theory Winning2NE imports Main begin (*Work based on article "From winning strategy to Nash equilibrium" by Stéphane Le Roux Includes extension of this work: the order is lifted without prior linear extension*) (*Lemmas about minima and maxima in finite sets*) (*every finite non-empty partial order has a maximum*) (*I use les instead of less because less is predefined*) lemma existsMax : assumes les_transitive : "\a b c. les a b \ les b c \ les a c" and les_irreflexive : "\ a. \(les a a)" and finite_X : "finite X" shows "X\{} \ (\x\X. \y\X. \(les x y))" proof - (* (induct X) does not work, why?*) (*Induction proof*) have "finite X" by (rule finite_X) moreover (*Base*) have base : "{}\{} \ (\x\{}. \y\{}. \(les x y))" by simp moreover (*step*) { fix A and a assume finite_A : "finite A" and ihy : "A\{} \ (\x\A. \y\A. \(les x y))" have ist : "insert a A\{} \ (\x\insert a A. \y\insert a A. \(les x y))" proof (cases "A={}") (*that's really the step*) assume "A\{}" with ihy have "\x\A. \y\A. \(les x y)" by (rule mp) then obtain xm where xmA : "xm\A" and isMax : "\y\A. \(les xm y)" by (rule bexE) have "\x\insert a A. \y\insert a A. \(les x y)" proof (cases "les xm a") assume "\(les xm a)" hence "\y\insert a A. \(les xm y)" using isMax by simp moreover have "xm\ insert a A" using xmA by simp ultimately show "\x\insert a A. \y\insert a A. \(les x y)" by (rule bexI) next assume xmLa : "les xm a" { fix y { assume yA : "y\A" hence not_xmLy : "\(les xm y)" using isMax by simp moreover { assume "les a y" with xmLa have "les xm y" by (rule les_transitive) with not_xmLy have "False" by simp } hence "\(les a y)" by (rule notI) } hence "y\A \ \(les a y)" by (rule impI) } hence "\y\A. \(les a y)" by simp moreover have "\(les a a)" by (rule les_irreflexive) ultimately have " \y\insert a A. \(les a y)" by simp moreover have "a\ insert a A" by simp ultimately show "\x\insert a A. \y\insert a A. \(les x y)" by (rule bexI) qed thus "insert a A\{} \ (\x\insert a A. \y\insert a A. \(les x y))" by (rule impI) next assume "A={}" (*that's really the base case*) hence a_singl : "{a} = insert a A" by simp { fix y have "\(les a a)" by (rule les_irreflexive) hence "y\{a}\ \(les a y)" by simp with a_singl have "y\insert a A\ \(les a y)" by (rule subst) } hence "\y. y\insert a A \ \(les a y)" by (rule allI) hence "\y\insert a A. \(les a y)" by simp moreover have "a\insert a A" by simp ultimately have "\x\insert a A. \y\insert a A. \(les x y)" by (rule bexI) thus "insert a A\{} \ (\x\insert a A. \y\insert a A. \(les x y))" by (rule impI) qed } ultimately show ?thesis by (rule finite.induct) qed (*Symmetric to existsMax*) lemma existsMin : assumes les_transitive : "\a b c. les a b \ les b c \ les a c" and les_irreflexive : "\ a. \(les a a)" and finite_X : "finite X" shows "X\{} \ (\x\X. \y\X. \(les y x))" proof - have lesmax_transitive : "\a b c. les b a \ les c b \ les c a" proof - show "\a b c. les b a \ les c b \ les c a" using les_transitive by blast qed show "X\{} \ (\x\X. \y\X. \(les y x))" using lesmax_transitive and les_irreflexive and finite_X by (rule existsMax) qed (*13.2.17 : Generalisation of existsMax: either an element is a minimum or it has a minimum below it. This time I first prove it for min since that is what I need.*) (*at least half a day's work*) lemma isMinOrHasMin : assumes les_trans : "\a b c. les a b \ les b c \ les a c" and les_irr : "\ a. \les a a" and finite_X : "finite X" shows "\x\X. (\y\X. \les y x)\(\z\X. les z x \(\y\X. \les y z))" proof - (* (induct X) does not work, why?*) (*Induction proof*) have "finite X" by (rule finite_X) moreover (*Base (pseudo)*) have base : "\x\{}. (\y\{}. \les y x)\(\z\{}. les z x \(\y\{}. \les y z))" by simp moreover (*step*) { fix A and a assume finite_A : "finite A" and IH : "\x\A. (\y\A. \les y x)\(\z\A. les z x \(\y\A. \les y z))" have IS : "(\x\insert a A. (\y\insert a A. \les y x)\ (\z\insert a A. les z x \(\y\insert a A. \les y z)))" proof (rule ballI) fix x assume xaA : "x\insert a A" show "(\y\insert a A. \les y x) \ (\z\insert a A. les z x \(\y\insert a A. \les y z))" proof (cases "x\A") assume "x\A" with IH have "(\y\A. \les y x)\(\z\A. les z x \(\y\A. \les y z))" by (rule bspec) moreover (*case distinction over the above disjunction*) { assume xminA : "\y\A. \les y x" (*x is minimum in A*) have ?thesis proof (cases "les a x") assume a_newmin : "les a x" (*a replaces x as minimum in insert a A*) have "\y\insert a A. \les y a" (*a is minimum in insert a A*) proof (rule ballI) fix y assume "y\insert a A" hence "y=a\y\A" by simp moreover (*case distinction over the above disjunction*) { assume "y=a" hence "\les y a" using les_irr by simp } moreover { assume yA : "y\A" { assume "les y a" (*y would be smaller than minimum in insert a A*) hence "les y x" using a_newmin by (rule les_trans) with xminA and yA have "False" by simp } hence "\les y a" by (rule notI) } ultimately show "\les y a" by (rule disjE) qed with a_newmin have "les a x \(\y\insert a A. \les y a)" by (rule conjI) hence "\z\insert a A. les z x \(\y\insert a A. \les y z)" by blast thus ?thesis by (rule disjI2) next assume x_stays_min : "\les a x" with xminA have "\y\insert a A. \les y x" by simp thus ?thesis by (rule disjI1) qed } moreover { assume xNotMinA : "(\z\A. les z x \(\y\A. \les y z))" then obtain z where zA : "z\A" and zx_zminA : "les z x \ (\y\A. \les y z)" by (rule bexE) have zx : "les z x" using zx_zminA by (rule conjunct1) have zminA : "(\y\A. \les y z)" using zx_zminA by (rule conjunct2) have ?thesis proof (cases "les a z") assume a_newmin : "les a z" (*a replaces z as minimum in insert a A*) hence ax : "les a x" using zx by (rule les_trans) (*needed later*) have "\y\insert a A. \les y a" (*a is minimum in insert a A*) proof (rule ballI) fix y assume "y\insert a A" hence "y=a\y\A" by simp moreover (*case distinction over the above disjunction*) { assume "y=a" hence "\les y a" using les_irr by simp } moreover { assume yA : "y\A" { assume "les y a" (*y would be smaller than minimum in insert a A*) hence "les y z" using a_newmin by (rule les_trans) with zminA and yA have "False" by simp } hence "\les y a" by (rule notI) } ultimately show "\les y a" by (rule disjE) qed with ax have "les a x \(\y\insert a A. \les y a)" by (rule conjI) hence "\z\insert a A. les z x \(\y\insert a A. \les y z)" by blast thus ?thesis by (rule disjI2) next (*z remains minimum in insert a A*) assume z_stays_min : "\les a z" with zminA have "\y\insert a A. \les y z" by simp with zx have "les z x \ (\y\insert a A. \les y z)" by (rule conjI) with zA have "(\z\insert a A. les z x \ (\y\insert a A. \les y z))" by blast thus ?thesis by (rule disjI2) qed } ultimately show ?thesis by (rule disjE) next assume "x\A" hence x_a : "x=a" using xaA by simp show ?thesis proof (cases "\y\A. \les y x") assume "\y\A. \les y x" (*x=a is the minimum in insert a A*) with les_irr and x_a have "\y\insert a A. \les y x" by simp thus ?thesis by (rule disjI1) next assume "\(\y\A. \les y x)" (*x=a is not the minimum in insert a A*) hence "\y\A. les y x" by simp then obtain y where yA : "y\A" and yx : "les y x" by (rule bexE) have not_xy : "\les x y" (*needed twice below. NO, JUST ONCE*) proof (rule