\setlistdepth

9 ¹¹institutetext: Department of Software Engineering, University of Waikato, Hamilton, New Zealand ¹¹email: [email protected]
¹¹email: [email protected]

A Logic for Veracity: Development and Implementation

Daniel Britten 0000-0002-7860-3595 Steve Reeves 0000-0002-3840-6060

Abstract

In the business rules of supply chains, there are concerns around trust, truth, demonstrability and authenticity. These concerns are gathered together under the name “veracity”.

In the work for this paper we were originally motivated by the requirement around organic certification in the wine industry in New Zealand, but veracity arises in many different situations and our formalisation shows how formal methods can give insights into many such practical problems.

One activity for formal methods involves taking informal processes and formalising them and subsequently building tools to support this formalisation and therefore the original processes too, and the work reported here is an example of that.

Here, then, we explore the idea of veracity in this spirit, give highlights of the development of a logic for it and show how that logic can be implemented in Coq, both for proof support and automation.

Keywords:

Veracity Logic Coq Supply chains

1 Introduction

In supply chains of all sorts, there are concerns around trust, truth, demonstrability and authenticity. These arise because different people taking part in the chain, the actors, may not know each other or directly communicate, may have to use third parties (certainly for the software systems that they probably rely on), may have to take people or documents “at their word” when they would actually like some more tangible evidence to go on, and so on.

Such supply chains may be for physical goods, or may be for software in some distributed development environment (say, using a Git [2] repository for collaboration and the idea of a Software Bill Of Materials, SBOM [17], a counterpart of the established “bill of materials” that accompanies physical goods as they move around).

The work in this paper was initially motivated by consideration of the supply chain “problem” as part of the Veracity Project (which has a public face via The Veracity Lab [3]). In that project some extensive use cases around the production and certification of organic wine in New Zealand were developed [18].¹¹1New Zealand is one of the last countries in the world to put organic certification on a statutory basis, so this has also been a great opportunity to directly influence the government in select committees and with direct engagement with officials and ministers.

There is a set of rules for certifying organic wine and these can be viewed as business rules, perhaps, but certainly the veracity of their application is an issue. Two questions with such sets of rules arise: are the rules sound?; how do we check that someone has followed the rules?

Our way of at least providing a basis for answering these questions is to develop a logic for veracity, and subsequently to mechanise it and make it useable “under the hood” for legislators and producers.

This paper is about a rather new area for formal methods to target in such a fundamental way. Many formal methods techniques, of course, exist to deal with the various parts of a supply chain where systems and software are concerned. But we believe that this is the first work to try to formalise and then mechanise the underlying logic for such important and all-pervasive systems.

1.1 Background to the Concept of “veracity”²²2Sections 1, 2 and 3 are (abbreviated) from the unpublished [19]

When a piece of information is put out into the world it gets subjected to many attempts, both accidental and deliberate, to degrade it or tamper with it. When we are dealing with precious information, that is information which has value (cultural, monetary, scientific etc.), then having assurance that the information is always reliable is vital. When that information is not kept hidden or otherwise protected then this becomes a very hard problem. It may even be insoluble. This is the essence of the veracity problem.

Veracity seems to be a term that is widely used, but it is also hard to pin-down its meaning. In this paper we shall take it to mean, reflecting the concerns in the previous paragraph, that we have an assurance that the information has stayed constant. So, we say a piece of information has veracity when we can check that it has not changed.

1.2 Aims

There is a long, deep, rich heritage of study of the concepts of truth and trust in many settings and many of them are formal, and very complicated and subtle. We want to start from scratch, not in order to just do something different, but in order to be able treat well, but lightly, those parts of veracity which can adequately be treated that way for our purposes (so, trust will be so treated). And then other parts (demonstrability, truth) will be looked at in more depth simply because they have not (as far as a literature search can show) been considered before, either with application in mind or in a formal way. Some examples that deal with adjacent ideas are [9, 6, 22, 21, 13, 12, 8, 16, 20, 10, 14, 7, 11], though they all miss more or less of the components of veracity in some way.

To cut to the chase: we will look at intuitionistic logic since it seems to be clearly what is needed, as we argue below. None of the classical modal logics work, for example, because of their classical basis, not because we do not like modal formalisms! The key to seeing this is that all those classical (and classical-including) logics lose information, which is precisely what a formalisation of veracity, as a starting point, must not do. Intuitionistic logic does not lose information, so obviously it is the place to start.

1.3 Atomic Veracity

Some statements have a sort of immediate veracity, in the sense that they are newly minted by us and have not passed through any other hands.

Consider a couple of examples in more detail:

1.

A bar code that we have ourselves just printed and associated with a physical object might be an example in a supply chain: this act might generate the information that this bar code is stuck to this object that was produced by this person, at this time and this place, has these characteristics (composition, mass, etc.). We might say the information attests that “this bar code really does identify this object”;
2.

Or considering cultural objects, it might be an audio recording of a person giving their whakapapa (the Māori word that is usually condensed into the English word genealogy though it is a much richer concept) together with its meta-data that we have just ourselves recorded and catalogued. Here the information is attesting to the association between the meta-data and the audio data.

These cases in some sense wear their veracity on their sleeve: it is immediate, we have “a piece of veracity”, the information that this piece of data correctly describes this object since I, at just this moment, made the association. This is our atomic veracity. The claim or statement cannot be further analysed in terms of asking whose hands it has passed through, how it has be modified or added to since none of this has ever happened to it.

We might say (using logical terminology) that the piece of verifying information is a witness, proof, testimony, piece of evidence to the act of association, or the act of supporting a claim. The witness and the claim together are our judgements. It is these that we want to be able to objectify and then track. This track will be what we look to when someone says “how do we know that this bar code correctly identifies this object?”.

We might want to view this evidential information in more detail though. A witness might include information of who $p$ , where $\ell$ , when $t$ , how $m$ etc. is was made. In this case, the witness would not be an atomic name but an “atomic” term. I.e. we might view a witness either as the atomic name $w$ or the atomic term $w(p,\ell,t,m)$ . So a witness, a piece of evidence, might contain a lot of information, but from the point of view of the logic it is not further analysable.

One very important use for such a non-atomic a witness is that it contains the provenance that contributes to the witness for a claim. This is often the meta-data attached to a digital artefact, for example.

How the data about it “sticks” to the artefact (the bar code on the car part, the meta-data to the whakapapa audio file) is not what we are concerned about here. It is another technological problem that is being worked on and is outside our scope. So, we are assuming it is possible and has been, or will be, done³³3This might be wishful thinking, but it has such big stakes for such large companies that we can assume it will happen one day, and indeed we now have cameras which help prove the authenticity of photos [4], or the use of isotopes to track the provenance of food and prove its authenticity [1], or very, very close-up photos of objects from particular angles to support authenticity [5], and so on. In any case, veracity is still an interesting idea to try to reason about..

2 A Logic for Veracity

We let letters like $A$ , $B$ , etc. stand for a claim of veracity (for example “This wine is organic”, “This crankshaft is a genuine BMW one”, “This whakapapa follows the correct line for relating her ancestors”), which is a form of proposition that holds, is supported etc. when the veracity claimed is appropriately witnessed, upheld by data, by a person’s statement, by direct knowledge, evidence, that the thing is what we say it is, came from where we say it came from, was grown as we say it was grown, etc.

