Equational and Inductive Reasoning
for Maude in Athena

WRLA 2026 — Torino, April 11–12
Mateo Sanabria, Carlos Varela, Camilo Rocha, Nicolás Cardozo

Equational and Inductive Reasoning
for Maude in Athena

A programming language for proof engineering and natural deduction.
Proofs are first-class citizens

A language where equational specifications are directly executable.
Rewrite rules are first-class computations

Maude

Athena

  • Many-sorted first-order logic
  • Natural-deduction proofs
  • Structural induction on datatypes
  • No native subsorting support
  • Order-sorted equational logic
  • Rewriting modulo axioms
  • High-performance execution
  • Limited interactive theorem proving*
How can we leverage both?
Execute in Maude, prove in Athena.

Maude

Athena

fmod PEANO is
    sort NzNat Even Nat .
    subsorts NzNat Even < Nat .
    op zero : -> Even [ctor] .
    op s_  : Nat -> NzNat [ctor] .
    op _+_ : Nat Nat -> Nat .
    vars N M : Nat .
    cmb s s N : Even if N : Even .
    eq N + zero = N .
    eq N + s M  = s (N + M) .
endfm

Maude: peano numbers

Operations

Sorts/Subsorting

Conditional membership

Ctors

Equations

datatype Nat := zero | (s Nat)
declare plus: [Nat Nat] -> Nat [+]
define [n m] := [?n:Nat ?m:Nat]
assert  Plus-zero := (forall n . (zero + n) = n)
assert* Plus-s    := ((n + (s m)) = (s (n + m)))

ATHENA: peano numbers

Ctors: zero, s

Datatype

Operations

Assertions

conclude plus_associative
by-induction (forall P Q R .  ((Q + R) + P) = (Q + (R + P))) {
  zero  => pick-any q r
           (!chain [((q + r) + zero)
                   --> (q + r)          [Plus-zero]
                   <-- (q + (r + zero)) [Plus-zero]])
  | (s p) => let {ih := (forall ?q ?r .
                   (?q + ?r) + p = ?q + (?r + p))}
           pick-any q r
           (!chain [((q + r) + (s p))
                   --> (s ((q + r) + p))   [Plus-s]
                   --> (s (q + (r + p)))   [ih]
                   <-- (q + (s (r + p)))   [Plus-s]
                   <-- (q + (r + (s p)))   [Plus-s]])
}

ATHENA: proofs by induction

by-induction: built-in method

✓ works because Nat is a datatype

So... what is the challenge?

A simpler Peano module translates cleanly:

sort Nat .
op zero : -> Nat [ctor] .
op s_   : Nat -> Nat [ctor] .

datatype Nat := zero | (s Nat)

✓ Nat has no subsorts → becomes a datatype → by-induction works

But the full Peano module has subsorts:

sort NzNat Even Nat .
subsorts NzNat Even < Nat .
op zero : -> Even [ctor] .
op s_   : Nat  -> NzNat [ctor] .

✗ subsorts cannot be directly translated to datatypes → by-induction no longer applies

Maude2Athena  Key challenges

  1. Subsorting gap: Maude's order-sorted signatures have no direct counterpart in Athena's many-sorted logic.
  2. Induction loss: Flattening order-sorted datatypes into many-sorted domains prevents the use of Athena’s built-in inductive reasoning.
  3. Structural axioms: Maude rewrites modulo ACU. Athena has no built-in support for these axioms  
 
  • Signature \(\Sigma = (K, F, S)\):  kinds \(K\), function symbols \(F\), sorts \(S\)
  • Sort poset \((S, \leq)\): subsort relation, connected components are kinds
  • Equations \(E\): oriented left-to-right as simplification rules
  • Structural axioms \(A\): associativity, commutativity, Unity (ACU)
Assumptions: sort-decreasingness, ground confluence, operational termination, and sufficient completeness w.r.t. constructors \(\Omega \subseteq \Sigma\). 
Maude2Athena contemplates functional modules based on equational logic
where:
\mathcal{E} = (\Sigma, E \cup A)

Membership Equational Logic

Strictly sensible signatures

Precondition for a well-defined translation
  1. Strongly sensible: argument-compatible overloaded symbols share the same target sort.
  2. Maximal argument-bounding: every compatibility class has a unique maximal representative.

Guarantees a linear, unambiguous mapping from order-sorted to many-sorted 

A Method to Translate Order-Sorted Algebras to Many-Sorted Algebras, Liyi Li et al.

Maude2Athena  Components

trS
Sorts

trF
Operators

trT
Terms

trE
Equations

trM
Memberships

trη
Induction

trS  Sorts → datatype (no subsorts) or domain
trF  Maximal representatives + cast symbols + ACU axioms
trT  Terms with explicit casts
trE  Equations + core equalities
trM  Membership predicates (is_s)
trη  Parametric induction methods

Sort Translation

A sort s becomes a datatype if it has constructors and no subsort relations, domain otherwise.

