis applied to r 1 together with the fact that u ′ ≤ u⊖r ≤ u⊖r 1 , there is some C in ∆ such that T i (u ′ ⊕r 1 , ⌈C⌉, ρ[a → d]). Since a does not occur free in C, we have T i (u ′ ⊕ r 1 , ⌈C⌉, ρ). Therefore, we are done, by Lemma 3.16 and the fact that u ′ ⊕ r 1 ≤ u ′ ⊕ r.
Rb ∃, (3.19) where the variable x does not occur in the term s.
If there is some C in ∆ such that T i (u ′ ⊕ r 1 , ⌈C⌉, ρ 1 ), then we have T i (u ′ ⊕ r 1 , ⌈C⌉, ρ) by Lemma 3.17. Hence we are done by Lemma 3.16 and the fact that u ′ ⊕ r 1 ≤ u ′ ⊕ r, so assume otherwise.
Theorem 3.21. Let i -Con ≡ ∀w.¬i -Prf(w, ⌈→⌉), which states that there is no strictly i-normal proof of the empty sequent →. Then Proof. We informally argue inside of S i+2 2 . Assume that i -Prf(w, ⌈→⌉) holds for some w. Let u be as in the statement of Proposition 3.20, let ρ be the empty environment, and let r be the root of w. Then we obtain [∀A ∈ Γ r , T i (u ′ , ⌈A⌉, ρ)] ⊃ [∃B ∈ ∆ r , T i (u ′ ⊕ r, ⌈B⌉, ρ)]. However, both Γ r and ∆ r are empty. Therefore, we obtain [∀A ∈ ∅, T i (u ′ , ⌈A⌉, ρ)] ⊃ [∃B ∈ ∅, T i (u ′ ⊕ r, ⌈B⌉, ρ)]. Since there is no A ∈ ∅, the premise is true. But since there is no B ∈ ∅, the conclusion cannot be true. This is a contradiction. Therefore, the formula ∀w.¬i -Prf(w, ⌈→⌉) holds.

4.
Bootstrapping Theorem of S i 2 E In this section, we establish the correspondence between S i 2 E and S i 2 . We show that S i 2 E has essentially the same strength as S i 2 if i ≥ 1. The theorem which establishes the correspondence is called the Bootstrapping Theorem (Theorem 4.2), following Buss' use of the term "bootstrapping" in [5], since we bootstrap from the restricted set of axioms of S i 2 E to the full power of S i 2 . We present a proof of the theorem in four "phases" of bootstrapping. In the first phase, we show that all the functions of S 2 E are provably total. Each of the remaining phases applies to a particular class of inferences of S i 2 , and we show that all the inferences covered in each phase are admissible in S i 2 E (if properly translated from S i 2 to S i 2 E), that is, that if all the premises of an inference covered in a given phase are provable in S i 2 E, then the conclusion of that inference is also provable in S i 2 E (Definition 4.7). The Bootstrapping Theorem (Theorem 4.2) then follows from the fact that every inference of S i 2 is treated in some phase of the bootstrapping. Even the axioms are included in this, since an axiom is just a rule of inference with no premise.

Translation of theorems of
In this subsection, we introduce a translation of S i 2 formulae to the language of S i 2 E and state the Bootstrapping Theorem (Theorem 4.2). Definition 4.1. The formulae of S i 2 are translated into formulae of S i 2 E by replacing every formula of the form A ⊃ B with one of the form ¬A ∨ B, and using De Morgan duality to replace every formula of the form ¬A with a logically equivalent formula in which every subformula prefaced with the negation symbol "¬" is of the form t 1 = t 2 or t 1 ≤ t 2 . We call this translation the * -translation and denote the * -translation of A by A * . Formally, the * -translation is defined as follows.
Γ * is the sequence of formulae which is obtained by applying * to the formulae in the sequence Γ.
