Formal Proof Systems
You have been writing proofs for years — "assume n is even,
then n = 2k, so…". A
formal proof system takes that informal habit and makes it into a
game with strict rules: a fixed, tiny list of legal moves, and a proof is
nothing but a finite record of those moves. No hand-waving, no "clearly", no appeals to
intuition — every single line must be justified by a rule you could check with a stamp. It is so
mechanical that a computer can verify it, which is exactly what proof assistants like
Coq, Lean and Isabelle do: they check that a
human's chain of moves really is legal, all the way down.
This page teaches one such system — natural deduction — and, above it, the one
idea that gives all formal systems their point: the gap between truth and
derivation. Everything here builds on ordinary
proof by deduction;
we are just making the deduction formal.
Two turnstiles: \models versus \vdash
There are two completely different questions you can ask about "does
P follow from \Gamma?", and formal logic
keeps them apart with two symbols that look alike but mean very different things.
-
\Gamma \models P — semantic entailment. It says:
in every valuation (every "possible world", every truth-table row) that makes all of
\Gamma true, P is true as well. This is
about meaning and truth.
-
\Gamma \vdash P — syntactic derivability. It says:
there exists a formal proof of P from the premises
\Gamma, built entirely by pushing symbols around with the rules of
your chosen system. This is about shape and moves, not
meaning at all.
The \models symbol is read "models" or "entails";
the \vdash symbol (a "turnstile") is read
"proves" or "yields". A machine can check
\vdash by inspecting a proof line by line; checking
\models in general means reasoning about all models. That these two
end up agreeing is the deepest fact in the subject.
For classical propositional logic, the two turnstiles coincide:
-
Soundness: if \Gamma \vdash P then
\Gamma \models P — anything you can prove is actually
true (the rules never lie).
-
Completeness: if \Gamma \models P then
\Gamma \vdash P — anything that is true in all models can
actually be proved (the rules are enough).
-
Together: \Gamma \vdash P \iff \Gamma \models P. Provability and
truth are two faces of one coin.
What a formal proof is
A formal proof of P from premises
\Gamma is a finite sequence (or tree) of formulas
ending in P, in which every formula is either
- a premise from \Gamma, or a temporary
assumption we open (and must later close), or
- an axiom — a formula the system hands you for free, no justification
needed, or
- the result of applying a rule of inference to earlier lines.
The difference between an axiom and a rule matters. An axiom is
a specific formula declared true at the start (for example
P \rightarrow (Q \rightarrow P) in some systems). A rule of inference
is a licence to move: given lines of one shape, you may write down a line of another
shape. "From P \rightarrow Q and P, write
Q" is a rule, not a formula.
Different systems strike the axiom-versus-rule balance differently:
-
A Hilbert system is nearly all axioms and almost no rules — often just a few
axiom schemes plus the single rule modus ponens. Proofs are long, flat lists;
the system is easy to reason about but painful to compute in.
-
Natural deduction (Gentzen, 1934) flips it: almost no axioms, but a rich kit
of introduction and elimination rules — one pair per
connective — plus the ability to make and discharge assumptions. Proofs read
the way people actually argue.
-
The sequent calculus works instead with whole sequents
\Gamma \vdash \Delta and left/right rules; it is the tidiest for
proving things about proofs (cut-elimination, decidability).
We spend the rest of this page in natural deduction.
The introduction and elimination rules
Natural deduction gives each connective an introduction rule (how to
build a formula with that connective) and an elimination rule (how to
use one). Read \dfrac{\text{premises}}{\text{conclusion}} as
"from the premises above the bar, infer the conclusion below it".
Conjunction.
\wedge\text{I}:\ \frac{P \quad Q}{P \wedge Q}
\qquad
\wedge\text{E}:\ \frac{P \wedge Q}{P} \quad \frac{P \wedge Q}{Q}
Implication. Elimination is modus ponens; introduction is a
conditional proof — you assume P, derive
Q, then discharge the assumption to conclude
P \rightarrow Q. The square brackets
[P] mark the assumption as closed.
\rightarrow\!\text{E}:\ \frac{P \rightarrow Q \quad P}{Q}
\qquad
\rightarrow\!\text{I}:\ \frac{\begin{array}{c}[P] \\ \vdots \\ Q\end{array}}{P \rightarrow Q}
Disjunction. Introduction is easy; elimination is
proof by cases — to use P \vee Q, show the goal
R follows from P alone and from
Q alone.
\vee\text{I}:\ \frac{P}{P \vee Q} \quad \frac{Q}{P \vee Q}
\qquad
\vee\text{E}:\ \frac{P \vee Q \quad \begin{array}{c}[P]\\\vdots\\R\end{array} \quad \begin{array}{c}[Q]\\\vdots\\R\end{array}}{R}
Negation and contradiction. Write \bot for
"contradiction" (the absurdity). To introduce a negation, assume
P, reach \bot, and conclude
\neg P. To eliminate, a formula and its negation together
give \bot.
\neg\text{I}:\ \frac{\begin{array}{c}[P]\\\vdots\\\bot\end{array}}{\neg P}
\qquad
\neg\text{E}:\ \frac{P \quad \neg P}{\bot}
\qquad
\text{RAA}:\ \frac{\begin{array}{c}[\neg P]\\\vdots\\\bot\end{array}}{P}
The last, reductio ad absurdum (RAA, or "proof by contradiction"), is the
classical extra: assume the negation of what you want, derive absurdity, and conclude
the thing itself. (Intuitionists accept \negI but not RAA — that one
rule is the whole quarrel between classical and constructive logic.)
Worked example: a full derivation
Let us prove \vdash (P \wedge Q) \rightarrow (Q \wedge P) — commuting a
conjunction — with no premises at all (so it is a theorem). The strategy is set
by the goal: to prove an implication, use \rightarrowI, which tells us
to assume the left side and chase the right side.
- Assume P \wedge Q. (assumption 1)
- Q, by \wedgeE on line 1.
- P, by \wedgeE on line 1.
- Q \wedge P, by \wedgeI on lines 2, 3.
- (P \wedge Q) \rightarrow (Q \wedge P), by
\rightarrowI, discharging assumption 1.
Because line 5 discharges the only assumption, the finished proof depends on nothing:
we have shown \vdash (P \wedge Q) \rightarrow (Q \wedge P). The diagram
below is the same proof drawn as a tree — premises above each bar, conclusions
below — so you can watch it grow move by move.
Another classic: modus tollens
Modus tollens — from P \rightarrow Q and
\neg Q, conclude \neg P — is not a
primitive rule; it is derived. Here is
P \rightarrow Q,\ \neg Q \vdash \neg P:
- P \rightarrow Q (premise)
- \neg Q (premise)
- Assume P. (assumption 1)
- Q, by \rightarrowE on 1, 3.
- \bot, by \negE on 4, 2.
- \neg P, by \negI, discharging
assumption 1.
Notice how the whole argument turns on opening assumption 1 at line 3 and
closing it at line 6. Everything between lives inside that assumption's
scope; once discharged, \neg P rests only on the two
genuine premises.
It looks too cheap to be true, yet \vdash P \rightarrow (Q \rightarrow P)
holds with zero premises. The proof is pure assumption-juggling:
- Assume P. (assumption 1)
- Assume Q. (assumption 2)
- P — we already have it from line 1 (it never went away).
- Q \rightarrow P, by \rightarrowI,
discharging assumption 2.
- P \rightarrow (Q \rightarrow P), by
\rightarrowI, discharging assumption 1.
We never used Q — that is fine. The reading "if
P, then Q-or-not,
P still holds" is exactly what the formula claims. This is why it
serves as an axiom in many Hilbert systems: it is trivially, unfailingly true.
The single most common wreck in a natural-deduction proof is forgetting to discharge an
assumption — or worse, using an assumption outside its scope. If you
open "assume P" and reach your goal but never close that assumption
with a \rightarrowI, \negI or RAA, then your
conclusion still secretly depends on P. You have proved
P \vdash \text{goal}, not \vdash \text{goal}
— a completely different (weaker) claim. A closed assumption box is a promise kept; an unclosed
one is a debt hidden in the conclusion.
Related trap: confusing \vdash with
\models. Writing P \models Q when
you mean "I derived Q using the rules" is not just sloppy notation —
it claims a fact about all models that your line-by-line proof did not, on its own,
establish (it is soundness that lets you bridge them). Keep "I built a proof"
(\vdash) apart from "it is true in every world"
(\models).