# Theory Formula

theory Formula
imports ZF
```(*  Title:      ZF/Constructible/Formula.thy
Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
*)

section ‹First-Order Formulas and the Definition of the Class L›

theory Formula imports ZF begin

subsection‹Internalized formulas of FOL›

text‹De Bruijn representation.
Unbound variables get their denotations from an environment.›

consts   formula :: i
datatype
"formula" = Member ("x ∈ nat", "y ∈ nat")
| Equal  ("x ∈ nat", "y ∈ nat")
| Nand ("p ∈ formula", "q ∈ formula")
| Forall ("p ∈ formula")

declare formula.intros [TC]

definition
Neg :: "i=>i" where
"Neg(p) == Nand(p,p)"

definition
And :: "[i,i]=>i" where
"And(p,q) == Neg(Nand(p,q))"

definition
Or :: "[i,i]=>i" where
"Or(p,q) == Nand(Neg(p),Neg(q))"

definition
Implies :: "[i,i]=>i" where
"Implies(p,q) == Nand(p,Neg(q))"

definition
Iff :: "[i,i]=>i" where
"Iff(p,q) == And(Implies(p,q), Implies(q,p))"

definition
Exists :: "i=>i" where
"Exists(p) == Neg(Forall(Neg(p)))"

lemma Neg_type [TC]: "p ∈ formula ==> Neg(p) ∈ formula"

lemma And_type [TC]: "[| p ∈ formula; q ∈ formula |] ==> And(p,q) ∈ formula"

lemma Or_type [TC]: "[| p ∈ formula; q ∈ formula |] ==> Or(p,q) ∈ formula"

lemma Implies_type [TC]:
"[| p ∈ formula; q ∈ formula |] ==> Implies(p,q) ∈ formula"

lemma Iff_type [TC]:
"[| p ∈ formula; q ∈ formula |] ==> Iff(p,q) ∈ formula"

lemma Exists_type [TC]: "p ∈ formula ==> Exists(p) ∈ formula"

consts   satisfies :: "[i,i]=>i"
primrec (*explicit lambda is required because the environment varies*)
"satisfies(A,Member(x,y)) =
(λenv ∈ list(A). bool_of_o (nth(x,env) ∈ nth(y,env)))"

"satisfies(A,Equal(x,y)) =
(λenv ∈ list(A). bool_of_o (nth(x,env) = nth(y,env)))"

"satisfies(A,Nand(p,q)) =
(λenv ∈ list(A). not ((satisfies(A,p)`env) and (satisfies(A,q)`env)))"

"satisfies(A,Forall(p)) =
(λenv ∈ list(A). bool_of_o (∀x∈A. satisfies(A,p) ` (Cons(x,env)) = 1))"

lemma "p ∈ formula ==> satisfies(A,p) ∈ list(A) -> bool"
by (induct set: formula) simp_all

abbreviation
sats :: "[i,i,i] => o" where
"sats(A,p,env) == satisfies(A,p)`env = 1"

lemma [simp]:
"env ∈ list(A)
==> sats(A, Member(x,y), env) ⟷ nth(x,env) ∈ nth(y,env)"
by simp

lemma [simp]:
"env ∈ list(A)
==> sats(A, Equal(x,y), env) ⟷ nth(x,env) = nth(y,env)"
by simp

lemma sats_Nand_iff [simp]:
"env ∈ list(A)
==> (sats(A, Nand(p,q), env)) ⟷ ~ (sats(A,p,env) & sats(A,q,env))"
by (simp add: Bool.and_def Bool.not_def cond_def)

lemma sats_Forall_iff [simp]:
"env ∈ list(A)
==> sats(A, Forall(p), env) ⟷ (∀x∈A. sats(A, p, Cons(x,env)))"
by simp

declare satisfies.simps [simp del]

subsection‹Dividing line between primitive and derived connectives›

lemma sats_Neg_iff [simp]:
"env ∈ list(A)
==> sats(A, Neg(p), env) ⟷ ~ sats(A,p,env)"

lemma sats_And_iff [simp]:
"env ∈ list(A)
==> (sats(A, And(p,q), env)) ⟷ sats(A,p,env) & sats(A,q,env)"

lemma sats_Or_iff [simp]:
"env ∈ list(A)
==> (sats(A, Or(p,q), env)) ⟷ sats(A,p,env) | sats(A,q,env)"

lemma sats_Implies_iff [simp]:
"env ∈ list(A)
==> (sats(A, Implies(p,q), env)) ⟷ (sats(A,p,env) ⟶ sats(A,q,env))"

lemma sats_Iff_iff [simp]:
"env ∈ list(A)
==> (sats(A, Iff(p,q), env)) ⟷ (sats(A,p,env) ⟷ sats(A,q,env))"

lemma sats_Exists_iff [simp]:
"env ∈ list(A)
==> sats(A, Exists(p), env) ⟷ (∃x∈A. sats(A, p, Cons(x,env)))"

subsubsection‹Derived rules to help build up formulas›

lemma mem_iff_sats:
"[| nth(i,env) = x; nth(j,env) = y; env ∈ list(A)|]
==> (x∈y) ⟷ sats(A, Member(i,j), env)"