Then a $judgement$ $a\in A$ is a veracity judgement that $A$ has witness $a$ . A judgement like this is upheld, or perhaps we might say that $A$ has veracity because it is witnessed by $a$ , when this judgement appears as the root of a proof tree constructed according to the rules that follow. There are other forms of judgement too: for example the judgement that $A$ is a claim (of veracity) is $A\ veracity\ claim$ . We will see other forms (to do with equality or computation) later, in addition to these two.

To make the idea of judgement clearer (we hope), since it is not familiar even to most (formal) logicians, let alone others (though computing people use them all the time, formally, in type declarations like $x:Int$ ) we here borrow, paraphrase and present a diagram from [15], page three:

and when showing the witness that upholds the veracity claim we have the form

and note that, as implied by the picture, the $\in$ symbol is part of the judgement language, not part of the witness or claim languages.

2.1 No Veracity

There is a special veracity claim $\bot$ which has no witnesses, i.e. it is the claim that never has veracity, and a judgement that makes a claim about it can never be upheld.

This leads to our first proof rule:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 1.24995pt\hbox{$\displaystyle\penalty 1a\in\bot$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=25.008pt\hbox{\kern 3.00003pt${\bot^{-}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle a\in A$}}}}

This rule says that if you, in the course of your reasoning, somehow have shown that the claim $\bot$ (that can never have veracity) does in fact have it, then you can show that $anything$ has veracity. We call this rule $\bot^{-}$ for “ $\bot$ elimination”.

Martin-Löf makes this comment on his corresponding rule [15]:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 13.14542pt\hbox{$\displaystyle\penalty 1c\in N_{0}$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=54.76547pt\hbox{\kern 3.00003pt${N_{0}\ elimination}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle R_{0}(c)\in C(c)$}}}}

“The explanation of this rule is that we understand that we shall never get an element $c\in N_{0}$ , so that we shall never have to execute $R_{0}(c)$ . Thus the set of instructions for executing a program of the form $R_{0}(c)$ is vacuous. It is similar to the programming statement abort introduced by Dijkstra.”

We use the same justification and motivation for our rule too.

2.2 Adding Claims Together

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 0.55556pt\hbox{$\displaystyle\penalty 1a\in A\quad b\in B$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=60.71971pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle(a,b)\in A\land B$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1(a,b)\in A\land B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=60.71971pt\hbox{\kern 3.00003pt${\land^{-}1}$}}}\hbox{\kern 17.85585pt\hbox{$\displaystyle a\in A$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1(a,b)\in A\land B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=60.71971pt\hbox{\kern 3.00003pt${\land^{-}2}$}}}\hbox{\kern 18.05957pt\hbox{$\displaystyle b\in B$}}}}

Here we are formalising the idea that if two veracity claims $A$ and $B$ are witnessed then the combined claim that $A$ together with $B$ has veracity is also witnessed, and that witness we choose to denote by the pairing of the component witnesses.

Note that this is a simple use of the the idea also of information being preserved around claims and their witnesses even when they are composed together.

2.3 Choice Between Claims

One immediate place where this information preservation becomes perhaps a little unfamiliar is when we try to think about what saying “we have claims $A$ and $B$ and we know that they each have a witness, so we know that one or the other has one: that is, a claim of $A$ or $B$ is witnessed”. We might choose to formalise this by saying

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a\in A\quad b\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=59.6086pt\hbox{\kern 3.00003pt${}$}}}\hbox{\kern 7.70137pt\hbox{$\displaystyle a\in A\lor B$}}}}

The point here is that (first) this rule has exactly the same premises as the one above, and avoiding such points of choice amongst rules is generally (for coherence) a good thing. But more importantly (at the formalisation level) is that we have lost information here. The conclusion does not record which of the alternatives we have relied on to reach it: did we justify the claim of one or the other because of the first witness, or the second?

Righting these two points means doing something like

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 15.21039pt\hbox{$\displaystyle\penalty 1a\in A$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.42879pt\hbox{\kern 3.00003pt${\lor^{+}1}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle i(a)\in A\lor B$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 15.53967pt\hbox{$\displaystyle\penalty 1b\in B$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.67992pt\hbox{\kern 3.00003pt${\lor^{+}2}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle j(b)\in A\lor B$}}}}

So, if we have a witness to a claim of $A$ then we certainly have a witness to a claim of either $A$ or $B$ , and we “tag” the witness in the conclusion so that we do not lose the information about which claim the claim of one or the other relies on.

Now consider the case where we know that a certain witness $c$ upholds the claim that $A\lor B$ . What can we deduce, if anything, from this?

First note that our two introduction rules mean that a witness to a claim like this must in fact have a tag since tags are introduced by the only rule that could have allowed us to deduce the claim of $A\lor B$ . So, we have a case analysis to do: if the witness to this composite claim is tagged with $i$ then we know it is $A$ that we relied on and similarly with $j$ and $B$ . This preservation of all the information allows us to dismantle the composite claim:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1i(a)\in A\lor B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.42877pt\hbox{\kern 3.00003pt${\lor^{-}1}$}}}\hbox{\kern 15.21039pt\hbox{$\displaystyle a\in A$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1j(b)\in A\lor B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.6799pt\hbox{\kern 3.00003pt${\lor^{-}2}$}}}\hbox{\kern 15.53967pt\hbox{$\displaystyle b\in B$}}}}

2.4 Veracity Claims with Prior Assumptions

Imagine that by assuming that claim $A$ has veracity, i.e. that the judgement $x\in A$ has been shown for some arbitrary witness $x$ , we can show that claim $B$ has veracity, i.e. we can show $b\in B$ .

Denote this state of affairs by a claim that depends on an assumption:

x\in A\vdash b\in B

The $\vdash$ is a turnstile (because of its shape) and is a relation between judgements. As we will see, it relates a set of judgements (the assumptions) with a single judgement (the conclusion). We will call this generalised form a judgement too (since the conclusion is certainly a judgement, and it’s usually the focus of our concerns).

As is typical, we introduce an $implication\ claim$ to reflect this, i.e. to discharge the assumption, so the claim becomes

A\rightarrow B

but what would a witness to $this$ claim plausibly look like?

Given any witness $x$ to the claim $A$ then it is possible to construct a witness for the claim $B$ . That is, there is a function which given any witness to $A$ will compute a witness to $B$ , so

\lambda b\in A\rightarrow B

The witness to an implicative claim like $A\rightarrow B$ should be a function that takes a witness to the claim $A$ and turns it into a witness for the claim $B$ .⁴⁴4For expression $e$ and variable $x$ , the expression $(x)e$ is an expression where all free occurrences of $x$ in $e$ become bound by this $(x)$ . The expression $(x)e$ called an abstraction (of $e$ by $x$ ). For expression $(x)e$ and expression $a$ , $(x)e(a)$ is an expression where all occurrences of $x$ in $e$ bound by this $(x)$ are replaced by $a$ . The expression $(x)e(a)$ is called the application of $(x)e$ to $a$ . Note that $b$ in the example must be an abstraction for this judgement to be well-formed.

In general, this allows us to build a function that, given a whole set of basic veracity claims and their witnesses (the assumptions), builds for us a witness for a complex veracity claim. This function can then be read as a process to be followed which, given starting veracity claims, will assure that a complex veracity claim can be successfully and correctly made.

Implication allows us to define negation in terms of $\bot$ : $\lnot A$ is $A\rightarrow\bot$ . A witness to a claim of $\lnot A$ takes a witness to $A$ and gives us a witness to $\bot$ . But $\bot$ has no witness, so a witness to $A$ is not possible, as expected by our informal understanding of saying a claim has no witnesses, i.e. that $\lnot A$ holds.

