Proof Theory of Riesz Spaces and Modal Riesz Spaces

We design hypersequent calculus proof systems for the theories of Riesz spaces and modal Riesz spaces and prove the key theorems: soundness, completeness and cut elimination. These are then used to obtain completely syntactic proofs of some interesting results concerning the two theories. Most notably, we prove a novel result: the theory of modal Riesz spaces is decidable. This work has applications in the field of logics of probabilistic programs since modal Riesz spaces provide the algebraic semantics of the Riesz modal logic underlying the probabilistic mu-calculus.

Riesz spaces, also known as vector lattices, are real vector spaces equipped with a lattice order (≤) such that the vector space operations of addition and scalar multiplication are compatible with the order in the following sense:

x ≤ y =⇒ x + z ≤ y + z,
x ≤ y =⇒ rx ≤ ry, for every non-negative scalar r ∈ R≥0.
The simplest example of a Riesz space is the linearly ordered set of real numbers (R, ≤) itself. More generally, for a given set X, the space R^X of all functions X → R, with operations and order defined pointwise, is a Riesz space. If X carries some additional structure, such as a topology or a σ-algebra, then the spaces of continuous and measurable functions both constitute Riesz subspaces of R^X. For this reason, the study of Riesz spaces originated at the intersection of functional analysis, algebra and measure theory and was pioneered in the 1930s by F. Riesz, G. Birkhoff, L. Kantorovich and H. Freudenthal, among others. Today, the study of Riesz spaces constitutes a well-established field of research. We refer to [LZ71,JR77] as standard references.
The definition of Riesz spaces merges the notion of lattice order with that of real vector spaces. The former is pervasive in logic and the latter is at the heart of probability theory (e.g., convex combinations, linearity of the expected value operator, etc.). Dexter Kozen was the first to observe, in a series of seminal works (see, e.g., [Koz81,Koz85]), that for the above reasons the theory of Riesz spaces provides a convenient mathematical setting for the study and design of probabilistic logics. Probabilistic logics are formal languages conceived to express correctness properties of probabilistic transition systems (e.g., Markov chains, Markov decision processes, etc.) representing the formal semantics of computer programs using probabilistic operations such as random bit generation. In a series of recent works [Mio12b,MS13a,MS13b,Mio12a,Mio11,MS17,MFM17,Mio18,Mio14,FMM20], following Kozen's program, the second author has introduced a simple probabilistic modal logic called the Riesz Modal Logic. Importantly, once extended with fixed-point operators in the style of the modal µ-calculus [Koz83], this logic is sufficiently expressive to interpret other popular probabilistic logics for verification such as probabilistic CTL (see, e.g., Chapter 8 of [BK08] for an introduction to this logic). One key contribution of [MFM17,FMM20] is a duality theory which provides a bridge between the probabilistic transition-system semantics of the Riesz modal logic and its algebraic semantics, given in terms of so-called modal Riesz spaces.
A modal Riesz space is a structure (V, ≤, ♦) such that (V, ≤) is a Riesz space and ♦ is a unary operation ♦ : V → V satisfying certain axioms (see Definition 2.16 for details). Terms without variables in the signature of modal Riesz spaces are exactly terms of the Riesz modal logic of [MFM17,FMM20]. As a consequence of the duality theory, two terms are equivalent in the transition semantics if and only if they are provably equal in the equational theory of modal Riesz spaces. This is a complete axiomatisation result (see [MFM17,FMM20] for details).
One drawback of equational axiomatisations, such as that of [MFM17,FMM20], is that the underlying proof system of equational logic is not well-suited for proof search. It is indeed often difficult to find proofs of even simple equalities. The source of this difficulty lies in the transitivity rule of equational logic: for proving the equality A = C it is sometimes necessary to come up with an additional term B and prove the two equalities A = B and B = C. Since B ranges over all possible terms, the proof search endeavour faces an infinite branching of possibilities. It is therefore desirable to design alternative proof systems that are better behaved from the point of view of proof search, in the sense that the choices available during the proof construction process are reduced to the bare minimum. The mathematical field of structural proof theory (see [Bus98] for an overview), which originated with the seminal work of Gentzen on his sequent calculus proof system LK for classical propositional logic [Gen34], investigates such proof systems. The key technical result regarding the sequent calculus, called the cut-elimination theorem, implies that when searching for a proof of a statement, only certain terms need to be considered: the so-called sub-formula property. This simplifies significantly, in practice, the proof search endeavour.
The original system LK of Gentzen has been extensively investigated and generalised. For example, sequent calculi for several substructural logics, linear logic, many modal logics and fixed-point temporal logics have been designed. One variant of the sequent calculus, called the hypersequent calculus, originally introduced by Avron in [Avr87] and independently by Pottinger in [Pot83], allows for the manipulation of non-empty lists of sequents (hence the hyper adjective) rather than just sequents. The machinery of hypersequent calculi has since been developed in several works (see, e.g., [CLR19, BCF03, CGT08, Cia18, MOG09, Cia01, Lah13]).
First Contribution: Proof Theory of Riesz Spaces. The first contribution of this work is the design of a hypersequent calculus proof system HR for the theory of Riesz spaces, together with the proof of the cut-elimination theorem. From this we obtain new proofs, based on purely syntactic methods, of well-known results such as the fact that the equational theory of Riesz spaces is decidable and that the equational theory of Riesz spaces with real (R) scalars is a conservative extension of the theory of Riesz spaces with rational (Q) scalars. These results are presented in Section 3.
Our hypersequent calculus HR is based on, and extends, the hypersequent calculus GA for the theory of lattice-ordered Abelian groups of [MOG05,MOG09]; the main technical differences between the two systems are discussed in Section 3.2. We also mention that the results of this work have been formalised using the Coq proof assistant; this formalisation has not been scrutinised by the anonymous reviewers and should therefore be taken as an external addendum of the present article.
Organisation of this work. This paper is structured in the following main sections: Section 2 - Technical Background: in this section we give the basic definitions and results regarding Riesz spaces and modal Riesz spaces and fix some notational conventions. Section 3 - Hypersequent Calculus for Riesz Spaces: this section is devoted to our hypersequent calculus proof system HR for the theory of Riesz spaces. This section is structured in several subsections, each presenting in detail a result regarding HR. Section 4 - Hypersequent Calculus for Modal Riesz Spaces: this section is devoted to our hypersequent calculus proof system HMR for the theory of modal Riesz spaces. The structure of this section matches exactly that of Section 3. This should allow for an easier comparison of the two systems and their technical differences. Section 5 - Conclusions: some final remarks and directions for future work.
Finally, for convenience, we have included the rules of the proof system GA from [MOG05,MOG09] in Appendix A.

Technical Background
This section provides the necessary definitions and basic results regarding Riesz spaces (the books [LZ71,JR77] are standard references) and modal Riesz spaces from [MFM17,FMM20], which play a key role in the duality theory of the Riesz modal logic.
2.1. Riesz Spaces. This section contains the basic definitions and results related to Riesz spaces. We refer to [LZ71,JR77] for a comprehensive reference to the subject.
A Riesz space is an algebraic structure (R, 0, +, (r)_{r∈R}, ⊓, ⊔) such that (R, 0, +, (r)_{r∈R}) is a vector space over the reals, (R, ⊓, ⊔) is a lattice and the induced order (a ≤ b ⇔ a ⊓ b = a) is compatible with addition and with scalar multiplication, in the sense that: (i) for all a, b, c ∈ R, if a ≤ b then a + c ≤ b + c, and (ii) if a ≥ b and r ∈ R≥0 is a non-negative real, then ra ≥ rb. Formally we have:

Definition 2.1 (Riesz Space). The language L_R of Riesz spaces is given by the (uncountable) signature {0, +, (r)_{r∈R}, ⊓, ⊔} where 0 is a constant, +, ⊓ and ⊔ are binary functions and r is a unary function, for all r ∈ R. A Riesz space is an L_R-algebra satisfying the set A_Riesz of equational axioms of Figure 1. We use the standard abbreviations −x for (−1)x and x ≤ y for x ⊓ y = x.
Remark 2.2. Note how the compatibility axioms have been equivalently formalised in Figure 1 as inequalities rather than implications, by using (x ⊓ y) and y as two generic terms automatically satisfying the hypothesis (x ⊓ y) ≤ y. Moreover, the inequalities can be rewritten as equations using the lattice operations (x ≤ y ⇔ x ⊓ y = x) as follows:
• (x ⊓ y) + z ≤ y + z can be rewritten as ((x ⊓ y) + z) ⊓ (y + z) = (x ⊓ y) + z, and
• r(x ⊓ y) ≤ ry can be rewritten as r(x ⊓ y) ⊓ ry = r(x ⊓ y).
Hence, since Riesz spaces are axiomatised by a set of equations, the family of Riesz spaces is a variety in the sense of universal algebra.
(3) Compatibility axioms: • (x ⊓ y) + z ≤ y + z, • r(x ⊓ y) ≤ ry, for all scalars r ≥ 0.

Example 2.3. The real numbers R together with their standard linear order (≤), expressed by taking r1 ⊓ r2 = min(r1, r2) and r1 ⊔ r2 = max(r1, r2), form a Riesz space. This is a fundamental example also due to the following fact (see, e.g., [LvA07] for a proof): the real numbers R are complete for the quasiequational theory of Riesz spaces. In particular, this means that for any two terms A, B, the equality A = B holds in all Riesz spaces if and only if A = B holds in the Riesz space (R, ≤). This provides a practical method for establishing whether an equality is derivable from the axioms of Riesz spaces and, since the first-order theory of the real numbers is decidable [Tar51], so is the equational theory of Riesz spaces. For example, −(max(r1, r2)) = min(−r1, −r2) holds universally in R and therefore −(x ⊔ y) = (−x) ⊓ (−y) holds in all Riesz spaces.
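The completeness of (R, ≤) suggests a simple way to refute candidate equalities: evaluate both sides at sample real values, reading ⊔ as max and ⊓ as min. The following sketch (with function names of our own choosing) illustrates the method; note that sampling can only refute an equality, while establishing one in general requires the decidability of the first-order theory of the reals [Tar51].

```python
import random

# Candidate Riesz identity: -(x ⊔ y) = (-x) ⊓ (-y), evaluated in (R, ≤),
# where the lattice operations are ⊔ = max and ⊓ = min.
def lhs(x, y):
    return -max(x, y)

def rhs(x, y):
    return min(-x, -y)

random.seed(0)
samples = [(random.uniform(-10, 10), random.uniform(-10, 10)) for _ in range(1000)]

# The identity survives all samples (and indeed holds in all Riesz spaces):
assert all(abs(lhs(x, y) - rhs(x, y)) < 1e-9 for x, y in samples)

# A wrong candidate, -(x ⊔ y) = (-x) ⊔ (-y), is refuted by some sample:
assert any(abs(-max(x, y) - max(-x, -y)) > 1e-9 for x, y in samples)
```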
Example 2.4. For a given set X, the set R^X of functions f : X → R is a Riesz space when all operations are defined pointwise: (f + g)(x) = f(x) + g(x), (rf)(x) = r·f(x), (f ⊓ g)(x) = min(f(x), g(x)) and (f ⊔ g)(x) = max(f(x), g(x)). Thus, for instance, the space of n-dimensional vectors R^n is a Riesz space whose lattice order is not linear.
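A minimal sketch of the pointwise operations on R^n (here n = 2), showing that the induced order is not linear:

```python
# Pointwise Riesz lattice operations on R^n, as in Example 2.4.
def join(u, v):  # u ⊔ v, pointwise max
    return tuple(max(a, b) for a, b in zip(u, v))

def meet(u, v):  # u ⊓ v, pointwise min
    return tuple(min(a, b) for a, b in zip(u, v))

u, v = (1.0, 0.0), (0.0, 1.0)
# The induced order (u ≤ v iff u ⊓ v = u) is not linear: u, v are incomparable.
assert meet(u, v) != u and meet(u, v) != v
# Yet every pair still has a least upper bound and a greatest lower bound:
assert join(u, v) == (1.0, 1.0) and meet(u, v) == (0.0, 0.0)
```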
Convention 2.5. We use the capital letters A, B, C to range over terms built from a set of variables ranged over by x, y, z. We write A[B/x] for the term, defined as expected, obtained by substituting all occurrences of the variable x in the term A with the term B.
As observed in Remark 2.2, the family of Riesz spaces is a variety of algebras. This means, by Birkhoff's completeness theorem, that two terms A and B are equivalent in all Riesz spaces if and only if the identity A = B can be derived using the familiar deductive rules of equational logic, written ⊢_{A_Riesz} A = B.
Definition 2.6 (Deductive Rules of Equational Logic). The rules for deriving identities between terms from a set A of equational axioms are the standard ones: every axiom A = B ∈ A is derivable, equality is reflexive, symmetric and transitive, and it is preserved by substitution (from A = B derive A[C/x] = B[C/x]) and by contexts (from A = B derive C[A] = C[B]), where A, B, C are terms of the algebraic signature under consideration built from a countable collection of variables and C[·] is a context.
In what follows we denote with ⊢_{A_Riesz} A ≤ B the judgment ⊢_{A_Riesz} A = A ⊓ B.
The following elementary facts (see, e.g., [LZ71, §2.12] for proofs) imply that, in the theory of Riesz spaces, a proof system for deriving equalities can equivalently be seen as a proof system for deriving equalities with 0 or inequalities.

Proposition 2.7. The following assertions hold: ⊢_{A_Riesz} A = B if and only if ⊢_{A_Riesz} A − B = 0, if and only if both ⊢_{A_Riesz} 0 ≤ B − A and ⊢_{A_Riesz} 0 ≤ A − B.

Convention 2.8. From now on, in the rest of this paper, it will be convenient to take the derived negation operation (−A) = (−1)A as part of the signature and to restrict all scalars r to be strictly positive (r > 0). The scalar 0 ∈ R can be removed by rewriting (0)A as 0.
Definition 2.9. A term A is in negation normal form (NNF) if the operator (−) is only applied to variables.
For example, the term (−x) ⊔ (−y) is in NNF, while the term −(x ⊔ y) is not.
Lemma 2.10. Every term A can be rewritten to an equivalent term in NNF.
Proof. Negation can be pushed towards the variables by the following rewritings: −(A + B) ⇝ (−A) + (−B), −(rA) ⇝ r(−A), −(A ⊔ B) ⇝ (−A) ⊓ (−B), −(A ⊓ B) ⇝ (−A) ⊔ (−B), −(−A) ⇝ A and −0 ⇝ 0.

Negation can be defined on terms in NNF as follows.
Definition 2.11. Given a term A in NNF, the term Ā is defined as follows: the negation of a variable x is the negated variable x̄, and the negation of a negated variable x̄ is x itself; 0̄ = 0; the negation of A + B is Ā + B̄; the negation of rA is r(Ā); the negation of A ⊔ B is Ā ⊓ B̄; and the negation of A ⊓ B is Ā ⊔ B̄.

The following are basic facts regarding negation of NNF terms.
Proposition 2.12. For any term A in NNF, the term Ā is also in NNF and it holds that ⊢_{A_Riesz} Ā = −A.

Proof. We prove the result by straightforward induction on A. See Lemma 2.14[7] below for the ⊔ and ⊓ cases.

2.1.1. Technical lemmas regarding Riesz spaces. We now list some useful facts that will be used throughout the paper. The following are useful derived operators frequently used in the theory of Riesz spaces:

Symbol   Terminology       Definition
A⁺       positive part     A ⊔ 0
A⁻       negative part     (−A) ⊔ 0
|A|      absolute value    A⁺ + A⁻

Lemma 2.14. The following equations hold. Most notably, observe that Riesz spaces are distributive lattices (Lemma 2.14[8]), that sum distributes over the lattice operations (Lemma 2.14[9]) and that the least upper bound of any element with its negation is always positive (Lemma 2.14[10]).
Proof. As mentioned in Example 2.3, the Riesz space R is complete for the quasiequational theory of Riesz spaces. This means that a universally quantified Horn clause of the form (⋀_{i∈I} A_i = B_i) ⟹ A = B holds in all Riesz spaces if and only if it holds in R. Each of the listed equations can thus be verified directly in R.

Proof. For all A, B we have:

2.2. Modal Riesz Spaces. The language of modal Riesz spaces extends that of Riesz spaces with two symbols: a constant 1 and a unary operator ♦.
Definition 2.16 (Modal Riesz Space). The language L ♦ R of modal Riesz spaces is L R ∪{1, ♦} where L R is the language of Riesz spaces as specified in Definition 2.1. A modal Riesz space is a L ♦ R -algebra satisfying the set A ♦ Riesz of axioms of Figure 2.
Axioms of Riesz spaces (see Figure 1) together with:
• Positivity of 1: 0 ≤ 1,
• Linearity of ♦: ♦(x + y) = ♦(x) + ♦(y) and ♦(rx) = r♦(x),
• Positivity of ♦: 0 ≤ ♦(x) whenever 0 ≤ x,
• 1-decreasing: ♦(1) ≤ 1.

Example 2.17. Every Riesz space R can be made into a modal Riesz space by interpreting 1 with any positive element and by interpreting ♦ as the identity function (♦(x) = x) or as the constant 0 function (♦(x) = 0).
Example 2.18. The Riesz space (R, ≤) of linearly ordered real numbers becomes a modal Riesz space by interpreting 1 with the number 1, and ♦ by any linear (due to the linearity axiom) function x → rx for a scalar r ∈ R such that r ≥ 0 (due to the positivity axiom) and r ≤ 1 (due to the 1-decreasing axiom).
Example 2.19. The Riesz space R^n can be made into a modal Riesz space by interpreting 1 as the constant vector (1, . . . , 1) and ♦ as the linear map given by an n × n matrix

( r1,1  r1,2  · · ·  r1,n )
( r2,1  r2,2  · · ·  r2,n )
(  .     .    · · ·   .   )
( rn,1  rn,2  · · ·  rn,n )

such that all entries ri,j are non-negative (due to the positivity axiom) and all the rows sum up to a value ≤ 1, i.e., for all 1 ≤ i ≤ n it holds that Σ_{j=1}^{n} ri,j ≤ 1 (due to the 1-decreasing axiom). Such matrices are known as sub-stochastic matrices. Each sub-stochastic matrix M can be regarded as a probabilistic transition system (also referred to as a Markov chain) whose set S of states is S = {s1, . . . , sn} and whose transition function τ_M : S → D≤1(S), defined as τ_M(si)(sj) = ri,j, assigns to each state si ∈ S a sub-probability distribution τ_M(si) ∈ D≤1(S) specifying the probability of reaching sj from si, for any si, sj ∈ S.
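The sub-stochasticity condition can be checked mechanically; a small sketch (the matrices below are our own illustrative choices):

```python
# A matrix gives a valid interpretation of ♦ on R^n precisely when it is
# sub-stochastic: non-negative entries (positivity axiom) and every row
# summing to at most 1 (1-decreasing axiom).
def is_sub_stochastic(m):
    return all(all(r >= 0 for r in row) and sum(row) <= 1 for row in m)

assert is_sub_stochastic([[0.5, 0.25],
                          [0.0, 1.0]])
# A row summing to more than 1 violates the 1-decreasing axiom:
assert not is_sub_stochastic([[0.7, 0.6],
                              [0.0, 0.2]])
```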
For a concrete example, consider the modal Riesz space R² with ♦ interpreted by the matrix M defined as:

M = ( 1/3  1/2 )
    ( 1/3   0  )

This modal Riesz space can be identified with the Markov chain having state space S = {s1, s2} and transition function τ_M defined by τ_M(s1) = (s1 ↦ 1/3, s2 ↦ 1/2) and τ_M(s2) = (s1 ↦ 1/3, s2 ↦ 0). From the state s1 the computation progresses to s1 itself with probability 1/3, to s2 with probability 1/2, and it halts with probability 1/6 (i.e., with the remaining probability 1 − (1/3 + 1/2)). From the state s2 the computation progresses to s1 with probability 1/3 and it halts with probability 2/3.

Example 2.20 (Transition Semantics). Carrying on the previous example, given any Markov chain (S, τ_M) (i.e., equivalently, a modal Riesz space on R^n with ♦ interpreted by a sub-stochastic matrix M), each closed (i.e., without variables) modal Riesz term A is interpreted as a function ⟦A⟧ : S → R (i.e., a vector in R^n). This interpretation is inductively defined as follows: ⟦0⟧ is the constant-0 vector, ⟦1⟧ is the constant-1 vector, ⟦A + B⟧ = ⟦A⟧ + ⟦B⟧, ⟦rA⟧ = r⟦A⟧, ⟦A ⊔ B⟧ and ⟦A ⊓ B⟧ are the pointwise max and min, and ⟦♦A⟧ = M⟦A⟧, i.e., ⟦♦A⟧(si) = Σ_j τ_M(si)(sj)·⟦A⟧(sj).

A remark on notation: one might expect the symbol ♦ to come with a dual operator □ defined as □(x) = −♦(−x), as is customary in modal logic. This is not the case here since, due to linearity, −♦(−x) = ♦(x), i.e., ♦ is self-dual. While using a different symbol such as (•) might have been a better choice, we decided to stick to ♦ for backwards compatibility with previous works on modal Riesz spaces [MFM17,FMM20,LM19]. Another source of potential ambiguity lies in the "modal" adjective itself. Of course other axioms for ♦ can be conceived (e.g., ♦(x ⊔ y) = ♦(x) ⊔ ♦(y) instead of our ♦(x + y) = ♦(x) + ♦(y), see, e.g., [DMS18]). Therefore different notions of modal Riesz spaces can be investigated, just like many types of classical modal logic exist (K, S4, S5, etc.). Once again, our choice of terminology is motivated by backwards compatibility with previous works.
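For the two-state chain above, the interpretation of closed terms can be computed directly; a minimal sketch implementing only the ♦ clause, as matrix-vector multiplication:

```python
# ♦ interpreted by the sub-stochastic matrix of the example:
# tau(s1) = (s1 -> 1/3, s2 -> 1/2), tau(s2) = (s1 -> 1/3, s2 -> 0).
M = [[1/3, 1/2],
     [1/3, 0.0]]

def diamond(v):
    # ♦A evaluated at state i: sum over j of M[i][j] * A(s_j)
    return tuple(sum(M[i][j] * v[j] for j in range(2)) for i in range(2))

one = (1.0, 1.0)  # interpretation of the constant 1
# ♦1 at each state is the probability of not halting in one step:
result = diamond(one)
assert all(abs(a - b) < 1e-12 for a, b in zip(result, (5/6, 1/3)))
```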
We now expand the definitions and properties related to terms in negation normal form to modal Riesz spaces.  Negation can be defined on terms in NNF as follows.
The following are basic facts regarding negation of NNF terms.
Proposition 2.26. For any term A in NNF, the term Ā is also in NNF and it holds that ⊢_{A♦_Riesz} Ā = −A.

Hypersequent Calculus for Riesz Spaces
In this section we introduce the hypersequent calculus HR for the equational theory of Riesz spaces.
In what follows we proceed with a sequence of syntactic definitions and notational conventions necessary to present the rules of the system. We use the letters A, B, C to range over Riesz terms in negation normal form (NNF, see Definition 2.9) built from a countable set of variables x, y, z and negated variables x̄, ȳ, z̄. The scalars appearing in these terms are all strictly positive and are ranged over by the letters r, s, t ∈ R>0. From now on, the word scalar should always be understood as strictly positive scalar.
Definition 3.1. A weighted term is a formal expression r.A where r ∈ R >0 and A is a term.
Given a weighted term r.A and a scalar s we denote with s.(r.A) the weighted term (sr).A. Thus we have defined (strictly positive) scalar multiplication on weighted terms.
We use the Greek letters Γ, ∆, Θ, Σ to range over possibly empty finite multisets of weighted terms. We often write these multisets as lists, but they should always be understood as being taken modulo reordering of their elements. As usual, we write Γ, ∆ for the concatenation of Γ and ∆. We adopt the following notation:
• Given a sequence r = (r1, . . . , rn) of scalars and a term A, we denote with r.A the multiset [r1.A, . . . , rn.A]. When r is empty, the multiset r.A is also empty.
• Given a multiset Γ = [r1.A1, . . . , rn.An] and a scalar s > 0, we denote with s.Γ the multiset [s.r1.A1, . . . , s.rn.An].
• Given a sequence s = (s1, . . . , sn) of scalars and a multiset Γ, we denote with s.Γ the multiset s1.Γ, . . . , sn.Γ.
• Given two sequences r = (r1, . . . , rn) and s = (s1, . . . , sm) of scalars, we denote with r; s the concatenation of the two sequences, i.e., the sequence (r1, . . . , rn, s1, . . . , sm).
• Given a sequence s = (s1, . . . , sn) of scalars and a scalar r, we denote with (r s) the sequence (rs1, . . . , rsn).

Definition 3.2. A sequent is a formal expression ⊢ Γ where Γ is a possibly empty finite multiset of weighted terms. If Γ = ∅, the corresponding empty sequent is simply written as ⊢.
Definition 3.3. A hypersequent is a non-empty finite multiset of sequents, written as ⊢ Γ1 | ⊢ Γ2 | · · · | ⊢ Γn. We use the letters G, H to range over hypersequents. Note that, under these notational conventions, the expression ⊢ Γ could either denote the sequent ⊢ Γ itself or the hypersequent containing only the sequent ⊢ Γ. The context will always determine which of these two interpretations is intended.
We now describe how sequents and hypersequents can be interpreted by Riesz terms. This means that HR is a structural proof system, i.e., by manipulating sequents and hypersequents it in fact deals with terms of a certain specific form.
Definition 3.4 (Interpretation). We interpret weighted terms r.A, sequents ⊢ Γ and hypersequents G as the Riesz terms ⟦r.A⟧, ⟦Γ⟧ and ⟦G⟧, respectively, as follows:

Syntax                                              Term interpretation ⟦_⟧
Weighted term   r.A                                 rA
Sequent         ⊢ r1.A1, . . . , rn.An              r1A1 + · · · + rnAn
Hypersequent    ⊢ Γ1 | · · · | ⊢ Γn                 ⟦Γ1⟧ ⊔ · · · ⊔ ⟦Γn⟧

(the empty sequent is interpreted as 0). Hence a weighted term is simply interpreted as the term scalar-multiplied by the weight, a sequent is interpreted as a sum (+) and a hypersequent is interpreted as a join of sums (⊔).
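This interpretation can be evaluated in the Riesz space (R, ≤), where the join is max; a minimal sketch with an ad-hoc encoding (a weighted term is a pair of a weight and the real value of its term):

```python
# Evaluate the interpretation of a hypersequent in R: a sequent is a sum of
# weighted values, and a hypersequent is the max (join) of its sequents.
def interp_sequent(gamma):           # gamma: list of (r, value-of-A) pairs
    return sum(r * a for r, a in gamma)

def interp_hypersequent(g):          # g: non-empty list of sequents
    return max(interp_sequent(s) for s in g)

# The hypersequent  ⊢ 1.x | ⊢ 1.x̄  is interpreted as x ⊔ (−x), which is
# positive for every real value of x (cf. Lemma 2.14):
for x in (-3.0, 0.0, 2.5):
    assert interp_hypersequent([[(1.0, x)], [(1.0, -x)]]) >= 0
```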
The hypersequent calculus HR is a deductive system for deriving hypersequents whose interpretation is positive, i.e., the hypersequents G such that ⊢_{A_Riesz} 0 ≤ ⟦G⟧. The rules of HR are presented in Figure 3 and are very similar to the rules of the system GA of [MOG05,MOG09] (see Appendix A); the main difference is the use of weighted terms in sequents. We write ⊢_HR G if the hypersequent G is derivable in the system HR.
The axiom INIT allows for the derivation of (⊢), the hypersequent containing only the empty sequent; it thus corresponds to the positivity of the constant 0. The C rule (contraction) allows treating hypersequents as (always non-empty) sets of sequents. The M (mix) and S (split) rules are as in the system GA of [MOG05,MOG09]. We instead adopted the rule ID, in place of the axiom ID-ax of GA (see Appendix A). While the two are equivalent (i.e., mutually derivable) in the presence of the other rules, the formulation of ID as a rule is convenient in the statement of the M-elimination theorem later on. The T rule is novel, and can be seen as a real-valued variant of the C (contraction) rule, in that the weight of a sequent in the hypersequent can be multiplied by an arbitrary positive real number. Finally, note that the logical rules are all presented using the syntactic sugaring r.A described above: for example, taking r = (r1, r2), one valid instance of the rule (+) derives ⊢ G | Γ, r1.(A + B), r2.(A + B) from ⊢ G | Γ, r1.A, r1.B, r2.A, r2.B. This effectively allows us to apply the rule to several terms in the sequent at the same time. This feature adds some flexibility in the process of derivation construction and simplifies some proofs, but it is not strictly required. All our results hold even in a variant of the HR system where rules are allowed to act on only one term at a time.
Convention 3.6. We often have to use the same rule multiple times when building a derivation. For convenience, we may write the rule only once, with the number of times the rule is used as an exponent. If the number of times a rule is used is not known, we use a wildcard as exponent, as, for example, when the weakening rule is used to remove all sequents appearing in G.

On the one hand, we could have introduced appropriate exchange (i.e., reordering) rules and defined sequents and hypersequents as lists, rather than multisets. In the opposite direction, we could have defined hypersequents as (non-empty) sets and dispensed with the rule (C). Our choice is motivated by a balance between readability and fine control over the derivation steps in the proofs.
Remark 3.8. Note that the following CUT rule is equivalent (i.e., mutually derivable) to the CAN rule in the HR hypersequent calculus. Our choice (following [MOG09,MOG05]) of presenting the system HR using the CAN rule, rather than the equivalent CUT rule, is merely motivated by elegance and technical convenience.
In what follows we say that a hypersequent G has a CAN-free derivation (resp. M-free, T-free, etc.) if it has a derivation that never uses the rule CAN (resp. the rule M, the rule T, etc.).

3.1. Main results regarding the system HR. We are now ready to state the main results regarding the hypersequent calculus HR. Each theorem will be proven in a separate subsection of this section.
Recall that we write ⊢_{A_Riesz} A ≥ B if the inequality A ≥ B is derivable in equational logic from the axioms of Riesz spaces, and that we write ⊢_HR G if the hypersequent G is derivable in the HR proof system.
Our first technical result states that the system HR can derive all and only those hypersequents G such that ⊢_{A_Riesz} ⟦G⟧ ≥ 0.
Theorem 3.10 (Soundness). For every hypersequent G, if ⊢_HR G then ⊢_{A_Riesz} ⟦G⟧ ≥ 0.

Theorem 3.11 (Completeness). For every hypersequent G, if ⊢_{A_Riesz} ⟦G⟧ ≥ 0 then ⊢_HR G.

Our next theorem states that all the logical rules of the hypersequent calculus HR are CAN-free invertible. This means that if a hypersequent G having the shape of the conclusion of a logical rule is derivable with a CAN-free derivation, then the premises of that logical rule are also derivable by CAN-free derivations. So, for example, in the case of the (⊔) rule, if the hypersequent G | Γ, r.(A ⊔ B) has a CAN-free derivation, then so does G | Γ, r.A | Γ, r.B.

Theorem 3.12 (CAN-free Invertibility). All the logical rules are CAN-free invertible.
32:16  C. Lucas and M. Mio  Vol. 18:1

The invertibility theorem is very important for proof search. When trying to derive a hypersequent G (without CAN applications) it is always possible to systematically apply the logical rules and reduce the problem of deriving G (without CAN applications) to the problem of deriving a number of hypersequents G1, . . . , Gn where no logical symbols appear. We call such reduced hypersequents without logical symbols atomic hypersequents.
Figure 6: Systematic application of the logical rules to reduce the logical complexity.
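This reduction can be sketched as a recursive procedure. The rule shapes below are our reconstruction of the invertible logical rules (weighted-term forms of the GA-style rules) and may differ from Figure 3 in inessential details:

```python
# Reduce a hypersequent to the list of atomic hypersequents obtained by
# exhaustively applying the (invertible) logical rules.
# Terms: ('var', name), ('nvar', name), ('zero',), ('plus', A, B),
#        ('scal', s, A), ('max', A, B), ('min', A, B).

def to_atomic(g):
    """g: hypersequent = list of sequents; a sequent = list of (r, term)."""
    for i, seq in enumerate(g):
        for j, (r, t) in enumerate(seq):
            rest = seq[:j] + seq[j + 1:]
            if t[0] == 'zero':                 # (0): drop r.0
                return to_atomic(g[:i] + [rest] + g[i + 1:])
            if t[0] == 'plus':                 # (+): r.(A+B) -> r.A, r.B
                return to_atomic(g[:i] + [rest + [(r, t[1]), (r, t[2])]] + g[i + 1:])
            if t[0] == 'scal':                 # (s): r.(sA) -> (rs).A
                return to_atomic(g[:i] + [rest + [(r * t[1], t[2])]] + g[i + 1:])
            if t[0] == 'max':                  # (⊔): one premise, two sequents
                return to_atomic(g[:i] + [rest + [(r, t[1])], rest + [(r, t[2])]] + g[i + 1:])
            if t[0] == 'min':                  # (⊓): two premises
                return (to_atomic(g[:i] + [rest + [(r, t[1])]] + g[i + 1:])
                        + to_atomic(g[:i] + [rest + [(r, t[2])]] + g[i + 1:]))
    return [g]                                 # already atomic

x, nx = ('var', 'x'), ('nvar', 'x')
# Reducing ⊢ 1.(x ⊓ x̄) yields two atomic hypersequents, ⊢ 1.x and ⊢ 1.x̄:
assert to_atomic([[(1.0, ('min', x, nx))]]) == [[[(1.0, x)]], [[(1.0, nx)]]]
```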
As we will discuss later (Theorem 3.18), this procedure of simplification will lead to an algorithm for deciding if an arbitrary hypersequent G is derivable in HR or not.
The three theorems above are adaptations of similar results for the hypersequent calculus GA of [MOG09,MOG05] for the theory of lattice ordered abelian groups.
The following theorem, instead, appears to be novel. It is stated in the context of our system HR but a similar result can be proved for GA too.
Theorem 3.13 (M-elimination). If a hypersequent has a CAN-free derivation, then it has a CAN-free and M-free derivation.
Our motivation for proving the above result is mostly technical. Indeed it allows us to prove our main theorem (Theorem 3.14 below) in a rather simple way (different from that of [MOG09,MOG05]). However note how the M-elimination theorem is also useful from the point of view of proof search since it reduces the space of derivation trees to be explored.
We are now ready to state our main result regarding the system HR.
Theorem 3.14 (CAN elimination). If a hypersequent G has a derivation, then it has a CAN-free derivation.
Proof sketch. The CAN rule derives the conclusion ⊢ G | Γ from the premise ⊢ G | Γ, s.A, r.Ā, where the sequences of scalars s and r have equal sums. We show how to eliminate one application of the CAN rule. Namely, we prove that if the premise G | Γ, s.A, r.Ā has a CAN-free derivation then the conclusion G | Γ also has a CAN-free derivation. This of course implies the statement of the CAN-elimination theorem by a simple inductive argument on the number of applications of CAN in a derivation.
As a preliminary step, we first invoke the M-elimination Theorem 3.13 on the derivation of G | Γ, s.A, r.Ā to remove possible occurrences of the M rule. In other words, we can assume that the derivation of G | Γ, s.A, r.Ā does not contain applications of the M rule. This is important since the M rule is problematic to deal with in our inductive proof because its two premises can generally break the symmetry between the weights of A and Ā in the hypersequent. For instance, the induction hypothesis could not be used on the premises of an instance of the M rule whose side condition, relating the sums of s and r, is not satisfied in either of the two premises. Hence, in what follows we assume that the derivation of G | Γ, s.A, r.Ā is M-free, and the proof proceeds by induction on the structure of A. The base case is when A = x, i.e., when A is atomic. Proving this case is relatively straightforward once the critical case regarding the M rule can be ignored, as explained above.
For the inductive case, when A is a complex term, we invoke the invertibility theorem. For example, if A = B + C, the invertibility theorem states that G | Γ, s.B, s.C, r.B̄, r.C̄ must also have a CAN-free derivation (and also an M-free one, by application of the M-elimination Theorem 3.13). We then note that, since B and C both have lower complexity than A, it follows from two applications of the inductive hypothesis that G | Γ has an M-free and CAN-free derivation, as desired.
Remark 3.15. Note, with reference to Remark 3.8, that Theorems 3.13 and 3.14 together imply also a CUT-elimination theorem.
The CAN rule is not analytic, meaning that in its premise there is a term not appearing (even as a subterm) in the conclusion. This is why the above CAN-elimination theorem is of key importance, especially in the context of proof search.
However, there is another rule of HR which is not analytic: the T rule. The following theorem shows that the T rule is also admissible if the scalars appearing in the end hypersequent G are all rational numbers.
Theorem 3.16 (Rational T-elimination). If a hypersequent G with only rational numbers has a CAN-free derivation, then it has also a CAN-free and T-free derivation.
It can be shown, however, that if G contains irrational numbers, it is generally not possible to eliminate both rules CAN and T at the same time.
Proposition 3.17. The system HR without the CAN and T rules is incomplete.
As mentioned earlier, using the invertibility theorem it is possible to reduce the problem of deriving a hypersequent G to the problem of deriving a number of atomic (i.e., without logical symbols) hypersequents G1, . . . , Gn. This leads us to the following result.
Theorem 3.18 (Decidability). There is an algorithm to decide whether or not a hypersequent has a derivation.
We remark that the above statement follows easily from the soundness Theorem 3.10, the completeness Theorem 3.11 and the known fact that the equational theory of Riesz spaces is decidable (see Example 2.3). Interestingly, however, we present an alternative proof that will be adaptable, in Section 4.8, to obtain a decidability result for the system HMR. The proof is based on considering a generalisation of the concept of derivation where the scalars appearing in the hypersequents can be variables, rather than numerical constants. For instance, the derivation of ⊢ Γ, r.x, r.x̄ obtained by applying the rule ID to the axiom INIT is valid for any r ∈ R>0 and, similarly, a derivation of ⊢ r.x, s.x̄, t.x̄ built from INIT is valid for any values of reals (r, s, t) ∈ R³>0 such that r = s + t. Lastly, the hypersequent containing two scalar-variables α, β and two concrete scalars s and t,

⊢ (α² − β).x, s.x̄, t.x̄

is derivable for any assignment of concrete reals r1, r2 ∈ R to α and β such that (r1)² − r2 > 0 and (r1)² − r2 = s + t. Hence a hypersequent can be interpreted as describing the set of possible assignments to these real-valued variables that result in a valid concrete (i.e., where all scalars are numbers and not variables) derivation.
The main idea behind the proof of Theorem 3.18 is that it is possible, given an arbitrary hypersequent G, to automatically construct a formula in the first-order theory of real closed fields (FO(R, +, ×, ≤)) describing the set of valid assignments. Since this theory is decidable and admits quantifier elimination [Tar51], it is possible to verify whether this set is non-empty and to extract a valid assignment to the variables.
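The decision procedure itself relies on quantifier elimination for FO(R, +, ×, ≤); the toy sketch below only illustrates, by brute-force grid search, the satisfiability question extracted from the α, β example (with the concrete scalars fixed, as our own choice, to s = t = 1):

```python
from itertools import product

s, t = 1.0, 1.0

# Constraints extracted from the hypersequent with scalar-variables α, β:
# the variable weight (α² − β) must be strictly positive and equal s + t.
def valid(r1, r2):
    return r1 ** 2 - r2 > 0 and abs((r1 ** 2 - r2) - (s + t)) < 1e-9

# Grid search for a witness; a real decision procedure would instead use
# quantifier elimination over the real closed field [Tar51].
witnesses = [(r1, r2) for r1, r2 in product(range(-3, 4), repeat=2) if valid(r1, r2)]
assert (2, 2) in witnesses   # 2² − 2 = 2 = s + t
```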

3.2. Relations with the calculus GA and lattice-ordered Abelian groups. As mentioned earlier, our hypersequent calculus HR for the theory of Riesz spaces is an extension of the system GA of [MOG09,MOG05] for the theory of lattice-ordered Abelian groups (laG). The equational theory (A_laG) of lattice-ordered Abelian groups can be defined by removing, from the signature of Riesz spaces, the scalar multiplication operations and, accordingly, the equational axioms regarding scalar multiplication. Integer scalars (e.g., −3x) can still be used as shorthand for repeated sums (e.g., −(x + x + x)). The system HR stripped of scalars is essentially identical to the system GA.
From our Rational T-elimination Theorem 3.16 we obtain as a corollary the fact that the theory of Riesz spaces is a proof-theoretic conservative extension of the theory of lattice-ordered Abelian groups.
Proposition 3.19. Let A be a term in the signature of lattice-ordered Abelian groups (i.e., a Riesz term where all scalars are natural numbers). Then A_Riesz ⊢ A ≥ 0 if and only if A_laG ⊢ A ≥ 0.
Proof. The (⇐) direction is trivial, since A_Riesz is an extension of A_laG (using the same equalities as in Lemma 2.10, we can push the negations towards the variables using the axioms of lattice-ordered Abelian groups).
For the other direction, assume A_Riesz ⊢ A ≥ 0. Then, by the completeness theorem, the hypersequent A has an HR derivation. By the CAN-elimination and rational T-elimination theorems, A then has a CAN-free and T-free derivation. This is essentially (the trivial translation details are omitted) translatable to a GA derivation of A. Since the system GA is sound and complete with respect to A_laG, we deduce that A_laG ⊢ A ≥ 0, as desired.
Similarly, we can define the theory of Riesz spaces over the rationals (A_Q-Riesz), defined just as Riesz spaces but over the field Q of rational numbers instead of the field R of reals. Again, from Theorem 3.16, we get the following conservativity result.
Proposition 3.20. Let A be a term in the signature of Riesz spaces over the rationals. Then A_Q-Riesz ⊢ A ≥ 0 if and only if A_Riesz ⊢ A ≥ 0.
Both conservativity results are folklore in the theory of Riesz spaces. It is perhaps interesting, however, that here we obtain them in a completely syntactical (proof-theoretic) way.
Compared to the proof method used in [MOG09,MOG05] to prove the CAN-elimination theorem, our approach is novel in that our proof is based on the M-elimination theorem. We remark that a proof of all the theorems stated in this section could have been obtained without using the M-elimination theorem, instead following the proof structure adopted in [MOG09,MOG05]. The proof technique based on the M-elimination theorem will, however, be of great value in proving the CAN elimination of the system HMR in Section 4.
3.3. Some technical lemmas. Before embarking on the proofs of the theorems stated in Section 3, we prove in this section a few useful routine lemmas that will be used often.
Our first lemma states that the following variant of the ID rule (see Figure 3), where general terms A are considered rather than just variables, is admissible in the proof system HR.
Formally, we prove the admissibility of a slightly more general rule which can act on several sequents of the hypersequent at the same time.
Lemma 3.21. For all terms A, numbers n > 0, and vectors rᵢ and sᵢ, for 1 ≤ i ≤ n, such that Σrᵢ = Σsᵢ, the hypersequent [rᵢ.A, sᵢ.Ā]ⁿᵢ₌₁ is derivable.
Proof. We prove the result by induction on A.
• If A is a variable, we simply use the ID rule n times.
• If A = 0, we use the 0 rule n times.
• If A = sB, we use the × rule 2n times and conclude with the induction hypothesis.
• If A = B + C, we use the + rule 2n times and conclude with the induction hypothesis.
• For the cases A = B ⊔ C and A = B ⊓ C, we first use the ⊓ rule 2ⁿ − 1 times (once on the conclusion, then again on the two premises, then on the four premises, and so forth, until the rule has been applied in all sequents) and then the ⊔ rule n times on each premise and the W rule n times on each premise to remove the sequents containing both B and C. We can then conclude with the induction hypothesis.
Note that the premises obtained after applying the ⊓ rule can have a different shape than the displayed premise, where B and C were chosen. Indeed, the general shape of a premise can be any combination of B and C appearing in the sequents.
The next result states that derivability in the HR system is preserved by substitution of terms for variables.
Proof. We prove the result by induction on the derivation of G. Most cases are quite straightforward: we simply use the induction hypothesis on the premises and then apply the same rule. The only tricky case is when the ID rule is used on the variable x, where we conclude using Lemma 3.21.
The next lemma states that the logical rules are invertible using the CAN rule, meaning that if the conclusion is derivable, then the premises are also derivable. The difference with Theorem 3.12 is that the derivations of the premises may introduce a CAN rule.
Lemma 3.23. All logical rules are invertible.
Proof. We simply use the CAN rule to introduce the operators. We show the two most interesting cases; the other cases are trivial.
• The ⊓ rule: we assume that G | Γ, r.(A ⊓ B) is derivable and construct a derivation of G | Γ, r.A using the CAN rule.
Remark 3.24. The proof of invertibility does not introduce any new T rule, so if the conclusion of a logical rule has a T-free derivation then the premises also have T-free derivations.
The next lemmas state that CAN-free derivability in the HR system is preserved by scalar multiplication.
Proof. We simply use the C, T and S rules.
Lemma 3.26. Let r be a vector of scalars in R>0 and G a hypersequent. If ⊢HR\{CAN} G | Γ then ⊢HR\{CAN} G | r.Γ.
Proof. We reason by induction on the size of r.
If the size of r is 0: since r.Γ is the empty sequent, we simply use the W rule until we can use the INIT rule.
If the size of r is 1: we can use the T rule.
Otherwise, let (r₁, ..., rₙ₊₁) = r: we invoke the inductive hypothesis and conclude with the M rule.
The above lemmas have two useful corollaries.
3.4. Soundness - Proof of Theorem 3.10. We need to prove that if there exists an HR derivation of a hypersequent G then G ≥ 0 is derivable in equational logic (written A_Riesz ⊢ G ≥ 0). This is done in a straightforward way by showing that each deduction rule of the system HR is sound. The desired result then follows immediately by induction on the derivation of G.

• For the rule INIT: the semantics of the hypersequent consisting of only the empty sequent is 0 and therefore ≥ 0, as desired.
• For the C, ID, +, 0, × and CAN rules, it is immediate to observe that the interpretation of the only premise and the interpretation of the conclusion are equal, therefore the result is trivial.
• For the S rule: our goal is to prove that G | Γ₁ | Γ₂ ≥ 0. Again, using Lemma 2.15, we equivalently need to prove an inequality whose left-hand side is of the form A⁻ ⊓ B⁻ and, since A⁻ ≥ 0 always holds for every A (see Section 2.1.1), it suffices to show that it is ≤ 0.
• For the M rule: following the same reasoning as in the previous case (the S rule), our goal is to show that (G)⁻ ⊓ (Γ₁, Γ₂)⁻ ≤ 0.
• For the T rule: the hypothesis is G | r.Γ ≥ 0, so, using Lemma 2.15 and the same reasoning as in the S rule's case, our goal is to show that (G)⁻ ⊓ (Γ)⁻ ≤ 0. To do so, we distinguish two cases: whether or not r ≥ 1. If r ≥ 1, the inequality follows directly. Otherwise, Lemma 2.14[5] states that (G)⁻ ⊓ (Γ)⁻ ≤ 0 if and only if r.((G)⁻ ⊓ (Γ)⁻) ≤ 0, which is then proven directly.
3.5. Completeness - Proof of Theorem 3.11. In order to prove Theorem 3.11 we first prove an equivalent result (Lemma 3.29 below) stating that if A_Riesz ⊢ A = B then the hypersequents r.A, r.B̄ and r.B, r.Ā are both derivable for all r > 0. The advantage of this formulation is that it allows for a simpler proof by induction.
From Lemma 3.29 one indeed obtains Theorem 3.11 as a corollary.
Lemma 3.29. If A_Riesz ⊢ A = B then r.A, r.B̄ and r.B, r.Ā are provable for all r > 0.
Proof. By induction on the derivation of A_Riesz ⊢ A = B. It remains to consider the cases where the derivation finishes with one of the axioms of Figure 1; we only show the nontrivial cases.
Remark 3.30. By inspecting the proof of Lemma 3.29 it is possible to verify that the T rule is never used in the constructed HR derivations. This, together with the similar Remark 3.24 regarding Lemma 3.23, implies that the T rule is never used in the proof of the completeness Theorem 3.11. From this we get the following corollary.
Corollary 3.31. The T rule is admissible in the system HR.
It turns out, however, that there is no hope of eliminating both the T rule and the CAN rule from the HR system.
Lemma 3.32. Let r₁ and r₂ be two irrational numbers that are incommensurable (i.e., there is no q ∈ Q such that qr₁ = r₂). Then the atomic hypersequent G = r₁.x | r₂.x̄ does not have a CAN-free and T-free derivation.
Proof. This is a corollary of the next Lemma 3.33. The idea is that in the HR system without the T rule and the CAN rule, the only way to derive G is by applying the structural rules S, C, W, M and the ID rule. Each of these rules can be seen as adding up the sequents in G or multiplying them by a positive natural number scalar. Since r₁ and r₂ are incommensurable, it is not possible to construct such a derivation.
Lemma 3.33. For all atomic hypersequents G = Γ₁ | ... | Γₘ, built using the variables and negated variables x₁, x̄₁, ..., x_k, x̄_k, where Γᵢ = r_{i,1}.x₁, ..., r_{i,k}.x_k, s_{i,1}.x̄₁, ..., s_{i,k}.x̄_k, the following are equivalent:
(1) G has a CAN-free and T-free derivation.
(2) There exist natural numbers n₁, ..., nₘ ∈ N, one for each sequent of G, such that:
• there exists i ∈ [1..m] such that nᵢ ≠ 0, i.e., the numbers are not all 0's, and
• for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ nᵢ·r_{i,j} = Σᵢ nᵢ·s_{i,j}, i.e., the scaled (by the numbers n₁, ..., nₘ) sum of the coefficients in front of the variable x_j is equal to the scaled sum of the coefficients in front of the covariable x̄_j.
Proof. We prove (1) ⇒ (2) by induction on the derivation of G. We show only the M case, the other cases being trivial.
• If the derivation finishes with an application of the M rule, then by induction hypothesis there are n₁, ..., nₘ ∈ N and n′₁, ..., n′ₘ ∈ N, one family for each premise, such that there exists i ∈ [1..m] with nᵢ ≠ 0 and, for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ nᵢ·r_{i,j} = Σᵢ nᵢ·s_{i,j} (and similarly for the n′ᵢ).
For the other direction ((2) ⇒ (1)), if there exist numbers n₁, ..., nₘ ∈ N as in (2), then we can use the W rule to remove the sequents corresponding to the numbers nᵢ = 0, and use the C rule nᵢ − 1 times and then the S rule nᵢ − 1 times on the i-th sequent to multiply it by nᵢ. If we assume that there is a natural number l such that nᵢ = 0 for all i > l and nᵢ ≠ 0 for all i ≤ l, then the required CAN-free and T-free derivation can be constructed explicitly, where Γⁿ stands for Γ, ..., Γ (n times).
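The criterion of Lemma 3.33 is effective. As a minimal illustration (a brute-force search over small natural numbers, not the decision procedure of Section 3.10; the function name and data encoding are ours, and each variable is represented only by its total coefficient per sequent), one can test the criterion on small atomic hypersequents with integer scalars:

```python
from fractions import Fraction
from itertools import product

def satisfies_criterion(G, bound=10):
    """Lemma 3.33, condition (2): search for naturals n_1..n_m, not all 0,
    such that for every variable j the scaled sum of the coefficients of
    x_j equals the scaled sum of the coefficients of the covariable x̄_j.
    Each sequent is a pair (r, s) of coefficient tuples: r[j] is the total
    coefficient of x_j and s[j] the total coefficient of x̄_j."""
    m = len(G)
    k = len(G[0][0])
    for ns in product(range(bound + 1), repeat=m):
        if all(n == 0 for n in ns):
            continue  # the numbers must not be all 0's
        if all(sum(Fraction(n) * G[i][0][j] for i, n in enumerate(ns))
               == sum(Fraction(n) * G[i][1][j] for i, n in enumerate(ns))
               for j in range(k)):
            return ns
    return None

# The hypersequent 2.x | 2.x̄ (two sequents, one variable): n1 = n2 = 1 works.
print(satisfies_criterion([((2,), (0,)), ((0,), (2,))]))

# The hypersequent 2.x | 3.x̄: n1 = 3, n2 = 2 gives 3·2 = 2·3.
print(satisfies_criterion([((2,), (0,)), ((0,), (3,))]))

# The single sequent 2.x admits no such numbers.
print(satisfies_criterion([((2,), (0,))]))
```

This also illustrates Lemma 3.32: for incommensurable irrational scalars no natural numbers nᵢ can exist, whereas for rational scalars a solution can always be searched for effectively.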
3.6. CAN-free Invertibility -Proof of Theorem 3.12. In this section, we go through the details of the proof of Theorem 3.12.
It is technically convenient, in order to carry out the inductive argument, to prove a slightly stronger result, expressed as the invertibility of more general logical rules that can act on the same term in different sequents of the hypersequent at the same time. The generalised logical rules are shown in Figure 7. We conceptually divide the logical rules into three categories:
• the rules with only one premise that do not change the number of sequents: the 0, +, × rules;
• the rule with two premises: the ⊓ rule;
• the rule with only one premise that adds one sequent to the hypersequent: the ⊔ rule.
Because of the similarities of the rules in each of these categories, we just prove the CAN-free invertibility of one rule in each category by means of a sequence of lemmas.
• If the derivation finishes with an application of the M rule, then by induction hypothesis on the CAN-free derivations of the premises we have that G | Γ₁, r₁.A | Γ₁, r₁.B and G | Γ₂, r₂.A | Γ₂, r₂.B are derivable by CAN-free derivations. We want to prove that both G | Γ₁, r₁.A | Γ₂, r₂.B and G | Γ₂, r₂.A | Γ₁, r₁.B are CAN-free derivable, as this will allow us to conclude by an application of the M rule. If r₁ = ∅ or r₂ = ∅, those two hypersequents are derivable using the C rule and then the W rule. Otherwise, by using the W rule, Lemma 3.26 and the M rule, we obtain CAN-free derivations of G | Γ₁, r₁.A | Γ₂, r₂.B | r₂.Γ₁, r₁.Γ₂, (r₁r₂).A, (r₁r₂).B and G | Γ₂, r₂.A | Γ₁, r₁.B | r₂.Γ₁, r₁.Γ₂, (r₁r₂).A, (r₁r₂).B. We can then conclude using the S rule, Lemma 3.25 and the C rule.
This completes the prederivation into a full derivation. From this it is possible to obtain the desired CAN-free and M-free derivation of G | Γ, ∆ by using the C rule several times. In what follows, the first step is formalized as Lemma 3.37 and the second step as Lemma 3.38; in both, all non-terminated leaves are of the form G | r.∆ for some vector r.
Proof. This is an instance of the slightly more general statement of Lemma 3.39 below.
Proof. This is an instance of the slightly more general statement of Lemma 3.40 below, where:
• [∆ᵢ]ⁿ⁻¹ᵢ₌₁ = G and ∆ₙ = ∆;
• rᵢ = 1 for 1 ≤ i < n and rₙ = r.
Lemma 3.39. Let d₁ be a CAN-free and M-free derivation of [Γᵢ]ⁿᵢ₌₁ and let G be a hypersequent and ∆ a sequent. Then for every sequence of vectors rᵢ, there exists a CAN-free and M-free prederivation in which all non-terminated leaves are of the form G | r.∆ for some vector r.
Proof. By straightforward induction on d₁. If r₁ = ∅ or r₂ = ∅, we are left with the empty sequent, which is derivable. Otherwise, we conclude with Lemma 3.25.
3.8. CAN-elimination - Proof of Theorem 3.14. The CAN rule cancels matching occurrences r.A and s.Ā in a sequent. We prove Theorem 3.14 by showing that if the hypersequent G | Γ, r.A, s.Ā has an M-free and CAN-free derivation then the hypersequent G | Γ also has an M-free and CAN-free derivation.
Our proof proceeds by induction on the complexity of the term A. The base case is given by A = x (or, equivalently, A = x̄) for some variable x. The following lemma proves this base case.
Proof. The statement follows as a special case of Lemma 3.42 below, a stronger version of Lemma 3.41 that allows for a simpler proof by induction on the structure of the derivation of G | Γ, r.x, s.x̄, where:
• rₙ = r, sₙ = s and r′ₙ = s′ₙ = ∅.
For complex terms A, we proceed by using the CAN-free invertibility Theorem 3.12 as follows.
• If A = B ⊔ C, since the ⊓ rule is CAN-free invertible, G | Γ, r.(B ⊔ C), s.B̄ | Γ, r.(B ⊔ C), s.C̄ has an M-free and CAN-free derivation. Then, since the ⊔ rule is CAN-free invertible, G | Γ, r.B, s.B̄ | Γ, r.C, s.C̄ has an M-free and CAN-free derivation. Therefore we can obtain an M-free and CAN-free derivation of the hypersequent G | Γ | Γ by invoking the induction hypothesis twice on the simpler terms B and C. We can then derive the hypersequent G | Γ using the C rule.
This concludes the proof of Theorem 3.14.
We now prove Lemma 3.42, the stronger version of Lemma 3.41.
Lemma 3.42. If there is a CAN-free and M-free derivation of the hypersequent [Γᵢ, rᵢ.x, sᵢ.x̄]ⁿᵢ₌₁, then, for all rᵢ and sᵢ with 1 ≤ i ≤ n satisfying the stated condition, the hypersequent [Γᵢ]ⁿᵢ₌₁ also has one.
Proof. Most cases are trivial; we just describe the most interesting one.
• If the derivation finishes with an application of the S rule, with r₁ = (b; c) and s₁ = (b′; c′), we want to show that Γ₁, (a; r₁).x, (a′; s₁).x̄ is derivable. We prove that Σc − Σc′ = Σr₁ + Σa − (Σs₁ + Σa′); then, by induction hypothesis, (a; r₁).x, (a′; s₁).x̄ is derivable, which is the result we want.
3.9. Rational T-elimination - Proof of Theorem 3.16. We need to prove that if a hypersequent G, with all scalars in Q, has a CAN-free derivation then it also has a CAN-free and T-free derivation. Firstly, we observe that we can restrict ourselves to the case of G being an atomic hypersequent. Indeed, if G is not atomic, we can iteratively apply the logical rules (see Figure 6 on page 16) and reduce G to a number of atomic hypersequents G₁, ..., Gₙ. By the CAN-free invertibility Theorem 3.12, G is CAN-free derivable if and only if all Gᵢ are CAN-free derivable.
Secondly, assume G is atomic and has a CAN-free derivation. Then, by application of Lemma 3.43 below and using the same notation, there are t₁, ..., tₘ ∈ R≥0 such that
• there exists i ∈ [1..m] such that tᵢ ≠ 0, and
• for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ tᵢ·r_{i,j} = Σᵢ tᵢ·s_{i,j}.
Since all coefficients are rational and the theory of linear arithmetic over R is an elementary extension of that of linear arithmetic over Q [FR75], there are q₁, ..., qₘ ∈ Q≥0 satisfying the same property as t₁, ..., tₘ. By multiplying all qᵢ by the least common multiple of their denominators, we get a solution k₁, ..., kₘ in N. So, according to Lemma 3.33, G also has a CAN-free and T-free derivation. This concludes the proof.
We now state a result similar to Lemma 3.33 regarding derivations that use the T rule. The only difference is that, since the T rule can multiply a sequent by any strictly positive real number, the coefficients in the statement are arbitrary positive real numbers instead of natural numbers.
Lemma 3.43. For all atomic hypersequents G = Γ₁ | ... | Γₘ, where Γᵢ = r_{i,1}.x₁, ..., r_{i,k}.x_k, s_{i,1}.x̄₁, ..., s_{i,k}.x̄_k, the following are equivalent:
(1) G has a derivation.
(2) There exist real numbers t₁, ..., tₘ ∈ R≥0, one for each sequent of G, such that:
• there exists i ∈ [1..m] such that tᵢ ≠ 0, i.e., the numbers are not all 0's, and
• for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ tᵢ·r_{i,j} = Σᵢ tᵢ·s_{i,j}, i.e., the scaled (by the numbers t₁, ..., tₘ) sum of the coefficients in front of the variable x_j is equal to the scaled sum of the coefficients in front of the covariable x̄_j.
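The rational-to-natural scaling step used in the argument above (multiplying by the least common multiple of the denominators) is elementary; a minimal sketch (the function name is ours):

```python
from fractions import Fraction
from math import lcm

def rationals_to_naturals(qs):
    """Scale nonnegative rationals q_1, ..., q_m to natural numbers
    k_1, ..., k_m in the same ratios (hence satisfying the same
    homogeneous linear equations), by multiplying by the least common
    multiple of their denominators."""
    qs = [Fraction(q) for q in qs]
    d = lcm(*(q.denominator for q in qs))
    return [int(q * d) for q in qs]

# q = (1/2, 0, 2/3): the lcm of the denominators is 6.
ks = rationals_to_naturals(["1/2", "0", "2/3"])  # -> [3, 0, 4]
```

Since the new solution is a positive multiple of the old one, it satisfies exactly the same homogeneous (in)equations of Lemma 3.33.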
Proof. We prove (1) ⇒ (2) by induction on the derivation of G. By using Theorem 3.14, we can assume that the derivation of G is CAN-free. We only deal with the case of the T rule, since every other case is exactly the same as in Lemma 3.33. If the derivation finishes with an application of the T rule, with scalar r acting on the m-th sequent, then by induction hypothesis there are t₁, ..., tₘ ∈ R such that:
• there exists i ∈ [1..m] such that tᵢ ≠ 0, and
• for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ₌₁^{m−1} tᵢ·r_{i,j} + tₘ·r·r_{m,j} = Σᵢ₌₁^{m−1} tᵢ·s_{i,j} + tₘ·r·s_{m,j},
so t₁, ..., tₘ₋₁, r·tₘ satisfies the property.
The other direction ((2) ⇒ (1)) is very similar to Lemma 3.33, only using the T rule instead of the C and S rules. If there exist numbers t₁, ..., tₘ ∈ R≥0, one for each sequent of G, satisfying the two conditions of the statement, then we can use the W rule to remove the sequents corresponding to the numbers tᵢ = 0, and use the T rule on the i-th sequent to multiply it by tᵢ. If we assume that there is a natural number l such that tᵢ = 0 for all i > l and tᵢ ≠ 0 for all i ≤ l, then the CAN-free derivation closes with the INIT rule.
3.10. Decidability - Proof of Theorem 3.18. The previous results give us a simple algorithm for deciding whether a hypersequent G is derivable in the system HR. We do not claim that this algorithm is optimal; we merely prove that it has elementary complexity. It is valuable, however, because it can be adapted to the context of the more complex system HMR.
The algorithm works in two steps:
(1) The problem of deciding whether G is derivable is reduced to the problem of deciding whether a finite number of atomic hypersequents G₁, ..., Gₙ are derivable.
(2) A decision procedure for atomic hypersequents is executed, verifying whether all hypersequents computed in the first step are derivable.
The first step consists in recursively applying all possible logical rules to G until atomic premises G₁, ..., Gₙ are obtained (see Figure 6 on page 16). Indeed, the CAN-free invertibility Theorem 3.12 guarantees that G is derivable if and only if all the atomic hypersequents obtained in this way are derivable.
The second step can be performed using Lemma 3.43, which states that the hypersequent Gᵢ is derivable if and only if there exists a sequence of real numbers t ∈ R≥0 satisfying the system of (in)equations of Lemma 3.43. This can be expressed directly by an (existentially quantified) formula in the first order theory of the real-closed field FO(R, +, ×, ≤). It is well known that this theory is decidable and admits quantifier elimination [Tar51,Gri88]. Thus it is possible to decide whether this formula is satisfiable, that is, whether the atomic hypersequent Gᵢ is derivable.
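The encoding of the second step can be illustrated as follows (a sketch with a concrete syntax of our own choosing; an actual decision would hand the resulting formula to a real-closed-field solver, which we do not implement here):

```python
def atomic_to_formula(G):
    """Encode condition (2) of Lemma 3.43 for an atomic hypersequent:
    there exist t_1, ..., t_m >= 0, not all 0, such that for every
    variable j: sum_i t_i * r_ij == sum_i t_i * s_ij. G is a list of
    sequents, each a pair (r, s) of per-variable coefficient tuples."""
    m, k = len(G), len(G[0][0])
    ts = [f"t{i+1}" for i in range(m)]
    conj = [f"{t} >= 0" for t in ts]
    conj.append("(" + " | ".join(f"{t} > 0" for t in ts) + ")")
    for j in range(k):
        lhs = " + ".join(f"{ts[i]}*{G[i][0][j]}" for i in range(m))
        rhs = " + ".join(f"{ts[i]}*{G[i][1][j]}" for i in range(m))
        conj.append(f"{lhs} == {rhs}")
    return "exists " + ", ".join(ts) + ". " + " & ".join(conj)

# The atomic hypersequent 2.x | 3.x̄ (two sequents, one variable):
print(atomic_to_formula([((2,), (0,)), ((0,), (3,))]))
```

The resulting string reads "exists t1, t2. t1 >= 0 & t2 >= 0 & (t1 > 0 | t2 > 0) & t1*2 + t2*0 == t1*0 + t2*3", an existentially quantified sentence of linear arithmetic over the reals, decidable a fortiori within FO(R, +, ×, ≤).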
The idea behind the above algorithm, reducing the problem of derivability to the problem of verifying the satisfiability of formulas in the first order theory of the real-closed field, can in fact be pushed forward. Not only can we decide whether G is derivable, but we can also return a formula φ ∈ FO(R, +, ×, ≤) which describes the set of real values, assigned to the scalars in G, that admit a derivation. For example, as explained in Section 3.1, consider the simple hypersequent r.x, r.x̄. Not only is this hypersequent derivable for any fixed scalar r ∈ R>0, but the hypersequent α.x, α.x̄ is derivable for any assignment of a concrete scalar r ∈ R to the scalar-variable α such that r > 0.
Similarly, the hypersequent α.x̄, s.x, t.x, containing the scalar-variable α and two concrete scalars s and t, is derivable for all concrete assignments r ∈ R to α such that r > 0 and r = s + t.
Hence we can generally consider hypersequents having polynomials (over a set α 1 , . . . , α l of scalar-variables) in place of concrete scalars.
The algorithm takes as input G and proceeds, again, in two steps:
(1) If G is not atomic, the algorithm returns the conjunction of the formulas φ_{Gᵢ}, where G₁, ..., Gₙ are the atomic hypersequents obtained by iteratively applying the logical rules, and φ_{Gᵢ} is the formula recursively computed by the algorithm on input Gᵢ.
(2) If G is atomic, then G has the shape Γ₁ | ... | Γₘ and the algorithm computes, for every subset I of sequent indices:
• a formula Z_I(β₁, ..., βₘ) that states that βᵢ = 0 for all i ∈ I;
• a formula NZ_I(β₁, ..., βₘ) that states that 0 < βᵢ for all i ∉ I;
• a formula A_I(β₁, ..., βₘ) that states that all the atoms cancel each other;
• a formula φ_{G,I} that corresponds to φ_{G′}, where G′ is the hypersequent obtained by using the W rule on all i-th sequents for i ∈ I, i.e., the leaf of the corresponding prederivation.
The formula φ_G is then constructed by combining these formulas. The following theorem states the correctness of the above described algorithm.
Proof. If G is atomic, the theorem is a direct corollary of Lemma 3.43. So assume G is not atomic, i.e., the terms in G contain some logical connective. Given any vector of scalars s₁, ..., s_l ∈ R, by the CAN-free invertibility Theorem 3.12, G[s_j/α_j] is derivable if and only if all Gᵢ[s_j/α_j] are derivable, where the hypersequents Gᵢ are the atomic hypersequents obtainable from G by repeated applications of the logical rules, as shown in Figure 6. Hence, the set of scalars s₁, ..., s_l ∈ R that allow for a derivation of G is exactly the intersection of the sets of scalars that allow derivations of each Gᵢ. This is precisely the semantics of the conjunction of the formulas φ_{Gᵢ}. The size of the formula φ_G can be bounded by a double exponential in the number of sequents and operators in G, so the algorithm described previously is elementary.
Claim 3.45. Let G be a hypersequent having polynomials R₁, ..., R_k ∈ R[α₁, ..., α_l] of degree at most d. Let p be the number of different variables appearing in the terms of G, q the number of sequents in G and o the total number of operators appearing in G. Then φ_G is equivalent to a formula ∃β. P(α₁, ..., α_l, β), where P is a quantifier-free formula with at most 2^(4×2^(q+o))·(1 + p) polynomials of degree at most d + 1 and where the size of β is at most 2^(3×2^(q+o)).
Idea of the proof. If G is atomic, we have ∃β₁, ..., β_q. Z_I(β₁, ..., β_q) ∧ NZ_I(β₁, ..., β_q) ∧ A_I(β₁, ..., β_q), which, using basic identities of first order logic, is equivalent to a formula of the required shape, so the upper bounds are satisfied. If G is not atomic, then φ_G is computed from the atomic hypersequents Gᵢ obtainable from G by repeated applications of the logical rules (see Figure 6). Since the Gᵢ are atomic, we have just shown that each φ_{Gᵢ} is equivalent to a formula of the required shape, and we need to obtain an upper bound on n and on the size of all Gᵢ. Each application of the ⊓ rule done to compute the Gᵢ increases n, and each application of the ⊔ rule increases the size of the atomic hypersequents Gᵢ, so we have to compute the maximum number of times those rules are used.
Applications of the ⊔ rule can, potentially, duplicate the number of connectives in the hypersequent, and thus double the number of steps needed. Moreover, since the ⊓ rule has two premises, on which the procedure is recursively iterated, each operator can also double the number of steps, and so we can bound the number of times those rules are used by 2^((# operators)·2^(# operators)) − 1, whence the double exponential.
Some simplifications are then done to obtain the upper bounds given in the claim, which are easier to manipulate.
Proof. The reduction has a time complexity linear in n and in the sum of the sizes of the βᵢ, and thus is in 2-ExpTime, since those two values can be bounded by a double exponential in the size of G.
The algorithm described in [Gri88] to decide the existential fragment of the first order theory of the real-closed field has a complexity of M(kd)^(O(n)²), where k is the number of polynomials.
The M-elimination Theorem 4.11 is crucially important in eliminating this difficult case. The rest of the CAN-elimination proof can then be carried out without serious technical difficulties. This is our main motivation for proving the M-elimination theorem.
We can now state our main theorem regarding the system HMR.
Theorem 4.12 (CAN elimination). If a hypersequent G has a derivation, then it has a CAN-free derivation.
Proof sketch. The full proof appears in Section 4.7. Following the same proof structure as in Theorem 3.14, we show how to eliminate one application of the CAN rule. Namely, we prove that if the premise G | Γ, s.A, r.Ā, with r = s, has a CAN-free derivation then the conclusion G | Γ also has a CAN-free derivation. This of course implies the statement of the CAN-elimination theorem by a simple inductive argument on the number of applications of the CAN rule in a derivation.
As in Theorem 3.14, it is useful to first invoke the M-elimination Theorem 4.11 on the derivation of G | Γ, s.A, r.Ā to remove possible occurrences of the M rule. This is critical since the M rule is problematic to deal with in our inductive proof, because its two premises can generally break the condition r = s. Hence, in what follows we assume that the derivation of G | Γ, s.A, r.Ā is M-free, and the proof proceeds by double induction on the structure of A and on the M-free derivation of G | Γ, s.A, r.Ā.
The base cases are when A = x, i.e., when A is atomic, and when A = 1. Proving those cases is relatively straightforward, once the critical case regarding the M rule can be ignored.
For the inductive case, when A is a complex term which is not a ♦ term, we invoke the CAN-free invertibility theorem. For example, if A = B + C, the invertibility theorem states that G | Γ, s.B, s.C, r.B̄, r.C̄ must also have a CAN-free derivation (and also an M-free one by application of the M-elimination Theorem 4.11). We then note that, since B and C both have lower complexity than A, it follows from two applications of the inductive hypothesis that G | Γ has a CAN-free derivation, as desired.
Finally, when A = ♦B for some B, we prove the result by decreasing the complexity of the derivation while keeping ♦B as the CAN term: we use the induction hypothesis on the premises of the last rule used in the derivation; all cases are straightforward under the hypothesis that the derivation is M-free. This simplification process is repeated until we reach an application of the ♦ rule, whose shape is necessarily constrained by the side conditions of the ♦ rule.
Finally, the algorithm introduced in the proof of Theorem 3.18 can be adapted to the HMR system to prove the following theorem.
Theorem 4.13 (Decidability). There is an algorithm to decide whether or not a hypersequent has a derivation.

Some technical lemmas.
All the lemmas presented in Section 3.3 in the context of the system HR need to be adapted to the new system HMR. In most cases, as for instance in Lemma 3.25, the proof is essentially identical and, for this reason, we omit it. In some cases, however, such as Lemma 3.21, the ♦ rule makes the proof different and more complicated and, for this reason, we discuss the new difficult aspects of the proof.
We first adapt Lemma 3.21 to the system HMR.
Lemma 4.14. For all A, rᵢ, sᵢ satisfying the condition of Lemma 3.21, the corresponding hypersequent is derivable in HMR.
Proof. We prove the result by double induction on (A, d). If A is not a ♦ term, we prove the result as in Lemma 3.21, which decreases the complexity of the term each time. Otherwise A = ♦B, and we prove the result by induction on the derivation d. We only show three cases; the other cases are similar to the + case.
The next lemma states that if G is provable then the hypersequent obtained by substituting a term for an atom in G is also provable.
Proof. Similar to the proof of Lemma 3.22.
The following lemma, which will be useful in the proof of the completeness theorem, states that the rules {0, +, ×, ⊔, ⊓} are invertible in HMR, in the sense that if the conclusion of one of these rules is derivable (possibly using CAN rules) then its premises are also derivable (possibly using CAN rules).
As in Lemma 3.32, one can exhibit a basic hypersequent that does not have a CAN-free and T-free derivation.
Proof. The proof is similar to that of Lemma 3.32, but Lemma 4.26 below takes the place of Lemma 3.33.
Lemma 4.26. For all basic hypersequents G = Γ₁ | ... | Γₘ, built using the variables and negated variables x₁, x̄₁, ..., x_k, x̄_k, where Γᵢ = r_{i,1}.x₁, ..., r_{i,k}.x_k, s_{i,1}.x̄₁, ..., s_{i,k}.x̄_k, the following are equivalent:
(1) G has a CAN-free and T-free derivation.
(2) There exist natural numbers n₁, ..., nₘ ∈ N such that:
• there exists i ∈ [1..m] such that nᵢ ≠ 0, i.e., the numbers are not all 0's, and
• for every variable and covariable pair (x_j, x̄_j), it holds that Σᵢ nᵢ·r_{i,j} = Σᵢ nᵢ·s_{i,j}, i.e., the scaled (by the numbers n₁, ..., nₘ) sum of the coefficients in front of the variable x_j is equal to the scaled sum of the coefficients in front of the covariable x̄_j, and
• Σᵢ₌₁^m nᵢ·sᵢ ≤ Σᵢ₌₁^m nᵢ·rᵢ, i.e., there are more 1's than 1̄'s, and
• the hypersequent consisting of only one sequent ∆₁^{n₁}, ..., ∆ₘ^{nₘ}, (r₁.1)^{n₁}, ..., (rₘ.1)^{nₘ}, (s₁.1̄)^{n₁}, ..., (sₘ.1̄)^{nₘ} has a CAN-free and T-free derivation, where the notation Γⁿ means Γ, ..., Γ (n times).
Proof. We prove (1) ⇒ (2) by induction on the derivation of G. We show only the M case, the other cases being simple. We write Γ′ᵢ for Γᵢ, ♦∆ᵢ, rᵢ.1, sᵢ.1̄.
• If the derivation finishes with an application of the M rule, then by induction hypothesis there are n₁, ..., nₘ ∈ N such that there exists i ∈ [1..m] with nᵢ ≠ 0 and the remaining conditions of (2) hold.
4.5. CAN-free Invertibility - Proof of Theorem 4.8. The proofs presented in this section follow the same pattern as those in Section 3.6: we prove the CAN-free invertibility of more general rules. The generalised non-modal rules are the same as those in Figure 7 from Section 3.6, and the generalised ♦ rule has an analogous shape.
Remark 4.27. The generalized ♦ rule is unsound: for instance, the hypersequent 1.♦(x ⊓ y), 1.(♦(x̄) ⊔ ♦(ȳ)) becomes derivable using this rule (see Remark 4.7; a similar derivation can be used here). Yet, even if the generalized ♦ rule is not sound, it still enjoys CAN-free invertibility.

• If the derivation finishes with an application of the ♦ rule, the shape of the conclusion is ♦Γ₁, r.1, s.1̄ with r₁ = ∅, so the hypersequent ♦Γ₁, r₁.A, r₁.B, r.1, s.1̄ = ♦Γ₁, r.1, s.1̄ is derivable.
• If the derivation finishes with an application of the 1 rule on r₁.(A ⊓ B), r.1, s.1̄, then we conclude by induction hypothesis on the CAN-free derivation of the premise.
Proof. By induction on the derivation. Since the hypersequent under consideration is basic, we do not need to deal with any logical rule besides the ♦ rule, which leads immediately to the desired result, and the 1 rule. The cases regarding the structural rules and the 1 rule are very simple, as, for instance, when the derivation finishes with the W rule.
The general idea presented in Section 3.7 is to combine the derivations d₁ and d₂ in a sequential way: first constructing a prederivation of G | G | Γ, ∆ (using d₁) whose leaves are either axioms or hypersequents of the form G | r.∆, and then completing this prederivation into a derivation (using d₂). Finally, a derivation of G | G | Γ, ∆ can easily be turned into a derivation of G | Γ, ∆, as desired.
However, this technique cannot be directly applied in the context of the system HMR, due to the constraints imposed on the shape of the hypersequent by the ♦ rule. Indeed, an application of the ♦ rule in d₁ acts on a hypersequent of the form r₁.∆₁, (r₁s).1, (r₁t).1̄, producing r₁.♦∆₁, (r₁s).1, (r₁t).1̄ under the side condition r₁s ≥ r₁t, which gives a derivation with a modal depth less than or equal to that of d₂.
As in Section 3.8, we prove Theorem 4.12 by showing that if the hypersequent G | Γ, s.A, r.Ā has an M-free CAN-free derivation, then so does the hypersequent G | Γ.
As explained in the discussion before Theorem 4.12 and in its proof sketch, the proof cannot just invoke the CAN-free invertibility Theorem 4.8 to simplify the logical complexity of the CAN term, due to the constraints imposed by the ♦-rule (the 1-rule is dealt with in a similar fashion to the ID-rule).
To circumvent this issue, we prove the slightly more general Lemma 4.39 by double induction on both the term A and the derivation of G | Γ, r.A, s.A.
We first prove the two basic cases, where A = x (or equivalently A = x̄) in Lemma 4.37 and A = 1 (or equivalently A = 1̄) in Lemma 4.38, and then the general case in Lemma 4.39.

Proof. The statement follows as a special case of Lemma 4.40 below, a stronger version of Lemma 4.37 that allows for a simpler proof by induction on the structure of the derivation of G | Γ, r.x, s.x̄, where: • rₙ = r, sₙ = s and rᵢ = sᵢ = ∅ otherwise.

Proof. The statement follows as a special case of Lemma 4.41 below, a stronger version of Lemma 4.38 that allows for a simpler proof by induction on the structure of the derivation of G | Γ, r.1, s.1̄, where: • rₙ = r, sₙ = s and rᵢ = sᵢ = ∅ otherwise.
We are now ready to prove the general case.
Lemma 4.39. For all terms A, all numbers n > 0, and all sequents Γᵢ and vectors rᵢ, sᵢ: if the hypersequent [Γᵢ, rᵢ.A, sᵢ.Ā]ⁿᵢ₌₁ has an M-free CAN-free derivation, then so does [Γᵢ]ⁿᵢ₌₁.

Proof. For the basic cases A = x, A = x̄, A = 1 and A = 1̄, we use Lemmas 4.37 and 4.38. For complex terms A that are not ♦ terms, we proceed by invoking the CAN-free invertibility Theorem 4.8, as follows: • If A = 0, we conclude with the CAN-free invertibility of the 0 rule.
• If A = B + C: since the + rule is CAN-free invertible, [Γᵢ, rᵢ.B, rᵢ.C, sᵢ.B̄, sᵢ.C̄]ⁿᵢ₌₁ has a CAN-free, M-free derivation. Therefore we obtain a CAN-free derivation of the hypersequent [Γᵢ]ⁿᵢ₌₁ by invoking the induction hypothesis twice, since the complexity of B and C is lower than that of B + C.
• If A = B ⊓ C, then the corresponding hypersequent has a CAN-free, M-free derivation. Then, since the ⊓ rule is CAN-free invertible, the expanded hypersequent also has a CAN-free, M-free derivation. Therefore we can obtain a CAN-free derivation of the hypersequent [Γᵢ]ⁿᵢ₌₁ by invoking the induction hypothesis twice on the simpler terms B and C.
• If A = B ⊔ C, we proceed in a similar way as for the case A = B ⊓ C.
• Finally, if A = ♦B, we distinguish two cases: (1) the derivation ends with an application of the ♦ rule which simplifies A = ♦B to B.
In this case we can simply conclude by invoking the induction hypothesis on B.
(2) The derivation ends with some other rule (recall that no CAN rules and no M rules appear in the derivation). In this case we decrease the complexity of the derivation, keeping ♦B as the CAN term, and then invoke the induction hypothesis on the derivation of reduced complexity. This step is rather long, as it requires analysing all possible cases; we illustrate the general method on the two cases where the derivation ends with a logical rule (+) and a structural rule (C).
If the derivation finishes with:

We now have all the necessary tools to prove the CAN-elimination theorem.
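Before doing so, we note that the double induction in Lemma 4.39 can be pictured as a lexicographic measure. The following Python sketch is our own illustration, not part of the formal development: the tuple encoding of terms and the names `complexity` and `measure` are assumptions made for this example. It shows the two ways the measure decreases: case (1) replaces the term ♦B by B, case (2) keeps the term but passes to a smaller derivation.

```python
# Terms of the modal Riesz language as nested tuples -- a hypothetical
# encoding chosen for this sketch, not the paper's formal syntax:
# ("var", "x"), ("covar", "x"), ("one",), ("coone",), ("zero",),
# ("plus", t1, t2), ("join", t1, t2), ("meet", t1, t2), ("diamond", t)

def complexity(term):
    """Number of logical connectives occurring in a term."""
    if term[0] in ("var", "covar", "one", "coone", "zero"):
        return 0
    return 1 + sum(complexity(sub) for sub in term[1:])

def measure(term, height):
    """Lexicographic measure of the double induction:
    (complexity of the CAN term, height of the derivation)."""
    return (complexity(term), height)

# Case (1): the ♦ rule replaces A = ♦B by B -- the first component drops.
dia_b = ("diamond", ("plus", ("var", "x"), ("one",)))
b = dia_b[1]
assert measure(b, 10) < measure(dia_b, 10)

# Case (2): the CAN term ♦B is kept but we pass to a premise of the
# derivation -- the second component drops.
assert measure(dia_b, 9) < measure(dia_b, 10)
```

Since the measure lives in N × N under the lexicographic order, which is well-founded, the induction is well-defined.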
Proof of Theorem 4.12. We want to prove that if G has a derivation, then G has a CAN-free derivation. We prove this result by induction on the derivation of G:
• If the derivation finishes with an application of a rule that is not the CAN-rule, then, by the induction hypothesis, the premises have CAN-free derivations and we can conclude by using the exact same rule to obtain a CAN-free derivation of G.
We will now prove that c − c ≤ r 1 + a − ( s 1 + a ), so as to conclude with the induction hypothesis.

4.8. Decidability - Proof of Theorem 4.13. In this section we adapt the algorithm presented in Section 3.10 and prove the decidability of the HMR system. The procedure takes a hypersequent G, whose scalars are polynomials over scalar-variables α used as coefficients in weighted terms, and constructs a formula φ_G(α) ∈ FO(R, +, ×, ≤) in the language of the first-order theory of the reals. The procedure is recursive and terminates because each recursive call decreases the logical complexity and the modal complexity (i.e., the maximal modal depth of any term) of its input G. The key property is that a sequence of scalars s satisfies φ_G if and only if the hypersequent G[s_j/α_j] is derivable in the system HMR. Decidability then follows from the well-known fact that the theory FO(R, +, ×, ≤) admits quantifier elimination and is decidable [Tar51,Gri88].
The algorithm to construct φ_G takes G as input and proceeds as follows: (1) If G is not a basic hypersequent (i.e., if it contains a complex term whose outermost connective is not ♦, 1 or 1̄), then the algorithm returns the conjunction of the formulas φ_{G_1}, . . . , φ_{G_n}, where G_1, . . . , G_n are the basic hypersequents obtained by iteratively applying the logical rules, and each φ_{G_i} is the formula recursively computed by the algorithm on input G_i. (2) If G has the shape , then φ_G = .
(3) If G is a basic hypersequent not of the above shape, then G has the shape , and the algorithm builds φ_G from the following ingredients: • A formula A_I(β_1, ..., β_m) stating that all the atoms cancel each other.
• A formula φ_{G,I} that corresponds to φ of the hypersequent obtained by using the W rule on all i-th sequents for i ∈ I, i.e. the leaf of the following prederivation: Γ_{k_1}, ♦∆_{k_1}, R_{k_1}.1, S_{k_1}.1̄ | ... | Γ_{k_l}, ♦∆_{k_l}, R_{k_l}.1, S_{k_l}.1̄.

Finally, we return φ_G defined as follows:

The following theorem states the correctness of the algorithm described above.
Theorem 4.42. Let G be a hypersequent whose scalars are polynomials R_1, . . . , R_k ∈ R[α] over scalar-variables α. Let φ_G(α) be the formula returned by the algorithm described above on input G. Then, for all tuples of scalars s such that R_i(s) > 0 for all i ∈ [1..k], the following are equivalent: (1) φ_G(s) holds in R; (2) G[s_j/α_j] is derivable in HMR.
Proof. As in Theorem 3.44, by using the CAN-free invertibility Theorem 4.8, we can assume that G is a basic hypersequent. If G has the shape of case (2), the result is trivial. Otherwise, the result is a direct corollary of Lemma 4.44 below, since the formula NZ_I corresponds to the first property, the formula A_I to the second, the formula O_I to the third, and the formula φ_{H_I} to the last.
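To give a feel for the "atoms cancel each other" condition expressed by the formula A_I, here is a toy Python check for the degenerate case of a single purely-atomic sequent. The encoding of sequents and the restriction to one sequent are our own simplifications made for this sketch: the actual formula A_I quantifies over the scalars β_1, ..., β_m attached to a chosen subset I of sequents.

```python
from fractions import Fraction

# A purely-atomic sequent, represented (our own simplified encoding) as a
# map variable -> (coefficients of x occurrences, coefficients of x̄ ones).
def atoms_cancel(sequent):
    """Single-sequent instance of the 'all atoms cancel each other'
    condition: for every variable x, the total weight on x must equal
    the total weight on its negation x̄."""
    return all(sum(pos) == sum(neg) for pos, neg in sequent.values())

half, one = Fraction(1, 2), Fraction(1)
# 1/2.x, 1/2.x, 1.x̄ is balanced; 1.x, 1/2.x̄ is not.
assert atoms_cancel({"x": ([half, half], [one])})
assert not atoms_cancel({"x": ([one], [half])})
```

Exact rational arithmetic is used so that the balance check is not subject to floating-point error; in the algorithm itself the corresponding equalities are simply atomic formulas of FO(R, +, ×, ≤).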
Even though the problem is decidable, the algorithm described above is non-elementary, since the size of the formula φ_G cannot be bounded by any finite tower of exponentials.
Lemma 4.43. Let A_n be defined by induction on n as follows: For i ∈ N, let G_i = 1.A_i. Then for all i, the formula φ_{G_i} has at least a tower of exponentials 2^(2^(···)) of height i many existential quantifiers, i.e., each use of the ♦ rule adds one exponential to the number of existentials.
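The growth rate invoked in Lemma 4.43 is the iterated exponential. As a purely numerical illustration (not the paper's exact quantifier count), the following snippet computes the tower function and shows how quickly it escapes any fixed stack of exponentials.

```python
def tower(n):
    """Iterated exponential: tower(0) = 1, tower(k + 1) = 2 ** tower(k)."""
    return 1 if n == 0 else 2 ** tower(n - 1)

# The first values grow as 1, 2, 4, 16, 65536, ...
assert [tower(k) for k in range(5)] == [1, 2, 4, 16, 65536]

# tower(5) = 2 ** 65536 already needs 65537 bits: no elementary function
# (a tower of some fixed height) eventually dominates n -> tower(n).
assert tower(5).bit_length() == 65537
```

This is exactly why the formula sizes in Lemma 4.43, one exponential per nested ♦, admit no elementary bound.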
Logical rules: