**LICENCE:**
This tutorial contains adaptations of material from [Programming Language Foundations in Agda](https://plfa.github.io/) by Phil Wadler and Wen Kokke. It is licensed under Creative Commons Attribution 4.0 International.

# Curry-Howard isomorphism

\begin{align*}
    &\textrm{Logic} && &&\textrm{Computer science}\\
    \hline
    &\textrm{Theorems} &\leftrightarrow &&&
        \textrm{Types} && A \\
    &\textrm{Proofs} &\leftrightarrow &&&
        \textrm{Programs (terms)}
            && a \\
    &\textrm{Proof simplification} &\leftrightarrow &&&
        \textrm{Program execution}
            && \textrm{run } a \\
    \hline
    &\textrm{Proof development} &\leftrightarrow &&&
        \textrm{Programming}
            && \textrm{write } a \\
    &\textrm{Proof checking} &\leftrightarrow &&&
        \textrm{Type checking}
            && \textrm{given } a \textrm{ and } A, \textrm{ does } a : A?\\
    &\textrm{Validity (mathematics)} &\leftrightarrow &&&
        \textrm{Inhabitation problem}
            && \textrm{given } A, \textrm{ is there some $a : A$?}
\end{align*}

**SYNTAX:**
You can enter `→` by writing `->` and pressing TAB; pressing TAB again goes back to `->`. Similar useful combinations are:

| base form | alternate form |
|:---------:|:--------------:|
| ->  | → |
| \   | λ |
| neg | ¬ |
| top | ⊤ |
| bot | ⊥ |
| /\  | ∧ |
| \\/ | ∨ |
| <   | ⟨ |
| >   | ⟩ |
| N   | ℕ |
| Pi  | Π |
| Sigma | Σ |
| forall | ∀ |
| exists | ∃ |

<!---

**PRO TRICKS:**
- You can ask Agda to provide the type of a closed expression. Just put the cursor nearby an expression and press SHIFT+TAB.
- You can ask Agda to compute the normal form of an expression enclosed in parantheses, such as `(λ x → x)` (already in normal form).

-->

# Natural numbers `ℕ` and inductive definitions

We now explore *inductive types* such as the natural numbers,
which have an infinite number of inhabitants. Functions on inductive types such as `_+_` and `fib` are defined recursively. In Agda, we can write only total functions (though not all of them). This is achieved by imposing severe restrictions on the format of recursive definitions, e.g., by requiring that some argument is strictly decreasing in every recursive call.

In [6]:
module code.nat where

data ℕ : Set where
  zero : ℕ
  suc : ℕ → ℕ

-- with the following directive we can use standard numerals 0, 1, ..., as abbreviations for zero, suc zero, ...
{-# BUILTIN NATURAL ℕ #-}

infixl 5 _+_
infixl 6 _*_ -- higher priority than _+_

-- left associative means that "a + b + c" is parsed as "(a + b) + c"

-- recursive functions on an inductive type
_+_ _*_ : ℕ → ℕ → ℕ -- declaration, definitions below

zero + m = m
(suc n) + m = suc (n + m)

zero * _  =  zero
suc m * n  =  n + (m * n)

-- we can ask Agda to compute answers (normalisation) by hitting SHIFT+TAB (twice for better visualisation)
fiftyfive : ℕ
fiftyfive = 11 * 5

OK

# Equality
Before proving interesting properties of natural numbers,
we need to be able to state (and prove) that two terms, such as `5 + 3` and `2 * 2 * 2`, have the same normal form.
This is achieved by *types* of the form `x ≡ y`,
where `x y : A` are *values* of (some) type `A`.
We are allowing types to be indexed by values, thus `x ≡ y` is a dependent type.
The type `x ≡ y` is inhabited precisely when `x` and `y` evaluate to the same normal form (say `a`),
and the unique inhabitant thereof is the constructor `refl : a ≡ a`.

We note that `_≡_` is not a primitive in Agda, but it is defined as part of the standard library.
We will not dwell into the details of how `_≡_` is defined, but rather focus on how to use it by means of examples.

In [7]:
module code.eq where

import Relation.Binary.PropositionalEquality as Eq
open Eq using (_≡_; refl; trans; sym; cong; cong-app; subst) public
open Eq.≡-Reasoning using (begin_; _≡⟨⟩_; _≡⟨_⟩_; _∎) public

open import code.nat

-- Agda establishes that `refl : 8 ≡ 8` by normalising the two arguments of `_≡_`;
-- this is one reason why it is fundamental that evaluation always terminates
_ : 5 + 3 ≡ 2 * 2 * 2
_ = refl

-- the following example shows that also terms with free variables are normalised:
-- `0 + m` and `m` evaluate (i.e., normalise) to the same normal form (namely, "m")
_ : {m : ℕ} → 0 + m ≡ m
_ = refl