The following theorem states that S i 2 E proves the * -translations of sequents derivable in S i 2 if i ≥ 0. The rest of this section is devoted to a proof of the Bootstrapping Theorem. To simplify the notation, we write S i 2 E for S i 2 E(F, A)

4.2.
Bootstrapping Phase I: S i 2 E proves totality of its functions. In this subsection, we prove that if i ≥ 0, all the functions of S i 2 E are provably total, that is, that S i 2 E ⊢ E a → Ef a for every function symbol f ∈ F. The proof is by induction (in the meta-language) on the definition degree of f (Definition 2.3).
The reason for specifying that i ≥ 0 is that in the proof we apply the PIND rule to Σ b 0 formulae of S i 2 E. It follows from this proposition that if all the variables in a term of S i 2 E converge, then the term itself converges. Proof of Corollary 4.4. Induction on the construction of t.
The base case t ≡ 0: This is immediate, since → E0 is Axiom (2.16). The base case t ≡ a 1 : This is also immediate, by Identity (Ea 1 → Ea 1 ).
Induction step t ≡ f t 1 · · · t m : We assume that the corollary holds for t 1 , . . . , t m . Then for every j, we have an S i 2 E proof of Ea 1 , . . . , Ea n → Et j by the induction hypothesis (together with Weakening if at least one of the variables a 1 , . . . , a n does not occur in t j ). Let b 1 , . . . , b m be variables. By Proposition 4.3, we have Eb 1 , . . . , Eb m → Ef b 1 · · · b m . By the Substitution Lemma (Lemma 2.16), we have Et 1 , . . . , Et m → Ef t 1 · · · t m . Applying Cut m times (once for each j), followed by Contraction every time but the first, we obtain is an axiom (See Definition 2.14). By → E0 (Axiom (2.16)) together with Cut, we have E a → 0 n (a 1 , . . . , a n ) = 0. Using a substitution instance of Axiom (2.8) with p set to =, we can derive 0 n (a 1 , . . . , a n ) = 0 → E0 n (a 1 , . . . , a n ). Thus, we obtain Ea 1 , . . . , Ea n → E0 n (a 1 , . . . , a n ) by Cut. If f is proj n k , then E a → proj n k (a 1 , . . . , a n ) = a k (4.4) is an axiom. Using a substitution instance of Axiom (2.8) with Cut, we can derive Ea 1 , . . . , Ea n → Eproj n k (a 1 , . . . , a n ). (4.5) If f is a binary successor function s j for some j ∈ {0, 1}, then Ea → Es j a is a data axiom (Definition 2.12).
The proofs for the other equality axioms are straightforward.
Next we prove that the * -translations of the BASIC axioms of S i 2 are provable in S i 2 E. Proposition 4.6. Assume that A is a BASIC axiom.

4.4.
Bootstrapping Phase III : * -translations of predicate logic are admissible in S i 2 E. In Bootstrapping Phase III, we prove that the * -translations of the inferences of predicate logic are admissible in S i 2 E. Definition 4.7. The inference is admissible in S i 2 E. We prove the proposition by considering the various rules of inference of S i 2 . We begin by providing detailed proofs for the L ¬-rule and the R ¬-rule, in Lemma 4.9 and Lemma 4.10, respectively. Then we proceed to proofs for the ⊃-rules and the quantifier rules. The proofs for the other rules are trivial. If A is atomic, the inference given in the statement of the Lemma is an instance of the L ¬-rule of S i 2 E. In the induction step, we assume that E a, Γ * → ∆ * , A * holds and show that E a, (¬A) * , Γ * → ∆ * holds. The proof depends on the form of A.
A ≡ ∀x ≤ t.A 1 (x): Let a be a variable that occurs in neither A nor Γ → ∆. By Identity, we have A 1 (a) * → A 1 (a) * . Thus E b, Ea, a = a, A 1 (a) * → A 1 (a) * holds by Weakening, where b are the variables other than a that occur free in A 1 (a). Since a occurs free in a = a, A 1 (a) * , we can apply the induction hypothesis to E b, Ea, a = a, A 1 (a) * → A 1 (a) * , hence we have E b, Ea, a = a, A 1 (a) * , (¬A 1 (a)) * →.