lemma equal_iff_sats:
"[| nth(i,env) = x; nth(j,env) = y; env ∈ list(A)|]
==> (x=y) ⟷ sats(A, Equal(i,j), env)"

lemma not_iff_sats:
"[| P ⟷ sats(A,p,env); env ∈ list(A)|]
==> (~P) ⟷ sats(A, Neg(p), env)"
by simp

lemma conj_iff_sats:
"[| P ⟷ sats(A,p,env); Q ⟷ sats(A,q,env); env ∈ list(A)|]
==> (P & Q) ⟷ sats(A, And(p,q), env)"

lemma disj_iff_sats:
"[| P ⟷ sats(A,p,env); Q ⟷ sats(A,q,env); env ∈ list(A)|]
==> (P | Q) ⟷ sats(A, Or(p,q), env)"

lemma iff_iff_sats:
"[| P ⟷ sats(A,p,env); Q ⟷ sats(A,q,env); env ∈ list(A)|]
==> (P ⟷ Q) ⟷ sats(A, Iff(p,q), env)"

lemma imp_iff_sats:
"[| P ⟷ sats(A,p,env); Q ⟷ sats(A,q,env); env ∈ list(A)|]
==> (P ⟶ Q) ⟷ sats(A, Implies(p,q), env)"

lemma ball_iff_sats:
"[| !!x. x∈A ==> P(x) ⟷ sats(A, p, Cons(x, env)); env ∈ list(A)|]
==> (∀x∈A. P(x)) ⟷ sats(A, Forall(p), env)"

lemma bex_iff_sats:
"[| !!x. x∈A ==> P(x) ⟷ sats(A, p, Cons(x, env)); env ∈ list(A)|]
==> (∃x∈A. P(x)) ⟷ sats(A, Exists(p), env)"

lemmas FOL_iff_sats =
mem_iff_sats equal_iff_sats not_iff_sats conj_iff_sats
disj_iff_sats imp_iff_sats iff_iff_sats imp_iff_sats ball_iff_sats
bex_iff_sats

subsection‹Arity of a Formula: Maximum Free de Bruijn Index›

consts   arity :: "i=>i"
primrec
"arity(Member(x,y)) = succ(x) ∪ succ(y)"

"arity(Equal(x,y)) = succ(x) ∪ succ(y)"

"arity(Nand(p,q)) = arity(p) ∪ arity(q)"

"arity(Forall(p)) = Arith.pred(arity(p))"

lemma arity_type [TC]: "p ∈ formula ==> arity(p) ∈ nat"
by (induct_tac p, simp_all)

lemma arity_Neg [simp]: "arity(Neg(p)) = arity(p)"

lemma arity_And [simp]: "arity(And(p,q)) = arity(p) ∪ arity(q)"

lemma arity_Or [simp]: "arity(Or(p,q)) = arity(p) ∪ arity(q)"

lemma arity_Implies [simp]: "arity(Implies(p,q)) = arity(p) ∪ arity(q)"

lemma arity_Iff [simp]: "arity(Iff(p,q)) = arity(p) ∪ arity(q)"

lemma arity_Exists [simp]: "arity(Exists(p)) = Arith.pred(arity(p))"

lemma arity_sats_iff [rule_format]:
"[| p ∈ formula; extra ∈ list(A) |]
==> ∀env ∈ list(A).
arity(p) ≤ length(env) ⟶
sats(A, p, env @ extra) ⟷ sats(A, p, env)"
apply (induct_tac p)
apply (simp_all add: Arith.pred_def nth_append Un_least_lt_iff nat_imp_quasinat
split: split_nat_case, auto)
done

lemma arity_sats1_iff:
"[| arity(p) ≤ succ(length(env)); p ∈ formula; x ∈ A; env ∈ list(A);
extra ∈ list(A) |]
==> sats(A, p, Cons(x, env @ extra)) ⟷ sats(A, p, Cons(x, env))"
apply (insert arity_sats_iff [of p extra A "Cons(x,env)"])
apply simp
done

subsection‹Renaming Some de Bruijn Variables›

definition
incr_var :: "[i,i]=>i" where
"incr_var(x,nq) == if x<nq then x else succ(x)"

lemma incr_var_lt: "x<nq ==> incr_var(x,nq) = x"

lemma incr_var_le: "nq≤x ==> incr_var(x,nq) = succ(x)"
apply (blast dest: lt_trans1)
done

consts   incr_bv :: "i=>i"
primrec
"incr_bv(Member(x,y)) =
(λnq ∈ nat. Member (incr_var(x,nq), incr_var(y,nq)))"

"incr_bv(Equal(x,y)) =
(λnq ∈ nat. Equal (incr_var(x,nq), incr_var(y,nq)))"

"incr_bv(Nand(p,q)) =
(λnq ∈ nat. Nand (incr_bv(p)`nq, incr_bv(q)`nq))"

"incr_bv(Forall(p)) =
(λnq ∈ nat. Forall (incr_bv(p) ` succ(nq)))"

lemma [TC]: "x ∈ nat ==> incr_var(x,nq) ∈ nat"

lemma incr_bv_type [TC]: "p ∈ formula ==> incr_bv(p) ∈ nat -> formula"
by (induct_tac p, simp_all)

text‹Obviously, @{term DPow} is closed under complements and finite
intersections and unions.  Needs an inductive lemma to allow two lists of
parameters to be combined.›

lemma sats_incr_bv_iff [rule_format]:
"[| p ∈ formula; env ∈ list(A); x ∈ A |]
==> ∀bvs ∈ list(A).