-- normalisation works also inside contexts:
-- since `0 + m` normalises to `m`, `(0 + m) * n` normalises to `m * n`
_ : {m n : ℕ} → (0 + m) * n ≡ m * n
_ = refl

OK

**Exercise (Hello World!).** Define the Fibonacci function `fib` and prove that `fib 26 ≡ 121393`, where
\begin{align*}
    \mathsf{fib}(0) &= 0, \\
    \mathsf{fib}(1) &= 1, \\
    \mathsf{fib}(n) &= \mathsf{fib}(n-1) + \mathsf{fib}(n-2).
\end{align*}
Notice that we didn't define a subtraction operation on natural numbers.

*Hint:* Use pattern matching on the input variable.

In [8]:
module code.fib where
open import code.nat
open import code.eq

fib : ℕ → ℕ
fib = ?

?0 : ℕ → ℕ


In [9]:
module code.fib where
open import code.nat
open import code.eq

-- the hello world of functional programming
fib : ℕ → ℕ
fib 0 = 0
fib 1 = 1
fib (suc (suc n)) = fib (suc n) + fib n

_ : fib 26 ≡ 121393
_ = refl

OK

# Inductive proofs

We have seen how the set of natural numbers can be defined inductively,
and we have also seen how some identities on natural numbers such as `0 + m ≡ m`
can be proved by `refl : m ≡ m` because `0 + m` normalises to `m`.

Consider now the similarly looking property
```agda
m+0≡m : (m : ℕ) → m + 0 ≡ m
```
(Notice that `m+0≡m` is a valid identifier, and it is the name of our theorem.)
Now `refl` won't cut it, because`m + 0` is already in normal form and syntactically different from `m`.
In order to prove `m+0≡m` we need induction.

In Agda, a proof by induction is a recursive program
which transforms a proof for case $n$ into a proof for case $n+1$. 

The function `_+_` has two parameters, so we need to choose which one to do induction on.
Since `_+_` is defined by recursion on its first argument,
it is good heuristics to do induction on the first argument.

We now proceed with the proof, i.e., with the recursive definition of `m+0≡m`.
In the base case, we have `m = 0` and thus we need to prove `0 + 0 ≡ 0`,
which follows from reflexivity:
```agda
m+0≡m 0 = refl
```
In the inductive step, we need to prove `suc m + 0 ≡ suc m` (by defining `m+0≡m (suc m) : suc m + 0 ≡ suc m`)
under the assumption that `m + 0 ≡ m` holds (as witnessed by `m+0≡m m : m + 0 ≡ m`).
The term `suc m + 0` rewrites to `suc (m + 0)`, according to the definition of `_+_`.
Thus, it suffices to show `suc (m + 0) ≡ suc m`.
By inductive assumption, `m + 0 ≡ m` holds, and it suffices to lift the equivalence to the context `suc (...)`.
This is what the program `cong` (for *congruence*) does:
```agda
m+0≡m (suc m) = cong suc (m+0≡m m)
```

In [10]:
module code.nat.ind0 where
open import code.nat
open import code.eq

m+0≡m : (m : ℕ) → m + 0 ≡ m
m+0≡m 0 = refl
m+0≡m (suc m) = cong suc (m+0≡m m)

OK

## Symmetry
We now have our first proof by induction `m+0≡m : (m : ℕ) → m + 0 ≡ m`.
Suppose we now want to prove the symmetric statement, i.e., 
```agda
m≡m+0 : (m : ℕ) → m ≡ m + 0
```
One way would be to reason by induction on `m`, and essentially repeate the proof for `m+0≡m`.
A better way is to use the principle *symmetry* applied to the previous `m+0≡m`,
which is what the expression `sym : ... → x ≡ y → y ≡ x` does below.

In [11]:
module code.eq.sym where
open import code.nat public
open import code.eq public 
open import code.nat.ind0 public

m≡m+0 : (m : ℕ) → m ≡ m + 0
m≡m+0 m = sym (m+0≡m m)

OK

## Equality chains
We can make proofs using chains of equalities more readable by using some syntactic sugaring.
This also helps documenting the proof, i.e., showing what is the *intention* behind the code.
In order to illustrate the use of equality chains, we repeat the proofs above in this new style.
Additionally, we also prove associativity of addition.

