A theory of finite structures

A theory of finite structures

\symitalicDaniel Leivant
SICE (Indiana University) and IRIF (Paris-Diderot)

We develop a novel formal theory of finite structures, based on a view of finite structures as a fundamental artifact of computing and programming, forming a common platform for computing both within particular finite structures, and in the aggregate for computing over infinite data-types construed as families of finite structures. A \symitalicfinite structure is here a finite collection of finite partial-functions, over a common universe of \symitalicatoms. The theory is second-order, as it uses quantification over finite functions.

Our formal theory \symboldFS uses a small number of fundamental axiom-schemas, with finiteness enforced by a schema of induction on finite partial-functions. We show that computability is definable in the theory by existential formulas, generalizing Kleene’s Theorem on the -definability of RE sets, and use that result to prove that \symboldFS is mutually interpretable with Peano Arithmetic.

1 Introduction

We develop a formal theory of finite structures, motivated in part by an imperative programming language for transforming such structures.

Our point of departure is to posit finite structures as a fundamental artifact of computing and programming. It is a truism that a database is a finite structure. But elements of infinite data-types, such as the natural numbers or binary strings, are also finite-structures that obey certain requirements. Computing over such a data-type can thus be construed as a transformation process driven by those structures’ internal making. Viewed from that angle, a function computed by a transducer-program is perceived as a mapping over the space of finite-structures, rather than a function \symitalicwithin a particular infinite structure. Thus, finite partial-structures form a common platform for computing both within particular finite structures, and in the aggregate for computing over infinite data-types, as long as their elements are not infinite themselves (e.g. streams).

Our theory is second-order, in that we quantify over structures (via a quantification over finite functions). The well-known second-order nature of inductive data is thus manifested in the computation objects being \symitalicthemselves second-order, albeit finite ones. The atoms, from which our finite structures are built, are the first-order elements. They are nameless and structure-less, and there must be an unlimited supply of them to permit unhindered structure extension during computation. One intends to identify structures that differ only by the choice of atoms, i.e. ones that are isomorphic to each other, though it turns out that we can often convey that intent implicitly, without complicating matters with permanent references to equivalence classes.

Since referencing objects by constant and function identifiers is central to imperative programming, we choose to base our structures on partial-functions, rather than sets or relations. That is, each one of our structures is a finite set of finite partial-functions. The Tarskian notion of an explicit structure universe is superfluous here: the only atoms that matter are the ones that appear as inputs and/or outputs of a structure’s functions, a set we shall call the structure’s \symitalicscope.

Finally, as we base our finite structures on finite partial-functions, the basic operations on structures must be function-updates of some form. This is analogous to the operation of adjoining an element to a set, which underlies several existing theories of finite sets (see below).

In fact, the idea that inductive data-objects, such as the natural numbers, can be construed as being composed of underlying units, goes back all the way to Euclid, who defined a number as “a multitude composed of units” [4, 7th book, definition 2]. The logicist project of Frege, Dedekind and Russell, which attempted to reduce mathematics to logic’s first principles, included this very same reduction of natural numbers to finite sets. The current predominant view of natural numbers as irreducible primal objects was advocated by opponents of the logicist project, notably Poincaré [5] and Kronecker, whose critique was subsequently advanced by the emergence of Tarskian semantics and by Gödel’s incompleteness theorems.

Philosophical considerations aside, the kinship between natural numbers and finite sets raises interesting questions about the formalization of finite set theory, and the mutual interpretation of such a theory with formal theories for arithmetic. Several formal theories proposed for finite set theory are based on \symboldZF with the Axiom of Infinity replaced by its negation, which we denote here by . [10] shows that can be interpreted in \symboldPA (Theorem 3.1), and that \symboldPA can be interpreted in (Theorem 4.5), but not by the inverse of the former. That inverse would work for the interpretation of \symboldPA provided is augmented with a \symitalicTransitive Containment axiom, asserting that every set is contained in a transitive set (Theorem 6.5). A result analogous to the latter111Wang removes from \symboldZF Infinity without replacing it with its negation, since he does not interpret finite set theory in \symboldPA. was proved by Wang already in 1953 [22], where he uses an axiom (ALG) analogous to Transitive Containment, stating the enumerability of the collection of all finite sets.

It seems, though, that is somewhat of an oxymoron, in that it embraces \symboldZF, a theory designed specifically to reason about infinity, only to eviscerate it off the bat by excluding infinity.222The subtext is, of course, the conviction that \symboldZFC is the canonical formal framework for all of mathematics. An approach more germane to finiteness was proposed already by Zermelo [24, Theorem 3], Whitehead and Russell [23, *120.23], Sierpiński [18, p.106], Kuratowski [11], and Tarski [20]. It enforces finiteness by an induction principle for sets: if satisfies a property  and whenever satisfies  then so does for each , then all sets satisfy . This induction principle corresponds to the inductive definition of finite sets as the objects generated by successively joining elements to .

Mayberry [13] defines an arithmetic based on induction on sets, which he deftly dubs \symitalicEuclidean Arithmetic. He considers a number of induction principles derived from the set-induction principle above, but allows for neither set quantifiers nor unbounded atomic quantifiers in the induction formula. Consequently, his system is mutually interpretable with a weak number theory, namely extended with an exponentiation function (detailed proof in [9]). Pettigrew [15, 16] shows that these two theories are also equipollent with a bounded version of .

Our approach differs from the ones above in several respects. Our theory \symboldFS of finite structures is based on finite structures rather than finite sets, and is formally second-order, in contrast to theories based on \symboldZF, which on the one hand are first-order, and on the other hand refer to a cumulative hierarchy of sets. At the same time, \symboldFS’s second-order nature is weak, in that its induction principle implies that its second-order object are finite. As a result, our theory of finite structures, although based on a variant of set induction (and not ) is equipollent to full Peano Arithmetic.

Principally, our motivation is to develop new natural tools for the analysis and verification or computing and programming. We are particularly interested in novel forms of calibrating computational resources by syntactic methods. In [12] we already show that, by using finite structures as focal concept, one obtains an abstract characterization of primitive recursive mathematics based on the concept of loop variant, familiar from program verification.

The remaining of the paper is organized as follows. In §2 we lay out our fundamental concepts and notations. Our theory \symboldFS of finite structures is presented in §3, followed by its programming language counterpart \symboldST in §4. We then prove in §5 an abstract generalization of Kleene’s classical theorem about the existential definability of computability, and use it in §6 to show that \symboldFS is mutually interpretable in Peano Arithmetic.

2 Finite structures

2.1 Finite functions

Our basic notion is the \symitalicfinite partial structure, in which function-identifiers are interpreted as partial-functions. For example, we construe binary strings as structures over the vocabulary with a constant and unary function identifiers  and . E.g., is taken to be the four element structure

Here  is interpreted as the partial-function defined only for the leftmost atom, and  as the partial-function defined only for the second and third. As in Gurevich’s ASM, we posit our finite structures to live within a denumerable set of \symitalicatoms, i.e. unspecified and unstructured objects. To accommodate non-denoting terms we extend to a flat domain , where in addition to the atoms we posit a fresh object , intended to denote “undefined.” The elements of are the \symitalicstandard elements of .333We refer neither to boolean values not to “background structures” [1] on top of atoms.

By an \symitalic-function we mean a finite -ary partial-function over , where ; thus, the nullary -functions are the atoms. We identify an A-function with the total function satisfying


Note that is necessarily strict, i.e. its output is whenever one of its inputs is. For each we let be the empty -ary -function, i.e. the one that returns for every input. When in no danger of confusion we write for . The \symitalicscope of is the set of atoms occurring in its entries.

Function partiality provides a natural representation of finite relations over by partial functions, without recourse to booleans. We represent a finite -ary relation over () by -ary -functions whose domain is , notably the function

2.2 -structures over a vocabulary

A \symitalicvocabulary is a finite set of function-identifiers, with each assigned an \symitalicarity . We refer to nullary function-identifiers as \symitalictokens and to unary ones as \symitalicpointers. For the moment we might think of these identifiers as reserved names, but they can be construed just the same as (permanently free) variables.

An \symitalicentry of an -function is a tuple where .  is an \symitalic-structure over if it is a mapping that to each , assigns a -ary -function , said to be a \symitaliccomponent of . The \symitalicscope of  is the union of the scopes of its components.

If  is an -structure over , and  an -structure over , then  is an \symitalicexpansion of  (to ), and  a \symitalicreduct of (to ), if the two structures have the same interpretation for identifiers in (the scope of  may be strictly larger than that of ). For -structures  and  over the same vocabulary, we say that  is a \symitalicsubstructure of  if every entry of  is an entry of .

A finite collection of structures is itself a structure: if is a structure over (), then the collection is the union over the disjoint union of the vocabularies.

Given a vocabulary , the set of \symitalic-terms is generated by

  • .

  • If , and then

Note that we write function application in formal terms without parentheses and commas, as in or . We optionally superscript function identifiers by their arity, and implicitly posit that the arity of a function matches the number of arguments displayed; thus writing assumes that is a vector of length , and (with no superscript) that the vector is as long as ’s arity. A term is \symitalicstandard if does not occur in it.

Given an -structure  over , the \symitalicvalue of a -term \symboldt in , denoted , is obtained by recurrence on \symboldt:

  1. For ,

An atom is \symitalic-accessible in  if for some . An A-structure  over is \symitalicaccessible if every atom in the scope of  is -accessible. For example, if is without tokens then no atom of a -structure can be accessible. If every atom in the scope of an accessible structure  is the value of a \symitalicunique -term we say that  is \symitalicfree. Note that an accessible A-structure  can fail to be free even if all its components are injective:

However, we have the straightforward observation:

\symsmallcapsLemma 1

An accessible A-structure  over is free iff there is a finite set of -terms, closed under taking sub-terms, such that the function is injective.

If \symboldq is a standard -term, and consists of the sub-terms of \symboldq, then we write for the resulting \symitalicfree -structure. It is often convenient to fix a reserved token, say , to denote in each structure its root, i.e. the term \symboldq as a whole. For example, for nullary  and , unary , and binary , the structures , , , are, respectively,

2.3 A second-order language

We wish to present a formal theory of finite structures, that deals not only with one structure at a time, but with structure transformation, in particular by suitable imperative programs. To that end, we generalize our discussion from a single vocabulary to a vocabulary “on demand.” We posit for each a denumerable sets of \symitalic-ary variables, intended to range over the -ary -functions. The variables of arity and are dubbed \symitalicatomic and \symitalicfunctional, respectively. When a particular vocabulary is of interest (with the exhibited ordering of its identifiers), we write (with the vocabulary’s name as superscript) for a vector of variables , with . We update our definitions of the set \symboldTm of \symitalicterms, and of their semantics in a structure , by referring to function variables rather than identifiers of a fixed vocabulary.

An \symitalicequation is a phrase of the form , where . The set \symboldFm of \symitalicformulas is generated inductively by

  1. Every equation is a formula;

  2. \symboldFm is closed under the propositional operators ( and ).

  3. If  is a formula, then so are and ().

Given an -structure  for a set of variables, a variable , and -ary -function , we write for the structure which is identical to , except that . Given a formula  and a structure , where all variables free in  are in the domain of , the \symitalictruth of  in , denoted , is defined by recurrence on formulas, as follows.


When we also say that  \symitalicverifies . Clearly, depends only on for variables occurring free in .

Recall from (1) that we identify a finite with its strict extension , so the quantifiers range over all strict -valued functions, which for the nullary case means that atomic variables may take any value in . This definition departs from Tarski’s semantics in that quantification ranges over \symitalicall -functions, regardless of the scope of .

2.4 First-order formulas

We call quantification over atomic variables \symitalicfirst-order, and quantification over functional variables \symitalicsecond-order. A formula is \symitalicfirst-order if all its quantifiers are first-order.

We use notation conventions for some important first-order formulas:

  • for . We overload this convention, and write to mean , where .

    Dually, abbreviates  

  • (3)

    states that the atom denoted by is in the scope of . Thus

    means that  is true “within” , which is not the same as . For example, is true for all -structures, whereas is false for all -structures.

  • Let . The -structures that model the following formula are precisely the structures for the natural numbers, described in §2.2.444We disregard here the token


The following observation is a variant of a basic result of Finite Model Theory. We shall not use it in this paper.

\symsmallcapsProposition 2

Let  be a first-order formula. The following problem is decidable in polynomial time (in the size of the input structure presentation). We assume that -structure are given as tables.

  • \symslantedGiven an A-structure , is  true for .


Proof. The proof is by induction on . Absent second-order quantifiers, the only case of interest is when the main operator of  is an atomic quantifier, say . The input’s format provides direct scanning of all entries that are in the scope of , and the denotations of the A-functions all yield for all other entries. From this the calculation of the truth in of is immediate.

3 A theory of finite structures

3.1 On axiomatizing finiteness

Since our -structure are built of functions, we refer to a generative process that extends functions rather than sets ore relations. The set of -ary -functions is generated by:

  • \symslantedThe empty -ary function is in ;

  • \symslantedIf , , and , then extending with an entry yields an -function in .

From this inductive definition we obtain an Induction Schema for -functions. Using the abbreviations


Induction for a formula (with a distinguished function-variable ) reads


Since the components of -structures are -functions, without constraints that relate them, there is no need to articulate a separate induction principle for -structures. Indeed, every -structure  for a vocabulary is obtained by first generating the entries of , then those for , and so on. Note that this would no longer be the case for an inductive definition of the class of \symitalicaccessible structures, whose components must be generated in tandem:555We shall discuss the class in detail elsewhere.

  • \symslantedIf is in , is \symitalicin the scope of , , and ,
    then extending  with an entry yields a structure in .

3.2 The theory \symboldFs

Our axiomatic theory \symboldFS for -functions has free and bound variables for \symitalicatoms and free and bound variables for \symitalicfunctions of arbitrary positive arity. We use as syntactic parameters for atomic variables, and as syntactic parameters for functional variables, optionally superscripted with their arity when convenient.

The axiom schemas are the universal closures of the following templates, for all arities , terms \symboldt, and formulas . For a function variable and variables we write for .



Note that this states that is infinite (unbounded), and has no bearing on the finiteness of -functions.

[\symboldEmpty-function]     .


This schema combines Zermelo’s Separation Schema with an Explicit Definition principle: is defined by the term \symboldt, for arguments in the domain of .

[\symboldf-Induction]   Recalling (6) above:

For each of the schemas [Empty-function], [Function-extension], and [Explicit-definition], the function asserted to exist is trivially unique, and so adding identifiers for these functions is conservative over \symboldFS. We write , and , respectively, for these functions (one for every arity ).

The relevant axiom-schemas above can be rephrased using these three constructs as primitives:




Also note the contra-positive form of f-Induction:


3.3 Some derived schemas

[\symboldUnion] .
The proof is by f-Induction on and Extension.



This follows from Explicit-definition and Union.


The universal closure with respect to is proved by inductions on and , using Extension.



This is the dual of Extension. The proof of (refeq:contraction) is by induction on for the universal closure of (9) with respect to .

[\symboldFunction pairing]


Much of the expressive and proof theoretic power of arithmetic is due to the representation of finite sequences and finite sets of numbers by numbers. The Function-pairing schema provides a representation of two -ary -functions by a single -ary -function. Namely, are “tagged” withing by the tags respectively. In other words, writing for , we have and . (We might require, in addition, that for all atoms , but this is inessential if we include explicitly in the representation.)

[\symboldAtomic-choice] A more interesting form of tagging is provided by the following principles of \symitalicChoice.


This is analogous to [14, Lemma 2(e)], and is straightforward by induction on . Suppose the schema holds for , yielding the function . To show the schema true for suppose it satisfies the premise


Then satisfies (12) as well, yielding a for the conclusion. Also, by (12) there is an atom such that , and so the conclusion is satisfied by in place of .


where  abbreviates   Note that Atomic-choice is a special case of Function-choice, with nullary.

Note that the bounding condition in the choice schemas above is essential: even the simplest case


is false already for , since the identity function over is not finite.

4 Imperative programs over -structures

We define a variant of Gurevich’s abstract state machines (ASMs) [2, 6, 8], for the transformation of -structures. Transducer-programs define mappings between structures, which are akin to the mappings underlying Fraenkel’s Replacement Axiom, and more generally the proper classes of Bernays-Gödel set theory. Namely, these mappings are not -functions, and are referred to in the theory \symboldFS via the formulas that define them.

4.1 Structure revisions

Our \symitalicstructure transformation programming language, \symboldST, is designed to be a Turing-complete computing system for the transformation of finite partial-structures, using the simplest possible building blocks while maintaining expressiveness. An \symboldST-program takes an -structure as input, and successively applies basic structure revisions to it. The process may terminate with a final -structure when no further revision is called for. For example, addition over  might be computed by a program that takes as input a structure representing two natural numbers and , and grafting the second on top of the first. Doubling a number might be performed by copying the input before grafting the copy over the input, or alternatively generating a new structure by repeatedly extending it with two atoms while depleting the input.

We start by defining the basic operations of \symboldST, to handle entries. Each such operation maps a structure  into a structure which is identical to  with the exceptions noted.

  1. An \symitalicextension is a phrase where the ’s are standard terms and \symboldq is a term. The intent is that is identical to , except that if then .

  2. An \symitalicinception is a phrase of the form , where \symboldc is a token. A common alternative notation is . The intent is that is identical to , except that if , then is an atom not in the scope of . A more general form of inception, with a fresh atom assigned to a term \symboldt is obtained as the composition

    where \symboldc is a reserved token.

    We allow extensions and inceptions to refer to an identifier \symboldf not in the vocabulary of , in which case the vocabulary of extends that of , and we posit that .

  3. A \symitaliccontraction, the dual of an extension, is a phrase of the form . The intent is that is identical to , except that .

  4. A \symitalicdeletion, the dual of an inception, is a phrase of the form , where \symboldc is a token. The intent is that is obtained by removing . That is, is identical to , except that for all -functions present and all , if , then .

    Note that a deletion cannot be obtained via the composition of contractions, because might be reached by -functions of  from atoms that are not accessible, in which case the atom cannot be eliminated from the scope of by contractions alone.

We refer to extensions, contractions, inceptions and deletions as \symitalicrevisions. Extensions and inceptions are then \symitalicconstructive revisions, whereas contractions and deletions are the \symitalicdestructive revisions.

An extension and a contraction can be combined into an \symitalicassignment, i.e. a phrase of the form . This can be viewed as an abbreviation, with  a fresh token, for the composition of four revisions:

(Note that the atom denoted by \symboldq (when defined) is being memorized by , since \symboldq may become inaccessible due to the contraction .) Although assignments are common and useful, we prefer contractions and extensions as basic constructs, for two reasons. First, these constructs are truly elemental. More concretely, the distinction between constructive and destructive revisions plays a role in implicit characterizations of computational complexity classes, as for example in [12].

4.2 \symboldSt programs

Our programming language \symboldST for structure transformation consists of guarded iterative programs using revisions as basic operations. Define a \symitalicguard to be a quantifier-free formula.666Taking for guards arbitrary \symitalicfirst-order formulas would not make a difference anywhere. The \symitalicprograms of \symboldST are generated inductively as follows.

  1. A structure-revision is a program.

  2. If and are programs and is a guard, then , and are programs.

For a program we define the binary \symitalicyield relation between structures by recurrence on . For a revision the definition follows the intended semantics described informally above. The cases for composition, branching, and iteration, are straightforward as usual.

Let be a partial-mapping from a class  of A-structures to a class of A-structures. A program \symitaliccomputes if for every , for some expansion  of . Note that the vocabulary of the output structure need not be related to the input vocabulary.

4.3 Turing completeness

Guarded iterative programs are well known to be sound and complete for Turing computability, and proofs of the Turing completeness of abstract state machines have been given before (see for example [7, §3.1]). To dispel any concern that those proofs need more than finite structures and our simple revision operations, we outline a proof here.

\symsmallcapsTheorem 3

Let be a Turing transducer computing a partial-function . There is an \symboldST-program that, for every , transforms to .


Proof. Suppose uses an extended alphabet , set of states , start state , print state , and transition function . Recall that for we write for the structure .

Define to be the vocabulary with ,  and each state in as tokens; and with  and each symbol in  as pointers. The intent is that a configuration (i.e. with cursored) be represented by the -structure

All remaining tokens are undefined.

We define the program to implement the following phases:

  1. Convert the input structure into the structure for the initial configuration, and initialize  to the initial input element. Use a loop to initialize a fresh pointer  to be the destructor function for the input string, to be used for backwards movements of the cursor.

  2. Main loop: configurations are revised as called for by . The loop’s guard is  (the “print” state) being undefined.

  3. Convert the final configuration into the output.

5 Computability implies existential definability

5.1 Expressing relation iteration

Suppose is a formula, with variable-vectors , both for the vocabulary . Define the relation as the least fixpoint of the closure conditions:

  • for all .