The requirement that to justify a disjunction of claims it has to be demonstrated which of the claims were justified before (which is the role that the tags on the witnesses are playing in the rules) means that, for example, the claim $A\lor\lnot A$ is also not justifiable without saying which claim is witnessed: $A\lor\lnot A$ doesn’t survive the question: yes, but can you show, whatever $A$ is, the witness that assures the veracity of the claim here?

And the view that witnesses to implications are functions leads us in the same direction: to the thought that this is reinterpreting intuitionistic logic

Note: in fact these rules that we have given in the narrative above (in order to motivate the whole idea) are not general enough. In particular, the elimination rules need to introduce non-canonical forms of expression, and then we need equality rules to “compute” the value (i.e. the canonical form) of a non-canonical form. The full logic has this, but it turns out that for the examples we were motivated by in the supply chain rules need only introduction rules, and that is what the examples later and the automation currently concentrates on. The full rules (that go beyond those needed for the supply chain examples) are in Appendix 0.A. And as an example of an even more general rule (which the given elimination rules are special cases of, and where we have to use the full logic of dependent claims to prove them, in fact) see Appendix 0.B.

3 More Actors

The argument so far is that the logic work above covers the demonstrability (checking a proof is easy) and truth aspects of veracity. What is not yet settled is the trust aspect (the authenticity is left for now–yet to have any ideas on how it might be treated, or even what it is), and once we start to think about trust, we think about people and the relationships between them.

The section above works well when one person is collecting and making veracity claims. It is a one-person logic because we never mention who is making claims, so we cannot tell how many people might be, so we can only correctly assume it is one person from the form of the rules. In other words, there are no rules for combining or tracking veracity claims made by several actors.

One way to perhaps tackle this is to add a name (of an actor) to each justified judgement. So, if actors $k$ and $\ell$ from a set $Act$ have made claims then we might have two judgements $a^{k}\in A$ and $b^{\ell}\in B$ , that is actor $k$ has made claim $A$ with witness $a$ , and similarly for $\ell$ , $b$ and $B$ .

This now adds a second dimension to our logic above. The first dimension dealt with one actor, so we can think of all the judgements before as being abbreviations (because there’s only one actor $k$ ) of judgements of the form $a^{k}\in A$ , so we left the $k$ out because it never varied. Now the second dimension is around how actors become incorporated into the logic.

3.1 Relating Actors

Having introduced more than one actor we now need to think about how, from a veracity point of view, they can be related.

Keeping to the idea that we think of simple cases to guide us rather than trying to do everything we might wish all at once, the question: what relationship between actors is a useful one (there will be others) to consider? Fundamentally, surely, is one of trust: does this actor trust that actor? Once we know who trusts who we can plausibly expect things like $k$ trusting $\ell$ mean that any judgement that $\ell$ has accepted allows $k$ accept that judgement. So, roughly, we would say that $\vdash a^{\ell}\in A$ leads to $\vdash a^{k}\in A$ if $k$ trusts $\ell$ . If we denote the trust relation by $T\subseteq Act\times Act$ then $k$ trusts $\ell$ will be $kTl$ . We propose a rule

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a^{\ell}\in A\quad kTl$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=50.49773pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 12.58788pt\hbox{$\displaystyle a^{k}\in A$}}}}

and we can picture the relation as

A note: in the rule $trust\ T$ , the $kTl$ premise should be considered to be syntactic sugar intended to focus on one particular element of $T$ for the purposes of clarity, since the presence of $T$ in the name of the rule is enough to justify the inference given that the remaining premise and the conclusion show what must be checked (that indeed $kTl$ ) and that can be done by reviewing the definition of $T$ . This means that a proof always takes place in the context of one or more trust relations, and that the name of the rule is actually a name $trust$ and an abbreviated proviso, namely $the\ required\ actors\ must\ be\ related\ to\ one\ another\ in\ an\ in-context\ trust\ relation$ . $k$ and $\ell$ in the rule can be identified by noting that $k$ is the actor mentioned in the conclusion and $\ell$ the actor mentioned in the premise.

3.2 Trust Relations

We can explore, even with this simple basis, how veracity works.

Given $T$ as

we have

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a^{m}\in A\quad lTm$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=56.34055pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 15.88846pt\hbox{$\displaystyle a^{\ell}\in A$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad kTl$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=151.14978pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 62.91391pt\hbox{$\displaystyle a^{k}\in A$}}}}

Given this example we might ask: can $any$ binary relation between actors be a trust one? No; it surely needs to be at least reflexive and certainly not symmetric: we trust ourselves, and if we trust someone does it follow that they should trust us?

Note that the proof above seems to show that trust is also transitive: it turns out to be a property of our simple rule. Does that call the simple rule into question, since it a stretch to accept that if I trust someone, and they trust someone else, then I should trust that someone else?

Well, we make the point that trust here is “100% trust” which explains this rule and how transitivity emerges in this pointwise way. We will return to this below.

Another derivable rule which seems to be a good thing: if two people see veracity in two different things and one trusts the other then the first person believes the conjunction.

Here is a derivation (a proof tree) that shows the validity of this derived rule:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a^{k}\in A\quad kTl$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=51.25604pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 13.3462pt\hbox{$\displaystyle a^{\ell}\in A$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad b^{\ell}\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=154.28741pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 47.00604pt\hbox{$\displaystyle(a,b)^{\ell}\in A\land B$}}}}

and where we have generalised (not the final generalisation step, as we will see) the $\land^{+}$ rule from Section 2.3 by adding actors.

3.3 Degrees of Trust

This brings the final augmentation, that we need degrees of trust to make things work. We write

a_{0.5}^{k}\in A

for $k$ believes with strength 0.5 that $a$ supports the claim $A$ (and we drop the subscript in the case it’s 1.0).

Then the apparent transitivity above only works if $kT_{1.0}\ell$ and $lT_{1.0}m$ , i.e. $k$ trusts $\ell$ completely, and the same for $\ell$ and $m$ , i.e.

and that makes the apparent transitivity look reasonable.

So, we recast the $trust\ T$ rule as

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1kT_{x}l\quad a_{y}^{\ell}\in A$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=54.31142pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 12.18925pt\hbox{$\displaystyle a_{x.y}^{k}\in A$}}}}

If instead $kT_{0.5}\ell$ and $lT_{0.4}m$ then I would say $kT_{0.2}m$ and the proof above supports this, rewritten as

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1kT_{0.5}\ell\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1lT_{0.4}m\quad a^{m}\in A$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=63.4961pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 17.05513pt\hbox{$\displaystyle a_{0.4}^{\ell}\in A$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=156.44698pt\hbox{\kern 3.00003pt${trust\ T}$}}}\hbox{\kern 63.53056pt\hbox{$\displaystyle a_{0.2}^{k}\in A$}}}}

i.e. if $a_{1.0}^{m}\in A$ and $kT_{0.5}\ell$ and $lT_{0.4}m$

then $a_{0.2}^{k}\in A$ .

3.4 The Full Logic

For reasons of space, we have barely scratched the surface of the complete logic, but have sought to give motivation to the idea and then a few formal highlights. The complete logic can be summarised as: Martin-Löf’s intuitionistic type theory, with the trust rule, actors and weights added, and then the whole reinterpreted as we have shown above. In particular, where the original logic talked about proof objects (or programs) and propositions (or types, specifications) we talk about witnesses and claims, respectively. We also rest on Martin-Löf’s soundness argument for the logic [15] (though we have also shown the rules are sound more conventionally via a semantics that rests on defining the meaning of a claim as being the set of all its witnesses).