sats(A, incr_bv(p) ` length(bvs), bvs @ Cons(x,env)) ⟷
sats(A, p, bvs@env)"
apply (induct_tac p)
apply (simp_all add: incr_var_def nth_append succ_lt_iff length_type)
apply (auto simp add: diff_succ not_lt_iff_le)
done

(*the following two lemmas prevent huge case splits in arity_incr_bv_lemma*)
lemma incr_var_lemma:
"[| x ∈ nat; y ∈ nat; nq ≤ x |]
==> succ(x) ∪ incr_var(y,nq) = succ(x ∪ y)"
apply (simp add: incr_var_def Ord_Un_if, auto)
apply (blast intro: leI)
apply (blast intro: le_anti_sym)
apply (blast dest: lt_trans2)
done

lemma incr_And_lemma:
"y < x ==> y ∪ succ(x) = succ(x ∪ y)"
apply (simp add: Ord_Un_if lt_Ord lt_Ord2 succ_lt_iff)
apply (blast dest: lt_asym)
done

lemma arity_incr_bv_lemma [rule_format]:
"p ∈ formula
==> ∀n ∈ nat. arity (incr_bv(p) ` n) =
(if n < arity(p) then succ(arity(p)) else arity(p))"
apply (induct_tac p)
apply (simp_all add: imp_disj not_lt_iff_le Un_least_lt_iff lt_Un_iff le_Un_iff
succ_Un_distrib [symmetric] incr_var_lt incr_var_le
Un_commute incr_var_lemma Arith.pred_def nat_imp_quasinat
split: split_nat_case)
txt‹the Forall case reduces to linear arithmetic›
prefer 2
apply clarify
apply (blast dest: lt_trans1)
txt‹left with the And case›
apply safe
apply (blast intro: incr_And_lemma lt_trans1)
apply (subst incr_And_lemma)
apply (blast intro: lt_trans1)
done

subsection‹Renaming all but the First de Bruijn Variable›

definition
incr_bv1 :: "i => i" where
"incr_bv1(p) == incr_bv(p)`1"

lemma incr_bv1_type [TC]: "p ∈ formula ==> incr_bv1(p) ∈ formula"

(*For renaming all but the bound variable at level 0*)
lemma sats_incr_bv1_iff:
"[| p ∈ formula; env ∈ list(A); x ∈ A; y ∈ A |]
==> sats(A, incr_bv1(p), Cons(x, Cons(y, env))) ⟷
sats(A, p, Cons(x,env))"
apply (insert sats_incr_bv_iff [of p env A y "Cons(x,Nil)"])
done

"[| p ∈ formula; n ∈ nat; x ∈ A |]
==> ∀bvs ∈ list(A). ∀env ∈ list(A).
length(bvs) = n ⟶
sats(A, iterates(incr_bv1, n, p), Cons(x, bvs@env)) ⟷
sats(A, p, Cons(x,env))"
apply (induct_tac n, simp, clarify)
apply (erule list.cases)
done

lemma arity_incr_bv1_eq:
"p ∈ formula
==> arity(incr_bv1(p)) =
(if 1 < arity(p) then succ(arity(p)) else arity(p))"
apply (insert arity_incr_bv_lemma [of p 1])
done

lemma arity_iterates_incr_bv1_eq:
"[| p ∈ formula; n ∈ nat |]
==> arity(incr_bv1^n(p)) =
(if 1 < arity(p) then n #+ arity(p) else arity(p))"
apply (induct_tac n)
apply (blast intro: le_trans add_le_self2 arity_type)
done

subsection‹Definable Powerset›

text‹The definable powerset operation: Kunen's definition VI 1.1, page 165.›
definition
DPow :: "i => i" where
"DPow(A) == {X ∈ Pow(A).
∃env ∈ list(A). ∃p ∈ formula.
arity(p) ≤ succ(length(env)) &
X = {x∈A. sats(A, p, Cons(x,env))}}"

lemma DPowI:
"[|env ∈ list(A);  p ∈ formula;  arity(p) ≤ succ(length(env))|]
==> {x∈A. sats(A, p, Cons(x,env))} ∈ DPow(A)"

text‹With this rule we can specify @{term p} later.›
lemma DPowI2 [rule_format]:
"[|∀x∈A. P(x) ⟷ sats(A, p, Cons(x,env));
env ∈ list(A);  p ∈ formula;  arity(p) ≤ succ(length(env))|]
==> {x∈A. P(x)} ∈ DPow(A)"

lemma DPowD:
"X ∈ DPow(A)
==> X ⊆ A &
(∃env ∈ list(A).