In [12]:
module code.nat.assoc where
open import code.nat public
open import code.eq public

m+0≡m : (m : ℕ) → m + 0 ≡ m
m+0≡m 0 = refl
m+0≡m (suc m) =
    suc m + 0 ≡⟨⟩ -- by the definition of _+_
    suc (m + 0) ≡⟨ cong suc (m+0≡m m) ⟩ -- inductive hypothesis
    suc m ∎
  
m≡m+0 : (m : ℕ) → m ≡ m + 0
m≡m+0 m =
    m ≡⟨ sym (m+0≡m m) ⟩
    m + 0 ∎
    
-- let's prove that addition is associative
+-assoc : (m n l : ℕ) → m + (n + l) ≡ m + n + l
+-assoc 0 n l =
    0 + (n + l)
    ≡⟨⟩ n + l
    ≡⟨⟩ (0 + n) + l ∎
+-assoc (suc m) n l =  
    suc m + (n + l) ≡⟨⟩
    suc (m + (n + l)) ≡⟨ cong suc (+-assoc m n l) ⟩ -- inductive hypothesis
    suc ((m + n) + l) ≡⟨⟩
    suc (m + n) + l ≡⟨⟩
    (suc m + n) + l ∎

OK

**Exercise.** In this exercise we prove that addition is commutative. We proceed in two steps.

1. Prove the following auxiliary fact about `_+_` and `suc`:
```agda
suc-lemma : (m n : ℕ) → suc (m + n) ≡ m + suc n
```
*Hint:* Use chains of equations to keep track of normal forms.

2. Prove that addition is commutative:
```agda
+-comm : (m n : ℕ) → m + n ≡ n + m
```
*Hint:* Use `m≡m+0` from above, and `suc-lemma`.

*General hint:* When there are several variables to do induction on, a good heuristics is to do induction on the variable(s) that appear as recursive arguments. For instance, if we have an expression `x + y`, it is probably more covenient to reason by induction on `x`, since `_+_` is defined by induction on its first argument.

# Relations
We explore how inductive definitions can be used to define some common unary and binary relations on the natural numbers.

## Order

In the same way as we define the natural number inductively,
we can also define relations on the natural numbers inductively.
For instance, we can define the total order relation between natural numbers `m ≤ n`,
which is inhabited precisely when `m` is less or equaly than `n` in the natural order:

```agda
data _≤_ : ℕ → ℕ → Set where
  0≤n : {n : ℕ} → 0 ≤ n
  s≤s : {m n : ℕ} → m ≤ n → suc m ≤ suc n
```

In the first case, we say that `0 ≤ n` always holds,
as witnessed by the (base) constructor `0≤n`.
In the second case, if `m ≤ n` holds (as witnessed by some `m≤n : m ≤ n`),
then `suc m ≤ suc n` also holds.
The witness of the later fact is given by the second (inductive) constructor `s≤s m≤n : suc m ≤ suc n`
applied to `m≤n`.

The type `m ≤ n` is called an *indexed type*
since it depends on the indices `m` and `n`,
which vary in the definition of `_≤_`.

In [15]:
module code.nat.leq where
open import code.eq public
open import code.nat public

infix 4 _≤_

-- indexed inductive type
data _≤_ : ℕ → ℕ → Set where
  0≤n : {n : ℕ} → 0 ≤ n
  s≤s : {m n : ℕ} → m ≤ n → suc m ≤ suc n

-- some examples
_ : 1 ≤ 100
_ = s≤s {0} {99} (0≤n {99}) -- could omit the implicit arguments

_ : 4 ≤ 1000
_ = s≤s (s≤s (s≤s (s≤s 0≤n)))

OK

## Properties of relations
We formalise and prove that `_≤_` satisfies some common relational properties.

### Reflexivity
We begin by giving an example proof that `_≤_` is *reflexive*, in the sense that
```agda
≤-refl : {n : ℕ} → n ≤ n
```
(We leave the parameter implicit because 1) Agda can infer it most of the times,
and 2) it will make the following code more readable.)
The proof that `_≤_` is reflexive is by induction:
```agda
≤-refl {0}     = 0≤n
≤-refl {suc n} = s≤s (≤-refl {n})
```
In the base case, we just use the fact that `0≤n {0} : 0 ≤ 0`.
In the inductive case, the inductive hypothesis `≤-refl {n} : n ≤ n` is a proof that `n ≤ n` holds,
and thus `s≤s (≤-refl {n}) : suc n ≤ suc n`, as required.