notI) assume "les x y" with yx have "les y y" by (rule les_trans) with les_irr show "False" by (rule notE) qed (*instantiate x in IH with y: y is min in A or has min below it:*) have "(\y'\A. \les y' y)\(\z\A. les z y \(\y'\A. \les y' z))" using IH and yA by (rule bspec) moreover (*case distinction over the above disjunction*) { assume ymin : "\y'\A. \les y' y" moreover have "\les x y" by (rule not_xy) ultimately have "(\y'\A. \les y' y) \ \les x y" by (rule conjI) hence "\y'\insert a A. \les y' y" using x_a by blast hence "les y x \ (\y'\insert a A. \les y' y)" using yx by blast hence "(\z\insert a A. les z x \ (\y'\insert a A. \les y' z))" using yA by blast hence ?thesis by (rule disjI2) } moreover { assume "(\z\A. les z y \(\y'\A. \les y' z))" (*y has minimum below it*) then obtain z where zA : "z\A" and zy_zminA : "les z y \(\y'\A. \les y' z)" by (rule bexE) have zy : "les z y" using zy_zminA by (rule conjunct1) have zx : "les z x" using zy and yx by (rule les_trans) have zminA2 : "(\y'\A. \les y' z)" using zy_zminA by (rule conjunct2) moreover { assume "les a z" hence "les a x" using zx by (rule les_trans) with x_a have "les a a" by (rule subst) with les_irr have "False" by (rule notE) } hence "\les a z" by (rule notI) ultimately have "(\y'\A. \les y' z) \ \les a z" by (rule conjI) hence "\y'\insert a A. \les y' z" using x_a by blast hence "les z x \ (\y'\insert a A. \les y' z)" using zx by blast hence "(\z\insert a A. les z x \ (\y'\insert a A. \les y' z))" using zA by blast hence ?thesis by (rule disjI2) } ultimately show ?thesis by (rule disjE) qed qed qed } ultimately show ?thesis by (rule finite.induct) qed (*For defining lifting we need upper cone of a point and of a set:*) text_raw {*\DefineSnippet{uconelessP}{*} definition ucone :: "('a \ 'a \ bool) \ 'a \ ('a set)" where "ucone les x = {z. les x z}" definition uCone :: "('a \ 'a \ bool) \ ('a set) \ ('a set)" where "uCone les Y = \ ((ucone les) ` Y)" definition (*Lifting without prior extension*) lessP :: "('a \ 'a \ bool) \ ('a set) \ ('a set) \ bool" where "lessP les A B = (finite A \ (\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))))" text_raw {*}%EndSnippet*} definition (*2.1 in paper but note that < is automatically a strict linear order*) lessPOrig :: "('a \ 'a \ bool) \ ('a set) \ ('a set) \ bool" where "lessPOrig les A B = (\a\A-B. \b\B-A. les a b)" lemma twoLiftings : assumes AB_orig : "lessPOrig les A B" and finiteA : "finite A" shows "lessP les A B" proof - have "lessPOrig les A B" by (rule AB_orig) with lessPOrig_def have "(\a\A-B. \b\B-A. les a b)" by (rule subst) then obtain a where aAB : "a\A-B" and aMin : "\b\B-A. les a b" by (rule bexE) (*will show that A-B is witness for "lessP les A B"*) have ABnonempty : "A-B\{}" using aAB by blast have ABsubset : "A-B \A-B" by simp have BA_uConeSubset : "B-A\uCone les (A-B)" proof (rule subsetI) fix x assume "x\B-A" with aMin have "les a x" by (rule bspec) hence "x\{z. les a z}" by simp with ucone_def[symmetric] have "x\ucone les a" by (rule subst) hence "x\ \ ((ucone les) ` (A-B))" using aAB by blast with uCone_def[symmetric] show "x\ uCone les (A-B)" by (rule subst) qed (*Now show A-((A-B)\(uCone les (A-B))) = B-((A-B)\(uCone les (A-B))) Approach: show that "A - " and "B -" can both be replaced by A\B*) have Amin_AB : "A-(A-B) = A\B" by blast have Bmin_AB : "B-(B-A) = A\B" by blast have "A-((A-B)\(uCone les (A-B))) = (A-(A-B)) - (uCone les (A-B))" by blast (*simple set theory*) also have "... = ((A-(A-B)) - (A-B)) - (uCone les (A-B))" by blast (*making expression more complicated*) also have "... = ((A\B) - (A-B)) - (uCone les (A-B))" using Amin_AB by blast also have "... = (A\B) - ((A-B)\(uCone les (A-B)))" by blast (*Now massage this to get to expression for B. I had to do this first in reverse to see how it goes.*) also have "... = (B- (B-A))- ((A-B)\(uCone les (A-B)))" using Bmin_AB by blast also have "... = B-((A-B)\(uCone les (A-B)))" using BA_uConeSubset by blast finally have "A-((A-B)\(uCone les (A-B))) = B-((A-B)\(uCone les (A-B)))" . with ABnonempty have "A-B\{} \ A-((A-B)\(uCone les (A-B))) = B-((A-B)\(uCone les (A-B)))" by (rule conjI) hence "(\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A')))" using ABsubset by blast with finiteA have "finite A \ (\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A')))" by (rule conjI) with lessP_def[symmetric] show ?thesis by (rule subst) qed text_raw {*\DefineSnippet{liftirreflexive}{*} lemma lift_irreflexive : (*Lemma 3 in note*) shows "\(lessP les A A)" text_raw {*}%EndSnippet*} proof - { assume "lessP les A A" with lessP_def have "finite A \ (\A'\A-A. A'\{} \ A-(A'\(uCone les A')) = A-(A'\(uCone les A')))" by (rule subst) hence "False" by blast } thus ?thesis by (rule notI) qed (*Used in lift_transitive*) lemma subsetCones : assumes A_sub : "A\AuB" and les_trans : "\a b c. les a b \ les b c \ les a c" and les_irr : "\ a. \les a a" and finiteAB : "finite AuB" shows "A\(uCone les A) \ {x\AuB. \y\AuB. \(les y x)} \ (uCone les {x\AuB. \y\AuB. \(les y x)})" (is "A\(uCone les A) \ ?A'' \ (uCone les ?A'')") proof (rule subsetI) fix x assume "x\ A\(uCone les A)" hence "x\A\ x\(uCone les A)" by simp (*transform this disjunction into another one that distinguishes minimal and non-minimal x:*) hence "x\A\(\y\AuB. \(les y x)) \ x\A\\(\y\AuB. \(les y x)) \ x\(uCone les A)" by blast moreover (*case distinction over the above disjunction*) { (*x is minimal*) assume xA_xMin : "x\A\(\y\AuB. \(les y x))" hence xAB : "x\AuB" using A_sub by blast have xMin : "(\y\AuB. \(les y x))" using xA_xMin by (rule conjunct2) hence "x\?A''" using xAB by blast hence "x \ ?A''\(uCone les ?A'')" by simp } moreover { (*x is not minimal*) assume xNotMinGeneral : "x\A\\(\y\AuB. \(les y x)) \ x\(uCone les A)" have "(\z\ AuB. les z x \(\y\AuB. \les y z))" (*There is a minimal z below x*) proof (cases "x\A\\(\y\AuB. \(les y x))") { (*x is in A'*) assume xA_xNotMin :"x\A\\(\y\AuB. \(les y x))" hence xAB : "x\AuB" using A_sub by blast have xNotMin : "\(\y\AuB. \(les y x))" using xA_xNotMin by (rule conjunct2) moreover have "\x\AuB. (\y\AuB. \les y x)\(\z\ AuB. les z x \(\y\AuB. \les y z))" using les_trans and les_irr and finiteAB by (rule isMinOrHasMin) hence "(\y\AuB. \les y x)\(\z\ AuB. les z x \(\y\AuB. \les y z))" using xAB by (rule bspec) ultimately show "(\z\ AuB. les z x \(\y\AuB. \les y z))" by blast } next { (*x is in uCone les A'*) assume "\(x\A\\(\y\AuB. \(les y x)))" hence "x\(uCone les A)" using xNotMinGeneral by blast with uCone_def have "x\ \ ((ucone les) ` A)" by (rule subst) hence "\z2\A. x\ (ucone les z2)" by simp then obtain z2 where z2A : "z2\A" and x_ucone_z2 : "x\ (ucone les z2)" by (rule bexE) have "x\{x'. les z2 x'}" using ucone_def and x_ucone_z2 by (rule subst) hence z2x : "les z2 x" by simp have z2AB : "z2\AuB" using z2A and A_sub by blast have "\x\AuB. (\y\AuB. \les y x)\(\z\ AuB. les z x \(\y\AuB. \les y z))" using les_trans and les_irr and finiteAB by (rule isMinOrHasMin) hence "(\y\AuB. \les y z2)\(\z\ AuB. les z z2 \(\y\AuB. \les y z))" using z2AB by (rule bspec) moreover (*Now show that there is a minimal z below x, in both cases of the line above.