∃p ∈ formula. arity(p) ≤ succ(length(env)) &
X = {x∈A. sats(A, p, Cons(x,env))})"

lemmas DPow_imp_subset = DPowD [THEN conjunct1]

(*Kunen's Lemma VI 1.2*)
lemma "[| p ∈ formula; env ∈ list(A); arity(p) ≤ succ(length(env)) |]
==> {x∈A. sats(A, p, Cons(x,env))} ∈ DPow(A)"
by (blast intro: DPowI)

lemma DPow_subset_Pow: "DPow(A) ⊆ Pow(A)"

lemma empty_in_DPow: "0 ∈ DPow(A)"
apply (rule_tac x=Nil in bexI)
apply (rule_tac x="Neg(Equal(0,0))" in bexI)
done

lemma Compl_in_DPow: "X ∈ DPow(A) ==> (A-X) ∈ DPow(A)"
apply (simp add: DPow_def, clarify, auto)
apply (rule bexI)
apply (rule_tac x="Neg(p)" in bexI)
apply auto
done

lemma Int_in_DPow: "[| X ∈ DPow(A); Y ∈ DPow(A) |] ==> X ∩ Y ∈ DPow(A)"
apply (rename_tac envp p envq q)
apply (rule_tac x="envp@envq" in bexI)
apply (rule_tac x="And(p, iterates(incr_bv1,length(envp),q))" in bexI)
apply typecheck
apply (rule conjI)
(*finally check the arity!*)
apply (simp add: arity_iterates_incr_bv1_eq length_app Un_least_lt_iff)
done

lemma Un_in_DPow: "[| X ∈ DPow(A); Y ∈ DPow(A) |] ==> X ∪ Y ∈ DPow(A)"
apply (subgoal_tac "X ∪ Y = A - ((A-X) ∩ (A-Y))")
done

lemma singleton_in_DPow: "a ∈ A ==> {a} ∈ DPow(A)"
apply (rule_tac x="Cons(a,Nil)" in bexI)
apply (rule_tac x="Equal(0,1)" in bexI)
apply typecheck
apply (force simp add: succ_Un_distrib [symmetric])
done

lemma cons_in_DPow: "[| a ∈ A; X ∈ DPow(A) |] ==> cons(a,X) ∈ DPow(A)"
apply (rule cons_eq [THEN subst])
apply (blast intro: singleton_in_DPow Un_in_DPow)
done

(*Part of Lemma 1.3*)
lemma Fin_into_DPow: "X ∈ Fin(A) ==> X ∈ DPow(A)"
apply (erule Fin.induct)
apply (rule empty_in_DPow)
apply (blast intro: cons_in_DPow)
done

text‹@{term DPow} is not monotonic.  For example, let @{term A} be some
non-constructible set of natural numbers, and let @{term B} be @{term nat}.
Then @{term "A<=B"} and obviously @{term "A ∈ DPow(A)"} but @{term "A ∉
DPow(B)"}.›

(*This may be true but the proof looks difficult, requiring relativization
lemma DPow_insert: "DPow (cons(a,A)) = DPow(A) ∪ {cons(a,X) . X ∈ DPow(A)}"
apply (rule equalityI, safe)
oops
*)

lemma Finite_Pow_subset_Pow: "Finite(A) ==> Pow(A) ⊆ DPow(A)"
by (blast intro: Fin_into_DPow Finite_into_Fin Fin_subset)

lemma Finite_DPow_eq_Pow: "Finite(A) ==> DPow(A) = Pow(A)"
apply (rule equalityI)
apply (rule DPow_subset_Pow)
apply (erule Finite_Pow_subset_Pow)
done

subsection‹Internalized Formulas for the Ordinals›

text‹The ‹sats› theorems below differ from the usual form in that they
include an element of absoluteness.  That is, they relate internalized
formulas to real concepts such as the subset relation, rather than to the
relativized concepts defined in theory ‹Relative›.  This lets us prove
the theorem as ‹Ords_in_DPow› without first having to instantiate the
locale ‹M_trivial›.  Note that the present theory does not even take
‹Relative› as a parent.›

subsubsection‹The subset relation›

definition
subset_fm :: "[i,i]=>i" where
"subset_fm(x,y) == Forall(Implies(Member(0,succ(x)), Member(0,succ(y))))"

lemma subset_type [TC]: "[| x ∈ nat; y ∈ nat |] ==> subset_fm(x,y) ∈ formula"

lemma arity_subset_fm [simp]:
"[| x ∈ nat; y ∈ nat |] ==> arity(subset_fm(x,y)) = succ(x) ∪ succ(y)"
by (simp add: subset_fm_def succ_Un_distrib [symmetric])

lemma sats_subset_fm [simp]:
"[|x < length(env); y ∈ nat; env ∈ list(A); Transset(A)|]
==> sats(A, subset_fm(x,y), env) ⟷ nth(x,env) ⊆ nth(y,env)"
apply (frule lt_length_in_nat, assumption)
apply (blast intro: nth_type)
done

subsubsection‹Transitive sets›