### Transitivity

We show that `_≤_` is *transitive*, in the sense that
```agda
≤-trans : {m n p : ℕ} → m ≤ n → n ≤ p → m ≤ p
```
While the previous proof was by induction on the natural number argument `{n : ℕ}`,
for transitivity we do induction on the *evidence* that `m ≤ n` holds.
```agda
≤-trans 0≤n _               = 0≤n
≤-trans (s≤s m≤n) (s≤s n≤p) = s≤s (≤-trans m≤n n≤p)
```
In the base case, the first (non-implicit) argument is `0≤n : 0 ≤ n`, from which we can deduce `m ≡ 0`,
and consequently `0≤n : 0 ≤ p` is the term we are after; notice that the two occurrences of `0≤n` have different types (implicit parameters hide this information).
In the inductive case, the first argument is `s≤s m≤n : suc m ≤ suc n`
and the second argument is `s≤s n≤p : suc n ≤ suc p`,
where `m≤n : m ≤ n` and `n≤p : n ≤ p`.
By inductive assumption, `≤-trans m≤n n≤p : m ≤ p`,
and thus `s≤s (≤-trans m≤n n≤p) : suc m ≤ suc p`, as required.
Notice that the case
```agda
≤-trans (s≤s m≤n) 0≤n
```
cannot arise: The shape of the first argument `s≤s m≤n` implies that `n` is of the form `suc _`,
and thus it cannot be `0`, as implied by the second argument.
Agda detects that this case cannot occurr
and does not complain that the corresponding definition is missing.

In [16]:
module code.nat.leq.trans where
open import code.nat.leq public

≤-refl : {n : ℕ} → n ≤ n
≤-refl {0} = 0≤n
≤-refl {suc n} = s≤s (≤-refl {n}) -- we could omit {n}, left for clarity here

≤-trans : {m n p : ℕ} → m ≤ n → n ≤ p → m ≤ p
≤-trans 0≤n _               = 0≤n
≤-trans (s≤s m≤n) (s≤s n≤p) = s≤s (≤-trans m≤n n≤p)

OK

**Exercise.** We show that addition by a natural number is an nondecreasing function:
```agda
≤+ : {m n : ℕ} → m ≤ m + n
```
*Hint:* Do induction on the inductive argument of `_+_`.

In [17]:
module code.nat.leq.plus where
open import code.nat.leq

≤+ : {m n : ℕ} → m ≤ m + n
≤+ {m} {n} = ?

?0 : m ≤ m + n


In [18]:
module code.nat.leq.plus where
open import code.nat.leq public

≤+ : {m n : ℕ} → m ≤ m + n
≤+ {zero} {_} = 0≤n
≤+ {suc m} {n} = s≤s (≤+ {m} {n})

OK

### Antisymmetry

We show that `_≤_` is *antisymmetric*, in the sense that
```agda
≤-asym : {m n : ℕ} → m ≤ n → n ≤ m → m ≡ n
```

**Exercise**. Prove that `_≤_` is *anti-symmetric*.

*Hint:* Do induction on `_≤_`.
As in transitivity, in the inductive step not all cases can arise (two out of four).

In [19]:
module code.nat.leq.asym where
open import code.nat.leq

≤-asym : {m n : ℕ} → m ≤ n → n ≤ m → m ≡ n
≤-asym = ?

?0 : m ≤ n → n ≤ m → m ≡ n


# Mutually inductive definitions

**Exercise.** Define the unary relations (predicates) on the natural numbers `Even n` and `Odd n`
by a mutual inductive definition.
This is possible by separating the *declaration* of `Even` and `Odd` from their *definition*, as shown below.

In [21]:
module code.nat.even-odd where
open import code.nat public

data Even : ℕ → Set
data Odd : ℕ → Set

data Even where
    zero : ?
    suc : ?
    
data Odd where
    suc : ?
    
-- note that we are overloading the constructor zero (twice, since also zero : ℕ) and suc (thrice!);
-- this is allowed since the typing context always disambiguates the constructor

?0 : Set
?1 : Set
?2 : Set
_5 : ℕ  [ at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/code/nat/even-odd.agda:8,5-13 ]
_8 : ℕ  [ at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/code/nat/even-odd.agda:9,5-12 ]
_12 : ℕ  [ at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/code/nat/even-odd.agda:12,5-12 ]


# External verification

**Exercise.** Show that
- the sum of two even numbers is an even number,
- the sum of an odd and an even number is an odd number (2 cases), and
- the sum of two odd numbers is an even number.

*Hint:* It's convenient to define four mutually recursive functions.

This is an example of *external verification*, whereby we are proving a property of the sum function `_+_` separately (externally) from its definition.
We will see later on an example of *internal verification*,
whereby the property is hard-wired inside the function.

# Intuitionistic first-order  logic

We show how dependent types can be used to implement universal quantification (dependent function space)
and existential quantification (dependent product),
thus concluding our overview of intuitionistic logic.

## The universal quantifier
In intuitionistic logic a proof of $\forall (a : A) B$ is a function $f$ mapping a proof $a$ of $A$
into a proof $f\; a$ of $B\; a$, where we can see $B$ as a family of types indexed by proofs of $A$.
The universal quantifier is implemented via the *dependent function space*
```agda
Π : (A : Set) → (B : A → Set) → Set
Π A B = (a : A) → B a
```
This generalises implication `A → B`, which corresponds to non-dependent function space.
In this sense, in intuitionistic logic implication is a special case of universal quantification.

