From tfm%computer-lab.cambridge.ac.uk@NSFnet-Relay.AC.UK  Thu Apr 19 16:00:06 1990
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA26692; Thu, 19 Apr 90 16:00:06 PDT
Received: from ucdavis.ucdavis.edu by clover.ucdavis.edu (5.59/UCD.EECS.1.11)
        id AA10632; Thu, 19 Apr 90 16:04:29 PDT
Received: from NSFNET-RELAY.AC.UK by ucdavis.ucdavis.edu (5.61/UCD2.03)
        id AA19093; Thu, 19 Apr 90 15:56:29 -0700
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK
           via Janet with NIFTP  id aa05219; 19 Apr 90 23:44 BST
Received: from moorhen.cl.cam.ac.uk by gnnt.Cl.Cam.AC.UK id aa07919;
          19 Apr 90 23:43 BST
Received: by uk.ac.cam.cl.moorhen (4.0/SMI-3.0DEV3)
        id AA14522; Thu, 19 Apr 90 23:43:04 BST
Date: Thu, 19 Apr 90 23:43:04 BST
From: tfm%computer-lab.cambridge.ac.uk@NSFnet-Relay.AC.UK
Message-Id: <9004192243.AA14522@uk.ac.cam.cl.moorhen>
To: info-hol%clover.ucdavis.edu@NSFnet-Relay.AC.UK
Subject: dealing with epsilon...

RE: Kumar's query about dealing with the choice operator.

The best general strategy for dealing with constants defined using the
choice operator (e.g. MOD) is to first prove that an object having the
chosen property exists.  It is then trivial to prove that the defined
constant itself has the property in question.  ONE THEN FORGETS ABOUT
EPSILON AND THE DEFINITION, and uses this second result in all subsequent
proofs.

Here are some typical scenarios:

1: THE EASY CASE
----------------

 Given a constant c defined by

     DEF  |- c = @x. P[x]

 The absolutely first thing to prove is that

     ETH  |- ?x. P[x]

 From this, it is trivial to show that

     PTH  |- P[c]

 Given the definition DEF and the existence theorem ETH, here's how that
 last result might be proved:

    let PTH = TAC_PROOF(([], "P[c]"),
                        SUBST_TAC [DEF] THEN
                        CONV_TAC SELECT_CONV THEN
                        MATCH_ACCEPT_TAC ETH);;

 Having proved this last theorem, we then forget all about epsilon
 and the definition c = @x.P[x].  We just use PTH in all subsequent
 reasoning about the constant c.


2: THE SLIGHTLY HARDER CASE
---------------------------

 We have a constant c defined by

    DEF  |- c y = @x. P[x,y]

 and we can prove only that:

    ETH  |- !y. Q[y] ==> ?x. P[x,y]

 This is not too bad, for then we can prove:

    PTH  |- !y. Q[y] ==> P[c y, y]

 and use only this theorem from now on (forget about epsilion and
 the definition).  The tactic in this case is:

    let PTH = TAC_PROOF(([], "!y. Q[y] ==> P[c y, y]"),
                        GEN_TAC THEN DISCH_TAC THEN
                        PURE_ONCE_REWRITE_TAC [DEF] THEN
                        CONV_TAC SELECT_CONV THEN
                        IMP_RES_TAC ETH);;

 Having proved this, we no longer need to deal with epsilon.

3: IN-LINE epsilons
-------------------

 The above method also applies when there's no constant definition,
 but instead we're just using an unabbreviated @-term.  In this situation,
 the easy example shown above translates to:

   i) first prove    ETH  |- ?x. P[x]

  ii) then prove     PTH  |- P[@x.P[x]]

 Then try to ignore the epsilon and just work with this.



4: UNIQUE EXISTENCE
-------------------

 Strictly speaking, this really has nothing to do with the details
 of dealing with epsilon in tactics etc.  But it comes up quite often.

 Suppose we have defined

   DEF   |-  c = @x.P[x]

 and (as oulined above) proved |- ?x. P[x] and therefore that:

   PTH   |- P[c]

 Now, it may also be the case that there is only one value that
 satisfies P.  And this may be important (e.g. in the case of MOD).
 Then we want to show that:

  UTH    |- !x. P[x] ==> !y. P[y] ==> (y = x)

 I.e. we want to prove uniqueness.  It then follows immediately from
 PTH and UTH that:

  THM    |- !y. P[y] ==> (y = c)

 That is, that anything with property P is equal to c.  Proving this
 (given PTH) has nothing to do with epsilon, though.  But the MOD example
 mentioned in Kumar's message is a case in which a result of this kind
 is essential.

I hope the above remarks may be of some help.

Tom

PS: for the MOD example, the existence theorem is just:

      ETH |- !k n. ~(n=0) ==> ?r q. (k=(q*n)+r) /\ r<n

    we then immediately have:

      PTH |- !k n. ~(n=0) ==>
                   ?q. (k = ((q * n) + (k MOD n))) /\ ((k MOD n) < n)",

    Once we have this, we can forget that @ was used to define MOD. But
    we still have to go on to prove uniqueness....