*) { assume "\y\AuB. \les y z2" with z2x have "les z2 x \ (\y\AuB. \les y z2)" by (rule conjI) hence ?thesis using z2AB by (rule bexI) } moreover { assume "(\z\ AuB. les z z2 \(\y\AuB. \les y z))" then obtain z where zAB : "z\ AuB" and zz2_zMin : "les z z2 \(\y\AuB. \les y z)" by (rule bexE) have zMin : "\y\AuB. \les y z" using zz2_zMin by (rule conjunct2) have zz2 : "les z z2" using zz2_zMin by (rule conjunct1) hence zx : "les z x" using z2x by (rule les_trans) hence zx_zMin : "les z x \(\y\AuB. \les y z)" using zMin by (rule conjI) hence ?thesis using zAB by (rule bexI) } ultimately show ?thesis by (rule disjE) } qed then obtain z where zAB : "z\ AuB" and zx_zMin : "les z x \(\y\AuB. \les y z)" by (rule bexE) have zMin : "(\y\AuB. \(les y z))" using zx_zMin by (rule conjunct2) hence zA'' : "z\?A''" using zAB by blast have zx : "les z x" using zx_zMin by (rule conjunct1) hence "x\{z'. les z z'}" by simp with ucone_def[symmetric] have "x\ucone les z" by (rule subst) hence "x\ \ ((ucone les) ` ?A'')" using zA'' by blast with uCone_def[symmetric] have "x\uCone les ?A''" by (rule subst) hence "x \ ?A''\(uCone les ?A'')" by simp } ultimately show "x \ ?A''\(uCone les ?A'')" by (rule disjE) qed (*1 to 2 days of work*) text_raw {*\DefineSnippet{lifttransitive}{*} lemma lift_transitive : (*Lemma 3 in note*) assumes les_irr : "\x. \ (les x x)" and les_trans : "\x y z. (les x y) \ (les y z) \ (les x z)" (*not needed: *) (* and les_antisym : "\x y. (les x y) \ \(les y x)"*) and AB : "lessP les A B" and BC : "lessP les B C" shows "lessP les A C" text_raw {*}%EndSnippet*} proof - (*first 20 or so lines resemble very much proof of liftAlt_asym*) (*Exhibit witness for "lessP les A B" and show its finiteness*) have "lessP les A B" by (rule AB) with lessP_def have lessP_AB_unfold : "(finite A \ (\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))))" by (rule subst) hence finiteA : "finite A" by (rule conjunct1) have "(\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A')))" using lessP_AB_unfold by (rule conjunct2) then obtain A' where A_witn : "A'\A-B \ A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))" by (rule exE) hence A_B : "A-(A'\(uCone les A')) = B-(A'\(uCone les A'))" by simp have AAminusB : "A'\A-B" using A_witn by (rule conjunct1) hence AA : "A'\A" by blast with finiteA have "finite A'" by (rule rev_finite_subset) moreover (*Exhibit witness for "lessP les B C" and show its finiteness*) have "lessP les B C" by (rule BC) with lessP_def have lessP_BC_unfold : "(finite B \ (\B'\B-C. B'\{} \ B-(B'\(uCone les B')) = C-(B'\(uCone les B'))))" by (rule subst) hence finiteB : "finite B" by (rule conjunct1) have "(\B'\B-C. B'\{} \ B-(B'\(uCone les B')) = C-(B'\(uCone les B')))" using lessP_BC_unfold by (rule conjunct2) then obtain B' where B_witn : "B'\B-C \ B'\{} \ B-(B'\(uCone les B')) = C-(B'\(uCone les B'))" by (rule exE) hence B_C : "B-(B'\(uCone les B')) = C-(B'\(uCone les B'))" by simp have BBminusC : "B'\B-C" using B_witn by (rule conjunct1) hence BB : "B'\B" by blast with finiteB have "finite B'" by (rule rev_finite_subset) (*Finiteness of A'\B'*) ultimately have finiteAB : "finite (A'\B')" by (rule finite_UnI) with les_trans and les_irr have "A'\B'\{} \ (\x\A'\B'. \y\A'\B'. \(les y x))" by (rule existsMin) moreover (*Non-emptyness of A'\B'*) { have "A'\{}" using A_witn by simp moreover have "B'\{}" using B_witn by simp ultimately have "A'\B'\{}" by simp } (*In consequence non-emptyness of A''=minimal elements of A'\B'*) ultimately have "\x\A'\B'. \y\A'\B'. \(les y x)" by (rule mp) hence Adashnonempty : "{x\A'\B'. \y\A'\B'. \(les y x)}\{}" (is "?A''\{}") by blast (*Will show that A'' witnesses "lessP les A C". Previous line is first part of that*) have Adash_AminusC : "?A''\A-C" (*Second part needed for A'' to witness "lessP les A C"*) proof (rule subsetI) fix x { assume xAdash : "x\?A''" hence xAorB : "x\A' \ x\B'" by blast have xMin : "\y\A'\B'. \(les y x)" using xAdash by blast show "x\A-C" proof (*not having - here means that Isabelle displays two subgoals x\A and x\C. I show those in reverse order wrt Stephane's note.*) show "x\A" proof (cases "x\A'") assume "x\A'" thus "x\A" using AA by blast next assume xnotAdash : "x\A'" hence "x\B'" using xAorB by simp hence xB : "x\B" using BB by blast have "x\uCone les A'" proof - { assume "x\uCone les A'" with uCone_def have "x\ \ ((ucone les) ` A')" by (rule subst) hence "\a\A'. x\ ucone les a" by blast then obtain a where aA : "a\A'" and x_ucone_a : "x\ ucone les a" by (rule bexE) have "x\ {z. les a z}" using ucone_def and x_ucone_a by (rule subst) hence "les a x" by simp with aA and xMin have "False" by blast } thus "x\uCone les A'" by (rule notI) qed with xnotAdash have "x\A'\uCone les A'" by blast moreover have "x\B" by (rule xB) ultimately show "x\A" using A_B by blast qed show "x\C" proof (cases "x\B'") assume "x\B'" thus "x\C" using BBminusC by blast next assume xnotBdash : "x\B'" hence "x\A'" using xAorB by simp hence xnotB : "x\B" using AAminusB by blast have "x\uCone les B'" proof - { assume "x\uCone les B'" with uCone_def have "x\ \ ((ucone les) ` B')" by (rule subst) hence "\b\B'. x\ ucone les b" by blast then obtain b where bB : "b\B'" and x_ucone_b : "x\ ucone les b" by (rule bexE) have "x\ {z. les b z}" using ucone_def and x_ucone_b by (rule subst) hence "les b x" by simp with bB and xMin have "False" by blast } thus "x\uCone les B'" by (rule notI) qed with xnotBdash have "x\B'\uCone les B'" by blast moreover have "x\B" by (rule xnotB) ultimately show "x\C" using B_C by blast qed qed } qed (*?A''\A-C*) (*Preliminary for showing A - (?A''\(uCone les ?A'')) = C - (?A''\(uCone les ?A'')), which is third part needed for A'' to witness "lessP les A C" : *) have "A'\A'\B'" by simp hence AuConeSubset : "A'\(uCone les A') \ ?A''\(uCone les ?A'')" using les_trans and les_irr and finiteAB by (rule subsetCones) have "B'\A'\B'" by simp hence BuConeSubset : "B'\(uCone les B') \ ?A''\(uCone les ?A'')" using les_trans and les_irr and finiteAB by (rule subsetCones) have A_C : "A - (?A''\(uCone les ?A'')) = C - (?A''\(uCone les ?A''))" (*Third part needed for A'' to witness "lessP les A C"*) proof (rule subset_antisym) show "A - (?A''\(uCone les ?A'')) \ C - (?A''\(uCone les ?A''))" proof (rule subsetI) fix x assume xAminusA'' : "x \ A - (?A''\(uCone les ?A''))" hence xA : "x \ A" by simp moreover have xNotuCone : "x \ ?A''\(uCone les ?A'')" using xAminusA'' by simp hence "x \ A'\(uCone les A')" using AuConeSubset by blast ultimately have "x \ A-(A'\(uCone les A'))" by simp with A_B have "x \ B-(A'\(uCone les A'))" by (rule subst) hence xB : "x \ B" by simp moreover have "x \ B'\(uCone les B')" using BuConeSubset and xNotuCone by blast ultimately have "x \ B-(B'\(uCone les B'))" by simp with B_C have "x \ C-(B'\(uCone les B'))" by (rule subst) hence "x \ C" by simp thus "x \ C - (?A''\(uCone les ?A''))" using xNotuCone by simp qed show "C - (?A''\(uCone les ?A'')) \ A - (?A''\(uCone les ?A''))" proof (rule subsetI) fix x assume xCminusA'' : "x \ C - (?A''\(uCone les ?A''))" hence xC : "x \ C" by simp moreover have xNotuCone : "x \ ?A''\(uCone les ?A'')" using xCminusA'' by simp hence "x \ B'\(uCone les B')" using BuConeSubset