Universal quantification also generalises conjunction,
since the type $B_1 \wedge B_2$ is isomorphic to $\Pi\; A\; B$
where $A = \{1, 2\}$ and $B = \{ 1 \mapsto B_1, 2 \mapsto B_2 \}$.
For this reason, sometimes `Π` is called dependent product (hence the notation).

In [25]:
module code.universal where

Π : (A : Set) → (B : A → Set) → Set
Π A B = (a : A) → B a

-- compare with implication:
-- ((a : A) → B a) versus A → B

-- the type of the first argument of Π can be inferred from the second
forAll : {A : Set} → (B : A → Set) → Set
forAll {A} B = Π A B

-- we introduce a convenient syntax reminiscent of universal quantification in logic
∀-syntax = forAll
infix 0 ∀-syntax
syntax ∀-syntax (λ x → B) = ∀[ x ] B

-- dependent apply; corresponds to ∀-elimination
apply : {A : Set} → {B : A → Set} → Π A B → (a : A) → B a
apply f x = f x

OK

We show an application of universal quantification
and prove that every natural number is either even or odd:
```agda
even∨odd : ∀[ n ] Even n ∨ Odd n
```

We now explain how the syntax above works.
The latter expands to 
```agda
even∨odd : forAll (λ n → Even n ∨ Odd n)
```
which in turn is the same as `Π A B`
with `A = ℕ` and `B = λ n → Even n ∨ Odd n`
(we can avoid typing `n` because its occurrence in `Even n` implies `n : ℕ`), i.e.,
```agda
even∨odd : Π ℕ (λ n → Even n ∨ Odd n)
```
By unrolling the definition of `Π A B = (a : A) → B a`,
we finally get
```agda
even∨odd : (n : ℕ) → Even n ∨ Odd n
```
This shows precisely how the universal quantifier is implemented by having `B a` to depend on `(a : A)`.
Thus, while `∀[ n ] Even n ∨ Odd n` is just syntactic sugaring for the more familiar `(n : ℕ) → Even n ∨ Odd n`,
we will use the former when we want to emphasise its logical content,
and the latter when we want to emphasise its computational content.
As a courtesy of the Curry-Howard isomorphism, they correspond to each other.

We now proceed to prove `even∨odd`,
which is another instance of external verification.
The proof is by induction on `n`.
In the base case `n = 0` and we can use the base constructor `zero : Even zero`
(notice how `zero` is overloaded):
```agda
even∨odd zero = left zero
```
In the inductive case, we proceed as follows:
```agda
even∨odd (suc n) with even∨odd n
... | left even = right (suc even)
... | right odd = left (suc odd)
```

### The `with` pattern matching construct

In order to decide whether `suc n` is even or odd,
we recursively call `even∨odd n` and inspect its result:
if it pattern matches with `left even` (where `even : Even n`)
then we return `right (suc even)` (where `suc even : Odd (suc n)`, again `suc` is overloaded),
and symmetrically in the other case.
This is the first time that we see the `with` construct,
which allows us to extend the set of arguments that we can pattern match on.

In [26]:
module code.nat.even-odd-total where
open import code.universal
open import code.nat.even-odd
open import code.or

-- with syntax sugaring
even∨odd : ∀[ n ] Even n ∨ Odd n -- the same as: Π ℕ (λ n → Even n ∨ Odd n)
even∨odd zero = left zero
even∨odd (suc n) with even∨odd n
... | left even = right (suc even)
... | right odd = left (suc odd)

OK

**Exercise.** Show that the order `_≤_` is total, in the sense that
```agda
≤-total : ∀[ m ] ∀[ n ] m ≤ n ∨ n ≤ m
```
*Hint:* Induction on `m`.

In [27]:
module code.universal.example where
open import code.nat.leq
open import code.universal
open import code.or public

≤-total : ∀[ m ] ∀[ n ] m ≤ n ∨ n ≤ m
≤-total = ?

?0 : ∀-syntax (λ m → ∀-syntax (λ n → m ≤ n ∨ n ≤ m))


In [28]:
module code.universal.example where
open import code.nat.leq
open import code.universal
open import code.or public

≤-total : ∀[ m ] ∀[ n ] m ≤ n ∨ n ≤ m
≤-total zero _ = left 0≤n
≤-total _ zero = right 0≤n
≤-total (suc m) (suc n) with ≤-total m n
... | left m≤n = left (s≤s m≤n)
... | right n≤m = right (s≤s n≤m)

OK

### The universal quantifier, ∧, and ∨

**Exercise.**
Which of the following are intuitionistic tautologies?
Which are classic tautologies?
Which are none?
Prove the intuitionistic ones.

1. $\forall a B \wedge C \to (\forall a B) \wedge (\forall a C)$.
2. $(\forall a B) \wedge (\forall a C) \to \forall a B \wedge C$.
3. $\forall a B \vee C \to (\forall a B) \vee (\forall a C)$.
4. $ \forall a B \vee C \to (\forall a B) \vee C$, where $a$ does not occurr in $C$.
5. $(\forall a B) \vee (\forall a C) \to \forall a (B \vee C)$.

*Hint:* If you cannot easily program a solution, then most likely there is no solution.

## The existential quantifier

In intuitionistic logic,
a proof of $\exists (a : A) B$ is a pair $(a, b)$,
where $a$ is a proof of $A$
and $b$ is a proof of $B\; a$.
Like in universal quantification, we can see $B$ as a family of types indexed by proofs of $A$.
The existential quantifier is implemented with the *dependent product*:
```agda
data Σ (A : Set) (B : A → Set) : Set where
    ⟨_,_⟩ : (a : A) → B a → Σ A B
```
Compare this with conjunction, which corresponds to non-dependent product $A \wedge B$:
```agda
data _∧_ (A : Set) (B : Set) : Set where
  ⟨_,_⟩ : A → B → A ∧ B
```
In this sense, in intuitionistic logic existential quantification `Σ` generalises conjunction,
which justifies the name dependent product.
(This can create confusion because `Π` is sometimes called dependent product too,
since also `Π` generalises conjunction.)

Existential quantification also generalises disjunction,
since the type $B_1 \vee B_2$ is isomorphic to $\Sigma\; A\; B$
with $A = \{1, 2\}$ and $B = \{ 1 \mapsto B_1, 2 \mapsto B_2 \}$.
For this reason, `Σ` is sometimes called dependent sum.

In [31]:
module code.existential where
open import code.universal

-- the only exists-introduction rule
data Σ (A : Set) (B : A → Set) : Set where
    ⟨_,_⟩ : (a : A) → B a → Σ A B

-- compare with conjunction:
-- ⟨_,_⟩ : (a : A) → B a → Σ A B versus
-- ⟨_,_⟩ : A → B → A ∧ B

thereExists : ∀ {A : Set} (B : A → Set) → Set
thereExists {A} B = Σ A B

∃-syntax = thereExists
infix 0 ∃-syntax
syntax ∃-syntax (λ x → B) = ∃[ x ] B

-- aka uncurry
∃-elim : {A : Set} {B : A → Set} {C : Set} → ((a : A) → B a → C) → Σ A B → C
∃-elim a→b→c ⟨ a , b ⟩ = a→b→c a b

OK

In [32]:
{-

{-

-- dfst : {A : Set} {B : A → Set} → Σ A B → A
-- dfst ⟨ a , _ ⟩ = a

-- can't type the second projection!
-- dsnd : {A : Set} {B : A → Set} → Σ A B → (a : A) -> B a
-- dsnd ⟨ _ , b ⟩ _ = b

-- solution: records
record Σ (A : Set) (B : A → Set) : Set where
    constructor ⟨_,_⟩
    field
      dfst : A
      dsnd : B dfst

uncurry : {A B C : Set} → (A → B → C) → A ∧ B → C
uncurry f ⟨ a , b ⟩ = f a b
  
-- the corresponding elimination rule is dependent uncurrying,
-- that is, uncurrying generalised to dependent product (and function space)

-}

-}

Error: the first line of the cell should be in the format "module [modulename] where"

### An example

As an application of existential quantification,
we show that `m ≤ n` implies that there is some `p` s.t. `m + p ≡ n`:
```agda
q : ∀[ m ] ∀[ n ] (m ≤ n → ∃[ p ] m + p ≡ n)
```

The proof is by induction on `m` (which is also simultaneously an induction on `m ≤ n`).
In the base case, `m ≡ 0` and we can just take as witness for `p` the value `n`:

```agda
q zero n _ = ⟨ n , refl ⟩
```

In the inductive case, we have

```agda
q (suc m) (suc n) (s≤s m≤n) with q m n m≤n
... | ⟨ p , m+p≡n ⟩ = ⟨ p , cong suc m+p≡n ⟩
```

We recursively call `q m n m≤n` to collect a witness `⟨ p , m+p≡n ⟩ : ∃[ p ] m + p ≡ n`,
where `p : ℕ` and `m+p≡n : m + p ≡ n`.
Then, `⟨ p , cong suc m+p≡n ⟩ : ∃[ p ] suc m + p ≡ suc n`
because `suc m + p` normalises to `suc (m + p)`.

We do not have to worry about the other case `q (suc m) zero (s≤s m≤n)`
because Agda correctly detects that it cannot possibly occurr as witnessed by `s≤s m≤n`.

This is another yet example of external verification.