No subsorts → datatype

datatype Nat := zero | (s Nat)

With subsorts → domains

domains NzNat Even Nat

✗ domains lose built-in induction — requires trη

Operators & Casts

For each argument-compatibility class, select the maximal representative:

declare s    : [Nat]     -> NzNat
declare zero : []        -> Even
declare +    : [Nat Nat] -> Nat

For each subsort pair s ≤ s', generate a cast symbol:

declare Cast_Even_to_Nat  : [Even]  -> Nat
declare Cast_NzNat_to_Nat : [NzNat] -> Nat

ACU axioms become explicit assertions in β

Terms & Equations

Implicit subsort coercions become explicit casts:

Maude

eq N + zero = N .
eq N + s M  =
   s (N + M) .

Athena (after tr)


assert* ((+ N (Cast_Even_to_Nat zero)) 
        = N)
assert* ((+ N (Cast_NzNat_to_Nat (s M))) = 
        (Cast_NzNat_to_Nat (s (+ N M))))

Core equalities ensure cast-path independence: Casts'→s''(Casts→s'(x)) = Casts→s''(x)

Memberships

Membership axioms have no native counterpart in Athena — translated to Boolean predicates:

Maude

cmb s s N : Even
    if N : Even .

Athena

declare is_even : [Nat] -> Boolean
assert* ((is_even N)
         ==> (is_even s s N))

Predicate domain is the kind — the top supersort in the connected component

Full Peano Translation

Maude input

fmod PEANO is
  sort NzNat Even Nat .
  subsorts NzNat Even < Nat .
  op zero : -> Even [ctor] .
  op s_   : Nat -> NzNat [ctor] .
  op _+_  : Nat Nat -> Nat .
  vars N M : Nat .
  cmb s s N : Even
      if N : Even .
  eq N + zero = N .
  eq N + s M = s (N + M) .
endfm

Athena output — tr(ℰ)

module PEANO {
  domains NzNat Even Nat
  declare s    : [Nat]     -> NzNat
  declare zero : []        -> Even
  declare +    : [Nat Nat] -> Nat
  declare Cast_Even_to_Nat  : [Even]  -> Nat
  declare Cast_NzNat_to_Nat : [NzNat] -> Nat
  define [N M] := [?N:Nat ?M:Nat]
  assert* ((+ N (Cast_Even_to_Nat zero)) = N)
  assert* ((+ N (Cast_NzNat_to_Nat (s M)))
         = (Cast_NzNat_to_Nat (s (+ N M))))
  declare is_even : [Nat] -> Boolean
  assert* ((is_even N) ==> (is_even s s N))
}

The Induction Challenge

Problem: Athena's by-induction works only for datatypes, but trS maps subsorted sorts to domains ⇒ native induction is lost

Solution: Generate parametric primitive methods (trη) that reconstruct induction for domains

1 Compute the effective constructor set Ω+C per connected component

2 Partition into base cases (Ic = ∅) and inductive cases (Ic ≠ ∅)

3 Assemble a primitive method with nested check / holds?

Primitive Induction Method

primitive-method (nat-induction property) :=
let {
    basis := (property (Cast_Even_to_Nat zero));
    ic    := (forall x
               (if (property x)
                   (property (Cast_NzNat_to_Nat (s x)))))
  }
check {
    (holds? basis) =>
      check { (holds? ic) =>
                 (forall x (property x))
              | else => (error "Inductive step fails.") }
    | else => (error "Basis step fails.") }

primitive-method: takes a predicate

basis + ic: the two obligations

check / holds?: sequential verification

✓ Restores structural induction for the Nat domain — generated automatically by trη

Case Study: Toy Compiler

A compiler for arithmetic expressions on a Stack Machine — three sorts, heavy use of subsorting and structural axioms:

Exp
source expressions
(Int < Exp)

Instr/Program
instruction set
(Instr < Program)

Stack
runtime stack
(datatype)

Core correctness property proven in Athena:

forall e p s . (exec (++ (compile e) p) s)
             = (exec p (:: (I e) s))

✗ Exp is a domain — no native induction

✓ exp-induction generated by trη

📦 Full specification + proofs: github.com/FLAGlab/Maude2Athena

Contributions

1 Semantics-preserving translation from Maude's membership equational logic to Athena's many-sorted first-order logic

2 Parametric induction methods (trη) that reconstruct structural induction over translated domains

3 First implementation grounded in Li's et al strictly sensible order-sorted translation — validated on a compiler case study

Future Work

Map Maude's built-in modules directly to Athena's native domains for better modularity and automation

Extend to rewrite rules — enabling verification of concurrent and distributed systems via Talcott's Actor theories

Bridge model checking and theorem proving — leveraging both Maude's execution and Athena's deductive power

maude2athena

By Mateo Sanabria Ardila

Made with Slides.com

maude2athena

Maude2Athena WRLA26

  • 49

More from Mateo Sanabria Ardila