A ≡ ∀x.A 1 (x): The proof is similar to the proof of the previous case, the main differences being that we use Ea instead of a ≤ t and we apply the unbounded counterparts of the bounded-quantifier rules of S i 2 E employed in that proof.
A ≡ ∃x.A 1 (x): The proof is similar to the proof of the previous case, the main differences being that we use Ea instead of a ≤ t and we apply the unbounded counterparts of the bounded-quantifier rules of S i 2 E used in that proof. This completes the proof for the L ¬-rule. E a, A * , Γ * → ∆ * E a, Γ * → ∆ * , (¬A) * (4.29) is admissible in S i 2 E, where a are the variables that occur free in the sequent A, Γ → ∆. Proof. By induction on A.
If A is atomic (A ≡ p(t 1 , t 2 ), where p is = or ≤), the inference given in the statement of the Lemma follows from the R ¬-rule of S i 2 E, together with E a → Et 1 and E a → Et 2 , where the latter are derivable by Corollary 4.4. In the induction step, we assume that E a, A * , Γ * → ∆ * holds and show that E a, Γ * → ∆ * , (¬A) * holds. The proof depends on the form of A.
A ≡ ∀x.A 1 (x): The proof is similar to the proof of the previous case, the main differences being that we use Ea instead of a ≤ t and we apply the unbounded counterparts of the bounded-quantifier rules of S i 2 E used in that proof.
A ≡ ∃x.A 1 (x): The proof is similar to the proof of the previous case, the main differences being that we use Ea instead of a ≤ t and we apply the unbounded counterparts of the bounded-quantifier rules used in that proof.
This completes the proof for the R ¬-rule.
Proof of Proposition 4.8. We prove that the * -translation of every inference of predicate logic is admissible in S i 2 E. We consider only the rules of inference for negation, implication, and quantification. The others are obvious. L ⊃-rule: E a, Γ * → ∆ * , A * 1 E a, A * 2 , Γ * → ∆ * E a, (¬A 1 ) * ∨ A * 2 , Γ * → ∆ * (4.30) The admissibility of this inference follows from Lemma 4.9 and the L ∨-rule of S i 2 E.
Lb ∀-rule: E a, A(t) * , Γ * → ∆ * E a, E b, t ≤ s, ∀x ≤ s.A(x) * , Γ * → ∆ * , (4.32) where the variable x does not occur in the term s, a are the variables that occur free in the sequent A(t), Γ → ∆, and b are the variables that occur in s but are not in a. Without loss of generality, we can assume that x does not occur in t. Therefore, a, b are precisely the variables that occur free in t ≤ s, ∀x ≤ s.A(x), Γ → ∆.
From the premise, we can derive E a, E b, t ≤ s, ∀x ≤ s.A(x) * , Γ * → ∆ * by the Lb ∀-rule of S i 2 E and Weakening. where a ′ are the variables that occur free in the sequent A(t), Γ → ∆ and a are the variables that occur free in the sequent ∀x.A(x), Γ → ∆. Clearly, every variable that occurs free in ∀x.A(x), Γ → ∆ also occurs free in A(t), Γ → ∆. If there is at least one variable in a ′ which is not in a, then for each such variable b, we substitute 0 for b in both Eb and t. After repeated application of Cut with the axiom → E0, we obtain E a, A(t ′ ) * , Γ * → ∆ * , where t ′ is obtained by substituting 0 in t for every variable in a ′ which is not in a.
Rb ∀-rule: E a, Ea, a ≤ t, Γ * → ∆ * , A(a) * E a, Γ * → ∆ * , ∀x ≤ t.A(x) * , (4.34) where neither the variable a nor the variable x occurs in the term t; a does not occur free in Γ → ∆; and a are the variables other than a that occur free in the sequent a ≤ t, Γ → ∆, A(a). Clearly, a are precisely the variables that occur free in the sequent Γ → ∆, ∀x ≤ t.A(x).