In [33]:
module code.nat.leq-exists where
open import code.universal
open import code.existential
open import code.eq
open import code.nat.leq

q : ∀[ m ] ∀[ n ] (m ≤ n → ∃[ p ] m + p ≡ n)
q zero n _ = ⟨ n , refl ⟩
q (suc m) (suc n) (s≤s m≤n) with q m n m≤n
... | ⟨ p , m+p≡n ⟩ = ⟨ p , cong suc m+p≡n ⟩

OK

**Exercise.** Show the other direction, namely,
```agda
r : ∀[ m ] ∀[ n ] (∃[ p ] m + p ≡ n → m ≤ n)
```
Proceed by induction on `m`.
In the inductive case, use the fact that `suc` is injective (`suc-injective`) to derive `m + p ≡ n`,
which can be used to call `r` recursively.

In [34]:
module code.nat.leq-exists2 where
open import code.universal
open import code.existential
open import code.eq
open import code.nat.leq

suc-injective : ∀[ m ] ∀[ n ] (suc m ≡ suc n → m ≡ n)
suc-injective m n refl = refl

r : ∀[ m ] ∀[ n ] (∃[ p ] m + p ≡ n → m ≤ n)
r zero _ _ = ?
r (suc m) (suc n) ⟨ p , sucm+p≡sucn ⟩ = ?
    where
        m+p≡n : m + p ≡ n
        m+p≡n = ?
        m≤n : m ≤ n
        m≤n = ?

?0 : zero ≤ a
?1 : m + p ≡ n
?2 : m ≤ n
?3 : suc m ≤ suc n


In [35]:
module code.nat.leq-exists2 where
open import code.universal
open import code.existential
open import code.eq
open import code.nat.leq

suc-injective : ∀[ m ] ∀[ n ] (suc m ≡ suc n → m ≡ n)
suc-injective m n refl = refl

r : ∀[ m ] ∀[ n ] (∃[ p ] m + p ≡ n → m ≤ n)
r zero _ _ = 0≤n
r (suc m) (suc n) ⟨ p , sucm+p≡sucn ⟩ = s≤s m≤n
    where
        m+p≡n : m + p ≡ n
        m+p≡n = suc-injective (m + p) n sucm+p≡sucn
        m≤n : m ≤ n
        m≤n = r m n ⟨ p , m+p≡n ⟩

OK

### The existential quantifier, ∧, and ∨

**Exercise.**
Establish whether the following are intuitionistic tautologies
and prove it in Agda for the positive cases:

1. $\exists a B \vee C \to (\exists a B) \vee (\exists a C)$.
2. $(\exists a B) \vee (\exists a C) \to \exists a B \vee C$.
3. $\exists a B \wedge C \to (\exists a B) \wedge (\exists a C)$.
4. $(\exists a B) \wedge (\exists a C) \to \exists a B \wedge C$.
5. $(\exists a B) \wedge C \to \exists a B \wedge C$, where $a$ does not occurr in $C$.

### Universal quantification, existential quantification, and negation

**Exercise.** Which of the following hold in intuitionistic logic? Prove it.

1. $\exists a \forall b C \to \forall b \exists a C$, where $C$ depends on $a$ and $b$.
2. $\exists a \neg B \to \neg \forall a B$, where $B$ depends on $a$.
3. $\neg \forall a B \to \exists a \neg B$, where $B$ depends on $a$.


# Challenges

In this last part we propose some more advanced exercises.
No additional tools are required, but the solutions are more elaborated.

**Exercise**. In this exercise we prove properties relating addition and multiplication.
1. Prove that right multiplication distributes over addition,
in the sense that
```agda
+*-distr : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
```
2. Prove that multiplication is associative. *Hint: use* `+*-distr`.
3. Prove that multiplication is commutative.
It might be convenient to preliminarily prove the first two properties:
```agda
*-zero : (a : ℕ) → a * 0 ≡ 0
*-suc : (a b : ℕ) → a * suc b ≡ a + a * b
*-comm : (a b : ℕ) → a * b ≡ b * a
```
4. Prove that left multiplication distributes over addition, in the sense that
```agda
*+-distr : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c
```
*Hint: use the previous points*.
5. Using the results above, prove the following
```agda
*+-full : (a b c d : ℕ) → (a + b) * (c + d) ≡ a * c + a * d + b * c + b * d
```
*Advice*: If an induction is required, it's convenient to proceed on the first argument `a : ℕ`.

In [40]:
module code.nat.prop where

open import code.eq
open import code.nat
open import code.nat.assoc
open import code.nat.comm

-- 1.
+*-distr : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
+*-distr = ?

-- 2.
*-assoc : (a b c : ℕ) → a * b * c ≡ a * (b * c)
*-assoc = ?

-- 3.
*-zero : (a : ℕ) → a * 0 ≡ 0
*-zero = ?