definition
transset_fm :: "i=>i" where
"transset_fm(x) == Forall(Implies(Member(0,succ(x)), subset_fm(0,succ(x))))"

lemma transset_type [TC]: "x ∈ nat ==> transset_fm(x) ∈ formula"

lemma arity_transset_fm [simp]:
"x ∈ nat ==> arity(transset_fm(x)) = succ(x)"
by (simp add: transset_fm_def succ_Un_distrib [symmetric])

lemma sats_transset_fm [simp]:
"[|x < length(env); env ∈ list(A); Transset(A)|]
==> sats(A, transset_fm(x), env) ⟷ Transset(nth(x,env))"
apply (frule lt_nat_in_nat, erule length_type)
apply (blast intro: nth_type)
done

subsubsection‹Ordinals›

definition
ordinal_fm :: "i=>i" where
"ordinal_fm(x) ==
And(transset_fm(x), Forall(Implies(Member(0,succ(x)), transset_fm(0))))"

lemma ordinal_type [TC]: "x ∈ nat ==> ordinal_fm(x) ∈ formula"

lemma arity_ordinal_fm [simp]:
"x ∈ nat ==> arity(ordinal_fm(x)) = succ(x)"
by (simp add: ordinal_fm_def succ_Un_distrib [symmetric])

lemma sats_ordinal_fm:
"[|x < length(env); env ∈ list(A); Transset(A)|]
==> sats(A, ordinal_fm(x), env) ⟷ Ord(nth(x,env))"
apply (frule lt_nat_in_nat, erule length_type)
apply (simp add: ordinal_fm_def Ord_def Transset_def)
apply (blast intro: nth_type)
done

text‹The subset consisting of the ordinals is definable.  Essential lemma for
‹Ord_in_Lset›.  This result is the objective of the present subsection.›
theorem Ords_in_DPow: "Transset(A) ==> {x ∈ A. Ord(x)} ∈ DPow(A)"
apply (rule_tac x=Nil in bexI)
apply (rule_tac x="ordinal_fm(0)" in bexI)
done

subsection‹Constant Lset: Levels of the Constructible Universe›

definition
Lset :: "i=>i" where
"Lset(i) == transrec(i, %x f. ⋃y∈x. DPow(f`y))"

definition
L :: "i=>o" where ―‹Kunen's definition VI 1.5, page 167›
"L(x) == ∃i. Ord(i) & x ∈ Lset(i)"

text‹NOT SUITABLE FOR REWRITING -- RECURSIVE!›
lemma Lset: "Lset(i) = (⋃j∈i. DPow(Lset(j)))"
by (subst Lset_def [THEN def_transrec], simp)

lemma LsetI: "[|y∈x; A ∈ DPow(Lset(y))|] ==> A ∈ Lset(x)"
by (subst Lset, blast)

lemma LsetD: "A ∈ Lset(x) ==> ∃y∈x. A ∈ DPow(Lset(y))"
apply (insert Lset [of x])
apply (blast intro: elim: equalityE)
done

subsubsection‹Transitivity›

lemma elem_subset_in_DPow: "[|X ∈ A; X ⊆ A|] ==> X ∈ DPow(A)"
apply (rule_tac x="[X]" in bexI)
apply (rule_tac x="Member(0,1)" in bexI)
done

lemma Transset_subset_DPow: "Transset(A) ==> A ⊆ DPow(A)"
apply clarify
apply (blast intro: elem_subset_in_DPow)
done

lemma Transset_DPow: "Transset(A) ==> Transset(DPow(A))"
apply (blast intro: elem_subset_in_DPow dest: DPowD)
done

text‹Kunen's VI 1.6 (a)›
lemma Transset_Lset: "Transset(Lset(i))"
apply (rule_tac a=i in eps_induct)
apply (subst Lset)
apply (blast intro!: Transset_Union_family Transset_Un Transset_DPow)
done

lemma mem_Lset_imp_subset_Lset: "a ∈ Lset(i) ==> a ⊆ Lset(i)"
apply (insert Transset_Lset)
done

subsubsection‹Monotonicity›

text‹Kunen's VI 1.6 (b)›
lemma Lset_mono [rule_format]:
"∀j. i<=j ⟶ Lset(i) ⊆ Lset(j)"
proof (induct i rule: eps_induct, intro allI impI)
fix x j
assume "∀y∈x. ∀j. y ⊆ j ⟶ Lset(y) ⊆ Lset(j)"
and "x ⊆ j"
thus "Lset(x) ⊆ Lset(j)"
by (force simp add: Lset [of x] Lset [of j])
qed

text‹This version lets us remove the premise @{term "Ord(i)"} sometimes.›
lemma Lset_mono_mem [rule_format]:
"∀j. i ∈ j ⟶ Lset(i) ⊆ Lset(j)"
proof (induct i rule: eps_induct, intro allI impI)
fix x j
assume "∀y∈x. ∀j. y ∈ j ⟶ Lset(y) ⊆ Lset(j)"
and "x ∈ j"
thus "Lset(x) ⊆ Lset(j)"
by (force simp add: Lset [of j]
intro!: bexI intro: elem_subset_in_DPow dest: LsetD DPowD)
qed

text‹Useful with Reflection to bump up the ordinal›