by blast ultimately have "x \ C-(B'\(uCone les B'))" by simp with B_C[symmetric] have "x \ B-(B'\(uCone les B'))" by (rule subst) hence xB : "x \ B" by simp moreover have "x \ A'\(uCone les A')" using AuConeSubset and xNotuCone by blast ultimately have "x \ B-(A'\(uCone les A'))" by simp with A_B[symmetric] have "x \ A-(A'\(uCone les A'))" by (rule subst) hence "x \ A" by simp thus "x \ A - (?A''\(uCone les ?A''))" using xNotuCone by simp qed qed (*Now put the results together:*) have "?A''\{} \ A - (?A''\(uCone les ?A'')) = C - (?A''\(uCone les ?A''))" using Adashnonempty and A_C by (rule conjI) hence "(\A''\A-C. A''\{} \ A-(A''\(uCone les A'')) = C-(A''\(uCone les A'')))" using Adash_AminusC by blast with finiteA have "(finite A \ (\A''\A-C. A''\{} \ A-(A''\(uCone les A'')) = C-(A''\(uCone les A''))))" by (rule conjI) with lessP_def[symmetric] show ?thesis by (rule subst) qed (*I also have an independent proof (at the end of the file) but in fact it is a simple corollary of transitivity and irreflexivity:*) lemma lift_asym : (*Lemma 3 in note*) assumes les_irr : "\x. \ (les x x)" and les_trans : "\x y z. (les x y) \ (les y z) \ (les x z)" and AB : "lessP les A B" and finiteA : "finite A" and finiteB : "finite B" assumes AB : "lessP les A B" shows "\(lessP les B A)" proof - { assume BA : "lessP les B A" have "lessP les B B" using les_irr and les_trans and BA and AB by (rule lift_transitive) moreover have "\(lessP les B B)" by (rule lift_irreflexive) ultimately have "False" by simp } thus ?thesis by (rule notI) qed (*Used once in proof of main theorem but maybe in an irrelevant branch*) lemma lift_subset : assumes BsubA : "B \ A" and finiteA : "finite A" shows "lessP les A B" proof - have "A-B\{}" using BsubA by blast (*A-B is witness for "lessP les A B"*) moreover have "A-(A-B) = B-(A-B)" using BsubA by blast hence "A-((A-B)\(uCone les (A-B))) = B-((A-B)\(uCone les (A-B)))" by blast moreover have "A-B\A-B" by simp ultimately have "(\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A')))" by blast with finiteA have "(finite A \ (\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))))" by (rule conjI) thus ?thesis using lessP_def by blast qed (*construction needed later in proof of main theorem: Given a set A and an element a, put in all elements from U that are better than a, and remove a*) text_raw {*\DefineSnippet{replaceWithPreferred}{*} definition replaceWithPreferred :: "('a \ 'a \ bool) \ 'a \ 'a set \ 'a set \ 'a set" where "replaceWithPreferred les a A U = (A \ {a'\U. les a a'})-{a}" text_raw {*}%EndSnippet*} (*24.2.17*) lemma replaceStaysFinite : assumes finiteA : "finite A" and finiteU : "finite U" shows "finite (replaceWithPreferred les a A U)" proof - have "finite {a'\U. les a a'}" using finiteU by simp hence "finite (A \ {a'\U. les a a'})" using finiteA by simp hence "finite ((A \ {a'\U. les a a'})-{a})" by simp with replaceWithPreferred_def[symmetric] show ?thesis by (rule subst) qed (*24.2.17*) lemma replaceRetrieve : assumes aA : "a\A" shows "A - (replaceWithPreferred les a A U) = {a}" proof - thm subst[of "replaceWithPreferred les a A U" "A \ {a'\U. les a a'}" "\x. A -x = A -x"] thm arg_cong[of "replaceWithPreferred les a A U" "A \ {a'\U. les a a'}" "\x. A -x"] have "A - (replaceWithPreferred les a A U) = A - ((A \ {a'\U. les a a'})-{a})" using replaceWithPreferred_def by (rule arg_cong[of "replaceWithPreferred les a A U" "(A \ {a'\U. les a a'})-{a}" "\x. A -x"]) (*can't find unifier?*) also have "... = {a}" using aA by blast finally show ?thesis . qed (*The set A' constructed from player1's preferred set is even better than A. This truly deserves a lemma of its own*) text_raw {*\DefineSnippet{replaceIsPreferred}{*} lemma replaceIsPreferred : assumes a_A : "a\A" and finiteA : "finite A" shows "lessP les A (replaceWithPreferred les a A U)" text_raw {*}%EndSnippet*} proof - have "replaceWithPreferred les a A U = (A \ {a'\U. les a a'})-{a}" by (rule replaceWithPreferred_def) also have "((A \ {a'\U. les a a'})-{a}) - A = ((A \ {a'\U. les a a'})-A) - {a}" by blast also have "(A \ {a'\U. les a a'})-A = {a'\U-A. les a a'}" by blast finally have "(replaceWithPreferred les a A U) - A = {a'\U-A. les a a'}-{a}" . hence "\b\(replaceWithPreferred les a A U) - A. les a b" by blast moreover { have "replaceWithPreferred les a A U = (A \ {a'\U. les a a'})-{a}" by (rule replaceWithPreferred_def) also have "A - ... = {a}" using a_A by blast finally have "A - replaceWithPreferred les a A U = {a}" . } hence "a \ A - replaceWithPreferred les a A U" by blast ultimately have "\a' \ A - replaceWithPreferred les a A U. \b \ (replaceWithPreferred les a A U) - A. les a' b" by (rule bexI) with lessPOrig_def[symmetric] have "lessPOrig les A (replaceWithPreferred les a A U)" by (rule subst) thus ?thesis using finiteA by (rule twoLiftings) qed text_raw {*\DefineSnippet{gameform}{*} (*We define "game form"*) type_synonym ('O,'S1,'S2) game_form = "('S1 * 'S2) \ 'O" (*But that's just the outcome function*) text_raw {*}%EndSnippet*} text_raw {*\DefineSnippet{game}{*} (*A game is a game form plus the preferences of each player*) type_synonym ('O,'S1,'S2) game = "('O \ 'O \ bool) * ('O \ 'O \ bool) * (('O,'S1,'S2) game_form)" text_raw {*}%EndSnippet*} definition pref1 :: "('O,'S1,'S2) game \ ('O \ 'O \ bool)" where "pref1 = fst" definition pref2 :: "('O,'S1,'S2) game \ ('O \ 'O \ bool)" where "pref2 = (fst \ snd)" definition form :: "('O,'S1,'S2) game \ ('S1 * 'S2) \ 'O" where "form = (snd \ snd)" text_raw {*\DefineSnippet{isNash}{*} definition isNash :: "(('O,'S1,'S2) game) \ 'S1 \ 'S2 \ bool" where "isNash g s1 s2 = ((\s1'. \(pref1 g) ((form g) (s1,s2)) ((form g) (s1',s2))) \ (\s2'. \(pref2 g) ((form g) (s1,s2)) ((form g) (s1,s2'))))" text_raw {*}%EndSnippet*} (*added for R-extension*) (*win/lose game determined via R1 and R2*) (*Probably someone_wins (below) could be adapted to use this concept, without big difficulty*) text_raw {*\DefineSnippet{determined}{*} definition determined :: "((bool,'S1,'S2) game) \ ('S1 set) \ ('S2 set) \ bool" where "determined g R1 R2 = ((\s1\R1. \s2. (form g) (s1,s2) = True) \ (\s2\R2. \s1. (form g) (s1,s2) = False))" text_raw {*}%EndSnippet*} (*I also defined a predicate isWLGame but this is never used in sequel since derivedWLGame fulfils it by construction*) text_raw {*\DefineSnippet{derivedWLGame}{*} definition derivedWLGame :: "(('O,'S1,'S2) game_form) \ ('O set) \ ((bool,'S1,'S2) game)" where "derivedWLGame gf Ou = ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)" text_raw {*}%EndSnippet*} (*added for R-extension*) (*needed at all?*) lemma extractForm : shows "form (derivedWLGame gf Ou) = (\ou. ou\Ou)\gf" proof - have "form (derivedWLGame gf Ou) = form ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)" using derivedWLGame_def by (rule arg_cong) also have "... = (snd\snd) ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)" using form_def by (rule arg_cong) also have "... = (\ou. ou\Ou)\gf" by simp finally show "form (derivedWLGame gf Ou) = (\ou. ou\Ou)\gf" . qed (*In a win-lose game, existence of a Nash equilibrium means that one of the players has a winning strategy. One direction of Remark 1.4/Remark 4 I had doubts whether we need this lemma but it appears to be used several times. Needed?*) text_raw {*\DefineSnippet{someonewins}{*} lemma someone_wins : assumes isNashWL : "isNash ((derivedWLGame gf Ou)::((bool,'S1,'S2) game)) s1 s2" (is "isNash ?wlG s1 s2") shows "(\s2'. (form ?wlG) (s1,s2') = True) \ (\s1'. (form ?wlG) (s1',s2) = False)" text_raw {*}%EndSnippet*} proof (cases "(form ?wlG) (s1,s2) = True") (*Whether player1 wins*) assume wins1 : "(form ?wlG) (s1,s2) = True" (*player 1 wins*) have "(\s2'. (form ?wlG) (s1,s2') = True)" proof - have "((\s1'. \(pref1 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2))) \ (\s2'. \(pref2 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2'))))" using isNash_def and isNashWL by (rule subst) hence "(\s2'. \(pref2 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2')))" by (rule conjunct2) with derivedWLGame_def have "(\s2'. \(pref2 ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2'))))" by (rule subst) with pref2_def have "(\s2'. \((fst \ snd) ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2'))))" by (rule subst[of pref2]) hence "(\s2'. \(\ ou p. ou\\p) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2')))" by simp hence "(\s2'. \( ((form ?wlG) (s1,s2)) \ \((form ?wlG) (s1,s2'))))" by simp (*beta reduction*) thus "(\s2'. ((form ?wlG) (s1,s2')) = True)" using wins1 by blast qed thus ?thesis by (rule disjI1) next (*rest symmetric*) assume "\((form ?wlG) (s1,s2) = True)" hence wins2 : "(form ?wlG) (s1,s2) = False" by simp (*player 2 wins*) have "(\s1'. (form ?wlG) (s1',s2) = False)" proof - have "((\s1'. \(pref1 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2))) \ (\s2'. \(pref2 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1,s2'))))" using isNash_def and isNashWL by (rule subst) hence "(\s1'. \(pref1 ?wlG) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2)))" by (rule conjunct1) with derivedWLGame_def have "(\s1'. \(pref1 ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2))))" by (rule subst) with pref1_def have "(\s1'. \(fst ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2))))" by (rule subst[of pref1]) hence "(\s1'. \(\ ou p. p\\ou) ((form ?wlG) (s1,s2)) ((form ?wlG) (s1',s2)))" by simp hence "(\s1'. \( ((form ?wlG) (s1',s2)) \ \((form ?wlG) (s1,s2))))" by simp (*beta reduction*) thus "(\s1'. ((form ?wlG) (s1',s2)) = False)" using wins2 by blast qed thus ?thesis by (rule disjI2) qed (*added for R-extension*) (*game form determined via R1 and R2*) text_raw {*\DefineSnippet{determinedForm}{*} definition determinedForm :: "(('O,'S1,'S2) game_form) \ ('S1 set) \ ('S2 set) \ bool" where "determinedForm gf R1 R2 = (\ Ou. determined (derivedWLGame gf Ou) R1 R2)" text_raw {*}%EndSnippet*} (*Note that the bigger a set the easier it is to enforce.*) (*notion from paper but in my formal development I prefer an exact notion of enforcement.*) definition canEnforce1 :: "(('O,'S1,'S2) game_form) \ ('O set) \ bool" where "canEnforce1 f Ou = (\s1. \s2. f(s1,s2)\Ou)" definition canEnforce2 :: "(('O,'S1,'S2) game_form) \ ('O set) \ bool" where "canEnforce2 f Ou = (\s2. \s1. f(s1,s2)\Ou)" (*This is aimed at exact enforcement not an overapproximation*) text_raw {*\DefineSnippet{enforceSet}{*} definition enforceSet1 :: "(('O,'S1,'S2) game_form) \ 'S1 \ ('O set)" where "enforceSet1 f s1 = {ou. \s2. f(s1,s2) = ou}" text_raw {*}%EndSnippet*} definition enforceSet2 :: "(('O,'S1,'S2) game_form) \ 'S2 \ ('O set)" where "enforceSet2 f s2 = {ou. \s1. f(s1,s2) = ou}" lemma enforceSet1_range : shows "enforceSet1 f s1 \ range f" proof - have "enforceSet1 f s1 = {ou. \s2. f(s1,s2) = ou}" by (rule enforceSet1_def) also have "... = {ou. \s\ ({s1}\UNIV). ou = f s}" using enforceSet1_def by blast also have "... \ range f" by blast finally show ?thesis . qed lemma enforceSet1_nonempty : shows "\s1. enforceSet1 f s1 \ {}" proof - { fix s1 have "enforceSet1 f s1 = {ou. \s2. f(s1,s2) = ou}" by (rule enforceSet1_def) also have "... = {ou. \s\ ({s1}\UNIV). ou = f s}" using enforceSet1_def by blast also have "... \ {}" by blast finally have "enforceSet1 f s1 \ {}" . } thus ?thesis by (rule allI) qed lemma enforceSet2_nonempty : shows "\s2. enforceSet2 f s2 \ {}" proof - { fix s2 have "enforceSet2 f s2 = {ou. \s1. f(s1,s2) = ou}" by (rule enforceSet2_def) also have "... = {ou. \s\ (UNIV\{s2}). ou = f s}" using enforceSet2_def by blast also have "... \ {}" by blast finally have "enforceSet2 f s2 \ {}" . } thus ?thesis by (rule allI) qed (*needed at all?*) text_raw {*\DefineSnippet{enforceSets}{*} definition enforceSets1 :: "(('O,'S1,'S2) game_form) \ ('O set set)" where "enforceSets1 f = range (enforceSet1 f)" text_raw {*}%EndSnippet*} (*If you prefer : {Ou. \s1. enforceSet1 f s1 = Ou}*) definition enforceSets2 :: "(('O,'S1,'S2) game_form) \ ('O set set)" where "enforceSets2 f = range (enforceSet2 f)" (*image_is_empty could be used*) lemma enforceSets1_nonempty : shows "enforceSets1 f \ {}" proof - have "enforceSets1 f = (enforceSet1 f) ` UNIV" by (rule enforceSets1_def) thus ?thesis by blast qed (*This is not used. I use enforceSets1_witness instead*) lemma enforceSets1_members_nonempty : shows "{} \ enforceSets1 f" proof - { assume wrong_hyp : "{} \ enforceSets1 f" have "\(\s1. enforceSet1 f s1 = {})" using enforceSet1_nonempty by simp moreover have "{}\(enforceSet1 f) ` UNIV" using enforceSets1_def and wrong_hyp by (rule subst) hence "\s1. enforceSet1 f s1 = {}" by blast ultimately have "False" by (rule notE) } thus ?thesis by (rule notI) qed (*proof reuses idea from enforceSets1_members_nonempty*) lemma enforceSets1_witness : assumes M_enforceSets1 : "M\enforceSets1 f" shows "\s1. enforceSet1 f s1 = M" proof - have "M\(enforceSet1 f) ` UNIV" using enforceSets1_def and M_enforceSets1 by (rule subst) thus ?thesis by blast qed (*added for R-extension*) lemma enforceSets2_witness : assumes M_enforceSets2 : "M\enforceSets2 f" shows "\s2. enforceSet2 f s2 = M" proof - have "M\(enforceSet2 f) ` UNIV" using enforceSets2_def and M_enforceSets2 by (rule subst) thus ?thesis by blast qed lemma enforceSets1_range : shows "enforceSets1 f \ Pow (range f)" proof - have "\s1. enforceSet1 f s1 \ range f" by (rule enforceSet1_range) hence "range (enforceSet1 f) \ Pow (range f)" by blast with enforceSets1_def[symmetric] show ?thesis by (rule subst) qed (*Added for R-extension*) lemma enforceSetsR1_range : shows "(enforceSet1 f) ` R1 \ Pow (range f)" proof - have "\s1. enforceSet1 f s1 \ range f" by (rule enforceSet1_range) hence "range (enforceSet1 f) \ Pow (range f)" by blast thus "(enforceSet1 f) `R1 \ Pow (range f)" by blast qed (*added for R-extension*) (*needed?*) lemma enforceComplements : assumes enforcesM : "M \ enforceSets1 (form g)" shows "\M2\range (form g) - M. M2\ enforceSets2 (form g)" proof fix M2 have "\s1. enforceSet1 (form g) s1 = M" using enforcesM by (rule enforceSets1_witness) then obtain s1 where s1EnforcesM : "enforceSet1 (form g) s1 = M" by (rule exE) { assume M2DisjM : "M2\range (form g) - M" have "M2\ enforceSets2 (form g)" proof assume "M2 \ enforceSets2 (form g)" hence "\s2. enforceSet2 (form g) s2 = M2" by (rule enforceSets2_witness) then obtain s2 where s2EnforcesM2 : "enforceSet2 (form g) s2 = M2" by (rule exE) with enforceSet2_def have "{ou. \s1. (form g)(s1,s2) = ou} = M2" by (rule subst) hence "(form g)(s1,s2) \ M2" by blast hence "(form g)(s1,s2) \ M" using M2DisjM by blast moreover have "{ou. \s2. (form g)(s1,s2) = ou} = M" using enforceSet1_def and s1EnforcesM by (rule subst) hence "(form g)(s1,s2) \ M" by blast ultimately show False by (rule notE) qed } thus "M2\range (form g) - M \ M2\ enforceSets2 (form g)" by (rule impI) qed (*Added for R-extension*) (*One direction of Lemma 6 in paper*) text_raw {*\DefineSnippet{determinedFormViaImplEnforceOutc}{*} lemma determined_form_via_impl_enforce_outc : assumes det : "determinedForm gf R1 R2" shows "(\ Ou. (\s1\R1. enforceSet1 gf s1 \ Ou)\ (\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou))" text_raw {*}%EndSnippet*} proof fix Ou have "(\ Ou. determined (derivedWLGame gf Ou) R1 R2)" using determinedForm_def and det by (rule subst) hence "determined (derivedWLGame gf Ou) R1 R2" by (rule spec) with determined_def have "((\s1\R1. \s2. (form (derivedWLGame gf Ou)) (s1,s2) = True) \ (\s2\R2. \s1. (form (derivedWLGame gf Ou)) (s1,s2) = False))" by (rule subst) moreover { assume "\s1\R1. \s2. (form (derivedWLGame gf Ou)) (s1,s2) = True" with extractForm have "\s1\R1. \s2. ((\ou. ou\Ou)\gf) (s1,s2) = True" by (rule subst[of "form (derivedWLGame gf Ou)"]) then obtain s1 where s1R1 : "s1\R1" and s1winning : "\s2. ((\ou. ou\Ou)\gf) (s1,s2) = True" by (rule bexE) have "\s2. gf (s1,s2) \ Ou" using s1winning by simp hence "{ou. \s2. gf (s1,s2) = ou} \ Ou" by blast with enforceSet1_def[symmetric] have "enforceSet1 gf s1 \ Ou" by (rule subst) hence "\s1\R1. enforceSet1 gf s1 \ Ou" using s1R1 by (rule bexI) hence "(\s1\R1. enforceSet1 gf s1 \ Ou)\(\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou)" by (rule disjI1) } moreover { assume "\s2\R2. \s1. (form (derivedWLGame gf Ou)) (s1,s2) = False" with extractForm have "\s2\R2. \s1. ((\ou. ou\Ou)\gf) (s1,s2) = False" by (rule subst[of "form (derivedWLGame gf Ou)"]) then obtain s2 where s2R2 : "s2\R2" and s2winning : "\s1. ((\ou. ou\Ou)\gf) (s1,s2) = False" by (rule bexE) have "\s1. gf (s1,s2) \ Ou" using s2winning by simp hence "{ou. \s1. gf (s1,s2) = ou} \ (range gf) - Ou" by blast with enforceSet2_def[symmetric] have "enforceSet2 gf s2 \ (range gf) - Ou" by (rule subst) hence "\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou" using s2R2 by (rule bexI) hence "(\s1\R1. enforceSet1 gf s1 \ Ou)\(\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou)" by (rule disjI2) } ultimately show "(\s1\R1. enforceSet1 gf s1 \ Ou)\(\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou)" by (rule disjE) qed (*Corollary of determined_form_via_imp_enforce_outc*) lemma via_nonempty : assumes det : "determinedForm gf R1 R2" shows "R1\{}\R2\{}" proof have "(\ Ou. (\s1\R1. enforceSet1 gf s1 \ Ou)\(\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou))" using det by (rule determined_form_via_impl_enforce_outc) hence "(\s1\R1. enforceSet1 gf s1 \ (range gf))\ (\s2\R2. enforceSet2 gf s2 \ (range gf) - (range gf))" by (rule spec) hence "(\s1\R1. enforceSet1 gf s1 \ (range gf))\ (\s2\R2. enforceSet2 gf s2 = {})" by simp moreover have "\s2. enforceSet2 gf s2 \ {}" by (rule enforceSet2_nonempty) hence "\ (\s2\R2. enforceSet2 gf s2 = {})" by simp ultimately have "\s1\R1. enforceSet1 gf s1 \ (range gf)" by blast (*A\B, \B \ A*) thus "R1 \ {}" by blast next (* subgoal R2 \ {}"*) have "(\ Ou. (\s1\R1. enforceSet1 gf s1 \ Ou)\(\s2\R2. enforceSet2 gf s2 \ (range gf) - Ou))" using det by (rule determined_form_via_impl_enforce_outc) hence "(\s1\R1. enforceSet1 gf s1 \ {})\ (\s2\R2. enforceSet2 gf s2 \ (range gf) - {})" by (rule spec) hence "(\s1\R1. enforceSet1 gf s1 = {})\ (\s2\R2. enforceSet2 gf s2 \ (range gf) - {})" by simp moreover have "\s1. enforceSet1 gf s1 \ {}" by (rule enforceSet1_nonempty) hence "\ (\s1\R1. enforceSet1 gf s1 = {})" by simp ultimately have "\s2\R2. enforceSet2 gf s2 \ (range gf) - {}" by blast (*A\B, \B \ A*) thus "R2 \ {}" by blast qed text_raw {*\DefineSnippet{equilibriumtransferfinite}{*} theorem equilibrium_transfer_finite : assumes finiteO : "finite (range (form g))" and trans1 : "\a b c. (pref1 g) a b \ (pref1 g) b c \ (pref1 g) a c" and irref1 : "\a. \(pref1 g) a a" and trans2 : "\a b c. (pref2 g) a b \ (pref2 g) b c \ (pref2 g) a c" and irref2 : "\a. \(pref2 g) a a" and det : "determinedForm (form g) R1 R2" shows "\s1\R1. \s2\R2. isNash g s1 s2" text_raw {*}%EndSnippet*} proof - have "R1\{}\R2\{}" using det by (rule via_nonempty) hence nonemptyR1 : "R1\{}" by (rule conjunct1) have enforceSetsR1Finite : "finite ((enforceSet1 (form g)) ` R1)" proof - have "(enforceSet1 (form g)) ` R1 \ Pow (range (form g))" by (rule enforceSetsR1_range) moreover have "finite (range (form g))" by (rule finiteO) with finite_Pow_iff[symmetric] have "finite (Pow (range (form g)))" by (rule subst) ultimately show "finite ((enforceSet1 (form g)) ` R1)" by (rule finite_subset) qed have pref1_lift_trans : "\A B C. (lessP (pref1 g) A B) \ (lessP (pref1 g) B C) \ (lessP (pref1 g) A C)" using lift_transitive and trans1 and irref1 by blast have "(enforceSet1 (form g)) ` R1 \{} \ (\M\(enforceSet1 (form g)) ` R1. (\M'\(enforceSet1 (form g)) ` R1. \(lessP (pref1 g) M M')))" using pref1_lift_trans and lift_irreflexive and enforceSetsR1Finite by (rule existsMax) moreover have "(enforceSet1 (form g)) ` R1\{}" using nonemptyR1 by blast (*M is preferred set player1 can enforce using R1*) ultimately have max1set : "\M\(enforceSet1 (form g)) ` R1. (\M'\(enforceSet1 (form g)) ` R1. \(lessP (pref1 g) M M'))" by (rule mp) then obtain M where M_enforceSetsR1 : "M\(enforceSet1 (form g)) ` R1" and M_is_max1 : "\M'\(enforceSet1 (form g)) ` R1. \(lessP (pref1 g) M M')" by (rule bexE) have "\s1\ R1. enforceSet1 (form g) s1 = M" using M_enforceSetsR1 by blast (*Will need s1 later ? Yes.*) then obtain s1 where s1R1 : "s1\R1" and s1_witness : "enforceSet1 (form g) s1 = M" by (rule bexE) have "M\range (form g)" using s1_witness and enforceSet1_range by (rule subst) hence finiteM : "finite M" using finiteO by (rule finite_subset) with trans2 and irref2 have "M\{} \ (\m\M. (\y'\M. \((pref2 g) m y')))" by (rule existsMax) moreover have "enforceSet1 (form g) s1 \ {}" using enforceSet1_nonempty by (rule spec) with s1_witness have "M\{}" by (rule subst) ultimately have "(\m\M. (\y'\M. \((pref2 g) m y')))" by (rule mp) then obtain m where m_M : "m\M" and m_is_max2 : "\y'\M. \((pref2 g) m y')" by (rule bexE) let ?M' = "replaceWithPreferred (pref1 g) m M (range (form g))" have finiteM' : "finite ?M'" using finiteM and finiteO by (rule replaceStaysFinite) have cannot_enforce_Mdash : "\Msub. Msub\?M' \ Msub \ (enforceSet1 (form g)) ` R1" proof - { fix Msub { assume Msub_sub : "Msub\?M'" { assume "Msub \ (enforceSet1 (form g)) ` R1" with M_is_max1 have "\(lessP (pref1 g) M Msub)" by (rule bspec) moreover have "lessP (pref1 g) M Msub" (*Don't we have lessP (pref1 g) M ?M' by construction AND lessP (pref1 g) ?M Msub because Msub\?M and hence lessP (pref1 g) M Msub by transitivity ? *) proof (cases "Msub\?M'") assume "Msub\?M'" hence Mdash_Msub : "lessP (pref1 g) ?M' Msub" using finiteM' by (rule lift_subset) have M_Mdash : "lessP (pref1 g) M ?M'" using m_M and finiteM by (rule replaceIsPreferred) show "lessP (pref1 g) M Msub" using irref1 and trans1 and M_Mdash and Mdash_Msub by (rule lift_transitive) next assume "\ Msub\?M'" hence "?M' = Msub" using Msub_sub by blast moreover have "lessP (pref1 g) M ?M'" using m_M and finiteM by (rule replaceIsPreferred) ultimately show "lessP (pref1 g) M Msub" by (rule subst) qed ultimately have "False" by (rule notE) } hence "Msub \ (enforceSet1 (form g)) ` R1" by (rule notI) } hence "Msub\?M' \ Msub \ (enforceSet1 (form g)) ` R1" by (rule impI) } thus "\Msub. Msub\?M' \ Msub \ (enforceSet1 (form g)) ` R1" by (rule allI) qed (*Just a bit of massage of cannot_enforce_Mdash*) hence "\Msub. Msub\?M' \ \ (\s1\R1. Msub = enforceSet1 (form g) s1)" by blast hence cannot_enforce_Mdash_alt : "\ (\s1\R1. enforceSet1 (form g) s1 \?M')" by blast (*Since player 1 cannot enforce ?M', player can enforce the complement*) have "(\ Ou. (\s1\R1. enforceSet1 (form g) s1 \ Ou)\ (\s2\R2. enforceSet2 (form g) s2 \ (range (form g)) - Ou))" using det by (rule determined_form_via_impl_enforce_outc) hence "(\s1\R1. enforceSet1 (form g) s1 \ ?M')\ (\s2\R2. enforceSet2 (form g) s2 \ (range (form g)) - ?M')" by (rule spec) hence "(\s2\R2. enforceSet2 (form g) s2 \ (range (form g)) - ?M')" using cannot_enforce_Mdash_alt by blast then obtain s2 where s2R2 : "s2\R2" and s2_witness : "enforceSet2 (form g) s2 \ (range (form g)) - ?M'" by (rule bexE) have outcome_m : "(form g) (s1,s2) = m" proof - have "(form g) (s1,s2) \ {ou. \s2. (form g) (s1,s2) = ou}" by blast with enforceSet1_def[symmetric] have "(form g) (s1,s2) \ enforceSet1 (form g) s1" by (rule subst) with s1_witness have outcome_M : "(form g) (s1,s2) \ M" by (rule subst) moreover have "(form g) (s1,s2) \ {ou. \s1. (form g) (s1,s2) = ou}" by blast with enforceSet2_def[symmetric] have "(form g) (s1,s2) \ enforceSet2 (form g) s2" by (rule subst) with s2_witness have outcome_not_Mdash : "(form g) (s1,s2) \ ?M'" by blast ultimately have "(form g) (s1,s2) \ M-?M'" by simp moreover have "M-?M' = {m}" using m_M by (rule replaceRetrieve) ultimately show "(form g) (s1,s2) = m" using replaceWithPreferred_def by blast qed have s1s2nd_is_Nash : "isNash g s1 s2" proof - have "(\s1'. \(pref1 g) ((form g) (s1,s2)) ((form g) (s1',s2)))" (*first half of Nash def*) proof (rule allI) fix s1' { assume "(pref1 g) ((form g) (s1,s2)) ((form g) (s1',s2))" with outcome_m have m_s1' : "(pref1 g) m ((form g) (s1',s2))" by (rule subst) hence "((form g) (s1',s2))\{a'\(range (form g)). (pref1 g) m a'}" by simp (*wow*) hence "((form g) (s1',s2))\M \{a'\(range (form g)). (pref1 g) m a'}" by simp (*M => M - m ? SLR*) hence "((form g) (s1',s2))\{m} \ ((form g) (s1',s2))\(M \{a'\(range (form g)). (pref1 g) m a'})-{m}" by simp (*wow*) moreover { assume "((form g) (s1',s2))\{m}" hence "((form g) (s1',s2)) = m" by simp hence "(pref1 g) m m" using m_s1' by (rule subst) hence "False" using irref1 by simp } moreover { assume "((form g) (s1',s2))\(M \{a'\(range (form g)). (pref1 g) m a'})-{m}" also have "(M \{a'\(range (form g)). (pref1 g) m a'})-{m} = ?M'" by (rule replaceWithPreferred_def[symmetric]) finally have "((form g) (s1',s2))\?M'" . moreover have "(form g) (s1',s2) \ {ou. \s1. (form g) (s1,s2) = ou}" by blast with enforceSet2_def[symmetric] have "(form g) (s1',s2) \ enforceSet2 (form g) s2" by (rule subst) ultimately have "(enforceSet2 (form g) s2) \ ?M' \ {}" by blast hence "False" using s2_witness by blast } ultimately have "False" by (rule disjE) } thus "\ (pref1 g) ((form g) (s1,s2)) ((form g) (s1',s2))" by (rule notI) qed moreover have "(\s2'. \(pref2 g) ((form g) (s1,s2)) ((form g) (s1,s2')))" (*second half of Nash def*) proof (rule allI) fix s2' have "M = enforceSet1 (form g) s1" by (rule s1_witness[symmetric]) also have "... = {ou. \s2. (form g) (s1,s2) = ou}" by (rule enforceSet1_def) finally have "M = {ou. \s2. (form g) (s1,s2) = ou}" . hence "((form g) (s1,s2'))\M" by blast moreover have "\y'\M. \((pref2 g) m y')" by (rule m_is_max2) ultimately have "\((pref2 g) m ((form g) (s1,s2')))" by (rule bspec[rotated 1]) (*I also tried to prove the hypothesis of bspec in a different order but did not work.*) with outcome_m[symmetric] show "\((pref2 g) ((form g) (s1,s2)) ((form g) (s1,s2')))" by (rule subst) qed ultimately have "(\s1'. \(pref1 g) ((form g) (s1,s2)) ((form g) (s1',s2))) \ (\s2'. \(pref2 g) ((form g) (s1,s2)) ((form g) (s1,s2')))" by (rule conjI) with isNash_def[symmetric] show "isNash g s1 s2" by (rule subst) qed hence "\s2 \ R2. isNash g s1 s2" using s2R2 by (rule bexI) thus "\s1\R1. \s2\R2. isNash g s1 s2" using s1R1 by (rule bexI) qed (* ARCHIVE OF UNNEEDED PROOFS: *) (*Same as lift_antisym but with independent, quite complicated proof.*) lemma liftAlt_asym : (*Lemma 3 in note*) (*It's not so elegant that the lemma has so many hypotheses but the aim is to require only what is really needed for the proof.*) assumes les_irr : "\x. \ (les x x)" and les_trans : "\x y z. (les x y) \ (les y z) \ (les x z)" and AB : "lessP les A B" and finiteA : "finite A" and finiteB : "finite B" shows "\(lessP les B A)" proof - { assume "lessP les B A" (*to derive a contradiction*) with lessP_def have "(finite B \ (\B'\B-A. B'\{} \ B-(B'\(uCone les B')) = A-(B'\(uCone les B'))))" by (rule subst) hence "\B'\B-A. B'\{} \ B-(B'\(uCone les B')) = A-(B'\(uCone les B'))" by (rule conjunct2) then obtain B' where B_witn : "B'\B-A \ B'\{} \ B-(B'\(uCone les B')) = A-(B'\(uCone les B'))" by (rule exE) have "lessP les A B" by (rule AB) with lessP_def have "(finite A \ (\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))))" by (rule subst) hence "\A'\A-B. A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))" by (rule conjunct2) then obtain A' where A_witn : "A'\A-B \ A'\{} \ A-(A'\(uCone les A')) = B-(A'\(uCone les A'))" by (rule exE) (*finiteness of A'\B'*) hence AAminusB : "A'\A-B" by (rule conjunct1) hence AA : "A'\A" by blast with finiteA have "finite A'" by (rule rev_finite_subset) moreover have BBminusA : "B'\B-A" using B_witn by (rule conjunct1) hence BB : "B'\B" by blast with finiteB have "finite B'" by (rule rev_finite_subset) ultimately have finiteWitn : "finite (A'\B')" by (rule finite_UnI) with les_trans and les_irr have "A'\B'\{} \ (\x\A'\B'. \y\A'\B'. \(les y x))" by (rule existsMin) moreover (*Non-emptyness of A'\B'*) { have "A'\{}" using A_witn by simp moreover have "B'\{}" using B_witn by simp ultimately have "A'\B'\{}" by simp } ultimately have "\x\A'\B'. \y\A'\B'. \(les y x)" by (rule mp) then obtain x where xAB : "x\A'\B'" and xMin : "\y\A'\B'. \(les y x)" by (rule bexE) have xAorB : "x\A' \ x\B'" using xAB by simp moreover { assume xA' : "x\A'" hence xnotB : "x\B" using AAminusB by blast hence "x\B'" using BB by blast moreover have "x\ uCone les B'" proof - { assume "x\ uCone les B'" with uCone_def have "x\ \ ((ucone les) ` B')" by (rule subst) hence "\b\B'. x\ ucone les b" by blast then obtain b where bB : "b\B'" and x_ucone_b : "x\ ucone les b" by (rule bexE) have "x\ {z. les b z}" using ucone_def and x_ucone_b by (rule subst) hence "les b x" by simp with bB and xMin have "False" by blast } thus "x\ uCone les B'" by (rule notI) qed ultimately have "x\B'\uCone les B'" by simp moreover have "A-(B'\(uCone les B')) = B-(B'\(uCone les B'))" using B_witn by simp moreover have "x\A" using xA' and AA by blast ultimately have "x\B" by blast with xnotB have "False" by (rule notE) } moreover (*symmetric, in paper you simply write wlog*) { assume xB' : "x\B'" hence xnotA : "x\A" using BBminusA by blast hence "x\A'" using AA by blast moreover have "x\ uCone les A'" proof - { assume "x\ uCone les A'" with uCone_def have "x\ \ ((ucone les) ` A')" by (rule subst) hence "\a\A'. x\ ucone les a" by blast then obtain a where aA : "a\A'" and x_ucone_a : "x\ ucone les a" by (rule bexE) have "x\ {z. les a z}" using ucone_def and x_ucone_a by (rule subst) hence "les a x" by simp with aA and xMin have "False" by blast } thus "x\ uCone les A'" by (rule notI) qed ultimately have "x\A'\uCone les A'" by simp moreover have "A-(A'\(uCone les A')) = B-(A'\(uCone les A'))" using A_witn by simp moreover have "x\B" using xB' and BB by blast ultimately have "x\A" by blast with xnotA have "False" by (rule notE) } ultimately have "False" by (rule disjE) } thus ?thesis by (rule notI) qed (*Win-lose game: player prefers True, player 2 prefers False*) definition isWLGame :: "((bool,'S1,'S2) game) \ bool" where "isWLGame g = (((pref1 g) = (\ ou p. p\\ou)) \ ((pref2 g) = (\ ou p. \p\ou)))" (*useful for intuition but maybe never used in since derivedWLGame fulfils it by construction*) (*"Corollary" of someone_wins: In a win-lose game, existence of a Nash equilibrium means that the losing player is indifferent and hence any deviation on his part still gives a Nash equilibrium. Wow, the corollary has 88 lines of proof!*) (*It's never used, why did I think it might be useful?*) lemma nash_indifferent : assumes isNashWL : "isNash ((derivedWLGame gf Ou)::((bool,'S1,'S2) game)) s1 s2" (is "isNash ?wlG s1 s2") shows "(\s2''. isNash (?wlG::(bool,'S1,'S2) game) s1 s2'') \ (\s1''. isNash ?wlG s1'' s2)" proof (cases "(\s2''. form ?wlG (s1,s2'') = True)") (*To exploit someone_wins*) assume wins1 : "(\s2''. form ?wlG (s1,s2'') = True)" (*player 1 wins*) have "(\s2''. isNash ?wlG s1 s2'')" proof (rule allI) fix s2'' have "(\s1'. \(pref1 ?wlG) ((form ?wlG) (s1,s2'')) ((form ?wlG) (s1',s2'')))" (*first half of Nash def*) proof (rule allI) fix s1' have "True = form ?wlG (s1,s2'')" using wins1 by simp moreover have "\((\ ou p. p \\ou) True ((form ?wlG) (s1',s2'')))" by simp (*pl1 wins so s1' cannot be better*) ultimately have "\((\ ou p. p \\ou) (form ?wlG (s1,s2'')) ((form ?wlG) (s1',s2'')))" by (rule subst) hence "\((fst ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)) (form ?wlG (s1,s2'')) ((form ?wlG) (s1',s2'')))" by simp with derivedWLGame_def[symmetric] have "\((fst ?wlG) (form ?wlG (s1,s2'')) ((form ?wlG) (s1',s2'')))" by (rule subst) with pref1_def[symmetric] show "\((pref1 ?wlG) (form ?wlG (s1,s2'')) ((form ?wlG) (s1',s2'')))" by (rule subst[of fst pref1]) qed moreover have "(\s2'. \(pref2 ?wlG) ((form ?wlG) (s1,s2'')) ((form ?wlG) (s1,s2')))" (*second half of Nash def*) proof (rule allI) fix s2' have true1 : "True = form ?wlG (s1,s2'')" using wins1 by simp have true2 : "True = form ?wlG (s1,s2')" using wins1 by simp have "\((\ ou p. ou\\p) True True)" by simp (*pl2 loses anyway*) with true1 have "\((\ ou p. ou\\p) (form ?wlG (s1,s2'')) True)" by (rule subst) with true2 have "\((\ ou p. ou\\p) (form ?wlG (s1,s2'')) (form ?wlG (s1,s2')))" by (rule subst) hence "\(((fst \ snd) ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)) (form ?wlG (s1,s2'')) ((form ?wlG) (s1,s2')))" by simp with derivedWLGame_def[symmetric] have "\(((fst \ snd) ?wlG) (form ?wlG (s1,s2'')) ((form ?wlG) (s1,s2')))" by (rule subst) thm subst[of "(fst \ snd)" pref2 "\x.\((x ?wlG) (form ?wlG (s1,s2'')) ((form ?wlG) (s1,s2')))"] with pref2_def[symmetric] show "\((pref2 ?wlG) (form ?wlG (s1,s2'')) ((form ?wlG) (s1,s2')))" by (rule subst[of "fst \ snd" pref2]) qed ultimately have "(\s1'. \(pref1 ?wlG) ((form ?wlG) (s1,s2'')) ((form ?wlG) (s1',s2''))) \ (\s2'. \(pref2 ?wlG) ((form ?wlG) (s1,s2'')) ((form ?wlG) (s1,s2')))" by (rule conjI) with isNash_def[symmetric] show "isNash ?wlG s1 s2''" by (rule subst) qed thus ?thesis by (rule disjI1) next assume loses1 : "\(\s2''. form ?wlG (s1,s2'') = True)" have "isNash ?wlG s1 s2" by (rule isNashWL) hence "(\s2''. (form ?wlG (s1,s2'') = True)) \ (\s1''. (form ?wlG) (s1'',s2) = False)" by (rule someone_wins) hence wins2 : "(\s1''. (form ?wlG) (s1'',s2) = False)" using loses1 by blast(*player 2 wins*) (*Rest symmetric to "player 1 wins". But since there are two dimensions of symmetry this is fiddly!*) have "(\s1''. isNash ?wlG s1'' s2)" proof (rule allI) fix s1'' have "(\s1'. \(pref1 ?wlG) ((form ?wlG) (s1'',s2)) ((form ?wlG) (s1',s2)))" (*first half of Nash def*) proof (rule allI) fix s1' have false1 : "False = form ?wlG (s1'',s2)" using wins2 by simp have false2 : "False = form ?wlG (s1',s2)" using wins2 by simp have "\((\ ou p. p \\ou) False False)" by simp (*pl1 loses anyway*) with false1 have "\((\ ou p. p \\ou) (form ?wlG (s1'',s2)) False)" by (rule subst) with false2 have "\((\ ou p. p \\ou) (form ?wlG (s1'',s2)) (form ?wlG (s1',s2)))" by (rule subst) hence "\((fst ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)) (form ?wlG (s1'',s2)) ((form ?wlG) (s1',s2)))" by simp with derivedWLGame_def[symmetric] have "\((fst ?wlG) (form ?wlG (s1'',s2)) ((form ?wlG) (s1',s2)))" by (rule subst) with pref1_def[symmetric] show "\((pref1 ?wlG) (form ?wlG (s1'',s2)) ((form ?wlG) (s1',s2)))" by (rule subst[of fst pref1]) qed moreover have "(\s2'. \(pref2 ?wlG) ((form ?wlG) (s1'',s2)) ((form ?wlG) (s1'',s2')))" (*second half of Nash def*) proof (rule allI) fix s2' have "False = ((form ?wlG) (s1'',s2))" using wins2 by simp moreover have "\((\ ou p. ou\\p) False ((form ?wlG) (s1'',s2')))" by simp (*pl2 wins so s2' cannot be better*) ultimately have "\((\ ou p. ou\\p) (form ?wlG (s1'',s2)) ((form ?wlG) (s1'',s2')))" by (rule subst) hence "\(((fst \ snd) ((\ ou p. p\\ou), (\ ou p. ou\\p), (\ou. ou\Ou)\gf)) (form ?wlG (s1'',s2)) ((form ?wlG) (s1'',s2')))" by simp with derivedWLGame_def[symmetric] have "\(((fst \ snd) ?wlG) (form ?wlG (s1'',s2)) ((form ?wlG) (s1'',s2')))" by (rule subst) with pref2_def[symmetric] show "\((pref2 ?wlG) (form ?wlG (s1'',s2)) ((form ?wlG) (s1'',s2')))" by (rule subst[of "fst \ snd" pref2]) qed ultimately have "(\s1'. \(pref1 ?wlG) ((form ?wlG) (s1'',s2)) ((form ?wlG) (s1',s2))) \ (\s2'. \(pref2 ?wlG) ((form ?wlG) (s1'',s2)) ((form ?wlG) (s1'',s2')))" by (rule conjI) with isNash_def[symmetric] show "isNash ?wlG s1'' s2" by (rule subst) qed thus ?thesis by (rule disjI2) qed (*Not true at all!*) (* lemma enforceComplements2 : assumes notEnforcesM2 : "\M2' \ enforceSets2 (form g). \ M2' \ M2" shows "\M\enforceSets1 (form g). M \ M2={}" proof -*) (*Added for R-extension, but probably not even needed.*) (* lemma enforceViaR : (*Formalises first paragraph of proof of Lemma 2.4/Theorem 8*) assumes determined : "\Ou. \s1\R1. \s2\R2. isNash (derivedWLGame (form g) Ou) s1 s2" and enforces1 : "M\enforceSets1 (form g)" shows "\s1\R1. enforceSet1 (form g) s1 \ M" proof -*) end