4 Mechanisation via Coq

We now pass to the next stage of this work, that of mechanising the logic, via Coq, in order that we can take advantage of the proof assistant to both help in finding and then checking our proofs. Given that ultimately we want tools which will help non-logicians (or perhaps even non-formal methods people) use the logic to explore veracity concerns, this is a vital step.

Coq [23] is a proof assistant with a dependently typed programming language called Gallina. The mechanisation of the veracity logic in Coq enforces the rules of the logic and facilitates constructing correct proof trees, both interactively and semi-automatically. The approach to the mechanisation centres around defining the dependent inductive type proofTreeOf Ps j which is the type for correct proof trees, i.e. proof trees that have this judgement at their root, of the judgement j, with the assumptions Ps. This approach makes interactive proofs using Coq’s proof mode possible, where the user is actually constructing a value of type proofTreeOf Ps j rather than proving a typical Coq proposition. It also makes it possible to use regular functional programming techniques on proof trees. This has been used to generate LaTeX renderings of proof trees as well as simple natural language renderings of proof trees. The automation, much of which is future work, also relies on being able to construct proof trees in a similar way to how trees can be constructed in other functional programming languages.

4.1 The Proof Tree Type

The type for proof trees constrains them to be correct proof trees of the root judgement, however the type does not constrain which assumptions can be made.

Figure 1: Selected rules from proof tree type

⬇

Inductive proofTreeOf : list judgement -> judgement -> Type :=

| assume e a c

: proofTreeOf [((AtomicEvid e) \bya \inc)]

((AtomicEvid e) \bya \inc)

| and_intro e1 e2 a C1 C2 Ps Qs Rs

(H : (Ps ++ Qs ==? Rs) = true)

(L: proofTreeOf Ps (e1 \bya \inC1))

(R: proofTreeOf Qs (e2 \bya \inC2))

: proofTreeOf Rs ({{e1, e2}} \bya \in(C1 /\’ C2))

| or_elim1 e1 a C1 C2 Ps

(M: proofTreeOf Ps ((Left e1) \bya \in(C1 \/’ C2)))

: proofTreeOf Ps (e1 \bya \inC1)

| impl_elim x bx y a C1 C2 Ps Qs Rs

(H1 : (Ps ++ Qs ==? Rs) = true)

(H2 : notUsedInInnerLambda x bx = true)

(L: proofTreeOf Ps ((Lambda x bx) \bya \in(Implies C1 C2)))

(R: proofTreeOf Qs (y \bya \inC1))

: proofTreeOf Rs ((apply_lambda x bx y H2) \bya \inC2)

The intention is that when carrying out a proof either interactively or semi-automatically, the person constructing the proof will make use of only the assumptions and trust relations that are valid in their use-case. It is still possible to programmatically analyse a proof tree after it has been constructed to ensure that only certain assumptions and trust relations have been used.

In Figure 1 we demonstrate how the proofTreeOf Ps j type is defined, focusing on a selected rules. The full definition is available on GitHub⁵⁵5https://github.com/Coda-Coda/Veracity-Logic-Mechanised/tree/FM-24.

–

The base case is handled by the rule assume which allows us to assume that actor a holds claim C by the evidence e provided. This rule should only be used when it is appropriate to do so given the use-case.
–

The rule and_intro requires a proof tree showing that claim C1 is held by actor a with the evidence e1 as well as a proof tree that claim C2 is also held by actor a with the evidence e2. Given this, we have a proof tree that the conjunction of claims C1 and C2 is held by actor a with the evidence {{e1, e2}}. This corresponds to the rule labelled “ $\wedge^{+}$ ” in Section 2.2.
–

The rule or_elim1 captures the rule labelled “ $\vee^{-}1$ ” in Section 2.3.
–

The rule impl_elim allows the application of the function that is included in the evidence for a proof of C1 to C2, to potentially different evidence of C2. Such a function is referred to as $b$ in Section 2.4.

4.2 Interactive Proof Tree Construction

To construct a proof tree interactively, we can use Coq tactics as in Figure 2. As shown, the proof follows from the application of the impl_intro and and_intro rules, followed by assuming $C_{1}$ , $C_{2}$ and $C_{3}$ involving the evidence $\ell$ , $s$ and $c$ , respectively. This is an example from a case study, as discussed in Section 0.C.2.

Figure 2: Example proof script

⬇

Definition j1 := x \byP \inc1. Definition j2 := y \byP \inc2.

Definition j3 := z \byP \inc3.

Definition process_example

: proofTreeOf_wrapped P (c3 ->’ (c2 ->’ (c1 ->’ (c1 /\’ c2 /\’ c3)))).

Proof. eexists _ _.

eapply impl_intro with (x:=_z_) (Ps := [j3]) (Qs:=[]). 1-3: shelve.

eapply impl_intro with (x:=_y_) (Ps := [j2;j3]) (Qs:=[j3]). 1-3: shelve.

eapply impl_intro with (x:=_x_) (Ps := [j1;j2;j3]) (Qs:=[j2;j3]).

1-3: shelve.

eapply and_intro with (Ps := [j1;j2]). shelve. eapply and_intro. shelve.

apply assume with (e := _x_). apply assume with (e := _y_).

apply assume with (e := _z_).

Unshelve. all: reflexivity. Defined.

4.3 Generating Renderings of Proof Trees

Once we have constructed proof trees we can use standard functional programming techniques to convert value of the proofTreeOf Ps j type to strings such as renderings in LaTeX or natural language. The code that implements this is omitted for brevity, but is available on GitHub⁶⁶6https://github.com/Coda-Coda/Veracity-Logic-Mechanised/tree/FM-24. In Figure 3, we show the result of rendering the proof from Figure 2. A natural language rendering of the same proof is included in Appendix 0.D. Both renderings are computed by Coq from a completed proof, a value of type proofTreeOf Ps j. The notation $P$ , as a superscript to evidence, applies to all parts of the witness.

$C_{1}\textit{ is a veracity claim}$ $assume$ $x^{P}\in C_{1}\vdash x^{P}\in C_{1}$ $C_{2}\textit{ is a veracity claim}$ $assume$ $y^{P}\in C_{2}\vdash y^{P}\in C_{2}$ $\wedge^{+}$ $x^{P}\in C_{1},y^{P}\in C_{2}\vdash(x,y)^{P}\in(C_{1}\wedge C_{2})$ $C_{3}\textit{ is a veracity claim}$ $assume$ $z^{P}\in C_{3}\vdash z^{P}\in C_{3}$ $\wedge^{+}$ $x^{P}\in C_{1},y^{P}\in C_{2},z^{P}\in C_{3}\vdash((x,y),z)^{P}\in((C_{1}\wedge C_{2})\wedge C_{3})$ $\rightarrow^{+}$ $y^{P}\in C_{2},z^{P}\in C_{3}\vdash\lambda(x)(((x,y),z))^{P}\in(C_{1}\rightarrow((C_{1}\wedge C_{2})\wedge C_{3}))$ $\rightarrow^{+}$ $z^{P}\in C_{3}\vdash\lambda(y)(\lambda(x)(((x,y),z)))^{P}\in(C_{2}\rightarrow(C_{1}\rightarrow((C_{1}\wedge C_{2})\wedge C_{3})))$ $\rightarrow^{+}$ $\lambda(z)(\lambda(y)(\lambda(x)(((x,y),z))))^{P}\in(C_{3}\rightarrow(C_{2}\rightarrow(C_{1}\rightarrow((C_{1}\wedge C_{2})\wedge C_{3}))))$

Figure 3: Generated LaTeX rendering of the proof constructed in Figure 2

4.4 Automating Proof Tree Construction

This section gives an insight into a technique for automating proof tree constructions using a much simplified version of the proofTreeOf type. Bringing this level of automation to the version of proofTreeOf Ps j described previously is left for future work.

Rather than incorporating evidence into the type proofTreeOf, we instead only include the actor and claim as a part of j here and omit the list of assumptions. Then we define a Coq function, computeEvidence, to compute the evidence for each line in the proof tree. A similar approach is taken for the list of assumptions.

The main automation approach taken is to define a function which takes a proof tree with holes and fills in all the holes by one level deeper. This function is then repeated multiple times up until a depth limit is reached. For each unique proof goal and use-case, the user must define the function that takes the proof tree one level deeper. For an example of such a function see Figure 4. This could be facilitated by a web page with a helpful user interface in the future.

Figure 4: An example function for taking a proof tree one level deeper

⬇

Definition proofStepExample (j : judgementPart) : list (proofTreeOf j) :=

match j with JudgementPart a c =>

(if (a =? a1) && (c =? C) then [assume e a c] else []) ++

(if (a =? a1) && (c =? (C /\’ C)) then [assume e a c] else []) ++

match c with

| And C1 C2 => [and_intro a C1 C2 (hole _) (hole _)]

| _ => [] end end.

The user-defined function is then passed to the function shown in Figure 5, which applies the user-defined step function to a proof tree with holes and returns a list of proof trees that have had any holes filled in ‘one level deeper’. This function is then generalised to take in a list of proof trees with holes, making use of flat_map. The resulting function, which both takes in and returns a list of proof trees with holes, is then repeated on its own output until the depth limit is reached. Typically, the initial list would be a list containing the single proof tree of the claim aiming to be proved with a hole as its evidence.

Figure 5: Part of the helper function for semi-automated proof search

⬇

Fixpoint oneLevelDeeper (step : forall j : judgementPart, list (proofTreeOf j)) (j : judgementPart) (p : proofTreeOf j)

: list (proofTreeOf j) :=

match p with

| assume e a c => [(assume e a c)]

| bot_elim a C M => map (bot_elim a C) (oneLevelDeeper step _ M)

| and_intro a C1 C2 L R =>

map (fun L2 => and_intro a C1 C2 L2 R) (oneLevelDeeper step _ L)

++ map (and_intro a C1 C2 L) (oneLevelDeeper step _ R)

An important consideration with this approach to proof search is that in the context of these veracity proofs, it matters which proof we have of a certain claim’s veracity. Proof-irrelevance is not appropriate and so the usual techniques for proof search, which typically result in only one proof being found, are less useful. For example, there are four different proofs of the claim $C\wedge C\wedge C\wedge C$ generated using the step function shown in Figure 4. It would not be sufficient to only generate one of these proofs of this illustrative claim automatically because in realistic examples what can be assumed is constrained. The resulting LaTeX renderings of the four generated proofs are shown in Appendix 0.E.

5 Future Work

The mechanisation does not handle non-canonical evidence and the associated rules, such as given in Appendix 0.A and Appendix 0.B. Future work would involve including this and a richer representation of claims, capturing the notion of families of sets of claims. Incorporating weights for trust relations and throughout the mechanisation is also future work.

As described in Section 4.4, the automation only works with a simplified set of incomplete rules from the logic. In particular, reasoning about ‘or’ elimination and implications in a way which supports automation is not yet possible. This stems from removing evidence from the type of proofTreeOf which makes it possible to have, for instance, lists of proofs of claims. With the proofTreeOf depending on evidence, such lists would be ill-typed. While there are work-arounds, the natural approaches using flat_map, for example, would need to be reworked in future work extending the automation to all the rules.

6 Conclusions

We started this work because others in the wider Veracity project needed some formulation for what the word “veracity” might mean. The abstraction that the logic embodies gives insight into the common ways of reasoning in many particular example domains. And its formal nature gives a basis for computational tools to be developed. Thus, this work has been a classic exercising of the “use case” for formal methods.

Considering the various goals we set ourselves, we summarise as follows:

–

assuming we get true claims as our starting point (our assumptions and undischarged premisses), then truth is maintained. Also trust is expressed and handled in the rules. A proof tree demonstrates all this. So, three of the four components of veracity are preserved in the logic;
–

regarding the fourth component of veracity, authenticity: at least one aspect of it may be expressed in witnesses (recall they can be load-carrying). We have found in our use of the logic that another aspect that points to problems with authenticity is when a proof can be constructed but with certain assumptions undischarged, since those assumptions are often failures of authenticity;
–

the proof support from Coq, for the sorts of problems that arise in our examples around supply chains and organic certification, has been achieved, plus some user-friendly mechanisation to render proof trees in somewhat natural language which typical users can more readily relate to.

References

[1] Food authenticity and profiling, https://www.thermofisher.com/nz/en/home/industrial/food-beverage/food-authenticity-labeling.html
[2] Git version control https://git-scm.com/
[3] The veracity lab https://veracity.wgtn.ac.nz/
[4] Reuters new proof of concept employs authentication system to securely capture, store and verify photographs (2023), https://www.canon.co.uk/press-centre/press-releases/2023/08/reuters-new-proof-of-concept-employs-authentication-system/
[5] Alberge, D.: Manufacturing giant develops revolutionary system to detect counterfeit art (2024), https://www.theguardian.com/artanddesign/2024/jan/27/manufacturing-giant-develops-revolutionary-system-to-detect-counterfeit-art
[6] Aldini, A., Curzi, G., Graziani, P., Tagliaferri, M.: Trust evidence logic. In: Vejnarová, J., Wilson, N. (eds.) Symbolic and Quantitative Approaches to Reasoning with Uncertainty. pp. 575–589. Springer International Publishing, Cham (2021)
[7] Alwhishi, G., Bentahar, J., Elwhishi, A.: Multi-valued model checking a smart glucose monitoring system with trust. In: 2023 International Wireless Communications and Mobile Computing (IWCMC). pp. 1697–1702 (2023). https://doi.org/10.1109/IWCMC58020.2023.10183263
[8] Andrade Guzman, J.M., Hernandez Quiroz, F.: Natural deduction and semantic models of justification logic in the proof assistant coq. Logic journal of the IGPL 28(6), 1077–1092 (2020)
[9] Artemov, S.N., Fitting, M.: Justification Logic: Reasoning with Reasons. Cambridge University Press (2019)
[10] van Benthem, J., Fernández-Duque, D., Pacuit, E.: Evidence logic: A new look at neighborhood structures (2012)
[11] van Benthem, J., Fernńdez-Duque, D., Pacuit, E.: Evidence and plausibility in neighborhood structures. Annals of pure and applied logic 165(1), 106–133 (2014)
[12] From, A.H.: Formalized soundness and completeness of epistemic logic. In: WoLLIC (2021)
[13] Goranko, V.: How deonic logic ought to be: towards a many-sorted framework for normative reasoning. In: DEON (2021)
[14] Liu, F., Lorini, E.: Reasoning about belief, evidence and trust in a multi-agent setting. In: International Conference on Principles and Practice of Multi-Agent Systems (2017)
[15] Martin-Löf, P.: Intuitionistic Type Theory. Bibliopolis, Naples (1984)
[16] Michaelis, J., Nipkow, T.: Formalized proof systems for propositional logic. In: TYPES (2017)
[17] NIST: Software security in supply chains: Software bill of materials (SBOM) (2022), https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
[18] Perera, J., Silva, C.C.: Organics case study: Use case briefs (2022), https://veracity.wgtn.ac.nz/wp-content/uploads/2023/04/Organic˙Supply˙Chain˙˙Use˙Case˙Briefs˙Report.pdf
[19] Reeves, S.: A Logic for Veracity (2024), https://doi.org/10.48550/arXiv.2302.06164
[20] Renne, B.: Multi-agent justification logic: communication and evidence elimination. Synthese (2012)
[21] Rönnedal, D.: Doxastic logic: a new approach. Journal of Applied Non-Classical Logics (2018)
[22] Tagliaferri, M., Aldini, A.: From belief to trust: A quantitative framework based on modal logic. Journal of Logic and Computation (2022)
[23] The Coq Development Team: The Coq Proof Assistant (Jun 2023). https://doi.org/10.5281/zenodo.1003420, https://coq.inria.fr

Appendices

Appendix 0.A The Logic

0.A.1 Logical Rules

0.A.1.1 Preliminaries

These purely logical rules do not change trust, so we have left the actor annotations off, since they will be the same for all witnesses mentioned.

We have also, usually, omitted premises of the form $A\emph{ is a veracity claim}$ where this is clearly needed to make the rule well-formed. We have also omitted assumptions which appear unchanged in both the premises and the conclusion of a rule. So, for example:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1x\in A\vdash b(x)\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=75.19757pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 13.3541pt\hbox{$\displaystyle\lambda b\in A\rightarrow B$}}}}

is the abbreviated form of the full form:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\Gamma\vdash A\emph{ is a veracity claim}\quad\Delta\vdash B\emph{ is a veracity claim}\quad\Theta,x\in A\vdash b(x)\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=326.64555pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 118.17537pt\hbox{$\displaystyle\Gamma,\Delta,\Theta\vdash\lambda b\in A\rightarrow B$}}}}

0.A.1.2 The Rules

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1A\emph{ a veracity claim}$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=80.3057pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 8.88219pt\hbox{$\displaystyle x\in A\vdash x\in A$}}}}\qquad{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 27.64885pt\hbox{$\displaystyle\penalty 1a\in A$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=80.30571pt\hbox{\kern 3.00003pt${claim}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle A\emph{ a veracity claim}$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 1.24995pt\hbox{$\displaystyle\penalty 1a\in\bot$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=25.008pt\hbox{\kern 3.00003pt${\bot^{-}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle a\in A$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 15.21039pt\hbox{$\displaystyle\penalty 1a\in A$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.42879pt\hbox{\kern 3.00003pt${\lor^{+}1}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle i(a)\in A\lor B$}}}}\quad{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 15.53967pt\hbox{$\displaystyle\penalty 1b\in B$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=55.67992pt\hbox{\kern 3.00003pt${\lor^{+}2}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle j(b)\in A\lor B$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in A\lor B\quad x\in A\vdash d(x)\in C\quad y\in B\vdash e(y)\in C$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=214.1513pt\hbox{\kern 3.00003pt${\lor^{-}}$}}}\hbox{\kern 69.78334pt\hbox{$\displaystyle cases(c,d,e)\in C$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in A\quad x\in A\vdash d(x)\in C\quad y\in B\vdash e(y)\in C$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=194.95348pt\hbox{\kern 3.00003pt${\lor^{=}1}$}}}\hbox{\kern 41.19568pt\hbox{$\displaystyle cases(i(c),d,e=d(c)\in C$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in B\quad x\in A\vdash d(x)\in C\quad y\in B\vdash e(y)\in C$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=195.54027pt\hbox{\kern 3.00003pt${\lor^{=}2}$}}}\hbox{\kern 39.19624pt\hbox{$\displaystyle cases(j(c),d,e)=e(c)\in C$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 0.25975pt\hbox{$\displaystyle\penalty 1a_{x}\in A\quad b_{y}\in B$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=60.71971pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle(a,b)\in A\land B$}}}}\quad{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in A\land B\quad x\in A,y\in B\vdash d(x,y)\in C$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=168.85492pt\hbox{\kern 3.00003pt${\land^{-}}$}}}\hbox{\kern 53.53006pt\hbox{$\displaystyle split(c,d)\in C$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a\in A\quad b\in B\quad x\in A,y\in B\vdash d(x,y)\in C$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=185.216pt\hbox{\kern 3.00003pt${\land^{=}}$}}}\hbox{\kern 34.75003pt\hbox{$\displaystyle split((a,b),d=d(a,b)\in C$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1x_{z}\in A\vdash b(x)\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=75.27042pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 13.39052pt\hbox{$\displaystyle\lambda b\in A\rightarrow B$}}}}\quad{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in A\rightarrow B\quad a\in A$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=77.69995pt\hbox{\kern 3.00003pt${\rightarrow^{-}}$}}}\hbox{\kern 10.1035pt\hbox{$\displaystyle app(c,a)\in B$}}}}

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1a\in A\quad x\in A\vdash b(x)\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=110.2056pt\hbox{\kern 3.00003pt${\rightarrow^{=}}$}}}\hbox{\kern 8.11331pt\hbox{$\displaystyle app(\lambda b,a)=b(a)\in B$}}}}

Note: $\lambda b$ is to be understood as $(\lambda b)$ but we leave parentheses off for brevity, and anyhow this is always clear from the context.

The equality rules in the above set are, as can be seen, nicely thought of a computation rules: rules which show us how to go from the non-canonical forms of expressions for witnesses that we get from elimination rules towards the canonical forms of expressions for witnesses that we get from introduction rules. As elsewhere, we view the canonical forms as “the value” of an expression.

Appendix 0.B Families of Claims and Proof of Specialised $\lor$ -elimination Rules (from Section 2.3)

In order to derive the simplified elimination rules in the paper we have to generalise the veracity claims (the propositions, $C$ is what follows) to make them families of sets of claims. As usual with a family of sets, there is an index which comes from another set over which the family members range.

This rule is:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1c\in A\lor B\quad z\in A\lor B\vdash C(z)\quad x\in A\vdash d(i(x))\in C(c)\quad y\in B\vdash e(j(y))\in C(c)$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=348.46065pt\hbox{\kern 3.00003pt${\lor^{-}}$}}}\hbox{\kern 130.88533pt\hbox{$\displaystyle cases(c,d,e)\in C(c)$}}}}

along with some equality rules for “computing” with $cases$ . Like:

	$\displaystyle cases(i(a),d,e)=d(a)$
	$\displaystyle cases(j(b),d,e)=e(b)$

In the example that follows $C(c)$ , where $c\in A\lor B$ , in the above rule is specialised (for this example) and is the family $\{A_{i(a)},B_{j(b)}\}$ , i.e. $C(c)$ is to be thought of as, more usually written, $\{C_{y}\}_{y\in A\lor B}$ for appropriate $C_{y}$ s. An alternative way to say what $C(c)$ is might be to write

	$\displaystyle C(i(a))=A$
	$\displaystyle C(j(b))=B$

Then rule $\lor^{-}1$ above is derived as:

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1i(a)\in A\lor B\quad x\in A\vdash x\in A\quad y\in B\vdash y\in B$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=200.77768pt\hbox{\kern 3.00003pt${\lor^{-}}$}}}\hbox{\kern 33.76411pt\hbox{$\displaystyle cases(i(a),(x)x,(y)y)\in A\lor B$}}}}

which simplifies, given the computation rules for $cases$ and the trivially holding second and third premises, to the rule given previously for $\lor^{-}1$ .

Appendix 0.C Examples

In this section we give simple examples of the logic in action.

0.C.1 Stars v. Chains

As a small example of how we can use the formalism of trust relations developed so far in characterising simple differences we consider a typical supply chain from a trust point-of-view and contrast it with a star supply “chain” and see how the formalism shows the difference between them (an obvious difference, so this is a check that the formalism correctly characterises this, rather than a hard test for the formalism to solve).

The setting is a supply chain for some product (perhaps grain, perhaps grapes etc.) where producers, carriers, warehousers, wholesalers and retailers are all involved as actors as the product moves from countryside to consumer. We might picture this chain as

where the edges denote that movement of goods is possible between the actors $p$ , $q$ , … (at the nodes). So, $p$ can pass goods to $q$ and vice versa, and so on.

The story behind this is: $p$ supplies good to storer $q$ , who tells distributor $r$ that the goods are available and $r$ tells transporter $s$ that delivery can go ahead, so $s$ collects goods and delivers to retailer $t$ who finally supplies to customer $u$ .

Now think about how information works in the chain. There is no reason it should follow the same path as the goods. In the usual supply chain it often does. So $u$ has no access to information that $p$ has, but only to information that $t$ has. This leads to inefficiencies in the chain’s working: things might be more efficient if $u$ could see (some) information that $q$ has because it would increase veracity (trust, truth-telling etc.) and therefore the ease of working in the chain. A real example of this is where $p$ claims to have the means to pay for storage of the goods from where $u$ can collect them, but actually doesn’t, leading to $u$ arriving at the storage to find a bill for their release. If $u$ could see the information about $p$ directly then they might be able to see that $p$ has paid (or not) the storage bill.

So, though the goods might move along the chain, it would be more efficient (due to better veracity) if information was arranged in a star where all participants have access to a pool of information:

We can formalise this to see the benefit. Let there be a (new) trust relation $S$ over the actors, weighted so that

pS_{x}q,qS_{y}r,rS_{z}s,sS_{a}t,tS_{b}u

for the chain. To take into account the star we can define $S$ so that

pS_{1.0}\ell,qS_{1.0}\ell,rS_{1.0}\ell,sS_{1.0}\ell,tS_{1.0}\ell,uS_{1.0}\ell

which records that each node completely trusts the central actor $\ell$ to keep a true record. (Perhaps “ $\ell$ ” is for “ledger”….?)

$p$ needs to trust that $t$ will pay for the goods (via intermediate actors), and using the logic we can say that $pT_{x.y.z.a}t$ . So, we can see that, unless there is complete trust ( $x=y=z=a=1$ ) between all the actors then trust steadily decreases as information (about the payment being made) flows along the chain. In the case of the star, the very worst that can happen is that $t$ is untrustworthy to some degree (i.e. they don’t always put true information into the ledger). If $t$ is trusted with a weight $c\%$ then $lS_{c}t$ and so $pS_{c}t$ .

This is a very simple case for illustration, but we can see that we now have a formal basis for calculating and discussing degrees of trust. In this case it is clear that the star will be better for $p$ as long as $c\geq x.y.z.a$ .

In general it is clear that the longer the chain, the less trust there is. With the star, the trust level is constant (pairwise).

0.C.2 Simple First Examples from some Case Studies

A typical (though very small) example of a derivation (proof tree) for a simple supply chain.

We have:

–
$C_{1}$ is “the fertilizer has these ingredients” (which might be further broken down into:
- $\bullet$
  
  $C_{11}$ this is the list of organic ingredients
- $\bullet$
  
  $C_{12}$ this is the list of non-organic ingredients
)
–

$C_{2}$ is “the spreadsheet describes the ingredients of the fertilizer” (with similar components to $C_{11}$ and $C_{12}$ above)
–

$C_{3}$ is “the ingredients are all certified” (with component claims for each ingredient, perhaps)
–

and so on…

Then we have a series of witnesses that support these claims. For example we might have $x^{P}\in C_{1}$ where $x^{P}$ is the evidence that Penelope uses (believes, cites, quotes) to support the claim that the the fertilizer has the ingredients as indicated. Similarly, $y^{P}\in C_{2}$ is a judgement where $y^{P}$ is the evidence that Penelope uses (believes, quotes, cites) to show that the spreadsheet is a true record of the ingredients. And finally, similarly for $z^{P}\in C_{3}$ .

Then, an abbreviated form of the case study claim “All things are listed and certified” comes out as

C_{1}\land C_{2}\land C_{3}

and a proof tree would be

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{1}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 11.63567pt\hbox{$\displaystyle x^{P}\in C_{1}\vdash x^{P}\in C_{1}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{2}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 12.08934pt\hbox{$\displaystyle y^{P}\in C_{2}\vdash y^{P}\in C_{2}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=331.1826pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 95.34111pt\hbox{$\displaystyle x^{P}\in C_{1},y^{P}\in C_{2}\vdash(x,y)^{P}\in C_{1}\land C_{2}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{3}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 12.26064pt\hbox{$\displaystyle z^{P}\in C_{3}\vdash z^{P}\in C_{3}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=542.01498pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 165.31804pt\hbox{$\displaystyle x^{P}\in C_{1},y^{P}\in C_{2},z^{P}\in C_{3}\vdash((x,y),z)^{P}\in C_{1}\land C_{2}\land C_{3}$}}}}

Note how the assumptions accumulate on the left of the turnstile, so we never lose assumptions (something that in a large example may well be a problem if keeping track of things by conventional means, perhaps).

We can give an example of another feature using the above example as a starting point. That is, we can show how a process (or function) for constructing evidence for complex claims can be built.

We can abstract on $x,y$ and $z$ above (the witnesses) to get the modified tree

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{1}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 11.63567pt\hbox{$\displaystyle x^{P}\in C_{1}\vdash x^{P}\in C_{1}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{2}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 12.08934pt\hbox{$\displaystyle y^{P}\in C_{2}\vdash y^{P}\in C_{2}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=331.1826pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 95.34111pt\hbox{$\displaystyle x^{P}\in C_{1},y^{P}\in C_{2}\vdash(x,y)^{P}\in C_{1}\land C_{2}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2\quad\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1C_{3}\ a\ veracity\ claim$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=92.5506pt\hbox{\kern 3.00003pt${assume}$}}}\hbox{\kern 12.26064pt\hbox{$\displaystyle z^{P}\in C_{3}\vdash z^{P}\in C_{3}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=532.65941pt\hbox{\kern 3.00003pt${\land^{+}}$}}}\hbox{\kern 80.41739pt\hbox{$\displaystyle\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 63.11345pt\hbox{$\displaystyle\penalty 1x^{P}\in C_{1},y^{P}\in C_{2},z^{P}\in C_{3}\vdash((x,y),z)^{P}\in C_{1}\land C_{2}\land C_{3}$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=328.25023pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 33.6873pt\hbox{$\displaystyle\penalty 1y^{P}\in C_{2},z^{P}\in C_{3}\vdash\lambda(x^{P})((x,y),z)^{P}\in C_{1}\rightarrow(C_{1}\land C_{2}\land C_{3})$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=284.67581pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 2.50006pt\hbox{$\displaystyle\penalty 1z^{P}\in C_{3}\vdash\lambda(y^{P})(x^{P})((x,y),z)^{P}\in C_{2}\rightarrow(C_{1}\rightarrow(C_{1}\land C_{2}\land C_{3}))$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=241.10143pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle\lambda(z^{P})(y^{P})(x^{P})((x,y),z)^{P}\in C_{3}\rightarrow(C_{2}\rightarrow(C_{1}\rightarrow(C_{1}\land C_{2}\land C_{3})))$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}}}}

We can see we have constructed a function which, given appropriate witnesses, constructs for us a witness to (the conjunction which is) the required claim.

0.C.3 Another Example—the process has been followed to justify a particular fact

Assuming that Peter’s status in the system is “Completed”, what supports the claim (how do we know the process that justifies the status has been followed) that this is a correct status?

The claim in the example rests on 13 steps. In order to make this a bit more tractable (without mechanisation) we’ll consider just steps 3, 5, 6, 10 and 12. We assume here that we can simply check that the system has Peter’s status as “Completed”; here we are interested in the claim that the process ending with this being that case has been followed. So, using $L_{3},...L_{12}$ to stand for the relevant claims, we’re looking for the evidence (the witness) for

L_{3}\rightarrow(L_{5}\land L_{6})\rightarrow L_{10}\rightarrow L_{12}

We can build the following proof tree (where we’ve left out the leaves of the tree which simply make the assumptions that the $L$ s are veracity claims, and that Peter is the actor in all cases):

{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 51.44673pt\hbox{$\displaystyle\penalty 1z\in L_{10},y\in(L_{5}\land L_{6}),x\in L_{3}\vdash\ell\in L_{12}$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=250.73236pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{\kern 28.68721pt\hbox{$\displaystyle\penalty 1y\in(L_{5}\land L_{6}),x\in L_{3}\vdash\lambda(z)\ell\in L_{10}\rightarrow L_{12}$}}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=207.15797pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 0.0pt\hbox{$\displaystyle\hskip 5.0pt plus 1.0fil{tensy\vbox{\hbox spread0.0pt{\hskip 0.0pt plus 0.0001fil\hbox{$\displaystyle\penalty 1x\in L_{3}\vdash\lambda(y)(z)\ell\in(L_{5}\land L_{6})\rightarrow L_{10}\rightarrow L_{12}$}\hskip 0.0pt plus 0.0001fil}\hbox{\hbox{\kern 0.0pt\vrule height=0.25002pt,depth=0.25002pt,width=163.58356pt\hbox{\kern 3.00003pt${\rightarrow^{+}}$}}}\hbox{\kern 2.77771pt\hbox{$\displaystyle\lambda(x)(y)(z)\ell\in L_{3}\rightarrow(L_{5}\land L_{6})\rightarrow L_{10}\rightarrow L_{12}$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}}}}\hskip 5.0pt plus 1.0fil\penalty 2$}}}}

Appendix 0.D Natural Language Rendering of the Proof from Figure 2, and example Section 0.C.2 above

–
(claim 3 implies (claim 2 implies (claim 1 implies ((claim 1 and claim 2) and claim 3)))) is supported by $\lambda(z)(\lambda(y)(\lambda(x)(((x,y),z))))$ which Penelope uses, because
- $\bullet$
  Assuming claim 3 is supported by $z$ which Penelope uses then (claim 2 implies (claim 1 implies ((claim 1 and claim 2) and claim 3))) is supported by $\lambda(y)(\lambda(x)(((x,y),z)))$ which Penelope uses, because
  - $\bullet$
    
    Assuming claim 2 is supported by $y$ which Penelope uses, and claim 3 is supported by $z$ which Penelope uses then (claim 1 implies ((claim 1 and claim 2) and claim 3)) is supported by $\lambda(x)(((x,y),z))$ which Penelope uses, because
    
    $\bullet$
    
    Assuming claim 1 is supported by $x$ which Penelope uses, claim 2 is supported by $y$ which Penelope uses, and claim 3 is supported by $z$ which Penelope uses then ((claim 1 and claim 2) and claim 3) is supported by $((x,y),z)$ which Penelope uses, because
    
    $\bullet$
    
    Assuming claim 1 is supported by $x$ which Penelope uses, and claim 2 is supported by $y$ which Penelope uses then (claim 1 and claim 2) is supported by $(x,y)$ which Penelope uses, because
    
    $\bullet$
    
    Assuming claim 1 is supported by $x$ which Penelope uses then claim 1 is supported by $x$ which Penelope uses, because
    
    $\bullet$
    
    claim 1 is a veracity claim.
    
    $\bullet$
    
    by assumption.
    
    $\bullet$
    
    Assuming claim 2 is supported by $y$ which Penelope uses then claim 2 is supported by $y$ which Penelope uses, because
    
    $\bullet$
    
    claim 2 is a veracity claim.
    
    $\bullet$
    
    by assumption.
    
    $\bullet$
    
    by a logical rule for ’and’.
    
    $\bullet$
    
    Assuming claim 3 is supported by $z$ which Penelope uses then claim 3 is supported by $z$ which Penelope uses, because
    
    $\bullet$
    
    claim 3 is a veracity claim.
    
    $\bullet$
    
    by assumption.
    
    $\bullet$
    
    by a logical rule for ’and’.
  - $\bullet$
    
    by a logical rule for implication.
- $\bullet$
  
  by a logical rule for implication.
–

by a logical rule for implication.

Appendix 0.E Automatically Generated Proofs of $C\wedge C\wedge C\wedge C$

$C\wedge C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\wedge C\vdash e^{a_{1}}\in C\wedge C$ $C\wedge C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\wedge C\vdash e^{a_{1}}\in C\wedge C$ $\wedge^{+}$ $e^{a_{1}}\in C\wedge C\vdash(e,e)^{a_{1}}\in C\wedge C\wedge C\wedge C$

$C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $\wedge^{+}$ $e^{a_{1}}\in C\vdash(e,e)^{a_{1}}\in C\wedge C$ $C\wedge C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\wedge C\vdash e^{a_{1}}\in C\wedge C$ $\wedge^{+}$ $e^{a_{1}}\in C,e^{a_{1}}\in C\wedge C\vdash((e,e),e)^{a_{1}}\in C\wedge C\wedge C\wedge C$

$C\wedge C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\wedge C\vdash e^{a_{1}}\in C\wedge C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $\wedge^{+}$ $e^{a_{1}}\in C\vdash(e,e)^{a_{1}}\in C\wedge C$ $\wedge^{+}$ $e^{a_{1}}\in C\wedge C,e^{a_{1}}\in C\vdash(e,(e,e))^{a_{1}}\in C\wedge C\wedge C\wedge C$

$C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $\wedge^{+}$ $e^{a_{1}}\in C\vdash(e,e)^{a_{1}}\in C\wedge C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $C\textit{ is a veracity claim}$ $assume$ $e^{a_{1}}\in C\vdash e^{a_{1}}\in C$ $\wedge^{+}$ $e^{a_{1}}\in C\vdash(e,e)^{a_{1}}\in C\wedge C$ $\wedge^{+}$ $e^{a_{1}}\in C\vdash((e,e),(e,e))^{a_{1}}\in C\wedge C\wedge C\wedge C$