lemma subset_Lset_ltD: "[|A ⊆ Lset(i); i < j|] ==> A ⊆ Lset(j)"
by (blast dest: ltD [THEN Lset_mono_mem])

subsubsection‹0, successor and limit equations for Lset›

lemma Lset_0 [simp]: "Lset(0) = 0"
by (subst Lset, blast)

lemma Lset_succ_subset1: "DPow(Lset(i)) ⊆ Lset(succ(i))"
by (subst Lset, rule succI1 [THEN RepFunI, THEN Union_upper])

lemma Lset_succ_subset2: "Lset(succ(i)) ⊆ DPow(Lset(i))"
apply (subst Lset, rule UN_least)
apply (erule succE)
apply blast
apply clarify
apply (rule elem_subset_in_DPow)
apply (subst Lset)
apply blast
apply (blast intro: dest: DPowD Lset_mono_mem)
done

lemma Lset_succ: "Lset(succ(i)) = DPow(Lset(i))"
by (intro equalityI Lset_succ_subset1 Lset_succ_subset2)

lemma Lset_Union [simp]: "Lset(⋃(X)) = (⋃y∈X. Lset(y))"
apply (subst Lset)
apply (rule equalityI)
txt‹first inclusion›
apply (rule UN_least)
apply (erule UnionE)
apply (rule subset_trans)
apply (erule_tac [2] UN_upper, subst Lset, erule UN_upper)
txt‹opposite inclusion›
apply (rule UN_least)
apply (subst Lset, blast)
done

subsubsection‹Lset applied to Limit ordinals›

lemma Limit_Lset_eq:
"Limit(i) ==> Lset(i) = (⋃y∈i. Lset(y))"
by (simp add: Lset_Union [symmetric] Limit_Union_eq)

lemma lt_LsetI: "[| a ∈ Lset(j);  j<i |] ==> a ∈ Lset(i)"
by (blast dest: Lset_mono [OF le_imp_subset [OF leI]])

lemma Limit_LsetE:
"[| a ∈ Lset(i);  ~R ==> Limit(i);
!!x. [| x<i;  a ∈ Lset(x) |] ==> R
|] ==> R"
apply (rule classical)
apply (rule Limit_Lset_eq [THEN equalityD1, THEN subsetD, THEN UN_E])
prefer 2 apply assumption
apply blast
apply (blast intro: ltI  Limit_is_Ord)
done

subsubsection‹Basic closure properties›

lemma zero_in_Lset: "y ∈ x ==> 0 ∈ Lset(x)"
by (subst Lset, blast intro: empty_in_DPow)

lemma notin_Lset: "x ∉ Lset(x)"
apply (rule_tac a=x in eps_induct)
apply (subst Lset)
apply (blast dest: DPowD)
done

subsection‹Constructible Ordinals: Kunen's VI 1.9 (b)›

lemma Ords_of_Lset_eq: "Ord(i) ==> {x∈Lset(i). Ord(x)} = i"
apply (erule trans_induct3)
apply (simp_all add: Lset_succ Limit_Lset_eq Limit_Union_eq)
txt‹The successor case remains.›
apply (rule equalityI)
txt‹First inclusion›
apply clarify
apply (erule Ord_linear_lt, assumption)
apply (blast dest: DPow_imp_subset ltD notE [OF notin_Lset])
apply blast
apply (blast dest: ltD)
txt‹Opposite inclusion, @{term "succ(x) ⊆ DPow(Lset(x)) ∩ ON"}›
apply auto
txt‹Key case:›
apply (erule subst, rule Ords_in_DPow [OF Transset_Lset])
apply (blast intro: elem_subset_in_DPow dest: OrdmemD elim: equalityE)
apply (blast intro: Ord_in_Ord)
done

lemma Ord_subset_Lset: "Ord(i) ==> i ⊆ Lset(i)"
by (subst Ords_of_Lset_eq [symmetric], assumption, fast)

lemma Ord_in_Lset: "Ord(i) ==> i ∈ Lset(succ(i))"
apply (subst Ords_of_Lset_eq [symmetric], assumption,
rule Ords_in_DPow [OF Transset_Lset])
done

lemma Ord_in_L: "Ord(i) ==> L(i)"
by (simp add: L_def, blast intro: Ord_in_Lset)

subsubsection‹Unions›

lemma Union_in_Lset:
"X ∈ Lset(i) ==> ⋃(X) ∈ Lset(succ(i))"
apply (insert Transset_Lset)
apply (rule LsetI [OF succI1])
apply (intro conjI, blast)
txt‹Now to create the formula @{term "∃y. y ∈ X ∧ x ∈ y"}›
apply (rule_tac x="Cons(X,Nil)" in bexI)
apply (rule_tac x="Exists(And(Member(0,2), Member(1,0)))" in bexI)
apply typecheck
apply (simp add: succ_Un_distrib [symmetric], blast)
done

theorem Union_in_L: "L(X) ==> L(⋃(X))"
by (simp add: L_def, blast dest: Union_in_Lset)

subsubsection‹Finite sets and ordered pairs›

lemma singleton_in_Lset: "a ∈ Lset(i) ==> {a} ∈ Lset(succ(i))"