Using a ≤ t → Ea (a substitution instance of Axiom (2.8)), we can eliminate the Ea in the antecedent of the premise by Cut and Contraction. Therefore, we have E a, a ≤ t, Γ * → ∆ * , A(a) * . Using the Rb ∀-rule of S i 2 E, we can derive E a, Et, Γ * → ∆ * , ∀x ≤ t.A(x) * . However, since Et is derivable from E a, we obtain E a, Γ * → ∆ * , ∀x ≤ t.A(x) * . R ∀-rule: E a{, Ea}, Γ * → ∆ * , A(a) * E a, Γ * → ∆ * , ∀x.A(x) * , (4.35) where the variable a does not occur free in Γ → ∆, and a are the variables other than a that occur free in the sequent Γ → ∆, A(a). Clearly, a are precisely the variables that occur free in the sequent Γ → ∆, ∀x.A(x). Here, the formula Ea is enclosed in braces to indicate that it is not included in the premise of the * -translation of the R ∀-rule unless the variable a occurs free in A(a). Otherwise, Ea can be added to the premise by Weakening. In either case, we can derive E a, Ea, Γ * → ∆ * , ∀x.A(x) * by the R ∀-rule of S i 2 E.

∃-rules:
The proofs of admissibility of the * -translations of the ∃-rules are analogous to the proofs of admissibility of the * -translations of the ∀-rules.

4.5.
Bootstrapping Phase IV : * -translation of Σ b i -PIND rule is admissible in S i 2 E. Finally, we prove admissibility of the * -translation of the Σ b i -PIND rule of S i 2 . First, we prove that our formulation of PIND, which uses the binary successor functions, proves Buss' formulation of PIND [5], which uses ⌊x/2⌋. Lemma 4.11. Assume that Γ, Ea, A(⌊ 1 2 a⌋) → A(a), ∆ is provable in S i 2 E, where the variable a does not occur free in Γ → ∆ and A(a) is a Σ b i formula. Then Γ, E a, A(0) → A(t), ∆ is also provable in S i 2 E, where a are the variables that occur in the term t.
Proof. Note that ⌊ 1 2 s 0 a⌋ = ⌊ 1 2 s 1 a⌋ = a if Ea holds. Therefore, substituting s 0 a and s 1 a for a in Γ, Ea, A(⌊ 1 2 a⌋) → A(a), ∆ and applying Cut with Ea → Es 0 a and Ea → Es 1 a, we obtain Γ, Ea, A(a) → A(s 0 a), ∆ and Γ, Ea, A(a) → A(s 1 a), ∆, respectively. Combining Γ, A(0) → A(0), ∆ and the Σ b i -PIND -E rule, we have Γ, Et, A(0) → A(t), ∆. Since Et is derivable from E a (Corollary 4.4), we have Γ, E a, A(0) → A(t), ∆. On the other hand, it looks as though it would be difficult to prove that S i 2 ⊢ ∀x.ϕ k (x). The crux of the problem is that even if S i 2 ⊢ ∀x.ϕ k (x), there is no (known) bound on the length of a strictly i-normal proof w(d) of ϕ k (d). We know that w(d) is not bounded by t k (d), because by (5.2) that would contradict the consistency of S i 2 . However, perhaps w(d) is bounded by t l (d) for some l > k.
Finally, we prove that S i 2 ⊢ i -Con ↔ ∀x.ϕ k (x) for k ≥ 2. The proof of S i 2 ⊢ i -Con → ∀x.ϕ k (x) uses a method similar to that used in the proof of Theorem 4 on p. 135 of [5]. The proof of S i 2 ⊢ i -Con ← ∀x.ϕ k (x) is a consequence of the trivial fact that a contradiction proves anything.