Formal Proof Systems

You have been writing proofs for years — "assume n is even, then n = 2k, so…". A formal proof system takes that informal habit and makes it into a game with strict rules: a fixed, tiny list of legal moves, and a proof is nothing but a finite record of those moves. No hand-waving, no "clearly", no appeals to intuition — every single line must be justified by a rule you could check with a stamp. It is so mechanical that a computer can verify it, which is exactly what proof assistants like Coq, Lean and Isabelle do: they check that a human's chain of moves really is legal, all the way down.

This page teaches one such system — natural deduction — and, above it, the one idea that gives all formal systems their point: the gap between truth and derivation. Everything here builds on ordinary proof by deduction; we are just making the deduction formal.

Two turnstiles: \models versus \vdash

There are two completely different questions you can ask about "does P follow from \Gamma?", and formal logic keeps them apart with two symbols that look alike but mean very different things.

The \models symbol is read "models" or "entails"; the \vdash symbol (a "turnstile") is read "proves" or "yields". A machine can check \vdash by inspecting a proof line by line; checking \models in general means reasoning about all models. That these two end up agreeing is the deepest fact in the subject.

For classical propositional logic, the two turnstiles coincide:

What a formal proof is

A formal proof of P from premises \Gamma is a finite sequence (or tree) of formulas ending in P, in which every formula is either

The difference between an axiom and a rule matters. An axiom is a specific formula declared true at the start (for example P \rightarrow (Q \rightarrow P) in some systems). A rule of inference is a licence to move: given lines of one shape, you may write down a line of another shape. "From P \rightarrow Q and P, write Q" is a rule, not a formula.

Different systems strike the axiom-versus-rule balance differently:

We spend the rest of this page in natural deduction.

The introduction and elimination rules

Natural deduction gives each connective an introduction rule (how to build a formula with that connective) and an elimination rule (how to use one). Read \dfrac{\text{premises}}{\text{conclusion}} as "from the premises above the bar, infer the conclusion below it".

Conjunction.

\wedge\text{I}:\ \frac{P \quad Q}{P \wedge Q} \qquad \wedge\text{E}:\ \frac{P \wedge Q}{P} \quad \frac{P \wedge Q}{Q}

Implication. Elimination is modus ponens; introduction is a conditional proof — you assume P, derive Q, then discharge the assumption to conclude P \rightarrow Q. The square brackets [P] mark the assumption as closed.

\rightarrow\!\text{E}:\ \frac{P \rightarrow Q \quad P}{Q} \qquad \rightarrow\!\text{I}:\ \frac{\begin{array}{c}[P] \\ \vdots \\ Q\end{array}}{P \rightarrow Q}

Disjunction. Introduction is easy; elimination is proof by cases — to use P \vee Q, show the goal R follows from P alone and from Q alone.

\vee\text{I}:\ \frac{P}{P \vee Q} \quad \frac{Q}{P \vee Q} \qquad \vee\text{E}:\ \frac{P \vee Q \quad \begin{array}{c}[P]\\\vdots\\R\end{array} \quad \begin{array}{c}[Q]\\\vdots\\R\end{array}}{R}

Negation and contradiction. Write \bot for "contradiction" (the absurdity). To introduce a negation, assume P, reach \bot, and conclude \neg P. To eliminate, a formula and its negation together give \bot.

\neg\text{I}:\ \frac{\begin{array}{c}[P]\\\vdots\\\bot\end{array}}{\neg P} \qquad \neg\text{E}:\ \frac{P \quad \neg P}{\bot} \qquad \text{RAA}:\ \frac{\begin{array}{c}[\neg P]\\\vdots\\\bot\end{array}}{P}

The last, reductio ad absurdum (RAA, or "proof by contradiction"), is the classical extra: assume the negation of what you want, derive absurdity, and conclude the thing itself. (Intuitionists accept \negI but not RAA — that one rule is the whole quarrel between classical and constructive logic.)

Worked example: a full derivation

Let us prove \vdash (P \wedge Q) \rightarrow (Q \wedge P) — commuting a conjunction — with no premises at all (so it is a theorem). The strategy is set by the goal: to prove an implication, use \rightarrowI, which tells us to assume the left side and chase the right side.

  1. Assume P \wedge Q. (assumption 1)
  2. Q, by \wedgeE on line 1.
  3. P, by \wedgeE on line 1.
  4. Q \wedge P, by \wedgeI on lines 2, 3.
  5. (P \wedge Q) \rightarrow (Q \wedge P), by \rightarrowI, discharging assumption 1.

Because line 5 discharges the only assumption, the finished proof depends on nothing: we have shown \vdash (P \wedge Q) \rightarrow (Q \wedge P). The diagram below is the same proof drawn as a tree — premises above each bar, conclusions below — so you can watch it grow move by move.

Another classic: modus tollens

Modus tollens — from P \rightarrow Q and \neg Q, conclude \neg P — is not a primitive rule; it is derived. Here is P \rightarrow Q,\ \neg Q \vdash \neg P:

  1. P \rightarrow Q (premise)
  2. \neg Q (premise)
  3. Assume P. (assumption 1)
  4. Q, by \rightarrowE on 1, 3.
  5. \bot, by \negE on 4, 2.
  6. \neg P, by \negI, discharging assumption 1.

Notice how the whole argument turns on opening assumption 1 at line 3 and closing it at line 6. Everything between lives inside that assumption's scope; once discharged, \neg P rests only on the two genuine premises.

It looks too cheap to be true, yet \vdash P \rightarrow (Q \rightarrow P) holds with zero premises. The proof is pure assumption-juggling:

  1. Assume P. (assumption 1)
  2. Assume Q. (assumption 2)
  3. P — we already have it from line 1 (it never went away).
  4. Q \rightarrow P, by \rightarrowI, discharging assumption 2.
  5. P \rightarrow (Q \rightarrow P), by \rightarrowI, discharging assumption 1.

We never used Q — that is fine. The reading "if P, then Q-or-not, P still holds" is exactly what the formula claims. This is why it serves as an axiom in many Hilbert systems: it is trivially, unfailingly true.

The single most common wreck in a natural-deduction proof is forgetting to discharge an assumption — or worse, using an assumption outside its scope. If you open "assume P" and reach your goal but never close that assumption with a \rightarrowI, \negI or RAA, then your conclusion still secretly depends on P. You have proved P \vdash \text{goal}, not \vdash \text{goal} — a completely different (weaker) claim. A closed assumption box is a promise kept; an unclosed one is a debt hidden in the conclusion.

Related trap: confusing \vdash with \models. Writing P \models Q when you mean "I derived Q using the rules" is not just sloppy notation — it claims a fact about all models that your line-by-line proof did not, on its own, establish (it is soundness that lets you bridge them). Keep "I built a proof" (\vdash) apart from "it is true in every world" (\models).