lemma doubleton_in_Lset:
"[| a ∈ Lset(i);  b ∈ Lset(i) |] ==> {a,b} ∈ Lset(succ(i))"
by (simp add: Lset_succ empty_in_DPow cons_in_DPow)

lemma Pair_in_Lset:
"[| a ∈ Lset(i);  b ∈ Lset(i); Ord(i) |] ==> <a,b> ∈ Lset(succ(succ(i)))"
apply (unfold Pair_def)
apply (blast intro: doubleton_in_Lset)
done

lemmas Lset_UnI1 = Un_upper1 [THEN Lset_mono [THEN subsetD]]
lemmas Lset_UnI2 = Un_upper2 [THEN Lset_mono [THEN subsetD]]

text‹Hard work is finding a single @{term"j ∈ i"} such that @{term"{a,b} ⊆ Lset(j)"}›
lemma doubleton_in_LLimit:
"[| a ∈ Lset(i);  b ∈ Lset(i);  Limit(i) |] ==> {a,b} ∈ Lset(i)"
apply (erule Limit_LsetE, assumption)
apply (erule Limit_LsetE, assumption)
apply (blast intro: lt_LsetI [OF doubleton_in_Lset]
Lset_UnI1 Lset_UnI2 Limit_has_succ Un_least_lt)
done

theorem doubleton_in_L: "[| L(a); L(b) |] ==> L({a, b})"
apply (drule Ord2_imp_greater_Limit, assumption)
apply (blast intro: lt_LsetI doubleton_in_LLimit Limit_is_Ord)
done

lemma Pair_in_LLimit:
"[| a ∈ Lset(i);  b ∈ Lset(i);  Limit(i) |] ==> <a,b> ∈ Lset(i)"
txt‹Infer that a, b occur at ordinals x,xa < i.›
apply (erule Limit_LsetE, assumption)
apply (erule Limit_LsetE, assumption)
txt‹Infer that @{term"succ(succ(x ∪ xa)) < i"}›
apply (blast intro: lt_Ord lt_LsetI [OF Pair_in_Lset]
Lset_UnI1 Lset_UnI2 Limit_has_succ Un_least_lt)
done

text‹The rank function for the constructible universe›
definition
lrank :: "i=>i" where ―‹Kunen's definition VI 1.7›
"lrank(x) == μ i. x ∈ Lset(succ(i))"

lemma L_I: "[|x ∈ Lset(i); Ord(i)|] ==> L(x)"

lemma L_D: "L(x) ==> ∃i. Ord(i) & x ∈ Lset(i)"

lemma Ord_lrank [simp]: "Ord(lrank(a))"

lemma Lset_lrank_lt [rule_format]: "Ord(i) ==> x ∈ Lset(i) ⟶ lrank(x) < i"
apply (erule trans_induct3)
apply simp
apply (simp only: lrank_def)
apply (blast intro: Least_le)
apply (blast intro: ltI Limit_is_Ord lt_trans)
done

text‹Kunen's VI 1.8.  The proof is much harder than the text would
suggest.  For a start, it needs the previous lemma, which is proved by
induction.›
lemma Lset_iff_lrank_lt: "Ord(i) ==> x ∈ Lset(i) ⟷ L(x) & lrank(x) < i"
apply (blast intro: Lset_lrank_lt)
apply (unfold lrank_def)
apply (drule succI1 [THEN Lset_mono_mem, THEN subsetD])
apply (drule_tac P="λi. x ∈ Lset(succ(i))" in LeastI, assumption)
apply (blast intro!: le_imp_subset Lset_mono [THEN subsetD])
done

lemma Lset_succ_lrank_iff [simp]: "x ∈ Lset(succ(lrank(x))) ⟷ L(x)"

text‹Kunen's VI 1.9 (a)›
lemma lrank_of_Ord: "Ord(i) ==> lrank(i) = i"
apply (unfold lrank_def)
apply (rule Least_equality)
apply (erule Ord_in_Lset)
apply assumption
apply (insert notin_Lset [of i])
apply (blast intro!: le_imp_subset Lset_mono [THEN subsetD])
done

text‹This is lrank(lrank(a)) = lrank(a)›
declare Ord_lrank [THEN lrank_of_Ord, simp]

text‹Kunen's VI 1.10›
lemma Lset_in_Lset_succ: "Lset(i) ∈ Lset(succ(i))"
apply (rule_tac x=Nil in bexI)
apply (rule_tac x="Equal(0,0)" in bexI)
apply auto
done

lemma lrank_Lset: "Ord(i) ==> lrank(Lset(i)) = i"
apply (unfold lrank_def)
apply (rule Least_equality)
apply (rule Lset_in_Lset_succ)
apply assumption
apply clarify
apply (subgoal_tac "Lset(succ(ia)) ⊆ Lset(i)")
apply (blast dest: mem_irrefl)
apply (blast intro!: le_imp_subset Lset_mono)
done

text‹Kunen's VI 1.11›
lemma Lset_subset_Vset: "Ord(i) ==> Lset(i) ⊆ Vset(i)"
apply (erule trans_induct)
apply (subst Lset)
apply (subst Vset)
apply (rule UN_mono [OF subset_refl])
apply (rule subset_trans [OF DPow_subset_Pow])
apply (rule Pow_mono, blast)
done

text‹Kunen's VI 1.12›
lemma Lset_subset_Vset': "i ∈ nat ==> Lset(i) = Vset(i)"
apply (erule nat_induct)
apply (simp add: Lset_succ Vset_succ Finite_Vset Finite_DPow_eq_Pow)
done

text‹Every set of constructible sets is included in some @{term Lset}›
lemma subset_Lset:
"(∀x∈A. L(x)) ==> ∃i. Ord(i) & A ⊆ Lset(i)"
by (rule_tac x = "⋃x∈A. succ(lrank(x))" in exI, force)

lemma subset_LsetE:
"[|∀x∈A. L(x);
!!i. [|Ord(i); A ⊆ Lset(i)|] ==> P|]
==> P"
by (blast dest: subset_Lset)

subsubsection‹For L to satisfy the Powerset axiom›

lemma LPow_env_typing:
"[| y ∈ Lset(i); Ord(i); y ⊆ X |]
==> ∃z ∈ Pow(X). y ∈ Lset(succ(lrank(z)))"
by (auto intro: L_I iff: Lset_succ_lrank_iff)

lemma LPow_in_Lset:
"[|X ∈ Lset(i); Ord(i)|] ==> ∃j. Ord(j) & {y ∈ Pow(X). L(y)} ∈ Lset(j)"
apply (rule_tac x="succ(⋃y ∈ Pow(X). succ(lrank(y)))" in exI)
apply simp
apply (rule LsetI [OF succI1])
apply (intro conjI, clarify)
apply (rule_tac a=x in UN_I, simp+)
txt‹Now to create the formula @{term "y ⊆ X"}›
apply (rule_tac x="Cons(X,Nil)" in bexI)
apply (rule_tac x="subset_fm(0,1)" in bexI)
apply typecheck
apply (rule conjI)
apply (rule equality_iffI)
apply (simp add: Transset_UN [OF Transset_Lset] LPow_env_typing)
apply (auto intro: L_I iff: Lset_succ_lrank_iff)
done

theorem LPow_in_L: "L(X) ==> L({y ∈ Pow(X). L(y)})"
by (blast intro: L_I dest: L_D LPow_in_Lset)

subsection‹Eliminating @{term arity} from the Definition of @{term Lset}›

lemma nth_zero_eq_0: "n ∈ nat ==> nth(n,[0]) = 0"
by (induct_tac n, auto)

lemma sats_app_0_iff [rule_format]:
"[| p ∈ formula; 0 ∈ A |]
==> ∀env ∈ list(A). sats(A,p, env@[0]) ⟷ sats(A,p,env)"
apply (induct_tac p)
apply (simp_all del: app_Cons add: app_Cons [symmetric]
done

lemma sats_app_zeroes_iff:
"[| p ∈ formula; 0 ∈ A; env ∈ list(A); n ∈ nat |]
==> sats(A,p,env @ repeat(0,n)) ⟷ sats(A,p,env)"
apply (induct_tac n, simp)
apply (simp del: repeat.simps
done

lemma exists_bigger_env:
"[| p ∈ formula; 0 ∈ A; env ∈ list(A) |]
==> ∃env' ∈ list(A). arity(p) ≤ succ(length(env')) &
(∀a∈A. sats(A,p,Cons(a,env')) ⟷ sats(A,p,Cons(a,env)))"
apply (rule_tac x="env @ repeat(0,arity(p))" in bexI)
apply (simp del: app_Cons add: app_Cons [symmetric]
done

text‹A simpler version of @{term DPow}: no arity check!›
definition
DPow' :: "i => i" where
"DPow'(A) == {X ∈ Pow(A).
∃env ∈ list(A). ∃p ∈ formula.
X = {x∈A. sats(A, p, Cons(x,env))}}"

lemma DPow_subset_DPow': "DPow(A) ⊆ DPow'(A)"
by (simp add: DPow_def DPow'_def, blast)

lemma DPow'_0: "DPow'(0) = {0}"

lemma DPow'_subset_DPow: "0 ∈ A ==> DPow'(A) ⊆ DPow(A)"
apply (auto simp add: DPow'_def DPow_def)
apply (frule exists_bigger_env, assumption+, force)
done

lemma DPow_eq_DPow': "Transset(A) ==> DPow(A) = DPow'(A)"
apply (drule Transset_0_disj)
apply (erule disjE)
apply (rule equalityI)
apply (rule DPow_subset_DPow')
apply (erule DPow'_subset_DPow)
done

text‹And thus we can relativize @{term Lset} without bothering with
@{term arity} and @{term length}›
lemma Lset_eq_transrec_DPow': "Lset(i) = transrec(i, %x f. ⋃y∈x. DPow'(f`y))"
apply (rule_tac a=i in eps_induct)
apply (subst Lset)
apply (subst transrec)
apply (simp only: DPow_eq_DPow' [OF Transset_Lset], simp)
done

text‹With this rule we can specify @{term p} later and don't worry about
arities at all!›
lemma DPow_LsetI [rule_format]:
"[|∀x∈Lset(i). P(x) ⟷ sats(Lset(i), p, Cons(x,env));
env ∈ list(Lset(i));  p ∈ formula|]
==> {x∈Lset(i). P(x)} ∈ DPow(Lset(i))"
by (simp add: DPow_eq_DPow' [OF Transset_Lset] DPow'_def, blast)

end
```