# Limits with Signed Digit Streams

We work with the signed digit representation of abstract real numbers, which roughly is the binary representation enriched by the additional digit -1. The main objective of this paper is an algorithm which takes a sequence of signed digit representations of reals and returns the signed digit representation of their limit, if the sequence converges. As a first application we use this algorithm together with Heron's method to build up an algorithm which converts the signed digit representation of a non-negative real number into the signed digit representation of its square root. Instead of writing the algorithms first and proving their correctness afterwards, we work the other way round, in the tradition of program extraction from proofs. In fact we first give constructive proofs, and from these proofs we then compute the extracted terms, which is the desired algorithm. The correctness of the extracted term follows directly by the Soundness Theorem of program extraction. In order to get the extracted term from some proofs which are often quite long, we use the proof assistant Minlog. However, to apply the extracted terms, the programming language Haskell is useful. Therefore after each proof we show a notation of the extracted term, which can be easily rewritten as a definition in Haskell.

## Authors

• 2 publications
• ### First-order natural deduction in Agda

Agda is a dependently-typed functional programming language, based on an...
04/08/2021 ∙ by Louis Warren, et al. ∙ 0

• ### Isabelle's Metalogic: Formalization and Proof Checker

Isabelle is a generic theorem prover with a fragment of higher-order log...
04/25/2021 ∙ by Tobias Nipkow, et al. ∙ 0

• ### Three Proofs that the Square Root of 2 Is Irrational

This short article gives three proofs that √ 2 is irrational. The articl...
01/02/2021 ∙ by Shalin Shah, et al. ∙ 0

• ### Implicit and Explicit Proof Management in KeYmaera X

Hybrid systems theorem proving provides strong correctness guarantees ab...
08/06/2021 ∙ by Stefan Mitsch, et al. ∙ 0

• ### Towards Evolutionary Theorem Proving for Isabelle/HOL

Mechanized theorem proving is becoming the basis of reliable systems pro...
04/17/2019 ∙ by Yutaka Nagashima, et al. ∙ 0

• ### Constructive Domains with Classical Witnesses

We develop a constructive theory of continuous domains from the perspect...
10/11/2019 ∙ by Dirk Pattinson, et al. ∙ 0

• ### Digit Serial Methods with Applications to Division and Square Root (with mechanically checked correctness proofs)

We present a generic digit serial method (DSM) to compute the digits of ...
08/01/2017 ∙ by Warren E. Ferguson Jr, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction and Motivation

There are several ways to define constructive real numbers. One of the best-known methods is to define them as Cauchy sequences of rational numbers with a Cauchy modulus. In our case, rather than we are not interested in a specific definition of real numbers, we are interested in their signed digit representation (SD code). Therefore, every quantifier on reals is non-computational, i.e. we write and . Theses decorations just mean that the bounded variable does not appear in the computational content of the proof. Logically one can ignore the decorations. By and we denote variables of reals. Instead of using the concrete real computationally, we use their signed digit representation in the extracted term.
Attention should be paid to the equality between reals numbers. By equality between two reals we mean the “real equality”, which is an equivalence relation and compatible with the usual operators and relations on the reals. The specific definition of the real equality depends on the definition of the real numbers. Generally, the real equality in not the same as the Leibniz equality. For instance, if one defines real numbers as Cauchy sequences with modulus, the real numbers and are equal w.r.t. the real equality but they are not Leibniz equal.

One of the first paper [13] where signed digits are used to represent real numbers, was published by Edwin Wiedmer in 1980. The SD code of reals is similar to the binary code of reals but in addition to the digits and , the SD code has the digit , which we also denote by . Since every real can be represented as , where is an integer and , we work on the interval .
A real number in has a binary representation if it can be written as

 x=s∞∑i=1ai2−i,

where and for every .
If one reads one by one the binary representation of a concrete real number, in each step the interval in which the real number is located, is halved. Thus from the binary code one can determine the real number arbitrarily exactly.

On the other hand it is not always possible to compute the binary representation of a given real number or even to compute the binary representation of out of the binary representations of and . Hereby “compute” means to get an algorithm which takes the binary streams of and and gives back the digits of the binary stream one by one in finitely many steps for each digit. That is, to compute finitely many binary digits of can only use finitely many binary digits of and . This is not possible due to the “gaps” in the binary representation. They are illustrated in Figure 1 at , , , and so on. Form the first digit (i.e. or ) of a real , one can decide or , with in general can not be done for constructive reals.
The signed digit code fills these gabs. For a real number it is given by

 x=∞∑i=0di2−i,

where for every .

As the illustration in Figure 2 shows, to compute the first signed digit of a real number one has to decide which of the cases , or holds. That this is possible, follows from the Comparability Theorem, which says that for reals , and with one has .
Figure 2 also shows that the SD code of a real number except and is not unique, whereas the binary code is “almost” everywhere unique.
A stream of signed digits is an infinite list of elements in

 Sd:={¯¯¯1,0,1}.

We will not prove something about signed digit streams directly, but we use the coinductively define predicate , which is given in the next section. For a real number a realiser of is a signed digit stream of . With the Soundness Theorem of program extraction proven in [8, 10, 14] the proofs of the corresponding theorems for the signed digit streams are obtained.
The idea to use coinductive algorithms to describe the operators on the reals goes back to Alberto Ciaffaglione and Pietro Di Gianantonio [4]. The idea to use coinductively defined predicates and the Soundness Theorem in this context is due to Ulrich Berger and Monika Seisenberger [2]. The notation and definitions in this paper are taken from Kenji Miyamoto and Helmut Schwichtenberg [7].
For computing the extraced terms and verifying the correctness of the proofs, we have used the proof assistant Minlog [6] in some cases. After each proof we state its computational content not in the notation of Minlog but in the notation of Haskell, since the runtime of the programs in Haskell is shorter, and one can define the terms in a more readable way.

We now proceed as follows:
In Section 2 we give a definition of and state the two axioms and for this predicate. The two lemmas 1 and 2 are often used in the proofs below. The main result of this work is Theorem 1, the Convergence Theorem, at the end of Section 3. An application of this theorem is shown in Section 4. Here we use Heron’s method together with the Convergence Theorem to get a signed digit representation of the square root of a non-negative real number from its signed digit representation. Section 5 is about potential extensions of this work.

## 2 Formalisation

In this section we use the theory of coinductively defined predicates given in [10, 14] to formalise the statement that a real has an SD representation.

###### Definition 1.

We define as the greaterst fixpoint of

 Φ(X):={x∣∣∣∃rd,x′(% Sd d∧Xx′∧|x|≤1∧x=d+x′2)}

Here is the existential quantifier where the quantified variable does not appear in the computational content.

In a short form we have . Therefore a realiser of has the type

 τ(coI)=μτ(X)(τ(Φ(X))→τ(X))=μξ(Sd→ξ→ξ).

Here we have identified with Sd itself. We define and with C we denote the only constructor of Str. Then in Haskell notation Str is given by

 Str::=C Sd Str.

In this notation one easily sees that an element can be interpreted as an SD code with the first digit and tail . Sometimes we abbreviate by only writing .
From the definition of as greatest fixpoint of we get two axioms for .

 coI−: coI⊆Φ(coI) coI+: X⊆Φ(coI∪X)→X⊆coI

where is an unary predicate variable. The first axiom says that is a fixpoint of and for obvious reasons it is called the elimination rule. Expressed in elementary formulas it is given by

 coI−: ∀ncx.coIx→∃rd,x′(Sd d∧co%Ix′∧|x|≤1∧x=d+x′2).

The type of this axiom is and a realiser of it is given by the destructor with computation rule

 D :str→Sd×Str, D(Cdv) :=⟨d,v⟩.

The destructor takes a stream and returns a pair consisting of its first digit and its tail. With the projectors and one gets the first digit and the tail, respectively.
The second axiom is called the introduction axiom of and says that is the greatest fixpoint in the a strong sense. We use the following long version:

 coI+: ∀ncx. Xx→ ∀ncx(Xx→∃rd,x′(Sd d∧(coI∪X)x′∧|x|≤1∧x=d+x′2)) →coIx

The type of this axiom depends on the type of the predicate variable :

 τ(coI+)=τ(X)→(τ(X)→Sd×(Str+τ(X)))→Str

A realiser of is the corecursion operator . It is given by the computation rule

 coR :τ(X)→(τ(X)→Sd×(Str+τ(X)))→Str, coRtf :=C(π0(ft))[id,λt′coRt′f]π1(ft),

where for . Here and are the two constructors of the type sum . If has the form , the corecursion stops and we have as signed digit representation. If it has the form , the corecursion goes further with the new argument . In both cases we have obtained at least the first digit of the stream. With iteration of the corecursion, if necessary, we generate each digit of the stream one by one.
Now we prove two lemmas, which are often used in our proofs:

###### Lemma 1.

The predicate is compatible with the real equality, i.e.

 ∀ncx,y.coIx→x=y→coIy.
###### Proof.

We apply to the predicate :

 ∀ncx. ∃ry(coIy∧x=y)→ ∀ncx(Px→∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2)) →coIx

As one sees, it is sufficient to prove the second premise. Therefore we show

 ∀ncx(∃ry(coIy∧x=y)→∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2)).

Let , with and be given. From we get and with and . We now define and and our goal follows directly because of . ∎

In the following proofs this theorem is used tacitly. If one have a model of reals in which the real equality is the same as the Leibniz equality, one do not need this theorem. The extracted term of it is given by

 λu.coRu(λv⟨π0(Dv),in0(π1(Dv))⟩).

For stream of the form this term is the identity function. Since we always deal only with such streams, we drop this term hereafter.

###### Lemma 2.
 ∀ncx,d.Sd d→coIx→coId+x2
###### Proof.

We apply to the predicate

 Px:=∃rd,x′(Sd d∧coIx′∧x=d+x′2).

 ∀ncx. ∃rd,x′(Sd d∧coIx′∧x=d+x′2)→ ∀ncx(Px→∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2)) →coIx.

In order to prove the goal formula, it is sufficient to prove the second premise. Therefore the new goal formula is

 ∀ncx. ∃rd,x′(Sd d∧coIx′∧x=d+x′2)→ ∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2).

This is almost a tautology. The only part one has to consider is . From and we get and therefore . ∎

Formally the extracted term of this proof is given by

 λdλu.coRuλv⟨d,in0v⟩.

If we use the computation rule of once, we get , which is identified with C itself. Therefore the constructor C is actually the computational content of this lemma.

## 3 Convergence Theorem

The aim of this chapter is to prove the convergence theorem in the SD code. It says that the limit of each convergent sequence in is also in . As extracted term we expect a function which takes a sequence of signed digit streams (i.e. a term of type ) and its modulus of convergence and returns a signed digit stream.
We do the proof step by step and therefore we first prove a few lemmas:

###### Lemma 3.
 ∀ncx.coIx→x≤0→coI(x+1) ∀ncx.coIx→0≤x→coI(x−1)
###### Proof.

Since both formulas are shown analogously we only show the first formula. Therefore we use the introduction axiom of , which is given by

 ∀ncx. Px→ ∀ncx(Px→∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2)) →coIx.

For we insert . Hence it is sufficient to prove the second premise. Let , , , and be given. Our goal is

 ∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2).

From we get and with , , and . Independent on and we always get out of , and . In order to prove the remaining part of the formula, we do case distinction on :
If , we define and . Here and follow directly and we also have

 x=y+1=−1+y′2+1=1+y′2=d+x′2.

If , we define and . We directly have . In this case we prove . Hence we show , and . and are already given and follows directly from and .
The last case is . Because of , and it is only possible that is equal to and therefore . Hence we define and . Then and are obviously true and is true because has the SD representation . ∎

A realiser of the first formula in this lemma is a function f, which takes a signed digit stream of a real number and returns a signed digit stream of if .
Using the formal definition of the extracted term we get for f the term

 f=λu.coRu(λv.[⟨1,in0(π1(Dv))⟩,⟨1,in1(π1(Dv))⟩,⟨1,in0→1⟩]π0(Dv)),

where for and is the infinite list with each entry equal to . Another way to characterise this function f is to give its computation rules:

 f(C¯¯¯1v) :=C1v f(C0v) :=C1(fv) f(C1v) :=[1,1,…]

Analogously as extracted term of the second statement of this lemma, we get a function which is characterised by the rules

 g(C¯¯¯1v) :=[¯¯¯1,¯¯¯1,…] g(C0v) :=C¯¯¯1(gv) g(C1v) :=C¯¯¯1v.

It takes a signed digit stream of a real and returns a signed digit stream of if .
With this lemma we can now prove the following lemma easily:

###### Lemma 4.
 ∀ncx.coIx→|x|≤12→coI(2x)
###### Proof.

From we get , with , , and . Case distinction on gives three cases:
: Here and with it follows . Therefore the first formula of Lemma 3 gives .
: The proof in this case is done analogously but we need the second statement of Lemma 3.

If we keep the definition of the functions f and g form the computational context of the privios lemma, the computational content of this lemma is given by

 D=λu.[g(π1(Du)),π1(Du),f(π1(Du))]π0(Du).

Again we give a more readable characterisation of D by the computation rules

 D(C¯¯¯1u) :=gu D(C0u) :=u D(C1u) :=fu.
###### Lemma 5.
 ∀ncx.coIx→coI% (x2±14)
###### Proof.

gives and with . We show only because the proof of is done analogously. Case distinction on leads to the following three cases:
gives ,
gives and
gives .
In each case we get by using Lemma 2 twice. ∎

We denote the extracted term of the proven statement by . From the proof and the fact, that the extracted term of Lemma 2 is given by C, one easily sees that has the following computation rules:

 q+(¯¯¯1u) :=00u q+(0u) :=01u q+(1u) :=10u

Analogously, the computational content of the statement is characterised by

 q−(¯¯¯1u) :=¯¯¯10u q−(0u) :=0¯¯¯1u q−(1u) :=00u.

Before we prove the Convergence Theorem, we have to give a definition of convergence. In this definition the witness of convergence is included:

###### Definition 2.

Let a real , a sequence of reals and a modulus be given. We say convergences to with modulus if

 ∀p∀n≥M(p)|f(n)−x|≤2−p.
###### Theorem 1.

Let be a sequence of reals in which converges to a real with a modulus , then also is in .
Expressed in a formula:

 ∀ncx∀ncf∀M.∀ncoIf(n)∧∀p∀n≥M(p)|f(n)−x|≤2−p→coIx
###### Proof.

We show the equivalent formula

 ∀ncx.∃rf∃dM(∀ncoIf(n)∧∀p∀n≥M(p)|f(n)−x|≤2−p)→coIx.

The existence quantifier is an inductively defined predicate and given by . This means that in contrast to the quantified variable is also part of the computational content.
To prove this formula we apply to the predicate

 Px:=∃rf∃dM(∀ncoIf(n)∧∀p∀n≥M(p)|f(n)−x|≤2−p)

and show the second premise, which is given by

 ∀ncx. ∃rf∃dM(∀ncoIf(n)∧∀p∀n≥M(p)|f(n)−x|≤2−p)→ ∃rd,x′(Sd d∧(coI∪P)x′∧|x|≤1∧x=d+x′2).

Let , , , and be given. We show

 ∃rd,x′. Sd d∧∃rg∃dN(∀ncoIg(n)∧∀p∀n≥N(p)|g(n)−x′|≤2−p)∧ |x|≤1∧x=d+x′2.

Regardless of the choice of and we get from and with it follows . Therefore in each case we consider as proven.
Specializing to leads to and triple application of gives and such that or in short notation

 f(M(4))=d1d2d3y′.

Now we do case distinction on this representation of .
If has one of the forms , , , or , it follows that . In this case we choose

 d:=1 and x′:=2x−1,

then and follow directly. Furthermore we define

 g(n):=2f(M(4)∨n)−1

for all , where , and

 N(p):=M(p+1)

for all . The formular is a direct consequence of and it remains to show . We calculate

 g(n)=2f(M(4)∨n)−1=4(f(M(4)∨n)2−14).

Lemma 5 gives . Futhermore we have and therefore

 f(M(4)∨n) =(f(M(4)∨n)−x)+(x−f(M(4)))+f(M(4)) ≥−116−116+18=0.

Thus implies and Lemma 4 applied twice gives .
If has one of the forms , , , or , it follows . Here we define

 d:=−1,x′:=2x+1,g:=λn(2f(M(4)∨n)+1) and N:=λpM(p+1).

The proof in this case is analogous to the proof of the first case.
It remains to consider the case that has one of the forms , , , or . Here we have and we define

 d:=0 and x′:=2x.

The formulars and are obvious. In order to prove

 ∃rg∃dN(∀ncoIg(n)∧∀p∀n≥N(p)|g(n)−x′|≤2−p),

we define

 g:=λn2f(M(4)∨n) and N:=λpM(p+1).

The second part of the conjunction follows from , which is given. And because of

 |f(M(4)∨n)| ≤|f(M(4)∨n)−x|+|x−f(M(4))|+|f(M(4))| ≤116+116+14≤12

for every , we have by Lemma 4. ∎

We denote the extracted term by Lim. It has the type

 Lim:(Z+→N)→(N→Str)→Str.

It takes the modulus of convergence and the sequence of streams and returns the stream of the limit value. In order to give an at most readable characterisation of Lim, we define the following sets:

 R :={11v,10v,1¯¯¯11v,1¯¯¯10v,011v,010v|v∈%Str} M :={00v,¯¯¯111v,1¯¯¯¯¯¯11v,01¯¯¯1v,0¯¯¯11v|v∈Str} L :={¯¯¯¯¯¯11v,¯¯¯10v,¯¯¯11¯¯¯1v,¯¯¯110v,0¯¯¯¯¯¯11v,0¯¯¯10v|v∈Str}

These three sets correspond to the three cases in the proof and therefore we have the following rule for Lim:

 Lim M F:=⎧⎪⎨⎪⎩1 (Lim λpM(p+1) λn(DDq−F(M(4)∨n)))if F(M(4))∈R% 0 (Lim λpM(p+1) λn(DF(M(4)∨n)))if F(M(4))∈M¯¯¯1 (Lim λpM(p+1) λn(DDq+F(M(4)∨n)))if F(M(4))∈L

Because of readability, we have omitted some brackets, for example shall be read as . The functions D, and are the computational content of the lemmas above and, as in the proof, between natural numbers means their maximum.
One note that the definition of the new sequence is not unique. For reasons of efficiency one should be flexible with the choice of the new sequence, which is called in the proof above. For example by choosing one can replace by . The efficiency depends on the concrete sequence. In the next section we define the Heron sequence and apply it to Lim. In this case the definition with is most efficient.
Since the definition of this function is not so easy, we give an example for an implementation as a Haskell program. First the sets R and L are realised as Boolean functions:

rAux :: Str -> Bool
rAux (SdR :~: SdR :~: v) = True
rAux (SdR :~: SdM :~: v) = True
rAux (SdR :~: SdL :~: SdR :~: v) = True
rAux (SdR :~: SdL :~: SdM :~: v) = True
rAux (SdM :~: SdR :~: SdR :~: v) = True
rAux (SdM :~: SdR :~: SdM :~: v) = True
rAux v = False

lAux :: Str -> Bool
lAux (SdL :~: SdL :~: v) = True
lAux (SdL :~: SdM :~: v) = True
lAux (SdL :~: SdR :~: SdL :~: v) = True
lAux (SdL :~: SdR :~: SdM :~: v) = True
lAux (SdM :~: SdL :~: SdL :~: v) = True
lAux (SdM :~: SdL :~: SdM :~: v) = True
lAux v = False


Then one can define cCoILim by case distinction:

cCoILim :: (Int -> Int) -> (Int -> Str) -> Str
cCoILim m f
| rAux (f (m 4)) = SdR :~: (cCoILim n (funcR m f))
| lAux (f (m 4)) = SdL :~: (cCoILim n (funcL m f))
| otherwise      = SdM :~: (cCoILim n (funcM m f))
where n = \p -> (m (p+1))


In this implementation the constructor C is denoted by :~: and written as an infix. The tree elements in Sd are given by SdR, SdM and SdL and shall be interpreted by , and , respectively.

## 4 Square Root

###### Definition 3.

We define by the computation rules

 H(x,0) :=1 H(x,n+1) :=