  • If and then .

\symsmallcapsTheorem 4

For every formula there is a formula that defines the relation .


Proof. By definition, just in case there are () such that

The function-vectors can be bundled jointly into a single vector , using a vocabulary with a fresh variable for each in . We also refer to two fresh auxiliary variables and , and let the bundled vector be defined by

For a term \symboldt let abbreviate .

Now define


\symboldExample. Let be a vocabulary with identifiers of arity , and etc. be vectors of atomic variables. Take for the following formula (where and are construed as sets).

That is, is identical to except that it may contain additional atoms, all obtained by applying some to elements of . Then the existential formula

defines the set of -accessible atoms. Consequently,

is true for a -structure  iff  is -accessible.

5.2 Existential definability of computable relations between -structures

\symsmallcapsTheorem 5

For every \symboldST-program over -structures, there is an existential formula that holds iff .


Proof. By induction on .

  • If is a revision then is in fact first-order, and trivially defined.

  • If is , then by IH there are existential formulas and that hold just in case and . We thus define

    which is existential if and are.

  • If is we define

    which is existential if and are. Note that here is first-order, so the negation is harmless.

  • If is , let

    and define

    Here is the existential formula defined in (14).

Theorem 5 defines a binary relation between the initial and final configurations of an \symboldST-program. Given a convention on which program variables are to be considered inputs and which output, the formula can be modified to express the input-output relation computed by the program. For instance, if uses variables , of which and are used for the inputs, and and are used for the outputs, then the I/O relation defined by is


6 Equipollence of \symboldFs and \symboldPa

6.1 Interpretation of arithmetic formulas in finite structures

The intended model of \symboldFS has no “universe” in the traditional, Tarskian, sense. Using the structures as the target “elements” falls short of the natural embedding, where natural numbers are interpreted as equivalence classes of such structures. Note that we cannot take one representative from each equivalence class because there is no way to formally identify such representatives. Consequently, we depart from the traditional definition of interpretations between languages and between formal theories, (see e.g. [3, §2.7]), relax the requirement that the source universe be interpreted by a definable subset of the target universe, and interpret the natural numbers instead by equivalence classes of structures satisfying  (as defined in (4)).

The representation of natural numbers by equivalence classes of structures can now be formalized as follows. Take \symboldPA to be based on logic \symitalicwithout equality, that is with equality considered a binary relation identifier rather than a logical constant, which for \symboldPA happens to be interpreted as identity. The point is that our interpretation of \symboldPA in \symboldFS must now include a definition of the interpretation of equality, though not as the identity relation between the atoms of \symboldFS, but rather as structure isomorphism. The property of a unary function being an isomorphism between structures over the vocabulary can be defined by


Given that  (as defined in (16)) is assumed true for and , and that must be strict, the condition above implies that the function must be a bijection. We now define the interpretation of the equality relation of \symboldPA as the relation

between structures representing natural numbers.

We interpret the remaining non-logical constants of \symboldPA, namely 0, successor, addition and multiplication, via basic equations for them. For each variable of \symboldPA let and be \symboldFS-variables. In any given context only finitely many -variables will be present, so the collection of all corresponding \symboldFS-variables will be finite as well. Every equation of \symboldPA is equivalent to a formula involving only equation of one of the following five forms:


We define the following interpretation for such equations.

  • .

  •   where \symoperatorsIso is as in (16).

  • where    is

  • where is the existential formula defined by (15) for the \symboldST-program computing addition,

  • ( is defined similarly, referring to the \symboldST-program for multiplication.

  • Combining the previous cases, we easily define (by discourse-level induction on terms) an interpretation for all terms \symboldt,\symboldq.

We let the mapping commute with the connectives: is , etc.

For the quantifiers we let


Let be the standard model of \symboldPA, with zero, successor, addition, and multiplication as functions.

\symsmallcapsTheorem 6

The interpretation is semantically sound and complete: for every closed formula  of \symboldPA, is true in iff is true for all -structures.


Proof. Consider the following fixed interpretation of the natural numbers as -structures. Let be an atom (to interpret 0), and an injective unary partial-function . That is, and form a copy of  in . Define the \symitaliccanonical interpretation of to be the -structure where is truncated to its first steps. Thus every