*-suc : (a b : ℕ) → a * suc b ≡ a + a * b
*-suc = ?

*-comm : (a b : ℕ) → a * b ≡ b * a
*-comm = ?

-- 4.
*+-distr : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c
*+-distr = ?

?0 : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
?1 : (a b c : ℕ) → a * b * c ≡ a * (b * c)
?2 : (a : ℕ) → a * 0 ≡ 0
?3 : (a b : ℕ) → a * suc b ≡ a + a * b
?4 : (a b : ℕ) → a * b ≡ b * a
?5 : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c


**Exercise.** Show that multiplication by a strictly positive number is an increasing function:

```agda
≤* : {m n : ℕ} → 1 ≤ n → m ≤ m * n
```

We proceed in three steps:

1. Show that `_≤_` is preserved if we replace the r.h.s. modulo `_≡_`:
```agda
≤-≡-right : {m n p : ℕ} → n ≡ p → m ≤ n → m ≤ p
```
*Hint:* Use induction on the evidence that `m ≤ n` holds.

2. Show
```agda
≤+2 : {m n : ℕ} → m ≤ n + m
```
This is very similar to `≤+ : {m n : ℕ} → m ≤ m + n` that we proved in module `code.nat.leq.plus`.
*Hint:* Use `≤+`, `≤-≡-right`, and commutativity of addition `+-comm`.

3. Finally, show `≤*`.
*Hint:* Do induction on the inductive argument of `_*_`.
In the inductive case, apply `≤+2` and transitivity `≤-trans`.

In [42]:
module code.nat.leq.mul where
open import code.nat.leq.plus
open import code.nat.comm

≤-≡-right : {m n p : ℕ} → n ≡ p → m ≤ n → m ≤ p
≤-≡-right refl a≤b = ?

≤+2 : {m n : ℕ} → m ≤ n + m
≤+2 {m} {n} = ?

≤* : {m n : ℕ} → 1 ≤ n → m ≤ m * n
≤* {m} {n} 1≤n = ?

?0 : m ≤ n
?1 : m ≤ n + m
?2 : m ≤ m * n


In [43]:
module code.nat.leq.mul where
open import code.nat.leq.trans
open import code.nat.comm
open import code.nat.leq.plus

≤-≡-right : {a b c : ℕ} → b ≡ c → a ≤ b → a ≤ c
≤-≡-right refl 0≤n = 0≤n
≤-≡-right refl (s≤s p) = s≤s p

≤+2 : {m n : ℕ} → m ≤ n + m
≤+2 {m} {n} = ≤-≡-right (+-comm m n) (≤+ {m} {n})

≤* : {m n : ℕ} → 1 ≤ n → m ≤ m * n
≤* {zero} {_} _ = 0≤n
≤* {suc m} {suc n} 1≤n = s≤s (≤-trans (≤* {m} {suc n} 1≤n) (≤+2 {m * suc n} {n}))

OK

### Even numbers and divisibility

We want to show that even numbers are divisible by two.
In fact, it is easier to provide such a characterisation simultaneously for even and odd numbers:

```agda
p : ∀[ n ] (Even n → ∃[ m ] n ≡ m * 2)
q : ∀[ n ] (Odd n → ∃[ m ] n ≡ 1 + m * 2)
```

The code for `p` goes as follows

```agda
p _ zero = ⟨ zero , refl ⟩
p (suc n) (suc odd) with q n odd
... | ⟨ m , refl ⟩ = ⟨ suc m , refl ⟩
```
In the inductive case, we call recursively `q n odd : ∃[ m ] n ≡ 1 + m * 2`
and we pattern match `⟨ m , refl ⟩` against its result.
Thus, `m : ℕ` and, more importantly, `refl : n ≡ 1 + m * 2`
tells us that `n` is the same as the normal form for `1 + m * 2`,
namely `suc (m * 2)`.
Consequently, `suc n ≡ suc m * 2`,
since `suc m * 2` goes in one step to `2 + m * 2`,
which normalises (in two steps) to `suc (suc (m * 2))`.
Therefore, we return `⟨ suc m , refl ⟩`.

**Exercise.** Complete the code with the definition for `q`.

In [44]:
module code.nat.even-odd-div2 where
open import code.universal
open import code.existential
open import code.eq
open import code.nat
open import code.nat.even-odd

p : ∀[ n ] (Even n → ∃[ m ] n ≡ m * 2)
q : ∀[ n ] (Odd n → ∃[ m ] n ≡ 1 + m * 2)

p _ zero = ⟨ zero , refl ⟩
p (suc n) (suc odd) with q n odd
... | ⟨ m , refl ⟩ = ⟨ suc m , refl ⟩

q = ?

?0 : ∀-syntax (λ n → Odd n → ∃-syntax (λ m → n ≡ 1 + m * 2))
